[AAP-48398] Add periodic role assignment fallback sync (ansible#810)

jessicamack · AlanCoding · fosterseth · web-flow · commit 56bfaf49731d · 2025-08-21T16:02:57.000-04:00
Gateway is the source of truth for RBAC. This change adds a method to sync the Role Team and Role User assignments between Controller and Gateway using the resource server. This ensures that all Role assignments locally match what Gateway reports.

---------

Signed-off-by: Seth Foster &lt;fosterbseth@gmail.com&gt;
Co-authored-by: Alan Rominger &lt;arominge@redhat.com&gt;
Co-authored-by: Seth Foster &lt;fosterbseth@gmail.com&gt;
Co-authored-by: Seth Foster &lt;fosterseth@users.noreply.github.com&gt;
diff --git a/ansible_base/resource_registry/tasks/sync.py b/ansible_base/resource_registry/tasks/sync.py
@@ -8,6 +8,7 @@
 from dataclasses import dataclass, field
 from enum import Enum
 from io import StringIO, TextIOBase
+from typing import Any
 
 from asgiref.sync import sync_to_async
 from django.conf import settings
@@ -17,6 +18,7 @@
 from django.db.utils import Error, IntegrityError
 from requests import HTTPError
 
+from ansible_base.rbac.models.role import AssignmentBase, RoleDefinition, RoleTeamAssignment, RoleUserAssignment
 from ansible_base.resource_registry.models import Resource, ResourceType
 from ansible_base.resource_registry.models.service_identifier import service_id
 from ansible_base.resource_registry.registry import get_registry
@@ -73,6 +75,29 @@ def __iter__(self):
         return iter((self.status, self.item))
 
 
+@dataclass
+class AssignmentTuple:
+    """Represents an assignment as a 3-tuple for comparison"""
+
+    actor_ansible_id: str  # user_ansible_id or team_ansible_id
+    ansible_id_or_pk: str | None  # object_id or object_ansible_id (None for global)
+    role_definition_name: str
+    assignment_type: str  # 'user' or 'team'
+
+    def __hash__(self):
+        return hash((self.actor_ansible_id, self.ansible_id_or_pk, self.role_definition_name, self.assignment_type))
+
+    def __eq__(self, other):
+        if not isinstance(other, AssignmentTuple):
+            return False
+        return (
+            self.actor_ansible_id == other.actor_ansible_id
+            and self.ansible_id_or_pk == other.ansible_id_or_pk
+            and self.role_definition_name == other.role_definition_name
+            and self.assignment_type == other.assignment_type
+        )
+
+
 def create_api_client() -> ResourceAPIClient:
     """Factory for pre-configured ResourceAPIClient."""
     params = {"raise_if_bad_request": False}
@@ -114,6 +139,211 @@ def fetch_manifest(
     return [ManifestItem(**row) for row in csv_reader]
 
