AAP-50805 Ignore role content types not known to system in sync (#811)

The bug here is that AWX `periodic_resource_sync` will result in an
error.

It seems there was an attempt to log an error and continue on when
getting a `ValidationError`, it seems this only targeted the Django
validation error exception, leaving the more common DRF ValidationError
uncaught. This means that the issue broke the resource sync, globally.
That means the periodic sync was effectively broken by the referenced
bug.

We could change that, but we wanted to have a targeted and more
intentional special-case just for roles, and that is what this
implements.

If the field `RoleDefinition.content_type` references a type that does
not exist locally, we don't bother in the _periodic fallback_ sync and
just skip over that record. This is very sensible behavior, and it will
be reported as a no-op, as one should expect.

Author: AlanCoding

ansible_base/resource_registry/shared_types.py

@@ -1,4 +1,5 @@
 from rest_framework import serializers
+from rest_framework.exceptions import ValidationError
 
 from ansible_base.rbac.models import DABContentType, DABPermission
 from ansible_base.resource_registry.utils.resource_type_serializers import AnsibleResourceForeignKeyField, SharedResourceTypeSerializer
@@ -104,3 +105,15 @@ class RoleDefinitionType(SharedResourceTypeSerializer):
         default=None,
     )
     permissions = LenientPermissionSlugListField()
+
+    def is_valid(self, raise_exception=False):
+        try:
+            return super().is_valid(raise_exception=raise_exception)
+        except ValidationError as e:
+            if hasattr(e, 'detail') and 'content_type' in e.detail:
+                fd_detail = e.detail['content_type'][0]
+                if fd_detail.code == "does_not_exist":
+                    from ansible_base.resource_registry.tasks.sync import SkipResource
+
+                    raise SkipResource(*e.args)
+            raise

ansible_base/resource_registry/tasks/sync.py

@@ -37,6 +37,13 @@ class ResourceSyncHTTPError(HTTPError):
     """Custom catchall error"""
 
 
+class SkipResource(ValidationError):
+    """To raise by serializers if the item should be skipped"""
+
+    default_detail = "The specified content_type slug was not found."
+    default_code = "content_type_does_not_exist"
+
+
 class SyncStatus(str, Enum):
     CREATED = "created"
     UPDATED = "updated"
@@ -226,6 +233,8 @@ def _attempt_create_resource(
             ansible_id=manifest_item.ansible_id,
             service_id=resource_service_id,
         )
+    except SkipResource:
+        return SyncResult(SyncStatus.NOOP, manifest_item)
     except IntegrityError:
         # This typically means that there was a duplicate key error. To mitigate this
         # we will attempt to hanlde the conflicting resource and perform the operation

test_app/tests/resource_registry/test_resource_sync.py

@@ -7,9 +7,10 @@
 
 from ansible_base.lib.testing.util import StaticResourceAPIClient
 from ansible_base.lib.utils.response import get_relative_url
-from ansible_base.resource_registry.models import Resource
+from ansible_base.rbac.models import RoleDefinition
+from ansible_base.resource_registry.models import Resource, ResourceType
 from ansible_base.resource_registry.models.service_identifier import service_id
-from ansible_base.resource_registry.tasks.sync import ResourceSyncHTTPError, SyncExecutor
+from ansible_base.resource_registry.tasks.sync import ManifestItem, ResourceSyncHTTPError, SyncExecutor, _attempt_create_resource
 
 
 @pytest.fixture(scope="function")
@@ -178,6 +179,36 @@ def test_resource_sync_update_conflict(static_api_client, stdout, resource_to_up
     assert Resource.objects.get(ansible_id=new_id).name == "was_renamed"
 
 
+@pytest.mark.django_db
+def test_resource_sync_create_local_role_definition(static_api_client, stdout, resource_to_update):
+    item_data = {"name": "Organization Inventory Role", "content_type": "shared.organization", "managed": True, "permissions": []}
+    manifest_item = ManifestItem(str(uuid4()), str(uuid4()), item_data)
+    result = _attempt_create_resource(
+        manifest_item=manifest_item,
+        resource_data=item_data,
+        resource_type=ResourceType.objects.get(name='shared.roledefinition'),
+        resource_service_id=str(uuid4()),
+        api_client=static_api_client,  # unused
+    )
+    assert result.status == 'created'
+
+
+@pytest.mark.django_db
+def test_resource_sync_create_non_local_role_definition(static_api_client, stdout, resource_to_update):
+    item_data = {"name": "Remote Role", "content_type": "shared.foo_type", "managed": True, "permissions": []}
+    manifest_item = ManifestItem(str(uuid4()), str(uuid4()), item_data)
+    result = _attempt_create_resource(
+        manifest_item=manifest_item,
+        resource_data=item_data,
+        resource_type=ResourceType.objects.get(name='shared.roledefinition'),
+        resource_service_id=str(uuid4()),
+        api_client=static_api_client,  # unused
+    )
+    assert result.status == 'noop'
+
+    assert not RoleDefinition.objects.filter(name="Remote Role").exists()
+
+
 @pytest.mark.django_db
 def test_resource_sync_create_conflict(static_api_client, stdout, resource_to_update):
     # Update the ansible ID on the local resources so that it causes a conflict to happen.