Merge pull request #127 from StackVista/stac-24194

Stac-24194: Add cli commands to retrieve permissions and subjects by source

Author: craffit

cmd/rbac/flags.go

@@ -1,7 +1,13 @@
 package rbac
 
+import (
+	"fmt"
+	"strings"
+)
+
 const (
 	Subject    = "subject"
+	Source     = "source"
 	Permission = "permission"
 	Resource   = "resource"
 	Scope      = "scope"
@@ -21,3 +27,8 @@ const (
 
 	DefaultResource = "system"
 )
+
+var (
+	SourceChoices = []string{"static", "observability", "kubernetes"}
+	SourceUsage   = "Get the subject from a specific authorization source" + fmt.Sprintf(" (must be { %s })", strings.Join(SourceChoices, " | "))
+)

cmd/rbac/rbac_describe_permissions.go

@@ -1,19 +1,23 @@
 package rbac
 
 import (
+	"fmt"
 	"sort"
+	"strings"
 
 	"github.com/spf13/cobra"
 	"github.com/stackvista/stackstate-cli/generated/stackstate_api"
 	"github.com/stackvista/stackstate-cli/internal/common"
 	"github.com/stackvista/stackstate-cli/internal/di"
 	"github.com/stackvista/stackstate-cli/internal/printer"
+	"github.com/stackvista/stackstate-cli/pkg/pflags"
 )
 
 type DescribePermissionsArgs struct {
 	Subject    string
 	Permission string
 	Resource   string
+	Source     string
 }
 
 func DescribePermissionsCommand(deps *di.Deps) *cobra.Command {
@@ -35,6 +39,7 @@ sts rbac describe-permissions --subject my-team --permission access-view`,
 
 	cmd.Flags().StringVar(&args.Permission, Permission, "", PermissionDescribeUsage)
 	cmd.Flags().StringVar(&args.Resource, Resource, "", ResourceDescribeUsage)
+	pflags.EnumVar(cmd.Flags(), &args.Source, Source, "", SourceChoices, SourceUsage)
 
 	return cmd
 }
@@ -46,37 +51,64 @@ func RunDescribePermissionsCommand(args *DescribePermissionsArgs) di.CmdWithApiF
 		api *stackstate_api.APIClient,
 		serverInfo *stackstate_api.ServerInfo,
 	) common.CLIError {
-		description, resp, err := describePermissions(cli, api, args.Subject, args.Permission, args.Resource).Execute()
+		description, resp, err := describePermissions(cli, api, args.Subject, args.Permission, args.Resource, args.Source).Execute()
 
 		if err != nil {
 			return common.NewResponseError(err, resp)
 		}
 
+		sourceStrings := make([]string, 0)
+		if description.FromSources != nil {
+			for _, s := range description.FromSources {
+				sourceStrings = append(sourceStrings, string(s))
+			}
+		} else {
+			sourceStrings = nil
+		}
+
 		if cli.IsJson() {
-			cli.Printer.PrintJson(map[string]interface{}{
-				"subject":     description.SubjectHandle,
-				"permissions": description.Permissions,
-			})
+			if sourceStrings != nil {
+				cli.Printer.PrintJson(map[string]interface{}{
+					"subject":     description.SubjectHandle,
+					"permissions": description.Permissions,
+					"sources":     sourceStrings,
+				})
+			} else {
+				cli.Printer.PrintJson(map[string]interface{}{
+					"subject":     description.SubjectHandle,
+					"permissions": description.Permissions,
+				})
+			}
 		} else {
-			printPermissionsTable(cli, description.Permissions)
+			printPermissionsTable(cli, sourceStrings, description.Permissions)
 		}
 
 		return nil
 	}
 }
 
-func describePermissions(cli *di.Deps, api *stackstate_api.APIClient, subject string, permission string, resource string) stackstate_api.ApiDescribePermissionsRequest {
+func describePermissions(cli *di.Deps, api *stackstate_api.APIClient, subject string, permission string, resource string, source string) stackstate_api.ApiDescribePermissionsRequest {
 	request := api.PermissionsApi.DescribePermissions(cli.Context, subject)
 	if permission != "" {
 		request = request.Permission(permission)
 	}
 	if resource != "" {
 		request = request.Resource(resource)
 	}
+	if source != "" {
+		request = request.Source(stackstate_api.SubjectSource(capitalizeFirst(source)))
+	}
 	return request
 }
 
