Merge pull request #2331 from thedadams/revert-sar-changes

thedadams · web-flow · commit 152f48ecb1a8 · 2023-11-14T12:55:57.000-05:00
Revert "Expand * verbs when doing SAR checks on images"
diff --git a/pkg/roles/roles.go b/pkg/roles/roles.go
@@ -30,7 +30,7 @@ var (
 		},
 		ClusterEdit: {
 			{
-				Verbs: []string{"create", "update", "delete", "deletecollection"},
+				Verbs: []string{"create", "update", "delete"},
 				Resources: []string{
 					"projects",
 				},
@@ -91,7 +91,7 @@ var (
 		},
 		Edit: {
 			{
-				Verbs: []string{"create", "update", "delete", "deletecollection", "patch"},
+				Verbs: []string{"create", "update", "delete", "patch"},
 				Resources: []string{
 					"apps",
 					"devsessions",
@@ -100,7 +100,7 @@ var (
 				},
 			},
 			{
-				Verbs: []string{"update", "delete", "deletecollection", "patch"},
+				Verbs: []string{"update", "delete", "patch"},
 				Resources: []string{
 					"images",
 				},
@@ -117,7 +117,7 @@ var (
 				},
 			},
 			{
-				Verbs: []string{"delete", "deletecollection"},
+				Verbs: []string{"delete"},
 				Resources: []string{
 					"services",
 					"volumes",
@@ -136,7 +136,7 @@ var (
 		},
 		Build: {
 			{
-				Verbs: []string{"create", "delete", "deletecollection"},
+				Verbs: []string{"create", "delete"},
 				Resources: []string{
 					"builders",
 					"acornimagebuilds",
@@ -151,7 +151,7 @@ var (
 		},
 		Admin: {
 			{
-				Verbs: []string{"create", "update", "delete", "deletecollection", "patch", "get", "list", "watch"},
+				Verbs: []string{"create", "update", "delete", "patch", "get", "list", "watch"},
 				Resources: []string{
 					"projectvolumeclasses",
 					"clustervolumeclasses",
@@ -163,7 +163,7 @@ var (
 				APIGroups: []string{admin_acorn_io.Group},
 			},
 			{
-				Verbs: []string{"create", "update", "delete", "deletecollection", "patch"},
+				Verbs: []string{"create", "update", "delete", "patch"},
 				Resources: []string{
 					"imageallowrules",
 				},
diff --git a/pkg/server/registry/apigroups/acorn/apps/validator.go b/pkg/server/registry/apigroups/acorn/apps/validator.go
@@ -439,9 +439,6 @@ func (s *RBACValidator) getSARResourceRole(sar *authv1.SubjectAccessReview, serv
 	if len(rule.Verbs) == 0 {
 		return nil, fmt.Errorf("can not deploy acorn due to requesting role with empty verbs")
 	}
-	if slices.Contains(rule.Verbs, "*") {
-		rule.Verbs = v1.DefaultVerbs
-	}
 	if len(rule.Resources) == 0 {
 		rule.Resources = []string{"*"}
 	}

Original file line number	Diff line number	Diff line change
`@@ -439,9 +439,6 @@ func (s RBACValidator) getSARResourceRole(sar authv1.SubjectAccessReview, serv`
`439`	`439`	`if len(rule.Verbs) == 0 {`
`440`	`440`	`return nil, fmt.Errorf("can not deploy acorn due to requesting role with empty verbs")`
`441`	`441`	`}`
`442`		`- if slices.Contains(rule.Verbs, "*") {`
`443`		`- rule.Verbs = v1.DefaultVerbs`
`444`		`- }`
`445`	`442`	`if len(rule.Resources) == 0 {`
`446`	`443`	`rule.Resources = []string{"*"}`
`447`	`444`	`}`