Fixes #37772 - Add guardrails to HostsController

app/controllers/katello/concerns/api/v2/hosts_controller_extensions.rb

@@ -41,6 +41,7 @@ def purpose_addon_params
           params[:host][:subscription_facet_attributes].delete(:purpose_addons)
         end
 
+        # rubocop:disable Metrics/CyclomaticComplexity
         def set_content_view_environments
           content_facet_attributes = params.dig(:host, :content_facet_attributes)
           return if content_facet_attributes.blank? || @host&.content_facet.blank? ||
@@ -54,15 +55,19 @@ def set_content_view_environments
             new_cves = environment_names.map do |name|
               ::Katello::ContentViewEnvironment.with_candlepin_name(name, organization: @host.organization)
             end
+            fail "No content view environments found with names: #{environment_names}" if new_cves.compact.empty?
           end
           if cve_params[:content_view_environment_ids].present?
             new_cves = cve_params[:content_view_environment_ids].map do |id|
               ::Katello::ContentViewEnvironment.find_by(id: id)
             end
+            fail "No content view environments found with ids: #{cve_params[:content_view_environment_ids]}" if new_cves.compact.empty?
           end
+          new_cves.compact!
 
-          @host.content_facet.content_view_environments = new_cves.compact if new_cves.present?
+          @host.content_facet.content_view_environments = new_cves if new_cves.present?
         end
+        # rubocop:enable Metrics/CyclomaticComplexity
 
         def cve_params
           params.require(:host).require(:content_facet_attributes).permit(:content_view_id, :lifecycle_environment_id, content_view_environments: [], content_view_environment_ids: [])

test/controllers/api/v2/hosts_controller_test.rb

@@ -145,6 +145,54 @@ def test_host_update_with_cv_only
     assert_response 422
   end
 
+  def test_set_content_view_environments_with_valid_content_view_environs_param
+    host = FactoryBot.create(:host, :with_content, :with_subscription,
+                              :content_view => @content_view, :lifecycle_environment => @environment)
+    put :update, params: {
+      :id => host.id,
+      :content_facet_attributes => {
+        :content_view_environments => "Library"
+      }
+    }, session: set_session_user
+    assert_response :success
+  end
+
+  def test_set_content_view_environments_with_valid_ids_param
+    host = FactoryBot.create(:host, :with_content, :with_subscription,
+                              :content_view => @content_view, :lifecycle_environment => @environment)
+    put :update, params: {
+      :id => host.id,
+      :content_facet_attributes => {
+        :content_view_environment_ids => @cv2.content_view_environments.first.id
+      }
+    }, session: set_session_user
+    assert_response
+  end
+
+  def test_set_content_view_environments_with_invalid_ids_param
+    host = FactoryBot.create(:host, :with_content, :with_subscription,
+                              :content_view => @content_view, :lifecycle_environment => @environment)
+    put :update, params: {
+      :id => host.id,
+      :content_facet_attributes => {
+        :content_view_environment_ids => "invalid string"
+      }
+    }, session: set_session_user
+    assert_response 422
+  end
+
+  def test_set_content_view_environments_with_invalid_content_view_environs_param
+    host = FactoryBot.create(:host, :with_content, :with_subscription,
+                              :content_view => @content_view, :lifecycle_environment => @environment)
+    put :update, params: {
+      :id => host.id,
+      :content_facet_attributes => {
+        :content_view_environments => "invalid string"
+      }
+    }, session: set_session_user
+    assert_response 422
+  end
+
   def test_host_update_with_invalid_env
     host = FactoryBot.create(:host, :with_content, :with_subscription,
                               :content_view => @content_view, :lifecycle_environment => @environment)