From 54eb0fe977f6db0c7c1bbfe5e3da346b5bf899c9 Mon Sep 17 00:00:00 2001
From: Mattias Jiderhamn
Date: Wed, 19 May 2021 08:55:30 +0200
Subject: [PATCH] Introduce execute verb for check #3458
---
 api/core/v2/rbac.go | 1 +
 api/core/v2/rbac.pb.go | 2 +-
 api/core/v2/rbac.proto | 2 +-
 api/core/v2/rbac_test.go | 2 +-
 backend/api/check.go | 13 ++++++++++++-
 backend/api/check_test.go | 2 +-
 backend/apid/graphql/schema/rbac.graphql | 2 +-
 7 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/api/core/v2/rbac.go b/api/core/v2/rbac.go
index 78a3dfc82c..365ab3c6cd 100644
--- a/api/core/v2/rbac.go
+++ b/api/core/v2/rbac.go
@@ -65,6 +65,7 @@ var allowedVerbs = []string{
 "create",
 "update",
 "delete",
+ "execute",
 }
 // FixtureSubject creates a Subject for testing
diff --git a/api/core/v2/rbac.pb.go b/api/core/v2/rbac.pb.go
index 07243bfab4..52acae79e9 100644
--- a/api/core/v2/rbac.pb.go
+++ b/api/core/v2/rbac.pb.go
@@ -29,7 +29,7 @@ const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package
 type Rule struct {
 // Verbs is a list of verbs that apply to all of the listed resources for
 // this rule. These include "get", "list", "watch", "create", "update",
- // "delete".
+ // "delete", "execute".
 // TODO: add support for "patch" (this is expensive and should be delayed
 // until a further release). TODO: add support for "watch" (via websockets)
 Verbs []string `protobuf:"bytes,1,rep,name=verbs,proto3" json:"verbs"`
diff --git a/api/core/v2/rbac.proto b/api/core/v2/rbac.proto
index b63c33e077..1c68b4da41 100644
--- a/api/core/v2/rbac.proto
+++ b/api/core/v2/rbac.proto
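Review bot: Adding `"execute"` to allowedVerbs makes the verb validate in a Rule for every resource, while the only code path in this patch that consults it is the checks execute path in backend/api/check.go; a rule granting `execute` on some other resource will pass validation but never match anything. If verb validation is meant to stay resource-agnostic, a comment beside the new entry such as `// "execute" is currently only honoured for the "checks" resource (see backend/api/check.go)` would tell role authors what it does. The switch in check.go from the `create` attribute to `execute` also means any existing role that lists `create` explicitly for checks, rather than a wildcard if one is supported, stops authorizing adhoc execution once this ships, which is worth stating in the commit message and release notes. The allowedVerbs slice starts before the hunk, so I cannot see whether a wildcard entry exists.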
@@ -17,7 +17,7 @@ option (gogoproto.testgen_all) = true;
 message Rule {
 // Verbs is a list of verbs that apply to all of the listed resources for
 // this rule. These include "get", "list", "watch", "create", "update",
- // "delete".
+ // "delete", "execute".
 // TODO: add support for "patch" (this is expensive and should be delayed
 // until a further release). TODO: add support for "watch" (via websockets)
 repeated string verbs = 1 [ (gogoproto.jsontag) = "verbs" ];
diff --git a/api/core/v2/rbac_test.go b/api/core/v2/rbac_test.go
index accc4e3aff..10465608e4 100644
--- a/api/core/v2/rbac_test.go
+++ b/api/core/v2/rbac_test.go
@@ -156,7 +156,7 @@ func Test_validateVerbs(t *testing.T) {
 },
 {
 name: "explicit verbs",
- verbs: []string{"get", "list", "create", "update", "delete"},
+ verbs: []string{"get", "list", "create", "update", "delete", "execute"},
 wantErr: false,
 },
 }
diff --git a/backend/api/check.go b/backend/api/check.go
index f6090bc330..6167d655f4 100644
--- a/backend/api/check.go
+++ b/backend/api/check.go
@@ -59,7 +59,7 @@ func (c *CheckClient) DeleteCheck(ctx context.Context, name string) error {
 // ExecuteCheck queues an ahoc check request, if authorized.
 func (c *CheckClient) ExecuteCheck(ctx context.Context, name string, req *corev2.AdhocRequest) error {
- attrs := checkCreateAttributes(ctx, name)
+ attrs := checkExecuteAttributes(ctx, name)
 if err := authorize(ctx, c.auth, attrs); err != nil {
 return err
 }
@@ -141,3 +141,14 @@ func checkDeleteAttributes(ctx context.Context, name string) *authorization.Attr
 ResourceName: name,
 }
 }
+
+func checkExecuteAttributes(ctx context.Context, name string) *authorization.Attributes {
+ return &authorization.Attributes{
+ APIGroup: "core",
+ APIVersion: "v2",
+ Namespace: corev2.ContextNamespace(ctx),
+ Resource: "checks",
+ Verb: "execute",
+ ResourceName: name,
+ }
+}
diff --git a/backend/api/check_test.go b/backend/api/check_test.go
index 84468ced2f..dc4e58df9a 100644
--- a/backend/api/check_test.go
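Review bot: checkExecuteAttributes in the second check.go hunk is another copy of the literal that checkDeleteAttributes (visible just above it) builds, differing only in the Verb field; a single helper taking the verb as a parameter, with checkExecuteAttributes reduced to a one-line wrapper over it, would keep the APIGroup/APIVersion/Resource constants in one place so a future verb cannot drift from the others. The string `"execute"` is now spelled independently in allowedVerbs (api/core/v2/rbac.go), here, and in the test; a named constant exported from corev2 next to allowedVerbs would tie the three together. While touching ExecuteCheck in the first hunk, the context line's doc comment still misspells the request type; `// ExecuteCheck queues an adhoc check request, if authorized.` fixes it. The body of ExecuteCheck continues beyond the first hunk.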
+++ b/backend/api/check_test.go
@@ -794,7 +794,7 @@ func TestExecuteCheck(t *testing.T) {
 Resource: "checks",
 ResourceName: "default",
 UserName: "legit",
- Verb: "create",
+ Verb: "execute",
 }: true,
 },
 }
diff --git a/backend/apid/graphql/schema/rbac.graphql b/backend/apid/graphql/schema/rbac.graphql
index e51c6ddd15..2b513cc6ae 100644
--- a/backend/apid/graphql/schema/rbac.graphql
+++ b/backend/apid/graphql/schema/rbac.graphql
@@ -4,7 +4,7 @@ Rule holds information that describes an action that can be taken
 type Rule {
 """
 Verbs is a list of verbs that apply to all of the listed resources for this
- rule. These include "get", "list", "watch", "create", "update", "delete".
+ rule. These include "get", "list", "watch", "create", "update", "delete", "execute".
 TODO: add support for "patch" (this is expensive and should be delayed
 until a further release). TODO: add support for "watch" (via websockets)
 """
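Review bot: The TestExecuteCheck change only swaps the verb the stub authorizer accepts from `create` to `execute`, so it shows the new verb is consulted but not that the old one is no longer sufficient; since this commit turns a `create`-only grant on checks into a denial for adhoc execution, a second case whose authorizer map holds only the `create` attributes and expects ExecuteCheck to return the authorization error would pin that tightening. The table setup for TestExecuteCheck starts before the hunk, so the exact shape of such a case cannot be confirmed from here.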