stackrox · rhybrillou · Nov 8, 2022 · Sep 15, 2022 · Sep 22, 2022 · Sep 22, 2022
diff --git a/central/activecomponent/updater/updater_impl.go b/central/activecomponent/updater/updater_impl.go
@@ -25,7 +25,7 @@ var (
 
 	updaterCtx = sac.WithGlobalAccessScopeChecker(context.Background(),
 		sac.AllowFixedScopes(sac.AccessModeScopeKeys(storage.Access_READ_ACCESS, storage.Access_READ_WRITE_ACCESS),
-			sac.ResourceScopeKeys(resources.Deployment, resources.Image, resources.Indicator)))
+			sac.ResourceScopeKeys(resources.Deployment, resources.Image, resources.DeploymentExtension)))
 )
 
 type updaterImpl struct {

diff --git a/central/apitoken/backend/singleton.go b/central/apitoken/backend/singleton.go
@@ -29,7 +29,7 @@ func Singleton() Backend {
 		ctx := sac.WithGlobalAccessScopeChecker(context.Background(),
 			sac.AllowFixedScopes(
 				sac.AccessModeScopeKeys(storage.Access_READ_ACCESS, storage.Access_READ_WRITE_ACCESS),
-				sac.ResourceScopeKeys(resources.APIToken)))
+				sac.ResourceScopeKeys(resources.Integration)))
 
 		// Create and initialize source.
 		src := newSource()

diff --git a/central/apitoken/datastore/datastore_impl.go b/central/apitoken/datastore/datastore_impl.go
@@ -13,7 +13,7 @@ import (
 )
 
 var (
-	apiTokenSAC = sac.ForResource(resources.APIToken)
+	integrationSAC = sac.ForResource(resources.Integration)
 )
 
 type datastoreImpl struct {
@@ -23,7 +23,7 @@ type datastoreImpl struct {
 }
 
 func (b *datastoreImpl) AddToken(ctx context.Context, token *storage.TokenMetadata) error {
-	if ok, err := apiTokenSAC.WriteAllowed(ctx); err != nil {
+	if ok, err := integrationSAC.WriteAllowed(ctx); err != nil {
 		return err
 	} else if !ok {
 		return sac.ErrResourceAccessDenied
@@ -36,7 +36,7 @@ func (b *datastoreImpl) AddToken(ctx context.Context, token *storage.TokenMetada
 }
 
 func (b *datastoreImpl) GetTokenOrNil(ctx context.Context, id string) (token *storage.TokenMetadata, err error) {
-	if ok, err := apiTokenSAC.ReadAllowed(ctx); err != nil {
+	if ok, err := integrationSAC.ReadAllowed(ctx); err != nil {
 		return nil, err
 	} else if !ok {
 		return nil, nil
@@ -56,7 +56,7 @@ func (b *datastoreImpl) GetTokenOrNil(ctx context.Context, id string) (token *st
 }
 
 func (b *datastoreImpl) GetTokens(ctx context.Context, req *v1.GetAPITokensRequest) ([]*storage.TokenMetadata, error) {
-	if ok, err := apiTokenSAC.ReadAllowed(ctx); err != nil {
+	if ok, err := integrationSAC.ReadAllowed(ctx); err != nil {
 		return nil, err
 	} else if !ok {
 		return nil, nil
@@ -83,7 +83,7 @@ func (b *datastoreImpl) GetTokens(ctx context.Context, req *v1.GetAPITokensReque
 }
 
 func (b *datastoreImpl) RevokeToken(ctx context.Context, id string) (bool, error) {
-	if ok, err := apiTokenSAC.WriteAllowed(ctx); err != nil {
+	if ok, err := integrationSAC.WriteAllowed(ctx); err != nil {
 		return false, err
 	} else if !ok {
 		return false, sac.ErrResourceAccessDenied

diff --git a/central/apitoken/datastore/datastore_test.go b/central/apitoken/datastore/datastore_test.go
@@ -24,9 +24,6 @@ type apiTokenDataStoreTestSuite struct {
 	hasReadCtx  context.Context
 	hasWriteCtx context.Context
 
-	hasReadIntegrationCtx  context.Context
-	hasWriteIntegrationCtx context.Context
-
 	dataStore DataStore
 	storage   *storeMocks.MockStore
 
