From 94b42bffdffc64466c4aa4bff703ac8455229273 Mon Sep 17 00:00:00 2001
From: Madalyn Parker
Date: Tue, 30 Oct 2018 13:11:29 -0400
Subject: [PATCH 1/2] add test for revoking lease with update capabilities, change capabilities prefix logic
---
 ui/app/models/capabilities.js | 2 +-
 ui/tests/unit/models/capabilities-test.js | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/ui/app/models/capabilities.js b/ui/app/models/capabilities.js
index 2fea24ba7703..04b91b146c93 100644
--- a/ui/app/models/capabilities.js
+++ b/ui/app/models/capabilities.js
@@ -33,7 +33,7 @@ const computedCapability = function(capability) {
 return false;
 }
 // if the path is sudo protected, they'll need sudo + the appropriate capability
- if (SUDO_PATHS.includes(path) || SUDO_PATH_PREFIXES.find(item => item.startsWith(path))) {
+ if (SUDO_PATHS.includes(path) || SUDO_PATH_PREFIXES.find(item => path.startsWith(item))) {
 return capabilities.includes('sudo') && capabilities.includes(capability);
 }
 return capabilities.includes(capability);
diff --git a/ui/tests/unit/models/capabilities-test.js b/ui/tests/unit/models/capabilities-test.js
index fdd545022858..65c01048d5f5 100644
--- a/ui/tests/unit/models/capabilities-test.js
+++ b/ui/tests/unit/models/capabilities-test.js
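Review bot: The corrected prefix test on the new `if` line in `ui/app/models/capabilities.js` is a raw string-prefix match with no normalisation, so if `path` can arrive in a different form (for example with a leading `/`) it would miss every entry in `SUDO_PATH_PREFIXES` and fall through to the plain `capabilities.includes(capability)` check. This computed value appears to drive only what the UI offers, with the server presumably remaining the authority on sudo, so a mismatch would show a control that the server then rejects; a comment such as `// UI hint only: the server enforces sudo on these paths` would make that explicit. `find` is used here purely for truthiness, and `SUDO_PATH_PREFIXES.some(item => path.startsWith(item))` states the intent and returns a boolean. The body of `computedCapability` starts and ends outside the hunk, so the guard that precedes `return false;` is not visible here.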
@@ -81,4 +81,18 @@ module('Unit | Model | capabilities', function(hooks) {
 assert.notOk(model.get('canDelete'));
 assert.notOk(model.get('canList'));
 });
+
+ test('it does not require sudo on sys/leases/revoke if update capability is present', function(assert) {
+ let model = run(() =>
+ this.owner.lookup('service:store').createRecord('capabilities', {
+ path: 'sys/leases/revoke',
+ capabilities: ['update', 'read'],
+ })
+ );
+ assert.ok(model.get('canRead'));
+ assert.notOk(model.get('canCreate'), 'sudo requires the capability to be set as well');
+ assert.ok(model.get('canUpdate'), 'should not require sudo if it has update');
+ assert.notOk(model.get('canDelete'));
+ assert.notOk(model.get('canList'));
+ });
 });
From 8873339a7e1963d81fba7928d0b3ba6b1c2cffa4 Mon Sep 17 00:00:00 2001
From: Madalyn Parker
Date: Tue, 30 Oct 2018 15:15:23 -0400
Subject: [PATCH 2/2] add a couple more tests for capabilities function
---
 ui/tests/unit/models/capabilities-test.js | 30 ++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/ui/tests/unit/models/capabilities-test.js b/ui/tests/unit/models/capabilities-test.js
index 65c01048d5f5..cd490fce972c 100644
--- a/ui/tests/unit/models/capabilities-test.js
+++ b/ui/tests/unit/models/capabilities-test.js
@@ -82,7 +82,7 @@ module('Unit | Model | capabilities', function(hooks) {
 assert.notOk(model.get('canList'));
 });
- test('it does not require sudo on sys/leases/revoke if update capability is present', function(assert) {
+ test('it does not require sudo on sys/leases/revoke if update capability is present and path is not fully a sudo prefix', function(assert) {
 let model = run(() =>
 this.owner.lookup('service:store').createRecord('capabilities', {
 path: 'sys/leases/revoke',
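Review bot: The message on the `canCreate` assertion in the test added by the first patch (`@@ -81,4 +81,18 @@`), `'sudo requires the capability to be set as well'`, does not describe this case. The premise of the test is that `sys/leases/revoke` is not sudo-protected, and `canCreate` is false only because `create` is absent from `capabilities: ['update', 'read']`. A message such as `'create was not granted'` would keep a failing run from sending the reader to the sudo branch of the model.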
@@ -95,4 +95,32 @@ module('Unit | Model | capabilities', function(hooks) {
 assert.notOk(model.get('canDelete'));
 assert.notOk(model.get('canList'));
 });
+
+ test('it requires sudo on prefix path even if capability is present', function(assert) {
+ let model = run(() =>
+ this.owner.lookup('service:store').createRecord('capabilities', {
+ path: SUDO_PATH_PREFIXES[0] + '/aws',
+ capabilities: ['update', 'read'],
+ })
+ );
+ assert.notOk(model.get('canRead'));
+ assert.notOk(model.get('canCreate'));
+ assert.notOk(model.get('canUpdate'), 'should still require sudo');
+ assert.notOk(model.get('canDelete'));
+ assert.notOk(model.get('canList'));
+ });
+
+ test('it does not require sudo on prefix path if both update and sudo capabilities are present', function(assert) {
+ let model = run(() =>
+ this.owner.lookup('service:store').createRecord('capabilities', {
+ path: SUDO_PATH_PREFIXES[0] + '/aws',
+ capabilities: ['sudo', 'update', 'read'],
+ })
+ );
+ assert.ok(model.get('canRead'));
+ assert.notOk(model.get('canCreate'));
+ assert.ok(model.get('canUpdate'), 'should not require sudo');
+ assert.notOk(model.get('canDelete'));
+ assert.notOk(model.get('canList'));
+ });
 });
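Review bot: Both added tests exercise only `SUDO_PATH_PREFIXES[0]` with a `/aws` suffix, so a regression affecting a later entry, or the bare prefix with nothing appended, would pass unnoticed; wrapping the body in `SUDO_PATH_PREFIXES.forEach(prefix => { ... })` and checking both `prefix` and `prefix + '/aws'` would pin the whole list. The second test's title and its `'should not require sudo'` message say the opposite of what is asserted, since sudo is required on this path and is present in `capabilities`; a title like `'it allows update on a prefix path when both sudo and update are present'` reads correctly. A case with `['sudo', 'read']` asserting `canUpdate` is false would also cover the other half of the `&&` in the model. Neither hunk of this patch adds an import, so confirm that `SUDO_PATH_PREFIXES` is already imported at the top of the test file.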