AAP-48392 Fix test failures due to uptream DAB ContentType changes (#1355)

This is another version of
#1353, but with the dependency
changes reverted.

That linked PR (draft) shows that this is effective. I expect tests will
pass here (which current DAB) as well. But that PR shows that, if we
merge this, it will make downstream tests for
ansible/django-ansible-base#749 will pass.

----

Technical summary:

There are 2 structural changes in DAB RBAC that require adjustment by
the app:
- the `post_migrate` signal will now run _once_ as opposed to run _for
every app_ and to do that, it can only run when the post migrate signal
is called for its own app (the "dab_rbac" app), but doing this mucks
with the assumptions around what order post_migrate methods run in, so
this often requires other post-migrate methods to call the methods to
create DAB types and permissions to resolve the ordering problem
- A DAB RBAC-specific content type app is introduced, and this is
clearly not the same as the proper `ContentType` model, and this will
error any queries that pass a content type object as a python object. To
do that, we'll just use the variable from DAB RBAC for the content type,
which will give the correct model for whatever version of DAB we are
using.

Author: AlanCoding

src/aap_eda/core/management/commands/create_initial_data.py

@@ -17,8 +17,8 @@
 
 from ansible_base.rbac import permission_registry
 from ansible_base.rbac.models import DABPermission, RoleDefinition
+from django.apps import apps
 from django.conf import settings
-from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import ImproperlyConfigured
 from django.core.management import BaseCommand
 from django.db import transaction
@@ -1291,6 +1291,15 @@ def handle(self, *args, **options):
         self._remove_deprecated_credential_kinds()
         enable_redis_prefix()
 
+    @property
+    def content_type_model(self):
+        try:
+            # DAB RBAC migrated to a custom type model, try to use that here
+            return apps.get_model("dab_rbac", "DABContentType")
+        except LookupError:
+            # Fallback for older version of DAB, which just used ContentType
+            return apps.get_model("contenttypes", "ContentType")
+
     def _remove_deprecated_credential_kinds(self):
         """Remove old credential types which are deprecated."""
         for credential_type in models.CredentialType.objects.filter(
@@ -1356,7 +1365,7 @@ def _read_file(self, name: str, key: str):
             return f.read()
 
     def _create_org_roles(self):
-        org_ct = ContentType.objects.get(model="organization")
+        org_ct = self.content_type_model.objects.get(model="organization")
         created = updated = 0
         for role_data in ORG_ROLES:
             data = {
@@ -1426,7 +1435,7 @@ def _create_permissions_for_content_type(self, ct=None) -> list:
 
     def _create_obj_roles(self):
         for cls in permission_registry.all_registered_models:
-            ct = ContentType.objects.get_for_model(cls)
+            ct = self.content_type_model.objects.get_for_model(cls)
             parent_model = permission_registry.get_parent_model(cls)
             # ignore if the model is organization, covered by org roles
             # or child model, inherits permissions from parent model
@@ -1441,7 +1450,9 @@ def _create_obj_roles(self):
             child_models = permission_registry.get_child_models(cls)
             child_names = []
             for _, child_model in child_models:
-                child_ct = ContentType.objects.get_for_model(child_model)
+                child_ct = self.content_type_model.objects.get_for_model(
+                    child_model
+                )
                 permissions.extend(
                     self._create_permissions_for_content_type(child_ct)
                 )
@@ -1500,7 +1511,7 @@ def _create_obj_roles(self):
                     name=f"Organization {cls._meta.verbose_name.title()} Admin",  # noqa: E501
                     defaults={
                         "description": f"Has all permissions to {cls._meta.verbose_name}s within an organization",  # noqa: E501
-                        "content_type": ContentType.objects.get(
+                        "content_type": self.content_type_model.objects.get(
                             model="organization"
                         ),
                         "managed": True,

tests/integration/api/test_user.py

@@ -15,8 +15,8 @@
 from typing import Any, Dict
 
 import pytest
+from ansible_base.rbac import permission_registry
 from ansible_base.rbac.models import DABPermission, RoleDefinition
-from django.contrib.contenttypes.models import ContentType
 from rest_framework import status
 from rest_framework.reverse import reverse
 from rest_framework.test import APIClient
@@ -49,7 +49,9 @@ def org_admin_rd():
             "view_organization",
             "delete_organization",
         ],
-        content_type=ContentType.objects.get_for_model(models.Organization),
+        content_type=permission_registry.content_type_model.objects.get_for_model(  # noqa: E501
+            models.Organization
+        ),
         managed=True,  # custom roles can not include these permissions
     )
 
