From 192e830fa491da3423c9bcb2403ef088ac1df3b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Toma=C5=BE=20Jerman?= Date: Wed, 2 Oct 2024 14:24:15 +0200 Subject: [PATCH] Add extra RBAC bits for resource export controll --- server/compose/chart.cue | 1 + server/compose/module.cue | 1 + server/compose/namespace.cue | 4 + server/compose/page.cue | 2 +- server/compose/rest/chart.go | 3 + server/compose/rest/module.go | 4 + server/compose/rest/namespace.go | 19 ++++ server/compose/rest/page.go | 3 + server/compose/service/access_control.gen.go | 91 +++++++++++++++++++ .../000_base/compose_access_control.yaml | 21 +++++ 10 files changed, 148 insertions(+), 1 deletion(-) diff --git a/server/compose/chart.cue b/server/compose/chart.cue index 6b5a7f0ea..0342256ab 100644 --- a/server/compose/chart.cue +++ b/server/compose/chart.cue @@ -99,6 +99,7 @@ chart: { "read": {} "update": {} "delete": {} + "export": description: "Access to export charts" } } diff --git a/server/compose/module.cue b/server/compose/module.cue index d8fbbae86..ee89c78a0 100644 --- a/server/compose/module.cue +++ b/server/compose/module.cue @@ -118,6 +118,7 @@ module: { "read": {} "update": {} "delete": {} + "export": description: "Access to export modules" "record.create": description: "Create record" "owned-record.create": description: "Create record with custom owner" "records.search": description: "List, search or filter records" diff --git a/server/compose/namespace.cue b/server/compose/namespace.cue index 02def2d11..351e4e258 100644 --- a/server/compose/namespace.cue +++ b/server/compose/namespace.cue 
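Review bot: The description `"Access to export charts"` on the new `"export"` operation is copied verbatim into the generated doc comment, which later in this patch reads `CanExportChart checks if current user can access to export charts`; the neighbouring operations use an imperative phrase (`"Create record"`, `"List, search or filter records"`) that reads correctly in that position. Suggest `"export": description: "Export charts"` here, and the same shape for the new operations in module.cue, namespace.cue and page.cue in this patch (`"Export modules"`, `"Export the entire namespace"`, `"Export pages"`), then regenerating access_control.gen.go.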
@@ -77,13 +77,17 @@ namespace: { "read": {} "update": {} "delete": {} + "export": description: "Access to export the entire namespace" "manage": description: "Access to namespace admin panel" "module.create": description: "Create module on namespace" "modules.search": description: "List, search or filter module on namespace" + "modules.export": description: "Export modules on namespace" "chart.create": description: "Create chart on namespace" "charts.search": description: "List, search or filter chart on namespace" + "charts.export": description: "Export charts on namespace" "page.create": description: "Create page on namespace" "pages.search": description: "List, search or filter pages on namespace" + "pages.export": description: "Export pages on namespace" } } diff --git a/server/compose/page.cue b/server/compose/page.cue index 735131d30..de9fd5e61 100644 --- a/server/compose/page.cue +++ b/server/compose/page.cue @@ -166,7 +166,7 @@ page: { "read": {} "update": {} "delete": {} - + "export": description: "Access to export pages" "page-layout.create": description: "Create page layout on namespace" "page-layouts.search": description: "List, search or filter page layouts on namespace" } diff --git a/server/compose/rest/chart.go b/server/compose/rest/chart.go index ac2b5566d..baf999af9 100644 --- a/server/compose/rest/chart.go +++ b/server/compose/rest/chart.go @@ -16,6 +16,7 @@ type ( CanGrant bool `json:"canGrant"` CanUpdateChart bool `json:"canUpdateChart"` + CanExportChart bool `json:"canExportChart"` CanDeleteChart bool `json:"canDeleteChart"` } @@ -42,6 +43,7 @@ type ( CanGrant(context.Context) bool CanUpdateChart(context.Context, *types.Chart) bool + CanExportChart(context.Context, *types.Chart) bool CanDeleteChart(context.Context, *types.Chart) bool } ) 
@@ -154,6 +156,7 @@ func (ctrl Chart) makePayload(ctx context.Context, c *types.Chart, err error) (* CanGrant: ctrl.ac.CanGrant(ctx), CanUpdateChart: ctrl.ac.CanUpdateChart(ctx, c), + CanExportChart: ctrl.ac.CanExportChart(ctx, c), CanDeleteChart: ctrl.ac.CanDeleteChart(ctx, c), }, nil } diff --git a/server/compose/rest/module.go b/server/compose/rest/module.go index f6a70ebb7..39624fab1 100644 --- a/server/compose/rest/module.go +++ b/server/compose/rest/module.go @@ -24,6 +24,7 @@ type ( Fields []*moduleFieldPayload `json:"fields"` CanGrant bool `json:"canGrant"` + CanExport bool `json:"canExport"` CanUpdateModule bool `json:"canUpdateModule"` CanDeleteModule bool `json:"canDeleteModule"` CanCreateRecord bool `json:"canCreateRecord"` @@ -47,6 +48,7 @@ type ( moduleAccessController interface { CanGrant(context.Context) bool + CanExportModule(context.Context, *types.Module) bool CanUpdateModule(context.Context, *types.Module) bool CanDeleteModule(context.Context, *types.Module) bool CanCreateRecordOnModule(context.Context, *types.Module) bool @@ -189,6 +191,8 @@ func (ctrl Module) makePayload(ctx context.Context, m *types.Module, err error) CanGrant: ctrl.ac.CanGrant(ctx), + CanExport: ctrl.ac.CanExportModule(ctx, m), + CanUpdateModule: ctrl.ac.CanUpdateModule(ctx, m), CanDeleteModule: ctrl.ac.CanDeleteModule(ctx, m), diff --git a/server/compose/rest/namespace.go b/server/compose/rest/namespace.go index 08ce6f909..47023b3dd 100644 --- a/server/compose/rest/namespace.go +++ b/server/compose/rest/namespace.go 
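Review bot: The new payload field in the `@@ -24` hunk of module.go is named `CanExport` with json key `canExport`, while the sibling payloads in this patch use `CanExportChart`/`canExportChart`, `CanExportPage`/`canExportPage` and `CanExportNamespace`/`canExportNamespace`, and the controller method it mirrors is `CanExportModule`. The json key is a client-facing contract, so aligning it now is cheaper than after release: `CanExportModule bool \`json:"canExportModule"\`` in the struct and `CanExportModule: ctrl.ac.CanExportModule(ctx, m),` in makePayload. The two blank lines added around that assignment in the `@@ -189` hunk also split the otherwise contiguous field list and can be dropped. makePayload's body continues outside the hunk.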
@@ -31,12 +31,16 @@ type ( *types.Namespace CanGrant bool `json:"canGrant"` + CanExportNamespace bool `json:"canExportNamespace"` CanUpdateNamespace bool `json:"canUpdateNamespace"` CanDeleteNamespace bool `json:"canDeleteNamespace"` CanManageNamespace bool `json:"canManageNamespace"` CanCreateModule bool `json:"canCreateModule"` + CanExportModule bool `json:"canExportModule"` CanCreateChart bool `json:"canCreateChart"` + CanExportChart bool `json:"canExportChart"` CanCreatePage bool `json:"canCreatePage"` + CanExportPage bool `json:"canExportPage"` } namespaceSetPayload struct { @@ -71,13 +75,17 @@ type ( namespaceAccessController interface { CanGrant(context.Context) bool + CanExportNamespace(context.Context, *types.Namespace) bool CanUpdateNamespace(context.Context, *types.Namespace) bool CanDeleteNamespace(context.Context, *types.Namespace) bool CanManageNamespace(context.Context, *types.Namespace) bool CanCreateModuleOnNamespace(context.Context, *types.Namespace) bool + CanExportModulesOnNamespace(context.Context, *types.Namespace) bool CanCreateChartOnNamespace(context.Context, *types.Namespace) bool + CanExportChartsOnNamespace(context.Context, *types.Namespace) bool CanCreatePageOnNamespace(context.Context, *types.Namespace) bool + CanExportPagesOnNamespace(context.Context, *types.Namespace) bool } ) 
@@ -351,13 +359,17 @@ func (ctrl Namespace) makePayload(ctx context.Context, ns *types.Namespace, err Namespace: ns, CanGrant: ctrl.ac.CanGrant(ctx), + CanExportNamespace: ctrl.ac.CanExportNamespace(ctx, ns), CanUpdateNamespace: ctrl.ac.CanUpdateNamespace(ctx, ns), CanDeleteNamespace: ctrl.ac.CanDeleteNamespace(ctx, ns), CanManageNamespace: ctrl.ac.CanManageNamespace(ctx, ns), CanCreateModule: ctrl.ac.CanCreateModuleOnNamespace(ctx, ns), + CanExportModule: ctrl.ac.CanExportModulesOnNamespace(ctx, ns), CanCreateChart: ctrl.ac.CanCreateChartOnNamespace(ctx, ns), + CanExportChart: ctrl.ac.CanExportChartsOnNamespace(ctx, ns), CanCreatePage: ctrl.ac.CanCreatePageOnNamespace(ctx, ns), + CanExportPage: ctrl.ac.CanExportPagesOnNamespace(ctx, ns), }, nil } @@ -421,6 +433,13 @@ func (ctrl Namespace) exportCompose(ctx context.Context, namespaceID uint64) (re if err != nil { return } + + // @todo this isn't ok, will do for now + if !ctrl.ac.CanExportNamespace(ctx, n) { + err = fmt.Errorf("not allowed to export namespace %s", n.Name) + return + } + nsNode, err := composeEnvoy.NamespaceToEnvoyNode(n) if err != nil { return diff --git a/server/compose/rest/page.go b/server/compose/rest/page.go index 462556960..dedcac471 100644 --- a/server/compose/rest/page.go +++ b/server/compose/rest/page.go @@ -20,6 +20,7 @@ type ( Children []*pagePayload `json:"children,omitempty"` CanGrant bool `json:"canGrant"` + CanExportPage bool `json:"canExportPage"` CanUpdatePage bool `json:"canUpdatePage"` CanDeletePage bool `json:"canDeletePage"` } @@ -60,6 +61,7 @@ type ( CanGrant(context.Context) bool CanUpdatePage(context.Context, *types.Page) bool + CanExportPage(context.Context, *types.Page) bool CanDeletePage(context.Context, *types.Page) bool } ) 
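Review bot: The authorization check added to exportCompose enforces only the namespace-level `export` operation; the finer-grained operations this patch registers and provisions (`modules.export`, `charts.export`, `pages.export` on the namespace, and `export` on module, chart and page) are surfaced in the payloads but nothing in this diff consults them while the export nodes are collected, so a namespace-level allow exports every child regardless of per-resource denies unless that is enforced somewhere outside this hunk. The `// @todo this isn't ok, will do for now` comment should say what is being deferred, e.g. `// @todo only the namespace-level "export" op is enforced here; the per-resource export ops (modules.export, charts.export, pages.export and export on module/chart/page) are registered but not yet checked while collecting nodes`. Building the failure with `fmt.Errorf` also hides that this is an access-denied condition, so callers cannot map it to a 403 with `errors.Is`/`errors.As` the way the project's other authorization failures presumably are; returning the same error type the other `Can*` denials use would keep the HTTP response consistent. exportCompose starts and ends outside the hunk.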
@@ -273,6 +275,7 @@ func (ctrl Page) makePayload(ctx context.Context, c *types.Page, err error) (*pa CanGrant: ctrl.ac.CanGrant(ctx), CanUpdatePage: ctrl.ac.CanUpdatePage(ctx, c), + CanExportPage: ctrl.ac.CanExportPage(ctx, c), CanDeletePage: ctrl.ac.CanDeletePage(ctx, c), }, nil } diff --git a/server/compose/service/access_control.gen.go b/server/compose/service/access_control.gen.go index 8513edaf1..a905a11eb 100644 --- a/server/compose/service/access_control.gen.go +++ b/server/compose/service/access_control.gen.go @@ -167,6 +167,11 @@ func (svc accessControl) List() (out []map[string]string) { "any": types.ChartRbacResource(0, 0), "op": "delete", }, + { + "type": types.ChartResourceType, + "any": types.ChartRbacResource(0, 0), + "op": "export", + }, { "type": types.ModuleResourceType, "any": types.ModuleRbacResource(0, 0), @@ -182,6 +187,11 @@ func (svc accessControl) List() (out []map[string]string) { "any": types.ModuleRbacResource(0, 0), "op": "delete", }, + { + "type": types.ModuleResourceType, + "any": types.ModuleRbacResource(0, 0), + "op": "export", + }, { "type": types.ModuleResourceType, "any": types.ModuleRbacResource(0, 0), @@ -222,6 +232,11 @@ func (svc accessControl) List() (out []map[string]string) { "any": types.NamespaceRbacResource(0), "op": "delete", }, + { + "type": types.NamespaceResourceType, + "any": types.NamespaceRbacResource(0), + "op": "export", + }, { "type": types.NamespaceResourceType, "any": types.NamespaceRbacResource(0), @@ -237,6 +252,11 @@ func (svc accessControl) List() (out []map[string]string) { "any": types.NamespaceRbacResource(0), "op": "modules.search", }, + { + "type": types.NamespaceResourceType, + "any": types.NamespaceRbacResource(0), + "op": "modules.export", + }, { "type": types.NamespaceResourceType, "any": types.NamespaceRbacResource(0), 
@@ -247,6 +267,11 @@ func (svc accessControl) List() (out []map[string]string) { "any": types.NamespaceRbacResource(0), "op": "charts.search", }, + { + "type": types.NamespaceResourceType, + "any": types.NamespaceRbacResource(0), + "op": "charts.export", + }, { "type": types.NamespaceResourceType, "any": types.NamespaceRbacResource(0), @@ -257,6 +282,11 @@ func (svc accessControl) List() (out []map[string]string) { "any": types.NamespaceRbacResource(0), "op": "pages.search", }, + { + "type": types.NamespaceResourceType, + "any": types.NamespaceRbacResource(0), + "op": "pages.export", + }, { "type": types.PageResourceType, "any": types.PageRbacResource(0, 0), @@ -272,6 +302,11 @@ func (svc accessControl) List() (out []map[string]string) { "any": types.PageRbacResource(0, 0), "op": "delete", }, + { + "type": types.PageResourceType, + "any": types.PageRbacResource(0, 0), + "op": "export", + }, { "type": types.PageResourceType, "any": types.PageRbacResource(0, 0), @@ -470,6 +505,13 @@ func (svc accessControl) CanDeleteChart(ctx context.Context, r *types.Chart) boo return svc.can(ctx, "delete", r) } +// CanExportChart checks if current user can access to export charts +// +// This function is auto-generated +func (svc accessControl) CanExportChart(ctx context.Context, r *types.Chart) bool { + return svc.can(ctx, "export", r) +} + // CanReadModule checks if current user can read // // This function is auto-generated @@ -491,6 +533,13 @@ func (svc accessControl) CanDeleteModule(ctx context.Context, r *types.Module) b return svc.can(ctx, "delete", r) } +// CanExportModule checks if current user can access to export modules +// +// This function is auto-generated +func (svc accessControl) CanExportModule(ctx context.Context, r *types.Module) bool { + return svc.can(ctx, "export", r) +} + // CanCreateRecordOnModule checks if current user can create record // // This function is auto-generated 
@@ -547,6 +596,13 @@ func (svc accessControl) CanDeleteNamespace(ctx context.Context, r *types.Namesp return svc.can(ctx, "delete", r) } +// CanExportNamespace checks if current user can access to export the entire namespace +// +// This function is auto-generated +func (svc accessControl) CanExportNamespace(ctx context.Context, r *types.Namespace) bool { + return svc.can(ctx, "export", r) +} + // CanManageNamespace checks if current user can access to namespace admin panel // // This function is auto-generated @@ -568,6 +624,13 @@ func (svc accessControl) CanSearchModulesOnNamespace(ctx context.Context, r *typ return svc.can(ctx, "modules.search", r) } +// CanExportModulesOnNamespace checks if current user can export modules on namespace +// +// This function is auto-generated +func (svc accessControl) CanExportModulesOnNamespace(ctx context.Context, r *types.Namespace) bool { + return svc.can(ctx, "modules.export", r) +} + // CanCreateChartOnNamespace checks if current user can create chart on namespace // // This function is auto-generated @@ -582,6 +645,13 @@ func (svc accessControl) CanSearchChartsOnNamespace(ctx context.Context, r *type return svc.can(ctx, "charts.search", r) } +// CanExportChartsOnNamespace checks if current user can export charts on namespace +// +// This function is auto-generated +func (svc accessControl) CanExportChartsOnNamespace(ctx context.Context, r *types.Namespace) bool { + return svc.can(ctx, "charts.export", r) +} + // CanCreatePageOnNamespace checks if current user can create page on namespace // // This function is auto-generated 
@@ -596,6 +666,13 @@ func (svc accessControl) CanSearchPagesOnNamespace(ctx context.Context, r *types return svc.can(ctx, "pages.search", r) } +// CanExportPagesOnNamespace checks if current user can export pages on namespace +// +// This function is auto-generated +func (svc accessControl) CanExportPagesOnNamespace(ctx context.Context, r *types.Namespace) bool { + return svc.can(ctx, "pages.export", r) +} + // CanReadPage checks if current user can read // // This function is auto-generated @@ -617,6 +694,13 @@ func (svc accessControl) CanDeletePage(ctx context.Context, r *types.Page) bool return svc.can(ctx, "delete", r) } +// CanExportPage checks if current user can access to export pages +// +// This function is auto-generated +func (svc accessControl) CanExportPage(ctx context.Context, r *types.Page) bool { + return svc.can(ctx, "export", r) +} + // CanCreatePageLayoutOnPage checks if current user can create page layout on namespace // // This function is auto-generated @@ -848,12 +932,14 @@ func rbacResourceOperations(r string) map[string]bool { "read": true, "update": true, "delete": true, + "export": true, } case types.ModuleResourceType: return map[string]bool{ "read": true, "update": true, "delete": true, + "export": true, "record.create": true, "owned-record.create": true, "records.search": true, @@ -868,19 +954,24 @@ func rbacResourceOperations(r string) map[string]bool { "read": true, "update": true, "delete": true, + "export": true, "manage": true, "module.create": true, "modules.search": true, + "modules.export": true, "chart.create": true, "charts.search": true, + "charts.export": true, "page.create": true, "pages.search": true, + "pages.export": true, } case types.PageResourceType: return map[string]bool{ "read": true, "update": true, "delete": true, + "export": true, "page-layout.create": true, "page-layouts.search": true, } 
diff --git a/server/provision/000_base/compose_access_control.yaml b/server/provision/000_base/compose_access_control.yaml index 928f40414..56ce4e29e 100644 --- a/server/provision/000_base/compose_access_control.yaml +++ b/server/provision/000_base/compose_access_control.yaml @@ -5,12 +5,17 @@ allow: corteza::compose:namespace/*: - read + - export + - modules.export + - charts.export + - pages.export - pages.search - modules.search - charts.search corteza::compose:module/*/*: - read + - export - records.search corteza::compose:module-field/*/*/*: @@ -18,12 +23,14 @@ allow: corteza::compose:page/*/*: - read + - export corteza::compose:page-layout/*/*/*: - read corteza::compose:chart/*/*: - read + - export corteza::compose:record/*/*/*: - read @@ -41,6 +48,10 @@ allow: - update - delete - manage + - export + - modules.export + - charts.export + - pages.export - page.create - pages.search - module.create @@ -52,6 +63,7 @@ allow: - read - update - delete + - export - record.create - records.search @@ -69,11 +81,13 @@ allow: - read - update - delete + - export corteza::compose:page/*/*: - read - update - delete + - export corteza::compose:page-layout/*/*/*: - read @@ -93,6 +107,10 @@ allow: - update - delete - manage + - export + - modules.export + - charts.export + - pages.export - page.create - pages.search - module.create @@ -104,6 +122,7 @@ allow: - read - update - delete + - export - record.create - records.search @@ -120,8 +139,10 @@ allow: - read - update - delete + - export corteza::compose:page/*/*: - read - update - delete + - export
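Review bot: The first `allow:` block (`@@ -5,12 +5,17 @@`) previously granted only `read` and the `*.search` operations, and now also receives `export`, `modules.export`, `charts.export` and `pages.export` on `corteza::compose:namespace/*` plus `export` on every module, page and chart; the role this block applies to is outside the hunk, but the later blocks at `@@ -41` and `@@ -93`, which already carry `update`/`delete`/`manage`, look like the intended home for export. Per exportCompose in this patch, namespace `export` serialises the whole namespace (modules, pages, charts and their configuration), which is a broader disclosure than `read` of individual resources, so a read-only role acquiring it widens what that role can pull out of the system in one call. Please confirm that the least-privileged role should hold these, and if not, drop the four `export` entries from the first block and the three per-resource `export` entries that follow it.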