Add endpoints for types and permissions

Author: AlanCoding

ansible_base/rbac/service_api/router.py

@@ -0,0 +1,8 @@
+from ansible_base.lib.routers import AssociationResourceRouter
+
+from . import views
+
+service_router = AssociationResourceRouter()
+
+service_router.register(r'role-types', views.RoleContentTypeViewSet)
+service_router.register(r'role-permissions', views.RolePermissionTypeViewSet)

ansible_base/rbac/service_api/serializers.py

@@ -0,0 +1,19 @@
+from rest_framework import serializers
+
+from ..models import DABContentType, DABPermission
+
+
+class DABContentTypeSerializer(serializers.ModelSerializer):
+    parent_content_type = serializers.SlugRelatedField(read_only=True, slug_field='api_slug')
+
+    class Meta:
+        model = DABContentType
+        fields = ['api_slug', 'service', 'app_label', 'model', 'parent_content_type', 'pk_field_type']
+
+
+class DABPermissionSerializer(serializers.ModelSerializer):
+    content_type = serializers.SlugRelatedField(read_only=True, slug_field='api_slug')
+
+    class Meta:
+        model = DABPermission
+        fields = ['api_slug', 'codename', 'content_type', 'name']

ansible_base/rbac/service_api/views.py

@@ -0,0 +1,28 @@
+from rest_framework.viewsets import GenericViewSet, mixins
+
+from ansible_base.lib.utils.views.django_app_api import AnsibleBaseDjangoAppApiView
+
+from ..models import DABContentType, DABPermission
+from . import serializers as service_serializers
+
+
+class RoleContentTypeViewSet(
+    AnsibleBaseDjangoAppApiView,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+    """List of types registered with the RBAC system, or loaded in from external system"""
+
+    queryset = DABContentType.objects.prefetch_related('parent_content_type').all()
+    serializer_class = service_serializers.DABContentTypeSerializer
+
+
+class RolePermissionTypeViewSet(
+    AnsibleBaseDjangoAppApiView,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+    """List of permissions managed with the RBAC system"""
+
+    queryset = DABPermission.objects.prefetch_related('content_type').all()
+    serializer_class = service_serializers.DABPermissionSerializer

ansible_base/rbac/urls.py

@@ -4,10 +4,18 @@
 from ansible_base.rbac.api.views import RoleMetadataView
 from ansible_base.rbac.apps import AnsibleRBACConfig
 
+from .service_api.router import service_router
+
 app_name = AnsibleRBACConfig.label
 
+
+service_urls = [
+    path('', include(service_router.urls)),
+]
+
 api_version_urls = [
     path('', include(router.urls)),
+    path('service-index/', include(service_urls)),
     path(r'role_metadata/', RoleMetadataView.as_view(), name="role-metadata"),
 ]
 

test_app/tests/rbac/remote/test_public_api_compat.py

@@ -28,3 +28,28 @@ def test_create_remote_role_definition(admin_api_client, foo_type, foo_permissio
     assert response.status_code == 201, response.data
     assert response.data['name'] == 'foo-foo-foo-custom'
     assert response.data['permissions'] == ['foo.foo_foo']
+
+
+# TODO: check that assignment endpoint works
+
+# @pytest.mark.django_db
+# def test_give_remote_permission(rando, foo_type, foo_permission, foo_rd):
+#     assert foo_type.service == 'foo'  # a place, a domain, a server, known as foo
+#     assert foo_type.api_slug == 'foo.foo'  # there lives a foo in foo
+
+#     assert foo_permission.api_slug == 'foo.foo_foo'  # expression of the ability that one may foo a foo
+
+#     a_foo = RemoteObject(content_type=foo_type, object_id=42)
+#     assignment = foo_rd.give_permission(rando, a_foo)
+
+#     assignment = RoleUserAssignment.objects.get(pk=assignment.pk)
+#     assert isinstance(assignment.content_object, RemoteObject)
+
+#     # We can do evaluation querysets, but these can not return objects, just id values
+#     assert set(foo_type.model_class().access_ids_qs(actor=rando, codename='foo')) == {(int(assignment.object_id),)}
+
+#     # Test that user-attached methods also work
+#     assert rando.has_obj_perm(a_foo, 'foo')
+#     with pytest.raises(RuntimeError) as exc:
+#         assert not rando.has_obj_perm(a_foo, 'bar')  # not a valid permission
+#     assert 'The permission bar_foo is not valid for model foo' in str(exc)

test_app/tests/rbac/remote/test_service_api.py

@@ -0,0 +1,34 @@
+import pytest
+
+from ansible_base.lib.utils.response import get_relative_url
+
+
+@pytest.mark.django_db
+def test_get_resource_list(admin_api_client):
+    url = get_relative_url('dabcontenttype-list')
+    response = admin_api_client.get(url, format="json")
+    assert response.status_code == 200, response.data
+    type_data = {t['api_slug']: t for t in response.data['results']}
+
+    assert 'shared.organization' in type_data
+    org_data = type_data['shared.organization']
+    assert org_data['parent_content_type'] is None
+    assert org_data['service'] == 'shared'
+    assert org_data['model'] == 'organization'
+
+    assert 'aap.inventory' in type_data
+    inv_data = type_data['aap.inventory']
+    assert inv_data['parent_content_type'] == 'shared.organization'
+
+
+@pytest.mark.django_db
+def test_get_permission_list(admin_api_client):
+    url = get_relative_url('dabpermission-list')
+    response = admin_api_client.get(url + '?page_size=200', format="json")
+    assert response.status_code == 200, response.data
+    type_data = {t['api_slug']: t for t in response.data['results']}
+
+    assert 'shared.change_organization' in type_data
+    change_org_data = type_data['shared.change_organization']
+    assert change_org_data['content_type'] == 'shared.organization'
+    assert change_org_data['codename'] == 'change_organization'