auto policies setup fix (#2195)
johnnyaug authored Jul 5, 2021

1 parent 9ceed49 commit 8288f4f
Showing 4 changed files with 28 additions and 3 deletions.
4 changes: 4 additions & 0 deletions pkg/auth/setup.go
@@ -117,6 +117,8 @@ func SetupBaseGroups(ctx context.Context, authService Service, ts time.Time) err
{
Action: []string{
"ci:*",
"retention:*",
"fs:ReadConfig",
},
Resource: permissions.All,
Effect: model.StatementEffectAllow,
@@ -130,6 +132,8 @@ func SetupBaseGroups(ctx context.Context, authService Service, ts time.Time) err
{
Action: []string{
"ci:Read*",
"retention:Get*",
"fs:ReadConfig",
},
Resource: permissions.All,
Effect: model.StatementEffectAllow,
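Review bot: The default grants are now defined in two places that nothing ties together: the literals added to both `Action` lists here and the jsonb statements in the pkg/ddl migrations. Drift between the two appears to be what this commit repairs. A comment above each list would make the coupling visible, e.g. `// keep in sync with the pkg/ddl auth migrations: a change here does not reach policies already stored in the database`. Note also that `"retention:*"` in the first list is a wildcard on `permissions.All`, so any retention action introduced later is granted to this policy automatically; if that is intended, say so in the same comment. SetupBaseGroups starts and ends outside both hunks, so the policy names these statements belong to are not visible here.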
Empty file.
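--- a/pkg/ddl/000030_repeat_auth_migrations.up.sql
+++ b/pkg/ddl/000030_repeat_auth_migrations.up.sql
@@ -0,0 +1,20 @@
+-- repeat migration 28 and 29: they were only now added auth/setup.go
+BEGIN;
+
+UPDATE auth_policies
+SET statement = statement || '[{"Action": ["fs:ReadConfig"], "Effect": "allow", "Resource": "*"}]'::jsonb
+WHERE display_name = 'RepoManagementReadAll' AND NOT statement @> '[{"Action": ["fs:ReadConfig"], "Effect": "allow", "Resource": "*"}]'::jsonb;
+
+UPDATE auth_policies
+SET statement = statement || '[{"Action": ["fs:ReadConfig"], "Effect": "allow", "Resource": "*"}]'::jsonb
+WHERE display_name = 'RepoManagementFullAccess' AND NOT statement @> '[{"Action": ["fs:ReadConfig"], "Effect": "allow", "Resource": "*"}]'::jsonb;
+
+UPDATE auth_policies
+SET statement = statement || '[{"Action": ["retention:Get*"], "Effect": "allow", "Resource": "*"}]'::jsonb
+WHERE display_name = 'RepoManagementReadAll' AND NOT statement @> '[{"Action": ["retention:Get*"], "Effect": "allow", "Resource": "*"}]'::jsonb;
+
+UPDATE auth_policies
+SET statement = statement || '[{"Action": ["retention:*"], "Effect": "allow", "Resource": "*"}]'::jsonb
+WHERE display_name = 'RepoManagementFullAccess' AND NOT statement @> '[{"Action": ["retention:*"], "Effect": "allow", "Resource": "*"}]'::jsonb;
+
+COMMIT;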
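Review bot: All four UPDATEs select rows by `display_name` alone, so any policy named RepoManagementReadAll or RepoManagementFullAccess gets an allow statement on `"Resource": "*"` appended, including one an administrator has deliberately narrowed since migrations 28 and 29. The `NOT statement @>` guard only prevents a duplicate append; it does not tell a policy that never had the grant from one where it was removed on purpose. The header comment should say this, for example `-- NOTE: re-grants fs:ReadConfig and retention:* / retention:Get* to the built-in RepoManagement* policies, matched by display_name; review customised policies after upgrading`. If the empty file in this commit is the matching down migration (not visible here), a rollback leaves these grants in place, which is worth recording in that file as a comment.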
7 changes: 4 additions & 3 deletions pkg/permissions/actions.go
@@ -64,9 +64,10 @@ const (
)

var serviceSet = map[string]struct{}{
"fs": {},
"auth": {},
"ci": {},
"fs": {},
"auth": {},
"ci": {},
"retention": {},
}

func IsValidAction(name string) error {
