Get to functionally working sync of role assignments

Author: AlanCoding

ansible_base/rbac/api/views.py

@@ -33,6 +33,7 @@
 from ..models import DABContentType, DABPermission, get_evaluation_model
 from ..policies import check_content_obj_permission
 from ..remote import RemoteObject, get_resource_prefix
+from ..sync import maybe_reverse_sync_assignment, maybe_reverse_sync_unassignment
 
 
 def list_combine_values(data: dict[Type[Model], list[str]]) -> list[str]:
@@ -148,20 +149,36 @@ def filter_queryset(self, qs):
             new_qs = model.visible_items(self.request.user, qs)
         return super().filter_queryset(new_qs)
 
+    def remote_sync_assignment(self, assignment):
+        "Intermediary for sync method so that child classes can modify it purely in viewset"
+        maybe_reverse_sync_assignment(assignment)
+
+    def remote_sync_unassignment(self, role_definition, actor, content_object):
+        maybe_reverse_sync_unassignment(role_definition, actor, content_object)
+
     def perform_create(self, serializer):
-        return super().perform_create(serializer)
+        ret = super().perform_create(serializer)
+        self.remote_sync_assignment(serializer.instance)
+        return ret
 
     def perform_destroy(self, instance):
         check_can_remove_assignment(self.request.user, instance)
         check_locally_managed(instance.role_definition)
 
+        # Save properties for sync after it is done locally (at which point assignment will not exist)
+        role_definition = instance.role_definition
+        actor = instance.actor
+        content_object = instance.content_object
+
         if instance.content_type_id:
             with transaction.atomic():
                 instance.role_definition.remove_permission(instance.actor, instance.content_object)
         else:
             with transaction.atomic():
                 instance.role_definition.remove_global_permission(instance.actor)
 
+        self.remote_sync_unassignment(role_definition, actor, content_object)
+
 
 class RoleTeamAssignmentViewSet(BaseAssignmentViewSet):
     """

ansible_base/rbac/service_api/serializers.py

@@ -67,8 +67,8 @@ class BaseAssignmentSerializer(serializers.ModelSerializer):
     content_type = serializers.SlugRelatedField(read_only=True, slug_field='api_slug')
     role_definition = serializers.SlugRelatedField(slug_field='name', queryset=RoleDefinition.objects.all())
     created_by_ansible_id = ActorAnsibleIDField(source='created_by', required=False)
-    object_ansible_id = ObjectIDAnsibleIDField(source='object_id', required=False)
-    # TODO: use the from_service to control what we sync back to
+    object_ansible_id = ObjectIDAnsibleIDField(source='object_id', required=False, allow_null=True)
+    object_id = serializers.CharField(allow_blank=True)
     from_service = serializers.CharField(write_only=True)
 
     def to_representation(self, instance):
@@ -84,15 +84,18 @@ def validate(self, attrs):
 
         So this does the mutual validation to assure we have sufficient data.
         """
-        has_oid = 'object_id' in self.initial_data
-        has_oaid = 'object_ansible_id' in self.initial_data
+        has_oid = bool(self.initial_data.get('object_id'))
+        has_oaid = bool(self.initial_data.get('object_ansible_id'))
 
         if not self.partial and not has_oid and not has_oaid:
             raise serializers.ValidationError("You must provide either 'object_id' or 'object_ansible_id'.")
+        elif not has_oaid:
+            # need to remove blank and null fields or else it can overwrite the non-null non-blank field
+            attrs['object_id'] = self.initial_data['object_id']
 
