feat: Not allow local resource management by default (#1359)

<!-- Mandatory: Provide a clear, concise description of the changes and
their purpose -->
AAP-48659 asks to remove ALLOW_LOCAL_RESOURCE_MANAGEMENT in EDA. This
flag is no longer used across AAP.
<!-- If applicable, provide a link to the issue that is being addressed
-->
https://issues.redhat.com/browse/AAP-48659
<!-- What is being changed? -->
This PR converts ALLOW_LOCAL_RESOURCE_MANAGEMENT to an internal flag.
The default value is False meaning EDA is not allowed to create/modify
shared resources. PDE does not need to manipulate the flag. The flag is
not completely removed for development purpose. It can be turn on to run
EDA standalone.
<!-- Why is this change needed? -->
<!-- How does this change address the issue? -->
<!-- Does this change introduce any new dependencies, blockers or
breaking changes? -->
<!-- How it can be tested? -->

Author: bzwei

src/aap_eda/settings/defaults.py

@@ -220,8 +220,12 @@
 ANSIBLE_BASE_JWT_VALIDATE_CERT: bool = False
 ANSIBLE_BASE_JWT_KEY: str = "https://localhost"
 
+# Default Not allow local resource management.
+# Ignore what is set in DAB.
+# Can be changed via ENV
+ALLOW_LOCAL_RESOURCE_MANAGEMENT: bool = False
+
 # These settings have defaults in DAB
-# ALLOW_LOCAL_RESOURCE_MANAGEMENT
 # RESOURCE_SERVICE_PATH
 # RESOURCE_SERVER_SYNC_ENABLED
 # ENABLE_SERVICE_BACKED_SSO

src/aap_eda/settings/development_defaults.py

@@ -20,7 +20,7 @@
 ANSIBLE_BASE_MANAGED_ROLE_REGISTRY = {}
 ANSIBLE_BASE_JWT_KEY = "https://localhost"
 ANSIBLE_BASE_JWT_VALIDATE_CERT = False
-ALLOW_LOCAL_RESOURCE_MANAGEMENT: True
+ALLOW_LOCAL_RESOURCE_MANAGEMENT = True
 
 RESOURCE_SERVER = {
     "URL": None,

tests/integration/api/test_organization.py

@@ -100,6 +100,7 @@ def test_list_organizations_filter_by_ansible_id(
 
 @pytest.mark.django_db
 def test_create_organization(
+    use_local_resource_setting,
     base_client: APIClient,
     super_user: models.User,
 ):
@@ -152,6 +153,7 @@ def test_retrieve_organization_not_exist(admin_client: APIClient):
 
 @pytest.mark.django_db
 def test_partial_update_organization_success(
+    use_local_resource_setting,
     new_organization: models.Organization,
     superuser_client: APIClient,
 ):
@@ -180,6 +182,7 @@ def test_partial_update_organization_forbidden(
 
 @pytest.mark.django_db
 def test_partial_update_default_organization_exception(
+    use_local_resource_setting,
     default_organization: models.Organization,
     superuser_client: APIClient,
 ):
@@ -197,7 +200,9 @@ def test_partial_update_default_organization_exception(
 
 @pytest.mark.django_db
 def test_delete_organization_success(
-    new_organization: models.Organization, superuser_client: APIClient
+    use_local_resource_setting,
+    new_organization: models.Organization,
+    superuser_client: APIClient,
 ):
     response = superuser_client.delete(
         f"{api_url_v1}/organizations/{new_organization.id}/"
@@ -212,7 +217,9 @@ def test_delete_organization_success(
 
 @pytest.mark.django_db
 def test_delete_organization_conflict(
-    default_organization: models.Organization, admin_client: APIClient
+    use_local_resource_setting,
+    default_organization: models.Organization,
+    admin_client: APIClient,
 ):
     response = admin_client.delete(
         f"{api_url_v1}/organizations/{default_organization.id}/"
@@ -233,7 +240,9 @@ def test_delete_organization_forbidden(
 
