ArgoCD admin cmd: handle applicationsets RBAC

Fixes [argoproj#11996] Adding more tests on logs/exec Signed-off-by: Shyukri Shyukriev <shyukri.shyukriev@mariadb.com>
shuker85 · Mar 18, 2023 · 9325232 · 9325232
1 parent cca5e1a
commit 9325232
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 29 deletions.
diff --git a/cmd/argocd/commands/admin/settings_rbac.go b/cmd/argocd/commands/admin/settings_rbac.go
@@ -22,38 +22,40 @@ import (
 
 // Provide a mapping of short-hand resource names to their RBAC counterparts
 var resourceMap map[string]string = map[string]string{
-	"account":     rbacpolicy.ResourceAccounts,
-	"app":         rbacpolicy.ResourceApplications,
-	"apps":        rbacpolicy.ResourceApplications,
-	"application": rbacpolicy.ResourceApplications,
-	"cert":        rbacpolicy.ResourceCertificates,
-	"certs":       rbacpolicy.ResourceCertificates,
-	"certificate": rbacpolicy.ResourceCertificates,
-	"cluster":     rbacpolicy.ResourceClusters,
-	"gpgkey":      rbacpolicy.ResourceGPGKeys,
-	"key":         rbacpolicy.ResourceGPGKeys,
-	"log":         rbacpolicy.ResourceLogs,
-	"logs":        rbacpolicy.ResourceLogs,
-	"exec":        rbacpolicy.ResourceExec,
-	"proj":        rbacpolicy.ResourceProjects,
-	"projs":       rbacpolicy.ResourceProjects,
-	"project":     rbacpolicy.ResourceProjects,
-	"repo":        rbacpolicy.ResourceRepositories,
-	"repos":       rbacpolicy.ResourceRepositories,
-	"repository":  rbacpolicy.ResourceRepositories,
+	"account":         rbacpolicy.ResourceAccounts,
+	"app":             rbacpolicy.ResourceApplications,
+	"apps":            rbacpolicy.ResourceApplications,
+	"application":     rbacpolicy.ResourceApplications,
+	"applicationsets": rbacpolicy.ResourceApplicationSets,
+	"cert":            rbacpolicy.ResourceCertificates,
+	"certs":           rbacpolicy.ResourceCertificates,
+	"certificate":     rbacpolicy.ResourceCertificates,
+	"cluster":         rbacpolicy.ResourceClusters,
+	"gpgkey":          rbacpolicy.ResourceGPGKeys,
+	"key":             rbacpolicy.ResourceGPGKeys,
+	"log":             rbacpolicy.ResourceLogs,
+	"logs":            rbacpolicy.ResourceLogs,
+	"exec":            rbacpolicy.ResourceExec,
+	"proj":            rbacpolicy.ResourceProjects,
+	"projs":           rbacpolicy.ResourceProjects,
+	"project":         rbacpolicy.ResourceProjects,
+	"repo":            rbacpolicy.ResourceRepositories,
+	"repos":           rbacpolicy.ResourceRepositories,
+	"repository":      rbacpolicy.ResourceRepositories,
 }
 
 // List of allowed RBAC resources
 var validRBACResources map[string]bool = map[string]bool{
-	rbacpolicy.ResourceAccounts:     true,
-	rbacpolicy.ResourceApplications: true,
-	rbacpolicy.ResourceCertificates: true,
-	rbacpolicy.ResourceClusters:     true,
-	rbacpolicy.ResourceGPGKeys:      true,
-	rbacpolicy.ResourceLogs:         true,
-	rbacpolicy.ResourceExec:         true,
-	rbacpolicy.ResourceProjects:     true,
-	rbacpolicy.ResourceRepositories: true,
+	rbacpolicy.ResourceAccounts:        true,
+	rbacpolicy.ResourceApplications:    true,
+	rbacpolicy.ResourceApplicationSets: true,
+	rbacpolicy.ResourceCertificates:    true,
+	rbacpolicy.ResourceClusters:        true,
+	rbacpolicy.ResourceGPGKeys:         true,
+	rbacpolicy.ResourceLogs:            true,
+	rbacpolicy.ResourceExec:            true,
+	rbacpolicy.ResourceProjects:        true,
+	rbacpolicy.ResourceRepositories:    true,
 }
 
