Merge pull request #13439 from wy65701436/robot2-mgr

add role permission manager for robot enhancement

make/migrations/postgresql/0050_2.2.0_schema.up.sql

@@ -11,3 +11,30 @@ BEGIN
       UPDATE artifact SET size=art_size WHERE id = art.id;
     END LOOP;
 END $$;
+
+ALTER TABLE robot ADD COLUMN IF NOT EXISTS secret varchar(2048);
+
+CREATE TABLE  IF NOT EXISTS role_permission (
+ id SERIAL PRIMARY KEY NOT NULL,
+ role_type varchar(255) NOT NULL,
+ role_id int NOT NULL,
+ permission_policy_id int NOT NULL,
+ creation_time timestamp default CURRENT_TIMESTAMP,
+ CONSTRAINT unique_role_permission UNIQUE (role_type, role_id, permission_policy_id)
+);
+
+CREATE TABLE  IF NOT EXISTS permission_policy (
+ id SERIAL PRIMARY KEY NOT NULL,
+ /*
+  scope:
+   system level: /system
+   project level: /project/{id}
+   all project: /project/ *
+  */
+ scope varchar(255) NOT NULL,
+ resource varchar(255),
+ action varchar(255),
+ effect varchar(255),
+ creation_time timestamp default CURRENT_TIMESTAMP,
+ CONSTRAINT unique_rbac_policy UNIQUE (scope, resource, action, effect)
+);

