Project

General

Profile

Download (10 KB)

Bug #2863 » hosts_escalation.patch

Marek Hulán, 08/02/2013 05:01 AM

View differences:

app/controllers/api/base_controller.rb
@resource_class ||= resource_name.camelize.constantize
end
def resource_scope
@resource_scope ||= resource_class.scoped
end
protected
def process_resource_error(options = { })
......
resource = resource_identifying_attributes.find do |key|
next if key=='id' and params[:id].to_i == 0
method = "find_by_#{key}"
resource_class.respond_to?(method) and
(resource = resource_class.send method, params[:id]) and
resource_scope.respond_to?(method) and
(resource = resource_scope.send method, params[:id]) and
break resource
end
app/controllers/api/v1/compute_resources_controller.rb
process_response @compute_resource.destroy
end
def resource_scope
resource_class.my_compute_resources
end
end
end
end
app/controllers/api/v1/hosts_controller.rb
render :json => { :status => @host.host_status }.to_json if @host
end
# we need to limit resources for a current user
def resource_scope
resource_class.my_hosts
end
private
# this is required for template generation (such as pxelinux) which is not done via a web request
def forward_request_url
@host.request_url = request.host_with_port if @host.respond_to?(:request_url)
end
end
end
end
test/fixtures/compute_resources.yml
password: MyString
uuid: yourcompute
type: Foreman::Model::Libvirt
users: restricted
test/fixtures/hosts.yml
managed: true
compute_resource: one
hostgroup: db
owned_by_restricted:
type: Host::Managed
name: owned_by_restricted.mydomain.net
ip: "2.3.4.155"
mac: deadbeeffeed
environment: production
architecture: x86_64
operatingsystem: redhat
ptable: one
subnet: one
domain: mydomain
puppet_proxy: puppetmaster
managed: true
compute_resource: one
location: location1
organization: organization1
owner: restricted
owner_type: User
test/fixtures/roles.yml
permissions: |
---
manage_compute_resources:
name: View compute resources
id: "11"
builtin: "0"
permissions: |
---
- :view_compute_resources
- :create_compute_resources
- :edit_compute_resources
- :destroy_compute_resources
manage_hosts:
name: CRUD hosts
id: "12"
builtin: "0"
permissions: |
---
- :create_hosts
- :edit_hosts
- :destroy_hosts
- :view_hosts
test/fixtures/user_roles.yml
user_restricted_viewer_role:
user: restricted
role_id: 5
user_restricted_anonymous_role:
user: restricted
role_id: 7
user_restricted_manage_hosts_role:
user: restricted
role_id: 12
user_restricted_manage_compute_resources:
user: restricted
role_id: 11
test/fixtures/users.yml
last_login_on: 2009-10-12 21:50:04
auth_source: one
restricted:
login: restricted
firstname: Restricted
lastname: User
mail: userrestricted@someware.com
admin: false
last_login_on: 2009-10-12 21:50:04
auth_source: one
filter_on_owner: true
admin:
login: admin
firstname: Admin
......
last_login_on: 2009-10-12 21:50:04
auth_source: internal
password_hash: 02d7ff9921071af778ff4f8608579dcd6d80dfba
password_salt: 80a167f1effbd82c2485ed81c3cfd68b11bc40dc
password_salt: 80a167f1effbd82c2485ed81c3cfd68b11bc40dc
test/functional/api/v1/compute_resources_controller_test.rb
assert_response :success
end
test "should get index of owned" do
as_user(:restricted) do
get :index, {}
end
assert_response :success
assert_not_nil assigns(:compute_resources)
compute_resources = ActiveSupport::JSON.decode(@response.body)
ids = compute_resources.map { |hash| hash['compute_resource']['id'] }
assert !ids.include?(compute_resources(:mycompute).id)
assert ids.include?(compute_resources(:yourcompute).id)
end
test "should allow access to a compute resource for owner" do
as_user(:restricted) do
get :show, { :id => compute_resources(:yourcompute).to_param }
end
assert_response :success
end
test "should update compute resource for owner" do
as_user(:restricted) do
put :update, { :id => compute_resources(:yourcompute).to_param, :compute_resource => { :description => "new_description" } }
end
assert_equal "new_description", ComputeResource.find_by_name('yourcompute').description
assert_response :success
end
test "should destroy compute resource for owner" do
assert_difference('ComputeResource.count', -1) do
as_user(:restricted) do
delete :destroy, { :id => compute_resources(:yourcompute).id }
end
end
assert_response :success
end
test "should not allow access to a compute resource out of users compute resources scope" do
as_user(:restricted) do
get :show, { :id => compute_resources(:one).to_param }
end
assert_response :not_found
end
test "should not update compute resource for restricted" do
as_user(:restricted) do
put :update, { :id => compute_resources(:mycompute).to_param, :compute_resource => { :description => "new_description" } }
end
assert_response :not_found
end
test "should not destroy compute resource for restricted" do
as_user(:restricted) do
delete :destroy, { :id => compute_resources(:mycompute).id }
end
assert_response :not_found
end
end
test/functional/api/v1/hosts_controller_test.rb
assert_response :success
end
test "should be able to create hosts even when restricted" do
disable_orchestration
assert_difference('Host.count') do
post :create, { :host => valid_attrs }
end
assert_response :success
end
test "should allow access to restricted user who owns the host" do
as_user :restricted do
get :show, { :id => hosts(:owned_by_restricted).to_param }
end
assert_response :success
end
test "should allow to update for restricted user who owns the host" do
disable_orchestration
as_user :restricted do
put :update, { :id => hosts(:owned_by_restricted).to_param, :host => {} }
end
assert_response :success
end
test "should allow destroy for restricted user who owns the hosts" do
assert_difference('Host.count', -1) do
as_user :restricted do
delete :destroy, { :id => hosts(:owned_by_restricted).to_param }
end
end
assert_response :success
end
test "should allow show status for restricted user who owns the hosts" do
as_user :restricted do
get :status, { :id => hosts(:owned_by_restricted).to_param }
end
assert_response :success
end
test "should not allow access to a host out of users hosts scope" do
as_user :restricted do
get :show, { :id => hosts(:one).to_param }
end
assert_response :not_found
end
test "should not list a host out of users hosts scope" do
as_user :restricted do
get :index, {}
end
assert_response :success
hosts = ActiveSupport::JSON.decode(@response.body)
ids = hosts.map { |hash| hash['host']['id'] }
assert !ids.include?(hosts(:one).id)
assert ids.include?(hosts(:owned_by_restricted).id)
end
test "should not update host out of users hosts scope" do
as_user :restricted do
put :update, { :id => hosts(:one).to_param }
end
assert_response :not_found
end
test "should not delete hosts out of users hosts scope" do
as_user :restricted do
delete :destroy, { :id => hosts(:one).to_param }
end
assert_response :not_found
end
test "should not show status of hosts out of users hosts scope" do
as_user :restricted do
get :status, { :id => hosts(:one).to_param }
end
assert_response :not_found
end
end
(4-4/7)