         # NOTE: right now not enforcing the case you provide both, could check for consistency later
 
-        return attrs
+        return super().validate(attrs)
 
     def find_existing_assignment(self, queryset):
         actor = self.validated_data[self.actor_field]
@@ -116,10 +119,14 @@ def create(self, validated_data):
             obj = None
             if object_id:
                 model = rd.content_type.model_class()
-                try:
-                    obj = model.objects.get(pk=object_id)
-                except model.DoesNotExist as exc:
-                    raise serializers.ValidationError({'object_id': str(exc)})
+
+                if issubclass(model, RemoteObject):
+                    obj = model(content_type=rd.content_type, object_id=object_id)
+                else:
+                    try:
+                        obj = model.objects.get(pk=object_id)
+                    except model.DoesNotExist as exc:
+                        raise serializers.ValidationError({'object_id': str(exc)})
 
             # Validators not ran, because this should be an internal action
 

ansible_base/rbac/service_api/views.py

@@ -53,6 +53,16 @@ class ServiceRoleUserAssignmentViewSet(
         ansible_id_backend.RoleAssignmentFilterBackend,
     ]
 
+    def remote_secondary_sync_assignment(self, assignment, from_service=None):
+        """To allow service-specific sync when getting assignment from /service-index/ endpoint
+
+        Will get a None value for from_service is the superuser is manually testing this endpoint.
+        """
+        pass
+
+    def remote_secondary_sync_unassignment(self, role_definition, actor, content_object, from_service=None):
+        pass
+
     @action(detail=False, methods=['post'], url_path='assign')
     def assign(self, request):
         serializer = self.get_serializer(data=request.data)
@@ -64,6 +74,7 @@ def assign(self, request):
             return Response(output_serializer.data, status=status.HTTP_200_OK)
 
         instance = serializer.save()
+        self.remote_secondary_sync_assignment(serializer.instance, from_service=serializer.validated_data.get('from_service'))
         output_serializer = self.get_serializer(instance)
         return Response(output_serializer.data, status=status.HTTP_201_CREATED)
 
@@ -77,8 +88,14 @@ def unassign(self, request):
             output_serializer = self.get_serializer(existing)
             return Response(output_serializer.data, status=status.HTTP_200_OK)
 
+        # Save properties for sync after it is done locally (at which point assignment will not exist)
+        role_definition = existing.role_definition
+        actor = existing.actor
+        content_object = existing.content_object
+
         # Use standard DRF delete logic
         self.perform_destroy(existing)
+        self.remote_secondary_sync_unassignment(role_definition, actor, content_object, from_service=serializer.validated_data.get('from_service'))
         return Response(status=status.HTTP_204_NO_CONTENT)
 
     def perform_destroy(self, instance):

ansible_base/rbac/sync.py

@@ -0,0 +1,54 @@
+from ansible_base.resource_registry.utils.settings import resource_server_defined  # safe import
+
+"""
+Module is a parallel to resource_registry
+
+ansible_base.resource_registry.utils.sync_to_resource_server.sync_to_resource_server
+
+However, this only deals with role assignments, which have key differences
+- totally immutable model
+- have very weird way of referencing related objects
+- must run various internal RBAC logic for rebuilding RoleEvaluation entries
+"""
+
+
+def reverse_sync_enabled_all_conditions(assignment):
+    """This checks for basically all cases we do not reverse sync
+    1. object level flag for skipping the sync
+    2. environment variable to skip sync
+    3. context manager to disable sync
+    4. RESOURCE_SERVER setting not actually set
+    """
+    from ansible_base.resource_registry.signals.handlers import reverse_sync_enabled
+    from ansible_base.resource_registry.utils.sync_to_resource_server import should_skip_reverse_sync
+
+    if not resource_server_defined():
+        return False
+
+    if not reverse_sync_enabled.enabled:
+        return False
+
+    if should_skip_reverse_sync(assignment):
+        return
+
+    return True
+
+
+def maybe_reverse_sync_assignment(assignment):
+    if not reverse_sync_enabled_all_conditions(assignment):
+        return
+
+    from ansible_base.resource_registry.utils.sync_to_resource_server import get_current_user_resource_client
+
+    client = get_current_user_resource_client()
+    client.sync_assignment(assignment)
+
+
+def maybe_reverse_sync_unassignment(role_definition, actor, content_object):
+    if not reverse_sync_enabled_all_conditions(role_definition):
+        return
+
+    from ansible_base.resource_registry.utils.sync_to_resource_server import get_current_user_resource_client
+
+    client = get_current_user_resource_client()
+    client.sync_unassignment(role_definition, actor, content_object)

