[AAP-51985] Implements cross-service RBAC cleanup for object deletion (#834)

Implements automatic cleanup of orphaned role assignments when objects are deleted by adding /service-index/object-delete/ API endpoint for bulk role cleanup.

Author: arrestle

ansible_base/rbac/service_api/router.py

@@ -9,3 +9,4 @@
 # Different basenames used to distinguish between the duplicate, public, endpoints
 service_router.register(r'role-user-assignments', views.ServiceRoleUserAssignmentViewSet, basename='serviceuserassignment')
 service_router.register(r'role-team-assignments', views.ServiceRoleTeamAssignmentViewSet, basename='serviceteamassignment')
+service_router.register(r'object-delete', views.ServiceObjectDeleteViewSet, basename='serviceobjectdelete')

ansible_base/rbac/service_api/views.py

@@ -1,5 +1,5 @@
 from django.db import transaction
-from rest_framework import permissions, status
+from rest_framework import permissions, status, viewsets
 from rest_framework.decorators import action
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet, mixins
@@ -145,3 +145,65 @@ def assign(self, request):
     @action(detail=False, methods=['post'], url_path='unassign')
     def unassign(self, request):
         return self._unassign(request)
+
+
+class ServiceObjectDeleteViewSet(viewsets.ViewSet):
+    """
+    Bulk deletion of role assignments for deleted objects.
+    Uses standard create() method to bypass service token authentication restrictions.
+    Handles both user and team assignments in a single API call.
+    """
+
+    permission_classes = [HasResourceRegistryPermissions]
+
+    def create(self, request):
+        """
+        Delete all role assignments (user and team) for a specific resource.
+
+        Expected request data:
+        {
+            "resource_type": "main.inventory",
+            "resource_pk": "4"
+        }
+        """
+        from ..models import DABContentType
+
+        # Validate request data
+        serializer_data = {
+            'resource_type': request.data.get('resource_type'),
+            'resource_pk': request.data.get('resource_pk'),
+        }
+
+        if not serializer_data['resource_type'] or not serializer_data['resource_pk']:
+            return Response({'error': 'Both resource_type and resource_pk are required'}, status=status.HTTP_400_BAD_REQUEST)
+
+        try:
+            # Parse resource_type (e.g., "main.inventory" -> app_label="main", model="inventory")
+            app_label, model_name = serializer_data['resource_type'].split('.', 1)
+        except ValueError:
+            return Response({'error': 'Invalid resource_type format. Expected: app_label.model_name'}, status=status.HTTP_400_BAD_REQUEST)
+
+        try:
+            # Get the content type
+            content_type = DABContentType.objects.get(app_label=app_label, model=model_name)
+        except DABContentType.DoesNotExist:
+            return Response({'error': f'Content type not found: {serializer_data["resource_type"]}'}, status=status.HTTP_400_BAD_REQUEST)
+
+        # Perform bulk deletion in a transaction
+        with transaction.atomic():
+            # Delete user role assignments
+            user_deleted_count = RoleUserAssignment.objects.filter(content_type=content_type, object_id=serializer_data['resource_pk']).delete()[0]
+
+            # Delete team role assignments
+            team_deleted_count = RoleTeamAssignment.objects.filter(content_type=content_type, object_id=serializer_data['resource_pk']).delete()[0]
+
+        total_deleted = user_deleted_count + team_deleted_count
+
+        return Response(
+            {
+                'message': f'Deleted {total_deleted} role assignments for {serializer_data["resource_type"]} {serializer_data["resource_pk"]}',
+                'deleted_count': total_deleted,
+                'breakdown': {'user_assignments_deleted': user_deleted_count, 'team_assignments_deleted': team_deleted_count},
+            },
+            status=status.HTTP_200_OK,
+        )

ansible_base/rbac/sync.py

@@ -8,10 +8,10 @@
    - totally immutable model
    - have very weird way of referencing related objects
    - must run various internal RBAC logic for rebuilding RoleEvaluation entries
-
 2. RoleDefinition sync timing - which has timing issues:
    - post_save fires before many-to-many relations are saved
    - permissions need to be attached before syncing
+3. Object deletion cleanup - cross-service sync for orphaned assignments
 """
 
 import logging
@@ -62,6 +62,31 @@ def maybe_reverse_sync_unassignment(role_definition, actor, content_object):
     client.sync_unassignment(role_definition, actor, content_object)
 
