Everest-1464: permissions for requests (#687)

* fix: only call storage when allowed * fix: restores call permissions * fix: clusters call permissions * fix: credentials API permissions * fix: monitoring API permissions * chore: remove hidden 403 errors * fix: imports path * fix: unit test * chore: add permissions to useDbBackups * chore: refactor permissions into hooks * chore: add remaining permissions * fix: bad query "enabled" conditional * fix: show empty data when no permissions available
percona · Sep 19, 2024 · 32c85ff · 32c85ff
1 parent 0b199a2
commit 32c85ff
Show file tree

Hide file tree

Showing 25 changed files with 202 additions and 97 deletions.
diff --git a/ui/apps/everest/src/api/api.ts b/ui/apps/everest/src/api/api.ts
@@ -30,9 +30,6 @@ export const addApiErrorInterceptor = () => {
     errorInterceptor = api.interceptors.response.use(
       (response) => response,
       (error) => {
-        if (error.response.status === 403) {
-          return;
-        }
         if (
           error.response &&
           error.response.status >= 400 &&

diff --git a/ui/apps/everest/src/hooks/api/backup-storages/useBackupStorages.ts b/ui/apps/everest/src/hooks/api/backup-storages/useBackupStorages.ts
@@ -27,6 +27,7 @@ import {
   editBackupStorageFn,
   getBackupStoragesFn,
 } from 'api/backupStorage';
+import { useNamespacePermissionsForResource } from 'hooks/rbac';
 import {
   BackupStorage,
   GetBackupStoragesPayload,
@@ -40,21 +41,37 @@ export interface BackupStoragesForNamespaceResult {
   queryResult: UseQueryResult<BackupStorage[], unknown>;
 }
 
-export const useBackupStorages = (namespaces: string[]) => {
-  const queries = namespaces.map<
+export const useBackupStorages = (
+  queriesParams: Array<{
+    namespace: string;
+    options?: PerconaQueryOptions<
+      GetBackupStoragesPayload,
+      unknown,
+      BackupStorage[]
+    >;
+  }>
+) => {
+  const { canRead } = useNamespacePermissionsForResource('backup-storages');
+  const queries = queriesParams.map<
     UseQueryOptions<GetBackupStoragesPayload, unknown, BackupStorage[]>
-  >((namespace) => ({
-    queryKey: [BACKUP_STORAGES_QUERY_KEY, namespace],
-    retry: false,
-    queryFn: () => getBackupStoragesFn(namespace),
-    refetchInterval: 5 * 1000,
-  }));
+  >(({ namespace, options }) => {
+    const allowed = canRead.includes(namespace);
+    return {
+      queryKey: [BACKUP_STORAGES_QUERY_KEY, namespace],
+      retry: false,
+      queryFn: () => getBackupStoragesFn(namespace),
+      refetchInterval: 5 * 1000,
+      select: allowed ? undefined : () => [],
+      ...options,
+      enabled: (options?.enabled ?? true) && allowed,
+    };
+  });
 
   const queryResults = useQueries({ queries });
 
   const results: BackupStoragesForNamespaceResult[] = queryResults.map(
     (item, i) => ({
-      namespace: namespaces[i],
+      namespace: queriesParams[i].namespace,
       queryResult: item,
     })
   );

diff --git a/ui/apps/everest/src/hooks/api/backups/useBackups.ts b/ui/apps/everest/src/hooks/api/backups/useBackups.ts
@@ -20,6 +20,7 @@ import {
 import { mapBackupState } from 'utils/backups';
 import { BackupFormData } from 'pages/db-cluster-details/backups/on-demand-backup-modal/on-demand-backup-modal.types';
 import { PerconaQueryOptions } from 'shared-types/query.types';
+import { useRBACPermissions } from 'hooks/rbac';
 
 export const BACKUPS_QUERY_KEY = 'backups';
 
