Merge commit from fork

Signed-off-by: Kent Rancourt <kent.rancourt@gmail.com>

Author: krancour

pkg/server/approve_freight_v1alpha1.go

@@ -9,7 +9,6 @@ import (
 
 	"connectrpc.com/connect"
 	"github.com/gin-gonic/gin"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -92,11 +91,7 @@ func (s *server) ApproveFreight(
 	if err := s.authorizeFn(
 		ctx,
 		"promote",
-		schema.GroupVersionResource{
-			Group:    kargoapi.GroupVersion.Group,
-			Version:  kargoapi.GroupVersion.Version,
-			Resource: "stages",
-		},
+		kargoapi.GroupVersion.WithResource("stages"),
 		"",
 		types.NamespacedName{
 			Namespace: project,
@@ -199,6 +194,20 @@ func (s *server) approveFreight(c *gin.Context) {
 		return
 	}
 
+	if err := s.authorizeFn(
+		ctx,
+		"promote",
+		kargoapi.GroupVersion.WithResource("stages"),
+		"",
+		types.NamespacedName{
+			Namespace: project,
+			Name:      stageName,
+		},
+	); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
 	if freight.IsApprovedFor(stageName) {
 		c.Status(http.StatusOK)
 		return

pkg/server/approve_freight_v1alpha1_test.go

@@ -10,6 +10,7 @@ import (
 	"connectrpc.com/connect"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
@@ -441,11 +442,46 @@ func Test_server_approveFreight(t *testing.T) {
 					require.Equal(t, http.StatusNotFound, w.Code)
 				},
 			},
+			{
+				name: "not authorized to approve (not authorized to promote)",
+				clientBuilder: fake.NewClientBuilder().
+					WithObjects(testProject, testFreight, testStage).
+					WithStatusSubresource(testFreight),
+				serverSetup: func(_ *testing.T, s *server) {
+					s.authorizeFn = func(
+						context.Context,
+						string,
+						schema.GroupVersionResource,
+						string,
+						client.ObjectKey,
+					) error {
+						return apierrors.NewForbidden(
+							kargoapi.GroupVersion.WithResource("stages").GroupResource(),
+							testStageName,
+							errors.New("not authorized"),
+						)
+					}
+				},
+				assertions: func(t *testing.T, w *httptest.ResponseRecorder, _ client.Client) {
+					require.Equal(t, http.StatusForbidden, w.Code)
+				},
+			},
 			{
 				name: "approves Freight",
 				clientBuilder: fake.NewClientBuilder().
 					WithObjects(testProject, testFreight, testStage).
 					WithStatusSubresource(testFreight),
+				serverSetup: func(_ *testing.T, s *server) {
+					s.authorizeFn = func(
+						context.Context,
+						string,
+						schema.GroupVersionResource,
+						string,
+						client.ObjectKey,
+					) error {
+						return nil
+					}
+				},
 				assertions: func(t *testing.T, w *httptest.ResponseRecorder, c client.Client) {
 					require.Equal(t, http.StatusOK, w.Code)
 

pkg/server/promote_downstream_v1alpha1.go

@@ -300,6 +300,22 @@ func (s *server) promoteDownstream(c *gin.Context) {
 		return
 	}
 
+	for _, downstream := range downstreams {
+		if err := s.authorizeFn(
+			ctx,
+			"promote",
+			kargoapi.GroupVersion.WithResource("stages"),
+			"",
+			types.NamespacedName{
+				Namespace: downstream.Namespace,
+				Name:      downstream.Name,
+			},
+		); err != nil {
+			_ = c.Error(err)
+			return
+		}
+	}
+
 	// Validate that freight is available to all downstream stages
 	for _, downstream := range downstreams {
 		if !downstream.IsFreightAvailable(freight) {

