From 5f0539d67f87d56700b606c00950d3c82130a938 Mon Sep 17 00:00:00 2001 From: John Niang Date: Wed, 7 Dec 2022 10:49:00 +0800 Subject: [PATCH] Add forgotten label for system-reserved roles (#2865) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit #### What type of PR is this? /kind bug /area core #### What this PR does / why we need it: Add forgotten label `rbac.authorization.halo.run/system-reserved` for system-reserved roles. See the screenshot below: ![image](https://user-images.githubusercontent.com/16865714/205936031-8a49d4ef-9d10-4c72-a125-973cd361771e.png) #### Which issue(s) this PR fixes: Fixes https://github.com/halo-dev/halo/issues/2844 #### Special notes for your reviewer: For @halo-dev/sig-halo-console : We have to determine whether the role is system-reserved by checking if label `rbac.authorization.halo.run/system-reserved` is equal to `true`. #### Does this PR introduce a user-facing change? ```release-note 修复每个角色都显示系统保留标签的问题 ``` --- .../run/halo/app/core/extension/Role.java | 3 ++ .../app/security/SuperAdminInitializer.java | 46 ++++--------------- .../extensions/system-default-role.yaml | 20 +++++++- 3 files changed, 30 insertions(+), 39 deletions(-) diff --git a/src/main/java/run/halo/app/core/extension/Role.java b/src/main/java/run/halo/app/core/extension/Role.java index 778d13d0b..6b6ddd47c 100644 --- a/src/main/java/run/halo/app/core/extension/Role.java +++ b/src/main/java/run/halo/app/core/extension/Role.java 
@@ -32,6 +32,9 @@ public class Role extends AbstractExtension { "rbac.authorization.halo.run/dependency-rules"; public static final String ROLE_DEPENDENCIES_ANNO = "rbac.authorization.halo.run/dependencies"; public static final String UI_PERMISSIONS_ANNO = "rbac.authorization.halo.run/ui-permissions"; + + public static final String SYSTEM_RESERVED_LABELS = + "rbac.authorization.halo.run/system-reserved"; public static final String UI_PERMISSIONS_AGGREGATED_ANNO = "rbac.authorization.halo.run/ui-permissions-aggregated"; diff --git a/src/main/java/run/halo/app/security/SuperAdminInitializer.java b/src/main/java/run/halo/app/security/SuperAdminInitializer.java index 6c7a5d54b..9cf346692 100644 --- a/src/main/java/run/halo/app/security/SuperAdminInitializer.java +++ b/src/main/java/run/halo/app/security/SuperAdminInitializer.java @@ -1,9 +1,7 @@ package run.halo.app.security; import java.time.Instant; -import java.util.HashMap; import java.util.List; -import java.util.Map; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.RandomStringUtils; import org.springframework.boot.context.event.ApplicationReadyEvent; @@ -12,7 +10,6 @@ import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.util.StringUtils; import reactor.core.publisher.Mono; import run.halo.app.core.extension.Role; -import run.halo.app.core.extension.Role.PolicyRule; import run.halo.app.core.extension.RoleBinding; import run.halo.app.core.extension.RoleBinding.RoleRef; import run.halo.app.core.extension.RoleBinding.Subject; 
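Review bot: The new constant `SYSTEM_RESERVED_LABELS` is plural although it names exactly one label key, and the value that marks a role as reserved (`"true"`, according to the PR description) is not recorded anywhere in the code, so consumers comparing the label value have nothing next to the key to agree on. I would name it `SYSTEM_RESERVED_LABEL` (keeping the current name as a deprecated alias if anything already references it) and add a Javadoc line such as `/** Label key whose string value "true" marks a role as system-reserved; consumers compare the string, not a boolean. */`. Because labels are ordinary mutable metadata, any component that uses this label to decide whether a role may be edited or deleted should be aware that whoever can update a Role can also change the label — worth confirming how the console intends to use it. The Role class continues outside this hunk.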
@@ -42,28 +39,21 @@ public class SuperAdminInitializer { @EventListener public Mono initialize(ApplicationReadyEvent readyEvent) { return client.fetch(User.class, initializer.getSuperAdminUsername()) - .switchIfEmpty(Mono.defer(() -> client.create(createAdmin())) - .flatMap(admin -> { - var superRole = createSuperRole(); - return client.create(superRole) - .flatMap(role -> { - var binding = bindAdminAndSuperRole(admin, superRole); - return client.create(binding).thenReturn(role); - }) - .thenReturn(admin); - })) - .then(); + .switchIfEmpty(Mono.defer(() -> client.create(createAdmin())).flatMap(admin -> { + var binding = bindAdminAndSuperRole(admin); + return client.create(binding).thenReturn(admin); + })).then(); } - RoleBinding bindAdminAndSuperRole(User admin, Role superRole) { + RoleBinding bindAdminAndSuperRole(User admin) { var metadata = new Metadata(); String name = String.join("-", initializer.getSuperAdminUsername(), SUPER_ROLE_NAME, "binding"); metadata.setName(name); var roleRef = new RoleRef(); - roleRef.setName(superRole.getMetadata().getName()); - roleRef.setApiGroup(superRole.groupVersionKind().group()); - roleRef.setKind(superRole.getKind()); + roleRef.setName(SUPER_ROLE_NAME); + roleRef.setApiGroup(Role.GROUP); + roleRef.setKind(Role.KIND); var subject = new Subject(); subject.setName(admin.getMetadata().getName()); 
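Review bot: `bindAdminAndSuperRole` now writes a RoleBinding whose `RoleRef` points at `SUPER_ROLE_NAME` by name only, whereas the removed code created the role in the same reactive chain; nothing in `initialize` verifies that the `super-role` extension from `system-default-role.yaml` has actually been loaded by the time `ApplicationReadyEvent` fires. If the YAML is applied later or not at all, the super admin is created with a dangling binding and no privileges, which fails closed but will be hard to diagnose, so a `client.fetch(Role.class, SUPER_ROLE_NAME)` guard (or at least a warning log when it is absent) before creating the binding would make the dependency explicit. The method also references `Role.GROUP` and `Role.KIND`, which this diff does not show being declared — presumably they already exist on `Role`. A comment like `// super-role is defined in resources/extensions/system-default-role.yaml; only the binding is created here` would help the next reader. `bindAdminAndSuperRole` continues past the end of the hunk.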
@@ -78,26 +68,6 @@ public class SuperAdminInitializer { return roleBinding; } - Role createSuperRole() { - var metadata = new Metadata(); - metadata.setName(SUPER_ROLE_NAME); - Map annotations = new HashMap<>(); - annotations.put(Role.UI_PERMISSIONS_ANNO, "[\"*\"]"); - metadata.setAnnotations(annotations); - - var superRule = new PolicyRule.Builder() - .apiGroups("*") - .resources("*") - .nonResourceURLs("*") - .verbs("*") - .build(); - - var role = new Role(); - role.setMetadata(metadata); - role.setRules(List.of(superRule)); - return role; - } - User createAdmin() { var metadata = new Metadata(); metadata.setName(initializer.getSuperAdminUsername()); diff --git a/src/main/resources/extensions/system-default-role.yaml b/src/main/resources/extensions/system-default-role.yaml index 9a3a2878b..1742f5a26 100644 --- a/src/main/resources/extensions/system-default-role.yaml +++ b/src/main/resources/extensions/system-default-role.yaml @@ -1,5 +1,23 @@ apiVersion: v1alpha1 -kind: "Role" +kind: Role metadata: name: guest + labels: + rbac.authorization.halo.run/system-reserved: "true" rules: [ ] + +--- +apiVersion: v1alpha1 +kind: Role +metadata: + name: super-role + labels: + rbac.authorization.halo.run/system-reserved: "true" + annotations: + rbac.authorization.halo.run/ui-permissions: | + ["*"] +rules: + - apiGroups: ["*"] + resources: ["*"] + nonResourceURLs: ["*"] + verbs: ["*"]
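Review bot: The new `super-role` document carries no comment tying it to `SuperAdminInitializer`, which binds the super admin to this role purely by the name `super-role`; renaming the document or dropping it from the resource would silently leave the admin without permissions. Add above the document: `# Bound to the super admin by SuperAdminInitializer (SUPER_ROLE_NAME); do not rename or remove.` Since this role grants `"*"` on every apiGroup, resource, nonResourceURL and verb, the file is now the sole definition of full-administrator privilege and deserves a warning comment saying so as well. The `ui-permissions` annotation uses a `|` block scalar, so its value is `["*"]` followed by a newline, whereas the removed Java code set the annotation without one; I would confirm the JSON consumer tolerates the trailing newline or switch to a plain quoted string `'["*"]'`. Quoting the label value as `"true"` is correct here, since consumers compare the string rather than a YAML boolean.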