feat!: support additional vCenter entities for privilege rules (#362)

## Issue
N/A

## Description
- Extend privilege rules to support datastores, the vCenter root object,
and all network types.
- Add `GroupPrincipals` and `Propagated` to the privilege rule spec.
- `GroupPrincipals` are used to identify permissions that grant
privileges to a user on a specific entity. They're required because
non-admin users cannot query the vCenter API to determine their own
group membership.
- `Propagated` is a new flag that further qualifies the assignment of
privileges to a user on a specific entity.
- Clean up some lingering Spectro-internal logic that was filtering
Datacenters and Clusters based on kubernetes tags.

Related:
- validator-labs/validatorctl#217

---------

Signed-off-by: Tyler Gillson <tyler.gillson@gmail.com>

Author: TylerGillson

.golangci.yml

@@ -16,7 +16,6 @@ linters:
   enable:
     - dupl
     - errcheck
-    - exportloopref
     - ginkgolinter
     - goconst
     - gocyclo

api/v1alpha1/vspherevalidator_types.go

@@ -9,10 +9,11 @@ import (
 	"github.com/validator-labs/validator/pkg/validationrule"
 
 	"github.com/validator-labs/validator-plugin-vsphere/api/vcenter"
+	"github.com/validator-labs/validator-plugin-vsphere/api/vcenter/entity"
 	"github.com/validator-labs/validator-plugin-vsphere/pkg/constants"
 )
 
-// VsphereValidatorSpec defines the desired state of VsphereValidator
+// VsphereValidatorSpec defines the desired state of a vSphere validator.
 type VsphereValidatorSpec struct {
 	Auth                     VsphereAuth               `json:"auth" yaml:"auth"`
 	Datacenter               string                    `json:"datacenter" yaml:"datacenter"`
@@ -29,173 +30,187 @@ func (s VsphereValidatorSpec) PluginCode() string {
 	return constants.PluginCode
 }
 
-// ResultCount returns the number of validation results expected for an VsphereValidatorSpec.
+// ResultCount returns the number of validation results expected for a VsphereValidatorSpec.
 func (s VsphereValidatorSpec) ResultCount() int {
 	return len(s.PrivilegeValidationRules) + len(s.ComputeResourceRules) +
 		len(s.TagValidationRules) + len(s.NTPValidationRules)
 }
 
-// VsphereAuth defines authentication configuration for an VsphereValidator.
+// VsphereAuth defines authentication configuration for a vSphere validator.
 type VsphereAuth struct {
-	// SecretName is the name of the secret containing the vSphere credentials
+	// SecretName is the name of the secret containing vCenter credentials.
 	SecretName string `json:"secretName,omitempty" yaml:"secretName,omitempty"`
 
-	// Account is the vCenter account to use for authentication
+	// Account is the vCenter account to use for authentication.
 	Account *vcenter.Account `json:"account,omitempty" yaml:"account,omitempty"`
 }
 
-// NTPValidationRule defines the NTP validation rule
+// NTPValidationRule defines an NTP validation rule.
 type NTPValidationRule struct {
 	validationrule.ManuallyNamed `json:",inline" yaml:",omitempty"`
 
-	// RuleName is the name of the NTP validation rule
+	// RuleName is the name of the NTP validation rule.
 	RuleName string `json:"name" yaml:"name"`
 
-	// ClusterName is required when the vCenter Host(s) reside beneath a Cluster in the vCenter object hierarchy
+	// ClusterName is required when the vCenter Host(s) reside beneath a Cluster in the vCenter object hierarchy.
 	ClusterName string `json:"clusterName,omitempty" yaml:"clusterName,omitempty"`
 
-	// Hosts is the list of vCenter Hosts to validate NTP configuration
+	// Hosts is the list of vCenter Hosts to validate NTP configuration for.
 	Hosts []string `json:"hosts" yaml:"hosts"`
 }
 
 var _ validationrule.Interface = (*NTPValidationRule)(nil)
 
-// Name returns the name of the NTPValidationRule.
+// Name returns the name of the NTP validation rule.
 func (r NTPValidationRule) Name() string {
 	return r.RuleName
 }
 
-// SetName sets the name of the NTPValidationRule.
+// SetName sets the name of the NTP validation rule.
 func (r *NTPValidationRule) SetName(name string) {
 	r.RuleName = name
 }
 
