foreman_rh_cloud 14.1.3 → 14.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 89c6b782cc34fb3ffc4f13ad66c435c5729028df995e7bdba1c15e668a72fe89
-  data.tar.gz: 356fb55567950b341b4509f6ee39e30b24127c695b3924765070167800595f44
+  metadata.gz: 91157d5050744236651134413110454e4d595e1e25644eb1676d58e4990476d1
+  data.tar.gz: acb8689d93c1d2aedf280049ff18075ad7989693ef75fea5a8b1babef63b447c
 SHA512:
-  metadata.gz: 8bdb9ff78ed0950bd67f5bcc1483a0f2568af9a3462633ef6fc25d061bf942712d416d717f43e3dcef448dddb11cc6f7b9ad1fe62d6530ad2dbf44af3a3eb4a6
-  data.tar.gz: f55334cb175a624ae8aeb21242b609ce8af3c49061c7e09b460b46fef3d3239cab42232c0c52eb043ed345a661b331409545344f24e89e46e3fb9a782666e1bc
+  metadata.gz: 5f2378f058fde9220f4fa8ca17a094dfe6e32f3f33456304c0178ca3b5023abf8b6bfd09fdcbff064e914e063c4fc6a9b66536d6703e259a4f28569202c37813
+  data.tar.gz: 1d0adbd1839a3e73eada13ca910522407af5a66e838934ad327f8c36cb41058f5693c7d5d646caa3b7b1fba71670e184f24df1ee90b122d4fdd7f05338a845de

