Merge branch 'release_3.0.2' into devel

* release_3.0.2: (126 commits) Disable permissions tab in Credential > Edit form if Credential is private (#3288) Tweaked the popover text for job and skip tags on JT add/edit Workaround a cascade setnull polymorphic issue flake8 Fixed old test expectations Made it so the credential organization field can't be changed Skip some unit tests Fixed org auditor visibility of team credentials Fix sosreport fix credential kind options for list interpret any code below 300 as success bail when status code is over 300 Make CloudForms inventory_script work Use no_log when handling passwords Prevent ignored task from being displayed as failing. making ec2 cred optional on group->edit making ec2 credential optional for ec2 inventory Revert "Fix to ensure org auditors can see team credentials" Fixed team credential list to work with corrected permissions Making the username and password fields optional ...
2026-05-06 08:21:50 -05:00 · 2016-08-18 22:52:55 -04:00
parent ce61fe4a42 fc1ca378d1
commit 8893f8278a
96 changed files with 1151 additions and 570 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -1,4 +1,3 @@
-
 # Copyright (c) 2015 Ansible, Inc.
 # All Rights Reserved.

@@ -201,7 +200,7 @@ class ApiV1ConfigView(APIView):
        '''Return various sitewide configuration settings.'''

        license_reader = TaskSerializer()
-        license_data   = license_reader.from_database(show_key=request.user.is_superuser)
+        license_data   = license_reader.from_database(show_key=request.user.is_superuser or request.user.is_system_auditor)
        if license_data and 'features' in license_data and 'activity_streams' in license_data['features']:
            license_data['features']['activity_streams'] &= tower_settings.ACTIVITY_STREAM_ENABLED

@@ -225,7 +224,10 @@ class ApiV1ConfigView(APIView):
            user_ldap_fields.extend(getattr(settings, 'AUTH_LDAP_USER_FLAGS_BY_GROUP', {}).keys())
            data['user_ldap_fields'] = user_ldap_fields

-        if request.user.is_superuser or Organization.accessible_objects(request.user, 'admin_role').exists():
+        if request.user.is_superuser \
+                or request.user.is_system_auditor \
+                or Organization.accessible_objects(request.user, 'admin_role').exists() \
+                or Organization.accessible_objects(request.user, 'auditor_role').exists():
            data.update(dict(
                project_base_dir = settings.PROJECTS_ROOT,
                project_local_paths = Project.get_local_path_choices(),
@@ -880,12 +882,19 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):
            data = dict(msg="Role 'id' field is missing.")
            return Response(data, status=status.HTTP_400_BAD_REQUEST)

-        role = Role.objects.get(pk=sub_id)
-        content_type = ContentType.objects.get_for_model(Organization)
-        if role.content_type == content_type:
+        role = get_object_or_400(Role, pk=sub_id)
+        org_content_type = ContentType.objects.get_for_model(Organization)
+        if role.content_type == org_content_type:
            data = dict(msg="You cannot assign an Organization role as a child role for a Team.")
            return Response(data, status=status.HTTP_400_BAD_REQUEST)

+        team = get_object_or_404(Team, pk=self.kwargs['pk'])
+        credential_content_type = ContentType.objects.get_for_model(Credential)
+        if role.content_type == credential_content_type:
+            if not role.content_object.organization or role.content_object.organization.id != team.organization.id:
+                data = dict(msg="You cannot grant credential access to a team when the Organization field isn't set, or belongs to a different organization")
+                return Response(data, status=status.HTTP_400_BAD_REQUEST)
+
        return super(TeamRolesList, self).post(request, *args, **kwargs)

 class TeamObjectRolesList(SubListAPIView):
@@ -1209,7 +1218,24 @@ class UserRolesList(SubListCreateAttachDetachAPIView):
            return Response(data, status=status.HTTP_400_BAD_REQUEST)

        if sub_id == self.request.user.admin_role.pk:
-            raise PermissionDenied('You may not remove your own admin_role.')
+            raise PermissionDenied('You may not perform any action with your own admin_role.')
+
+        user = get_object_or_400(User, pk=self.kwargs['pk'])
+        role = get_object_or_400(Role, pk=sub_id)
+        user_content_type = ContentType.objects.get_for_model(User)
+        if role.content_type == user_content_type:
+            raise PermissionDenied('You may not change the membership of a users admin_role')
+
+        credential_content_type = ContentType.objects.get_for_model(Credential)
+        if role.content_type == credential_content_type:
+            if role.content_object.organization and user not in role.content_object.organization.member_role:
+                data = dict(msg="You cannot grant credential access to a user not in the credentials' organization")
+                return Response(data, status=status.HTTP_400_BAD_REQUEST)
+
+            if not role.content_object.organization and not request.user.is_superuser:
+                data = dict(msg="You cannot grant private credential access to another user")
+                return Response(data, status=status.HTTP_400_BAD_REQUEST)
+

        return super(UserRolesList, self).post(request, *args, **kwargs)

