From 31b6de9a11b77fb14f671d20a036936557797f93 Mon Sep 17 00:00:00 2001
From: testA113 <aliharriss1995@gmail.com>
Date: Sat, 5 Oct 2024 09:28:37 +1300
Subject: [PATCH] cluster role binding delete

---
 .../kubernetes/cluster_role_bindings.go       | 37 ++++++++++++++++++-
 api/http/handler/kubernetes/handler.go        |  1 +
 api/kubernetes/cli/cluster_role_binding.go    | 35 ++++++++++++++++++
 3 files changed, 72 insertions(+), 1 deletion(-)

diff --git a/api/http/handler/kubernetes/cluster_role_bindings.go b/api/http/handler/kubernetes/cluster_role_bindings.go
index 918c4950d..a5ad040cf 100644
--- a/api/http/handler/kubernetes/cluster_role_bindings.go
+++ b/api/http/handler/kubernetes/cluster_role_bindings.go
@@ -3,7 +3,9 @@ package kubernetes
 import (
 	"net/http"
 
+	models "github.com/portainer/portainer/api/http/models/kubernetes"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
 	"github.com/rs/zerolog/log"
 )
@@ -16,7 +18,7 @@ import (
 // @security ApiKeyAuth || jwt
 // @produce json
 // @param id path int true "Environment identifier"
-// @success 200 {array} kubernetes.K8sClusterRoleBinding "Success"
+// @success 200 {array} models.K8sClusterRoleBinding "Success"
 // @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
 // @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
 // @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
@@ -43,3 +45,36 @@ func (handler *Handler) getAllKubernetesClusterRoleBindings(w http.ResponseWrite
 
 	return response.JSON(w, clusterrolebindings)
 }
+
+// @id DeleteClusterRoleBindings
+// @summary Delete the provided cluster role bindings
+// @description Delete the provided cluster role bindings for the given Kubernetes environment
+// @description **Access policy**: administrator
+// @tags rbac_enabled
+// @security ApiKeyAuth
+// @security jwt
+// @produce text/plain
+// @param id path int true "Environment(Endpoint) identifier"
+// @param payload body models.K8sClusterRoleBindingDeleteRequests true "Cluster role bindings to delete"
+// @success 200 "Success"
+// @failure 500 "Server error"
+// @router /kubernetes/{id}/cluster_role_bindings/delete [POST]
+func (handler *Handler) deleteClusterRoleBindings(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	var payload models.K8sClusterRoleBindingDeleteRequests
+	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return httperror.BadRequest("Invalid request payload", err)
+	}
+
+	cli, handlerErr := handler.getProxyKubeClient(r)
+	if handlerErr != nil {
+		return handlerErr
+	}
+
+	err = cli.DeleteClusterRoleBindings(payload)
+	if err != nil {
+		return httperror.InternalServerError("Failed to delete cluster role bindings", err)
+	}
+
+	return nil
+}
diff --git a/api/http/handler/kubernetes/handler.go b/api/http/handler/kubernetes/handler.go
index bcb56d8a9..4faca2b69 100644
--- a/api/http/handler/kubernetes/handler.go
+++ b/api/http/handler/kubernetes/handler.go
@@ -58,6 +58,7 @@ func NewHandler(bouncer security.BouncerService, authorizationService *authoriza
 	endpointRouter.Handle("/cluster_roles", httperror.LoggerHandler(h.getAllKubernetesClusterRoles)).Methods(http.MethodGet)
 	endpointRouter.Handle("/cluster_roles/delete", httperror.LoggerHandler(h.deleteClusterRoles)).Methods(http.MethodPost)
 	endpointRouter.Handle("/cluster_role_bindings", httperror.LoggerHandler(h.getAllKubernetesClusterRoleBindings)).Methods(http.MethodGet)
+	endpointRouter.Handle("/cluster_role_bindings/delete", httperror.LoggerHandler(h.deleteClusterRoleBindings)).Methods(http.MethodPost)
 	endpointRouter.Handle("/configmaps", httperror.LoggerHandler(h.GetAllKubernetesConfigMaps)).Methods(http.MethodGet)
 	endpointRouter.Handle("/configmaps/count", httperror.LoggerHandler(h.getAllKubernetesConfigMapsCount)).Methods(http.MethodGet)
 	endpointRouter.Handle("/dashboard", httperror.LoggerHandler(h.getKubernetesDashboard)).Methods(http.MethodGet)
diff --git a/api/kubernetes/cli/cluster_role_binding.go b/api/kubernetes/cli/cluster_role_binding.go
index 7be781cbc..70dcc7cc5 100644
--- a/api/kubernetes/cli/cluster_role_binding.go
+++ b/api/kubernetes/cli/cluster_role_binding.go
@@ -6,7 +6,10 @@ import (
 	"strings"
 
 	models "github.com/portainer/portainer/api/http/models/kubernetes"
+	"github.com/portainer/portainer/api/internal/errorlist"
+	"github.com/rs/zerolog/log"
 	rbacv1 "k8s.io/api/rbac/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -47,6 +50,38 @@ func parseClusterRoleBinding(clusterRoleBinding rbacv1.ClusterRoleBinding) model
 	}
 }
 
+// DeleteClusterRoleBindings processes a K8sClusterRoleBindingDeleteRequest
+// by deleting each cluster role binding in its given namespace. If deleting a specific cluster role binding
+// fails, the error is logged and we continue to delete the remaining cluster role bindings.
+func (kcl *KubeClient) DeleteClusterRoleBindings(reqs models.K8sClusterRoleBindingDeleteRequests) error {
+	var errors []error
+
+	for _, name := range reqs {
+		client := kcl.cli.RbacV1().ClusterRoleBindings()
+
+		clusterRoleBinding, err := client.Get(context.Background(), name, metav1.GetOptions{})
+		if err != nil {
+			if k8serrors.IsNotFound(err) {
+				continue
+			}
+
+			// This is a more serious error to do with the client so we return right away
+			return err
+		}
+
+		if isSystemClusterRoleBinding(clusterRoleBinding) {
+			log.Warn().Str("role_name", name).Msg("ignoring delete of 'system' cluster role binding, not allowed")
+		}
+
+		if err := client.Delete(context.Background(), name, metav1.DeleteOptions{}); err != nil {
+			log.Err(err).Str("role_name", name).Msg("unable to delete the cluster role binding")
+			errors = append(errors, err)
+		}
+	}
+
+	return errorlist.Combine(errors)
+}
+
 func isSystemClusterRoleBinding(binding *rbacv1.ClusterRoleBinding) bool {
 	if strings.HasPrefix(binding.Name, "system:") {
 		return true