@@ -36,19 +33,10 @@ type apiTokenDataStoreTestSuite struct {
 func (s *apiTokenDataStoreTestSuite) SetupTest() {
 	s.hasNoneCtx = sac.WithGlobalAccessScopeChecker(context.Background(), sac.DenyAllAccessScopeChecker())
 	s.hasReadCtx = sac.WithGlobalAccessScopeChecker(context.Background(),
-		sac.AllowFixedScopes(
-			sac.AccessModeScopeKeys(storage.Access_READ_ACCESS),
-			sac.ResourceScopeKeys(resources.APIToken)))
-	s.hasWriteCtx = sac.WithGlobalAccessScopeChecker(context.Background(),
-		sac.AllowFixedScopes(
-			sac.AccessModeScopeKeys(storage.Access_READ_ACCESS, storage.Access_READ_WRITE_ACCESS),
-			sac.ResourceScopeKeys(resources.APIToken)))
-
-	s.hasReadIntegrationCtx = sac.WithGlobalAccessScopeChecker(context.Background(),
 		sac.AllowFixedScopes(
 			sac.AccessModeScopeKeys(storage.Access_READ_ACCESS),
 			sac.ResourceScopeKeys(resources.Integration)))
-	s.hasWriteIntegrationCtx = sac.WithGlobalAccessScopeChecker(context.Background(),
+	s.hasWriteCtx = sac.WithGlobalAccessScopeChecker(context.Background(),
 		sac.AllowFixedScopes(
 			sac.AccessModeScopeKeys(storage.Access_READ_ACCESS, storage.Access_READ_WRITE_ACCESS),
 			sac.ResourceScopeKeys(resources.Integration)))
@@ -64,59 +52,39 @@ func (s *apiTokenDataStoreTestSuite) TearDownTest() {
 
 func (s *apiTokenDataStoreTestSuite) TestAddToken() {
 	token := &storage.TokenMetadata{Id: "id"}
-	s.storage.EXPECT().Upsert(gomock.Any(), token).Return(nil).MaxTimes(2)
+	s.storage.EXPECT().Upsert(gomock.Any(), token).Return(nil).MaxTimes(1)
 
 	s.NoError(s.dataStore.AddToken(s.hasWriteCtx, token))
-
-	token.Id = "id2"
-
-	s.NoError(s.dataStore.AddToken(s.hasWriteIntegrationCtx, token))
 }
 
 func (s *apiTokenDataStoreTestSuite) TestGetTokenOrNil() {
 	expectedToken := &storage.TokenMetadata{Id: "id"}
-	s.storage.EXPECT().Get(gomock.Any(), "id").Return(nil, false, nil).MaxTimes(2)
+	s.storage.EXPECT().Get(gomock.Any(), "id").Return(nil, false, nil).MaxTimes(1)
 
 	token, err := s.dataStore.GetTokenOrNil(s.hasReadCtx, "id")
 	s.NoError(err)
 	s.Nil(token)
 
-	token, err = s.dataStore.GetTokenOrNil(s.hasReadIntegrationCtx, "id")
-	s.NoError(err)
-	s.Nil(token)
-
-	s.storage.EXPECT().Get(gomock.Any(), "id").Return(expectedToken, true, nil).MaxTimes(2)
+	s.storage.EXPECT().Get(gomock.Any(), "id").Return(expectedToken, true, nil).MaxTimes(1)
 
 	token, err = s.dataStore.GetTokenOrNil(s.hasReadCtx, "id")
 	s.NoError(err)
 	s.Equal(expectedToken, token)
-
-	token, err = s.dataStore.GetTokenOrNil(s.hasReadIntegrationCtx, "id")
-	s.NoError(err)
-	s.Equal(expectedToken, token)
 }
 
 func (s *apiTokenDataStoreTestSuite) TestRevokeToken() {
 	expectedToken := &storage.TokenMetadata{Id: "id"}
-	s.storage.EXPECT().Get(gomock.Any(), "id").Return(nil, false, nil).MaxTimes(2)
+	s.storage.EXPECT().Get(gomock.Any(), "id").Return(nil, false, nil).MaxTimes(1)
 
 	exists, err := s.dataStore.RevokeToken(s.hasWriteCtx, "id")
 	s.NoError(err)
 	s.False(exists)
 
