Finishing work for assignment sync endpoints

Author: AlanCoding

ansible_base/rbac/management/__init__.py

@@ -1,4 +1,5 @@
 import logging
+from collections import defaultdict
 
 from django.apps import apps as global_apps
 from django.db import DEFAULT_DB_ALIAS, connection, router
@@ -94,8 +95,14 @@ def sync_DAB_permissions(verbosity=2, using=DEFAULT_DB_ALIAS, apps=global_apps):
             perms.append(permission)
 
     Permission.objects.using(using).bulk_create(perms)
+
+    # This is all just for nice logging
+    perms_by_model_name = defaultdict(list)
     for perm in perms:
-        logger.debug("Adding permission '%s'" % perm)
+        perms_by_model_name[perm.content_type.model].append(perm.codename)
+    for model_name, codenames in perms_by_model_name.items():
+        codename_prnt = ', '.join(codenames)
+        logger.debug(f"Added DAB permissions for model {model_name}: {codename_prnt}")
 
     # Reset the sequence to avoid PK collision later
     if connection.vendor == 'postgresql':

ansible_base/rbac/service_api/serializers.py

@@ -1,4 +1,7 @@
+from crum import impersonate
 from django.apps import apps
+from django.db import transaction
+from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
 from ..models import DABContentType, DABPermission, RoleDefinition, RoleTeamAssignment, RoleUserAssignment
@@ -35,33 +38,96 @@ def to_internal_value(self, data):
         return resource.content_object
 
 
+class ObjectIDAnsibleIDField(serializers.Field):
+    "This is an ansible_id field intended to be used with source pointing to object_id, so, does conversion"
+
+    def to_representation(self, value):
+        "The source for this field is object_id, which is ignored, use content_object instead"
+        assignment = self.parent.instance
+        content_object = assignment.content_object
+        if isinstance(content_object, RemoteObject):
+            return None
+        if hasattr(content_object, 'resource'):
+            return str(content_object.resource.ansible_id)
+        return None
+
+    def to_internal_value(self, value):
+        "Targeting object_id, this converts ansible_id into object_id"
+        resource_cls = apps.get_model('dab_resource_registry', 'Resource')
+        resource = resource_cls.objects.get(ansible_id=value)
+        return resource.object_id
+
+
 assignment_common_fields = ('created', 'created_by_ansible_id', 'object_id', 'object_ansible_id', 'content_type', 'role_definition')
 
 
 class BaseAssignmentSerializer(serializers.ModelSerializer):
     content_type = serializers.SlugRelatedField(read_only=True, slug_field='api_slug')
     role_definition = serializers.SlugRelatedField(slug_field='name', queryset=RoleDefinition.objects.all())
     created_by_ansible_id = ActorAnsibleIDField(source='created_by', required=False)
-    object_ansible_id = serializers.SerializerMethodField()
+    object_ansible_id = ObjectIDAnsibleIDField(source='object_id', required=False)
     # TODO: use the from_service to control what we sync back to
     from_service = serializers.CharField(write_only=True)
 
     def get_created_by_ansible_id(self, obj):
         return str(obj.created_by.resource.ansible_id)
 
-    def get_object_ansible_id(self, obj):
-        content_object = obj.content_object
-        if isinstance(content_object, RemoteObject):
-            return None
-        if hasattr(content_object, 'resource'):
-            return str(content_object.resource.ansible_id)
-        return None
+    def validate(self, attrs):
+        """The object_id vs ansible_id is the only dual-write case, where we have to accept either
+
+        So this does the mutual validation to assure we have sufficient data.
+        """
+        has_oid = 'object_id' in self.initial_data
+        has_oaid = 'object_ansible_id' in self.initial_data
+
+        if not self.partial and not has_oid and not has_oaid:
+            raise serializers.ValidationError("You must provide either 'object_id' or 'object_ansible_id'.")
+
+        # NOTE: right now not enforcing the case you provide both, could check for consistency later
+
+        return attrs
 
     def find_existing_assignment(self, queryset):
         actor = self.validated_data[self.actor_field]
-        object_id = self.validated_data['object_id']
         role_definition = self.validated_data['role_definition']
-        return queryset.filter(object_id=object_id, role_definition=role_definition, **{self.actor_field: actor}).first()
+        object_id = self.validated_data['object_id']
+        filter_kwargs = {self.actor_field: actor}
+        return queryset.filter(role_definition=role_definition, object_id=object_id, **filter_kwargs).first()
+
+    def create(self, validated_data):
+        rd = validated_data['role_definition']
+        actor = validated_data[self.actor_field]
+
+        as_user = None
+        if 'created_by' in validated_data:
+            as_user = validated_data['created_by']
+
+        # Unlike the public view, the action is attributed to the specified user in data
+        with impersonate(as_user):
+
+            object_id = validated_data['object_id']
+            obj = None
+            if object_id:
+                model = rd.content_type.model_class()
+                try:
+                    obj = model.objects.get(pk=object_id)
+                except model.DoesNotExist as exc:
+                    raise serializers.ValidationError({'object_id': str(exc)})
+
+            # Validators not ran, because this should be an internal action
+
+            if rd.content_type:
+                # Object role assignment
+                if not obj:
+                    raise serializers.ValidationError({'object_id': _('Object must be specified for this role assignment')})
+
+                with transaction.atomic():
+                    assignment = rd.give_permission(actor, obj)
+            else:
+                with transaction.atomic():
+                    assignment = rd.give_global_permission(actor)
+
+            return assignment
 
 
 class RoleUserAssignmentSerializer(BaseAssignmentSerializer):

ansible_base/rbac/service_api/views.py

@@ -1,3 +1,4 @@
+from django.db import transaction
 from rest_framework import status
 from rest_framework.decorators import action
 from rest_framework.response import Response
@@ -59,10 +60,8 @@ def assign(self, request):
 
