Replaced our 'Resource' table with a GenericForeignKey in RolePermission

awx/main/tests/functional/test_rbac_api.py

@@ -1,6 +1,7 @@
 import mock # noqa
 import pytest
 
+from django.contrib.contenttypes.models import ContentType
 from django.core.urlresolvers import reverse
 from awx.main.models.rbac import Role, ROLE_SINGLETON_SYSTEM_ADMINISTRATOR
 
@@ -53,8 +54,6 @@ def test_get_roles_list_user(organization, inventory, team, get, user):
     assert team.member_role.id not in role_hash
 
 
-
-
 @pytest.mark.django_db
 def test_cant_create_role(post, admin):
     "Ensure we can't create new roles through the api"
@@ -225,7 +224,7 @@ def test_get_role(get, admin, role):
     assert response.data['id'] == role.id
 
 @pytest.mark.django_db
-def test_put_role(put, admin, role):
+def test_put_role_405(put, admin, role):
     url = reverse('api:role_detail', args=(role.id,))
     response = put(url, {'name': 'Some new name'}, admin)
     assert response.status_code == 405
@@ -233,7 +232,7 @@ def test_put_role(put, admin, role):
     #assert r.name == 'Some new name'
 
 @pytest.mark.django_db
-def test_put_role_access_denied(put, alice, admin, role):
+def test_put_role_access_denied(put, alice, role):
     url = reverse('api:role_detail', args=(role.id,))
     response = put(url, {'name': 'Some new name'}, alice)
     assert response.status_code == 403 or response.status_code == 405
@@ -400,8 +399,10 @@ def test_role_children(get, team, admin, role):
 @pytest.mark.django_db
 def test_resource_access_list(get, team, admin, role):
     team.users.add(admin)
-    url = reverse('api:resource_access_list', args=(team.resource.id,))
+    content_type_id = ContentType.objects.get_for_model(team).pk
+    url = reverse('api:resource_access_list', args=(content_type_id, team.id,))
     res = get(url, admin)
+    print(res.data)
     assert res.status_code == 200
 
 
@@ -420,7 +421,6 @@ def test_ensure_rbac_fields_are_present(organization, get, admin):
     assert 'summary_fields' in org
     assert 'resource_id' in org
     assert org['resource_id'] > 0
-    assert org['related']['resource'] != ''
     assert 'roles' in org['summary_fields']
 
     org_role_response = get(org['summary_fields']['roles']['admin_role']['url'], admin)
@@ -434,7 +434,6 @@ def test_ensure_rbac_fields_are_present(organization, get, admin):
 
 @pytest.mark.django_db
 def test_ensure_permissions_is_present(organization, get, user):
-    #u = user('admin', True)
     url = reverse('api:organization_detail', args=(organization.id,))
     response = get(url, user('admin', True))
     assert response.status_code == 200
@@ -446,7 +445,6 @@ def test_ensure_permissions_is_present(organization, get, user):
 
 @pytest.mark.django_db
 def test_ensure_role_summary_is_present(organization, get, user):
-    #u = user('admin', True)
     url = reverse('api:organization_detail', args=(organization.id,))
     response = get(url, user('admin', True))
     assert response.status_code == 200

awx/main/tests/functional/test_rbac_core.py

@@ -2,7 +2,7 @@ import pytest
 
 from awx.main.models import (
     Role,
-    Resource,
+    RolePermission,
     Organization,
 )
 
@@ -13,17 +13,27 @@ def test_auto_inheritance_by_children(organization, alice):
     B = Role.objects.create(name='B')
     A.members.add(alice)
 
