Add tests and fix team service assignment viewset

AlanCoding · AlanCoding · commit 888f5e5104bd · 2025-07-18T19:52:53.000-04:00
diff --git a/ansible_base/rbac/service_api/views.py b/ansible_base/rbac/service_api/views.py
@@ -48,6 +48,12 @@ class BaseSerivceRoleAssignmentViewSet(
 ):
     """List of assignments for cross-service communication"""
 
+    permission_classes = try_add_oauth2_scope_permission(
+        [
+            HasResourceRegistryPermissions,
+        ]
+    )
+
     def remote_secondary_sync_assignment(self, assignment, from_service=None):
         """To allow service-specific sync when getting assignment from /service-index/ endpoint
 
@@ -102,17 +108,14 @@ def perform_destroy(self, instance):
 
 
 class ServiceRoleUserAssignmentViewSet(BaseSerivceRoleAssignmentViewSet):
+    """List of user assignments for cross-service communication"""
+
     queryset = RoleUserAssignment.objects.prefetch_related('user__resource', *prefetch_related)
     serializer_class = service_serializers.RoleUserAssignmentSerializer
     filter_backends = AnsibleBaseDjangoAppApiView.filter_backends + [
         ansible_id_backend.UserAnsibleIdAliasFilterBackend,
         ansible_id_backend.RoleAssignmentFilterBackend,
     ]
-    permission_classes = try_add_oauth2_scope_permission(
-        [
-            HasResourceRegistryPermissions,
-        ]
-    )
 
     @action(detail=False, methods=['post'], url_path='assign')
     def assign(self, request):
@@ -123,11 +126,7 @@ def unassign(self, request):
         return self._unassign(request)
 
 
-class ServiceRoleTeamAssignmentViewSet(
-    AnsibleBaseDjangoAppApiView,
-    mixins.ListModelMixin,
-    GenericViewSet,
-):
+class ServiceRoleTeamAssignmentViewSet(BaseSerivceRoleAssignmentViewSet):
     """List of team role assignments for cross-service communication"""
 
     queryset = RoleTeamAssignment.objects.prefetch_related('team__resource', *prefetch_related)
@@ -136,11 +135,6 @@ class ServiceRoleTeamAssignmentViewSet(
         ansible_id_backend.TeamAnsibleIdAliasFilterBackend,
         ansible_id_backend.RoleAssignmentFilterBackend,
     ]
-    permission_classes = try_add_oauth2_scope_permission(
-        [
-            HasResourceRegistryPermissions,
-        ]
-    )
 
     @action(detail=False, methods=['post'], url_path='assign')
     def assign(self, request):
diff --git a/test_app/tests/rbac/remote/test_service_api.py b/test_app/tests/rbac/remote/test_service_api.py
@@ -135,6 +135,67 @@ def test_apply_role_assignment(admin_api_client, rando, inv_rd, inventory):
     assert response.status_code == 200, response.data
 
 
+@pytest.mark.django_db
+def test_unassign_endpoint(rando, org_inv_rd, inventory, admin_api_client):
+    org_inv_rd.give_permission(rando, inventory.organization)
+    assert rando.has_obj_perm(inventory, 'change')
+
+    url = get_relative_url('serviceuserassignment-unassign')
+    data = {
+        "role_definition": org_inv_rd.name,
+        "user_ansible_id": str(rando.resource.ansible_id),
+        "object_ansible_id": str(inventory.organization.resource.ansible_id),
+    }
+    response = admin_api_client.post(url, data)
+    assert response.status_code == 204, response.data
+    assert not rando.has_obj_perm(inventory, 'change')
+
+    # second gets a 200 code
+    response = admin_api_client.post(url, data)
+    assert response.status_code == 200, response.data
+    assert not rando.has_obj_perm(inventory, 'change')
+
+
+# teams
+@pytest.mark.django_db
+def test_apply_role_assignment_for_team(admin_api_client, inv_rd, inventory, team, member_rd, rando):
+    member_rd.give_permission(rando, team)
+    url = get_relative_url('serviceteamassignment-assign')
+
+    data = {"role_definition": inv_rd.name, "team_ansible_id": str(team.resource.ansible_id), "object_id": inventory.pk}
+
+    assert not rando.has_obj_perm(inventory, 'change')
+    response = admin_api_client.post(url, data=data)
+    assert response.status_code == 201, response.data
+    assert rando.has_obj_perm(inventory, 'change')
+
+    # Second try, response code indicates assignment already exists
+    response = admin_api_client.post(url, data=data)
+    assert response.status_code == 200, response.data
+
+
+@pytest.mark.django_db
+def test_unassign_endpoint_for_team(team, org_inv_rd, inventory, admin_api_client, member_rd, rando):
+    member_rd.give_permission(rando, team)
+    org_inv_rd.give_permission(team, inventory.organization)
+    assert rando.has_obj_perm(inventory, 'change')
+
+    url = get_relative_url('serviceteamassignment-unassign')
+    data = {
+        "role_definition": org_inv_rd.name,
+        "team_ansible_id": str(team.resource.ansible_id),
+        "object_ansible_id": str(inventory.organization.resource.ansible_id),
+    }
+    response = admin_api_client.post(url, data)
+    assert response.status_code == 204, response.data
+    assert not rando.has_obj_perm(inventory, 'change')
+
+    # second gets a 200 code
+    response = admin_api_client.post(url, data)
+    assert response.status_code == 200, response.data
+    assert not rando.has_obj_perm(inventory, 'change')
+
+
 @pytest.mark.django_db
 def test_filter_assignment_list(admin_api_client, rando, inv_rd, view_inv_rd, org_inv_rd, inventory):
     inv_rd.give_permission(rando, inventory)
@@ -165,27 +226,6 @@ def test_filter_assignment_list(admin_api_client, rando, inv_rd, view_inv_rd, or
     assert response.data['count'] == 2
 
 
-@pytest.mark.django_db
-def test_unassign_endpoint(rando, org_inv_rd, inventory, admin_api_client):
-    org_inv_rd.give_permission(rando, inventory.organization)
-    assert rando.has_obj_perm(inventory, 'change')
-
-    url = get_relative_url('serviceuserassignment-unassign')
-    data = {
-        "role_definition": org_inv_rd.name,
-        "user_ansible_id": str(rando.resource.ansible_id),
-        "object_ansible_id": str(inventory.organization.resource.ansible_id),
-    }
-    response = admin_api_client.post(url, data)
-    assert response.status_code == 204, response.data
-    assert not rando.has_obj_perm(inventory, 'change')
-
-    # second gets a 200 code
-    response = admin_api_client.post(url, data)
-    assert response.status_code == 200, response.data
-    assert not rando.has_obj_perm(inventory, 'change')
-
-
 @pytest.mark.django_db
 @pytest.mark.parametrize(
     'reverse_name,normal_case,unauth_case',
@@ -194,8 +234,8 @@ def test_unassign_endpoint(rando, org_inv_rd, inventory, admin_api_client):
         ('dabpermission-list', 200, 401),
         ('resource-list', 403, 401),
         ('serviceuserassignment-list', 403, 401),
-        ('serviceteamassignment-list', 403, 401)
-    ]
+        ('serviceteamassignment-list', 403, 401),
+    ],
 )
 def test_service_api_permissions(reverse_name, normal_case, unauth_case, admin_api_client, user_api_client, unauthenticated_api_client):
     url = get_relative_url(reverse_name)
