KIALI-2148 Allow restricted access users to retrieve MeshPolicies

business/istio_config.go

@@ -484,7 +484,7 @@ func getPermissions(k8s kubernetes.IstioClientInterface, namespace, objectType,
 }
 
 func (in *IstioConfigService) MeshWidemTLSStatus(namespaces []string) (string, error) {
-	mpp, mpErr := in.hasMeshPolicyEnabled()
+	mpp, mpErr := in.hasMeshPolicyEnabled(namespaces)
 	if mpErr != nil {
 		return "", mpErr
 	}
@@ -503,8 +503,14 @@ func (in *IstioConfigService) MeshWidemTLSStatus(namespaces []string) (string, e
 	return MeshmTLSNotEnabled, nil
 }
 
-func (in *IstioConfigService) hasMeshPolicyEnabled() (bool, error) {
-	mps, err := in.k8s.GetMeshPolicies()
+func (in *IstioConfigService) hasMeshPolicyEnabled(namespaces []string) (bool, error) {
+	if len(namespaces) < 1 {
+		return false, fmt.Errorf("Can't find MeshPolicies without a namespace")
+	}
+
+	// MeshPolicies are not namespaced. So any namespace user has access to
+	// will work to retrieve all the MeshPolicies.
+	mps, err := in.k8s.GetMeshPolicies(namespaces[0])
 	if err != nil {
 		return false, err
 	}

business/istio_config_test.go

@@ -809,10 +809,10 @@ func TestCorrectMeshPolicy(t *testing.T) {
 	assert := assert.New(t)
 
 	k8s := new(kubetest.K8SClientMock)
-	k8s.On("GetMeshPolicies").Return(fakeMeshPolicyEnablingMTLS("default"), nil)
+	k8s.On("GetMeshPolicies", "test").Return(fakeMeshPolicyEnablingMTLS("default"), nil)
 
 	istioConfigService := IstioConfigService{k8s: k8s}
-	meshPolicyEnabled, err := (istioConfigService).hasMeshPolicyEnabled()
+	meshPolicyEnabled, err := (istioConfigService).hasMeshPolicyEnabled([]string{"test"})
 
 	assert.NoError(err)
 	assert.Equal(true, meshPolicyEnabled)
@@ -822,10 +822,10 @@ func TestPolicyWithWrongName(t *testing.T) {
 	assert := assert.New(t)
 
 	k8s := new(kubetest.K8SClientMock)
-	k8s.On("GetMeshPolicies").Return(fakeMeshPolicyEnablingMTLS("wrong-name"), nil)
+	k8s.On("GetMeshPolicies", "test").Return(fakeMeshPolicyEnablingMTLS("wrong-name"), nil)
 
 	istioConfigService := IstioConfigService{k8s: k8s}
-	isGloballyEnabled, err := (istioConfigService).hasMeshPolicyEnabled()
+	isGloballyEnabled, err := (istioConfigService).hasMeshPolicyEnabled([]string{"test"})
 
 	assert.NoError(err)
 	assert.Equal(false, isGloballyEnabled)
@@ -847,10 +847,10 @@ func TestWithoutMeshPolicy(t *testing.T) {
 	assert := assert.New(t)
 
 	k8s := new(kubetest.K8SClientMock)
-	k8s.On("GetMeshPolicies").Return([]kubernetes.IstioObject{}, nil)
+	k8s.On("GetMeshPolicies", "test").Return([]kubernetes.IstioObject{}, nil)
 
 	istioConfigService := IstioConfigService{k8s: k8s}
-	meshPolicyEnabled, err := (istioConfigService).hasMeshPolicyEnabled()
+	meshPolicyEnabled, err := (istioConfigService).hasMeshPolicyEnabled([]string{"test"})
 
 	assert.NoError(err)
 	assert.Equal(false, meshPolicyEnabled)
@@ -860,10 +860,10 @@ func TestMeshPolicyWithTargets(t *testing.T) {
 	assert := assert.New(t)
 
 	k8s := new(kubetest.K8SClientMock)
-	k8s.On("GetMeshPolicies").Return(fakeMeshPolicyEnablingMTLSSpecificTarget(), nil)
+	k8s.On("GetMeshPolicies", "test").Return(fakeMeshPolicyEnablingMTLSSpecificTarget(), nil)
 
