feat: permission action to assume plugin roles

[adityathebe]

Summary by CodeRabbit

• New Features
  • Enhanced the access control system with support for plugin role-based actions, enabling formatted invocation and management of role-specific plugin operations.

[coderabbitai]

Walkthrough

This PR adds RBAC policy action support for plugin roles by introducing a new constant prefix and a helper function to format plugin role invocation actions in the policy module.

Changes

Plugin Role Action Support

Layer / File(s)	Summary
Plugin role action constant and helper rbac/policy/policy.go	Added ActionPluginRolePrefix constant and NewPluginRoleAction(plugin, role string) function to generate plugin role action strings formatted as invoke:<plugin-role-prefix><plugin>:<role>.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: permission action to assume plugin roles' accurately describes the main change: adding a new permission action for assuming plugin roles via the new ActionPluginRolePrefix constant and NewPluginRoleAction helper function.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/permission-plugin-role

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch feat/permission-plugin-role

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Benchstat (Other)

Base: 7bedbf1eee8d046f399cebaea9af4ec5ef928eb3
Head: 5773f730a7a11eeed24d76ef65acbab315ecd799

📊 3 minor regression(s) (all within 5% threshold)

Benchmark	Base	Head	Change	p-value
ResourceSelectorQueryBuild/name-4	43.59µ	44.95µ	+3.12%	0.009
ResourceSelectorQueryBuild/name_and_type-4	64.55µ	66.33µ	+2.75%	0.002
ResourceSelectorQueryBuild/tags-4	17.74µ	18.03µ	+1.65%	0.009

Full benchstat output

goos: linux
goarch: amd64
pkg: github.com/flanksource/duty/bench
cpu: AMD EPYC 7763 64-Core Processor                
                                                       │ bench-base.txt │           bench-head.txt           │
                                                       │     sec/op     │    sec/op     vs base              │
InsertionForRowsWithAliases/external_users.aliases-4       585.2µ ± 10%   585.6µ ±  3%       ~ (p=0.699 n=6)
InsertionForRowsWithAliases/config_items.external_id-4     1.097m ± 12%   1.098m ± 12%       ~ (p=0.937 n=6)
InsertionOfConfigsWithProperties-4                         3.752m ±  1%   3.738m ±  7%       ~ (p=0.818 n=6)
UpdateOfConfigsWithProperties-4                            7.567m ±  1%   7.562m ±  1%       ~ (p=1.000 n=6)
ResourceSelectorConfigs/name-4                             223.0µ ±  3%   218.7µ ±  2%       ~ (p=0.240 n=6)
ResourceSelectorConfigs/name_and_type-4                    240.0µ ±  6%   233.7µ ±  4%       ~ (p=0.132 n=6)
ResourceSelectorConfigs/tags-4                             30.26m ±  5%   30.81m ±  5%       ~ (p=0.485 n=6)
ResourceSelectorQueryBuild/name-4                          43.59µ ±  1%   44.95µ ±  2%  +3.12% (p=0.009 n=6)
ResourceSelectorQueryBuild/name_and_type-4                 64.55µ ±  2%   66.33µ ±  1%  +2.75% (p=0.002 n=6)
ResourceSelectorQueryBuild/tags-4                          17.74µ ±  2%   18.03µ ±  2%  +1.65% (p=0.009 n=6)
geomean                                                    521.0µ         523.3µ        +0.44%

[github-actions]

Benchstat (RLS)

Base: 7bedbf1eee8d046f399cebaea9af4ec5ef928eb3
Head: 5773f730a7a11eeed24d76ef65acbab315ecd799

📊 3 minor regression(s) (all within 5% threshold)

Benchmark	Base	Head	Change	p-value
RLS/Sample-15000/config_classes/Without_RLS-4	4.137m	4.200m	+1.53%	0.015
RLS/Sample-15000/catalog_changes/With_RLS-4	139.7m	141.3m	+1.11%	0.002
RLS/Sample-15000/config_names/Without_RLS-4	13.40m	13.51m	+0.83%	0.002

✅ 8 improvement(s)

Benchmark	Base	Head	Change	p-value
RLS/Sample-15000/change_types/With_RLS-4	5.365m	5.272m	-1.72%	0.041
RLS/Sample-15000/config_types/With_RLS-4	139.0m	136.9m	-1.54%	0.002
RLS/Sample-15000/config_summary/Without_RLS-4	95.66m	94.40m	-1.32%	0.015
RLS/Sample-15000/analyzer_types/With_RLS-4	3.787m	3.751m	-0.96%	0.041
RLS/Sample-15000/config_changes/With_RLS-4	140.6m	139.8m	-0.54%	0.015
RLS/Sample-15000/config_detail/Without_RLS-4	4.758m	4.734m	-0.51%	0.041
RLS/Sample-15000/config_summary/With_RLS-4	698.1m	695.1m	-0.43%	0.041
RLS/Sample-15000/analyzer_types/Without_RLS-4	3.741m	3.725m	-0.42%	0.041

