[DAB RBAC] Re-implement system auditor as a singleton role in new system (#14963)

* Add new enablement settings from DAB RBAC

* Initial implementation of system auditor as role without testing

* Fix system auditor role, remove duplicate assignments

* Make the system auditor role managed

* Flake8 fix

* Remove another thing from old solution

* Fix a few test failures

* Add extra setting to disable custom system roles via API

* Add test for custom role prohibition
Alan Rominger
2024-03-11 12:16:49 -04:00
parent 74ce21fa54
commit 9dcc11d54c
15 changed files with 70 additions and 47 deletions


@@ -32,6 +32,13 @@ def test_custom_read_role(admin_user, post):
assert rd.content_type == ContentType.objects.get_for_model(Inventory)
@pytest.mark.django_db
def test_custom_system_roles_prohibited(admin_user, post):
rd_url = django_reverse('roledefinition-list')
resp = post(url=rd_url, data={"name": "read role made for test", "content_type": None, "permissions": ['view_inventory']}, user=admin_user, expect=400)
assert 'System-wide roles are not enabled' in str(resp.data)
@pytest.mark.django_db
def test_assign_managed_role(admin_user, alice, rando, inventory, post):
rd = RoleDefinition.objects.get(name='inventory-admin')
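Review bot: test_custom_system_roles_prohibited checks only the 400 status and the error text, so it would still pass if the role definition were saved before the request is rejected, and it relies on whatever default the test settings give the switch that disables custom system roles. Add `assert not RoleDefinition.objects.filter(name="read role made for test").exists()` after the response check, and pin that setting explicitly in the test (its name is not visible in this section) so the prohibition is tested rather than the default. A companion case with the setting enabled would show that the 400 comes from the switch and not from unrelated validation of `"content_type": None`.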


@@ -177,7 +177,7 @@ def test_job_template_creator_access(project, organization, rando, post):
jt_pk = response.data['id']
jt_obj = JobTemplate.objects.get(pk=jt_pk)
# Creating a JT should place the creator in the admin role
assert rando in jt_obj.admin_role.members.all()
assert rando in jt_obj.admin_role
@pytest.mark.django_db
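Review bot: `assert rando in jt_obj.admin_role` (taking the second of the two assert lines as the new side) tests membership through the role's `__contains__`, whose definition is not shown in this section. If that check also counts inherited or superuser access, the test no longer proves what the comment above it says, namely that the creator was placed in the admin role directly. Either extend the comment, e.g. `# Creating a JT should give the creator the admin role (checked via the role's __contains__, which may include inherited access)`, or keep a direct-assignment assertion alongside it. The test function starts above this hunk.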


@@ -4,7 +4,7 @@ from unittest import mock
from django.test import TransactionTestCase
from awx.main.access import UserAccess, RoleAccess, TeamAccess
from awx.main.models import User, Organization, Inventory
from awx.main.models import User, Organization, Inventory, get_system_auditor_role
class TestSysAuditorTransactional(TransactionTestCase):
@@ -18,6 +18,7 @@ class TestSysAuditorTransactional(TransactionTestCase):
def test_auditor_caching(self):
rando = self.rando()
get_system_auditor_role() # pre-create role, normally done by migrations
with self.assertNumQueries(2):
v = rando.is_system_auditor
assert not v