@@ -241,7 +241,8 @@ def decode_jwt_token(self, unencrypted_token, decryption_key, additional_options
241241            algorithms = ["RS256" ],
242242        )
243243
244-     def  get_role_definition (self , name : str ) ->  Optional [Model ]:
244+     @staticmethod  
245+     def  get_role_definition (name : str ) ->  Optional [Model ]:
245246        """Simply get the RoleDefinition from the database if it exists and handler corner cases 
246247
247248        If this is the name of a managed role for which we have a corresponding definition in code, 
@@ -344,35 +345,36 @@ def _fetch_jwt_claims_from_gateway(self, user_ansible_id: str) -> Optional[dict]
344345            logger .error (f"Error fetching claims from gateway: { e }  " )
345346            return  None 
346347
347-     def  _apply_rbac_permissions (self , objects , object_roles , global_roles ):
348+     @staticmethod  
349+     def  _apply_rbac_permissions (user , objects : dict , object_roles : dict , global_roles : list ) ->  None :
348350        """ 
349351        Apply RBAC permissions from claims data 
350352        """ 
351353        from  ansible_base .rbac .models  import  RoleUserAssignment 
352354
353-         role_diff  =  RoleUserAssignment .objects .filter (user = self . user , role_definition__name__in = settings .ANSIBLE_BASE_JWT_MANAGED_ROLES )
355+         role_diff  =  RoleUserAssignment .objects .filter (user = user , role_definition__name__in = settings .ANSIBLE_BASE_JWT_MANAGED_ROLES )
354356
355357        for  system_role_name  in  global_roles :
356-             logger .debug (f"Processing system role { system_role_name }   for { self . user .username }  " )
357-             rd  =  self .get_role_definition (system_role_name )
358+             logger .debug (f"Processing system role { system_role_name }   for { user .username }  " )
359+             rd  =  JWTCommonAuth .get_role_definition (system_role_name )
358360            if  rd :
359361                if  rd .name  in  settings .ANSIBLE_BASE_JWT_MANAGED_ROLES :
360-                     assignment  =  rd .give_global_permission (self . user )
362+                     assignment  =  rd .give_global_permission (user )
361363                    role_diff  =  role_diff .exclude (pk = assignment .pk )
362-                     logger .info (f"Granted user { self . user .username }   global role { system_role_name }  " )
364+                     logger .info (f"Granted user { user .username }   global role { system_role_name }  " )
363365                else :
364-                     logger .error (f"Unable to grant { self . user .username }   system level role { system_role_name }   because it is not a JWT managed role" )
366+                     logger .error (f"Unable to grant { user .username }   system level role { system_role_name }   because it is not a JWT managed role" )
365367            else :
366-                 logger .error (f"Unable to grant { self . user .username }   system level role { system_role_name }   because it does not exist" )
368+                 logger .error (f"Unable to grant { user .username }   system level role { system_role_name }   because it does not exist" )
367369                continue 
368370
369371        for  object_role_name  in  object_roles .keys ():
370-             rd  =  self .get_role_definition (object_role_name )
372+             rd  =  JWTCommonAuth .get_role_definition (object_role_name )
371373            if  rd  is  None :
372-                 logger .error (f"Unable to grant { self . user .username }   object role { object_role_name }   because it does not exist" )
374+                 logger .error (f"Unable to grant { user .username }   object role { object_role_name }   because it does not exist" )
373375                continue 
374376            elif  rd .name  not  in   settings .ANSIBLE_BASE_JWT_MANAGED_ROLES :
375-                 logger .error (f"Unable to grant { self . user .username }   object role { object_role_name }   because it is not a JWT managed role" )
377+                 logger .error (f"Unable to grant { user .username }   object role { object_role_name }   because it is not a JWT managed role" )
376378                continue 
377379
378380            object_type  =  object_roles [object_role_name ]['content_type' ]
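Review bot: `_apply_rbac_permissions` is now a `@staticmethod` that reaches its sibling through the hard-coded class name in both `rd = JWTCommonAuth.get_role_definition(...)` lines, so a subclass that overrides `get_role_definition` would be silently bypassed; `@classmethod` with `cls.get_role_definition(...)` keeps that path intact, and the same pattern appears in the `JWTCommonAuth.get_or_create_resource(...)` calls in the following hunks. The docstring still reads only `Apply RBAC permissions from claims data` and says nothing about the new first parameter; a line such as `user: the User whose JWT-managed assignments are synchronised with the claims` plus a sentence stating that assignments not present in `global_roles`/`object_roles` are revoked at the end would make the contract explicit. The function continues past this hunk.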
@@ -381,7 +383,7 @@ def _apply_rbac_permissions(self, objects, object_roles, global_roles):
381383            for  index  in  object_indexes :
382384                object_data  =  objects [object_type ][index ]
383385                try :
384-                     resource , obj  =  self .get_or_create_resource (object_type , object_data )
386+                     resource , obj  =  JWTCommonAuth .get_or_create_resource (objects ,  object_type , object_data )
385387                except  IntegrityError  as  e :
386388                    logger .warning (
387389                        f"Got integrity error ({ e }  ) on { object_data }  . Skipping { object_type }   assignment. " 
@@ -390,20 +392,21 @@ def _apply_rbac_permissions(self, objects, object_roles, global_roles):
390392                    continue 
391393
392394                if  resource  is  not   None :
393-                     assignment  =  rd .give_permission (self . user , obj )
395+                     assignment  =  rd .give_permission (user , obj )
394396                    role_diff  =  role_diff .exclude (pk = assignment .pk )
395-                     logger .info (f"Granted user { self . user .username }   role { object_role_name }   to object { obj .name }   with ansible_id { object_data ['ansible_id' ]}  " )
397+                     logger .info (f"Granted user { user .username }   role { object_role_name }   to object { obj .name }   with ansible_id { object_data ['ansible_id' ]}  " )
396398
397399        # Remove all permissions not authorized by the JWT 
398400        for  role_assignment  in  role_diff :
399401            rd  =  role_assignment .role_definition 
400402            content_object  =  role_assignment .content_object 
401403            if  content_object :
402-                 rd .remove_permission (self . user , content_object )
404+                 rd .remove_permission (user , content_object )
403405            else :
404-                 rd .remove_global_permission (self . user )
406+                 rd .remove_global_permission (user )
405407
406-     def  get_or_create_resource (self , content_type : str , data : dict ) ->  Tuple [Optional [Resource ], Optional [Model ]]:
408+     @staticmethod  
409+     def  get_or_create_resource (objects : dict , content_type : str , data : dict ) ->  Tuple [Optional [Resource ], Optional [Model ]]:
407410        """ 
408411        Gets or creates a resource from a content type and its default data 
409412
@@ -421,10 +424,10 @@ def get_or_create_resource(self, content_type: str, data: dict) -> Tuple[Optiona
421424        if  content_type  ==  'team' :
422425            # For a team we first have to make sure the org is there 
423426            org_id  =  data ['org' ]
424-             organization_data  =  self . token [ ' objects' ] ["organization" ][org_id ]
427+             organization_data  =  objects ["organization" ][org_id ]
425428
426429            # Now that we have the org we can build a team 
427-             org_resource , _  =  self .get_or_create_resource ("organization" , organization_data )
430+             org_resource , _  =  JWTCommonAuth .get_or_create_resource ("organization" , organization_data )
428431
429432            resource  =  Resource .create_resource (
430433                ResourceType .objects .get (name = "shared.team" ),
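Review bot: The recursive call `JWTCommonAuth.get_or_create_resource("organization", organization_data)` passes two arguments to a method whose new signature is `(objects, content_type, data)`, so `"organization"` lands in `objects`, the org dict in `content_type`, and `data` is missing, which raises `TypeError` on every team grant. It should read `org_resource, _ = JWTCommonAuth.get_or_create_resource(objects, "organization", organization_data)`, matching the call site in `_apply_rbac_permissions`. Separately, `objects["organization"][org_id]` raises `KeyError` when the claims reference an organization that is absent from the token's object list, and the caller only catches `IntegrityError`; since the claims are external input, handling the missing key (returning `(None, None)` here or widening the caller's except) seems worth considering. `get_or_create_resource`'s body continues past this hunk.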