-	exists, err = s.dataStore.RevokeToken(s.hasWriteIntegrationCtx, "id")
-	s.NoError(err)
-	s.False(exists)
-
-	s.storage.EXPECT().Get(gomock.Any(), "id").Return(expectedToken, true, nil).MaxTimes(2)
+	s.storage.EXPECT().Get(gomock.Any(), "id").Return(expectedToken, true, nil).MaxTimes(1)
 	expectedToken.Revoked = true
-	s.storage.EXPECT().Upsert(gomock.Any(), expectedToken).Return(nil).MaxTimes(2)
+	s.storage.EXPECT().Upsert(gomock.Any(), expectedToken).Return(nil).MaxTimes(1)
 
 	exists, err = s.dataStore.RevokeToken(s.hasWriteCtx, "id")
 	s.NoError(err)
 	s.True(exists)
-
-	exists, err = s.dataStore.RevokeToken(s.hasWriteIntegrationCtx, "id")
-	s.NoError(err)
-	s.True(exists)
 }
diff --git a/central/apitoken/service/service_impl.go b/central/apitoken/service/service_impl.go
@@ -24,11 +24,11 @@ import (
 
 var (
 	authorizer = perrpc.FromMap(map[authz.Authorizer][]string{
-		user.With(permissions.View(resources.APIToken)): {
+		user.With(permissions.View(resources.Integration)): {
 			"/v1.APITokenService/GetAPIToken",
 			"/v1.APITokenService/GetAPITokens",
 		},
-		user.With(permissions.Modify(resources.APIToken)): {
+		user.With(permissions.Modify(resources.Integration)): {
 			"/v1.APITokenService/GenerateToken",
 			"/v1.APITokenService/RevokeToken",
 		},

diff --git a/central/authprovider/datastore/datastore_impl.go b/central/authprovider/datastore/datastore_impl.go
@@ -14,7 +14,7 @@ import (
 )
 
 var (
-	authProviderSAC = sac.ForResource(resources.AuthProvider)
+	accessSAC = sac.ForResource(resources.Access)
 )
 
 type datastoreImpl struct {
@@ -30,7 +30,7 @@ func (b *datastoreImpl) GetAllAuthProviders(ctx context.Context) ([]*storage.Aut
 
 // AddAuthProvider adds an auth provider into bolt.
 func (b *datastoreImpl) AddAuthProvider(ctx context.Context, authProvider *storage.AuthProvider) error {
-	if ok, err := authProviderSAC.WriteAllowed(ctx); err != nil {
+	if ok, err := accessSAC.WriteAllowed(ctx); err != nil {
 		return err
 	} else if !ok {
 		return sac.ErrResourceAccessDenied
@@ -49,7 +49,7 @@ func (b *datastoreImpl) AddAuthProvider(ctx context.Context, authProvider *stora
 
 // UpdateAuthProvider upserts an auth provider into bolt.
 func (b *datastoreImpl) UpdateAuthProvider(ctx context.Context, authProvider *storage.AuthProvider) error {
-	if ok, err := authProviderSAC.WriteAllowed(ctx); err != nil {
+	if ok, err := accessSAC.WriteAllowed(ctx); err != nil {
 		return err
 	} else if !ok {
 		return sac.ErrResourceAccessDenied
@@ -67,7 +67,7 @@ func (b *datastoreImpl) UpdateAuthProvider(ctx context.Context, authProvider *st
 
 // RemoveAuthProvider removes an auth provider from bolt.
 func (b *datastoreImpl) RemoveAuthProvider(ctx context.Context, id string, force bool) error {
-	if ok, err := authProviderSAC.WriteAllowed(ctx); err != nil {
+	if ok, err := accessSAC.WriteAllowed(ctx); err != nil {
 		return err
 	} else if !ok {
 		return sac.ErrResourceAccessDenied

diff --git a/central/authprovider/datastore/datastore_impl_test.go b/central/authprovider/datastore/datastore_impl_test.go
@@ -38,11 +38,11 @@ func (s *authProviderDataStoreEnforceTestSuite) SetupTest() {
 	s.hasReadCtx = sac.WithGlobalAccessScopeChecker(context.Background(),
 		sac.AllowFixedScopes(
 			sac.AccessModeScopeKeys(storage.Access_READ_ACCESS),
-			sac.ResourceScopeKeys(resources.AuthProvider)))
+			sac.ResourceScopeKeys(resources.Access)))
 	s.hasWriteCtx = sac.WithGlobalAccessScopeChecker(context.Background(),
 		sac.AllowFixedScopes(
 			sac.AccessModeScopeKeys(storage.Access_READ_ACCESS, storage.Access_READ_WRITE_ACCESS),
-			sac.ResourceScopeKeys(resources.AuthProvider)))
+			sac.ResourceScopeKeys(resources.Access)))
 
 	s.mockCtrl = gomock.NewController(s.T())
 	s.storage = storeMocks.NewMockStore(s.mockCtrl)
@@ -97,8 +97,6 @@ type authProviderDataStoreTestSuite struct {
 	hasReadCtx  context.Context
 	hasWriteCtx context.Context
 
