From c41d75fb31aaa04aa189bc12e645b7fd5b67eaad Mon Sep 17 00:00:00 2001
From: Daniel Jiang
Date: Tue, 18 May 2021 16:06:58 +0800
Subject: [PATCH] Use system configuration resource for permission checking

This commit uses system configuration resource for permission check against API to ping OIDC and update systen CVE allowlist.

Fixes #14386

Signed-off-by: Daniel Jiang
---
 src/common/rbac/const.go | 2 --
 src/common/rbac/system/policies.go | 6 ++----
 src/server/v2.0/handler/oidc.go | 2 +-
 src/server/v2.0/handler/sys_cve_allowlist.go | 2 +-
 4 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/src/common/rbac/const.go b/src/common/rbac/const.go
index d5eb32eca..3e45f5350 100755
--- a/src/common/rbac/const.go
+++ b/src/common/rbac/const.go
@@ -73,6 +73,4 @@ const (
 	ResourceReplicationPolicy = Resource("replication-policy")
 	ResourceScanAll = Resource("scan-all")
 	ResourceSystemVolumes = Resource("system-volumes")
-	ResourceOIDCEndpoint = Resource("oidc-endpoint")
-	ResourceSystemCVEAllowList = Resource("system-cve-allowlist")
 )
diff --git a/src/common/rbac/system/policies.go b/src/common/rbac/system/policies.go
index 84ae9008b..6bb28e440 100644
--- a/src/common/rbac/system/policies.go
+++ b/src/common/rbac/system/policies.go
@@ -61,11 +61,9 @@ var (
 		{Resource: rbac.ResourceSystemVolumes, Action: rbac.ActionRead},
-		{Resource: rbac.ResourceOIDCEndpoint, Action: rbac.ActionUpdate},
-		{Resource: rbac.ResourceOIDCEndpoint, Action: rbac.ActionRead},
 		{Resource: rbac.ResourceLdapUser, Action: rbac.ActionCreate},
 		{Resource: rbac.ResourceLdapUser, Action: rbac.ActionList},
-		{Resource: rbac.ResourceSystemCVEAllowList, Action: rbac.ActionRead},
-		{Resource: rbac.ResourceSystemCVEAllowList, Action: rbac.ActionUpdate},
+		{Resource: rbac.ResourceConfiguration, Action: rbac.ActionRead},
+		{Resource: rbac.ResourceConfiguration, Action: rbac.ActionUpdate},
 	}
 )
diff --git a/src/server/v2.0/handler/oidc.go b/src/server/v2.0/handler/oidc.go
index 06dbaa642..cbd4031e5 100644
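Review bot: The two added `ResourceConfiguration` entries in policies.go may duplicate entries already present in this policy list — the hunk header announces 11 old / 9 new lines but only 9 / 7 are visible here, so the rest of the list, including any existing configuration permissions, is outside what is shown, and the pair should be confirmed not to appear twice. Folding the OIDC-endpoint and CVE-allowlist resources into `ResourceConfiguration` also widens who reaches those two handlers to every principal holding configuration update, and any permission grant persisted under the old resource strings `oidc-endpoint` or `system-cve-allowlist` (robot-account scopes, if the project stores them by name — inferred, not visible here) would stop matching any check after the constants are removed. A short comment above the pair, `// OIDC endpoint ping and system CVE allowlist updates are gated on the configuration resource (#14386)`, would record the intent for the next reader. The enclosing var block starts before the hunk.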
--- a/src/server/v2.0/handler/oidc.go
+++ b/src/server/v2.0/handler/oidc.go
@@ -20,7 +20,7 @@ func newOIDCAPI() *oidcAPI {
 }
 
 func (o oidcAPI) PingOIDC(ctx context.Context, params oidc.PingOIDCParams) middleware.Responder {
-	if err := o.RequireSystemAccess(ctx, rbac.ActionUpdate, rbac.ResourceOIDCEndpoint); err != nil {
+	if err := o.RequireSystemAccess(ctx, rbac.ActionUpdate, rbac.ResourceConfiguration); err != nil {
 		return o.SendError(ctx, err)
 	}
 	err := oidcpkg.TestEndpoint(oidcpkg.Conn{
diff --git a/src/server/v2.0/handler/sys_cve_allowlist.go b/src/server/v2.0/handler/sys_cve_allowlist.go
index d30439a75..83fc9a9e2 100644
--- a/src/server/v2.0/handler/sys_cve_allowlist.go
+++ b/src/server/v2.0/handler/sys_cve_allowlist.go
@@ -38,7 +38,7 @@ func newSystemCVEAllowListAPI() *systemCVEAllowListAPI {
 }
 
 func (s systemCVEAllowListAPI) PutSystemCVEAllowlist(ctx context.Context, params system_cve_allowlist.PutSystemCVEAllowlistParams) middleware.Responder {
-	if err := s.RequireSystemAccess(ctx, rbac.ActionUpdate, rbac.ResourceSystemCVEAllowList); err != nil {
+	if err := s.RequireSystemAccess(ctx, rbac.ActionUpdate, rbac.ResourceConfiguration); err != nil {
 		return s.SendError(ctx, err)
 	}
 	l := models.CVEAllowlist{}
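Review bot: Neither the check in PingOIDC here nor the one in PutSystemCVEAllowlist in sys_cve_allowlist.go says why an update on `ResourceConfiguration` is the right gate, and that is exactly what a later maintainer needs when tempted to relax it to a read. For PingOIDC a comment above the check such as `// Probing the OIDC endpoint makes a server-side request to the endpoint supplied by the caller, so it is restricted to principals allowed to update system configuration.` would record the reasoning; the allowlist handler can carry a parallel one stating that the allowlist is part of system configuration. The outbound-request claim rests on the `oidcpkg.TestEndpoint(oidcpkg.Conn{` call whose field values lie outside the hunk, so confirm the Conn values do come from params before wording it that way. Both handler bodies continue past the end of their hunks.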