RBAC Roles Refactor (#1413)

* Revert "Revert RBAC Roles (#1205)" (#1212)
* Fix CI on feature branches (#1271)
* Fix groups on namespaces and container namespaces. (#1269)
* Update pulp_container to 2.12, pulpcore to 3.19 (#1272) Issue: AAH-1526
* Migrate permissions from Groups to Roles (#1199) Issue: AAH-1128
* Upgrade to pulpcore 3.20 (#1279) Issue: AAH-1643
* Add python package name to AppConfig (#1314)  No-Issue
* Make roles and group/roles visible for users with group permission (#1316)  No-Issue
* Don't require 'view_group' permissions (#1367) Issue: AAH-1805
* Allow roles assignment to group with `change_group` permission (#1371) Issue: AAH-1766
* Remove deprecated media type from pulp_container. (#1380) Issue: AAH-1828
* Update pulp dependencies from commit hashes to pinned versions (#1381) No-Issue
* Resolve guardian foreign key contraints in rbac migration (#1384) Issue: AAH-1765
* Fix bug preventing users with object permissions from adding groups to container namespaces. (#1387) Issue: AAH-1757
* Make my permissions work with proxy models. (#1389) No-Issue
* Add RBAC roles tests (#1283) Issue: AAH-1609
* Resolve test issues after rebase to master (#1392) No-Issue
* Remove guardian from LDAP on rbac-roles branch. (#1394) No-Issue
* Mark current rbac roles, group test standalone_only (#1395) No-Issue
* Add RBAC object tests (#1391) Issue: AAH-1850
* Add RBAC Roles CI workflow (#1398) No-Issue
* Rename migrations to not override default branch (#1401) No-Issue
* Add role check to app auth unit test (#1402) No-Issue
* Clear out old django model permissions (#1404) No-Issue
* Upgrade pulp container (#1399) No-Issue
* Check expected state and behavior of group permissions (#1403) No-Issue

Co-authored-by: David Newswanger <[email protected]>
Signed-off-by: James Tanner <[email protected]>
Co-authored-by: Brian McLaughlin <[email protected]>
Co-authored-by: Jiří Jeřábek <[email protected]>
Co-authored-by: Shaiah Emigh-Doyle <[email protected]>
Co-authored-by: Andrew Crosby <[email protected]>
Co-authored-by: jctanner <[email protected]>

.github/stale.yml

@@ -0,0 +1,53 @@
+# Configuration for probot-stale - https://github.com/probot/stale
+
+# Number of days of inactivity before an Issue or Pull Request becomes stale
+daysUntilStale: 90
+
+# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
+# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
+daysUntilClose: 30
+
+# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled)
+onlyLabels: []
+
+# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
+exemptLabels:
+  - security
+  - planned
+
+# Set to true to ignore issues in a project (defaults to false)
+exemptProjects: false
+
+# Set to true to ignore issues in a milestone (defaults to false)
+exemptMilestones: false
+
+# Set to true to ignore issues with an assignee (defaults to false)
+exemptAssignees: false
+
+# Label to use when marking as stale
+staleLabel: stale
+
+# Limit the number of actions per hour, from 1-30. Default is 30
+limitPerRun: 30
+# Limit to only `issues` or `pulls`
+only: pulls
+
+pulls:
+  markComment: |-
+    This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution!
+
+  unmarkComment: >-
+    This pull request is no longer marked for closure.
+
+  closeComment: >-
+    This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details.
+
+issues:
+  markComment: |-
+    This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
+
+  unmarkComment: >-
+    This issue is no longer marked for closure.
+
+  closeComment: >-
+    This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.

