tenancy updates in api

Author: davidqhr

api/errors/handler.go

@@ -22,9 +22,20 @@ type ErrDetail struct {
 	Message string `json:"message"`
 }
 
+type ErrorWithCode interface {
+	error
+	Status() string
+	StatusCode() int
+}
+
 func CustomHTTPErrorHandler(err error, c echo.Context) {
 	log.Debug("return error message to client", zap.Error(err))
 
+	if errWithCode, ok := err.(ErrorWithCode); ok {
+		 c.JSON(errWithCode.StatusCode(), &ErrorRes{Status: errWithCode.Status(), Message: errWithCode.Error()})
+		 return
+	}
+
 	statusError, ok := err.(*errors.StatusError)
 	if ok && statusError.Status().Code > 0 {
 		c.JSON(int(statusError.ErrStatus.Code), &ErrorRes{Status: statusError.ErrStatus.Status, Message: statusError.ErrStatus.Message})

api/go.mod

@@ -5,7 +5,6 @@ go 1.15
 require (
 	github.com/casbin/casbin/v2 v2.11.2
 	github.com/coreos/go-oidc v2.2.1+incompatible
-	github.com/davecgh/go-spew v1.1.1
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/go-openapi/runtime v0.19.20 // indirect
 	github.com/go-openapi/spec v0.19.9 // indirect
@@ -20,7 +19,6 @@ require (
 	github.com/kalmhq/kalm/controller v0.0.0-20200722131031-2336d7eaf4c9
 	github.com/labstack/echo/v4 v4.1.17
 	github.com/mattn/go-sqlite3 v2.0.3+incompatible
-	github.com/opencontainers/image-spec v1.0.1 // indirect
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
 	github.com/stretchr/testify v1.6.1
 	github.com/urfave/cli/v2 v2.2.0

api/go.sum

@@ -538,6 +538,7 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGi
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.3 h1:CE8S1cTafDpPvMhIxNJKvHsGVBgn1xWYf1NbHQhywc8=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
@@ -548,9 +549,6 @@ github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/labstack/echo v1.4.4 h1:1bEiBNeGSUKxcPDGfZ/7IgdhJJZx8wV/pICJh4W2NJI=
-github.com/labstack/echo v3.3.10+incompatible h1:pGRcYk231ExFAyoAjAfD85kQzRJCRI8bbnE7CX5OEgg=
-github.com/labstack/echo v3.3.10+incompatible/go.mod h1:0INS7j/VjnFxD4E2wkz67b8cVwCLbBmJyDaka6Cmk1s=
 github.com/labstack/echo/v4 v4.1.17 h1:PQIBaRplyRy3OjwILGkPg89JRtH2x5bssi59G2EL3fo=
 github.com/labstack/echo/v4 v4.1.17/go.mod h1:Tn2yRQL/UclUalpb5rPdXDevbkJ+lp/2svdyFBg6CHQ=
 github.com/labstack/gommon v0.3.0 h1:JEeO0bvc78PKdyHxloTKiF8BD5iGrH8T6MSeGvSgob0=
@@ -913,6 +911,7 @@ golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCc
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20170915142106-8351a756f30f/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1066,6 +1065,7 @@ golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f h1:kDxGY2VmgABOe55qheT/TFqUMtcTHnomIPS1iv3G4Ms=
 golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200616133436-c1934b75d054 h1:HHeAlu5H9b71C+Fx0K+1dGgVFN1DM1/wz4aoGOA5qS8=
 golang.org/x/tools v0.0.0-20200616133436-c1934b75d054/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

api/handler/access_token.go

@@ -48,9 +48,7 @@ func (h *ApiHandler) handleCreateAccessToken(c echo.Context) error {
 	accessToken.Name = v1alpha1.GetAccessTokenNameFromToken(accessToken.Token)
 	accessToken.Tenant = currentUser.Tenant
 