ansible_base/resource_registry/rest_client.py

@@ -190,7 +190,7 @@ def sync_unassignment(self, role_definition, actor, content_object):
             if ct.service == 'shared':
                 data['object_ansible_id'] = str(content_object.resource.ansible_id)
             else:
-                data['object_id'] = content_object.object_id
+                data['object_id'] = content_object.pk
 
         return self._sync_assignment(data, giving=False)
 

test_app/tests/resource_registry/test_resources_api_rest_client.py

@@ -183,40 +183,61 @@ def test_list_role_permissions_all_pages(resource_client):
     assert resp.json()["count"] > 25
 
 
-def _assert_assignment_matches_data(assignment, data, organization, user):
+def _assert_assignment_matches_data(assignment, data, obj, user):
     assert 'created' in data, data
     # assert DateTimeField().to_representation(assignment.created) == data['created']  # TODO
     assert str(assignment.created_by.resource.ansible_id) == data['created_by_ansible_id']
-    assert assignment.object_id == organization.id
+    assert assignment.object_id == obj.id
     assert str(assignment.object_id) == str(data['object_id'])
-    assert str(organization.resource.ansible_id) == data['object_ansible_id']
-    assert 'shared.organization' == data['content_type']
-    assert 'Organization Admin' == data['role_definition']
+    if hasattr(obj, 'resource'):
+        assert str(obj.resource.ansible_id) == data['object_ansible_id']
+        assert 'shared.organization' == data['content_type']
+        assert 'Organization Admin' == data['role_definition']
+    else:
+        assert 'aap.inventory' == data['content_type']
+        assert 'change-inv' == data['role_definition']
     assert str(user.resource.ansible_id) == data['user_ansible_id']
 
 
 @pytest.mark.django_db
-def test_sync_assignment(resource_client, org_admin_rd, user, organization):
+def test_sync_org_assignment(resource_client, org_admin_rd, user, organization):
     assignment = org_admin_rd.give_permission(user, organization)
     resp = resource_client.sync_assignment(assignment)
-
     assert resp.status_code == 200, resp.text
-
     data = resp.json()
     # Existing assignment should be this current assignment
     _assert_assignment_matches_data(assignment, data, organization, user)
 
     org_admin_rd.remove_permission(user, organization)
-
     resp = resource_client.sync_assignment(assignment)  # assignment not actually here locally
-
     assert resp.status_code == 201, resp.text  # created
-
     data = resp.json()
     # All the data, on the remote system, should match our original assignment
     _assert_assignment_matches_data(assignment, data, organization, user)
 
 
+@pytest.mark.django_db
+def test_sync_obj_assignment(resource_client, user, inventory):
+    inv_rd = RoleDefinition.objects.create_from_permissions(
+        permissions=['change_inventory', 'view_inventory'],
+        name='change-inv',
+        content_type=permission_registry.content_type_model.objects.get_for_model(Inventory),
+    )
+    assignment = inv_rd.give_permission(user, inventory)
+    resp = resource_client.sync_assignment(assignment)
+    assert resp.status_code == 200, resp.text
+    data = resp.json()
+    # Existing assignment should be this current assignment
+    _assert_assignment_matches_data(assignment, data, inventory, user)
+
+    inv_rd.remove_permission(user, inventory)
+    resp = resource_client.sync_assignment(assignment)  # assignment not actually here locally
+    assert resp.status_code == 201, resp.text  # created
+    data = resp.json()
+    # All the data, on the remote system, should match our original assignment
+    _assert_assignment_matches_data(assignment, data, inventory, user)
+
+
 @pytest.mark.django_db
 def test_get_resource_404(resource_client):
     resource_client.raise_if_bad_request = True