Merge branch 'devel' into ansible_id_assurance

Author: bhavenst

ansible_base/authentication/serializers/__init__.py

@@ -1,3 +1,3 @@
-from .authenticator import AuthenticatorSerializer  # noqa: 401
+from .authenticator import AuthenticatorSerializer, AuthenticatorUpdateSerializer  # noqa: 401
 from .authenticator_map import AuthenticatorMapSerializer  # noqa: 401
 from .ui_auth import PasswordAuthenticatorSerializer, SSOAuthenticatorSerializer, UIAuthResponseSerializer  # noqa: 401

ansible_base/authentication/serializers/authenticator.py

@@ -146,3 +146,12 @@ def _get_related(self, obj) -> dict[str, str]:
             related['users'] = get_relative_url('authenticator-users-list', kwargs={'pk': obj.pk})
 
         return related
+
+
+class AuthenticatorUpdateSerializer(AuthenticatorSerializer):
+    """Specialized serializer for update operations that makes type field read-only."""
+
+    type = ChoiceField(choices=get_authenticator_plugins(), read_only=True, help_text="The type of authentication service this is.")
+
+    class Meta(AuthenticatorSerializer.Meta):
+        read_only_fields = getattr(AuthenticatorSerializer.Meta, 'read_only_fields', []) + ['type']

ansible_base/authentication/serializers/authenticator_map.py

@@ -8,13 +8,22 @@
 from ansible_base.authentication.utils.authenticator_map import _EXPANSION_FIELDS, check_expansion_syntax, check_role_type, has_expansion
 from ansible_base.authentication.utils.trigger_definition import TRIGGER_DEFINITION
 from ansible_base.lib.serializers.common import NamedCommonModelSerializer
+from ansible_base.lib.serializers.fields import JSONField
 from ansible_base.lib.utils.string import is_empty
 from ansible_base.lib.utils.typing import TranslatedString
 
 logger = logging.getLogger('ansible_base.authentication.serializers.authenticator_map')
 
 
 class AuthenticatorMapSerializer(NamedCommonModelSerializer):
+    triggers = JSONField(
+        required=True,
+        allow_null=False,
+        error_messages={'required': 'Triggers must be a valid dict'},
+        help_text="Required. Trigger conditions dictionary that determines when this map applies. "
+        "See /trigger_definition/ for structure details. Only one top-level key per request.",
+    )
+
     class Meta:
         model = AuthenticatorMap
         fields = NamedCommonModelSerializer.Meta.fields + ['authenticator', 'map_type', 'role', 'organization', 'team', 'revoke', 'triggers', 'order']

ansible_base/authentication/views/authenticator.py

@@ -5,7 +5,7 @@
 from rest_framework.viewsets import ModelViewSet
 
 from ansible_base.authentication.models import Authenticator, AuthenticatorUser
-from ansible_base.authentication.serializers import AuthenticatorSerializer
+from ansible_base.authentication.serializers import AuthenticatorSerializer, AuthenticatorUpdateSerializer
 from ansible_base.lib.utils.views.django_app_api import AnsibleBaseDjangoAppApiView
 
 logger = logging.getLogger('ansible_base.authentication.views.authenticator')
@@ -36,6 +36,11 @@ def get_serializer(self, *args, **kwargs):
 
         return super().get_serializer(*args, **kwargs)
 
+    def get_serializer_class(self):
+        if self.action in ['update', 'partial_update']:
+            return AuthenticatorUpdateSerializer
+        return super().get_serializer_class()
+
     def destroy(self, request, *args, **kwargs):
         instance = self.get_object()
 

ansible_base/rbac/api/views.py

@@ -14,6 +14,7 @@
 from rest_framework.viewsets import GenericViewSet, ModelViewSet, mixins
 
 from ansible_base.lib.utils.auth import get_team_model, get_user_model
+from ansible_base.lib.utils.schema import extend_schema_if_available
 from ansible_base.lib.utils.views.django_app_api import AnsibleBaseDjangoAppApiView
 from ansible_base.lib.utils.views.permissions import try_add_oauth2_scope_permission
 from ansible_base.rbac.api.permissions import RoleDefinitionPermissions
@@ -236,17 +237,24 @@ class RoleTeamAssignmentViewSet(BaseAssignmentViewSet):
     ]
 
