RubyGems - foreman_rh_cloud - Versions diffs - 13.1.0 → 13.2.0 - Mend

foreman_rh_cloud 13.1.0 → 13.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a37e0d6adc3c8b44e73f636a10ee9012c2e14ef450e1a88d65bca7bbcd7c69cc
-  data.tar.gz: f53d45a393d00773a1ac42ffc2ca08f43fc52b861fba0eab2d1d8a4e1226600e
+  metadata.gz: 5707d35255f855b6e11f49080a65c0ca44c2a75d09183edbefb78ca7ceb06023
+  data.tar.gz: f52cff55dc3dfa16e9dc5a151a0866227f37ad99c55016cc42c29eeb1411e151
 SHA512:
-  metadata.gz: 6ceaf758e5d3068fb4540399bc45cc0387f6e32a32b7cddcf38404a86b3279a7c0728707c7363996ab73303407b8977ace52641a40ec066c00d83b02a02d29ba
-  data.tar.gz: 67b81d211aa7f0aba5ea6e81dc3349add6e003b39a27f6b097eed42b9baf5011222a48ebf1e0b9ed30999a84e8fdd4bbeb583dadd6e0043b147818fd48841efc
+  metadata.gz: '0239185072ee7994fc76aef806ac99aaab740b72da7c9a81e699e26df9af5d276b969d9c3279ab0e9a796996eb289739f09cb6d170a932528348c6e7f2972512'
+  data.tar.gz: 577bb25d4bfd6d59f30b6e74b2e6689e38441272841b989f28df1b7e445cc80bfcb30e47287ed9b54649dfeaa265cfdadaa3c847f1b08a2b405690b701ec3a92

data/app/controllers/insights_cloud/ui_requests_controller.rb CHANGED Viewed

@@ -2,7 +2,7 @@ module InsightsCloud
   class UIRequestsController < ::ApplicationController
     layout false
-    before_action :ensure_org, :ensure_loc, :only => [:forward_request]
+    before_action :ensure_org, :find_location, :only => [:forward_request]
     # The method that "proxies" requests over to Cloud
     def forward_request
@@ -18,6 +18,10 @@ module InsightsCloud
           @organization,
           @location
         )
+      rescue ::Foreman::PermissionMissingException => e
+        logger.warn("Permission denied for forwarding request: #{e}")
+        message = e.message
+        return render json: { message: message, error: message }, status: :forbidden
       rescue RestClient::Exceptions::Timeout => e
         response_obj = e.response.presence || e.exception
         return render json: { message: response_obj.to_s, error: response_obj.to_s }, status: :gateway_timeout
@@ -93,9 +97,8 @@ module InsightsCloud
       return render_message 'Organization not found or invalid', :status => 400 unless @organization
     end
-    def ensure_loc
+    def find_location
       @location = Location.current
-      return render_message 'Location not found or invalid', :status => 400 unless @location
     end
     def base_url

