feat: add external ops roles and status management in configuration a…

…nd ACL checks
signal18 · svaroqui · Jan 27, 2025 · Jan 22, 2025 · Jan 22, 2025 · Jan 24, 2025
commit 25c41ccc8851e25f2604ef66b2cc45e60adaf4aa
diff --git a/cluster/cluster_acl.go b/cluster/cluster_acl.go
@@ -105,9 +105,9 @@ func (cluster *Cluster) SaveUserAcls(user string) (string, string) {
 
 func (cluster *Cluster) SaveUserRoles(user string) string {
 	var aEnabledRoles []string
-	for grant, value := range cluster.APIUsers[user].Roles {
+	for role, value := range cluster.APIUsers[user].Roles {
 		if value {
-			aEnabledRoles = append(aEnabledRoles, grant)
+			aEnabledRoles = append(aEnabledRoles, role)
 		}
 	}
 	return strings.Join(aEnabledRoles, " ")
@@ -861,17 +861,31 @@ func (cluster *Cluster) IsURLPassACL(strUser string, URL string, errorPrint bool
 		}
 	}
 
+	if cluster.APIUsers[strUser].Grants[config.GrantExternalRole] {
+		if strings.Contains(URL, "/api/clusters/"+cluster.Name+"/ext-role/subscribe") {
+			return true
+		}
+	}
+
 	if cluster.APIUsers[strUser].Grants[config.GrantSalesValidate] {
 		if strings.Contains(URL, "/api/clusters/"+cluster.Name+"/sales/accept-subscription") {
 			return true
 		}
+
+		if strings.Contains(URL, "/api/clusters/"+cluster.Name+"/ext-role/accept") {
+			return true
+		}
 	}
 
 	if cluster.APIUsers[strUser].Grants[config.GrantSalesRefuse] {
 		if strings.Contains(URL, "/api/clusters/"+cluster.Name+"/sales/refuse-subscription") {
 			return true
 		}
 
+		if strings.Contains(URL, "/api/clusters/"+cluster.Name+"/ext-role/refuse") {
+			return true
+		}
+
 		if strings.Contains(URL, "/api/clusters/"+cluster.Name+"/unsubscribe") {
 			return true
 		}
@@ -881,6 +895,10 @@ func (cluster *Cluster) IsURLPassACL(strUser string, URL string, errorPrint bool
 		if strings.Contains(URL, "/api/clusters/"+cluster.Name+"/sales/end-subscription") {
 			return true
 		}
+
+		if strings.Contains(URL, "/api/clusters/"+cluster.Name+"/ext-role/end") {
+			return true
+		}
 	}
 
 	// Print error with no valid ACL

diff --git a/cluster/cluster_get.go b/cluster/cluster_get.go
@@ -469,6 +469,15 @@ func (cluster *Cluster) GetDbaPass() string {
 	return pass
 }
 
