metal-stack · majst01 · Dec 24, 2025 · Dec 25, 2025 · Dec 26, 2025 · Jan 13, 2026
@@ -17,4 +17,4 @@ go-mocks:
 		--tmpfs /.cache:uid=$$(id -u),gid=$$(id -g) \
 		-w /work \
 		-v ${PWD}:/work \
-		vektra/mockery:v3.6.1
+		vektra/mockery:v3.6.3
@@ -97,6 +97,7 @@ func servicePermissions(root string) (*permissions.ServicePermissions, error) {
 		roles = permissions.Roles{
 			Admin:   permissions.Admin{},
 			Infra:   permissions.Infra{},
+			Machine: permissions.Machine{},
 			Tenant:  permissions.Tenant{},
 			Project: permissions.Project{},
 		}
@@ -114,6 +115,7 @@ func servicePermissions(root string) (*permissions.ServicePermissions, error) {
 			Self:    map[string]bool{},
 			Admin:   map[string]bool{},
 			Infra:   map[string]bool{},
+			Machine: map[string]bool{},
 			Tenant:  map[string]bool{},
 			Project: map[string]bool{},
 		}
@@ -167,6 +169,12 @@ func servicePermissions(root string) (*permissions.ServicePermissions, error) {
 							visibility.Infra[methodName] = true
 						case v1.InfraRole_INFRA_ROLE_UNSPECIFIED.String():
 							// noop
+						// Machine
+						case v1.MachineRole_MACHINE_ROLE_EDITOR.String(), v1.MachineRole_MACHINE_ROLE_VIEWER.String():
+							roles.Machine[role] = append(roles.Machine[role], methodName)
+							visibility.Machine[methodName] = true
+						case v1.MachineRole_MACHINE_ROLE_UNSPECIFIED.String():
+							// noop
 						// Visibility
 						case v1.Visibility_VISIBILITY_PUBLIC.String():
 							visibility.Public[methodName] = true

@@ -34,6 +34,15 @@ func GetServicePermissions() *ServicePermissions {
 					},
 				{{- end }}
 			},
+			Machine:   Machine{
+				{{- range $role, $methods := .Roles.Machine }}
+					"{{ $role }}": []string{
+						{{- range $method := $methods }}
+							"{{ $method }}",
+						{{- end }}
+					},
+				{{- end }}
+			},
 			Tenant:  Tenant{
 				{{- range $role, $methods := .Roles.Tenant }}
 					"{{ $role }}": []string{
@@ -77,6 +86,11 @@ func GetServicePermissions() *ServicePermissions {
 			Infra:    map[string]bool{
 {{- range $key, $value := .Visibility.Infra }}
 	"{{ $key }}": {{ $value }} ,
+{{- end }}
+			},
+			Machine:    map[string]bool{
+{{- range $key, $value := .Visibility.Machine }}
+	"{{ $key }}": {{ $value }} ,
 {{- end }}
 			},
 			Tenant:    map[string]bool{
@@ -118,6 +132,11 @@ func IsInfraScope(req connect.AnyRequest) bool {
 	return ok
 }
 
+func IsMachineScope(req connect.AnyRequest) bool {
+	_, ok := GetServicePermissions().Visibility.Machine[req.Spec().Procedure]
+	return ok
+}
+
 func IsTenantScope(req connect.AnyRequest) bool {
 	_, ok := GetServicePermissions().Visibility.Tenant[req.Spec().Procedure]
 	return ok
@@ -153,4 +172,15 @@ func GetProjectFromRequest(req connect.AnyRequest) (string, bool) {
 		return rq.GetProject(), true
 	}
 	return "", false
+}
+
+func GetMachineIdFromRequest(req connect.AnyRequest) (string, bool) {
+	if !IsMachineScope(req) {
+		return "", false
+	}
+	switch rq := req.Any().(type) {
+	case interface{ GetUuid() string }:
+		return rq.GetUuid(), true
+	}
+	return "", false
 }
@@ -192,7 +192,7 @@ func Test_ClientInterceptors(t *testing.T) {
 	bs.token = ""
 
 	// Asynchronous call has authheader set
-	stream, err := c.Infrav2().BMC().WaitForMachineEvent(ctx, &infrav2.WaitForMachineEventRequest{})
+	stream, err := c.Infrav2().BMC().WaitForBMCCommand(ctx, &infrav2.WaitForBMCCommandRequest{})
 	require.NoError(t, err)
 	require.NotNil(t, stream)
 	require.Equal(t, tokenString, bs.token)
@@ -215,7 +215,7 @@ func (m *mockBMCService) UpdateBMCInfo(ctx context.Context, _ *infrav2.UpdateBMC
 	return &infrav2.UpdateBMCInfoResponse{}, nil
 }
 
-func (m *mockBMCService) WaitForMachineEvent(ctx context.Context, _ *infrav2.WaitForMachineEventRequest, stream *connect.ServerStream[infrav2.WaitForMachineEventResponse]) error {
+func (m *mockBMCService) WaitForBMCCommand(ctx context.Context, _ *infrav2.WaitForBMCCommandRequest, stream *connect.ServerStream[infrav2.WaitForBMCCommandResponse]) error {
 	callinfo, _ := connect.CallInfoForHandlerContext(ctx)
 	authHeader := callinfo.RequestHeader().Get("Authorization")
 
@@ -226,5 +226,5 @@ func (m *mockBMCService) WaitForMachineEvent(ctx context.Context, _ *infrav2.Wai
 	}
 
 	m.token = token
-	return stream.Send(&infrav2.WaitForMachineEventResponse{})
+	return stream.Send(&infrav2.WaitForBMCCommandResponse{})
 }