AccessPermissionsTest does not pick up plugin permissions
|Assigned To:||Dominic Cleal|
|Found in release:||Pull request:||https://github.com/theforeman/foreman/pull/3939, https://github.com/theforeman/foreman/pull/3933|
|Velocity based estimate||-|
All of the plugins that use permissions are now failing. AccessPermissionsTest in core attempts to look for a Permission for the plugins' routes but it never succeeds.
During plugin initialization the engine calls 'permission' to register permissions in the db: https://github.com/theforeman/foreman_discovery/blob/develop/lib/foreman_discovery/engine.rb#L49
'permission' in core will not run because there are pending migrations: https://github.com/theforeman/foreman/blob/develop/app/services/foreman/plugin.rb#L219
The test checks in the database for those permissions, so it fails. It used to work before #16557 because the 'test:lib' task ran after 'test:unit', and on the 2nd Rails initialization, there were no 'pending_migrations' so permissions from plugins were added just fine.
A few possible solutions:
- Modify the task in foreman-infra so that it runs 'RAILS_ENV=test rake db:migrate' prior to running tests. Currently Foreman kind of does this in the background via this setting (https://github.com/theforeman/foreman/blob/develop/config/environments/test.rb#L59) but it happens after plugins initialization, so during the 'permission' calls there are still pending migrations.
- Call ActiveRecord::Migration.maintain_test_schema! at some point before plugin initialization
- Modify the code so that permissions can be added even if there are pending_migrations (bad idea as the table may not exist)
- Add plugin permissions via fixtures (we'd have to do this in all plugins now, and adding fixtures in plugins is annoying)
fixes #16821 - store plugin permissions in AccessControl in tests
When initialising a new test database, the "permission" directive in a
plugin registration would skip the Foreman::AccessControl mapping so
later tests using the access control lists would fail (e.g.
AccessPermissionsTest, if a route added by a plugin to the main app
engine used a plugin permission.)
The AccessControl entry is now always created as it's safe to do so even
without a database, but the Permission resource is not created from the
initialiser in the test environment. Instead, permissions, roles and
filters are added to the database via fixtures so plugins can rely on
them for unit or functional tests.
#5 Updated by Dominic Cleal 6 months ago
This is less about permissions in the database, because AccessControl (which is what's being tested in AccessPermissionsTest) doesn't use the Permission objects, it uses an in-memory control list. The AccessControl mapping isn't set up if there are pending migrations, which should only really prevent the Permission record being created.