Merge pull request #15088 from lpichler/fix_tag_filtering_for_indirec…

…t_rbac Fix tag filtering for indirect RBAC (cherry picked from commit 2facb0b) https://bugzilla.redhat.com/show_bug.cgi?id=1451395
ManageIQ · May 16, 2017 · 378e4a3 · 378e4a3
1 parent 2d84cdb
commit 378e4a3
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 3 deletions.
diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
@@ -354,7 +354,8 @@ def calc_filtered_ids(scope, user_filters, user, miq_group, scope_tenant_filter)
     end
     #
     # Algorithm: filter = u_filtered_ids UNION (b_filtered_ids INTERSECTION m_filtered_ids)
-    #            filter = (filter UNION d_filtered_ids if filter is not nil) UNION tenant_filter_ids
+    #            filter = (filter UNION d_filtered_ids if filter is not nil)
+    #            filter = filter INTERSECTION tenant_filter_ids if tenant_filter_ids is not nil
     # a nil as input for any field means it does not apply
     # a nil as output means there is not filter
     #
@@ -386,10 +387,12 @@ def combine_filtered_ids(u_filtered_ids, b_filtered_ids, m_filtered_ids, d_filte
         filtered_ids.uniq!
       end
 
-      if filtered_ids.kind_of?(Array)
-        filtered_ids | tenant_filter_ids.to_a
+      if filtered_ids.kind_of?(Array) && tenant_filter_ids
+        filtered_ids & tenant_filter_ids.to_a
       elsif filtered_ids.nil? && tenant_filter_ids.kind_of?(Array) && tenant_filter_ids.present?
         tenant_filter_ids
+      else
+        filtered_ids
       end
     end
 

diff --git a/spec/lib/rbac/filterer_spec.rb b/spec/lib/rbac/filterer_spec.rb
@@ -217,6 +217,37 @@
             results = described_class.search(:class => VmPerformance, :user => admin_user).first
             expect(results).to match_array [vm_performance_other_tenant, vm_performance_root_tenant]
           end
+
+          context 'with tags' do
+            let(:role)         { FactoryGirl.create(:miq_user_role) }
+            let(:tagged_group) { FactoryGirl.create(:miq_group, :tenant => Tenant.root_tenant, :miq_user_role => role) }
+            let(:user)         { FactoryGirl.create(:user, :miq_groups => [tagged_group]) }
+
+            before do
+              tagged_group.entitlement = Entitlement.new
+              tagged_group.entitlement.set_belongsto_filters([])
+              tagged_group.entitlement.set_managed_filters([["/managed/environment/prod"]])
+              tagged_group.save!
+            end
+
+            it 'lists only VmPerformances with tagged resources without any tenant restriction' do
+              root_tenant_vm.tag_with('/managed/environment/prod', :ns => '*')
+
+              results = described_class.search(:class => VmPerformance, :user => user).first
+              expect(results).to match_array [vm_performance_root_tenant]
+            end
+
+            it 'lists only VmPerformances with tagged resources with any tenant restriction' do
+              root_tenant_vm.tag_with('/managed/environment/prod', :ns => '*')
+              other_vm.tag_with('/managed/environment/prod', :ns => '*')
+
+              results = described_class.search(:class => VmPerformance, :user => other_user).first
+              expect(results).to match_array [vm_performance_other_tenant]
+
+              vm_or_template_records = described_class.search(:class => VmOrTemplate, :user => other_user).first
+              expect(results.map(&:resource_id)).to match_array vm_or_template_records.map(&:id)
+            end
+          end
         end
 
         context "searching MiqTemplate" do