 	istioConfigService := IstioConfigService{k8s: k8s}
-	meshPolicyEnabled, err := (istioConfigService).hasMeshPolicyEnabled()
+	meshPolicyEnabled, err := (istioConfigService).hasMeshPolicyEnabled([]string{"test"})
 
 	assert.NoError(err)
 	assert.Equal(false, meshPolicyEnabled)
@@ -895,10 +895,10 @@ func TestDestinationRuleEnabled(t *testing.T) {
 		data.CreateEmptyDestinationRule("istio-system", "default", "*.local"))
 
 	k8s := new(kubetest.K8SClientMock)
-	k8s.On("GetAllDestinationRules").Return([]kubernetes.IstioObject{dr}, nil)
+	k8s.On("GetAllDestinationRules", []string{"test"}).Return([]kubernetes.IstioObject{dr}, nil)
 
 	istioConfigService := IstioConfigService{k8s: k8s}
-	drEnabled, err := (istioConfigService).hasDestinationRuleEnabled()
+	drEnabled, err := (istioConfigService).hasDestinationRuleEnabled([]string{"test"})
 
 	assert.NoError(err)
 	assert.Equal(true, drEnabled)
@@ -911,10 +911,10 @@ func TestDRWildcardLocalHost(t *testing.T) {
 		data.CreateEmptyDestinationRule("myproject", "default", "sleep.foo.svc.cluster.local"))
 
 	k8s := new(kubetest.K8SClientMock)
-	k8s.On("GetAllDestinationRules").Return([]kubernetes.IstioObject{dr}, nil)
+	k8s.On("GetAllDestinationRules", []string{"test"}).Return([]kubernetes.IstioObject{dr}, nil)
 
 	istioConfigService := IstioConfigService{k8s: k8s}
-	drEnabled, err := (istioConfigService).hasDestinationRuleEnabled()
+	drEnabled, err := (istioConfigService).hasDestinationRuleEnabled([]string{"test"})
 
 	assert.NoError(err)
 	assert.Equal(false, drEnabled)
@@ -933,10 +933,10 @@ func TestDRNotMutualTLSMode(t *testing.T) {
 		data.CreateEmptyDestinationRule("istio-system", "default", "*.local"))
 
 	k8s := new(kubetest.K8SClientMock)
-	k8s.On("GetAllDestinationRules").Return([]kubernetes.IstioObject{dr}, nil)
+	k8s.On("GetAllDestinationRules", []string{"test"}).Return([]kubernetes.IstioObject{dr}, nil)
 
 	istioConfigService := IstioConfigService{k8s: k8s}
-	drEnabled, err := (istioConfigService).hasDestinationRuleEnabled()
+	drEnabled, err := (istioConfigService).hasDestinationRuleEnabled([]string{"test"})
 
 	assert.NoError(err)
 	assert.Equal(false, drEnabled)
@@ -949,11 +949,11 @@ func TestMeshStatusEnabled(t *testing.T) {
 		data.CreateEmptyDestinationRule("istio-system", "default", "*.local"))
 
 	k8s := new(kubetest.K8SClientMock)
-	k8s.On("GetAllDestinationRules").Return([]kubernetes.IstioObject{dr}, nil)
-	k8s.On("GetMeshPolicies").Return(fakeMeshPolicyEnablingMTLS("default"), nil)
+	k8s.On("GetAllDestinationRules", []string{"test"}).Return([]kubernetes.IstioObject{dr}, nil)
+	k8s.On("GetMeshPolicies", "test").Return(fakeMeshPolicyEnablingMTLS("default"), nil)
 
 	istioConfigService := IstioConfigService{k8s: k8s}
-	status, err := (istioConfigService).MeshWidemTLSStatus()
+	status, err := (istioConfigService).MeshWidemTLSStatus([]string{"test"})
 
 	assert.NoError(err)
 	assert.Equal(MeshmTLSEnabled, status)
@@ -966,11 +966,11 @@ func TestMeshStatusPartiallyEnabled(t *testing.T) {
 		data.CreateEmptyDestinationRule("istio-system", "default", "sleep.foo.svc.cluster.local"))
 
 	k8s := new(kubetest.K8SClientMock)
-	k8s.On("GetAllDestinationRules").Return([]kubernetes.IstioObject{dr}, nil)
-	k8s.On("GetMeshPolicies").Return(fakeMeshPolicyEnablingMTLS("default"), nil)
+	k8s.On("GetAllDestinationRules", []string{"test"}).Return([]kubernetes.IstioObject{dr}, nil)
+	k8s.On("GetMeshPolicies", "test").Return(fakeMeshPolicyEnablingMTLS("default"), nil)
 
