rename existing param for destructive operations to be related only with api requests

petracihalova · petracihalova · commit 390089b5a60b · 2024-07-19T17:01:58.000+02:00
next commit will introduce new param for destructive operations within seeding
that will allow us to have a finer control over destructive RBAC operations
diff --git a/deploy/rbac-clowdapp.yml b/deploy/rbac-clowdapp.yml
@@ -455,8 +455,8 @@ objects:
             value: ${BYPASS_BOP_VERIFICATION}
           - name: ROLE_CREATE_ALLOW_LIST
             value: ${ROLE_CREATE_ALLOW_LIST}
-          - name: RBAC_DESTRUCTIVE_ENABLED_UNTIL
-            value: ${RBAC_DESTRUCTIVE_ENABLED_UNTIL}
+          - name: RBAC_DESTRUCTIVE_API_ENABLED_UNTIL
+            value: ${RBAC_DESTRUCTIVE_API_ENABLED_UNTIL}
           - name: CLOWDER_ENABLED
             value: ${CLOWDER_ENABLED}
           - name: APP_NAMESPACE
@@ -727,7 +727,7 @@ parameters:
   name: ROLE_CREATE_ALLOW_LIST
   value: cost-management,remediations,inventory,drift,policies,advisor,catalog,approval,vulnerability,compliance,automation-analytics,notifications,patch,integrations,ros,staleness,config-manager,idmsvc
 - description: Timestamp expiration allowance on destructive actions through the internal RBAC API
-  name: RBAC_DESTRUCTIVE_ENABLED_UNTIL
+  name: RBAC_DESTRUCTIVE_API_ENABLED_UNTIL
   value: ''
 - description: Image tag
   name: IMAGE_TAG
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -33,7 +33,7 @@ services:
         - PRINCIPAL_PROXY_SERVICE_PATH=${PRINCIPAL_PROXY_SERVICE_PATH}
         - PRINCIPAL_PROXY_SERVICE_SOURCE_CERT=${PRINCIPAL_PROXY_SERVICE_SOURCE_CERT-False}
         - PRINCIPAL_PROXY_SERVICE_SSL_VERIFY=${PRINCIPAL_PROXY_SERVICE_SSL_VERIFY-False}
-        - RBAC_DESTRUCTIVE_ENABLED_UNTIL=${RBAC_DESTRUCTIVE_ENABLED_UNTIL}
+        - RBAC_DESTRUCTIVE_API_ENABLED_UNTIL=${RBAC_DESTRUCTIVE_API_ENABLED_UNTIL}
       privileged: true
       ports:
           - 9080:8080
diff --git a/rbac/core/utils.py b/rbac/core/utils.py
@@ -22,7 +22,12 @@
 from django.conf import settings
 
 
-def destructive_ok():
+def destructive_ok(operation_type):
     """Determine if it's ok to run destructive operations."""
     now = datetime.datetime.utcnow().replace(tzinfo=pytz.UTC)
-    return now < settings.INTERNAL_DESTRUCTIVE_API_OK_UNTIL
+    if operation_type == "api":
+        return now < settings.INTERNAL_DESTRUCTIVE_API_OK_UNTIL
+    if operation_type == "seeding":
+        return False
+
+    return False
diff --git a/rbac/internal/views.py b/rbac/internal/views.py
@@ -137,7 +137,7 @@ def tenant_view(request, org_id):
     """
     logger.info(f"Tenant view: {request.method} {request.user.username}")
     if request.method == "DELETE":
-        if not destructive_ok():
+        if not destructive_ok("api"):
             return HttpResponse("Destructive operations disallowed.", status=400)
 
         tenant_obj = get_object_or_404(Tenant, org_id=org_id)
@@ -391,7 +391,7 @@ def invalid_default_admin_groups(request):
         }
         return HttpResponse(json.dumps(payload), content_type="application/json")
     if request.method == "DELETE":
-        if not destructive_ok():
+        if not destructive_ok("api"):
             return HttpResponse("Destructive operations disallowed.", status=400)
         invalid_default_admin_groups_list.delete()
         return HttpResponse(status=204)
@@ -405,7 +405,7 @@ def role_removal(request):
     """
     logger.info(f"Role removal: {request.method} {request.user.username}")
     if request.method == "DELETE":
-        if not destructive_ok():
+        if not destructive_ok("api"):
             return HttpResponse("Destructive operations disallowed.", status=400)
 
         role_name = request.GET.get("name")
@@ -433,7 +433,7 @@ def permission_removal(request):
     """
     logger.info(f"Permission removal: {request.method} {request.user.username}")
     if request.method == "DELETE":
-        if not destructive_ok():
+        if not destructive_ok("api"):
             return HttpResponse("Destructive operations disallowed.", status=400)
 
         permission = request.GET.get("permission")
diff --git a/rbac/management/role/definer.py b/rbac/management/role/definer.py
@@ -137,7 +137,7 @@ def seed_roles():
     # Find roles in DB but not in config
     roles_to_delete = Role.objects.filter(system=True).exclude(id__in=current_role_ids)
     logger.info(f"The following '{roles_to_delete.count()}' roles(s) eligible for removal: {roles_to_delete.values()}")
-    if destructive_ok():
+    if destructive_ok("seeding"):
         logger.info(f"Removing the following role(s): {roles_to_delete.values()}")
         # Actually remove roles no longer in config
         with transaction.atomic():
@@ -202,7 +202,7 @@ def seed_permissions():
     logger.info(
         f"The following '{perms_to_delete.count()}' permission(s) eligible for removal: {perms_to_delete.values()}"
     )
-    if destructive_ok():
+    if destructive_ok("seeding"):
         logger.info(f"Removing the following permissions(s): {perms_to_delete.values()}")
         # Actually remove perms no longer in DB
         with transaction.atomic():
diff --git a/rbac/rbac/settings.py b/rbac/rbac/settings.py
@@ -367,7 +367,9 @@
 INTERNAL_API_PATH_PREFIXES = ["/_private/"]
 
 try:
-    INTERNAL_DESTRUCTIVE_API_OK_UNTIL = parse_dt(os.environ.get("RBAC_DESTRUCTIVE_ENABLED_UNTIL", "not-a-real-time"))
+    INTERNAL_DESTRUCTIVE_API_OK_UNTIL = parse_dt(
+        os.environ.get("RBAC_DESTRUCTIVE_API_ENABLED_UNTIL", "not-a-real-time")
+    )
     if INTERNAL_DESTRUCTIVE_API_OK_UNTIL.tzinfo is None:
         INTERNAL_DESTRUCTIVE_API_OK_UNTIL = INTERNAL_DESTRUCTIVE_API_OK_UNTIL.replace(tzinfo=pytz.UTC)
 except ValueError as e:
diff --git a/tests/core/test_utils.py b/tests/core/test_utils.py
@@ -33,9 +33,9 @@ def invalid_destructive_time():
     @override_settings(INTERNAL_DESTRUCTIVE_API_OK_UNTIL=valid_destructive_time())
     def test_destructive_ok_true(self):
         """Test that it's true when within date range."""
-        self.assertEqual(destructive_ok(), True)
+        self.assertEqual(destructive_ok("api"), True)
 
     @override_settings(INTERNAL_DESTRUCTIVE_API_OK_UNTIL=invalid_destructive_time())
     def test_destructive_ok_false(self):
         """Test that it's false when not within date range."""
-        self.assertEqual(destructive_ok(), False)
+        self.assertEqual(destructive_ok("api"), False)
