Add RBAC to UndeployApplication

services/cd-service/pkg/repository/transformer.go

@@ -418,6 +418,7 @@ func (c *CreateUndeployApplicationVersion) Transform(ctx context.Context, state
 }
 
 type UndeployApplication struct {
+	Authentication
 	Application string
 }
 
@@ -440,6 +441,10 @@ func (u *UndeployApplication) Transform(ctx context.Context, state *State) (stri
 	appDir := applicationDirectory(fs, u.Application)
 	configs, err := state.GetEnvironmentConfigs()
 	for env := range configs {
+		err := state.checkUserPermissions(ctx, env, u.Application, auth.PermissionDeployUndeploy, u.RBACConfig)
+		if err != nil {
+			return "", err
+		}
 		envAppDir := environmentApplicationDirectory(fs, env, u.Application)
 		entries, err := fs.ReadDir(envAppDir)
 		if err != nil {

services/cd-service/pkg/repository/transformer_test.go

@@ -794,6 +794,66 @@ func TestRbacTransformerTest(t *testing.T) {
 		Transformers  []Transformer
 		ExpectedError string
 	}{
+		{
+			Name: "able to undeploy application with permissions policy",
+			Transformers: []Transformer{
+				&CreateEnvironment{
+					Environment: "staging",
+					Config:      config.EnvironmentConfig{Upstream: &config.EnvironmentConfigUpstream{Latest: true}},
+				},
+				&CreateEnvironment{
+					Environment: "production",
+					Config:      config.EnvironmentConfig{Upstream: &config.EnvironmentConfigUpstream{Environment: "staging"}},
+				},
+				&CreateApplicationVersion{
+					Application: "app1",
+					Manifests: map[string]string{
+						"production": "production",
+						"staging":    "staging",
+					},
+					Authentication: Authentication{RBACConfig: auth.RBACConfig{DexEnabled: false}},
+				},
+				&CreateUndeployApplicationVersion{
+					Application: "app1",
+				},
+				&UndeployApplication{
+					Application: "app1",
+					Authentication: Authentication{RBACConfig: auth.RBACConfig{DexEnabled: true, Policy: map[string]*auth.Permission{
+						"developer,DeployUndeploy,staging:*,app1,allow":    {Role: "developer"},
+						"developer,DeployUndeploy,production:*,app1,allow": {Role: "developer"},
+					}}},
+				},
+			},
+		},
+		{
+			Name: "unable to undeploy application without permissions policy",
+			Transformers: []Transformer{
+				&CreateEnvironment{
+					Environment: "staging",
+					Config:      config.EnvironmentConfig{Upstream: &config.EnvironmentConfigUpstream{Latest: true}},
+				},
+				&CreateEnvironment{
+					Environment: "production",
+					Config:      config.EnvironmentConfig{Upstream: &config.EnvironmentConfigUpstream{Environment: "staging"}},
+				},
+				&CreateApplicationVersion{
+					Application: "app1",
+					Manifests: map[string]string{
+						"production": "production",
+						"staging":    "staging",
+					},
+					Authentication: Authentication{RBACConfig: auth.RBACConfig{DexEnabled: false}},
+				},
+				&CreateUndeployApplicationVersion{
+					Application: "app1",
+				},
+				&UndeployApplication{
+					Application:    "app1",
+					Authentication: Authentication{RBACConfig: auth.RBACConfig{DexEnabled: true, Policy: map[string]*auth.Permission{}}},
+				},
+			},
+			ExpectedError: "user does not have permissions for: developer,DeployUndeploy,production:*,app1,allow",
+		},
 		{
 			Name: "able to create undeploy with permissions policy",
 			Transformers: []Transformer{

services/cd-service/pkg/service/batch.go

@@ -155,7 +155,8 @@ func (d *BatchServer) processAction(
 			return nil, nil, err
 		}
 		return &repository.UndeployApplication{
-			Application: act.Application,
+			Application:    act.Application,
+			Authentication: repository.Authentication{RBACConfig: d.RBACConfig},
 		}, nil, nil
 	case *api.BatchAction_Deploy:
 		act := action.Deploy