From 531b79ad8d03e777806a888404de54c7bda472ce Mon Sep 17 00:00:00 2001 From: Mason Liu Date: Tue, 17 Jun 2025 15:55:27 +0100 Subject: [PATCH] fix: #23041 Add resource support to 'argocd proj role add-policy/remove-policy' (#23213) Signed-off-by: Mason Liu --- cmd/argocd/commands/project.go | 2 + cmd/argocd/commands/project_role.go | 42 ++++++++++++++++--- .../commands/argocd_proj_role_add-policy.md | 16 +++++++ .../argocd_proj_role_remove-policy.md | 17 ++++++++ 4 files changed, 72 insertions(+), 5 deletions(-) diff --git a/cmd/argocd/commands/project.go b/cmd/argocd/commands/project.go index 3477d3eecb..bb3b5b04bc 100644 --- a/cmd/argocd/commands/project.go +++ b/cmd/argocd/commands/project.go @@ -35,6 +35,7 @@ type policyOpts struct { action string permission string object string + resource string } // NewProjectCommand returns a new instance of an `argocd proj` command @@ -91,6 +92,7 @@ func addPolicyFlags(command *cobra.Command, opts *policyOpts) { command.Flags().StringVarP(&opts.action, "action", "a", "", "Action to grant/deny permission on (e.g. get, create, list, update, delete)") command.Flags().StringVarP(&opts.permission, "permission", "p", "allow", "Whether to allow or deny access to object with the action. This can only be 'allow' or 'deny'") command.Flags().StringVarP(&opts.object, "object", "o", "", "Object within the project to grant/deny access. Use '*' for a wildcard. Will want access to '/'") + command.Flags().StringVarP(&opts.resource, "resource", "r", "applications", "Resource e.g. 'applications', 'applicationsets', 'logs', 'exec', etc.") } func humanizeTimestamp(epoch int64) string { diff --git a/cmd/argocd/commands/project_role.go b/cmd/argocd/commands/project_role.go index d506afce9a..4e4c4c8984 100644 --- a/cmd/argocd/commands/project_role.go +++ b/cmd/argocd/commands/project_role.go 
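Review bot: The new `--resource` help text in addPolicyFlags ends in "etc." but never says that only project-scoped resources are accepted, while the add-policy and remove-policy commands in project_role.go exit on anything else. The flag description should carry the constraint so users do not have to discover it from a generic help dump, e.g. `"Resource to grant/deny access on; must be a project-scoped resource (e.g. 'applications', 'applicationsets', 'logs', 'exec')"`. The "applications" default keeps the previous policy format for callers that do not pass the flag, which is the right backward-compatible choice. policyOpts and addPolicyFlags are fully visible here, but their callers are not.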
@@ -19,11 +19,12 @@ import ( "github.com/argoproj/argo-cd/v3/util/errors" utilio "github.com/argoproj/argo-cd/v3/util/io" "github.com/argoproj/argo-cd/v3/util/jwt" + "github.com/argoproj/argo-cd/v3/util/rbac" "github.com/argoproj/argo-cd/v3/util/templates" ) const ( - policyTemplate = "p, proj:%s:%s, applications, %s, %s/%s, %s" + policyTemplate = "p, proj:%s:%s, %s, %s, %s/%s, %s" ) // NewProjectRoleCommand returns a new instance of the `argocd proj role` command @@ -79,11 +80,26 @@ p, proj:test-project:test-role, applications, update, test-project/project, allo JWT Tokens: ID ISSUED-AT EXPIRES-AT 1696759698 2023-10-08T11:08:18+01:00 (3 hours ago) + +# Add a new policy to allow get logs to the project +$ argocd proj role add-policy test-project test-role -a get -p allow -o project -r logs + +# Policy should be updated +$ argocd proj role get test-project test-role +Role Name: test-role +Description: +Policies: +p, proj:test-project:test-role, projects, get, test-project, allow +p, proj:test-project:test-role, applications, update, test-project/project, allow +p, proj:test-project:test-role, logs, get, test-project/project, allow +JWT Tokens: +ID ISSUED-AT EXPIRES-AT +1696759698 2023-10-08T11:08:18+01:00 (3 hours ago) `, Run: func(c *cobra.Command, args []string) { ctx := c.Context() - if len(args) != 2 { + if len(args) != 2 || !rbac.ProjectScoped[opts.resource] { c.HelpFunc()(c, args) os.Exit(1) } @@ -98,7 +114,7 @@ ID ISSUED-AT EXPIRES-AT role, roleIndex, err := proj.GetRoleByName(roleName) errors.CheckError(err) - policy := fmt.Sprintf(policyTemplate, proj.Name, role.Name, opts.action, proj.Name, opts.object, opts.permission) + policy := fmt.Sprintf(policyTemplate, proj.Name, role.Name, opts.resource, opts.action, proj.Name, opts.object, opts.permission) proj.Spec.Roles[roleIndex].Policies = append(role.Policies, policy) _, err = projIf.Update(ctx, &projectpkg.ProjectUpdateRequest{Project: proj}) 
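Review bot: `policyTemplate` now has six positional `%s` verbs, and the two fmt.Sprintf call sites in this file must pass resource, action, project and object in exactly that order with nothing near the constant to check against. A one-line comment above it would make a mis-ordered argument obvious in review: `// p, proj:<project>:<role>, <resource>, <action>, <project>/<object>, <permission>`. Because user-supplied strings are spliced into a comma-separated Casbin line here, the comment is also the natural place to note that the resource is checked against rbac.ProjectScoped before it reaches the template.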
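Review bot: The added `!rbac.ProjectScoped[opts.resource]` condition in the add-policy Run function rejects an unsupported resource by printing the command help and exiting 1, exactly as a wrong argument count does, so the user gets no hint that `--resource` was the problem. Splitting it into its own check with a message, e.g. `if !rbac.ProjectScoped[opts.resource] { fmt.Fprintf(os.Stderr, "resource %q is not a project-scoped resource\n", opts.resource); os.Exit(1) }`, would make the failure actionable; `fmt` and `os` are already used in this file. Failing closed is the right default here, since a lookup of an unknown key yields false, and it is also what keeps a value containing a comma from being spliced into the Casbin policy line by the Sprintf further down. The Run function continues past the end of this hunk.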
@@ -122,6 +138,7 @@ Description: Policies: p, proj:test-project:test-role, projects, get, test-project, allow p, proj:test-project:test-role, applications, update, test-project/project, allow +p, proj:test-project:test-role, logs, get, test-project/project, allow JWT Tokens: ID ISSUED-AT EXPIRES-AT 1696759698 2023-10-08T11:08:18+01:00 (3 hours ago) @@ -129,6 +146,21 @@ ID ISSUED-AT EXPIRES-AT # Remove the policy to allow update to objects $ argocd proj role remove-policy test-project test-role -a update -p allow -o project +# The role should be removed now. +$ argocd proj role get test-project test-role +Role Name: test-role +Description: +Policies: +p, proj:test-project:test-role, projects, get, test-project, allow +p, proj:test-project:test-role, logs, get, test-project/project, allow +JWT Tokens: +ID ISSUED-AT EXPIRES-AT +1696759698 2023-10-08T11:08:18+01:00 (4 hours ago) + + +# Remove the logs read policy +$ argocd proj role remove-policy test-project test-role -a get -p allow -o project -r logs + # The role should be removed now. $ argocd proj role get test-project test-role Role Name: test-role @@ -142,7 +174,7 @@ ID ISSUED-AT EXPIRES-AT Run: func(c *cobra.Command, args []string) { ctx := c.Context() - if len(args) != 2 { + if len(args) != 2 || !rbac.ProjectScoped[opts.resource] { c.HelpFunc()(c, args) os.Exit(1) } @@ -157,7 +189,7 @@ ID ISSUED-AT EXPIRES-AT role, roleIndex, err := proj.GetRoleByName(roleName) errors.CheckError(err) - policyToRemove := fmt.Sprintf(policyTemplate, proj.Name, role.Name, opts.action, proj.Name, opts.object, opts.permission) + policyToRemove := fmt.Sprintf(policyTemplate, proj.Name, role.Name, opts.resource, opts.action, proj.Name, opts.object, opts.permission) duplicateIndex := -1 for i, policy := range role.Policies { if policy == policyToRemove { diff --git a/docs/user-guide/commands/argocd_proj_role_add-policy.md b/docs/user-guide/commands/argocd_proj_role_add-policy.md index 36d2b4f07c..eaa5b6c4f7 100644 
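Review bot: The new example text in the remove-policy Example string repeats `# The role should be removed now.`, but the `argocd proj role get` output that follows still shows the role, now with one policy fewer; the copied wording describes the policy, not the role. Suggest `# The policy should be removed now.` for both occurrences, since the pre-existing one is in the same hunk. The same sentence is mirrored in docs/user-guide/commands/argocd_proj_role_remove-policy.md, which appears to be generated from this string, so fixing it here should fix both.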
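Review bot: The resource gate added to the remove-policy Run function has the same silent failure mode as add-policy: an unsupported `--resource` prints the full help and exits 1 without naming the flag, so a one-line explicit error such as `fmt.Fprintf(os.Stderr, "resource %q is not a project-scoped resource\n", opts.resource)` before `os.Exit(1)` would help. Worth noting in the help text as well: removal further down matches the rebuilt string byte-for-byte (`if policy == policyToRemove`), so the user must pass exactly the resource, action, object and permission the policy was created with, and a policy written into the AppProject by other means with different spacing will not be found. The Run function continues past the end of this hunk.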
--- a/docs/user-guide/commands/argocd_proj_role_add-policy.md +++ b/docs/user-guide/commands/argocd_proj_role_add-policy.md @@ -35,6 +35,21 @@ JWT Tokens: ID ISSUED-AT EXPIRES-AT 1696759698 2023-10-08T11:08:18+01:00 (3 hours ago) +# Add a new policy to allow get logs to the project +$ argocd proj role add-policy test-project test-role -a get -p allow -o project -r logs + +# Policy should be updated +$ argocd proj role get test-project test-role +Role Name: test-role +Description: +Policies: +p, proj:test-project:test-role, projects, get, test-project, allow +p, proj:test-project:test-role, applications, update, test-project/project, allow +p, proj:test-project:test-role, logs, get, test-project/project, allow +JWT Tokens: +ID ISSUED-AT EXPIRES-AT +1696759698 2023-10-08T11:08:18+01:00 (3 hours ago) + ``` ### Options @@ -44,6 +59,7 @@ ID ISSUED-AT EXPIRES-AT -h, --help help for add-policy -o, --object string Object within the project to grant/deny access. Use '*' for a wildcard. Will want access to '/' -p, --permission string Whether to allow or deny access to object with the action. This can only be 'allow' or 'deny' (default "allow") + -r, --resource string Resource e.g. 'applications', 'applicationsets', 'logs', 'exec', etc. (default "applications") ``` ### Options inherited from parent commands diff --git a/docs/user-guide/commands/argocd_proj_role_remove-policy.md b/docs/user-guide/commands/argocd_proj_role_remove-policy.md index 9de0fc478d..d8ff627dbc 100644 --- a/docs/user-guide/commands/argocd_proj_role_remove-policy.md +++ b/docs/user-guide/commands/argocd_proj_role_remove-policy.md @@ -18,6 +18,7 @@ Description: Policies: p, proj:test-project:test-role, projects, get, test-project, allow p, proj:test-project:test-role, applications, update, test-project/project, allow +p, proj:test-project:test-role, logs, get, test-project/project, allow JWT Tokens: ID ISSUED-AT EXPIRES-AT 1696759698 2023-10-08T11:08:18+01:00 (3 hours ago) 
@@ -25,6 +26,21 @@ ID ISSUED-AT EXPIRES-AT # Remove the policy to allow update to objects $ argocd proj role remove-policy test-project test-role -a update -p allow -o project +# The role should be removed now. +$ argocd proj role get test-project test-role +Role Name: test-role +Description: +Policies: +p, proj:test-project:test-role, projects, get, test-project, allow +p, proj:test-project:test-role, logs, get, test-project/project, allow +JWT Tokens: +ID ISSUED-AT EXPIRES-AT +1696759698 2023-10-08T11:08:18+01:00 (4 hours ago) + + +# Remove the logs read policy +$ argocd proj role remove-policy test-project test-role -a get -p allow -o project -r logs + # The role should be removed now. $ argocd proj role get test-project test-role Role Name: test-role @@ -44,6 +60,7 @@ ID ISSUED-AT EXPIRES-AT -h, --help help for remove-policy -o, --object string Object within the project to grant/deny access. Use '*' for a wildcard. Will want access to '/' -p, --permission string Whether to allow or deny access to object with the action. This can only be 'allow' or 'deny' (default "allow") + -r, --resource string Resource e.g. 'applications', 'applicationsets', 'logs', 'exec', etc. (default "applications") ``` ### Options inherited from parent commands