2 changes: 2 additions & 0 deletions app/controllers/ops_controller/ops_rbac.rb
@@ -17,6 +17,8 @@ def role_allows?(**options)
end

options[:feature] = MiqProductFeature.tenant_identifier(options[:feature], id)
# dynamic tenant feature identifiers need to bypass feature validation
options[:skip_feature_validation] = true
end

super(**options)
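Review bot: The comment added above `options[:skip_feature_validation] = true` says the tenant identifier must "bypass feature validation" without saying which validation, and in an access-control path that reads as if the permission check itself were skipped. Going by the application_helper.rb section of this same change, the flag only suppresses `validate_features`, which raises outside production when an identifier is unknown, and `Rbac.role_allows?` still makes the decision. I would spell that out, e.g. `# Skip only the non-production identifier existence check; Rbac.role_allows? still authorizes the tenant-scoped feature.` The enclosing `role_allows?` and the conditional closed by the `end` after the assignment both start outside this hunk.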
16 changes: 11 additions & 5 deletions app/helpers/application_helper.rb
@@ -104,6 +104,16 @@ def role_allows?(**options)
return false
end

# ops_rbac role_allows's dynamic tenant features are supported in rbac but not
# with direct lookup in validate_features so we skip it.
validate_features(features) unless !!options.delete(:skip_feature_validation)

Rbac.role_allows?(:user => User.current_user, **options) rescue false
end
module_function :role_allows?
public :role_allows?

def validate_features(features)
# Detect if queried features are missing from the database and possibly invalid
if !Rails.env.production? && features.detect { |feature| !MiqProductFeature.feature_exists?(feature) }
message = "#{__method__} no feature was found with identifier: #{features.inspect}. Correct the identifier or add it to miq_product_features.yml."
@@ -114,12 +124,8 @@ def role_allows?(**options)
raise("#{message} Note: detected features: #{identifiers.inspect}")
end
end

Rbac.role_allows?(:user => User.current_user, **options) rescue false
end

module_function :role_allows?
public :role_allows?
module_function :validate_features

# NB: This differs from controller_for_model; until they're unified,
# make sure you have the right one.
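Review bot: On the added `validate_features(features) unless !!options.delete(:skip_feature_validation)` line, the `!!` is redundant, and the line quietly relies on `delete` running every time so that the key never reaches `Rbac.role_allows?`. Making that explicit reads better: `skip_validation = options.delete(:skip_feature_validation)` followed by `validate_features(features) unless skip_validation`. Also, the error text in the extracted `validate_features` still interpolates `__method__`, so the message now begins with `validate_features` rather than `role_allows?`, which appears to be where the check lived before; a literal `role_allows?` would keep it pointing at the call developers actually wrote. `role_allows?` begins above this hunk.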
@@ -0,0 +1,51 @@
/* eslint-disable no-undef */
import { flashClassMap } from '../../../../support/assertions/assertion_constants';

describe('Settings > Application Settings > Access Control', () => {
// Navigation
const PRIMARY_MENU_OPTION = 'Settings';
const SECONDARY_MENU_OPTION = 'Application Settings';
const ACCORDION = 'Access Control';
const TOOLBAR_MENU = 'Configuration';

// Created item information
const INITIAL_TENANT_NAME = 'Test-name';
const INITIAL_TENANT_DESCRIPTION = 'test description';

// CRUD actions
const FLASH_MESSAGE_OPERATION_ADDED = 'added';
const FLASH_MESSAGE_OPERATION_DELETED = 'delete';
const DELETE_ITEM = 'Delete this item';
Member Author


This list of constants can be updated/consolidated when we add more access control tests. It's hard to decide what should be constants vs. inline.

My thinking is:

  • If it's used in a selector and unique to the test, it probably should be left as an inline string to make the test more readable. If it's used often enough, it should become a shared function.
  • Simple text we input for CRUD will likely be reused by other tests so constants make sense there
  • Shared navigation for the whole set of tests and not unique to the test could be constants...

I don't know, that's my thinking here.


beforeEach(() => {
cy.login();
cy.menu(PRIMARY_MENU_OPTION, SECONDARY_MENU_OPTION);
cy.accordion(ACCORDION);
});

it('should be able to create and delete a tenant', () => {
cy.selectAccordionItem([
/^ManageIQ Region/,
'Tenants',
'My Company',
]);

cy.toolbar(TOOLBAR_MENU, 'Add child Tenant to this Tenant');
cy.getFormInputFieldById('name').type(INITIAL_TENANT_NAME);
cy.getFormInputFieldById('description').type(INITIAL_TENANT_DESCRIPTION);
cy.getFormFooterButtonByType('Add', 'submit').click();
cy.expect_flash(flashClassMap.success, FLASH_MESSAGE_OPERATION_ADDED);
cy.selectAccordionItem([
/^ManageIQ Region/,
'Tenants',
'My Company',
INITIAL_TENANT_NAME
]);

cy.expect_browser_confirm_with_text({
confirmTriggerFn: () => cy.toolbar(TOOLBAR_MENU, DELETE_ITEM),
containsText: DELETE_ITEM,
});
cy.expect_flash(flashClassMap.success, FLASH_MESSAGE_OPERATION_DELETED);
});
});
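Review bot: The only case in this spec is the allowed path: `cy.login()` is called without arguments in `beforeEach`, so the tenant is created and deleted by whatever default account that helper uses (presumably an administrator). Because the Ruby side of this change alters how tenant-scoped role checks are validated, a companion case where a user whose role lacks the tenant feature is refused the "Add child Tenant" action would show that skipping validation did not loosen authorization. Separately, a failure between the `added` and `delete` flash assertions leaves `Test-name` behind and would likely break the next run, so the cleanup is better placed in an `afterEach` than at the end of the `it` body.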