misc: drop use of custom partial index on Service (#63690)

Many tests had to be modified as many Service where used without an OU
defined.

src/authentic2/a2_rbac/utils.py

@@ -31,6 +31,10 @@ def get_default_ou():
         return None
 
 
+def get_default_ou_pk():
+    return models.OrganizationalUnit.objects.filter(default=True).values_list('pk', flat=True).first()
+
+
 def get_view_user_perm(ou=None):
     User = get_user_model()
     view_user_perm, dummy = models.Permission.objects.get_or_create(

src/authentic2/migrations/0038_make_service_ou_non_null.py

@@ -0,0 +1,31 @@
+# Generated by Django 2.2.27 on 2022-04-07 15:05
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+import authentic2.a2_rbac.utils
+from authentic2.migrations import DropPartialIndexes
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('authentic2', '0037_auto_20220331_1513'),
+    ]
+
+    operations = [
+        DropPartialIndexes(
+            'Service', 'authentic2_service', 'authentic2_service_uniq_idx', ('ou_id',), ('slug',)
+        ),
+        migrations.AlterField(
+            model_name='service',
+            name='ou',
+            field=models.ForeignKey(
+                default=authentic2.a2_rbac.utils.get_default_ou_pk,
+                on_delete=django.db.models.deletion.CASCADE,
+                to=settings.RBAC_OU_MODEL,
+                verbose_name='organizational unit',
+            ),
+        ),
+    ]

src/authentic2/migrations/__init__.py

@@ -82,8 +82,24 @@ class CreatePartialIndexes(Operation):
     def database_backwards(self, app_label, schema_editor, from_state, to_state):
         if not self.allowed(app_label, schema_editor, to_state):
             return
-        for i in range(self.indexes()):
+        for i, _index in enumerate(self.indexes()):
             schema_editor.execute('DROP INDEX IF EXISTS "%s_%s"' % (self.index_name, i))
 
     def describe(self):
         return "Create partial indexes"
+
+
+class DropPartialIndexes(CreatePartialIndexes):
+    reversible = True
+
+    def state_forwards(self, app_label, state):
+        pass
+
+    def database_forwards(self, app_label, schema_editor, from_state, to_state):
+        super().database_backwards(app_label, schema_editor, from_state, to_state)
+
+    def database_backwards(self, app_label, schema_editor, from_state, to_state):
+        super().database_forwards(app_label, schema_editor, from_state, to_state)
+
+    def describe(self):
+        return "Drop partial indexes"

src/authentic2/models.py

@@ -37,6 +37,7 @@ from django.utils.translation import ugettext_lazy as _
 from model_utils.managers import QueryManager
 
 from authentic2.a2_rbac.models import Role
+from authentic2.a2_rbac.utils import get_default_ou_pk
 from authentic2.utils.crypto import base64url_decode, base64url_encode
 from authentic2.validators import HexaColourValidator
 
@@ -367,10 +368,9 @@ class Service(models.Model):
     ou = models.ForeignKey(
         verbose_name=_('organizational unit'),
         to='a2_rbac.OrganizationalUnit',
-        null=True,
-        blank=True,
         swappable=False,
         on_delete=models.CASCADE,
+        default=get_default_ou_pk,
     )
     authorized_roles = models.ManyToManyField(
         'a2_rbac.Role',

tests/idp_oidc/test_misc.py

@@ -1648,9 +1648,6 @@ def test_oidc_client_clean():
             identifier_policy=OIDCClient.POLICY_PAIRWISE,
         ).clean()
 
-    with pytest.raises(ValidationError, match=r'within an OU'):
-        OIDCClient(authorization_mode=OIDCClient.AUTHORIZATION_MODE_BY_OU, ou=None).clean()
-
     OIDCClient(
         redirect_uris='https://example.com/ https://example2.com/',
         sector_identifier_uri='https://example.com/',

tests/idp_oidc/test_utils.py

@@ -24,8 +24,9 @@ from authentic2_idp_oidc.utils import make_pairwise_reversible_sub, make_pairwis
 @pytest.mark.parametrize(
     'client',
     [
-        OIDCClient(redirect_uris='https://example.com/'),
+        OIDCClient(ou=None, redirect_uris='https://example.com/'),
         OIDCClient(
+            ou=None,
             redirect_uris='https://other.example.com/ https://other2.example.com/',
             sector_identifier_uri='https://example.com/',
         ),

tests/test_a2_rbac.py

@@ -137,7 +137,7 @@ def test_role_natural_key(db):
         assert Role.objects.get_by_natural_key(*r.natural_key()) == r
     assert r1.natural_key() == ['r1', None, None]
     assert r2.natural_key() == ['r2', ['ou1'], None]
-    assert r3.natural_key() == ['r3', None, [None, 's1']]
+    assert r3.natural_key() == ['r3', ['default'], [['default'], 's1']]
     assert r4.natural_key() == ['r4', ['ou1'], [['ou1'], 's2']]
     ou.delete()
     with pytest.raises(Role.DoesNotExist):
@@ -169,7 +169,11 @@ def test_role_with_service_export_json(db):
     service = Service.objects.create(name='service name', slug='service-name')
     role = Role.objects.create(name='some role', service=service)
     role_dict = role.export_json()
-    assert role_dict['service'] == {'slug': service.slug, 'ou': None}
+    default_ou = get_default_ou()
+    assert role_dict['service'] == {
+        'slug': service.slug,
+        'ou': {'name': 'Default organizational unit', 'slug': 'default', 'uuid': default_ou.uuid},
+    }
 
 
 def test_role_with_service_with_ou_export_json(db):

tests/test_idp_saml2.py

@@ -641,7 +641,7 @@ def add_attributes(rf):
             request = rf.get('/')
             request.user = None
             assertion = lasso.Saml2Assertion()
-            provider = Service()
+            provider = Service(ou=None)
 
             def func():
                 saml2_endpoints.add_attributes(