feat: infra view role

internal/access/access_key.go

@@ -22,7 +22,7 @@ func currentAccessKey(c *gin.Context) *models.AccessKey {
 }
 
 func ListAccessKeys(c *gin.Context, identityID uid.ID, name string) ([]models.AccessKey, error) {
-	db, err := RequireInfraRole(c, models.InfraAdminRole)
+	db, err := RequireInfraRole(c, models.InfraAdminRole, models.InfraViewRole)
 	if err != nil {
 		return nil, err
 	}

internal/access/access_test.go

@@ -1,6 +1,7 @@
 package access
 
 import (
+	"fmt"
 	"net/http/httptest"
 	"os"
 	"testing"
@@ -45,7 +46,7 @@ func setupAccessTestContext(t *testing.T) (*gin.Context, *gorm.DB, *models.Provi
 	adminGrant := &models.Grant{
 		Subject:   admin.PolyID(),
 		Privilege: models.InfraAdminRole,
-		Resource:  "infra",
+		Resource:  ResourceInfraAPI,
 	}
 	err = data.CreateGrant(db, adminGrant)
 	assert.NilError(t, err)
@@ -101,7 +102,6 @@ func TestUsersGroupGrant(t *testing.T) {
 	c, _ := gin.CreateTestContext(httptest.NewRecorder())
 	c.Set("db", db)
 	c.Set("identity", tom)
-	c.Set("user", tom)
 
 	grant(t, db, tom, tomsGroup.PolyID(), models.InfraUserRole, "infra")
 
@@ -118,6 +118,58 @@ func TestUsersGroupGrant(t *testing.T) {
 	assert.Assert(t, authDB != nil)
 }
 
+func TestInfraRequireInfraRole(t *testing.T) {
+	db := setupDB(t)
+
+	setup := func(t *testing.T, infraRole string) *gin.Context {
+		testIdentity := &models.Identity{Name: fmt.Sprintf("infra-%s-%s", infraRole, time.Now()), Kind: models.MachineKind}
+
+		err := data.CreateIdentity(db, testIdentity)
+		assert.NilError(t, err)
+
+		err = data.CreateGrant(db, &models.Grant{Subject: testIdentity.PolyID(), Privilege: infraRole, Resource: ResourceInfraAPI})
+		assert.NilError(t, err)
+
+		c, _ := gin.CreateTestContext(httptest.NewRecorder())
+		c.Set("db", db)
+		c.Set("identity", testIdentity)
+
+		return c
+	}
+
+	t.Run("has specific required role", func(t *testing.T) {
+		c := setup(t, models.InfraAdminRole)
+
+		authDB, err := RequireInfraRole(c, models.InfraAdminRole)
+		assert.NilError(t, err)
+		assert.Assert(t, authDB != nil)
+	})
+
+	t.Run("does not have specific required role", func(t *testing.T) {
+		c := setup(t, models.InfraViewRole)
+
+		authDB, err := RequireInfraRole(c, models.InfraAdminRole)
+		assert.Error(t, err, "forbidden: requestor does not have required grant")
+		assert.Assert(t, authDB == nil)
+	})
+
+	t.Run("has required role in list", func(t *testing.T) {
+		c := setup(t, models.InfraViewRole)
+
+		authDB, err := RequireInfraRole(c, models.InfraAdminRole, models.InfraViewRole)
+		assert.NilError(t, err)
+		assert.Assert(t, authDB != nil)
+	})
+
+	t.Run("does not have required role in list", func(t *testing.T) {
+		c := setup(t, models.InfraViewRole)
+
+		authDB, err := RequireInfraRole(c, models.InfraAdminRole, models.InfraConnectorRole)
+		assert.Error(t, err, "forbidden: requestor does not have required grant")
+		assert.Assert(t, authDB == nil)
+	})
+}
+
 func grant(t *testing.T, db *gorm.DB, currentUser *models.Identity, subject uid.PolymorphicID, privilege, resource string) {
 	err := data.CreateGrant(db, &models.Grant{
 		Subject:   subject,

internal/access/destination.go

@@ -27,7 +27,7 @@ func SaveDestination(c *gin.Context, destination *models.Destination) error {
 }
 
 func GetDestination(c *gin.Context, id uid.ID) (*models.Destination, error) {
-	db, err := RequireInfraRole(c, models.InfraAdminRole, models.InfraConnectorRole, models.InfraUserRole)
+	db, err := RequireInfraRole(c, models.InfraAdminRole, models.InfraViewRole, models.InfraConnectorRole, models.InfraUserRole)
 	if err != nil {
 		return nil, err
 	}
@@ -36,7 +36,7 @@ func GetDestination(c *gin.Context, id uid.ID) (*models.Destination, error) {
 }
 