-// ComputeResourceRule defines the compute resource validation rule
+// ComputeResourceRule defines a compute resource validation rule.
 type ComputeResourceRule struct {
 	validationrule.ManuallyNamed `json:",inline" yaml:",omitempty"`
 
-	// RuleName is the name of the compute resource validation rule
+	// RuleName is the name of the compute resource validation rule.
 	RuleName string `json:"name" yaml:"name"`
 
-	// ClusterName is required when the vCenter Entity resides beneath a Cluster in the vCenter object hierarchy
+	// ClusterName is required when the vCenter entity resides beneath a Cluster in the vCenter object hierarchy.
 	ClusterName string `json:"clusterName,omitempty" yaml:"clusterName"`
 
-	// Scope is the scope of the compute resource validation rule
-	Scope vcenter.Entity `json:"scope" yaml:"scope"`
+	// Scope is the scope of the compute resource validation rule.
+	Scope entity.Entity `json:"scope" yaml:"scope"`
 
-	// EntityName is the name of the entity to validate
+	// EntityName is the name of the entity to validate.
 	EntityName string `json:"entityName" yaml:"entityName"`
 
-	// NodepoolResourceRequirements is the list of nodepool resource requirements
+	// NodepoolResourceRequirements is the list of nodepool resource requirements.
 	NodepoolResourceRequirements []NodepoolResourceRequirement `json:"nodepoolResourceRequirements" yaml:"nodepoolResourceRequirements"`
 }
 
 var _ validationrule.Interface = (*ComputeResourceRule)(nil)
 
-// Name returns the name of the ComputeResourceRule.
+// Name returns the name of the compute resource validation rule.
 func (r ComputeResourceRule) Name() string {
 	return r.RuleName
 }
 
-// SetName sets the name of the ComputeResourceRule.
+// SetName sets the name of the compute resource validation rule.
 func (r *ComputeResourceRule) SetName(name string) {
 	r.RuleName = name
 }
 
-// PrivilegeValidationRule defines the privilege validation rule
+// PrivilegeValidationRule defines a privilege validation rule.
 type PrivilegeValidationRule struct {
 	validationrule.ManuallyNamed `json:",inline" yaml:",omitempty"`
 
-	// RuleName is the name of the entity privilege validation rule
+	// RuleName is the name of the privilege validation rule.
 	RuleName string `json:"name" yaml:"name"`
 
-	// Username is the username to validate against
-	Username string `json:"username" yaml:"username"`
-
-	// ClusterName is required when the vCenter Entity resides beneath a Cluster in the vCenter object hierarchy
+	// ClusterName is required when the vCenter entity resides beneath a Cluster in the vCenter object hierarchy.
 	ClusterName string `json:"clusterName,omitempty" yaml:"clusterName,omitempty"`
 
-	// EntityType is the type of the entity to validate
-	EntityType vcenter.Entity `json:"entityType" yaml:"entityType"`
+	// EntityType is the type of the vCenter entity to validate.
+	EntityType entity.Entity `json:"entityType" yaml:"entityType"`
 
-	// EntityName is the name of the entity to validate
+	// EntityName is the name of the vCenter entity to validate privileges on.
 	EntityName string `json:"entityName" yaml:"entityName"`
 
-	// Privileges is the list of privileges to validate that the user has
+	// Privileges is the list of privileges to validate that the user has with respect to the designated vCenter entity.
 	Privileges []string `json:"privileges" yaml:"privileges"`
 
-	// TODO: consider propagation somehow
+	// Propagation validation configuration for permissions that grant the user privileges on the vCenter entity.
+	Propagation Propagation `json:"propagation,omitempty" yaml:"propagation,omitempty"`
+}
+
+// Propagation contains configuration related to propagation validation.
+type Propagation struct {
+	// Enabled controls whether propagation validation is performed.
+	Enabled bool `json:"enabled" yaml:"enabled"`
+
+	// GroupPrincipals is an optional list of vCenter group principals that the user is a member of.
+	// Group membership can be determined dynamically by a vSphere admin user, but specifying
+	// group principals manually allows privilege validation for non-admin users.
+	// Group principals must be of the format DOMAIN\group-name, e.g., VSPHERE.LOCAL\my-custom-group.
+	GroupPrincipals []string `json:"groupPrincipals,omitempty" yaml:"groupPrincipals,omitempty"`
+
+	// Propagated indicates whether the permission that grants privileges to the user for the rule's
+	// entity is expected to be propagated or not.
+	Propagated bool `json:"propagated" yaml:"propagated"`
 }
 
 var _ validationrule.Interface = (*PrivilegeValidationRule)(nil)
 
