Allow registering models via a setting (ansible#533)

AlanCoding · web-flow · commit 20f43dad090a · 2024-11-26T13:37:47.000-05:00
diff --git a/ansible_base/lib/dynamic_config/settings_logic.py b/ansible_base/lib/dynamic_config/settings_logic.py
@@ -223,6 +223,9 @@ def get_dab_settings(
 
         dab_data['MANAGE_ORGANIZATION_AUTH'] = True
 
+        # Alternative to permission_registry.register
+        dab_data['ANSIBLE_BASE_RBAC_MODEL_REGISTRY'] = {}
+
         dab_data['ORG_ADMINS_CAN_SEE_ALL_USERS'] = True
 
     if 'ansible_base.resource_registry' in installed_apps:
diff --git a/ansible_base/rbac/permission_registry.py b/ansible_base/rbac/permission_registry.py
@@ -32,7 +32,7 @@ def __init__(self):
         self._tracked_relationships = set()
         self._trackers = dict()
 
-    def register(self, *args, parent_field_name='organization'):
+    def register(self, *args: Type[Model], parent_field_name: Optional[str] = 'organization'):
         if self.apps_ready:
             raise RuntimeError('Cannot register model to permission_registry after apps are ready')
         for cls in args:
@@ -142,16 +142,24 @@ def create_managed_roles(self, apps) -> list[tuple[Model, bool]]:
             ret.append((rd, created))
         return ret
 
-    def call_when_apps_ready(self, apps, app_config):
+    def call_when_apps_ready(self, apps, app_config) -> None:
         from ansible_base.rbac import triggers
         from ansible_base.rbac.evaluations import bound_has_obj_perm, bound_singleton_permissions, connect_rbac_methods
         from ansible_base.rbac.management import create_dab_permissions
 
         self.apps = apps
-        self.apps_ready = True
 
+        # Finish registering models
         if self.team_model not in self._registry:
-            self._registry.add(self.team_model)
+            self.register(self.team_model)
+
+        for model_name, kwargs in settings.ANSIBLE_BASE_RBAC_MODEL_REGISTRY.items():
+            model = apps.get_model(model_name)
+            if model not in self._registry:
+                self.register(model, **kwargs)
+
+        # This will lock-down the registry, raising an error for any other registrations
+        self.apps_ready = True
 
         # Do no specify sender for create_dab_permissions, because that is passed as app_config
         # and we want to create permissions for external apps, not the dab_rbac app
diff --git a/docs/apps/rbac/for_app_developers.md b/docs/apps/rbac/for_app_developers.md
@@ -140,6 +140,25 @@ model of `MyModel`, or `None`.
 TODO: Update to allow ManyToMany parent relationship in addition to ForeignKey
 https://github.com/ansible/django-ansible-base/issues/78
 
+#### Registering via a Setting
+
+If you don't want to register models in your Django models definition,
+then you can do the same thing with a setting.
+
+```
+ANSIBLE_BASE_RBAC_MODEL_REGISTRY = {
+    "my_app.mymodel": {"parent_field_name": "organization"}
+}
+```
+
+You might want to do this if `MyModel` isn't from your own app,
+and you want to avoid changing import order without additional thought.
+
+Models declared here are registered _in addition to_ the calls to
+`permission_registry.register`.
+Note that settings should never contain imported python objects.
+The model is referenced by app_label.model_name string.
+
 #### Django Model, Apps, and Permission Constraints
 
 It is fine to register models from multiple apps, but among the registered models,
diff --git a/test_app/models.py b/test_app/models.py
@@ -353,7 +353,12 @@ class Meta:
     organization = models.ForeignKey(Organization, on_delete=models.CASCADE, related_name='public_data')
 
 
-permission_registry.register(Organization, Inventory, Credential, Namespace, Team, Cow, UUIDModel, PositionModel, WeirdPerm, PublicData)
+# Intentionally, for testing purposes, we register these models in settings
+# - Inventory
+# - Credential
+# - ImmutableTask, parent_field_name=None
+
+permission_registry.register(Organization, Namespace, Team, Cow, UUIDModel, PositionModel, WeirdPerm, PublicData)
 permission_registry.register(ParentName, parent_field_name='my_organization')
 permission_registry.register(CollectionImport, parent_field_name='namespace')
 permission_registry.register(InstanceGroup, ImmutableTask, LogEntry, parent_field_name=None)
diff --git a/test_app/settings.py b/test_app/settings.py
@@ -185,6 +185,11 @@
 ANSIBLE_BASE_JWT_MANAGED_ROLES.append("System Auditor")  # noqa: F821 this is set by dynamic settings for jwt_consumer
 ANSIBLE_BASE_ALLOW_SINGLETON_USER_ROLES = True
 ANSIBLE_BASE_ALLOW_SINGLETON_TEAM_ROLES = True
+ANSIBLE_BASE_RBAC_MODEL_REGISTRY = {
+    "test_app.inventory": {"parent_field_name": "organization"},
+    "test_app.credential": {},
+    "test_app.immutabletask": {"parent_field_name": None},
+}
 ANSIBLE_BASE_OAUTH2_PROVIDER_PERMISSIONS_CHECK_IGNORED_VIEWS = ["drf_spectacular.views.SpectacularSwaggerView"]
 ALLOW_SHARED_RESOURCE_CUSTOM_ROLES = True  # Allow making custom roles with org change permission, for example
 ALLOW_LOCAL_ASSIGNING_JWT_ROLES = False