-	hasWriteAccessCtx context.Context
-
 	storage   *storeMocks.MockStore
 	dataStore authproviders.Store
 
@@ -110,12 +108,8 @@ func (s *authProviderDataStoreTestSuite) SetupTest() {
 	s.hasReadCtx = sac.WithGlobalAccessScopeChecker(context.Background(),
 		sac.AllowFixedScopes(
 			sac.AccessModeScopeKeys(storage.Access_READ_ACCESS),
-			sac.ResourceScopeKeys(resources.AuthProvider)))
+			sac.ResourceScopeKeys(resources.Access)))
 	s.hasWriteCtx = sac.WithGlobalAccessScopeChecker(context.Background(),
-		sac.AllowFixedScopes(
-			sac.AccessModeScopeKeys(storage.Access_READ_ACCESS, storage.Access_READ_WRITE_ACCESS),
-			sac.ResourceScopeKeys(resources.AuthProvider)))
-	s.hasWriteAccessCtx = sac.WithGlobalAccessScopeChecker(context.Background(),
 		sac.AllowFixedScopes(
 			sac.AccessModeScopeKeys(storage.Access_READ_ACCESS, storage.Access_READ_WRITE_ACCESS),
 			sac.ResourceScopeKeys(resources.Access)))
@@ -131,14 +125,11 @@ func (s *authProviderDataStoreTestSuite) TearDownTest() {
 }
 
 func (s *authProviderDataStoreTestSuite) TestAllowsAdd() {
-	s.storage.EXPECT().Upsert(gomock.Any(), gomock.Any()).Return(nil).Times(2)
-	s.storage.EXPECT().Exists(gomock.Any(), gomock.Any()).Return(false, nil).Times(2)
+	s.storage.EXPECT().Upsert(gomock.Any(), gomock.Any()).Return(nil).Times(1)
+	s.storage.EXPECT().Exists(gomock.Any(), gomock.Any()).Return(false, nil).Times(1)
 
 	err := s.dataStore.AddAuthProvider(s.hasWriteCtx, &storage.AuthProvider{})
 	s.NoError(err, "expected no error trying to write with permissions")
-
-	err = s.dataStore.AddAuthProvider(s.hasWriteAccessCtx, &storage.AuthProvider{})
-	s.NoError(err, "expected no error trying to write with Access permission")
 }
 
 func (s *authProviderDataStoreTestSuite) TestErrorOnAdd() {
@@ -149,14 +140,11 @@ func (s *authProviderDataStoreTestSuite) TestErrorOnAdd() {
 }
 
 func (s *authProviderDataStoreTestSuite) TestAllowsUpdate() {
-	s.storage.EXPECT().Upsert(gomock.Any(), gomock.Any()).Return(nil).Times(2)
-	s.storage.EXPECT().Get(gomock.Any(), gomock.Any()).Return(&storage.AuthProvider{}, true, nil).Times(2)
+	s.storage.EXPECT().Upsert(gomock.Any(), gomock.Any()).Return(nil).Times(1)
+	s.storage.EXPECT().Get(gomock.Any(), gomock.Any()).Return(&storage.AuthProvider{}, true, nil).Times(1)
 
 	err := s.dataStore.UpdateAuthProvider(s.hasWriteCtx, &storage.AuthProvider{})
 	s.NoError(err, "expected no error trying to write with permissions")
-
-	err = s.dataStore.UpdateAuthProvider(s.hasWriteAccessCtx, &storage.AuthProvider{})
-	s.NoError(err, "expected no error trying to write with Access permission")
 }
 
 func (s *authProviderDataStoreTestSuite) TestErrorOnUpdate() {
@@ -167,14 +155,11 @@ func (s *authProviderDataStoreTestSuite) TestErrorOnUpdate() {
 }
 