@@ -62,7 +64,9 @@ def org_member_rd():
             "member_organization",
             "view_organization",
         ],
-        content_type=ContentType.objects.get_for_model(models.Organization),
+        content_type=permission_registry.content_type_model.objects.get_for_model(  # noqa: E501
+            models.Organization
+        ),
         managed=True,
     )
 
@@ -584,7 +588,9 @@ def test_resources_remain_after_user_delete(
     # Give default user permission to create resources
     admin_role = RoleDefinition.objects.create(
         name="Elevated User",
-        content_type=ContentType.objects.get_for_model(default_organization),
+        content_type=permission_registry.content_type_model.objects.get_for_model(  # noqa: E501
+            default_organization
+        ),
     )
     admin_role.permissions.add(*DABPermission.objects.all())
     admin_role.give_permission(default_user, default_organization)

tests/integration/conftest.py

@@ -19,10 +19,10 @@
 from unittest.mock import MagicMock, create_autospec
 
 import pytest
+from ansible_base.rbac import permission_registry
 from ansible_base.rbac.models import DABPermission, RoleDefinition
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
-from django.contrib.contenttypes.models import ContentType
 from django.test import override_settings
 from rest_framework.test import APIClient
 
@@ -92,7 +92,9 @@ def admin_user(default_organization, admin_info):
     )
     admin_role = RoleDefinition.objects.create(
         name="Test Admin",
-        content_type=ContentType.objects.get_for_model(default_organization),
+        content_type=permission_registry.content_type_model.objects.get_for_model(  # noqa: E501
+            default_organization
+        ),
     )
     admin_role.permissions.add(*DABPermission.objects.all())
     admin_role.give_permission(user, default_organization)

tests/integration/dab_rbac/conftest.py

@@ -13,7 +13,7 @@
 #  limitations under the License.
 import pytest
 from ansible_base.rbac.models import DABPermission, RoleDefinition
-from django.contrib.contenttypes.models import ContentType
+from django.apps import apps
 from django.db.models import ForeignKey
 from django.forms.models import model_to_dict
 from rest_framework.test import APIClient
@@ -91,7 +91,15 @@ def _rf(target_user, obj, action):
         this creates a role definition with that permission
         then it gives the specified user to the specified object
         """
-        ct = ContentType.objects.get_for_model(obj)
+
+        try:
+            # DAB RBAC migrated to a custom type model, try to use that here
+            ct_model = apps.get_model("dab_rbac", "DABContentType")
+        except LookupError:
+            # Fallback for older version of DAB, which just used ContentType
+            ct_model = apps.get_model("contenttypes", "ContentType")
+
+        ct = ct_model.objects.get_for_model(obj)
         rd, _ = RoleDefinition.objects.get_or_create(
             name=f"{obj._meta.model_name}-{action}", content_type=ct
         )

tests/integration/dab_rbac/test_crud_permissions.py

@@ -15,7 +15,6 @@
 import pytest
 from ansible_base.rbac import permission_registry
 from ansible_base.rbac.models import DABPermission, RoleDefinition
-from django.contrib.contenttypes.models import ContentType
 from django.test import override_settings
 from django.urls.exceptions import NoReverseMatch
 from rest_framework.reverse import reverse
@@ -71,7 +70,9 @@ def test_add_permissions(
         )
         add_rd = RoleDefinition.objects.create(
             name=f"add-{model._meta.model_name}",
-            content_type=ContentType.objects.get_for_model(parent_obj),
+            content_type=permission_registry.content_type_model.objects.get_for_model(  # noqa: E501
+                parent_obj
+            ),
         )
         add_rd.permissions.add(
             DABPermission.objects.get(codename=f"add_{model._meta.model_name}")

tests/integration/dab_rbac/test_role_permissions.py

@@ -13,8 +13,8 @@
 #  limitations under the License.
 
 import pytest
+from ansible_base.rbac import permission_registry
 from ansible_base.rbac.models import RoleDefinition, RoleUserAssignment
-from django.contrib.contenttypes.models import ContentType
 from rest_framework.reverse import reverse
 
 from aap_eda.core import models
@@ -24,7 +24,9 @@
 def view_activation_rd():
     return RoleDefinition.objects.create_from_permissions(
         name="view_act",
-        content_type=ContentType.objects.get_for_model(models.Activation),
+        content_type=permission_registry.content_type_model.objects.get_for_model(  # noqa: E501
+            models.Activation
+        ),
         permissions=["view_activation"],
     )