fix: corrected rbac parsing

RedHatInsights · Aug 16, 2023 · 9f31aac · 9f31aac
1 parent 4109bc6
commit 9f31aac
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 17 deletions.
diff --git a/manager/rbac_manager.py b/manager/rbac_manager.py
@@ -101,30 +101,34 @@ def _parse_permissions(self, response: dict) -> [RbacPermission]:
         return res
 
     @staticmethod
-    def _find_host_groups(role_list) -> List[List[Dict[str, str]]]:
+    def _find_host_groups(role_list):
         """Retreive list of inventory groups from RBAC response"""
         res = []
         if CFG.disable_inventory_groups:
             return []
-        no_permission = True
         for role in role_list:
-            if role.get("permission") not in {"inventory:hosts:read", "inventory:hosts:*"}:
+            if role.get("permission") not in {
+                "inventory:hosts:read",
+                "inventory:hosts:*",
+                "inventory:*:read",
+                "inventory:*:*"
+            }:
                 continue
-            no_permission = False
-            definitions = role.get('resourceDefinitions', [])
-            # When resourceDefinitions is [], put None to res to include ungroupped systems
-            if not definitions:
-                res.append(None)
-            for rscdef in definitions:
-                attrfilter = rscdef.get('attributeFilter', {})
-                if attrfilter.get('key') != 'group.id':
+            #  If there is no attributeFilter or resourceDefinition for the permission
+            #  (or the values are empty, i.e. []), the user has access to all hosts
+            rscdef = role.get("resourceDefinitions")
+            if not rscdef:
+                return []  # global access
+            for resource_definition in rscdef:
+                attrfilter = resource_definition.get("attributeFilter")
+                if not attrfilter:
+                    return []  # global access
+                if attrfilter.get("key") != "group.id":
                     continue
-                if attrfilter.get('value') == []:
-                    # if there are only [] values /no access to hosts/, `set(res)` will be == {""}
-                    res.append("")
-                res.extend(attrfilter.get('value', []))
+                ids = attrfilter.get("value", [])
+                res.extend(ids)
 
-        if no_permission or set(res) == {""}:
+        if not res:
             return None
         return [[{"id": x}] if x else [] for x in res]
 

diff --git a/tests/manager_tests/test_rbac_manager.py b/tests/manager_tests/test_rbac_manager.py
@@ -279,7 +279,7 @@ def test_fetch_groups_no_inventory(self, monkeypatch):
         self._prepare_user_permissions(RBAC_RESPONSE_ANY, rbac_mng, monkeypatch)
 
         _, group_ids = rbac_mng.fetch_permissions(0)
-        assert group_ids == [[]]
+        assert group_ids == []
 
     def test_fetch_groups_ungrouped_only(self, monkeypatch):
         """Test inventory groups parsing - access to ungrouped systems only"""