Merge branch 'devel' into phase2/feature-flags/poc

bhavenst · web-flow · commit 1516f170f240 · 2025-11-21T12:40:49.000-07:00
diff --git a/ansible_base/rbac/api/views.py b/ansible_base/rbac/api/views.py
@@ -14,6 +14,7 @@
 from rest_framework.viewsets import GenericViewSet, ModelViewSet, mixins
 
 from ansible_base.lib.utils.auth import get_team_model, get_user_model
+from ansible_base.lib.utils.schema import extend_schema_if_available
 from ansible_base.lib.utils.views.django_app_api import AnsibleBaseDjangoAppApiView
 from ansible_base.lib.utils.views.permissions import try_add_oauth2_scope_permission
 from ansible_base.rbac.api.permissions import RoleDefinitionPermissions
@@ -236,17 +237,24 @@ class RoleTeamAssignmentViewSet(BaseAssignmentViewSet):
     ]
 
 
-class RoleUserAssignmentViewSet(BaseAssignmentViewSet):
-    """
-    Use this endpoint to give a user permission to a resource or an organization.
-    The needed data is the user, the role definition, and the object id.
-    The object must be of the type specified in the role definition.
-    The type given in the role definition and the provided object_id are used
-    to look up the resource.
+# Schema fragments for RoleUserAssignmentViewSet OpenAPI spec
+_USER_ACTOR_ONEOF = {
+    'oneOf': [
+        {'required': ['user'], 'not': {'required': ['user_ansible_id']}},
+        {'required': ['user_ansible_id'], 'not': {'required': ['user']}},
+    ]
+}
+
+_OBJECT_ID_ONEOF = {
+    'oneOf': [
+        {'properties': {'object_id': {'oneOf': [{'type': 'integer'}, {'type': 'string', 'format': 'uuid'}]}, 'object_ansible_id': False}},
+        {'properties': {'object_ansible_id': {'type': 'string', 'format': 'uuid'}, 'object_id': False}},
+        {'not': {'anyOf': [{'required': ['object_id']}, {'required': ['object_ansible_id']}]}},
+    ]
+}
 
-    After creation, the assignment cannot be edited, but can be deleted to
-    remove those permissions.
-    """
+
+class RoleUserAssignmentViewSet(BaseAssignmentViewSet):
 
     resource_purpose = "RBAC role grants assigning permissions to users for specific resources"
 
@@ -257,6 +265,25 @@ class RoleUserAssignmentViewSet(BaseAssignmentViewSet):
         ansible_id_backend.RoleAssignmentFilterBackend,
     ]
 
+    @extend_schema_if_available(
+        request={
+            'application/json': {
+                'allOf': [
+                    {'$ref': '#/components/schemas/RoleUserAssignment'},
+                    _USER_ACTOR_ONEOF,
+                    _OBJECT_ID_ONEOF,
+                ]
+            },
+        },
+        description="Give a user permission to a resource, an organization, or globally (when allowed)."
+        "Must specify 'role_definition' and exactly one of 'user' or 'user_ansible_id'."
+        "Can specify at most one of 'object_id' or 'object_ansible_id' (omit both for global roles)."
+        "The content_type of the role definition and the provided object_id are used to look up the resource."
+        "After creation, the assignment cannot be edited, but can be deleted to remove those permissions.",
+    )
+    def create(self, request, *args, **kwargs):
+        return super().create(request, *args, **kwargs)
+
 
 class AccessURLMixin:
     def get_actor_model(self):
diff --git a/test_app/tests/api_documentation/test_schema_integration.py b/test_app/tests/api_documentation/test_schema_integration.py
@@ -148,3 +148,35 @@ def test_openapi_schema_unauthenticated_access(unauthenticated_api_client):
     if response.status_code == 200:
         schema = response.data
         assert 'openapi' in schema
+
+
+def test_role_user_assignment_create_schema(admin_api_client):
+    """
+    Test that RoleUserAssignmentViewSet's create operation has proper schema constraints.
+
+    Generated by Claude Code (claude-sonnet-4-5@20250929)
+
+    Verifies that the request body schema properly enforces:
+    - Exactly one of 'user' or 'user_ansible_id' is required
+    - At most one of 'object_id' or 'object_ansible_id' can be specified
+    """
+    url = '/api/v1/docs/schema/'
+    response = admin_api_client.get(url)
+    assert response.status_code == 200
+
+    # Navigate directly to the schema - will raise KeyError if path doesn't exist
+    all_of = response.data['paths']['/api/v1/role_user_assignments/']['post']['requestBody']['content']['application/json']['schema']['allOf']
+
+    # Verify structure: [base_schema, user_constraint, object_constraint]
+    assert len(all_of) == 3, "Should have 3 items: base schema + 2 constraint sets"
+    assert all_of[0] == {'$ref': '#/components/schemas/RoleUserAssignment'}
+
+    # Verify user constraint: exactly one of 'user' or 'user_ansible_id'
+    user_one_of = all_of[1]['oneOf']
+    assert len(user_one_of) == 2
+    assert user_one_of[0] == {'required': ['user'], 'not': {'required': ['user_ansible_id']}}
+    assert user_one_of[1] == {'required': ['user_ansible_id'], 'not': {'required': ['user']}}
+
+    # Verify object constraint: at most one of 'object_id' or 'object_ansible_id'
+    object_one_of = all_of[2]['oneOf']
+    assert len(object_one_of) == 3