src/pkg/rbac/dao/dao.go

@@ -0,0 +1,149 @@
+package dao
+
+import (
+	"context"
+	"github.com/goharbor/harbor/src/lib/errors"
+	"github.com/goharbor/harbor/src/lib/orm"
+	"github.com/goharbor/harbor/src/lib/q"
+	"github.com/goharbor/harbor/src/pkg/rbac/model"
+	"time"
+)
+
+// DAO is the data access object interface for rbac policy
+type DAO interface {
+	// CreatePermission ...
+	CreatePermission(ctx context.Context, rp *model.RolePermission) (int64, error)
+	// DeletePermission ...
+	DeletePermission(ctx context.Context, id int64) error
+	// ListPermissions ...
+	ListPermissions(ctx context.Context, query *q.Query) ([]*model.RolePermission, error)
+	// DeletePermissionsByRole ...
+	DeletePermissionsByRole(ctx context.Context, roleType string, roleID int64) error
+
+	// CreateRbacPolicy ...
+	CreateRbacPolicy(ctx context.Context, pp *model.PermissionPolicy) (int64, error)
+	// DeleteRbacPolicy ...
+	DeleteRbacPolicy(ctx context.Context, id int64) error
+	// ListRbacPolicies list PermissionPolicy according to the query.
+	ListRbacPolicies(ctx context.Context, query *q.Query) ([]*model.PermissionPolicy, error)
+
+	// GetPermissionsByRole ...
+	GetPermissionsByRole(ctx context.Context, roleType string, roleID int64) ([]*model.UniversalRolePermission, error)
+}
+
+// New returns an instance of the default DAO
+func New() DAO {
+	return &dao{}
+}
+
+type dao struct{}
+
+func (d *dao) CreatePermission(ctx context.Context, rp *model.RolePermission) (id int64, err error) {
+	ormer, err := orm.FromContext(ctx)
+	if err != nil {
+		return 0, err
+	}
+	rp.CreationTime = time.Now()
+	return ormer.InsertOrUpdate(rp, "role_type, role_id, permission_policy_id")
+}
+
+func (d *dao) DeletePermission(ctx context.Context, id int64) (err error) {
+	ormer, err := orm.FromContext(ctx)
+	if err != nil {
+		return err
+	}
+	n, err := ormer.Delete(&model.RolePermission{
+		ID: id,
+	})
+	if err != nil {
+		return err
+	}
+	if n == 0 {
+		return errors.NotFoundError(nil).WithMessage("role permission %d not found", id)
+	}
+	return nil
+}
+
+func (d *dao) ListPermissions(ctx context.Context, query *q.Query) ([]*model.RolePermission, error) {
+	rps := []*model.RolePermission{}
+	qs, err := orm.QuerySetter(ctx, &model.RolePermission{}, query)
+	if err != nil {
+		return nil, err
+	}
+	if _, err = qs.All(&rps); err != nil {
+		return nil, err
+	}
+	return rps, nil
+}
+
+func (d *dao) DeletePermissionsByRole(ctx context.Context, roleType string, roleID int64) error {
+	qs, err := orm.QuerySetter(ctx, &model.RolePermission{}, &q.Query{
+		Keywords: map[string]interface{}{
+			"role_type": roleType,
+			"role_id":   roleID,
+		},
+	})
+	if err != nil {
+		return err
+	}
+	n, err := qs.Delete()
+	if err != nil {
+		return err
+	}
+	if n == 0 {
+		return errors.NotFoundError(nil).WithMessage("role permission %s:%d not found", roleType, roleID)
+	}
+	return err
+}
+
+func (d *dao) CreateRbacPolicy(ctx context.Context, pp *model.PermissionPolicy) (id int64, err error) {
+	ormer, err := orm.FromContext(ctx)
+	if err != nil {
+		return 0, err
+	}
+	pp.CreationTime = time.Now()
+	return ormer.InsertOrUpdate(pp, "scope, resource, action, effect")
+}
+
+func (d *dao) DeleteRbacPolicy(ctx context.Context, id int64) (err error) {
+	ormer, err := orm.FromContext(ctx)
+	if err != nil {
+		return err
+	}
+	n, err := ormer.Delete(&model.PermissionPolicy{
+		ID: id,
+	})
+	if err != nil {
+		return err
+	}
+	if n == 0 {
+		return errors.NotFoundError(nil).WithMessage("rbac policy %d not found", id)
+	}
+	return nil
+}
+
+func (d *dao) ListRbacPolicies(ctx context.Context, query *q.Query) ([]*model.PermissionPolicy, error) {
+	pps := []*model.PermissionPolicy{}
+	qs, err := orm.QuerySetter(ctx, &model.PermissionPolicy{}, query)
+	if err != nil {
+		return nil, err
+	}
+	if _, err = qs.All(&pps); err != nil {
+		return nil, err
+	}
+	return pps, nil
+}
+
+func (d *dao) GetPermissionsByRole(ctx context.Context, roleType string, roleID int64) ([]*model.UniversalRolePermission, error) {
+	var rps []*model.UniversalRolePermission
+	ormer, err := orm.FromContext(ctx)
+	if err != nil {
+		return rps, err
+	}
+	_, err = ormer.Raw("SELECT rper.role_type, rper.role_id, ppo.scope, ppo.resource, ppo.action, ppo.effect FROM role_permission AS rper LEFT JOIN permission_policy ppo ON (rper.permission_policy_id=ppo.id) where rper.role_type=? and rper.role_id=?", roleType, roleID).QueryRows(&rps)
+	if err != nil {
+		return rps, err
+	}
+
+	return rps, nil
+}

