RHINENG-18385: allow 'equal' opration in resourceDefinitions

Author: MichaelMraka

manager/middlewares/rbac.go

@@ -161,9 +161,7 @@ func findInventoryGroups(access *rbac.AccessPagination) (map[string]string, erro
 				continue
 			}
 
-			// https://github.com/RedHatInsights/insights-host-inventory/
-			//     blob/a7c8a7c980012c89e18ec0f7074609e216b37a8d/lib/middleware.py#L124
-			if rd.AttributeFilter.Operation != "in" {
+			if rd.AttributeFilter.Operation != "in" && rd.AttributeFilter.Operation != "equal" {
 				err := fmt.Errorf(
 					"invalid value '%s' for attributeFilter.Operation",
 					rd.AttributeFilter.Operation,

manager/middlewares/rbac_test.go

@@ -3,6 +3,7 @@ package middlewares
 import (
 	"app/base/rbac"
 	"app/base/utils"
+	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -412,3 +413,104 @@ func TestMultiplePermissions(t *testing.T) {
 	assert.True(t, checkPermissions(&access, handler, "GET"))
 	assert.False(t, checkPermissions(&access, handler, "DELETE"))
 }
+
+func TestPermissionsAllowedOperations(t *testing.T) {
+	handler := "SystemsListHandler"
+	access := rbac.AccessPagination{}
+	data := `{"data": [
+    {
+      "resourceDefinitions": [],
+      "permission": "patch:*:read"
+    },
+    {
+      "resourceDefinitions": [
+        {
+          "attributeFilter": {
+            "key": "group.id",
+            "value": "00000000-f688-49d4-a8e2-87394f1ac1b1",
+            "operation": "equal"
+          }
+        }
+      ],
+      "permission": "inventory:hosts:read"
+    },
+    {
+      "resourceDefinitions": [
+        {
+          "attributeFilter": {
+            "key": "group.id",
+            "value": [ "00000000-f7a6-45a1-b5a8-410f20052fb1", "00000000-78e0-4cad-bf01-63cf1e4b1dca" ],
+            "operation": "in"
+          }
+        }
+      ],
+      "permission": "inventory:hosts:read"
+    },
+    {
+      "resourceDefinitions": [
+        {
+          "attributeFilter": {
+            "key": "group.id",
+            "value": [ "00000000-f688-49d4-a8e2-ee394f1ac1b1" ],
+            "operation": "in"
+          }
+        }
+      ],
+      "permission": "inventory:hosts:read"
+    },
+    {
+      "resourceDefinitions": [
+        {
+          "attributeFilter": {
+            "key": "group.id",
+            "value": null,
+            "operation": "equal"
+          }
+        }
+      ],
+      "permission": "inventory:hosts:read"
+    }
+  ]
+}
+	`
+	err := json.Unmarshal([]byte(data), &access)
+	assert.NoError(t, err)
+	assert.True(t, checkPermissions(&access, handler, "GET"))
+	groups, err := findInventoryGroups(&access)
+	assert.NoError(t, err)
+	assert.Equal(t, "[]", groups["ungrouped"])
+	assert.Equal(t, `{"[{\"id\":\"00000000-f688-49d4-a8e2-87394f1ac1b1\"}]",`+
+		`"[{\"id\":\"00000000-f7a6-45a1-b5a8-410f20052fb1\"}]",`+
+		`"[{\"id\":\"00000000-78e0-4cad-bf01-63cf1e4b1dca\"}]",`+
+		`"[{\"id\":\"00000000-f688-49d4-a8e2-ee394f1ac1b1\"}]"}`, groups["grouped"])
+}
+
+func TestPermissionsUnknownOperation(t *testing.T) {
+	handler := "SystemsListHandler"
+	access := rbac.AccessPagination{}
+	data := `{"data": [
+    {
+      "resourceDefinitions": [],
+      "permission": "patch:*:read"
+    },
+    {
+      "resourceDefinitions": [
+        {
+          "attributeFilter": {
+            "key": "group.id",
+            "value": "00000000-f688-49d4-a8e2-87394f1ac1b1",
+            "operation": "not_in"
+          }
+        }
+      ],
+      "permission": "inventory:hosts:read"
+    }
+  ]
+}
+	`
+	err := json.Unmarshal([]byte(data), &access)
+	assert.NoError(t, err)
+	assert.True(t, checkPermissions(&access, handler, "GET"))
+	_, err = findInventoryGroups(&access)
+	assert.EqualError(t, err, "invalid value 'not_in' for attributeFilter.Operation")
+}