Update az aro permissions validation to mirror RP frontend validation

Azure · Feb 8, 2024 · 43f4ed2 · 43f4ed2
1 parent 9eb8db1
commit 43f4ed2
Show file tree

Hide file tree

Showing 2 changed files with 90 additions and 9 deletions.
diff --git a/python/az/aro/azext_aro/_dynamic_validators.py b/python/az/aro/azext_aro/_dynamic_validators.py
@@ -27,16 +27,27 @@
 
 def can_do_action(perms, action):
     for perm in perms:
-        for not_action in perm.not_actions:
-            match = re.escape(not_action)
-            match = re.match("(?i)^" + match.replace(r"\*", ".*") + "$", action)
-            if match:
-                return f"{action} permission is disabled"
+        matched = False
+
         for perm_action in perm.actions:
             match = re.escape(perm_action)
             match = re.match("(?i)^" + match.replace(r"\*", ".*") + "$", action)
             if match:
-                return None
+                matched = True
+                break
+
+        if not matched:
+            continue
+
+        for not_action in perm.not_actions:
+            match = re.escape(not_action)
+            match = re.match("(?i)^" + match.replace(r"\*", ".*") + "$", action)
+            if match:
+                matched = False
+                break
+
+        if matched:
+            return None
 
     return f"{action} permission is missing"
 

diff --git a/python/az/aro/azext_aro/tests/latest/unit/test_dynamic_validators.py b/python/az/aro/azext_aro/tests/latest/unit/test_dynamic_validators.py
@@ -3,12 +3,82 @@
 
 from unittest.mock import Mock, patch
 from azext_aro._dynamic_validators import (
-    dyn_validate_cidr_ranges, dyn_validate_subnet_and_route_tables, dyn_validate_vnet, dyn_validate_resource_permissions, dyn_validate_version
+    can_do_action,
+    dyn_validate_cidr_ranges,
+    dyn_validate_subnet_and_route_tables,
+    dyn_validate_vnet,
+    dyn_validate_resource_permissions,
+    dyn_validate_version
 )
 
 from azure.mgmt.authorization.models import Permission
 import pytest
 
+test_can_do_action_data = [
+    (
+        "empty permissions list",
+        [],
+        "Microsoft.Network/virtualNetworks/subnets/join/action",
+        "Microsoft.Network/virtualNetworks/subnets/join/action permission is missing"
+    ),
+    (
+        "has permission - exact",
+        [
+            Permission(actions=["Microsoft.Compute/virtualMachines/*"], not_actions=[]),
+            Permission(actions=["Microsoft.Network/virtualNetworks/subnets/join/action"], not_actions=[]),
+        ],
+        "Microsoft.Network/virtualNetworks/subnets/join/action",
+        None
+    ),
+    (
+        "has permission - wildcard",
+        [
+            Permission(actions=["Microsoft.Network/virtualNetworks/subnets/*/action"], not_actions=[]),
+        ],
+        "Microsoft.Network/virtualNetworks/subnets/join/action",
+        None
+    ),
+    (
+        "has permission - exact, conflict",
+        [
+            Permission(actions=[], not_actions=["Microsoft.Network/virtualNetworks/subnets/join/action"]),
+            Permission(actions=["Microsoft.Network/virtualNetworks/subnets/join/action"], not_actions=[]),
+        ],
+        "Microsoft.Network/virtualNetworks/subnets/join/action",
+        None
+    ),
+    (
+        "has permission excluded - exact",
+        [
+            Permission(actions=["Microsoft.Network/*"], not_actions=["Microsoft.Network/virtualNetworks/subnets/join/action"]),
+        ],
+        "Microsoft.Network/virtualNetworks/subnets/join/action",
+        "Microsoft.Network/virtualNetworks/subnets/join/action permission is missing"
+    ),
+    (
+        "has permission excluded - wildcard",
+        [
+            Permission(actions=["Microsoft.Network/*"], not_actions=["Microsoft.Network/virtualNetworks/subnets/*/action"]),
+        ],
+        "Microsoft.Network/virtualNetworks/subnets/join/action",
+        "Microsoft.Network/virtualNetworks/subnets/join/action permission is missing"
+    )
+]
+
+
+@pytest.mark.parametrize(
+    "test_description, perms, action, expected_error",
+    test_can_do_action_data,
+    ids=[i[0] for i in test_can_do_action_data]
+)
+def test_can_do_action(
+    test_description, perms, action, expected_error
+):
+    error = can_do_action(perms, action)
+
+    if error != expected_error:
+        raise Exception(f"Error mismatch, expected: {expected_error}, actual: {error}")
+
 
 test_validate_cidr_data = [
     (
@@ -166,7 +236,7 @@ def test_validate_cidr(
             "child_name_1": None
         },
         Mock(),
-        "Microsoft.Network/routeTables/join/action permission is disabled"
+        "Microsoft.Network/routeTables/join/action permission is missing"
     ),
     (
         "should return missing permission when actions are not present",
@@ -301,7 +371,7 @@ def test_validate_subnets(
             "child_name_1": None
         },
         Mock(),
-        "Microsoft.Network/virtualNetworks/join/action permission is disabled"
+        "Microsoft.Network/virtualNetworks/join/action permission is missing"
     ),
     (
         "should return missing permission when actions are not present",