Add workaround for pulpcore bug.

No-Issue Signed-off-by: James Tanner <[email protected]>
ansible · Sep 25, 2023 · 4834cb4 · 4834cb4
1 parent e564e1f
commit 4834cb4
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 9 deletions.
diff --git a/galaxy_ng/app/access_control/fields.py b/galaxy_ng/app/access_control/fields.py
@@ -88,6 +88,7 @@ def _validate_user(self, user_data):
     def to_representation(self, value):
         rep = []
         for user in value:
+            print(f'TO_REP: {value}')
             rep.append({
                 'id': user.id,
                 'name': user.username,

diff --git a/galaxy_ng/app/access_control/mixins.py b/galaxy_ng/app/access_control/mixins.py
@@ -8,9 +8,12 @@
     assign_role,
     remove_role,
     get_groups_with_perms_attached_roles,
-    get_users_with_perms_attached_roles,
+    # get_users_with_perms_attached_roles,
 )
 
+# FIXME - workaround for https://github.com/pulp/pulpcore/pull/4479
+from galaxy_ng.app.utils.pulp_rbac import get_users_with_perms_attached_roles
+
 from django_lifecycle import hook
 
 
@@ -93,11 +96,13 @@ def _set_users(self, users):
                 obj, include_model_permissions=False)
             for user in current_users:
                 for perm in current_users[user]:
+                    print(f'REMOVE_ROLE perm:{perm} user:{user} obj:{obj}')
                     remove_role(perm, user, obj)
 
             for user in users:
                 for role in users[user]:
                     try:
+                        print(f'ASSIGN ROLE role:{role} user:{user} obj:{obj}')
                         assign_role(role, user, obj)
                     except BadRequest:
                         raise ValidationError(

diff --git a/galaxy_ng/app/utils/pulp_rbac.py b/galaxy_ng/app/utils/pulp_rbac.py
@@ -0,0 +1,45 @@
+from collections import defaultdict
+
+from django.db.models import Q
+from django.contrib.auth.models import Permission
+from django.contrib.contenttypes.models import ContentType
+
+from pulpcore.app.models.role import GroupRole
+from pulpcore.app.models.role import UserRole
+
+
+def get_users_with_perms_attached_roles(
+    obj,
+    with_group_users=True,
+    only_with_perms_in=None,
+    include_domain_permissions=True,
+    include_model_permissions=True,
+    for_concrete_model=False,
+):
+    # DELETE ONCE https://github.com/pulp/pulpcore/pull/4479 IS RELEASED AND BUMPED IN GALAXY_NG
+    ctype = ContentType.objects.get_for_model(obj, for_concrete_model=for_concrete_model)
+    perms = Permission.objects.filter(content_type__pk=ctype.id)
+    if only_with_perms_in:
+        codenames = [
+            split_perm[-1]
+            for split_perm in (perm.split(".", maxsplit=1) for perm in only_with_perms_in)
+            if len(split_perm) == 1 or split_perm[0] == ctype.app_label
+        ]
+        perms = perms.filter(codename__in=codenames)
+
+    object_query = Q(content_type=ctype, object_id=obj.pk)
+    if include_domain_permissions and getattr(obj, "pulp_domain", None):
+        object_query = Q(domain=obj.pulp_domain_id) | object_query
+    if include_model_permissions:
+        object_query = Q(object_id=None) | object_query
+
+    user_roles = UserRole.objects.filter(role__permissions__in=perms).filter(object_query)
+    res = defaultdict(set)
+    for user_role in user_roles:
+        res[user_role.user].add(user_role.role.name)
+    if with_group_users:
+        group_roles = GroupRole.objects.filter(role__permissions__in=perms).filter(object_query)
+        for group_role in group_roles:
+            for user in group_role.group.user_set.all():
+                res[user].add(group_role.role.name)
+    return {k: list(v) for k, v in res.items()}
diff --git a/galaxy_ng/tests/integration/api/test_namespace_management.py b/galaxy_ng/tests/integration/api/test_namespace_management.py
@@ -80,15 +80,16 @@ def test_namespace_create_with_user(ansible_config, user_property):
     new_namespace = generate_unused_namespace(api_client=api_client)
 
     # make a namespace with a user and without defining groups ...
+    object_roles = [
+        'galaxy.collection_namespace_owner',
+        'galaxy.collection_publisher'
+    ]
     payload = {
         'name': new_namespace,
         'users': [
             {
                 user_property: me.get(user_property),
-                'object_roles': [
-                    'galaxy.collection_namespace_owner',
-                    'galaxy.collection_publisher'
-                ]
+                'object_roles': object_roles,
             }
         ]
     }
@@ -99,6 +100,8 @@ def test_namespace_create_with_user(ansible_config, user_property):
     assert resp['groups'] == []
     assert resp['users'] != []
     assert username in [x['name'] for x in resp['users']]
+    assert username in [x['name'] for x in resp['users']]
+    assert resp['users'][0]['object_roles'] == object_roles
 
 
 @pytest.mark.galaxyapi_smoke
@@ -134,15 +137,16 @@ def test_namespace_edit_with_user(ansible_config, user_property):
     assert resp['users'] == []
 
     # now edit the namespace to add the user
+    object_roles = [
+        'galaxy.collection_namespace_owner',
+        'galaxy.collection_publisher'
+    ]
     payload = {
         'name': new_namespace,
         'users': [
             {
                 user_property: me.get(user_property),
-                'object_roles': [
-                    'galaxy.collection_namespace_owner',
-                    'galaxy.collection_publisher'
-                ]
+                'object_roles': object_roles,
             }
         ]
     }
@@ -157,3 +161,4 @@ def test_namespace_edit_with_user(ansible_config, user_property):
     assert resp['groups'] == []
     assert resp['users'] != []
     assert username in [x['name'] for x in resp['users']]
+    assert resp['users'][0]['object_roles'] == object_roles