From 68127519b76c14e57ab32f4c01797361be321e1d Mon Sep 17 00:00:00 2001
From: Mark Laing
Date: Wed, 28 Feb 2024 23:09:57 +0000
Subject: [PATCH] lxd: Update GET /1.0/auth/permissions handler.

This updates the handler to ensure we only display valid permissions. All dangling permissions are deleted.

Signed-off-by: Mark Laing
---
 lxd/permissions.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/lxd/permissions.go b/lxd/permissions.go
index b5d871c9c52f..f7e4ffca367e 100644
--- a/lxd/permissions.go
+++ b/lxd/permissions.go
@@ -11,6 +11,7 @@ import (
 "github.com/canonical/lxd/lxd/response"
 "github.com/canonical/lxd/shared/api"
 "github.com/canonical/lxd/shared/entity"
+ "github.com/canonical/lxd/shared/logger"
 )
 var permissionsCmd = APIEndpoint{
@@ -153,6 +154,19 @@ func getPermissions(d *Daemon, r *http.Request) response.Response {
 return fmt.Errorf("Failed to get currently assigned permissions: %w", err)
 }
+ // Call GetPermissionEntityURLs to ensure only valid permissions are returned.
+ var danglingPermissions []cluster.Permission
+ permissions, danglingPermissions, _, err = cluster.GetPermissionEntityURLs(ctx, tx.Tx(), permissions)
+ if err != nil {
+ return fmt.Errorf("Failed to get entity URLs for permissions: %w", err)
+ }
+
+ // Clean up dangling permissions if present.
+ err = cluster.DeletePermissions(ctx, tx.Tx(), danglingPermissions)
+ if err != nil {
+ logger.Warn("Failed to clean up dangling permissions", logger.Ctx{"error": err})
+ }
+
 groupsByPermissionID, err = cluster.GetAllAuthGroupsByPermissionID(ctx, tx.Tx())
 if err != nil {
 return fmt.Errorf("Failed to get groups by permission mapping: %w", err)
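Review bot: The cleanup step in the second hunk calls `cluster.DeletePermissions` unconditionally, although its comment says "if present", and it removes authorization records from inside a GET handler without recording what was removed. Guarding the call with `if len(danglingPermissions) > 0 {` would keep the common read path free of writes. A line such as `logger.Warn("Deleting dangling permissions", logger.Ctx{"count": len(danglingPermissions)})` would leave a trace if a permission is ever wrongly classified as dangling. It is not visible here whether `DeletePermissions` is a no-op for an empty slice, or whether the transaction stays usable after it fails, so continuing after the logged warning should be confirmed against those helpers. The body of getPermissions starts and ends outside the hunk.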