Project

General

Profile

Download (15.9 KB)

Bug #2863 » 0001-fixes-2863-restrict-APIs-1.2-stable.patch

final rebased for 1.2-stable - Dominic Cleal, 08/19/2013 12:37 PM

View differences:

app/controllers/api/base_controller.rb
@resource_class ||= resource_name.camelize.constantize
end
def resource_scope
@resource_scope ||= resource_class.scoped
end
protected
def process_resource_error(options = { })
......
resource = resource_identifying_attributes.find do |key|
next if key=='id' and params[:id].to_i == 0
method = "find_by_#{key}"
resource_class.respond_to?(method) and
(resource = resource_class.send method, params[:id]) and
resource_scope.respond_to?(method) and
(resource = resource_scope.send method, params[:id]) and
break resource
end
app/controllers/api/v1/compute_resources_controller.rb
process_response @compute_resource.destroy
end
def resource_scope
resource_class.my_compute_resources
end
end
end
end
app/controllers/api/v1/hosts_controller.rb
render :json => { :status => @host.host_status }.to_json if @host
end
# we need to limit resources for a current user
def resource_scope
resource_class.my_hosts
end
private
# this is required for template generation (such as pxelinux) which is not done via a web request
def forward_request_url
@host.request_url = request.host_with_port if @host.respond_to?(:request_url)
end
end
end
end
test/fixtures/compute_resources.yml
password: MyString
uuid: yourcompute
type: Foreman::Model::Libvirt
users: restricted
test/fixtures/hosts.yml
managed: true
compute_resource: one
hostgroup: db
owned_by_restricted:
type: Host::Managed
name: owned_by_restricted.mydomain.net
ip: "2.3.4.155"
mac: deadbeeffeed
environment: production
architecture: x86_64
operatingsystem: redhat
ptable: one
subnet: one
domain: mydomain
puppet_proxy: puppetmaster
managed: true
compute_resource: one
location: location1
organization: organization1
owner: restricted
owner_type: User
test/fixtures/roles.yml
permissions: |
---
manage_compute_resources:
name: View compute resources
id: "11"
builtin: "0"
permissions: |
---
- :view_compute_resources
- :create_compute_resources
- :edit_compute_resources
- :destroy_compute_resources
manage_hosts:
name: CRUD hosts
id: "12"
builtin: "0"
permissions: |
---
- :create_hosts
- :edit_hosts
- :destroy_hosts
- :view_hosts
test/fixtures/user_roles.yml
user_restricted_viewer_role:
user: restricted
role_id: 5
user_restricted_anonymous_role:
user: restricted
role_id: 7
user_restricted_manage_hosts_role:
user: restricted
role_id: 12
user_restricted_manage_compute_resources:
user: restricted
role_id: 11
test/fixtures/users.yml
last_login_on: 2009-10-12 21:50:04
auth_source: one
restricted:
login: restricted
firstname: Restricted
lastname: User
mail: userrestricted@someware.com
admin: false
last_login_on: 2009-10-12 21:50:04
auth_source: one
filter_on_owner: true
admin:
login: admin
firstname: Admin
......
last_login_on: 2009-10-12 21:50:04
auth_source: internal
password_hash: 02d7ff9921071af778ff4f8608579dcd6d80dfba
password_salt: 80a167f1effbd82c2485ed81c3cfd68b11bc40dc
password_salt: 80a167f1effbd82c2485ed81c3cfd68b11bc40dc
test/functional/api/v1/compute_resources_controller_test.rb
assert_response :success
end
test "should get index of owned" do
as_user(:restricted) do
get :index, {}
end
assert_response :success
assert_not_nil assigns(:compute_resources)
compute_resources = ActiveSupport::JSON.decode(@response.body)
ids = compute_resources.map { |hash| hash['compute_resource']['id'] }
assert !ids.include?(compute_resources(:mycompute).id)
assert ids.include?(compute_resources(:yourcompute).id)
end
test "should allow access to a compute resource for owner" do
as_user(:restricted) do
get :show, { :id => compute_resources(:yourcompute).to_param }
end
assert_response :success
end
test "should update compute resource for owner" do
as_user(:restricted) do
put :update, { :id => compute_resources(:yourcompute).to_param, :compute_resource => { :description => "new_description" } }
end
assert_equal "new_description", ComputeResource.find_by_name('yourcompute').description
assert_response :success
end
test "should destroy compute resource for owner" do
assert_difference('ComputeResource.count', -1) do
as_user(:restricted) do
delete :destroy, { :id => compute_resources(:yourcompute).id }
end
end
assert_response :success
end
test "should not allow access to a compute resource out of users compute resources scope" do
as_user(:restricted) do
get :show, { :id => compute_resources(:one).to_param }
end
assert_response :not_found
end
test "should not update compute resource for restricted" do
as_user(:restricted) do
put :update, { :id => compute_resources(:mycompute).to_param, :compute_resource => { :description => "new_description" } }
end
assert_response :not_found
end
test "should not destroy compute resource for restricted" do
as_user(:restricted) do
delete :destroy, { :id => compute_resources(:mycompute).id }
end
assert_response :not_found
end
end
test/functional/api/v1/hosts_controller_test.rb
