Merge branch 'rbac' of github.com:ansible/ansible-tower into rbac

awx/main/tests/functional/test_rbac_inventory.py

@@ -81,7 +81,7 @@ def test_inventory_admin_team(inventory, permissions, user, team):
     u = user('admin', False)
     perm = Permission(team=team, inventory=inventory, permission_type='admin')
     perm.save()
-    team.users.add(u)
+    team.deprecated_users.add(u)
 
     assert inventory.accessible_by(u, permissions['admin']) is False
 
@@ -105,7 +105,7 @@ def test_inventory_auditor(inventory, permissions, user, team):
     u = user('auditor', False)
     perm = Permission(team=team, inventory=inventory, permission_type='read')
     perm.save()
-    team.users.add(u)
+    team.deprecated_users.add(u)
 
     assert inventory.accessible_by(u, permissions['admin']) is False
     assert inventory.accessible_by(u, permissions['auditor']) is False
@@ -129,7 +129,7 @@ def test_inventory_updater(inventory, permissions, user, team):
     u = user('updater', False)
     perm = Permission(team=team, inventory=inventory, permission_type='write')
     perm.save()
-    team.users.add(u)
+    team.deprecated_users.add(u)
 
     assert inventory.accessible_by(u, permissions['admin']) is False
     assert inventory.accessible_by(u, permissions['auditor']) is False
@@ -154,7 +154,7 @@ def test_inventory_executor(inventory, permissions, user, team):
     u = user('executor', False)
     perm = Permission(team=team, inventory=inventory, permission_type='read', run_ad_hoc_commands=True)
     perm.save()
-    team.users.add(u)
+    team.deprecated_users.add(u)
 
     assert inventory.accessible_by(u, permissions['admin']) is False
     assert inventory.accessible_by(u, permissions['auditor']) is False

awx/main/tests/functional/test_rbac_job_templates.py

@@ -16,7 +16,7 @@ def test_job_template_migration_check(deploy_jobtemplate, check_jobtemplate, use
     joe = user('joe')
 
 
-    check_jobtemplate.project.organizations.all()[0].users.add(joe)
+    check_jobtemplate.project.organizations.all()[0].deprecated_users.add(joe)
 
     Permission(user=joe, inventory=check_jobtemplate.inventory, permission_type='read').save()
     Permission(user=joe, inventory=check_jobtemplate.inventory,
@@ -45,7 +45,7 @@ def test_job_template_migration_deploy(deploy_jobtemplate, check_jobtemplate, us
     joe = user('joe')
 
 
-    deploy_jobtemplate.project.organizations.all()[0].users.add(joe)
+    deploy_jobtemplate.project.organizations.all()[0].deprecated_users.add(joe)
 
     Permission(user=joe, inventory=deploy_jobtemplate.inventory, permission_type='read').save()
     Permission(user=joe, inventory=deploy_jobtemplate.inventory,
@@ -73,11 +73,11 @@ def test_job_template_migration_deploy(deploy_jobtemplate, check_jobtemplate, us
 def test_job_template_team_migration_check(deploy_jobtemplate, check_jobtemplate, organization, team, user):
     admin = user('admin', is_superuser=True)
     joe = user('joe')
-    team.users.add(joe)
+    team.deprecated_users.add(joe)
     team.organization = organization
     team.save()
 
-    check_jobtemplate.project.organizations.all()[0].users.add(joe)
+    check_jobtemplate.project.organizations.all()[0].deprecated_users.add(joe)
 
     Permission(team=team, inventory=check_jobtemplate.inventory, permission_type='read').save()
     Permission(team=team, inventory=check_jobtemplate.inventory,
@@ -108,11 +108,11 @@ def test_job_template_team_migration_check(deploy_jobtemplate, check_jobtemplate
 def test_job_template_team_deploy_migration(deploy_jobtemplate, check_jobtemplate, organization, team, user):
     admin = user('admin', is_superuser=True)
     joe = user('joe')
-    team.users.add(joe)
+    team.deprecated_users.add(joe)
     team.organization = organization
     team.save()
 
-    deploy_jobtemplate.project.organizations.all()[0].users.add(joe)
+    deploy_jobtemplate.project.organizations.all()[0].deprecated_users.add(joe)
 
     Permission(team=team, inventory=deploy_jobtemplate.inventory, permission_type='read').save()
     Permission(team=team, inventory=deploy_jobtemplate.inventory,

awx/main/tests/functional/test_rbac_organization.py

@@ -12,7 +12,7 @@ from django.apps import apps
 @pytest.mark.django_db
 def test_organization_migration_admin(organization, permissions, user):
     u = user('admin', False)
-    organization.admins.add(u)
+    organization.deprecated_admins.add(u)
 
