Merge pull request #93 from Icinga/permissions-and-restrictions

Permissions and restrictions

application/controllers/ConfigmapController.php

@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Kubernetes\Controllers;
 
+use Icinga\Module\Kubernetes\Common\Auth;
 use Icinga\Module\Kubernetes\Common\Database;
 use Icinga\Module\Kubernetes\Model\ConfigMap;
 use Icinga\Module\Kubernetes\Web\ConfigMapDetail;
@@ -15,13 +16,15 @@ class ConfigmapController extends Controller
 {
     public function indexAction(): void
     {
+        $this->assertPermission(Auth::SHOW_CONFIG_MAPS);
+
         $this->addTitleTab('Config Map');
 
         $uuid = $this->params->getRequired('id');
         $uuidBytes = Uuid::fromString($uuid)->getBytes();
 
-        /** @var ConfigMap $configMap */
-        $configMap = ConfigMap::on(Database::connection())
+        $configMap = Auth::getInstance()
+            ->withRestrictions(Auth::SHOW_CONFIG_MAPS, ConfigMap::on(Database::connection()))
             ->filter(Filter::equal('uuid', $uuidBytes))
             ->first();
 

application/controllers/ConfigmapsController.php

@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Kubernetes\Controllers;
 
+use Icinga\Module\Kubernetes\Common\Auth;
 use Icinga\Module\Kubernetes\Common\Database;
 use Icinga\Module\Kubernetes\Model\ConfigMap;
 use Icinga\Module\Kubernetes\Web\ConfigMapList;
@@ -35,4 +36,9 @@ protected function getTitle(): string
     {
         return $this->translate('Config Maps');
     }
+
+    protected function getPermission(): string
+    {
+        return AUTH::SHOW_CONFIG_MAPS;
+    }
 }

application/controllers/CronjobController.php

@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Kubernetes\Controllers;
 
+use Icinga\Module\Kubernetes\Common\Auth;
 use Icinga\Module\Kubernetes\Common\Database;
 use Icinga\Module\Kubernetes\Model\CronJob;
 use Icinga\Module\Kubernetes\Web\Controller;
@@ -15,13 +16,15 @@ class CronjobController extends Controller
 {
     public function indexAction(): void
     {
+        $this->assertPermission(Auth::SHOW_CRON_JOBS);
+
         $this->addTitleTab($this->translate('Cron Job'));
 
         $uuid = $this->params->getRequired('id');
         $uuidBytes = Uuid::fromString($uuid)->getBytes();
 
-        /** @var CronJob $cronJob */
-        $cronJob = CronJob::on(Database::connection())
+        $cronJob = Auth::getInstance()
+            ->withRestrictions(Auth::SHOW_CRON_JOBS, CronJob::on(Database::connection()))
             ->filter(Filter::equal('uuid', $uuidBytes))
             ->first();
 

application/controllers/CronjobsController.php

@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Kubernetes\Controllers;
 
+use Icinga\Module\Kubernetes\Common\Auth;
 use Icinga\Module\Kubernetes\Common\Database;
 use Icinga\Module\Kubernetes\Model\CronJob;
 use Icinga\Module\Kubernetes\Web\CronJobList;
@@ -35,4 +36,9 @@ protected function getTitle(): string
     {
         return $this->translate('Cron Jobs');
     }
+
+    protected function getPermission(): string
+    {
+        return Auth::SHOW_CRON_JOBS;
+    }
 }

application/controllers/DaemonsetController.php

@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Kubernetes\Controllers;
 
+use Icinga\Module\Kubernetes\Common\Auth;
 use Icinga\Module\Kubernetes\Common\Database;
 use Icinga\Module\Kubernetes\Model\DaemonSet;
 use Icinga\Module\Kubernetes\Web\Controller;
@@ -16,13 +17,15 @@ class DaemonsetController extends Controller
 {
     public function indexAction(): void
     {
+        $this->assertPermission(Auth::SHOW_DAEMON_SETS);
+
         $this->addTitleTab($this->translate('Daemon Set'));
 
         $uuid = $this->params->getRequired('id');
         $uuidBytes = Uuid::fromString($uuid)->getBytes();
 
-        /** @var DaemonSet $daemonSet */
-        $daemonSet = DaemonSet::on(Database::connection())
+        $daemonSet = Auth::getInstance()
+            ->withRestrictions(Auth::SHOW_DAEMON_SETS, DaemonSet::on(Database::connection()))
             ->filter(Filter::equal('uuid', $uuidBytes))
             ->first();
 

application/controllers/DaemonsetsController.php

@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Kubernetes\Controllers;
 