@@ -1388,8 +1414,8 @@ class TeamCredentialsList(SubListCreateAPIView):
        self.check_parent_access(team)

        visible_creds = Credential.accessible_objects(self.request.user, 'read_role')
-        team_creds = Credential.objects.filter(admin_role__parents=team.member_role)
-        return team_creds & visible_creds
+        team_creds = Credential.objects.filter(Q(use_role__parents=team.member_role) | Q(admin_role__parents=team.member_role))
+        return (team_creds & visible_creds).distinct()


 class OrganizationCredentialList(SubListCreateAPIView):
@@ -2975,7 +3001,17 @@ class JobJobTasksList(BaseJobEventsList):
        # and these are what we're interested in here.
        STARTING_EVENTS = ('playbook_on_task_start', 'playbook_on_setup')

-        queryset = JobEvent.start_event_queryset(parent_task, STARTING_EVENTS)
+        # We need to pull information about each start event.
+        #
+        # This is super tricky, because this table has a one-to-many
+        # relationship with itself (parent-child), and we're getting
+        # information for an arbitrary number of children. This means we
+        # need stats on grandchildren, sorted by child.
+        queryset = (JobEvent.objects.filter(parent__parent=parent_task,
+                                            parent__event__in=STARTING_EVENTS)
+                                    .values('parent__id', 'event', 'changed', 'failed')
+                                    .annotate(num=Count('event'))
+                                    .order_by('parent__id'))

        # The data above will come back in a list, but we are going to
        # want to access it based on the parent id, so map it into a
@@ -3034,10 +3070,13 @@ class JobJobTasksList(BaseJobEventsList):
            # make appropriate changes to the task data.
            for child_data in data.get(task_start_event.id, []):
                if child_data['event'] == 'runner_on_failed':
-                    task_data['failed'] = True
                    task_data['host_count'] += child_data['num']
                    task_data['reported_hosts'] += child_data['num']
-                    task_data['failed_count'] += child_data['num']
+                    if child_data['failed']:
+                        task_data['failed'] = True
+                        task_data['failed_count'] += child_data['num']
+                    else:
+                        task_data['skipped_count'] += child_data['num']
                elif child_data['event'] == 'runner_on_ok':
                    task_data['host_count'] += child_data['num']
                    task_data['reported_hosts'] += child_data['num']
@@ -3625,7 +3664,6 @@ class RoleDetail(RetrieveAPIView):

    model = Role
    serializer_class = RoleSerializer
-    permission_classes = (IsAuthenticated,)
    new_in_300 = True


@@ -3648,6 +3686,26 @@ class RoleUsersList(SubListCreateAttachDetachAPIView):
        if not sub_id:
            data = dict(msg="User 'id' field is missing.")
            return Response(data, status=status.HTTP_400_BAD_REQUEST)
+
+        user = get_object_or_400(User, pk=sub_id)
+        role = self.get_parent_object()
+        if role == self.request.user.admin_role:
+            raise PermissionDenied('You may not perform any action with your own admin_role.')
+
+        user_content_type = ContentType.objects.get_for_model(User)
+        if role.content_type == user_content_type:
+            raise PermissionDenied('You may not change the membership of a users admin_role')
+
+        credential_content_type = ContentType.objects.get_for_model(Credential)
+        if role.content_type == credential_content_type:
+            if role.content_object.organization and user not in role.content_object.organization.member_role:
+                data = dict(msg="You cannot grant credential access to a user not in the credentials' organization")
+                return Response(data, status=status.HTTP_400_BAD_REQUEST)
+
+            if not role.content_object.organization and not request.user.is_superuser:
+                data = dict(msg="You cannot grant private credential access to another user")
+                return Response(data, status=status.HTTP_400_BAD_REQUEST)
+
        return super(RoleUsersList, self).post(request, *args, **kwargs)


@@ -3672,13 +3730,20 @@ class RoleTeamsList(SubListAPIView):
            data = dict(msg="Team 'id' field is missing.")
            return Response(data, status=status.HTTP_400_BAD_REQUEST)

+        team = get_object_or_400(Team, pk=sub_id)
        role = Role.objects.get(pk=self.kwargs['pk'])
-        content_type = ContentType.objects.get_for_model(Organization)
-        if role.content_type == content_type:
+
+        organization_content_type = ContentType.objects.get_for_model(Organization)
+        if role.content_type == organization_content_type:
            data = dict(msg="You cannot assign an Organization role as a child role for a Team.")
            return Response(data, status=status.HTTP_400_BAD_REQUEST)

-        team = Team.objects.get(pk=sub_id)
+        credential_content_type = ContentType.objects.get_for_model(Credential)
+        if role.content_type == credential_content_type:
+            if not role.content_object.organization or role.content_object.organization.id != team.organization.id:
+                data = dict(msg="You cannot grant credential access to a team when the Organization field isn't set, or belongs to a different organization")
+                return Response(data, status=status.HTTP_400_BAD_REQUEST)
+
        action = 'attach'
        if request.data.get('disassociate', None):
            action = 'unattach'