     # Undo some automatic work that we're supposed to be testing with our migration
     organization.admin_role.members.remove(u)
@@ -26,7 +26,7 @@ def test_organization_migration_admin(organization, permissions, user):
 @pytest.mark.django_db
 def test_organization_migration_user(organization, permissions, user):
     u = user('user', False)
-    organization.users.add(u)
+    organization.deprecated_users.add(u)
 
     # Undo some automatic work that we're supposed to be testing with our migration
     organization.member_role.members.remove(u)
@@ -42,14 +42,14 @@ def test_organization_migration_user(organization, permissions, user):
 @pytest.mark.django_db
 def test_organization_access_superuser(cl, organization, user):
     access = OrganizationAccess(user('admin', True))
-    organization.users.add(user('user', False))
+    organization.deprecated_users.add(user('user', False))
 
     assert access.can_change(organization, None)
     assert access.can_delete(organization)
 
     org = access.get_queryset()[0]
-    assert len(org.admins.all()) == 0
-    assert len(org.users.all()) == 1
+    assert len(org.deprecated_admins.all()) == 0
+    assert len(org.deprecated_users.all()) == 1
 
 
 @mock.patch.object(BaseAccess, 'check_license', return_value=None)

awx/main/tests/functional/test_rbac_project.py

@@ -91,92 +91,90 @@ def test_project_migration():
     assert o3.projects.all()[0].jobtemplates.count() == 0
 
