use matchPerm

this simplifies the casbin policy

models/permission.go

@@ -1,11 +1,11 @@
 package models
 
 import (
-	"encoding/json"
 	"fmt"
 	"strings"
 	"time"
 
+	"github.com/flanksource/commons/collections"
 	"github.com/flanksource/duty/types"
 	"github.com/google/uuid"
 	"github.com/lib/pq"
@@ -35,7 +35,7 @@ type Permission struct {
 	Agents pq.StringArray `json:"agents,omitempty" gorm:"type:[]text"`
 
 	// List of config/component tags a person is allowed access to when RLS is enabled
-	Tags types.JSONMap `json:"tags,omitempty"`
+	Tags types.JSONStringMap `json:"tags,omitempty"`
 }
 
 func (t *Permission) Principal() string {
@@ -69,20 +69,13 @@ func (t *Permission) Condition() string {
 		rule = append(rule, fmt.Sprintf("!isString(r.obj) && r.obj.playbook != undefined && r.obj.playbook.id == %q", t.PlaybookID.String()))
 	}
 
-	if len(t.Agents) > 0 {
+	if len(t.Agents) > 0 || len(t.Tags) > 0 {
 		var agents []string
 		for _, agentID := range t.Agents {
 			agents = append(agents, fmt.Sprintf("'%s'", agentID))
 		}
 
-		rule = append(rule, fmt.Sprintf("!isString(r.obj) && r.obj.config != undefined && r.obj.config.agent_id in (%s)", strings.Join(agents, ",")))
-		rule = append(rule, fmt.Sprintf("!isString(r.obj) && r.obj.component != undefined && r.obj.component.agent_id in (%s)", strings.Join(agents, ",")))
-		rule = append(rule, fmt.Sprintf("!isString(r.obj) && r.obj.canary != undefined && r.obj.canary.agent_id in (%s)", strings.Join(agents, ",")))
-	}
-
-	if len(t.Tags) > 0 {
-		b, _ := json.Marshal(t.Tags)
-		rule = append(rule, fmt.Sprintf("!isString(r.obj) && r.obj.config != undefined && mapContains(%q, r.obj.config.tags)", string(b)))
+		rule = append(rule, fmt.Sprintf(`"matchPerm(r.obj, (%s), '%s')"`, strings.Join(agents, ","), collections.SortedMap(t.Tags)))
 	}
 
 	return strings.Join(rule, " && ")

models/permission_test.go

@@ -3,7 +3,6 @@ package models
 import (
 	"testing"
 
-	"github.com/flanksource/duty/types"
 	"github.com/google/uuid"
 	"github.com/lib/pq"
 	"github.com/samber/lo"
@@ -40,16 +39,16 @@ func TestPermission_Condition(t *testing.T) {
 			perm: Permission{
 				Agents: pq.StringArray([]string{"aws", "azure"}),
 			},
-			expected: "!isString(r.obj) && r.obj.config != undefined && r.obj.config.agent_id in ('aws','azure') && !isString(r.obj) && r.obj.component != undefined && r.obj.component.agent_id in ('aws','azure') && !isString(r.obj) && r.obj.canary != undefined && r.obj.canary.agent_id in ('aws','azure')",
+			expected: `"matchPerm(r.obj, ('aws','azure'), '')"`,
 		},
 		{
 			name: "tags",
 			perm: Permission{
-				Tags: types.JSONMap{
-					"cluster": []string{"aws"},
+				Tags: map[string]string{
+					"cluster": "aws",
 				},
 			},
-			expected: `!isString(r.obj) && r.obj.config != undefined && mapContains("{\"cluster\":[\"aws\"]}", r.obj.config.tags)`,
+			expected: `"matchPerm(r.obj, (), 'cluster=aws')"`,
 		},
 	}
 

schema/permissions.hcl

@@ -99,7 +99,7 @@ table "permissions" {
   column "tags" {
     null = true
     type = jsonb
-    comment = "a list of tags a user is allowed to access when row-level security is enabled"
+    comment = "a list of tags user is allowed to access when row-level security is enabled"
   }
 
   primary_key {

views/034_rls_enable.sql

@@ -112,12 +112,11 @@ ALTER VIEW checks_by_config OWNER TO api_views_owner;
 ALTER VIEW config_analysis_analyzers OWNER TO api_views_owner;
 ALTER VIEW config_analysis_by_severity OWNER TO api_views_owner;
 ALTER VIEW config_analysis_items OWNER TO api_views_owner;
-ALTER VIEW config_changes OWNER TO api_views_owner;
 ALTER VIEW config_changes_by_types OWNER TO api_views_owner;
+ALTER VIEW config_changes_items OWNER TO api_views_owner;
 ALTER VIEW config_class_summary OWNER TO api_views_owner;
 ALTER VIEW config_classes OWNER TO api_views_owner;
 ALTER VIEW config_detail OWNER TO api_views_owner;
-ALTER VIEW config_items OWNER TO api_views_owner;
 ALTER VIEW config_items_aws OWNER TO api_views_owner;
 ALTER VIEW config_labels OWNER TO api_views_owner;
 ALTER VIEW config_names OWNER TO api_views_owner;