 // List of allowed RBAC actions

diff --git a/cmd/argocd/commands/admin/settings_rbac_test.go b/cmd/argocd/commands/admin/settings_rbac_test.go
@@ -102,6 +102,22 @@ func Test_PolicyFromK8s(t *testing.T) {
 		ok := checkPolicy("role:user", "get", "certificates", ".*", assets.BuiltinPolicyCSV, uPol, "role:readonly", "regex", true)
 		require.False(t, ok)
 	})
+	t.Run("get logs", func(t *testing.T) {
+		ok := checkPolicy("role:test", "get", "logs", "*/*", assets.BuiltinPolicyCSV, uPol, dRole, "", true)
+		require.True(t, ok)
+	})
+	t.Run("create exec", func(t *testing.T) {
+		ok := checkPolicy("role:test", "create", "exec", "*/*", assets.BuiltinPolicyCSV, uPol, dRole, "", true)
+		require.True(t, ok)
+	})
+	t.Run("create applicationsets", func(t *testing.T) {
+		ok := checkPolicy("role:user", "create", "applicationsets", "*/*", assets.BuiltinPolicyCSV, uPol, dRole, "", true)
+		require.True(t, ok)
+	})
+	t.Run("delete applicationsets", func(t *testing.T) {
+		ok := checkPolicy("role:user", "delete", "applicationsets", "*/*", assets.BuiltinPolicyCSV, uPol, dRole, "", true)
+		require.True(t, ok)
+	})
 }
 
 func Test_PolicyFromK8sUsingRegex(t *testing.T) {
@@ -111,7 +127,12 @@ func Test_PolicyFromK8sUsingRegex(t *testing.T) {
 p, role:user, clusters, get, .+, allow
 p, role:user, clusters, get, https://kubernetes.*, deny
 p, role:user, applications, get, .*, allow
-p, role:user, applications, create, .*/.*, allow`
+p, role:user, applications, create, .*/.*, allow
+p, role:user, applicationsets, create, .*/.*, allow
+p, role:user, applicationsets, delete, .*/.*, allow
+p, role:user, logs, get, .*/.*, allow
+p, role:user, exec, create, .*/.*, allow
+`
 
 	kubeclientset := fake.NewSimpleClientset(&v1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
@@ -157,4 +178,20 @@ p, role:, certificates, get, .*, allow`
 		ok := checkPolicy("role:user", "get", "certificates", ".+", builtInPolicy, uPol, dRole, "glob", true)
 		require.False(t, ok)
 	})
+	t.Run("get logs via glob match mode", func(t *testing.T) {
+		ok := checkPolicy("role:user", "get", "logs", ".*/.*", builtInPolicy, uPol, dRole, "glob", true)
+		require.True(t, ok)
+	})
+	t.Run("create exec", func(t *testing.T) {
+		ok := checkPolicy("role:user", "create", "exec", ".*/.*", builtInPolicy, uPol, dRole, "regex", true)
+		require.True(t, ok)
+	})
+	t.Run("create applicationsets", func(t *testing.T) {
+		ok := checkPolicy("role:user", "create", "applicationsets", ".*/.*", builtInPolicy, uPol, dRole, "regex", true)
+		require.True(t, ok)
+	})
+	t.Run("delete applicationsets", func(t *testing.T) {
+		ok := checkPolicy("role:user", "delete", "applicationsets", ".*/.*", builtInPolicy, uPol, dRole, "regex", true)
+		require.True(t, ok)
+	})
 }
diff --git a/cmd/argocd/commands/admin/testdata/rbac/argocd-rbac-cm.yaml b/cmd/argocd/commands/admin/testdata/rbac/argocd-rbac-cm.yaml
@@ -8,6 +8,8 @@ data:
     p, role:user, applications, create, */*, allow
     p, role:user, applications, delete, *, allow
     p, role:user, applications, delete, */guestbook, deny
+    p, role:user, applicationsets, create, */*, allow
+    p, role:user, applicationsets, delete, */*, allow
     p, role:user, logs, get, */*, allow
     g, test, role:user
   policy.default: role:unknown

diff --git a/cmd/argocd/commands/admin/testdata/rbac/policy.csv b/cmd/argocd/commands/admin/testdata/rbac/policy.csv
@@ -5,6 +5,8 @@ p, role:user, applications, get, *, allow
 p, role:user, applications, create, */*, allow
 p, role:user, applications, delete, *, allow
 p, role:user, applications, delete, */guestbook, deny
+p, role:user, applicationsets, create, */*, allow
+p, role:user, applicationsets, delete, */*, allow
 p, role:test, certificates, get, *, allow
 p, role:test, logs, get, */*, allow
 p, role:test, exec, create, */*, allow