Merge pull request #3334 from mjudeikis/mjudeikis/add.bind.permissions.claims.flag

kcp-ci-bot · web-flow · commit 5ae636ac7972 · 2025-03-16T15:12:26.000+01:00
✨ Add --{accept/reject}-permission-claim flag to bind cli
diff --git a/cli/pkg/bind/cmd/cmd.go b/cli/pkg/bind/cmd/cmd.go
@@ -30,6 +30,12 @@ var (
 	bindExampleUses = `
 	# Create an APIBinding named "my-binding" that binds to the APIExport "my-export" in the "root:my-service" workspace.
 	%[1]s bind apiexport root:my-service:my-export --name my-binding
+
+	# Create an APIBinding named "my-binding" that binds to the APIExport "my-export" in the "root:my-service" workspace with accepted permission claims.
+	%[1]s bind apiexport root:my-service:my-export --name my-binding --accept-permission-claims core.secrets,core.configmaps
+
+	# Create an APIBinding named "my-binding" that binds to the APIExport "my-export" in the "root:my-service" workspace with rejected permission claims.
+	%[1]s bind apiexport root:my-service:my-export --name my-binding --reject-permission-claims core.secrets,core.configmaps
 	`
 )
 
diff --git a/cli/pkg/bind/plugin/bind.go b/cli/pkg/bind/plugin/bind.go
@@ -21,6 +21,7 @@ import (
 	"errors"
 	"fmt"
 	"net/url"
+	"strings"
 	"time"
 
 	"github.com/spf13/cobra"
@@ -48,6 +49,15 @@ type BindOptions struct {
 	APIBindingName string
 	// BindWaitTimeout is how long to wait for the APIBinding to be created and successful.
 	BindWaitTimeout time.Duration
+	// AcceptedPermissionClaims is the list of accepted permission claims for the APIBinding.
+	AcceptedPermissionClaims []string
+	// RejectedPermissionClaims is the list of rejected permission claims for the APIBinding.
+	RejectedPermissionClaims []string
+
+	// acceptedPermissionClaims is the parsed list of accepted permission claims for the APIBinding parsed from AcceptedPermissionClaims.
+	acceptedPermissionClaims []apisv1alpha1.AcceptablePermissionClaim
+	// rejectedPermissionClaims is the parsed list of rejected permission claims for the APIBinding parsed from RejectedPermissionClaims.
+	rejectedPermissionClaims []apisv1alpha1.AcceptablePermissionClaim
 }
 
 // NewBindOptions returns new BindOptions.
@@ -63,6 +73,8 @@ func (b *BindOptions) BindFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&b.APIBindingName, "name", b.APIBindingName, "Name of the APIBinding to create.")
 	cmd.Flags().DurationVar(&b.BindWaitTimeout, "timeout", time.Second*30, "Duration to wait for APIBinding to be created successfully.")
+	cmd.Flags().StringSliceVar(&b.AcceptedPermissionClaims, "accept-permission-claim", nil, "List of accepted permission claims for the APIBinding. Format:  --accept-permission-claim resource.group")
+	cmd.Flags().StringSliceVarP(&b.RejectedPermissionClaims, "reject-permission-claim", "", nil, "List of rejected permission claims for the APIBinding. Format:  --reject-permission-claim resource.group")
 }
 
 // Complete ensures all fields are initialized.
@@ -90,6 +102,37 @@ func (b *BindOptions) Validate() error {
 		return fmt.Errorf("fully qualified reference to workspace where APIExport exists is required. The format is `<logical-cluster-name>:<apiexport>` or `<full>:<path>:<to>:<apiexport>`")
 	}
 
+	if b.AcceptedPermissionClaims != nil {
+		var errs []error
+		for _, claim := range b.AcceptedPermissionClaims {
+			if err := b.parsePermissionClaim(claim, true); err != nil {
+				errs = append(errs, err)
+			}
+		}
+		if len(errs) > 0 {
+			return fmt.Errorf("invalid accepted permission claims: %v", errs)
+		}
+	}
+	if b.RejectedPermissionClaims != nil {
+		var errs []error
+		for _, claim := range b.RejectedPermissionClaims {
+			if err := b.parsePermissionClaim(claim, false); err != nil {
+				errs = append(errs, err)
+			}
+		}
+		if len(errs) > 0 {
+			return fmt.Errorf("invalid rejected permission claims: %v", errs)
+		}
+	}
+	// once parsed we can validate if the dont conflict with each other
+	for _, acceptedClaim := range b.acceptedPermissionClaims {
+		for _, rejectedClaim := range b.rejectedPermissionClaims {
+			if acceptedClaim.Group == rejectedClaim.Group && acceptedClaim.Resource == rejectedClaim.Resource {
+				return fmt.Errorf("accepted permission claim %s conflicts with rejected permission claim %s", acceptedClaim, rejectedClaim)
+			}
+		}
+	}
+
 	return b.Options.Validate()
 }
 
