Added partial provisioning of rbac rules for auth clients

pkg/provision/config.go

@@ -3,12 +3,11 @@ package provision
 import (
 	"context"
 	"fmt"
-	"github.com/cortezaproject/corteza-server/pkg/filter"
-	"github.com/cortezaproject/corteza-server/pkg/rbac"
-	"github.com/cortezaproject/corteza-server/system/types"
 	"path/filepath"
 	"strings"
 
+	"github.com/cortezaproject/corteza-server/pkg/rbac"
+
 	"github.com/cortezaproject/corteza-server/pkg/envoy"
 	"github.com/cortezaproject/corteza-server/pkg/envoy/directory"
 	"github.com/cortezaproject/corteza-server/pkg/envoy/resource"
@@ -81,36 +80,49 @@ func canImportConfig(ctx context.Context, s store.Storer) (bool, error) {
 }
 
 func collectUnimportedConfigs(ctx context.Context, log *zap.Logger, s store.Storer, sources []string, dec directory.Decoder) (nn []resource.Interface, err error) {
-	// @todo when these parts starts multiplying, refactor
 	var (
-		aux          []resource.Interface
-		hasSourceDir = func(dir string) (string, bool) {
-			for _, source := range sources {
-				if strings.HasSuffix(source, dir) {
-					return source, true
-				}
-			}
-			return "", false
+		searchPartialDirectories = []uConfig{
+			{dir: "002_templates", fn: provisionPartialTemplates},
+			{dir: "003_auth", fn: provisionPartialAuthClients},
 		}
 	)
 
 	return nn, store.Tx(ctx, s, func(ctx context.Context, s store.Storer) (err error) {
-		log.Debug("verifying partial config import for templates")
-		set, _, err := store.SearchTemplates(ctx, s, types.TemplateFilter{Deleted: filter.StateInclusive})
-		// Import only of no templates exist
-		if err != nil || len(set) > 0 {
-			// return err
-		}
+		for _, d := range searchPartialDirectories {
+			// first, check if we need to import at all
+			if !d.fn(ctx, s, log) {
+				log.Debug("skipping partial config import, changes detected", zap.String("dir", d.dir))
+				continue
+			}
 
-		if source, has := hasSourceDir("002_templates"); !has {
-			log.Debug("failed to execute partial config import for templates, 002_templates dir not found")
-			return
-		} else if aux, err = directory.Decode(ctx, source, dec); err != nil {
-			return fmt.Errorf("failed to decode template configs: %w", err)
-		} else {
-			nn = append(nn, aux...)
+			if list, e := decodeDirectory(ctx, sources, d.dir, dec); e != nil {
+				return fmt.Errorf("failed to decode template configs: %w", err)
+			} else if len(list) == 0 {
+				log.Error("failed to execute partial config import for templates, directory not found or no configs", zap.Any("dir", d))
+				return
+			} else {
+				log.Debug("partial import", zap.String("dir", d.dir))
+				nn = append(nn, list...)
+			}
 		}
 
 		return
 	})
 }
+
+func hasSourceDir(sources []string, dir string) (string, bool) {
+	for _, source := range sources {
+		if strings.HasSuffix(source, dir) {
+			return source, true
+		}
+	}
+	return "", false
+}
+
+func decodeDirectory(ctx context.Context, sources []string, dir string, dec directory.Decoder) (res []resource.Interface, err error) {
+	if source, has := hasSourceDir(sources, dir); has {
+		res, err = directory.Decode(ctx, source, dec)
+	}
+
+	return
+}

pkg/provision/migrations_202103_templates.go

@@ -3,12 +3,13 @@ package provision
 import (
 	"context"
 	"fmt"
+	"time"
+
 	"github.com/cortezaproject/corteza-server/pkg/errors"
 	"github.com/cortezaproject/corteza-server/pkg/id"
 	"github.com/cortezaproject/corteza-server/store"
 	"github.com/cortezaproject/corteza-server/system/types"
 	"go.uber.org/zap"
-	"time"
 )
 
 // Pre 2021.3 versions had email templates stored in settings

pkg/provision/partial.go

@@ -0,0 +1,49 @@
+package provision
+
+import (
+	"context"
+
+	"github.com/cortezaproject/corteza-server/pkg/filter"
+	"github.com/cortezaproject/corteza-server/pkg/rbac"
+	"github.com/cortezaproject/corteza-server/store"
+	"github.com/cortezaproject/corteza-server/system/types"
+	"go.uber.org/zap"
+)
+
+type (
+	uConfigFn func(context.Context, store.Storer, *zap.Logger) bool
+	uConfig   struct {
+		dir string
+		fn  uConfigFn
+	}
+)
+
+// provisionPartialAuthClients checks for a specific set of auth client rbac rules
+func provisionPartialAuthClients(ctx context.Context, s store.Storer, log *zap.Logger) bool {
+	set, _, err := store.SearchRbacRules(ctx, s, rbac.RuleFilter{})
+
+	if err != nil {
+		log.Warn("could not make a partial import of templates", zap.Error(err))
+		return false
+	}
+
+	set, _ = set.Filter(func(r *rbac.Rule) (bool, error) {
+		// check only auth client rbac rules
+		if r.Resource.String() != "system:auth-client:*" {
+			return false, nil
+		}
+		return true, nil
+	})
+
+	return len(set) == 0
+}
+
+// provisionPartialTemplates checks if any templates are in the store at all
+func provisionPartialTemplates(ctx context.Context, s store.Storer, log *zap.Logger) bool {
+	set, _, err := store.SearchTemplates(ctx, s, types.TemplateFilter{Deleted: filter.StateInclusive})
+	if err != nil {
+		log.Warn("could not make a partial import of templates", zap.Error(err))
+	}
+
+	return err != nil || len(set) == 0
+}

provision/000_base/system_access_control.yaml

@@ -11,8 +11,8 @@ allow:
     system:role:
       - read
 
-    system:auth-client:
-      - authorize
+    system:template:
+      - render
 
   admins:
     system:
@@ -23,6 +23,7 @@ allow:
       - application.create
       - authClient.create
       - user.create
+      - template.create
       - role.create
       - reminder.assign
 
@@ -46,7 +47,8 @@ allow:
       - delete
       - members.manage
 
-    system:auth-client:
+    system:template:
       - read
       - update
       - delete
+      - render

provision/003_auth/auth_client_access_control.yaml

@@ -0,0 +1,10 @@
+allow:
+  everyone:
+    system:auth-client:
+      - authorize
+
+  admins:
+    system:auth-client:
+      - read
+      - update
+      - delete