equinor · Richard87 · Sep 19, 2024 · Sep 19, 2024 · Sep 19, 2024 · Sep 19, 2024
diff --git a/api/applications/applications_handler_factory.go b/api/applications/applications_handler_factory.go
@@ -2,6 +2,7 @@ package applications
 
 import (
 	"context"
+
 	"github.com/equinor/radix-api/api/utils/access"
 	"github.com/equinor/radix-api/models"
 	authorizationapi "k8s.io/api/authorization/v1"

diff --git a/api/environments/component_handler.go b/api/environments/component_handler.go
@@ -108,6 +108,11 @@ func (eh EnvironmentHandler) RestartComponent(ctx context.Context, appName, envN
 // RestartComponentAuxiliaryResource Restarts a component's auxiliary resource
 func (eh EnvironmentHandler) RestartComponentAuxiliaryResource(ctx context.Context, appName, envName, componentName, auxType string) error {
 	log.Ctx(ctx).Info().Msgf("Restarting auxiliary resource %s for component %s, %s", auxType, componentName, appName)
+	if isAdmin, err := kubequery.IsRadixApplicationAdmin(ctx, eh.accounts.UserAccount.Client, appName); err != nil {
+		return err
+	} else if !isAdmin {
+		return http.ForbiddenError("you must be administrator to restart the Oauth2 Proxy service")
+	}
 
 	radixDeployment, err := kubequery.GetLatestRadixDeployment(ctx, eh.accounts.UserAccount.RadixClient, appName, envName)
 	if err != nil {
@@ -163,7 +168,7 @@ func canDeploymentBeRestarted(deployment *appsv1.Deployment) bool {
 }
 
 func (eh EnvironmentHandler) patchDeploymentForRestart(ctx context.Context, deployment *appsv1.Deployment) error {
-	deployClient := eh.accounts.UserAccount.Client.AppsV1().Deployments(deployment.GetNamespace())
+	deployClient := eh.accounts.ServiceAccount.Client.AppsV1().Deployments(deployment.GetNamespace())
 
 	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
 		deployToPatch, err := deployClient.Get(ctx, deployment.GetName(), metav1.GetOptions{})

diff --git a/api/environments/environment_handler.go b/api/environments/environment_handler.go
@@ -23,7 +23,7 @@ import (
 	"github.com/equinor/radix-common/utils/slice"
 	deployUtils "github.com/equinor/radix-operator/pkg/apis/deployment"
 	"github.com/equinor/radix-operator/pkg/apis/kube"
-	v1 "github.com/equinor/radix-operator/pkg/apis/radix/v1"
+	radixv1 "github.com/equinor/radix-operator/pkg/apis/radix/v1"
 	k8sObjectUtils "github.com/equinor/radix-operator/pkg/apis/utils"
 	"github.com/rs/zerolog/log"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -126,7 +126,7 @@ func (eh EnvironmentHandler) GetEnvironmentSummary(ctx context.Context, appName
 	if err != nil {
 		return nil, err
 	}
-	envNames := slice.Map(reList, func(re v1.RadixEnvironment) string { return re.Spec.EnvName })
+	envNames := slice.Map(reList, func(re radixv1.RadixEnvironment) string { return re.Spec.EnvName })
 	rdList, err := kubequery.GetRadixDeploymentsForEnvironments(ctx, eh.accounts.UserAccount.RadixClient, appName, envNames, 10)
 	if err != nil {
 		return nil, err
@@ -208,7 +208,7 @@ func (eh EnvironmentHandler) GetEnvironment(ctx context.Context, appName, envNam
 }
 
 // CreateEnvironment Handler for CreateEnvironment. Creates an environment if it does not exist
-func (eh EnvironmentHandler) CreateEnvironment(ctx context.Context, appName, envName string) (*v1.RadixEnvironment, error) {
+func (eh EnvironmentHandler) CreateEnvironment(ctx context.Context, appName, envName string) (*radixv1.RadixEnvironment, error) {
 	// ensure application exists
 	rr, err := eh.accounts.UserAccount.RadixClient.RadixV1().RadixRegistrations().Get(ctx, appName, metav1.GetOptions{})
 	if err != nil {
@@ -286,7 +286,7 @@ func (eh EnvironmentHandler) getNotOrphanedEnvNames(ctx context.Context, appName
 	}
 	return slice.Map(
 		slice.FindAll(reList, predicate.IsNotOrphanEnvironment),
-		func(re v1.RadixEnvironment) string { return re.Spec.EnvName },
+		func(re radixv1.RadixEnvironment) string { return re.Spec.EnvName },
 	), nil
 }
 
