Add user and team sync endpoints

Author: AlanCoding

ansible_base/rbac/service_api/router.py

@@ -6,3 +6,6 @@
 
 service_router.register(r'role-types', views.RoleContentTypeViewSet)
 service_router.register(r'role-permissions', views.RolePermissionTypeViewSet)
+# Different basenames used to distinguish between the duplicate, public, endpoints
+service_router.register(r'role-user-assignments', views.ServiceRoleUserAssignmentViewSet, basename='serviceuserassignment')
+service_router.register(r'role-team-assignments', views.ServiceRoleTeamAssignmentViewSet, basename='serviceteamassignment')

ansible_base/rbac/service_api/serializers.py

@@ -1,6 +1,7 @@
 from rest_framework import serializers
 
-from ..models import DABContentType, DABPermission
+from ..models import DABContentType, DABPermission, RoleTeamAssignment, RoleUserAssignment
+from ..remote import RemoteObject
 
 
 class DABContentTypeSerializer(serializers.ModelSerializer):
@@ -17,3 +18,46 @@ class DABPermissionSerializer(serializers.ModelSerializer):
     class Meta:
         model = DABPermission
         fields = ['api_slug', 'codename', 'content_type', 'name']
+
+
+assignment_common_fields = ('created', 'created_by_ansible_id', 'object_id', 'object_ansible_id', 'content_type', 'role_definition')
+
+
+class BaseAssignmentSerializer(serializers.ModelSerializer):
+    content_type = serializers.SlugRelatedField(read_only=True, slug_field='api_slug')
+    role_definition = serializers.SlugRelatedField(read_only=True, slug_field='name')
+    created_by_ansible_id = serializers.SerializerMethodField()
+    object_ansible_id = serializers.SerializerMethodField()
+
+    def get_created_by_ansible_id(self, obj):
+        return str(obj.created_by.resource.ansible_id)
+
+    def get_object_ansible_id(self, obj):
+        content_object = obj.content_object
+        if isinstance(content_object, RemoteObject):
+            return None
+        if hasattr(content_object, 'resource'):
+            return str(content_object.resource.ansible_id)
+        return None
+
+
+class RoleUserAssignmentSerializer(BaseAssignmentSerializer):
+    user_ansible_id = serializers.SerializerMethodField()
+
+    class Meta:
+        model = RoleUserAssignment
+        fields = assignment_common_fields + ('user_ansible_id',)
+
+    def get_user_ansible_id(self, obj):
+        return str(obj.user.resource.ansible_id)
+
+
+class RoleTeamAssignmentSerializer(BaseAssignmentSerializer):
+    user_ansible_id = serializers.SerializerMethodField()
+
+    class Meta:
+        model = RoleTeamAssignment
+        fields = assignment_common_fields + ('team_ansible_id',)
+
+    def get_team_ansible_id(self, obj):
+        return str(obj.team.resource.ansible_id)

ansible_base/rbac/service_api/views.py

@@ -2,7 +2,7 @@
 
 from ansible_base.lib.utils.views.django_app_api import AnsibleBaseDjangoAppApiView
 
-from ..models import DABContentType, DABPermission
+from ..models import DABContentType, DABPermission, RoleTeamAssignment, RoleUserAssignment
 from . import serializers as service_serializers
 
 
@@ -26,3 +26,31 @@ class RolePermissionTypeViewSet(
 
     queryset = DABPermission.objects.prefetch_related('content_type').all()
     serializer_class = service_serializers.DABPermissionSerializer
+
+
+# NOTE: role definitions are exchanged via the resources endpoint, so not included here
+
+
+prefetch_related = ('created_by__resource', 'content_type', 'role_definition')
+
+
+class ServiceRoleUserAssignmentViewSet(
+    AnsibleBaseDjangoAppApiView,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+    """List of assignments for cross-service communication"""
+
+    queryset = RoleUserAssignment.objects.prefetch_related('user__resource', *prefetch_related)
+    serializer_class = service_serializers.RoleUserAssignmentSerializer
+
+
+class ServiceRoleTeamAssignmentViewSet(
+    AnsibleBaseDjangoAppApiView,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+    """List of team role assignments for cross-service communication"""
+
+    queryset = RoleTeamAssignment.objects.prefetch_related('team__resource', *prefetch_related)
+    serializer_class = service_serializers.RoleTeamAssignmentSerializer

test_app/tests/rbac/remote/test_service_api.py

@@ -99,3 +99,20 @@ def test_reload_permissions(admin_api_client):
     assert response.status_code == 200, response.data
 
     assert response.data['results'] == original
+
+
+@pytest.mark.django_db
+def test_list_role_user_assignments(admin_api_client, rando, inv_rd, inventory):
+    inv_rd.give_permission(rando, inventory)
+
+    url = get_relative_url('serviceuserassignment-list')
+    response = admin_api_client.get(url + '?page_size=200', format="json")
+    assert response.status_code == 200, response.data
+
+    candidates = [assignment for assignment in response.data['results'] if assignment['role_definition'] == inv_rd.name]
+    assert len(candidates) == 1, response.data
+    from_api = candidates[0]
+
+    assert int(from_api['object_id']) == inventory.id
+    assert from_api['user_ansible_id'] == str(rando.resource.ansible_id)
+    assert from_api['content_type'] == 'aap.inventory'