Generate helpers for servicepermissions

Author: majst01

generate/Makefile

@@ -17,4 +17,4 @@ go-mocks:
 		--user $$(id -u):$$(id -g) \
 		-w /work \
 		-v $(PWD):/work \
-		vektra/mockery:v2.52.3 --keeptree --inpackage --dir go --output go/tests/mocks --all --log-level debug
+		vektra/mockery:v2.53.0 --keeptree --inpackage --dir go --output go/tests/mocks --all --log-level debug

generate/generate.go

@@ -99,7 +99,10 @@ func servicePermissions(root string) (*permissions.ServicePermissions, error) {
 				serverReflectionInfov1alpha1: true,
 				serverReflectionInfo:         true,
 			},
-			Self: map[string]bool{},
+			Self:    map[string]bool{},
+			Admin:   map[string]bool{},
+			Tenant:  map[string]bool{},
+			Project: map[string]bool{},
 		}
 		auditable = permissions.Auditable{}
 		services  = []string{}
@@ -135,28 +138,37 @@ func servicePermissions(root string) (*permissions.ServicePermissions, error) {
 						switch *methodOpt.IdentifierValue {
 						case v1.TenantRole_TENANT_ROLE_OWNER.String():
 							roles.Tenant[v1.TenantRole_TENANT_ROLE_OWNER.String()] = append(roles.Tenant[v1.TenantRole_TENANT_ROLE_OWNER.String()], methodName)
+							visibility.Tenant[methodName] = true
 						case v1.TenantRole_TENANT_ROLE_EDITOR.String():
 							roles.Tenant[v1.TenantRole_TENANT_ROLE_EDITOR.String()] = append(roles.Tenant[v1.TenantRole_TENANT_ROLE_EDITOR.String()], methodName)
+							visibility.Tenant[methodName] = true
 						case v1.TenantRole_TENANT_ROLE_VIEWER.String():
 							roles.Tenant[v1.TenantRole_TENANT_ROLE_VIEWER.String()] = append(roles.Tenant[v1.TenantRole_TENANT_ROLE_VIEWER.String()], methodName)
+							visibility.Tenant[methodName] = true
 						case v1.TenantRole_TENANT_ROLE_GUEST.String():
 							roles.Tenant[v1.TenantRole_TENANT_ROLE_GUEST.String()] = append(roles.Tenant[v1.TenantRole_TENANT_ROLE_GUEST.String()], methodName)
+							visibility.Tenant[methodName] = true
 						case v1.TenantRole_TENANT_ROLE_UNSPECIFIED.String():
 							// noop
 						// Project
 						case v1.ProjectRole_PROJECT_ROLE_OWNER.String():
 							roles.Project[v1.ProjectRole_PROJECT_ROLE_OWNER.String()] = append(roles.Project[v1.ProjectRole_PROJECT_ROLE_OWNER.String()], methodName)
+							visibility.Project[methodName] = true
 						case v1.ProjectRole_PROJECT_ROLE_EDITOR.String():
+							visibility.Project[methodName] = true
 							roles.Project[v1.ProjectRole_PROJECT_ROLE_EDITOR.String()] = append(roles.Project[v1.ProjectRole_PROJECT_ROLE_EDITOR.String()], methodName)
 						case v1.ProjectRole_PROJECT_ROLE_VIEWER.String():
+							visibility.Project[methodName] = true
 							roles.Project[v1.ProjectRole_PROJECT_ROLE_VIEWER.String()] = append(roles.Project[v1.ProjectRole_PROJECT_ROLE_VIEWER.String()], methodName)
 						case v1.ProjectRole_PROJECT_ROLE_UNSPECIFIED.String():
 							// noop
 						// Admin
 						case v1.AdminRole_ADMIN_ROLE_EDITOR.String():
 							roles.Admin[v1.AdminRole_ADMIN_ROLE_EDITOR.String()] = append(roles.Admin[v1.AdminRole_ADMIN_ROLE_EDITOR.String()], methodName)
+							visibility.Admin[methodName] = true
 						case v1.AdminRole_ADMIN_ROLE_VIEWER.String():
 							roles.Admin[v1.AdminRole_ADMIN_ROLE_VIEWER.String()] = append(roles.Admin[v1.AdminRole_ADMIN_ROLE_VIEWER.String()], methodName)
+							visibility.Admin[methodName] = true
 						case v1.AdminRole_ADMIN_ROLE_UNSPECIFIED.String():
 							// noop
 						// Visibility

