job template creation to require use_role, include network creds

2026-05-17 05:08:37 -05:00 · 2016-06-09 11:13:34 -04:00
parent 74b6ea82fb
commit a431f16953
4 changed files with 95 additions and 13 deletions
@@ -78,11 +78,15 @@ def test_job_template_factory(job_template_factory):
    jt_objects = job_template_factory('testJT', organization='org1',
                                      project='proj1', inventory='inventory1',
                                      credential='cred1', survey='test-survey',
+                                      cloud_credential='aws1',
+                                      network_credential='juniper1',
                                      jobs=[1])
    assert jt_objects.job_template.name == 'testJT'
    assert jt_objects.project.name == 'proj1'
    assert jt_objects.inventory.name == 'inventory1'
    assert jt_objects.credential.name == 'cred1'
+    assert jt_objects.cloud_credential.name == 'aws1'
+    assert jt_objects.network_credential.name == 'juniper1'
    assert jt_objects.inventory.organization.name == 'org1'
    assert jt_objects.job_template.survey_enabled is True
    assert jt_objects.job_template.survey_spec is not None
@@ -13,6 +13,13 @@ from django.apps import apps
 from django.core.urlresolvers import reverse


+@pytest.fixture
+def jt_objects(job_template_factory):
+    objects = job_template_factory(
+        'testJT', organization='org1', project='proj1', inventory='inventory1',
+        credential='cred1', cloud_credential='aws1', network_credential='juniper1')
+    return objects
+
@pytest.mark.django_db
 def test_job_template_migration_check(credential, deploy_jobtemplate, check_jobtemplate, user):
    admin = user('admin', is_superuser=True)
@@ -159,6 +166,58 @@ def test_job_template_access_superuser(check_license, user, deploy_jobtemplate):
    assert access.can_read(deploy_jobtemplate)
    assert access.can_add({})

+@pytest.mark.django_db
+def test_job_template_access_read_level(jt_objects, rando):
+
+    access = JobTemplateAccess(rando)
+    jt_objects.project.read_role.members.add(rando)
+    jt_objects.inventory.read_role.members.add(rando)
+    jt_objects.credential.read_role.members.add(rando)
+    jt_objects.cloud_credential.read_role.members.add(rando)
+    jt_objects.network_credential.read_role.members.add(rando)
+
+    proj_pk = jt_objects.project.pk
+    assert not access.can_add(dict(inventory=jt_objects.inventory.pk, project=proj_pk))
+    assert not access.can_add(dict(credential=jt_objects.credential.pk, project=proj_pk))
+    assert not access.can_add(dict(cloud_credential=jt_objects.cloud_credential.pk, project=proj_pk))
+    assert not access.can_add(dict(network_credential=jt_objects.network_credential.pk, project=proj_pk))
+
+@pytest.mark.django_db
+def test_job_template_access_use_level(jt_objects, rando):
+
+    access = JobTemplateAccess(rando)
+    jt_objects.project.use_role.members.add(rando)
+    jt_objects.inventory.use_role.members.add(rando)
+    jt_objects.credential.use_role.members.add(rando)
+    jt_objects.cloud_credential.use_role.members.add(rando)
+    jt_objects.network_credential.use_role.members.add(rando)
+
+    proj_pk = jt_objects.project.pk
+    assert access.can_add(dict(inventory=jt_objects.inventory.pk, project=proj_pk))
+    assert access.can_add(dict(credential=jt_objects.credential.pk, project=proj_pk))
+    assert access.can_add(dict(cloud_credential=jt_objects.cloud_credential.pk, project=proj_pk))
+    assert access.can_add(dict(network_credential=jt_objects.network_credential.pk, project=proj_pk))
+
+@pytest.mark.django_db
+def test_job_template_access_org_admin(jt_objects, rando):
+    access = JobTemplateAccess(rando)
+    # Appoint this user as admin of the organization
+    jt_objects.inventory.organization.admin_role.members.add(rando)
+    # Assign organization permission in the same way the create view does
+    organization = jt_objects.inventory.organization
+    jt_objects.credential.owner_role.parents.add(organization.admin_role)
+    jt_objects.cloud_credential.owner_role.parents.add(organization.admin_role)
+    jt_objects.network_credential.owner_role.parents.add(organization.admin_role)
+
+    proj_pk = jt_objects.project.pk
+    assert access.can_add(dict(inventory=jt_objects.inventory.pk, project=proj_pk))
+    assert access.can_add(dict(credential=jt_objects.credential.pk, project=proj_pk))
+    assert access.can_add(dict(cloud_credential=jt_objects.cloud_credential.pk, project=proj_pk))
+    assert access.can_add(dict(network_credential=jt_objects.network_credential.pk, project=proj_pk))
+
+    assert access.can_read(jt_objects.job_template)
+    assert access.can_delete(jt_objects.job_template)
+
@pytest.mark.django_db
@pytest.mark.job_permissions
 def test_job_template_creator_access(project, rando, post):