@@ -127,6 +170,13 @@ func (b *BindOptions) Run(ctx context.Context) error {
 		},
 	}
 
+	if len(b.acceptedPermissionClaims) > 0 {
+		binding.Spec.PermissionClaims = b.acceptedPermissionClaims
+	}
+	if len(b.rejectedPermissionClaims) > 0 {
+		binding.Spec.PermissionClaims = append(binding.Spec.PermissionClaims, b.rejectedPermissionClaims...)
+	}
+
 	kcpclient, err := newKCPClusterClient(config)
 	if err != nil {
 		return err
@@ -164,6 +214,38 @@ func (b *BindOptions) Run(ctx context.Context) error {
 	return nil
 }
 
+func (b *BindOptions) parsePermissionClaim(claim string, accepted bool) error {
+	claimParts := strings.Split(claim, ".")
+	if len(claimParts) != 2 {
+		return fmt.Errorf("invalid permission claim %q", claim)
+	}
+
+	parsedClaim := apisv1alpha1.AcceptablePermissionClaim{}
+	resource := claimParts[0]
+	group := claimParts[1]
+	if group == "core" {
+		group = ""
+	}
+
+	parsedClaim.Group = group
+	parsedClaim.Resource = resource
+	if accepted {
+		parsedClaim.State = apisv1alpha1.ClaimAccepted
+	} else {
+		parsedClaim.State = apisv1alpha1.ClaimRejected
+	}
+	// TODO(mjudeikis): Once we add support for selectors/
+	parsedClaim.All = true
+
+	if accepted {
+		b.acceptedPermissionClaims = append(b.acceptedPermissionClaims, parsedClaim)
+	} else {
+		b.rejectedPermissionClaims = append(b.rejectedPermissionClaims, parsedClaim)
+	}
+
+	return nil
+}
+
 func newKCPClusterClient(config *rest.Config) (kcpclientset.ClusterInterface, error) {
 	clusterConfig := rest.CopyConfig(config)
 	u, err := url.Parse(config.Host)
diff --git a/cli/pkg/bind/plugin/bind_test.go b/cli/pkg/bind/plugin/bind_test.go
@@ -14,50 +14,89 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package plugin_test
+package plugin
 
 import (
 	"testing"
-
-	"github.com/kcp-dev/kcp/cli/pkg/bind/plugin"
 )
 
