[WIP] RBAC mappings for 'Systems'

java/code/src/com/redhat/rhn/frontend/action/groups/AddSystemsAction.java

@@ -15,7 +15,10 @@
 
 package com.redhat.rhn.frontend.action.groups;
 
+import static com.redhat.rhn.manager.user.UserManager.ensureAccess;
+
 import com.redhat.rhn.GlobalInstanceHolder;
+import com.redhat.rhn.domain.access.Namespace;
 import com.redhat.rhn.domain.server.ManagedServerGroup;
 import com.redhat.rhn.domain.server.Server;
 import com.redhat.rhn.domain.user.User;
@@ -56,6 +59,7 @@ public ActionForward handleDispatch(ListSessionSetHelper helper,
         RequestContext context = new RequestContext(request);
         ManagedServerGroup sg = context.lookupAndBindServerGroup();
         User user = context.getCurrentUser();
+        ensureAccess(user, "systems.groups.target_systems", Namespace.AccessMode.W);
         Set<String> set = helper.getSet();
         List<Server> servers = new LinkedList<>();
         for (String id : set) {

java/code/src/com/redhat/rhn/frontend/action/groups/AdminListAction.java

@@ -14,6 +14,9 @@
  */
 package com.redhat.rhn.frontend.action.groups;
 
+import static com.redhat.rhn.manager.user.UserManager.ensureAccess;
+
+import com.redhat.rhn.domain.access.Namespace;
 import com.redhat.rhn.domain.role.RoleFactory;
 import com.redhat.rhn.domain.server.ManagedServerGroup;
 import com.redhat.rhn.domain.server.ServerGroupFactory;
@@ -75,6 +78,7 @@ protected ActionForward handleDispatch(
         if (!UserManager.canAdministerSystemGroup(user, serverGroup)) {
             throw new PermissionCheckFailureException();
         }
+        ensureAccess(user, "systems.groups.admins", Namespace.AccessMode.W);
 
         long updated = 0;
         // remove admins

java/code/src/com/redhat/rhn/frontend/action/groups/ErrataSystemsAffectedAction.java

@@ -14,6 +14,9 @@
  */
 package com.redhat.rhn.frontend.action.groups;
 
+import static com.redhat.rhn.manager.user.UserManager.ensureAccess;
+
+import com.redhat.rhn.domain.access.Namespace;
 import com.redhat.rhn.domain.errata.Errata;
 import com.redhat.rhn.domain.rhnset.RhnSet;
 import com.redhat.rhn.domain.server.ManagedServerGroup;
@@ -68,6 +71,8 @@ protected ActionForward handleDispatch(
             ActionForm formIn, HttpServletRequest request,
             HttpServletResponse response) {
 
+        User user = new RequestContext(request).getCurrentUser();
+        ensureAccess(user, "systems.groups.patches", Namespace.AccessMode.W);
         RhnSet set = RhnSetDecl.SYSTEMS_AFFECTED.get(
             new RequestContext(request).getCurrentUser());
 

java/code/src/com/redhat/rhn/frontend/action/groups/ListRemoveSystemsAction.java

@@ -16,6 +16,7 @@
 package com.redhat.rhn.frontend.action.groups;
 
 import com.redhat.rhn.GlobalInstanceHolder;
+import com.redhat.rhn.domain.access.Namespace;
 import com.redhat.rhn.domain.server.ManagedServerGroup;
 import com.redhat.rhn.domain.server.Server;
 import com.redhat.rhn.domain.user.User;
@@ -25,6 +26,7 @@
 import com.redhat.rhn.frontend.taglibs.list.helper.ListSessionSetHelper;
 import com.redhat.rhn.manager.system.ServerGroupManager;
 import com.redhat.rhn.manager.system.SystemManager;
+import com.redhat.rhn.manager.user.UserManager;
 
 import org.apache.struts.action.ActionForm;
 import org.apache.struts.action.ActionForward;
@@ -56,6 +58,8 @@ public ActionForward handleDispatch(ListSessionSetHelper helper,
         RequestContext context = new RequestContext(request);
         ManagedServerGroup sg = context.lookupAndBindServerGroup();
         User user = context.getCurrentUser();
+        UserManager.ensureAccess(user, "systems.groups.systems", Namespace.AccessMode.W);
+
         Set<String> set = helper.getSet();
         List<Server> servers = new LinkedList<>();
         for (String id : set) {

java/code/src/com/redhat/rhn/frontend/action/systems/entitlements/SystemEntitlementsSubmitAction.java

