rename the enum values of keppel.RBACPermission

"GrantsPull" etc. do not read well in the context of ForbiddenPermissions.

Author: majewsky

cmd/api/gui_redirect.go

@@ -77,7 +77,7 @@ func (g *guiRedirecter) tryRedirectToGUI(w http.ResponseWriter, r *http.Request)
 		return
 	}
 	for _, policy := range policies {
-		if !slices.Contains(policy.Permissions, keppel.GrantsAnonymousPull) {
+		if !slices.Contains(policy.Permissions, keppel.RBACAnonymousPullPermission) {
 			continue
 		}
 		ip := httpext.GetRequesterIPFor(r)

internal/api/auth/api_test.go

@@ -66,46 +66,46 @@ type TestCase struct {
 var (
 	policyAnonPull = keppel.RBACPolicy{
 		RepositoryPattern: "fo+",
-		Permissions:       []keppel.RBACPermission{keppel.GrantsAnonymousPull},
+		Permissions:       []keppel.RBACPermission{keppel.RBACAnonymousPullPermission},
 	}
 	policyAnonFirstPull = keppel.RBACPolicy{
 		RepositoryPattern: "fo+",
-		Permissions:       []keppel.RBACPermission{keppel.GrantsAnonymousPull, keppel.GrantsAnonymousFirstPull},
+		Permissions:       []keppel.RBACPermission{keppel.RBACAnonymousPullPermission, keppel.RBACAnonymousFirstPullPermission},
 	}
 	policyPullMatches = keppel.RBACPolicy{
 		RepositoryPattern: "fo+",
 		UserNamePattern:   "correct.*",
-		Permissions:       []keppel.RBACPermission{keppel.GrantsPull},
+		Permissions:       []keppel.RBACPermission{keppel.RBACPullPermission},
 	}
 	policyForbidPush = keppel.RBACPolicy{
 		RepositoryPattern:    "fo+",
 		UserNamePattern:      "correct.*",
-		ForbiddenPermissions: []keppel.RBACPermission{keppel.GrantsPush},
+		ForbiddenPermissions: []keppel.RBACPermission{keppel.RBACPushPermission},
 	}
 	policyPushMatches = keppel.RBACPolicy{
 		RepositoryPattern: "fo+",
 		UserNamePattern:   "correct.*",
-		Permissions:       []keppel.RBACPermission{keppel.GrantsPull, keppel.GrantsPush},
+		Permissions:       []keppel.RBACPermission{keppel.RBACPullPermission, keppel.RBACPushPermission},
 	}
 	policyDeleteMatches = keppel.RBACPolicy{
 		RepositoryPattern: "fo+",
 		UserNamePattern:   "correct.*",
-		Permissions:       []keppel.RBACPermission{keppel.GrantsPull, keppel.GrantsDelete},
+		Permissions:       []keppel.RBACPermission{keppel.RBACPullPermission, keppel.RBACDeletePermission},
 	}
 	policyPullDoesNotMatch = keppel.RBACPolicy{
 		RepositoryPattern: "fo+",
 		UserNamePattern:   "doesnotmatch",
-		Permissions:       []keppel.RBACPermission{keppel.GrantsPull},
+		Permissions:       []keppel.RBACPermission{keppel.RBACPullPermission},
 	}
 	policyPushDoesNotMatch = keppel.RBACPolicy{
 		RepositoryPattern: "doesnotmatch",
 		UserNamePattern:   "correct.*",
-		Permissions:       []keppel.RBACPermission{keppel.GrantsPull, keppel.GrantsPush},
+		Permissions:       []keppel.RBACPermission{keppel.RBACPullPermission, keppel.RBACPushPermission},
 	}
 	policyDeleteDoesNotMatch = keppel.RBACPolicy{
 		RepositoryPattern: "fo+",
 		UserNamePattern:   "doesnotmatch",
-		Permissions:       []keppel.RBACPermission{keppel.GrantsPull, keppel.GrantsDelete},
+		Permissions:       []keppel.RBACPermission{keppel.RBACPullPermission, keppel.RBACDeletePermission},
 	}
 )
 

internal/api/keppel/api_test.go

@@ -53,7 +53,7 @@ func TestAlternativeAuthSchemes(t *testing.T) {
 	mustExec(t, s.DB, `UPDATE accounts SET rbac_policies_json = $2 WHERE name = $1`, "test1",
 		test.ToJSON([]keppel.RBACPolicy{{
 			RepositoryPattern: "foo",
-			Permissions:       []keppel.RBACPermission{keppel.GrantsAnonymousPull},
+			Permissions:       []keppel.RBACPermission{keppel.RBACAnonymousPullPermission},
 		}}),
 	)
 	assert.HTTPRequest{

internal/api/registry/blobs_test.go

@@ -189,7 +189,7 @@ func TestBlobMonolithicUpload(t *testing.T) {
 		_, err := s.DB.Exec(`UPDATE accounts SET rbac_policies_json = $2 WHERE name = $1`, "test1",
 			test.ToJSON([]keppel.RBACPolicy{{
 				RepositoryPattern: "foo",
-				Permissions:       []keppel.RBACPermission{keppel.GrantsAnonymousPull},
+				Permissions:       []keppel.RBACPermission{keppel.RBACAnonymousPullPermission},
 			}}),
 		)
 		if err != nil {

internal/api/registry/manifests_test.go

@@ -335,7 +335,7 @@ func TestImageManifestLifecycle(t *testing.T) {
 			_, err = s.DB.Exec(`UPDATE accounts SET rbac_policies_json = $2 WHERE name = $1`, "test1",
 				test.ToJSON([]keppel.RBACPolicy{{
 					RepositoryPattern: "foo",
-					Permissions:       []keppel.RBACPermission{keppel.GrantsAnonymousPull},
+					Permissions:       []keppel.RBACPermission{keppel.RBACAnonymousPullPermission},
 				}}),
 			)
 			if err != nil {

internal/auth/filter.go

@@ -213,28 +213,28 @@ func filterRepoActions(ip string, scope Scope, uid keppel.UserIdentity, audience
 
