🐛 Fix analyses RBAC. (#472)

Fix RBAC for: - /analyses - _This is the primary endpoint for analyses_ - /applications/:id/analyses endpoints - _This is the analyses subresource under applications_. Roles: - Addon: CRUD for: - /applications/:id/analyses - Admin, Architect: CRUD for: - /analyses - /applications/:id/analyses - Migrator, Project-Manager: Read-Only, - /analyses - /applications/:id/analyses --------- Signed-off-by: Jeff Ortel <jortel@redhat.com>
konveyor · Aug 10, 2023 · f18f21c · f18f21c
1 parent f9552d7
commit f18f21c
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 5 deletions.
diff --git a/api/analysis.go b/api/analysis.go
@@ -54,23 +54,24 @@ type AnalysisHandler struct {
 //
 // AddRoutes adds routes.
 func (h AnalysisHandler) AddRoutes(e *gin.Engine) {
+	// Primary
 	routeGroup := e.Group("/")
-	routeGroup.Use(Required("application"))
-	//
+	routeGroup.Use(Required("analyses"))
 	routeGroup.GET(AnalysisRoot, h.Get)
 	routeGroup.DELETE(AnalysisRoot, h.Delete)
 	routeGroup.GET(AnalysesDepsRoot, h.Deps)
 	routeGroup.GET(AnalysesIssuesRoot, h.Issues)
 	routeGroup.GET(AnalysesIssueRoot, h.Issue)
 	routeGroup.GET(AnalysisIncidentsRoot, h.Incidents)
-	//
 	routeGroup.GET(AnalysisReportRuleRoot, h.RuleReports)
 	routeGroup.GET(AnalysisReportAppsIssuesRoot, h.AppIssueReports)
 	routeGroup.GET(AnalysisReportIssuesAppsRoot, h.IssueAppReports)
 	routeGroup.GET(AnalysisReportFileRoot, h.FileReports)
 	routeGroup.GET(AnalysisReportDepsRoot, h.DepReports)
 	routeGroup.GET(AnalysisReportDepsAppsRoot, h.DepAppReports)
-	//
+	// Application
+	routeGroup = e.Group("/")
+	routeGroup.Use(Required("applications.analyses"))
 	routeGroup.POST(AppAnalysesRoot, h.AppCreate)
 	routeGroup.GET(AppAnalysesRoot, h.AppList)
 	routeGroup.GET(AppAnalysisRoot, h.AppLatest)

diff --git a/auth/role.go b/auth/role.go
@@ -18,6 +18,7 @@ var AddonRole = []string{
 	"applications.tags:*",
 	"applications.facts:*",
 	"applications.bucket:*",
+	"applications.analyses:*",
 	"identities:get",
 	"identities:decrypt",
 	"proxies:get",

diff --git a/auth/roles.yaml b/auth/roles.yaml
@@ -33,6 +33,12 @@
         - get
         - post
         - put
+    - name: applications.analyses
+      verbs:
+        - delete
+        - get
+        - post
+        - put
     - name: applications.stakeholders
       verbs:
         - put
@@ -173,6 +179,12 @@
         - get
         - post
         - put
+    - name: analyses
+      verbs:
+        - delete
+        - get
+        - post
+        - put
 - role: tackle-architect
   resources:
     - name: addons
@@ -208,6 +220,12 @@
         - get
         - post
         - put
+    - name: applications.analyses
+      verbs:
+        - delete
+        - get
+        - post
+        - put
     - name: applications.stakeholders
       verbs:
         - put
@@ -335,6 +353,12 @@
         - get
         - post
         - put
+    - name: analyses
+      verbs:
+        - delete
+        - get
+        - post
+        - put
 - role: tackle-migrator
   resources:
     - name: addons
@@ -355,6 +379,9 @@
     - name: applications.bucket
       verbs:
         - get
+    - name: applications.analyses
+      verbs:
+        - get
     - name: assessments
       verbs:
         - get
@@ -436,6 +463,9 @@
     - name: targets
       verb:
         - get
+    - name: analyses
+      verbs:
+        - get
 - role: tackle-project-manager
   resources:
     - name: addons
@@ -456,6 +486,9 @@
     - name: applications.bucket
       verbs:
         - get
+    - name: applications.analyses
+      verbs:
+        - get
     - name: applications.stakeholders
       verbs:
         - put
@@ -530,4 +563,7 @@
         - put
     - name: targets
       verbs:
-        - get
+        - get
+    - name: analyses
+      verbs:
+        - get