@@ -17,6 +17,7 @@
 import com.redhat.rhn.GlobalInstanceHolder;
 import com.redhat.rhn.common.db.datasource.DataResult;
 import com.redhat.rhn.common.validator.ValidatorResult;
+import com.redhat.rhn.domain.access.Namespace;
 import com.redhat.rhn.domain.entitlement.Entitlement;
 import com.redhat.rhn.domain.rhnset.RhnSet;
 import com.redhat.rhn.domain.rhnset.RhnSetElement;
@@ -32,6 +33,7 @@
 import com.redhat.rhn.manager.rhnset.RhnSetDecl;
 import com.redhat.rhn.manager.system.SystemManager;
 import com.redhat.rhn.manager.system.entitling.SystemEntitlementManager;
+import com.redhat.rhn.manager.user.UserManager;
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -154,6 +156,10 @@ public ActionForward operateAddOnEntitlements(ActionMapping mapping,
             boolean add) {
         log.debug("operateAddOnEntitlements");
 
+        RequestContext rctx = new RequestContext(request);
+        User user = rctx.getCurrentUser();
+        UserManager.ensureAccess(user, "systems.list", Namespace.AccessMode.W);
+
         RhnSet set = updateSet(request);
 
         //if they chose no probe suites, return to the same page with a message
@@ -162,8 +168,6 @@ public ActionForward operateAddOnEntitlements(ActionMapping mapping,
         }
 
         Map<String, Object> params = makeParamMap(formIn, request);
-        RequestContext rctx = new RequestContext(request);
-        User user = rctx.getCurrentUser();
 
         int successCount = 0;
         int failureCount = 0;

java/code/src/com/redhat/rhn/frontend/action/systems/groups/ListRemoveGroupsAction.java

@@ -15,7 +15,10 @@
 
 package com.redhat.rhn.frontend.action.systems.groups;
 
+import static com.redhat.rhn.manager.user.UserManager.ensureAccess;
+
 import com.redhat.rhn.GlobalInstanceHolder;
+import com.redhat.rhn.domain.access.Namespace;
 import com.redhat.rhn.domain.server.ManagedServerGroup;
 import com.redhat.rhn.domain.server.Server;
 import com.redhat.rhn.domain.server.ServerGroup;
@@ -76,6 +79,7 @@ public ActionForward handleDispatch(
             HttpServletResponse response) {
         RequestContext context = new RequestContext(request);
         User user = context.getCurrentUser();
+        ensureAccess(user, "systems.groups.list", Namespace.AccessMode.W);
         Server server = context.lookupAndBindServer();
         List<Server> servers = new LinkedList<>();
         servers.add(server);

java/code/src/com/redhat/rhn/frontend/action/token/ActivationKeysListAction.java

@@ -14,6 +14,9 @@
  */
 package com.redhat.rhn.frontend.action.token;
 
+import static com.redhat.rhn.manager.user.UserManager.ensureAccess;
+
+import com.redhat.rhn.domain.access.Namespace;
 import com.redhat.rhn.domain.rhnset.RhnSet;
 import com.redhat.rhn.domain.token.Token;
 import com.redhat.rhn.domain.token.TokenFactory;
@@ -116,6 +119,7 @@ private ActionForward handleDispatchAction(ActionMapping mapping,
             RequestContext context, RhnSet set,
             List<ActivationKeyDto> currentKeys) {
         User user = context.getCurrentUser();
+        ensureAccess(user, "system.activation_keys.list", Namespace.AccessMode.W);
         int numEnabled = 0;
         int numDisabled = 0;
         for (ActivationKeyDto dto : currentKeys) {

java/code/src/com/redhat/rhn/frontend/action/token/configuration/ListRemoveChannelsAction.java

@@ -15,10 +15,14 @@
 
 package com.redhat.rhn.frontend.action.token.configuration;
 
+import static com.redhat.rhn.manager.user.UserManager.ensureAccess;
+
+import com.redhat.rhn.domain.access.Namespace;
 import com.redhat.rhn.domain.config.ConfigChannel;
 import com.redhat.rhn.domain.config.ConfigChannelListProcessor;
 import com.redhat.rhn.domain.config.ConfigurationFactory;
 import com.redhat.rhn.domain.token.ActivationKey;
+import com.redhat.rhn.domain.user.User;
 import com.redhat.rhn.frontend.action.token.BaseListAction;
 import com.redhat.rhn.frontend.dto.ConfigChannelDto;
 import com.redhat.rhn.frontend.struts.RequestContext;
@@ -52,14 +56,16 @@ public ActionForward handleDispatch(ListSessionSetHelper helper,
             ActionForm formIn, HttpServletRequest request,
             HttpServletResponse response) {
         RequestContext context = new RequestContext(request);
+        User user = context.getCurrentUser();
+        ensureAccess(user, "systems.activation_keys.config", Namespace.AccessMode.W);
         ActivationKey key = context.lookupAndBindActivationKey();
         ConfigChannelListProcessor proc = new ConfigChannelListProcessor();
         Set<String> set = helper.getSet();
 