+
+
     assert organization.accessible_by(alice, {'read': True}) is False
+    assert Organization.accessible_objects(alice, {'read': True}).count() == 0
     A.children.add(B)
     assert organization.accessible_by(alice, {'read': True}) is False
+    assert Organization.accessible_objects(alice, {'read': True}).count() == 0
     A.children.add(organization.admin_role)
     assert organization.accessible_by(alice, {'read': True}) is True
+    assert Organization.accessible_objects(alice, {'read': True}).count() == 1
     A.children.remove(organization.admin_role)
     assert organization.accessible_by(alice, {'read': True}) is False
     B.children.add(organization.admin_role)
     assert organization.accessible_by(alice, {'read': True}) is True
     B.children.remove(organization.admin_role)
     assert organization.accessible_by(alice, {'read': True}) is False
+    assert Organization.accessible_objects(alice, {'read': True}).count() == 0
+
+    # We've had the case where our pre/post save init handlers in our field descriptors
+    # end up creating a ton of role objects because of various not-so-obvious issues
+    assert Role.objects.count() < 50
 
 
 @pytest.mark.django_db
@@ -53,12 +63,29 @@ def test_permission_union(organization, alice):
     B.members.add(alice)
 
     assert organization.accessible_by(alice, {'read': True, 'write': True}) is False
-    A.grant(organization, {'read': True})
+    RolePermission.objects.create(role=A, resource=organization, read=True)
     assert organization.accessible_by(alice, {'read': True, 'write': True}) is False
-    B.grant(organization, {'write': True})
+    RolePermission.objects.create(role=A, resource=organization, write=True)
     assert organization.accessible_by(alice, {'read': True, 'write': True}) is True
 
 
+@pytest.mark.django_db
+def test_accessible_objects(organization, alice, bob):
+    A = Role.objects.create(name='A')
+    A.members.add(alice)
+    B = Role.objects.create(name='B')
+    B.members.add(alice)
+    B.members.add(bob)
+
+    assert Organization.accessible_objects(alice, {'read': True, 'write': True}).count() == 0
+    RolePermission.objects.create(role=A, resource=organization, read=True)
+    assert Organization.accessible_objects(alice, {'read': True, 'write': True}).count() == 0
+    assert Organization.accessible_objects(bob, {'read': True, 'write': True}).count() == 0
+    RolePermission.objects.create(role=B, resource=organization, write=True)
+    assert Organization.accessible_objects(alice, {'read': True, 'write': True}).count() == 1
+    assert Organization.accessible_objects(bob, {'read': True, 'write': True}).count() == 0
+    assert Organization.accessible_objects(bob, {'read': True, 'write': True}).count() == 0
+
 @pytest.mark.django_db
 def test_team_symantics(organization, team, alice):
     assert organization.accessible_by(alice, {'read': True}) is False
@@ -110,32 +137,28 @@ def test_implicit_deletes(alice):
     delorg = Organization.objects.create(name='test-org')
     delorg.admin_role.members.add(alice)
 
-    resource_id = delorg.resource.id
     admin_role_id = delorg.admin_role.id
     auditor_role_id = delorg.auditor_role.id
 
     assert Role.objects.filter(id=admin_role_id).count() == 1
     assert Role.objects.filter(id=auditor_role_id).count() == 1
-    assert Resource.objects.filter(id=resource_id).count() == 1
     n_alice_roles = alice.roles.count()
     n_system_admin_children = Role.singleton('System Administrator').children.count()
+    rp = RolePermission.objects.create(role=delorg.admin_role, resource=delorg, read=True)
 
     delorg.delete()
 
     assert Role.objects.filter(id=admin_role_id).count() == 0
     assert Role.objects.filter(id=auditor_role_id).count() == 0
-    assert Resource.objects.filter(id=resource_id).count() == 0
     assert alice.roles.count() == (n_alice_roles - 1)
+    assert RolePermission.objects.filter(id=rp.id).count() == 0
     assert Role.singleton('System Administrator').children.count() == (n_system_admin_children - 1)
 
 @pytest.mark.django_db
 def test_content_object(user):
-    'Ensure our conent_object stuf seems to be working'
+    'Ensure our content_object stuf seems to be working'
 
-    print('Creating organization')
     org = Organization.objects.create(name='test-org')
-    print('Organizaiton id: %d  resource: %d  admin_role: %d' % (org.id, org.resource.id, org.admin_role.id))
-    assert org.resource.content_object.id == org.id
     assert org.admin_role.content_object.id == org.id
 
 @pytest.mark.django_db