[RBAC] Rename managed role definitions, and move migration logic here (#15087)

* Rename managed role definitions, and move migration logic here

* Fix naming capitalization

awx/main/tests/functional/dab_rbac/conftest.py

@@ -0,0 +1,10 @@
+import pytest
+from django.apps import apps
+
+from awx.main.migrations._dab_rbac import setup_managed_role_definitions
+
+
+@pytest.fixture
+def managed_roles():
+    "Run the migration script to pre-create managed role definitions"
+    setup_managed_role_definitions(apps, None)

awx/main/tests/functional/dab_rbac/test_dab_migration.py

@@ -0,0 +1,45 @@
+import pytest
+from django.apps import apps
+from django.test.utils import override_settings
+
+from awx.main.migrations._dab_rbac import setup_managed_role_definitions
+
+from ansible_base.rbac.models import RoleDefinition
+
+INVENTORY_OBJ_PERMISSIONS = ['view_inventory', 'adhoc_inventory', 'use_inventory', 'change_inventory', 'delete_inventory', 'update_inventory']
+
+
+@pytest.mark.django_db
+def test_managed_definitions_precreate():
+    with override_settings(
+        ANSIBLE_BASE_ROLE_PRECREATE={
+            'object_admin': '{cls._meta.model_name}-admin',
+            'org_admin': 'organization-admin',
+            'org_children': 'organization-{cls._meta.model_name}-admin',
+            'special': '{cls._meta.model_name}-{action}',
+        }
+    ):
+        setup_managed_role_definitions(apps, None)
+    rd = RoleDefinition.objects.get(name='inventory-admin')
+    assert rd.managed is True
+    # add permissions do not go in the object-level admin
+    assert set(rd.permissions.values_list('codename', flat=True)) == set(INVENTORY_OBJ_PERMISSIONS)
+
+    # test org-level object admin permissions
+    rd = RoleDefinition.objects.get(name='organization-inventory-admin')
+    assert rd.managed is True
+    assert set(rd.permissions.values_list('codename', flat=True)) == set(['add_inventory', 'view_organization'] + INVENTORY_OBJ_PERMISSIONS)
+
+
+@pytest.mark.django_db
+def test_managed_definitions_custom_obj_admin_name():
+    with override_settings(
+        ANSIBLE_BASE_ROLE_PRECREATE={
+            'object_admin': 'foo-{cls._meta.model_name}-foo',
+        }
+    ):
+        setup_managed_role_definitions(apps, None)
+    rd = RoleDefinition.objects.get(name='foo-inventory-foo')
+    assert rd.managed is True
+    # add permissions do not go in the object-level admin
+    assert set(rd.permissions.values_list('codename', flat=True)) == set(INVENTORY_OBJ_PERMISSIONS)

awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py

@@ -10,19 +10,19 @@ from ansible_base.rbac.models import RoleDefinition
 
 
 @pytest.mark.django_db
-def test_managed_roles_created():
+def test_managed_roles_created(managed_roles):
     "Managed RoleDefinitions are created in post_migration signal, we expect to see them here"
     for cls in (JobTemplate, Inventory):
         ct = ContentType.objects.get_for_model(cls)
         rds = list(RoleDefinition.objects.filter(content_type=ct))
         assert len(rds) > 1
-        assert f'{cls._meta.model_name}-admin' in [rd.name for rd in rds]
+        assert f'{cls.__name__} Admin' in [rd.name for rd in rds]
         for rd in rds:
             assert rd.managed is True
 
 
 @pytest.mark.django_db
-def test_custom_read_role(admin_user, post):
+def test_custom_read_role(admin_user, post, managed_roles):
     rd_url = django_reverse('roledefinition-list')
     resp = post(
         url=rd_url, data={"name": "read role made for test", "content_type": "awx.inventory", "permissions": ['view_inventory']}, user=admin_user, expect=201
@@ -40,8 +40,8 @@ def test_custom_system_roles_prohibited(admin_user, post):
 
 
 @pytest.mark.django_db
-def test_assign_managed_role(admin_user, alice, rando, inventory, post):
-    rd = RoleDefinition.objects.get(name='inventory-admin')
+def test_assign_managed_role(admin_user, alice, rando, inventory, post, managed_roles):
+    rd = RoleDefinition.objects.get(name='Inventory Admin')
     rd.give_permission(alice, inventory)
     # Now that alice has full permissions to the inventory, she will give rando permission
     url = django_reverse('roleuserassignment-list')
@@ -63,7 +63,7 @@ def test_assign_custom_delete_role(admin_user, rando, inventory, delete, patch):
 
 
 @pytest.mark.django_db
-def test_assign_custom_add_role(admin_user, rando, organization, post):
+def test_assign_custom_add_role(admin_user, rando, organization, post, managed_roles):
     rd, _ = RoleDefinition.objects.get_or_create(
         name='inventory-add', permissions=['add_inventory', 'view_organization'], content_type=ContentType.objects.get_for_model(Organization)
     )

awx/main/tests/functional/dab_rbac/test_translation_layer.py

@@ -14,7 +14,7 @@ from ansible_base.rbac.models import RoleUserAssignment
     'role_name',
     ['execution_environment_admin_role', 'project_admin_role', 'admin_role', 'auditor_role', 'read_role', 'execute_role', 'notification_admin_role'],
 )
-def test_round_trip_roles(organization, rando, role_name):
+def test_round_trip_roles(organization, rando, role_name, managed_roles):
     """
     Make an assignment with the old-style role,
     get the equivelent new role
@@ -28,7 +28,7 @@ def test_round_trip_roles(organization, rando, role_name):
 
 
 @pytest.mark.django_db
-def test_organization_level_permissions(organization, inventory):
+def test_organization_level_permissions(organization, inventory, managed_roles):
     u1 = User.objects.create(username='alice')
     u2 = User.objects.create(username='bob')
 
@@ -58,14 +58,14 @@ def test_organization_level_permissions(organization, inventory):
 
 
 @pytest.mark.django_db
-def test_organization_execute_role(organization, rando):
+def test_organization_execute_role(organization, rando, managed_roles):
     organization.execute_role.members.add(rando)
     assert rando in organization.execute_role
     assert set(Organization.accessible_objects(rando, 'execute_role')) == set([organization])
 
 
 @pytest.mark.django_db
-def test_workflow_approval_list(get, post, admin_user):
+def test_workflow_approval_list(get, post, admin_user, managed_roles):
     workflow_job_template = WorkflowJobTemplate.objects.create()
     approval_node = WorkflowJobTemplateNode.objects.create(workflow_job_template=workflow_job_template)
     url = reverse('api:workflow_job_template_node_create_approval', kwargs={'pk': approval_node.pk, 'version': 'v2'})
@@ -79,14 +79,14 @@ def test_workflow_approval_list(get, post, admin_user):
 
 
 @pytest.mark.django_db
-def test_creator_permission(rando, admin_user, inventory):
+def test_creator_permission(rando, admin_user, inventory, managed_roles):
     give_creator_permissions(rando, inventory)
     assert rando in inventory.admin_role
     assert rando in inventory.admin_role.members.all()
 
 
 @pytest.mark.django_db
-def test_team_team_read_role(rando, team, admin_user, post):
+def test_team_team_read_role(rando, team, admin_user, post, managed_roles):
     orgs = [Organization.objects.create(name=f'foo-{i}') for i in range(2)]
     teams = [Team.objects.create(name=f'foo-{i}', organization=orgs[i]) for i in range(2)]
     teams[1].member_role.members.add(rando)