fix(access): make validate list aware of the mesh - WIP (#5280)

fix(access): make validate list aware of the mesh

Signed-off-by: slonka <slonka@users.noreply.github.com>

pkg/api-server/dataplane_overview_endpoints.go

@@ -93,6 +93,7 @@ func (r *dataplaneOverviewEndpoints) inspectDataplanes(request *restful.Request,
 	meshName := request.PathParameter("mesh")
 
 	if err := r.resourceAccess.ValidateList(
+		meshName,
 		mesh.NewDataplaneOverviewResource().Descriptor(),
 		user.FromCtx(request.Request.Context()),
 	); err != nil {

pkg/api-server/resource_endpoints.go

@@ -83,6 +83,7 @@ func (r *resourceEndpoints) listResources(request *restful.Request, response *re
 	meshName := r.meshFromRequest(request)
 
 	if err := r.resourceAccess.ValidateList(
+		meshName,
 		r.descriptor,
 		user.FromCtx(request.Request.Context()),
 	); err != nil {

pkg/api-server/zone_overview_endpoints.go

@@ -82,6 +82,7 @@ func (r *zoneOverviewEndpoints) fetchOverview(ctx context.Context, name string)
 
 func (r *zoneOverviewEndpoints) inspectZones(request *restful.Request, response *restful.Response) {
 	if err := r.resourceAccess.ValidateList(
+		"",
 		system.NewZoneResource().Descriptor(),
 		user.FromCtx(request.Request.Context()),
 	); err != nil {

pkg/api-server/zoneegressoverview_endpoints.go

@@ -91,6 +91,7 @@ func (r *zoneEgressOverviewEndpoints) inspectZoneEgresses(
 	response *restful.Response,
 ) {
 	if err := r.resourceAccess.ValidateList(
+		"",
 		mesh.NewZoneEgressOverviewResource().Descriptor(),
 		user.FromCtx(request.Request.Context()),
 	); err != nil {

pkg/api-server/zoneingress_overview_endpoints.go

@@ -82,6 +82,7 @@ func (r *zoneIngressOverviewEndpoints) fetchOverview(ctx context.Context, name s
 
 func (r *zoneIngressOverviewEndpoints) inspectZoneIngresses(request *restful.Request, response *restful.Response) {
 	if err := r.resourceAccess.ValidateList(
+		"",
 		mesh.NewZoneIngressOverviewResource().Descriptor(),
 		user.FromCtx(request.Request.Context()),
 	); err != nil {

pkg/core/resources/access/admin_resource_access.go

@@ -42,7 +42,7 @@ func (a *adminResourceAccess) ValidateDelete(_ model.ResourceKey, _ model.Resour
 	return a.validateAdminAccess(user, descriptor)
 }
 
-func (a *adminResourceAccess) ValidateList(descriptor model.ResourceTypeDescriptor, user user.User) error {
+func (a *adminResourceAccess) ValidateList(_ string, descriptor model.ResourceTypeDescriptor, user user.User) error {
 	return a.validateAdminAccess(user, descriptor)
 }
 

pkg/core/resources/access/admin_resource_access_test.go

@@ -125,6 +125,7 @@ var _ = Describe("Admin Resource Access", func() {
 	It("should allow admin to access List", func() {
 		// when
 		err := resourceAccess.ValidateList(
+			"",
 			system.NewSecretResource().Descriptor(),
 			user.Admin,
 		)
@@ -136,6 +137,7 @@ var _ = Describe("Admin Resource Access", func() {
 	It("should deny user to access List", func() {
 		// when
 		err := resourceAccess.ValidateList(
+			"",
 			system.NewSecretResource().Descriptor(),
 			user.User{Name: "john doe", Groups: []string{"users"}},
 		)

pkg/core/resources/access/resource_access.go

@@ -9,6 +9,6 @@ type ResourceAccess interface {
 	ValidateCreate(key model.ResourceKey, spec model.ResourceSpec, desc model.ResourceTypeDescriptor, user user.User) error
 	ValidateUpdate(key model.ResourceKey, currentSpec model.ResourceSpec, newSpec model.ResourceSpec, desc model.ResourceTypeDescriptor, user user.User) error
 	ValidateDelete(key model.ResourceKey, spec model.ResourceSpec, desc model.ResourceTypeDescriptor, user user.User) error
-	ValidateList(desc model.ResourceTypeDescriptor, user user.User) error
+	ValidateList(mesh string, desc model.ResourceTypeDescriptor, user user.User) error
 	ValidateGet(key model.ResourceKey, desc model.ResourceTypeDescriptor, user user.User) error
 }