fix(rbac): handle malformed rbac policy

[zekth]

The rbac parser happens to swallow some malformed entries like the one i added in test:

• p, role:Myrole, applications, *, myapp/* allow

The outcome of this, the whole rbac was broken and then no apps, no clusters were showing up in argo-cd UI. This PR addresses this problem.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• Optional. My organization is added to USERS.md.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).

[crenshaw-dev]

I wonder if a role could contain a space. Like `p, some spacey role, applications, , myapp/, allow

[zekth]

I made the assumption that not indeed.

[crenshaw-dev]

Want to limit this check to everything besides the role field, so it's an easy-merge?

[zekth]

will push a change

[jannfis]

Can't we just assume that there are two types of policies right now:

• Grants (g), which has two fields (the grantee and the role granted)
• Policy (p), which has five fields (the role, the resource type, the verb, the resource name pattern and the action)

So wouldn't it make more sense to evaluate the policy type and check whether it has the right amount of fields set?

[crenshaw-dev]

I think we might already do that. But the fields are split on commas, not spaces.

[jannfis]

I ment, instead of checking whether a field contains white space, couldn't we just check for len(tokens) according to the type of policy (g or p) of the currently evaluated record?

[crenshaw-dev]

Oh, sure, since we wouldn't hit the right number of tokens when there's a comma missing. I do like that better.

[zekth]

Will push the fix torward that approach then, i wasn't sure if there was special cases that i was not was about.

[jannfis]

@alexmt Are you aware of RBAC policy definitions that have a different pattern, e.g. a variable number of fields in a permission definition?

[codecov]

Codecov Report

Patch coverage: 82.19% and project coverage change: +0.08 🎉

Comparison is base (5662367) 48.98% compared to head (7730660) 49.06%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11964      +/-   ##
==========================================
+ Coverage   48.98%   49.06%   +0.08%     
==========================================
  Files         249      249              
  Lines       43066    43127      +61     
==========================================
+ Hits        21094    21160      +66     
+ Misses      19864    19855       -9     
- Partials     2108     2112       +4     

Impacted Files	Coverage Δ
util/git/client.go	50.00% <37.50%> (ø)
server/cluster/cluster.go	50.13% <85.71%> (+10.20%)	⬆️
pkg/apis/application/v1alpha1/types.go	59.68% <100.00%> (+0.09%)	⬆️
util/rbac/rbac.go	78.12% <100.00%> (+0.38%)	⬆️

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[zekth]

@crenshaw-dev any update on this?

[zekth]

@crenshaw-dev fixed

[crenshaw-dev]

Thanks, @zekth!