def test_manage_org_auth_setting(ext_auth, superuser, expect, organization,
rando, user, team):
u = user('foo-user', is_superuser=superuser)
if not superuser:
organization.admin_role.members.add(u)
with mock.patch('awx.main.access.settings') as settings_mock:
settings_mock.MANAGE_ORGANIZATION_AUTH = ext_auth
assert [
# use via /api/v2/users/N/roles/
UserAccess(u).can_attach(rando, organization.admin_role, 'roles'),
UserAccess(u).can_attach(rando, team.admin_role, 'roles'),
# use via /api/v2/roles/N/users/
RoleAccess(u).can_attach(organization.admin_role, rando,
'members'),
RoleAccess(u).can_attach(team.admin_role, rando, 'members')
] == [expect for i in range(4)]
assert [
# use via /api/v2/users/N/roles/
UserAccess(u).can_unattach(rando, organization.admin_role,
'roles'),
UserAccess(u).can_unattach(rando, team.admin_role, 'roles'),
# use via /api/v2/roles/N/users/
RoleAccess(u).can_unattach(organization.admin_role, rando,
'members'),
RoleAccess(u).can_unattach(team.admin_role, rando, 'members')
] == [expect for i in range(4)]
def test_need_all_orgs_to_admin_user(user):
'''
Old behavior - org admin to ANY organization that a user is member of
grants permission to admin that user
New behavior enforced here - org admin to ALL organizations that a
user is member of grants permission to admin that user
'''
org1 = Organization.objects.create(name='org1')
org2 = Organization.objects.create(name='org2')
org1_admin = user('org1-admin')
org1.admin_role.members.add(org1_admin)
org12_member = user('org12-member')
org1.member_role.members.add(org12_member)
org2.member_role.members.add(org12_member)
user_access = UserAccess(org1_admin)
assert not user_access.can_change(org12_member, {'last_name': 'Witzel'})
role_access = RoleAccess(org1_admin)
assert not role_access.can_attach(org1.admin_role, org12_member, 'members',
None)
assert not role_access.can_attach(org1.member_role, org12_member,
'members', None)
org2.admin_role.members.add(org1_admin)
assert role_access.can_attach(org1.admin_role, org12_member, 'members',
None)
assert role_access.can_attach(org1.member_role, org12_member, 'members',
None)
def test_org_admin_cannot_delete_member_attached_to_other_group(
org_admin, org_member):
other_org = Organization.objects.create(name="other-org",
description="other-org-desc")
access = UserAccess(org_admin)
other_org.member_role.members.add(org_member)
assert not access.can_delete(org_member)
def test_user_access_attach(rando, inventory):
inventory.read_role.members.add(rando)
user_access = UserAccess(rando)
role_access = RoleAccess(rando)
data = {'id': inventory.admin_role.pk}
assert not user_access.can_attach(rando, inventory.admin_role, 'roles', data, False)
assert not role_access.can_attach(inventory.admin_role, rando, 'members', data, False)
def test_org_object_role_not_sufficient(user, organization):
member = user('amember')
obj_admin = user('icontrolallworkflows')
organization.member_role.members.add(member)
organization.workflow_admin_role.members.add(obj_admin)
user_access = UserAccess(obj_admin)
assert not user_access.can_change(member, {'last_name': 'Witzel'})
def test_orphaned_user_allowed(org_admin, rando, organization):
'''
We still allow adoption of orphaned* users by assigning them to
organization member role, but only in the situation where the
org admin already posesses indirect access to all of the user's roles
*orphaned means user is not a member of any organization
'''
role_access = RoleAccess(org_admin)
assert role_access.can_attach(organization.member_role, rando, 'members', None)
# Cannot edit the user directly without adding to org first
user_access = UserAccess(org_admin)
assert not user_access.can_change(rando, {'last_name': 'Witzel'})
def test_org_superuser_role_attach(admin_user, org_admin, organization):
'''
Ideally, you would not add superusers to roles (particularly member_role)
but it has historically been possible
this checks that the situation does not grant unexpected permissions
'''
organization.member_role.members.add(admin_user)
role_access = RoleAccess(org_admin)
assert not role_access.can_attach(organization.member_role, admin_user, 'members', None)
assert not role_access.can_attach(organization.admin_role, admin_user, 'members', None)
user_access = UserAccess(org_admin)
assert not user_access.can_change(admin_user, {'last_name': 'Witzel'})
def test_user_accessible_objects(user, organization):
'''
We cannot directly use accessible_objects for User model because
both editing and read permissions are obligated to complex business logic
'''
admin = user('admin', False)
u = user('john', False)
access = UserAccess(admin)
assert access.get_queryset().count() == 1 # can only see himself
organization.member_role.members.add(u)
organization.member_role.members.add(admin)
assert access.get_queryset().count() == 2
organization.member_role.members.remove(u)
assert access.get_queryset().count() == 1
def test_orphaned_user_allowed(org_admin, rando, organization, org_credential):
'''
We still allow adoption of orphaned* users by assigning them to
organization member role, but only in the situation where the
org admin already posesses indirect access to all of the user's roles
*orphaned means user is not a member of any organization
'''
# give a descendent role to rando, to trigger the conditional
# where all ancestor roles of rando should be in the set of
# org_admin roles.
org_credential.admin_role.members.add(rando)
role_access = RoleAccess(org_admin)
org_access = OrganizationAccess(org_admin)
assert role_access.can_attach(organization.member_role, rando, 'members',
None)
assert org_access.can_attach(organization, rando, 'member_role.members',
None)
# Cannot edit the user directly without adding to org first
user_access = UserAccess(org_admin)
assert not user_access.can_change(rando, {'last_name': 'Witzel'})
def test_user_queryset(user):
u = user('pete', False)
access = UserAccess(u)
qs = access.get_queryset()
assert qs.count() == 1
def test_system_auditor_can_modify_self(system_auditor):
access = UserAccess(system_auditor)
assert access.can_change(obj=system_auditor,
data=dict(is_system_auditor='true'))
def test_org_admin_can_delete_group_member(org_admin, org_member):
access = UserAccess(org_admin)
assert access.can_delete(org_member)
def test_org_admin_can_delete_orphan(org_admin, alice):
access = UserAccess(org_admin)
assert access.can_delete(alice)
def test_org_admin_edit_sys_auditor(org_admin, alice, organization):
organization.member_role.members.add(alice)
access = UserAccess(org_admin)
assert not access.can_change(obj=alice,
data=dict(is_system_auditor='true'))
def test_org_admin_create_sys_auditor(org_admin):
access = UserAccess(org_admin)
assert not access.can_add(data=dict(username='******',
password="******",
email="*****@*****.**",
is_system_auditor='true'))
