Create galaxy_ng specific Roles (#1058)

* Update to pulpcore 3.17.3
* Correct verbosity parameter
* Add default LOCKED_ROLES
* Added roles: galaxy.collection_admin, galaxy.execution_environment_admin
* Import adjust_roles from pulpcore plugin api
* Integration test to verify expected galaxy locked roles exist
* Mark test as standalone_only for time being.
Issue: AAH-1092

CHANGES/1092.misc

@@ -1 +1 @@
-Update to pulpcore 3.17.3
+Create galaxy_ng specific Roles

galaxy_ng/app/access_control/statements/__init__.py

@@ -1,9 +1,11 @@
 from .standalone import STANDALONE_STATEMENTS
 from .insights import INSIGHTS_STATEMENTS
 from .pulp_container import PULP_CONTAINER_VIEWSETS
+from .roles import VIEWSETS
 
 __all__ = (
     STANDALONE_STATEMENTS,
     INSIGHTS_STATEMENTS,
-    PULP_CONTAINER_VIEWSETS
+    PULP_CONTAINER_VIEWSETS,
+    VIEWSETS
 )

galaxy_ng/app/access_control/statements/roles.py

@@ -0,0 +1,51 @@
+VIEWSETS = {
+    "CollectionViewSet": {
+        "LOCKED_ROLES": {
+            "galaxy.collection_admin": [
+                "galaxy.change_namespace",
+                "galaxy.delete_namespace",
+                "galaxy.view_namespace",
+                "galaxy.upload_to_namespace",
+                "ansible.delete_collection",
+            ],
+        }
+    },
+    "ContainerRepositoryViewSet": {
+        "LOCKED_ROLES": {
+            "galaxy.execution_environment_admin": [
+                "container.delete_containerrepository",
+                "container.namespace_change_containerdistribution",
+                "container.namespace_modify_content_containerpushrepository",
+                "container.namespace_push_containerdistribution",
+                "container.add_containernamespace",
+                "container.change_containernamespace",
+            ],
+        }
+    },
+    "NamespaceViewSet": {
+        "LOCKED_ROLES": {
+            "galaxy.namespace_owner": [
+                "galaxy.add_namespace",
+                "galaxy.change_namespace",
+                "galaxy.delete_namespace",
+                "galaxy.view_namespace",
+                "galaxy.upload_to_namespace",
+                "ansible.delete_collection",
+            ],
+            "galaxy.publisher": [
+                "galaxy.upload_to_namespace",
+                "ansible.delete_collection",
+            ],
+        },
+    },
+    "SyncListViewSet": {
+        "LOCKED_ROLES": {
+            "galaxy.synclist_owner": [
+                "galaxy.add_synclist",
+                "galaxy.change_synclist",
+                "galaxy.delete_synclist",
+                "galaxy.view_synclist",
+            ],
+        }
+    },
+}

galaxy_ng/app/signals/handlers.py

@@ -6,7 +6,9 @@
 from django.apps import apps
 from django.dispatch import receiver
 from django.db.models.signals import post_save, post_migrate
+from pulpcore.plugin.apps import adjust_roles
 from pulp_ansible.app.models import AnsibleDistribution, AnsibleRepository, Collection
+from galaxy_ng.app.access_control.statements.roles import VIEWSETS as GALAXY_VIEWSETS
 from galaxy_ng.app.access_control.statements import PULP_CONTAINER_VIEWSETS
 from galaxy_ng.app.models import ContentRedirectContentGuard, Namespace
 
@@ -48,6 +50,26 @@ def create_namespace_if_not_present(sender, instance, created, **kwargs):
     Namespace.objects.get_or_create(name=instance.namespace)
 
 
+def set_role_definitions(sender, **kwargs):
+    apps = kwargs.get("apps")
+    if apps is None:
+        from django.apps import apps
+    role_prefix = f"{sender.label}."
+    desired_roles = {}
+    for viewset in GALAXY_VIEWSETS:
+        locked_roles = GALAXY_VIEWSETS[viewset]['LOCKED_ROLES']
+        if locked_roles is not None:
+            desired_roles.update(locked_roles or {})
+    adjust_roles(apps, role_prefix, desired_roles, verbosity=kwargs.get("verbosity", 1))
+
+
+post_migrate.connect(
+    set_role_definitions,
+    sender=apps.get_app_config("galaxy"),
+    dispatch_uid="set_galaxy_locked_role_definitions"
+)
+
+
 def set_pulp_container_access_policies(sender, **kwargs):
     apps = kwargs.get("apps")
     if apps is None:

galaxy_ng/tests/integration/api/test_locked_roles.py

@@ -0,0 +1,35 @@
+"""test_locked_roles.py - Tests creation of locked roles."""
+
+import pytest
+
+from ..utils import get_client
+
+pytestmark = pytest.mark.qa  # noqa: F821
+
+
+@pytest.mark.standalone_only
+@pytest.mark.role
+def test_locked_roles_exist(ansible_config):
+    galaxy_locked_roles = [
+        "galaxy.collection_admin",
+        "galaxy.execution_environment_admin",
+        "galaxy.namespace_owner",
+        "galaxy.publisher",
+        "galaxy.synclist_owner",
+    ]
+
+    config = ansible_config("ansible_partner")
+    api_client = get_client(
+        config=config,
+        require_auth=True,
+        request_token=False
+    )
+    resp = api_client('/pulp/api/v3/roles/', method='GET')
+    locked_roles = resp['results']
+
+    galaxy_locked_roles_count = 0
+    for role in locked_roles:
+        if role["name"].startswith("galaxy.") and role["locked"]:
+            galaxy_locked_roles_count += 1
+            assert role["name"] in galaxy_locked_roles and role["locked"]
+    assert len(galaxy_locked_roles) == galaxy_locked_roles_count

galaxy_ng/tests/integration/conftest.py

@@ -34,6 +34,7 @@
 synclist: Related to synclist object and synclist repo.
 openapi: Checks the openapi schema and routes.
 openapi_generate_bindings: Verifies pulp client bindings generator
+role: Related to RBAC Roles
 """