Merge pull request RedHatInsights#1398 from petracihalova/add-public-…

…tenant [RHCLOUD-36043] add tenant in the Role queries
petracihalova · Dec 18, 2024 · 4e192db · 4e192db
2 parents ea89323 + 9330138
commit 4e192db
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 4 deletions.
diff --git a/rbac/management/group/definer.py b/rbac/management/group/definer.py
@@ -61,7 +61,7 @@ def seed_group() -> Tuple[Group, Group]:
             tenant=public_tenant,
         )
 
-        platform_roles = Role.objects.filter(platform_default=True)
+        platform_roles = Role.objects.filter(platform_default=True, tenant=public_tenant)
         update_group_roles(group, platform_roles, public_tenant)
         logger.info("Finished seeding default group %s.", name)
 
@@ -76,7 +76,7 @@ def seed_group() -> Tuple[Group, Group]:
             defaults={"description": admin_group_description, "name": admin_name, "system": True},
             tenant=public_tenant,
         )
-        admin_roles = Role.objects.filter(admin_default=True)
+        admin_roles = Role.objects.filter(admin_default=True, tenant=public_tenant)
         update_group_roles(admin_group, admin_roles, public_tenant)
         logger.info("Finished seeding default org admin group %s.", name)
 

diff --git a/rbac/management/role/definer.py b/rbac/management/role/definer.py
@@ -88,7 +88,9 @@ def _make_role(data, dual_write_handler, force_create_relationships=False):
     else:
         if role.version != defaults["version"]:
             dual_write_handler.prepare_for_update(role)
-            Role.objects.filter(name=name).update(**defaults, display_name=display_name, modified=timezone.now())
+            Role.objects.filter(name=name, tenant=public_tenant).update(
+                **defaults, display_name=display_name, modified=timezone.now()
+            )
             logger.info("Updated system role %s.", name)
             role.access.all().delete()
             role_obj_change_notification_handler(role, "updated")
@@ -152,7 +154,8 @@ def seed_roles(force_create_relationships=False):
                 current_role_ids.update(file_role_ids)
 
     # Find roles in DB but not in config
-    roles_to_delete = Role.objects.filter(system=True).exclude(id__in=current_role_ids)
+    public_tenant = Tenant.objects.get(tenant_name="public")
+    roles_to_delete = Role.objects.filter(system=True, tenant=public_tenant).exclude(id__in=current_role_ids)
     logger.info(f"The following '{roles_to_delete.count()}' roles(s) eligible for removal: {roles_to_delete.values()}")
     if destructive_ok("seeding"):
         logger.info(f"Removing the following role(s): {roles_to_delete.values()}")

diff --git a/tests/management/role/test_definer.py b/tests/management/role/test_definer.py
@@ -404,3 +404,24 @@ def test_seed_roles_existing_role_add_tuples(
         self.assertTrue(
             any(self.is_update_event("dummy_hosts_write", args[0]) for args, _ in mock_replicate.call_args_list)
         )
+
+    @patch(
+        "builtins.open",
+        new_callable=mock_open,
+        read_data='{"roles": [{"name": "dummy_role_update", "system": true, "version": 3, "access": [{"permission": '
+        '"dummy:hosts:read"}]}]}',
+    )
+    @patch("os.listdir")
+    @patch("os.path.isfile")
+    def test_seed_roles_does_not_update_custom_roles_of_the_same_name(self, mock_isfile, mock_listdir, mock_open):
+        # mock files
+        mock_listdir.return_value = ["role.json"]
+        mock_isfile.return_value = True
+
+        # create a role in the database that exists in config for both public tenant and custom tenant
+        Role.objects.create(name="dummy_role_update", system=True, version=1, tenant=self.public_tenant)
+        custom = Role.objects.create(name="dummy_role_update", system=False, version=1, tenant=self.tenant)
+
+        seed_roles()
+
+        self.assertFalse(Role.objects.get(pk=custom.pk).system)