data/app/services/foreman_rh_cloud/insights_api_forwarder.rb

@@ -8,6 +8,30 @@ module ForemanRhCloud
     #
     # Foreman Permission   | Paths
     # ---------------------|--------------------------------------------------
+    # view_compliance      | GET /api/inventory/v1/hosts(/*)
+    # view_compliance      | GET /api/compliance/v2/systems
+    # view_compliance      | GET /api/compliance/v2/systems/{system_id}
+    # view_compliance      | GET /api/compliance/v2/systems/os_versions
+    # view_compliance      | GET /api/compliance/v2/systems/{system_id}/policies
+    # view_compliance      | GET /api/compliance/v2/systems/{system_id}/reports
+    # view_compliance      | GET /api/compliance/v2/reports/{report_id}/systems
+    # view_compliance      | GET /api/compliance/v2/reports/{report_id}/systems/{system_id}
+    # view_compliance      | GET /api/compliance/v2/reports/{report_id}/systems/os_versions
+    # view_compliance      | GET /api/compliance/v2/policies/{policy_id}/systems/os_versions
+    # view_compliance      | GET /api/compliance/v2/*
+    # edit_compliance      | POST /api/compliance/v2/policies
+    # edit_compliance      | DELETE /api/compliance/v2/policies/{policy_id}
+    # edit_compliance      | PATCH /api/compliance/v2/policies/{policy_id}
+    # edit_compliance      | POST /api/compliance/v2/policies/{policy_id}/systems
+    # edit_compliance      | DELETE /api/compliance/v2/policies/{policy_id}/systems/{system_id}
+    # edit_compliance      | PATCH /api/compliance/v2/policies/{policy_id}/systems/{system_id}
+    # edit_compliance      | POST /api/compliance/v2/policies/{policy_id}/tailorings
+    # edit_compliance      | PATCH /api/compliance/v2/policies/{policy_id}/tailorings/{tailoring_id}
+    # edit_compliance      | POST /api/compliance/v2/policies/{policy_id}/tailorings/{tailoring_id}/rules
+    # edit_compliance      | DELETE /api/compliance/v2/policies/{policy_id}/tailorings/{tailoring_id}/rules/{rule_id}
+    # edit_compliance      | PATCH /api/compliance/v2/policies/{policy_id}/tailorings/{tailoring_id}/rules/{rule_id}
+    # edit_compliance      | DELETE /api/compliance/v2/reports/{report_id}
+    #
     # view_vulnerability   | GET /api/inventory/v1/hosts(/*)
     # view_vulnerability   | GET /api/vulnerability/v1/*
     #                      | POST /api/vulnerability/v1/vulnerabilities/cves
@@ -24,12 +48,140 @@ module ForemanRhCloud
     #                      | POST /api/insights/v1/rule/{rule_id}/unack_hosts/
     #
     SCOPED_REQUESTS = [
-      # Inventory hosts - requires view_vulnerability for GET
+      # Inventory hosts - shared dependency;
+      #                 - requires view_compliance or view_vulnerability for GET
       {
         test: %r{api/inventory/v1/hosts(/.*)?$},
         tag_name: :tags,
         permissions: {
-          'GET' => :view_vulnerability,
+          'GET' => [:view_compliance, :view_vulnerability],
+        },
+      },
+      # Policies - requires view_compliance for GET, edit_compliance for POST/DELETE/PATCH
+      {
+        test: %r{api/compliance/v2/policies(/[^/]*)?$},
+        permissions: {
+          'GET' => :view_compliance,
+          'POST' => :edit_compliance,
+          'DELETE' => :edit_compliance,
+          'PATCH' => :edit_compliance,
+        },
+      },
+      # System and policies assigned to them - requires view_compliance for GET, edit_compliance for POST/DELETE/PATCH
+      {
+        test: %r{api/compliance/v2/policies/[^/]+/systems(/[^/]*)?$},
+        tag_name: :tags,
+        permissions: {
+          'GET' => :view_compliance,
+          'POST' => :edit_compliance,
+          'DELETE' => :edit_compliance,
+          'PATCH' => :edit_compliance,
