Allow registering models via a setting

Fix test failure due to app readiness
ansible · Aug 8, 2024 · e0d8c53 · e0d8c53
1 parent 86be16e
commit e0d8c53
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 6 deletions.
diff --git a/ansible_base/lib/dynamic_config/dynamic_settings.py b/ansible_base/lib/dynamic_config/dynamic_settings.py
@@ -204,6 +204,9 @@
     # API clients can assign users and teams roles for shared resources
     ALLOW_LOCAL_RESOURCE_MANAGEMENT = True
 
+    # Alternative to permission_registry.register
+    ANSIBLE_BASE_RBAC_MODEL_REGISTRY = {}
+
     try:
         MANAGE_ORGANIZATION_AUTH
     except NameError:

diff --git a/ansible_base/rbac/permission_registry.py b/ansible_base/rbac/permission_registry.py
@@ -32,7 +32,7 @@ def __init__(self):
         self._tracked_relationships = set()
         self._trackers = dict()
 
-    def register(self, *args, parent_field_name='organization'):
+    def register(self, *args: Type[Model], parent_field_name: Optional[str] = 'organization'):
         if self.apps_ready:
             raise RuntimeError('Cannot register model to permission_registry after apps are ready')
         for cls in args:
@@ -142,16 +142,24 @@ def create_managed_roles(self, apps) -> list[tuple[Model, bool]]:
             ret.append((rd, created))
         return ret
 
-    def call_when_apps_ready(self, apps, app_config):
+    def call_when_apps_ready(self, apps, app_config) -> None:
         from ansible_base.rbac import triggers
         from ansible_base.rbac.evaluations import bound_has_obj_perm, bound_singleton_permissions, connect_rbac_methods
         from ansible_base.rbac.management import create_dab_permissions
 
         self.apps = apps
-        self.apps_ready = True
 
+        # Finish registering models
         if self.team_model not in self._registry:
-            self._registry.add(self.team_model)
+            self.register(self.team_model)
+
+        for model_name, kwargs in settings.ANSIBLE_BASE_RBAC_MODEL_REGISTRY.items():
+            model = apps.get_model(model_name)
+            if model not in self._registry:
+                self.register(model, **kwargs)
+
+        # This will lock-down the registry, raising an error for any other registrations
+        self.apps_ready = True
 
         # Do no specify sender for create_dab_permissions, because that is passed as app_config
         # and we want to create permissions for external apps, not the dab_rbac app

diff --git a/docs/apps/rbac/for_app_developers.md b/docs/apps/rbac/for_app_developers.md
@@ -119,6 +119,25 @@ model of `MyModel`, or `None`.
 TODO: Update to allow ManyToMany parent relationship in addition to ForeignKey
 https://github.com/ansible/django-ansible-base/issues/78
 
+#### Registering via a Setting
+
+If you don't want to register models in your Django models definition,
+then you can do the same thing with a setting.
+
+```
+ANSIBLE_BASE_RBAC_MODEL_REGISTRY = {
+    "my_app.mymodel": {"parent_field_name": "organization"}
+}
+```
+
+You might want to do this if `MyModel` isn't from your own app,
+and you want to avoid changing import order without additional thought.
+
+Models declared here are registered _in addition to_ the calls to
+`permission_registry.register`.
+Note that settings should never contain imported python objects.
+The model is referenced by app_label.model_name string.
+
 #### Django Model, Apps, and Permission Constraints
 
 It is fine to register models from multiple apps, but among the registered models,

diff --git a/test_app/models.py b/test_app/models.py
@@ -312,10 +312,15 @@ class Meta:
     organization = models.ForeignKey(Organization, on_delete=models.CASCADE, related_name='public_data')
 
 
-permission_registry.register(Organization, Inventory, Credential, Namespace, Team, Cow, UUIDModel, PositionModel, WeirdPerm, PublicData)
+# Intentionally, for testing purposes, we register these models in settings
+# - Inventory
+# - Credential
+# - ImmutableTask, parent_field_name=None
+
+permission_registry.register(Organization, Namespace, Team, Cow, UUIDModel, PositionModel, WeirdPerm, PublicData)
 permission_registry.register(ParentName, parent_field_name='my_organization')
 permission_registry.register(CollectionImport, parent_field_name='namespace')
-permission_registry.register(InstanceGroup, ImmutableTask, parent_field_name=None)
+permission_registry.register(InstanceGroup, parent_field_name=None)
 
 # NOTE(cutwater): Using hard coded role names instead of ones defined in ReconcileUser class,
 #   to avoid circular dependency between models and claims modules. This is a temporary workarond,

diff --git a/test_app/settings.py b/test_app/settings.py
@@ -176,6 +176,11 @@
 ANSIBLE_BASE_JWT_MANAGED_ROLES.append("System Auditor")  # noqa: F821 this is set by dynamic settings for jwt_consumer
 ANSIBLE_BASE_ALLOW_SINGLETON_USER_ROLES = True
 ANSIBLE_BASE_ALLOW_SINGLETON_TEAM_ROLES = True
+ANSIBLE_BASE_RBAC_MODEL_REGISTRY = {
+    "test_app.inventory": {"parent_field_name": "organization"},
+    "test_app.credential": {},
+    "test_app.immutabletask": {"parent_field_name": None},
+}
 
 ANSIBLE_BASE_USER_VIEWSET = 'test_app.views.UserViewSet'