forked from ManageIQ/manageiq
-
Notifications
You must be signed in to change notification settings - Fork 0
/
miq_user_role_spec.rb
318 lines (264 loc) · 12.8 KB
/
miq_user_role_spec.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
describe MiqUserRole do
before do
@expected_user_role_count = 19
end
context ".seed" do
it "empty table" do
MiqUserRole.seed
expect(MiqUserRole.count).to eq(@expected_user_role_count)
end
it "run twice" do
MiqUserRole.seed
MiqUserRole.seed
expect(MiqUserRole.count).to eq(@expected_user_role_count)
end
it "with existing records" do
# administrator is a role that we know is provide with the product
# this is not testing administrator privileges
changed = FactoryGirl.create(:miq_user_role, :name => "EvmRole-administrator", :read_only => false)
unchanged = FactoryGirl.create(:miq_user_role, :name => "xxx", :read_only => false)
unchanged_orig_updated_at = unchanged.updated_at
MiqUserRole.seed
expect(MiqUserRole.count).to eq(@expected_user_role_count + 1)
expect(changed.reload.read_only).to be_truthy
expect(unchanged.reload.updated_at).to be_within(0.1).of(unchanged_orig_updated_at)
end
it "fills up EvmRole-consumption_administrator role with 3 product features" do
MiqProductFeature.seed
MiqUserRole.seed
consumption_role = MiqUserRole.find_by(:name => "EvmRole-consumption_administrator")
expect(consumption_role).not_to be_nil
features = consumption_role.miq_product_features.collect(&:identifier)
expect(features).to match_array(%w(dashboard miq_report chargeback))
end
end
context "testing allows methods" do
before do
EvmSpecHelper.seed_specific_product_features(%w(
dashboard_add
dashboard_view
host_compare
host_edit
host_scan
host_show_list
policy
vm
dialog_edit_editor
rbac_tenant_manage_quotas
))
feature1 = MiqProductFeature.find_all_by_identifier("dashboard_admin")
@role1 = FactoryGirl.create(:miq_user_role, :name => "Role1", :miq_product_features => feature1)
@group1 = FactoryGirl.create(:miq_group, :description => "Group1", :miq_user_role => @role1)
@user1 = FactoryGirl.create(:user, :userid => "user1", :miq_groups => [@group1])
feature2 = MiqProductFeature.find_all_by_identifier("everything")
@role2 = FactoryGirl.create(:miq_user_role, :name => "Role2", :miq_product_features => feature2)
@group2 = FactoryGirl.create(:miq_group, :description => "Group2", :miq_user_role => @role2)
@user2 = FactoryGirl.create(:user, :userid => "user2", :miq_groups => [@group2])
feature3 = MiqProductFeature.find_all_by_identifier(%w(host_show_list host_scan host_edit))
@role3 = FactoryGirl.create(:miq_user_role, :name => "Role3", :miq_product_features => feature3)
@group3 = FactoryGirl.create(:miq_group, :description => "Group3", :miq_user_role => @role3)
@user3 = FactoryGirl.create(:user, :userid => "user3", :miq_groups => [@group3])
end
context "dynamic tenant product features" do
let(:root_tenant) do
Tenant.seed
Tenant.default_tenant
end
let!(:tenant_1) { FactoryGirl.create(:tenant, :parent => root_tenant) }
let!(:tenant_2) { FactoryGirl.create(:tenant, :parent => root_tenant) }
let(:feature) { MiqProductFeature.find_all_by_identifier(["dialog_edit_editor_tenant_#{tenant_2.id}", "rbac_tenant_manage_quotas_tenant_#{tenant_2.id}"]) }
let(:non_dynamic_feature) { MiqProductFeature.find_all_by_identifier(["dialog_edit_editor", "rbac_tenant_manage_quotas"]) }
let(:role) { FactoryGirl.create(:miq_user_role, :miq_product_features => feature) }
let(:role_no_dynamic) { FactoryGirl.create(:miq_user_role, :miq_product_features => non_dynamic_feature) }
let(:group_tenant_1) { FactoryGirl.create(:miq_group, :miq_user_role => role, :tenant => tenant_1) }
let(:group_tenant_2) { FactoryGirl.create(:miq_group, :miq_user_role => role, :tenant => tenant_2) }
let(:group_3) { FactoryGirl.create(:miq_group, :miq_user_role => role_no_dynamic, :tenant => tenant_2) }
let!(:user_1) { FactoryGirl.create(:user, :userid => "user_1", :miq_groups => [group_tenant_1]) }
