Test org level roles for remote models

Author: AlanCoding

test_app/tests/rbac/remote/conftest.py

@@ -1,12 +1,15 @@
 import pytest
 
-from ansible_base.rbac.models import DABContentType, DABPermission, RoleDefinition
+from ansible_base.rbac import permission_registry
+from ansible_base.rbac.models import DABPermission, RoleDefinition
+from test_app.models import Organization
 
 
 @pytest.fixture
 def foo_type():
     "Idea is that this is a remote type, in this case, the foo type"
-    return DABContentType.objects.create(service='foo', model='foo', app_label='foo')
+    org_ct = permission_registry.content_type_model.objects.get_for_model(Organization)
+    return permission_registry.content_type_model.objects.create(service='foo', model='foo', app_label='foo', parent_content_type=org_ct)
 
 
 @pytest.fixture
@@ -23,7 +26,7 @@ def foo_rd(foo_type, foo_permission):
 
 @pytest.fixture
 def foo_type_uuid():
-    return DABContentType.objects.create(service='foo', model='foo_uuid', app_label='foo', pk_field_type='uuid')
+    return permission_registry.content_type_model.objects.create(service='foo', model='foo_uuid', app_label='foo', pk_field_type='uuid')
 
 
 @pytest.fixture

test_app/tests/rbac/remote/test_public_api_compat.py

@@ -3,7 +3,9 @@
 import pytest
 
 from ansible_base.lib.utils.response import get_relative_url
+from ansible_base.rbac import permission_registry
 from ansible_base.rbac.remote import RemoteObject
+from test_app.models import Organization
 
 # Role Definitions
 
@@ -35,7 +37,7 @@ def test_create_remote_role_definition_for_remote(admin_api_client, foo_type, fo
 
 
 @pytest.mark.django_db
-def test_create_remote_role_definition_global(admin_api_client, foo_type, foo_permission):
+def test_create_remote_role_definition_global(admin_api_client, foo_permission):
     "Test creation of a system-wide role definition for a remote model"
     url = get_relative_url("roledefinition-list")
     data = dict(name='foo-foo-foo-global', description='bar', permissions=[foo_permission.api_slug], content_type=None)
@@ -45,6 +47,18 @@ def test_create_remote_role_definition_global(admin_api_client, foo_type, foo_pe
     assert response.data['permissions'] == ['foo.foo_foo']
 
 
+@pytest.mark.django_db
+def test_create_remote_role_definition_organization(admin_api_client, foo_permission):
+    "Test creation of an organization-wide role definition for a remote model"
+    url = get_relative_url("roledefinition-list")
+    org_ct = permission_registry.content_type_model.objects.get_for_model(Organization)
+    data = dict(name='foo-foo-foo-org', description='bar', permissions=[foo_permission.api_slug, 'shared.view_organization'], content_type=org_ct.api_slug)
+    response = admin_api_client.post(url, data=data, format="json")
+    assert response.status_code == 201, response.data
+    assert response.data['name'] == 'foo-foo-foo-org'
+    assert set(response.data['permissions']) == {'foo.foo_foo', 'shared.view_organization'}
+
+
 # Role User Assignments
 
 

test_app/tests/rbac/test_validators.py

@@ -6,8 +6,9 @@
 from rest_framework.exceptions import ValidationError
 
 from ansible_base.lib.utils.response import get_relative_url
-from ansible_base.rbac.models import RoleDefinition
+from ansible_base.rbac.models import DABPermission, RoleDefinition
 from ansible_base.rbac.permission_registry import permission_registry
+from ansible_base.rbac.remote import RemoteObject
 from ansible_base.rbac.validators import LocalValidators, permissions_allowed_for_role
 from test_app.models import Credential, Inventory, Organization
 
@@ -146,13 +147,23 @@ def test_no_change_permission_without_view(enabled):
 @pytest.mark.parametrize('cls', permission_registry.all_registered_models)
 def test_db_model_validators_match(cls):
     "This is a code transition test, making sure new DB-backed methods match model-backed methods"
+
+    # Load in some remote types and permissions to make test meaningful
+    org_ct = permission_registry.content_type_model.objects.get_for_model(Organization)
+    foo_ct = permission_registry.content_type_model.objects.create(service='foo', model='foo', app_label='foo', parent_content_type=org_ct)
+    DABPermission.objects.create(codename='foo_foo', content_type=foo_ct)
+
     db_perms = permissions_allowed_for_role(cls)
     model_perms = LocalValidators.permissions_allowed_for_role(cls)
 
     # convert data structure into sets because this test does not care about ordering
     for perms_structure in (db_perms, model_perms):
         tmp_structure = deepcopy(perms_structure)
         for main_model, codenames_list in tmp_structure.items():
+            if issubclass(main_model, RemoteObject):
+                # obviously the model method will not track permissions valid for remote model
+                perms_structure.pop(main_model)
+                continue
             perms_structure[main_model] = set(codenames_list)
 
     assert db_perms == model_perms