#+TITLE: Metal API Policy
#+AUTHOR: Adam Mohammed
* How to produce this information?
Using this snippet placed in =config/initializers/packet.rb=
#+begin_src ruby
    def permission_logger
      Class.new do
        def initialize(db)
          @db = db
        end

        def permissions_sql
          <<-SQL
          INSERT INTO metal_permissions (
            controller_name, path, resource, action
         ) VALUES ( ?, ?, ?, ?);
        SQL
        end

        def check_access(*args, **kwargs)
          context = kwargs[:context]
          controller = context[:controller]
          path = controller.request.path
          controller_action = "#{controller.class.name}##{controller.action_name}"
          @db.execute(permissions_sql, [controller_action, path, args[1], args[2]])
          true
        end
      end
    end

    def permissions_checker
      ::Authorization::PolicyEngine::IAMChecker.new(client: permission_logger.new(sqlite_db))
    end

#+end_src

I then pushed a branch so the standard CI pipeline build would spit out
a DB with the results:

#+begin_src diff
modified   .buildkite/pipeline.yaml
@@ -96,6 +96,8 @@ steps:
     commands:
       - /home/packet/api/.buildkite/script/parallel_test_setup.sh
       - /home/packet/api/.buildkite/script/cucumber-container.sh
+    artifact_paths:
+      - 'test.db'
     retry:
       automatic:
         - exit_status: "*"
@@ -109,6 +111,7 @@ steps:
     env:
       BUILD_NUMBER: ${BUILDKITE_BUILD_NUMBER}
       API_BUILD_IMAGE: ${API_BUILD_IMAGE}
+      POLICY_ENGINE: "cancancan_wins"

   - label: Rspec
     key: "rspec"
@@ -117,6 +120,8 @@ steps:
     commands:
       - /home/packet/api/.buildkite/script/parallel_test_setup.sh
       - /home/packet/api/.buildkite/script/rspec-container.sh
+    artifact_paths:
+      - 'test.db'
     retry:
       automatic:
         - exit_status: "*"
@@ -132,6 +137,7 @@ steps:
     env:
       BUILD_NUMBER: ${BUILDKITE_BUILD_NUMBER}
       API_BUILD_IMAGE: ${API_BUILD_IMAGE}
+      POLICY_ENGINE: "cancancan_wins"

   - label: Build spec image
     key: "spec-build"

#+end_src

If later you want to combine these dbs you can do so as follows:

1. Download =test.db= from the rspec step and name it =test-rspec.db=
2. Download =test.db= from the cucumber step and name it =test-cucumber.db=
3. Create the merged =test-full-suite.db=
#+begin_src bash
  $ cp test-rspec.db test-full-suite.db
  $ sqlite3 'test-full-suite.db'
  sqlite> ATTACH 'test-cucumber' AS cuke
  sqlite> BEGIN;
  sqlite> INSERT INTO metal_permissions SELECT * FROM cuke.metal_permissions;
  sqlite> COMMIT;
  sqlite> DETACH cuke;
  sqlite> .quit
#+end_src


* Organization actions
#+begin_src
metal_billing_information_get
metal_billing_information_update
metal_capability_list
metal_coupon_usage_list
metal_coupon_usage_redeem
metal_credit_create
metal_credit_delete
metal_credit_list
metal_discount_create
metal_enforce_2fa_create
metal_instances_listing_list
metal_interconnection_create
metal_interconnection_delete
metal_interconnection_get
metal_interconnection_list
metal_interconnection_port_get
metal_interconnection_port_list
metal_interconnection_update
metal_interconnection_virtual_circuit_create
metal_interconnection_virtual_circuit_list
metal_interconnection_virtual_circuit_update
metal_invitation_create
metal_invitation_delete
metal_invitation_get
metal_invitation_list
metal_invitation_resend
metal_invitation_update
metal_ip_address_delete
metal_ip_address_get
metal_lab_get
metal_leave_organization_create
metal_member_delete
metal_member_list
metal_member_update
metal_membership_delete
metal_membership_update
metal_organization_create
metal_organization_delete
metal_organization_get
metal_organization_logos
metal_organization_update
metal_payment_get
metal_payment_method_create
metal_payment_method_delete
metal_payment_method_get
metal_payment_method_list
metal_payment_method_update
metal_project_create
metal_search_search_plans
metal_tier_inquiry_create
metal_vendor_list
#+end_src