 func ListDestinations(c *gin.Context, uniqueID, name string) ([]models.Destination, error) {
-	db, err := RequireInfraRole(c, models.InfraAdminRole, models.InfraConnectorRole, models.InfraUserRole)
+	db, err := RequireInfraRole(c, models.InfraAdminRole, models.InfraViewRole, models.InfraConnectorRole, models.InfraUserRole)
 	if err != nil {
 		return nil, err
 	}

internal/access/grant.go

@@ -18,7 +18,7 @@ func GetGrant(c *gin.Context, id uid.ID) (*models.Grant, error) {
 }
 
 func ListGrants(c *gin.Context, subject uid.PolymorphicID, resource string, privilege string) ([]models.Grant, error) {
-	db, err := RequireInfraRole(c, models.InfraAdminRole, models.InfraConnectorRole)
+	db, err := RequireInfraRole(c, models.InfraAdminRole, models.InfraViewRole, models.InfraConnectorRole)
 	if err != nil {
 		return nil, err
 	}
@@ -27,7 +27,7 @@ func ListGrants(c *gin.Context, subject uid.PolymorphicID, resource string, priv
 }
 
 func ListIdentityGrants(c *gin.Context, identityID uid.ID) ([]models.Grant, error) {
-	db, err := hasAuthorization(c, identityID, isIdentitySelf, models.InfraAdminRole)
+	db, err := hasAuthorization(c, identityID, isIdentitySelf, models.InfraAdminRole, models.InfraViewRole)
 	if err != nil {
 		return nil, err
 	}
@@ -36,7 +36,7 @@ func ListIdentityGrants(c *gin.Context, identityID uid.ID) ([]models.Grant, erro
 }
 
 func ListGroupGrants(c *gin.Context, groupID uid.ID) ([]models.Grant, error) {
-	db, err := hasAuthorization(c, groupID, isUserInGroup, models.InfraAdminRole)
+	db, err := hasAuthorization(c, groupID, isUserInGroup, models.InfraAdminRole, models.InfraViewRole)
 	if err != nil {
 		return nil, err
 	}

internal/access/group.go

@@ -31,7 +31,7 @@ func isUserInGroup(c *gin.Context, requestedResourceID uid.ID) (bool, error) {
 }
 
 func ListGroups(c *gin.Context, name string, providerID uid.ID) ([]models.Group, error) {
-	db, err := RequireInfraRole(c, models.InfraAdminRole, models.InfraConnectorRole)
+	db, err := RequireInfraRole(c, models.InfraAdminRole, models.InfraViewRole, models.InfraConnectorRole)
 	if err != nil {
 		return nil, err
 	}
@@ -49,7 +49,7 @@ func CreateGroup(c *gin.Context, group *models.Group) error {
 }
 
 func GetGroup(c *gin.Context, id uid.ID) (*models.Group, error) {
-	db, err := hasAuthorization(c, id, isUserInGroup, models.InfraAdminRole, models.InfraConnectorRole)
+	db, err := hasAuthorization(c, id, isUserInGroup, models.InfraAdminRole, models.InfraViewRole, models.InfraConnectorRole)
 	if err != nil {
 		return nil, err
 	}
@@ -58,7 +58,7 @@ func GetGroup(c *gin.Context, id uid.ID) (*models.Group, error) {
 }
 
 func ListIdentityGroups(c *gin.Context, userID uid.ID) ([]models.Group, error) {
-	db, err := hasAuthorization(c, userID, isIdentitySelf, models.InfraAdminRole)
+	db, err := hasAuthorization(c, userID, isIdentitySelf, models.InfraAdminRole, models.InfraViewRole)
 	if err != nil {
 		return nil, err
 	}

internal/access/identity.go

@@ -29,7 +29,7 @@ func CurrentIdentity(c *gin.Context) *models.Identity {
 }
 
 func GetIdentity(c *gin.Context, id uid.ID) (*models.Identity, error) {
-	db, err := hasAuthorization(c, id, isIdentitySelf, models.InfraAdminRole, models.InfraConnectorRole)
+	db, err := hasAuthorization(c, id, isIdentitySelf, models.InfraAdminRole, models.InfraViewRole, models.InfraConnectorRole)
 	if err != nil {
 		return nil, err
 	}
@@ -78,7 +78,7 @@ func DeleteIdentity(c *gin.Context, id uid.ID) error {
 }
 
 func ListIdentities(c *gin.Context, email string, providerID uid.ID) ([]models.Identity, error) {
-	db, err := RequireInfraRole(c, models.InfraAdminRole, models.InfraConnectorRole)
+	db, err := RequireInfraRole(c, models.InfraAdminRole, models.InfraViewRole, models.InfraConnectorRole)
 	if err != nil {
 		return nil, err
 	}

internal/server/models/grant.go

@@ -7,6 +7,7 @@ import (
 
 const (
 	InfraAdminRole     = "admin"
+	InfraViewRole      = "view"
 	InfraUserRole      = "user"
 	InfraConnectorRole = "connector"
 )