Add RBAC for TaskGroups

fixes: pulp#5497

Author: gerrod3

CHANGES/5497.feature

@@ -0,0 +1 @@
+Added RBAC for `TaskGroups` API.

pulpcore/app/tasks/test.py

@@ -1,4 +1,6 @@
 import backoff
+from pulpcore.app.models import TaskGroup
+from pulpcore.tasking.tasks import dispatch
 
 
 def dummy_task():
@@ -18,3 +20,13 @@ def gooey_task(interval):
     from time import sleep
 
     sleep(interval)
+
+
+def dummy_group_task(inbetween=3, intervals=None):
+    """A group task that dispatches 'interval' sleep tasks every 'inbetween' seconds.'"""
+    intervals = intervals or range(5)
+    task_group = TaskGroup.current()
+    for interval in intervals:
+        dispatch(sleep, args=(interval,), task_group=task_group)
+        sleep(inbetween)
+    task_group.finish()

pulpcore/app/viewsets/task.py

@@ -249,6 +249,27 @@ class TaskGroupViewSet(NamedModelViewSet, mixins.RetrieveModelMixin, mixins.List
     serializer_class = TaskGroupSerializer
     ordering = "-pulp_created"
 
+    DEFAULT_ACCESS_POLICY = {
+        "statements": [
+            {"action": ["list", "retrieve"], "principal": "authenticated", "effect": "allow"},
+        ],
+        "queryset_scoping": {"function": "scope_queryset"},
+    }
+
+    def scope_queryset(self, qs):
+        """Filter based on having view permission on the parent task of the group."""
+        if not self.request.user.is_superuser:
+            task_viewset = TaskViewSet()
+            setattr(task_viewset, "request", self.request)
+            setattr(task_viewset, "action", "group")  # Set this to avoid extra prefetch queries
+            tasks = (
+                task_viewset.get_queryset()
+                .filter(parent_task__isnull=True, task_group__isnull=False)
+                .values_list("pk", flat=True)
+            )
+            qs = qs.filter(tasks__in=tasks)
+        return qs
+
 
 class WorkerFilter(BaseFilterSet):
     online = filters.BooleanFilter(method="filter_online")

pulpcore/pytest_plugin.py

@@ -1015,19 +1015,21 @@ def _wget_recursive_download_on_host(url, destination):
 
 @pytest.fixture(scope="session")
 def dispatch_task(pulpcore_bindings):
-    def _dispatch_task(*args, **kwargs):
+    def _dispatch_task(*args, task_group_id=None, **kwargs):
         cid = pulpcore_bindings.client.default_headers.get("Correlation-ID") or str(uuid.uuid4())
         username = pulpcore_bindings.client.configuration.username
         commands = (
             "from django_guid import set_guid; "
             "from pulpcore.tasking.tasks import dispatch; "
+            "from pulpcore.app.models import TaskGroup; "
             "from pulpcore.app.util import get_url, set_current_user; "
             "from django.contrib.auth import get_user_model; "
             "User = get_user_model(); "
             f"user = User.objects.filter(username='{username}').first(); "
             "set_current_user(user); "
             f"set_guid({cid!r}); "
-            f"task = dispatch(*{args!r}, **{kwargs!r}); "
+            f"tg = {task_group_id!r} and TaskGroup.objects.filter(pk={task_group_id!r}).first(); "
+            f"task = dispatch(*{args!r}, task_group=tg, **{kwargs!r}); "
             "print(get_url(task))"
         )
 
@@ -1040,6 +1042,25 @@ def _dispatch_task(*args, **kwargs):
     return _dispatch_task
 
 
+@pytest.fixture(scope="session")
+def dispatch_task_group(dispatch_task):
+    def _dispatch_task_group(task_name, *args, **kwargs):
+        commands = (
+            "from pulpcore.app.models import TaskGroup; "
+            "from pulpcore.app.util import get_url; "
+            "task_group = TaskGroup.objects.create(); "
+            "print(task_group.pk, get_url(task_group))"
+        )
+        process = subprocess.run(["pulpcore-manager", "shell", "-c", commands], capture_output=True)
+        assert process.returncode == 0
+        tgroup_id, tgroup_href = process.stdout.decode().strip().split()
+
+        dispatch_task(task_name, *args, task_group_id=tgroup_id, **kwargs)
+        return tgroup_href
+
+    return _dispatch_task_group
+
+
 # GPG related fixtures
 
 

pulpcore/tests/functional/api/test_tasking.py

@@ -367,3 +367,34 @@ def test_emmiting_unblocked_task_telemetry(
         pulpcore_bindings.TasksApi.tasks_cancel(task_href, {"state": "canceled"})
         for task_href in resident_task_hrefs
     ]
+
+
+@pytest.fixture
+def task_group(dispatch_task_group, monitor_task_group):
+    """Fixture containing a finished Task Group."""
+    kwargs = {"inbetween": 0, "intervals": [0]}
+    tgroup_href = dispatch_task_group("pulpcore.app.tasks.test.dummy_group_task", kwargs=kwargs)
+    return monitor_task_group(tgroup_href)
+
+
+@pytest.mark.parallel
+def test_scope_task_groups(pulpcore_bindings, task_group, gen_user):
+    """Test that task groups can be queryset scoped by permission on Tasks."""
+    for task in task_group.tasks:
+        if task.name == "pulpcore.app.tasks.test.dummy_group_task":
+            break
+
+    response = pulpcore_bindings.TaskGroupsApi.list()
+    assert response.count > 0
+
+    with gen_user():
+        response = pulpcore_bindings.TaskGroupsApi.list()
+        assert response.count == 0
+
+    with gen_user(model_roles=["core.task_viewer"]):
+        response = pulpcore_bindings.TaskGroupsApi.list()
+        assert response.count > 0
+
+    with gen_user(object_roles=[("core.task_owner", task.pulp_href)]):
+        response = pulpcore_bindings.TaskGroupsApi.list()
+        assert response.count == 1