-	if !h.clientManager.CanEdit(currentUser, currentUser.Tenant+"/*", "accessTokens/*") {
-		return resources.InsufficientPermissionsError
-	}
+	h.MustCanEdit(currentUser, currentUser.Tenant+"/*", "accessTokens/*")
 
 	if !h.clientManager.PermissionsGreaterThanOrEqualToAccessToken(currentUser, accessToken) {
 		return resources.InsufficientPermissionsError
@@ -90,9 +88,7 @@ func (h *ApiHandler) handleDeleteAccessToken(c echo.Context) error {
 
 	token := tokens[0]
 
-	if !h.clientManager.CanEdit(currentUser, currentUser.Tenant+"/*", "accessTokens/"+token.Name) {
-		return resources.InsufficientPermissionsError
-	}
+	h.MustCanEdit(currentUser, currentUser.Tenant+"/*", "accessTokens/*")
 
 	if !h.clientManager.PermissionsGreaterThanOrEqualToAccessToken(currentUser, &resources.AccessToken{
 		Name: token.Name, AccessTokenSpec: token.AccessTokenSpec, Tenant: token.Tenant,

api/handler/access_token_test.go

@@ -85,7 +85,7 @@ func (suite *AccessTokenTestSuite) TestCreateAndDelete() {
 		Body:   key,
 		Path:   "/v1alpha1/access_tokens",
 		TestWithoutRoles: func(rec *ResponseRecorder) {
-			suite.IsMissingRoleError(rec, resources.InsufficientPermissionsError.Error())
+			suite.IsUnauthorizedError(rec, resources.InsufficientPermissionsError.Error())
 		},
 		TestWithRoles: func(rec *ResponseRecorder) {
 			var res resources.AccessToken
@@ -137,7 +137,7 @@ func (suite *AccessTokenTestSuite) TestCreateAndDelete() {
 		Path:   "/v1alpha1/access_tokens",
 		Body:   key,
 		TestWithoutRoles: func(rec *ResponseRecorder) {
-			suite.IsMissingRoleError(rec, resources.InsufficientPermissionsError.Error())
+			suite.IsUnauthorizedError(rec, resources.InsufficientPermissionsError.Error())
 		},
 		TestWithRoles: func(rec *ResponseRecorder) {
 			suite.Equal(200, rec.Code)

api/handler/acmeserver_test.go

@@ -33,7 +33,7 @@ func (suite *ACMEServerHandlerTestSuite) TestGetEmpty() {
 		Method:    http.MethodGet,
     	Path:      "/v1alpha1/acmeserver",
 		TestWithoutRoles: func(rec *ResponseRecorder) {
-			suite.IsMissingRoleError(rec, "view", "cluster")
+			suite.IsUnauthorizedError(rec, "view", "cluster")
 		},
 		TestWithRoles: func(rec *ResponseRecorder) {
 			suite.Equal(200, rec.Code)
@@ -59,7 +59,7 @@ func (suite *ACMEServerHandlerTestSuite) TestCreateGetDelete() {
 			NSDomain:   nsDomain,
 		},
 		TestWithoutRoles: func(rec *ResponseRecorder) {
-			suite.IsMissingRoleError(rec, "editor", "cluster")
+			suite.IsUnauthorizedError(rec, "editor", "cluster")
 		},
 		TestWithRoles: func(rec *ResponseRecorder) {
 			var res resources.ACMEServer
@@ -79,7 +79,7 @@ func (suite *ACMEServerHandlerTestSuite) TestCreateGetDelete() {
 		Method:    http.MethodGet,
 		Path:      "/v1alpha1/acmeserver",
 		TestWithoutRoles: func(rec *ResponseRecorder) {
-			suite.IsMissingRoleError(rec, "viewer", "cluster")
+			suite.IsUnauthorizedError(rec, "viewer", "cluster")
 		},
 		TestWithRoles: func(rec *ResponseRecorder) {
 			var acmeResp resources.ACMEServerResp
@@ -102,7 +102,7 @@ func (suite *ACMEServerHandlerTestSuite) TestCreateGetDelete() {
 		Method:    http.MethodDelete,
 		Path:      "/v1alpha1/acmeserver",
 		TestWithoutRoles: func(rec *ResponseRecorder) {
-			suite.IsMissingRoleError(rec, "editor", "cluster")
+			suite.IsUnauthorizedError(rec, "editor", "cluster")
 		},
 		TestWithRoles: func(rec *ResponseRecorder) {
 			suite.Equal(200, rec.Code)
@@ -118,7 +118,7 @@ func (suite *ACMEServerHandlerTestSuite) TestCreateGetDelete() {
 		Method:    http.MethodGet,
 		Path:      "/v1alpha1/acmeserver",
 		TestWithoutRoles: func(rec *ResponseRecorder) {
-			suite.IsMissingRoleError(rec, "viewer", "cluster")
+			suite.IsUnauthorizedError(rec, "viewer", "cluster")
 		},
 		TestWithRoles: func(rec *ResponseRecorder) {
 			suite.Equal(200, rec.Code)

