Add RBAC checks to the env var editor

openshift · May 17, 2019 · 286c449 · 286c449
1 parent c21d600
commit 286c449
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 7 deletions.
diff --git a/frontend/__tests__/components/environment.spec.tsx b/frontend/__tests__/components/environment.spec.tsx
@@ -3,6 +3,7 @@ import { shallow } from 'enzyme';
 import { FieldLevelHelp } from 'patternfly-react';
 
 import { EnvironmentPage } from '../../public/components/environment';
+import { DeploymentModel } from '../../public/models';
 import * as k8s from '../../public/module/k8s';
 
 describe(EnvironmentPage.name, () => {
@@ -16,11 +17,35 @@ describe(EnvironmentPage.name, () => {
     beforeEach(() => {
       environmentPageRO=<EnvironmentPage.WrappedComponent
         obj={objects}
+        model={DeploymentModel}
         rawEnvData={[ { 'env': [ { 'name': 'test', 'value': ':0', 'ID': 0 } ] } ]}
         envPath={[]}
         readOnly={true}
       />;
       wrapperRO = shallow(environmentPageRO);
+      wrapperRO.setState({allowed: true});
+    });
+
+    it('does not show field level help', () => {
+      expect(wrapperRO.find(FieldLevelHelp).exists()).toEqual(false);
+    });
+
+    it('does not render save and reload buttons', () => {
+      expect(wrapperRO.find('.environment-buttons button').exists()).toEqual(false);
+    });
+  });
+
+  describe('When user does not have permission', () => {
+    beforeEach(() => {
+      environmentPageRO=<EnvironmentPage.WrappedComponent
+        obj={objects}
+        model={DeploymentModel}
+        rawEnvData={[ { 'env': [ { 'name': 'test', 'value': ':0', 'ID': 0 } ] } ]}
+        envPath={[]}
+        readOnly={false}
+      />;
+      wrapperRO = shallow(environmentPageRO);
+      wrapperRO.setState({allowed: false});
     });
 
     it('does not show field level help', () => {
@@ -37,12 +62,13 @@ describe(EnvironmentPage.name, () => {
       spyOn(k8s, 'k8sGet').and.callFake(() => Promise.resolve());
       environmentPage=<EnvironmentPage.WrappedComponent
         obj={objects}
+        model={DeploymentModel}
         rawEnvData={[ { 'env': [ { 'name': 'test', 'value': ':0', 'ID': 0 } ] } ]}
         envPath={[]}
         readOnly={false}
       />;
       wrapper = shallow(environmentPage);
-      wrapper.setState({secrets, configMaps});
+      wrapper.setState({secrets, configMaps, allowed: true});
     });
 
     it('shows field level help component', () => {
@@ -58,12 +84,13 @@ describe(EnvironmentPage.name, () => {
     beforeEach(() => {
       environmentPage=<EnvironmentPage.WrappedComponent
         obj={objects}
+        model={DeploymentModel}
         rawEnvData={[ { 'env': [ { 'name': 'test', 'value': ':0', 'ID': 0 } ] } ]}
         envPath={[]}
         readOnly={true}
       />;
       wrapper = shallow(environmentPage);
-      wrapper.setState({secrets, configMaps});
+      wrapper.setState({secrets, configMaps, allowed: true});
     });
 
     it('renders error message when error in state', () => {
@@ -86,6 +113,7 @@ describe(EnvironmentPage.name, () => {
     beforeEach(() => {
       environmentPage=<EnvironmentPage.WrappedComponent
         obj={objects}
+        model={DeploymentModel}
         rawEnvData={[ { 'env': [ { 'name': 'test', 'value': ':0', 'ID': 0 } ] } ]}
         envPath={[]}
         readOnly={true}

diff --git a/frontend/public/components/environment.jsx b/frontend/public/components/environment.jsx
@@ -6,7 +6,18 @@ import { FieldLevelHelp, Alert } from 'patternfly-react';
 import * as classNames from 'classnames';
 
 import { k8sPatch, k8sGet, referenceFor, referenceForOwnerRef } from '../module/k8s';
-import { PromiseComponent, NameValueEditorPair, EnvType, EnvFromPair, LoadingInline, LoadingBox, AsyncComponent, ContainerDropdown, ResourceLink } from './utils';
+import {
+  AsyncComponent,
+  checkAccess,
+  ContainerDropdown,
+  EnvFromPair,
+  EnvType,
+  LoadingBox,
+  LoadingInline,
+  NameValueEditorPair,
+  PromiseComponent,
+  ResourceLink,
+} from './utils';
 import { ConfigMapModel, SecretModel } from '../models';
 
 /**
@@ -84,8 +95,9 @@ const getContainersObjectForDropdown = (containerArray) => {
 };
 
 /** @type {(state: any, props: {obj?: object, rawEnvData?: any, readOnly: boolean, envPath: any, onChange?: (env: any) => void, addConfigMapSecret?: boolean, useLoadingInline?: boolean}) => {model: K8sKind}} */
-const stateToProps = ({k8s}, {obj}) => ({
+const stateToProps = ({k8s, UI}, {obj}) => ({
   model: k8s.getIn(['RESOURCES', 'models', referenceFor(obj)]) || k8s.getIn(['RESOURCES', 'models', obj.kind]),
+  impersonate: UI.get('impersonate'),
 });
 
 class CurrentEnvVars {
@@ -257,6 +269,7 @@ export const EnvironmentPage = connect(stateToProps)(
     }
 
     componentDidMount() {
+      this._checkEditAccess();
       const {addConfigMapSecret, readOnly} = this.props;
       if (!addConfigMapSecret || readOnly) {
         const configMaps = {}, secrets = {};
@@ -285,7 +298,33 @@ export const EnvironmentPage = connect(stateToProps)(
           };
         }),
       ])
-        .then(_.spread((configMaps, secrets) => this.setState({configMaps, secrets})));
+        .then((([configMaps, secrets]) => this.setState({configMaps, secrets})));
+    }
+
+    componentDidUpdate(prevProps) {
+      const { obj, model, impersonate, readOnly } = this.props;
+      if (prevProps.obj !== obj ||
+          prevProps.model !== model ||
+          prevProps.impersonate !== impersonate ||
+          prevProps.readOnly !== readOnly) {
+        this._checkEditAccess();
+      }
+    }
+
+    _checkEditAccess() {
+      const { obj, model, impersonate, readOnly } = this.props;
+      if (!obj || !model || readOnly) {
+        this.setState({ allowed: false });
+      }
+      const { name, namespace } = obj.metadata;
+      const resourceAttributes = {
+        group: model.apiGroup,
+        resource: model.path,
+        verb: 'patch',
+        name,
+        namespace,
+      };
+      checkAccess(resourceAttributes, impersonate).then(resp => this.setState({ allowed: resp.status.allowed }));
     }
 
     /**
@@ -401,8 +440,9 @@ export const EnvironmentPage = connect(stateToProps)(
     }
 
     render() {
-      const {errorMessage, success, inProgress, currentEnvVars, stale, configMaps, secrets, containerIndex, containerType} = this.state;
-      const {rawEnvData, readOnly, obj, addConfigMapSecret, useLoadingInline} = this.props;
+      const {errorMessage, success, inProgress, currentEnvVars, stale, configMaps, secrets, containerIndex, containerType, allowed} = this.state;
+      const {rawEnvData, obj, addConfigMapSecret, useLoadingInline} = this.props;
+      const readOnly = this.props.readOnly || !allowed;
 
       if (!configMaps || !currentEnvVars || !secrets) {
         if (useLoadingInline) {