lxd/storage-buckets: Add entitlements for 'storage-bucket' entities

Signed-off-by: Gabriel Mougard <gabriel.mougard@canonical.com>
canonical · Nov 19, 2024 · 5733f0f · 5733f0f
1 parent c97ba5a
commit 5733f0f
Showing 1 changed file with 30 additions and 1 deletion.
diff --git a/lxd/storage_buckets.go b/lxd/storage_buckets.go
@@ -196,6 +196,8 @@ func storagePoolBucketsGet(d *Daemon, r *http.Request) response.Response {
 		return response.SmartError(err)
 	}
 
+	withEntitlements := request.QueryParam(r, "with-entitlements") == "true"
+
 	poolName, err := url.PathUnescape(mux.Vars(r)["poolName"])
 	if err != nil {
 		return response.SmartError(err)
@@ -259,13 +261,27 @@ func storagePoolBucketsGet(d *Daemon, r *http.Request) response.Response {
 
 	if util.IsRecursionRequest(r) {
 		buckets := make([]*api.StorageBucket, 0, len(filteredDBBuckets))
-		for _, dbBucket := range filteredDBBuckets {
+		openfgaURLs := make([]*api.URL, len(filteredDBBuckets))
+		for i, dbBucket := range filteredDBBuckets {
 			u := pool.GetBucketURL(dbBucket.Name)
 			if u != nil {
 				dbBucket.S3URL = u.String()
 			}
 
 			buckets = append(buckets, &dbBucket.StorageBucket)
+			openfgaURLs[i] = entity.StorageBucketURL(dbBucket.Project, dbBucket.Location, dbBucket.PoolName, dbBucket.Name)
+		}
+
+		if withEntitlements {
+			entitiesWithEntitlements := make([]entity.EntityWithEntitlements, len(buckets))
+			for i, b := range buckets {
+				entitiesWithEntitlements[i] = b
+			}
+
+			err = d.authorizer.AddEntitlementsToEntities(r.Context(), entity.TypeStorageBucket, openfgaURLs, entitiesWithEntitlements)
+			if err != nil {
+				return response.SmartError(err)
+			}
 		}
 
 		return response.SyncResponse(true, buckets)
@@ -337,6 +353,8 @@ func storagePoolBucketGet(d *Daemon, r *http.Request) response.Response {
 		return response.SmartError(err)
 	}
 
+	withEntitlements := request.QueryParam(r, "with-entitlements") == "true"
+
 	if !details.pool.Driver().Info().Buckets {
 		return response.BadRequest(fmt.Errorf("Storage pool does not support buckets"))
 	}
@@ -358,6 +376,17 @@ func storagePoolBucketGet(d *Daemon, r *http.Request) response.Response {
 		bucket.S3URL = u.String()
 	}
 
+	if util.IsRecursionRequest(r) {
+		if withEntitlements {
+			err = d.authorizer.AddEntitlements(r.Context(), entity.TypeStorageBucket, entity.StorageBucketURL(effectiveProjectName, bucket.Location, details.pool.Name(), bucket.Name), &bucket.StorageBucket)
+			if err != nil {
+				return response.SmartError(err)
+			}
+		}
+
+		return response.SyncResponse(true, &bucket.StorageBucket)
+	}
+
 	return response.SyncResponseETag(true, bucket, bucket.Etag())
 }