api/handler/applications.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"fmt"
 	"net/http"
 
 	"github.com/kalmhq/kalm/api/errors"
@@ -19,7 +20,7 @@ func (h *ApiHandler) InstallApplicationsHandlers(e *echo.Group) {
 	e.GET("/applications", h.handleGetApplications)
 	e.POST("/applications", h.handleCreateApplication)
 	e.GET("/applications/:name", h.handleGetApplicationDetails, h.setApplicationIntoContext)
-	e.DELETE("/applications/:name", h.handleDeleteApplication, h.requireIsTenantOwner, h.setApplicationIntoContext)
+	e.DELETE("/applications/:name", h.handleDeleteApplication, h.setApplicationIntoContext)
 }
 
 // middlewares
@@ -74,10 +75,7 @@ func (h *ApiHandler) handleGetApplications(c echo.Context) error {
 func (h *ApiHandler) handleGetApplicationDetails(c echo.Context) error {
 	namespace := h.getApplicationFromContext(c)
 	currentUser := getCurrentUser(c)
-
-	if !h.clientManager.CanViewScope(currentUser, namespace.Name) {
-		return resources.NoNamespaceViewerRoleError(namespace.Name)
-	}
+	h.MustCanView(currentUser, fmt.Sprintf("%s/%s", currentUser.Tenant, namespace.Name), "applications/"+namespace.Name)
 
 	res, err := h.resourceManager.BuildApplicationDetails(namespace)
 
@@ -90,10 +88,7 @@ func (h *ApiHandler) handleGetApplicationDetails(c echo.Context) error {
 
 func (h *ApiHandler) handleCreateApplication(c echo.Context) error {
 	currentUser := getCurrentUser(c)
-
-	if !h.clientManager.Can(currentUser, "create", currentUser.Tenant+"/*", "applications/*") {
-		panic("TODO: fix this")
-	}
+	h.MustCanEdit(currentUser, currentUser.Tenant+"/*", "applications/*")
 
 	ns, err := bindKalmNamespaceFromRequestBody(c)
 
@@ -119,6 +114,9 @@ func (h *ApiHandler) handleCreateApplication(c echo.Context) error {
 }
 
 func (h *ApiHandler) handleDeleteApplication(c echo.Context) error {
+	currentUser := getCurrentUser(c)
+	h.MustCanEdit(currentUser, currentUser.Tenant+"/*", "applications/*")
+
 	namespace := h.getApplicationFromContext(c)
 