+func (cluster *Cluster) GetSponsorEmail() string {
+	for user, u := range cluster.APIUsers {
+		if u.Roles[config.RoleSponsor] {
+			return user
+		}
+	}
+	return ""
+}
+
 func (cluster *Cluster) GetSponsorUser() string {
 	user, _ := misc.SplitPair(cluster.Conf.Secrets["cloud18-sponsor-user-credentials"].Value)
 	return user
@@ -1397,3 +1406,12 @@ func (cluster *Cluster) GetExecEnv() []string {
 		`REPLICATION_MANAGER_CLUSTER_NAME=`+cluster.Name,
 	)
 }
+
+func (cluster *Cluster) GetExternalCost(role string) float64 {
+	if role == config.RoleExtDBOps {
+		return cluster.Conf.Cloud18MonthlyDbopsCost
+	} else if role == config.RoleExtSysOps {
+		return cluster.Conf.Cloud18MonthlySysopsCost
+	}
+	return 0
+}
diff --git a/config/config.go b/config/config.go
@@ -712,7 +712,9 @@ type Config struct {
 	Cloud18InfraGeoLocalizations              string                 `mapstructure:"cloud18-infra-geo-localizations"  toml:"cloud18-infra-geo-localizations" json:"cloud18InfraGeoLocalizations"`
 	Cloud18DbOps                              string                 `mapstructure:"cloud18-dbops"  toml:"cloud18-dbops" json:"cloud18DbOps"`
 	Cloud18ExternalDbOps                      string                 `mapstructure:"cloud18-external-dbops"  toml:"cloud18-external-dbops" json:"cloud18ExternalDbOps"`
+	Cloud18ExternalDbOpsStatus                string                 `mapstructure:"cloud18-external-dbops-status"  toml:"cloud18-external-dbops-status" json:"cloud18ExternalDbOpsStatus"`
 	Cloud18ExternalSysOps                     string                 `mapstructure:"cloud18-external-sysops" toml:"cloud18-external-sysops" json:"cloud18ExternalSysOps"`
+	Cloud18ExternalSysOpsStatus               string                 `mapstructure:"cloud18-external-sysops-status" toml:"cloud18-external-sysops-status" json:"cloud18ExternalSysOpsStatus"`
 	Cloud18InfraCertifications                string                 `mapstructure:"cloud18-infra-certifications"  toml:"cloud18-infra-certifications" json:"cloud18InfraCertifications"`
 	Cloud18OpenDbops                          bool                   `mapstructure:"cloud18-open-dbops"  toml:"cloud18-open-dbops" json:"cloud18OpenDbops"`
 	Cloud18SubscribedDbops                    bool                   `mapstructure:"cloud18-subscribed-dbops"  toml:"cloud18-subscribed-dbops" json:"cloud18SubscribedDbops"`
@@ -725,6 +727,8 @@ type Config struct {
 	Cloud18SalesSubscriptionScript            string                 `mapstructure:"cloud18-sales-subscription-script"  toml:"cloud18-sales-subscription-script" json:"cloud18SalesSubscriptionScript"`
 	Cloud18SalesSubscriptionValidateScript    string                 `mapstructure:"cloud18-sales-subscription-validate-script"  toml:"cloud18-sales-subscription-validate-script" json:"cloud18SalesSubscriptionValidateScript"`
 	Cloud18SalesUnsubscribeScript             string                 `mapstructure:"cloud18-sales-unsubscribe-script"  toml:"cloud18-sales-unsubscribe-script" json:"cloud18SalesUnsubscribeScript"`
+	Cloud18SalesExternalOpsValidateScript     string                 `mapstructure:"cloud18-sales-external-ops-validate-script"  toml:"cloud18-sales-external-ops-validate-script" json:"cloud18SalesExternalOpsValidateScript"`
+	Cloud18SalesExternalOpsStopScript         string                 `mapstructure:"cloud18-sales-external-ops-stop-script"  toml:"cloud18-sales-external-ops-stop-script" json:"cloud18SalesExternalOpsStopScript"`
 	LogSecrets                                bool                   `mapstructure:"log-secrets"  toml:"log-secrets" json:"-"`
 	Secrets                                   map[string]Secret      `toml:"-" json:"-"`
 	SecretKey                                 []byte                 `toml:"-" json:"-"`
@@ -999,14 +1003,24 @@ type Role struct {
 }
 