Full benchstat output

goos: linux
goarch: amd64
pkg: github.com/flanksource/duty/bench
cpu: AMD EPYC 7763 64-Core Processor                
                                               │ bench-base.txt │          bench-head.txt           │
                                               │     sec/op     │   sec/op     vs base              │
RLS/Sample-15000/catalog_changes/Without_RLS-4      5.326m ± 1%   5.301m ± 1%       ~ (p=0.180 n=6)
RLS/Sample-15000/catalog_changes/With_RLS-4         139.7m ± 0%   141.3m ± 2%  +1.11% (p=0.002 n=6)
RLS/Sample-15000/config_changes/Without_RLS-4       5.213m ± 1%   5.271m ± 1%       ~ (p=0.180 n=6)
RLS/Sample-15000/config_changes/With_RLS-4          140.6m ± 1%   139.8m ± 1%  -0.54% (p=0.015 n=6)
RLS/Sample-15000/config_detail/Without_RLS-4        4.758m ± 1%   4.734m ± 0%  -0.51% (p=0.041 n=6)
RLS/Sample-15000/config_detail/With_RLS-4           135.2m ± 1%   135.0m ± 1%       ~ (p=0.485 n=6)
RLS/Sample-15000/config_names/Without_RLS-4         13.40m ± 0%   13.51m ± 1%  +0.83% (p=0.002 n=6)
RLS/Sample-15000/config_names/With_RLS-4            137.2m ± 1%   138.0m ± 1%       ~ (p=0.093 n=6)
RLS/Sample-15000/config_summary/Without_RLS-4       95.66m ± 1%   94.40m ± 1%  -1.32% (p=0.015 n=6)
RLS/Sample-15000/config_summary/With_RLS-4          698.1m ± 1%   695.1m ± 0%  -0.43% (p=0.041 n=6)
RLS/Sample-15000/configs/Without_RLS-4              7.945m ± 1%   7.974m ± 2%       ~ (p=0.394 n=6)
RLS/Sample-15000/configs/With_RLS-4                 136.0m ± 1%   135.3m ± 1%       ~ (p=0.310 n=6)
RLS/Sample-15000/analysis_types/Without_RLS-4       3.894m ± 2%   3.915m ± 1%       ~ (p=0.589 n=6)
RLS/Sample-15000/analysis_types/With_RLS-4          3.937m ± 3%   3.933m ± 1%       ~ (p=0.937 n=6)
RLS/Sample-15000/analyzer_types/Without_RLS-4       3.741m ± 1%   3.725m ± 1%  -0.42% (p=0.041 n=6)
RLS/Sample-15000/analyzer_types/With_RLS-4          3.787m ± 2%   3.751m ± 2%  -0.96% (p=0.041 n=6)
RLS/Sample-15000/change_types/Without_RLS-4         5.336m ± 1%   5.326m ± 1%       ~ (p=0.589 n=6)
RLS/Sample-15000/change_types/With_RLS-4            5.365m ± 3%   5.272m ± 2%  -1.72% (p=0.041 n=6)
RLS/Sample-15000/config_classes/Without_RLS-4       4.137m ± 1%   4.200m ± 1%  +1.53% (p=0.015 n=6)
RLS/Sample-15000/config_classes/With_RLS-4          136.1m ± 1%   136.5m ± 1%       ~ (p=0.394 n=6)
RLS/Sample-15000/config_types/Without_RLS-4         4.789m ± 2%   4.761m ± 2%       ~ (p=0.180 n=6)
RLS/Sample-15000/config_types/With_RLS-4            139.0m ± 1%   136.9m ± 1%  -1.54% (p=0.002 n=6)
geomean                                             20.88m        20.85m       -0.14%

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@rbac/policy/policy.go`:
- Around line 275-277: The NewPluginRoleAction function currently returns
"plugin-role:<plugin>:<role>" which omits the invoke namespace; change its
construction to include the invoke prefix so it produces
"invoke:plugin-role:<plugin>:<role>" (i.e., prepend ActionInvokePrefix before
ActionPluginRolePrefix when formatting the action string in
NewPluginRoleAction).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 89ea3995-8f4e-421e-bcc7-4a1e17fd29ca

📥 Commits

Reviewing files that changed from the base of the PR and between 7bedbf1 and 5773f73.

📒 Files selected for processing (1)

• rbac/policy/policy.go

[github-actions]

Gavel results

Gavel exited with code .

View full results