lxd: Update GET /1.0/auth/permissions handler.

This updates the handler to ensure we only display valid permissions. All dangling permissions are deleted. Signed-off-by: Mark Laing <mark.laing@canonical.com>
canonical · Feb 28, 2024 · 6812751 · 6812751
1 parent dc5dcd7
commit 6812751
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/lxd/permissions.go b/lxd/permissions.go
@@ -11,6 +11,7 @@ import (
 	"github.com/canonical/lxd/lxd/response"
 	"github.com/canonical/lxd/shared/api"
 	"github.com/canonical/lxd/shared/entity"
+	"github.com/canonical/lxd/shared/logger"
 )
 
 var permissionsCmd = APIEndpoint{
@@ -153,6 +154,19 @@ func getPermissions(d *Daemon, r *http.Request) response.Response {
 				return fmt.Errorf("Failed to get currently assigned permissions: %w", err)
 			}
 
+			// Call GetPermissionEntityURLs to ensure only valid permissions are returned.
+			var danglingPermissions []cluster.Permission
+			permissions, danglingPermissions, _, err = cluster.GetPermissionEntityURLs(ctx, tx.Tx(), permissions)
+			if err != nil {
+				return fmt.Errorf("Failed to get entity URLs for permissions: %w", err)
+			}
+
+			// Clean up dangling permissions if present.
+			err = cluster.DeletePermissions(ctx, tx.Tx(), danglingPermissions)
+			if err != nil {
+				logger.Warn("Failed to clean up dangling permissions", logger.Ctx{"error": err})
+			}
+
 			groupsByPermissionID, err = cluster.GetAllAuthGroupsByPermissionID(ctx, tx.Tx())
 			if err != nil {
 				return fmt.Errorf("Failed to get groups by permission mapping: %w", err)