 
-#@pytest.mark.django_db
-#def test_project_user_project(user_project, project, user):
-#    u = user('owner')
-#
-#    assert old_access.check_user_access(u, user_project.__class__, 'read', user_project)
-#    assert old_access.check_user_access(u, project.__class__, 'read', project) is False
-#
-#    assert user_project.accessible_by(u, {'read': True}) is False
-#    assert project.accessible_by(u, {'read': True}) is False
-#    migrations = rbac.migrate_projects(apps, None)
-#    assert len(migrations[user_project.name]['users']) == 1
-#    assert len(migrations[user_project.name]['teams']) == 0
-#    assert user_project.accessible_by(u, {'read': True}) is True
-#    assert project.accessible_by(u, {'read': True}) is False
-#
-#@pytest.mark.django_db
-#def test_project_accessible_by_sa(user, project):
-#    u = user('systemadmin', is_superuser=True)
-#    # This gets setup by a signal, but we want to test the migration which will set this up too, so remove it
-#    Role.singleton('System Administrator').members.remove(u)
-#
-#    assert project.accessible_by(u, {'read': True}) is False
-#    rbac.migrate_organization(apps, None)
-#    su_migrations = rbac.migrate_users(apps, None)
-#    migrations = rbac.migrate_projects(apps, None)
-#    assert len(su_migrations) == 1
-#    assert len(migrations[project.name]['users']) == 0
-#    assert len(migrations[project.name]['teams']) == 0
-#    print(project.admin_role.ancestors.all())
-#    print(project.admin_role.ancestors.all())
-#    assert project.accessible_by(u, {'read': True, 'write': True}) is True
-#
-#@pytest.mark.django_db
-#def test_project_org_members(user, organization, project):
-#    admin = user('orgadmin')
-#    member = user('orgmember')
-#
-#    assert project.accessible_by(admin, {'read': True}) is False
-#    assert project.accessible_by(member, {'read': True}) is False
-#
-#    organization.admin_role.members.add(admin)
-#    organization.member_role.members.add(member)
-#
-#    rbac.migrate_organization(apps, None)
-#    migrations = rbac.migrate_projects(apps, None)
-#
-#    assert len(migrations[project.name]['users']) == 0
-#    assert len(migrations[project.name]['teams']) == 0
-#    assert project.accessible_by(admin, {'read': True, 'write': True}) is True
-#    assert project.accessible_by(member, {'read': True}) is False
-#
-#@pytest.mark.django_db
-#def test_project_team(user, team, project):
-#    nonmember = user('nonmember')
-#    member = user('member')
-#
-#    #team.users.add(member)
-#    team.member_role.members.add(member)
-#    project.teams.add(team)
-#
-#    assert project.accessible_by(nonmember, {'read': True}) is False
-#    assert project.accessible_by(member, {'read': True}) is False
-#
-#    rbac.migrate_team(apps, None)
-#    rbac.migrate_organization(apps, None)
-#    migrations = rbac.migrate_projects(apps, None)
-#
-#    assert len(migrations[project.name]['users']) == 0
-#    assert len(migrations[project.name]['teams']) == 1
-#    assert project.accessible_by(member, {'read': True}) is True
-#    assert project.accessible_by(nonmember, {'read': True}) is False
-#
-#@pytest.mark.django_db
-#def test_project_explicit_permission(user, team, project, organization):
-#    u = user('prjuser')
-#
-#    assert old_access.check_user_access(u, project.__class__, 'read', project) is False
-#
-#    organization.member_role.members.add(u)
-#    p = Permission(user=u, project=project, permission_type='create', name='Perm name')
-#    p.save()
-#
-#    assert project.accessible_by(u, {'read': True}) is False
-#
-#    rbac.migrate_organization(apps, None)
-#    migrations = rbac.migrate_projects(apps, None)
-#
-#    assert len(migrations[project.name]['users']) == 1
-#    assert project.accessible_by(u, {'read': True}) is True
+def test_project_user_project(user_project, project, user):
+    u = user('owner')
+
+    assert old_access.check_user_access(u, user_project.__class__, 'read', user_project)
+    assert old_access.check_user_access(u, project.__class__, 'read', project) is False
+
+    assert user_project.accessible_by(u, {'read': True}) is False
+    assert project.accessible_by(u, {'read': True}) is False
+    migrations = rbac.migrate_projects(apps, None)
+    assert len(migrations[user_project.name]['users']) == 1
+    assert len(migrations[user_project.name]['teams']) == 0
+    assert user_project.accessible_by(u, {'read': True}) is True
+    assert project.accessible_by(u, {'read': True}) is False
+
+@pytest.mark.django_db
+def test_project_accessible_by_sa(user, project):
+    u = user('systemadmin', is_superuser=True)
+    # This gets setup by a signal, but we want to test the migration which will set this up too, so remove it
+    Role.singleton('System Administrator').members.remove(u)
+
+    assert project.accessible_by(u, {'read': True}) is False
+    rbac.migrate_organization(apps, None)
+    su_migrations = rbac.migrate_users(apps, None)
+    migrations = rbac.migrate_projects(apps, None)
+    assert len(su_migrations) == 1
+    assert len(migrations[project.name]['users']) == 0
+    assert len(migrations[project.name]['teams']) == 0
+    print(project.admin_role.ancestors.all())
+    print(project.admin_role.ancestors.all())
+    assert project.accessible_by(u, {'read': True, 'write': True}) is True
+
+@pytest.mark.django_db
+def test_project_org_members(user, organization, project):
+    admin = user('orgadmin')
+    member = user('orgmember')
+
+    assert project.accessible_by(admin, {'read': True}) is False
+    assert project.accessible_by(member, {'read': True}) is False
+
+    organization.deprecated_admins.add(admin)
+    organization.deprecated_users.add(member)
+
+    rbac.migrate_organization(apps, None)
+    migrations = rbac.migrate_projects(apps, None)
+
+    assert len(migrations[project.name]['users']) == 1
+    assert len(migrations[project.name]['teams']) == 0
+    assert project.accessible_by(admin, {'read': True, 'write': True}) is True
+    assert project.accessible_by(member, {'read': True})
+
+@pytest.mark.django_db
+def test_project_team(user, team, project):
+    nonmember = user('nonmember')
+    member = user('member')
+
+    team.deprecated_users.add(member)
+    project.teams.add(team)
+
+    assert project.accessible_by(nonmember, {'read': True}) is False
+    assert project.accessible_by(member, {'read': True}) is False
+
+    rbac.migrate_team(apps, None)
+    rbac.migrate_organization(apps, None)
+    migrations = rbac.migrate_projects(apps, None)
+
+    assert len(migrations[project.name]['users']) == 0
+    assert len(migrations[project.name]['teams']) == 1
+    assert project.accessible_by(member, {'read': True}) is True
+    assert project.accessible_by(nonmember, {'read': True}) is False
+
+@pytest.mark.django_db
+def test_project_explicit_permission(user, team, project, organization):
+    u = user('prjuser')
+
+    assert old_access.check_user_access(u, project.__class__, 'read', project) is False
+
+    organization.deprecated_users.add(u)
+    p = Permission(user=u, project=project, permission_type='create', name='Perm name')
+    p.save()
+
+    assert project.accessible_by(u, {'read': True}) is False
+
+    rbac.migrate_organization(apps, None)
+    migrations = rbac.migrate_projects(apps, None)
+
+    assert len(migrations[project.name]['users']) == 1
+    assert project.accessible_by(u, {'read': True}) is True