generate/go_servicepermissions.tpl

@@ -1,6 +1,10 @@
 // Code generated discover.go. DO NOT EDIT.
 package permissions
 
+import (
+	"connectrpc.com/connect"
+)
+
 func GetServices() []string {
 	return []string{
 {{- range $s := .Services }}
@@ -54,6 +58,21 @@ func GetServicePermissions() *ServicePermissions {
 			Self:    map[string]bool{
 {{- range $key, $value := .Visibility.Self }}
 	"{{ $key }}": {{ $value }} ,
+{{- end }}
+			},
+			Admin:    map[string]bool{
+{{- range $key, $value := .Visibility.Admin }}
+	"{{ $key }}": {{ $value }} ,
+{{- end }}
+			},
+			Tenant:    map[string]bool{
+{{- range $key, $value := .Visibility.Tenant }}
+	"{{ $key }}": {{ $value }} ,
+{{- end }}
+			},
+			Project:    map[string]bool{
+{{- range $key, $value := .Visibility.Project }}
+	"{{ $key }}": {{ $value }} ,
 {{- end }}
 			},
 		},
@@ -64,3 +83,50 @@ func GetServicePermissions() *ServicePermissions {
 		},
 	}
 }
+
+func IsPublicScope(req connect.AnyRequest) bool {
+	_, ok := GetServicePermissions().Visibility.Public[req.Spec().Procedure]
+	return ok
+}
+
+func IsSelfScope(req connect.AnyRequest) bool {
+	_, ok := GetServicePermissions().Visibility.Self[req.Spec().Procedure]
+	return ok
+}
+
+func IsAdminScope(req connect.AnyRequest) bool {
+	_, ok := GetServicePermissions().Visibility.Admin[req.Spec().Procedure]
+	return ok
+}
+
+func IsTenantScope(req connect.AnyRequest) bool {
+	_, ok := GetServicePermissions().Visibility.Tenant[req.Spec().Procedure]
+	return ok
+}
+
+func IsProjectScope(req connect.AnyRequest) bool {
+	_, ok := GetServicePermissions().Visibility.Project[req.Spec().Procedure]
+	return ok
+}
+
+func GetTenantFromRequest(req connect.AnyRequest) (string, bool) {
+	if !IsTenantScope(req) {
+		return "", false
+	}
+	switch rq := req.Any().(type) {
+	case interface{ GetLogin() string }:
+		return rq.GetLogin(), true
+	}
+	return "", false
+}
+
+func GetProjectFromRequest(req connect.AnyRequest) (string, bool) {
+	if !IsProjectScope(req) {
+		return "", false
+	}
+	switch rq := req.Any().(type) {
+	case interface{ GetProject() string }:
+		return rq.GetProject(), true
+	}
+	return "", false
+}

