From 826ef2432f2a59649b90b5d1f0d316b3a85f6263 Mon Sep 17 00:00:00 2001
From: Gabriel Mougard
Date: Mon, 18 Nov 2024 14:26:22 +0100
Subject: [PATCH] lxd/storage-volumes: Add entitlements for 'storage-volume' entities
Signed-off-by: Gabriel Mougard
---
 lxd/storage_volumes.go | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/lxd/storage_volumes.go b/lxd/storage_volumes.go
index 6c5e906deff9..4201ee825519 100644
--- a/lxd/storage_volumes.go
+++ b/lxd/storage_volumes.go
@@ -625,6 +625,9 @@ func storagePoolVolumesGet(d *Daemon, r *http.Request) response.Response {
 return response.SmartError(err)
 }
+ // Detect if we want to also returns entitlements for each volume.
+ withEntitlements := request.QueryParam(r, "with-entitlements") == "true"
+
 // Check if current route is in /1.0/storage-volumes
 allPools := poolName == ""
@@ -816,7 +819,8 @@ func storagePoolVolumesGet(d *Daemon, r *http.Request) response.Response {
 if util.IsRecursionRequest(r) {
 volumes := make([]*api.StorageVolume, 0, len(dbVolumes))
- for _, dbVol := range dbVolumes {
+ openfgaURLs := make([]*api.URL, len(dbVolumes))
+ for i, dbVol := range dbVolumes {
 vol := &dbVol.StorageVolume
 volumeName, _, _ := api.GetParentAndSnapshotName(vol.Name)
@@ -835,6 +839,19 @@ func storagePoolVolumesGet(d *Daemon, r *http.Request) response.Response {
 }
 volumes = append(volumes, vol)
+ openfgaURLs[i] = entity.StorageVolumeURL(vol.Project, vol.Location, vol.Pool, vol.Type, vol.Name)
+ }
+
+ if withEntitlements {
+ entitiesWithEntitlements := make([]entity.EntityWithEntitlements, len(volumes))
+ for i, v := range volumes {
+ entitiesWithEntitlements[i] = v
+ }
+
+ err = d.authorizer.AddEntitlementsToEntities(r.Context(), entity.TypeStorageVolume, openfgaURLs, entitiesWithEntitlements)
+ if err != nil {
+ return response.SmartError(err)
+ }
 }
 return response.SyncResponse(true, volumes)
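Review bot: In hunk @@ -835, `openfgaURLs[i]` is written at the index of `dbVolumes` while `volumes` is built with `append`, so the two slices stay aligned only if every iteration reaches the append; the loop body between hunk @@ -816 and this hunk is not visible, and if it skips any volume (for example a `continue` on a type or project filter) then `openfgaURLs` keeps nil entries at the skipped positions and its length differs from `entitiesWithEntitlements`, so `AddEntitlementsToEntities` would pair URLs with the wrong volumes or reject the call. Building both slices the same way removes that dependency: in hunk @@ -816 use `openfgaURLs := make([]*api.URL, 0, len(dbVolumes))` and keep `for _, dbVol := range dbVolumes {`, and next to the append in hunk @@ -835 use `openfgaURLs = append(openfgaURLs, entity.StorageVolumeURL(vol.Project, vol.Location, vol.Pool, vol.Type, vol.Name))`. The comment added in hunk @@ -625 reads `also returns`; `also return` is the intended grammar. storagePoolVolumesGet starts and ends outside these hunks.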
@@ -2013,6 +2030,9 @@ func storagePoolVolumeGet(d *Daemon, r *http.Request) response.Response {
 return response.SmartError(err)
 }
+ // Detect if we want to also returns entitlements for each volume.
+ withEntitlements := request.QueryParam(r, "with-entitlements") == "true"
+
 resp := forwardedResponseIfTargetIsRemote(s, r)
 if resp != nil {
 return resp
@@ -2043,6 +2063,13 @@ func storagePoolVolumeGet(d *Daemon, r *http.Request) response.Response {
 etag := []any{details.volumeName, dbVolume.Type, dbVolume.Config}
+ if withEntitlements {
+ err = d.authorizer.AddEntitlements(r.Context(), entity.TypeProject, entity.StorageVolumeURL(dbVolume.Project, dbVolume.Location, dbVolume.Pool, dbVolume.Type, dbVolume.Name), &dbVolume.StorageVolume)
+ if err != nil {
+ return response.SmartError(err)
+ }
+ }
+
 return response.SyncResponseETag(true, dbVolume.StorageVolume, etag)
 }
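Review bot: In hunk @@ -2043, `AddEntitlements` is called with `entity.TypeProject` although the URL passed is a storage-volume URL and the entity receiving the entitlements is `&dbVolume.StorageVolume`; the list handler in the same commit uses `entity.TypeStorageVolume` for the identical URL, so this looks like a copied call with the wrong type. Depending on how the authorizer resolves a type/URL mismatch, the single-volume GET under `with-entitlements=true` would report project-level entitlements (or none, or an error) rather than the caller's entitlements on the volume itself. Change the call to `err = d.authorizer.AddEntitlements(r.Context(), entity.TypeStorageVolume, entity.StorageVolumeURL(dbVolume.Project, dbVolume.Location, dbVolume.Pool, dbVolume.Type, dbVolume.Name), &dbVolume.StorageVolume)`. The comment added in hunk @@ -2013 says `for each volume`, but this handler returns a single volume, so `for the volume` would be accurate. storagePoolVolumeGet starts outside these hunks.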