         existing = serializer.find_existing_assignment(self.get_queryset())
         if existing:
-            return Response(
-                {"detail": "This assignment already exists."},
-                status=status.HTTP_409_CONFLICT,
-            )
+            output_serializer = self.get_serializer(existing)
+            return Response(output_serializer.data, status=status.HTTP_200_OK)
 
         instance = serializer.save()
         output_serializer = self.get_serializer(instance)
@@ -75,15 +74,21 @@ def unassign(self, request):
 
         existing = serializer.find_existing_assignment(self.get_queryset())
         if not existing:
-            return Response(
-                {"detail": "No such assignment exists."},
-                status=status.HTTP_409_CONFLICT,
-            )
+            output_serializer = self.get_serializer(existing)
+            return Response(output_serializer.data, status=status.HTTP_200_OK)
 
         # Use standard DRF delete logic
         self.perform_destroy(existing)
         return Response(status=status.HTTP_204_NO_CONTENT)
 
+    def perform_destroy(self, instance):
+        if instance.content_type_id:
+            with transaction.atomic():
+                instance.role_definition.remove_permission(instance.actor, instance.content_object)
+        else:
+            with transaction.atomic():
+                instance.role_definition.remove_global_permission(instance.actor)
+
 
 class ServiceRoleTeamAssignmentViewSet(
     AnsibleBaseDjangoAppApiView,

ansible_base/resource_registry/rest_client.py

@@ -5,6 +5,7 @@
 
 import requests
 import urllib3
+from django.apps import apps
 
 from ansible_base.resource_registry.resource_server import get_resource_server_config, get_service_token
 
@@ -166,3 +167,43 @@ def list_role_types(self, filters: Optional[dict] = None):
 
     def list_role_permissions(self, filters: Optional[dict] = None):
         return self._make_request("get", "role-permissions/", params=filters)
+
+    def sync_assignment(self, assignment):
+        from ansible_base.rbac.service_api.serializers import RoleTeamAssignmentSerializer, RoleUserAssignmentSerializer
+
+        if assignment._meta.model_name == 'roleuserassignment':
+            serializer = RoleUserAssignmentSerializer(assignment)
+        else:
+            serializer = RoleTeamAssignmentSerializer(assignment)
+
+        return self._sync_assignment(serializer.data)
+
+    def sync_unassignment(self, role_definition, actor, content_object):
+        data = {'role_definition': role_definition.name}
+        data[f'{actor._meta.model_name}_ansible_id'] = str(actor.resource.ansible_id)
+
+        if content_object is None:
+            data['object_id'] = None
+        else:
+            ct_cls = apps.get_model('dab_rbac', 'DABContentType')
+            ct = ct_cls.objects.get_for_model(content_object)
+            if ct.service == 'shared':
+                data['object_ansible_id'] = str(content_object.resource.ansible_id)
+            else:
+                data['object_id'] = content_object.object_id
+
+        return self._sync_assignment(data, giving=False)
+
+    def _sync_assignment(self, data, giving=True):
+        if giving:
+            sub_url = 'assign'
+        else:
+            sub_url = 'unassign'
+
+        actor_type = 'user'
+        if 'team' in data:
+            actor_type = 'team'
+
+        url = f'role-{actor_type}-assignments/{sub_url}/'
+
+        return self._make_request(method="post", path=url, data=data)

test_app/tests/resource_registry/test_resources_api_rest_client.py

@@ -183,6 +183,40 @@ def test_list_role_permissions_all_pages(resource_client):
     assert resp.json()["count"] > 25
 
 
+def _assert_assignment_matches_data(assignment, data, organization, user):
+    assert 'created' in data, data
+    # assert DateTimeField().to_representation(assignment.created) == data['created']  # TODO
+    assert str(assignment.created_by.resource.ansible_id) == data['created_by_ansible_id']
+    assert assignment.object_id == organization.id
+    assert str(assignment.object_id) == str(data['object_id'])
+    assert str(organization.resource.ansible_id) == data['object_ansible_id']
+    assert 'shared.organization' == data['content_type']
+    assert 'Organization Admin' == data['role_definition']
+    assert str(user.resource.ansible_id) == data['user_ansible_id']
+
+
+@pytest.mark.django_db
+def test_sync_assignment(resource_client, org_admin_rd, user, organization):
+    assignment = org_admin_rd.give_permission(user, organization)
+    resp = resource_client.sync_assignment(assignment)
+
+    assert resp.status_code == 200, resp.text
+
+    data = resp.json()
+    # Existing assignment should be this current assignment
+    _assert_assignment_matches_data(assignment, data, organization, user)
+
+    org_admin_rd.remove_permission(user, organization)
+
+    resp = resource_client.sync_assignment(assignment)  # assignment not actually here locally
+
+    assert resp.status_code == 201, resp.text  # created
+
+    data = resp.json()
+    # All the data, on the remote system, should match our original assignment
+    _assert_assignment_matches_data(assignment, data, organization, user)
+
+
 @pytest.mark.django_db
 def test_get_resource_404(resource_client):
     resource_client.raise_if_bad_request = True
@@ -214,7 +248,7 @@ def test_additional_data_read(resource_client, django_user_model, github_authent
 @pytest.mark.django_db
 @pytest.mark.parametrize('partial', [True, False])
 def test_additional_data_write(resource_client, partial):
-    "Will remove a permission from a role definition using the additional_data field."
+    "Will remove a permission from a role definition."
     rd = RoleDefinition.objects.create_from_permissions(
         permissions=['aap.change_inventory', 'aap.view_inventory'],
         name='change-inv-for-now',