feat: add support for Kong Enterprise RBAC resources

cmd/common.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"os"
 
@@ -145,6 +146,9 @@ func syncMain(filenames []string, dry bool, parallelism, delay int, workspace st
 	if err != nil {
 		return err
 	}
+	if err := checkForRBACResources(*rawState, dumpConfig.RBACResourcesOnly); err != nil {
+		return err
+	}
 	targetState, err := state.Get(rawState)
 	if err != nil {
 		return err
@@ -216,3 +220,34 @@ func validateNoArgs(cmd *cobra.Command, args []string) error {
 	}
 	return nil
 }
+
+func checkForRBACResources(content utils.KongRawState,
+	rbacResourcesOnly bool) error {
+	proxyConfig := containsProxyConfiguration(content)
+	rbacConfig := containsRBACConfiguration(content)
+	if proxyConfig && rbacConfig {
+		common := "At a time, state file(s) must entirely consist of either proxy " +
+			"configuration or RBAC configuration."
+		if rbacResourcesOnly {
+			return fmt.Errorf("When --rbac-resources-only is used, state file(s) " +
+				"cannot contain any resources other than RBAC resources. " + common)
+		}
+		return fmt.Errorf("State file(s) contains RBAC resources. " +
+			"Please use --rbac-resources-only flag to manage these resources. " + common)
+	}
+	return nil
+}
+
+func containsProxyConfiguration(content utils.KongRawState) bool {
+	return len(content.Services) != 0 ||
+		len(content.Routes) != 0 ||
+		len(content.Plugins) != 0 ||
+		len(content.Upstreams) != 0 ||
+		len(content.Certificates) != 0 ||
+		len(content.CACertificates) != 0 ||
+		len(content.Consumers) != 0
+}
+
+func containsRBACConfiguration(content utils.KongRawState) bool {
+	return len(content.RBACRoles) != 0
+}

cmd/diff.go

@@ -54,6 +54,8 @@ func init() {
 		"select-tag", []string{},
 		"only entities matching tags specified via this flag are diffed.\n"+
 			"Multiple tags are ANDed together.")
+	diffCmd.Flags().BoolVar(&dumpConfig.RBACResourcesOnly, "rbac-resources-only",
+		false, "sync only the RBAC resources (Kong Enterprise only)")
 	diffCmd.Flags().BoolVar(&diffCmdNonZeroExitCode, "non-zero-exit-code",
 		false, "return exit code 2 if there is a diff present,\n"+
 			"exit code 0 if no diff is found,\n"+

cmd/dump.go

@@ -168,5 +168,6 @@ func init() {
 		"select-tag", []string{},
 		"only entities matching tags specified via this flag are exported.\n"+
 			"Multiple tags are ANDed together.")
-
+	dumpCmd.Flags().BoolVar(&dumpConfig.RBACResourcesOnly, "rbac-resources-only",
+		false, "export only the RBAC resources (Kong Enterprise only)")
 }

cmd/reset.go

@@ -135,4 +135,6 @@ func init() {
 		"select-tag", []string{},
 		"only entities matching tags specified via this flag are deleted.\n"+
 			"Multiple tags are ANDed together.")
+	resetCmd.Flags().BoolVar(&dumpConfig.RBACResourcesOnly, "rbac-resources-only",
+		false, "reset only the RBAC resources (Kong Enterprise only)")
 }

cmd/sync.go

@@ -51,6 +51,8 @@ func init() {
 		"select-tag", []string{},
 		"only entities matching tags specified via this flag are synced.\n"+
 			"Multiple tags are ANDed together.")
+	syncCmd.Flags().BoolVar(&dumpConfig.RBACResourcesOnly, "rbac-resources-only",
+		false, "diff only the RBAC resources (Kong Enterprise only)")
 	syncCmd.Flags().IntVar(&syncCmdDBUpdateDelay, "db-update-propagation-delay",
 		0, "aritificial delay in seconds that is injected between insert operations \n"+
 			"for related entities (usually for cassandra deployments).\n"+

cmd/validate.go

@@ -8,7 +8,8 @@ import (
 )
 
 var (
-	validateCmdKongStateFile []string
+	validateCmdKongStateFile     []string
+	validateCmdRBACResourcesOnly bool
 )
 