 
+def get_ansible_id_or_pk(assignment: AssignmentBase) -> str:
+    # For object-scoped assignments, try to get the object's ansible_id
+    if assignment.content_type.model in ('organization', 'team'):
+        object_resource = Resource.objects.filter(object_id=assignment.object_id, content_type__model=assignment.content_type.model).first()
+        if object_resource:
+            ansible_id_or_pk = object_resource.ansible_id
+        else:
+            raise RuntimeError(f"Error: {assignment.content_type.model} {assignment.object_id} was found without an associated Resource.")
+    else:
+        ansible_id_or_pk = assignment.object_id
+
+    return str(ansible_id_or_pk)
+
+
+def get_content_object(role_definition: RoleDefinition, assignment_tuple: AssignmentTuple) -> Any:
+    content_object = None
+    if role_definition.content_type.model in ('organization', 'team'):
+        object_resource = Resource.objects.get(ansible_id=assignment_tuple.ansible_id_or_pk)
+        content_object = object_resource.content_object
+    else:
+        model = role_definition.content_type.model_class()
+        content_object = model.objects.get(pk=assignment_tuple.ansible_id_or_pk)
+
+    return content_object
+
+
+def get_remote_assignments(api_client: ResourceAPIClient) -> set[AssignmentTuple]:
+    """Fetch remote assignments from the resource server and convert to tuples."""
+    assignments = set()
+
+    # Fetch user assignments with pagination
+    try:
+        page = 1
+        while True:
+            filters = {'page': page}
+            user_resp = api_client.list_user_assignments(filters=filters)
+            if user_resp.status_code == 200:
+                user_data = user_resp.json()
+                for assignment in user_data.get('results', []):
+                    # Handle both object_id and object_ansible_id
+                    ansible_id_or_pk = assignment.get('object_ansible_id') or assignment.get('object_id')
+                    assignments.add(
+                        AssignmentTuple(
+                            actor_ansible_id=assignment['user_ansible_id'],
+                            ansible_id_or_pk=ansible_id_or_pk,
+                            role_definition_name=assignment['role_definition'],
+                            assignment_type='user',
+                        )
+                    )
+
+                # Check if there's a next page
+                if not user_data.get('next'):
+                    break
+
+                page += 1
+                logger.debug(f"Fetching next page {page} of user assignments")
+            else:
+                logger.warning(f"Failed to fetch user assignments page {page}: HTTP {user_resp.status_code}")
+                break
+    except Exception as e:
+        logger.warning(f"Failed to fetch remote user assignments: {e}")
+
+    # Fetch team assignments with pagination
+    try:
+        page = 1
+        while True:
+            filters = {'page': page}
+            team_resp = api_client.list_team_assignments(filters=filters)
+            if team_resp.status_code == 200:
+                team_data = team_resp.json()
+                for assignment in team_data.get('results', []):
+                    # Handle both object_id and object_ansible_id
+                    ansible_id_or_pk = assignment.get('object_ansible_id') or assignment.get('object_id')
+                    assignments.add(
+                        AssignmentTuple(
+                            actor_ansible_id=assignment['team_ansible_id'],
+                            ansible_id_or_pk=ansible_id_or_pk,
+                            role_definition_name=assignment['role_definition'],
+                            assignment_type='team',
+                        )
+                    )
+
+                # Check if there's a next page
+                if not team_data.get('next'):
+                    break
+
+                page += 1
+                logger.debug(f"Fetching next page {page} of team assignments")
+            else:
+                logger.warning(f"Failed to fetch team assignments page {page}: HTTP {team_resp.status_code}")
+                break
+    except Exception as e:
+        logger.warning(f"Failed to fetch remote team assignments: {e}")
+
+    return assignments
+
+
+def get_local_assignments() -> set[AssignmentTuple]:
+    """Get local assignments and convert to tuples."""
+    assignments = set()
+
+    # Get user assignments
+    for assignment in RoleUserAssignment.objects.select_related('user', 'role_definition').all():
+        try:
+            user_resource = Resource.get_resource_for_object(assignment.user)
+        except Resource.DoesNotExist:
+            # Skip assignments where the user doesn't have a resource
+            continue
+
+        user_ansible_id = user_resource.ansible_id
+        # Handle both object-scoped and global assignments
+        object_id = assignment.object_id
+        ansible_id_or_pk = None
+        if object_id and assignment.content_type:
+            ansible_id_or_pk = get_ansible_id_or_pk(assignment)
+
+        assignments.add(
+            AssignmentTuple(
+                actor_ansible_id=str(user_ansible_id),
+                ansible_id_or_pk=ansible_id_or_pk if ansible_id_or_pk else None,
+                role_definition_name=assignment.role_definition.name,
+                assignment_type='user',
+            )
+        )
+
+    # Get team assignments
+    for assignment in RoleTeamAssignment.objects.select_related('team', 'role_definition').all():
+        try:
+            team_resource = Resource.get_resource_for_object(assignment.team)
+        except Resource.DoesNotExist:
+            # Skip assignments where the user doesn't have a resource
+            continue
+        team_ansible_id = team_resource.ansible_id
+
+        # Handle both object-scoped and global assignments
+        object_id = assignment.object_id
+        ansible_id_or_pk = None
+        if object_id and assignment.content_type:
+            # For object-scoped assignments, try to get the object's ansible_id
+            ansible_id_or_pk = get_ansible_id_or_pk(assignment)
+
+        assignments.add(
+            AssignmentTuple(
+                actor_ansible_id=str(team_ansible_id),
+                ansible_id_or_pk=ansible_id_or_pk if ansible_id_or_pk else None,
+                role_definition_name=assignment.role_definition.name,
+                assignment_type='team',
+            )
+        )
+
+    return assignments
+
+
+def delete_local_assignment(assignment_tuple: AssignmentTuple) -> bool:
+    """Delete a local assignment based on the tuple."""
+    try:
+        role_definition = RoleDefinition.objects.get(name=assignment_tuple.role_definition_name)
+
+        # Get the actor (user or team)
+        resource = Resource.objects.get(ansible_id=assignment_tuple.actor_ansible_id)
+        actor = resource.content_object
+
+        # Get the object if it's not a global assignment
+        content_object = None
+        if assignment_tuple.ansible_id_or_pk:
+            content_object = get_content_object(role_definition, assignment_tuple)
+        # Use the role definition's remove methods
+        if content_object:
+            role_definition.remove_permission(actor, content_object)
+        else:
+            role_definition.remove_global_permission(actor)
+
+        return True
+
+    except Exception as e:
+        logger.error(f"Failed to delete assignment {assignment_tuple}: {e}")
+        return False
+
+
+def create_local_assignment(assignment_tuple: AssignmentTuple) -> bool:
+    """Create a local assignment based on the tuple."""
+    try:
+        role_definition = RoleDefinition.objects.get(name=assignment_tuple.role_definition_name)
+
+        # Get the actor (user or team)
+        resource = Resource.objects.get(ansible_id=assignment_tuple.actor_ansible_id)
+        actor = resource.content_object
+
+        # Get the object if it's not a global assignment
+        content_object = None
+        if assignment_tuple.ansible_id_or_pk:
+            content_object = get_content_object(role_definition, assignment_tuple)
+        # Use the role definition's give methods
+        if content_object:
+            role_definition.give_permission(actor, content_object)
+        else:
+            role_definition.give_global_permission(actor)
+
+        return True
+
+    except Exception as e:
+        logger.error(f"Failed to create assignment {assignment_tuple}: {e}")
+        return False
+
+
 def get_orphan_resources(
     resource_type_name: str,
     manifest_list: list[ManifestItem],
@@ -339,6 +569,7 @@ class SyncExecutor:
     deleted_count: int = 0
     asyncio: bool = False
     results: dict = field(default_factory=lambda: defaultdict(list))
+    sync_assignments: bool = True
 