src/pkg/rbac/dao/dao_test.go

@@ -0,0 +1,216 @@
+package dao
+
+import (
+	"fmt"
+	"github.com/goharbor/harbor/src/lib/errors"
+	"github.com/goharbor/harbor/src/lib/orm"
+	"github.com/goharbor/harbor/src/lib/q"
+	"github.com/goharbor/harbor/src/pkg/rbac/model"
+	htesting "github.com/goharbor/harbor/src/testing"
+	"github.com/stretchr/testify/suite"
+	"testing"
+)
+
+type DaoTestSuite struct {
+	htesting.Suite
+	dao DAO
+
+	permissionID1 int64
+	permissionID2 int64
+	permissionID3 int64
+	permissionID4 int64
+
+	rbacPolicyID1 int64
+	rbacPolicyID2 int64
+	rbacPolicyID3 int64
+	rbacPolicyID4 int64
+}
+
+func (suite *DaoTestSuite) SetupSuite() {
+	suite.Suite.SetupSuite()
+	suite.dao = New()
+	suite.Suite.ClearTables = []string{"rbac_policy", "role_permission"}
+
+	suite.prepareRolePermission()
+	suite.preparePermissionPolicy()
+}
+
+func (suite *DaoTestSuite) prepareRolePermission() {
+	rp := &model.RolePermission{
+		RoleType:           "robot",
+		RoleID:             1,
+		PermissionPolicyID: 2,
+	}
+	id, err := suite.dao.CreatePermission(orm.Context(), rp)
+	suite.permissionID1 = id
+	suite.Nil(err)
+
+	rp2 := &model.RolePermission{
+		RoleType:           "robot",
+		RoleID:             1,
+		PermissionPolicyID: 3,
+	}
+	id2, err := suite.dao.CreatePermission(orm.Context(), rp2)
+	suite.permissionID2 = id2
+	suite.Nil(err)
+
+	rp3 := &model.RolePermission{
+		RoleType:           "robot",
+		RoleID:             1,
+		PermissionPolicyID: 4,
+	}
+	id3, err := suite.dao.CreatePermission(orm.Context(), rp3)
+	suite.permissionID3 = id3
+	suite.Nil(err)
+
+	rp4 := &model.RolePermission{
+		RoleType:           "serviceaccount",
+		RoleID:             2,
+		PermissionPolicyID: 1,
+	}
+	id4, err := suite.dao.CreatePermission(orm.Context(), rp4)
+	suite.permissionID4 = id4
+	suite.Nil(err)
+}
+
+func (suite *DaoTestSuite) preparePermissionPolicy() {
+	rp := &model.PermissionPolicy{
+		Scope:    "/system",
+		Resource: "label",
+		Action:   "create",
+	}
+	id, err := suite.dao.CreateRbacPolicy(orm.Context(), rp)
+	suite.rbacPolicyID1 = id
+	suite.Nil(err)
+
+	rp2 := &model.PermissionPolicy{
+		Scope:    "/project/1",
+		Resource: "repository",
+		Action:   "push",
+	}
+	id2, err := suite.dao.CreateRbacPolicy(orm.Context(), rp2)
+	suite.rbacPolicyID2 = id2
+	suite.Nil(err)
+
+	rp3 := &model.PermissionPolicy{
+		Scope:    "/project/1",
+		Resource: "repository",
+		Action:   "pull",
+	}
+	id3, err := suite.dao.CreateRbacPolicy(orm.Context(), rp3)
+	suite.rbacPolicyID3 = id3
+	suite.Nil(err)
+
+	rp4 := &model.PermissionPolicy{
+		Scope:    "/project/2",
+		Resource: "helm-chart",
+		Action:   "create",
+	}
+	id4, err := suite.dao.CreateRbacPolicy(orm.Context(), rp4)
+	suite.rbacPolicyID4 = id4
+	suite.Nil(err)
+}
+
+func (suite *DaoTestSuite) TestCreatePermission() {
+	rp := &model.RolePermission{
+		RoleType:           "robot",
+		RoleID:             1,
+		PermissionPolicyID: 2,
+	}
+	_, err := suite.dao.CreatePermission(orm.Context(), rp)
+	suite.Nil(err)
+}
+
+func (suite *DaoTestSuite) TestDeletePermission() {
+	err := suite.dao.DeletePermission(orm.Context(), 1234)
+	suite.Require().NotNil(err)
+	suite.True(errors.IsErr(err, errors.NotFoundCode))
+
+	err = suite.dao.DeletePermission(orm.Context(), suite.permissionID2)
+	suite.Nil(err)
+}
+
+func (suite *DaoTestSuite) TestListPermissions() {
+	rps, err := suite.dao.ListPermissions(orm.Context(), &q.Query{
+		Keywords: map[string]interface{}{
+			"role_type":            "robot",
+			"role_id":              1,
+			"permission_policy_id": 4,
+		},
+	})
+	suite.Require().Nil(err)
+	suite.Equal(int64(4), rps[0].PermissionPolicyID)
+}
+
+func (suite *DaoTestSuite) TestDeletePermissionsByRole() {
+	err := suite.dao.DeletePermissionsByRole(orm.Context(), "serviceaccount", 2)
+	suite.Require().Nil(err)
+
+	rps, err := suite.dao.ListPermissions(orm.Context(), &q.Query{
+		Keywords: map[string]interface{}{
+			"role_type": "serviceaccount",
+			"role_id":   2,
+		},
+	})
+	suite.Require().Nil(err)
+	suite.Equal(0, len(rps))
+
+}
+
+func (suite *DaoTestSuite) TestCreateRbacPolicy() {
+	rp := &model.PermissionPolicy{
+		Scope:    "/system",
+		Resource: "label",
+		Action:   "create",
+	}
+	_, err := suite.dao.CreateRbacPolicy(orm.Context(), rp)
+	suite.Nil(err)
+}
+
+func (suite *DaoTestSuite) TestDeleteRbacPolicy() {
+	err := suite.dao.DeleteRbacPolicy(orm.Context(), 1234)
+	suite.Require().NotNil(err)
+	suite.True(errors.IsErr(err, errors.NotFoundCode))
+
+	err = suite.dao.DeleteRbacPolicy(orm.Context(), suite.rbacPolicyID2)
+	suite.Nil(err)
+}
+
+func (suite *DaoTestSuite) TestListRbacPolicies() {
+	rps, err := suite.dao.ListRbacPolicies(orm.Context(), &q.Query{
+		Keywords: map[string]interface{}{
+			"scope":    "/project/1",
+			"resource": "repository",
+			"action":   "pull",
+		},
+	})
+	suite.Require().Nil(err)
+	suite.Equal(suite.rbacPolicyID3, rps[0].ID)
+}
+
+func (suite *DaoTestSuite) TestGetPermissionsByRole() {
+	rp := &model.PermissionPolicy{
+		Scope:    "/system",
+		Resource: "label",
+		Action:   "delete",
+	}
+	id, err := suite.dao.CreateRbacPolicy(orm.Context(), rp)
+	suite.Nil(err)
+
+	rpe := &model.RolePermission{
+		RoleType:           "TestGetPermissionsByRole",
+		RoleID:             1,
+		PermissionPolicyID: id,
+	}
+	_, err = suite.dao.CreatePermission(orm.Context(), rpe)
+	suite.Nil(err)
+
+	rpes, err := suite.dao.GetPermissionsByRole(orm.Context(), "TestGetPermissionsByRole", 1)
+	suite.Nil(err)
+	fmt.Println(rpes[0])
+	suite.Equal("/system", rpes[0].Scope)
+}
+
+func TestDaoTestSuite(t *testing.T) {
+	suite.Run(t, &DaoTestSuite{})
+}

