Merge pull request #13689 from lpichler/add_miq_user_role_to_rbac
Add MiqUserRole to RBAC
martinpovolny authored Feb 1, 2017
2 parents 6d1bdbc + 81c67f5 commit f9d354d
Showing 5 changed files with 50 additions and 2 deletions.
6 changes: 5 additions & 1 deletion app/models/miq_group.rb
Expand Up @@ -17,7 +17,7 @@ class MiqGroup < ApplicationRecord
virtual_column :miq_user_role_name, :type => :string, :uses => :miq_user_role
virtual_column :read_only, :type => :boolean

delegate :self_service?, :limited_self_service?, :to => :miq_user_role, :allow_nil => true
delegate :self_service?, :limited_self_service?, :disallowed_roles, :to => :miq_user_role, :allow_nil => true

validates :description, :presence => true, :unique_within_region => true
validate :validate_default_tenant, :on => :update, :if => :tenant_id_changed?
Expand All @@ -43,6 +43,10 @@ def name
description
end

def self.with_allowed_roles_for(user_or_group)
includes(:miq_user_role).where.not({:miq_user_roles => {:name => user_or_group.disallowed_roles}})
end

def self.next_sequence
maximum(:sequence).to_i + 1
end
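Review bot: `with_allowed_roles_for` on lines 30-32 feeds `user_or_group.disallowed_roles` straight into `where.not`, and `disallowed_roles` (added to miq_user_role.rb in this same commit) can return `false` or `nil` as well as an array; the filterer happens to guard the call with a truthiness check, but the scope is public and a nil argument becomes `miq_user_roles.name IS NOT NULL`, which changes meaning rather than being a no-op. A guard makes the scope safe on its own: `roles = user_or_group.disallowed_roles` / `return all unless roles`, then use `roles` in the `where.not`. The `MiqUserRole.with_allowed_roles_for` added on lines 48-50 of miq_user_role.rb has the same unguarded shape and would take the same two lines. Separately, if `includes(:miq_user_role)` is resolved as an eager load (LEFT OUTER JOIN) because the condition references that table, groups whose role is nil produce a NULL `name` and are dropped by the `NOT IN` — presumably unintended, worth confirming against how groups without a role are expected to behave.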
8 changes: 8 additions & 0 deletions app/models/miq_user_role.rb
Expand Up @@ -66,6 +66,14 @@ def limited_self_service?
(settings || {}).fetch_path(:restrictions, :vms) == :user
end

def disallowed_roles
!super_admin_user? && Rbac::Filterer::DISALLOWED_ROLES_FOR_USER_ROLE[name]
end

def self.with_allowed_roles_for(user_or_group)
where.not(:name => user_or_group.disallowed_roles)
end

def self.seed
seed_from_array(YAML.load_file(FIXTURE_YAML))

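Review bot: `disallowed_roles` on line 45 returns three different shapes — `false` for a super administrator, `nil` for a role with no entry in the table, and an array otherwise — so the name reads like a predicate while callers are handed a collection. `return if super_admin_user?` on its own line followed by `Rbac::Filterer::DISALLOWED_ROLES_FOR_USER_ROLE[name]` narrows it to nil-or-array and still satisfies the truthiness check in `scope_targets`. The method also makes the model read a constant out of `lib/rbac/filterer.rb`, reversing the direction in which this commit otherwise has the lib depend on the models; if that is deliberate, a one-line comment above the method saying the deny table is kept with the RBAC policy would spare the next reader the question.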
2 changes: 1 addition & 1 deletion app/models/user.rb
Expand Up @@ -31,7 +31,7 @@ class User < ApplicationRecord

delegate :miq_user_role, :current_tenant, :get_filters, :has_filters?, :get_managed_filters, :get_belongsto_filters,
:to => :current_group, :allow_nil => true
delegate :super_admin_user?, :admin_user?, :self_service?, :limited_self_service?,
delegate :super_admin_user?, :admin_user?, :self_service?, :limited_self_service?, :disallowed_roles,
:to => :miq_user_role, :allow_nil => true

validates_presence_of :name, :userid
10 changes: 10 additions & 0 deletions lib/rbac/filterer.rb
Expand Up @@ -57,6 +57,13 @@ class Filterer
Storage
)

# key: MiqUserRole#name - user's role
# value:
# array - disallowed roles for the user's role
DISALLOWED_ROLES_FOR_USER_ROLE = {
'EvmRole-tenant_administrator' => %w(EvmRole-super_administrator)
}.freeze

# key: descendant::klass
# value:
# if it is a symbol/method_name:
Expand Down Expand Up @@ -447,6 +454,9 @@ def scope_targets(klass, scope, rbac_filters, user, miq_group)
elsif klass == MiqGroup && miq_group.try!(:self_service?)
# Self Service users searching for groups only see their group
scope.where(:id => miq_group.id)
elsif [MiqUserRole, MiqGroup].include?(klass) && (user_or_group = miq_group || user) &&
user_or_group.disallowed_roles
scope.with_allowed_roles_for(user_or_group)
else
scope
end
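Review bot: `DISALLOWED_ROLES_FOR_USER_ROLE` on lines 77-79 is keyed on literal role names, while the spec in this commit builds the same roles from `MiqUserRole::DEFAULT_TENANT_ROLE_NAME` and `MiqUserRole::SUPER_ADMIN_ROLE_NAME`; if either constant ever diverges from the literal, the restriction silently stops applying (the scope falls through to `else scope`, i.e. fails open), so reference the constants here: `MiqUserRole::DEFAULT_TENANT_ROLE_NAME => [MiqUserRole::SUPER_ADMIN_ROLE_NAME]`. Because the lookup is by exact name, a role carrying any other name is not restricted regardless of its permissions; the comment on lines 74-76 should state that the table is keyed on the exact `MiqUserRole#name` so that limit is explicit. On lines 88-89 the assignment `(user_or_group = miq_group || user)` inside the `elsif` condition is easy to misread as a comparison; hoisting `user_or_group = miq_group || user` above the chain would make the branch plainer, though that means touching lines outside this hunk. `scope_targets` begins and ends outside the hunk.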
26 changes: 26 additions & 0 deletions spec/lib/rbac/filterer_spec.rb
Expand Up @@ -331,6 +331,32 @@ def get_rbac_results_for_and_expect_objects(klass, expected_objects)
get_rbac_results_for_and_expect_objects(MiqGroup, [user.current_group])
end
end

context 'with EvmRole-tenant_administrator' do
let(:tenant_administrator_user_role) do
FactoryGirl.create(:miq_user_role, :name => MiqUserRole::DEFAULT_TENANT_ROLE_NAME)
end

let!(:super_administrator_user_role) do
FactoryGirl.create(:miq_user_role, :name => MiqUserRole::SUPER_ADMIN_ROLE_NAME)
end

let(:group) do
FactoryGirl.create(:miq_group, :tenant => default_tenant, :miq_user_role => tenant_administrator_user_role)
end

let!(:user) { FactoryGirl.create(:user, :miq_groups => [group]) }

it 'can see all roles expect to EvmRole-super_administrator' do
expect(MiqUserRole.count).to eq(2)
get_rbac_results_for_and_expect_objects(MiqUserRole, [tenant_administrator_user_role])
end

it 'can see all groups expect to group with role EvmRole-super_administrator' do
expect(MiqUserRole.count).to eq(2)
get_rbac_results_for_and_expect_objects(MiqGroup, [group])
end
end
end

context "with Hosts" do
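Review bot: The example descriptions on lines 117 and 122 read `can see all roles expect to EvmRole-super_administrator`; the intended wording is `can see all roles except EvmRole-super_administrator` and `can see all groups except the group with role EvmRole-super_administrator`. Both examples exercise only the restricted side: nothing in this hunk asserts that a user in a group with `super_administrator_user_role` still sees both roles and both groups, which is the `!super_admin_user?` short-circuit in `MiqUserRole#disallowed_roles` introduced by this commit, so a third example for that user would pin the fail-open half of the rule. `expect(MiqUserRole.count).to eq(2)` on lines 118 and 123 also relies on no other role being created by the outer `let!`/`before` blocks, which start outside the hunk.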

0 comments on commit f9d354d

Please sign in to comment.