 	istioConfigService := IstioConfigService{k8s: k8s}
-	status, err := (istioConfigService).MeshWidemTLSStatus()
+	status, err := (istioConfigService).MeshWidemTLSStatus([]string{"test"})
 
 	assert.NoError(err)
 	assert.Equal(MeshmTLSPartiallyEnabled, status)
@@ -983,11 +983,11 @@ func TestMeshStatusNotEnabled(t *testing.T) {
 		data.CreateEmptyDestinationRule("istio-system", "default", "sleep.foo.svc.cluster.local"))
 
 	k8s := new(kubetest.K8SClientMock)
-	k8s.On("GetAllDestinationRules").Return([]kubernetes.IstioObject{dr}, nil)
-	k8s.On("GetMeshPolicies").Return(fakeMeshPolicyEnablingMTLS("wrong-name"), nil)
+	k8s.On("GetAllDestinationRules", []string{"test"}).Return([]kubernetes.IstioObject{dr}, nil)
+	k8s.On("GetMeshPolicies", "test").Return(fakeMeshPolicyEnablingMTLS("wrong-name"), nil)
 
 	istioConfigService := IstioConfigService{k8s: k8s}
-	status, err := (istioConfigService).MeshWidemTLSStatus()
+	status, err := (istioConfigService).MeshWidemTLSStatus([]string{"test"})
 
 	assert.NoError(err)
 	assert.Equal(MeshmTLSNotEnabled, status)

kubernetes/client.go

@@ -53,7 +53,7 @@ type IstioClientInterface interface {
 	GetIstioRule(namespace string, istiorule string) (IstioObject, error)
 	GetIstioRules(namespace string) ([]IstioObject, error)
 	GetJobs(namespace string) ([]batch_v1.Job, error)
-	GetMeshPolicies() ([]IstioObject, error)
+	GetMeshPolicies(namespace string) ([]IstioObject, error)
 	GetNamespace(namespace string) (*v1.Namespace, error)
 	GetNamespaces() ([]v1.Namespace, error)
 	GetPods(namespace, labelSelector string) ([]v1.Pod, error)

kubernetes/istio_details_service.go

@@ -370,8 +370,10 @@ func (in *IstioClient) GetPolicy(namespace string, policyName string) (IstioObje
 	return policy.DeepCopyIstioObject(), nil
 }
 
-func (in *IstioClient) GetMeshPolicies() ([]IstioObject, error) {
-	result, err := in.istioAuthenticationApi.Get().Resource(meshPolicies).Do().Get()
+func (in *IstioClient) GetMeshPolicies(namespace string) ([]IstioObject, error) {
+	// MeshPolicies are not namespaced. However, API returns all the instances even asking for one specific namespace.
+	// Due to soft-multitenancy, the call performed is namespaced to avoid triggering an error for cluster-wide access.
+	result, err := in.istioAuthenticationApi.Get().Namespace(namespace).Resource(meshPolicies).Do().Get()
 	if err != nil {
 		return nil, err
 	}

kubernetes/kubetest/mock.go

@@ -85,8 +85,8 @@ func (o *K8SClientMock) GetDestinationRule(namespace string, destinationrule str
 	return args.Get(0).(kubernetes.IstioObject), args.Error(1)
 }
 
-func (o *K8SClientMock) GetAllDestinationRules() ([]kubernetes.IstioObject, error) {
-	args := o.Called()
+func (o *K8SClientMock) GetAllDestinationRules(namespaces []string) ([]kubernetes.IstioObject, error) {
+	args := o.Called(namespaces)
 	return args.Get(0).([]kubernetes.IstioObject), args.Error(1)
 }
 
@@ -245,8 +245,8 @@ func (o *K8SClientMock) GetPolicy(namespace string, policyName string) (kubernet
 	return args.Get(0).(kubernetes.IstioObject), args.Error(1)
 }
 
-func (o *K8SClientMock) GetMeshPolicies() ([]kubernetes.IstioObject, error) {
-	args := o.Called()
+func (o *K8SClientMock) GetMeshPolicies(namespace string) ([]kubernetes.IstioObject, error) {
+	args := o.Called(namespace)
 	return args.Get(0).([]kubernetes.IstioObject), args.Error(1)
 }