Prevent modifying shared resources when using platform ingress (#15234)

* Prevent modifying shared resources

Adds a class decorator to prevent modifying shared resources
when gateway is being used.

AWX_DIRECT_SHARED_RESOURCE_MANAGEMENT_ENABLED is the setting
to enable/disable this feature.

Works by overriding these view methods:
- create
- delete
- perform_update

create and delete are overridden to raise a
PermissionDenied exception.

perform_update is overridden to check if any shared
fields are being modified, and raise a PermissionDenied
exception if so.

Additional changes:

Prevent sso conf from registering external authentication related settings if
AWX_DIRECT_SHARED_RESOURCE_MANAGEMENT_ENABLED is False

Signed-off-by: Seth Foster <fosterbseth@gmail.com>
Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>

awx/main/tests/functional/api/test_immutablesharedfields.py

@@ -0,0 +1,66 @@
+import pytest
+
+from awx.api.versioning import reverse
+from awx.main.models import Organization
+
+
+@pytest.mark.django_db
+class TestImmutableSharedFields:
+    @pytest.fixture(autouse=True)
+    def configure_settings(self, settings):
+        settings.AWX_DIRECT_SHARED_RESOURCE_MANAGEMENT_ENABLED = False
+
+    def test_create_raises_permission_denied(self, admin_user, post):
+        orgA = Organization.objects.create(name='orgA')
+        resp = post(
+            url=reverse('api:team_list'),
+            data={'name': 'teamA', 'organization': orgA.id},
+            user=admin_user,
+            expect=403,
+        )
+        assert "Creation of this resource is not allowed" in resp.data['detail']
+
+    def test_perform_delete_raises_permission_denied(self, admin_user, delete):
+        orgA = Organization.objects.create(name='orgA')
+        team = orgA.teams.create(name='teamA')
+        resp = delete(
+            url=reverse('api:team_detail', kwargs={'pk': team.id}),
+            user=admin_user,
+            expect=403,
+        )
+        assert "Deletion of this resource is not allowed" in resp.data['detail']
+
+    def test_perform_update(self, admin_user, patch):
+        orgA = Organization.objects.create(name='orgA')
+        team = orgA.teams.create(name='teamA')
+        # allow patching non-shared fields
+        patch(
+            url=reverse('api:team_detail', kwargs={'pk': team.id}),
+            data={"description": "can change this field"},
+            user=admin_user,
+            expect=200,
+        )
+        orgB = Organization.objects.create(name='orgB')
+        # prevent patching shared fields
+        resp = patch(url=reverse('api:team_detail', kwargs={'pk': team.id}), data={"organization": orgB.id}, user=admin_user, expect=403)
+        assert "Cannot change shared field" in resp.data['organization']
+
+    @pytest.mark.parametrize(
+        'role',
+        ['admin_role', 'member_role'],
+    )
+    @pytest.mark.parametrize('resource', ['organization', 'team'])
+    def test_prevent_assigning_member_to_organization_or_team(self, admin_user, post, resource, role):
+        orgA = Organization.objects.create(name='orgA')
+        if resource == 'organization':
+            role = getattr(orgA, role)
+        elif resource == 'team':
+            teamA = orgA.teams.create(name='teamA')
+            role = getattr(teamA, role)
+        resp = post(
+            url=reverse('api:user_roles_list', kwargs={'pk': admin_user.id}),
+            data={'id': role.id},
+            user=admin_user,
+            expect=403,
+        )
+        assert f"Cannot directly modify user membership to {resource}." in resp.data['msg']