     def write(self, text: str = ""):
         """Write to assigned IO or simply ignores the text."""
@@ -458,6 +689,59 @@ def _dispatch_sync_process(self, manifest_list: list[ManifestItem]):
             self.write()
             self._process_manifest_list(manifest_list)
 
+    def _sync_assignments(self):
+        """Synchronize role assignments between local and remote systems."""
+        if not self.sync_assignments:
+            return
+
+        self.write(">>> Syncing role assignments")
+
+        try:
+            # Get remote and local assignments
+            remote_assignments = get_remote_assignments(self.api_client)
+            local_assignments = get_local_assignments()
+
+            # Calculate differences
+            to_delete = local_assignments - remote_assignments
+            to_create = remote_assignments - local_assignments
+
+            deleted_count = 0
+            created_count = 0
+            error_count = 0
+
+            # Delete local assignments that don't exist remotely
+            for assignment_tuple in to_delete:
+                if delete_local_assignment(assignment_tuple):
+                    deleted_count += 1
+                    self.write(
+                        f"DELETED assignment {assignment_tuple.assignment_type} {assignment_tuple.actor_ansible_id}"
+                        " -> {assignment_tuple.role_definition_name} on {assignment_tuple.ansible_id_or_pk or 'global'}"
+                    )
+                else:
+                    error_count += 1
+
+            # Create local assignments that exist remotely but not locally
+            for assignment_tuple in to_create:
+                if create_local_assignment(assignment_tuple):
+                    created_count += 1
+                    self.write(
+                        f"CREATED assignment {assignment_tuple.assignment_type} {assignment_tuple.actor_ansible_id}"
+                        " -> {assignment_tuple.role_definition_name} on {assignment_tuple.ansible_id_or_pk or 'global'}"
+                    )
+                else:
+                    error_count += 1
+
+            self.write(f"Assignment sync completed: Created {created_count} | Deleted {deleted_count} | Errors {error_count}")
+
+            # Store results for reporting
+            self.results["assignments_created"] = [created_count]
+            self.results["assignments_deleted"] = [deleted_count]
+            self.results["assignment_errors"] = [error_count]
+
+        except Exception as e:
+            self.write(f"Assignment sync failed: {e}")
+            logger.exception("Assignment sync failed")
+
     def run(self):
         """Run the sync workflow.
 
