def test_implicit_deletes(alice): 'Ensures implicit resources and roles delete themselves' delorg = Organization.objects.create(name='test-org') child = Role.objects.create() child.parents.add(delorg.admin_role) delorg.admin_role.members.add(alice) admin_role_id = delorg.admin_role.id auditor_role_id = delorg.auditor_role.id assert child.ancestors.count() > 1 assert Role.objects.filter(id=admin_role_id).count() == 1 assert Role.objects.filter(id=auditor_role_id).count() == 1 n_alice_roles = alice.roles.count() n_system_admin_children = Role.singleton( 'system_administrator').children.count() delorg.delete() assert Role.objects.filter(id=admin_role_id).count() == 0 assert Role.objects.filter(id=auditor_role_id).count() == 0 assert alice.roles.count() == (n_alice_roles - 1) assert Role.singleton('system_administrator').children.count() == ( n_system_admin_children - 1) assert child.ancestors.count() == 1 assert child.ancestors.all()[0] == child
def test_copy_edit_standard(self, mocker, job_template_factory): """Verify that the exact output of the access.py methods are put into the serializer user_capabilities""" jt_obj = job_template_factory('testJT', project='proj1', persisted=False).job_template jt_obj.admin_role = Role(id=9, role_field='admin_role') jt_obj.execute_role = Role(id=8, role_field='execute_role') jt_obj.read_role = Role(id=7, role_field='execute_role') user = User(username="******") serializer = JobTemplateSerializer(job_template) serializer.show_capabilities = ['copy', 'edit'] serializer._summary_field_labels = lambda self: [] serializer._recent_jobs = lambda self: [] request = APIRequestFactory().get('/api/v2/job_templates/42/') request.user = user view = JobTemplateDetail() view.request = request view.kwargs = {} serializer.context['view'] = view with mocker.patch("awx.api.serializers.role_summary_fields_generator", return_value='Can eat pie'): with mocker.patch("awx.main.access.JobTemplateAccess.can_change", return_value='foobar'): with mocker.patch("awx.main.access.JobTemplateAccess.can_copy", return_value='foo'): response = serializer.get_summary_fields(jt_obj) assert response['user_capabilities']['copy'] == 'foo' assert response['user_capabilities']['edit'] == 'foobar'
def test_jt_add_scan_job_check(job_template_with_ids, user_unit): "Assure that permissions to add scan jobs work correctly" access = JobTemplateAccess(user_unit) project = job_template_with_ids.project inventory = job_template_with_ids.inventory project.use_role = Role() inventory.use_role = Role() organization = Organization(name='test-org') inventory.organization = organization organization.admin_role = Role() def mock_get_object(Class, **kwargs): if Class == Project: return project elif Class == Inventory: return inventory else: raise Exception('Item requested has not been mocked') with mock.patch.object(JobTemplateAccess, 'check_license', return_value=None): with mock.patch('awx.main.models.rbac.Role.__contains__', return_value=True): with mock.patch('awx.main.access.get_object_or_400', mock_get_object): assert access.can_add({ 'project': project.pk, 'inventory': inventory.pk, 'job_type': 'scan' })
def sync_superuser_status_to_rbac(instance, **kwargs): 'When the is_superuser flag is changed on a user, reflect that in the membership of the System Admnistrator role' update_fields = kwargs.get('update_fields', None) if update_fields and 'is_superuser' not in update_fields: return if instance.is_superuser: Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).members.add(instance) else: Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).members.remove(instance)
def test_visible_roles(admin_user, system_auditor, rando, organization, project): ''' system admin & system auditor fixtures needed to create system roles ''' organization.auditor_role.members.add(rando) access = RoleAccess(rando) assert rando not in organization.admin_role assert access.can_read(organization.admin_role) assert organization.admin_role in Role.visible_roles(rando) assert rando not in project.admin_role assert access.can_read(project.admin_role) assert project.admin_role in Role.visible_roles(rando)
