Add permission to cloudConnectorStatus GQL call
What does this MR do and why?
In the initial iteration of the cloudConnectorStatus GraphQL call, we did not add authorization logic via our internal permissions system. This means anyone with a valid token can call this endpoint.
Since this endpoint is currently only used by instance admins, we should restrict this API to this particular type of persona.
This MR introduces the read_cloud_connector_status permission, which is directly tied to the admin user role. I also streamlined the resolver a little by returning a proper error message instead of null when the caller is not allowed to call this API for whichever reason.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Note: The UI for this API call is by definition only available to admins because it is scoped to AdminController. Ordinary users cannot access this page to begin with.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Log in as admin and obtain a PAT. The following curl should provide a response (note that "success" here is just payload and relates to the status probe run, not the call itself!):
    curl -v -H'content-type: application/json' -H'Authorization: Bearer <admin_pat>' -d'{"query":"query { cloudConnectorStatus {success} }"}' localhost:3000/api/graphql
    {"data":{"cloudConnectorStatus":{"success":false}}}
- Log in as normal user and obtain a PAT. The following curl should return an errors object now:
    curl -v -H'content-type: application/json' -H'Authorization: Bearer <user_pat>' -d'{"query":"query { cloudConnectorStatus {success} }"}' localhost:3000/api/graphql
    {"errors":[{"message":"The resource that you are attempting to access does not exist or you don't have permission to perform this action","locations":[{"line":1,"column":9}],"path":["cloudConnectorStatus"]}],"data":{"cloudConnectorStatus":null}}
Related to #476656 (closed)
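A check for the two validation steps above, as an added example that is not part of the MR or of GitLab's code base: it classifies a response body as allowed, denied or unexpected without mistaking the probe's "success" payload for the authorization result. The function and constant names are hypothetical, and the silent-null body is a constructed sample.

```ruby
require 'json'

FIELD = 'cloudConnectorStatus' # field name from the MR description

# Response bodies quoted in the validation steps above.
ADMIN_BODY = '{"data":{"cloudConnectorStatus":{"success":false}}}'
USER_BODY = <<~'BODY'
  {"errors":[{"message":"The resource that you are attempting to access does not exist or you don't have permission to perform this action","locations":[{"line":1,"column":9}],"path":["cloudConnectorStatus"]}],"data":{"cloudConnectorStatus":null}}
BODY
# Constructed sample: a bare null with no error entry explaining it.
SILENT_NULL_BODY = '{"data":{"cloudConnectorStatus":null}}'

# Classify a GraphQL response body as :allowed, :denied or :unexpected.
# The probe result ("success": true/false) is payload and never decides this.
def classify_response(body)
  doc = JSON.parse(body)
  return :unexpected unless doc.is_a?(Hash)

  data = doc['data']
  value = data.is_a?(Hash) ? data[FIELD] : nil
  errors = Array(doc['errors']).select { |e| e.is_a?(Hash) }
  field_errors = errors.select { |e| e['path'] == [FIELD] }

  if errors.empty? && value.is_a?(Hash) && [true, false].include?(value['success'])
    :allowed
  elsif !field_errors.empty? && value.nil?
    :denied
  else
    :unexpected # silent null, or an error that still carries field data
  end
rescue JSON::ParserError
  :unexpected
end

# True only when the admin call is served and the non-admin call is refused
# with an explicit error on the cloudConnectorStatus path.
def authorization_enforced?(admin_body, user_body)
  classify_response(admin_body) == :allowed &&
    classify_response(user_body) == :denied
end

if __FILE__ == $PROGRAM_NAME
  puts "admin: #{classify_response(ADMIN_BODY)}"
  puts "user:  #{classify_response(USER_BODY)}"
  puts "enforced: #{authorization_enforced?(ADMIN_BODY, USER_BODY)}"
end
```
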