.github/template_gitref

@@ -1 +1 @@
-2021.08.26-132-g4a6cd66
+2021.08.26-139-g0d40f35

.github/workflows/ci.yml

@@ -7,7 +7,7 @@
 
 ---
 name: Galaxy CI
-on: {pull_request: {branches: ['*']}, push: {branches: ['*']}}
+on: {pull_request: {branches: ['**']}, push: {branches: ['**']}}
 jobs:
 
   check_commit:

.github/workflows/ci_insights.yml

@@ -3,14 +3,14 @@ name: Insights
 on:
   pull_request:
     branches:
-      - '*'
+      - '**'
     paths-ignore:
       - 'docs/**'
       - 'mkdocs.yml'
       - 'CHANGES/**'
   push:
     branches:
-      - '*'
+      - '**'
   workflow_dispatch:
 
 jobs:

.github/workflows/ci_standalone-community.yml

@@ -3,14 +3,14 @@ name: Standalone Community
 on:
   pull_request:
     branches:
-      - '*'
+      - '**'
     paths-ignore:
       - 'docs/**'
       - 'mkdocs.yml'
       - 'CHANGES/**'
   push:
     branches:
-      - '*'
+      - '**'
   workflow_dispatch:
 
 jobs:

.github/workflows/ci_standalone-ldap.yml

@@ -3,14 +3,14 @@ name: Standalone LDAP
 on:
   pull_request:
     branches:
-      - '*'
+      - '**'
     paths-ignore:
       - 'docs/**'
       - 'mkdocs.yml'
       - 'CHANGES/**'
   push:
     branches:
-      - '*'
+      - '**'
   workflow_dispatch:
 
 jobs:

.github/workflows/ci_standalone-rbac-roles.yml

@@ -0,0 +1,76 @@
+---
+name: Standalone RBAC Roles
+on: 
+  pull_request:
+    branches:
+      - '**'
+    paths-ignore:
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - 'CHANGES/**'
+  push:
+    branches:
+      - '**'
+  workflow_dispatch:
+
+jobs:
+
+  integration:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: actions/setup-python@v2
+        with:
+          python-version: "3.8"
+
+      - name: Update apt
+        run: sudo apt -y update
+
+      - name: Install LDAP requirements
+        run: sudo apt-get install -y libsasl2-dev python-dev libldap2-dev libssl-dev build-essential
+
+      - name: Install docker-compose
+        run: pip3 install --upgrade docker-compose
+
+      - name: collect system info
+        run: whoami; id; pwd; ls -al; uname -a ; df -h .; mount ; cat /etc/issue; docker --version ; ps aux | fgrep -i docker; ls -al /var/run/containerd/containerd.sock
+
+      - name: clone the hub ui repo
+        run: git clone https://github.com/ansible/ansible-hub-ui /tmp/ansible-hub-ui 
+
+      - name: create the .compose.env file
+        run: rm -f .compose.env; cp .compose.env.example .compose.env
+
+      - name: workaround github worker permissions issues
+        run: sed -i.bak 's/PIP_EDITABLE_INSTALL=1/PIP_EDITABLE_INSTALL=0/' .compose.env
+
+      - name: workaround github worker permissions issues
+        run: sed -i.bak 's/WITH_DEV_INSTALL=1/WITH_DEV_INSTALL=0/' .compose.env
+
+      - name: set the hub ui path in .compose.env
+        run: echo "ANSIBLE_HUB_UI_PATH='/tmp/ansible-hub-ui'" >> .compose.env
+
+      - name: disable approval setting override
+        run: sed -i.bak 's/PULP_GALAXY_REQUIRE_CONTENT_APPROVAL/#PULP_GALAXY_REQUIRE_CONTENT_APPROVAL/' dev/standalone/galaxy_ng.env
+
+      - name: build stack
+        run: make docker/build
+
+      - name: run migrations
+        run: make docker/migrate
+
+      - name: load translations
+        run: make docker/translations
+
+      - name: start the compose stack
+        run: ./compose up -d
+
+      - name: give stack some time to spin up
+        run: sleep 120
+
+      - name: set keyring on staging repo for signature upload
+        run: ./compose exec -T api ./entrypoint.sh manage set-repo-keyring --repository staging --keyring /etc/pulp/certs/galaxy.kbx -y
+
+      - name: run the integration tests
+        run: HUB_LOCAL=1 ./dev/standalone-rbac-roles/RUN_INTEGRATION.sh

