Merge pull request #1890 from ibuildthecloud/main

Add image granted permissions

Author: ibuildthecloud

go.mod

@@ -13,7 +13,7 @@ replace (
 require (
 	cuelang.org/go v0.5.0
 	github.com/AlecAivazis/survey/v2 v2.3.6
-	github.com/acorn-io/aml v0.0.0-20230619192500-1f56a8955db2
+	github.com/acorn-io/aml v0.0.0-20230707003008-f4b3216ff21f
 	github.com/acorn-io/baaah v0.0.0-20230628211933-3f682344a78d
 	github.com/acorn-io/mink v0.0.0-20230523184405-ceaaa366d500
 	github.com/acorn-io/namegenerator v0.0.0-20220915160418-9e3d5a0ffe78

go.sum

@@ -92,8 +92,8 @@ github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY
 github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE=
 github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d h1:licZJFw2RwpHMqeKTCYkitsPqHNxTmd4SNR5r94FGM8=
 github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat636LX7Bqt5lYEZ27JNDcqxfjdBQuJ/MM4CN/Lzo=
-github.com/acorn-io/aml v0.0.0-20230619192500-1f56a8955db2 h1:tWz51cHGC6GURkKqA4PdG3ObHz2YBrVzCfxXacNUqVY=
-github.com/acorn-io/aml v0.0.0-20230619192500-1f56a8955db2/go.mod h1:UEx5RRLFjryCEHN2pM59+d8A0mPJ3VAxggJOTzPymwg=
+github.com/acorn-io/aml v0.0.0-20230707003008-f4b3216ff21f h1:50i67wGaxqHzjBAQ0OTJi83mzWqOntKSn9snL7DvpXA=
+github.com/acorn-io/aml v0.0.0-20230707003008-f4b3216ff21f/go.mod h1:UEx5RRLFjryCEHN2pM59+d8A0mPJ3VAxggJOTzPymwg=
 github.com/acorn-io/baaah v0.0.0-20230628211933-3f682344a78d h1:a+geMqB3U52a4+iMmLZ9R/EXkgxrp0QCetoqLAUnTD8=
 github.com/acorn-io/baaah v0.0.0-20230628211933-3f682344a78d/go.mod h1:LtwaWrYK/VuGptWxeD5Sgl0sgJV1ksicpTzyLilow1U=
 github.com/acorn-io/mink v0.0.0-20230523184405-ceaaa366d500 h1:tiM36bM+iMWuW9HM+YlM1GfNDXC7f565z8Be5epO0qM=

integration/build/build_test.go

@@ -30,7 +30,7 @@ func TestBuildDev(t *testing.T) {
 	c := helper.BuilderClient(t, system.DefaultUserNamespace)
 	img, err := c.AcornImageBuild(helper.GetCTX(t), "./testdata/dev/Acornfile", &client.AcornImageBuildOptions{
 		Cwd:      "./testdata/dev",
-		Profiles: []string{"dev"},
+		Profiles: []string{"devMode"},
 	})
 	assert.NoError(t, err)
 	_, ok := img.ImageData.Containers["default"]

pkg/apis/internal.acorn.io/v1/appinstance.go

@@ -3,6 +3,8 @@
 package v1
 
 import (
+	"strings"
+
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -83,26 +85,31 @@ const (
 )
 
