feat: only allow admins to generate new agents

flanksource · Aug 18, 2023 · 211f5a5 · 211f5a5
1 parent 5227153
commit 211f5a5
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/cmd/server.go b/cmd/server.go
@@ -149,7 +149,7 @@ func createHTTPServer(gormDB *gorm.DB) *echo.Echo {
 	upstreamGroup.GET("/canary/pull/:agent_name", canary.Pull)
 	upstreamGroup.GET("/status/:agent_name", upstream.Status)
 
-	e.POST("/agent/generate", agent.GenerateAgent)
+	e.POST("/agent/generate", agent.GenerateAgent, rbac.Authorization(rbac.ObjectAgentCreate, rbac.ActionWrite))
 
 	forward(e, "/config", configDb)
 	forward(e, "/canary", api.CanaryCheckerPath)

diff --git a/rbac/init.go b/rbac/init.go
@@ -43,10 +43,11 @@ const (
 	ActionCreate = "create"
 
 	// Objects
-	ObjectRBAC      = "rbac"
-	ObjectAuth      = "auth"
-	ObjectAgentPush = "agent-push"
-	ObjectDatabase  = "database"
+	ObjectRBAC        = "rbac"
+	ObjectAuth        = "auth"
+	ObjectAgentPush   = "agent-push"
+	ObjectAgentCreate = "agent-create"
+	ObjectDatabase    = "database"
 
 	ObjectDatabaseResponder      = "database.responder"
 	ObjectDatabaseIncident       = "database.incident"
@@ -101,6 +102,7 @@ func Init(adminUserID string) error {
 		{RoleAdmin, ObjectRBAC, ActionWrite},
 		{RoleAdmin, ObjectAuth, ActionWrite},
 		{RoleAdmin, ObjectAgentPush, ActionWrite},
+		{RoleAdmin, ObjectAgentCreate, ActionWrite},
 		{RoleAdmin, ObjectDatabaseIdentity, ActionRead},
 		{RoleAdmin, ObjectDatabaseConnection, ActionRead},
 		{RoleAdmin, ObjectDatabaseConnection, ActionCreate},