data/app/services/foreman_rh_cloud/insights_api_forwarder.rb CHANGED Viewed

@@ -4,17 +4,144 @@ module ForemanRhCloud
   class InsightsApiForwarder
     include ForemanRhCloud::CertAuth
+    # Permission mapping for API paths:
+    #
+    # Foreman Permission   | Paths
+    # ---------------------|--------------------------------------------------
+    # view_vulnerability   | GET /api/inventory/v1/hosts(/*)
+    # view_vulnerability   | GET /api/vulnerability/v1/*
+    #                      | POST /api/vulnerability/v1/vulnerabilities/cves
+    # edit_vulnerability   | PATCH /api/vulnerability/v1/status
+    # edit_vulnerability   | PATCH /api/vulnerability/v1/cves/status
+    #                      | PATCH /api/vulnerability/v1/cves/business_risk
+    # edit_vulnerability   | PATCH /api/vulnerability/v1/systems/opt_out
+    #
+    # view_advisor         | GET /api/insights/v1/*
+    # edit_advisor         | POST /api/insights/v1/ack/
+    #                      | DELETE /api/insights/v1/ack/{rule_id}/
+    #                      | POST /api/insights/v1/hostack/
+    #                      | DELETE /api/insights/v1/hostack/{id}/
+    #                      | POST /api/insights/v1/rule/{rule_id}/unack_hosts/
+    #
     SCOPED_REQUESTS = [
-      { test: %r{api/vulnerability/v1/vulnerabilities/cves}, tag_name: :tags },
-      { test: %r{api/vulnerability/v1/dashbar}, tag_name: :tags },
-      { test: %r{api/vulnerability/v1/cves/[^/]+/affected_systems}, tag_name: :tags },
-      { test: %r{api/vulnerability/v1/systems/[^/]+/cves}, tag_name: :tags },
-      { test: %r{api/insights/.*}, tag_name: :tags },
+      # Inventory hosts - requires view_vulnerability for GET
+      {
+        test: %r{api/inventory/v1/hosts(/.*)?$},
+        tag_name: :tags,
+        permissions: {
+          'GET' => :view_vulnerability,
+        },
+      },
+      # Vulnerability CVEs list - POST requires view_vulnerability (no tags support per OpenAPI spec)
+      {
+        test: %r{api/vulnerability/v1/vulnerabilities/cves},
+        permissions: {
+          'POST' => :view_vulnerability,
+        },
+      },
+      # Vulnerability status - PATCH requires edit_vulnerability
+      # Note: GET /status does not support tags parameter per OpenAPI spec
+      {
+        test: %r{api/vulnerability/v1/status},
+        permissions: {
+          'PATCH' => :edit_vulnerability,
+        },
+      },
+      # CVE status - PATCH requires edit_vulnerability (no GET endpoint)
+      {
+        test: %r{api/vulnerability/v1/cves/status},
+        permissions: {
+          'PATCH' => :edit_vulnerability,
+        },
+      },
+      # CVE business risk - PATCH requires edit_vulnerability (no GET endpoint)
+      {
+        test: %r{api/vulnerability/v1/cves/business_risk},
+        permissions: {
+          'PATCH' => :edit_vulnerability,
+        },
+      },
+      # Systems opt out - PATCH requires edit_vulnerability (no GET endpoint)
+      {
+        test: %r{api/vulnerability/v1/systems/opt_out},
+        permissions: {
+          'PATCH' => :edit_vulnerability,
+        },
+      },
+      # Endpoints without tags support (per OpenAPI spec) - still require view_vulnerability for GET
+      {
+        test: %r{api/vulnerability/v1/(apistatus|version|business_risk|announcement)$},
+        permissions: {
+          'GET' => :view_vulnerability,
+        },
+      },
+      {
+        test: %r{api/vulnerability/v1/cves/[^/]+$},
+        permissions: {
+          'GET' => :view_vulnerability,
+        },
+      },
+      {
+        test: %r{api/vulnerability/v1/(playbooks|report)/},
+        permissions: {
+          'GET' => :view_vulnerability,
+        },
+      },
+      # Other vulnerability endpoints - GET requires view_vulnerability (with tags support)
+      {
+        test: %r{api/vulnerability/v1/.*},
+        tag_name: :tags,
+        permissions: {
+          'GET' => :view_vulnerability,
+        },
+      },
+      # Advisor ack endpoints - POST/DELETE require edit_advisor
+      {
+        test: %r{api/insights/v1/ack(/[^/]*)?$},
+        tag_name: :tags,
+        permissions: {
+          'POST' => :edit_advisor,
+          'DELETE' => :edit_advisor,
+        },
+      },
+      # Advisor hostack endpoints - POST/DELETE require edit_advisor
+      {
+        test: %r{api/insights/v1/hostack(/[^/]*)?$},
+        tag_name: :tags,
+        permissions: {
+          'POST' => :edit_advisor,
+          'DELETE' => :edit_advisor,
+        },
+      },
+      # Advisor rule unack_hosts - POST requires edit_advisor
+      {
+        test: %r{api/insights/v1/rule/[^/]+/unack_hosts},
+        tag_name: :tags,
+        permissions: {
+          'POST' => :edit_advisor,
+        },
+      },
+      # Other Advisor/Insights endpoints - GET requires view_advisor
+      {
+        test: %r{api/insights/v1/.*},
+        tag_name: :tags,
+        permissions: {
+          'GET' => :view_advisor,
+        },
+      },
+      # Other API endpoints (tagging only, no permission enforcement)
       { test: %r{api/inventory/.*}, tag_name: :tags },
       { test: %r{api/tasks/.*}, tag_name: :tags },
     ].freeze
     def forward_request(original_request, path, controller_name, user, organization, location)
+      # Check permissions before forwarding
+      permission = required_permission_for(path, original_request.request_method)
+      if permission && !user&.can?(permission)
+        logger.warn("User #{user&.login || 'anonymous'} lacks permission #{permission} for #{original_request.request_method} #{path}")
+        raise ::Foreman::PermissionMissingException.new(N_("You do not have permission to perform this action"))
+      end
       TagsAuth.new(user, organization, location, logger).update_tag if scope_request?(original_request, path)
       forward_params = prepare_forward_params(original_request, path, user: user, organization: organization, location: location).to_a
@@ -97,8 +224,15 @@ module ForemanRhCloud
     def scope_request?(original_request, path)
       return nil unless original_request.get?
-      request_pattern = SCOPED_REQUESTS.find { |pattern| pattern[:test].match?(path) }
-      request_pattern[:tag_name] if request_pattern
+      # Only consider patterns that define tag_name - this ensures patterns without
+      # tag_name (permission-only entries) cannot override tag-supporting patterns
+      matching_patterns = SCOPED_REQUESTS.select { |pattern| pattern[:tag_name] && pattern[:test].match?(path) }
+      return nil if matching_patterns.empty?
+      # Choose the most specific pattern by regex source length for consistency
+      # with required_permission_for behavior
+      request_pattern = matching_patterns.max_by { |pattern| pattern[:test].source.length }
+      request_pattern[:tag_name]
     end
     def core_app_name
@@ -116,5 +250,27 @@ module ForemanRhCloud
     def logger
       Foreman::Logging.logger('app')
     end
+    # Returns the required permission for the given path and HTTP method
+    # Resolves overlapping patterns by choosing the most specific matcher,
+    # defined as the one with the longest regex source that matches the path.
+    # This avoids permission changes caused by reordering SCOPED_REQUESTS.
+    # @param path [String] The request path
+    # @param http_method [String] The HTTP method (GET, POST, etc.)
+    # @return [Symbol, nil] The required permission symbol or nil if no permission required
+    def required_permission_for(path, http_method)
+      # Collect all matching patterns
+      matching_patterns = SCOPED_REQUESTS.select { |pattern| pattern[:test].match?(path) }
+      return nil if matching_patterns.empty?
+      # Choose the most specific pattern: longest regex source wins.
+      # This makes overlapping patterns deterministic and independent of array order.
+      request_pattern = matching_patterns.max_by { |pattern| pattern[:test].source.length }
+      permissions = request_pattern[:permissions]
+      return nil unless permissions
+      permissions[http_method]
+    end
   end
 end

data/app/services/foreman_rh_cloud/tags_auth.rb CHANGED Viewed

@@ -20,7 +20,8 @@ module ForemanRhCloud
     end
     def update_tag
-      logger.debug("Updating tags for user: #{@user}, org: #{@org.name}, loc: #{@loc.name}")
+      loc_name = location_name_for_tag
+      logger.debug("Updating tags for user: #{@user}, org: #{@org.name}, loc: #{loc_name}")
       payload = tags_query_payload
       params = {
@@ -36,7 +37,9 @@ module ForemanRhCloud
     end
     def allowed_hosts
-      Host.authorized_as(@user, nil, nil).where(organization: @org, location: @loc).joins(:subscription_facet).pluck('katello_subscription_facets.uuid')
+      query = Host.authorized_as(@user, nil, nil).where(organization: @org)
+      query = query.where(location: @loc) if @loc
+      query.joins(:subscription_facet).pluck('katello_subscription_facets.uuid')
     end
     def tags_query_payload
@@ -47,11 +50,18 @@ module ForemanRhCloud
     end
     def tag_value
-      "U:\"#{@user.login}\"O:\"#{@org.name}\"L:\"#{@loc.name}\""
+      location_part = "L:\"#{location_name_for_tag}\""
+      "U:\"#{@user.login}\"O:\"#{@org.name}\"#{location_part}"
     end
     def auth_tag
       "#{TAG_NAME}=#{tag_value}"
     end
+    private
+    def location_name_for_tag
+      @loc ? @loc.name : '*'
+    end
   end
 end