src/pkg/rbac/manager.go

@@ -0,0 +1,79 @@
+package rbac
+
+import (
+	"context"
+	"github.com/goharbor/harbor/src/lib/q"
+	"github.com/goharbor/harbor/src/pkg/rbac/dao"
+	"github.com/goharbor/harbor/src/pkg/rbac/model"
+)
+
+var (
+	// Mgr is a global role permission/rbac policy manager instance
+	Mgr = NewManager()
+)
+
+// Manager is the interface of role permission and rbac policy
+type Manager interface {
+	// CreatePermission ...
+	CreatePermission(ctx context.Context, rp *model.RolePermission) (int64, error)
+	// DeletePermission ...
+	DeletePermission(ctx context.Context, id int64) error
+	// ListPermissions list role permissions according to the query.
+	ListPermissions(ctx context.Context, query *q.Query) ([]*model.RolePermission, error)
+	// DeletePermissionsByRole get permissions by role type and id
+	DeletePermissionsByRole(ctx context.Context, roleType string, roleID int64) error
+
+	// CreateRbacPolicy ...
+	CreateRbacPolicy(ctx context.Context, pp *model.PermissionPolicy) (int64, error)
+	// DeleteRbacPolicy ...
+	DeleteRbacPolicy(ctx context.Context, id int64) error
+	// ListRbacPolicies list PermissionPolicy according to the query.
+	ListRbacPolicies(ctx context.Context, query *q.Query) ([]*model.PermissionPolicy, error)
+	// GetPermissionsByRole ...
+	GetPermissionsByRole(ctx context.Context, roleType string, roleID int64) ([]*model.UniversalRolePermission, error)
+}
+
+// NewManager returns an instance of the default manager
+func NewManager() Manager {
+	return &manager{
+		dao.New(),
+	}
+}
+
+var _ Manager = &manager{}
+
+type manager struct {
+	dao dao.DAO
+}
+
+func (m *manager) CreatePermission(ctx context.Context, rp *model.RolePermission) (int64, error) {
+	return m.dao.CreatePermission(ctx, rp)
+}
+
+func (m *manager) DeletePermission(ctx context.Context, id int64) error {
+	return m.dao.DeletePermission(ctx, id)
+}
+
+func (m *manager) ListPermissions(ctx context.Context, query *q.Query) ([]*model.RolePermission, error) {
+	return m.dao.ListPermissions(ctx, query)
+}
+
+func (m *manager) DeletePermissionsByRole(ctx context.Context, roleType string, roleID int64) error {
+	return m.dao.DeletePermissionsByRole(ctx, roleType, roleID)
+}
+
+func (m *manager) CreateRbacPolicy(ctx context.Context, pp *model.PermissionPolicy) (int64, error) {
+	return m.dao.CreateRbacPolicy(ctx, pp)
+}
+
+func (m *manager) DeleteRbacPolicy(ctx context.Context, id int64) error {
+	return m.dao.DeleteRbacPolicy(ctx, id)
+}
+
+func (m *manager) ListRbacPolicies(ctx context.Context, query *q.Query) ([]*model.PermissionPolicy, error) {
+	return m.dao.ListRbacPolicies(ctx, query)
+}
+
+func (m *manager) GetPermissionsByRole(ctx context.Context, roleType string, roleID int64) ([]*model.UniversalRolePermission, error) {
+	return m.dao.GetPermissionsByRole(ctx, roleType, roleID)
+}