-func printPermissionsTable(cli *di.Deps, permissionsList map[string][]string) {
+func capitalizeFirst(s string) string {
+	if s == "" {
+		return s
+	}
+	return strings.ToUpper(s[:1]) + strings.ToLower(s[1:])
+}
+
+func printPermissionsTable(cli *di.Deps, sources []string, permissionsList map[string][]string) {
 	keys := make([]string, len(permissionsList))
 	for key := range permissionsList {
 		keys = append(keys, key)
@@ -97,6 +129,11 @@ func printPermissionsTable(cli *di.Deps, permissionsList map[string][]string) {
 		}
 	}
 
+	if sources != nil {
+		cli.Printer.PrintLn(fmt.Sprintf("Got subject from the following subject sources: %s", strings.Join(sources, ", ")))
+		cli.Printer.PrintLn("")
+	}
+
 	cli.Printer.Table(printer.TableData{
 		Header:              []string{"permission", "resource"},
 		Data:                data,

cmd/rbac/rbac_describe_permissions_test.go

@@ -44,6 +44,11 @@ var (
 		"subject":     SubjectHandle,
 		"permissions": AllPermissions,
 	}
+	ExpectedSourcesJson = map[string]interface{}{
+		"subject":     SubjectHandle,
+		"permissions": AllPermissions,
+		"sources":     []string{"Static"},
+	}
 )
 
 func TestPermissionsDescribeJson(t *testing.T) {
@@ -112,6 +117,22 @@ func TestPermissionsDescribeFilterPermission(t *testing.T) {
 	assert.Nil(t, calls[0].Presource)
 }
 
+func TestPermissionsDescribeFilterSource(t *testing.T) {
+	cli := di.NewMockDeps(t)
+	cmd := DescribePermissionsCommand(&cli.Deps)
+
+	cli.MockClient.ApiMocks.PermissionsApi.DescribePermissionsResponse.Result = *Description
+
+	di.ExecuteCommandWithContextUnsafe(&cli.Deps, cmd, "--subject", SubjectHandle, "--source", "static")
+
+	s := stackstate_api.SUBJECTSOURCE_STATIC
+	calls := *cli.MockClient.ApiMocks.PermissionsApi.DescribePermissionsCalls
+	assert.Len(t, calls, 1)
+	assert.Equal(t, SubjectHandle, calls[0].Psubject)
+	assert.Equal(t, &s, calls[0].Psource)
+	assert.Nil(t, calls[0].Presource)
+}
+
 func TestPermissionsDescribeFilterResourceAndPermission(t *testing.T) {
 	cli := di.NewMockDeps(t)
 	cmd := DescribePermissionsCommand(&cli.Deps)
@@ -126,3 +147,40 @@ func TestPermissionsDescribeFilterResourceAndPermission(t *testing.T) {
 	assert.Equal(t, "foo", *calls[0].Ppermission)
 	assert.Equal(t, Resource1, *calls[0].Presource)
 }
+
+func TestPermissionsDescribeWithSourcesJson(t *testing.T) {
+	cli := di.NewMockDeps(t)
+	cmd := DescribePermissionsCommand(&cli.Deps)
+
+	cli.MockClient.ApiMocks.PermissionsApi.DescribePermissionsResponse.Result = *Description
+	cli.MockClient.ApiMocks.PermissionsApi.DescribePermissionsResponse.Result.FromSources = []stackstate_api.SubjectSource{stackstate_api.SUBJECTSOURCE_STATIC}
+
+	di.ExecuteCommandWithContextUnsafe(&cli.Deps, cmd, "--subject", SubjectHandle, "-o", "json")
+
+	calls := *cli.MockClient.ApiMocks.PermissionsApi.DescribePermissionsCalls
+	assert.Len(t, calls, 1)
+
+	expected := []map[string]interface{}{
+		ExpectedSourcesJson,
+	}
+	assert.Equal(t, expected, *cli.MockPrinter.PrintJsonCalls)
+}
+
+func TestPermissionsDescribeWithSourcesTable(t *testing.T) {
+	cli := di.NewMockDeps(t)
+	cmd := DescribePermissionsCommand(&cli.Deps)
+
+	cli.MockClient.ApiMocks.PermissionsApi.DescribePermissionsResponse.Result = *Description
+	cli.MockClient.ApiMocks.PermissionsApi.DescribePermissionsResponse.Result.FromSources = []stackstate_api.SubjectSource{stackstate_api.SUBJECTSOURCE_STATIC}
+
+	di.ExecuteCommandWithContextUnsafe(&cli.Deps, cmd, "--subject", SubjectHandle)
+
+	assert.Len(t, *cli.MockClient.ApiMocks.PermissionsApi.DescribePermissionsCalls, 1)
+
+	expected := []printer.TableData{
+		ExpectedTable,
+	}
+
+	assert.Equal(t, expected, *cli.MockPrinter.TableCalls)
+	assert.Equal(t, []string{"Got subject from the following subject sources: Static", ""}, *cli.MockPrinter.PrintLnCalls)
+}

