[WIP] Expose Insights permissions to Scalprum apps via ForemanContext

app/controllers/insights_cloud/ui_requests_controller.rb

@@ -18,6 +18,10 @@ def forward_request
           @organization,
           @location
         )
+      rescue ::Foreman::Exception => e
+        logger.warn("Permission denied for forwarding request: #{e}")
+        message = e.message
+        return render json: { message: message, error: message }, status: :forbidden
       rescue RestClient::Exceptions::Timeout => e
         response_obj = e.response.presence || e.exception
         return render json: { message: response_obj.to_s, error: response_obj.to_s }, status: :gateway_timeout

app/services/foreman_rh_cloud/insights_api_forwarder.rb

@@ -4,17 +4,125 @@ module ForemanRhCloud
   class InsightsApiForwarder
     include ForemanRhCloud::CertAuth
 
+    # Permission mapping for API paths:
+    #
+    # Foreman Permission   | Paths
+    # ---------------------|--------------------------------------------------
+    # view_vulnerability   | GET /api/inventory/v1/hosts(/*)
+    # view_vulnerability   | GET /api/vulnerability/v1/*
+    #                      | POST /api/vulnerability/v1/vulnerabilities/cves
+    # edit_vulnerability   | PATCH /api/vulnerability/v1/status
+    # edit_vulnerability   | PATCH /api/vulnerability/v1/cves/status
+    #                      | PATCH /api/vulnerability/v1/cves/business_risk
+    # edit_vulnerability   | PATCH /api/vulnerability/v1/systems/opt_out
+    #
+    # view_advisor         | GET /api/insights/v1/*
+    # edit_advisor         | POST /api/insights/v1/ack/
+    #                      | DELETE /api/insights/v1/ack/{rule_id}/
+    #                      | POST /api/insights/v1/hostack/
+    #                      | DELETE /api/insights/v1/hostack/{id}/
+    #                      | POST /api/insights/v1/rule/{rule_id}/unack_hosts/
+    #
     SCOPED_REQUESTS = [
-      { test: %r{api/vulnerability/v1/vulnerabilities/cves}, tag_name: :tags },
+      # Inventory hosts - requires view_vulnerability for GET
+      {
+        test: %r{api/inventory/v1/hosts(/.*)?$},
+        tag_name: :tags,
+        permissions: {
+          'GET' => :view_vulnerability,
+        },
+      },
+      # Vulnerability CVEs list - POST requires view_vulnerability (for filtering)
+      {
+        test: %r{api/vulnerability/v1/vulnerabilities/cves},
+        tag_name: :tags,
+        permissions: {
+          'POST' => :view_vulnerability,
+        },
+      },
+      # Vulnerability status - PATCH requires edit_vulnerability
+      {
+        test: %r{api/vulnerability/v1/status},
+        tag_name: :tags,
+        permissions: {
+          'PATCH' => :edit_vulnerability,
+        },
+      },
+      # CVE status - PATCH requires edit_vulnerability
+      {
+        test: %r{api/vulnerability/v1/cves/status},
+        tag_name: :tags,
+        permissions: {
+          'PATCH' => :edit_vulnerability,
+        },
+      },
+      # CVE business risk - PATCH requires edit_vulnerability
+      {
+        test: %r{api/vulnerability/v1/cves/business_risk},
+        tag_name: :tags,
+        permissions: {
+          'PATCH' => :edit_vulnerability,
+        },
+      },
+      # Systems opt out - PATCH requires edit_vulnerability
+      {
+        test: %r{api/vulnerability/v1/systems/opt_out},
+        tag_name: :tags,
+        permissions: {
+          'PATCH' => :edit_vulnerability,
+        },
+      },
+      # Other vulnerability endpoints (no specific permission enforcement, just tagging)
       { test: %r{api/vulnerability/v1/dashbar}, tag_name: :tags },
       { test: %r{api/vulnerability/v1/cves/[^/]+/affected_systems}, tag_name: :tags },
       { test: %r{api/vulnerability/v1/systems/[^/]+/cves}, tag_name: :tags },
-      { test: %r{api/insights/.*}, tag_name: :tags },
+      # Advisor ack endpoints - POST/DELETE require edit_advisor
+      {
+        test: %r{api/insights/v1/ack(/[^/]+)?$},
+        tag_name: :tags,
+        permissions: {
+          'POST' => :edit_advisor,
+          'DELETE' => :edit_advisor,
+        },
+      },
+      # Advisor hostack endpoints - POST/DELETE require edit_advisor
+      {
+        test: %r{api/insights/v1/hostack(/[^/]+)?$},
+        tag_name: :tags,
+        permissions: {
+          'POST' => :edit_advisor,
+          'DELETE' => :edit_advisor,
+        },
+      },
+      # Advisor rule unack_hosts - POST requires edit_advisor
+      {
+        test: %r{api/insights/v1/rule/[^/]+/unack_hosts},
+        tag_name: :tags,
+        permissions: {
+          'POST' => :edit_advisor,
+        },
+      },
+      # Other Advisor/Insights endpoints - GET requires view_advisor
+      {
+        test: %r{api/insights/v1/.*},
+        tag_name: :tags,
+        permissions: {
+          'GET' => :view_advisor,
+        },
+      },
+      # Other API endpoints (tagging only, no permission enforcement)
       { test: %r{api/inventory/.*}, tag_name: :tags },
       { test: %r{api/tasks/.*}, tag_name: :tags },
     ].freeze
 