 
 @pytest.mark.django_db
-def test_delete_organization_not_exist(admin_client: APIClient):
+def test_delete_organization_not_exist(
+    use_local_resource_setting, admin_client: APIClient
+):
     response = admin_client.delete(f"{api_url_v1}/organizations/100/")
     assert response.status_code == status.HTTP_404_NOT_FOUND
 

tests/integration/api/test_root.py

@@ -94,6 +94,8 @@
 def test_v1_root(admin_client, request, expected_slugs, use_shared_resource):
     if use_shared_resource:
         request.getfixturevalue("use_shared_resource_setting")
+    else:
+        request.getfixturevalue("use_local_resource_setting")
     response = admin_client.get(f"{api_url_v1}/")
     assert response.status_code == 200
     assert len(response.data) == len(expected_slugs)

tests/integration/api/test_team.py

@@ -88,6 +88,7 @@ def test_list_teams_filter_by_ansible_id(
 
 @pytest.mark.django_db
 def test_create_team(
+    use_local_resource_setting,
     default_organization: models.Organization,
     admin_client: APIClient,
 ):
@@ -123,7 +124,6 @@ def test_create_team_forbidden(
 
 @pytest.mark.django_db
 def test_create_team_unique_name_constraint(
-    use_shared_resource_setting,
     default_organization: models.Organization,
     default_team: models.Team,
     admin_client: APIClient,
@@ -155,6 +155,7 @@ def test_retrieve_team_not_exist(admin_client: APIClient):
 
 @pytest.mark.django_db
 def test_partial_update_team(
+    use_local_resource_setting,
     default_team: models.Team,
     admin_client: APIClient,
 ):
@@ -183,7 +184,9 @@ def test_partial_update_team_forbidden(
 
 @pytest.mark.django_db
 def test_delete_team_success(
-    default_team: models.Team, admin_client: APIClient
+    use_local_resource_setting,
+    default_team: models.Team,
+    admin_client: APIClient,
 ):
     response = admin_client.delete(f"{api_url_v1}/teams/{default_team.id}/")
     assert response.status_code == status.HTTP_204_NO_CONTENT
@@ -202,7 +205,9 @@ def test_delete_team_forbidden(
 
 
 @pytest.mark.django_db
-def test_delete_team_not_exist(admin_client: APIClient):
+def test_delete_team_not_exist(
+    use_local_resource_setting, admin_client: APIClient
+):
     response = admin_client.delete(f"{api_url_v1}/teams/100/")
     assert response.status_code == status.HTTP_404_NOT_FOUND
 

tests/integration/api/test_user.py

@@ -103,7 +103,11 @@ def test_retrieve_current_user_unauthenticated(base_client: APIClient):
 
 
 @pytest.mark.django_db
-def test_update_current_user(admin_client: APIClient, admin_user: models.User):
+def test_update_current_user(
+    use_local_resource_setting,
+    admin_client: APIClient,
+    admin_user: models.User,
+):
     response = admin_client.patch(
         f"{api_url_v1}/users/me/",
         data={
@@ -135,7 +139,9 @@ def test_update_current_user_forbidden(
 
 @pytest.mark.django_db
 def test_update_current_user_password(
-    admin_client: APIClient, admin_user: models.User
+    use_local_resource_setting,
+    admin_client: APIClient,
+    admin_user: models.User,
 ):
     response = admin_client.patch(
         f"{api_url_v1}/users/me/",
@@ -151,6 +157,7 @@ def test_update_current_user_password(
 
 @pytest.mark.django_db
 def test_update_current_user_username_fail(
+    use_local_resource_setting,
     admin_client: APIClient,
     admin_user: models.User,
     admin_info: dict,
@@ -171,7 +178,7 @@ def test_update_current_user_username_fail(
 
 
 @pytest.mark.django_db
-def test_create_user(admin_client: APIClient):
+def test_create_user(use_local_resource_setting, admin_client: APIClient):
     create_user_data = {
         "username": "test.user",
         "first_name": "Test",
@@ -205,7 +212,6 @@ def test_create_user_forbidden(
 
 @pytest.mark.django_db
 def test_update_is_superuser_field(
-    use_shared_resource_setting,
     superuser_client: APIClient,
     new_user: models.User,
 ):
@@ -223,7 +229,6 @@ def test_update_is_superuser_field(
 
 @pytest.mark.django_db
 def test_update_superuser_field_as_non_superuser(
-    use_shared_resource_setting,
     admin_client: APIClient,
     new_user: models.User,
 ):
@@ -240,6 +245,7 @@ def test_update_superuser_field_as_non_superuser(
 
 @pytest.mark.django_db
 def test_create_superuser(
+    use_local_resource_setting,
     superuser_client: APIClient,
     user_api_client: APIClient,
     org_admin_rd,
@@ -277,7 +283,9 @@ def test_create_superuser(
 
