Validate that control-only Instance nodes cannot change IG membership

2026-03-09 13:39:27 -02:30 · 2021-08-23 17:36:19 -04:00
parent 68f79a1f3a
commit a2b984a1a5
3 changed files with 70 additions and 3 deletions
--- a/awx/api/views/init.py
+++ b/awx/api/views/init.py
@@ -402,6 +402,11 @@ class InstanceInstanceGroupsList(InstanceGroupMembershipMixin, SubListCreateAtta
    parent_model = models.Instance
    relationship = 'rampart_groups'

+    def is_valid_relation(self, parent, sub, created=False):
+        if parent.node_type == 'control':
+            return {'msg': _(f"Cannot change instance group membership of control-only node: {parent.hostname}.")}
+        return None
+

 class InstanceGroupList(ListCreateAPIView):

@@ -444,6 +449,11 @@ class InstanceGroupInstanceList(InstanceGroupMembershipMixin, SubListAttachDetac
    relationship = "instances"
    search_fields = ('hostname',)

+    def is_valid_relation(self, parent, sub, created=False):
+        if sub.node_type == 'control':
+            return {'msg': _(f"Cannot change instance group membership of control-only node: {sub.hostname}.")}
+        return None
+

 class ScheduleList(ListCreateAPIView):

--- a/awx/api/views/mixin.py
+++ b/awx/api/views/mixin.py
@@ -68,13 +68,23 @@ class InstanceGroupMembershipMixin(object):
    membership.
    """

+    def attach_validate(self, request):
+        parent = self.get_parent_object()
+        sub_id, res = super().attach_validate(request)
+        if res:  # handle an error
+            return sub_id, res
+        sub = get_object_or_400(self.model, pk=sub_id)
+        attach_errors = self.is_valid_relation(parent, sub)
+        if attach_errors:
+            return sub_id, Response(attach_errors, status=status.HTTP_400_BAD_REQUEST)
+        return sub_id, res
+
    def attach(self, request, *args, **kwargs):
        response = super(InstanceGroupMembershipMixin, self).attach(request, *args, **kwargs)
        sub_id, res = self.attach_validate(request)
        if status.is_success(response.status_code):
            if self.parent_model is Instance:
-                ig_obj = get_object_or_400(self.model, pk=sub_id)
-                inst_name = ig_obj.hostname
+                inst_name = self.get_parent_object().hostname
            else:
                inst_name = get_object_or_400(self.model, pk=sub_id).hostname
            with transaction.atomic():
@@ -91,11 +101,12 @@ class InstanceGroupMembershipMixin(object):
        return response

    def unattach_validate(self, request):
+        parent = self.get_parent_object()
        (sub_id, res) = super(InstanceGroupMembershipMixin, self).unattach_validate(request)
        if res:
            return (sub_id, res)
        sub = get_object_or_400(self.model, pk=sub_id)
-        attach_errors = self.is_valid_relation(None, sub)
+        attach_errors = self.is_valid_relation(parent, sub)
        if attach_errors:
            return (sub_id, Response(attach_errors, status=status.HTTP_400_BAD_REQUEST))
        return (sub_id, res)