let!(:user_2) { FactoryGirl.create(:user, :userid => "user_2", :miq_groups => [group_tenant_2]) }
let!(:user_3) { FactoryGirl.create(:user, :userid => "user_3", :miq_groups => [group_3]) }
it "doesn't authorize user without dynamic product feature" do
User.with_user(user_1) do
expect(user_1.role_allows?(:identifier => "dialog_edit_editor")).to be_falsey
expect(user_1.role_allows?(:identifier => "rbac_tenant_manage_quotas")).to be_falsey
end
end
it "authorize user with dynamic product feature" do
User.with_user(user_2) do
expect(user_2.role_allows?(:identifier => "dialog_edit_editor")).to be_truthy
expect(user_2.role_allows?(:identifier => "rbac_tenant_manage_quotas")).to be_truthy
end
end
it "authorize user with non-dynamic product feature" do
User.with_user(user_3) do
expect(user_3.role_allows?(:identifier => "dialog_edit_editor")).to be_truthy
expect(user_3.role_allows?(:identifier => "rbac_tenant_manage_quotas")).to be_truthy
end
end
end
it "should return the correct answer calling allows? when requested feature is directly assigned or a descendant of a feature in a role" do
expect(@role1.allows?(:identifier => "dashboard_admin")).to eq(true)
expect(@role1.allows?(:identifier => "dashboard_add")).to eq(true)
expect(@role1.allows?(:identifier => "dashboard_view")).to eq(false)
expect(@role1.allows?(:identifier => "policy")).to eq(false)
expect(@role2.allows?(:identifier => "dashboard_admin")).to eq(true)
expect(@role2.allows?(:identifier => "dashboard_add")).to eq(true)
expect(@role2.allows?(:identifier => "dashboard_view")).to eq(true)
expect(@role2.allows?(:identifier => "policy")).to eq(true)
end
it "should return the correct answer calling allows_any? with default scope => :sub" do
expect(@role1.allows_any?(:identifiers => %w(dashboard_admin dashboard_add dashboard_view policy))).to eq(true)
expect(@role2.allows_any?(:identifiers => %w(dashboard_admin dashboard_add dashboard_view policy))).to eq(true)
expect(@role3.allows_any?(:identifiers => ["host_view"])).to eq(true)
expect(@role3.allows_any?(:identifiers => ["vm"])).to eq(false)
expect(@role3.allows_any?(:identifiers => ["everything"])).to eq(true)
end
end
describe "#allow?" do
it "allows everything" do
EvmSpecHelper.seed_specific_product_features(%w(everything miq_report))
user = FactoryGirl.create(:user, :features => "everything")
expect(user.role_allows?(:identifier => "miq_report")).to be_truthy
end
it "dissallows unentitled" do
EvmSpecHelper.seed_specific_product_features(%w(miq_report container_dashboard))
user = FactoryGirl.create(:user, :features => "container_dashboard")
expect(user.role_allows?(:identifier => "miq_report")).to be_falsey
end
it "allows entitled" do
EvmSpecHelper.seed_specific_product_features(%w(miq_report))
user = FactoryGirl.create(:user, :features => "miq_report")
expect(user.role_allows?(:identifier => "miq_report")).to be_truthy
end
# - container_dashboard
# - miq_report_view
# - render_report_csv (H)
it "disallows hidden child with not-entitled parent" do
EvmSpecHelper.seed_specific_product_features(%w(miq_report_view render_report_csv container_dashboard))
user = FactoryGirl.create(:user, :features => "container_dashboard")
expect(user.role_allows?(:identifier => "render_report_csv")).to be_falsey
end
it "allows hidden child with entitled parent" do
EvmSpecHelper.seed_specific_product_features(%w(miq_report_view render_report_csv))
user = FactoryGirl.create(:user, :features => "miq_report_view")
expect(user.role_allows?(:identifier => "render_report_csv")).to be_truthy
end
# - container_dashboard
# - miq_report_widget_admin
# - widget_edit
# - widget_copy
# - widget_refresh (H)
it "allows hidden child of not entitled, if a sibling is entitled" do
EvmSpecHelper.seed_specific_product_features(
%w(miq_report_widget_admin widget_refresh widget_edit widget_copy container_dashboard)
)
user = FactoryGirl.create(:user, :features => "widget_edit")
expect(user.role_allows?(:identifier => "widget_refresh")).to be_truthy
end