 
 @pytest.mark.django_db
-def test_modify_superuser_as_superuser(superuser_client: APIClient):
+def test_modify_superuser_as_superuser(
+    use_local_resource_setting, superuser_client: APIClient
+):
     other_user = models.User.objects.create(username="other-user")
     assert other_user.is_superuser is False  # sanity
     url = reverse("user-detail", kwargs={"pk": other_user.pk})
@@ -288,6 +296,7 @@ def test_modify_superuser_as_superuser(superuser_client: APIClient):
 
 @pytest.mark.django_db
 def test_modify_superuser_as_org_admin(
+    use_local_resource_setting,
     user_api_client: APIClient,
     org_admin_rd,
     org_member_rd,
@@ -322,7 +331,7 @@ def test_modify_superuser_as_org_admin(
 
 @pytest.mark.django_db
 def test_organization_admin_can_create_user(
-    default_user, user_api_client, org_admin_rd
+    use_local_resource_setting, default_user, user_api_client, org_admin_rd
 ):
     create_user_data = {
         "username": "test.user",
@@ -431,6 +440,7 @@ def test_list_users_filter_superuser(
 
 @pytest.mark.django_db
 def test_partial_update_user(
+    use_local_resource_setting,
     admin_client: APIClient,
     admin_user: models.User,
 ):
@@ -472,6 +482,7 @@ def test_partial_update_user_forbidden(
 
 @pytest.mark.django_db
 def test_delete_user(
+    use_local_resource_setting,
     superuser_client: APIClient,
     default_user: models.User,
 ):
@@ -578,6 +589,7 @@ def test_list_users_filter_by_ansible_id(
 
 @pytest.mark.django_db
 def test_resources_remain_after_user_delete(
+    use_local_resource_setting,
     base_client: APIClient,
     admin_user: models.User,
     default_user: models.User,

tests/integration/conftest.py

@@ -816,6 +816,12 @@ def use_shared_resource_setting():
         yield
 
 
+@pytest.fixture
+def use_local_resource_setting():
+    with override_settings(ALLOW_LOCAL_RESOURCE_MANAGEMENT=True):
+        yield
+
+
 # fixture for a running redis server
 @pytest.fixture
 def default_credential_type() -> models.CredentialType:

tests/integration/dab_rbac/test_crud_permissions.py

@@ -41,6 +41,7 @@ def get_detail_url(obj, skip_if_not_found=False):
 @pytest.mark.django_db
 @pytest.mark.parametrize("model", permission_registry.all_registered_models)
 def test_add_permissions(
+    use_local_resource_setting,
     request,
     model,
     cls_factory,
@@ -163,7 +164,13 @@ def test_view_permissions(
 @pytest.mark.django_db
 @pytest.mark.parametrize("model", permission_registry.all_registered_models)
 def test_change_permissions(
-    model, cls_factory, default_user, user_client, give_obj_perm, request
+    use_local_resource_setting,
+    model,
+    cls_factory,
+    default_user,
+    user_client,
+    give_obj_perm,
+    request,
 ):
     model_name = cls_factory.get_model_name(model)
     obj = cls_factory.get_fixture_object(request, model_name)
@@ -205,7 +212,13 @@ def test_change_permissions(
 @pytest.mark.django_db
 @pytest.mark.parametrize("model", permission_registry.all_registered_models)
 def test_delete_permissions(
-    model, cls_factory, default_user, user_client, give_obj_perm, request
+    use_local_resource_setting,
+    model,
+    cls_factory,
+    default_user,
+    user_client,
+    give_obj_perm,
+    request,
 ):
     model_name = cls_factory.get_model_name(model)
     obj = cls_factory.get_fixture_object(request, model_name)

tests/integration/dab_rbac/test_organization.py

@@ -73,7 +73,12 @@ def test_create_with_default_org(cls_factory, model, admin_client, request):
 @pytest.mark.django_db
 @pytest.mark.parametrize("model", ORG_MODELS)
 def test_create_with_custom_org(
-    cls_factory, model, superuser_client, request, new_organization
+    use_local_resource_setting,
+    cls_factory,
+    model,
+    superuser_client,
+    request,
+    new_organization,
 ):
     model_name = cls_factory.get_model_name(model)
     model_obj = cls_factory.get_fixture_object(request, model_name)

tests/integration/dab_rbac/test_related_permissions.py

@@ -20,6 +20,7 @@
 @pytest.mark.django_db
 @pytest.mark.parametrize("model", permission_registry.all_registered_models)
 def test_related_organization_edit_access_control(
+    use_local_resource_setting,
     cls_factory,
     default_user,
     user_client,