+        },
+      },
+      # Tailorings of assigned policies - requires view_compliance for GET, edit_compliance for POST/PATCH
+      {
+        test: %r{api/compliance/v2/policies/[^/]+/tailorings(/[^/]*)?$},
+        permissions: {
+          'GET' => :view_compliance,
+          'POST' => :edit_compliance,
+          'PATCH' => :edit_compliance,
+        },
+      },
+      # Rules of Tailorings - requires view_compliance for GET, edit_compliance for POST/DELETE/PATCH
+      {
+        test: %r{api/compliance/v2/policies/[^/]+/tailorings/[^/]+/rules(/[^/]*)?$},
+        permissions: {
+          'GET' => :view_compliance,
+          'POST' => :edit_compliance,
+          'DELETE' => :edit_compliance,
+          'PATCH' => :edit_compliance,
+        },
+      },
+      # Compliance Reports - requires view_compliance for GET, edit_compliance for DELETE
+      {
+        test: %r{api/compliance/v2/reports(/[^/]*)?$},
+        permissions: {
+          'GET' => :view_compliance,
+          'DELETE' => :edit_compliance,
+        },
+      },
+      # Systems assigned to a report - requires view_compliance for GET
+      {
+        test: %r{api/compliance/v2/reports/[^/]+/systems$},
+        tag_name: :tags,
+        permissions: {
+          'GET' => :view_compliance,
+        },
+      },
+      # Individual system in a report - requires view_compliance for GET
+      {
+        test: %r{api/compliance/v2/reports/[^/]+/systems/[^/]+$},
+        tag_name: :tags,
+        permissions: {
+          'GET' => :view_compliance,
+        },
+      },
+      # OS versions for systems in a report - requires view_compliance for GET
+      {
+        test: %r{api/compliance/v2/reports/[^/]+/systems/os_versions$},
+        tag_name: :tags,
+        permissions: {
+          'GET' => :view_compliance,
+        },
+      },
+      # OS versions for systems in a policy - requires view_compliance for GET
+      {
+        test: %r{api/compliance/v2/policies/[^/]+/systems/os_versions$},
+        tag_name: :tags,
+        permissions: {
+          'GET' => :view_compliance,
+        },
+      },
+      # Compliance Systems list - requires view_compliance for GET
+      {
+        test: %r{api/compliance/v2/systems$},
+        tag_name: :tags,
+        permissions: {
+          'GET' => :view_compliance,
+        },
+      },
+      # Individual compliance system - requires view_compliance for GET
+      {
+        test: %r{api/compliance/v2/systems/[^/]+$},
+        tag_name: :tags,
+        permissions: {
+          'GET' => :view_compliance,
+        },
+      },
+      # OS versions for all systems - requires view_compliance for GET
+      {
+        test: %r{api/compliance/v2/systems/os_versions$},
+        tag_name: :tags,
+        permissions: {
+          'GET' => :view_compliance,
+        },
+      },
+      # Policies for a specific system - requires view_compliance for GET
+      {
+        test: %r{api/compliance/v2/systems/[^/]+/policies$},
+        tag_name: :tags,
+        permissions: {
+          'GET' => :view_compliance,
+        },
+      },
+      # Reports for a specific system - requires view_compliance for GET
+      {
+        test: %r{api/compliance/v2/systems/[^/]+/reports$},
+        tag_name: :tags,
+        permissions: {
+          'GET' => :view_compliance,
+        },
+      },
+      # Other compliance endpoints - GET requires view_compliance
+      {
+        test: %r{api/compliance/v2/.*},
+        permissions: {
+          'GET' => :view_compliance,
         },
       },
       # Vulnerability CVEs list - POST requires view_vulnerability (no tags support per OpenAPI spec)
@@ -136,9 +288,9 @@ module ForemanRhCloud
 
