added new param to control enable destructive operations during seeding

deploy/rbac-clowdapp.yml

@@ -457,6 +457,8 @@ objects:
             value: ${ROLE_CREATE_ALLOW_LIST}
           - name: RBAC_DESTRUCTIVE_API_ENABLED_UNTIL
             value: ${RBAC_DESTRUCTIVE_API_ENABLED_UNTIL}
+          - name: RBAC_DESTRUCTIVE_SEEDING_ENABLED_UNTIL
+            value: ${RBAC_DESTRUCTIVE_SEEDING_ENABLED_UNTIL}
           - name: CLOWDER_ENABLED
             value: ${CLOWDER_ENABLED}
           - name: APP_NAMESPACE
@@ -729,6 +731,9 @@ parameters:
 - description: Timestamp expiration allowance on destructive actions through the internal RBAC API
   name: RBAC_DESTRUCTIVE_API_ENABLED_UNTIL
   value: ''
+- description: Timestamp expiration allowance on destructive actions through the seeding job
+  name: RBAC_DESTRUCTIVE_SEEDING_ENABLED_UNTIL
+  value: ''
 - description: Image tag
   name: IMAGE_TAG
   required: true

docker-compose.yml

@@ -34,6 +34,7 @@ services:
         - PRINCIPAL_PROXY_SERVICE_SOURCE_CERT=${PRINCIPAL_PROXY_SERVICE_SOURCE_CERT-False}
         - PRINCIPAL_PROXY_SERVICE_SSL_VERIFY=${PRINCIPAL_PROXY_SERVICE_SSL_VERIFY-False}
         - RBAC_DESTRUCTIVE_API_ENABLED_UNTIL=${RBAC_DESTRUCTIVE_API_ENABLED_UNTIL}
+        - RBAC_DESTRUCTIVE_SEEDING_ENABLED_UNTIL=${RBAC_DESTRUCTIVE_SEEDING_ENABLED_UNTIL}
       privileged: true
       ports:
           - 9080:8080

rbac/core/utils.py

@@ -28,6 +28,6 @@ def destructive_ok(operation_type):
     if operation_type == "api":
         return now < settings.INTERNAL_DESTRUCTIVE_API_OK_UNTIL
     if operation_type == "seeding":
-        return False
+        return now < settings.DESTRUCTIVE_SEEDING_OK_UNTIL
 
     return False

rbac/rbac/settings.py

@@ -355,6 +355,15 @@
 GROUP_SEEDING_ENABLED = ENVIRONMENT.bool("GROUP_SEEDING_ENABLED", default=True)
 MAX_SEED_THREADS = ENVIRONMENT.int("MAX_SEED_THREADS", default=None)
 
+try:
+    DESTRUCTIVE_SEEDING_OK_UNTIL = parse_dt(
+        os.environ.get("RBAC_DESTRUCTIVE_SEEDING_ENABLED_UNTIL", "not-a-real-time")
+    )
+    if DESTRUCTIVE_SEEDING_OK_UNTIL.tzinfo is None:
+        DESTRUCTIVE_SEEDING_OK_UNTIL = DESTRUCTIVE_SEEDING_OK_UNTIL.replace(tzinfo=pytz.UTC)
+except ValueError as e:
+    DESTRUCTIVE_SEEDING_OK_UNTIL = datetime.datetime(1970, 1, 1, tzinfo=pytz.UTC)
+
 # disable log messages less than CRITICAL when running unit tests.
 if len(sys.argv) > 1 and sys.argv[1] == "test":
     logging.disable(logging.CRITICAL)

tests/core/test_utils.py

@@ -39,3 +39,13 @@ def test_destructive_ok_true(self):
     def test_destructive_ok_false(self):
         """Test that it's false when not within date range."""
         self.assertEqual(destructive_ok("api"), False)
+
+    @override_settings(DESTRUCTIVE_SEEDING_OK_UNTIL=valid_destructive_time())
+    def test_destructive_ok_true(self):
+        """Test that it's true when within date range."""
+        self.assertEqual(destructive_ok("seeding"), True)
+
+    @override_settings(DESTRUCTIVE_SEEDING_OK_UNTIL=invalid_destructive_time())
+    def test_destructive_ok_false(self):
+        """Test that it's false when not within date range."""
+        self.assertEqual(destructive_ok("seeding"), False)

tests/internal/test_views.py

@@ -410,7 +410,7 @@ def test_delete_selective_roles_disallowed(self):
     @override_settings(INTERNAL_DESTRUCTIVE_API_OK_UNTIL=valid_destructive_time())
     def test_delete_selective_roles(self):
         """Test that we can delete selective roles when allowed and no roles."""
-        # No name speicified
+        # No name specified
         response = self.client.delete(f"/_private/api/utils/role/", **self.request.META)
         self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)