 func TestBindOptionsValidate(t *testing.T) {
 	testCases := []struct {
 		description string
-		bindOptions plugin.BindOptions
+		bindOptions BindOptions
 		wantValid   bool
 	}{
 		{
 			description: "Fully-qualified APIExport reference with dashes",
-			bindOptions: plugin.BindOptions{APIExportRef: "test-root:test-workspace:test-apiexport-123"},
+			bindOptions: BindOptions{APIExportRef: "test-root:test-workspace:test-apiexport-123"},
 			wantValid:   true,
 		},
 		{
 			description: "Fully-qualified APIExport reference with dots in the name",
-			bindOptions: plugin.BindOptions{APIExportRef: "test-root:test-workspace:test.apiexport.123"},
+			bindOptions: BindOptions{APIExportRef: "test-root:test-workspace:test.apiexport.123"},
 			wantValid:   true,
 		},
 		{
 			description: "Fully-qualified APIExport reference with special characters in the name",
-			bindOptions: plugin.BindOptions{APIExportRef: "test-root:test-workspace:test@apiexport=123"},
+			bindOptions: BindOptions{APIExportRef: "test-root:test-workspace:test@apiexport=123"},
 			wantValid:   true,
 		},
 		{
 			description: "Fully-qualified APIExport reference with upper-case characters in the name",
-			bindOptions: plugin.BindOptions{APIExportRef: "test-root:test-workspace:testAPIExport123"},
+			bindOptions: BindOptions{APIExportRef: "test-root:test-workspace:testAPIExport123"},
 			wantValid:   true,
 		},
 		{
 			description: "Fully-qualified APIExport reference with special characters in the path",
-			bindOptions: plugin.BindOptions{APIExportRef: "test-root:t@st-workspace:test-apiexport"},
+			bindOptions: BindOptions{APIExportRef: "test-root:t@st-workspace:test-apiexport"},
 			wantValid:   false,
 		},
 		{
 			description: "Fully-qualified APIExport reference with upper-case characters in the path",
-			bindOptions: plugin.BindOptions{APIExportRef: "test-root:TestWorkspace:test-apiexport"},
+			bindOptions: BindOptions{APIExportRef: "test-root:TestWorkspace:test-apiexport"},
 			wantValid:   false,
 		},
+		{
+			description: "Valid accepted permission claims",
+			bindOptions: BindOptions{
+				APIExportRef:             "test-root:test-workspace:test-apiexport",
+				AcceptedPermissionClaims: []string{"group.resource"},
+			},
+			wantValid: true,
+		},
+		{
+			description: "Valid rejected permission claims",
+			bindOptions: BindOptions{
+				APIExportRef:             "test-root:test-workspace:test-apiexport",
+				RejectedPermissionClaims: []string{"resource.group"},
+			},
+			wantValid: true,
+		},
+		{
+			description: "Conflicting accepted and rejected permission claims",
+			bindOptions: BindOptions{
+				APIExportRef:             "test-root:test-workspace:test-apiexport",
+				AcceptedPermissionClaims: []string{"resource.group"},
+				RejectedPermissionClaims: []string{"resource.group"},
+			},
+			wantValid: false,
+		},
+		{
+			description: "Invalid accepted permission claim format",
+			bindOptions: BindOptions{
+				APIExportRef:             "test-root:test-workspace:test-apiexport",
+				AcceptedPermissionClaims: []string{"invalidclaim"},
+			},
+			wantValid: false,
+		},
+		{
+			description: "Invalid rejected permission claim format",
+			bindOptions: BindOptions{
+				APIExportRef:             "test-root:test-workspace:test-apiexport",
+				RejectedPermissionClaims: []string{"invalidclaim"},
+			},
+			wantValid: false,
+		},
 	}
 
 	for _, c := range testCases {
@@ -74,3 +113,58 @@ func TestBindOptionsValidate(t *testing.T) {
 		})
 	}
 }
+
+func TestParsePermissionClaim(t *testing.T) {
+	testCases := []struct {
+		description string
+		claim       string
+		accepted    bool
+		wantError   bool
+	}{
+		{
+			description: "Valid accepted permission claim",
+			claim:       "resource.group",
+			accepted:    true,
+			wantError:   false,
+		},
+		{
+			description: "Valid rejected permission claim",
+			claim:       "resource.group",
+			accepted:    false,
+			wantError:   false,
+		},
+		{
+			description: "Invalid permission claim format",
+			claim:       "invalidclaim",
+			accepted:    true,
+			wantError:   true,
+		},
+		{
+			description: "Empty permission claim",
+			claim:       "",
+			accepted:    true,
+			wantError:   true,
+		},
+		{
+			description: "Core group permission claim",
+			claim:       "resource.core",
+			accepted:    true,
+			wantError:   false,
+		},
+	}
+
+	for _, c := range testCases {
+		t.Run(c.description, func(t *testing.T) {
+			b := &BindOptions{}
+			err := b.parsePermissionClaim(c.claim, c.accepted)
+
+			if (err != nil) && !c.wantError {
+				t.Errorf("wanted %q to be parsed without error, but got error: %v", c.claim, err)
+			}
+
+			if (err == nil) && c.wantError {
+				t.Errorf("wanted %q to be parsed with error, but got no error", c.claim)
+			}
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,12 @@ var (`
`30`	`30`	bindExampleUses = `
`31`	`31`	`# Create an APIBinding named "my-binding" that binds to the APIExport "my-export" in the "root:my-service" workspace.`
`32`	`32`	`%[1]s bind apiexport root:my-service:my-export --name my-binding`
	`33`	`+`
	`34`	`+ # Create an APIBinding named "my-binding" that binds to the APIExport "my-export" in the "root:my-service" workspace with accepted permission claims.`
	`35`	`+ %[1]s bind apiexport root:my-service:my-export --name my-binding --accept-permission-claims core.secrets,core.configmaps`
	`36`	`+`
	`37`	`+ # Create an APIBinding named "my-binding" that binds to the APIExport "my-export" in the "root:my-service" workspace with rejected permission claims.`
	`38`	`+ %[1]s bind apiexport root:my-service:my-export --name my-binding --reject-permission-claims core.secrets,core.configmaps`
`33`	`39`	`
`34`	`40`	`)`
`35`	`41`