@@ -32,23 +33,33 @@ export const useDbBackups = (
   dbClusterName: string,
   namespace: string,
   options?: PerconaQueryOptions<GetBackupsPayload, unknown, Backup[]>
-) =>
-  useQuery<GetBackupsPayload, unknown, Backup[]>({
+) => {
+  const { canRead } = useRBACPermissions(
+    'database-cluster-backups',
+    `${namespace}/${dbClusterName}`
+  );
+  return useQuery<GetBackupsPayload, unknown, Backup[]>({
     queryKey: [BACKUPS_QUERY_KEY, namespace, dbClusterName],
     queryFn: () => getBackupsFn(dbClusterName, namespace),
-    select: ({ items = [] }) =>
-      items.map(
-        ({ metadata: { name }, status, spec: { backupStorageName } }) => ({
-          name,
-          created: status?.created ? new Date(status.created) : null,
-          completed: status?.completed ? new Date(status.completed) : null,
-          state: status ? mapBackupState(status?.state) : BackupStatus.UNKNOWN,
-          dbClusterName,
-          backupStorageName,
-        })
-      ),
+    select: canRead
+      ? ({ items = [] }) =>
+          items.map(
+            ({ metadata: { name }, status, spec: { backupStorageName } }) => ({
+              name,
+              created: status?.created ? new Date(status.created) : null,
+              completed: status?.completed ? new Date(status.completed) : null,
+              state: status
+                ? mapBackupState(status?.state)
+                : BackupStatus.UNKNOWN,
+              dbClusterName,
+              backupStorageName,
+            })
+          )
+      : () => [],
     ...options,
+    enabled: (options?.enabled ?? true) && canRead,
   });
+};
 
 export const useCreateBackupOnDemand = (
   dbClusterName: string,

diff --git a/ui/apps/everest/src/hooks/api/db-cluster/useDbCluster.ts b/ui/apps/everest/src/hooks/api/db-cluster/useDbCluster.ts
@@ -19,15 +19,20 @@ import { DbCluster } from 'shared-types/dbCluster.types';
 import { getDbClusterFn } from 'api/dbClusterApi';
 import { PerconaQueryOptions } from 'shared-types/query.types';
 import cronConverter from 'utils/cron-converter';
+import { useRBACPermissions } from 'hooks/rbac';
 
 export const DB_CLUSTER_QUERY = 'dbCluster';
 
 export const useDbCluster = (
   dbClusterName: string,
   namespace: string,
   options?: PerconaQueryOptions<DbCluster, unknown, DbCluster>
-) =>
-  useQuery<DbCluster, unknown, DbCluster>({
+) => {
+  const { canRead } = useRBACPermissions(
+    'database-clusters',
+    `${namespace}/${dbClusterName}`
+  );
+  return useQuery<DbCluster, unknown, DbCluster>({
     queryKey: [DB_CLUSTER_QUERY, dbClusterName],
     queryFn: () => getDbClusterFn(dbClusterName, namespace),
     select: (cluster) => ({
@@ -50,4 +55,6 @@ export const useDbCluster = (
       },
     }),
     ...options,
+    enabled: options?.enabled && canRead,
   });
+};
diff --git a/ui/apps/everest/src/hooks/api/db-clusters/useDbClusters.ts b/ui/apps/everest/src/hooks/api/db-clusters/useDbClusters.ts
@@ -20,6 +20,10 @@ import {
   UseQueryResult,
 } from '@tanstack/react-query';
 import { getDbClustersFn } from 'api/dbClusterApi';
+import {
+  useNamespacePermissionsForResource,
+  useRBACPermissions,
+} from 'hooks/rbac';
 import { DbCluster, GetDbClusterPayload } from 'shared-types/dbCluster.types';
 import { PerconaQueryOptions } from 'shared-types/query.types';
 import cronConverter from 'utils/cron-converter';
@@ -57,30 +61,45 @@ export const dbClustersQuerySelect = ({
 export const useDbClusters = (
   namespace: string,
   options?: PerconaQueryOptions<GetDbClusterPayload, unknown, DbCluster[]>
-) =>
-  useQuery({
+) => {
+  const { canRead } = useRBACPermissions('database-clusters', `${namespace}/*`);
+  return useQuery({
     queryKey: [DB_CLUSTERS_QUERY_KEY],
     queryFn: () => getDbClustersFn(namespace),
     refetchInterval: 5 * 1000,
-    select: dbClustersQuerySelect,
+    select: canRead ? dbClustersQuerySelect : () => [],
     ...options,
+    enabled: (options?.enabled ?? true) && canRead,
   });
+};
 