+use Icinga\Module\Kubernetes\Common\Auth;
 use Icinga\Module\Kubernetes\Common\Database;
 use Icinga\Module\Kubernetes\Model\DaemonSet;
 use Icinga\Module\Kubernetes\Web\DaemonSetList;
@@ -35,4 +36,9 @@ protected function getTitle(): string
     {
         return $this->translate('Daemon Sets');
     }
+
+    protected function getPermission(): string
+    {
+        return Auth::SHOW_DAEMON_SETS;
+    }
 }

application/controllers/DeploymentController.php

@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Kubernetes\Controllers;
 
+use Icinga\Module\Kubernetes\Common\Auth;
 use Icinga\Module\Kubernetes\Common\Database;
 use Icinga\Module\Kubernetes\Model\Deployment;
 use Icinga\Module\Kubernetes\Web\Controller;
@@ -16,13 +17,15 @@ class DeploymentController extends Controller
 {
     public function indexAction(): void
     {
+        $this->assertPermission(Auth::SHOW_DEPLOYMENTS);
+
         $this->addTitleTab($this->translate('Deployment'));
 
         $uuid = $this->params->getRequired('id');
         $uuidBytes = Uuid::fromString($uuid)->getBytes();
 
-        /** @var Deployment $deployment */
-        $deployment = Deployment::on(Database::connection())
+        $deployment = Auth::getInstance()
+            ->withRestrictions(Auth::SHOW_DEPLOYMENTS, Deployment::on(Database::connection()))
             ->filter(Filter::equal('uuid', $uuidBytes))
             ->first();
 

application/controllers/DeploymentsController.php

@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Kubernetes\Controllers;
 
+use Icinga\Module\Kubernetes\Common\Auth;
 use Icinga\Module\Kubernetes\Common\Database;
 use Icinga\Module\Kubernetes\Model\Deployment;
 use Icinga\Module\Kubernetes\Web\DeploymentList;
@@ -35,4 +36,9 @@ protected function getTitle(): string
     {
         return $this->translate('Deployments');
     }
+
+    protected function getPermission(): string
+    {
+        return Auth::SHOW_DEPLOYMENTS;
+    }
 }

application/controllers/EventController.php

@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Kubernetes\Controllers;
 
+use Icinga\Module\Kubernetes\Common\Auth;
 use Icinga\Module\Kubernetes\Common\Database;
 use Icinga\Module\Kubernetes\Model\Event;
 use Icinga\Module\Kubernetes\Web\Controller;
@@ -15,17 +16,19 @@ class EventController extends Controller
 {
     public function indexAction(): void
     {
+        $this->assertPermission(Auth::SHOW_EVENTS);
+
         $this->addTitleTab($this->translate('Event'));
 
         $uuid = $this->params->getRequired('id');
         $uuidBytes = Uuid::fromString($uuid)->getBytes();
 
-        /** @var Event $event */
-        $event = Event::on(Database::connection())
+        $event = Auth::getInstance()
+            ->withRestrictions(Auth::SHOW_EVENTS, Event::on(Database::connection()))
             ->filter(Filter::equal('uuid', $uuidBytes))
             ->first();
 
-        if ($event === null) {
+        if ($event === null || ! Auth::getInstance()->canList($event->reference_kind)) {
             $this->httpNotFound($this->translate('Event not found'));
         }
 

application/controllers/EventsController.php

@@ -4,11 +4,13 @@
 
 namespace Icinga\Module\Kubernetes\Controllers;
 
+use Icinga\Module\Kubernetes\Common\Auth;
 use Icinga\Module\Kubernetes\Common\Database;
 use Icinga\Module\Kubernetes\Model\Event;
 use Icinga\Module\Kubernetes\Web\EventList;
 use Icinga\Module\Kubernetes\Web\ListController;
 use ipl\Orm\Query;
+use ipl\Stdlib\Filter;
 
 class EventsController extends ListController
 {
@@ -19,7 +21,20 @@ protected function getContentClass(): string
 
     protected function getQuery(): Query
     {
-        return Event::on(Database::connection());
+        $events = Auth::getInstance()->withRestrictions(Auth::SHOW_EVENTS, Event::on(Database::connection()));
+
+        $allowedKinds = [];
+        foreach (Auth::PERMISSIONS as $kind => $permission) {
+            if (Auth::getInstance()->canList($kind)) {
+                $allowedKinds[] = $kind;
+            }
+        }
+
+        if (! empty($allowedKinds)) {
+            $events->filter(Filter::equal('reference_kind', $allowedKinds));
+        }
+
+        return $events;
     }
 
     protected function getSortColumns(): array
@@ -31,4 +46,9 @@ protected function getTitle(): string
     {
         return $this->translate('Events');
     }
+
+    protected function getPermission(): string
+    {
+        return Auth::SHOW_EVENTS;
+    }
 }

application/controllers/IngressController.php

@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Kubernetes\Controllers;
 