@@ -315,7 +315,7 @@ func (eh EnvironmentHandler) StopEnvironment(ctx context.Context, appName, envNa
 		return err
 	}
 	if radixDeployment == nil {
-		return http.ValidationError(v1.KindRadixDeployment, "no radix deployments found")
+		return http.ValidationError(radixv1.KindRadixDeployment, "no radix deployments found")
 	}
 
 	log.Ctx(ctx).Info().Msgf("Stopping components in environment %s, %s", envName, appName)
@@ -335,7 +335,7 @@ func (eh EnvironmentHandler) ResetManuallyStoppedComponentsInEnvironment(ctx con
 		return err
 	}
 	if radixDeployment == nil {
-		return http.ValidationError(v1.KindRadixDeployment, "no radix deployments found")
+		return http.ValidationError(radixv1.KindRadixDeployment, "no radix deployments found")
 	}
 
 	log.Ctx(ctx).Info().Msgf("Starting components in environment %s, %s", envName, appName)
@@ -356,7 +356,7 @@ func (eh EnvironmentHandler) RestartEnvironment(ctx context.Context, appName, en
 		return err
 	}
 	if radixDeployment == nil {
-		return http.ValidationError(v1.KindRadixDeployment, "no radix deployments found")
+		return http.ValidationError(radixv1.KindRadixDeployment, "no radix deployments found")
 	}
 
 	log.Ctx(ctx).Info().Msgf("Restarting components in environment %s, %s", envName, appName)
@@ -423,7 +423,7 @@ func (eh EnvironmentHandler) getRadixCommonComponentUpdater(ctx context.Context,
 		return nil, err
 	}
 	if rd == nil {
-		return nil, http.ValidationError(v1.KindRadixDeployment, "no radix deployments found")
+		return nil, http.ValidationError(radixv1.KindRadixDeployment, "no radix deployments found")
 	}
 	baseUpdater := &baseComponentUpdater{
 		appName:         appName,
@@ -432,7 +432,7 @@ func (eh EnvironmentHandler) getRadixCommonComponentUpdater(ctx context.Context,
 		radixDeployment: rd,
 	}
 	var updater radixDeployCommonComponentUpdater
-	var componentToPatch v1.RadixCommonDeployComponent
+	var componentToPatch radixv1.RadixCommonDeployComponent
 	componentIndex, componentToPatch := deployUtils.GetDeploymentComponent(rd, componentName)
 	if !radixutils.IsNil(componentToPatch) {
 		updater = &radixDeployComponentUpdater{base: baseUpdater}

diff --git a/api/kubequery/radixapplication.go b/api/kubequery/radixapplication.go
@@ -3,14 +3,27 @@ package kubequery
 import (
 	"context"
 
+	"github.com/equinor/radix-api/api/utils/access"
 	radixv1 "github.com/equinor/radix-operator/pkg/apis/radix/v1"
 	operatorUtils "github.com/equinor/radix-operator/pkg/apis/utils"
 	radixclient "github.com/equinor/radix-operator/pkg/client/clientset/versioned"
+	authorizationapi "k8s.io/api/authorization/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
 )
 
 // GetRadixApplication returns the RadixApplication for the specified application name.
 func GetRadixApplication(ctx context.Context, client radixclient.Interface, appName string) (*radixv1.RadixApplication, error) {
 	ns := operatorUtils.GetAppNamespace(appName)
 	return client.RadixV1().RadixApplications(ns).Get(ctx, appName, metav1.GetOptions{})
 }
+
+func IsRadixApplicationAdmin(ctx context.Context, kubeClient kubernetes.Interface, appName string) (bool, error) {
+	return access.HasAccess(ctx, kubeClient, &authorizationapi.ResourceAttributes{
+		Verb:     "patch",
+		Group:    "",
-		Group:    "",
+		Group: radixv1.GroupName,
-		Group:    "",
+		Group: radixv1.GroupName,
+		Resource: radixv1.KindRadixRegistration,
-		Resource: radixv1.KindRadixRegistration,
+		Resource: radixv1.ResourceRadixRegistrations,
-		Resource: radixv1.KindRadixRegistration,
+		Resource: radixv1.ResourceRadixRegistrations,
+		Version:  "*",
+		Name:     appName,
+	})
+}
diff --git a/go.mod b/go.mod
@@ -6,7 +6,7 @@ toolchain go1.22.5
 
 require (
 	github.com/cert-manager/cert-manager v1.15.0
-	github.com/equinor/radix-common v1.9.4
+	github.com/equinor/radix-common v1.9.5
 	github.com/equinor/radix-job-scheduler v1.11.0
 	github.com/equinor/radix-operator v1.58.3
 	github.com/evanphx/json-patch/v5 v5.9.0

diff --git a/go.sum b/go.sum
@@ -83,8 +83,8 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/equinor/radix-common v1.9.4 h1:ErSnB2tqlRwaQuQdaA0qzsReDtHDgubcvqRO098ncEw=
-github.com/equinor/radix-common v1.9.4/go.mod h1:+g0Wj0D40zz29DjNkYKVmCVeYy4OsFWKI7Qi9rA6kpY=
+github.com/equinor/radix-common v1.9.5 h1:p1xldkYUoavwIMguoxxOyVkOXLPA6K8qMsgzeztQtQw=
+github.com/equinor/radix-common v1.9.5/go.mod h1:+g0Wj0D40zz29DjNkYKVmCVeYy4OsFWKI7Qi9rA6kpY=
 github.com/equinor/radix-job-scheduler v1.11.0 h1:8wCmXOVl/1cto8q2WJQEE06Cw68/QmfoifYVR49vzkY=
 github.com/equinor/radix-job-scheduler v1.11.0/go.mod h1:yPXn3kDcMY0Z3kBkosjuefsdY1x2g0NlBeybMmHz5hc=
 github.com/equinor/radix-operator v1.58.3 h1:F4YhNkQ4uRONP125OTfG8hdy9PiyKlOWVO8/p2NIi70=