test(plugins): add end-to-end plugin authorization coverage

[adityathebe]

resoles: #3126

Plugin invocation needs to enforce both catalog access and plugin operation permissions.

Add a full plugin E2E suite that starts Mission Control with real basic auth, envtest Kubernetes API, embedded Postgres, and a real hasher plugin process. The test applies Plugin and Permission CRDs, then verifies /invoke/ and /proxy/ for allowed users, bad credentials, missing plugin invoke permission, and missing config read permission.

Also require config read permission before invoking plugin operations for a specific config.

Summary by CodeRabbit

Release Notes

• New Features

  • Enhanced plugin invocation security with additional role-based access control checks. Users must now have both config read and plugin invoke permissions to execute plugin operations.

• Tests

  • Added comprehensive end-to-end tests validating plugin authorization and permission enforcement across multiple user roles.

[coderabbitai]

Warning

Review limit reached

@adityathebe, we couldn't start this review because you've used your available PR reviews for now.

Your plan includes 1 review of capacity. Refill in 5 minutes and 36 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 85febfea-a41c-471c-a6f0-96941be94876

📥 Commits

Reviewing files that changed from the base of the PR and between 9f46af5 and 028dbbb.

📒 Files selected for processing (5)

• plugin/runtime/invoke.go
• tests/e2e/plugins/helpers_test.go
• tests/e2e/plugins/plugins_test.go
• tests/e2e/plugins/suite_test.go
• tests/e2e/plugins/testdata/plugins/hasher/main.go

Walkthrough

This PR adds a config read permission check before plugin invocation, implements an end-to-end test plugin and test harness to validate the new authorization flow with multiple users and permission roles across Kubernetes, mission control, and HTTP endpoints.

Changes

Plugin Config Read Authorization and E2E Testing

Layer / File(s)	Summary
Config Read Authorization Check plugin/runtime/invoke.go	EnforceInvokePermission now verifies the subject has policy.ActionRead permission on the loaded config before proceeding to the existing plugin invoke permission check; returns EFORBIDDEN if the read permission is denied.
Test Plugin: Hasher Operation tests/e2e/plugins/testdata/plugins/hasher/main.go	Implements a test plugin exposing a sha256 HTTP GET operation that fetches a config item by ID, hashes its name field using SHA-256, and returns JSON with the original name and hex-encoded digest.
E2E Test Infrastructure and Lifecycle tests/e2e/plugins/suite_test.go	Sets up Ginkgo E2E test suite with BeforeSuite initialization (database-backed test users, plugin binary build, Kubernetes envtest startup, mission control server with basic auth), AfterSuite cleanup, and helper functions for envtest/kubernetes setup, port selection, htpasswd generation, and repo root discovery.
E2E Test Cases and Authorization Assertions tests/e2e/plugins/plugins_test.go	Provisions hasher plugin and Permission CRDs for multiple users with different RBAC roles, polls for plugin availability, executes authenticated HTTP requests to invoke and proxy endpoints, and asserts expected status codes (200 OK with correct hash, 403 Forbidden for missing invoke permission, non-200 for missing read permission, 401 Unauthorized for invalid credentials).

Possibly related PRs

• flanksource/mission-control#3110: Changes how canInvokePluginOperation computes the plugin invoke permission, directly impacting the same authorization decision logic as this PR.
• flanksource/mission-control#3116: Modifies the same EnforceInvokePermission RBAC enforcement in plugin/runtime/invoke.go used during plugin invocations.

Suggested reviewers

• moshloop

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding end-to-end test coverage for plugin authorization.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch e2e-plugin-hasher

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch e2e-plugin-hasher

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/e2e/plugins/plugins_test.go`:
- Around line 70-72: The test currently asserts that the response is not 200
which can mask errors; change the assertion to explicitly expect a 403 Forbidden
for the missing-config-read case by replacing the negative check on
resp.StatusCode with an explicit equality check to http.StatusForbidden (update
the Expect call that uses resp.StatusCode and resp.Body). Locate the assertion
around ginkgo.By(endpoint.name + " rejects user without config read") and the
doPluginRequest invocation and modify the Expect(...) call to assert
Equal(http.StatusForbidden).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 43ff70e6-57d4-4882-ba6d-c0a2bdec2d3c

📥 Commits

Reviewing files that changed from the base of the PR and between 78733ea and 9f46af5.

📒 Files selected for processing (4)

• plugin/runtime/invoke.go
• tests/e2e/plugins/plugins_test.go
• tests/e2e/plugins/suite_test.go
• tests/e2e/plugins/testdata/plugins/hasher/main.go