go.mod

@@ -18,16 +18,16 @@ require (
 	cel.dev/expr v0.21.2 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/google/cel-go v0.23.2 // indirect
+	github.com/google/cel-go v0.24.1 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa // indirect
+	golang.org/x/exp v0.0.0-20250228200357-dead58393ab7 // indirect
 	golang.org/x/text v0.22.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250219182151-9fdb1cabc7b2 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250219182151-9fdb1cabc7b2 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250227231956-55c901821b1e // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250227231956-55c901821b1e // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -18,8 +18,8 @@ github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfU
 github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/google/cel-go v0.23.2 h1:UdEe3CvQh3Nv+E/j9r1Y//WO0K0cSyD7/y0bzyLIMI4=
-github.com/google/cel-go v0.23.2/go.mod h1:52Pb6QsDbC5kvgxvZhiL9QX1oZEkcUF/ZqaPx1J5Wwo=
+github.com/google/cel-go v0.24.1 h1:jsBCtxG8mM5wiUJDSGUqU0K7Mtr3w7Eyv00rw4DiZxI=
+github.com/google/cel-go v0.24.1/go.mod h1:Hdf9TqOaTNSFQA1ybQaRqATVoK7m/zcf7IMhGXP5zI8=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
@@ -50,16 +50,16 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa h1:t2QcU6V556bFjYgu4L6C+6VrCPyJZ+eyRsABUPs1mz4=
-golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa/go.mod h1:BHOTPb3L19zxehTsLoJXVaTktb06DFgmdW6Wb9s8jqk=
+golang.org/x/exp v0.0.0-20250228200357-dead58393ab7 h1:aWwlzYV971S4BXRS9AmqwDLAD85ouC6X+pocatKY58c=
+golang.org/x/exp v0.0.0-20250228200357-dead58393ab7/go.mod h1:BHOTPb3L19zxehTsLoJXVaTktb06DFgmdW6Wb9s8jqk=
 golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
 golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
-google.golang.org/genproto/googleapis/api v0.0.0-20250219182151-9fdb1cabc7b2 h1:35ZFtrCgaAjF7AFAK0+lRSf+4AyYnWRbH7og13p7rZ4=
-google.golang.org/genproto/googleapis/api v0.0.0-20250219182151-9fdb1cabc7b2/go.mod h1:W9ynFDP/shebLB1Hl/ESTOap2jHd6pmLXPNZC7SVDbA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250219182151-9fdb1cabc7b2 h1:DMTIbak9GhdaSxEjvVzAeNZvyc03I61duqNbnm3SU0M=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250219182151-9fdb1cabc7b2/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
+google.golang.org/genproto/googleapis/api v0.0.0-20250227231956-55c901821b1e h1:nsxey/MfoGzYNduN0NN/+hqP9iiCIYsrVbXb/8hjFM8=
+google.golang.org/genproto/googleapis/api v0.0.0-20250227231956-55c901821b1e/go.mod h1:Xsh8gBVxGCcbV8ZeTB9wI5XPyZ5RvC6V3CTeeplHbiA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250227231956-55c901821b1e h1:YA5lmSs3zc/5w+xsRcHqpETkaYyK63ivEPzNTcUUlSA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250227231956-55c901821b1e/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
 google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
 google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

go/permissions/permissions.go

@@ -30,6 +30,9 @@ type Roles struct {
 }
 
 type Visibility struct {
-	Public map[string]bool `json:"public,omitempty"`
-	Self   map[string]bool `json:"self,omitempty"`
+	Public  map[string]bool `json:"public,omitempty"`
+	Self    map[string]bool `json:"self,omitempty"`
+	Admin   map[string]bool `json:"admin,omitempty"`
+	Tenant  map[string]bool `json:"tenant,omitempty"`
+	Project map[string]bool `json:"project,omitempty"`
 }

go/permissions/permissions_test.go

@@ -12,4 +12,6 @@ func TestGetServicePermissions(t *testing.T) {
 	// TODO more coverage
 	require.Contains(t, perms.Methods, "/metalstack.api.v2.IPService/List")
 	require.Contains(t, perms.Visibility.Self, "/metalstack.api.v2.TokenService/Create")
+	require.Contains(t, perms.Visibility.Admin, "/metalstack.admin.v2.TenantService/List")
+	require.Contains(t, perms.Visibility.Project, "/metalstack.api.v2.IPService/List")
 }