     def forward_request(original_request, path, controller_name, user, organization, location)
       # Check permissions before forwarding
-      permission = required_permission_for(path, original_request.request_method)
-      if permission && !user&.can?(permission)
-        logger.warn("User #{user&.login || 'anonymous'} lacks permission #{permission} for #{original_request.request_method} #{path}")
+      permissions = required_permission_for(path, original_request.request_method)
+      if permissions && Array(permissions).none? { |p| user&.can?(p) }
+        logger.warn("User #{user&.login || 'anonymous'} lacks permissions #{Array(permissions).join(', ')} for #{original_request.request_method} #{path}")
         raise ::Foreman::PermissionMissingException.new(N_("You do not have permission to perform this action"))
       end
 

data/lib/foreman_rh_cloud/plugin.rb

@@ -71,6 +71,17 @@ module ForemanRhCloud
             :control_organization_insights,
             'insights_cloud/settings': [:set_org_parameter]
           )
+          # Insights Compliance permissions
+          permission(
+            :view_compliance,
+            {},
+            :resource_type => 'ForemanRhCloud'
+          )
+          permission(
+            :edit_compliance,
+            {},
+            :resource_type => 'ForemanRhCloud'
+          )
           # Insights Vulnerability permissions
           permission(
             :view_vulnerability,
@@ -98,19 +109,19 @@ module ForemanRhCloud
         # Core RH Cloud permissions for inventory upload and sync
         rh_cloud_permissions = [:view_foreman_rh_cloud, :generate_foreman_rh_cloud, :view_insights_hits, :dispatch_cloud_requests, :control_organization_insights]
 
-        # Insights application permissions (Vulnerability, Advisor)
-        insights_permissions = [:view_vulnerability, :edit_vulnerability, :view_advisor, :edit_advisor]
+        # Insights application permissions (Compliance, Vulnerability, Advisor)
+        insights_permissions = [:view_compliance, :edit_compliance, :view_vulnerability, :edit_vulnerability, :view_advisor, :edit_advisor]
 
         plugin_permissions = rh_cloud_permissions + insights_permissions
 
-        read_only_permissions = [:view_foreman_rh_cloud, :view_insights_hits, :view_vulnerability, :view_advisor]
+        read_only_permissions = [:view_foreman_rh_cloud, :view_insights_hits, :view_compliance, :view_vulnerability, :view_advisor]
 
         role 'ForemanRhCloud', plugin_permissions, 'Role granting permissions to view the hosts inventory,
                                                     generate a report, upload it to the cloud, download it locally,
-                                                    and manage Insights Vulnerability and Advisor features'
+                                                    and manage Insights Compliance, Vulnerability and Advisor features'
 
         role 'ForemanRhCloud Read Only', read_only_permissions, 'Role granting read-only permissions to view
-                                                                 Insights Vulnerability, Advisor, and host inventory'
+                                                                 Insights Compliance, Vulnerability, Advisor, and host inventory'
 
         add_permissions_to_default_roles Role::ORG_ADMIN => plugin_permissions,
           Role::MANAGER => plugin_permissions,

data/lib/foreman_rh_cloud/version.rb

@@ -1,3 +1,3 @@
 module ForemanRhCloud
-  VERSION = '14.1.3'.freeze
+  VERSION = '14.2.0'.freeze
 end