 
-class RoleUserAssignmentViewSet(BaseAssignmentViewSet):
-    """
-    Use this endpoint to give a user permission to a resource or an organization.
-    The needed data is the user, the role definition, and the object id.
-    The object must be of the type specified in the role definition.
-    The type given in the role definition and the provided object_id are used
-    to look up the resource.
+# Schema fragments for RoleUserAssignmentViewSet OpenAPI spec
+_USER_ACTOR_ONEOF = {
+    'oneOf': [
+        {'required': ['user'], 'not': {'required': ['user_ansible_id']}},
+        {'required': ['user_ansible_id'], 'not': {'required': ['user']}},
+    ]
+}
+
+_OBJECT_ID_ONEOF = {
+    'oneOf': [
+        {'properties': {'object_id': {'oneOf': [{'type': 'integer'}, {'type': 'string', 'format': 'uuid'}]}, 'object_ansible_id': False}},
+        {'properties': {'object_ansible_id': {'type': 'string', 'format': 'uuid'}, 'object_id': False}},
+        {'not': {'anyOf': [{'required': ['object_id']}, {'required': ['object_ansible_id']}]}},
+    ]
+}
 
-    After creation, the assignment cannot be edited, but can be deleted to
-    remove those permissions.
-    """
+
+class RoleUserAssignmentViewSet(BaseAssignmentViewSet):
 
     resource_purpose = "RBAC role grants assigning permissions to users for specific resources"
 
@@ -257,6 +265,25 @@ class RoleUserAssignmentViewSet(BaseAssignmentViewSet):
         ansible_id_backend.RoleAssignmentFilterBackend,
     ]
 
+    @extend_schema_if_available(
+        request={
+            'application/json': {
+                'allOf': [
+                    {'$ref': '#/components/schemas/RoleUserAssignment'},
+                    _USER_ACTOR_ONEOF,
+                    _OBJECT_ID_ONEOF,
+                ]
+            },
+        },
+        description="Give a user permission to a resource, an organization, or globally (when allowed)."
+        "Must specify 'role_definition' and exactly one of 'user' or 'user_ansible_id'."
+        "Can specify at most one of 'object_id' or 'object_ansible_id' (omit both for global roles)."
+        "The content_type of the role definition and the provided object_id are used to look up the resource."
+        "After creation, the assignment cannot be edited, but can be deleted to remove those permissions.",
+    )
+    def create(self, request, *args, **kwargs):
+        return super().create(request, *args, **kwargs)
+
 
 class AccessURLMixin:
     def get_actor_model(self):

test_app/tests/api_documentation/test_schema_integration.py

@@ -148,3 +148,35 @@ def test_openapi_schema_unauthenticated_access(unauthenticated_api_client):
     if response.status_code == 200:
         schema = response.data
         assert 'openapi' in schema
+
+
+def test_role_user_assignment_create_schema(admin_api_client):
+    """
+    Test that RoleUserAssignmentViewSet's create operation has proper schema constraints.
+
+    Generated by Claude Code (claude-sonnet-4-5@20250929)
+
+    Verifies that the request body schema properly enforces:
+    - Exactly one of 'user' or 'user_ansible_id' is required
+    - At most one of 'object_id' or 'object_ansible_id' can be specified
+    """
+    url = '/api/v1/docs/schema/'
+    response = admin_api_client.get(url)
+    assert response.status_code == 200
+
+    # Navigate directly to the schema - will raise KeyError if path doesn't exist
+    all_of = response.data['paths']['/api/v1/role_user_assignments/']['post']['requestBody']['content']['application/json']['schema']['allOf']
+
+    # Verify structure: [base_schema, user_constraint, object_constraint]
+    assert len(all_of) == 3, "Should have 3 items: base schema + 2 constraint sets"
+    assert all_of[0] == {'$ref': '#/components/schemas/RoleUserAssignment'}
+
+    # Verify user constraint: exactly one of 'user' or 'user_ansible_id'
+    user_one_of = all_of[1]['oneOf']
+    assert len(user_one_of) == 2
+    assert user_one_of[0] == {'required': ['user'], 'not': {'required': ['user_ansible_id']}}
+    assert user_one_of[1] == {'required': ['user_ansible_id'], 'not': {'required': ['user']}}
+
+    # Verify object constraint: at most one of 'object_id' or 'object_ansible_id'
+    object_one_of = all_of[2]['oneOf']
+    assert len(object_one_of) == 3