AAP-51654 Enforce that references to objects are strictly done in claims data, not token data (#809)

The prior solution partially migrate us from passing claims data inside
of the JWT data to a new user "claims" data structure.

However, it was still referencing "objects" inside of the JWT data
itself.

This refactors the methods out of the auth class, which makes this kind
of bug likely. Stuff is just passed as method arguments in this new
approach. This is what I originally expected out of this work.

Author: AlanCoding

ansible_base/jwt_consumer/common/auth.py

@@ -1,14 +1,11 @@
 import logging
 import uuid
 from datetime import datetime
-from typing import Optional, Tuple
+from typing import Optional
 
 import jwt
-from django.apps import apps
-from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.core.exceptions import ObjectDoesNotExist
-from django.db.models import Model
 from django.db.utils import IntegrityError
 from rest_framework.authentication import BaseAuthentication
 from rest_framework.exceptions import AuthenticationFailed
@@ -19,7 +16,7 @@
 from ansible_base.lib.logging.runtime import log_excess_runtime
 from ansible_base.lib.utils.auth import get_user_by_ansible_id
 from ansible_base.lib.utils.translations import translatableConditionally as _
-from ansible_base.rbac.claims import get_claims_hash, get_user_claims, get_user_claims_hashable_form
+from ansible_base.rbac.claims import get_claims_hash, get_user_claims, get_user_claims_hashable_form, save_user_claims
 from ansible_base.resource_registry.models import Resource, ResourceType
 from ansible_base.resource_registry.rest_client import get_resource_server_client
 from ansible_base.resource_registry.signals.handlers import no_reverse_sync
@@ -36,18 +33,6 @@
     "is_superuser",
 ]
 
-_permission_registry = None
-
-
-def permission_registry():
-    global _permission_registry
-
-    if not _permission_registry:
-        from ansible_base.rbac.permission_registry import permission_registry as permission_registry_singleton
-
-        _permission_registry = permission_registry_singleton
-    return _permission_registry
-
 
 class JWTCommonAuth:
     def __init__(self, user_fields=default_mapped_user_fields) -> None:
@@ -241,24 +226,6 @@ def decode_jwt_token(self, unencrypted_token, decryption_key, additional_options
             algorithms=["RS256"],
         )
 
-    def get_role_definition(self, name: str) -> Optional[Model]:
-        """Simply get the RoleDefinition from the database if it exists and handler corner cases
-
-        If this is the name of a managed role for which we have a corresponding definition in code,
-        and that role can not be found in the database, it may be created here
-        """
-        from ansible_base.rbac.models import RoleDefinition
-
-        try:
-            return RoleDefinition.objects.get(name=name)
-        except RoleDefinition.DoesNotExist:
-
-            constructor = permission_registry().get_managed_role_constructor_by_name(name)
-            if constructor:
-                rd, _ = constructor.get_or_create(apps)
-                return rd
-        return None
-
     def process_rbac_permissions(self):
         """
         Process RBAC permissions using claims hash logic
@@ -313,7 +280,7 @@ def process_rbac_permissions(self):
             global_roles = gateway_claims.get('global_roles', [])
 
             # Process the RBAC permissions with the gateway claims
-            self._apply_rbac_permissions(objects, object_roles, global_roles)
+            save_user_claims(self.user, objects, object_roles, global_roles)
 
             # Update cache with the new hash
             self.cache.cache_claims_hash(user_ansible_id, jwt_claims_hash)
@@ -344,108 +311,6 @@ def _fetch_jwt_claims_from_gateway(self, user_ansible_id: str) -> Optional[dict]
             logger.error(f"Error fetching claims from gateway: {e}")
             return None
 
