Fixes #38718 - Register feature scope in belongs_to_proxy

Author: adamruzicka

Gemfile

@@ -8,7 +8,7 @@ gem 'rest-client', '>= 2.0.0', '< 3', :require => 'rest_client'
 gem 'audited', '~> 5.0', '!= 5.1.0'
 gem 'will_paginate', '~> 3.3'
 gem 'ancestry', '~> 4.0'
-gem 'scoped_search', '>= 4.1.10', '< 5'
+gem 'scoped_search', '>= 4.3.0', '< 5'
 gem 'ldap_fluff', '>= 0.9.0', '< 1.0'
 gem 'apipie-rails', '>= 0.8.0', '< 2'
 gem 'apipie-dsl', '>= 2.6.2'

app/models/]

@@ -0,0 +1,258 @@
+class Filter < ApplicationRecord
+  audited :associated_with => :role
+
+  include Taxonomix
+  include Authorizable
+  include TopbarCacheExpiry
+
+  attr_writer :resource_type
+  attr_accessor :unlimited
+
+  class ScopedSearchValidator < ActiveModel::Validator
+    def validate(record)
+      resource_class = record.resource_class
+      resource_class.search_for(record.search) unless (resource_class.nil? || record.search.nil?)
+    rescue ScopedSearch::Exception => e
+      record.errors.add(:search, _("invalid search query: %s") % e)
+    end
+  end
+
+  # tune up taxonomix for filters, we don't want to set current taxonomy
+  def add_current_organization?
+    false
+  end
+
+  def add_current_location?
+    false
+  end
+
+  # allow creating filters for non-taxable resources when user is not admin
+  def ensure_taxonomies_not_escalated
+  end
+
+  belongs_to :role
+  has_many :filterings, :autosave => true, :dependent => :destroy
+  has_many :permissions, :through => :filterings
+
+  validates_lengths_from_database
+
+  default_scope -> { order(["#{table_name}.role_id", "#{table_name}.id"]) }
+  scope :unlimited, -> { where(:search => nil, :taxonomy_search => nil) }
+  scope :limited, -> { where("search IS NOT NULL OR taxonomy_search IS NOT NULL") }
+
+  scoped_search :on => :id, :complete_enabled => false, :only_explicit => true, :validator => ScopedSearch::Validators::INTEGER
+  scoped_search :on => :search, :complete_value => true
+  scoped_search :on => :override, :complete_value => { :true => true, :false => false }
+  scoped_search :on => :limited, :complete_value => { :true => true, :false => false }, :ext_method => :search_by_limited, :only_explicit => true
+  scoped_search :on => :unlimited, :complete_value => { :true => true, :false => false }, :ext_method => :search_by_unlimited, :only_explicit => true
+  scoped_search :relation => :role, :on => :id, :rename => :role_id, :complete_enabled => false, :only_explicit => true, :validator => ScopedSearch::Validators::INTEGER
+  scoped_search :relation => :role, :on => :name, :rename => :role
+  scoped_search :relation => :permissions, :on => :resource_type, :rename => :resource
+  scoped_search :relation => :permissions, :on => :name,          :rename => :permission
+
+  before_validation :build_taxonomy_search, :nilify_empty_searches, :enforce_override_flag
+  before_save :enforce_inherited_taxonomies, :nilify_empty_searches
+
+  validates :search, :presence => true, :unless => proc { |o| o.search.nil? }
+  validates_with ScopedSearchValidator
+  validates :role, :presence => true
+
+  validate :role_not_locked
+  before_destroy :role_not_locked
+
+  validate :same_resource_type_permissions, :not_empty_permissions, :allowed_taxonomies
+
+  def self.allows_taxonomy_filtering?(_taxonomy)
+    false
+  end
+
+  def self.search_by_unlimited(key, operator, value)
+    search_by_limited(key, operator, (value == 'true') ? 'false' : 'true')
+  end
+
+  def self.search_by_limited(key, operator, value)
+    value      = value == 'true'
+    value      = !value if operator == '<>'
+    conditions = value ? 'search IS NOT NULL OR taxonomy_search IS NOT NULL' : 'search IS NULL AND taxonomy_search IS NULL'
+    { :conditions => conditions }
+  end
+
+  # This method attempts to return an existing class that is derived from the resource_type.
+  # In some instances, this may not be a real class (e.g. a typo) or may be nil in the case
+  # of a filter not having been saved yet and thus the permissions objects not being currently
+  # accessible.
+  def self.get_resource_class(resource_type)
+    return nil if resource_type.nil?
+    resource_type.constantize
+  rescue NameError => e
+    Foreman::Logging.exception("unknown class #{resource_type}, ignoring", e)
+    nil
+  end
+
+  def unlimited?
+    search.nil? && taxonomy_search.nil?
+  end
+
+  def limited?
+    !unlimited?
+  end
+
+  def to_s
+    _('filter for %s role') % role.try(:name) || 'unknown'
+  end
+
+  def to_label
+    permissions.pluck(:name).to_sentence
+  end
+
+  def resource_type
+    type = @resource_type || filterings.first.try(:permission).try(:resource_type)
+    type.presence
+  end
+
+  def resource_type_label
+    resource_class.try(:humanize_class_name) || resource_type || N_('(Miscellaneous)')
+  end
+
+  def resource_class
+    @resource_class ||= self.class.get_resource_class(resource_type)
+  end
+
+  # We detect granularity by inclusion of Authorizable module and scoped_search definition
