EMS Cloud Refresh is missing

[juliancheal]

When a user role only allows cloud and not infra refresh, that user
is denied refreshing as we only check for infra refresh.

Fixes BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1602413

This shows the roles defined:

[juliancheal]

Even with ems_cloud_refresh added, we still need additional checks. As I believe just by having either ems_cloud_refresh or ems_infra_refresh in a users role, they can perform refreshes over all Provider types, which may not be the desired outcome.

[juliancheal]

@miq-bot assign @gtanzillo

[juliancheal]

@gtanzillo I need to add some tests to confirm/deny my comment
#428 (comment), but apart from that, this'll fix the BZ.

[juliancheal]

Also I don't like where I've added ems_cloud_refresh, I would prefer a separate ems_cloud_* section.

And the same could be true for other provider types too.

[juliancheal]

@miq-bot add_label bug, gaprindashvili/yes

[Fryguy]

I've not seen multiple "names" in the list before, so I'm not sure what happens... Is there an example of this elsewhere in the file? @abellotti ?

[juliancheal]

@Fryguy Yeah exactly, I just put it there "for now" so it was easier for me tbh to comment out ems_infra_refresh during testing 😂

[juliancheal]

@Fryguy @abellotti I've moved the cloud refresh lines now.

[gtanzillo]

LGTM 👍 @abellotti, you ok with merging this?

[abellotti]

We need tests.

[juliancheal]

@abellotti Good reminder thanks. I assume there are existing tests I can look at to create new ones for this. Do you know what/where those tests are?

Sorry I'm still learning the API :)

[abellotti]

this is off, we already have a refresh action, maybe your intent was to add the identifier to the refresh above on line 2076, similar to what query does to allow for 2 identifiers. so they can so a refresh if they have the ems_infra_refresh or ems_cloud_refresh role. In which case we have the refresh test, we could add another test to make sure refresh works with ems_cloud_refresh too.

[juliancheal]

I moved to here after a comment by Jason. Should I put it underneath identifier: ems_infra_refresh

Yes my intent was to allow a user to refresh if they have either ems_infra_refresh or ems_cloud_refresh role

[abellotti]

yes please, that's the intent of the multiple identifiers in the actions list (user must have at least one such role).

[abellotti]

I think for this we want the specific identifier, maybe api_basic_authorize('ems_cloud_refresh')

[juliancheal]

Does this look right @abellotti?

[abellotti]

If we're just testing the cloud refresh, we only want to test the ems_cloud_refresh identifier so probably drop the , collection_action_identifier(:providers, :refresh).

[juliancheal]

@gtanzillo The issues breaking the API repo have been fixed, so this is now green, if @abellotti agrees, should we merge this?

[juliancheal]

Ping @gtanzillo

[gtanzillo]

@abellotti You good with merging?

[miq-bot]

Checked commits https://github.com/juliancheal/manageiq-api/compare/8fba92b1f01b253902411d2abfc7e5ced4d09120~...55df8349b68d728db4f3c508b54ccc3404eae893 with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0
1 file checked, 0 offenses detected
Everything looks fine. 🍰

[juliancheal]

@abellotti @gtanzillo change made, all green ❇️

[abellotti]

Thanks @juliancheal for the update, LGTM!! 👍