percona · mayankshah1607 · Jul 10, 2024 · Jul 5, 2024 · Jul 5, 2024 · Jul 5, 2024
@@ -39,11 +39,11 @@ import (
 	"golang.org/x/time/rate"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	"github.com/percona/everest/api/rbac"
 	"github.com/percona/everest/cmd/config"
 	"github.com/percona/everest/pkg/common"
 	"github.com/percona/everest/pkg/kubernetes"
 	"github.com/percona/everest/pkg/oidc"
+	"github.com/percona/everest/pkg/rbac"
 	"github.com/percona/everest/pkg/session"
 	"github.com/percona/everest/public"
 )

@@ -8,7 +8,7 @@ import (
 	"github.com/labstack/echo/v4"
 	"go.uber.org/zap"
 
-	"github.com/percona/everest/api/rbac"
+	"github.com/percona/everest/pkg/rbac"
 )
 
 // GetUserPermissions returns the permissions for the currently logged in user.

@@ -30,6 +30,6 @@ func newSettingsCommand(l *zap.SugaredLogger) *cobra.Command {
 		Short: "Configure Everest settings",
 	}
 	cmd.AddCommand(settings.NewOIDCCmd(l))
-
+	cmd.AddCommand(settings.NewRBACCmd(l))
 	return cmd
 }
@@ -0,0 +1,20 @@
+// Package settings ...
+package settings
+
+import (
+	"github.com/spf13/cobra"
+	"go.uber.org/zap"
+
+	"github.com/percona/everest/commands/settings/rbac"
+)
+
+// NewRBACCmd returns an new RBAC sub-command.
+func NewRBACCmd(l *zap.SugaredLogger) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "rbac",
+		Long:  "Manage RBAC settings",
+		Short: "Manage RBAC settings",
+	}
+	cmd.AddCommand(rbac.NewValidateCommand(l))
+	return cmd
+}
@@ -0,0 +1,89 @@
+// everest
+// Copyright (C) 2023 Percona LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package rbac ...
+package rbac
+
+import (
+	"errors"
+	"fmt"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"go.uber.org/zap"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/percona/everest/pkg/kubernetes"
+	"github.com/percona/everest/pkg/output"
+	"github.com/percona/everest/pkg/rbac"
+)
+
+// NewValidateCommand returns a new command for validating RBAC.
+func NewValidateCommand(l *zap.SugaredLogger) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "validate",
+		Long:  "Validate RBAC settings",
+		Short: "Validate RBAC settings",
+		Run: func(cmd *cobra.Command, args []string) { //nolint:revive
+			initValidateViperFlags(cmd)
+
+			kubeconfigPath := viper.GetString("kubeconfig")
+			policyFilepath := viper.GetString("policy-file")
+			if kubeconfigPath == "" && policyFilepath == "" {
+				l.Error("Either --kubeconfig or --policy-file must be set")
+				os.Exit(1)
+			}
+
+			var k *kubernetes.Kubernetes
+			if kubeconfigPath != "" && policyFilepath == "" {
+				client, err := kubernetes.New(kubeconfigPath, l)
+				if err != nil {
+					var u *url.Error
+					if errors.As(err, &u) || errors.Is(err, clientcmd.ErrEmptyConfig) {
+						l.Error("Could not connect to Kubernetes. " +
+							"Make sure Kubernetes is running and is accessible from this computer/server.")
+					}
+					os.Exit(1)
+				}
+				k = client
+			}
+
+			err := rbac.ValidatePolicy(cmd.Context(), k, policyFilepath)
+			if err != nil {
+				fmt.Fprint(os.Stdout, output.Failure("Invalid"))
+				msg := err.Error()
+				msg = strings.Join(strings.Split(msg, "\n"), " - ")
+				fmt.Fprintln(os.Stdout, msg)
+				os.Exit(1)
+			}
+			fmt.Fprintln(os.Stdout, output.Success("Valid"))
+		},
+	}
+	initValidateFlags(cmd)
+	return cmd
+}
+
+func initValidateFlags(cmd *cobra.Command) {
+	cmd.Flags().String("policy-file", "", "Path to the policy file to use")
+}
+
+func initValidateViperFlags(cmd *cobra.Command) {
+	viper.BindEnv("kubeconfig")                                       //nolint:errcheck,gosec
+	viper.BindPFlag("kubeconfig", cmd.Flags().Lookup("kubeconfig"))   //nolint:errcheck,gosec
+	viper.BindPFlag("policy-file", cmd.Flags().Lookup("policy-file")) //nolint:errcheck,gosec
+}
@@ -152,6 +152,7 @@ paths:
               schema:
                 $ref: '#/components/schemas/Error'
   '/namespaces':
+    x-everest-resource-name: namespaces
     get:
       tags:
         - General info

@@ -22,24 +22,31 @@ import (
 	"strings"
 
 	"github.com/casbin/casbin/v2/model"
-	"github.com/casbin/casbin/v2/persist"
+	"go.uber.org/zap"
 	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/percona/everest/pkg/kubernetes"
+	rbacutils "github.com/percona/everest/pkg/rbac/utils"
 )
 
 // Adapter is the ConfigMap adapter for Casbin.
 // It can load policy from ConfigMap and save policy to ConfigMap.
 type Adapter struct {
 	kubeClient     *kubernetes.Kubernetes
 	namespacedName types.NamespacedName
+	l              *zap.SugaredLogger
 }
 
-// NewAdapter is the constructor for Adapter.
-func NewAdapter(kubeClient *kubernetes.Kubernetes, namespacedName types.NamespacedName) *Adapter {
+// New constructs a new adapter that manages a policy inside a ConfigMap.
+func New(
+	l *zap.SugaredLogger,
+	kubeClient *kubernetes.Kubernetes,
+	namespacedName types.NamespacedName,
+) *Adapter {
 	return &Adapter{
 		kubeClient:     kubeClient,
 		namespacedName: namespacedName,
+		l:              l,
 	}
 }
 
@@ -68,9 +75,11 @@ func (a *Adapter) LoadPolicy(model model.Model) error {
 		if str == "" {
 			continue
 		}
-		_ = persist.LoadPolicyLine(str, model)
+		if err := rbacutils.LoadPolicyLine(str, model); err != nil {
+			a.l.Error("failed to load policy", zap.Error(err))
+			return err
+		}
 	}
-
 	return nil
 }