data/lib/foreman_rh_cloud/plugin.rb CHANGED Viewed

@@ -71,12 +71,46 @@ module ForemanRhCloud
             :control_organization_insights,
             'insights_cloud/settings': [:set_org_parameter]
           )
+          # Insights Vulnerability permissions
+          permission(
+            :view_vulnerability,
+            {},
+            :resource_type => 'ForemanRhCloud'
+          )
+          permission(
+            :edit_vulnerability,
+            {},
+            :resource_type => 'ForemanRhCloud'
+          )
+          # Insights Advisor permissions
+          permission(
+            :view_advisor,
+            {},
+            :resource_type => 'ForemanRhCloud'
+          )
+          permission(
+            :edit_advisor,
+            {},
+            :resource_type => 'ForemanRhCloud'
+          )
         end
-        plugin_permissions = [:view_foreman_rh_cloud, :generate_foreman_rh_cloud, :view_insights_hits, :dispatch_cloud_requests, :control_organization_insights]
+        # Core RH Cloud permissions for inventory upload and sync
+        rh_cloud_permissions = [:view_foreman_rh_cloud, :generate_foreman_rh_cloud, :view_insights_hits, :dispatch_cloud_requests, :control_organization_insights]
+        # Insights application permissions (Vulnerability, Advisor)
+        insights_permissions = [:view_vulnerability, :edit_vulnerability, :view_advisor, :edit_advisor]
+        plugin_permissions = rh_cloud_permissions + insights_permissions
+        read_only_permissions = [:view_foreman_rh_cloud, :view_insights_hits, :view_vulnerability, :view_advisor]
         role 'ForemanRhCloud', plugin_permissions, 'Role granting permissions to view the hosts inventory,
-                                                    generate a report, upload it to the cloud and download it locally'
+                                                    generate a report, upload it to the cloud, download it locally,
+                                                    and manage Insights Vulnerability and Advisor features'
+        role 'ForemanRhCloud Read Only', read_only_permissions, 'Role granting read-only permissions to view
+                                                                 Insights Vulnerability, Advisor, and host inventory'
         add_permissions_to_default_roles Role::ORG_ADMIN => plugin_permissions,
           Role::MANAGER => plugin_permissions,

data/lib/foreman_rh_cloud/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module ForemanRhCloud
-  VERSION = '13.1.0'.freeze
+  VERSION = '13.2.0'.freeze
 end

data/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "foreman_rh_cloud",
-  "version": "13.1.0",
+  "version": "13.2.0",
   "description": "Inventory Upload =============",
   "main": "index.js",
   "scripts": {

data/test/controllers/insights_cloud/ui_requests_controller_test.rb CHANGED Viewed

@@ -180,6 +180,32 @@ module InsightsCloud
         assert_equal 'Cloud request failed', JSON.parse(@response.body)['message']
         assert_match(/#{@body}/, JSON.parse(@response.body)['response'])
       end
+      test "should allow forward_request with nil location (Any location)" do
+        net_http_resp = Net::HTTPResponse.new(1.0, 200, "OK")
+        res = RestClient::Response.create(@body, net_http_resp, @http_req)
+        ::ForemanRhCloud::InsightsApiForwarder.any_instance.stubs(:forward_request).returns(res)
+        # Set session with nil location_id to simulate "Any location"
+        session_with_nil_location = set_session_user.merge(
+          organization_id: @org.id,
+          location_id: nil
+        )
+        get :forward_request, params: { "controller" => "vulnerabilities", "path" => "api/vulnerability/v1/cves" }, session: session_with_nil_location
+        assert_equal 200, @response.status
+        assert_equal @body, @response.body
+      end
+      test "should allow forward_request with location set" do
+        net_http_resp = Net::HTTPResponse.new(1.0, 200, "OK")
+        res = RestClient::Response.create(@body, net_http_resp, @http_req)
+        ::ForemanRhCloud::InsightsApiForwarder.any_instance.stubs(:forward_request).returns(res)
+        get :forward_request, params: { "controller" => "vulnerabilities", "path" => "api/vulnerability/v1/cves" }, session: set_session
+        assert_equal 200, @response.status
+        assert_equal @body, @response.body
+      end
     end
     def set_session

data/test/unit/services/foreman_rh_cloud/insights_api_forwarder_test.rb CHANGED Viewed

