From 3aedac32014347fcefcf8b14b677b007b58be429 Mon Sep 17 00:00:00 2001
From: Abin Simon
Date: Mon, 14 Mar 2022 11:47:03 +0530
Subject: [PATCH] Fix scope for roles

This might not really be necessary but a good check
---
 pkg/service/role.go | 11 ++++++++++-
 pkg/service/role_test.go | 10 +++++-----
 pkg/service/utils.go | 9 +++++++++
 scripts/resourceroles/initialize.go | 2 +-
 4 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/pkg/service/role.go b/pkg/service/role.go
index 4d767ce..9ae4023 100644
--- a/pkg/service/role.go
+++ b/pkg/service/role.go
@@ -3,6 +3,7 @@ package service
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/RafaySystems/rcloud-base/internal/dao"
@@ -138,6 +139,14 @@ func (s *roleService) Create(ctx context.Context, role *rolev3.Role) (*rolev3.Ro
 		return nil, fmt.Errorf("role '%v' already exists", role.GetMetadata().GetName())
 	}
 
+	scope := role.GetSpec().GetScope()
+	// since this is purely additional metadata at this point, we
+	// can kinda treat it as optional, and so we are allowing empty
+	// TODO: check if "" is valid
+	if !contains([]string{"system", "organization", "project", ""}, strings.ToLower(scope)) {
+		return nil, fmt.Errorf("unknown scope '%v'", scope)
+	}
+
 	// convert v3 spec to internal models
 	rle := models.Role{
 		Name: role.GetMetadata().GetName(),
@@ -148,7 +157,7 @@ func (s *roleService) Create(ctx context.Context, role *rolev3.Role) (*rolev3.Ro
 		OrganizationId: organizationId,
 		PartnerId: partnerId,
 		IsGlobal: role.GetSpec().GetIsGlobal(),
-		Scope: role.GetSpec().GetScope(), // TODO: validate scope is SYSTEM/ORG/PROJECT?
+		Scope: strings.ToLower(scope),
 	}
 	entity, err := s.dao.Create(ctx, &rle)
 	if err != nil {
diff --git a/pkg/service/role_test.go b/pkg/service/role_test.go
index 62f84a6..ea1e9d9 100644
--- a/pkg/service/role_test.go
+++ b/pkg/service/role_test.go
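Review bot: The allow-list in the new check `if !contains([]string{"system", "organization", "project", ""}, strings.ToLower(scope))` is a literal local to Create, so the Update path — which the role_test.go hunk shows also persists `"scope"` — is presumably still free to store any value, and the two paths will drift the moment the list changes. Hoisting it to a package-level `var validScopes = []string{"system", "organization", "project", ""}` with a doc comment lets Update (outside this diff) apply the same check. The `""` entry is left as a TODO while the code already relies on it; either resolve it or reword the comment to state that an empty scope is accepted on purpose, so the next reader does not treat it as an oversight. Using `fmt.Errorf("unknown scope %q", scope)` would also make an empty or whitespace-only input visible in the returned error, which `'%v'` hides. Create's body begins and ends outside these hunks.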
@@ -71,7 +71,7 @@ func TestCreateRole(t *testing.T) {
 
 	role := &rolev3.Role{
 		Metadata: &v3.Metadata{Partner: "partner-" + puuid, Organization: "org-" + ouuid, Name: "role-" + ruuid},
-		Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "cluster"},
+		Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "system"},
 	}
 	role, err := rs.Create(context.Background(), role)
 	if err != nil {
@@ -107,7 +107,7 @@ func TestCreateRoleWithPermissions(t *testing.T) {
 
 	role := &rolev3.Role{
 		Metadata: &v3.Metadata{Partner: "partner-" + puuid, Organization: "org-" + ouuid, Name: "role-" + ruuid},
-		Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "cluster", Rolepermissions: []string{"ops_star.all"}},
+		Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "system", Rolepermissions: []string{"ops_star.all"}},
 	}
 	role, err := rs.Create(context.Background(), role)
 	if err != nil {
@@ -141,7 +141,7 @@ func TestCreateRoleDuplicate(t *testing.T) {
 
 	role := &rolev3.Role{
 		Metadata: &v3.Metadata{Partner: "partner-" + puuid, Organization: "org-" + ouuid, Name: "role-" + ruuid},
-		Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "cluster"},
+		Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "system"},
 	}
 	_, err := rs.Create(context.Background(), role)
 	if err == nil {
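Review bot: Changing every fixture from `Scope: "cluster"` to `Scope: "system"` leaves the rejection branch this commit adds to roleService.Create without a test; none of the updated cases asserts that an unknown scope is refused or that a mixed-case value such as `"SYSTEM"` is stored lowercased. Keeping one case with `Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "cluster"}` and asserting `err != nil` before any insert is expected on the mock would pin the new behavior; a second case with `Scope: "SYSTEM"` expecting `"scope" = 'system'` in the INSERT would cover the normalization. The same gap applies to the TestCreateRoleWithPermissions and TestCreateRoleDuplicate hunks here and to the TestUpdateRole hunks that follow. The enclosing test functions start outside these hunks.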
@@ -168,7 +168,7 @@ func TestUpdateRole(t *testing.T) {
 
 	mock.ExpectQuery(`SELECT "resourcerole"."id", "resourcerole"."name", .*FROM "authsrv_resourcerole" AS "resourcerole" WHERE .organization_id = '` + ouuid + `'. AND .partner_id = '` + puuid + `'. AND .name = 'role-` + ruuid + `'.`).
 		WithArgs().WillReturnRows(sqlmock.NewRows([]string{"id", "name", "organization_id", "partner_id"}).AddRow(ruuid, "role-"+ruuid, ouuid, puuid))
-	mock.ExpectExec(`UPDATE "authsrv_resourcerole" AS "resourcerole" SET "name" = 'role-` + ruuid + `', .*"organization_id" = '` + ouuid + `', "partner_id" = '` + puuid + `', "is_global" = TRUE, "scope" = 'cluster' WHERE .id = '` + ruuid + `'.`).
+	mock.ExpectExec(`UPDATE "authsrv_resourcerole" AS "resourcerole" SET "name" = 'role-` + ruuid + `', .*"organization_id" = '` + ouuid + `', "partner_id" = '` + puuid + `', "is_global" = TRUE, "scope" = 'system' WHERE .id = '` + ruuid + `'.`).
 		WillReturnResult(sqlmock.NewResult(1, 1))
 	mock.ExpectExec(`DELETE FROM "authsrv_resourcerolepermission" AS "resourcerolepermission" WHERE ."resource_role_id" = '` + ruuid + `'.`).
 		WillReturnResult(sqlmock.NewResult(1, 1))
@@ -180,7 +180,7 @@ func TestUpdateRole(t *testing.T) {
 
 	role := &rolev3.Role{
 		Metadata: &v3.Metadata{Partner: "partner-" + puuid, Organization: "org-" + ouuid, Name: "role-" + ruuid},
-		Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "cluster", Rolepermissions: []string{"ops_star.all"}},
+		Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "system", Rolepermissions: []string{"ops_star.all"}},
 	}
 	role, err := rs.Update(context.Background(), role)
 	if err != nil {
diff --git a/pkg/service/utils.go b/pkg/service/utils.go
index e08dbcd..55ce70e 100644
--- a/pkg/service/utils.go
+++ b/pkg/service/utils.go
@@ -11,3 +11,12 @@ func unique(items []string) []string {
 	}
 	return list
 }
+
+func contains(s []string, str string) bool {
+	for _, v := range s {
+		if v == str {
+			return true
+		}
+	}
+	return false
+}
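Review bot: The new `contains` helper in utils.go lands without a doc comment, and its exact `v == str` comparison is a contract callers need to know about, since Create relies on lowercasing the input first. A one-liner above the declaration, `// contains reports whether str is an element of s; the match is exact, so callers normalize case beforehand.`, states both. The helper is complete within the hunk, so nothing else is needed here.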
diff --git a/scripts/resourceroles/initialize.go b/scripts/resourceroles/initialize.go
index d32fa8d..5440660 100644
--- a/scripts/resourceroles/initialize.go
+++ b/scripts/resourceroles/initialize.go
@@ -91,7 +91,7 @@ func main() {
 		fmt.Println(scope, name, len(perms))
 		_, err := rs.Create(context.Background(), &rolev3.Role{
 			Metadata: &commonv3.Metadata{Name: name, Partner: partner, Organization: org, Description: "..."},
-			Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: "cluster", Rolepermissions: perms}, // TODO: look into scope
+			Spec: &rolev3.RoleSpec{IsGlobal: true, Scope: scope, Rolepermissions: perms},
 		})
 		if err != nil {
 			log.Fatal(err)