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "foreman_rh_cloud",
-  "version": "14.1.3",
+  "version": "14.2.0",
   "description": "Inventory Upload =============",
   "main": "index.js",
   "scripts": {

data/test/unit/services/foreman_rh_cloud/insights_api_forwarder_test.rb

@@ -178,6 +178,61 @@ class UIRequestForwarderTest < ActiveSupport::TestCase
     assert_nil result
   end
 
+  test 'scope_request? should return tag_name for compliance systems endpoint' do
+    get_req = ActionDispatch::Request.new(
+      'REQUEST_URI' => '/api/compliance/v2/systems',
+      'REQUEST_METHOD' => 'GET',
+      'rack.input' => ::Puma::NullIO.new
+    )
+
+    result = @forwarder.send(:scope_request?, get_req, 'api/compliance/v2/systems')
+    assert_equal :tags, result
+  end
+
+  test 'scope_request? should return tag_name for compliance report systems endpoint' do
+    get_req = ActionDispatch::Request.new(
+      'REQUEST_URI' => '/api/compliance/v2/reports/report-123/systems',
+      'REQUEST_METHOD' => 'GET',
+      'rack.input' => ::Puma::NullIO.new
+    )
+
+    result = @forwarder.send(:scope_request?, get_req, 'api/compliance/v2/reports/report-123/systems')
+    assert_equal :tags, result
+  end
+
+  test 'scope_request? should return tag_name for individual compliance system endpoint' do
+    get_req = ActionDispatch::Request.new(
+      'REQUEST_URI' => '/api/compliance/v2/systems/system-456',
+      'REQUEST_METHOD' => 'GET',
+      'rack.input' => ::Puma::NullIO.new
+    )
+
+    result = @forwarder.send(:scope_request?, get_req, 'api/compliance/v2/systems/system-456')
+    assert_equal :tags, result
+  end
+
+  test 'scope_request? should return tag_name for system policies endpoint' do
+    get_req = ActionDispatch::Request.new(
+      'REQUEST_URI' => '/api/compliance/v2/systems/system-456/policies',
+      'REQUEST_METHOD' => 'GET',
+      'rack.input' => ::Puma::NullIO.new
+    )
+
+    result = @forwarder.send(:scope_request?, get_req, 'api/compliance/v2/systems/system-456/policies')
+    assert_equal :tags, result
+  end
+
+  test 'scope_request? should return tag_name for system reports endpoint' do
+    get_req = ActionDispatch::Request.new(
+      'REQUEST_URI' => '/api/compliance/v2/systems/system-456/reports',
+      'REQUEST_METHOD' => 'GET',
+      'rack.input' => ::Puma::NullIO.new
+    )
+
+    result = @forwarder.send(:scope_request?, get_req, 'api/compliance/v2/systems/system-456/reports')
+    assert_equal :tags, result
+  end
+
   test 'prepare_tags should use provided tag_name' do
     result = @forwarder.send(:prepare_tags, @user, @organization, @location, :custom_tag)
 
@@ -215,7 +270,7 @@ class UIRequestForwarderTest < ActiveSupport::TestCase
 
   # Permission enforcement tests
 
-  # GET /api/inventory/v1/hosts requires view_vulnerability
+  # GET /api/inventory/v1/hosts is a shared dependency - view_compliance OR view_vulnerability grants access
   test 'should allow GET request to inventory hosts when user has view_vulnerability permission' do
     user_agent = { :foo => :bar }
     params = {}
@@ -228,6 +283,7 @@ class UIRequestForwarderTest < ActiveSupport::TestCase
       'action_dispatch.request.query_parameters' => params
     )
 
