Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add MiqUserRole to RBAC #13689

Merged
merged 4 commits into from
Feb 1, 2017
Merged

Add MiqUserRole to RBAC #13689

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0428548
Array determines list of disallowed roles for specific role
lpichler Jan 30, 2017
a79cb4a
Where clause for MiqGroup and User without allowed roles
lpichler Jan 30, 2017
2a6e0d6
Add MiqUserRole to RBAC
lpichler Jan 30, 2017
81c67f5
Spec for cases with tenant_administrator
lpichler Jan 30, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion app/models/miq_group.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ class MiqGroup < ApplicationRecord
virtual_column :miq_user_role_name, :type => :string, :uses => :miq_user_role
virtual_column :read_only, :type => :boolean

delegate :self_service?, :limited_self_service?, :to => :miq_user_role, :allow_nil => true
delegate :self_service?, :limited_self_service?, :disallowed_roles, :to => :miq_user_role, :allow_nil => true

validates :description, :presence => true, :unique_within_region => true
validate :validate_default_tenant, :on => :update, :if => :tenant_id_changed?
Expand All @@ -43,6 +43,10 @@ def name
description
end

def self.with_allowed_roles_for(user_or_group)
includes(:miq_user_role).where.not({:miq_user_roles => {:name => user_or_group.disallowed_roles}})
end

def self.next_sequence
maximum(:sequence).to_i + 1
end
Expand Down
8 changes: 8 additions & 0 deletions app/models/miq_user_role.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,14 @@ def limited_self_service?
(settings || {}).fetch_path(:restrictions, :vms) == :user
end

def disallowed_roles
!super_admin_user? && Rbac::Filterer::DISALLOWED_ROLES_FOR_USER_ROLE[name]
end

def self.with_allowed_roles_for(user_or_group)
where.not(:name => user_or_group.disallowed_roles)
end

def self.seed
seed_from_array(YAML.load_file(FIXTURE_YAML))

Expand Down
2 changes: 1 addition & 1 deletion app/models/user.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ class User < ApplicationRecord

delegate :miq_user_role, :current_tenant, :get_filters, :has_filters?, :get_managed_filters, :get_belongsto_filters,
:to => :current_group, :allow_nil => true
delegate :super_admin_user?, :admin_user?, :self_service?, :limited_self_service?,
delegate :super_admin_user?, :admin_user?, :self_service?, :limited_self_service?, :disallowed_roles,
:to => :miq_user_role, :allow_nil => true

validates_presence_of :name, :userid
Expand Down
10 changes: 10 additions & 0 deletions lib/rbac/filterer.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,13 @@ class Filterer
Storage
)

# key: MiqUserRole#name - user's role
# value:
# array - disallowed roles for the user's role
DISALLOWED_ROLES_FOR_USER_ROLE = {
'EvmRole-tenant_administrator' => %w(EvmRole-super_administrator)
}.freeze

# key: descendant::klass
# value:
# if it is a symbol/method_name:
Expand Down Expand Up @@ -441,6 +448,9 @@ def scope_targets(klass, scope, rbac_filters, user, miq_group)
elsif klass == MiqGroup && miq_group.try!(:self_service?)
# Self Service users searching for groups only see their group
scope.where(:id => miq_group.id)
elsif [MiqUserRole, MiqGroup].include?(klass) && (user_or_group = miq_group || user) &&
user_or_group.disallowed_roles
scope.with_allowed_roles_for(user_or_group)
else
scope
end
Expand Down
26 changes: 26 additions & 0 deletions spec/lib/rbac/filterer_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -331,6 +331,32 @@ def get_rbac_results_for_and_expect_objects(klass, expected_objects)
get_rbac_results_for_and_expect_objects(MiqGroup, [user.current_group])
end
end

context 'with EvmRole-tenant_administrator' do
let(:tenant_administrator_user_role) do
FactoryGirl.create(:miq_user_role, :name => MiqUserRole::DEFAULT_TENANT_ROLE_NAME)
end

let!(:super_administrator_user_role) do
FactoryGirl.create(:miq_user_role, :name => MiqUserRole::SUPER_ADMIN_ROLE_NAME)
end

let(:group) do
FactoryGirl.create(:miq_group, :tenant => default_tenant, :miq_user_role => tenant_administrator_user_role)
end

let!(:user) { FactoryGirl.create(:user, :miq_groups => [group]) }

it 'can see all roles expect to EvmRole-super_administrator' do
expect(MiqUserRole.count).to eq(2)
get_rbac_results_for_and_expect_objects(MiqUserRole, [tenant_administrator_user_role])
end

it 'can see all groups expect to group with role EvmRole-super_administrator' do
expect(MiqUserRole.count).to eq(2)
get_rbac_results_for_and_expect_objects(MiqGroup, [group])
end
end
end

context "with Hosts" do
Expand Down