rename existing param for destructive operations to be related only w…

…ith api requests next commit will introduce new param for destructive operations within seeding that will allow us to have a finer control over destructive RBAC operations
petracihalova · Jul 19, 2024 · 390089b · 390089b
1 parent 28ff218
commit 390089b
Show file tree

Hide file tree

Showing 7 changed files with 22 additions and 15 deletions.
diff --git a/deploy/rbac-clowdapp.yml b/deploy/rbac-clowdapp.yml
@@ -455,8 +455,8 @@ objects:
             value: ${BYPASS_BOP_VERIFICATION}
           - name: ROLE_CREATE_ALLOW_LIST
             value: ${ROLE_CREATE_ALLOW_LIST}
-          - name: RBAC_DESTRUCTIVE_ENABLED_UNTIL
-            value: ${RBAC_DESTRUCTIVE_ENABLED_UNTIL}
+          - name: RBAC_DESTRUCTIVE_API_ENABLED_UNTIL
+            value: ${RBAC_DESTRUCTIVE_API_ENABLED_UNTIL}
           - name: CLOWDER_ENABLED
             value: ${CLOWDER_ENABLED}
           - name: APP_NAMESPACE
@@ -727,7 +727,7 @@ parameters:
   name: ROLE_CREATE_ALLOW_LIST
   value: cost-management,remediations,inventory,drift,policies,advisor,catalog,approval,vulnerability,compliance,automation-analytics,notifications,patch,integrations,ros,staleness,config-manager,idmsvc
 - description: Timestamp expiration allowance on destructive actions through the internal RBAC API
-  name: RBAC_DESTRUCTIVE_ENABLED_UNTIL
+  name: RBAC_DESTRUCTIVE_API_ENABLED_UNTIL
   value: ''
 - description: Image tag
   name: IMAGE_TAG

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -33,7 +33,7 @@ services:
         - PRINCIPAL_PROXY_SERVICE_PATH=${PRINCIPAL_PROXY_SERVICE_PATH}
         - PRINCIPAL_PROXY_SERVICE_SOURCE_CERT=${PRINCIPAL_PROXY_SERVICE_SOURCE_CERT-False}
         - PRINCIPAL_PROXY_SERVICE_SSL_VERIFY=${PRINCIPAL_PROXY_SERVICE_SSL_VERIFY-False}
-        - RBAC_DESTRUCTIVE_ENABLED_UNTIL=${RBAC_DESTRUCTIVE_ENABLED_UNTIL}
+        - RBAC_DESTRUCTIVE_API_ENABLED_UNTIL=${RBAC_DESTRUCTIVE_API_ENABLED_UNTIL}
       privileged: true
       ports:
           - 9080:8080

diff --git a/rbac/core/utils.py b/rbac/core/utils.py
@@ -22,7 +22,12 @@
 from django.conf import settings
 
 
-def destructive_ok():
+def destructive_ok(operation_type):
     """Determine if it's ok to run destructive operations."""
     now = datetime.datetime.utcnow().replace(tzinfo=pytz.UTC)
-    return now < settings.INTERNAL_DESTRUCTIVE_API_OK_UNTIL
+    if operation_type == "api":
+        return now < settings.INTERNAL_DESTRUCTIVE_API_OK_UNTIL
+    if operation_type == "seeding":
+        return False
+
+    return False
diff --git a/rbac/internal/views.py b/rbac/internal/views.py
@@ -137,7 +137,7 @@ def tenant_view(request, org_id):
     """
     logger.info(f"Tenant view: {request.method} {request.user.username}")
     if request.method == "DELETE":
-        if not destructive_ok():
+        if not destructive_ok("api"):
             return HttpResponse("Destructive operations disallowed.", status=400)
 
         tenant_obj = get_object_or_404(Tenant, org_id=org_id)
@@ -391,7 +391,7 @@ def invalid_default_admin_groups(request):
         }
         return HttpResponse(json.dumps(payload), content_type="application/json")
     if request.method == "DELETE":
-        if not destructive_ok():
+        if not destructive_ok("api"):
             return HttpResponse("Destructive operations disallowed.", status=400)
         invalid_default_admin_groups_list.delete()
         return HttpResponse(status=204)
@@ -405,7 +405,7 @@ def role_removal(request):
     """
     logger.info(f"Role removal: {request.method} {request.user.username}")
     if request.method == "DELETE":
-        if not destructive_ok():
+        if not destructive_ok("api"):
             return HttpResponse("Destructive operations disallowed.", status=400)
 
         role_name = request.GET.get("name")
@@ -433,7 +433,7 @@ def permission_removal(request):
     """
     logger.info(f"Permission removal: {request.method} {request.user.username}")
     if request.method == "DELETE":
-        if not destructive_ok():
+        if not destructive_ok("api"):
             return HttpResponse("Destructive operations disallowed.", status=400)
 
         permission = request.GET.get("permission")

diff --git a/rbac/management/role/definer.py b/rbac/management/role/definer.py
@@ -137,7 +137,7 @@ def seed_roles():
     # Find roles in DB but not in config
     roles_to_delete = Role.objects.filter(system=True).exclude(id__in=current_role_ids)
     logger.info(f"The following '{roles_to_delete.count()}' roles(s) eligible for removal: {roles_to_delete.values()}")
-    if destructive_ok():
+    if destructive_ok("seeding"):
         logger.info(f"Removing the following role(s): {roles_to_delete.values()}")
         # Actually remove roles no longer in config
         with transaction.atomic():
@@ -202,7 +202,7 @@ def seed_permissions():
     logger.info(
         f"The following '{perms_to_delete.count()}' permission(s) eligible for removal: {perms_to_delete.values()}"
     )
-    if destructive_ok():
+    if destructive_ok("seeding"):
         logger.info(f"Removing the following permissions(s): {perms_to_delete.values()}")
         # Actually remove perms no longer in DB
         with transaction.atomic():

diff --git a/rbac/rbac/settings.py b/rbac/rbac/settings.py
@@ -367,7 +367,9 @@
 INTERNAL_API_PATH_PREFIXES = ["/_private/"]
 
 try:
-    INTERNAL_DESTRUCTIVE_API_OK_UNTIL = parse_dt(os.environ.get("RBAC_DESTRUCTIVE_ENABLED_UNTIL", "not-a-real-time"))
+    INTERNAL_DESTRUCTIVE_API_OK_UNTIL = parse_dt(
+        os.environ.get("RBAC_DESTRUCTIVE_API_ENABLED_UNTIL", "not-a-real-time")
+    )
     if INTERNAL_DESTRUCTIVE_API_OK_UNTIL.tzinfo is None:
         INTERNAL_DESTRUCTIVE_API_OK_UNTIL = INTERNAL_DESTRUCTIVE_API_OK_UNTIL.replace(tzinfo=pytz.UTC)
 except ValueError as e:

diff --git a/tests/core/test_utils.py b/tests/core/test_utils.py
@@ -33,9 +33,9 @@ def invalid_destructive_time():
     @override_settings(INTERNAL_DESTRUCTIVE_API_OK_UNTIL=valid_destructive_time())
     def test_destructive_ok_true(self):
         """Test that it's true when within date range."""
-        self.assertEqual(destructive_ok(), True)
+        self.assertEqual(destructive_ok("api"), True)
 
     @override_settings(INTERNAL_DESTRUCTIVE_API_OK_UNTIL=invalid_destructive_time())
     def test_destructive_ok_false(self):
         """Test that it's false when not within date range."""
-        self.assertEqual(destructive_ok(), False)
+        self.assertEqual(destructive_ok("api"), False)