ManageIQ · simaishi · Apr 3, 2017 · Mar 31, 2017 · Mar 31, 2017 · Mar 31, 2017
diff --git a/app/models/cloud_tenant.rb b/app/models/cloud_tenant.rb
@@ -33,6 +33,28 @@ class CloudTenant < ApplicationRecord
 
   virtual_total :total_vms, :vms
 
+  def self.scope_by_cloud_tenant?
+    true
+  end
+
+  def self.accessible_tenant_ids(user_or_group, strategy)
+    tenant = user_or_group.try(:current_tenant)
+    return [] if tenant.nil? || tenant.root?
+
+    tenant.accessible_tenant_ids(strategy)
+  end
+
+  def self.tenant_id_clause(user_or_group)
+    tenant_ids = accessible_tenant_ids(user_or_group, Rbac.accessible_tenant_ids_strategy(self))
+    return if tenant_ids.empty?
+
+    ["(tenants.id IN (?) AND ext_management_systems.tenant_mapping_enabled IS TRUE) OR ext_management_systems.tenant_mapping_enabled IS FALSE OR ext_management_systems.tenant_mapping_enabled IS NULL", tenant_ids]
+  end
+
+  def self.tenant_joins_clause(scope)
+    scope.eager_load(:source_tenant).includes(:ext_management_system)
+  end
+
   def self.class_by_ems(ext_management_system)
     ext_management_system && ext_management_system.class::CloudTenant
   end

diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
@@ -430,6 +430,13 @@ def scope_to_tenant(scope, user, miq_group)
       tenant_id_clause ? scope.where(tenant_id_clause) : scope
     end
 
+    def scope_to_cloud_tenant(scope, user, miq_group)
+      klass = scope.respond_to?(:klass) ? scope.klass : scope
+      user_or_group = user || miq_group
+      tenant_id_clause = klass.tenant_id_clause(user_or_group)
+      klass.tenant_joins_clause(scope).where(tenant_id_clause)
+    end
+
     ##
     # Main scoping method
     #
@@ -439,6 +446,8 @@ def scope_targets(klass, scope, rbac_filters, user, miq_group)
       # TENANT_ACCESS_STRATEGY are a consolidated list of them.
       if klass.respond_to?(:scope_by_tenant?) && klass.scope_by_tenant?
         scope = scope_to_tenant(scope, user, miq_group)
+      elsif klass.respond_to?(:scope_by_cloud_tenant?) && klass.scope_by_cloud_tenant?
+        scope = scope_to_cloud_tenant(scope, user, miq_group)
       end
 
       if apply_rbac_directly?(klass)

diff --git a/spec/lib/rbac/filterer_spec.rb b/spec/lib/rbac/filterer_spec.rb
@@ -1344,6 +1344,51 @@ def get_rbac_results_for_and_expect_objects(klass, expected_objects)
     end
   end
 
+  describe "cloud_tenant based search" do
+    let(:ems_openstack)         { FactoryGirl.create(:ems_cloud) }
+
+    let(:project1_tenant)       { FactoryGirl.create(:tenant, :source_type => 'CloudTenant') }
+    let!(:project1_cloud_tenant) { FactoryGirl.create(:cloud_tenant, :source_tenant => project1_tenant, :ext_management_system => ems_openstack) }
+
+    let(:project1_group)        { FactoryGirl.create(:miq_group, :tenant => project1_tenant) }
+    let(:project1_user)         { FactoryGirl.create(:user, :miq_groups => [project1_group]) }
+
+    let(:project2_tenant)       { FactoryGirl.create(:tenant, :source_type => 'CloudTenant') }
+    let!(:project2_cloud_tenant) { FactoryGirl.create(:cloud_tenant, :source_tenant => project2_tenant, :ext_management_system => ems_openstack) }
+    let(:project2_group)        { FactoryGirl.create(:miq_group, :tenant => project2_tenant) }
+    let(:project2_user)         { FactoryGirl.create(:user, :miq_groups => [project2_group]) }
+    let(:ems_other)             { FactoryGirl.create(:ems_cloud, :name => 'ems_other', :tenant_mapping_enabled => false) }
+    let(:tenant_other)          { FactoryGirl.create(:tenant, :source_type => 'CloudTenant') }
+    let!(:cloud_tenant_other) { FactoryGirl.create(:cloud_tenant, :source_tenant => tenant_other, :ext_management_system => ems_other) }
+
+    it "lists its own project's objects and other objects where tenant_mapping is enabled" do
+      ems_openstack.tenant_mapping_enabled = true
+      ems_openstack.save!
+
+      results = described_class.search(:class => CloudTenant, :user => project1_user).first
+      expect(results).to match_array [project1_cloud_tenant, cloud_tenant_other]
+
+      results = described_class.search(:class => CloudTenant, :user => project2_user).first
+      expect(results).to match_array [project2_cloud_tenant, cloud_tenant_other]
+
+      results = described_class.search(:class => CloudTenant, :user => other_user).first
+      expect(results).to match_array [cloud_tenant_other]
+    end
+
+    it "all objects are visible to all users when tenant_mapping is not enabled" do
+      ems_openstack.tenant_mapping_enabled = false
+      ems_openstack.save!
+
+      results = described_class.search(:class => CloudTenant, :user => project1_user).first
+      expect(results).to match_array [project1_cloud_tenant, project2_cloud_tenant, cloud_tenant_other]
+
+      results = described_class.search(:class => CloudTenant, :user => project2_user).first
+      expect(results).to match_array [project1_cloud_tenant, project2_cloud_tenant, cloud_tenant_other]
+
+      results = described_class.search(:class => CloudTenant, :user => other_user).first
+      expect(results).to match_array [project1_cloud_tenant, project2_cloud_tenant, cloud_tenant_other]
+    end
+  end
 
   private