-    def _apply_rbac_permissions(self, objects, object_roles, global_roles):
-        """
-        Apply RBAC permissions from claims data
-        """
-        from ansible_base.rbac.models import RoleUserAssignment
-
-        role_diff = RoleUserAssignment.objects.filter(user=self.user, role_definition__name__in=settings.ANSIBLE_BASE_JWT_MANAGED_ROLES)
-
-        for system_role_name in global_roles:
-            logger.debug(f"Processing system role {system_role_name} for {self.user.username}")
-            rd = self.get_role_definition(system_role_name)
-            if rd:
-                if rd.name in settings.ANSIBLE_BASE_JWT_MANAGED_ROLES:
-                    assignment = rd.give_global_permission(self.user)
-                    role_diff = role_diff.exclude(pk=assignment.pk)
-                    logger.info(f"Granted user {self.user.username} global role {system_role_name}")
-                else:
-                    logger.error(f"Unable to grant {self.user.username} system level role {system_role_name} because it is not a JWT managed role")
-            else:
-                logger.error(f"Unable to grant {self.user.username} system level role {system_role_name} because it does not exist")
-                continue
-
-        for object_role_name in object_roles.keys():
-            rd = self.get_role_definition(object_role_name)
-            if rd is None:
-                logger.error(f"Unable to grant {self.user.username} object role {object_role_name} because it does not exist")
-                continue
-            elif rd.name not in settings.ANSIBLE_BASE_JWT_MANAGED_ROLES:
-                logger.error(f"Unable to grant {self.user.username} object role {object_role_name} because it is not a JWT managed role")
-                continue
-
-            object_type = object_roles[object_role_name]['content_type']
-            object_indexes = object_roles[object_role_name]['objects']
-
-            for index in object_indexes:
-                object_data = objects[object_type][index]
-                try:
-                    resource, obj = self.get_or_create_resource(object_type, object_data)
-                except IntegrityError as e:
-                    logger.warning(
-                        f"Got integrity error ({e}) on {object_data}. Skipping {object_type} assignment. "
-                        "Please make sure the sync task is running to prevent this warning in the future."
-                    )
-                    continue
-
-                if resource is not None:
-                    assignment = rd.give_permission(self.user, obj)
-                    role_diff = role_diff.exclude(pk=assignment.pk)
-                    logger.info(f"Granted user {self.user.username} role {object_role_name} to object {obj.name} with ansible_id {object_data['ansible_id']}")
-
-        # Remove all permissions not authorized by the JWT
-        for role_assignment in role_diff:
-            rd = role_assignment.role_definition
-            content_object = role_assignment.content_object
-            if content_object:
-                rd.remove_permission(self.user, content_object)
-            else:
-                rd.remove_global_permission(self.user)
-
-    def get_or_create_resource(self, content_type: str, data: dict) -> Tuple[Optional[Resource], Optional[Model]]:
-        """
-        Gets or creates a resource from a content type and its default data
-
-        This can only build or get organizations or teams
-        """
-        object_ansible_id = data['ansible_id']
-        try:
-            resource = Resource.objects.get(ansible_id=object_ansible_id)
-            logger.debug(f"Resource {object_ansible_id} already exists")
-            return resource, resource.content_object
-        except Resource.DoesNotExist:
-            pass
-
-        # The resource was missing so we need to create its stub
-        if content_type == 'team':
-            # For a team we first have to make sure the org is there
-            org_id = data['org']
-            organization_data = self.token['objects']["organization"][org_id]
-
-            # Now that we have the org we can build a team
-            org_resource, _ = self.get_or_create_resource("organization", organization_data)
-
-            resource = Resource.create_resource(
-                ResourceType.objects.get(name="shared.team"),
-                {"name": data["name"], "organization": org_resource.ansible_id},
-                ansible_id=data["ansible_id"],
-            )
-
-            return resource, resource.content_object
-
-        elif content_type == 'organization':
-            resource = Resource.create_resource(
-                ResourceType.objects.get(name="shared.organization"),
-                {"name": data["name"]},
-                ansible_id=data["ansible_id"],
-            )
-
-            return resource, resource.content_object
-        else:
-            logger.error(f"build_resource_stub does not know how to build an object of type {type}")
-            return None, None
-
 