 	// certain policies can never be granted to anonymous users by an RBAC policy
 	if uid.UserType() == keppel.AnonymousUser {
-		delete(permOverride, keppel.GrantsPull)
-		delete(permOverride, keppel.GrantsPush)
-		delete(permOverride, keppel.GrantsDelete)
+		delete(permOverride, keppel.RBACPullPermission)
+		delete(permOverride, keppel.RBACPushPermission)
+		delete(permOverride, keppel.RBACDeletePermission)
 	}
 
 	// evaluate final permission set
 	isAllowedAction := map[string]bool{
-		"pull": permOverride[keppel.GrantsPull].UnwrapOr(
+		"pull": permOverride[keppel.RBACPullPermission].UnwrapOr(
 			uid.HasPermission(keppel.CanPullFromAccount, authTenantID),
 		),
-		"push": permOverride[keppel.GrantsPush].UnwrapOr(
+		"push": permOverride[keppel.RBACPushPermission].UnwrapOr(
 			uid.HasPermission(keppel.CanPushToAccount, authTenantID),
 		),
-		"delete": permOverride[keppel.GrantsDelete].UnwrapOr(
+		"delete": permOverride[keppel.RBACDeletePermission].UnwrapOr(
 			uid.HasPermission(keppel.CanDeleteFromAccount, authTenantID),
 		),
 	}
-	if permOverride[keppel.GrantsAnonymousPull].UnwrapOr(false) {
+	if permOverride[keppel.RBACAnonymousPullPermission].UnwrapOr(false) {
 		isAllowedAction["pull"] = true
 	}
 	if isAllowedAction["pull"] {
-		isAllowedAction["anonymous_first_pull"] = permOverride[keppel.GrantsAnonymousFirstPull].UnwrapOr(false)
+		isAllowedAction["anonymous_first_pull"] = permOverride[keppel.RBACAnonymousFirstPullPermission].UnwrapOr(false)
 	}
 
 	// grant requested actions as possible

internal/keppel/rbac_policy.go

@@ -44,19 +44,19 @@ type RBACPolicy struct {
 type RBACPermission string
 
 const (
-	GrantsPull               RBACPermission = "pull"
-	GrantsPush               RBACPermission = "push"
-	GrantsDelete             RBACPermission = "delete"
-	GrantsAnonymousPull      RBACPermission = "anonymous_pull"
-	GrantsAnonymousFirstPull RBACPermission = "anonymous_first_pull"
+	RBACPullPermission               RBACPermission = "pull"
+	RBACPushPermission               RBACPermission = "push"
+	RBACDeletePermission             RBACPermission = "delete"
+	RBACAnonymousPullPermission      RBACPermission = "anonymous_pull"
+	RBACAnonymousFirstPullPermission RBACPermission = "anonymous_first_pull"
 )
 
 var isRBACPermission = map[RBACPermission]bool{
-	GrantsPull:               true,
-	GrantsPush:               true,
-	GrantsDelete:             true,
-	GrantsAnonymousPull:      true,
-	GrantsAnonymousFirstPull: true,
+	RBACPullPermission:               true,
+	RBACPushPermission:               true,
+	RBACDeletePermission:             true,
+	RBACAnonymousPullPermission:      true,
+	RBACAnonymousFirstPullPermission: true,
 }
 
 // Matches evaluates the cidr and regexes in this policy.
@@ -123,19 +123,19 @@ func (r *RBACPolicy) ValidateAndNormalize(strategy ReplicationStrategy) error {
 	if r.CidrPattern == "" && r.UserNamePattern == "" && r.RepositoryPattern == "" {
 		return errors.New(`RBAC policy must have at least one "match_..." attribute`)
 	}
-	if (refersToPerm[GrantsAnonymousPull] || refersToPerm[GrantsAnonymousFirstPull]) && r.UserNamePattern != "" {
+	if (refersToPerm[RBACAnonymousPullPermission] || refersToPerm[RBACAnonymousFirstPullPermission]) && r.UserNamePattern != "" {
 		return errors.New(`RBAC policy with "anonymous_pull" or "anonymous_first_pull" may not have the "match_username" attribute`)
 	}
-	if refersToPerm[GrantsPull] && r.CidrPattern == "" && r.UserNamePattern == "" {
+	if refersToPerm[RBACPullPermission] && r.CidrPattern == "" && r.UserNamePattern == "" {
 		return errors.New(`RBAC policy with "pull" must have the "match_cidr" or "match_username" attribute`)
 	}
-	if grantsPerm[GrantsPush] && !grantsPerm[GrantsPull] {
+	if grantsPerm[RBACPushPermission] && !grantsPerm[RBACPullPermission] {
 		return errors.New(`RBAC policy with "push" must also grant "pull"`)
 	}
-	if refersToPerm[GrantsDelete] && r.UserNamePattern == "" {
+	if refersToPerm[RBACDeletePermission] && r.UserNamePattern == "" {
 		return errors.New(`RBAC policy with "delete" must have the "match_username" attribute`)
 	}
-	if refersToPerm[GrantsAnonymousFirstPull] && strategy != FromExternalOnFirstUseStrategy {
+	if refersToPerm[RBACAnonymousFirstPullPermission] && strategy != FromExternalOnFirstUseStrategy {
 		return errors.New(`RBAC policy with "anonymous_first_pull" may only be for external replica accounts`)
 	}