         for (String id : set) {
             Long ccid = Long.valueOf(id);
             ConfigChannel cc = ConfigurationFactory.lookupConfigChannelById(ccid);
-            proc.remove(key.getConfigChannelsFor(context.getCurrentUser()), cc);
+            proc.remove(key.getConfigChannelsFor(user), cc);
         }
         getStrutsDelegate().saveMessage(
                     "config_channels_to_unsubscribe.unsubscribe.success",

java/code/src/com/redhat/rhn/frontend/action/token/groups/ListRemoveGroupsAction.java

@@ -15,7 +15,10 @@
 
 package com.redhat.rhn.frontend.action.token.groups;
 
+import static com.redhat.rhn.manager.user.UserManager.ensureAccess;
+
 import com.redhat.rhn.GlobalInstanceHolder;
+import com.redhat.rhn.domain.access.Namespace;
 import com.redhat.rhn.domain.server.ManagedServerGroup;
 import com.redhat.rhn.domain.token.ActivationKey;
 import com.redhat.rhn.domain.user.User;
@@ -56,6 +59,7 @@ public ActionForward handleDispatch(ListSessionSetHelper helper,
         RequestContext context = new RequestContext(request);
         ActivationKey key = context.lookupAndBindActivationKey();
         User user = context.getCurrentUser();
+        ensureAccess(user, "systems.activation_keys.groups", Namespace.AccessMode.W);
         Set<String> set = helper.getSet();
         for (String id : set) {
             Long sgid = Long.valueOf(id);

schema/rbac/data/endpoints/systems.csv

@@ -1,54 +1,56 @@
 class_method,endpoint,http_method,scope,authorized,namespace,access_mode
 
+# Many of the struts handlers handle table/list selection besides actual 'Modify'
+# operations on the same POST route. These POST routes are mapped as 'View' in the DB.
+# 'Modify' access is enforced for specific modify operations in the controller methods.
+# TODO: grep 'ensureAccess' in java to find the additional namespaces to be inserted.
+
 # Systems list
-# TODO: List pages do a POST to SSM, ignore the 403 (or not?)
 ,/manager/systems/list/all,GET,W,t,systems.list,R
 ,/manager/systems/list/virtual,GET,W,t,systems.list,R
 ,/manager/api/systems/list/all,GET,W,t,systems.list,R
 ,/manager/api/systems/list/virtual,GET,W,t,systems.list,R
 ,/systems/BootstrapSystemList.do,GET,W,t,systems.list,R
-# TODO: 'Delete selected' is also handled by the same POST pathts
+
 ,/systems/DuplicateIPList.do,GET,W,t,systems.list,R
-,/systems/DuplicateIPList.do,POST,W,t,systems.list,W
+,/systems/DuplicateIPList.do,POST,W,t,systems.list,R
 ,/systems/DuplicateIPv6List.do,GET,W,t,systems.list,R
-,/systems/DuplicateIPv6List.do,POST,W,t,systems.list,W
+,/systems/DuplicateIPv6List.do,POST,W,t,systems.list,R
 ,/systems/DuplicateHostName.do,GET,W,t,systems.list,R
-,/systems/DuplicateHostName.do,POST,W,t,systems.list,W
+,/systems/DuplicateHostName.do,POST,W,t,systems.list,R
 ,/systems/DuplicateMacAddress.do,GET,W,t,systems.list,R
-,/systems/DuplicateMacAddress.do,POST,W,t,systems.list,W
+,/systems/DuplicateMacAddress.do,POST,W,t,systems.list,R
+# TODO: Duplicate systems 'Delete'
+
 ,/systems/SystemCurrency.do,GET,W,t,systems.list,R
 ,/systems/SystemCurrency.do,POST,W,t,systems.list,R
-# TODO: 'Add/remove system type' is also handled by the same POST path
 ,/systems/SystemEntitlements.do,GET,W,t,systems.list,R
-,/systems/SystemEntitlementsSubmit.do,POST,W,t,systems.list,W
+,/systems/SystemEntitlementsSubmit.do,POST,W,t,systems.list,R
 ,/manager/systems/csv/all,GET,W,t,systems.list,R
 ,/manager/systems/csv/virtualSystems,GET,W,t,systems.list,R
-# TODO: POST path also handles SSM
-,/systems/SystemGroupList.do,GET,W,t,systems.groups.list,R
-,/systems/SystemGroupList.do,POST,W,t,systems.groups.list,R
 
