Limit listRoles API visibility #8639

Merged
DaanHoogland merged 2 commits into apache:main from scclouds:fix-role-visibility
May 7, 2024

Conversation

hsato03 (Member) commented Feb 9, 2024

Description

When calling the listRoles API, users can see roles with more permissions than theirs.

Therefore, the behavior of the listRoles API was changed so that users can only see roles that their role has permission to access (roles with same and less permissions).

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • build/CI

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

  1. I created a custom role based on User role and added the listRoles API to it.
  2. I created an account using the role from step 1 and logged into it.
  3. I called the listRoles API via CloudMonkey and verified that the roles with more permissions than mine were not listed, such as default admin roles.
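The visibility rule the description states (a caller only sees roles with the same or fewer permissions), as an added illustration that is not CloudStack's own RoleManagerImpl code; it assumes a simplified model in which a role is just the set of API names it may call and uses the parameter names proposed in review (sourceRolePermissions, targetRole):

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Hypothetical model, not CloudStack's implementation: a role is the set of API
// names it is allowed to call. A caller may see a target role only when the
// target grants nothing that the caller's own role does not also grant.
public class RoleVisibilityExample {
    record Role(String name, boolean isDefault, Set<String> allowedApis) {}

    // Same contract as the reviewed helper's javadoc: true if the target role can
    // be accessed with the given (caller) permissions, false otherwise.
    static boolean canAccessRole(Set<String> sourceRolePermissions, Role targetRole) {
        return sourceRolePermissions.containsAll(targetRole.allowedApis());
    }

    // listRoles as the caller should see it after the change: every role whose
    // permissions are a subset of (or equal to) the caller's is kept, any role
    // granting an API the caller lacks is dropped.
    static List<Role> listRoles(Set<String> callerPermissions, List<Role> allRoles) {
        return allRoles.stream()
                .filter(role -> canAccessRole(callerPermissions, role))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample roles; the API name lists are illustrative only.
        Set<String> userApis = Set.of("listVirtualMachines", "deployVirtualMachine");
        Set<String> customApis = new HashSet<>(userApis);
        customApis.add("listRoles"); // the custom role from the PR's test steps
        Role admin = new Role("Admin", true, Set.of("listVirtualMachines",
                "deployVirtualMachine", "listRoles", "createRole", "updateRole"));
        Role user = new Role("User", true, userApis);
        Role custom = new Role("list-roles-test", false, customApis);

        // Caller holds the custom role: Admin grants createRole/updateRole that the
        // caller lacks, so it is filtered out; User and list-roles-test remain.
        for (Role visible : listRoles(custom.allowedApis(), List.of(admin, user, custom))) {
            System.out.println(visible.name() + " (default=" + visible.isDefault() + ")");
        }
    }
}
```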

DaanHoogland (Contributor) left a comment:

clgtm and unit-test included, but i think some monkey testing is still in order

codecov bot commented Feb 12, 2024

Codecov Report

Attention: 4 lines in your changes are missing coverage. Please review.

Comparison is base (49cecae) 30.37% compared to head (3dd46d3) 30.78%.
Report is 30 commits behind head on main.

Files Patch % Lines
...ava/org/apache/cloudstack/acl/RoleManagerImpl.java 89.47% 1 Missing and 3 partials ⚠️
@@             Coverage Diff              @@
##               main    #8639      +/-   ##
============================================
+ Coverage     30.37%   30.78%   +0.41%     
- Complexity    32633    33113     +480     
============================================
  Files          5352     5353       +1     
  Lines        374419   374635     +216     
  Branches      54609    54645      +36     
============================================
+ Hits         113719   115348    +1629     
+ Misses       245523   243994    -1529     
- Partials      15177    15293     +116     
Flag Coverage Δ
simulator-marvin-tests 24.66% <69.23%> (+0.51%) ⬆️
uitests 4.38% <ø> (-0.01%) ⬇️
unit-tests 16.44% <64.10%> (+0.02%) ⬆️


Comment on lines +425 to +427
* @param rolePermissions the permissions of the caller role.
* @param roleToAccess the role that the caller role wants to access.
* @return True if the role can be accessed with the given permissions; false otherwise.
Contributor:

@hsato03, what do you think about naming these parameters as sourceRolePermissions and targetRole? IMO, it seems more intuitive. What do you think?

hsato03 (Member, Author):

Yes, I agree.

@DaanHoogland DaanHoogland added this to the 20.0.0 milestone Feb 16, 2024
GutoVeronezi (Contributor) left a comment:

CLGTM

JoaoJandre (Contributor):

@blueorangutan package

blueorangutan:

@JoaoJandre a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

blueorangutan:

Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 9277

JoaoJandre (Contributor):

@DaanHoogland @sureshanaparti @rohityadavcloud @shwstppr could we run the CI here?

DaanHoogland (Contributor):

@blueorangutan test

blueorangutan:

@DaanHoogland a [SL] Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

blueorangutan:

[SF] Trillian Build Failed (tid-9857)

BryanMLima (Contributor):

@blueorangutan package

blueorangutan:

@BryanMLima a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

blueorangutan:

Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 9407

DaanHoogland (Contributor):

@blueorangutan test

blueorangutan:

@DaanHoogland a [SL] Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

blueorangutan:

[SF] Trillian test result (tid-10015)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 54141 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr8639-t10015-kvm-centos7.zip
Smoke tests completed. 129 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_01_events_resource Error 434.56 test_events_resource.py

bernardodemarco (Member) left a comment:

LGTM, I manually tested the PR in a local environment.

  1. I created a role called list-roles-test based on the User role.
  2. I added the listRoles API to the created role.
  3. I created an account called list-roles-test-account with the custom role.
  4. Through CloudMonkey, I created a profile for the account and I executed the sync command.
  5. I called the listRoles API and I got the following output:
(test-roles-api) 🐱 > listRoles
{
  "count": 2,
  "role": [
    {
      "description": "Default user role",
      "id": "8cead084-771e-11ee-8e59-5254003754dc",
      "isdefault": true,
      "ispublic": true,
      "name": "User",
      "type": "User"
    },
    {
      "id": "ca565c1b-8589-4a78-b7eb-531d5505cadd",
      "isdefault": false,
      "ispublic": true,
      "name": "list-roles-test",
      "type": "User"
    }
  ]
}
  6. As can be seen, the default admin roles and the ones with more permissions than the list-roles-test role do not appear in the API's response.

@DaanHoogland DaanHoogland merged commit 0d1bc7d into apache:main May 7, 2024
dhslove pushed a commit to ablecloud-team/ablestack-cloud that referenced this pull request May 17, 2024
Co-authored-by: Henrique Sato <henrique.sato@scclouds.com.br>