src/pkg/rbac/manager_test.go

@@ -0,0 +1,108 @@
+package rbac
+
+import (
+	"context"
+	"github.com/goharbor/harbor/src/pkg/rbac/model"
+	"github.com/goharbor/harbor/src/testing/mock"
+	"github.com/goharbor/harbor/src/testing/pkg/rbac/dao"
+	"github.com/stretchr/testify/suite"
+	"testing"
+)
+
+type managerTestSuite struct {
+	suite.Suite
+	mgr *manager
+	dao *dao.DAO
+}
+
+func (m *managerTestSuite) SetupTest() {
+	m.dao = &dao.DAO{}
+	m.mgr = &manager{
+		dao: m.dao,
+	}
+}
+
+func (m *managerTestSuite) TestCreatePermission() {
+	m.dao.On("CreatePermission", mock.Anything, mock.Anything).Return(int64(1), nil)
+	_, err := m.mgr.CreatePermission(context.Background(), &model.RolePermission{})
+	m.Require().Nil(err)
+	m.dao.AssertExpectations(m.T())
+}
+
+func (m *managerTestSuite) TestDeletePermission() {
+	m.dao.On("DeletePermission", mock.Anything, mock.Anything).Return(nil)
+	err := m.mgr.DeletePermission(context.Background(), 1)
+	m.Require().Nil(err)
+	m.dao.AssertExpectations(m.T())
+}
+
+func (m *managerTestSuite) TestListPermissions() {
+	m.dao.On("ListPermissions", mock.Anything, mock.Anything).Return([]*model.RolePermission{
+		{
+			ID:                 1,
+			RoleType:           "robot",
+			RoleID:             2,
+			PermissionPolicyID: 3,
+		},
+	}, nil)
+	rpers, err := m.mgr.ListPermissions(context.Background(), nil)
+	m.Require().Nil(err)
+	m.Equal(1, len(rpers))
+	m.dao.AssertExpectations(m.T())
+}
+
+func (m *managerTestSuite) TestDeletePermissionsByRole() {
+	m.dao.On("DeletePermissionsByRole", mock.Anything, mock.Anything, mock.Anything).Return(nil)
+	err := m.mgr.DeletePermissionsByRole(context.Background(), "robot", 1)
+	m.Require().Nil(err)
+	m.dao.AssertExpectations(m.T())
+}
+
+func (m *managerTestSuite) TestCreateRbacPolicy() {
+	m.dao.On("CreateRbacPolicy", mock.Anything, mock.Anything).Return(int64(1), nil)
+	_, err := m.mgr.CreateRbacPolicy(context.Background(), &model.PermissionPolicy{})
+	m.Require().Nil(err)
+	m.dao.AssertExpectations(m.T())
+}
+
+func (m *managerTestSuite) TestDeleteRbacPolicy() {
+	m.dao.On("DeleteRbacPolicy", mock.Anything, mock.Anything).Return(nil)
+	err := m.mgr.DeleteRbacPolicy(context.Background(), 1)
+	m.Require().Nil(err)
+	m.dao.AssertExpectations(m.T())
+}
+
+func (m *managerTestSuite) TestListRbacPolicies() {
+	m.dao.On("ListRbacPolicies", mock.Anything, mock.Anything).Return([]*model.PermissionPolicy{
+		{
+			ID:       1,
+			Scope:    "/system",
+			Resource: "repository",
+			Action:   "create",
+		},
+	}, nil)
+	rpers, err := m.mgr.ListRbacPolicies(context.Background(), nil)
+	m.Require().Nil(err)
+	m.Equal(1, len(rpers))
+	m.dao.AssertExpectations(m.T())
+}
+
+func (m *managerTestSuite) TestGetPermissionsByRole() {
+	m.dao.On("GetPermissionsByRole", mock.Anything, mock.Anything, mock.Anything).Return([]*model.UniversalRolePermission{
+		{
+			RoleType: "robot",
+			RoleID:   1,
+			Scope:    "/system",
+			Resource: "repository",
+			Action:   "create",
+		},
+	}, nil)
+	rpers, err := m.mgr.GetPermissionsByRole(context.Background(), "robot", 1)
+	m.Require().Nil(err)
+	m.Equal(1, len(rpers))
+	m.dao.AssertExpectations(m.T())
+}
+
+func TestManager(t *testing.T) {
+	suite.Run(t, &managerTestSuite{})
+}

