[RBAC] failed grouprole permission migrations fix (#2274)

Newly created roles during migrations we not getting permissions assigned, and that made it appear that no user owned any resources. This change re-adds the relevant model permissions to preserve the "ownership" the API would evaluation and display. No-Issue Signed-off-by: James Tanner <[email protected]> (cherry picked from commit f2262c6)
ansible · Sep 26, 2024 · 1aac7fd · 1aac7fd
1 parent 94e563c
commit 1aac7fd
Showing 1 changed file with 32 additions and 3 deletions.
diff --git a/galaxy_ng/app/migrations/_dab_rbac.py b/galaxy_ng/app/migrations/_dab_rbac.py
@@ -1,9 +1,13 @@
 import logging
 
 from django.apps import apps as global_apps
+from django.contrib.contenttypes.models import ContentType
+from rest_framework.exceptions import ValidationError
 
 from ansible_base.rbac.management import create_dab_permissions
 from ansible_base.rbac.migrations._utils import give_permissions
+from ansible_base.rbac.validators import permissions_allowed_for_role, combine_values
+
 
 logger = logging.getLogger(__name__)
 
@@ -34,6 +38,12 @@ def create_permissions_as_operation(apps, schema_editor):
 
 
 def split_pulp_roles(apps, schema_editor):
+    '''
+    For every user&group role that is tied to a specific content object,
+    split the role out into a new single content type role with permissions
+    that are only relevant to that content object. Afterwards, swap the
+    [User|Group]Role's .role with the new role.
+    '''
     Role = apps.get_model('core', 'Role')
     UserRole = apps.get_model('core', 'UserRole')
     GroupRole = apps.get_model('core', 'GroupRole')
@@ -43,12 +53,32 @@ def split_pulp_roles(apps, schema_editor):
         for assignment_cls in (UserRole, GroupRole):
             for pulp_assignment in assignment_cls.objects.filter(role=corerole, content_type__isnull=False):
                 if pulp_assignment.content_type_id not in split_roles:
+
+                    # Get all permissions relevant to this content model.
+                    # If any model (like synclist) hasn't been registered in the permission
+                    # system, it should not be split/recreated ...
+                    cls = apps.get_model(pulp_assignment.content_type.app_label, pulp_assignment.content_type.model)
+                    try:
+                        ct_codenames = combine_values(permissions_allowed_for_role(cls))
+                    except ValidationError:
+                        continue
+
+                    # Make a new role for this special content model
                     new_data = {
                         'description': corerole.description,
                         'name': f'{corerole.name}_{pulp_assignment.content_type.model}'
                     }
                     new_role = Role(**new_data)
                     new_role.save()
+
+                    # Add the necesarry permissions to the new role ...
+                    for perm in pulp_assignment.role.permissions.all():
+                        # The pulp role may have had permissions related to some other
+                        # content model we're not interested in, so we will skip adding those.
+                        if ct_codenames and perm.codename not in ct_codenames:
+                            continue
+                        new_role.permissions.add(perm)
+
                     split_roles[pulp_assignment.content_type_id] = new_role
 
                 pulp_assignment.role = split_roles[pulp_assignment.content_type_id]
@@ -112,11 +142,10 @@ def migrate_role_assignments(apps, schema_editor):
         if not rd:
             continue
 
-        # FIXME - why?
-        if not hasattr(group_role.group, 'team'):
+        actor = Team.objects.filter(group=group_role.group).first()
+        if actor is None:
             continue
 
-        actor = group_role.group.team
         if not group_role.object_id:
             RoleTeamAssignment.objects.create(role_definition=rd, team=actor)
         else: