Prevent assigning credential to user of other org #15296
Conversation
|
|
||
| def validate_role_assignment(self, actor, role_definition): | ||
| if isinstance(actor, User): | ||
| if actor.is_superuser or self.organization in actor.organizations: |
There was a problem hiding this comment.
actor.organizations wasn't correct, and it was my fault. #15298
AlanCoding
left a comment
There was a problem hiding this comment.
We should add a unit test for this. Considering it now has 2 dependent patches, I would not feel comfortable merging without that as added verification. Otherwise we should be good.
| resp = post(url=url, data={"user": rando.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=400) | ||
| assert "You cannot grant credential access to a User not in the credentials' organization" in str(resp.data) | ||
|
|
||
| # can assign credential to superuser |
There was a problem hiding this comment.
Never really thought about this case, also don't think I care either way.
|
CI should be re-ran once ansible/django-ansible-base#490 is merged |
d861cfc to
4076208
Compare
|
I previously rebased this (using github). Checks failed due to stale image. I rebuilt the image and restarted the check (without modifying patch) just now. I am expecting a pass, but we'll see. |
|
I know the image has rebuilt, but locally, I pulled it and got a version from 19 hours ago (which is too old) and confirmed it has this commit: ansible/django-ansible-base@8eab0c0 And if that's what the checks are using (which it could be) then that would be why it's failing. |
4076208 to
0c2f5a8
Compare
|
#15308 was merged to freshen up the images and address the issue with CI here. |
Utilizes the `validate_role_assignment` callback from dab (see dab PR ansible#490) to prevent granting credential access to a user of another organization. This logic will work for role_user_assignments and role_team_assignments endpoints. Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
0c2f5a8 to
71bba17
Compare
Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
|
With the latest test failure, I think we're seeing a conflict of expectations with what I did in #15298 What I merged there considered indirect "member" permission to an organization. We have faced this in a couple of circumstances, and according to the logic of indirect access, the superuser has "member" permission to all organizations. However (and I hit this in other places as well), people are confused about listing superuser as a member of all organizations. Consulting the prior expectations, I think it would give a 400 even if the user in question was a superuser (who was not a direct member of the organization). |
|
Link related issue #15296 (comment) |
diff --git a/awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py b/awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py
index c54f5677cb..5bc4244fa3 100644
--- a/awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py
+++ b/awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py
@@ -134,9 +134,8 @@ def test_assign_credential_to_user_of_another_org(setup_managed_roles, credentia
assert "You cannot grant credential access to a User not in the credentials' organization" in str(resp.data)
# can assign credential to superuser
- rando.super_user = True
+ rando.is_superuser = True
rando.save()
- assert organization not in rando.organizations
post(url=url, data={"user": rando.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=201)
# can assign credential to org_memberThis brings it from failing to passing. We are pretty well agreed that this is acceptable, and is the same as before. |
Signed-off-by: Seth Foster <[email protected]>
Signed-off-by: Seth Foster <[email protected]>
Utilizes the `validate_role_assignment` callback from dab (see dab PR ansible#490) to prevent granting credential access to a user of another organization. This logic will work for role_user_assignments and role_team_assignments endpoints. Signed-off-by: Seth Foster <[email protected]>
Utilizes the `validate_role_assignment` callback from dab (see dab PR ansible#490) to prevent granting credential access to a user of another organization. This logic will work for role_user_assignments and role_team_assignments endpoints. Signed-off-by: Seth Foster <[email protected]>
SUMMARY
AAP-24919
requires ansible/django-ansible-base#490
Utilizes the
validate_role_assignmentcallback from dab to prevent granting credential access to a user of another organization.This prevention was already being handled correctly for the
RoleUsersListview, but not through the newerrole assignment endpoints.
This change is for assignments that are made through the role_user_assignments and role_team_assignments endpoints.
ISSUE TYPE
COMPONENT NAME