@@ -29,6 +29,7 @@ class UIRequestForwarderTest < ActiveSupport::TestCase
       'action_dispatch.request.query_parameters' => params
     )
+    @user.stubs(:can?).with(:view_vulnerability).returns(true)
     ::ForemanRhCloud::TagsAuth.any_instance.expects(:update_tag)
     @forwarder.expects(:execute_cloud_request).with do |actual_params|
       actual = actual_params[:headers][:params]
@@ -37,9 +38,6 @@ class UIRequestForwarderTest < ActiveSupport::TestCase
     end
     @forwarder.forward_request(req, '/api/vulnerability/v1/cves/abc-123/affected_systems', 'test_controller', @user, @organization, @location)
-    # This test asserts the parameters that are sent to the execute_cloud_request method.
-    # This is done by setting the expectation before the actual call.
   end
   test 'should not scope GET requests for unknown uris' do
@@ -62,9 +60,6 @@ class UIRequestForwarderTest < ActiveSupport::TestCase
     end
     @forwarder.forward_request(req, '/api/vulnerability/foo/bar', 'test_controller', @user, @organization, @location)
-    # This test asserts the parameters that are sent to the execute_cloud_request method.
-    # This is done by setting the expectation before the actual call.
   end
   test 'should merge URI params in GET requests' do
@@ -79,6 +74,7 @@ class UIRequestForwarderTest < ActiveSupport::TestCase
       'action_dispatch.request.query_parameters' => params
     )
+    @user.stubs(:can?).with(:view_vulnerability).returns(true)
     ::ForemanRhCloud::TagsAuth.any_instance.expects(:update_tag)
     @forwarder.expects(:execute_cloud_request).with do |actual_params|
       actual = actual_params[:headers][:params]
@@ -89,8 +85,6 @@ class UIRequestForwarderTest < ActiveSupport::TestCase
     end
     @forwarder.forward_request(req, '/api/vulnerability/v1/cves/abc-123/affected_systems', 'test_controller', @user, @organization, @location)
-    # This test asserts the parameters that are sent to the execute_cloud_request method.
-    # This is done by setting the expectation before the actual call.
   end
   test 'should not scope POST requests' do
@@ -110,9 +104,6 @@ class UIRequestForwarderTest < ActiveSupport::TestCase
     end
     @forwarder.forward_request(req, '/api/vulnerability/v1/cves', 'test_controller', @user, @organization, @location)
-    # This test asserts the parameters that are sent to the execute_cloud_request method.
-    # This is done by setting the expectation before the actual call.
   end
   test 'should not scope PUT requests' do
@@ -132,9 +123,6 @@ class UIRequestForwarderTest < ActiveSupport::TestCase
     end
     @forwarder.forward_request(req, '/api/vulnerability/v1/cves', 'test_controller', @user, @organization, @location)
-    # This test asserts the parameters that are sent to the execute_cloud_request method.
-    # This is done by setting the expectation before the actual call.
   end
   test 'should not scope PATCH requests' do
@@ -155,9 +143,6 @@ class UIRequestForwarderTest < ActiveSupport::TestCase
     end
     @forwarder.forward_request(req, '/api/vulnerability/v1/cves', 'test_controller', @user, @organization, @location)
-    # This test asserts the parameters that are sent to the execute_cloud_request method.
-    # This is done by setting the expectation before the actual call.
   end
   test 'scope_request? should return tag_name for scoped requests' do
@@ -214,4 +199,196 @@ class UIRequestForwarderTest < ActiveSupport::TestCase
     tag_string = CGI.unescape(param_value)
     tag_string.split('=')[0]
   end
+  # Helper to build test requests with minimal boilerplate
+  def build_request(method:, uri:, params: {}, data: nil)
+    env = {
+      'REQUEST_URI' => uri,
+      'REQUEST_METHOD' => method,
+      'rack.input' => ::Puma::NullIO.new,
+      'action_dispatch.request.query_parameters' => params,
+    }
+    env['RAW_POST_DATA'] = data if data
+    env['action_dispatch.request.path_parameters'] = { format: 'json' } if method == 'PATCH'
+    ActionDispatch::Request.new(env)
+  end
+  # Permission enforcement tests
+  # GET /api/inventory/v1/hosts requires view_vulnerability
+  test 'should allow GET request to inventory hosts when user has view_vulnerability permission' do
+    user_agent = { :foo => :bar }
+    params = {}
+    req = ActionDispatch::Request.new(
+      'REQUEST_URI' => '/api/inventory/v1/hosts',
+      'REQUEST_METHOD' => 'GET',
+      'HTTP_USER_AGENT' => user_agent,
+      'rack.input' => ::Puma::NullIO.new,
+      'action_dispatch.request.query_parameters' => params
+    )
+    @user.stubs(:can?).with(:view_vulnerability).returns(true)
+    ::ForemanRhCloud::TagsAuth.any_instance.expects(:update_tag)
+    @forwarder.expects(:execute_cloud_request).returns(true)
+    @forwarder.forward_request(req, 'api/inventory/v1/hosts', 'test_controller', @user, @organization, @location)
+  end
+  test 'should deny GET request to inventory hosts when user lacks view_vulnerability permission' do
+    user_agent = { :foo => :bar }
+    params = {}
+    req = ActionDispatch::Request.new(
+      'REQUEST_URI' => '/api/inventory/v1/hosts',
+      'REQUEST_METHOD' => 'GET',
+      'HTTP_USER_AGENT' => user_agent,
+      'rack.input' => ::Puma::NullIO.new,
+      'action_dispatch.request.query_parameters' => params
+    )
+    @user.stubs(:can?).with(:view_vulnerability).returns(false)
+    assert_raises(::Foreman::PermissionMissingException) do
+      @forwarder.forward_request(req, 'api/inventory/v1/hosts', 'test_controller', @user, @organization, @location)
+    end
+  end
+  # POST /api/vulnerability/v1/vulnerabilities/cves requires view_vulnerability
+  test 'should deny POST request to vulnerabilities cves when user lacks view_vulnerability permission' do
+    post_data = '{"test": "data"}'
+    req = ActionDispatch::Request.new(
+      'REQUEST_URI' => '/api/vulnerability/v1/vulnerabilities/cves',
+      'REQUEST_METHOD' => 'POST',
+      'rack.input' => ::Puma::NullIO.new,
+      'RAW_POST_DATA' => post_data
+    )
+    @user.stubs(:can?).with(:view_vulnerability).returns(false)
+    assert_raises(::Foreman::PermissionMissingException) do
+      @forwarder.forward_request(req, 'api/vulnerability/v1/vulnerabilities/cves', 'test_controller', @user, @organization, @location)
+    end
+  end
+  # PATCH /api/vulnerability/v1/status requires edit_vulnerability
+  test 'should allow PATCH request to vulnerability status when user has edit_vulnerability permission' do
+    patch_data = '{"status": "resolved"}'
+    req = ActionDispatch::Request.new(
+      'REQUEST_URI' => '/api/vulnerability/v1/status',
+      'REQUEST_METHOD' => 'PATCH',
+      'rack.input' => ::Puma::NullIO.new,
+      'RAW_POST_DATA' => patch_data,
+      "action_dispatch.request.path_parameters" => { :format => "json" }
+    )
+    @user.stubs(:can?).with(:edit_vulnerability).returns(true)
+    @forwarder.expects(:execute_cloud_request).returns(true)
+    @forwarder.forward_request(req, 'api/vulnerability/v1/status', 'test_controller', @user, @organization, @location)
+  end
+  test 'should deny PATCH request to vulnerability status when user lacks edit_vulnerability permission' do
+    patch_data = '{"status": "resolved"}'
+    req = ActionDispatch::Request.new(
+      'REQUEST_URI' => '/api/vulnerability/v1/status',
+      'REQUEST_METHOD' => 'PATCH',
+      'rack.input' => ::Puma::NullIO.new,
+      'RAW_POST_DATA' => patch_data,
+      "action_dispatch.request.path_parameters" => { :format => "json" }
+    )
+    @user.stubs(:can?).with(:edit_vulnerability).returns(false)
+    assert_raises(::Foreman::PermissionMissingException) do
+      @forwarder.forward_request(req, 'api/vulnerability/v1/status', 'test_controller', @user, @organization, @location)
+    end
+  end
+  # Data-driven tests for required_permission_for
+  PERMISSION_MAPPINGS = [
+    # Vulnerability endpoints
+    { path: 'api/inventory/v1/hosts', method: 'GET', expected: :view_vulnerability },
+    { path: 'api/inventory/v1/hosts/abc-123', method: 'GET', expected: :view_vulnerability },
+    { path: 'api/vulnerability/v1/vulnerabilities/cves', method: 'POST', expected: :view_vulnerability },
+    { path: 'api/vulnerability/v1/status', method: 'PATCH', expected: :edit_vulnerability },
+    { path: 'api/vulnerability/v1/cves/status', method: 'PATCH', expected: :edit_vulnerability },
+    { path: 'api/vulnerability/v1/cves/business_risk', method: 'PATCH', expected: :edit_vulnerability },
+    { path: 'api/vulnerability/v1/systems/opt_out', method: 'PATCH', expected: :edit_vulnerability },
+    { path: 'api/vulnerability/v1/dashbar', method: 'GET', expected: :view_vulnerability },
+    { path: 'api/vulnerability/v1/cves/CVE-2024-1234/affected_systems', method: 'GET', expected: :view_vulnerability },
+    # Endpoints without tags support (still require view_vulnerability)
+    { path: 'api/vulnerability/v1/apistatus', method: 'GET', expected: :view_vulnerability },
+    { path: 'api/vulnerability/v1/version', method: 'GET', expected: :view_vulnerability },
+    { path: 'api/vulnerability/v1/business_risk', method: 'GET', expected: :view_vulnerability },
+    { path: 'api/vulnerability/v1/announcement', method: 'GET', expected: :view_vulnerability },
+    { path: 'api/vulnerability/v1/cves/CVE-2024-1234', method: 'GET', expected: :view_vulnerability },
+    { path: 'api/vulnerability/v1/playbooks/abc-123', method: 'GET', expected: :view_vulnerability },
+    { path: 'api/vulnerability/v1/report/abc-123', method: 'GET', expected: :view_vulnerability },
+    # Advisor endpoints
+    { path: 'api/insights/v1/stats/systems', method: 'GET', expected: :view_advisor },
+    { path: 'api/insights/v1/ack/', method: 'POST', expected: :edit_advisor },
+    { path: 'api/insights/v1/ack/rule_id', method: 'DELETE', expected: :edit_advisor },
+    { path: 'api/insights/v1/hostack/', method: 'POST', expected: :edit_advisor },
+    { path: 'api/insights/v1/hostack/123', method: 'DELETE', expected: :edit_advisor },
+    { path: 'api/insights/v1/rule/test_rule/unack_hosts', method: 'POST', expected: :edit_advisor },
+    # Unknown endpoints
+    { path: 'api/unknown/endpoint', method: 'GET', expected: nil },
+  ].freeze
+  PERMISSION_MAPPINGS.each do |mapping|
+    test "required_permission_for returns #{mapping[:expected].inspect} for #{mapping[:method]} #{mapping[:path]}" do
+      permission = @forwarder.send(:required_permission_for, mapping[:path], mapping[:method])
+      assert_equal mapping[:expected], permission
+    end
+  end
+  # Advisor permission integration tests
+  test 'should allow GET request to insights endpoint when user has view_advisor permission' do
+    req = build_request(method: 'GET', uri: '/api/insights/v1/stats/systems')
+    @user.stubs(:can?).with(:view_advisor).returns(true)
+    ::ForemanRhCloud::TagsAuth.any_instance.expects(:update_tag)
+    @forwarder.expects(:execute_cloud_request).returns(true)
+    @forwarder.forward_request(req, 'api/insights/v1/stats/systems', 'test_controller', @user, @organization, @location)
+  end
+  test 'should deny GET request to insights endpoint when user lacks view_advisor permission' do
+    req = build_request(method: 'GET', uri: '/api/insights/v1/stats/systems')
+    @user.stubs(:can?).with(:view_advisor).returns(false)
+    assert_raises(::Foreman::PermissionMissingException) do
+      @forwarder.forward_request(req, 'api/insights/v1/stats/systems', 'test_controller', @user, @organization, @location)
+    end
+  end
+  test 'should allow POST request to insights ack when user has edit_advisor permission' do
+    req = build_request(method: 'POST', uri: '/api/insights/v1/ack/', data: '{"rule_id": "test|RULE"}')
+    @user.stubs(:can?).with(:edit_advisor).returns(true)
+    @forwarder.expects(:execute_cloud_request).returns(true)
+    @forwarder.forward_request(req, 'api/insights/v1/ack/', 'test_controller', @user, @organization, @location)
+  end
+  test 'should deny POST request to insights ack when user lacks edit_advisor permission' do
+    req = build_request(method: 'POST', uri: '/api/insights/v1/ack/', data: '{"rule_id": "test|RULE"}')
+    @user.stubs(:can?).with(:edit_advisor).returns(false)
+    assert_raises(::Foreman::PermissionMissingException) do
+      @forwarder.forward_request(req, 'api/insights/v1/ack/', 'test_controller', @user, @organization, @location)
+    end
+  end
+  # Edge case: anonymous user
+  test 'should deny request when user is nil' do
+    req = build_request(method: 'GET', uri: '/api/insights/v1/stats/systems')
+    assert_raises(::Foreman::PermissionMissingException) do
+      @forwarder.forward_request(req, 'api/insights/v1/stats/systems', 'test_controller', nil, @organization, @location)
+    end
+  end
 end

data/test/unit/services/foreman_rh_cloud/tags_auth_test.rb CHANGED Viewed

@@ -40,4 +40,18 @@ class TagsAuthTest < ActiveSupport::TestCase
     @auth.update_tag
   end
+  test 'Generates tags with wildcard location when location is nil' do
+    auth_with_nil_loc = ::ForemanRhCloud::TagsAuth.new(@user, @org, nil, @logger)
+    uuid1 = 'test_uuid1'
+    auth_with_nil_loc.expects(:allowed_hosts).returns([uuid1])
+    auth_with_nil_loc.expects(:execute_cloud_request).with do |actual_params|
+      actual = JSON.parse(actual_params[:payload])
+      assert_includes actual['host_id_list'], uuid1
+      assert_equal "U:\"#{@user.login}\"O:\"#{@org.name}\"L:\"*\"", actual['tags'].first['value']
+    end
+    auth_with_nil_loc.update_tag
+  end
 end

data/webpack/CVEsHostDetailsTab/CVEsHostDetailsTab.js CHANGED Viewed

@@ -1,7 +1,8 @@
 import React from 'react';
 import PropTypes from 'prop-types';
 import { ScalprumComponent, ScalprumProvider } from '@scalprum/react-core';
-import { providerOptions } from '../common/ScalprumModule/ScalprumContext';
+import { createProviderOptions } from '../common/ScalprumModule/ScalprumContext';
+import { useInsightsPermissions } from '../common/Hooks/PermissionsHooks';
 import './CVEsHostDetailsTab.scss';
 const CVEsHostDetailsTab = ({ systemId }) => {
@@ -18,14 +19,17 @@ CVEsHostDetailsTab.propTypes = {
   systemId: PropTypes.string.isRequired,
 };
-const CVEsHostDetailsTabWrapper = ({ response }) => (
-  <ScalprumProvider {...providerOptions}>
-    <CVEsHostDetailsTab
-      // eslint-disable-next-line camelcase
-      systemId={response?.subscription_facet_attributes?.uuid}
-    />
-  </ScalprumProvider>
-);
+const CVEsHostDetailsTabWrapper = ({ response }) => {
+  const permissions = useInsightsPermissions();
+  return (
+    <ScalprumProvider {...createProviderOptions(permissions)}>
+      <CVEsHostDetailsTab
+        // eslint-disable-next-line camelcase
+        systemId={response?.subscription_facet_attributes?.uuid}
+      />
+    </ScalprumProvider>
+  );
+};
 CVEsHostDetailsTabWrapper.propTypes = {
   response: PropTypes.shape({

data/webpack/CVEsHostDetailsTab/__tests__/CVEsHostDetailsTab.test.js CHANGED Viewed

@@ -2,6 +2,15 @@ import React from 'react';
 import { render } from '@testing-library/react';
 import CVEsHostDetailsTabWrapper from '../CVEsHostDetailsTab';
+jest.mock('foremanReact/Root/Context/ForemanContext', () => ({
+  useForemanContext: () => ({
+    metadata: {
+      permissions: new Set(['view_vulnerability']),
+    },
+  }),
+  useForemanPermissions: () => new Set(['view_vulnerability']),
+}));
 jest.mock('@scalprum/react-core', () => ({
   ScalprumComponent: jest.fn(props => (
     <div data-testid="mock-scalprum-component">{JSON.stringify(props)}</div>

data/webpack/CveDetailsPage/CveDetailsPage.js CHANGED Viewed

@@ -1,15 +1,17 @@
 import React from 'react';
 import { useParams } from 'react-router-dom';
 import { ScalprumComponent, ScalprumProvider } from '@scalprum/react-core';
-import { providerOptions } from '../common/ScalprumModule/ScalprumContext';
+import { createProviderOptions } from '../common/ScalprumModule/ScalprumContext';
+import { useInsightsPermissions } from '../common/Hooks/PermissionsHooks';
 const CveDetailsPage = () => {
   const { cveId } = useParams();
+  const permissions = useInsightsPermissions();
   const scope = 'vulnerability';
   const module = './CveDetailPage';
   return (
-    <ScalprumProvider {...providerOptions}>
+    <ScalprumProvider {...createProviderOptions(permissions)}>
       <div className="rh-cloud-cve-details-page vulnerability">
         <ScalprumComponent scope={scope} module={module} cveId={cveId} />
       </div>

data/webpack/CveDetailsPage/CveDetailsPage.test.js CHANGED Viewed

@@ -8,6 +8,15 @@ jest.mock('react-router-dom', () => ({
   useParams: jest.fn(() => ({ cveId: 'CVE-2021-1234' })),
 }));
+jest.mock('foremanReact/Root/Context/ForemanContext', () => ({
+  useForemanContext: () => ({
+    metadata: {
+      permissions: new Set(['view_vulnerability']),
+    },
+  }),
+  useForemanPermissions: () => new Set(['view_vulnerability']),
+}));
 jest.mock('@scalprum/react-core', () => ({
   ScalprumComponent: jest.fn(props => (
     <div data-testid="mock-scalprum-component">{JSON.stringify(props)}</div>

data/webpack/InsightsCloudSync/InsightsCloudSync.js CHANGED Viewed

@@ -14,7 +14,8 @@ import './InsightsCloudSync.scss';
 import Pagination from './Components/InsightsTable/Pagination';
 import ToolbarDropdown from './Components/ToolbarDropdown';
 import InsightsSettings from './Components/InsightsSettings';
-import { providerOptions } from '../common/ScalprumModule/ScalprumContext';
+import { createProviderOptions } from '../common/ScalprumModule/ScalprumContext';
+import { useInsightsPermissions } from '../common/Hooks/PermissionsHooks';
 // Hosted Insights advisor
 const InsightsCloudSync = ({ syncInsights, query, fetchInsights }) => {
@@ -78,11 +79,14 @@ const IopRecommendationsPage = props => (
   </div>
 );
-const IopRecommendationsPageWrapped = props => (
-  <ScalprumProvider {...providerOptions}>
-    <IopRecommendationsPage {...props} />
-  </ScalprumProvider>
-);
+const IopRecommendationsPageWrapped = props => {
+  const permissions = useInsightsPermissions();
+  return (
+    <ScalprumProvider {...createProviderOptions(permissions)}>
+      <IopRecommendationsPage {...props} />
+    </ScalprumProvider>
+  );
+};
 const RecommendationsPage = props => {
   const isIop = useIopConfig();

data/webpack/InsightsHostDetailsTab/NewHostDetailsTab.js CHANGED Viewed

@@ -23,7 +23,8 @@ import {
 import { redHatAdvisorSystems } from '../InsightsCloudSync/InsightsCloudSyncHelpers';
 import { useIopConfig } from '../common/Hooks/ConfigHooks';
 import { generateRuleUrl } from '../InsightsCloudSync/InsightsCloudSync';
-import { providerOptions } from '../common/ScalprumModule/ScalprumContext';
+import { createProviderOptions } from '../common/ScalprumModule/ScalprumContext';
+import { useInsightsPermissions } from '../common/Hooks/PermissionsHooks';
 // Hosted Insights advisor
 const NewHostDetailsTab = ({ hostName, router }) => {
@@ -124,11 +125,14 @@ const IopInsightsTab = props => (
   </div>
 );
-const IopInsightsTabWrapped = props => (
-  <ScalprumProvider {...providerOptions}>
-    <IopInsightsTab {...props} />
-  </ScalprumProvider>
-);
+const IopInsightsTabWrapped = props => {
+  const permissions = useInsightsPermissions();
+  return (
+    <ScalprumProvider {...createProviderOptions(permissions)}>
+      <IopInsightsTab {...props} />
+    </ScalprumProvider>
+  );
+};
 const InsightsTab = props => {
   const isIop = useIopConfig();

data/webpack/InsightsVulnerability/InsightsVulnerabilityListPage.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import React from 'react';
 import { ScalprumComponent, ScalprumProvider } from '@scalprum/react-core';
-import { providerOptions } from '../common/ScalprumModule/ScalprumContext';
+import { createProviderOptions } from '../common/ScalprumModule/ScalprumContext';
+import { useInsightsPermissions } from '../common/Hooks/PermissionsHooks';
 const InsightsVulnerabilityListPage = () => {
   const scope = 'vulnerability';
@@ -12,10 +13,13 @@ const InsightsVulnerabilityListPage = () => {
   );
 };
-const InsightsVulnerabilityListPageWrap = () => (
-  <ScalprumProvider {...providerOptions}>
-    <InsightsVulnerabilityListPage />
-  </ScalprumProvider>
-);
+const InsightsVulnerabilityListPageWrap = () => {
+  const permissions = useInsightsPermissions();
+  return (
+    <ScalprumProvider {...createProviderOptions(permissions)}>
+      <InsightsVulnerabilityListPage />
+    </ScalprumProvider>
+  );
+};
 export default InsightsVulnerabilityListPageWrap;

data/webpack/InsightsVulnerability/InsightsVulnerabilityListPage.test.js CHANGED Viewed

@@ -3,6 +3,15 @@ import { render } from '@testing-library/react';
 import '@testing-library/jest-dom';
 import InsightsVulnerabilityListPage from './InsightsVulnerabilityListPage';
+jest.mock('foremanReact/Root/Context/ForemanContext', () => ({
+  useForemanContext: () => ({
+    metadata: {
+      permissions: new Set(['view_vulnerability']),
+    },
+  }),
+  useForemanPermissions: () => new Set(['view_vulnerability']),
+}));
 jest.mock('@scalprum/react-core', () => ({
   ScalprumComponent: jest.fn(props => (
     <div data-testid="mock-scalprum-component">{JSON.stringify(props)}</div>

data/webpack/IopRecommendationDetails/IopRecommendationDetails.js CHANGED Viewed

@@ -3,7 +3,8 @@ import { useRouteMatch } from 'react-router-dom';
 import { ScalprumComponent, ScalprumProvider } from '@scalprum/react-core';
 import RemediationModal from '../InsightsCloudSync/Components/RemediationModal';
-import { providerOptions } from '../common/ScalprumModule/ScalprumContext';
+import { createProviderOptions } from '../common/ScalprumModule/ScalprumContext';
+import { useInsightsPermissions } from '../common/Hooks/PermissionsHooks';
 const scope = 'advisor';
 const module = './RecommendationDetailsWrapped';
@@ -25,10 +26,13 @@ const IopRecommendationDetails = props => {
   );
 };
-const IopRecommendationDetailsWrapped = props => (
-  <ScalprumProvider {...providerOptions}>
-    <IopRecommendationDetails {...props} />
-  </ScalprumProvider>
-);
+const IopRecommendationDetailsWrapped = props => {
+  const permissions = useInsightsPermissions();
+  return (
+    <ScalprumProvider {...createProviderOptions(permissions)}>
+      <IopRecommendationDetails {...props} />
+    </ScalprumProvider>
+  );
+};
 export default IopRecommendationDetailsWrapped;

data/webpack/common/Hooks/PermissionsHooks.js ADDED Viewed

@@ -0,0 +1,57 @@
+import { useMemo } from 'react';
+import { useForemanPermissions } from 'foremanReact/Root/Context/ForemanContext';
+/**
+ * Mapping from Foreman permissions to Insights Chrome API permissions.
+ * Used to convert Foreman's permission names to the format expected by
+ * Scalprum-loaded Insights apps (vulnerability-ui, advisor).
+ *
+ * When adding new permissions, update both:
+ * - This mapping (for front-end RBAC in Scalprum apps)
+ * - The SCOPED_REQUESTS in app/services/foreman_rh_cloud/insights_api_forwarder.rb (for backend API enforcement)
+ */
+const PERMISSION_MAPPING = {
+  view_vulnerability: [
+    'inventory:hosts:read',
+    'vulnerability:vulnerability_results:read',
+    'vulnerability:system.opt_out:read',
+    'vulnerability:report_and_export:read',
+    'vulnerability:advanced_report:read',
+  ],
+  edit_vulnerability: [
+    'vulnerability:system.cve.status:write',
+    'vulnerability:cve.business_risk_and_status:write',
+    'vulnerability:system.opt_out:write',
+  ],
+  view_advisor: ['advisor:recommendation-results:read', 'advisor:exports:read'],
+  edit_advisor: ['advisor:disable-recommendations:write'],
+};
+/**
+ * Hook to access Insights permissions in Chrome API format.
+ * Reads Foreman permissions from context and converts them to the format
+ * expected by Scalprum-loaded Insights apps.
+ *
+ * Uses ForemanContext.metadata.permissions (added in Foreman PR #10338).
+ * Falls back to empty permissions if not available (older Foreman versions).
+ *
+ * @see https://github.com/theforeman/foreman/blob/develop/developer_docs/handling_user_permissions.asciidoc
+ * @returns {Array<{permission: string, resourceDefinitions: Array}>} User's Insights permissions
+ */
+export const useInsightsPermissions = () => {
+  const userPermissions = useForemanPermissions() || new Set();
+  return useMemo(
+    () =>
+      Object.entries(PERMISSION_MAPPING).flatMap(
+        ([foremanPerm, insightsPerms]) =>
+          userPermissions.has(foremanPerm)
+            ? insightsPerms.map(perm => ({
+                permission: perm,
+                resourceDefinitions: [],
+              }))
+            : []
+      ),
+    [userPermissions]
+  );
+};

data/webpack/common/ScalprumModule/ScalprumContext.js CHANGED Viewed

@@ -39,7 +39,25 @@ export const mockUser = {
   },
 };
-export const providerOptions = {
+/**
+ * Creates getUserPermissions function for Chrome API.
+ * @param {Array} permissions - Permissions array from ForemanContext
+ * @returns {Function} getUserPermissions function
+ */
+const createGetUserPermissions = permissions => async (app, _bypassCache) =>
+  app
+    ? permissions.filter(p => p.permission?.startsWith(`${app}:`))
+    : permissions;
+/**
+ * Creates provider options with the given permissions.
+ * Call this from wrapper components with permissions from useInsightsPermissions().
+ *
+ * @see https://github.com/theforeman/foreman/blob/develop/developer_docs/foreman-context.asciidoc
+ * @param {Array} permissions - Permissions from useInsightsPermissions()
+ * @returns {Object} Provider options for ScalprumProvider
+ */
+export const createProviderOptions = (permissions = []) => ({
   pluginSDKOptions: {
     pluginLoaderOptions: {
       transformPluginManifest: manifest => {
@@ -66,8 +84,9 @@ export const providerOptions = {
       on: () => {},
       auth: {
         getUser: () => Promise.resolve(mockUser),
+        getUserPermissions: createGetUserPermissions(permissions),
       },
     },
   },
   config: modulesConfig,
-};
+});

data/webpack/common/ScalprumModule/__tests__/ScalprumContext.test.js ADDED Viewed

@@ -0,0 +1,120 @@
+import {
+  modulesConfig,
+  mockUser,
+  createProviderOptions,
+} from '../ScalprumContext';
+describe('ScalprumContext', () => {
+  describe('modulesConfig', () => {
+    it('should have vulnerability module config', () => {
+      expect(modulesConfig.vulnerability).toBeDefined();
+      expect(modulesConfig.vulnerability.name).toBe('vulnerability');
+    });
+    it('should have advisor module config', () => {
+      expect(modulesConfig.advisor).toBeDefined();
+      expect(modulesConfig.advisor.name).toBe('advisor');
+    });
+    it('should have inventory module config', () => {
+      expect(modulesConfig.inventory).toBeDefined();
+      expect(modulesConfig.inventory.name).toBe('inventory');
+    });
+  });
+  describe('mockUser', () => {
+    it('should have identity with org_id FOREMAN', () => {
+      expect(mockUser.identity.org_id).toBe('FOREMAN');
+    });
+  });
+  describe('createProviderOptions', () => {
+    it('should have isBeta function', () => {
+      const options = createProviderOptions([]);
+      expect(options.api.chrome.isBeta).toBeInstanceOf(Function);
+      expect(options.api.chrome.isBeta()).toBe(false);
+    });
+    it('should have auth.getUser that resolves to mockUser', async () => {
+      const options = createProviderOptions([]);
+      expect(options.api.chrome.auth.getUser).toBeInstanceOf(Function);
+      const user = await options.api.chrome.auth.getUser();
+      expect(user).toEqual(mockUser);
+    });
+    it('should return empty array when no permissions provided', async () => {
+      const options = createProviderOptions([]);
+      const permissions = await options.api.chrome.auth.getUserPermissions();
+      expect(permissions).toEqual([]);
+    });
+    describe('getUserPermissions', () => {
+      const testPermissions = [
+        { permission: 'inventory:hosts:read', resourceDefinitions: [] },
+        {
+          permission: 'vulnerability:vulnerability_results:read',
+          resourceDefinitions: [],
+        },
+        {
+          permission: 'vulnerability:system.opt_out:read',
+          resourceDefinitions: [],
+        },
+      ];
+      it('should filter vulnerability permissions by app prefix', async () => {
+        const options = createProviderOptions(testPermissions);
+        const permissions = await options.api.chrome.auth.getUserPermissions(
+          'vulnerability'
+        );
+        expect(permissions).toHaveLength(2);
+        expect(permissions[0].permission).toBe(
+          'vulnerability:vulnerability_results:read'
+        );
+      });
+      it('should filter inventory permissions by app prefix', async () => {
+        const options = createProviderOptions(testPermissions);
+        const permissions = await options.api.chrome.auth.getUserPermissions(
+          'inventory'
+        );
+        expect(permissions).toHaveLength(1);
+        expect(permissions[0].permission).toBe('inventory:hosts:read');
+      });
+      it('should return all permissions when no app filter is provided', async () => {
+        const options = createProviderOptions(testPermissions);
+        const permissions = await options.api.chrome.auth.getUserPermissions();
+        expect(permissions).toHaveLength(3);
+      });
+      it('should return permissions in Chrome API format', async () => {
+        const options = createProviderOptions(testPermissions);
+        const permissions = await options.api.chrome.auth.getUserPermissions(
+          'vulnerability'
+        );
+        expect(permissions[0]).toHaveProperty('permission');
+        expect(permissions[0]).toHaveProperty('resourceDefinitions');
+        expect(Array.isArray(permissions[0].resourceDefinitions)).toBe(true);
+      });
+      it('should handle permissions with missing permission field', async () => {
+        const malformedPermissions = [
+          { permission: 'inventory:hosts:read', resourceDefinitions: [] },
+          { resourceDefinitions: [] }, // missing permission field
+          { permission: null, resourceDefinitions: [] },
+        ];
+        const options = createProviderOptions(malformedPermissions);
+        const permissions = await options.api.chrome.auth.getUserPermissions(
+          'inventory'
+        );
+        expect(permissions).toHaveLength(1);
+        expect(permissions[0].permission).toBe('inventory:hosts:read');
+      });
+    });
+  });
+});

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: foreman_rh_cloud
 version: !ruby/object:Gem::Version
-  version: 13.1.0
+  version: 13.2.0
 platform: ruby
 authors:
 - Foreman Red Hat Cloud team
@@ -631,7 +631,9 @@ files:
 - webpack/common/ForemanTasks/ForemanTasksHelpers.js
 - webpack/common/ForemanTasks/index.js
 - webpack/common/Hooks/ConfigHooks.js
+- webpack/common/Hooks/PermissionsHooks.js
 - webpack/common/ScalprumModule/ScalprumContext.js
+- webpack/common/ScalprumModule/__tests__/ScalprumContext.test.js
 - webpack/common/Switcher/HelpLabel.js
 - webpack/common/Switcher/SwitcherPF4.js
 - webpack/common/Switcher/SwitcherPF4.scss