This commit is contained in:
Andrew Nester 2024-10-24 13:31:37 +02:00
parent 1ba769c68f
commit acac0289c5
No known key found for this signature in database
GPG Key ID: 12BC628A44B7DA57
4 changed files with 19 additions and 52 deletions

View File

@ -34,24 +34,15 @@ func (f *folderPermissions) Apply(ctx context.Context, b bundle.ReadOnlyBundle)
rootPath += "/"
}
if !strings.HasPrefix(b.Config().Workspace.ArtifactPath, rootPath) &&
!libraries.IsVolumesPath(b.Config().Workspace.ArtifactPath) {
paths = append(paths, b.Config().Workspace.ArtifactPath)
for _, p := range []string{
b.Config().Workspace.ArtifactPath,
b.Config().Workspace.FilePath,
b.Config().Workspace.StatePath,
b.Config().Workspace.ResourcePath,
} {
if !strings.HasPrefix(p, rootPath) && !libraries.IsVolumesPath(p) {
paths = append(paths, p)
}
if !strings.HasPrefix(b.Config().Workspace.FilePath, rootPath) &&
!libraries.IsVolumesPath(b.Config().Workspace.FilePath) {
paths = append(paths, b.Config().Workspace.FilePath)
}
if !strings.HasPrefix(b.Config().Workspace.StatePath, rootPath) &&
!libraries.IsVolumesPath(b.Config().Workspace.StatePath) {
paths = append(paths, b.Config().Workspace.StatePath)
}
if !strings.HasPrefix(b.Config().Workspace.ResourcePath, rootPath) &&
!libraries.IsVolumesPath(b.Config().Workspace.ResourcePath) {
paths = append(paths, b.Config().Workspace.ResourcePath)
}
var diags diag.Diagnostics

View File

@ -122,7 +122,7 @@ func TestValidateFolderPermissionsFailsOnMissingBundlePermission(t *testing.T) {
diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())
require.Len(t, diags, 1)
require.Equal(t, "permissions missing", diags[0].Summary)
require.Equal(t, "untracked permissions apply to target workspace path", diags[0].Summary)
require.Equal(t, diag.Warning, diags[0].Severity)
require.Equal(t, "The following permissions apply to the workspace folder at \"/Workspace/Users/foo@bar.com\" but are not configured in the bundle:\n- level: CAN_MANAGE, user_name: foo2@bar.com\n", diags[0].Detail)
}
@ -167,12 +167,9 @@ func TestValidateFolderPermissionsFailsOnPermissionMismatch(t *testing.T) {
rb := bundle.ReadOnly(b)
diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())
require.Len(t, diags, 2)
require.Equal(t, "permissions missing", diags[0].Summary)
require.Len(t, diags, 1)
require.Equal(t, "untracked permissions apply to target workspace path", diags[0].Summary)
require.Equal(t, diag.Warning, diags[0].Severity)
require.Equal(t, "permissions missing", diags[1].Summary)
require.Equal(t, diag.Warning, diags[1].Severity)
}
func TestValidateFolderPermissionsFailsOnNoRootFolder(t *testing.T) {

View File

@ -18,7 +18,7 @@ func ObjectAclToResourcePermissions(path string, acl []workspace.WorkspaceObject
permissions := make([]resources.Permission, 0)
for _, a := range acl {
// Skip the admin group because it's added to all resources by default.
if a.GroupName == "admin" {
if a.GroupName == "admins" {
continue
}
@ -38,22 +38,12 @@ func ObjectAclToResourcePermissions(path string, acl []workspace.WorkspaceObject
func (p WorkspacePathPermissions) Compare(perms []resources.Permission) diag.Diagnostics {
var diags diag.Diagnostics
// Check the permissions in the bundle and see if they are all set in the workspace.
ok, missing := containsAll(perms, p.Permissions)
if !ok {
diags = diags.Append(diag.Diagnostic{
Severity: diag.Warning,
Summary: "permissions missing",
Detail: fmt.Sprintf("The following permissions are configured in the bundle but are do not (yet) apply to the workspace folder at %q:\n%s", p.Path, toString(missing)),
})
}
// Check the permissions in the workspace and see if they are all set in the bundle.
ok, missing = containsAll(p.Permissions, perms)
ok, missing := containsAll(p.Permissions, perms)
if !ok {
diags = diags.Append(diag.Diagnostic{
Severity: diag.Warning,
Summary: "permissions missing",
Summary: "untracked permissions apply to target workspace path",
Detail: fmt.Sprintf("The following permissions apply to the workspace folder at %q but are not configured in the bundle:\n%s", p.Path, toString(missing)),
})
}

View File

@ -41,7 +41,7 @@ func TestWorkspacePathPermissionsCompare(t *testing.T) {
},
},
{
GroupName: "admin",
GroupName: "admins",
AllPermissions: []workspace.WorkspaceObjectPermission{
{PermissionLevel: "CAN_MANAGE"},
},
@ -62,13 +62,7 @@ func TestWorkspacePathPermissionsCompare(t *testing.T) {
},
},
},
expected: diag.Diagnostics{
{
Severity: diag.Warning,
Summary: "permissions missing",
Detail: "The following permissions are configured in the bundle but are do not (yet) apply to the workspace folder at \"path\":\n- level: CAN_MANAGE, service_principal_name: sp.com\n",
},
},
expected: nil,
},
{
perms: []resources.Permission{
@ -91,7 +85,7 @@ func TestWorkspacePathPermissionsCompare(t *testing.T) {
expected: diag.Diagnostics{
{
Severity: diag.Warning,
Summary: "permissions missing",
Summary: "untracked permissions apply to target workspace path",
Detail: "The following permissions apply to the workspace folder at \"path\" but are not configured in the bundle:\n- level: CAN_MANAGE, group_name: foo\n",
},
},
@ -111,12 +105,7 @@ func TestWorkspacePathPermissionsCompare(t *testing.T) {
expected: diag.Diagnostics{
{
Severity: diag.Warning,
Summary: "permissions missing",
Detail: "The following permissions are configured in the bundle but are do not (yet) apply to the workspace folder at \"path\":\n- level: CAN_MANAGE, user_name: foo@bar.com\n",
},
{
Severity: diag.Warning,
Summary: "permissions missing",
Summary: "untracked permissions apply to target workspace path",
Detail: "The following permissions apply to the workspace folder at \"path\" but are not configured in the bundle:\n- level: CAN_MANAGE, user_name: foo2@bar.com\n",
},
},