From 101c0053124b1341356915241730cca7ceb707f5 Mon Sep 17 00:00:00 2001
From: niravparikh05
Date: Tue, 26 Apr 2022 19:56:36 +0530
Subject: [PATCH 1/2] fixes for permissions and user group assoc
---
 internal/dao/common.go | 1 +
 pkg/service/user.go | 5 ++++-
 scripts/initialize/permissions/base/role_read.json | 6 +++---
 scripts/initialize/permissions/base/role_write.json | 6 +++---
 scripts/initialize/roles/ztka/roles.json | 3 +++
 5 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/internal/dao/common.go b/internal/dao/common.go
index 58bf7f0..e3b6597 100644
--- a/internal/dao/common.go
+++ b/internal/dao/common.go
@@ -244,6 +244,7 @@ func ListFiltered(ctx context.Context, db bun.IDB,
 if organizationId.Valid {
 sq = sq.Where("organization_id = ?", organizationId)
 }
+ sq = sq.Where("trash = ?", false)
 if orderBy != "" && order != "" {
 sq.Order(orderBy + " " + order)
 }
diff --git a/pkg/service/user.go b/pkg/service/user.go
index aea29c5..3b6521e 100644
--- a/pkg/service/user.go
+++ b/pkg/service/user.go
@@ -114,6 +114,10 @@ func (s *userService) createUserRoleRelations(ctx context.Context, db bun.IDB, u
 var ps []*authzv1.Policy
 var rids []uuid.UUID
 for _, pnr := range projectNamespaceRoles {
+ //if this is derived from group, do not persist a direct project resource role assoc
+ if len(pnr.GetGroup()) > 0 {
+ continue
+ }
 role := pnr.GetRole()
 entity, err := dao.GetByName(ctx, db, role, &models.Role{})
 if err != nil {
@@ -400,7 +404,6 @@ func (s *userService) identitiesModelToUser(ctx context.Context, db bun.IDB, use
 return &userv3.User{}, err
 }
 roles = append(roles, allAssociatedRoles...)
-
 user.ApiVersion = apiVersion
 user.Kind = userKind
 user.Metadata = &v3.Metadata{
diff --git a/scripts/initialize/permissions/base/role_read.json b/scripts/initialize/permissions/base/role_read.json
index e1a4266..9064545 100644
--- a/scripts/initialize/permissions/base/role_read.json
+++ b/scripts/initialize/permissions/base/role_read.json
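Review bot: In `ListFiltered` (internal/dao/common.go) the added `sq.Where("trash = ?", false)` applies to every model that goes through this shared helper, and nothing visible in the hunk shows that each of those tables has a `trash` column. If a listed model lacks the column the query fails for that resource, and if the column is nullable, rows holding NULL are silently excluded. A short comment stating the invariant would help, e.g. `// every model listed through ListFiltered must carry a non-null trash flag (soft delete)`. The function body starts and ends outside the hunk.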
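Review bot: In `createUserRoleRelations` (pkg/service/user.go) the new `continue` treats a non-empty `pnr.GetGroup()` as proof that the entry is group-derived, but the hunk does not check that the named group exists or that the user belongs to it. If `projectNamespaceRoles` is taken from the request body (it looks that way; confirm against the caller), an entry with a stray group value is dropped silently while the call still succeeds, so the stored role bindings differ from what the caller sent. Consider validating the group before skipping, or at least recording the skip. The comment would read better as `// Group-derived roles are resolved through the group; do not persist a direct user-role association for them.` The loop body continues outside the hunk.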
@@ -2,20 +2,20 @@
 "name": "role.read",
 "resource_urls": [
 {
- "url": "",
+ "url": "/roles",
 "methods": [
 "GET"
 ]
 },
 {
- "url": "/:metadata.name",
+ "url": "/role/:metadata.name",
 "methods": [
 "GET"
 ]
 }
 ],
 "resource_action_urls": [],
- "base_url": "/auth/v3/partner/:metadata.partner/organization/:metadata.organization/roles",
+ "base_url": "/auth/v3/partner/:metadata.partner/organization/:metadata.organization",
 "description": "view roles.",
 "authenticated": true,
 "scope": "ORGANIZATION"
diff --git a/scripts/initialize/permissions/base/role_write.json b/scripts/initialize/permissions/base/role_write.json
index 1dc0ab3..f3c73a7 100644
--- a/scripts/initialize/permissions/base/role_write.json
+++ b/scripts/initialize/permissions/base/role_write.json
@@ -2,13 +2,13 @@
 "name": "role.write",
 "resource_urls": [
 {
- "url": "",
+ "url": "/roles",
 "methods": [
 "POST"
 ]
 },
 {
- "url": "/:metadata.name",
+ "url": "/role/:metadata.name",
 "methods": [
 "PUT",
 "DELETE"
@@ -16,7 +16,7 @@
 }
 ],
 "resource_action_urls": [],
- "base_url": "/auth/v3/partner/:metadata.partner/organization/:metadata.organization/roles",
+ "base_url": "/auth/v3/partner/:metadata.partner/organization/:metadata.organization",
 "description": "create, manage roles.",
 "authenticated": true,
 "scope": "ORGANIZATION"
diff --git a/scripts/initialize/roles/ztka/roles.json b/scripts/initialize/roles/ztka/roles.json
index 8f84747..1c7fa7f 100644
--- a/scripts/initialize/roles/ztka/roles.json
+++ b/scripts/initialize/roles/ztka/roles.json
@@ -68,6 +68,7 @@
 "PROJECT_ADMIN": [
 "console.all",
 "partner.read",
+ "organization.read",
 "project.admin.write",
 "project.auditLog.read",
 "project.relayAudit.read",
@@ -84,6 +85,7 @@
 "PROJECT_READ_ONLY": [
 "console.all",
 "partner.read",
+ "organization.read",
 "project.read",
 "project.auditLog.read",
 "project.relayAudit.read",
@@ -97,6 +99,7 @@
 "CLUSTER_ADMIN": [
 "console.all",
 "partner.read",
+ "organization.read",
 "project.read",
 "project.auditLog.read",
 "project.relayAudit.read",
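Review bot: In role_read.json the permission's `base_url` now stops at `.../organization/:metadata.organization` and the role-specific part moves into `resource_urls` (`/roles` and `/role/:metadata.name`); role_write.json makes the same change in both of its hunks. These strings are presumably what the authorization layer matches requests against, so they must agree exactly with the routes the service registers: a mismatch between singular `/role/` and plural `/roles` either blocks legitimate calls or leaves the real route without a matching permission. The route definitions are not in this patch, so please confirm them. Also confirm that the matcher compares `base_url` plus `url` as a full path and never treats the shorter `base_url` as a prefix, since as a prefix it would now cover every organization-level endpoint.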
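Review bot: Adding `organization.read` to `PROJECT_ADMIN`, `PROJECT_READ_ONLY` and `CLUSTER_ADMIN` (all three hunks in roles.json) gives project- and cluster-scoped roles a permission that, by its name, is organization-scoped. The definition of `organization.read` is not in this patch, so check which endpoints it covers and whether they return organization-wide data that a project-scoped user should not see. If these roles only need the organization record itself, a narrower permission would keep them closer to least privilege.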
From 33f3d9337b87b1c2bdf73278b520f2fc725bdfc2 Mon Sep 17 00:00:00 2001
From: niravparikh05
Date: Tue, 26 Apr 2022 21:31:13 +0530
Subject: [PATCH 2/2] test case to be fixed
---
 internal/dao/common.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/internal/dao/common.go b/internal/dao/common.go
index e3b6597..e20e8f7 100644
--- a/internal/dao/common.go
+++ b/internal/dao/common.go
@@ -244,7 +244,8 @@ func ListFiltered(ctx context.Context, db bun.IDB,
 if organizationId.Valid {
 sq = sq.Where("organization_id = ?", organizationId)
 }
- sq = sq.Where("trash = ?", false)
+ //TODO: to be uncommented after fixing the test case
+ //sq = sq.Where("trash = ?", false)
 if orderBy != "" && order != "" {
 sq.Order(orderBy + " " + order)
 }
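Review bot: Commenting out `sq.Where("trash = ?", false)` in `ListFiltered` means list calls again return rows flagged as trash, so soft-deleted entities can reappear in whatever listings go through this helper (presumably roles, groups and users; confirm against the callers). For an authorization service that is an access-control regression rather than a cosmetic one. Disabling the production filter to get a test passing inverts the usual order; the test fixture or mock expectation should be updated to include the `trash` predicate instead. If the revert has to ship, replace the commented-out code with a tracked marker such as `// TODO(<issue-id>): restore the trash = false filter once the ListFiltered test expects it`. The function body starts and ends outside the hunk.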