+use Icinga\Module\Kubernetes\Common\Auth;
 use Icinga\Module\Kubernetes\Common\Database;
 use Icinga\Module\Kubernetes\Model\Ingress;
 use Icinga\Module\Kubernetes\Web\Controller;
@@ -15,13 +16,15 @@ class IngressController extends Controller
 {
     public function indexAction(): void
     {
+        $this->assertPermission(Auth::SHOW_INGRESSES);
+
         $this->addTitleTab($this->translate('Ingress'));
 
         $uuid = $this->params->getRequired('id');
         $uuidBytes = Uuid::fromString($uuid)->getBytes();
 
-        /** @var Ingress $ingress */
-        $ingress = Ingress::on(Database::connection())
+        $ingress = Auth::getInstance()
+            ->withRestrictions(Auth::SHOW_INGRESSES, Ingress::on(Database::connection()))
             ->filter(Filter::equal('uuid', $uuidBytes))
             ->first();
 

application/controllers/IngressesController.php

@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Kubernetes\Controllers;
 
+use Icinga\Module\Kubernetes\Common\Auth;
 use Icinga\Module\Kubernetes\Common\Database;
 use Icinga\Module\Kubernetes\Model\Ingress;
 use Icinga\Module\Kubernetes\Web\IngressList;
@@ -35,4 +36,9 @@ protected function getTitle(): string
     {
         return $this->translate('Ingresses');
     }
+
+    protected function getPermission(): string
+    {
+        return Auth::SHOW_INGRESSES;
+    }
 }

application/controllers/JobController.php

@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Kubernetes\Controllers;
 
+use Icinga\Module\Kubernetes\Common\Auth;
 use Icinga\Module\Kubernetes\Common\Database;
 use Icinga\Module\Kubernetes\Model\Job;
 use Icinga\Module\Kubernetes\Web\Controller;
@@ -16,13 +17,15 @@ class JobController extends Controller
 {
     public function indexAction(): void
     {
+        $this->assertPermission(Auth::SHOW_JOBS);
+
         $this->addTitleTab($this->translate('Job'));
 
         $uuid = $this->params->getRequired('id');
         $uuidBytes = Uuid::fromString($uuid)->getBytes();
 
-        /** @var Job $job */
-        $job = Job::on(Database::connection())
+        $job = Auth::getInstance()
+            ->withRestrictions(Auth::SHOW_JOBS, Job::on(Database::connection()))
             ->filter(Filter::equal('uuid', $uuidBytes))
             ->first();
 

application/controllers/JobsController.php

@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Kubernetes\Controllers;
 
+use Icinga\Module\Kubernetes\Common\Auth;
 use Icinga\Module\Kubernetes\Common\Database;
 use Icinga\Module\Kubernetes\Model\Job;
 use Icinga\Module\Kubernetes\Web\JobList;
@@ -35,4 +36,9 @@ protected function getTitle(): string
     {
         return $this->translate('Jobs');
     }
+
+    protected function getPermission(): string
+    {
+        return Auth::SHOW_JOBS;
+    }
 }

application/controllers/NamespaceController.php

@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Kubernetes\Controllers;
 
+use Icinga\Module\Kubernetes\Common\Auth;
 use Icinga\Module\Kubernetes\Common\Database;
 use Icinga\Module\Kubernetes\Model\NamespaceModel;
 use Icinga\Module\Kubernetes\Web\Controller;
@@ -15,13 +16,15 @@ class NamespaceController extends Controller
 {
     public function indexAction(): void
     {
+        $this->assertPermission(Auth::SHOW_NAMESPACES);
+
         $this->addTitleTab($this->translate('Namespace'));
 
         $uuid = $this->params->getRequired('id');
         $uuidBytes = Uuid::fromString($uuid)->getBytes();
 
-        /** @var NamespaceModel $namespace */
-        $namespace = NamespaceModel::on(Database::connection())
+        $namespace = Auth::getInstance()
+            ->withRestrictions(Auth::SHOW_NAMESPACES, NamespaceModel::on(Database::connection()))
             ->filter(Filter::equal('uuid', $uuidBytes))
             ->first();
 

application/controllers/NamespacesController.php

@@ -4,6 +4,7 @@
 
 namespace Icinga\Module\Kubernetes\Controllers;
 
+use Icinga\Module\Kubernetes\Common\Auth;
 use Icinga\Module\Kubernetes\Common\Database;
 use Icinga\Module\Kubernetes\Model\NamespaceModel;
 use Icinga\Module\Kubernetes\Web\ListController;
@@ -34,4 +35,9 @@ protected function getTitle(): string
     {
         return $this->translate('Namespaces');
     }
+
+    protected function getPermission(): string
+    {
+        return Auth::SHOW_NAMESPACES;
+    }
 }