[Task]: sync enforcement actions from cinder policies api endpoint

[eviljeff]

Description

When we implemented cinder policies api sync the enforcement action was unavailable via the API response - only the name and uuid was exposed. Because of this we required AMO operations admin to manually set some enforcement actions (default_cinder_action) to make some reviewer tools functionality work. Now this is exposed via their API we can skip this manual setup.

Things to note though:

• there can be multiple enforcement actions
• some reviewer tools functionality may only expect default_cinder_action to be set on certain policies - we will need to check something doesn't break in unexpected ways.

Acceptance Criteria

  ### Milestones/checkpoints
  - [ ] enforcement_action list saved to AMO CinderPolicy model instances
  - [ ] these enforcement actions are used instead of manually defined `default_cinder_action` property

Checks

• If I have identified that the work is specific to a repository, I have removed "repository:addons-server" or "repository:addons-frontend"

┆Issue is synchronized with this Jira Task

[eviljeff]

This could be thought of as part of https://mozilla-hub.atlassian.net/browse/AMOENG-672, or a prerequisite to it.

[eviljeff]

QA: Some of this is foundation for AMOENG-672, but immediately this impacts the reviewer tools (though should not be any functional change).

• check existing (2) Ignore policies, and the Approve policy, have enforcement_actions prefilled with the previous default cinder actions in django admin.
• Then run sync Cinder policies in django admin, and see all* the policies now have enforcement_actions defined. *(not actually all - the parent policies don't have them, for example)
• In reviewer tools, on the review page for an add-on, resolve an abuse report job as Invalid. This should work without form errors.
• Repeat, but resolve an abuse report job as Approve
• In reviewer tools 2nd level approval queue, on a review page, make a 2nd level approval decision to Approve an add-on. Check in Cinder that this override to Approve was recorded as a decision.
  • to set up you will need to make an add-on promoted and make a reject or disable decision on a version of that add-on in the reviewer tools.

[ioanarusiczki]

Tried on dev:

• Approve with Ignore policies already had an enforcement action attached. (enforcement_action has replaced default_cinder_action column)

• after sync many more got this enforcement action. Parent policies didn't but I'm also seeing some other (sub)policies missing it yet I think it should be ok. For example, if I look into this spreadsheet with Cinder policies , "Security" or "Sources" with their sub-policies have a N/A -> I guess this aren't used in Cinder, they're only available in rev tools (and it's confirmed if I check AMO's stage settings for reject/disable reasons).

• I resolved reports with Approve/Ignore from rev tools for a regular addon and I did not have errors, emails were sent to the reporter. There is an api decisions logged in Cinder too.

• I resolved by disabling from Cinder or rejecting from rev tools promoted extensions , then from 2nd level approvals queue I "approved" decisions. Email was sent to reporter, decisions logged in Cinder as "override"

I won't sync for AMO stage - I've agreed with @wagnerand that I won't touch that, so I'll let operations try it.

[wagnerand]

I won't sync for AMO stage - I've agreed with @wagnerand that I won't touch that, so I'll let operations try it.

@ioanarusiczki can you point me to the conversation about this? I do not recall that. Thanks!

[ioanarusiczki]

@wagnerand #15000 (comment)

[wagnerand]

Thank you!

@abhn we probably need to this on stage as well, before it makes its way to prod. Could you do that, in coordination with George?

[eviljeff]

fwiw, there's a migration that should mean there's no immediate requirement to re-sync if the policies were already manually configured correctly.

[abhn]

@wagnerand

To confirm my understanding here: is this just about syncing the rejection reasons from prod and attaching them to the right cinder policies after the re-sync from cinder? As I understand, once this lands and stage is updated, this would be automatic upon the "re-sync from cinder" action. Is that accurate?