 func (s *authProviderDataStoreTestSuite) TestAllowsRemove() {
-	s.storage.EXPECT().Delete(gomock.Any(), gomock.Any()).Return(nil).Times(2)
-	s.storage.EXPECT().Get(gomock.Any(), gomock.Any()).Return(&storage.AuthProvider{}, true, nil).Times(2)
+	s.storage.EXPECT().Delete(gomock.Any(), gomock.Any()).Return(nil).Times(1)
+	s.storage.EXPECT().Get(gomock.Any(), gomock.Any()).Return(&storage.AuthProvider{}, true, nil).Times(1)
 
 	err := s.dataStore.RemoveAuthProvider(s.hasWriteCtx, "id", false)
 	s.NoError(err, "expected no error trying to write with permissions")
-
-	err = s.dataStore.RemoveAuthProvider(s.hasWriteAccessCtx, "id", false)
-	s.NoError(err, "expect no error trying to write with Access permissions")
 }
 
 func (s *authProviderDataStoreTestSuite) TestUpdateMutableToImmutable() {

diff --git a/central/authprovider/datastore/internal/store/postgres/store.go b/central/authprovider/datastore/internal/store/postgres/store.go
diff --git a/central/authprovider/service/service_impl.go b/central/authprovider/service/service_impl.go
@@ -32,11 +32,11 @@ var (
 			"/v1.AuthProviderService/GetLoginAuthProviders",
 			"/v1.AuthProviderService/ExchangeToken",
 		},
-		user.With(permissions.View(resources.AuthProvider)): {
+		user.With(permissions.View(resources.Access)): {
 			"/v1.AuthProviderService/GetAuthProvider",
 			"/v1.AuthProviderService/GetAuthProviders",
 		},
-		user.With(permissions.Modify(resources.AuthProvider)): {
+		user.With(permissions.Modify(resources.Access)): {
 			"/v1.AuthProviderService/PostAuthProvider",
 			"/v1.AuthProviderService/UpdateAuthProvider",
 			"/v1.AuthProviderService/PutAuthProvider",

diff --git a/central/certgen/service.go b/central/certgen/service.go
@@ -35,20 +35,23 @@ func (s *serviceImpl) RegisterServiceHandler(_ context.Context, _ *runtime.Serve
 func (s *serviceImpl) CustomRoutes() []routes.CustomRoute {
 	return []routes.CustomRoute{
 		{
-			Route:         "/api/extensions/certgen/central",
+			Route: "/api/extensions/certgen/central",
+			// TODO: ROX-12750 replace ServiceIdentity with Administration
 			Authorizer:    user.With(permissions.Modify(resources.ServiceIdentity)),
 			ServerHandler: http.HandlerFunc(s.centralHandler),
 			Compression:   false,
 		},
 		{
-			Route:         "/api/extensions/certgen/scanner",
+			Route: "/api/extensions/certgen/scanner",
+			// TODO: ROX-12750 replace ServiceIdentity with Administration
 			Authorizer:    user.With(permissions.Modify(resources.ServiceIdentity)),
 			ServerHandler: http.HandlerFunc(s.scannerHandler),
 			Compression:   false,
 		},
 
 		{
-			Route:         "/api/extensions/certgen/cluster",
+			Route: "/api/extensions/certgen/cluster",
+			// TODO: ROX-12750 replace ServiceIdentity with Administration
 			Authorizer:    user.With(permissions.Modify(resources.ServiceIdentity)),
 			ServerHandler: http.HandlerFunc(s.securedClusterHandler),
 			Compression:   false,

diff --git a/central/clusterinit/backend/access/access.go b/central/clusterinit/backend/access/access.go
@@ -12,7 +12,8 @@ import (
 
 // CheckAccess returns nil if requested access level is granted in context.
 func CheckAccess(ctx context.Context, access storage.Access) error {
-	helper := sac.ForResources(sac.ForResource(resources.ServiceIdentity), sac.ForResource(resources.APIToken))
+	// TODO: ROX-12750 replace ServiceIdentity with Administration
+	helper := sac.ForResources(sac.ForResource(resources.ServiceIdentity), sac.ForResource(resources.Integration))
 	if allowed, err := helper.AccessAllowedToAll(ctx, access); err != nil {
 		return errors.Wrap(err, "checking access")
 	} else if !allowed {