JT RBAC edits for extra_credentials and vault_credential

2026-04-18 14:01:49 -05:00 · 2017-05-08 14:34:39 -04:00
parent 5b86fc299f
commit c6a3a7cc34
8 changed files with 161 additions and 73 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -28,7 +28,7 @@ from django.utils.timezone import now
 from django.utils.functional import cached_property

 # Django REST Framework
-from rest_framework.exceptions import ValidationError
+from rest_framework.exceptions import ValidationError, PermissionDenied
 from rest_framework import fields
 from rest_framework import serializers
 from rest_framework import validators
@@ -2248,6 +2248,7 @@ class JobOptionsSerializer(LabelsListMixin, BaseSerializer):

    def validate(self, attrs):
        v1_credentials = {}
+        view = self.context.get('view', None)
        if self.version == 1:  # TODO: remove in 3.3
            for attr, kind, error in (
                ('cloud_credential', 'cloud', _('You must provide a cloud credential.')),
@@ -2260,6 +2261,8 @@ class JobOptionsSerializer(LabelsListMixin, BaseSerializer):
                        cred = v1_credentials[attr] = Credential.objects.get(pk=pk)
                        if cred.credential_type.kind != kind:
                            raise serializers.ValidationError({attr: error})
+                        if (not view) or (not view.request) or (view.request.user not in cred.use_role):
+                            raise PermissionDenied()

        if 'project' in self.fields and 'playbook' in self.fields:
            project = attrs.get('project', self.instance and self.instance.project or None)
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -2586,7 +2586,7 @@ class JobTemplateList(ListCreateAPIView):
    always_allow_superuser = False
    capabilities_prefetch = [
        'admin', 'execute',
-        {'copy': ['project.use', 'inventory.use', 'credential.use']}
+        {'copy': ['project.use', 'inventory.use', 'credential.use', 'vault_credential.use']}
    ]

    def post(self, request, *args, **kwargs):
@@ -2839,6 +2839,17 @@ class JobTemplateExtraCredentialsList(SubListCreateAttachDetachAPIView):
    new_in_320 = True
    new_in_api_v2 = True

+    def get_queryset(self):
+        # Return the full list of extra_credentials
+        parent = self.get_parent_object()
+        self.check_parent_access(parent)
+        sublist_qs = getattrd(parent, self.relationship)
+        sublist_qs = sublist_qs.prefetch_related(
+            'created_by', 'modified_by',
+            'admin_role', 'use_role', 'read_role',
+            'admin_role__parents', 'admin_role__members')
+        return sublist_qs
+
    def is_valid_relation(self, parent, sub, created=False):
        current_extra_types = [
            cred.credential_type.pk for cred in parent.extra_credentials.all()
@@ -4116,7 +4127,8 @@ class UnifiedJobTemplateList(ListAPIView):
    new_in_148 = True
    capabilities_prefetch = [
        'admin', 'execute',
-        {'copy': ['jobtemplate.project.use', 'jobtemplate.inventory.use', 'jobtemplate.credential.use',
+        {'copy': ['jobtemplate.project.use', 'jobtemplate.inventory.use',
+                  'jobtemplate.credential.use', 'jobtemplate.vault_credential.use',
                  'workflowjobtemplate.organization.admin']}
    ]