def test_consistency_of_is_superuser_flag(reverse): users = [User.objects.create(username='******'.format(i)) for i in range(2)] for u in users: assert u.is_superuser is False system_admin = Role.singleton('system_administrator') if reverse: for u in users: u.roles.add(system_admin) else: system_admin.members.add(*[u.id for u in users]) # like .add(42, 54) for u in users: u.refresh_from_db() assert u.is_superuser is True users[0].roles.clear() for u in users: u.refresh_from_db() assert users[0].is_superuser is False assert users[1].is_superuser is True system_admin.members.clear() for u in users: u.refresh_from_db() assert u.is_superuser is False
def test_workflow_can_add(self, workflow, user_unit): organization = Organization(name='test-org') workflow.organization = organization organization.admin_role = Role() def mock_get_object(Class, **kwargs): if Class == Organization: return organization else: raise Exception('Item requested has not been mocked') access = WorkflowJobTemplateAccess(user_unit) with mock.patch('awx.main.models.rbac.Role.__contains__', return_value=True): with mock.patch('awx.main.access.get_object_or_400', mock_get_object): assert access.can_add({'organization': 1})
def test_change_jt_sensitive_data(job_template_with_ids, mocker, user_unit): """Assure that can_add is called with all ForeignKeys.""" job_template_with_ids.admin_role = Role() data = {'inventory': job_template_with_ids.inventory.id + 1} access = JobTemplateAccess(user_unit) mock_add = mock.MagicMock(return_value=False) with mock.patch('awx.main.models.rbac.Role.__contains__', return_value=True): with mocker.patch('awx.main.access.JobTemplateAccess.can_add', mock_add): with mocker.patch('awx.main.access.JobTemplateAccess.can_read', return_value=True): assert not access.can_change(job_template_with_ids, data) mock_add.assert_called_once_with({ 'inventory': data['inventory'], 'project': job_template_with_ids.project.id })
def test_indirect_access_list(get, organization, project, team_factory, user, admin): project_admin = user('project_admin') project_admin_team_member = user('project_admin_team_member') team_admin = user('team_admin') project_admin_team = team_factory('project-admin-team') project.admin_role.members.add(project_admin) project_admin_team.member_role.members.add(project_admin_team_member) project_admin_team.member_role.children.add(project.admin_role) project_admin_team.admin_role.members.add(team_admin) result = get(reverse('api:project_access_list', kwargs={'pk': project.id}), admin) assert result.status_code == 200 # Result should be: # project_admin should have direct access, # project_team_admin should have "direct" access through being a team member -> project admin, # team_admin should have direct access the same as the project_team_admin, # admin should have access through system admin -> org admin -> project admin assert result.data['count'] == 4 project_admin_res = [ r for r in result.data['results'] if r['id'] == project_admin.id ][0] team_admin_res = [ r for r in result.data['results'] if r['id'] == team_admin.id ][0] project_admin_team_member_res = [ r for r in result.data['results'] if r['id'] == project_admin_team_member.id ][0] admin_res = [r for r in result.data['results'] if r['id'] == admin.id][0] assert len(project_admin_res['summary_fields']['direct_access']) == 1 assert len(project_admin_res['summary_fields']['indirect_access']) == 0 assert len(team_admin_res['summary_fields']['direct_access']) == 1 assert len(team_admin_res['summary_fields']['indirect_access']) == 0 assert len(admin_res['summary_fields']['direct_access']) == 0 assert len(admin_res['summary_fields']['indirect_access']) == 1 project_admin_entry = project_admin_res['summary_fields']['direct_access'][ 0]['role'] assert project_admin_entry['id'] == project.admin_role.id # assure that results for team admin are the same as for team member team_admin_entry = team_admin_res['summary_fields']['direct_access'][0][ 'role'] assert team_admin_entry['id'] == project.admin_role.id assert team_admin_entry['name'] == 'Admin' project_admin_team_member_entry = project_admin_team_member_res[ 'summary_fields']['direct_access'][0]['role'] assert project_admin_team_member_entry['id'] == project.admin_role.id assert project_admin_team_member_entry['team_id'] == project_admin_team.id assert project_admin_team_member_entry[ 'team_name'] == project_admin_team.name admin_entry = admin_res['summary_fields']['indirect_access'][0]['role'] assert admin_entry['name'] == Role.singleton('system_administrator').name