pkg/server/promote_downstream_v1alpha1_test.go

@@ -10,6 +10,7 @@ import (
 	"connectrpc.com/connect"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
@@ -791,13 +792,54 @@ func Test_server_promoteDownstream(t *testing.T) {
 				},
 			},
 			{
-				name: "Successfully promote downstream",
+				name: "not authorized to promote to a downstream stage",
 				clientBuilder: fake.NewClientBuilder().WithObjects(
 					testProject,
 					testStage,
 					testDownstreamStage,
 					testFreight,
 				),
+				serverSetup: func(_ *testing.T, s *server) {
+					s.authorizeFn = func(
+						context.Context,
+						string,
+						schema.GroupVersionResource,
+						string,
+						client.ObjectKey,
+					) error {
+						return apierrors.NewForbidden(
+							kargoapi.GroupVersion.WithResource("stages").GroupResource(),
+							testDownstreamStage.Name,
+							errors.New("not authorized"),
+						)
+					}
+				},
+				body: mustJSONBody(promoteDownstreamRequest{
+					Freight: testFreight.Name,
+				}),
+				assertions: func(t *testing.T, w *httptest.ResponseRecorder, _ client.Client) {
+					require.Equal(t, http.StatusForbidden, w.Code)
+				},
+			},
+			{
+				name: "successfully promotes downstream",
+				clientBuilder: fake.NewClientBuilder().WithObjects(
+					testProject,
+					testStage,
+					testDownstreamStage,
+					testFreight,
+				),
+				serverSetup: func(_ *testing.T, s *server) {
+					s.authorizeFn = func(
+						context.Context,
+						string,
+						schema.GroupVersionResource,
+						string,
+						client.ObjectKey,
+					) error {
+						return nil
+					}
+				},
 				body: mustJSONBody(promoteDownstreamRequest{
 					Freight: testFreight.Name,
 				}),

pkg/server/promote_to_stage_v1alpha1.go

@@ -9,7 +9,6 @@ import (
 	"connectrpc.com/connect"
 	"github.com/gin-gonic/gin"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -94,26 +93,10 @@ func (s *server) PromoteToStage(
 		return nil, connect.NewError(connect.CodeNotFound, err)
 	}
 
-	if !s.isFreightAvailableFn(stage, freight) {
-		// nolint:staticcheck
-		return nil, connect.NewError(
-			connect.CodeInvalidArgument,
-			fmt.Errorf(
-				"Freight %q is not available to Stage %q",
-				freightName,
-				stageName,
-			),
-		)
-	}
-
 	if err = s.authorizeFn(
 		ctx,
 		"promote",
-		schema.GroupVersionResource{
-			Group:    kargoapi.GroupVersion.Group,
-			Version:  kargoapi.GroupVersion.Version,
-			Resource: "stages",
-		},
+		kargoapi.GroupVersion.WithResource("stages"),
 		"",
 		types.NamespacedName{
 			Namespace: project,
@@ -123,6 +106,18 @@ func (s *server) PromoteToStage(
 		return nil, err
 	}
 
+	if !s.isFreightAvailableFn(stage, freight) {
+		// nolint:staticcheck
+		return nil, connect.NewError(
+			connect.CodeInvalidArgument,
+			fmt.Errorf(
+				"Freight %q is not available to Stage %q",
+				freightName,
+				stageName,
+			),
+		)
+	}
+
 	promotion, err := kargo.NewPromotionBuilder(s.client).Build(ctx, *stage, freight.Name)
 	if err != nil {
 		return nil, fmt.Errorf("build promotion: %w", err)
@@ -250,6 +245,20 @@ func (s *server) promoteToStage(c *gin.Context) {
 		freight = &list.Items[0]
 	}
 
+	if err := s.authorizeFn(
+		ctx,
+		"promote",
+		kargoapi.GroupVersion.WithResource("stages"),
+		"",
+		types.NamespacedName{
+			Namespace: project,
+			Name:      stageName,
+		},
+	); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
 	// Validate that the Freight is available to the Stage
 	if !stage.IsFreightAvailable(freight) {
 		_ = c.Error(libhttp.ErrorStr(