Do some aesthetic adjustments to role presentation fields (#15153)

* Do some asthetic adjustments to role presentation fields

* Correctly test managed setup

* Minor migration adjustments

awx/main/migrations/_dab_rbac.py

@@ -275,7 +275,12 @@ def setup_managed_role_definitions(apps, schema_editor):
     """
     Idepotent method to create or sync the managed role definitions
     """
-    to_create = settings.ANSIBLE_BASE_ROLE_PRECREATE
+    to_create = {
+        'object_admin': '{cls.__name__} Admin',
+        'org_admin': 'Organization Admin',
+        'org_children': 'Organization {cls.__name__} Admin',
+        'special': '{cls.__name__} {action}',
+    }
 
     ContentType = apps.get_model('contenttypes', 'ContentType')
     Permission = apps.get_model('dab_rbac', 'DABPermission')

awx/main/models/rbac.py

@@ -10,6 +10,9 @@
 # django-rest-framework
 from rest_framework.serializers import ValidationError
 
+# crum to impersonate users
+from crum import impersonate
+
 # Django
 from django.db import models, transaction, connection
 from django.db.models.signals import m2m_changed
@@ -553,17 +556,22 @@ def get_role_definition(role):
         return
     f = obj._meta.get_field(role.role_field)
     action_name = f.name.rsplit("_", 1)[0]
-    rd_name = f'{type(obj).__name__} {action_name.title()} Compat'
+    model_print = type(obj).__name__
+    rd_name = f'{model_print} {action_name.title()} Compat'
     perm_list = get_role_codenames(role)
-    defaults = {'content_type_id': role.content_type_id}
-    try:
-        rd, created = RoleDefinition.objects.get_or_create(name=rd_name, permissions=perm_list, defaults=defaults)
-    except ValidationError:
-        # This is a tricky case - practically speaking, users should not be allowed to create team roles
-        # or roles that include the team member permission.
-        # If we need to create this for compatibility purposes then we will create it as a managed non-editable role
-        defaults['managed'] = True
-        rd, created = RoleDefinition.objects.get_or_create(name=rd_name, permissions=perm_list, defaults=defaults)
+    defaults = {
+        'content_type_id': role.content_type_id,
+        'description': f'Has {action_name.title()} permission to {model_print} for backwards API compatibility',
+    }
+    with impersonate(None):
+        try:
+            rd, created = RoleDefinition.objects.get_or_create(name=rd_name, permissions=perm_list, defaults=defaults)
+        except ValidationError:
+            # This is a tricky case - practically speaking, users should not be allowed to create team roles
+            # or roles that include the team member permission.
+            # If we need to create this for compatibility purposes then we will create it as a managed non-editable role
+            defaults['managed'] = True
+            rd, created = RoleDefinition.objects.get_or_create(name=rd_name, permissions=perm_list, defaults=defaults)
     return rd
 
 

awx/main/tests/functional/api/test_credential.py

@@ -30,7 +30,7 @@ def test_idempotent_credential_type_setup():
 
 
 @pytest.mark.django_db
-def test_create_user_credential_via_credentials_list(post, get, alice, credentialtype_ssh):
+def test_create_user_credential_via_credentials_list(post, get, alice, credentialtype_ssh, setup_managed_roles):
     params = {
         'credential_type': 1,
         'inputs': {'username': 'someusername'},
@@ -81,7 +81,7 @@ def test_credential_validation_error_with_multiple_owner_fields(post, admin, ali
 
 
 @pytest.mark.django_db
-def test_create_user_credential_via_user_credentials_list(post, get, alice, credentialtype_ssh):
+def test_create_user_credential_via_user_credentials_list(post, get, alice, credentialtype_ssh, setup_managed_roles):
     params = {
         'credential_type': 1,
         'inputs': {'username': 'someusername'},

awx/main/tests/functional/conftest.py

@@ -16,6 +16,8 @@
 
 from django.db.models.signals import post_migrate
 
+from awx.main.migrations._dab_rbac import setup_managed_role_definitions
+
 # AWX
 from awx.main.models.projects import Project
 from awx.main.models.ha import Instance
@@ -90,6 +92,12 @@ def deploy_jobtemplate(project, inventory, credential):
     return jt
 