+    @user.stubs(:can?).with(:view_compliance).returns(false)
     @user.stubs(:can?).with(:view_vulnerability).returns(true)
     ::ForemanRhCloud::TagsAuth.any_instance.expects(:update_tag)
     @forwarder.expects(:execute_cloud_request).returns(true)
@@ -235,7 +291,18 @@ class UIRequestForwarderTest < ActiveSupport::TestCase
     @forwarder.forward_request(req, 'api/inventory/v1/hosts', 'test_controller', @user, @organization, @location)
   end
 
-  test 'should deny GET request to inventory hosts when user lacks view_vulnerability permission' do
+  test 'should allow GET request to inventory hosts when user has view_compliance permission' do
+    req = build_request(method: 'GET', uri: '/api/inventory/v1/hosts')
+
+    @user.stubs(:can?).with(:view_compliance).returns(true)
+    @user.stubs(:can?).with(:view_vulnerability).returns(false)
+    ::ForemanRhCloud::TagsAuth.any_instance.expects(:update_tag)
+    @forwarder.expects(:execute_cloud_request).returns(true)
+
+    @forwarder.forward_request(req, 'api/inventory/v1/hosts', 'test_controller', @user, @organization, @location)
+  end
+
+  test 'should deny GET request to inventory hosts when user lacks both view_compliance and view_vulnerability' do
     user_agent = { :foo => :bar }
     params = {}
 
@@ -247,6 +314,7 @@ class UIRequestForwarderTest < ActiveSupport::TestCase
       'action_dispatch.request.query_parameters' => params
     )
 
+    @user.stubs(:can?).with(:view_compliance).returns(false)
     @user.stubs(:can?).with(:view_vulnerability).returns(false)
 
     assert_raises(::Foreman::PermissionMissingException) do
@@ -307,9 +375,43 @@ class UIRequestForwarderTest < ActiveSupport::TestCase
 
   # Data-driven tests for required_permission_for
   PERMISSION_MAPPINGS = [
+    # Shared inventory hosts endpoint - either view_compliance or view_vulnerability grants GET access
+    { path: 'api/inventory/v1/hosts', method: 'GET', expected: [:view_compliance, :view_vulnerability] },
+    { path: 'api/inventory/v1/hosts/abc-123', method: 'GET', expected: [:view_compliance, :view_vulnerability] },
+    # Compliance endpoints
+    { path: 'api/compliance/v2/policies', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/policies', method: 'POST', expected: :edit_compliance },
+    { path: 'api/compliance/v2/policies/policy-123', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/policies/policy-123', method: 'DELETE', expected: :edit_compliance },
+    { path: 'api/compliance/v2/policies/policy-123', method: 'PATCH', expected: :edit_compliance },
+    { path: 'api/compliance/v2/policies/policy-123/systems', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/policies/policy-123/systems', method: 'POST', expected: :edit_compliance },
+    { path: 'api/compliance/v2/policies/policy-123/systems/system-456', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/policies/policy-123/systems/system-456', method: 'DELETE', expected: :edit_compliance },
+    { path: 'api/compliance/v2/policies/policy-123/systems/system-456', method: 'PATCH', expected: :edit_compliance },
+    { path: 'api/compliance/v2/policies/policy-123/tailorings', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/policies/policy-123/tailorings', method: 'POST', expected: :edit_compliance },
+    { path: 'api/compliance/v2/policies/policy-123/tailorings/tailoring-789', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/policies/policy-123/tailorings/tailoring-789', method: 'PATCH', expected: :edit_compliance },
+    { path: 'api/compliance/v2/policies/policy-123/tailorings/tailoring-789/rules', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/policies/policy-123/tailorings/tailoring-789/rules', method: 'POST', expected: :edit_compliance },
+    { path: 'api/compliance/v2/policies/policy-123/tailorings/tailoring-789/rules/rule-999', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/policies/policy-123/tailorings/tailoring-789/rules/rule-999', method: 'DELETE', expected: :edit_compliance },
+    { path: 'api/compliance/v2/policies/policy-123/tailorings/tailoring-789/rules/rule-999', method: 'PATCH', expected: :edit_compliance },
+    { path: 'api/compliance/v2/reports', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/reports/report-123', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/reports/report-123', method: 'DELETE', expected: :edit_compliance },
+    { path: 'api/compliance/v2/reports/report-123/systems', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/reports/report-123/systems/system-456', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/reports/report-123/systems/os_versions', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/policies/policy-123/systems/os_versions', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/systems', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/systems/system-456', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/systems/os_versions', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/systems/system-456/policies', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/systems/system-456/reports', method: 'GET', expected: :view_compliance },
+    { path: 'api/compliance/v2/profiles', method: 'GET', expected: :view_compliance },
     # Vulnerability endpoints
-    { path: 'api/inventory/v1/hosts', method: 'GET', expected: :view_vulnerability },
-    { path: 'api/inventory/v1/hosts/abc-123', method: 'GET', expected: :view_vulnerability },
     { path: 'api/vulnerability/v1/vulnerabilities/cves', method: 'POST', expected: :view_vulnerability },
     { path: 'api/vulnerability/v1/status', method: 'PATCH', expected: :edit_vulnerability },
     { path: 'api/vulnerability/v1/cves/status', method: 'PATCH', expected: :edit_vulnerability },
@@ -383,6 +485,140 @@ class UIRequestForwarderTest < ActiveSupport::TestCase
     end
   end
 
