fix: enumerate all permissions for system-admin and admin roles#275
Merged
system-admin previously held only virtual_server:create, leaving service users bound to it unable to perform any in-VS operation. Enumerate the full permission set for system-admin (everything in the catalog except the system_user wildcard sentinel), and for admin (system-admin minus virtual_server:create). admin gains role:delete, which had no role binding in the catalog. Tests encode the design rules so the two lists can't drift apart.

Signed-off-by: karo <karolin.kostial@gmail.com>
Summary
`system-admin` previously had only `virtual_server:create`, so service users bound to it (e.g. `portal-provisioner`, used by keyline-saas-admin-api to provision portal users on access-request approval) got 401 on every other call.

- Enumerate the full permission catalog (minus the `system_user` wildcard sentinel) for `system-admin`, and the same minus `virtual_server:create` for `admin`.
- `role:delete` permission, which existed in the catalog but no role granted it.
- `system-admin = admin ∪ {virtual_server:create}`, `system_user` sentinel must not leak into operator roles, no duplicate perms per role, every `Role` constant is registered in `AllRoles`.

Test plan

`go test ./internal/authentication/roles/...` — 4 new tests pass
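The design rules listed in the summary, written out as an added Go example that is not the project's own code: the role lists are derived from the catalog rather than hand-written, and a `Verify` function checks the invariants the PR's tests encode. It also goes one step further than the four listed rules by flagging any catalog permission that no role grants, which is the `role:delete` situation the PR describes. The permission strings other than `virtual_server:create`, `role:delete` and `system_user`, the `Catalog`, `Enumerate`, `RolePermissions` and `Verify` names, and the sample roles are all constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Role is a named operator role. The two constants mirror the roles in the PR.
type Role string

const (
	RoleSystemAdmin Role = "system-admin"
	RoleAdmin       Role = "admin"
)

// AllRoles is the registry every Role constant must appear in.
var AllRoles = []Role{RoleSystemAdmin, RoleAdmin}

// SystemUserSentinel is the wildcard reserved for the internal system user;
// it must never appear in an operator role's permission list.
const SystemUserSentinel = "system_user"

// Catalog is a constructed sample of the full permission catalog (assumption).
var Catalog = []string{
	"virtual_server:create",
	"virtual_server:read",
	"virtual_server:update",
	"virtual_server:delete",
	"role:create",
	"role:read",
	"role:delete",
	SystemUserSentinel,
}

// Enumerate derives both role lists from the catalog so they cannot drift:
// system-admin = catalog minus the sentinel, admin = system-admin minus virtual_server:create.
func Enumerate(catalog []string) map[Role][]string {
	var sysAdmin, admin []string
	for _, p := range catalog {
		if p == SystemUserSentinel {
			continue // never leak the wildcard into an operator role
		}
		sysAdmin = append(sysAdmin, p)
		if p != "virtual_server:create" {
			admin = append(admin, p)
		}
	}
	return map[Role][]string{RoleSystemAdmin: sysAdmin, RoleAdmin: admin}
}

// RolePermissions is what an authorization check would consult.
var RolePermissions = Enumerate(Catalog)

// Verify checks the design rules and returns every violation found (empty when sound).
func Verify(perms map[Role][]string, catalog []string) []string {
	var problems []string
	// Rule 1: system-admin = admin ∪ {virtual_server:create}.
	want := append(append([]string{}, perms[RoleAdmin]...), "virtual_server:create")
	if !sameSet(want, perms[RoleSystemAdmin]) {
		problems = append(problems, "system-admin != admin ∪ {virtual_server:create}")
	}
	granted := map[string]bool{}
	for _, role := range AllRoles {
		list, ok := perms[role]
		if !ok {
			problems = append(problems, fmt.Sprintf("%s is in AllRoles but has no permission list", role))
			continue
		}
		seen := map[string]bool{}
		for _, p := range list {
			if p == SystemUserSentinel { // Rule 2: sentinel must not leak
				problems = append(problems, fmt.Sprintf("%s grants the %s sentinel", role, p))
			}
			if seen[p] { // Rule 3: no duplicate permissions per role
				problems = append(problems, fmt.Sprintf("%s lists %s twice", role, p))
			}
			seen[p], granted[p] = true, true
		}
	}
	for role := range perms { // Rule 4: every role with a list is registered
		if !registered(role) {
			problems = append(problems, fmt.Sprintf("%s has permissions but is not in AllRoles", role))
		}
	}
	for _, p := range catalog { // Extra: no orphaned catalog permission (the role:delete case)
		if p != SystemUserSentinel && !granted[p] {
			problems = append(problems, fmt.Sprintf("%s has no role binding", p))
		}
	}
	return problems
}

func registered(r Role) bool {
	for _, known := range AllRoles {
		if known == r {
			return true
		}
	}
	return false
}

// sameSet compares two permission lists regardless of order.
func sameSet(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	ac, bc := append([]string{}, a...), append([]string{}, b...)
	sort.Strings(ac)
	sort.Strings(bc)
	for i := range ac {
		if ac[i] != bc[i] {
			return false
		}
	}
	return true
}

func main() {
	fmt.Println("derived lists:", Verify(RolePermissions, Catalog))
	// The pre-fix state from the PR: system-admin holding only virtual_server:create.
	broken := map[Role][]string{RoleSystemAdmin: {"virtual_server:create"}, RoleAdmin: {}}
	fmt.Println("pre-fix state:", Verify(broken, Catalog))
}
```

Deriving the lists in `Enumerate` is what keeps rule 1 true by construction; `Verify` still re-checks it so that a later hand edit to either list is caught by the same test that catches a leaked sentinel or an orphaned permission.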