 
+@pytest.fixture
+def setup_managed_roles():
+    "Run the migration script to pre-create managed role definitions"
+    setup_managed_role_definitions(apps, None)
+
+
 @pytest.fixture
 def team(organization):
     return organization.teams.create(name='test-team')

awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py

@@ -10,7 +10,7 @@
 
 
 @pytest.mark.django_db
-def test_managed_roles_created(managed_roles):
+def test_managed_roles_created(setup_managed_roles):
     "Managed RoleDefinitions are created in post_migration signal, we expect to see them here"
     for cls in (JobTemplate, Inventory):
         ct = ContentType.objects.get_for_model(cls)
@@ -22,7 +22,7 @@ def test_managed_roles_created(managed_roles):
 
 
 @pytest.mark.django_db
-def test_custom_read_role(admin_user, post, managed_roles):
+def test_custom_read_role(admin_user, post, setup_managed_roles):
     rd_url = django_reverse('roledefinition-list')
     resp = post(
         url=rd_url, data={"name": "read role made for test", "content_type": "awx.inventory", "permissions": ['view_inventory']}, user=admin_user, expect=201
@@ -40,7 +40,7 @@ def test_custom_system_roles_prohibited(admin_user, post):
 
 
 @pytest.mark.django_db
-def test_assignment_to_invisible_user(admin_user, alice, rando, inventory, post, managed_roles):
+def test_assignment_to_invisible_user(admin_user, alice, rando, inventory, post, setup_managed_roles):
     "Alice can not see rando, and so can not give them a role assignment"
     rd = RoleDefinition.objects.get(name='Inventory Admin')
     rd.give_permission(alice, inventory)
@@ -51,7 +51,7 @@ def test_assignment_to_invisible_user(admin_user, alice, rando, inventory, post,
 
 
 @pytest.mark.django_db
-def test_assign_managed_role(admin_user, alice, rando, inventory, post, managed_roles, organization):
+def test_assign_managed_role(admin_user, alice, rando, inventory, post, setup_managed_roles, organization):
     rd = RoleDefinition.objects.get(name='Inventory Admin')
     rd.give_permission(alice, inventory)
     # When alice and rando are members of the same org, they can see each other
@@ -78,7 +78,7 @@ def test_assign_custom_delete_role(admin_user, rando, inventory, delete, patch):
 
 
 @pytest.mark.django_db
-def test_assign_custom_add_role(admin_user, rando, organization, post, managed_roles):
+def test_assign_custom_add_role(admin_user, rando, organization, post, setup_managed_roles):
     rd, _ = RoleDefinition.objects.get_or_create(
         name='inventory-add', permissions=['add_inventory', 'view_organization'], content_type=ContentType.objects.get_for_model(Organization)
     )

awx/main/tests/functional/dab_rbac/test_translation_layer.py

@@ -2,19 +2,23 @@
 
 import pytest
 
+from django.contrib.contenttypes.models import ContentType
+
+from crum import impersonate
+
 from awx.main.models.rbac import get_role_from_object_role, give_creator_permissions
 from awx.main.models import User, Organization, WorkflowJobTemplate, WorkflowJobTemplateNode, Team
 from awx.api.versioning import reverse
 
-from ansible_base.rbac.models import RoleUserAssignment
+from ansible_base.rbac.models import RoleUserAssignment, RoleDefinition
 
 
 @pytest.mark.django_db
 @pytest.mark.parametrize(
     'role_name',
     ['execution_environment_admin_role', 'project_admin_role', 'admin_role', 'auditor_role', 'read_role', 'execute_role', 'notification_admin_role'],
 )
-def test_round_trip_roles(organization, rando, role_name, managed_roles):
+def test_round_trip_roles(organization, rando, role_name, setup_managed_roles):
     """
     Make an assignment with the old-style role,
     get the equivelent new role
@@ -28,7 +32,39 @@ def test_round_trip_roles(organization, rando, role_name, managed_roles):
 
