From bea02fce40f2b3b90ae4bbab64be9ed7cea3e885 Mon Sep 17 00:00:00 2001
From: Keenan Brock <keenan@thebrocks.net>
Date: Wed, 26 Sep 2018 11:21:32 -0400
Subject: [PATCH] Properly create tenant default group for population

When creating a tenant, if there are already groups in the database,
it would assign a random group.
This would manifest by having a seemingly random group assigned to newly
discovered VMs/Hosts. There can then be privilege issues as the admins
possibly don't have access to the group.

This only happens for customers who had a database before tenancy
was introduced in 2015. It incorrectly assigned during the migration
process in 20151021174140_assign_tenant_default_group

The fix: it will now only assign a tenant group.

https://bugzilla.redhat.com/show_bug.cgi?id=1625788

I'm also adding a migration to automatically fix customer's databases
Since the issue was introduced in a migration in the first place.
---
 app/models/miq_group.rb    |  6 ++++--
 spec/models/tenant_spec.rb | 21 +++++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/app/models/miq_group.rb b/app/models/miq_group.rb
index f978cf6491e..60799a1cbc8 100644
--- a/app/models/miq_group.rb
+++ b/app/models/miq_group.rb
@@ -229,9 +229,11 @@ def self.create_tenant_group(tenant)
 
     create_with(
       :description         => "Tenant #{tenant_full_name} access",
-      :group_type          => TENANT_GROUP,
       :default_tenant_role => MiqUserRole.default_tenant_role
-    ).find_or_create_by!(:tenant_id => tenant.id)
+    ).find_or_create_by!(
+      :group_type => TENANT_GROUP,
+      :tenant_id  => tenant.id,
+    )
   end
 
   def self.sort_by_desc
diff --git a/spec/models/tenant_spec.rb b/spec/models/tenant_spec.rb
index 94874428fad..2a8690cee50 100644
--- a/spec/models/tenant_spec.rb
+++ b/spec/models/tenant_spec.rb
@@ -830,4 +830,25 @@
       expect(sub_tenant.parent_id = tenant.id).to eq(tenant.id)
     end
   end
+
+  describe "#create" do
+    it "properly creates a default group" do
+      # create a tenant, but one that doesn't have a default_miq_group
+      # this is only possibly during an upgrade
+      tenant.save!
+      tenant.default_miq_group.delete
+      # We are using update_attribute to create an invalid tenant.
+      # rubocop:disable Rails/SkipsModelValidations
+      tenant.update_attribute(:default_miq_group_id, nil)
+      # rubocop:enable Rails/SkipsModelValidations
+      # lets make sure the tenant doesn't get assigned this user created group (the bug)
+      false_group = FactoryGirl.create(:miq_group, :tenant_id => tenant.id)
+
+      # 20151021174140_assign_tenant_default_group.rb
+      tenant.send(:create_tenant_group)
+
+      expect(tenant.default_miq_group).not_to eq(false_group)
+      expect(tenant.default_miq_group).to be_tenant_group
+    end
+  end
 end