 # System groups
+
+,/systems/SystemGroupList.do,GET,W,t,systems.groups.list,R
+,/systems/SystemGroupList.do,POST,W,t,systems.groups.list,R
+,/systems/WorkWithGroup.do,GET,W,t,systems.groups.details,R
 ,/groups/GroupDetail.do,GET,W,t,systems.groups.details,R
 ,/groups/EditGroup.do,GET,W,t,systems.groups.details,W
 ,/groups/EditGroup.do,POST,W,t,systems.groups.details,W
 ,/groups/Delete.do,GET,W,t,systems.groups.details.delete,W
 ,/groups/Delete.do,POST,W,t,systems.groups.details.delete,W
-# TODO: POST path also handles SSM and Remove
 ,/groups/ListRemoveSystems.do,GET,W,t,systems.groups.systems,R
-,/groups/ListRemoveSystems.do,POST,W,t,systems.groups.systems,W
-# TODO: POST path also handles SSM and Add
+,/groups/ListRemoveSystems.do,POST,W,t,systems.groups.systems,R
 ,/groups/AddSystems.do,GET,W,t,systems.groups.target_systems,W
 ,/groups/AddSystems.do,POST,W,t,systems.groups.target_systems,W
-# TODO: Move to system.details.software.errata ..etc
+# TODO: ? Move to system.details.software.errata ..etc
 ,/groups/ListErrata.do,GET,W,t,systems.groups.patches,R
 ,/groups/ListErrata.do,POST,W,t,systems.groups.patches,R
-# TODO: POST path also handles SSM and patch apply
-# TODO: Move to system.details.software.errata ..etc
+# TODO: ? Move to system.details.software.errata ..etc
 ,/groups/SystemsAffected.do,GET,W,t,systems.groups.patches,R
 ,/groups/SystemsAffected.do,POST,W,t,systems.groups.patches,R
-# TODO: POST path also handles Update
 ,/groups/AdminList.do,GET,W,t,systems.groups.admins,R
-,/groups/AdminList.do,POST,W,t,systems.groups.admins,W
+,/groups/AdminList.do,POST,W,t,systems.groups.admins,R
 
 # System details
 # TODO: systems/details/Connection.do
@@ -86,6 +88,10 @@ class_method,endpoint,http_method,scope,authorized,namespace,access_mode
 ,/systems/details/SystemMigrate.do,GET,W,t,systems.details.transfer,W
 ,/systems/details/SystemMigrate.do,POST,W,t,systems.details.transfer,W
 
+# SSM add/remove (unauthorized)
+,/systems/details/RemoveFromSSM.do,GET,W,f,systems.details.overview,R
+,/systems/details/AddToSSM.do,GET,W,f,systems.details.overview,R
+
 # System software
 ,/systems/details/packages/Packages.do,GET,W,t,systems.software.packages,R
 ,/systems/details/packages/Packages.do,POST,W,t,systems.software.refresh,W
@@ -127,11 +133,6 @@ class_method,endpoint,http_method,scope,authorized,namespace,access_mode
 ,/systems/details/SPMigration.do,GET,W,t,systems.software.migration,W
 ,/systems/details/SPMigration.do,POST,W,t,systems.software.migration,W
 
-# TODO: Add/Remove to/from SSM endpoints
-
-# TODO: SSM (maybe always allow?)
-# ,/systems/WorkWithGroup.do,GET,W,t,?,?
-
 # TODO: CSV download should be split and grouped together with the list namespaces(OR always allow CSV via list page)
 # ,/CSVDownloadAction.do,GET,W,t,?,?
 
@@ -158,7 +159,6 @@ class_method,endpoint,http_method,scope,authorized,namespace,access_mode
 ,/systems/details/configuration/RankChannels.do,POST,W,t,systems.config.channels,W
 
 # System groups
-# TODO: Select All POST
 ,/systems/details/groups/ListRemove.do,GET,W,t,systems.groups.list,R
 ,/systems/details/groups/ListRemove.do,POST,W,t,systems.groups.list,R
 ,/systems/details/groups/Add.do,GET,W,t,systems.groups.join,W
@@ -201,7 +201,6 @@ class_method,endpoint,http_method,scope,authorized,namespace,access_mode
 ,/manager/api/recurringactions/:id/delete,DELETE,W,t,systems.recurring,W
 
