fix(rbac): csv updates no longer require server restarts (#1171)

* fix(rbac): csv updates no longer require server restarts

* fix(rbac): address some of the sonarcloud issues

* fix(rbac): fix build error

* fix(rbac): address review suggestions

* fix(rbac): make reloading configurable

plugins/rbac-backend/README.md

@@ -143,6 +143,16 @@ permission:
     policies-csv-file: /some/path/rbac-policy.csv
 ```
 
+Also, there is an additional configuration value that allows for the reloading of the CSV file without the need to restart.
+
+```YAML
+permission:
+  enabled: true
+  rbac:
+    policies-csv-file: /some/path/rbac-policy.csv
+    policyFileReload: true
+```
+
 For more information on the available permissions within Showcase and RHDH, refer to the [permissions documentation](./docs/permissions.md).
 
 ### Configuring Database Storage for policies

plugins/rbac-backend/config.d.ts

@@ -2,6 +2,11 @@ export interface Config {
   permission: {
     rbac: {
       'policies-csv-file'?: string;
+      /**
+       * Allow for reloading of the CSV file.
+       * @visibility frontend
+       */
+      policyFileReload?: boolean;
       /**
        * Optional configuration for admins, can declare individual users and / or groups
        * @visibility frontend

plugins/rbac-backend/src/__fixtures__/data/invalid-csv/duplicate-policies-actions.csv

@@ -0,0 +1,3 @@
+p, role:default/catalog-writer, catalog.entity.create, use, allow
+
+p, role:default/catalog-writer, catalog.entity.create, use, deny

plugins/rbac-backend/src/__fixtures__/data/invalid-csv/duplicate-policy.csv

@@ -0,0 +1,9 @@
+g, user:default/guest, role:default/catalog-deleter
+g, user:default/guest, role:default/catalog-deleter
+
+g, user:default/guest, role:default/catalog-updater
+
+p, role:default/catalog-writer, catalog.entity.create, use, allow
+p, role:default/catalog-writer, catalog.entity.create, use, allow
+
+p, role:default/catalog-writer, catalog-entity, delete, allow

plugins/rbac-backend/src/__fixtures__/data/invalid-csv/entityref-policy.csv

@@ -0,0 +1 @@
+g, user:default/, role:default/catalog-deleter

plugins/rbac-backend/src/__fixtures__/data/invalid-csv/permission-policy.csv

@@ -0,0 +1 @@
+p, role:default/, catalog.entity.create, use, allow

plugins/rbac-backend/src/__fixtures__/data/invalid-csv/role-entityref-policy.csv

@@ -0,0 +1 @@
+g, user:default/test, role:default/

plugins/rbac-backend/src/__fixtures__/data/valid-csv/rbac-policy.csv

@@ -0,0 +1,12 @@
+g, user:default/guest, role:default/catalog-writer
+g, user:default/guest, role:default/catalog-reader
+g, user:default/guest, role:default/catalog-deleter
+
+p, role:default/catalog-writer, catalog-entity, update, allow
+p, role:default/catalog-writer, catalog-entity, read, allow
+p, role:default/catalog-writer, catalog.entity.create, use, allow
+p, role:default/catalog-deleter, catalog-entity, delete, deny
+
+p, role:default/known_role, test.resource.deny, use, allow
+
+g, user:default/known_user, role:default/known_role

plugins/rbac-backend/src/__fixtures__/data/valid-csv/updated-rbac-policy.csv

@@ -0,0 +1,10 @@
+g, user:default/guest, role:default/catalog-writer
+g, user:default/guest, role:default/catalog-updater
+
+g, user:default/guest, role:default/catalog-tester
+
+p, role:default/catalog-writer, catalog-entity, update, allow
+p, role:default/catalog-writer, catalog.entity.create, use, deny
+p, role:default/catalog-deleter, catalog-entity, delete, allow
+
+p, role:default/catalog-writer, catalog.entity.delete, delete, allow