.github/workflows/ci_standalone.yml

@@ -3,14 +3,14 @@ name: Standalone
 on: 
   pull_request:
     branches:
-      - '*'
+      - '**'
     paths-ignore:
       - 'docs/**'
       - 'mkdocs.yml'
       - 'CHANGES/**'
   push:
     branches:
-      - '*'
+      - '**'
   workflow_dispatch:
 
 jobs:

.github/workflows/scripts/before_install.sh

@@ -111,7 +111,7 @@ fi
 
 
 
-git clone --depth=1 https://github.com/pulp/pulpcore.git --branch 3.18.1
+git clone --depth=1 https://github.com/pulp/pulpcore.git --branch 3.20.0
 
 cd pulpcore
 
@@ -122,7 +122,7 @@ fi
 cd ..
 
 
-git clone --depth=1 https://github.com/pulp/pulp_ansible.git --branch 0.13.0
+git clone --depth=1 https://github.com/pulp/pulp_ansible.git --branch 0.14.0
 cd pulp_ansible
 
 if [ -n "$PULP_ANSIBLE_PR_NUMBER" ]; then
@@ -132,7 +132,7 @@ fi
 
 cd ..
 
-git clone --depth=1 https://github.com/pulp/pulp_container.git --branch 2.10.2
+git clone --depth=1 https://github.com/pulp/pulp_container.git --branch 2.13.1
 cd pulp_container
 
 if [ -n "$PULP_CONTAINER_PR_NUMBER" ]; then
@@ -152,8 +152,6 @@ fi
 
 cd ..
 
-
-
 # Intall requirements for ansible playbooks
 pip install docker netaddr boto3 ansible
 

.github/workflows/scripts/install.sh

@@ -28,24 +28,22 @@ pip install -r functest_requirements.txt
 cd .ci/ansible/
 
 TAG=ci_build
-
 if [ -e $REPO_ROOT/../pulp_ansible ]; then
   PULP_ANSIBLE=./pulp_ansible
 else
-  PULP_ANSIBLE=git+https://github.com/pulp/pulp_ansible.git@0.13.0
+  PULP_ANSIBLE=git+https://github.com/pulp/pulp_ansible.git@0.14.0
 fi
-
 if [ -e $REPO_ROOT/../pulp_container ]; then
   PULP_CONTAINER=./pulp_container
 else
-  PULP_CONTAINER=git+https://github.com/pulp/pulp_container.git@2.10.2
+  PULP_CONTAINER=git+https://github.com/pulp/pulp_container.git@2.13.1
 fi
-
 if [ -e $REPO_ROOT/../galaxy-importer ]; then
   GALAXY_IMPORTER=./galaxy-importer
 else
   GALAXY_IMPORTER=git+https://github.com/ansible/[email protected]
 fi
+PULPCORE=./pulpcore
 if [[ "$TEST" == "plugin-from-pypi" ]]; then
   PLUGIN_NAME=galaxy_ng
 elif [[ "${RELEASE_WORKFLOW:-false}" == "true" ]]; then
@@ -87,7 +85,7 @@ plugins:
   - name: galaxy-importer
     source: $GALAXY_IMPORTER
   - name: pulpcore
-    source: ./pulpcore
+    source: "${PULPCORE}"
 VARSYAML
 fi
 

.github/workflows/scripts/script.sh

@@ -121,8 +121,6 @@ export PYTHONPATH=$REPO_ROOT/../pulp_container${PYTHONPATH:+:${PYTHONPATH}}
 export PYTHONPATH=$REPO_ROOT/../galaxy-importer${PYTHONPATH:+:${PYTHONPATH}}
 export PYTHONPATH=$REPO_ROOT${PYTHONPATH:+:${PYTHONPATH}}
 