 class JWTAuthentication(BaseAuthentication):
     map_fields = default_mapped_user_fields

ansible_base/jwt_consumer/hub/auth.py

@@ -1,89 +1,9 @@
 import logging
 
-from django.contrib.contenttypes.models import ContentType
-from django.db.models.query import IntegrityError
-
 from ansible_base.jwt_consumer.common.auth import JWTAuthentication
-from ansible_base.jwt_consumer.common.exceptions import InvalidService
-from ansible_base.rbac.models import RoleDefinition, RoleUserAssignment
-from ansible_base.resource_registry.models import Resource
 
 logger = logging.getLogger('ansible_base.jwt_consumer.hub.auth')
 
 
 class HubJWTAuth(JWTAuthentication):
-
-    def get_galaxy_models(self):
-        '''This is separate from process_permissions purely for testability.'''
-        try:
-            from galaxy_ng.app.models import Organization, Team
-        except ImportError:
-            raise InvalidService("automation-hub")
-
-        return Organization, Team
-
-    def _apply_rbac_permissions(self, objects, object_roles, global_roles):
-        # Map teams in the JWT to Automation Hub groups.
-        Organization, Team = self.get_galaxy_models()
-        self.team_content_type = ContentType.objects.get_for_model(Team)
-        self.org_content_type = ContentType.objects.get_for_model(Organization)
-
-        # TODO - galaxy does not have an org admin roledef yet
-        # admin_orgs = []
-
-        # TODO - galaxy does not have an org member roledef yet
-        # member_orgs = []
-
-        # The "shared" [!local] teams this user admins
-        admin_teams = []
-
-        # the teams this user should have a "shared" [!local] assignment to
-        member_teams = []
-
-        for role_name in object_roles.keys():
-            if role_name.startswith('Team'):
-                for object_index in object_roles[role_name]['objects']:
-                    team_data = objects['team'][object_index]
-                    ansible_id = team_data['ansible_id']
-                    try:
-                        team = Resource.objects.get(ansible_id=ansible_id).content_object
-                    except Resource.DoesNotExist:
-                        try:
-                            team = self.common_auth.get_or_create_resource('team', team_data)[1]
-                        except IntegrityError as e:
-                            logger.warning(
-                                f"Got integrity error ({e}) on {team_data}. Skipping team assignment. "
-                                "Please make sure the sync task is running to prevent this warning in the future."
-                            )
-                            continue
-
-                    if role_name == 'Team Admin':
-                        admin_teams.append(team)
-                    elif role_name == 'Team Member':
-                        member_teams.append(team)
-
-        for roledef_name, teams in [('Team Admin', admin_teams), ('Team Member', member_teams)]:
-
-            # the "shared" "non-local" definition ...
-            try:
-                roledef = RoleDefinition.objects.get(name=roledef_name)
-            except RoleDefinition.DoesNotExist:
-                raise RoleDefinition.DoesNotExist(f'Expected JWT role {roledef_name} does not exist locally')
-
-            # pks for filtering ...
-            team_pks = [team.pk for team in teams]
-
-            # delete all assignments not defined by this jwt ...
-            for assignment in RoleUserAssignment.objects.filter(user=self.common_auth.user, role_definition=roledef).exclude(object_id__in=team_pks):
-                team = Team.objects.get(pk=assignment.object_id)
-                roledef.remove_permission(self.common_auth.user, team)
-
-            # assign "non-local" for each team ...
-            for team in teams:
-                roledef.give_permission(self.common_auth.user, team)
-
-        auditor_roledef = RoleDefinition.objects.get(name='Platform Auditor')
-        if "Platform Auditor" in global_roles:
-            auditor_roledef.give_global_permission(self.common_auth.user)
-        else:
-            auditor_roledef.remove_global_permission(self.common_auth.user)
+    use_rbac_permissions = True