[AAP-54064] Decoupling apps from ansible_base.rbac

[AlanCoding]

Description

Re-raising #849

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Test update
• Refactoring (no functional changes)
• Development environment change
• Configuration change

---

Note

Make RBAC optional by adding is_rbac_installed() and guarding RBAC-dependent logic across auth, routers, resource registry, sync, and tests.

• RBAC decoupling:
  • Add lib/utils/apps.py:is_rbac_installed() and replace direct INSTALLED_APPS checks.
  • Convert top-level RBAC imports to lazy/conditional imports across modules.
• Authentication (authentication/utils/claims.py):
  • Use is_rbac_installed() in ReconcileUser; make RoleUserAssignmentsCache RBAC-aware and gate content types/local prefixes.
• Routers (lib/routers/association_resource_router.py):
  • Move RBAC imports inside permission checks; only enforce parent permissions when RBAC registered.
• Resource Registry:
  • registry.py: Dynamically include shared.roledefinition processor only when RBAC installed.
  • rest_client.py: Guard assignment sync/delete methods with RBAC checks, raising RuntimeError if absent.
  • shared_types.py: Lazy RBAC lookups; RoleDefinitionType raises if RBAC missing and sets content_type field conditionally.
  • tasks/sync.py: Gate RBAC-dependent helpers and assignment sync; skip assignment sync when RBAC absent.
• Testing utilities:
  • StaticResourceAPIClient: move mutable router to instance in __init__.
• App wiring (test_app/resource_api.py):
  • Conditionally register RoleDefinition resource only when RBAC installed.
• Tests:
  • Add suites verifying behavior with and without RBAC (test_rbac_conditional.py, test_sync_rbac_errors.py); minor test updates/marks.

^{Written by Cursor Bugbot for commit b6cd309. This will update automatically on new commits. Configure here.}

[AlanCoding]

Other failures were a test bug that is resolved here, next is:

FAILED test_app/tests/resource_registry/test_rbac_conditional.py::TestResourceRegistryWithoutRBAC::test_resource_api_client_rbac_methods_raise_errors - requests.exceptions.ConnectionError: HTTPConnectionPool(host='test', port=80): Max retries exceeded with url: /test/role-types/ (Caused by NameResolutionError("<urllib3.connection.HTTPConnection object at 0x7f3015862410>: Failed to resolve 'test' ([Errno -3] Temporary failure in name resolution)"))
FAILED test_app/tests/resource_registry/test_rbac_conditional.py::TestResourceRegistryWithoutRBAC::test_lenient_permission_slug_list_field_raises_error - AssertionError: Regex pattern did not match.
 Regex: 'requires ansible_base.rbac to be installed'
 Input: 'Database access not allowed, use the "django_db" mark, or the "db" or "transactional_db" fixtures to enable it.'

[github-actions]

DVCS PR Check Results:

PR appears valid (JIRA key(s) found)

[cursor]

Bug: RBAC Dependency Issue in Permission Slug Field

The LenientPermissionSlugListField.to_internal_value method imports DABPermission without checking if ansible_base.rbac is installed. This causes an ImportError when RBAC is unavailable, which is less clear than an explicit RuntimeError. While RoleDefinitionType includes an RBAC check, this field could be used independently and would fail.

 

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
85.4% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud