manageiq-api-common 1.1.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f53d5e98416af5bcf21e208dd323bf3995fa35cd8b3acb1ecabe6ceb19d44de8
-  data.tar.gz: 0270d9ce153351bdc7d904cd40d226c259ef0ea55ae908bfdfb811c028c59445
+  metadata.gz: bf558ff2ddd7a2cbed5ffca066b2f769523d4fdd3b835d9497c280d97838f81b
+  data.tar.gz: 160883b30284ec6b53f0c14c43b66413ac9b9ab75a87766ebc91bdfb15b4c658
 SHA512:
-  metadata.gz: fbbf638e19fdf20d3575fed8db27e20e009d444f35ca86a2e6d03613ab41a8723d19ab59c4c77e9e9f4d978b3a07e5b8ef0aae6afc4b147d256f9041d4933fb7
-  data.tar.gz: 486713b3545ef4d3eeb5666c0c74c9669d2dc9cbe9bd81757872d8a4c4ff9b805813d068d11ecd0b6037947346b5fffb750bcca53cd806e47263088b914352fd
+  metadata.gz: 108cba357408d2e2889321672976053c8a2d45a0b2f189ad5c6534b6d1d9d0f30e9637681c6e45751b157acc38061f93cf805c08c5ecba2b367284e639061f44
+  data.tar.gz: 30f9ab415d4b6d949b1ae62d40ee22a53f0f0ec5c5a938da3cec4a98b926b472e95e33531cf7cb7f3f914d9ba3ca204916175ee1ca7a1dc4c8ac18f0dfa826b5

data/lib/manageiq/api/common.rb

@@ -1,4 +1,3 @@
-require "manageiq/api/common/api_error"
 require "manageiq/api/common/engine"
 require "manageiq/api/common/entitlement"
 require "manageiq/api/common/error_document"

data/lib/manageiq/api/common/application_controller_mixins/exception_handling.rb

@@ -0,0 +1,41 @@
+module ManageIQ
+  module API
+    module Common
+      module ApplicationControllerMixins
+        module ExceptionHandling
+          DEFAULT_ERROR_CODE = 400
+
+          def self.included(other)
+            other.rescue_from(StandardError, RuntimeError) do |exception|
+              errors = ManageIQ::API::Common::ErrorDocument.new.tap do |error_document|
+                exception_list_from(exception).each do |exc|
+                  code = exc.respond_to?(:code) ? exc.code : error_code_from_class(exc)
+                  error_document.add(code, "#{exc.class}: #{exc.message}")
+                end
+              end
+
+              render :json => errors.to_h, :status => error_code_from_class(exception)
+            end
+          end
+
+          def exception_list_from(exception)
+            [].tap do |arr|
+              until exception.nil?
+                arr << exception
+                exception = exception.cause
+              end
+            end
+          end
+
+          def error_code_from_class(exception)
+            if ActionDispatch::ExceptionWrapper.rescue_responses.key?(exception.class.to_s)
+              ActionDispatch::ExceptionWrapper.rescue_responses[exception.class.to_s]
+            else
+              DEFAULT_ERROR_CODE
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/manageiq/api/common/application_controller_mixins/request_body_validation.rb

@@ -12,16 +12,6 @@ module ManageIQ
             other.include(OpenapiEnabled)
 
             other.before_action(:validate_request)
-
-            other.rescue_from(ActionController::UnpermittedParameters) do |exception|
-              error_document = ManageIQ::API::Common::ErrorDocument.new.add(400, exception.message)
-              render :json => error_document.to_h, :status => error_document.status
-            end
-
-            other.rescue_from(ManageIQ::API::Common::ApplicationControllerMixins::RequestBodyValidation::BodyParseError) do |_exception|
-              error_document = ManageIQ::API::Common::ErrorDocument.new.add(400, "Failed to parse request body, expected JSON")
-              render :json => error_document.to_h, :status => error_document.status
-            end
           end
 
           private
@@ -32,7 +22,7 @@ module ManageIQ
               parsed_body = raw_body.blank? ? {} : JSON.parse(raw_body)
               ActionController::Parameters.new(parsed_body).permit!
             rescue JSON::ParserError
-              raise ManageIQ::API::Common::ApplicationControllerMixins::RequestBodyValidation::BodyParseError
+              raise ManageIQ::API::Common::ApplicationControllerMixins::RequestBodyValidation::BodyParseError, "Failed to parse request body, expected JSON"
             end
           end
 
@@ -50,9 +40,6 @@ module ManageIQ
               api_version,
               body_params.as_json
             )
-          rescue OpenAPIParser::OpenAPIError => exception
-            error_document = ManageIQ::API::Common::ErrorDocument.new.add(400, exception.message)
-            render :json => error_document.to_h, :status => :bad_request
           end
         end
       end

data/lib/manageiq/api/common/application_controller_mixins/request_path.rb

@@ -10,11 +10,6 @@ module ManageIQ
             other.extend(self::ClassMethods)
 
             other.before_action(:validate_primary_collection_id)
-
-            other.rescue_from(ManageIQ::API::Common::ApplicationControllerMixins::RequestPath::RequestPathError) do |exception|
-              error_document = ManageIQ::API::Common::ErrorDocument.new.add(400, exception.message)
-              render :json => error_document.to_h, :status => error_document.status
-            end
           end
 
           def request_path

data/lib/manageiq/api/common/open_api/generator.rb

@@ -105,6 +105,34 @@ module ManageIQ
             "##{SCHEMAS_PATH}/#{klass_name}"
           end
 
+          def build_schema_error_not_found
+            klass_name = "ErrorNotFound"
+
+            schemas[klass_name] = {
+              "type"       => "object",
+              "properties" => {
+                "errors"  => {
+                  "type"  => "array",
+                  "items" => {
+                    "type"        => "object",
+                    "properties"  => {
+                      "status"    => {
+                        "type"    => "integer",
+                        "example" => 404
+                      },
+                      "detail"    => {
+                        "type"    => "string",
+                        "example" => "Record not found"
+                      }
+                    }
+                  }
+                }
+              }
+            }
+
+            "##{SCHEMAS_PATH}/#{klass_name}"
+          end
+
           def parameters
             @parameters ||= {
               "QueryFilter" => {
@@ -158,10 +186,10 @@ module ManageIQ
           end
 
           def openapi_list_description(klass_name, primary_collection)
-            primary_collection = nil if primary_collection == klass_name
+            sub_collection = (primary_collection != klass_name)
             {
-              "summary"     => "List #{klass_name.pluralize}#{" for #{primary_collection}" if primary_collection}",
-              "operationId" => "list#{primary_collection}#{klass_name.pluralize}",
+              "summary"     => "List #{klass_name.pluralize}#{" for #{primary_collection}" if sub_collection}",
+              "operationId" => "list#{primary_collection if sub_collection}#{klass_name.pluralize}",
               "description" => "Returns an array of #{klass_name} objects",
               "parameters"  => [
                 { "$ref" => "##{PARAMETERS_PATH}/QueryLimit"  },
@@ -179,7 +207,18 @@ module ManageIQ
                 }
               }
             }.tap do |h|
-              h["parameters"] << { "$ref" => build_parameter("ID") } if primary_collection
+              h["parameters"] << { "$ref" => build_parameter("ID") } if sub_collection
+
+              next unless sub_collection
+
+              h["responses"]["404"] = {
+                "description" => "Not found",
+                "content"     => {
+                  "application/json" => {
+                    "schema"         => { "$ref" => build_schema_error_not_found }
+                  }
+                }
+              }
             end
           end
 
@@ -215,7 +254,14 @@ module ManageIQ
                     }
                   }
                 },
-                "404" => {"description" => "Not found"}
+                "404" => {
+                  "description" => "Not found",
+                  "content"     => {
+                    "application/json" => {
+                      "schema"         => { "$ref" => build_schema_error_not_found }
+                    }
+                  }
+                }
               }
             }
           end
@@ -228,7 +274,14 @@ module ManageIQ
               "parameters"  => [{ "$ref" => build_parameter("ID") }],
               "responses"   => {
                 "204" => { "description" => "#{klass_name} deleted" },
-                "404" => { "description" => "Not found"             }
+                "404" => {
+                  "description" => "Not found",
+                  "content"     => {
+                    "application/json" => {
+                      "schema"         => { "$ref" => build_schema_error_not_found }
+                    }
+                  }
+                }
               }
             }
           end
@@ -281,7 +334,14 @@ module ManageIQ
               "responses"   => {
                 "204" => { "description" => "Updated, no content" },
                 "400" => { "description" => "Bad request"         },
-                "404" => { "description" => "Not found"           }
+                "404" => {
+                  "description" => "Not found",
+                  "content"     => {
+                    "application/json" => {
+                      "schema"         => { "$ref" => build_schema_error_not_found }
+                    }
+                  }
+                }
               }
             }
           end

data/lib/manageiq/api/common/rbac/access.rb

@@ -0,0 +1,66 @@
+module ManageIQ
+  module API
+    module Common
+      module RBAC
+        class Access
+          attr_reader :acl
+          DEFAULT_LIMIT = 500
+          def initialize(resource, verb)
+            @resource = resource
+            @verb     = verb
+            @regexp   = Regexp.new(":(#{Regexp.escape(@resource)}|\\*):(#{Regexp.escape(@verb)}|\\*)")
+            @app_name = ENV["APP_NAME"]
+          end
+
+          def process
+            Service.call(RBACApiClient::AccessApi) do |api|
+              @acl ||= Service.paginate(api, :get_principal_access, {:limit => DEFAULT_LIMIT}, @app_name).select do |item|
+                @regexp.match?(item.permission)
+              end
+            end
+            self
+          end
+
+          def accessible?
+            @acl.any?
+          end
+
+          def id_list
+            ids.include?('*') ? [] : ids
+          end
+
+          def owner_scoped?
+            ids.include?('*') ? false : owner_scope_filter?
+          end
+
+          def self.enabled?
+            ENV['BYPASS_RBAC'].blank?
+          end
+
+          private
+
+          def ids
+            @ids ||= @acl.each_with_object([]) do |item, ids|
+              item.resource_definitions.each do |rd|
+                next unless rd.attribute_filter.key == 'id'
+                next unless rd.attribute_filter.operation == 'equal'
+
+                ids << rd.attribute_filter.value
+              end
+            end
+          end
+
+          def owner_scope_filter?
+            @acl.any? do |item|
+              item.resource_definitions.any? do |rd|
+                rd.attribute_filter.key == 'owner' &&
+                  rd.attribute_filter.operation == 'equal' &&
+                  rd.attribute_filter.value == '{{username}}'
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/manageiq/api/common/rbac/acl.rb

@@ -0,0 +1,74 @@
+module ManageIQ
+  module API
+    module Common
+      module RBAC
+        class ACL
+          def create(resource_id, permissions)
+            permissions.collect do |permission|
+              create_acl(permission, resource_id)
+            end
+          end
+
+          def remove(acls, resource_id, permissions)
+            permissions.each_with_object(acls) do |permission, as|
+              delete_matching(as, resource_id, permission)
+            end
+          end
+
+          def add(acls, resource_id, permissions)
+            new_acls = permissions.each_with_object([]) do |permission, as|
+              next if find_matching(acls, resource_id, permission)
+
+              as << create_acl(permission, resource_id)
+            end
+            new_acls + acls
+          end
+
+          def resource_defintions_empty?(acls, permission)
+            acls.each do |acl|
+              if acl.permission == permission
+                return acl.resource_definitions.empty?
+              end
+            end
+            true
+          end
+
+          private
+
+          def create_acl(permission, resource_id = nil)
+            resource_def = resource_definition(resource_id) if resource_id
+            RBACApiClient::Access.new.tap do |access|
+              access.permission = permission
+              access.resource_definitions = resource_def ? [resource_def] : []
+            end
+          end
+
+          def resource_definition(resource_id)
+            rdf = RBACApiClient::ResourceDefinitionFilter.new.tap do |obj|
+              obj.key       = 'id'
+              obj.operation = 'equal'
+              obj.value     = resource_id.to_s
+            end
+
+            RBACApiClient::ResourceDefinition.new.tap do |rd|
+              rd.attribute_filter = rdf
+            end
+          end
+
+          def matches?(access, resource_id, permission)
+            access.permission == permission &&
+              access.resource_definitions.any? { |rdf| rdf.attribute_filter.key == 'id' && rdf.attribute_filter.operation == 'equal' && rdf.attribute_filter.value == resource_id.to_s }
+          end
+
+          def find_matching(acls, resource_id, permission)
+            acls.detect { |access| matches?(access, resource_id, permission) }
+          end
+
+          def delete_matching(acls, resource_id, permission)
+            acls.delete_if { |access| matches?(access, resource_id, permission) }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/manageiq/api/common/rbac/policies.rb

@@ -0,0 +1,33 @@
+module ManageIQ
+  module API
+    module Common
+      module RBAC
+        class Policies
+          def initialize(prefix)
+            @prefix = prefix
+          end
+
+          def add_policy(policy_name, description, group_name, role_uuid)
+            Service.call(RBACApiClient::PolicyApi) do |api_instance|
+              policy_in = RBACApiClient::PolicyIn.new
+              policy_in.name = policy_name
+              policy_in.description = description
+              policy_in.group = group_name
+              policy_in.roles = [role_uuid]
+              api_instance.create_policies(policy_in)
+            end
+          end
+
+          # delete all policies that contains the role.
+          def delete_policy(role)
+            Service.call(RBACApiClient::PolicyApi) do |api_instance|
+              Service.paginate(api_instance, :list_policies, :name => @prefix).each do |policy|
+                api_instance.delete_policy(policy.uuid) if policy.roles.map(&:uuid).include?(role.uuid)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/manageiq/api/common/rbac/query_shared_resource.rb

@@ -0,0 +1,45 @@
+module ManageIQ
+  module API
+    module Common
+      module RBAC
+        class QuerySharedResource
+          require 'rbac-api-client'
+
+          include Utilities
+          attr_accessor :share_info
+
+          def initialize(options)
+            @app_name = options[:app_name]
+            @resource_id = options[:resource_id]
+            @resource_name = options[:resource_name]
+            @share_info = []
+            @roles = RBAC::Roles.new("#{@app_name}-#{@resource_name}-#{@resource_id}")
+          end
+
+          def process
+            build_share_info
+            self
+          end
+
+          private
+
+          def build_share_info
+            @roles.with_each_role do |role|
+              _id, group_uuid = parse_ids_from_name(role.name)
+              group = get_group(group_uuid)
+              @share_info << { 'group_name'  => group.name,
+                               'group_uuid'  => group.uuid,
+                               'permissions' => role.access.collect(&:permission)}
+            end
+          end
+
+          def get_group(uuid)
+            Service.call(RBACApiClient::GroupApi) do |api_instance|
+              api_instance.get_group(uuid)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/manageiq/api/common/rbac/roles.rb

@@ -0,0 +1,77 @@
+module ManageIQ
+  module API
+    module Common
+      module RBAC
+        class Roles
+          attr_reader :roles
+
+          def initialize(prefix = nil, scope = 'principal')
+            @roles = {}
+            load(prefix, scope)
+          end
+
+          def find(name)
+            uuid = @roles[name]
+            get(uuid) if uuid
+          end
+
+          def with_each_role
+            @roles.each_value do |uuid|
+              yield get(uuid)
+            end
+          end
+
+          def add(name, acls)
+            Service.call(RBACApiClient::RoleApi) do |api_instance|
+              role_in = RBACApiClient::RoleIn.new
+              role_in.name = name
+              role_in.access = acls
+              api_instance.create_roles(role_in).tap do |role|
+                @roles[name] = role.uuid
+              end
+            end
+          end
+
+          def update(role)
+            Service.call(RBACApiClient::RoleApi) do |api_instance|
+              api_instance.update_role(role.uuid, role)
+            end
+          end
+
+          def delete(role)
+            @roles.delete(role.name)
+            Service.call(RBACApiClient::RoleApi) do |api_instance|
+              api_instance.delete_role(role.uuid)
+            end
+          end
+
+          def self.assigned_role?(role_name)
+            opts = { :name  => role_name,
+                     :scope => 'principal' }
+
+            Service.call(RBACApiClient::RoleApi) do |api_instance|
+              Service.paginate(api_instance, :list_roles, opts).count.positive?
+            end
+          end
+
+          private
+
+          def load(prefix, scope)
+            opts = { :scope => scope, :name => prefix, :limit => 500 }
+            Service.call(RBACApiClient::RoleApi) do |api_instance|
+              Service.paginate(api_instance, :list_roles, opts).each do |role|
+                @roles[role.name] = role.uuid
+              end
+            end
+          end
+
+          def get(uuid)
+            Service.call(RBACApiClient::RoleApi) do |api_instance|
+              api_instance.get_role(uuid)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/manageiq/api/common/rbac/seed.rb

@@ -0,0 +1,140 @@
+module ManageIQ
+  module API
+    module Common
+      module RBAC
+        require 'rbac-api-client'
+
+        class Seed
+          def initialize(seed_file, user_file)
+            @acl_data = YAML.load_file(seed_file)
+            @request = create_request(user_file)
+          end
+
+          def process
+            ManageIQ::API::Common::Request.with_request(@request) do
+              create_groups
+              create_roles
+              create_policies
+            end
+          end
+
+          private
+
+          def create_groups
+            current = current_groups
+            names = current.collect(&:name)
+            group = RBACApiClient::Group.new
+            begin
+              Service.call(RBACApiClient::GroupApi) do |api_instance|
+                @acl_data['groups'].each do |grp|
+                  next if names.include?(grp['name'])
+
+                  Rails.logger.info("Creating #{grp['name']}")
+                  group.name = grp['name']
+                  group.description = grp['description']
+                  api_instance.create_group(group)
+                end
+              end
+            rescue RBACApiClient::ApiError => e
+              Rails.logger.error("Exception when calling GroupApi->create_group: #{e}")
+              raise
+            end
+          end
+
+          def current_groups
+            Service.call(RBACApiClient::GroupApi) do |api|
+              Service.paginate(api, :list_groups,  {}).to_a
+            end
+          end
+
+          def create_roles
+            current = current_roles
+            names = current.collect(&:name)
+            role_in = RBACApiClient::RoleIn.new
+            begin
+              Service.call(RBACApiClient::RoleApi) do |api_instance|
+                @acl_data['roles'].each do |role|
+                  next if names.include?(role['name'])
+
+                  role_in.name = role['name']
+                  role_in.access = []
+                  role['access'].each do |obj|
+                    access = RBACApiClient::Access.new
+                    access.permission = obj['permission']
+                    access.resource_definitions = create_rds(obj)
+                    role_in.access << access
+                  end
+                  api_instance.create_roles(role_in)
+                end
+              end
+            rescue RBACApiClient::ApiError => e
+              Rails.logger.error("Exception when calling RoleApi->create_roles: #{e}")
+              raise
+            end
+          end
+
+          def create_rds(obj)
+            obj.fetch('resource_definitions', []).collect do |item|
+              RBACApiClient::ResourceDefinition.new.tap do |rd|
+                rd.attribute_filter = RBACApiClient::ResourceDefinitionFilter.new.tap do |rdf|
+                  rdf.key = item['attribute_filter']['key']
+                  rdf.value = item['attribute_filter']['value']
+                  rdf.operation = item['attribute_filter']['operation']
+                end
+              end
+            end
+          end
+
+          def current_roles
+            Service.call(RBACApiClient::RoleApi) do |api|
+              Service.paginate(api, :list_roles, {}).to_a
+            end
+          end
+
+          def create_policies
+            names = current_policies.collect(&:name)
+            groups = current_groups
+            roles = current_roles
+            policy_in = RBACApiClient::PolicyIn.new
+            begin
+              Service.call(RBACApiClient::PolicyApi) do |api_instance|
+                @acl_data['policies'].each do |policy|
+                  next if names.include?(policy['name'])
+
+                  policy_in.name = policy['name']
+                  policy_in.description = policy['description']
+                  policy_in.group = find_uuid('Group', groups, policy['group']['name'])
+                  policy_in.roles = [find_uuid('Role', roles, policy['role']['name'])]
+                  api_instance.create_policies(policy_in)
+                end
+              end
+            rescue RBACApiClient::ApiError => e
+              Rails.logger.error("Exception when calling PolicyApi->create_policies: #{e}")
+              raise
+            end
+          end
+
+          def current_policies
+            Service.call(RBACApiClient::PolicyApi) do |api|
+              Service.paginate(api, :list_policies, {}).to_a
+            end
+          end
+
+          def find_uuid(type, data, name)
+            result = data.detect { |item| item.name == name }
+            raise "#{type} #{name} not found in RBAC service" unless result
+
+            result.uuid
+          end
+
+          def create_request(user_file)
+            raise "File #{user_file} not found" unless File.exist?(user_file)
+
+            user = YAML.load_file(user_file)
+            {:headers => {'x-rh-identity' => Base64.strict_encode64(user.to_json)}, :original_url => '/'}
+          end
+        end
+      end
+    end
+  end
+end

data/lib/manageiq/api/common/rbac/service.rb

@@ -0,0 +1,67 @@
+module ManageIQ
+  module API
+    module Common
+      module RBAC
+        require 'rbac-api-client'
+
+        class Service
+          def self.call(klass)
+            setup
+            yield init(klass)
+          rescue RBACApiClient::ApiError => err
+            Rails.logger.error("RBACApiClient::ApiError #{err.message} ")
+            raise
+          end
+
+          def self.paginate(obj, method, pagination_options, *method_args)
+            Enumerator.new do |enum|
+              opts = { :limit => 10, :offset => 0 }.merge(pagination_options)
+              count = nil
+              fetched = 0
+              begin
+                loop do
+                  args = [method_args, opts].flatten.compact
+                  result = obj.send(method, *args)
+                  count ||= result.meta.count
+                  opts[:offset] = opts[:offset] + result.data.count
+                  result.data.each do |element|
+                    enum.yield element
+                  end
+                  fetched += result.data.count
+                  break if count == fetched || result.data.empty?
+                end
+              rescue StandardError => e
+                Rails.logger.error("Exception when calling pagination on #{method} #{e}")
+                raise
+              end
+            end
+          end
+
+          private_class_method def self.setup
+            RBACApiClient.configure do |config|
+              config.host   = ENV['RBAC_URL'] || 'localhost'
+              config.scheme = URI.parse(ENV['RBAC_URL']).try(:scheme) || 'http'
+              dev_credentials(config)
+            end
+          end
+
+          private_class_method def self.init(klass)
+            headers = ManageIQ::API::Common::Request.current_forwardable
+            Rails.logger.info("Sending Headers to RBAC #{headers}")
+            klass.new.tap do |api|
+              api.api_client.default_headers = api.api_client.default_headers.merge(headers)
+            end
+          end
+
+          private_class_method def self.dev_credentials(config)
+            # Set up user/pass for basic auth if we're in dev and they exist.
+            if Rails.env.development?
+              config.username = ENV.fetch('DEV_USERNAME')
+              config.password = ENV.fetch('DEV_PASSWORD')
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/manageiq/api/common/rbac/share_resource.rb

@@ -0,0 +1,60 @@
+module ManageIQ
+  module API
+    module Common
+      module RBAC
+        class ShareResource
+          require 'rbac-api-client'
+          include Utilities
+
+          def initialize(options)
+            @app_name = options[:app_name]
+            @resource_name = options[:resource_name]
+            @permissions = options[:permissions]
+            @resource_ids = options[:resource_ids]
+            @group_uuids = SortedSet.new(options[:group_uuids])
+            @acls = RBAC::ACL.new
+          end
+
+          def process
+            validate_groups
+            @roles = RBAC::Roles.new("#{@app_name}-#{@resource_name}-")
+            @group_uuids.each { |uuid| manage_roles_for_group(uuid) }
+            self
+          end
+
+          private
+
+          def manage_roles_for_group(group_uuid)
+            @resource_ids.each do |resource_id|
+              name = unique_name(resource_id, group_uuid)
+              role = @roles.find(name)
+              role ? update_existing_role(role, resource_id) : add_new_role(name, group_uuid, resource_id)
+            end
+          end
+
+          def update_existing_role(role, resource_id)
+            role.access = @acls.add(role.access, resource_id, @permissions)
+            @roles.update(role) if role.access.present?
+          end
+
+          def add_new_role(name, group_uuid, resource_id)
+            acls = @acls.create(resource_id, @permissions)
+            role = @roles.add(name, acls)
+            add_policy(name, group_uuid, role.uuid)
+          end
+
+          def add_policy(name, group_uuid, role_uuid)
+            Service.call(RBACApiClient::PolicyApi) do |api_instance|
+              policy_in = RBACApiClient::PolicyIn.new
+              policy_in.name = name
+              policy_in.description = 'Shared Policy'
+              policy_in.group = group_uuid
+              policy_in.roles = [role_uuid]
+              api_instance.create_policies(policy_in)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/manageiq/api/common/rbac/unshare_resource.rb

@@ -0,0 +1,32 @@
+module ManageIQ
+  module API
+    module Common
+      module RBAC
+        require 'rbac-api-client'
+
+        class UnshareResource < ShareResource
+          attr_accessor :count
+
+          def initialize(options)
+            @count = 0
+            super
+          end
+
+          private
+
+          def manage_roles_for_group(group_uuid)
+            @resource_ids.each do |resource_id|
+              name = unique_name(resource_id, group_uuid)
+              role = @roles.find(name)
+              next unless role
+
+              role.access = @acls.remove(role.access, resource_id, @permissions)
+              role.access.present? ? @roles.update(role) : @roles.delete(role)
+              @count += 1
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/manageiq/api/common/rbac/utilities.rb

@@ -0,0 +1,30 @@
+module ManageIQ
+  module API
+    module Common
+      module RBAC
+        module Utilities
+          def validate_groups
+            Service.call(RBACApiClient::GroupApi) do |api|
+              uuids = SortedSet.new
+              Service.paginate(api, :list_groups, {}).each { |group| uuids << group.uuid }
+              missing = @group_uuids - uuids
+              raise ManageIQ::API::Common::InvalidParameter, "The following group uuids are missing #{missing.to_a.join(",")}" unless missing.empty?
+            end
+          end
+
+          def unique_name(resource_id, group_id)
+            "#{@app_name}-#{@resource_name}-#{resource_id}-group-#{group_id}"
+          end
+
+          def parse_ids_from_name(name)
+            @regexp ||= Regexp.new("#{@app_name}-#{@resource_name}-(?<resource_id>.*)-group-(?<group_uuid>.*)")
+            result = @regexp.match(name)
+            if result
+              [result[:resource_id], result[:group_uuid]]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/manageiq/api/common/request.rb

@@ -7,6 +7,9 @@ module ManageIQ
         end
       end
 
+      class InvalidParameter < StandardError
+      end
+
       class Request
         REQUEST_ID_KEY = "x-rh-insights-request-id".freeze
         IDENTITY_KEY   = 'x-rh-identity'.freeze

data/lib/manageiq/api/common/version.rb

@@ -1,7 +1,7 @@
 module ManageIQ
   module API
     module Common
-      VERSION = "1.1.0".freeze
+      VERSION = "2.0.0".freeze
     end
   end
 end

data/spec/support/rbac_shared_contexts.rb

@@ -0,0 +1,44 @@
+RSpec.shared_context "rbac_objects" do
+  let(:app_name) { 'catalog' }
+  let(:resource) { "portfolios" }
+  let(:permissions) { ["#{app_name}:#{resource}:read"] }
+  let(:resource_id1) { "1" }
+  let(:resource_id2) { "2" }
+  let(:resource_id3) { "3" }
+  let(:group1) { instance_double(RBACApiClient::GroupOut, :name => 'group1', :uuid => "123") }
+  let(:group2) { instance_double(RBACApiClient::GroupOut, :name => 'group2', :uuid => "12345") }
+  let(:group3) { instance_double(RBACApiClient::GroupOut, :name => 'group3', :uuid => "45665") }
+  let(:role1) { instance_double(RBACApiClient::RoleOut, :name => "#{app_name}-#{resource}-#{resource_id1}-group-#{group1.uuid}", :uuid => "67899") }
+  let(:role2) { instance_double(RBACApiClient::RoleOut, :name => "#{app_name}-#{resource}-#{resource_id2}-group-#{group1.uuid}", :uuid => "55555") }
+  let(:role1_detail) { instance_double(RBACApiClient::RoleWithAccess, :name => role1.name, :uuid => role1.uuid, :access => [access1]) }
+  let(:role2_detail) { instance_double(RBACApiClient::RoleWithAccess, :name => role2.name, :uuid => role2.uuid, :access => []) }
+  let(:role1_detail_updated) { instance_double(RBACApiClient::RoleWithAccess, :name => role1.name, :uuid => role1.uuid, :access => []) }
+  let(:groups) { [group1, group2, group3] }
+  let(:roles) { [role1] }
+  let(:policies) { [instance_double(RBACApiClient::PolicyIn, :group => group1, :roles => roles)] }
+  let(:filter1) { instance_double(RBACApiClient::ResourceDefinitionFilter, :key => 'id', :operation => 'equal', :value => resource_id1) }
+  let(:resource_def1) { instance_double(RBACApiClient::ResourceDefinition, :attribute_filter => filter1) }
+  let(:filter2) { instance_double(RBACApiClient::ResourceDefinitionFilter, :key => 'id', :operation => 'equal', :value => resource_id2) }
+  let(:resource_def2) { instance_double(RBACApiClient::ResourceDefinition, :attribute_filter => filter2) }
+  let(:filter3) { instance_double(RBACApiClient::ResourceDefinitionFilter, :key => 'id', :operation => 'equal', :value => resource_id3) }
+  let(:resource_def3) { instance_double(RBACApiClient::ResourceDefinition, :attribute_filter => filter3) }
+  let(:filter4) { instance_double(RBACApiClient::ResourceDefinitionFilter, :key => 'id', :operation => 'equal', :value => '*') }
+  let(:resource_def4) { instance_double(RBACApiClient::ResourceDefinition, :attribute_filter => filter4) }
+  let(:access1) { instance_double(RBACApiClient::Access, :permission => "#{app_name}:#{resource}:read", :resource_definitions => [resource_def1]) }
+  let(:access2) { instance_double(RBACApiClient::Access, :permission => "#{app_name}:#{resource}:write", :resource_definitions => [resource_def2]) }
+  let(:access3) { instance_double(RBACApiClient::Access, :permission => "#{app_name}:#{resource}:order", :resource_definitions => []) }
+  let(:admin_access) { instance_double(RBACApiClient::Access, :permission => "#{app_name}:#{resource}:read", :resource_definitions => [resource_def4]) }
+  let(:group_uuids) { [group1.uuid, group2.uuid, group3.uuid] }
+  let(:api_instance) { double }
+  let(:rs_class) { class_double("ManageIQ::API::Common::RBAC::Service").as_stubbed_const(:transfer_nested_constants => true) }
+  let(:current_user) { '{{username}}' }
+  let(:id_value) { '*' }
+  let(:owner_filter) { instance_double(RBACApiClient::ResourceDefinitionFilter, :key => 'owner', :operation => 'equal', :value => current_user) }
+  let(:owner_resource_def) { instance_double(RBACApiClient::ResourceDefinition, :attribute_filter => owner_filter) }
+  let(:id_filter) { instance_double(RBACApiClient::ResourceDefinitionFilter, :key => 'id', :operation => 'equal', :value => id_value) }
+  let(:id_resource_def) { instance_double(RBACApiClient::ResourceDefinition, :attribute_filter => id_filter) }
+  let(:owner_resource) { 'orders' }
+  let(:owner_permission) { "#{app_name}:#{owner_resource}:read" }
+  let(:owner_access) { instance_double(RBACApiClient::Access, :permission => owner_permission, :resource_definitions => [owner_resource_def]) }
+  let(:all_access) { instance_double(RBACApiClient::Access, :permission => owner_permission, :resource_definitions => [id_resource_def]) }
+end

data/spec/support/service_spec_helper.rb

@@ -0,0 +1,26 @@
+module ServiceSpecHelper
+  RSpec.configure do |config|
+    config.around(:example, :type => :service) do |example|
+      default_tenant = Tenant.first_or_create!(:external_tenant => default_account_number)
+
+      ActsAsTenant.with_tenant(default_tenant) do
+        example.call
+      end
+
+      Tenant.delete_all
+    end
+  end
+
+  def default_headers
+    { 'x-rh-identity'            => encoded_user_hash,
+      'x-rh-insights-request-id' => 'gobbledygook' }
+  end
+
+  def original_url
+    "http://example.com"
+  end
+
+  def default_request
+    { :headers => default_headers, :original_url => original_url }
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: manageiq-api-common
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 2.0.0
 platform: ruby
 authors:
 - ManageIQ Authors
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-10-15 00:00:00.000000000 Z
+date: 2019-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acts_as_tenant
@@ -134,14 +134,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.5.0
+        version: 0.6.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.5.0
+        version: 0.6.1
 - !ruby/object:Gem::Dependency
   name: graphql
   requirement: !ruby/object:Gem::Requirement
@@ -288,6 +288,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Header, Encryption, RBAC, Serialization, Pagination and other common
   behavior for microservices
 email: 
@@ -307,9 +321,9 @@ files:
 - lib/generators/shared_utilities/templates/migration_existing.rb
 - lib/manageiq-api-common.rb
 - lib/manageiq/api/common.rb
-- lib/manageiq/api/common/api_error.rb
 - lib/manageiq/api/common/application_controller_mixins/api_doc.rb
 - lib/manageiq/api/common/application_controller_mixins/common.rb
+- lib/manageiq/api/common/application_controller_mixins/exception_handling.rb
 - lib/manageiq/api/common/application_controller_mixins/openapi_enabled.rb
 - lib/manageiq/api/common/application_controller_mixins/parameters.rb
 - lib/manageiq/api/common/application_controller_mixins/request_body_validation.rb
@@ -341,13 +355,25 @@ files:
 - lib/manageiq/api/common/open_api/serializer.rb
 - lib/manageiq/api/common/option_redirect_enhancements.rb
 - lib/manageiq/api/common/paginated_response.rb
+- lib/manageiq/api/common/rbac/access.rb
+- lib/manageiq/api/common/rbac/acl.rb
+- lib/manageiq/api/common/rbac/policies.rb
+- lib/manageiq/api/common/rbac/query_shared_resource.rb
+- lib/manageiq/api/common/rbac/roles.rb
+- lib/manageiq/api/common/rbac/seed.rb
+- lib/manageiq/api/common/rbac/service.rb
+- lib/manageiq/api/common/rbac/share_resource.rb
+- lib/manageiq/api/common/rbac/unshare_resource.rb
+- lib/manageiq/api/common/rbac/utilities.rb
 - lib/manageiq/api/common/request.rb
 - lib/manageiq/api/common/routing.rb
 - lib/manageiq/api/common/user.rb
 - lib/manageiq/api/common/version.rb
 - lib/tasks/manageiq/api/common_tasks.rake
 - spec/support/default_as_json.rb
+- spec/support/rbac_shared_contexts.rb
 - spec/support/requests_spec_helper.rb
+- spec/support/service_spec_helper.rb
 - spec/support/user_header_spec_helper.rb
 homepage: https://github.com/ManageIQ/manageiq-api-common.git
 licenses:

data/lib/manageiq/api/common/api_error.rb

@@ -1,21 +0,0 @@
-module ManageIQ
-  module API
-    module Common
-      class ApiError < StandardError
-        attr_reader :errors
-
-        def initialize(status, detail)
-          @errors = ErrorDocument.new.add(status, detail)
-        end
-
-        def status
-          @errors.status
-        end
-
-        def add(status, detail)
-          @errors.add(status, detail)
-        end
-      end
-    end
-  end
-end