From ff5b42e1948846fc6f8828e9d0d9cc868aafd114 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petra=20C=CC=8Ci=CC=81halova=CC=81?=
Date: Wed, 18 Dec 2024 12:17:53 +0100
Subject: [PATCH 1/2] add tenant in the Role queries

---
 rbac/management/group/definer.py | 4 ++--
 rbac/management/role/definer.py | 7 +++++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/rbac/management/group/definer.py b/rbac/management/group/definer.py
index 618f22de..9fc1dbef 100644
--- a/rbac/management/group/definer.py
+++ b/rbac/management/group/definer.py
@@ -61,7 +61,7 @@ def seed_group() -> Tuple[Group, Group]:
 tenant=public_tenant,
 )
- platform_roles = Role.objects.filter(platform_default=True)
+ platform_roles = Role.objects.filter(platform_default=True, tenant=public_tenant)
 update_group_roles(group, platform_roles, public_tenant)
 logger.info("Finished seeding default group %s.", name)
@@ -76,7 +76,7 @@ def seed_group() -> Tuple[Group, Group]:
 defaults={"description": admin_group_description, "name": admin_name, "system": True},
 tenant=public_tenant,
 )
- admin_roles = Role.objects.filter(admin_default=True)
+ admin_roles = Role.objects.filter(admin_default=True, tenant=public_tenant)
 update_group_roles(admin_group, admin_roles, public_tenant)
 logger.info("Finished seeding default org admin group %s.", name)
diff --git a/rbac/management/role/definer.py b/rbac/management/role/definer.py
index aa945502..f374bf14 100644
--- a/rbac/management/role/definer.py
+++ b/rbac/management/role/definer.py
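Review bot: The two tenant-scoped filters in seed_group (rbac/management/group/definer.py, `platform_default=True, tenant=public_tenant` and `admin_default=True, tenant=public_tenant`) are not covered by any test in this series; the only test added targets seed_roles. The removed lines selected flagged roles from every tenant and passed them to update_group_roles, so losing this filter in a later refactor would presumably attach tenant-owned roles to the default groups again. A test that creates a custom-tenant role with `platform_default=True`, calls seed_group(), and asserts the role is not in the platform default group would pin the fix; the same applies to `admin_default` in the second hunk. seed_group starts above and continues below both hunks.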
@@ -88,7 +88,9 @@ def _make_role(data, dual_write_handler, force_create_relationships=False):
 else:
 if role.version != defaults["version"]:
 dual_write_handler.prepare_for_update(role)
- Role.objects.filter(name=name).update(**defaults, display_name=display_name, modified=timezone.now())
+ Role.objects.filter(name=name, tenant=public_tenant).update(
+ **defaults, display_name=display_name, modified=timezone.now()
+ )
 logger.info("Updated system role %s.", name)
 role.access.all().delete()
 role_obj_change_notification_handler(role, "updated")
@@ -152,7 +154,8 @@ def seed_roles(force_create_relationships=False):
 current_role_ids.update(file_role_ids)
 # Find roles in DB but not in config
- roles_to_delete = Role.objects.filter(system=True).exclude(id__in=current_role_ids)
+ public_tenant = Tenant.objects.get(tenant_name="public")
+ roles_to_delete = Role.objects.filter(system=True, tenant=public_tenant).exclude(id__in=current_role_ids)
 logger.info(f"The following '{roles_to_delete.count()}' roles(s) eligible for removal: {roles_to_delete.values()}")
 if destructive_ok("seeding"):
 logger.info(f"Removing the following role(s): {roles_to_delete.values()}")
From 9330138b619134ab574fbc5a081480a82b672d67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petra=20C=CC=8Ci=CC=81halova=CC=81?=
Date: Wed, 18 Dec 2024 17:06:20 +0100
Subject: [PATCH 2/2] added test_seed_roles_does_not_update_custom_roles_of_the_same_name

---
 tests/management/role/test_definer.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/tests/management/role/test_definer.py b/tests/management/role/test_definer.py
index fe150f31..80eca71a 100644
--- a/tests/management/role/test_definer.py
+++ b/tests/management/role/test_definer.py
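Review bot: In `_make_role` the scoped `.update()` still selects the row by `name` instead of by the `role` instance already in hand, while the following lines (`role.access.all().delete()` and the change notification) act on `role` itself. `role` is fetched above the hunk, so it cannot be confirmed from here that its lookup is tenant-scoped; if it is not, the access deletion could still hit another tenant's role of the same name. Keying the update on the primary key keeps it on the same row as the follow-up operations: `Role.objects.filter(pk=role.pk, tenant=public_tenant).update(`. `public_tenant` is not defined inside this hunk either, so confirm it is in scope in `_make_role`.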
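Review bot: The deletion query in seed_roles is the destructive half of this change, yet nothing at that line records why it is limited to the public tenant. A comment above it, for example `# Seeding only manages public-tenant system roles; never delete roles owned by other tenants`, would keep a later refactor from dropping the filter. `Tenant.objects.get(tenant_name="public")` raises if that row is missing, which fails closed because no deletion runs, but the failure would surface as a bare `DoesNotExist` with no seeding context in the log. seed_roles starts above the hunk and continues after it.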
@@ -404,3 +404,24 @@ def test_seed_roles_existing_role_add_tuples(
 self.assertTrue(
 any(self.is_update_event("dummy_hosts_write", args[0]) for args, _ in mock_replicate.call_args_list)
 )
+
+ @patch(
+ "builtins.open",
+ new_callable=mock_open,
+ read_data='{"roles": [{"name": "dummy_role_update", "system": true, "version": 3, "access": [{"permission": '
+ '"dummy:hosts:read"}]}]}',
+ )
+ @patch("os.listdir")
+ @patch("os.path.isfile")
+ def test_seed_roles_does_not_update_custom_roles_of_the_same_name(self, mock_isfile, mock_listdir, mock_open):
+ # mock files
+ mock_listdir.return_value = ["role.json"]
+ mock_isfile.return_value = True
+
+ # create a role in the database that exists in config for both public tenant and custom tenant
+ Role.objects.create(name="dummy_role_update", system=True, version=1, tenant=self.public_tenant)
+ custom = Role.objects.create(name="dummy_role_update", system=False, version=1, tenant=self.tenant)
+
+ seed_roles()
+
+ self.assertFalse(Role.objects.get(pk=custom.pk).system)
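Review bot: The new test's single assertion checks only that the custom role's `system` flag is still False, so it would also pass if seed_roles updated nothing at all. Asserting both sides of the tenant boundary makes it meaningful: `self.assertEqual(Role.objects.get(pk=custom.pk).version, 1)` for the custom role and `self.assertEqual(Role.objects.get(name="dummy_role_update", tenant=self.public_tenant).version, 3)` for the seeded one, assuming `version` is among the updated defaults as the `_make_role` hunk suggests. The tenant-scoped deletion path in seed_roles is not exercised here; a custom-tenant role absent from the config should be asserted to survive seeding. The enclosing test class starts outside the hunk.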