-export const useDBClustersForNamespaces = (namespaces: string[]) => {
-  const queries = namespaces.map<
+export const useDBClustersForNamespaces = (
+  queryParams: Array<{
+    namespace: string;
+    options?: PerconaQueryOptions<GetDbClusterPayload, unknown, DbCluster[]>;
+  }>
+) => {
+  const { canRead } = useNamespacePermissionsForResource('database-clusters');
+  const queries = queryParams.map<
     UseQueryOptions<GetDbClusterPayload, unknown, DbCluster[]>
-  >((namespace) => ({
-    queryKey: [DB_CLUSTERS_QUERY_KEY, namespace],
-    retry: false,
-    queryFn: () => getDbClustersFn(namespace),
-    refetchInterval: 5 * 1000,
-    select: dbClustersQuerySelect,
-  }));
+  >(({ namespace, options }) => {
+    const allowed = canRead.includes(namespace);
+    const enabled = (options?.enabled ?? true) && allowed;
+    return {
+      queryKey: [DB_CLUSTERS_QUERY_KEY, namespace],
+      retry: false,
+      queryFn: () => getDbClustersFn(namespace),
+      refetchInterval: 5 * 1000,
+      select: allowed ? dbClustersQuerySelect : () => [],
+      ...options,
+      enabled,
+    };
+  });
 
   const queryResults = useQueries({ queries });
   const results: DbClusterForNamespaceResult[] = queryResults.map(
     (item, i) => ({
-      namespace: namespaces[i],
+      namespace: queryParams[i].namespace,
       queryResult: item,
     })
   );

diff --git a/ui/apps/everest/src/hooks/api/db-engines/useDbEngines.ts b/ui/apps/everest/src/hooks/api/db-engines/useDbEngines.ts
@@ -31,6 +31,7 @@ import {
   getOperatorsUpgradePlan,
   upgradeOperator,
 } from 'api/dbEngineApi';
+import { useRBACPermissions } from 'hooks/rbac';
 
 const DB_TYPE_ORDER_MAP: Record<DbEngineType, number> = {
   // Lower is more important
@@ -108,15 +109,19 @@ export const useDbEngines = (
   namespace: string,
   options?: PerconaQueryOptions<GetDbEnginesPayload, unknown, DbEngine[]>,
   retrieveUpgradingEngines = false
-) =>
-  useQuery<GetDbEnginesPayload, unknown, DbEngine[]>({
+) => {
+  const { canRead } = useRBACPermissions('database-engines', `${namespace}/*`);
+  return useQuery<GetDbEnginesPayload, unknown, DbEngine[]>({
     queryKey: [`dbEngines_${namespace}`],
     queryFn: () => getDbEnginesFn(namespace),
-    select: (data) => dbEnginesQuerySelect(data, retrieveUpgradingEngines),
-    enabled: !!namespace,
+    select: canRead
+      ? (data) => dbEnginesQuerySelect(data, retrieveUpgradingEngines)
+      : () => [],
     retry: 2,
     ...options,
+    enabled: !!namespace && (options?.enabled ?? true) && canRead,
   });
+};
 
 export const useOperatorUpgrade = (
   namespace: string,

diff --git a/ui/apps/everest/src/hooks/api/monitoring/useMonitoringInstancesList.ts b/ui/apps/everest/src/hooks/api/monitoring/useMonitoringInstancesList.ts
@@ -25,12 +25,14 @@ import {
   deleteMonitoringInstanceFn,
   updateMonitoringInstanceFn,
 } from 'api/monitoring';
+import { useNamespacePermissionsForResource } from 'hooks/rbac';
 import {
   CreateMonitoringInstancePayload,
   MonitoringInstance,
   MonitoringInstanceList,
   UpdateMonitoringInstancePayload,
 } from 'shared-types/monitoring.types';
+import { PerconaQueryOptions } from 'shared-types/query.types';
 
 type HookUpdateParam = {
   instanceName: string;
@@ -45,23 +47,37 @@ export interface MonitoringInstanceForNamespaceResult {
 }
 
 export const useMonitoringInstancesList = (
-  namespaces: string[],
-  enabled?: boolean
+  queryParams: Array<{
+    namespace: string;
+    options?: PerconaQueryOptions<
+      MonitoringInstanceList,
+      unknown,
+      MonitoringInstance[]
+    >;
+  }>
 ) => {
-  const queries = namespaces.map<
+  const { canRead } = useNamespacePermissionsForResource(
+    'monitoring-instances'
+  );
+  const queries = queryParams.map<
     UseQueryOptions<MonitoringInstanceList, unknown, MonitoringInstance[]>
-  >((namespace) => ({
-    queryKey: [MONITORING_INSTANCES_QUERY_KEY, namespace],
-    retry: false,
-    queryFn: () => getMonitoringInstancesFn(namespace),
-    refetchInterval: 5 * 1000,
-    enabled,
-  }));
+  >(({ namespace, options }) => {
+    const allowed = canRead.includes(namespace);
+    return {
+      queryKey: [MONITORING_INSTANCES_QUERY_KEY, namespace],
+      retry: false,
+      queryFn: () => getMonitoringInstancesFn(namespace),
+      refetchInterval: 5 * 1000,
+      select: allowed ? undefined : () => [],
+      ...options,
+      enabled: (options?.enabled ?? true) && allowed,
+    };
+  });
   const queryResults = useQueries({ queries });
 
