wip

ManageIQ · Aug 7, 2023 · 4a1f00b · 4a1f00b
1 parent 75bbc75
commit 4a1f00b
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/spec/requests/authentications_spec.rb b/spec/requests/authentications_spec.rb
@@ -27,6 +27,28 @@
 
       expect(response).to have_http_status(:forbidden)
     end
+
+    it 'limits authentications that a user can see' do
+      unauth_tenant = FactoryBot.create(:tenant)
+      unauth_group  = FactoryBot.create(:miq_group, :tenant => unauth_tenant)
+      unauth_user   = FactoryBot.create(:user, :miq_groups => [unauth_group])
+
+      auth  = FactoryBot.create(:authentication)
+      auth2 = FactoryBot.create(:authentication, :evm_owner => unauth_user, :miq_group => unauth_group)
+
+      api_basic_authorize collection_action_identifier(:authentications, :read, :get)
+
+      get(api_authentications_url)
+
+      expected = {
+        'count'     => 1,
+        'subcount'  => 1,
+        'name'      => 'authentications',
+        'resources' => [hash_including('href' => api_authentication_url(nil, auth))]
+      }
+      expect(response.parsed_body).to include(expected)
+      expect(response).to have_http_status(:ok)
+    end
   end
 
   describe 'GET /api/authentications/:id' do

diff --git a/spec/requests/configuration_script_payloads_spec.rb b/spec/requests/configuration_script_payloads_spec.rb
@@ -82,6 +82,17 @@
       context "with an authentication reference in credentials" do
         let!(:authentication) { FactoryBot.create(:authentication, :ems_ref => "my-credential", :resource => manager) }
 
+        it "fails if the credential is owned by another tenant" do
+          unauth_tenant = FactoryBot.create(:tenant)
+          unauth_group  = FactoryBot.create(:miq_group, :tenant => unauth_tenant)
+          unauth_user   = FactoryBot.create(:user, :miq_groups => [unauth_group])
+
+          authentication.update!(:evm_owner => unauth_user, :miq_group => unauth_group)
+          api_basic_authorize(collection_action_identifier(:configuration_script_payloads, :edit, :post))
+          post(api_configuration_script_payloads_url, :params => {:action => 'edit', :resources => [{:id => script_payload.id, :name => 'foo', :credentials => {"my-cred" => {"credential_ref" => "my-credential", "credential_field" => "userid"}}}]})
+          expect(response).to have_http_status(:bad_request)
+        end
+
         it "adds the authentication to the configuration_script_payload.authentications" do
           api_basic_authorize collection_action_identifier(:configuration_script_payloads, :edit, :post)