src/pkg/rbac/model/model.go

@@ -0,0 +1,50 @@
+package model
+
+import (
+	"github.com/astaxie/beego/orm"
+	"time"
+)
+
+func init() {
+	orm.RegisterModel(&RolePermission{})
+	orm.RegisterModel(&PermissionPolicy{})
+}
+
+// RolePermission records the relations of role and permission
+type RolePermission struct {
+	ID                 int64     `orm:"pk;auto;column(id)"`
+	RoleType           string    `orm:"column(role_type)"`
+	RoleID             int64     `orm:"column(role_id)"`
+	PermissionPolicyID int64     `orm:"column(permission_policy_id)"`
+	CreationTime       time.Time `orm:"column(creation_time);auto_now_add" json:"creation_time"`
+}
+
+// TableName for role permission
+func (rp *RolePermission) TableName() string {
+	return "role_permission"
+}
+
+// PermissionPolicy records the policy of rbac
+type PermissionPolicy struct {
+	ID           int64     `orm:"pk;auto;column(id)"`
+	Scope        string    `orm:"column(scope)"`
+	Resource     string    `orm:"column(resource)"`
+	Action       string    `orm:"column(action)"`
+	Effect       string    `orm:"column(effect)"`
+	CreationTime time.Time `orm:"column(creation_time);auto_now_add" json:"creation_time"`
+}
+
+// TableName for permission policy
+func (permissionPolicy *PermissionPolicy) TableName() string {
+	return "permission_policy"
+}
+
+// UniversalRolePermission ...
+type UniversalRolePermission struct {
+	RoleType string `orm:"column(role_type)"`
+	RoleID   int64  `orm:"column(role_id)"`
+	Scope    string `orm:"column(scope)"`
+	Resource string `orm:"column(resource)"`
+	Action   string `orm:"column(action)"`
+	Effect   string `orm:"column(effect)"`
+}

src/testing/pkg/pkg.go

@@ -29,3 +29,5 @@ package pkg
 //go:generate mockery --case snake --dir ../../pkg/task --name ExecutionManager --output ./task --outpkg task
 //go:generate mockery --case snake --dir ../../pkg/user --name Manager --output ./user --outpkg user
 //go:generate mockery --case snake --dir ../../pkg/robot/dao --name RobotAccountDao --output ./robot/dao --outpkg dao
+//go:generate mockery --case snake --dir ../../pkg/rbac --name Manager --output ./rbac --outpkg rbac
+//go:generate mockery --case snake --dir ../../pkg/rbac/dao --name DAO --output ./rbac/dao --outpkg dao

