Skip to content

Commit

Permalink
feat(rbac): lazy load temporary enforcer (janus-idp#1513)
Browse files Browse the repository at this point in the history
  • Loading branch information
PatAKnight authored Apr 18, 2024
1 parent ffcd101 commit b5f1552
Show file tree
Hide file tree
Showing 2 changed files with 50 additions and 18 deletions.
51 changes: 38 additions & 13 deletions plugins/rbac-backend/src/service/enforcer-delegate.ts
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
import { NotAllowedError, NotFoundError } from '@backstage/errors';

import { Enforcer, newEnforcer, newModelFromString } from 'casbin';
import { Enforcer, newModelFromString } from 'casbin';
import { Knex } from 'knex';

import {
Expand Down Expand Up @@ -575,26 +575,51 @@ export class EnforcerDelegate {
}
}

/**
* enforce aims to enforce a particular permission policy based on the user that it receives.
* Under the hood, enforce uses the `enforce` method from the enforcer`.
*
* Before enforcement, a filter is set up to reduce the number of permission policies that will
* be loaded in.
* This will reduce the amount of checks that need to be made to determine if a user is authorize
* to perform an action
*
* A temporary enforcer will also be used while enforcing.
* This is to ensure that the filter does not interact with the base enforcer.
* The temporary enforcer has lazy loading of the permission policies enabled to reduce the amount
* of time it takes to initialize the temporary enforcer.
* The justification for lazy loading is because permission policies are already present in the
* role manager / database and it will be filtered and loaded whenever `loadFilteredPolicy` is called.
* @param entityRef The user to enforce
* @param resourceType The resource type / name of the permission policy
* @param action The action of the permission policy
* @param roles Any roles that the user is directly or indirectly attached to.
* Used for filtering permission policies.
* @returns True if the user is allowed based on the particular permission
*/
async enforce(
entityRef: string,
resourceType: string,
action: string,
roles: string[],
): Promise<boolean> {
const filter = [
{
ptype: 'p',
v1: resourceType,
v2: action,
},
{
ptype: 'g',
v0: entityRef,
},
];
const filter = [];
if (roles.length > 0) {
roles.forEach(role => {
filter.push({ ptype: 'p', v0: role, v1: resourceType, v2: action });
});
} else {
filter.push({ ptype: 'p', v1: resourceType, v2: action });
}

const adapt = this.enforcer.getAdapter();
const roleManager = this.enforcer.getRoleManager();
const tempEnforcer = await newEnforcer(newModelFromString(MODEL), adapt);
const tempEnforcer = new Enforcer();
await tempEnforcer.initWithModelAndAdapter(
newModelFromString(MODEL),
adapt,
true,
);
tempEnforcer.setRoleManager(roleManager);

await tempEnforcer.loadFilteredPolicy(filter);
Expand Down
17 changes: 12 additions & 5 deletions plugins/rbac-backend/src/service/permission-policy.ts
Original file line number Diff line number Diff line change
Expand Up @@ -284,6 +284,7 @@ export class RBACPermissionPolicy implements PermissionPolicy {

const userEntityRef = identityResp.identity.userEntityRef;
const permissionName = request.permission.name;
const roles = await this.enforcer.getRolesForUser(userEntityRef);

if (isResourcePermission(request.permission)) {
const resourceType = request.permission.resourceType;
Expand All @@ -295,6 +296,7 @@ export class RBACPermissionPolicy implements PermissionPolicy {
resourceType,
request.permission.name,
action,
roles,
);
if (conditionResult) {
return conditionResult;
Expand All @@ -311,10 +313,15 @@ export class RBACPermissionPolicy implements PermissionPolicy {
// Let's set up higher priority for permission specified by name, than by resource type
const obj = hasNamedPermission ? permissionName : resourceType;

status = await this.isAuthorized(userEntityRef, obj, action);
status = await this.isAuthorized(userEntityRef, obj, action, roles);
} else {
// handle permission with 'basic' type
status = await this.isAuthorized(userEntityRef, permissionName, action);
status = await this.isAuthorized(
userEntityRef,
permissionName,
action,
roles,
);
}

const result = status ? AuthorizeResult.ALLOW : AuthorizeResult.DENY;
Expand Down Expand Up @@ -357,6 +364,7 @@ export class RBACPermissionPolicy implements PermissionPolicy {
userIdentity: string,
permission: string,
action: string,
roles: string[],
): Promise<boolean> => {
if (this.superUserList!.includes(userIdentity)) {
return true;
Expand All @@ -373,17 +381,16 @@ export class RBACPermissionPolicy implements PermissionPolicy {
);
}

return await this.enforcer.enforce(userIdentity, permission, action);
return await this.enforcer.enforce(userIdentity, permission, action, roles);
};

private async handleConditions(
userEntityRef: string,
resourceType: string,
permissionName: string,
action: PermissionAction,
roles: string[],
): Promise<PolicyDecision | undefined> {
const roles = await this.enforcer.getRolesForUser(userEntityRef);

const conditions: PermissionCriteria<
PermissionCondition<string, PermissionRuleParams>
>[] = [];
Expand Down

0 comments on commit b5f1552

Please sign in to comment.