Fixes #38731 - User taxonomy checks during permission checks

[adamruzicka]

TL;DR

Additionally perform resource organization and location checks inside Authorizer, to prevent the RBAC system from allowing users to see resources outside of their organizations and locations.

Background

Foreman currently has two mechanisms, which can be used to control what users can do - the permission system and user's orgnization/location membership. These two mechanisms were originally expected to work together. In Foreman, models come with a set of modules facilitating the plumbing between the model, user's taxonomies (Taxonomix) and the RBAC system (Authorizable) and a default scope. The default scope does two things - it sets up the scope in a way that honors current organization/location selection (coming from Taxonomix) as well as limiting the view to only organizations and locations of the current user. This is the usually followed by a call to .authorized(permission) (relying on Authorizable being included in the model), which loops in the RBAC system and further tightens what the user is allowed to do. While this approach nicely separates concerns, it can give misleading results if the two parts are used separately.

This changes the meaning of what user's membership in an organization or location means. Previously, this relationship only marked the user as a resource to be managed within that organization/location, just as subnets or domains are. With this change we would shift it from "a resource to me managed within the scope" to "an actor which manages other things within the scope".

Changes done here

Resource organization and location checks were added to the RBAC system. This makes the RBAC system (Authorizable, Authorizer and #authorized(permission)) one-stop solution for user permission checking.

From the user's point of view, this change should make dealing with permissions in Foreman more consistent as well as making it more intuitive by making organization and location membership set up firmer boundaries than it did previously.

This could also simplify certain workflows. Currently delegating control over a specific organization to a user involves cloning the default "Organization admin" role, setting organization on it, assigning the role to a user and assigning that user to that organization. After this change, this could be reduced to giving the user the default "Organization admin" role without cloning it and just assigning the user to the organization.

This should also benefit Katello, which in general omits the default scope and which scopes resources to organizations differently than Foreman.

"Steps to reproduce"-styled example

Vanilla Foreman

1. Have orgnizations org1 and org2
2. Create a user u
3. Assign the user to org1
4. Create domain d1 in org1
5. Create domain d2 in org2
6. Create a custom role, do not set any taxonomies on the role, add view_domains permission to it, assign it to the user
7. In rails console:

User.current = User.find_by(login: 'u')
::Domain.unscoped.authorized(:view_domains).map(&:name)

Actual results:
Both d1 and d2 domains are found.

Expected results:
Only d1 domain is found.

Note: On Foreman resources, there is a default scope that performs the organization and location scoping, hence the unscoped, but it is not part of authorization checks.

Katello-flavor

1. Have orgnizations org1 and org2
2. Create a user u
3. Assign the user to org1
4. Create product p1 in org1
5. Create product p2 in org2
6. Create a custom role, do not set any taxonomies on the role, add view_products permission to it, assign it to the user
7. In rails console:

User.current = User.find_by(login: 'u')
::Katello::Product.authorized(:view_products).map(&:name)

Actual results:
Both p1 and p2 products are found.

Expected results:
Only p1 product is found.

[ofedoren]

Is this a replacement for #10652?

[adamruzicka]

Is this a replacement for #10652?

No. 10652 outlines "when is page access allowed" vs "what is shown inside the page". 10652 focuses on the first problem, this PR tightens the second one.

[adamruzicka]

Looking at the katello test failures, it seems katello never really relied on the user being in the same org as the resources they manage. Now the question is whether that was the intent or if it is that way just because matching user's orgs to resource's orgs wasn't necessary.

[pondrejk]

Checked on stream + packit using the described reproducers, also with hammer:

~]# hammer domain list
---|---------------------------------
ID | NAME                            
---|---------------------------------
3  | o1 domain                       
2  | o2 domain                       
...
---|---------------------------------
[root@ip-10-0-168-113 ~]# hammer -u domain-viewer -p .. domain list
---|----------
ID | NAME     
---|----------
2  | o2 domain
---|----------

[pondrejk]

ack from user pov

[adamlazik1]

Question: Does the pipeline here automatically run with the test versions from the PR?

[adamlazik1]

Nitpick: one of these tests is probably enough because the form of the conjunction does not impact anything. Or alternatively both asserts can go into single test case.

[adamruzicka]

True, merged a couple and dropped some others.

[adamlazik1]

Nitpick no. 2: This assert could also go to the 'joins multiple parts' testcase

[adamlazik1]

Nitpick no. 3: probably redundant test.

[adamlazik1]

Probably doesn't matter, but couldn't we just return '(FALSE)'?

[adamruzicka]

Sadly not, scoped search would treat that just as a string.

[adamruzicka]

But yeah, this should be changed somehow. This might break in some cases

> ForemanTasks::Task.search_for("id = 1 and id != 1").count
ActiveRecord::StatementInvalid: PG::InvalidTextRepresentation: ERROR:  invalid input syntax for type uuid: "1"
LINE 1: ...asks_tasks" WHERE ((("foreman_tasks_tasks"."id" = '1') AND (...

[adamruzicka]

Changed

[adamlazik1]

This test appears to be a duplicate of test 'joins multiple parts with OR conjunction'

[adamlazik1]

Suggested change

	sub_loc = FactoryBot.create(:organization, parent_id: @loc2.id)
	sub_loc = FactoryBot.create(:location, parent_id: @loc2.id)

[adamlazik1]

These appear to be just QueryBuilder tests, unless I am mistaken.

[adamlazik1]

Suggested change

# ensure_selected_option_of_multiselect(@org1.name, select_id: 'domain_organization_ids')

Can this be deleted or is it kept here as a hint of sorts?

[adamruzicka]

Does the pipeline here automatically run with the test versions from the PR?

It does

[adamlazik1]

LGTM. The katello counterpart should be merged first so that the tests are green here.

[adamruzicka]

Oh come on katello tests, you were green just a moment ago on the other end

[adamlazik1]

I would like to rerun the tests but it appears I don't have permissions to do that.

[adamruzicka]

Finally green

[adamlazik1]

Thanks @adamruzicka! Feel free to merge as I am unable to do it myself.

[adamruzicka]

squashed to make the check happy