src/testing/pkg/rbac/dao/dao.go

@@ -0,0 +1,171 @@
+// Code generated by mockery v2.1.0. DO NOT EDIT.
+
+package dao
+
+import (
+	context "context"
+
+	mock "github.com/stretchr/testify/mock"
+
+	model "github.com/goharbor/harbor/src/pkg/rbac/model"
+
+	q "github.com/goharbor/harbor/src/lib/q"
+)
+
+// DAO is an autogenerated mock type for the DAO type
+type DAO struct {
+	mock.Mock
+}
+
+// CreatePermission provides a mock function with given fields: ctx, rp
+func (_m *DAO) CreatePermission(ctx context.Context, rp *model.RolePermission) (int64, error) {
+	ret := _m.Called(ctx, rp)
+
+	var r0 int64
+	if rf, ok := ret.Get(0).(func(context.Context, *model.RolePermission) int64); ok {
+		r0 = rf(ctx, rp)
+	} else {
+		r0 = ret.Get(0).(int64)
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, *model.RolePermission) error); ok {
+		r1 = rf(ctx, rp)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// CreateRbacPolicy provides a mock function with given fields: ctx, pp
+func (_m *DAO) CreateRbacPolicy(ctx context.Context, pp *model.PermissionPolicy) (int64, error) {
+	ret := _m.Called(ctx, pp)
+
+	var r0 int64
+	if rf, ok := ret.Get(0).(func(context.Context, *model.PermissionPolicy) int64); ok {
+		r0 = rf(ctx, pp)
+	} else {
+		r0 = ret.Get(0).(int64)
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, *model.PermissionPolicy) error); ok {
+		r1 = rf(ctx, pp)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// DeletePermission provides a mock function with given fields: ctx, id
+func (_m *DAO) DeletePermission(ctx context.Context, id int64) error {
+	ret := _m.Called(ctx, id)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context, int64) error); ok {
+		r0 = rf(ctx, id)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// DeletePermissionsByRole provides a mock function with given fields: ctx, roleType, roleID
+func (_m *DAO) DeletePermissionsByRole(ctx context.Context, roleType string, roleID int64) error {
+	ret := _m.Called(ctx, roleType, roleID)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context, string, int64) error); ok {
+		r0 = rf(ctx, roleType, roleID)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// DeleteRbacPolicy provides a mock function with given fields: ctx, id
+func (_m *DAO) DeleteRbacPolicy(ctx context.Context, id int64) error {
+	ret := _m.Called(ctx, id)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context, int64) error); ok {
+		r0 = rf(ctx, id)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// GetPermissionsByRole provides a mock function with given fields: ctx, roleType, roleID
+func (_m *DAO) GetPermissionsByRole(ctx context.Context, roleType string, roleID int64) ([]*model.UniversalRolePermission, error) {
+	ret := _m.Called(ctx, roleType, roleID)
+
+	var r0 []*model.UniversalRolePermission
+	if rf, ok := ret.Get(0).(func(context.Context, string, int64) []*model.UniversalRolePermission); ok {
+		r0 = rf(ctx, roleType, roleID)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*model.UniversalRolePermission)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, string, int64) error); ok {
+		r1 = rf(ctx, roleType, roleID)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// ListPermissions provides a mock function with given fields: ctx, query
+func (_m *DAO) ListPermissions(ctx context.Context, query *q.Query) ([]*model.RolePermission, error) {
+	ret := _m.Called(ctx, query)
+
+	var r0 []*model.RolePermission
+	if rf, ok := ret.Get(0).(func(context.Context, *q.Query) []*model.RolePermission); ok {
+		r0 = rf(ctx, query)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*model.RolePermission)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, *q.Query) error); ok {
+		r1 = rf(ctx, query)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// ListRbacPolicies provides a mock function with given fields: ctx, query
+func (_m *DAO) ListRbacPolicies(ctx context.Context, query *q.Query) ([]*model.PermissionPolicy, error) {
+	ret := _m.Called(ctx, query)
+
+	var r0 []*model.PermissionPolicy
+	if rf, ok := ret.Get(0).(func(context.Context, *q.Query) []*model.PermissionPolicy); ok {
+		r0 = rf(ctx, query)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*model.PermissionPolicy)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, *q.Query) error); ok {
+		r1 = rf(ctx, query)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}

