Merge pull request #536 from lpichler/authorise_manage_tenant_quotas_…

…as_tenant_product_feature_api Authorise action managing tenant quotas for according tenants in API
ManageIQ · Jan 7, 2019 · fadf393 · fadf393
2 parents 5301b29 + a485c9a
commit fadf393
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 0 deletions.
diff --git a/app/controllers/api/base_controller/renderer.rb b/app/controllers/api/base_controller/renderer.rb
@@ -500,8 +500,15 @@ def fetch_typed_subcollection_actions(method, is_subcollection)
         collection_config.typed_subcollection_action(@req.collection, @req.subcollection, method)
       end
 
+      def custom_api_user_role_allows_method?(_action_identifier)
+        false
+      end
+
       def api_user_role_allows?(action_identifier)
         return true unless action_identifier
+
+        return custom_api_user_role_allows?(action_identifier) if custom_api_user_role_allows_method?(action_identifier)
+
         Array(action_identifier).any? { |identifier| User.current_user.role_allows?(:identifier => identifier) }
       end
 

diff --git a/app/controllers/api/subcollections/quotas.rb b/app/controllers/api/subcollections/quotas.rb
@@ -3,6 +3,15 @@ module Subcollections
     module Quotas
       INVALID_QUOTA_ATTRS = %w(id href tenant_id unit).freeze
 
+      def custom_api_user_role_allows_method?(identifier)
+        MiqProductFeature.my_root_tenant_identifier?(identifier)
+      end
+
+      def custom_api_user_role_allows?(identifier)
+        tenant_identifier = MiqProductFeature.tenant_identifier(identifier, @req.collection_id)
+        User.current_user.role_allows?(:identifier => tenant_identifier)
+      end
+
       def quotas_create_resource(object, type, _id, data)
         bad_attrs = data.keys & INVALID_QUOTA_ATTRS
         errmsg = "Attributes %s should not be specified for creating a new tenant quota resource"

diff --git a/spec/requests/tenant_quotas_spec.rb b/spec/requests/tenant_quotas_spec.rb
@@ -40,6 +40,49 @@
       expect(response).to have_http_status(:ok)
     end
 
+    context 'with dynamic tenant features' do
+      let!(:tenant_alpha) { FactoryBot.create(:tenant, :parent => Tenant.root_tenant) }
+      let!(:tenant_omega) { FactoryBot.create(:tenant, :parent => tenant_alpha) }
+
+      let(:feature) { MiqProductFeature.find_all_by_identifier(["rbac_tenant_manage_quotas_tenant_#{tenant_omega.id}"]) }
+      let(:role_with_access_to_omega_rbac_tenant_manage_quota_permission) { FactoryGirl.create(:miq_user_role, :miq_product_features => feature) }
+
+      let(:group_alpha) { FactoryBot.create(:miq_group, :tenant => tenant_alpha, :miq_user_role => role_with_access_to_omega_rbac_tenant_manage_quota_permission) }
+      let(:user_alpha)  { FactoryBot.create(:user, :miq_groups => [group_alpha]) }
+
+      before do
+        Tenant.seed
+        @user.update(:miq_groups => [group_alpha])
+        @role = role_with_access_to_omega_rbac_tenant_manage_quota_permission
+      end
+
+      it "cannot create a quota for alpha tenant without tenant product permission for alpha tenant" do
+        api_basic_authorize ["rbac_tenant_manage_quotas_tenant_#{tenant_omega.id}"]
+
+        expect do
+          post "/api/tenants/#{tenant_alpha.id}/quotas/", :params => { :name => :cpu_allocated, :value => 1 }
+        end.not_to change(TenantQuota, :count)
+
+        expect(response).to have_http_status(:forbidden)
+      end
+
+      it "can create a quota from a tenant omega with tenant product permission for omega" do
+        api_basic_authorize ["rbac_tenant_manage_quotas_tenant_#{tenant_omega.id}"]
+
+        expected = {
+          'results' => [
+            a_hash_including('href' => a_string_including(api_tenant_quotas_url(nil, tenant_omega)))
+          ]
+        }
+
+        expect do
+          post "/api/tenants/#{tenant_omega.id}/quotas/", :params => { :name => :cpu_allocated, :value => 1 }
+        end.to change(TenantQuota, :count).by(1)
+        expect(response.parsed_body).to include(expected)
+        expect(response).to have_http_status(:ok)
+      end
+    end
+
     it "can create a quota from a tenant" do
       api_basic_authorize action_identifier(:quotas, :create, :subcollection_actions, :post)
 

diff --git a/spec/requests/tenants_spec.rb b/spec/requests/tenants_spec.rb
@@ -1,6 +1,16 @@
 RSpec.describe "tenants API" do
   let!(:root_tenant) { Tenant.seed }
 
+  describe "custom_api_user_role_allows_method?" do
+    it "validates role in basic way for requests about some action of tenants" do
+      expect(Api::TenantsController.new.custom_api_user_role_allows_method?('rbac_tenant_add')).to be_falsey
+    end
+
+    it "validates role in custom way for requests about managing tenant quotas" do
+      expect(Api::TenantsController.new.custom_api_user_role_allows_method?('rbac_tenant_manage_quotas')).to be_truthy
+    end
+  end
+
   it "can list all the tenants" do
     api_basic_authorize action_identifier(:tenants, :read, :collection_actions, :get)
     tenant_1 = FactoryBot.create(:tenant, :parent => root_tenant)