From 69ea456cf6bde97383d943583eb4bfcb73392c18 Mon Sep 17 00:00:00 2001
From: Jeff Bradberry
Date: Thu, 3 Mar 2022 16:02:53 -0500
Subject: [PATCH] Expand out the early membership role assignment

The Member role can derive from e.g. the Org Admin role, so basically all organization and team roles should be assigned first, so that RBAC conditions are met when assigning later roles.
---
 awxkit/awxkit/api/pages/api.py | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/awxkit/awxkit/api/pages/api.py b/awxkit/awxkit/api/pages/api.py
index 1feadf444d..7ce4b7a042 100644
--- a/awxkit/awxkit/api/pages/api.py
+++ b/awxkit/awxkit/api/pages/api.py
@@ -1,3 +1,4 @@
+from collections import defaultdict
 import itertools
 import logging
@@ -204,7 +205,7 @@ class ApiV2(base.Base):
 # Import methods
- def _dependent_resources(self, data):
+ def _dependent_resources(self):
 page_resource = {getattr(self, resource)._create().__item_class__: resource for resource in self.json}
 data_pages = [getattr(self, resource)._create().__item_class__ for resource in EXPORTABLE_RESOURCES]
@@ -256,7 +257,12 @@ class ApiV2(base.Base):
 if not S:
 continue
 if name == 'roles':
- self._roles.append((_page, S))
+ indexed_roles = defaultdict(list)
+ for role in S:
+ if 'content_object' not in role:
+ continue
+ indexed_roles[role['content_object']['type']].append(role)
+ self._roles.append((_page, indexed_roles))
 else:
 self._related.append((_page, name, S))
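Review bot: A role that has no `content_object` key is dropped by the bare `continue` in the new indexing loop of the `@@ -256,7 +257,12 @@` hunk, and nothing is logged, so an import can leave a grant out without the operator seeing why. Logging the skip keeps that auditable, for example `log.debug("Skipping role %r: no content_object", role.get('name'))` just before the `continue`. The lookup `role['content_object']['type']` also assumes every content object carries a `type`; if the export format does not guarantee that, a malformed entry would raise KeyError and stop the import part-way through. The enclosing method starts and ends outside the hunk, so whether later code already tolerates such roles is not visible here.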
@@ -278,17 +284,17 @@ class ApiV2(base.Base):
 log.debug("post_data: %r", {'id': role_page['id']})
 def _assign_membership(self):
- for _page, roles in self._roles:
+ for _page, indexed_roles in self._roles:
 role_endpoint = _page.json['related']['roles']
- for role in roles:
- if role['name'] == 'Member':
+ for content_type in ('organization', 'team'):
+ for role in indexed_roles.get(content_type, []):
 self._assign_role(role_endpoint, role)
 def _assign_roles(self):
- for _page, roles in self._roles:
+ for _page, indexed_roles in self._roles:
 role_endpoint = _page.json['related']['roles']
- for role in roles:
- if role['name'] != 'Member':
+ for content_type in set(indexed_roles) - {'organization', 'team'}:
+ for role in indexed_roles.get(content_type, []):
 self._assign_role(role_endpoint, role)
 def _assign_related(self):
@@ -330,7 +336,7 @@ class ApiV2(base.Base):
 changed = False
- for resource in self._dependent_resources(data):
+ for resource in self._dependent_resources():
 endpoint = getattr(self, resource)
 # Load up existing objects, so that we can try to update or link to them
 self._cache.get_page(endpoint)
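Review bot: In `_assign_roles` the loop `for content_type in set(indexed_roles) - {'organization', 'team'}:` walks a set of strings, whose iteration order can differ from one interpreter run to the next, so the order in which the remaining content types receive their roles is not reproducible. Since the point of the commit is that RBAC assignment is order-sensitive, a fixed order makes a failed grant repeatable and easier to diagnose: `for content_type in sorted(set(indexed_roles) - {'organization', 'team'}):`. Separately, `_assign_membership` now assigns every organization and team role rather than only `Member`, so a one-line docstring such as `"""Assign all organization and team roles first so later role grants pass RBAC checks."""` would keep the name from misleading readers.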