diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
index 4610f551aa90..7d304f58c007 100644
--- a/lib/rbac/filterer.rb
+++ b/lib/rbac/filterer.rb
@@ -48,6 +48,16 @@ class Filterer
 TAGGABLE_FILTER_CLASSES = CLASSES_THAT_PARTICIPATE_IN_RBAC - %w(EmsFolder) + %w(MiqGroup User)
+ NETWORK_MODELS_FOR_BELONGSTO_FILTER = %w(
+ CloudNetwork
+ CloudSubnet
+ FloatingIp
+ LoadBalancer
+ NetworkPort
+ NetworkRouter
+ SecurityGroup
+ ).freeze
+
 BELONGSTO_FILTER_CLASSES = %w(
 VmOrTemplate
 Host
@@ -56,8 +66,7 @@ class Filterer
 EmsCluster
 ResourcePool
 Storage
- CloudNetwork
- )
+ ) + NETWORK_MODELS_FOR_BELONGSTO_FILTER
 # key: MiqUserRole#name - user's role
 # value:
@@ -588,8 +597,8 @@ def get_belongsto_matches(blist, klass)
 # typically, this is the only one we want:
 vcmeta = vcmeta_list.last
- if [ExtManagementSystem, Host].any? { |x| vcmeta.kind_of?(x) } && klass <= VmOrTemplate ||
- vcmeta.kind_of?(ManageIQ::Providers::NetworkManager) && klass <= CloudNetwork
+ if ([ExtManagementSystem, Host].any? { |x| vcmeta.kind_of?(x) } && klass <= VmOrTemplate) ||
+ (vcmeta.kind_of?(ManageIQ::Providers::NetworkManager) && NETWORK_MODELS_FOR_BELONGSTO_FILTER.any? { |association_class| klass <= association_class.safe_constantize })
 vcmeta.send(association_name).to_a
 else
 vcmeta_list.grep(klass) + vcmeta.descendants.grep(klass)
diff --git a/spec/lib/rbac/filterer_spec.rb b/spec/lib/rbac/filterer_spec.rb
index d91edaa31b49..704ba39fbf4a 100644
--- a/spec/lib/rbac/filterer_spec.rb
+++ b/spec/lib/rbac/filterer_spec.rb
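Review bot: `NETWORK_MODELS_FOR_BELONGSTO_FILTER` is introduced without a comment, although it acts as an access-control list: the `get_belongsto_matches` hunk uses it to decide which classes are resolved through the network manager rather than through `descendants`. I would add above it `# Models scoped through their NetworkManager when a belongsto filter applies; adding a name here changes what filtered users can see.` It also looks as though every entry must correspond to an association on the network manager, because that branch ends in `vcmeta.send(association_name)`. The derivation of `association_name` is outside the diff, so confirm that before writing it into the comment.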
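Review bot: The rebuilt `BELONGSTO_FILTER_CLASSES` is the result of `Array#+`, so it is a fresh unfrozen array even though the list appended to it is frozen. A constant that gates RBAC filtering should not be mutable at runtime; wrap the expression and freeze it, i.e. open with `(%w(` and close with `) + NETWORK_MODELS_FOR_BELONGSTO_FILTER).freeze`. The opening line of this constant sits in the previous hunk, and two entries between the hunks are not shown.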
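Review bot: `safe_constantize` returns nil for a name it cannot resolve, and `klass <= nil` raises TypeError, so the `safe_` variant in the new `any?` block protects nothing. A missing model would surface as an obscure comparison error in the middle of RBAC filtering. Either use `constantize` so the failure names the missing constant, or guard the nil: `NETWORK_MODELS_FOR_BELONGSTO_FILTER.any? { |name| (model = name.safe_constantize) && klass <= model }`. The same branch ends in `vcmeta.send(association_name)`, which now runs for seven models instead of one; `association_name` is computed outside the hunk, so it is worth confirming each resolves to a public association and preferring `public_send`. The enclosing method starts and ends outside the hunk.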
@@ -1026,13 +1026,11 @@ def get_rbac_results_for_and_expect_objects(klass, expected_objects)
 end
 end
- context 'with cloud network and network manager' do
+ context "with cloud network and network manager" do
 let!(:network_manager) { FactoryGirl.create(:ems_openstack).network_manager }
- let!(:cloud_network) { FactoryGirl.create(:cloud_network, :ext_management_system => network_manager) }
 let!(:network_manager_1) { FactoryGirl.create(:ems_openstack).network_manager }
- let!(:cloud_network_1) { FactoryGirl.create(:cloud_network, :ext_management_system => network_manager_1) }
- context 'with belongs_to_filter' do
+ context "with belongs_to_filter" do
 before do
 group.entitlement = Entitlement.new
 group.entitlement.set_managed_filters([])
@@ -1040,86 +1038,100 @@ def get_rbac_results_for_and_expect_objects(klass, expected_objects)
 group.save!
 end
- context 'when records match belognsto filter' do
- it 'lists cloud networks with network manager according to belongsto filter' do
- User.with_user(user) do
- results = described_class.search(:class => CloudNetwork).first
- expect(results).to match_array([cloud_network])
- expect(results.first.ext_management_system).to eq(network_manager)
+ (described_class::NETWORK_MODELS_FOR_BELONGSTO_FILTER + [ManageIQ::Providers::NetworkManager]).each do |network_model|
+ describe ".search" do
+ let!(:network_object) do
+ return network_manager if network_model == ManageIQ::Providers::NetworkManager
+ FactoryGirl.create(network_model.underscore, :ext_management_system => network_manager)
 end
- end
- it 'lists network manager according to belongsto filter' do
- User.with_user(user) do
- results = described_class.search(:class => ManageIQ::Providers::NetworkManager).first
- expect(results).to match_array([network_manager])
+ let!(:network_object_with_different_network_manager) do
+ return network_manager_1 if network_model == ManageIQ::Providers::NetworkManager
+ FactoryGirl.create(network_model.underscore, :ext_management_system => network_manager_1)
+ end
+
+ context "when records match belogns to filter" do
+ it "lists records of #{network_model} manager according to belongsto filter" do
+ User.with_user(user) do
+ results = described_class.search(:class => network_model).first
+ expect(results).to match_array([network_object])
+ expect(results.first.ext_management_system).to eq(network_manager)
+ end
+ end
+ end
+
+ context "when records don't match belogns to filter" do
+ before do
+ group.entitlement = Entitlement.new
+ group.entitlement.set_managed_filters([])
+ group.entitlement.set_belongsto_filters(["/belongsto/ExtManagementSystem|XXXX"])
+ group.save!
+ end
+
+ it "lists no records of #{network_model}" do
+ User.with_user(user) do
+ results = described_class.search(:class => network_model).first
+ expect(results).to be_empty
+ end
+ end
 end
 end
 end
+ end
+
+ context "network manager with/without tagging" do
+ let!(:cloud_network) { FactoryGirl.create(:cloud_network, :ext_management_system => network_manager) }
+ let!(:cloud_network_1) { FactoryGirl.create(:cloud_network, :ext_management_system => network_manager_1) }
- context 'when records don\'t match belognsto filter' do
+ context "network manager is tagged" do
 before do
 group.entitlement = Entitlement.new
- group.entitlement.set_managed_filters([])
- group.entitlement.set_belongsto_filters(["/belongsto/ExtManagementSystem|XXXX"])
+ group.entitlement.set_managed_filters([["/managed/environment/prod"]])
+ group.entitlement.set_belongsto_filters([])
 group.save!
+
+ network_manager.tag_with("/managed/environment/prod", :ns => "*")
 end
- it 'lists no cloud networks' do
+ it "doesn't list cloud networks" do
 User.with_user(user) do
 results = described_class.search(:class => CloudNetwork).first
 expect(results).to be_empty
 end
 end
- it 'lists no network manager' do
+ it "lists only tagged network manager" do
 User.with_user(user) do
 results = described_class.search(:class => ManageIQ::Providers::NetworkManager).first
- expect(results).to be_empty
+ expect(results).to match_array([network_manager])
 end
 end
 end
- context 'network manager is tagged' do
+ context "network manager not is tagged" do
 before do
 group.entitlement = Entitlement.new
- group.entitlement.set_managed_filters([['/managed/environment/prod']])
+ group.entitlement.set_managed_filters([])
 group.entitlement.set_belongsto_filters([])
 group.save!
-
- network_manager.tag_with('/managed/environment/prod', :ns => '*')
 end
- it 'doesn\'t list cloud networks' do
+ it "lists all cloud networks" do
 User.with_user(user) do
 results = described_class.search(:class => CloudNetwork).first
- expect(results).to be_empty
+ expect(results).to match_array(CloudNetwork.all)
+ expect(results.first.ext_management_system).to eq(network_manager)
 end
 end
- it 'lists only tagged network manager' do
+ it "lists all network managers" do
 User.with_user(user) do
 results = described_class.search(:class => ManageIQ::Providers::NetworkManager).first
- expect(results).to match_array([network_manager])
+ expect(results).to match_array(ManageIQ::Providers::NetworkManager.all)
 end
 end
 end
 end
-
- it 'lists all cloud networks' do
- User.with_user(user) do
- results = described_class.search(:class => CloudNetwork).first
- expect(results).to match_array(CloudNetwork.all)
- expect(results.first.ext_management_system).to eq(network_manager)
- end
- end
-
- it 'lists all network managers' do
- User.with_user(user) do
- results = described_class.search(:class => ManageIQ::Providers::NetworkManager).first
- expect(results).to match_array(ManageIQ::Providers::NetworkManager.all)
- end
- end
 end
 context 'with network models' do
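Review bot: The list iterated by the new `.each` mixes String model names with the `ManageIQ::Providers::NetworkManager` class. That is why both `let!` blocks need an early `return`, and why `search(:class => network_model)` is exercised with a String in seven cases and a Class in one. Giving the NetworkManager case its own examples would remove the `return` inside `let!` and make it explicit which input type each example covers. The new descriptions also carry typos: `belogns to filter` appears in both context names, and `network manager not is tagged` should read `network manager is not tagged`. Finally, the tagged and untagged contexts still cover only CloudNetwork and NetworkManager, so the managed-filter behaviour of the other six models added to the belongsto list is not pinned by these examples.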