-// Name returns the name of the PrivilegeValidationRule.
+// Name returns the name of the privilege validation rule.
 func (r PrivilegeValidationRule) Name() string {
 	return r.RuleName
 }
 
-// SetName sets the name of the PrivilegeValidationRule.
+// SetName sets the name of the privilege validation rule.
 func (r *PrivilegeValidationRule) SetName(name string) {
 	r.RuleName = name
 }
 
-// TagValidationRule defines the tag validation rule
+// TagValidationRule defines a tag validation rule.
 type TagValidationRule struct {
 	validationrule.ManuallyNamed `json:",inline" yaml:",omitempty"`
 
-	// RuleName is the name of the tag validation rule
+	// RuleName is the name of the tag validation rule.
 	RuleName string `json:"name" yaml:"name"`
 
-	// ClusterName is required when the vCenter Entity resides beneath a Cluster in the vCenter object hierarchy
+	// ClusterName is required when the vCenter entity resides beneath a Cluster in the vCenter object hierarchy.
 	ClusterName string `json:"clusterName,omitempty" yaml:"clusterName"`
 
-	// EntityType is the type of the entity to validate
-	EntityType vcenter.Entity `json:"entityType" yaml:"entityType"`
+	// EntityType is the type of the vCenter entity to validate.
+	EntityType entity.Entity `json:"entityType" yaml:"entityType"`
 
-	// EntityName is the name of the entity to validate
+	// EntityName is the name of the vCenter entity to validate tags on.
 	EntityName string `json:"entityName" yaml:"entityName"`
 
-	// Tag is the tag to validate on the entity
+	// Tag is the tag to validate on the vCenter entity.
 	Tag string `json:"tag" yaml:"tag"`
 }
 
 var _ validationrule.Interface = (*TagValidationRule)(nil)
 
-// Name returns the name of the TagValidationRule.
+// Name returns the name of the tag validation rule.
 func (r TagValidationRule) Name() string {
 	return r.RuleName
 }
 
-// SetName sets the name of the TagValidationRule.
+// SetName sets the name of the tag validation rule.
 func (r *TagValidationRule) SetName(name string) {
 	r.RuleName = name
 }
 
-// NodepoolResourceRequirement defines the resource requirements for a nodepool
+// NodepoolResourceRequirement defines the resource requirements for a node pool.
 type NodepoolResourceRequirement struct {
-	// Name is the name of the nodepool
+	// Name is the name of the node pool.
 	Name string `json:"name" yaml:"name"`
 
-	// NumberOfNodes is the number of nodes in the nodepool
+	// NumberOfNodes is the number of nodes in the node pool.
 	NumberOfNodes int `json:"numberOfNodes" yaml:"numberOfNodes"`
 
-	// CPU is the CPU requirement for the nodepool
+	// CPU is the CPU requirement for the node pool.
 	CPU string `json:"cpu" yaml:"cpu"`
 
-	// Memory is the memory requirement for the nodepool
+	// Memory is the memory requirement for the node pool.
 	Memory string `json:"memory" yaml:"memory"`
 
-	// DiskSpace is the disk space requirement for the nodepool
+	// DiskSpace is the disk space requirement for the node pool.
 	DiskSpace string `json:"diskSpace" yaml:"diskSpace"`
 }
 
-// VsphereValidatorStatus defines the observed state of VsphereValidator
+// VsphereValidatorStatus defines the observed state of a vSphere validator.
 type VsphereValidatorStatus struct{}
 
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
 
-// VsphereValidator is the Schema for the vspherevalidators API
+// VsphereValidator is the Schema for the vspherevalidators API.
 type VsphereValidator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -214,14 +229,14 @@ func (v VsphereValidator) PluginCode() string {
 	return v.Spec.PluginCode()
 }
 
-// ResultCount returns the number of validation results expected for a VsphereValidator.
+// ResultCount returns the number of validation results expected for a vSphere validator.
 func (v VsphereValidator) ResultCount() int {
 	return v.Spec.ResultCount()
 }
 
 //+kubebuilder:object:root=true
 
-// VsphereValidatorList contains a list of VsphereValidator
+// VsphereValidatorList contains a list of vSphere validator.
 type VsphereValidatorList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`