From cfb0d193575337094e5c2d26c70526e8094fd2c4 Mon Sep 17 00:00:00 2001
From: John Niang
Date: Tue, 6 Dec 2022 22:15:03 +0800
Subject: [PATCH] Add labels for roles system-reserved

---
 .../run/halo/app/core/extension/Role.java | 3 ++
 .../app/security/SuperAdminInitializer.java | 46 ++++---------------
 .../extensions/system-default-role.yaml | 20 +++++++-
 3 files changed, 30 insertions(+), 39 deletions(-)

diff --git a/src/main/java/run/halo/app/core/extension/Role.java b/src/main/java/run/halo/app/core/extension/Role.java
index 778d13d0b8..6b6ddd47ce 100644
--- a/src/main/java/run/halo/app/core/extension/Role.java
+++ b/src/main/java/run/halo/app/core/extension/Role.java
@@ -32,6 +32,9 @@ public class Role extends AbstractExtension {
 "rbac.authorization.halo.run/dependency-rules";
 public static final String ROLE_DEPENDENCIES_ANNO = "rbac.authorization.halo.run/dependencies";
 public static final String UI_PERMISSIONS_ANNO = "rbac.authorization.halo.run/ui-permissions";
+
+ public static final String SYSTEM_RESERVED_LABELS =
+ "rbac.authorization.halo.run/system-reserved";
 public static final String UI_PERMISSIONS_AGGREGATED_ANNO =
 "rbac.authorization.halo.run/ui-permissions-aggregated";
 
diff --git a/src/main/java/run/halo/app/security/SuperAdminInitializer.java b/src/main/java/run/halo/app/security/SuperAdminInitializer.java
index 6c7a5d54bd..9cf3466925 100644
--- a/src/main/java/run/halo/app/security/SuperAdminInitializer.java
+++ b/src/main/java/run/halo/app/security/SuperAdminInitializer.java
@@ -1,9 +1,7 @@
 package run.halo.app.security;
 
 import java.time.Instant;
-import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.springframework.boot.context.event.ApplicationReadyEvent;
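Review bot: The new constant `SYSTEM_RESERVED_LABELS` names a single label key, so the plural reads as though it held a collection; the neighbouring constants in this class use a singular suffix (`ROLE_DEPENDENCIES_ANNO`, `UI_PERMISSIONS_ANNO`), so `SYSTEM_RESERVED_LABEL` would match them. Nothing else in this patch references the constant — `system-default-role.yaml` spells the key out literally — so the two copies can silently drift apart. A one-line Javadoc would tie them together: `/** Label key marking a role as system-reserved; must match the key written in extensions/system-default-role.yaml. */`. Whatever protection the label is meant to confer (presumably blocking edits or deletion of these roles) is not part of this hunk, and the enclosing class continues outside it.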
@@ -12,7 +10,6 @@
 import org.springframework.util.StringUtils;
 import reactor.core.publisher.Mono;
 import run.halo.app.core.extension.Role;
-import run.halo.app.core.extension.Role.PolicyRule;
 import run.halo.app.core.extension.RoleBinding;
 import run.halo.app.core.extension.RoleBinding.RoleRef;
 import run.halo.app.core.extension.RoleBinding.Subject;
@@ -42,28 +39,21 @@ public SuperAdminInitializer(ReactiveExtensionClient client, PasswordEncoder pas
 @EventListener
 public Mono initialize(ApplicationReadyEvent readyEvent) {
 return client.fetch(User.class, initializer.getSuperAdminUsername())
- .switchIfEmpty(Mono.defer(() -> client.create(createAdmin()))
- .flatMap(admin -> {
- var superRole = createSuperRole();
- return client.create(superRole)
- .flatMap(role -> {
- var binding = bindAdminAndSuperRole(admin, superRole);
- return client.create(binding).thenReturn(role);
- })
- .thenReturn(admin);
- }))
- .then();
+ .switchIfEmpty(Mono.defer(() -> client.create(createAdmin())).flatMap(admin -> {
+ var binding = bindAdminAndSuperRole(admin);
+ return client.create(binding).thenReturn(admin);
+ })).then();
 }
 
- RoleBinding bindAdminAndSuperRole(User admin, Role superRole) {
+ RoleBinding bindAdminAndSuperRole(User admin) {
 var metadata = new Metadata();
 String name = String.join("-", initializer.getSuperAdminUsername(), SUPER_ROLE_NAME, "binding");
 metadata.setName(name);
 
 var roleRef = new RoleRef();
- roleRef.setName(superRole.getMetadata().getName());
- roleRef.setApiGroup(superRole.groupVersionKind().group());
- roleRef.setKind(superRole.getKind());
+ roleRef.setName(SUPER_ROLE_NAME);
+ roleRef.setApiGroup(Role.GROUP);
+ roleRef.setKind(Role.KIND);
 
 var subject = new Subject();
 subject.setName(admin.getMetadata().getName());
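Review bot: `bindAdminAndSuperRole` now points the `RoleRef` at `SUPER_ROLE_NAME` without the role being created or even fetched in the same flow, so `initialize` writes the binding unconditionally; if the YAML-defined `super-role` has not been loaded by the time `ApplicationReadyEvent` fires, or its name ever diverges from `SUPER_ROLE_NAME` (declared outside this hunk), the result is a dangling binding that leaves the initial super admin without permissions rather than a loud failure. Since the role is a plain extension the client can look up, the same pattern used for `User` would catch this: `.flatMap(admin -> client.fetch(Role.class, SUPER_ROLE_NAME).switchIfEmpty(Mono.error(new IllegalStateException("super role " + SUPER_ROLE_NAME + " is not loaded"))).then(client.create(bindAdminAndSuperRole(admin))).thenReturn(admin))`. If the loading order is guaranteed elsewhere, a comment on the roleRef lines is still worth adding: `// super-role is defined in extensions/system-default-role.yaml; keep SUPER_ROLE_NAME in sync with it.` The method bodies continue outside the hunk.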
@@ -78,26 +68,6 @@ RoleBinding bindAdminAndSuperRole(User admin, Role superRole) {
 return roleBinding;
 }
 
- Role createSuperRole() {
- var metadata = new Metadata();
- metadata.setName(SUPER_ROLE_NAME);
- Map annotations = new HashMap<>();
- annotations.put(Role.UI_PERMISSIONS_ANNO, "[\"*\"]");
- metadata.setAnnotations(annotations);
-
- var superRule = new PolicyRule.Builder()
- .apiGroups("*")
- .resources("*")
- .nonResourceURLs("*")
- .verbs("*")
- .build();
-
- var role = new Role();
- role.setMetadata(metadata);
- role.setRules(List.of(superRule));
- return role;
- }
-
 User createAdmin() {
 var metadata = new Metadata();
 metadata.setName(initializer.getSuperAdminUsername());
diff --git a/src/main/resources/extensions/system-default-role.yaml b/src/main/resources/extensions/system-default-role.yaml
index 9a3a2878b6..1742f5a260 100644
--- a/src/main/resources/extensions/system-default-role.yaml
+++ b/src/main/resources/extensions/system-default-role.yaml
@@ -1,5 +1,23 @@
 apiVersion: v1alpha1
-kind: "Role"
+kind: Role
 metadata:
 name: guest
+ labels:
+ rbac.authorization.halo.run/system-reserved: "true"
 rules: [ ]
+
+---
+apiVersion: v1alpha1
+kind: Role
+metadata:
+ name: super-role
+ labels:
+ rbac.authorization.halo.run/system-reserved: "true"
+ annotations:
+ rbac.authorization.halo.run/ui-permissions: |
+ ["*"]
+rules:
+ - apiGroups: ["*"]
+ resources: ["*"]
+ nonResourceURLs: ["*"]
+ verbs: ["*"]
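Review bot: The `ui-permissions` annotation on `super-role` uses a literal block scalar (`|`), so its value is `["*"]` followed by a newline, whereas the `createSuperRole` code this replaces set the annotation to exactly `["*"]` with no trailing newline. If the consumer parses the value as JSON that is harmless, but any exact-string comparison or concatenation downstream now sees a different value; `rbac.authorization.halo.run/ui-permissions: '["*"]'` keeps the previous value byte-for-byte. The `rbac.authorization.halo.run/system-reserved: "true"` label is also attached to `guest`, yet nothing in this patch reads the label, so the guarantee it is meant to give (presumably that these roles cannot be edited or deleted through the normal API) cannot be confirmed from here and deserves a sentence in the commit description. The all-wildcard rule set previously built in Java is preserved unchanged, including `nonResourceURLs: ["*"]`.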