+  # we can define exceptions for resources with more complex hierarchy (e.g. Host is proxy module)
+  def granular?
+    @granular ||= begin
+      return false if resource_class.nil?
+      return true if resource_type == 'Host'
+      resource_class.included_modules.include?(Authorizable) && resource_class.respond_to?(:search_for)
+    end
+  end
+
+  def resource_taxable?
+    resource_taxable_by_organization? || resource_taxable_by_location?
+  end
+
+  def resource_taxable_by_organization?
+    granular? && resource_class.allows_organization_filtering?
+  end
+
+  def resource_taxable_by_location?
+    granular? && resource_class.allows_location_filtering?
+  end
+
+  def search_condition
+    QueryBuilder.join('AND', search_condition_parts)
+  end
+
+  def search_condition_for_user(user)
+    return search_condition if override? || !granular?
+
+    parts = search_condition_parts
+    parts += taxonomy_search_condition_for_user(user)
+    QueryBuilder.join('AND', parts)
+  end
+
+  def taxonomy_search_condition_for_user(user)
+    parts = []
+    if resource_taxable_by_organization?
+      parts << merge_taxonomy_search('organization_id', taxonomy_search, user.organization_and_child_ids)
+    end
+    if resource_taxable_by_location?
+      parts << merge_taxonomy_search('location_id', taxonomy_search, user.location_and_child_ids)
+    end
+    parts
+  end
+
+  def merge_taxonomy_search(key, search, user_ids)
+    ids = if search.nil?
+            user_ids
+          else
+            search.scan(/\d+/).map(&:to_i) & user_ids
+          end
+    QueryBuilder.key_value_in(key, ids, :block)
+  end
+
+  def expire_topbar_cache
+    role.users.each      { |u| u.expire_topbar_cache }
+    role.usergroups.each { |g| g.expire_topbar_cache }
+  end
+
+  def disable_overriding!
+    self.override = false
+    save!
+  end
+
+  def enforce_inherited_taxonomies
+    inherit_taxonomies! unless override?
+  end
+
+  def inherit_taxonomies!
+    self.organization_ids = role.organization_ids if resource_taxable_by_organization?
+    self.location_ids = role.location_ids if resource_taxable_by_location?
+    build_taxonomy_search
+  end
+
+  private
+
+  def search_condition_parts
+    [search, taxonomy_search].compact
+  end
+
+  def build_taxonomy_search
+    orgs = build_taxonomy_search_string('organization')
+    locs = build_taxonomy_search_string('location')
+
+    self.taxonomy_search = QueryBuilder.join('AND', [orgs, locs])
+  end
+
+  def build_taxonomy_search_string(name)
+    return unless send("resource_taxable_by_#{name}?")
+    relation = send(name.pluralize).pluck(:id)
+
+    QueryBuilder.key_value_in("#{name}_id", relation)
+  end
+
+  def nilify_empty_searches
+    self.search = nil if search.empty? || unlimited == '1'
+    self.taxonomy_search = nil if taxonomy_search.empty?
+  end
+
+  # if we have 0 types, empty validation will set error, we can't have more than one type
+  def same_resource_type_permissions
+    types = permissions.map(&:resource_type).uniq
+    if types.size > 1
+      errors.add(
+        :permissions,
+        _('must be of same resource type (%{types}) - Role (%{role})') %
+          {
+            types: types.join(','),
+            role: role.name,
+          }
+      )
+    end
+  end
+
+  def not_empty_permissions
+    errors.add(:permissions, _('You must select at least one permission')) if permissions.blank? && filterings.blank?
+  end
+
+  def allowed_taxonomies
+    if organization_ids.present? && !resource_taxable_by_organization?
+      errors.add(:organization_ids, _('You can\'t assign organizations to this resource'))
+    end
+
+    if location_ids.present? && !resource_taxable_by_location?
+      errors.add(:location_ids, _('You can\'t assign locations to this resource'))
+    end
+  end
+
+  def enforce_override_flag
+    self.override = false unless resource_taxable?
+    true
+  end
+
+  def role_not_locked
+    errors.add(:role_id, _('is locked for user modifications.')) if role.locked? && !role.modify_locked
+    errors.empty?
+  end
+end

app/models/concerns/belongs_to_proxies.rb

@@ -16,7 +16,7 @@ def belongs_to_proxy(name, options)
 
     def register_smart_proxy(name, options)
       self.registered_smart_proxies = registered_smart_proxies.merge(name => options)
-      belongs_to name, :class_name => 'SmartProxy'
+      belongs_to name, -> { with_features(options[:feature]) }, :class_name => 'SmartProxy'
       validates name, :proxy_features => { :feature => options[:feature], :required => options[:required] }
     end
 

app/validators/proxy_features_validator.rb

@@ -5,11 +5,13 @@ def initialize(args)
   end
 
   def validate_each(record, attribute, value)
-    if !value && @options[:required]
+    id = record.public_send("#{attribute}_id")
+    if (!id || !value) && @options[:required]
       record.errors.add("#{attribute}_id", _('was not found'))
     end
 
