Merge pull request #3075 from uselagoon/add_proj_env_var_perm

update RBAC for project add env var to maintainer
uselagoon · May 13, 2022 · 4d1900a · 4d1900a
2 parents 365ceb4 + 8676762
commit 4d1900a
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/docs/administering-lagoon/rbac.md b/docs/administering-lagoon/rbac.md
@@ -54,7 +54,7 @@ Here is a table that lists the roles and the access they have:
 | deleteAllBackups | backup | deleteAll |  | Yes | No | No | No | No | No | No |  |
 | getBackupsByEnvironmentId | backup | view | projectID | Yes | Yes | Yes | Yes | Yes | No | No |  |
 |  | deployment | view | projectID | Yes | Yes | Yes | Yes | Yes | Yes | Yes |  |
-| addEnvVariable \(to Project\) | env\_var | project:add | projectID | Yes | Yes | Yes | No | No | No | No |  |
+| addEnvVariable \(to Project\) | env\_var | project:add | projectID | Yes | Yes | Yes | Yes | No | No | No |  |
 | addEnvVariable \(to Environment\) | env\_var | environment:add:development | projectID | Yes | Yes | Yes | Yes | Yes | No | No |  |
 | addEnvVariable \(to Environment\) | env\_var | environment:add:production | projectID | Yes | Yes | Yes | Yes | No | No | No |  |
 | deleteEnvVariable | env\_var | delete | projectID | Yes | Yes | Yes | Yes | No | No | No |  |

diff --git a/services/keycloak/start.sh b/services/keycloak/start.sh
@@ -729,7 +729,7 @@ EOF
   "decisionStrategy": "UNANIMOUS",
   "resources": ["env_var"],
   "scopes": ["project:add"],
-  "policies": ["Users role for project is Owner","User has access to project"]
+  "policies": ["Users role for project is Maintainer","User has access to project"]
 }
 EOF
 
@@ -1753,6 +1753,24 @@ function regen_client_secrets {
   /opt/jboss/keycloak/bin/kcadm.sh create clients/$SERVICE_API_CLIENT_ID/client-secret --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master}
 }
 
+function update_add_env_var_to_project {
+  CLIENT_ID=$(/opt/jboss/keycloak/bin/kcadm.sh get -r lagoon clients?clientId=api --config $CONFIG_PATH | python -c 'import sys, json; print json.load(sys.stdin)[0]["id"]')
+  echo Reconfiguring Add Environment Variable to Project
+  ADD_PROJECT_ENV_VAR_PERMISSION_ID=$(/opt/jboss/keycloak/bin/kcadm.sh get -r lagoon clients/$CLIENT_ID/authz/resource-server/permission?name=Add+Environment+Variable+to+Project --config $CONFIG_PATH | python -c 'import sys, json; print json.load(sys.stdin)[0]["id"]')
+  /opt/jboss/keycloak/bin/kcadm.sh delete -r lagoon clients/$CLIENT_ID/authz/resource-server/permission/$ADD_PROJECT_ENV_VAR_PERMISSION_ID --config $CONFIG_PATH
+  /opt/jboss/keycloak/bin/kcadm.sh create clients/$CLIENT_ID/authz/resource-server/permission/scope --config $CONFIG_PATH -r lagoon -f - <<EOF
+{
+  "name": "Add Environment Variable to Project",
+  "type": "scope",
+  "logic": "POSITIVE",
+  "decisionStrategy": "UNANIMOUS",
+  "resources": ["env_var"],
+  "scopes": ["project:add"],
+  "policies": ["Users role for project is Maintainer","User has access to project"]
+}
+EOF
+}
+
 function configure_keycloak {
     until is_keycloak_running; do
         echo Keycloak still not running, waiting 5 seconds
@@ -1782,6 +1800,7 @@ function configure_keycloak {
     configure_service_api_client
     configure_token_exchange
     regen_client_secrets
+    update_add_env_var_to_project
 
     echo "Config of Keycloak done. Log in via admin user '$KEYCLOAK_ADMIN_USER' and password '$KEYCLOAK_ADMIN_PASSWORD'"