Expand out the early membership role assignment

The Member role can derive from e.g. the Org Admin role, so basically all organization and team roles should be assigned first, so that RBAC conditions are met when assigning later roles.
2026-01-09 23:12:08 -03:30 · 2022-03-03 16:02:53 -05:00 · 2022-03-03 16:02:53 -05:00 · 69ea456cf6
commit 69ea456cf6
parent e02e91adaa
1 changed files with 15 additions and 9 deletions
--- a/awxkit/awxkit/api/pages/api.py
+++ b/awxkit/awxkit/api/pages/api.py
@ -1,3 +1,4 @@
+from collections import defaultdict
 import itertools
 import logging

@ -204,7 +205,7 @@ class ApiV2(base.Base):

    # Import methods

-    def _dependent_resources(self, data):
+    def _dependent_resources(self):
        page_resource = {getattr(self, resource)._create().__item_class__: resource for resource in self.json}
        data_pages = [getattr(self, resource)._create().__item_class__ for resource in EXPORTABLE_RESOURCES]

@ -256,7 +257,12 @@ class ApiV2(base.Base):
                if not S:
                    continue
                if name == 'roles':
-                    self._roles.append((_page, S))
+                    indexed_roles = defaultdict(list)
+                    for role in S:
+                        if 'content_object' not in role:
+                            continue
+                        indexed_roles[role['content_object']['type']].append(role)
+                    self._roles.append((_page, indexed_roles))
                else:
                    self._related.append((_page, name, S))

@ -278,17 +284,17 @@ class ApiV2(base.Base):
            log.debug("post_data: %r", {'id': role_page['id']})

    def _assign_membership(self):
-        for _page, roles in self._roles:
+        for _page, indexed_roles in self._roles:
            role_endpoint = _page.json['related']['roles']
-            for role in roles:
-                if role['name'] == 'Member':
+            for content_type in ('organization', 'team'):
+                for role in indexed_roles.get(content_type, []):
                    self._assign_role(role_endpoint, role)

    def _assign_roles(self):
-        for _page, roles in self._roles:
+        for _page, indexed_roles in self._roles:
            role_endpoint = _page.json['related']['roles']
-            for role in roles:
-                if role['name'] != 'Member':
+            for content_type in set(indexed_roles) - {'organization', 'team'}:
+                for role in indexed_roles.get(content_type, []):
                    self._assign_role(role_endpoint, role)

    def _assign_related(self):
@ -330,7 +336,7 @@ class ApiV2(base.Base):

        changed = False

-        for resource in self._dependent_resources(data):
+        for resource in self._dependent_resources():
            endpoint = getattr(self, resource)
            # Load up existing objects, so that we can try to update or link to them
            self._cache.get_page(endpoint)