assert_response :success
end
test "should be able to create hosts even when restricted" do
disable_orchestration
assert_difference('Host.count') do
post :create, { :host => valid_attrs }
end
assert_response :success
end
test "should allow access to restricted user who owns the host" do
as_user :restricted do
get :show, { :id => hosts(:owned_by_restricted).to_param }
end
assert_response :success
end
test "should allow to update for restricted user who owns the host" do
disable_orchestration
as_user :restricted do
put :update, { :id => hosts(:owned_by_restricted).to_param, :host => {} }
end
assert_response :success
end
test "should allow destroy for restricted user who owns the hosts" do
assert_difference('Host.count', -1) do
as_user :restricted do
delete :destroy, { :id => hosts(:owned_by_restricted).to_param }
end
end
assert_response :success
end
test "should allow show status for restricted user who owns the hosts" do
as_user :restricted do
get :status, { :id => hosts(:owned_by_restricted).to_param }
end
assert_response :success
end
test "should not allow access to a host out of users hosts scope" do
as_user :restricted do
get :show, { :id => hosts(:one).to_param }
end
assert_response :not_found
end
test "should not list a host out of users hosts scope" do
as_user :restricted do
get :index, {}
end
assert_response :success
hosts = ActiveSupport::JSON.decode(@response.body)
ids = hosts.map { |hash| hash['host']['id'] }
assert !ids.include?(hosts(:one).id)
assert ids.include?(hosts(:owned_by_restricted).id)
end
test "should not update host out of users hosts scope" do
as_user :restricted do
put :update, { :id => hosts(:one).to_param }
end
assert_response :not_found
end
test "should not delete hosts out of users hosts scope" do
as_user :restricted do
delete :destroy, { :id => hosts(:one).to_param }
end
assert_response :not_found
end
test "should not show status of hosts out of users hosts scope" do
as_user :restricted do
get :status, { :id => hosts(:one).to_param }
end
assert_response :not_found
end
end
test/functional/hosts_controller_test.rb
test "update multiple location imports taxable_taxonomies rows if succeeds on optimistic import" do
@request.env['HTTP_REFERER'] = hosts_path
location = taxonomies(:location1)
assert_difference "location.taxable_taxonomies.count", 14 do
assert_difference "location.taxable_taxonomies.count", 15 do
post :update_multiple_location, {
:location => {:id => location.id, :optimistic_import => "yes"},
:host_ids => Host.all.map(&:id)
......
test "update multiple organization imports taxable_taxonomies rows if succeeds on optimistic import" do
@request.env['HTTP_REFERER'] = hosts_path
organization = taxonomies(:organization1)
assert_difference "organization.taxable_taxonomies.count", 14 do
assert_difference "organization.taxable_taxonomies.count", 15 do
post :update_multiple_organization, {
:organization => {:id => organization.id, :optimistic_import => "yes"},
:host_ids => Host.all.map(&:id)
test/functional/locations_controller_test.rb
end
test "should assign all hosts with no location to selected location and add taxable_taxonomies" do
location = taxonomies(:location1)
assert_difference "location.taxable_taxonomies.count", 14 do
assert_difference "location.taxable_taxonomies.count", 15 do
post :assign_all_hosts, {:id => location.id}, set_session_user
end
end
test/functional/organizations_controller_test.rb
end
test "should assign all hosts with no organization to selected organization and add taxable_taxonomies" do
organization = taxonomies(:organization1)
assert_difference "organization.taxable_taxonomies.count", 14 do
assert_difference "organization.taxable_taxonomies.count", 15 do
post :assign_all_hosts, {:id => organization.id}, set_session_user
end
end
test/unit/location_test.rb
assert_equal used_ids[:domain_ids].sort, Array([domains(:yourdomain).id, domains(:mydomain).id]).sort
assert_equal used_ids[:medium_ids].sort, Array(media(:one).id).sort
assert_equal used_ids[:compute_resource_ids].sort, Array(compute_resources(:one).id).sort
assert_equal used_ids[:user_ids], Array.new
assert_equal used_ids[:user_ids], [users(:restricted).id]
assert_equal used_ids[:smart_proxy_ids].sort, Array([smart_proxies(:one).id, smart_proxies(:two).id, smart_proxies(:three).id, smart_proxies(:puppetmaster).id]).sort
assert_equal used_ids[:config_template_ids].sort, Array(config_templates(:mystring2).id).sort
end
test/unit/organization_test.rb
assert_equal used_ids[:domain_ids].sort, Array(domains(:mydomain).id).sort
assert_equal used_ids[:medium_ids].sort, Array.new
assert_equal used_ids[:compute_resource_ids].sort, Array(compute_resources(:one).id).sort
assert_equal used_ids[:user_ids], Array.new
assert_equal used_ids[:user_ids], [users(:restricted).id]
assert_equal used_ids[:smart_proxy_ids].sort, Array([smart_proxies(:one).id, smart_proxies(:two).id, smart_proxies(:three).id, smart_proxies(:puppetmaster).id]).sort
assert_equal used_ids[:config_template_ids].sort, Array(config_templates(:mystring2).id).sort
end
(6-6/7)