From 0e4ef2b176d7563408b4614d9aa28414d0aa58db Mon Sep 17 00:00:00 2001
From: Shawn Carey
Date: Wed, 28 Feb 2024 10:47:51 -0500
Subject: [PATCH] respect service policies for admin identities. fixes #1781.

---
 controller/model/edge_service_manager.go | 36 +++++++++---------------
 1 file changed, 14 insertions(+), 22 deletions(-)

diff --git a/controller/model/edge_service_manager.go b/controller/model/edge_service_manager.go
index 5918b45c3..954f22f27 100644
--- a/controller/model/edge_service_manager.go
+++ b/controller/model/edge_service_manager.go
@@ -119,21 +119,11 @@ func (self *EdgeServiceManager) ReadForIdentity(id string, identityId string, co
 }
 
 func (self *EdgeServiceManager) ReadForIdentityInTx(tx *bbolt.Tx, id string, identityId string, configTypes map[string]struct{}) (*ServiceDetail, error) {
-	identity, err := self.GetEnv().GetManagers().Identity.readInTx(tx, identityId)
-	if err != nil {
-		return nil, err
-	}
-
+	var err error
 	var service *ServiceDetail
-	if identity.IsAdmin {
-		service, err = self.readInTx(tx, id)
-		if err == nil && service != nil {
-			service.Permissions = []string{db.PolicyTypeBindName, db.PolicyTypeDialName}
-		}
-	} else {
-		service, err = self.ReadForNonAdminIdentityInTx(tx, id, identityId)
-	}
+	// service permissions for admin & non-admin identities will be set according to policies
+	service, err = self.ReadForNonAdminIdentityInTx(tx, id, identityId)
 	if err == nil && len(configTypes) > 0 {
 		identityServiceConfigs := self.env.GetStores().Identity.LoadServiceConfigsByServiceAndType(tx, identityId, configTypes)
 		self.mergeConfigs(tx, configTypes, service, identityServiceConfigs)
@@ -143,10 +133,14 @@ func (self *EdgeServiceManager) ReadForIdentityInTx(tx *bbolt.Tx, id string, ide
 func (self *EdgeServiceManager) ReadForNonAdminIdentityInTx(tx *bbolt.Tx, id string, identityId string) (*ServiceDetail, error) {
 	edgeServiceStore := self.env.GetStores().EdgeService
+	identity, err := self.GetEnv().GetManagers().Identity.readInTx(tx, identityId)
+	if err != nil {
+		return nil, err
+	}
 	isBindable := edgeServiceStore.IsBindableByIdentity(tx, id, identityId)
 	isDialable := edgeServiceStore.IsDialableByIdentity(tx, id, identityId)
-	if !isBindable && !isDialable {
+	if !isBindable && !isDialable && !identity.IsAdmin { // admin can view services even if policies don't permit bind/dial
 		return nil, boltz.NewNotFoundError(self.GetStore().GetSingularEntityType(), "id", id)
 	}
@@ -163,6 +157,10 @@ func (self *EdgeServiceManager) ReadForNonAdminIdentityInTx(tx *bbolt.Tx, id str
 	if isDialable {
 		result.Permissions = append(result.Permissions, db.PolicyTypeDialName)
 	}
+	if result.Permissions == nil {
+		// don't return results with no permissions, since some SDKs assume non-nil permissions
+		result.Permissions = []string{db.PolicyTypeInvalidName}
+	}
 	return result, nil
 }
@@ -259,14 +257,8 @@ func (result *ServiceListResult) collect(tx *bbolt.Tx, ids []string, queryMetaDa
 	identityServiceConfigs := result.manager.env.GetStores().Identity.LoadServiceConfigsByServiceAndType(tx, result.identityId, result.configTypes)
 	for _, key := range ids {
-		if !result.isAdmin && result.identityId != "" {
-			service, err = result.manager.ReadForNonAdminIdentityInTx(tx, key, result.identityId)
-		} else {
-			service, err = result.manager.readInTx(tx, key)
-			if service != nil && result.isAdmin {
-				service.Permissions = []string{db.PolicyTypeBindName, db.PolicyTypeDialName}
-			}
-		}
+		// service permissions for admin & non-admin identities will be set according to policies
+		service, err = result.manager.ReadForNonAdminIdentityInTx(tx, key, result.identityId)
 		if err != nil {
 			return err
 		}
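Review bot: `ReadForNonAdminIdentityInTx` is now the authorization path for every identity, admins included, but nothing on the function says so; a reader going by the name would assume admin requests never reach it and could miss that the `!identity.IsAdmin` clause is the only thing letting an admin past the not-found check. Add a doc comment above the signature, e.g. `// ReadForNonAdminIdentityInTx reads service id as seen by identityId. Permissions are derived from service policies for all identities; an admin is additionally returned a service that no policy grants, with Permissions limited to what the policies allow.` The new `identity.IsAdmin` dereference also assumes readInTx never returns a nil identity with a nil error; the code removed in the first hunk made the same assumption, so this is presumably guaranteed, but it is worth confirming against readInTx. The function body continues past this hunk.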
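Review bot: The removed guard `result.identityId != ""` suggests collect can run with no identity in scope, and in that case the new unconditional call hands an empty identityId to `ReadForNonAdminIdentityInTx`, whose added `Identity.readInTx` lookup will presumably fail and abort the whole listing with an error where the old code returned the services. If that path is still reachable, keep a plain read for the empty-identity case as below; if it is not, note that `result.isAdmin` no longer appears to be read in this loop and may be dead. collect's body continues outside this hunk.
```go
	for _, key := range ids {
		// permissions come from service policies; with no identity in scope there is nothing to evaluate them against
		if result.identityId == "" {
			service, err = result.manager.readInTx(tx, key)
		} else {
			service, err = result.manager.ReadForNonAdminIdentityInTx(tx, key, result.identityId)
		}
		// … unchanged: error check …
```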