* Project actions

#+begin_src
metal_acl_list
metal_activate_create
metal_allocation_list
metal_batch_delete
metal_batch_get
metal_batch_list
metal_bgp_config_delete
metal_bgp_config_request_create
metal_bgp_config_update
metal_bgp_config_view
metal_bgp_dynamic_neighbor_create
metal_bgp_dynamic_neighbor_list
metal_bgp_neighbor_list
metal_bgp_session_create
metal_bgp_session_delete
metal_bgp_session_get
metal_bgp_session_list
metal_bgp_session_update
metal_discount_create
metal_dn_create
metal_dn_list
metal_ecx_connection_create
metal_ecx_connection_list
metal_error_report_create
metal_error_report_get
metal_event_alert_configuration_create
metal_event_alert_configuration_get
metal_event_alert_configuration_update
metal_firmware_set_get
metal_global_bgp_range_list
metal_hardware_reservation_get
metal_health_get
metal_instance_action_create
metal_instance_action_list
metal_instance_batch_create
metal_instance_create
metal_instance_delete
metal_instance_get
metal_instance_list
metal_instance_metadatum_show_by_ip
metal_instance_password_create
metal_instance_update
metal_instances_listing_list
metal_interconnection_create
metal_interconnection_list
metal_interconnection_virtual_circuit_create
metal_interconnection_virtual_circuit_list
metal_interconnection_virtual_circuit_update
metal_invitation_create
metal_invitation_list
metal_ip_address_delete
metal_ip_address_get
metal_ip_address_update
metal_ip_assignment_create
metal_ip_assignment_list
metal_ip_availability_available
metal_ip_reservation_create
metal_ip_reservation_list
metal_ip_reservation_request_create
metal_ip_reservation_update
metal_leave_project_create
metal_license_activation_get
metal_license_create
metal_license_delete
metal_license_get
metal_license_list
metal_license_update
metal_membership_delete
metal_membership_get
metal_membership_list
metal_membership_update
metal_metal_gateway_create
metal_metal_gateway_delete
metal_metal_gateway_elastic_ip_create
metal_metal_gateway_elastic_ip_list
metal_metal_gateway_get
metal_metal_gateway_list
metal_metering_limit_create
metal_move_create
metal_project_api_key_create
metal_project_api_key_list
metal_project_create
metal_project_delete
metal_project_get
metal_project_update
metal_reservation_create
metal_reservation_get
metal_reservation_list
metal_screenshot_get
metal_spot_market_request_create
metal_spot_market_request_delete
metal_spot_market_request_get
metal_spot_market_request_list
metal_subscribed_event_create
metal_subscribed_event_delete
metal_subscribed_event_get
metal_subscribed_event_list
metal_subscribed_events_all_create
metal_subscribed_events_all_delete
metal_traffic_list
metal_transfer_request_create
metal_transfer_request_delete
metal_transfer_request_get
metal_transfer_request_update
metal_userdatum_show_by_ip
metal_virtual_network_create
metal_virtual_network_delete
metal_virtual_network_get
metal_virtual_network_list
metal_virtual_network_update
metal_vrf_create
metal_vrf_delete
metal_vrf_get
metal_vrf_list
metal_vrf_route_create
metal_vrf_route_delete
metal_vrf_route_get
metal_vrf_route_list
metal_vrf_route_update
metal_vrf_update
#+end_src

* User actions

#+begin_src
metal_discount_create
metal_metering_limit_create
metal_sales_report_get
metal_user_avatars
metal_user_force_verify
metal_user_get
metal_user_update
#+end_src