 const (
-	RoleSysOps       string = "sysops"
-	RoleDBOps        string = "dbops"
-	RoleExtSysOps    string = "extsysops"
-	RoleExtDBOps     string = "extdbops"
-	RoleSponsor      string = "sponsor"
-	RoleUnsubscribed string = "unsubscribed"
-	RolePending      string = "pending"
-	RoleVisitor      string = "visitor"
+	ExternalPending string = "pending"
+	ExternalActive  string = "active"
+	ExternalExpired string = "expired"
+)
+
+const (
+	RoleSysOps                string = "sysops"
+	RoleDBOps                 string = "dbops"
+	RoleExtSysOps             string = "extsysops"
+	RoleExtDBOps              string = "extdbops"
+	RoleSponsor               string = "sponsor"
+	RoleUnsubscribed          string = "unsubscribed"
+	RoleUnsubscribedExtDBOps  string = "unsubscribed-extdbops"
+	RoleUnsubscribedExtSysOps string = "unsubscribed-extsysops"
+	RolePending               string = "pending"
+	RolePendingExtDBOps       string = "pending-extdbops"
+	RolePendingExtSysOps      string = "pending-extsysops"
+	RoleVisitor               string = "visitor"
 )
 
 const (
@@ -1085,11 +1099,12 @@ const (
 	GrantGrantModify string = "grant-modify" // Can modify user ACL
 	GrantGrantGlobal string = "grant-global" // Can grant global acl
 
-	GrantShow string = "show" // Can show basic view
+	GrantShow         string = "show"    // Can show basic view
+	GrantExternalRole string = "extrole" // Can manage external ops
 
-	GrantSalesValidate    string = "sales-validate"    // Can update sales settings
-	GrantSalesRefuse      string = "sales-refuse"      // Can grant sales settings
-	GrantSalesUnsubscribe string = "sales-unsubscribe" // Can grant sales settings
+	GrantSalesValidate    string = "sales-validate"    // Can validate sales
+	GrantSalesRefuse      string = "sales-refuse"      // Can refuse sales
+	GrantSalesUnsubscribe string = "sales-unsubscribe" // Can unsubscribe sales
 )
 
 const (
@@ -2172,6 +2187,7 @@ func GetGrantType() map[string]string {
 		GrantSalesValidate:             GrantSalesValidate,
 		GrantSalesRefuse:               GrantSalesRefuse,
 		GrantSalesUnsubscribe:          GrantSalesUnsubscribe,
+		GrantExternalRole:              GrantExternalRole,
 		GrantGrantShow:                 GrantGrantShow,
 		GrantGrantAdd:                  GrantGrantAdd,
 		GrantGrantModify:               GrantGrantModify,
@@ -2510,19 +2526,29 @@ func GetCompactGrants(grants map[string]bool) ([]string, []string) {
 		compactDiscardGrants = append(compactDiscardGrants, "show")
 	}
 
+	if grants["extrole"] {
+		compactGrants = append(compactGrants, "extrole")
+	} else {
+		compactDiscardGrants = append(compactDiscardGrants, "extrole")
+	}
+
 	return compactGrants, compactDiscardGrants
 }
 
 func GetRoleType() map[string]string {
 	return map[string]string{
-		RoleSysOps:       RoleSysOps,
-		RoleDBOps:        RoleDBOps,
-		RoleExtSysOps:    RoleExtSysOps,
-		RoleExtDBOps:     RoleExtDBOps,
-		RoleSponsor:      RoleSponsor,
-		RolePending:      RolePending,
-		RoleUnsubscribed: RoleUnsubscribed,
-		RoleVisitor:      RoleVisitor,
+		RoleSysOps:                RoleSysOps,
+		RoleDBOps:                 RoleDBOps,
+		RoleExtSysOps:             RoleExtSysOps,
+		RoleExtDBOps:              RoleExtDBOps,
+		RoleSponsor:               RoleSponsor,
+		RolePending:               RolePending,
+		RolePendingExtDBOps:       RolePendingExtDBOps,
+		RolePendingExtSysOps:      RolePendingExtSysOps,
+		RoleUnsubscribed:          RoleUnsubscribed,
+		RoleUnsubscribedExtDBOps:  RoleUnsubscribedExtDBOps,
+		RoleUnsubscribedExtSysOps: RoleUnsubscribedExtSysOps,
+		RoleVisitor:               RoleVisitor,
 	}
 }