cmd/rbac/rbac_describe_subjects.go

@@ -1,15 +1,20 @@
 package rbac
 
 import (
+	"fmt"
+	"strings"
+
 	"github.com/spf13/cobra"
 	"github.com/stackvista/stackstate-cli/generated/stackstate_api"
 	"github.com/stackvista/stackstate-cli/internal/common"
 	"github.com/stackvista/stackstate-cli/internal/di"
 	"github.com/stackvista/stackstate-cli/internal/printer"
+	"github.com/stackvista/stackstate-cli/pkg/pflags"
 )
 
 type DescribeSubjectsArgs struct {
 	Subject string
+	Source  string
 }
 
 func DescribeSubjectsCommand(deps *di.Deps) *cobra.Command {
@@ -27,6 +32,7 @@ sts rbac describe-subjects --subject my-team`,
 	}
 
 	cmd.Flags().StringVar(&args.Subject, Subject, "", SubjectUsage)
+	pflags.EnumVar(cmd.Flags(), &args.Source, Source, "", SourceChoices, SourceUsage)
 
 	return cmd
 }
@@ -38,45 +44,34 @@ func RunDescribeSubjectsCommand(args *DescribeSubjectsArgs) di.CmdWithApiFn {
 		api *stackstate_api.APIClient,
 		serverInfo *stackstate_api.ServerInfo,
 	) common.CLIError {
-		if args.Subject != "" {
-			subject, resp, err := api.SubjectApi.GetSubject(cli.Context, args.Subject).Execute()
+		// Why do wre use the list api instead of the GetSubject api for retrieving a subject? The reason is that due to rbac
+		// subjects can come from multiple sources. Instead of updating the GetSubject api in a breaking way, we have deprecated that
+		// api and use the list api with a client side filter to get all subjects.
+		subjects, resp, err := api.SubjectApi.ListSubjects(cli.Context).Execute()
 
-			if err != nil {
-				return common.NewResponseError(err, resp)
-			}
+		if err != nil {
+			return common.NewResponseError(err, resp)
+		}
 
-			if cli.IsJson() {
-				cli.Printer.PrintJson(map[string]interface{}{
-					"handle": subject.Handle,
-					"source": subject.Source,
-				})
-			} else {
-				cli.Printer.Table(printer.TableData{
-					Header: []string{"Subject", "Source"},
-					Data: [][]interface{}{
-						{
-							subject.Handle,
-							subject.Source,
-						},
-					},
-					MissingTableDataMsg: printer.NotFoundMsg{Types: "matching subjects"},
-				})
-			}
-		} else {
-			subjects, resp, err := api.SubjectApi.ListSubjects(cli.Context).Execute()
+		filteredSubjects := make([]stackstate_api.SubjectConfig, 0)
 
-			if err != nil {
-				return common.NewResponseError(err, resp)
+		for _, subject := range subjects {
+			if (args.Subject == "" || subject.Handle == args.Subject) && (args.Source == "" || strings.EqualFold(string(subject.Source), args.Source)) {
+				filteredSubjects = append(filteredSubjects, subject)
 			}
+		}
 
+		if len(filteredSubjects) == 0 && args.Subject != "" {
+			return common.NewNotFoundError(fmt.Errorf("could not find subject: '%s'", args.Subject))
+		} else {
 			if cli.IsJson() {
 				cli.Printer.PrintJson(map[string]interface{}{
-					"subjects": subjects,
+					"subjects": filteredSubjects,
 				})
 			} else {
 				data := make([][]interface{}, 0)
 
-				for _, subject := range subjects {
+				for _, subject := range filteredSubjects {
 					data = append(data, []interface{}{subject.Handle, subject.Source})
 				}