ci: add role permissions validation

integration/Jenkinsfile

@@ -301,6 +301,7 @@ def void setupWorkspace() {
     git clone --single-branch --branch $BRANCH https://github.com/NetApp/harvest.git
     cp /u/mpeg/harvest/harvest_cert.yml $WORKSPACE/harvest/integration/test/
     cp /u/mpeg/harvest/harvest.yml $WORKSPACE/harvest/integration/test/
+    cp /u/mpeg/harvest/harvest_admin.yml $WORKSPACE/harvest/integration/test/
     ls -ltr $WORKSPACE/harvest/integration/test/
 '''
 }

integration/go.mod

@@ -7,9 +7,9 @@ toolchain go1.23.0
 replace github.com/netapp/harvest/v2 => ../
 
 require (
-	github.com/carlmjohnson/requests v0.24.2
-	github.com/netapp/harvest/v2 v2.0.0-20241001142758-f137ab714dd8
-	golang.org/x/text v0.20.0
+	github.com/carlmjohnson/requests v0.24.3
+	github.com/netapp/harvest/v2 v2.0.0-20241209123857-e401e50ef260
+	golang.org/x/text v0.21.0
 )
 
 require (
@@ -31,11 +31,11 @@ require (
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tklauser/go-sysconf v0.3.14 // indirect
-	github.com/tklauser/numcpus v0.8.0 // indirect
+	github.com/tklauser/numcpus v0.9.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	golang.org/x/net v0.29.0 // indirect
-	golang.org/x/sys v0.27.0 // indirect
-	golang.org/x/term v0.26.0 // indirect
+	golang.org/x/net v0.32.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/term v0.27.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

integration/go.sum

@@ -1,5 +1,5 @@
-github.com/carlmjohnson/requests v0.24.2 h1:JDakhAmTIKL/qL/1P7Kkc2INGBJIkIFP6xUeUmPzLso=
-github.com/carlmjohnson/requests v0.24.2/go.mod h1:duYA/jDnyZ6f3xbcF5PpZ9N8clgopubP2nK5i6MVMhU=
+github.com/carlmjohnson/requests v0.24.3 h1:LYcM/jVIVPkioigMjEAnBACXl2vb42TVqiC8EYNoaXQ=
+github.com/carlmjohnson/requests v0.24.3/go.mod h1:duYA/jDnyZ6f3xbcF5PpZ9N8clgopubP2nK5i6MVMhU=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -53,21 +53,21 @@ github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
 github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tklauser/go-sysconf v0.3.14 h1:g5vzr9iPFFz24v2KZXs/pvpvh8/V9Fw6vQK5ZZb78yU=
 github.com/tklauser/go-sysconf v0.3.14/go.mod h1:1ym4lWMLUOhuBOPGtRcJm7tEGX4SCYNEEEtghGG/8uY=
-github.com/tklauser/numcpus v0.8.0 h1:Mx4Wwe/FjZLeQsK/6kt2EOepwwSl7SmJrK5bV/dXYgY=
-github.com/tklauser/numcpus v0.8.0/go.mod h1:ZJZlAY+dmR4eut8epnzf0u/VwodKmryxR8txiloSqBE=
+github.com/tklauser/numcpus v0.9.0 h1:lmyCHtANi8aRUgkckBgoDk1nHCux3n2cgkJLXdQGPDo=
+github.com/tklauser/numcpus v0.9.0/go.mod h1:SN6Nq1O3VychhC1npsWostA+oW+VOQTxZrS604NSRyI=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
+golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
-golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
-golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E=
-golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
-golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

integration/test/counter_test.go

@@ -47,14 +47,16 @@ func TestCounters(t *testing.T) {
 	var (
 		poller *conf.Poller
 		client *rest2.Client
+		err    error
 	)
 
 	utils.SkipIfMissing(t, utils.Regression)
-	_, err := conf.LoadHarvestConfig(installer.HarvestConfigFile)
+	err = validateRolePermissions()
 	if err != nil {
-		slog.Error("Unable to load harvest config", slogx.Err(err))
+		slog.Error("role permission validation failed", slogx.Err(err))
 		os.Exit(1)
 	}
+	conf.TestLoadHarvestConfig(installer.HarvestConfigFile)
 
 	pollerName := "dc1"
 	if poller, err = conf.PollerNamed(pollerName); err != nil {
@@ -89,6 +91,55 @@ func TestCounters(t *testing.T) {
 
 }
 
+func validateRolePermissions() error {
+	var (
+		adminPoller *conf.Poller
+		adminClient *rest2.Client
+		err         error
+	)
+
+	// Load the admin poller from harvest_admin.yml
+	conf.TestLoadHarvestConfig(installer.HarvestAdminConfigFile)
+
+	pollerName := "dc1-admin"
+	if adminPoller, err = conf.PollerNamed(pollerName); err != nil {
+		return fmt.Errorf("unable to find poller %s: %w", pollerName, err)
+	}
+	if adminPoller.Addr == "" {
+		return fmt.Errorf("admin poller address is empty for poller %s", pollerName)
+	}
+
+	timeout, _ := time.ParseDuration(rest2.DefaultTimeout)
+	if adminClient, err = rest2.New(adminPoller, timeout, auth.NewCredentials(adminPoller, slog.Default())); err != nil {
+		return fmt.Errorf("error creating new admin client for poller %s: %w", pollerName, err)
+	}
+
+	if err = adminClient.Init(5, conf.Remote{}); err != nil {
+		return fmt.Errorf("admin client init failed for poller %s: %w", pollerName, err)
+	}
+
+	// Invoke the REST call to the specified endpoint
+	apiEndpoint := "api/private/cli/security/login/rest-role"
+	href := rest2.NewHrefBuilder().
+		APIPath(apiEndpoint).
+		Filter([]string{"role=harvest-rest-role", "api=/api/private/cli"}).
+		Build()
+
+	response, err := collectors.InvokeRestCall(adminClient, href)
+	if err != nil {
+		return fmt.Errorf("failed to invoke admin rest call to %s: %w", apiEndpoint, err)
+	}
+
+	for _, instanceData := range response {
+		api := instanceData.Get("api")
+		if api.Exists() {
+			return fmt.Errorf("unexpected 'api' field found in the response data; permissions for /api/private/cli should not be present")
+		}
+	}
+
+	return nil
+}
+
 func invokeRestCall(client *rest2.Client, counters map[string][]counterData) error {
 	for _, countersDetail := range counters {
 		for _, counterDetail := range countersDetail {

integration/test/installer/installerFactory.go

@@ -5,11 +5,12 @@ import (
 )
 
 const (
-	RHEL              = "rpm"
-	NATIVE            = "tar"
-	HarvestConfigFile = "harvest.yml"
-	GRAFANA           = "grafana"
-	PROMETHEUS        = "prometheus"
+	RHEL                   = "rpm"
+	NATIVE                 = "tar"
+	HarvestConfigFile      = "harvest.yml"
+	HarvestAdminConfigFile = "harvest_admin.yml"
+	GRAFANA                = "grafana"
+	PROMETHEUS             = "prometheus"
 )
 
 func GetInstaller(installType string, path string) (Installer, error) {