Add RoleData to resource registry

Author: AlanCoding

ansible_base/resource_registry/registry.py

@@ -27,6 +27,7 @@ class ServiceAPIConfig:
         "shared.team": ResourceTypeProcessor,
         "shared.organization": ResourceTypeProcessor,
         "shared.user": ResourceTypeProcessor,
+        "shared.roledefinition": ResourceTypeProcessor,
     }
 
     custom_resource_processors = {}

ansible_base/resource_registry/shared_types.py

@@ -1,5 +1,6 @@
 from rest_framework import serializers
 
+from ansible_base.rbac.models import DABContentType
 from ansible_base.resource_registry.utils.resource_type_serializers import AnsibleResourceForeignKeyField, SharedResourceTypeSerializer
 from ansible_base.resource_registry.utils.sso_provider import get_sso_provider_server
 
@@ -75,3 +76,27 @@ class TeamType(SharedResourceTypeSerializer):
         default="",
         allow_blank=True,
     )
+
+
+class RoleDefinitionPermissionsSerializer(serializers.Serializer):
+    permissions = serializers.SlugRelatedField(
+        slug_field='api_slug',
+        read_only=True,
+        many=True,
+    )
+
+
+class RoleDefinitionType(SharedResourceTypeSerializer):
+    RESOURCE_TYPE = "roledefinition"
+    ADDITIONAL_DATA_SERIALIZER = RoleDefinitionPermissionsSerializer
+    UNIQUE_FIELDS = ("name",)
+
+    name = serializers.CharField()
+    description = serializers.CharField(default="", allow_blank=True)
+    managed = serializers.BooleanField()
+    content_type = serializers.SlugRelatedField(
+        slug_field='api_slug',
+        queryset=DABContentType.objects.all(),
+        allow_null=True,
+        default=None,
+    )

docs/apps/rbac/for_app_developers.md

@@ -350,3 +350,31 @@ role definition with the name "team-member".
 Apps that utilize django-ansible-base may wish to add extra validation when assigning roles to actors (users or teams).
 
 see [Validation callback for role assignment](../../lib/validation.md)
+
+### Remote Permissions
+
+There is an API under `/service-index/` designed for the purpose (primarily) for use in
+coordination of permissions between multiple servers or services.
+Actually doing the coordination of permissions in a cluster is an exercise left up to the reader.
+
+Types and permissions are shown in:
+ - `/service-index/role-types/`
+ - `/service-index/role-permissions/`
+
+To get everything you need, you must add an entry to your `RESOURCE_LIST` setting.
+
+```
+from ansible_base.rbac.models import RoleDefinition
+from ansible_base.resource_registry.shared_types import RoleDefinitionType
+
+RESOURCE_LIST = (
+    ...
+    ResourceConfig(
+        RoleDefinition,
+        shared_resource=SharedResource(serializer=RoleDefinitionType, is_provider=False),
+    ),
+)
+```
+
+With this, role definitions should appear in the endpoint
+ - `/service-index/resources/?`

test_app/resource_api.py

@@ -1,8 +1,9 @@
 from django.contrib.auth import get_user_model
 
 from ansible_base.authentication.models import Authenticator
+from ansible_base.rbac.models import RoleDefinition
 from ansible_base.resource_registry.registry import ResourceConfig, ServiceAPIConfig, SharedResource
-from ansible_base.resource_registry.shared_types import OrganizationType, TeamType, UserType
+from ansible_base.resource_registry.shared_types import OrganizationType, RoleDefinitionType, TeamType, UserType
 from ansible_base.resource_registry.utils.resource_type_processor import ResourceTypeProcessor
 from test_app.models import Organization, Original1, Proxy2, ResourceMigrationTestModel, Team
 
@@ -37,6 +38,10 @@ class APIConfig(ServiceAPIConfig):
         Organization,
         shared_resource=SharedResource(serializer=OrganizationType, is_provider=False),
     ),
+    ResourceConfig(
+        RoleDefinition,
+        shared_resource=SharedResource(serializer=RoleDefinitionType, is_provider=False),
+    ),
     # Authenticators won't be a shared resource in production, but it's a convenient model to use for testing.
     ResourceConfig(Authenticator),
     ResourceConfig(ResourceMigrationTestModel),

test_app/tests/rbac/remote/test_service_api.py

@@ -32,3 +32,22 @@ def test_get_permission_list(admin_api_client):
     change_org_data = type_data['shared.change_organization']
     assert change_org_data['content_type'] == 'shared.organization'
     assert change_org_data['codename'] == 'change_organization'
+
+
+@pytest.mark.django_db
+def test_role_definition_listed_as_resource(admin_api_client, org_admin_rd):
+    url = get_relative_url('resource-list')
+    url += '?page_size=200&content_type__resource_type__name=shared.roledefinition'
+    response = admin_api_client.get(url, format="json")
+    assert response.status_code == 200, response.data
+    rd_data = {rd['name']: rd for rd in response.data['results']}
+
+    assert 'Organization Admin' in rd_data
+    org_admin_data = rd_data['Organization Admin']
+
+    detail = admin_api_client.get(org_admin_data['url'], format="json")
+    resource_data = detail.data['resource_data']
+    assert resource_data['managed'] is True
+    assert resource_data['content_type'] == 'shared.organization'
+    assert 'permissions' in detail.data['additional_data']
+    assert 'aap.add_inventory' in detail.data['additional_data']['permissions']