     def forward_request(original_request, path, controller_name, user, organization, location)
+      # Check permissions before forwarding
+      permission = required_permission_for(path, original_request.request_method)
+      if permission && !user_has_permission?(user, permission)
+        logger.warn("User #{user.login} lacks permission #{permission} for #{original_request.request_method} #{path}")
+        raise ::Foreman::Exception.new(N_("You do not have permission to perform this action"))
+      end
+
       TagsAuth.new(user, organization, location, logger).update_tag if scope_request?(original_request, path)
 
       forward_params = prepare_forward_params(original_request, path, user: user, organization: organization, location: location).to_a
@@ -116,5 +224,29 @@ def http_user_agent(original_request)
     def logger
       Foreman::Logging.logger('app')
     end
+
+    # Returns the required permission for the given path and HTTP method
+    # @param path [String] The request path
+    # @param http_method [String] The HTTP method (GET, POST, etc.)
+    # @return [Symbol, nil] The required permission symbol or nil if no permission required
+    def required_permission_for(path, http_method)
+      request_pattern = SCOPED_REQUESTS.find { |pattern| pattern[:test].match?(path) }
+      return nil unless request_pattern
+
+      permissions = request_pattern[:permissions]
+      return nil unless permissions
+
+      permissions[http_method]
+    end
+
+    # Checks if the user has the specified permission
+    # @param user [User] The user to check
+    # @param permission [Symbol] The permission to check for
+    # @return [Boolean] true if user has permission, false otherwise
+    def user_has_permission?(user, permission)
+      return false unless user
+
+      user.can?(permission)
+    end
   end
 end

lib/foreman_rh_cloud/plugin.rb

@@ -71,9 +71,37 @@ def self.register
             :control_organization_insights,
             'insights_cloud/settings': [:set_org_parameter]
           )
+          # Insights Vulnerability permissions
+          permission(
+            :view_vulnerability,
+            {},
+            :resource_type => 'ForemanRhCloud'
+          )
+          permission(
+            :edit_vulnerability,
+            {},
+            :resource_type => 'ForemanRhCloud'
+          )
+          # Insights Advisor permissions
+          permission(
+            :view_advisor,
+            {},
+            :resource_type => 'ForemanRhCloud'
+          )
+          permission(
+            :edit_advisor,
+            {},
+            :resource_type => 'ForemanRhCloud'
+          )
         end
 
-        plugin_permissions = [:view_foreman_rh_cloud, :generate_foreman_rh_cloud, :view_insights_hits, :dispatch_cloud_requests, :control_organization_insights]
+        # Core RH Cloud permissions for inventory upload and sync
+        rh_cloud_permissions = [:view_foreman_rh_cloud, :generate_foreman_rh_cloud, :view_insights_hits, :dispatch_cloud_requests, :control_organization_insights]
+
+        # Insights application permissions (Vulnerability, Advisor)
+        insights_permissions = [:view_vulnerability, :edit_vulnerability, :view_advisor, :edit_advisor]
+
+        plugin_permissions = rh_cloud_permissions + insights_permissions
 
         role 'ForemanRhCloud', plugin_permissions, 'Role granting permissions to view the hosts inventory,
                                                     generate a report, upload it to the cloud and download it locally'
@@ -147,10 +175,19 @@ def self.register
           end
         end
 
+        # Register static plugin metadata for ForemanContext
+        # Accessible in frontend via useForemanContext().metadata?.foreman_rh_cloud
+        # NOTE: This is static (evaluated at boot), not per-user.
+        # For per-user permissions, see ApplicationHelperExtensions below.
         ::Foreman::Plugin.app_metadata_registry.register(:foreman_rh_cloud, {
           iop: ForemanRhCloud.with_iop_smart_proxy?,
         })
 
+        # Permissions are now handled via Foreman's native context-based permission system
+        # (PR #10338). The frontend hook useInsightsPermissions() reads Foreman permissions
+        # from context and converts them to Chrome API format for Scalprum apps.
+        # See: https://github.com/theforeman/foreman/blob/develop/developer_docs/handling_user_permissions.asciidoc
+
         extend_template_helpers ForemanRhCloud::TemplateRendererHelper
         allowed_template_helpers :remediations_playbook, :download_rh_playbook
       end