Project

General

Profile

hosts_escalation.patch

Marek Hulán, 08/02/2013 05:01 AM

View differences:

app/controllers/api/base_controller.rb
35 35
      @resource_class ||= resource_name.camelize.constantize
36 36
    end
37 37

  
38
    def resource_scope
39
      @resource_scope ||= resource_class.scoped
40
    end
41

  
38 42
    protected
39 43

  
40 44
    def process_resource_error(options = { })
......
110 114
      resource = resource_identifying_attributes.find do |key|
111 115
        next if key=='id' and params[:id].to_i == 0
112 116
        method = "find_by_#{key}"
113
        resource_class.respond_to?(method) and
114
          (resource = resource_class.send method, params[:id]) and
117
        resource_scope.respond_to?(method) and
118
          (resource = resource_scope.send method, params[:id]) and
115 119
          break resource
116 120
      end
117 121

  
app/controllers/api/v1/compute_resources_controller.rb
66 66
        process_response @compute_resource.destroy
67 67
      end
68 68

  
69
      def resource_scope
70
        resource_class.my_compute_resources
71
      end
72

  
69 73
    end
70 74
  end
71 75
end
app/controllers/api/v1/hosts_controller.rb
101 101
        render :json => { :status => @host.host_status }.to_json if @host
102 102
      end
103 103

  
104
      # we need to limit resources for a current user
105
      def resource_scope
106
        resource_class.my_hosts
107
      end
108

  
104 109
      private
105 110

  
106 111
      # this is required for template generation (such as pxelinux) which is not done via a web request
107 112
      def forward_request_url
108 113
        @host.request_url = request.host_with_port if @host.respond_to?(:request_url)
109 114
      end
110

  
111 115
    end
112 116
  end
113 117
end
test/fixtures/compute_resources.yml
26 26
  password: MyString
27 27
  uuid: yourcompute
28 28
  type: Foreman::Model::Libvirt
29
  users: restricted
test/fixtures/hosts.yml
196 196
  managed: true
197 197
  compute_resource: one
198 198
  hostgroup: db
199

  
200
owned_by_restricted:
201
  type: Host::Managed
202
  name: owned_by_restricted.mydomain.net
203
  ip: "2.3.4.155"
204
  mac: deadbeeffeed
205
  environment: production
206
  architecture: x86_64
207
  operatingsystem: redhat
208
  ptable: one
209
  subnet: one
210
  domain: mydomain
211
  puppet_proxy: puppetmaster
212
  managed: true
213
  compute_resource: one
214
  location: location1
215
  organization: organization1
216
  owner: restricted
217
  owner_type: User
test/fixtures/roles.yml
197 197
  permissions: |
198 198
    ---
199 199

  
200
manage_compute_resources:
201
  name: View compute resources
202
  id: "11"
203
  builtin: "0"
204
  permissions: |
205
    ---
206
    - :view_compute_resources
207
    - :create_compute_resources
208
    - :edit_compute_resources
209
    - :destroy_compute_resources
210

  
211
manage_hosts:
212
  name: CRUD hosts
213
  id: "12"
214
  builtin: "0"
215
  permissions: |
216
    ---
217
    - :create_hosts
218
    - :edit_hosts
219
    - :destroy_hosts
220
    - :view_hosts
test/fixtures/user_roles.yml
1
user_restricted_viewer_role:
2
  user: restricted
3
  role_id: 5
4

  
5
user_restricted_anonymous_role:
6
  user: restricted
7
  role_id: 7
8

  
9
user_restricted_manage_hosts_role:
10
  user: restricted
11
  role_id: 12
12

  
13
user_restricted_manage_compute_resources:
14
  user: restricted
15
  role_id: 11
test/fixtures/users.yml
18 18
  last_login_on: 2009-10-12 21:50:04
19 19
  auth_source: one
20 20

  
21
restricted:
22
  login: restricted
23
  firstname: Restricted
24
  lastname: User
25
  mail: userrestricted@someware.com
26
  admin: false
27
  last_login_on: 2009-10-12 21:50:04
28
  auth_source: one
29
  filter_on_owner: true
30

  
21 31
admin:
22 32
  login: admin
23 33
  firstname: Admin
......
49 59
  last_login_on: 2009-10-12 21:50:04
50 60
  auth_source: internal
51 61
  password_hash: 02d7ff9921071af778ff4f8608579dcd6d80dfba
52
  password_salt: 80a167f1effbd82c2485ed81c3cfd68b11bc40dc
62
  password_salt: 80a167f1effbd82c2485ed81c3cfd68b11bc40dc
test/functional/api/v1/compute_resources_controller_test.rb
47 47
    assert_response :success
48 48
  end
49 49