+  # Compliance permission integration tests
+  test 'should allow GET request to compliance policies when user has view_compliance permission' do
+    req = build_request(method: 'GET', uri: '/api/compliance/v2/policies')
+
+    @user.stubs(:can?).with(:view_compliance).returns(true)
+    @forwarder.expects(:execute_cloud_request).returns(true)
+
+    @forwarder.forward_request(req, 'api/compliance/v2/policies', 'test_controller', @user, @organization, @location)
+  end
+
+  test 'should deny GET request to compliance policies when user lacks view_compliance permission' do
+    req = build_request(method: 'GET', uri: '/api/compliance/v2/policies')
+
+    @user.stubs(:can?).with(:view_compliance).returns(false)
+
+    assert_raises(::Foreman::PermissionMissingException) do
+      @forwarder.forward_request(req, 'api/compliance/v2/policies', 'test_controller', @user, @organization, @location)
+    end
+  end
+
+  test 'should allow POST request to compliance policies when user has edit_compliance permission' do
+    req = build_request(method: 'POST', uri: '/api/compliance/v2/policies', data: '{"name": "test-policy"}')
+
+    @user.stubs(:can?).with(:edit_compliance).returns(true)
+    @forwarder.expects(:execute_cloud_request).returns(true)
+
+    @forwarder.forward_request(req, 'api/compliance/v2/policies', 'test_controller', @user, @organization, @location)
+  end
+
+  test 'should deny POST request to compliance policies when user lacks edit_compliance permission' do
+    req = build_request(method: 'POST', uri: '/api/compliance/v2/policies', data: '{"name": "test-policy"}')
+
+    @user.stubs(:can?).with(:edit_compliance).returns(false)
+
+    assert_raises(::Foreman::PermissionMissingException) do
+      @forwarder.forward_request(req, 'api/compliance/v2/policies', 'test_controller', @user, @organization, @location)
+    end
+  end
+
+  test 'should allow PATCH request to compliance policy when user has edit_compliance permission' do
+    req = build_request(method: 'PATCH', uri: '/api/compliance/v2/policies/policy-123', data: '{"name": "updated-policy"}')
+
+    @user.stubs(:can?).with(:edit_compliance).returns(true)
+    @forwarder.expects(:execute_cloud_request).returns(true)
+
+    @forwarder.forward_request(req, 'api/compliance/v2/policies/policy-123', 'test_controller', @user, @organization, @location)
+  end
+
+  test 'should deny PATCH request to compliance policy when user lacks edit_compliance permission' do
+    req = build_request(method: 'PATCH', uri: '/api/compliance/v2/policies/policy-123', data: '{"name": "updated-policy"}')
+
+    @user.stubs(:can?).with(:edit_compliance).returns(false)
+
+    assert_raises(::Foreman::PermissionMissingException) do
+      @forwarder.forward_request(req, 'api/compliance/v2/policies/policy-123', 'test_controller', @user, @organization, @location)
+    end
+  end
+
+  test 'should allow DELETE request to compliance policy when user has edit_compliance permission' do
+    req = build_request(method: 'DELETE', uri: '/api/compliance/v2/policies/policy-123')
+
+    @user.stubs(:can?).with(:edit_compliance).returns(true)
+    @forwarder.expects(:execute_cloud_request).returns(true)
+
+    @forwarder.forward_request(req, 'api/compliance/v2/policies/policy-123', 'test_controller', @user, @organization, @location)
+  end
+
+  test 'should deny DELETE request to compliance policy when user lacks edit_compliance permission' do
+    req = build_request(method: 'DELETE', uri: '/api/compliance/v2/policies/policy-123')
+
+    @user.stubs(:can?).with(:edit_compliance).returns(false)
+
+    assert_raises(::Foreman::PermissionMissingException) do
+      @forwarder.forward_request(req, 'api/compliance/v2/policies/policy-123', 'test_controller', @user, @organization, @location)
+    end
+  end
+
+  test 'should allow POST request to compliance policy systems when user has edit_compliance permission' do
+    req = build_request(method: 'POST', uri: '/api/compliance/v2/policies/policy-123/systems', data: '{"id": "system-456"}')
+
+    @user.stubs(:can?).with(:edit_compliance).returns(true)
+    @forwarder.expects(:execute_cloud_request).returns(true)
+
+    @forwarder.forward_request(req, 'api/compliance/v2/policies/policy-123/systems', 'test_controller', @user, @organization, @location)
+  end
+
+  test 'should deny POST request to compliance policy systems when user lacks edit_compliance permission' do
+    req = build_request(method: 'POST', uri: '/api/compliance/v2/policies/policy-123/systems', data: '{"id": "system-456"}')
+
+    @user.stubs(:can?).with(:edit_compliance).returns(false)
+
+    assert_raises(::Foreman::PermissionMissingException) do
+      @forwarder.forward_request(req, 'api/compliance/v2/policies/policy-123/systems', 'test_controller', @user, @organization, @location)
+    end
+  end
+
+  test 'should allow DELETE request to compliance report when user has edit_compliance permission' do
+    req = build_request(method: 'DELETE', uri: '/api/compliance/v2/reports/report-123')
+
+    @user.stubs(:can?).with(:edit_compliance).returns(true)
+    @forwarder.expects(:execute_cloud_request).returns(true)
+
+    @forwarder.forward_request(req, 'api/compliance/v2/reports/report-123', 'test_controller', @user, @organization, @location)
+  end
+
+  test 'should deny DELETE request to compliance report when user lacks edit_compliance permission' do
+    req = build_request(method: 'DELETE', uri: '/api/compliance/v2/reports/report-123')
+
+    @user.stubs(:can?).with(:edit_compliance).returns(false)
+
+    assert_raises(::Foreman::PermissionMissingException) do
+      @forwarder.forward_request(req, 'api/compliance/v2/reports/report-123', 'test_controller', @user, @organization, @location)
+    end
+  end
+
+  test 'should allow DELETE request to compliance tailoring rule when user has edit_compliance permission' do
+    req = build_request(method: 'DELETE', uri: '/api/compliance/v2/policies/policy-123/tailorings/tailoring-789/rules/rule-999')
+
+    @user.stubs(:can?).with(:edit_compliance).returns(true)
+    @forwarder.expects(:execute_cloud_request).returns(true)
+
+    @forwarder.forward_request(req, 'api/compliance/v2/policies/policy-123/tailorings/tailoring-789/rules/rule-999', 'test_controller', @user, @organization, @location)
+  end
+
+  test 'should deny DELETE request to compliance tailoring rule when user lacks edit_compliance permission' do
+    req = build_request(method: 'DELETE', uri: '/api/compliance/v2/policies/policy-123/tailorings/tailoring-789/rules/rule-999')
+
+    @user.stubs(:can?).with(:edit_compliance).returns(false)
+
+    assert_raises(::Foreman::PermissionMissingException) do
+      @forwarder.forward_request(req, 'api/compliance/v2/policies/policy-123/tailorings/tailoring-789/rules/rule-999', 'test_controller', @user, @organization, @location)
+    end
+  end
+
   # Edge case: anonymous user
   test 'should deny request when user is nil' do
     req = build_request(method: 'GET', uri: '/api/insights/v1/stats/systems')

