
feat(rbac): add role support for policies-csv-file (#894)
Signed-off-by: Oleksandr Andriienko <[email protected]>
AndrienkoAleksandr authored Oct 30, 2023
1 parent 912e696 commit 7ad4902
Showing 4 changed files with 118 additions and 2 deletions.
26 changes: 26 additions & 0 deletions plugins/rbac-backend/src/service/permission-policy.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,32 @@ describe('RBACPermissionPolicy Tests', () => {
);
expect(decision.result).toBe(AuthorizeResult.ALLOW);
});

// case1 with role
it('should allow update access to resource permission for user from csv file', async () => {
const decision = await policy.handle(
newPolicyQueryWithResourcePermission(
'catalog.entity.read',
'catalog-entity',
'update',
),
newIdentityResponse('user:default/guest'),
);
expect(decision.result).toBe(AuthorizeResult.ALLOW);
});

// case2 with role
it('should allow update access to resource permission for role from csv file', async () => {
const decision = await policy.handle(
newPolicyQueryWithResourcePermission(
'catalog.entity.read',
'catalog-entity',
'update',
),
newIdentityResponse('role:default/catalog-writer'),
);
expect(decision.result).toBe(AuthorizeResult.ALLOW);
});
});

describe('Policy checks for users', () => {
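Review bot: Both new cases assert only ALLOW, so nothing here demonstrates that the `g` line in the csv is what grants update rather than the subject being matched too loosely; a negative case for a user outside `role:default/catalog-writer` would pin that down, e.g. `newIdentityResponse('user:default/outsider')` with the same 'catalog-entity'/'update' query expecting `AuthorizeResult.DENY`. The second case presents `role:default/catalog-writer` as the identity itself; if no request path can ever present a role as an identity, that test documents behavior nothing reaches and deserves a comment saying what it is meant to guard. The enclosing describe block starts before this hunk.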
30 changes: 28 additions & 2 deletions plugins/rbac-backend/src/service/permission-policy.ts
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ import { Enforcer, FileAdapter, newEnforcer, newModelFromString } from 'casbin';
import { Logger } from 'winston';

import { MODEL } from './permission-model';
import { validateEntityReference } from './policies-validation';

const useAdmins = async (admins: Config[], enf: Enforcer) => {
const adminRoleName = 'role:default/rbac_admin';
Expand Down Expand Up @@ -63,7 +64,7 @@ const useAdmins = async (admins: Config[], enf: Enforcer) => {
}
};

const addPredefinedPolicies = async (
const addPredefinedPoliciesAndGroupPolicies = async (
preDefinedPoliciesFile: string,
enf: Enforcer,
) => {
Expand All @@ -73,10 +74,35 @@ const addPredefinedPolicies = async (
);
const policies = await fileEnf.getPolicy();
for (const policy of policies) {
const err = validateEntityReference(policy[0]);
if (err) {
throw new Error(
`Failed to validate policy from file ${preDefinedPoliciesFile}. Cause: ${err.message}`,
);
}

if (!(await enf.hasPolicy(...policy))) {
await enf.addPolicy(...policy);
}
}
const groupPolicies = await fileEnf.getGroupingPolicy();
for (const groupPolicy of groupPolicies) {
let err = validateEntityReference(groupPolicy[0]);
if (err) {
throw new Error(
`Failed to validate group policy from file ${preDefinedPoliciesFile}. Cause: ${err.message}`,
);
}
err = validateEntityReference(groupPolicy[1]);
if (err) {
throw new Error(
`Failed to validate group policy from file ${preDefinedPoliciesFile}. Cause: ${err.message}`,
);
}
if (!(await enf.hasGroupingPolicy(...groupPolicy))) {
await enf.addGroupingPolicy(...groupPolicy);
}
}
};

export class RBACPermissionPolicy implements PermissionPolicy {
Expand All @@ -97,7 +123,7 @@ export class RBACPermissionPolicy implements PermissionPolicy {
);

if (policiesFile) {
await addPredefinedPolicies(policiesFile, enf);
await addPredefinedPoliciesAndGroupPolicies(policiesFile, enf);
}

if (adminUsers) {
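Review bot: The grouping-policy loop at the end of the third hunk validates both columns only as entity references, so nothing prevents a csv line from placing a subject into `role:default/rbac_admin`, the role that `useAdmins` populates from config, or from putting a non-role reference in the second column — assuming `validateEntityReference` checks format only, which this diff does not show. I would reject the built-in admin role and require a role reference in that position, e.g. `if (!groupPolicy[1].startsWith('role:') || groupPolicy[1] === 'role:default/rbac_admin') throw new Error(...)` with the offending value in the message, before the `hasGroupingPolicy` check. The two identical messages for `groupPolicy[0]` and `groupPolicy[1]` also hide which column failed unless `err.message` already names the bad reference. `addPredefinedPoliciesAndGroupPolicies` begins in the previous hunk and its caller is only partly visible here.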
2 changes: 2 additions & 0 deletions plugins/rbac-backend/src/service/test/data/rbac-policy.csv
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@

g, user:default/guest, role:default/catalog-writer

p, role:default/catalog-writer, catalog-entity, update, allow
p, user:default/guest, catalog-entity, read, allow
p, user:default/guest, catalog.entity.create, use, allow
62 changes: 62 additions & 0 deletions yarn.lock
Original file line number Diff line number Diff line change
Expand Up @@ -4790,6 +4790,68 @@
resolved "https://registry.yarnpkg.com/@istanbuljs/schema/-/schema-0.1.3.tgz#e45e384e4b8ec16bce2fd903af78450f6bf7ec98"
integrity sha512-ZXRY4jNvVgSVQ8DL3LTcakaAtXwTVUxE81hslsyD2AtoXW/wVob10HkOJ1X/pAlcI7D+2YoZKg5do8G/w6RYgA==

"@janus-idp/[email protected]":
version "1.3.0"
resolved "https://registry.yarnpkg.com/@janus-idp/cli/-/cli-1.3.0.tgz#adccc6828abd85517e9b67eab0d1c286bf1c500d"
integrity sha512-Cq0qZ5UqNqOCQhVMqNnKR4gd0zS6fnefQ7J6DDX0VkgjBxej3V7j2nJfSFVsLNNibSAvAAweNK7GL1mneFRGTw==
dependencies:
"@backstage/cli-common" "^0.1.13"
"@backstage/cli-node" "^0.1.5"
"@backstage/config" "^1.1.1"
"@backstage/config-loader" "^1.5.1"
"@backstage/errors" "^1.2.3"
"@backstage/eslint-plugin" "^0.1.3"
"@backstage/types" "^1.1.1"
"@manypkg/get-packages" "^1.1.3"
"@openshift/dynamic-plugin-sdk-webpack" "^3.0.0"
"@pmmmwh/react-refresh-webpack-plugin" "^0.5.7"
"@rollup/plugin-commonjs" "^25.0.4"
"@rollup/plugin-json" "^6.0.0"
"@rollup/plugin-node-resolve" "^15.2.1"
"@rollup/plugin-yaml" "^4.0.0"
"@svgr/rollup" "^8.1.0"
"@svgr/webpack" "^6.5.1"
"@yarnpkg/lockfile" "^1.1.0"
"@yarnpkg/parsers" "^3.0.0-rc.4"
bfj "^7.0.2"
chalk "^4.0.0"
chokidar "^3.3.1"
commander "^9.1.0"
css-loader "^6.5.1"
esbuild "^0.19.0"
esbuild-loader "^2.18.0"
eslint "^8.49.0"
eslint-config-prettier "^8.10.0"
eslint-webpack-plugin "^3.2.0"
express "^4.18.2"
fork-ts-checker-webpack-plugin "^7.0.0-alpha.8"
fs-extra "^10.1.0"
handlebars "^4.7.7"
html-webpack-plugin "^5.3.1"
inquirer "^8.2.0"
lodash "^4.17.21"
mini-css-extract-plugin "^2.4.2"
node-libs-browser "^2.2.1"
npm-packlist "^5.0.0"
ora "^5.3.0"
postcss "^8.2.13"
process "^0.11.10"
react-dev-utils "^12.0.0-next.60"
react-refresh "^0.14.0"
recursive-readdir "^2.2.2"
rollup "^2.78.0"
rollup-plugin-dts "^4.0.1"
rollup-plugin-esbuild "^4.7.2"
rollup-plugin-postcss "^4.0.0"
rollup-pluginutils "^2.8.2"
semver "^7.5.4"
style-loader "^3.3.1"
swc-loader "^0.2.3"
webpack "^5.89.0"
webpack-dev-server "^4.15.1"
yml-loader "^2.1.0"
yn "^4.0.0"

"@jest/console@^29.7.0":
version "29.7.0"
resolved "https://registry.yarnpkg.com/@jest/console/-/console-29.7.0.tgz#cd4822dbdb84529265c5a2bdb529a3c9cc950ffc"