src/testing/pkg/rbac/manager.go

@@ -0,0 +1,170 @@
+// Code generated by mockery v2.1.0. DO NOT EDIT.
+
+package rbac
+
+import (
+	context "context"
+
+	model "github.com/goharbor/harbor/src/pkg/rbac/model"
+	mock "github.com/stretchr/testify/mock"
+
+	q "github.com/goharbor/harbor/src/lib/q"
+)
+
+// Manager is an autogenerated mock type for the Manager type
+type Manager struct {
+	mock.Mock
+}
+
+// CreatePermission provides a mock function with given fields: ctx, rp
+func (_m *Manager) CreatePermission(ctx context.Context, rp *model.RolePermission) (int64, error) {
+	ret := _m.Called(ctx, rp)
+
+	var r0 int64
+	if rf, ok := ret.Get(0).(func(context.Context, *model.RolePermission) int64); ok {
+		r0 = rf(ctx, rp)
+	} else {
+		r0 = ret.Get(0).(int64)
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, *model.RolePermission) error); ok {
+		r1 = rf(ctx, rp)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// CreateRbacPolicy provides a mock function with given fields: ctx, pp
+func (_m *Manager) CreateRbacPolicy(ctx context.Context, pp *model.PermissionPolicy) (int64, error) {
+	ret := _m.Called(ctx, pp)
+
+	var r0 int64
+	if rf, ok := ret.Get(0).(func(context.Context, *model.PermissionPolicy) int64); ok {
+		r0 = rf(ctx, pp)
+	} else {
+		r0 = ret.Get(0).(int64)
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, *model.PermissionPolicy) error); ok {
+		r1 = rf(ctx, pp)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// DeletePermission provides a mock function with given fields: ctx, id
+func (_m *Manager) DeletePermission(ctx context.Context, id int64) error {
+	ret := _m.Called(ctx, id)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context, int64) error); ok {
+		r0 = rf(ctx, id)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// DeletePermissionsByRole provides a mock function with given fields: ctx, roleType, roleID
+func (_m *Manager) DeletePermissionsByRole(ctx context.Context, roleType string, roleID int64) error {
+	ret := _m.Called(ctx, roleType, roleID)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context, string, int64) error); ok {
+		r0 = rf(ctx, roleType, roleID)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// DeleteRbacPolicy provides a mock function with given fields: ctx, id
+func (_m *Manager) DeleteRbacPolicy(ctx context.Context, id int64) error {
+	ret := _m.Called(ctx, id)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context, int64) error); ok {
+		r0 = rf(ctx, id)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// GetPermissionsByRole provides a mock function with given fields: ctx, roleType, roleID
+func (_m *Manager) GetPermissionsByRole(ctx context.Context, roleType string, roleID int64) ([]*model.UniversalRolePermission, error) {
+	ret := _m.Called(ctx, roleType, roleID)
+
+	var r0 []*model.UniversalRolePermission
+	if rf, ok := ret.Get(0).(func(context.Context, string, int64) []*model.UniversalRolePermission); ok {
+		r0 = rf(ctx, roleType, roleID)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*model.UniversalRolePermission)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, string, int64) error); ok {
+		r1 = rf(ctx, roleType, roleID)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// ListPermissions provides a mock function with given fields: ctx, query
+func (_m *Manager) ListPermissions(ctx context.Context, query *q.Query) ([]*model.RolePermission, error) {
+	ret := _m.Called(ctx, query)
+
+	var r0 []*model.RolePermission
+	if rf, ok := ret.Get(0).(func(context.Context, *q.Query) []*model.RolePermission); ok {
+		r0 = rf(ctx, query)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*model.RolePermission)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, *q.Query) error); ok {
+		r1 = rf(ctx, query)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// ListRbacPolicies provides a mock function with given fields: ctx, query
+func (_m *Manager) ListRbacPolicies(ctx context.Context, query *q.Query) ([]*model.PermissionPolicy, error) {
+	ret := _m.Called(ctx, query)
+
+	var r0 []*model.PermissionPolicy
+	if rf, ok := ret.Get(0).(func(context.Context, *q.Query) []*model.PermissionPolicy); ok {
+		r0 = rf(ctx, query)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*model.PermissionPolicy)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, *q.Query) error); ok {
+		r1 = rf(ctx, query)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}