Merge pull request #13827 from abellotti/api_multiple_identifiers

Allows specification for optional multiple identifiers

app/controllers/api/base_controller/renderer.rb

@@ -387,7 +387,7 @@ def fetch_typed_subcollection_actions(method, is_subcollection)
 
       def api_user_role_allows?(action_identifier)
         return true unless action_identifier
-        User.current_user.role_allows?(:identifier => action_identifier)
+        Array(action_identifier).any? { |identifier| User.current_user.role_allows?(:identifier => identifier) }
       end
 
       def render_actions(resource)

spec/requests/api/authentication_spec.rb

@@ -292,4 +292,50 @@ def systoken(server_guid, userid, timestamp)
       expect_result_to_have_keys(ENTRYPOINT_KEYS)
     end
   end
+
+  context "Role Based Authorization" do
+    before do
+      FactoryGirl.create(:vm_vmware, :name => "vm1")
+    end
+
+    context "actions with single role identifier" do
+      it "are rejected when user is not authorized with the single role identifier" do
+        stub_api_action_role(:vms, :collection_actions, :get, :read, "vm_view_role1")
+        api_basic_authorize
+
+        run_get vms_url
+
+        expect(response).to have_http_status(:forbidden)
+      end
+
+      it "are accepted when user is authorized with the single role identifier" do
+        stub_api_action_role(:vms, :collection_actions, :get, :read, "vm_view_role1")
+        api_basic_authorize "vm_view_role1"
+
+        run_get vms_url
+
+        expect_query_result(:vms, 1, 1)
+      end
+    end
+
+    context "actions with multiple role identifiers" do
+      it "are rejected when user is not authorized with any of the role identifiers" do
+        stub_api_action_role(:vms, :collection_actions, :get, :read, %w(vm_view_role1 vm_view_role2))
+        api_basic_authorize
+
+        run_get vms_url
+
+        expect(response).to have_http_status(:forbidden)
+      end
+
+      it "are accepted when user is authorized with at least one of the role identifiers" do
+        stub_api_action_role(:vms, :collection_actions, :get, :read, %w(vm_view_role1 vm_view_role2))
+        api_basic_authorize "vm_view_role2"
+
+        run_get vms_url
+
+        expect_query_result(:vms, 1, 1)
+      end
+    end
+  end
 end

spec/support/api_helper.rb

@@ -93,7 +93,7 @@ def basic_authorize(user, password)
 
       def update_user_role(role, *identifiers)
         return if identifiers.blank?
-        product_features = identifiers.collect do |identifier|
+        product_features = identifiers.flatten.collect do |identifier|
           MiqProductFeature.find_or_create_by(:identifier => identifier)
         end
         role.update_attributes!(:miq_product_features => product_features)
@@ -103,6 +103,14 @@ def miq_server_guid
         @miq_server_guid ||= MiqUUID.new_guid
       end
 
+      def stub_api_action_role(collection, action_type, method, action, identifier)
+        new_action_role = Config::Options.new.merge!("name" => action.to_s, "identifier" => identifier)
+        updated_method = Api::ApiConfig.collections[collection][action_type][method].collect do |method_action|
+          method_action.name == action.to_s ? new_action_role : method_action
+        end
+        allow(Api::ApiConfig.collections[collection][action_type]).to receive(method) { updated_method }
+      end
+
       def action_identifier(type, action, selection = :resource_actions, method = :post)
         Api::ApiConfig.collections[type][selection][method]
           .detect { |spec| spec[:name] == action.to_s }[:identifier]