 # System Events
-# TODO: Pagination POST
 ,/systems/details/history/Pending.do,GET,W,t,systems.events,R
 ,/systems/details/history/Pending.do,POST,W,t,systems.events,W
 ,/systems/details/history/History.do,GET,W,t,systems.events,R
@@ -223,9 +222,8 @@ class_method,endpoint,http_method,scope,authorized,namespace,access_mode
 ,/systems/Search.do,POST,W,t,systems.search,R
 
 # Activation keys
-# TODO: Pagination POST
 ,/activationkeys/List.do,GET,W,t,systems.activation_keys.list,R
-,/activationkeys/List.do,POST,W,t,systems.activation_keys.list,W
+,/activationkeys/List.do,POST,W,t,systems.activation_keys.list,R
 ,/activationkeys/Create.do,GET,W,t,systems.activation_keys.details,W
 ,/activationkeys/Create.do,POST,W,t,systems.activation_keys.details,W
 ,/activationkeys/Edit.do,GET,W,t,systems.activation_keys.details,R
@@ -236,19 +234,15 @@ class_method,endpoint,http_method,scope,authorized,namespace,access_mode
 ,/activationkeys/Edit.do,POST,W,t,systems.activation_keys.details,W
 ,/activationkeys/packages/Packages.do,GET,W,t,systems.activation_keys.packages,R
 ,/activationkeys/packages/Packages.do,POST,W,t,systems.activation_keys.packages,W
-# TODO: Pagination POST
 ,/activationkeys/configuration/List.do,GET,W,t,systems.activation_keys.config,R
-,/activationkeys/configuration/List.do,POST,W,t,systems.activation_keys.config,W
-# TODO: Pagination POST
+,/activationkeys/configuration/List.do,POST,W,t,systems.activation_keys.config,R
 ,/activationkeys/configuration/Subscribe.do,GET,W,t,systems.activation_keys.config,W
 ,/activationkeys/configuration/Subscribe.do,POST,W,t,systems.activation_keys.config,W
 ,/activationkeys/configuration/Rank.do,GET,W,t,systems.activation_keys.config,W
 ,/activationkeys/configuration/Rank.do,POST,W,t,systems.activation_keys.config,W
 
-# TODO: Pagination POST
-,/activationkeys/groups/List.do,GET,W,t,systems.activation_keys.groups,W
-,/activationkeys/groups/List.do,POST,W,t,systems.activation_keys.groups,W
-# TODO: Pagination POST
+,/activationkeys/groups/List.do,GET,W,t,systems.activation_keys.groups,R
+,/activationkeys/groups/List.do,POST,W,t,systems.activation_keys.groups,R
 ,/activationkeys/groups/Add.do,GET,W,t,systems.activation_keys.groups,W
 ,/activationkeys/groups/Add.do,POST,W,t,systems.activation_keys.groups,W
 
@@ -264,15 +258,13 @@ class_method,endpoint,http_method,scope,authorized,namespace,access_mode
 ,/profiles/List.do,GET,W,t,systems.profiles,R
 ,/profiles/Details.do,GET,W,t,systems.profiles,R
 ,/profiles/Details.do,POST,W,t,systems.profiles,W
-# TODO: Pagination POST
 ,/profiles/PackageList.do,GET,W,t,systems.profiles,R
 ,/profiles/PackageList.do,POST,W,t,systems.profiles,R
 ,/profiles/Delete.do,GET,W,t,systems.profiles,W
 ,/profiles/Delete.do,POST,W,t,systems.profiles,W
 
 # Custom keys
 # TODO: Download CSV action
-# TODO: Post pagination
 ,/systems/customdata/CustomDataList.do,GET,W,t,systems.custom_data,R
 ,/systems/customdata/CustomDataList.do,POST,W,t,systems.custom_data,R
 ,/systems/customdata/CreateCustomKey.do,GET,W,t,systems.custom_data,W

schema/rbac/data/endpoints/unauthorized.csv

@@ -20,3 +20,7 @@ com.redhat.rhn.frontend.xmlrpc.api.ApiHandler.productName,/manager/api/api/produ
 com.redhat.rhn.frontend.xmlrpc.sync.master.MasterHandler.hasMaster,/manager/api/sync/master/hasMaster,GET,A,f,,
 ,/ajax/item-selector,POST,W,f,,
 ,/manager/frontend-log,POST,W,f,,
+
+# SSM
+,/manager/api/sets/:label,POST,W,f,,
+,/manager/api/sets/:label/clear,POST,W,f,,