From 31208473dfdc8b16ceb8224cbacc069d748efe21 Mon Sep 17 00:00:00 2001
From: Magnus Jensen <magnus@fleetdm.com>
Date: Mon, 11 Aug 2025 17:54:57 +0200
Subject: [PATCH] Add certificate authority type to permission policy (#31783)

Piece of work to avoid duplicate work being made in parallel.

Adds CA specific permission entries, for admins and gitops which can
both read and write [as per the permission
change](https://github.com/fleetdm/fleet/pull/30930/files#diff-61a0f8c7cd442fab953eefa601995b52cce1b360efacec358968ef6f2c6a195c)

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

## Testing

- [x] Added/updated automated tests
---
 server/authz/policy.rego                | 10 +++++++
 server/authz/policy_test.go             | 40 +++++++++++++++++++++++++
 server/fleet/certificate_authorities.go |  4 +++
 3 files changed, 54 insertions(+)

diff --git a/server/authz/policy.rego b/server/authz/policy.rego
index 365d2b858f..d778c62654 100644
--- a/server/authz/policy.rego
+++ b/server/authz/policy.rego
@@ -1095,3 +1095,13 @@ allow {
   subject.global_role == admin
   action == write
 }
+
+##
+# Certificate Authorities
+##
+# Global admins and GitOps can configure and read certificate Authorities
+allow {
+  object.type == "certificate_authority"
+  subject.global_role == [admin, gitops][_]
+  action == [read, write][_]
+}
\ No newline at end of file
diff --git a/server/authz/policy_test.go b/server/authz/policy_test.go
index 3aa7f43e98..124ee2a0a7 100644
--- a/server/authz/policy_test.go
+++ b/server/authz/policy_test.go
@@ -2438,3 +2438,43 @@ func TestMDMAppleEULA(t *testing.T) {
 		{user: test.UserTeamMaintainerTeam2, object: eula, action: write, allow: false},
 	})
 }
+
+func TestCertificateAuthorities(t *testing.T) {
+	t.Parallel()
+	certificateAuthority := &fleet.CertificateAuthority{}
+
+	runTestCases(t, []authTestCase{
+		{user: nil, object: certificateAuthority, action: read, allow: false},
+		{user: test.UserGitOps, object: certificateAuthority, action: read, allow: true},
+		{user: test.UserGitOps, object: certificateAuthority, action: write, allow: true},
+
+		{user: test.UserTeamGitOpsTeam1, object: certificateAuthority, action: read, allow: false},
+		{user: test.UserTeamGitOpsTeam1, object: certificateAuthority, action: write, allow: false},
+		{user: test.UserTeamGitOpsTeam2, object: certificateAuthority, action: read, allow: false},
+		{user: test.UserTeamGitOpsTeam2, object: certificateAuthority, action: write, allow: false},
+
+		{user: test.UserAdmin, object: certificateAuthority, action: read, allow: true},
+		{user: test.UserAdmin, object: certificateAuthority, action: write, allow: true},
+
+		{user: test.UserTeamAdminTeam1, object: certificateAuthority, action: read, allow: false},
+		{user: test.UserTeamAdminTeam1, object: certificateAuthority, action: write, allow: false},
+		{user: test.UserTeamAdminTeam2, object: certificateAuthority, action: read, allow: false},
+		{user: test.UserTeamAdminTeam2, object: certificateAuthority, action: write, allow: false},
+
+		{user: test.UserObserver, object: certificateAuthority, action: read, allow: false},
+		{user: test.UserObserver, object: certificateAuthority, action: write, allow: false},
+
+		{user: test.UserTeamObserverTeam1, object: certificateAuthority, action: read, allow: false},
+		{user: test.UserTeamObserverTeam1, object: certificateAuthority, action: write, allow: false},
+		{user: test.UserTeamObserverTeam2, object: certificateAuthority, action: read, allow: false},
+		{user: test.UserTeamObserverTeam2, object: certificateAuthority, action: write, allow: false},
+
+		{user: test.UserMaintainer, object: certificateAuthority, action: read, allow: false},
+		{user: test.UserMaintainer, object: certificateAuthority, action: write, allow: false},
+
+		{user: test.UserTeamMaintainerTeam1, object: certificateAuthority, action: read, allow: false},
+		{user: test.UserTeamMaintainerTeam1, object: certificateAuthority, action: write, allow: false},
+		{user: test.UserTeamMaintainerTeam2, object: certificateAuthority, action: read, allow: false},
+		{user: test.UserTeamMaintainerTeam2, object: certificateAuthority, action: write, allow: false},
+	})
+}
diff --git a/server/fleet/certificate_authorities.go b/server/fleet/certificate_authorities.go
index 357abb05cb..f8e3ec9015 100644
--- a/server/fleet/certificate_authorities.go
+++ b/server/fleet/certificate_authorities.go
@@ -57,3 +57,7 @@ type CertificateAuthority struct {
 	CreatedAt time.Time `json:"created_at" db:"created_at"`
 	UpdatedAt time.Time `json:"updated_at" db:"updated_at"`
 }
+
+func (c *CertificateAuthority) AuthzType() string {
+	return "certificate_authority"
+}