   const results: MonitoringInstanceForNamespaceResult[] = queryResults.map(
     (item, i) => ({
-      namespace: namespaces[i],
+      namespace: queryParams[i].namespace,
       queryResult: item,
     })
   );

diff --git a/ui/apps/everest/src/hooks/api/restores/useDbClusterRestore.ts b/ui/apps/everest/src/hooks/api/restores/useDbClusterRestore.ts
@@ -23,7 +23,9 @@ import {
   deleteRestore,
   getDbClusterRestores,
 } from 'api/restores';
+import { useRBACPermissions } from 'hooks/rbac';
 import { generateShortUID } from 'pages/database-form/database-form-body/steps/first/utils';
+import { PerconaQueryOptions } from 'shared-types/query.types';
 import { GetRestorePayload, Restore } from 'shared-types/restores.types';
 
 export const RESTORES_QUERY_KEY = 'restores';
@@ -97,22 +99,32 @@ export const useDbClusterRestoreFromPointInTime = (
 
 export const useDbClusterRestores = (
   namespace: string,
-  dbClusterName: string
-) =>
-  useQuery<GetRestorePayload, unknown, Restore[]>({
+  dbClusterName: string,
+  options?: PerconaQueryOptions<GetRestorePayload, unknown, Restore[]>
+) => {
+  const { canRead } = useRBACPermissions(
+    'database-cluster-restores',
+    `${namespace}/${dbClusterName}`
+  );
+  return useQuery<GetRestorePayload, unknown, Restore[]>({
     queryKey: [RESTORES_QUERY_KEY, namespace, dbClusterName],
     queryFn: () => getDbClusterRestores(namespace, dbClusterName),
     refetchInterval: 5 * 1000,
-    select: (data) =>
-      data.items.map((item) => ({
-        name: item.metadata.name,
-        startTime: item.metadata.creationTimestamp,
-        endTime: item.status.completed,
-        state: item.status.state || 'unknown',
-        type: item.spec.dataSource.pitr ? 'pitr' : 'full',
-        backupSource: item.spec.dataSource.dbClusterBackupName || '',
-      })),
+    select: canRead
+      ? (data) =>
+          data.items.map((item) => ({
+            name: item.metadata.name,
+            startTime: item.metadata.creationTimestamp,
+            endTime: item.status.completed,
+            state: item.status.state || 'unknown',
+            type: item.spec.dataSource.pitr ? 'pitr' : 'full',
+            backupSource: item.spec.dataSource.dbClusterBackupName || '',
+          }))
+      : () => [],
+    ...options,
+    enabled: (options?.enabled ?? true) && canRead,
   });
+};
 
 export const useDeleteRestore = (
   namespace: string,

diff --git a/ui/apps/everest/src/hooks/rbac/rbac.ts b/ui/apps/everest/src/hooks/rbac/rbac.ts
@@ -1,4 +1,3 @@
-// import { useNamespaces } from 'hooks/api/namespaces';
 import { useNamespaces } from 'hooks/api/namespaces';
 import { useCallback, useEffect, useState } from 'react';
 import {

diff --git a/ui/apps/everest/src/pages/database-form/database-form-body/steps/monitoring/monitoring.tsx b/ui/apps/everest/src/pages/database-form/database-form-body/steps/monitoring/monitoring.tsx
@@ -29,14 +29,15 @@ export const Monitoring = () => {
     'monitoring-instances',
     `${selectedNamespace}/*`
   );
-
   const mode = useDatabasePageMode();
   const { mutate: createMonitoringInstance, isPending: creatingInstance } =
     useCreateMonitoringInstance();
   const { setValue } = useFormContext();
 
   const monitoringInstancesResult = useMonitoringInstancesList([
-    selectedNamespace,
+    {
+      namespace: selectedNamespace,
+    },
   ]);
 
   const monitoringInstancesLoading = monitoringInstancesResult.some(