Merge pull request #14095 from lpichler/add_rbac_to_resouces_for_perf…
…omance_reports

Add tenant scoping for resources of performance reports in RBAC
(cherry picked from commit f46d363)

https://bugzilla.redhat.com/show_bug.cgi?id=1431168
gtanzillo authored and simaishi committed Mar 10, 2017
1 parent 33a86fa commit 997b55c
Showing 3 changed files with 38 additions and 9 deletions.
26 changes: 17 additions & 9 deletions lib/rbac/filterer.rb
@@ -332,31 +332,31 @@ def get_self_service_objects(user, miq_group, klass)
klass.user_or_group_owned(user, miq_group).except(:order)
end

def calc_filtered_ids(scope, user_filters, user, miq_group)
def calc_filtered_ids(scope, user_filters, user, miq_group, scope_tenant_filter)
klass = scope.respond_to?(:klass) ? scope.klass : scope
u_filtered_ids = pluck_ids(get_self_service_objects(user, miq_group, klass))
b_filtered_ids = get_belongsto_filter_object_ids(klass, user_filters['belongsto'])
m_filtered_ids = pluck_ids(get_managed_filter_object_ids(scope, user_filters['managed']))
d_filtered_ids = pluck_ids(matches_via_descendants(rbac_class(klass), user_filters['match_via_descendants'],
:user => user, :miq_group => miq_group))

combine_filtered_ids(u_filtered_ids, b_filtered_ids, m_filtered_ids, d_filtered_ids)
combine_filtered_ids(u_filtered_ids, b_filtered_ids, m_filtered_ids, d_filtered_ids, scope_tenant_filter.try(:ids))
end

#
# Algorithm: filter = u_filtered_ids UNION (b_filtered_ids INTERSECTION m_filtered_ids)
# filter = filter UNION d_filtered_ids if filter is not nil
#
# filter = (filter UNION d_filtered_ids if filter is not nil) UNION tenant_filter_ids
# a nil as input for any field means it does not apply
# a nil as output means there is not filter
#
# @param u_filtered_ids [nil|Array<Integer>] self service user owned objects
# @param b_filtered_ids [nil|Array<Integer>] objects that belong to parent
# @param m_filtered_ids [nil|Array<Integer>] managed filter object ids
# @param d_filtered_ids [nil|Array<Integer>] ids from descendants
# @param tenant_filter_ids [nil|Array<Integer>] ids
# @return nil if filters do not aply
# @return [Array<Integer>] target ids for filter
def combine_filtered_ids(u_filtered_ids, b_filtered_ids, m_filtered_ids, d_filtered_ids)

def combine_filtered_ids(u_filtered_ids, b_filtered_ids, m_filtered_ids, d_filtered_ids, tenant_filter_ids)
filtered_ids =
if b_filtered_ids.nil?
m_filtered_ids
@@ -376,7 +376,11 @@ def combine_filtered_ids(u_filtered_ids, b_filtered_ids, m_filtered_ids, d_filte
filtered_ids.uniq!
end

filtered_ids
if filtered_ids.kind_of?(Array)
filtered_ids | tenant_filter_ids.to_a
elsif filtered_ids.nil? && tenant_filter_ids.kind_of?(Array) && tenant_filter_ids.present?
tenant_filter_ids
end
end

# @param parent_class [Class] Class of parent (e.g. Host)
@@ -435,14 +439,18 @@ def scope_targets(klass, scope, rbac_filters, user, miq_group)
end

if apply_rbac_directly?(klass)
filtered_ids = calc_filtered_ids(scope, rbac_filters, user, miq_group)
filtered_ids = calc_filtered_ids(scope, rbac_filters, user, miq_group, nil)
scope_by_ids(scope, filtered_ids)
elsif apply_rbac_through_association?(klass)
# if subclasses of MetricRollup or Metric, use the associated
# model to derive permissions from
associated_class = rbac_class(scope)
filtered_ids = calc_filtered_ids(associated_class, rbac_filters, user, miq_group)

if associated_class.try(:scope_by_tenant?)
scope_tenant_filter = scope_to_tenant(associated_class, user, miq_group)
end

filtered_ids = calc_filtered_ids(associated_class, rbac_filters, user, miq_group, scope_tenant_filter)
scope_by_parent_ids(associated_class, scope, filtered_ids)
elsif klass == User && user.try!(:self_service?)
# Self service users searching for users only see themselves
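Review bot: The new tail of `combine_filtered_ids` fails open when the tenant scope matches nothing: with `filtered_ids` nil and `tenant_filter_ids` equal to `[]`, the `present?` test is false and the method returns nil, which the comment block above it defines as "no filter". If `scope_by_parent_ids` (not shown) leaves the scope unrestricted on nil, a user whose tenant owns no matching resource would see every tenant's performance rows. Dropping the `present?` test, `elsif tenant_filter_ids.kind_of?(Array)`, returns the empty array so that "scoped to nothing" stays distinct from "scoping does not apply". The Array branch also unions the tenant ids into the other filters, so ids from the managed or belongsto filters that lie outside the tenant are kept; it is worth confirming that a union rather than an intersection is intended. Only part of `combine_filtered_ids` and `scope_targets` is visible in these hunks.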
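--- a/spec/factories/vm_performance.rb
+++ b/spec/factories/vm_performance.rb
@@ -0,0 +1,5 @@
+FactoryGirl.define do
+factory :vm_performance do
+timestamp { Time.now.utc }
+end
+end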
16 changes: 16 additions & 0 deletions spec/lib/rbac/filterer_spec.rb
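--- a/spec/lib/rbac/filterer_spec.rb
+++ b/spec/lib/rbac/filterer_spec.rb
@@ -156,6 +156,22 @@
 let(:child_tenant) { FactoryGirl.create(:tenant, :divisible => false, :parent => owner_tenant) }
 let(:child_group) { FactoryGirl.create(:miq_group, :tenant => child_tenant) }
 
+context 'with Vm as resource of VmPerformance model' do
+let!(:root_tenant_vm) { FactoryGirl.create(:vm_vmware, :tenant => Tenant.root_tenant) }
+let!(:vm_performance_root_tenant) { FactoryGirl.create(:vm_performance, :resource => root_tenant_vm) }
+let!(:vm_performance_other_tenant) { FactoryGirl.create(:vm_performance, :resource => other_vm) }
+
+it 'list only other_user\'s VmPerformances' do
+results = described_class.search(:class => VmPerformance, :user => other_user).first
+expect(results).to match_array [vm_performance_other_tenant]
+end
+
+it 'list all VmPerformances' do
+results = described_class.search(:class => VmPerformance, :user => admin_user).first
+expect(results).to match_array [vm_performance_other_tenant, vm_performance_root_tenant]
+end
+end
+
 context "searching MiqTemplate" do
 it "can't see descendant tenant's templates" do
 owned_template.update_attributes!(:tenant_id => child_tenant.id, :miq_group_id => child_group.id)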
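Review bot: Both new examples appear to use tenants that own at least one VM, so the empty-tenant path is untested: when the tenant scope yields no ids and no other filter applies, `combine_filtered_ids` in lib/rbac/filterer.rb returns nil rather than an empty list. A third example in this context, searching `VmPerformance` as a user whose tenant has no VMs and expecting an empty result, would pin the boundary this commit is meant to enforce. The enclosing `describe` and the definitions of `other_user`, `other_vm` and `admin_user` are outside the hunk.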