  
50
  test "should get index of owned" do
51
    as_user(:restricted) do
52
      get :index, {}
53
    end
54
    assert_response :success
55
    assert_not_nil assigns(:compute_resources)
56
    compute_resources = ActiveSupport::JSON.decode(@response.body)
57
    ids               = compute_resources.map { |hash| hash['compute_resource']['id'] }
58
    assert !ids.include?(compute_resources(:mycompute).id)
59
    assert ids.include?(compute_resources(:yourcompute).id)
60
  end
61

  
62
  test "should allow access to a compute resource for owner" do
63
    as_user(:restricted) do
64
      get :show, { :id => compute_resources(:yourcompute).to_param }
65
    end
66
    assert_response :success
67
  end
68

  
69
  test "should update compute resource for owner" do
70
    as_user(:restricted) do
71
      put :update, { :id => compute_resources(:yourcompute).to_param, :compute_resource => { :description => "new_description" } }
72
    end
73
    assert_equal "new_description", ComputeResource.find_by_name('yourcompute').description
74
    assert_response :success
75
  end
76

  
77
  test "should destroy compute resource for owner" do
78
    assert_difference('ComputeResource.count', -1) do
79
      as_user(:restricted) do
80
        delete :destroy, { :id => compute_resources(:yourcompute).id }
81
      end
82
    end
83
    assert_response :success
84
  end
85

  
86
  test "should not allow access to a compute resource out of users compute resources scope" do
87
    as_user(:restricted) do
88
      get :show, { :id => compute_resources(:one).to_param }
89
    end
90
    assert_response :not_found
91
  end
92

  
93
  test "should not update compute resource for restricted" do
94
    as_user(:restricted) do
95
      put :update, { :id => compute_resources(:mycompute).to_param, :compute_resource => { :description => "new_description" } }
96
    end
97
    assert_response :not_found
98
  end
99

  
100
  test "should not destroy compute resource for restricted" do
101
    as_user(:restricted) do
102
      delete :destroy, { :id => compute_resources(:mycompute).id }
103
    end
104
    assert_response :not_found
105
  end
106

  
50 107
end
test/functional/api/v1/hosts_controller_test.rb
63 63
    assert_response :success
64 64
  end
65 65

  
66
  test "should be able to create hosts even when restricted" do
67
    disable_orchestration
68
    assert_difference('Host.count') do
69
      post :create, { :host => valid_attrs }
70
    end
71
    assert_response :success
72
  end
73

  
74
  test "should allow access to restricted user who owns the host" do
75
    as_user :restricted do
76
      get :show, { :id => hosts(:owned_by_restricted).to_param }
77
    end
78
    assert_response :success
79
  end
80

  
81
  test "should allow to update for restricted user who owns the host" do
82
    disable_orchestration
83
    as_user :restricted do
84
      put :update, { :id => hosts(:owned_by_restricted).to_param, :host => {} }
85
    end
86
    assert_response :success
87
  end
88

  
89
  test "should allow destroy for restricted user who owns the hosts" do
90
    assert_difference('Host.count', -1) do
91
      as_user :restricted do
92
        delete :destroy, { :id => hosts(:owned_by_restricted).to_param }
93
      end
94
    end
95
    assert_response :success
96
  end
97

  
98
  test "should allow show status for restricted user who owns the hosts" do
99
    as_user :restricted do
100
      get :status, { :id => hosts(:owned_by_restricted).to_param }
101
    end
102
    assert_response :success
103
  end
104

  
105
  test "should not allow access to a host out of users hosts scope" do
106
    as_user :restricted do
107
      get :show, { :id => hosts(:one).to_param }
108
    end
109
    assert_response :not_found
110
  end
111

  
112
  test "should not list a host out of users hosts scope" do
113
    as_user :restricted do
114
      get :index, {}
115
    end
116
    assert_response :success
117
    hosts = ActiveSupport::JSON.decode(@response.body)
118
    ids = hosts.map { |hash| hash['host']['id'] }
119
    assert !ids.include?(hosts(:one).id)
120
    assert ids.include?(hosts(:owned_by_restricted).id)
121
  end
122

  
123
  test "should not update host out of users hosts scope" do
124
    as_user :restricted do
125
      put :update, { :id => hosts(:one).to_param }
126
    end
127
    assert_response :not_found
128
  end
129

  
130
  test "should not delete hosts out of users hosts scope" do
131
    as_user :restricted do
132
      delete :destroy, { :id => hosts(:one).to_param }
133
    end
134
    assert_response :not_found
135
  end
136

  
137
  test "should not show status of hosts out of users hosts scope" do
138
    as_user :restricted do
139
      get :status, { :id => hosts(:one).to_param }
140
    end
141
    assert_response :not_found
142
  end
66 143
end