diff --git a/src/commands/security.rs b/src/commands/security.rs
index 7da9a7a..3f7baf6 100644
--- a/src/commands/security.rs
+++ b/src/commands/security.rs
@@ -645,7 +645,7 @@ pub async fn asm_exclusions_delete(cfg: &Config, exclusion_filter_id: &str) -> R
 // ---- Restriction Policies ----
 pub async fn restriction_policy_get(cfg: &Config, resource_id: &str) -> Result<()> {
-    let api = crate::make_api_no_auth!(RestrictionPoliciesAPI, cfg);
+    let api = crate::make_api!(RestrictionPoliciesAPI, cfg);
     let resp = api
         .get_restriction_policy(resource_id.to_string())
         .await
@@ -655,7 +655,7 @@ pub async fn restriction_policy_get(cfg: &Config, resource_id: &str) -> Result<(
 pub async fn restriction_policy_update(cfg: &Config, resource_id: &str, file: &str) -> Result<()> {
     let body: RestrictionPolicyUpdateRequest = util::read_json_file(file)?;
-    let api = crate::make_api_no_auth!(RestrictionPoliciesAPI, cfg);
+    let api = crate::make_api!(RestrictionPoliciesAPI, cfg);
     let resp = api
         .update_restriction_policy(
             resource_id.to_string(),
@@ -668,7 +668,7 @@ pub async fn restriction_policy_update(cfg: &Config, resource_id: &str, file: &s
 }
 pub async fn restriction_policy_delete(cfg: &Config, resource_id: &str) -> Result<()> {
-    let api = crate::make_api_no_auth!(RestrictionPoliciesAPI, cfg);
+    let api = crate::make_api!(RestrictionPoliciesAPI, cfg);
     api.delete_restriction_policy(resource_id.to_string())
         .await
         .map_err(|e| anyhow::anyhow!("failed to delete restriction policy: {e:?}"))?;
diff --git a/src/main.rs b/src/main.rs
index c3e6fb8..1501d7c 100644
--- a/src/main.rs
+++ b/src/main.rs
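Review bot: None of the three restriction-policy functions documents that the client must now be authenticated, even though that is the whole change in this hunk (`make_api_no_auth!` to `make_api!`) and in the `restriction_policy_update` and `restriction_policy_delete` hunks below. A doc line above each, e.g. `/// Requires an authenticated client: the server authorizes the call against the permissions of the resource named by resource_id.`, records why the unauthenticated variant was wrong instead of leaving the reason in commit history; the per-resource authorization rationale is only stated in this commit's main.rs help text, so adjust the wording if the macro's behavior lives elsewhere. Separately, the delete path formats the API error with `{e:?}`; if that Debug output includes the raw response or request, the message may echo more than the caller needs, which is worth confirming against the error type. Each function's body continues outside its hunk.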
@@ -4566,7 +4566,26 @@ enum SecurityActions {
         action: AsmExclusionActions,
     },
     /// Manage resource restriction policies
-    #[command(name = "restriction-policies")]
+    ///
+    /// Restriction policies live at `/api/v2/restriction_policy/{resource}`
+    /// where `{resource}` is `:` (ex: `dashboard:abc-123`,
+    /// `monitor:12345`). The server accepts OAuth2 or DD_API_KEY +
+    /// DD_APP_KEY.
+    ///
+    /// The required OAuth scope depends on the resource type embedded in
+    /// the resource ID. The server enforces the same permission a user would
+    /// need to view/edit the underlying resource (ex: `dashboards_read` for
+    /// a `dashboard:*` GET, `monitors_write` for a `monitor:*` POST).
+    ///
+    /// Common types covered by pup's default OAuth scopes today: dashboard,
+    /// monitor, slo, workflow, notebook, security-rule, logs-archive,
+    /// rum-application, reference-table, case-management-project,
+    /// on-call-*, status-page, integration-*. Other resource types (ex:
+    /// connection, app-builder-app, obs-pipelines-*, spreadsheet,
+    /// feature-flag, agent-builder-agent, product-analytics-*) require
+    /// scopes pup does not yet request; for those, use DD_API_KEY +
+    /// DD_APP_KEY.
+    #[command(name = "restriction-policies", verbatim_doc_comment)]
     RestrictionPolicies {
         #[command(subcommand)]
         action: RestrictionPolicyActions,
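Review bot: The resource-id format on the added line starting `/// where {resource} is` is unreadable as written: only a bare colon sits between the backticks, so a user of `--help` cannot tell that a type and an id are joined by `:`; writing it as `` `type:id` `` fixes this, and plain words are safer than angle-bracket placeholders, which rustdoc would swallow as HTML even though `verbatim_doc_comment` shows them in clap. The enumerated list of resource types that pup's default OAuth scopes cover will drift as scopes are added; pointing at the place those scopes are declared would keep the help text honest. Since the suggested fallback is a DD_API_KEY + DD_APP_KEY pair, one clause noting that this path uses the key holder's full permissions rather than a scoped grant would help users choose it deliberately. The enclosing `enum SecurityActions` starts and ends outside the hunk.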