 
 @pytest.mark.django_db
-def test_organization_level_permissions(organization, inventory, managed_roles):
+def test_role_naming(setup_managed_roles):
+    qs = RoleDefinition.objects.filter(content_type=ContentType.objects.get(model='jobtemplate'), name__endswith='dmin')
+    assert qs.count() == 1  # sanity
+    rd = qs.first()
+    assert rd.name == 'JobTemplate Admin'
+    assert rd.description
+    assert rd.created_by is None
+
+
+@pytest.mark.django_db
+def test_action_role_naming(setup_managed_roles):
+    qs = RoleDefinition.objects.filter(content_type=ContentType.objects.get(model='jobtemplate'), name__endswith='ecute')
+    assert qs.count() == 1  # sanity
+    rd = qs.first()
+    assert rd.name == 'JobTemplate Execute'
+    assert rd.description
+    assert rd.created_by is None
+
+
+@pytest.mark.django_db
+def test_compat_role_naming(setup_managed_roles, job_template, rando, alice):
+    with impersonate(alice):
+        job_template.read_role.members.add(rando)
+    qs = RoleDefinition.objects.filter(content_type=ContentType.objects.get(model='jobtemplate'), name__endswith='ompat')
+    assert qs.count() == 1  # sanity
+    rd = qs.first()
+    assert rd.name == 'JobTemplate Read Compat'
+    assert rd.description
+    assert rd.created_by is None
+
+
+@pytest.mark.django_db
+def test_organization_level_permissions(organization, inventory, setup_managed_roles):
     u1 = User.objects.create(username='alice')
     u2 = User.objects.create(username='bob')
 
@@ -58,14 +94,14 @@ def test_organization_level_permissions(organization, inventory, managed_roles):
 
 
 @pytest.mark.django_db
-def test_organization_execute_role(organization, rando, managed_roles):
+def test_organization_execute_role(organization, rando, setup_managed_roles):
     organization.execute_role.members.add(rando)
     assert rando in organization.execute_role
     assert set(Organization.accessible_objects(rando, 'execute_role')) == set([organization])
 
 
 @pytest.mark.django_db
-def test_workflow_approval_list(get, post, admin_user, managed_roles):
+def test_workflow_approval_list(get, post, admin_user, setup_managed_roles):
     workflow_job_template = WorkflowJobTemplate.objects.create()
     approval_node = WorkflowJobTemplateNode.objects.create(workflow_job_template=workflow_job_template)
     url = reverse('api:workflow_job_template_node_create_approval', kwargs={'pk': approval_node.pk, 'version': 'v2'})
@@ -79,14 +115,14 @@ def test_workflow_approval_list(get, post, admin_user, managed_roles):
 
 
 @pytest.mark.django_db
-def test_creator_permission(rando, admin_user, inventory, managed_roles):
+def test_creator_permission(rando, admin_user, inventory, setup_managed_roles):
     give_creator_permissions(rando, inventory)
     assert rando in inventory.admin_role
     assert rando in inventory.admin_role.members.all()
 
 
 @pytest.mark.django_db
-def test_team_team_read_role(rando, team, admin_user, post, managed_roles):
+def test_team_team_read_role(rando, team, admin_user, post, setup_managed_roles):
     orgs = [Organization.objects.create(name=f'foo-{i}') for i in range(2)]
     teams = [Team.objects.create(name=f'foo-{i}', organization=orgs[i]) for i in range(2)]
     teams[1].member_role.members.add(rando)

awx/main/tests/functional/test_rbac_job_templates.py

@@ -165,7 +165,7 @@ def test_system_admin_orphan_capabilities(self, job_template, admin_user):
 
 @pytest.mark.django_db
 @pytest.mark.job_permissions
-def test_job_template_creator_access(project, organization, rando, post):
+def test_job_template_creator_access(project, organization, rando, post, setup_managed_roles):
     project.use_role.members.add(rando)
     response = post(
         url=reverse('api:job_template_list'),

awx/settings/defaults.py

@@ -1148,13 +1148,8 @@
 
 # Settings for the ansible_base RBAC system
 
-# Only used internally, names of the managed RoleDefinitions to create
-ANSIBLE_BASE_ROLE_PRECREATE = {
-    'object_admin': '{cls.__name__} Admin',
-    'org_admin': 'Organization Admin',
-    'org_children': 'Organization {cls.__name__} Admin',
-    'special': '{cls.__name__} {action}',
-}
+# This has been moved to data migration code
+ANSIBLE_BASE_ROLE_PRECREATE = {}
 
 # Name for auto-created roles that give users permissions to what they create
 ANSIBLE_BASE_ROLE_CREATOR_NAME = '{cls.__name__} Creator'