it "disallows hidden child of not entitled, if no sibling is entitled" do
EvmSpecHelper.seed_specific_product_features(
%w(miq_report_widget_admin widget_refresh widget_edit widget_copy container_dashboard)
)
user = FactoryGirl.create(:user, :features => "container_dashboard")
expect(user.role_allows?(:identifier => "widget_refresh")).to be_falsey
end
# - container_dashboard
# - policy_profile_admin (H)
# - profile_new (H)
it "allows hidden child of hidden parent" do
EvmSpecHelper.seed_specific_product_features(
%w(policy_profile_admin profile_new container_dashboard)
)
user = FactoryGirl.create(:user, :features => "container_dashboard")
expect(user.role_allows?(:identifier => "profile_new")).to be_truthy
end
end
it "deletes with no group assigned" do
role = FactoryGirl.create(:miq_user_role, :name => "test role")
role.destroy
expect(MiqUserRole.count).to eq(0)
end
it "does not delete with group assigned" do
role = FactoryGirl.create(:miq_user_role, :name => "test role")
FactoryGirl.create(:miq_group, :description => "test group", :miq_user_role => role)
expect { role.destroy }.to raise_error(ActiveRecord::DeleteRestrictionError)
expect(MiqUserRole.count).to eq(1)
end
let(:super_admin_role) { FactoryGirl.create(:miq_user_role, :features => MiqProductFeature::SUPER_ADMIN_FEATURE) }
let(:tenant_admin_role) { FactoryGirl.create(:miq_user_role, :features => MiqProductFeature::TENANT_ADMIN_FEATURE) }
let(:report_admin_role) { FactoryGirl.create(:miq_user_role, :features => MiqProductFeature::REPORT_ADMIN_FEATURE) }
let(:request_admin_role) { FactoryGirl.create(:miq_user_role, :features => MiqProductFeature::REQUEST_ADMIN_FEATURE) }
let(:regular_role) { FactoryGirl.create(:miq_user_role) }
describe "#super_admin_user?" do
it "detects super admin" do
expect(super_admin_role).to be_super_admin_user
end
it "detects admin" do
expect(report_admin_role).not_to be_super_admin_user
end
it "detects non-admin" do
expect(regular_role).not_to be_super_admin_user
end
end
describe "#report_admin_user?" do
it "detects super admin" do
expect(super_admin_role).to be_report_admin_user
end
it "detects admin" do
expect(report_admin_role).to be_report_admin_user
end
it "detects non-admin" do
expect(regular_role).not_to be_report_admin_user
end
end
describe "#tenant_admin" do
it "detects tenant_admin" do
expect(tenant_admin_role).to be_tenant_admin_user
end
it "detects super_admin" do
expect(super_admin_role).to be_tenant_admin_user
end
it "does not detect regular role" do
expect(regular_role).not_to be_tenant_admin_user
end
end
describe "#destroy" do
subject { miq_group.entitlement.miq_user_role }
let!(:miq_group) { FactoryGirl.create(:miq_group, :role => "EvmRole-administrator") }
context "when the role has any entitlements" do
it "does not allow the role to be deleted" do
expect { subject.destroy! }.to raise_error(ActiveRecord::DeleteRestrictionError)
end
end
context "with the entitlement removed" do
before { miq_group.entitlement.destroy! }
it "allows the role to be deleted" do
expect { subject.destroy! }.not_to raise_error
end
end
context "temporary backwards compatibility - groups destroy entitlements, allowing the role to be destroyed" do
before { miq_group.destroy! }
it "allows the role to be deleted" do
expect { subject.destroy! }.not_to raise_error
end
end
end
describe "#group_count" do
it "counts none in ruby" do
role = FactoryGirl.create(:miq_user_role)
expect(role.group_count).to eq(0)
end
it "counts some in ruby" do
role = FactoryGirl.create(:miq_user_role)
FactoryGirl.create_list(:miq_group, 2, :miq_user_role => role)
expect(role.group_count).to eq(2)
end
end
describe ".with_roles_excluding" do
it "handles multiple columns" do
a = FactoryGirl.create(:miq_user_role, :features => "good")
FactoryGirl.create(:miq_user_role, :features => %w(good everything))
FactoryGirl.create(:miq_user_role, :features => "everything")
expect(MiqUserRole.select(:id, :name).with_roles_excluding("everything")).to match_array([a])
end
end
end