def test_job_template_access_admin(role_names, jt_linked, rando):
    """Check that organization roles are what give `rando` access to a job template.

    Before any role is granted, the read and delete checks must be denied.
    After `rando` is added to every role named in `role_names` on the
    inventory's organization, the add, unattach, read and delete checks must
    all pass. The values of `role_names` are supplied from outside this
    function and are not visible here.
    """
    machine_cred = jt_linked.machine_credential
    checker = JobTemplateAccess(rando)

    # Deny-by-default baseline: without it, the positive assertions below
    # would also pass for a user who already had access by some other path.
    assert not checker.can_read(jt_linked)
    assert not checker.can_delete(jt_linked)

    # Grant each requested organization-level role to the user under test.
    for role_name in role_names:
        getattr(jt_linked.inventory.organization, role_name).members.add(rando)

    # Same wiring the create view applies: the organization's admin role
    # becomes a parent of the credential's admin role.
    org = jt_linked.inventory.organization
    machine_cred.admin_role.parents.add(org.admin_role)

    project_id = jt_linked.project.pk
    assert checker.can_add({'inventory': jt_linked.inventory.pk, 'project': project_id})
    assert checker.can_add({'credential': machine_cred.pk, 'project': project_id})

    # Every credential already attached to the template must be detachable.
    assert all(
        checker.can_unattach(jt_linked, cred, 'credentials', {})
        for cred in jt_linked.credentials.all()
    )

    assert checker.can_read(jt_linked)
    assert checker.can_delete(jt_linked)
def test_job_template_access_superuser(check_license, user, deploy_jobtemplate):
    """A superuser passes the read and add checks for job templates.

    Only `can_read` and `can_add` are exercised; other access checks
    (delete, unattach, ...) are not covered by this test.
    """
    # `check_license` is requested but never referenced in the body;
    # presumably it is needed for its setup side effect - confirm.
    # GIVEN a superuser (second argument to the `user` fixture is True)
    superuser_access = JobTemplateAccess(user('admin', True))

    # THEN reading an existing template and adding with empty data are allowed
    assert superuser_access.can_read(deploy_jobtemplate)
    assert superuser_access.can_add({})
def test_jt_org_ownership_change(user, jt_linked):
    """Read access to a job template follows its project's and inventory's organization.

    Covers both directions of an ownership move: the new organization's admin
    gains read access, and the previous organization's admin loses it.
    """
    # Admin of the organization that currently owns the template's project.
    first_admin = user('admin1')
    jt_linked.project.organization.admin_role.members.add(first_admin)
    first_access = JobTemplateAccess(first_admin)
    assert first_access.can_read(jt_linked)

    # Admin of an unrelated organization: no access before the move.
    second_admin = user('admin2')
    new_org = Organization.objects.create(name='mrroboto', description='domo')
    new_org.admin_role.members.add(second_admin)
    second_access = JobTemplateAccess(second_admin)
    assert not second_access.can_read(jt_linked)

    # Re-home the project first, then the inventory, saving each change.
    project = jt_linked.project
    project.organization = new_org
    project.save()
    inventory = jt_linked.inventory
    inventory.organization = new_org
    inventory.save()

    # Access must be granted to the new owner AND revoked from the old one;
    # the second assertion guards against stale access surviving the move.
    assert second_access.can_read(jt_linked)
    assert not first_access.can_read(jt_linked)
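def test_job_template_access_org_admin(jt_linked, rando):
    """An organization admin can add, unattach credentials from, read and delete a job template.

    The test first asserts that `rando` is denied read and delete before being
    made organization admin, as test_job_template_access_admin does with the
    same fixtures. Without that baseline the positive assertions would also
    pass if `rando` already had access for some unrelated reason.
    """
    access = JobTemplateAccess(rando)

    # Deny-by-default baseline, checked before any role is granted.
    assert not access.can_read(jt_linked)
    assert not access.can_delete(jt_linked)

    # Appoint this user as admin of the organization
    organization = jt_linked.inventory.organization
    organization.admin_role.members.add(rando)

    # Assign organization permission in the same way the create view does
    jt_linked.get_deprecated_credential('ssh').admin_role.parents.add(organization.admin_role)

    proj_pk = jt_linked.project.pk
    assert access.can_add(dict(inventory=jt_linked.inventory.pk, project=proj_pk))
    # NOTE(review): test_job_template_access_admin passes a credential pk here
    # (`ssh_cred.pk`); confirm that `jt_linked.credential` also yields a pk and
    # not a model instance, otherwise this check exercises a different path.
    assert access.can_add(dict(credential=jt_linked.credential, project=proj_pk))

    # Every credential already attached to the template must be detachable.
    for cred in jt_linked.credentials.all():
        assert access.can_unattach(jt_linked, cred, 'credentials', {})

    assert access.can_read(jt_linked)
    assert access.can_delete(jt_linked)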
def test_orphan_JT_readable_by_system_auditor(self, job_template, system_auditor):
    """A system auditor can read a job template that has no project."""
    # Preconditions on the fixtures: the user really is a system auditor and
    # the template really is orphaned (project is None). If either fails, the
    # test stops here instead of reporting a misleading access result.
    assert system_auditor.is_system_auditor
    assert job_template.project is None

    # Only read access is checked; nothing here asserts what the auditor
    # cannot do with the template.
    assert JobTemplateAccess(system_auditor).can_read(job_template)