fix: list COSI APIs for the apid authenticator

As APIs were not listed explicitly, access with `os:reader` was denied
by default, while it should have been checked down in the access filter.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
(cherry picked from commit 9df8f1f)

cmd/talosctl/cmd/talos/get.go

@@ -7,13 +7,13 @@ package talos
 import (
 	"context"
 	"fmt"
-	"os"
 	"strings"
 
 	"github.com/cosi-project/runtime/pkg/resource"
 	"github.com/cosi-project/runtime/pkg/resource/meta"
 	"github.com/cosi-project/runtime/pkg/safe"
 	"github.com/cosi-project/runtime/pkg/state"
+	"github.com/hashicorp/go-multierror"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/metadata"
 
@@ -154,11 +154,13 @@ func getResources(args []string) func(ctx context.Context, c *client.Client) err
 			}
 		}
 
+		var multiErr *multierror.Error
+
 		// get <type>
 		// get <type> <id>
 		callbackResource := func(parentCtx context.Context, hostname string, r resource.Resource, callError error) error {
 			if callError != nil {
-				fmt.Fprintf(os.Stderr, "%s: %s\n", hostname, callError)
+				multiErr = multierror.Append(multiErr, callError)
 
 				return nil
 			}
@@ -174,7 +176,12 @@ func getResources(args []string) func(ctx context.Context, c *client.Client) err
 			return out.WriteHeader(definition, false)
 		}
 
-		return helpers.ForEachResource(ctx, c, callbackRD, callbackResource, getCmdFlags.namespace, args...)
+		helperErr := helpers.ForEachResource(ctx, c, callbackRD, callbackResource, getCmdFlags.namespace, args...)
+		if helperErr != nil {
+			return helperErr
+		}
+
+		return multiErr.ErrorOrNil()
 	}
 }
 

internal/app/machined/pkg/system/services/machined.go

@@ -75,6 +75,12 @@ var rules = map[string]role.Set{
 	"/resource.ResourceService/Get":   role.MakeSet(role.Admin, role.Reader),
 	"/resource.ResourceService/List":  role.MakeSet(role.Admin, role.Reader),
 	"/resource.ResourceService/Watch": role.MakeSet(role.Admin, role.Reader),
+	"/cosi.resource.State/Create":     role.MakeSet(role.Admin),
+	"/cosi.resource.State/Destroy":    role.MakeSet(role.Admin),
+	"/cosi.resource.State/Get":        role.MakeSet(role.Admin, role.Reader),
+	"/cosi.resource.State/List":       role.MakeSet(role.Admin, role.Reader),
+	"/cosi.resource.State/Update":     role.MakeSet(role.Admin),
+	"/cosi.resource.State/Watch":      role.MakeSet(role.Admin, role.Reader),
 
 	"/storage.StorageService/Disks": role.MakeSet(role.Admin, role.Reader),
 

internal/app/machined/pkg/system/services/machined_test.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"testing"
 
+	cosi "github.com/cosi-project/runtime/api/v1alpha1"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
@@ -24,6 +25,7 @@ func collectMethods(t *testing.T) map[string]struct{} {
 	methods := make(map[string]struct{})
 
 	for _, service := range []grpc.ServiceDesc{
+		cosi.State_ServiceDesc,
 		cluster.ClusterService_ServiceDesc,
 		inspect.InspectService_ServiceDesc,
 		machine.MachineService_ServiceDesc,

internal/integration/cli/config.go

@@ -128,7 +128,7 @@ func (suite *TalosconfigSuite) TestNew() {
 			adminOpts: []base.RunOption{base.StdoutShouldMatch(regexp.MustCompile(`MachineConfig`))},
 			readerOpts: []base.RunOption{
 				base.ShouldFail(),
-				base.StdoutEmpty(),
+				base.StdoutShouldMatch(regexp.MustCompile(`\QNODE   NAMESPACE   TYPE   ID   VERSION`)),
 				base.StderrShouldMatch(regexp.MustCompile(`\Qrpc error: code = PermissionDenied desc = not authorized`)),
 			},
 		},
@@ -137,7 +137,7 @@ func (suite *TalosconfigSuite) TestNew() {
 			adminOpts: []base.RunOption{base.StdoutShouldMatch(regexp.MustCompile(`OSRootSecret`))},
 			readerOpts: []base.RunOption{
 				base.ShouldFail(),
-				base.StdoutEmpty(),
+				base.StdoutShouldMatch(regexp.MustCompile(`\QNODE   NAMESPACE   TYPE   ID   VERSION`)),
 				base.StderrShouldMatch(regexp.MustCompile(`\Qrpc error: code = PermissionDenied desc = not authorized`)),
 			},
 		},