tbs093a
/
docker.images
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
docker.images/ansible.awx/awx-17.1.0/awx/main/tests/functional/test_rbac_team.py

184 lines
6.0 KiB
Python
Raw Permalink Blame History

import pytest
from unittest import mock
from awx.main.access import TeamAccess
from awx.main.models import Project, Organization, Team
@pytest.mark.django_db
def test_team_attach_unattach(team, user):
u = user('member', False)
access = TeamAccess(u)
team.member_role.members.add(u)
assert not access.can_attach(team, team.member_role, 'member_role.children', None)
assert not access.can_unattach(team, team.member_role, 'member_role.children')
team.admin_role.members.add(u)
assert access.can_attach(team, team.member_role, 'member_role.children', None)
assert access.can_unattach(team, team.member_role, 'member_role.children')
u2 = user('non-member', False)
access = TeamAccess(u2)
assert not access.can_attach(team, team.member_role, 'member_role.children', None)
assert not access.can_unattach(team, team.member_role, 'member_role.children')
@pytest.mark.django_db
@pytest.mark.parametrize('ext_auth', [True, False])
def test_team_org_resource_role(ext_auth, team, user, rando):
with mock.patch('awx.main.access.settings') as settings_mock:
settings_mock.MANAGE_ORGANIZATION_AUTH = ext_auth
u = user('member', False)
team.organization.admin_role.members.add(u)
access = TeamAccess(u)
assert access.can_attach(team, rando, 'member_role.members') == ext_auth
team.member_role.members.add(rando)
assert access.can_unattach(team, rando, 'member_role.members') == ext_auth
@pytest.mark.django_db
def test_team_access_superuser(team, user):
team.member_role.members.add(user('member', False))
access = TeamAccess(user('admin', True))
assert access.can_add(None)
assert access.can_change(team, None)
assert access.can_delete(team)
t = access.get_queryset()[0]
assert len(t.member_role.members.all()) == 1
assert len(t.organization.admin_role.members.all()) == 0
@pytest.mark.django_db
def test_team_access_org_admin(organization, team, user):
a = user('admin', False)
organization.admin_role.members.add(a)
team.organization = organization
team.save()
access = TeamAccess(a)
assert access.can_add({'organization': organization.pk})
assert access.can_change(team, None)
assert access.can_delete(team)
t = access.get_queryset()[0]
assert len(t.member_role.members.all()) == 0
assert len(t.organization.admin_role.members.all()) == 1
@pytest.mark.django_db
def test_team_access_member(organization, team, user):
u = user('member', False)
team.member_role.members.add(u)
team.organization = organization
team.save()
access = TeamAccess(u)
assert not access.can_add({'organization': organization.pk})
assert not access.can_change(team, None)
assert not access.can_delete(team)
t = access.get_queryset()[0]
assert len(t.member_role.members.all()) == 1
assert len(t.organization.admin_role.members.all()) == 0
@pytest.mark.django_db
def test_team_accessible_by(team, user, project):
u = user('team_member', False)
team.member_role.children.add(project.use_role)
assert team in project.read_role
assert u not in project.read_role
team.member_role.members.add(u)
assert u in project.read_role
@pytest.mark.django_db
def test_team_accessible_objects(team, user, project):
u = user('team_member', False)
team.member_role.children.add(project.use_role)
assert len(Project.accessible_objects(team, 'read_role')) == 1
assert not Project.accessible_objects(u, 'read_role')
team.member_role.members.add(u)
assert len(Project.accessible_objects(u, 'read_role')) == 1
@pytest.mark.django_db
def test_team_admin_member_access(team, user, project):
u = user('team_admin', False)
team.member_role.children.add(project.use_role)
team.admin_role.members.add(u)
assert len(Project.accessible_objects(u, 'use_role')) == 1
@pytest.mark.django_db
def test_team_member_org_role_access_project(team, rando, project, organization):
team.member_role.members.add(rando)
assert rando not in project.read_role
team.member_role.children.add(organization.project_admin_role)
assert rando in project.admin_role
@pytest.mark.django_db
def test_team_member_org_role_access_workflow(team, rando, workflow_job_template, organization):
team.member_role.members.add(rando)
assert rando not in workflow_job_template.read_role
team.member_role.children.add(organization.workflow_admin_role)
assert rando in workflow_job_template.admin_role
@pytest.mark.django_db
def test_team_member_org_role_access_inventory(team, rando, inventory, organization):
team.member_role.members.add(rando)
assert rando not in inventory.read_role
team.member_role.children.add(organization.inventory_admin_role)
assert rando in inventory.admin_role
@pytest.mark.django_db
def test_org_admin_team_access(organization, team, user, project):
u = user('team_admin', False)
organization.admin_role.members.add(u)
team.organization = organization
team.save()
team.member_role.children.add(project.use_role)
assert len(Project.accessible_objects(u, 'use_role')) == 1
@pytest.mark.django_db
@pytest.mark.parametrize('enabled', [True, False])
def test_org_admin_view_all_teams(org_admin, enabled):
access = TeamAccess(org_admin)
other_org = Organization.objects.create(name='other-org')
other_team = Team.objects.create(name='other-team', organization=other_org)
with mock.patch('awx.main.access.settings') as settings_mock:
settings_mock.ORG_ADMINS_CAN_SEE_ALL_USERS = enabled
assert access.can_read(other_team) is enabled
@pytest.mark.django_db
def test_team_member_read(rando, organization, team):
assert team.organization == organization
organization.member_role.members.add(rando)
assert TeamAccess(rando).can_read(team)
assert team in TeamAccess(rando).get_queryset()
@pytest.mark.django_db
def test_team_list_no_duplicate_entries(rando, organization, team):
organization.member_role.members.add(rando)
team.read_role.members.add(rando)
assert list(TeamAccess(rando).get_queryset()) == [team]
Reference in New Issue View Git Blame Copy Permalink