 type AppInstanceSpec struct {
-	Region              string           `json:"region,omitempty"`
-	Labels              []ScopedLabel    `json:"labels,omitempty"`
-	Annotations         []ScopedLabel    `json:"annotations,omitempty"`
-	Image               string           `json:"image,omitempty"`
-	Stop                *bool            `json:"stop,omitempty"`
-	Profiles            []string         `json:"profiles,omitempty"`
-	Volumes             []VolumeBinding  `json:"volumes,omitempty"`
-	Secrets             []SecretBinding  `json:"secrets,omitempty"`
-	Environment         []NameValue      `json:"environment,omitempty"`
-	PublishMode         PublishMode      `json:"publishMode,omitempty"`
-	TargetNamespace     string           `json:"targetNamespace,omitempty"`
-	Links               []ServiceBinding `json:"services,omitempty"`
-	Publish             []PortBinding    `json:"ports,omitempty"`
-	DeployArgs          GenericMap       `json:"deployArgs,omitempty"`
-	Permissions         []Permissions    `json:"permissions,omitempty"`
-	AutoUpgrade         *bool            `json:"autoUpgrade,omitempty"`
-	NotifyUpgrade       *bool            `json:"notifyUpgrade,omitempty"`
-	AutoUpgradeInterval string           `json:"autoUpgradeInterval,omitempty"`
-	ComputeClasses      ComputeClassMap  `json:"computeClass,omitempty"`
-	Memory              MemoryMap        `json:"memory,omitempty"`
+	Region                  string           `json:"region,omitempty"`
+	Labels                  []ScopedLabel    `json:"labels,omitempty"`
+	Annotations             []ScopedLabel    `json:"annotations,omitempty"`
+	Image                   string           `json:"image,omitempty"`
+	Stop                    *bool            `json:"stop,omitempty"`
+	Profiles                []string         `json:"profiles,omitempty"`
+	Volumes                 []VolumeBinding  `json:"volumes,omitempty"`
+	Secrets                 []SecretBinding  `json:"secrets,omitempty"`
+	Environment             []NameValue      `json:"environment,omitempty"`
+	PublishMode             PublishMode      `json:"publishMode,omitempty"`
+	TargetNamespace         string           `json:"targetNamespace,omitempty"`
+	Links                   []ServiceBinding `json:"services,omitempty"`
+	Publish                 []PortBinding    `json:"ports,omitempty"`
+	DeployArgs              GenericMap       `json:"deployArgs,omitempty"`
+	Permissions             []Permissions    `json:"permissions,omitempty"`
+	ImageGrantedPermissions []Permissions    `json:"imageGrantedPermissions,omitempty"`
+	AutoUpgrade             *bool            `json:"autoUpgrade,omitempty"`
+	NotifyUpgrade           *bool            `json:"notifyUpgrade,omitempty"`
+	AutoUpgradeInterval     string           `json:"autoUpgradeInterval,omitempty"`
+	ComputeClasses          ComputeClassMap  `json:"computeClass,omitempty"`
+	Memory                  MemoryMap        `json:"memory,omitempty"`
+}
+
+func (in *AppInstanceSpec) GetPermissions() []Permissions {
+	return append(in.Permissions, in.ImageGrantedPermissions...)
 }
 
 func (in *AppInstance) GetStopped() bool {
@@ -117,20 +124,34 @@ func (in *AppInstanceSpec) GetNotifyUpgrade() bool {
 	return in.NotifyUpgrade != nil && *in.NotifyUpgrade
 }
 
+func addProfile(profiles []string, toAdd string) []string {
+	found := true
+	optional := strings.HasSuffix(toAdd, "?")
+	nonOptionalName := toAdd[:len(toAdd)-1]
+	for _, profile := range profiles {
+		if profile == toAdd {
+			found = true
+			break
+		} else if optional && profile == nonOptionalName {
+			found = true
+			break
+		}
+	}
+	if !found {
+		return append([]string{toAdd}, profiles...)
+	}
+	return profiles
+}
+
 func (in *AppInstanceSpec) GetProfiles(devMode bool) []string {
+	profiles := in.Profiles
 	if devMode {
-		found := false
-		for _, profile := range in.Profiles {
-			if profile == "dev?" {
-				found = true
-				break
-			}
-		}
-		if !found {
-			return append([]string{"dev?"}, in.Profiles...)
-		}
+		profiles = addProfile(profiles, "devMode?")
+	}
+	if in.GetAutoUpgrade() {
+		profiles = addProfile(profiles, "autoUpgrade?")
 	}
-	return in.Profiles
+	return profiles
 }
 
 type ServiceBindings []ServiceBinding

pkg/apis/internal.acorn.io/v1/appspec.go

@@ -233,6 +233,60 @@ type PolicyRule struct {
 	Scopes            []string `json:"scopes,omitempty"`
 }
 
+func matches(allowed, requested []string, emptyAllowedIsAll bool) bool {
+	for _, requested := range requested {
+		if !matchesSingle(allowed, requested, emptyAllowedIsAll) {
+			return false
+		}
+	}
+	return true
+}
+
+func matchesSingle(allowed []string, requested string, emptyAllowedIsAll bool) bool {
+	if len(requested) == 0 {
+		return true
+	}
+	if emptyAllowedIsAll && len(allowed) == 0 {
+		return true
+	}
+	for _, allow := range allowed {
+		if allow == "*" || requested == allow {
+			return true
+		}
+		if strings.HasSuffix(allow, "*") && strings.HasPrefix(requested, allow[:len(allow)-1]) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (p PolicyRule) Grants(currentNamespace string, requested PolicyRule) bool {
+	if len(p.NonResourceURLs) > 0 && len(p.Resources) == 0 {
+		return len(p.Scopes) == 0 &&
+			len(requested.Scopes) == 0 &&
+			matches(p.NonResourceURLs, requested.NonResourceURLs, false)
+	}
+
+	if len(p.NonResourceURLs) > 0 {
+		return false
+	}
+
+	for _, ns := range p.ResolveNamespaces(currentNamespace) {
+		for _, requestedNamespace := range requested.ResolveNamespaces(currentNamespace) {
+			if ns == requestedNamespace &&
+				matches(p.Verbs, requested.Verbs, false) &&
+				matches(p.APIGroups, requested.APIGroups, false) &&
+				matches(p.Resources, requested.Resources, false) &&
+				matches(p.ResourceNames, requested.ResourceNames, true) {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
 func (p PolicyRule) IsAccountScoped() bool {
 	for _, scope := range p.Scopes {
 		if scope == "" {
@@ -289,13 +343,38 @@ func (p PolicyRule) Namespaces() (result []string) {
 	return
 }
 
