use matchPerm
this simplifies the casbin policy
adityathebe committed Nov 26, 2024
1 parent a7a7e33 commit 7922f26
Showing 5 changed files with 15 additions and 27 deletions.
23 changes: 8 additions & 15 deletions models/permission.go
@@ -1,11 +1,11 @@
package models

import (
"encoding/json"
"fmt"
"strings"
"time"

"github.com/flanksource/commons/collections"
"github.com/flanksource/duty/types"
"github.com/google/uuid"
"github.com/lib/pq"
Expand Down Expand Up @@ -35,7 +35,7 @@ type Permission struct {
Agents pq.StringArray `json:"agents,omitempty" gorm:"type:[]text"`

// List of config/component tags a person is allowed access to when RLS is enabled
Tags types.JSONMap `json:"tags,omitempty"`
Tags types.JSONStringMap `json:"tags,omitempty"`
}

func (t *Permission) Principal() string {
Expand All @@ -54,35 +54,28 @@ func (t *Permission) Condition() string {
var rule []string

if t.ComponentID != nil {
rule = append(rule, fmt.Sprintf("!isString(r.obj) && r.obj.component != undefined && r.obj.component.id == %q", t.ComponentID.String()))
rule = append(rule, fmt.Sprintf("r.obj.component != undefined && r.obj.component.id == %q", t.ComponentID.String()))
}

if t.ConfigID != nil {
rule = append(rule, fmt.Sprintf("!isString(r.obj) && r.obj.config != undefined && r.obj.config.id == %q", t.ConfigID.String()))
rule = append(rule, fmt.Sprintf("r.obj.config != undefined && r.obj.config.id == %q", t.ConfigID.String()))
}

if t.CanaryID != nil {
rule = append(rule, fmt.Sprintf("!isString(r.obj) && r.obj.canary != undefined && r.obj.canary.id == %q", t.CanaryID.String()))
rule = append(rule, fmt.Sprintf("r.obj.canary != undefined && r.obj.canary.id == %q", t.CanaryID.String()))
}

if t.PlaybookID != nil {
rule = append(rule, fmt.Sprintf("!isString(r.obj) && r.obj.playbook != undefined && r.obj.playbook.id == %q", t.PlaybookID.String()))
rule = append(rule, fmt.Sprintf("r.obj.playbook != undefined && r.obj.playbook.id == %q", t.PlaybookID.String()))
}

if len(t.Agents) > 0 {
if len(t.Agents) > 0 || len(t.Tags) > 0 {
var agents []string
for _, agentID := range t.Agents {
agents = append(agents, fmt.Sprintf("'%s'", agentID))
}

rule = append(rule, fmt.Sprintf("!isString(r.obj) && r.obj.config != undefined && r.obj.config.agent_id in (%s)", strings.Join(agents, ",")))
rule = append(rule, fmt.Sprintf("!isString(r.obj) && r.obj.component != undefined && r.obj.component.agent_id in (%s)", strings.Join(agents, ",")))
rule = append(rule, fmt.Sprintf("!isString(r.obj) && r.obj.canary != undefined && r.obj.canary.agent_id in (%s)", strings.Join(agents, ",")))
}

if len(t.Tags) > 0 {
b, _ := json.Marshal(t.Tags)
rule = append(rule, fmt.Sprintf("!isString(r.obj) && r.obj.config != undefined && mapContains(%q, r.obj.config.tags)", string(b)))
rule = append(rule, fmt.Sprintf(`"matchPerm(r.obj, (%s), '%s')"`, strings.Join(agents, ","), collections.SortedMap(t.Tags)))
}

return strings.Join(rule, " && ")
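Review bot: The matchPerm clause is emitted inside literal double quotes — the format string is the raw string `"matchPerm(r.obj, (%s), '%s')"` — so the generated condition contains `"matchPerm(...)"` as a string literal rather than a function call, as the updated test expectations also show; once joined with `&&` to an id clause, a string operand is either an evaluation error or, if the matcher coerces it, a truthy value that widens the grant. Drop the outer quotes: `rule = append(rule, fmt.Sprintf("matchPerm(r.obj, (%s), '%s')", strings.Join(agents, ","), collections.SortedMap(t.Tags)))`. Agent IDs and the sorted `key=value` tag string are interpolated into single-quoted literals with no escaping (the removed json.Marshal/%q path at least quoted the tags), so a value containing `'`, `,` or `)` breaks out of the literal; if permission rows can be written by anyone other than an administrator this is policy-expression injection and the values should be validated or escaped before interpolation. The `!isString(r.obj)` guard is also gone from the id clauses, so `r.obj.component != undefined` is now evaluated for string subjects as well — confirm the matcher tolerates that or that string objects never reach these clauses. Condition's closing brace lies past the end of this hunk.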
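--- a/models/permission_test.go
+++ b/models/permission_test.go
@@ -3,7 +3,6 @@ package models
 import (
 "testing"
 
-"github.com/flanksource/duty/types"
 "github.com/google/uuid"
 "github.com/lib/pq"
 "github.com/samber/lo"
@@ -20,15 +19,15 @@ func TestPermission_Condition(t *testing.T) {
 perm: Permission{
 PlaybookID: lo.ToPtr(uuid.MustParse("33333333-3333-3333-3333-333333333333")),
 },
-expected: `!isString(r.obj) && r.obj.playbook != undefined && r.obj.playbook.id == "33333333-3333-3333-3333-333333333333"`,
+expected: `r.obj.playbook != undefined && r.obj.playbook.id == "33333333-3333-3333-3333-333333333333"`,
 },
 {
 name: "Multiple fields II",
 perm: Permission{
 ConfigID: lo.ToPtr(uuid.MustParse("88888888-8888-8888-8888-888888888888")),
 PlaybookID: lo.ToPtr(uuid.MustParse("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa")),
 },
-expected: `!isString(r.obj) && r.obj.config != undefined && r.obj.config.id == "88888888-8888-8888-8888-888888888888" && !isString(r.obj) && r.obj.playbook != undefined && r.obj.playbook.id == "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"`,
+expected: `r.obj.config != undefined && r.obj.config.id == "88888888-8888-8888-8888-888888888888" && r.obj.playbook != undefined && r.obj.playbook.id == "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"`,
 },
 {
 name: "No fields set",
@@ -40,16 +39,16 @@ func TestPermission_Condition(t *testing.T) {
 perm: Permission{
 Agents: pq.StringArray([]string{"aws", "azure"}),
 },
-expected: "!isString(r.obj) && r.obj.config != undefined && r.obj.config.agent_id in ('aws','azure') && !isString(r.obj) && r.obj.component != undefined && r.obj.component.agent_id in ('aws','azure') && !isString(r.obj) && r.obj.canary != undefined && r.obj.canary.agent_id in ('aws','azure')",
+expected: `"matchPerm(r.obj, ('aws','azure'), '')"`,
 },
 {
 name: "tags",
 perm: Permission{
-Tags: types.JSONMap{
-"cluster": []string{"aws"},
+Tags: map[string]string{
+"cluster": "aws",
 },
 },
-expected: `!isString(r.obj) && r.obj.config != undefined && mapContains("{\"cluster\":[\"aws\"]}", r.obj.config.tags)`,
+expected: `"matchPerm(r.obj, (), 'cluster=aws')"`,
 },
 }
 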
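Review bot: The new expected values for the "agents" and "tags" cases pin a condition that is wrapped in literal double quotes (`"matchPerm(r.obj, ('aws','azure'), '')"`), so the tests lock in whatever Condition currently emits rather than checking that the output is a bare function call the matcher can evaluate; if that quoting is unintended, the expectations should drop the outer quotes together with the implementation. There is also no case with both Agents and Tags set, although the implementation now handles them in a single branch, and no case combining an ID with agents or tags to exercise the `&&` join. Consider adding `{name: "agents and tags", perm: Permission{Agents: pq.StringArray([]string{"aws"}), Tags: map[string]string{"cluster": "aws"}}, expected: ...}` with the expected value set to the intended single matchPerm clause. A case whose tag value contains a single quote would also document how (or whether) such values are escaped before being interpolated into the policy expression.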
2 changes: 1 addition & 1 deletion schema/permissions.hcl
Expand Up @@ -99,7 +99,7 @@ table "permissions" {
column "tags" {
null = true
type = jsonb
comment = "a list of tags a user is allowed to access when row-level security is enabled"
comment = "a list of tags user is allowed to access when row-level security is enabled"
}

primary_key {
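Review bot: Both versions of the column comment in this hunk describe `tags` as "a list of tags", but this same commit types the Go field as a string map (`types.JSONStringMap`, `map[string]string` in the tests) and serialises it as `key=value` pairs, so "list" misdescribes the jsonb shape a maintainer will find in the column. Suggest `comment = "key/value tags (a string map) a user is allowed to access when row-level security is enabled"`. Whichever side is the new one, the phrase should keep the article: "a user", not "user".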
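--- a/views/034_rls_enable.sql
+++ b/views/034_rls_enable.sql
@@ -112,12 +112,10 @@ ALTER VIEW checks_by_config OWNER TO api_views_owner;
 ALTER VIEW config_analysis_analyzers OWNER TO api_views_owner;
 ALTER VIEW config_analysis_by_severity OWNER TO api_views_owner;
 ALTER VIEW config_analysis_items OWNER TO api_views_owner;
-ALTER VIEW config_changes OWNER TO api_views_owner;
 ALTER VIEW config_changes_by_types OWNER TO api_views_owner;
 ALTER VIEW config_class_summary OWNER TO api_views_owner;
 ALTER VIEW config_classes OWNER TO api_views_owner;
 ALTER VIEW config_detail OWNER TO api_views_owner;
-ALTER VIEW config_items OWNER TO api_views_owner;
 ALTER VIEW config_items_aws OWNER TO api_views_owner;
 ALTER VIEW config_labels OWNER TO api_views_owner;
 ALTER VIEW config_names OWNER TO api_views_owner;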
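--- a/views/035_rls_disable.sql
+++ b/views/035_rls_disable.sql
@@ -34,8 +34,6 @@ ALTER VIEW config_analysis_items OWNER TO CURRENT_USER;
 
 ALTER VIEW config_changes_by_types OWNER TO CURRENT_USER;
 
-ALTER VIEW config_changes_items OWNER TO CURRENT_USER;
-
 ALTER VIEW config_class_summary OWNER TO CURRENT_USER;
 
 ALTER VIEW config_classes OWNER TO CURRENT_USER;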