 // validateCmd represents the diff command
@@ -43,6 +44,9 @@ this command.
 		if err != nil {
 			return err
 		}
+		if err := checkForRBACResources(*rawState, validateCmdRBACResourcesOnly); err != nil {
+			return err
+		}
 		// this catches foreign relation errors
 		_, err = state.Get(rawState)
 		if err != nil {
@@ -62,6 +66,8 @@ this command.
 
 func init() {
 	rootCmd.AddCommand(validateCmd)
+	validateCmd.Flags().BoolVar(&validateCmdRBACResourcesOnly, "rbac-resources-only",
+		false, "indicate that the state file(s) contain RBAC resources only (Kong Enterprise only)")
 	validateCmd.Flags().StringSliceVarP(&validateCmdKongStateFile,
 		"state", "s", []string{"kong.yaml"}, "file(s) containing Kong's configuration.\n"+
 			"This flag can be specified multiple times for multiple files.\n"+

crud/registry.go

@@ -1,6 +1,8 @@
 package crud
 
-import "github.com/pkg/errors"
+import (
+	"github.com/pkg/errors"
+)
 
 // Kind represents Kind of an entity or object.
 type Kind string

diff/diff.go

@@ -71,6 +71,8 @@ func NewSyncer(current, target *state.KongState) (*Syncer, error) {
 	s.postProcess.MustRegister("acl-group", &aclGroupPostAction{current})
 	s.postProcess.MustRegister("oauth2-cred", &oauth2CredPostAction{current})
 	s.postProcess.MustRegister("mtls-auth", &mtlsAuthPostAction{current})
+	s.postProcess.MustRegister("rbac-role", &rbacRolePostAction{current})
+	s.postProcess.MustRegister("rbac-endpointpermission", &rbacEndpointPermissionPostAction{current})
 	return s, nil
 }
 
@@ -179,6 +181,20 @@ func (sc *Syncer) delete() error {
 		return err
 	}
 
+	err = sc.deleteRBACEndpointPermissions()
+	if err != nil {
+		return err
+	}
+
+	// barrier for foreign relations
+	// RBAC endpoint permissions must be deleted before RBAC roles
+	sc.wait()
+
+	err = sc.deleteRBACRoles()
+	if err != nil {
+		return err
+	}
+
 	// finish delete before returning
 	sc.wait()
 
@@ -272,6 +288,20 @@ func (sc *Syncer) createUpdate() error {
 		return err
 	}
 
+	err = sc.createUpdateRBACRoles()
+	if err != nil {
+		return err
+	}
+
+	// barrier for foreign relations
+	// RBAC roles must be created before endpoint permissions
+	sc.wait()
+
+	err = sc.createUpdateRBACEndpointPermissions()
+	if err != nil {
+		return err
+	}
+
 	// finish createUpdate before returning
 	sc.wait()
 

