feat(RBAC): RHINENG-13334 allow reading SSG with any read permission

RedHatInsights · Oct 1, 2024 · dd087f0 · dd087f0
1 parent 66a61ea
commit dd087f0
Show file tree

Hide file tree

Showing 12 changed files with 17 additions and 16 deletions.
diff --git a/app/controllers/v1/benchmarks_controller.rb b/app/controllers/v1/benchmarks_controller.rb
@@ -6,12 +6,12 @@ class BenchmarksController < ApplicationController
     def index
       render_json benchmarks
     end
-    permission_for_action :index, Rbac::COMPLIANCE_VIEWER
+    permission_for_action :index, Rbac::V1_COMPLIANCE_VIEWER
 
     def show
       render_json benchmark
     end
-    permission_for_action :show, Rbac::COMPLIANCE_VIEWER
+    permission_for_action :show, Rbac::V1_COMPLIANCE_VIEWER
 
     private
 

diff --git a/app/controllers/v1/profiles_controller.rb b/app/controllers/v1/profiles_controller.rb
@@ -13,12 +13,12 @@ def index
       permitted_params[:sort_by] ||= 'score'
       render_json resolve_collection
     end
-    permission_for_action :index, Rbac::COMPLIANCE_VIEWER
+    permission_for_action :index, Rbac::V1_COMPLIANCE_VIEWER
 
     def show
       render_json profile
     end
-    permission_for_action :show, Rbac::COMPLIANCE_VIEWER
+    permission_for_action :show, Rbac::V1_COMPLIANCE_VIEWER
 
     def create
       Policy.transaction do
@@ -65,7 +65,7 @@ def tailoring_file
 
       audit_tailoring_file
     end
-    permission_for_action :tailoring_file, Rbac::COMPLIANCE_VIEWER
+    permission_for_action :tailoring_file, Rbac::V1_COMPLIANCE_VIEWER
     permitted_params_for_action :tailoring_file, id: ID_TYPE.required
 
     private

diff --git a/app/controllers/v1/rules_controller.rb b/app/controllers/v1/rules_controller.rb
@@ -6,7 +6,7 @@ class RulesController < ApplicationController
     def index
       render_json resolve_collection
     end
-    permission_for_action :index, Rbac::COMPLIANCE_VIEWER
+    permission_for_action :index, Rbac::V1_COMPLIANCE_VIEWER
     permitted_params_for_action :index, policy_id: ID_TYPE
 
     def show
@@ -20,7 +20,7 @@ def show
 
       render_json rule
     end
-    permission_for_action :show, Rbac::COMPLIANCE_VIEWER
+    permission_for_action :show, Rbac::V1_COMPLIANCE_VIEWER
 
     private
 

diff --git a/app/controllers/v1/supported_ssgs_controller.rb b/app/controllers/v1/supported_ssgs_controller.rb
@@ -8,7 +8,7 @@ class SupportedSsgsController < ApplicationController
     def index
       render_json supported_ssgs
     end
-    permission_for_action :index, Rbac::COMPLIANCE_VIEWER
+    permission_for_action :index, Rbac::V1_COMPLIANCE_VIEWER
 
     private
 

diff --git a/app/controllers/v1/value_definitions_controller.rb b/app/controllers/v1/value_definitions_controller.rb
@@ -6,7 +6,7 @@ class ValueDefinitionsController < ApplicationController
     def index
       render_json resolve_collection
     end
-    permission_for_action :index, Rbac::COMPLIANCE_VIEWER
+    permission_for_action :index, Rbac::V1_COMPLIANCE_VIEWER
 
     private
 

diff --git a/app/graphql/types/benchmark.rb b/app/graphql/types/benchmark.rb
@@ -20,7 +20,7 @@ class Benchmark < Types::BaseObject
     cached_static_field :value_definitions, [::Types::ValueDefinition], null: true
     cached_static_field :rule_tree, GraphQL::Types::JSON, null: true
 
-    enforce_rbac Rbac::COMPLIANCE_VIEWER
+    enforce_rbac Rbac::V1_COMPLIANCE_VIEWER
 
     def profiles
       object.profiles.canonical

diff --git a/app/graphql/types/operating_system.rb b/app/graphql/types/operating_system.rb
@@ -10,6 +10,6 @@ class OperatingSystem < Types::BaseObject
     field :major, Int, null: false
     field :minor, Int, null: false
 
-    enforce_rbac Rbac::COMPLIANCE_VIEWER
+    enforce_rbac Rbac::V1_COMPLIANCE_VIEWER
   end
 end
diff --git a/app/graphql/types/os_major_version.rb b/app/graphql/types/os_major_version.rb
@@ -10,6 +10,6 @@ class OsMajorVersion < Types::BaseObject
     field :os_major_version, Int, null: false
     cached_static_field :profiles, [::Types::Profile], null: true
 
-    enforce_rbac Rbac::COMPLIANCE_VIEWER
+    enforce_rbac Rbac::V1_COMPLIANCE_VIEWER
   end
 end
diff --git a/app/graphql/types/query.rb b/app/graphql/types/query.rb
@@ -40,7 +40,7 @@ class Query < Types::BaseObject
       description 'All business objectives visible by the user'
     end
 
-    enforce_rbac Rbac::COMPLIANCE_VIEWER
+    enforce_rbac Rbac::V1_COMPLIANCE_VIEWER
 
     def system(id:)
       Pundit.authorize(context[:current_user], ::Host.find(id), :show?)

diff --git a/app/graphql/types/rule.rb b/app/graphql/types/rule.rb
@@ -20,7 +20,7 @@ class Rule < Types::BaseObject
     field :failed_count, Int, null: true
     field :compliant, Boolean, null: false
 
-    enforce_rbac Rbac::COMPLIANCE_VIEWER
+    enforce_rbac Rbac::V1_COMPLIANCE_VIEWER
 
     def compliant
       system_id && profile_id && %w[pass notapplicable notselected].include?(

diff --git a/app/graphql/types/value_definition.rb b/app/graphql/types/value_definition.rb
@@ -13,6 +13,6 @@ class ValueDefinition < Types::BaseObject
     field :description, String, null: true
     field :default_value, String, null: false
 
-    enforce_rbac Rbac::COMPLIANCE_VIEWER
+    enforce_rbac Rbac::V1_COMPLIANCE_VIEWER
   end
 end
diff --git a/app/services/rbac.rb b/app/services/rbac.rb
@@ -11,7 +11,8 @@ class Rbac
 
   INVENTORY_UNGROUPED_ENTRIES = [].freeze
   INVENTORY_HOSTS_READ = 'inventory:hosts:read'
-  COMPLIANCE_VIEWER = 'compliance:policy:read' # universal read permission accross all roles
+  V1_COMPLIANCE_VIEWER = 'compliance:policy:read'
+  COMPLIANCE_VIEWER = 'compliance:*:read'
   COMPLIANCE_ADMIN = 'compliance:*:*'
   POLICY_READ = 'compliance:policy:read'
   POLICY_CREATE = 'compliance:policy:create'