 
+def maybe_reverse_sync_object_deletion(content_object):
+    """Trigger reverse-sync for object deletion to clean up orphaned role assignments.
+    This is called when a resource with object-level role assignments is deleted.
+
+    Args:
+        content_object: The deleted resource instance to clean up assignments for
+    """
+    if not reverse_sync_enabled_all_conditions(content_object):
+        logger.debug(f"Skipping reverse-sync object deletion for {content_object}")
+        return
+
+    logger.debug(f"Performing reverse-sync object deletion for {content_object}")
+
+    try:
+        from ansible_base.resource_registry.utils.sync_to_resource_server import get_current_user_resource_client
+
+        client = get_current_user_resource_client()
+        client.sync_object_deletion(content_object)
+        logger.debug(f"Successfully synced object deletion for {content_object}")
+    except Exception as e:
+        # Log the error but don't let sync failures break local deletion
+        logger.warning(f"Failed to sync object deletion for {content_object}: {e}")
+        return
+
+
 def maybe_reverse_sync_role_definition(instance, action="update"):
     """Manually trigger reverse-sync for a RoleDefinition if appropriate.
 

ansible_base/rbac/triggers.py

@@ -255,15 +255,33 @@ def rbac_post_delete_remove_object_roles(instance, *args, **kwargs):
 
         # Similar to user deletion, clean up any orphaned object roles
         ObjectRole.objects.filter(users__isnull=True, teams__isnull=True).delete()
+        deleted_count, _ = ObjectRole.objects.filter(users__isnull=True, teams__isnull=True).delete()
+        if deleted_count:
+            had_object_assignments = True
 
     ct = permission_registry.content_type_model.objects.get_for_model(instance)
-    ObjectRole.objects.filter(content_type=ct, object_id=instance.pk).delete()
+
+    # Use bulk delete return value to determine if object-level assignments existed
+    # This avoids the inefficient .exists() query and works correctly for team deletion cases
+    deleted_count, _ = ObjectRole.objects.filter(content_type=ct, object_id=instance.pk).delete()
+    had_object_assignments = deleted_count > 0
 
     parent_field_name = permission_registry.get_parent_fd_name(instance)
     if parent_field_name:
         # Delete all evaluations from inherited permissions
         get_evaluation_model(instance).objects.filter(content_type_id=ct.id, object_id=instance.pk).delete()
 
+    # Only sync when object-level assignments existed - this is the key performance optimization
+    if had_object_assignments:
+        try:
+            from ansible_base.rbac.sync import maybe_reverse_sync_object_deletion
+
+            maybe_reverse_sync_object_deletion(instance)
+        except Exception:
+            # Continue with local deletion even if cross-service sync fails
+            # This ensures we don't break local operations due to network/auth issues
+            logger.exception(f"Failed to sync object deletion for {instance}")
+
 
 def rbac_post_user_delete(instance, *args, **kwargs):
     """

ansible_base/resource_registry/rest_client.py

@@ -212,6 +212,26 @@ def sync_unassignment(self, role_definition, actor, content_object):
 
         return self._sync_assignment(data, giving=False)
 
+    def sync_object_deletion(self, content_object):
+        """Sync object deletion to Gateway for cleanup of all related role assignments"""
+        from ansible_base.rbac.models import DABContentType
+
+        # Get the content type information
+        content_type = DABContentType.objects.get_for_model(content_object)
+
+        data = {
+            'resource_type': f'{content_type.app_label}.{content_type.model}',
+            'resource_pk': str(content_object.pk),  # Convert pk to string for JSON serialization
+        }
+
+        # Make single API call to the new object-delete endpoint
+        response = self._make_request("post", "object-delete/", data=data)
+
+        if response.status_code == 200:
+            return response.json()
+        else:
+            return {'error': f'Failed with status {response.status_code}', 'status_code': response.status_code}
+
     def _sync_assignment(self, data, giving=True):
         if giving:
             sub_url = 'assign'
@@ -224,4 +244,4 @@ def _sync_assignment(self, data, giving=True):
 
         url = f'role-{actor_type}-assignments/{sub_url}/'
 
-        return self._make_request(method="post", path=url, data=data)
+        return self._make_request("post", url, data=data)