From d9512c366d0f35744ec7198d41802c2506ce1630 Mon Sep 17 00:00:00 2001
From: Darren Shepherd
Date: Fri, 13 Aug 2021 11:02:38 -0700
Subject: [PATCH] Add ability to disallow methods per a schema attribute
---
 pkg/attributes/attributes.go | 19 +++++++++++++++++++
 pkg/schema/factory.go | 19 +++++++++++++------
 2 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/pkg/attributes/attributes.go b/pkg/attributes/attributes.go
index f07034b7..81be0b34 100644
--- a/pkg/attributes/attributes.go
+++ b/pkg/attributes/attributes.go
@@ -127,6 +127,25 @@ func Access(s *types.APISchema) interface{} {
 return s.Attributes["access"]
 }

+func AddDisallowMethods(s *types.APISchema, methods ...string) {
+ data, ok := s.Attributes["disallowMethods"].(map[string]bool)
+ if !ok {
+ data = map[string]bool{}
+ s.Attributes["disallowMethods"] = data
+ }
+ for _, method := range methods {
+ data[method] = true
+ }
+}
+
+func DisallowMethods(s *types.APISchema) map[string]bool {
+ data, ok := s.Attributes["disallowMethods"].(map[string]bool)
+ if !ok {
+ return nil
+ }
+ return data
+}
+
 func SetAPIResource(s *types.APISchema, resource v1.APIResource) {
 SetResource(s, resource.Name)
 SetVerbs(s, resource.Verbs)
diff --git a/pkg/schema/factory.go b/pkg/schema/factory.go
index 3b9f1504..b16af184 100644
--- a/pkg/schema/factory.go
+++ b/pkg/schema/factory.go
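Review bot: In pkg/attributes/attributes.go, `DisallowMethods` returns nil whenever the stored value is not exactly a `map[string]bool`, so a present `disallowMethods` key of another shape (for instance a `map[string]interface{}` left by a JSON round trip, which is not visible here) is read as "nothing disallowed" and the restriction silently fails open. For an attribute that exists to restrict access, a present key with an unexpected type should be surfaced or treated as blocking rather than ignored. `AddDisallowMethods` also overwrites such a value, and it assigns into `s.Attributes` with no nil check, which panics on a nil map; a guard like `if s.Attributes == nil { s.Attributes = map[string]interface{}{} }` would cover it, assuming that is the field's type. Both exported functions lack doc comments, and the lookup is an exact string match, so I would add `// DisallowMethods returns the HTTP methods, keyed exactly as in net/http (e.g. "GET"), that must not be offered for s.`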
@@ -99,21 +99,28 @@ func (c *Collection) schemasForSubject(access *accesscontrol.AccessSet) (*types. } } + allowed := func(method string) string { + if attributes.DisallowMethods(s)[method] { + return "blocked-" + method + } + return method + } + s = s.DeepCopy() attributes.SetAccess(s, verbAccess) if verbAccess.AnyVerb("list", "get") { - s.ResourceMethods = append(s.ResourceMethods, http.MethodGet) - s.CollectionMethods = append(s.CollectionMethods, http.MethodGet) + s.ResourceMethods = append(s.ResourceMethods, allowed(http.MethodGet)) + s.CollectionMethods = append(s.CollectionMethods, allowed(http.MethodGet)) } if verbAccess.AnyVerb("delete") { - s.ResourceMethods = append(s.ResourceMethods, http.MethodDelete) + s.ResourceMethods = append(s.ResourceMethods, allowed(http.MethodDelete)) } if verbAccess.AnyVerb("update") { - s.ResourceMethods = append(s.ResourceMethods, http.MethodPut) - s.ResourceMethods = append(s.ResourceMethods, http.MethodPatch) + s.ResourceMethods = append(s.ResourceMethods, allowed(http.MethodPut)) + s.ResourceMethods = append(s.ResourceMethods, allowed(http.MethodPatch)) } if verbAccess.AnyVerb("create") { - s.CollectionMethods = append(s.CollectionMethods, http.MethodPost) + s.CollectionMethods = append(s.CollectionMethods, allowed(http.MethodPost)) } if len(s.CollectionMethods) == 0 && len(s.ResourceMethods) == 0 {
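Review bot: Because `allowed` appends `"blocked-" + method` instead of leaving the method out, a schema whose methods are all disallowed still has non-empty slices, so the `len(s.CollectionMethods) == 0 && len(s.ResourceMethods) == 0` check at the end of the hunk no longer fires for it (the body of that `if` is outside the hunk). Enforcement then rests on every consumer of `ResourceMethods` and `CollectionMethods` matching the request method exactly; any caller that only tests for a non-empty list would still treat the resource as reachable. If the sentinel is intentional, document it above the closure, e.g. `// blocked-<METHOD> keeps the verb visible in the schema while ensuring no request method matches it`, otherwise skip the append when the method is disallowed. The closure also reads `s` only after `s = s.DeepCopy()` has reassigned it, so the block depends on DeepCopy preserving the attribute's `map[string]bool` type; a test that sets the attribute, runs this path and asserts the blocked result would pin that down.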