+func GroupByServiceName(perms []Permissions) map[string]Permissions {
+	byServiceName := map[string]Permissions{}
+
+	for _, perm := range perms {
+		existing := byServiceName[perm.ServiceName]
+		existing.ServiceName = perm.ServiceName
+		existing.Rules = append(existing.Rules, perm.Rules...)
+		byServiceName[perm.ServiceName] = existing
+	}
+
+	return byServiceName
+}
+
 type Permissions struct {
 	ServiceName string       `json:"serviceName,omitempty"`
 	Rules       []PolicyRule `json:"rules,omitempty"`
 	// Deprecated, use Rules with the 'scopes: ["cluster"]' field
 	ZZ_ClusterRules []PolicyRule `json:"clusterRules,omitempty"`
 }
 
+func (in Permissions) Grants(currentNamespace string, forService string, requested PolicyRule) bool {
+	if in.ServiceName != forService {
+		return false
+	}
+	for _, granted := range in.GetRules() {
+		if granted.Grants(currentNamespace, requested) {
+			return true
+		}
+	}
+	return false
+}
+
 func (in Permissions) GetRules() []PolicyRule {
 	result := in.Rules
 	for _, rule := range in.ZZ_ClusterRules {
@@ -321,13 +400,27 @@ func (in *Permissions) Get() Permissions {
 	return *in
 }
 
-func FindPermission(serviceName string, perms []Permissions) Permissions {
+func Grants(grantedPermissions Permissions, currentNamespace string, requestedPermissions Permissions) (missing Permissions, granted bool) {
+	missing.ServiceName = requestedPermissions.ServiceName
+
+	for _, requested := range requestedPermissions.Rules {
+		if grantedPermissions.Grants(currentNamespace, requestedPermissions.ServiceName, requested) {
+			continue
+		}
+		missing.Rules = append(missing.Rules, requested)
+	}
+
+	return missing, len(missing.Rules) == 0
+}
+
+func FindPermission(serviceName string, perms []Permissions) (result Permissions) {
+	result.ServiceName = serviceName
 	for _, perm := range perms {
-		if serviceName == perm.ServiceName {
-			return perm
+		if perm.ServiceName == serviceName {
+			result.Rules = append(result.Rules, perm.GetRules()...)
 		}
 	}
-	return Permissions{}
+	return
 }
 
 type Files map[string]File
@@ -418,24 +511,33 @@ type Router struct {
 	Routes      Routes            `json:"routes,omitempty"`
 }
 
+func (in Acorn) GetOriginalImage() string {
+	originalImage := in.Image
+	if in.Build != nil && in.Build.OriginalImage != "" {
+		originalImage = in.Build.OriginalImage
+	}
+	return originalImage
+}
+
 type Acorn struct {
-	Labels              ScopedLabels    `json:"labels,omitempty"`
-	Annotations         ScopedLabels    `json:"annotations,omitempty"`
-	Image               string          `json:"image,omitempty"`
-	Build               *AcornBuild     `json:"build,omitempty"`
-	Profiles            []string        `json:"profiles,omitempty"`
-	DeployArgs          GenericMap      `json:"deployArgs,omitempty"`
-	Publish             PortBindings    `json:"publish,omitempty"`
-	PublishMode         PublishMode     `json:"publishMode,omitempty"`
-	Environment         NameValues      `json:"environment,omitempty"`
-	Secrets             SecretBindings  `json:"secrets,omitempty"`
-	Volumes             VolumeBindings  `json:"volumes,omitempty"`
-	Links               ServiceBindings `json:"links,omitempty"`
-	AutoUpgrade         *bool           `json:"autoUpgrade,omitempty"`
-	NotifyUpgrade       *bool           `json:"notifyUpgrade,omitempty"`
-	AutoUpgradeInterval string          `json:"autoUpgradeInterval,omitempty"`
-	Memory              MemoryMap       `json:"memory,omitempty"`
-	ComputeClasses      ComputeClassMap `json:"computeClasses,omitempty"`
+	Labels              ScopedLabels           `json:"labels,omitempty"`
+	Annotations         ScopedLabels           `json:"annotations,omitempty"`
+	Image               string                 `json:"image,omitempty"`
+	Build               *AcornBuild            `json:"build,omitempty"`
+	Profiles            []string               `json:"profiles,omitempty"`
+	DeployArgs          GenericMap             `json:"deployArgs,omitempty"`
+	Publish             PortBindings           `json:"publish,omitempty"`
+	PublishMode         PublishMode            `json:"publishMode,omitempty"`
+	Environment         NameValues             `json:"environment,omitempty"`
+	Secrets             SecretBindings         `json:"secrets,omitempty"`
+	Volumes             VolumeBindings         `json:"volumes,omitempty"`
+	Links               ServiceBindings        `json:"links,omitempty"`
+	AutoUpgrade         *bool                  `json:"autoUpgrade,omitempty"`
+	NotifyUpgrade       *bool                  `json:"notifyUpgrade,omitempty"`
+	AutoUpgradeInterval string                 `json:"autoUpgradeInterval,omitempty"`
+	Memory              MemoryMap              `json:"memory,omitempty"`
+	ComputeClasses      ComputeClassMap        `json:"computeClasses,omitempty"`
+	Permissions         map[string]Permissions `json:"permissions,omitempty"`
 }
 