data/webpack/ForemanInventoryUpload/Components/AccountList/AccountList.fixtures.js

@@ -32,11 +32,6 @@ export const processStatusName = 'upload_report_status';
 
 export const filterTerm = 'some_filter';
 
-export const CloudConnectorStatus = {
-  id: 7,
-  task: { id: 11 },
-};
-
 export const props = {
   accounts,
   fetchAccountsStatus: noop,
@@ -47,7 +42,6 @@ export const props = {
 
 export const pollingResponse = {
   accounts,
-  CloudConnectorStatus,
 };
 
 export const fetchAccountsStatusResponse = {

data/webpack/ForemanInventoryUpload/Components/AccountList/AccountListReducer.js

@@ -20,7 +20,6 @@ export default (state = initialState, action) => {
       accounts,
       accountID,
       processStatusName,
-      CloudConnectorStatus,
     } = {},
   } = action;
 
@@ -29,7 +28,6 @@ export default (state = initialState, action) => {
       return state.merge({
         ...state,
         accounts,
-        CloudConnectorStatus,
         error: null,
       });
     case INVENTORY_ACCOUNT_STATUS_POLLING_ERROR:

data/webpack/ForemanInventoryUpload/Components/AccountList/__tests__/AccountListReducer.test.js

@@ -13,7 +13,6 @@ import {
   processStatusName,
   pollingResponse,
   accounts,
-  CloudConnectorStatus,
 } from '../AccountList.fixtures';
 
 describe('AccountList reducer', () => {
@@ -30,7 +29,6 @@ describe('AccountList reducer', () => {
       payload: pollingResponse,
     });
     expect(state.accounts).toEqual(accounts);
-    expect(state.CloudConnectorStatus).toEqual(CloudConnectorStatus);
     expect(state.error).toBeNull();
   });
 

data/webpack/ForemanInventoryUpload/Components/PageHeader/PageHeader.js

@@ -4,7 +4,6 @@ import InventorySettings from '../InventorySettings';
 import PageDescription from './components/PageDescription';
 import InventoryFilter from '../InventoryFilter';
 import ToolbarButtons from './components/ToolbarButtons';
-import SettingsWarning from './components/SettingsWarning';
 import PageTitle from './PageTitle';
 import { useIopConfig } from '../../../common/Hooks/ConfigHooks';
 import './PageHeader.scss';
@@ -14,7 +13,6 @@ const PageHeader = () => {
 
   return (
     <div className="inventory-upload-header">
-      <SettingsWarning />
       <PageTitle />
       {!isIop && (
         <div className="inventory-upload-header-description">

data/webpack/ForemanInventoryUpload/Components/PageHeader/PageHeader.scss

@@ -1,6 +1,6 @@
 .rh-cloud-inventory-page {
   .inventory-upload-header {
-    margin-top: 35px;
+    padding: var(--pf-v5-global--spacer--md) var(--pf-v5-global--spacer--lg) var(--pf-v5-global--spacer--lg) var(--pf-v5-global--spacer--lg);
 
     h1 {
       font-family: 'RedHatDisplay';
@@ -33,7 +33,6 @@
     }
 
     .inventory-upload-header-title {
-      margin-top: -15px;
       margin-bottom: 8px;
     }