 	if err := h.resourceManager.DeleteNamespace(namespace); err != nil {

api/handler/applications_test.go

@@ -101,7 +101,7 @@ func (suite *ApplicationsHandlerTestSuite) TestCreateEmptyApplication() {
 		Path:   "/v1alpha1/applications",
 		Body:   fmt.Sprintf(`{"name": "%s"}`, name),
 		TestWithoutRoles: func(rec *ResponseRecorder) {
-			suite.IsMissingRoleError(rec, "editor", "cluster")
+			suite.IsUnauthorizedError(rec, "edit")
 		},
 		TestWithRoles: func(rec *ResponseRecorder) {
 			var res resources.ApplicationDetails
@@ -121,7 +121,7 @@ func (suite *ApplicationsHandlerTestSuite) TestCreateEmptyApplication() {
 		Method:    http.MethodGet,
 		Path:      "/v1alpha1/applications/" + name,
 		TestWithoutRoles: func(rec *ResponseRecorder) {
-			suite.IsMissingRoleError(rec, "viewer", name)
+			suite.IsUnauthorizedError(rec, "view", name)
 		},
 		TestWithRoles: func(rec *ResponseRecorder) {
 			var res resources.ApplicationDetails
@@ -172,7 +172,7 @@ func (suite *ApplicationsHandlerTestSuite) TestDeleteApplication() {
 		Method: http.MethodDelete,
 		Path:   "/v1alpha1/applications/test3",
 		TestWithoutRoles: func(rec *ResponseRecorder) {
-			suite.IsMissingRoleError(rec, "editor", "cluster")
+			suite.IsUnauthorizedError(rec, "edit")
 		},
 		TestWithRoles: func(rec *ResponseRecorder) {
 			suite.Equal(http.StatusNoContent, rec.Code)

api/handler/cluster.go

@@ -200,10 +200,7 @@ type SetupClusterResponse struct {
 }
 
 func (h *ApiHandler) handleInitializeCluster(c echo.Context) error {
-
-	if !h.clientManager.CanManageCluster(getCurrentUser(c)) {
-		return resources.NoClusterOwnerRoleError
-	}
+	h.MustCanManageCluster(getCurrentUser(c))
 
 	clusterInfo := h.getClusterInfo(c)
 
@@ -337,9 +334,7 @@ func (h *ApiHandler) handleInitializeCluster(c echo.Context) error {
 
 func (h *ApiHandler) handleResetCluster(c echo.Context) error {
 
-	if !h.clientManager.CanManageCluster(getCurrentUser(c)) {
-		return resources.NoClusterOwnerRoleError
-	}
+	h.MustCanManageCluster(getCurrentUser(c))
 
 	wg := sync.WaitGroup{}
 

api/handler/cluster_test.go

@@ -1,10 +1,11 @@
 package handler
 
 import (
-	"github.com/kalmhq/kalm/api/resources"
-	"github.com/stretchr/testify/suite"
 	"net/http"
 	"testing"
+
+	"github.com/kalmhq/kalm/api/resources"
+	"github.com/stretchr/testify/suite"
 )
 
 type ClusterHandlerTestSuite struct {
@@ -26,7 +27,7 @@ func (suite *ClusterHandlerTestSuite) TestClusterInfo() {
 		Path:   "/v1alpha1/initialize",
 		Body:   `{"domain": "kalm.test"}`,
 		TestWithoutRoles: func(rec *ResponseRecorder) {
-			suite.IsMissingRoleError(rec, "owner", "cluster")
+			suite.IsUnauthorizedError(rec)
 		},
 		TestWithRoles: func(rec *ResponseRecorder) {
 			var setupClusterResponse SetupClusterResponse
@@ -45,7 +46,7 @@ func (suite *ClusterHandlerTestSuite) TestClusterInfo() {
 		Path:   "/v1alpha1/cluster",
 		Body:   `{}`,
 		TestWithoutRoles: func(rec *ResponseRecorder) {
-			suite.IsMissingRoleError(rec, "viewer", "cluster")
+			suite.IsUnauthorizedError(rec)
 		},
 		TestWithRoles: func(rec *ResponseRecorder) {
 			var clusterInfo ClusterInfo
@@ -78,7 +79,7 @@ func (suite *ClusterHandlerTestSuite) TestClusterInfo() {
 		Path:   "/v1alpha1/reset",
 		Body:   `{}`,
 		TestWithoutRoles: func(rec *ResponseRecorder) {
-			suite.IsMissingRoleError(rec, "owner", "cluster")
+			suite.IsUnauthorizedError(rec)
 		},
 		TestWithRoles: func(rec *ResponseRecorder) {
 			suite.Equal(200, rec.Code)