-
-
 if [[ "$TEST" == "performance" ]]; then
   if [[ -z ${PERFORMANCE_TEST+x} ]]; then
     pytest -vv -r sx --color=yes --pyargs --capture=no --durations=0 galaxy_ng.tests.performance
@@ -137,13 +135,13 @@ if [ -f $FUNC_TEST_SCRIPT ]; then
 else
 
     if [[ "$GITHUB_WORKFLOW" == "Galaxy Nightly CI/CD" ]]; then
-        pytest -v -r sx --color=yes --suppress-no-test-exit-code --pyargs galaxy_ng.tests.functional -m parallel -n 8
-        pytest -v -r sx --color=yes --pyargs galaxy_ng.tests.functional -m "not parallel"
+        pytest -v -r sx --color=yes --suppress-no-test-exit-code --pyargs galaxy_ng.tests.functional -m parallel -n 8  --nightly
+        pytest -v -r sx --color=yes --pyargs galaxy_ng.tests.functional -m "not parallel"  --nightly
 
 
     else
-        pytest -v -r sx --color=yes --suppress-no-test-exit-code --pyargs galaxy_ng.tests.functional -m "parallel and not nightly" -n 8
-        pytest -v -r sx --color=yes --pyargs galaxy_ng.tests.functional -m "not parallel and not nightly"
+        pytest -v -r sx --color=yes --suppress-no-test-exit-code --pyargs galaxy_ng.tests.functional -m parallel -n 8
+        pytest -v -r sx --color=yes --pyargs galaxy_ng.tests.functional -m "not parallel"
 
 
     fi

CHANGES/1092.misc

@@ -0,0 +1 @@
+Create galaxy_ng specific Roles

CHANGES/1093.misc

@@ -0,0 +1 @@
+Removing django-guardian and migrating to RBAC Roles

CHANGES/1128.misc

@@ -0,0 +1 @@
+Migration to move Permissions from Groups to custom Roles, filtering against Galaxy locked Roles where applicable

CHANGES/1526.misc

@@ -0,0 +1 @@
+Update pulp_container to 2.12, update pulpcore to 3.19

CHANGES/1595.bugfix

@@ -0,0 +1 @@
+Fix 500 error when listing Group Roles

CHANGES/1609.misc

@@ -0,0 +1 @@
+Create tests for RBAC roles.

CHANGES/1643.misc

@@ -0,0 +1 @@
+Upgrade to pulpcore 3.20.

CHANGES/1757.misc

@@ -0,0 +1 @@
+Fix bug preventing users with object permissions from adding groups to container namespaces.

CHANGES/1765.bugfix

@@ -0,0 +1 @@
+Remove guardian foreign key contraints in rbac migration

CHANGES/1766.bugfix

@@ -0,0 +1 @@
+Allow roles assignment to group with `change_group` permission

CHANGES/1805.bugfix

@@ -0,0 +1 @@
+Remove conditional `view_task`.

CHANGES/1828.misc

@@ -0,0 +1 @@
+Remove deprecated media type from pulp_container.

CHANGES/1850.misc

@@ -0,0 +1 @@
+Add object integration tests for RBAC roles

dev/common/RUN_INTEGRATION.sh

@@ -41,10 +41,10 @@ docker exec -i galaxy_ng_api_1 /entrypoint.sh manage shell < dev/common/setup_te
 # export HUB_LOCAL=1
 # dev/common/RUN_INTEGRATION.sh --pdb -sv --log-cli-level=DEBUG "-m standalone_only" -k mytest
 if [[ -z $HUB_LOCAL ]]; then
-    pytest --capture=no -m "not standalone_only and not community_only" $@ -v galaxy_ng/tests/integration
+    pytest --capture=no -m "not standalone_only and not community_only and not rbac_roles" $@ -v galaxy_ng/tests/integration
     RC=$?
 else
-    pytest --capture=no -m "not cloud_only and not community_only" -v $@ galaxy_ng/tests/integration
+    pytest --capture=no -m "not cloud_only and not community_only and not rbac_roles" -v $@ galaxy_ng/tests/integration
     RC=$?
 
     if [[ $RC != 0 ]]; then