diff/postProcess.go

@@ -262,3 +262,35 @@ func (crud *mtlsAuthPostAction) Delete(args ...crud.Arg) (crud.Arg, error) {
 func (crud *mtlsAuthPostAction) Update(args ...crud.Arg) (crud.Arg, error) {
 	return nil, crud.currentState.MTLSAuths.Update(*args[0].(*state.MTLSAuth))
 }
+
+type rbacRolePostAction struct {
+	currentState *state.KongState
+}
+
+func (crud *rbacRolePostAction) Create(args ...crud.Arg) (crud.Arg, error) {
+	return nil, crud.currentState.RBACRoles.Add(*args[0].(*state.RBACRole))
+}
+
+func (crud *rbacRolePostAction) Delete(args ...crud.Arg) (crud.Arg, error) {
+	return nil, crud.currentState.RBACRoles.Delete(*((args[0].(*state.RBACRole)).ID))
+}
+
+func (crud *rbacRolePostAction) Update(args ...crud.Arg) (crud.Arg, error) {
+	return nil, crud.currentState.RBACRoles.Update(*args[0].(*state.RBACRole))
+}
+
+type rbacEndpointPermissionPostAction struct {
+	currentState *state.KongState
+}
+
+func (crud *rbacEndpointPermissionPostAction) Create(args ...crud.Arg) (crud.Arg, error) {
+	return nil, crud.currentState.RBACEndpointPermissions.Add(*args[0].(*state.RBACEndpointPermission))
+}
+
+func (crud *rbacEndpointPermissionPostAction) Delete(args ...crud.Arg) (crud.Arg, error) {
+	return nil, crud.currentState.RBACEndpointPermissions.Delete(args[0].(*state.RBACEndpointPermission).Identifier())
+}
+
+func (crud *rbacEndpointPermissionPostAction) Update(args ...crud.Arg) (crud.Arg, error) {
+	return nil, crud.currentState.RBACEndpointPermissions.Update(*args[0].(*state.RBACEndpointPermission))
+}

diff/rbac_endpoint_permission.go

@@ -0,0 +1,94 @@
+package diff
+
+import (
+	"github.com/kong/deck/crud"
+	"github.com/kong/deck/state"
+	"github.com/pkg/errors"
+)
+
+func (sc *Syncer) deleteRBACEndpointPermissions() error {
+	currentRBACEndpointPermissions, err := sc.currentState.RBACEndpointPermissions.GetAll()
+	if err != nil {
+		return errors.Wrap(err, "error fetching eps from state")
+	}
+
+	for _, ep := range currentRBACEndpointPermissions {
+		n, err := sc.deleteRBACEndpointPermission(ep)
+		if err != nil {
+			return err
+		}
+		if n != nil {
+			err = sc.queueEvent(*n)
+			if err != nil {
+				return err
+			}
+		}
+
+	}
+	return nil
+}
+
+func (sc *Syncer) deleteRBACEndpointPermission(ep *state.RBACEndpointPermission) (*Event, error) {
+	_, err := sc.targetState.RBACEndpointPermissions.Get(ep.Identifier())
+	if err == state.ErrNotFound {
+		return &Event{
+			Op:   crud.Delete,
+			Kind: "rbac-endpointpermission",
+			Obj:  ep,
+		}, nil
+	}
+	if err != nil {
+		return nil, errors.Wrapf(err, "looking up rbac ep '%v'",
+			ep.ID)
+	}
+	return nil, nil
+}
+
+func (sc *Syncer) createUpdateRBACEndpointPermissions() error {
+	targetRBACEndpointPermissions, err := sc.targetState.RBACEndpointPermissions.GetAll()
+	if err != nil {
+		return errors.Wrap(err, "error fetching rbac eps from state")
+	}
+
+	for _, ep := range targetRBACEndpointPermissions {
+		n, err := sc.createUpdateRBACEndpointPermission(ep)
+		if err != nil {
+			return err
+		}
+		if n != nil {
+			err = sc.queueEvent(*n)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (sc *Syncer) createUpdateRBACEndpointPermission(ep *state.RBACEndpointPermission) (*Event, error) {
+	epCopy := &state.RBACEndpointPermission{RBACEndpointPermission: *ep.DeepCopy()}
+	currentEp, err := sc.currentState.RBACEndpointPermissions.Get(ep.Identifier())
+
+	if err == state.ErrNotFound {
+		return &Event{
+			Op:   crud.Create,
+			Kind: "rbac-endpointpermission",
+			Obj:  epCopy,
+		}, nil
+	}
+	if err != nil {
+		return nil, errors.Wrapf(err, "error looking up rbac endpoint permission %v",
+			ep.Identifier())
+	}
+
+	// found, check if update needed
+	if !currentEp.EqualWithOpts(epCopy, false, true, false) {
+		return &Event{
+			Op:     crud.Update,
+			Kind:   "rbac-endpointpermission",
+			Obj:    epCopy,
+			OldObj: currentEp,
+		}, nil
+	}
+	return nil, nil
+}