-    if value && !value.has_feature?(@options[:feature])
+    # Due to scope being set on the association, it can happen that the id is present but the association is nil
+    if (id || value) && !value.try(:has_feature?, @options[:feature])
       if @options[:message].nil?
         message = _('does not have the %s feature') % @options[:feature]
       else

test/controllers/concerns/auto_complete_search_test.rb

@@ -13,6 +13,6 @@ class AutoCompleteSearchTest < ActionController::TestCase
     assert_predicate response, :successful?
     suggestions = ActiveSupport::JSON.decode(response.body)
     assert_equal 1, suggestions.length
-    assert_equal suggestions.first['part'], "name = #{domain1.name}"
+    assert_equal suggestions.first['label'], "name = \"#{domain1.name}\""
   end
 end

test/controllers/subnets_controller_test.rb

@@ -16,11 +16,11 @@ class SubnetsControllerTest < ActionController::TestCase
   context 'three similar subnets exists' do
     def setup
       as_admin do
-        @s1 = FactoryBot.create(:subnet_ipv4, :network => '100.20.100.100', :cidr => '24', :organization_ids => [taxonomies(:organization1).id], :location_ids => [taxonomies(:location1).id])
-        @s3 = FactoryBot.create(:subnet_ipv4, :network => '200.100.100.100', :cidr => '24', :organization_ids => [taxonomies(:organization1).id], :location_ids => [taxonomies(:location1).id])
-        @s2 = FactoryBot.create(:subnet_ipv4, :network => '100.100.100.100', :cidr => '24', :organization_ids => [taxonomies(:organization1).id], :location_ids => [taxonomies(:location1).id])
-        @s4 = FactoryBot.create(:subnet_ipv6, :network => 'beef::', :cidr => '64', :organization_ids => [taxonomies(:organization1).id], :location_ids => [taxonomies(:location1).id])
-        @s5 = FactoryBot.create(:subnet_ipv6, :network => 'ffee::', :cidr => '64', :organization_ids => [taxonomies(:organization1).id], :location_ids => [taxonomies(:location1).id])
+        @s1 = FactoryBot.create(:subnet_ipv4, :dhcp, :network => '100.20.100.100', :cidr => '24', :organization_ids => [taxonomies(:organization1).id], :location_ids => [taxonomies(:location1).id])
+        @s3 = FactoryBot.create(:subnet_ipv4, :dhcp, :network => '200.100.100.100', :cidr => '24', :organization_ids => [taxonomies(:organization1).id], :location_ids => [taxonomies(:location1).id])
+        @s2 = FactoryBot.create(:subnet_ipv4, :dhcp, :network => '100.100.100.100', :cidr => '24', :organization_ids => [taxonomies(:organization1).id], :location_ids => [taxonomies(:location1).id])
+        @s4 = FactoryBot.create(:subnet_ipv6, :dhcp, :network => 'beef::', :cidr => '64', :organization_ids => [taxonomies(:organization1).id], :location_ids => [taxonomies(:location1).id])
+        @s5 = FactoryBot.create(:subnet_ipv6, :dhcp, :network => 'ffee::', :cidr => '64', :organization_ids => [taxonomies(:organization1).id], :location_ids => [taxonomies(:location1).id])
       end
     end
 

test/models/concerns/belongs_to_proxies_test.rb

@@ -5,7 +5,7 @@ class SampleModel
     include BelongsToProxies
 
     class << self
-      def belongs_to(name, options = {})
+      def belongs_to(name, scope, options = {})
       end
 
       def validates(name, options = {})

test/unit/validators/proxy_features_validator_test.rb

@@ -4,7 +4,7 @@ class ProxyFeaturesValidatorTest < ActiveSupport::TestCase
   class Validatable
     include ActiveModel::Validations
     validates :proxy, :proxy_features => { :feature => 'DNS' }
-    attr_accessor :proxy
+    attr_accessor :proxy, :proxy_id
   end
 
   def setup
@@ -21,4 +21,10 @@ def setup
     refute_valid @validatable
     assert_equal ['does not have the DNS feature'], @validatable.errors[:proxy_id]
   end
+
+  test 'should fail when id is present but association returns nil' do
+    @validatable.proxy_id = FactoryBot.create(:dhcp_smart_proxy).id
+    refute_valid @validatable
+    assert_equal ['does not have the DNS feature'], @validatable.errors[:proxy_id]
+  end
 end