@@ -466,6 +750,7 @@ def run(self):
         3. Cleanup orphaned resources (deleted remotely).
         4. Process the sync for each item in the manifest.
         5. Handle retries.
+        6. Sync role assignments.
         """
         self.write("----- RESOURCE SYNC STARTED -----")
         self.write()
@@ -488,4 +773,8 @@ def run(self):
 
             self.write()
 
+        # Sync assignments after all resources are synced
+        self._sync_assignments()
+        self.write()
+
         self.write("----- RESOURCE SYNC FINISHED -----")
diff --git a/test_app/tests/resource_registry/test_resource_sync.py b/test_app/tests/resource_registry/test_resource_sync.py
@@ -10,7 +10,7 @@
 from ansible_base.rbac.models import RoleDefinition
 from ansible_base.resource_registry.models import Resource, ResourceType
 from ansible_base.resource_registry.models.service_identifier import service_id
-from ansible_base.resource_registry.tasks.sync import ManifestItem, ResourceSyncHTTPError, SyncExecutor, _attempt_create_resource
+from ansible_base.resource_registry.tasks.sync import AssignmentTuple, ManifestItem, ResourceSyncHTTPError, SyncExecutor, _attempt_create_resource
 
 
 @pytest.fixture(scope="function")
@@ -254,3 +254,45 @@ def test_sync_error_handling_create(static_api_client, stdout):
         executor = SyncExecutor(api_client=static_api_client, stdout=stdout)
         executor.run()
         any('Errors 1' in line for line in stdout.lines)
+
+
+@mock.patch('ansible_base.resource_registry.tasks.sync.create_local_assignment')
+@mock.patch('ansible_base.resource_registry.tasks.sync.delete_local_assignment')
+@pytest.mark.django_db
+def test_role_assignment_resource_sync(mock_delete, mock_create, static_api_client, stdout):
+    mock_delete.return_value = True
+    mock_create.return_value = True
+
+    # Mock a remote assignment that does not exist locally to test creation
+    with mock.patch(
+        "ansible_base.resource_registry.tasks.sync.get_remote_assignments",
+        return_value={
+            AssignmentTuple(
+                actor_ansible_id='97447387-8596-404f-b0d0-6429b04c8d22', ansible_id_or_pk='1', role_definition_name='Team Member', assignment_type='user'
+            ),
+        },
+    ):
+        executor = SyncExecutor(api_client=static_api_client, stdout=stdout)
+        executor._sync_assignments()
+
+        assert '>>> Syncing role assignments' in stdout.lines
+        assert executor.results["assignments_created"] == [1]
+        assert executor.results["assignments_deleted"] == [0]
+        assert executor.results["assignment_errors"] == [0]
+
+    # Mock a local assignment with no matching remote assignment to test deletion
+    with mock.patch(
+        "ansible_base.resource_registry.tasks.sync.get_local_assignments",
+        return_value={
+            AssignmentTuple(
+                actor_ansible_id='97447387-8596-404f-b0d0-6429b04c8d22', ansible_id_or_pk='1', role_definition_name='Team Member', assignment_type='user'
+            ),
+        },
+    ):
+        executor = SyncExecutor(api_client=static_api_client, stdout=stdout)
+        executor._sync_assignments()
+
+        assert '>>> Syncing role assignments' in stdout.lines
+        assert executor.results["assignments_created"] == [0]
+        assert executor.results["assignments_deleted"] == [1]
+        assert executor.results["assignment_errors"] == [0]