 type Secret struct {
@@ -474,31 +576,40 @@ type GeneratedService struct {
 }
 
 type Service struct {
-	Labels              ScopedLabels      `json:"labels,omitempty"`
-	Annotations         ScopedLabels      `json:"annotations,omitempty"`
-	Default             bool              `json:"default,omitempty"`
-	External            string            `json:"external,omitempty"`
-	Alias               string            `json:"alias,omitempty"`
-	Address             string            `json:"address,omitempty"`
-	Ports               Ports             `json:"ports,omitempty"`
-	Container           string            `json:"container,omitempty"`
-	Data                GenericMap        `json:"data,omitempty"`
-	Generated           *GeneratedService `json:"generated,omitempty"`
-	Image               string            `json:"image,omitempty"`
-	Build               *AcornBuild       `json:"build,omitempty"`
-	ServiceArgs         GenericMap        `json:"serviceArgs,omitempty"`
-	Environment         NameValues        `json:"environment,omitempty"`
-	Secrets             SecretBindings    `json:"secrets,omitempty"`
-	Links               ServiceBindings   `json:"links,omitempty"`
-	AutoUpgrade         *bool             `json:"autoUpgrade,omitempty"`
-	NotifyUpgrade       *bool             `json:"notifyUpgrade,omitempty"`
-	AutoUpgradeInterval string            `json:"autoUpgradeInterval,omitempty"`
-	Memory              MemoryMap         `json:"memory,omitempty"`
-}
-
-func (s Service) GetJob() string {
-	if s.Generated == nil {
+	Labels              ScopedLabels           `json:"labels,omitempty"`
+	Annotations         ScopedLabels           `json:"annotations,omitempty"`
+	Default             bool                   `json:"default,omitempty"`
+	External            string                 `json:"external,omitempty"`
+	Alias               string                 `json:"alias,omitempty"`
+	Address             string                 `json:"address,omitempty"`
+	Ports               Ports                  `json:"ports,omitempty"`
+	Container           string                 `json:"container,omitempty"`
+	Data                GenericMap             `json:"data,omitempty"`
+	Generated           *GeneratedService      `json:"generated,omitempty"`
+	Image               string                 `json:"image,omitempty"`
+	Build               *AcornBuild            `json:"build,omitempty"`
+	ServiceArgs         GenericMap             `json:"serviceArgs,omitempty"`
+	Environment         NameValues             `json:"environment,omitempty"`
+	Secrets             SecretBindings         `json:"secrets,omitempty"`
+	Links               ServiceBindings        `json:"links,omitempty"`
+	AutoUpgrade         *bool                  `json:"autoUpgrade,omitempty"`
+	NotifyUpgrade       *bool                  `json:"notifyUpgrade,omitempty"`
+	AutoUpgradeInterval string                 `json:"autoUpgradeInterval,omitempty"`
+	Memory              MemoryMap              `json:"memory,omitempty"`
+	Permissions         map[string]Permissions `json:"permissions,omitempty"`
+}
+
+func (in Service) GetOriginalImage() string {
+	originalImage := in.Image
+	if in.Build != nil && in.Build.OriginalImage != "" {
+		originalImage = in.Build.OriginalImage
+	}
+	return originalImage
+}
+
+func (in Service) GetJob() string {
+	if in.Generated == nil {
 		return ""
 	}
-	return s.Generated.Job
+	return in.Generated.Job
 }

pkg/apis/internal.acorn.io/v1/unmarshal.go

@@ -1368,7 +1368,8 @@ func ParseNameValues(fillEnv bool, s ...string) (result []NameValue) {
 	for _, s := range s {
 		k, v, _ := strings.Cut(s, "=")
 		if v == "" && fillEnv {
-			v = os.Getenv(k)
+			parts := strings.Split(k, ".")
+			v = os.Getenv(parts[len(parts)-1])
 		}
 		result = append(result, NameValue{
 			Name:  k,