Added partial provisioning of rbac rules for auth clients

2021-03-16 12:51:32 +01:00 · 2021-03-16 12:51:32 +01:00 · 5a159838ba
commit 5a159838ba
parent 0589c8e6fa
5 changed files with 103 additions and 29 deletions
--- a/pkg/provision/config.go
+++ b/pkg/provision/config.go
@ -3,12 +3,11 @@ package provision
 import (
 	"context"
 	"fmt"
 	"github.com/cortezaproject/corteza-server/pkg/filter"
 	"github.com/cortezaproject/corteza-server/pkg/rbac"
 	"github.com/cortezaproject/corteza-server/system/types"
 	"path/filepath"
 	"strings"
 	"github.com/cortezaproject/corteza-server/pkg/rbac"
 	"github.com/cortezaproject/corteza-server/pkg/envoy"
 	"github.com/cortezaproject/corteza-server/pkg/envoy/directory"
 	"github.com/cortezaproject/corteza-server/pkg/envoy/resource"
@ -81,36 +80,49 @@ func canImportConfig(ctx context.Context, s store.Storer) (bool, error) {
 }
 func collectUnimportedConfigs(ctx context.Context, log *zap.Logger, s store.Storer, sources []string, dec directory.Decoder) (nn []resource.Interface, err error) {
 	// @todo when these parts starts multiplying, refactor
 	var (
-		aux          []resource.Interface
+		searchPartialDirectories = []uConfig{
-		hasSourceDir = func(dir string) (string, bool) {
+			{dir: "002_templates", fn: provisionPartialTemplates},
-			for _, source := range sources {
+			{dir: "003_auth", fn: provisionPartialAuthClients},
 				if strings.HasSuffix(source, dir) {
 					return source, true
 				}
 			}
 			return "", false
 		}
 	)
 	return nn, store.Tx(ctx, s, func(ctx context.Context, s store.Storer) (err error) {
-		log.Debug("verifying partial config import for templates")
+		for _, d := range searchPartialDirectories {
-		set, _, err := store.SearchTemplates(ctx, s, types.TemplateFilter{Deleted: filter.StateInclusive})
+			// first, check if we need to import at all
-		// Import only of no templates exist
+			if !d.fn(ctx, s, log) {
-		if err != nil || len(set) > 0 {
+				log.Debug("skipping partial config import, changes detected", zap.String("dir", d.dir))
-			// return err
+				continue
-		}
+			}
-		if source, has := hasSourceDir("002_templates"); !has {
+			if list, e := decodeDirectory(ctx, sources, d.dir, dec); e != nil {
-			log.Debug("failed to execute partial config import for templates, 002_templates dir not found")
+				return fmt.Errorf("failed to decode template configs: %w", err)
-			return
+			} else if len(list) == 0 {
-		} else if aux, err = directory.Decode(ctx, source, dec); err != nil {
+				log.Error("failed to execute partial config import for templates, directory not found or no configs", zap.Any("dir", d))
-			return fmt.Errorf("failed to decode template configs: %w", err)
+				return
-		} else {
+			} else {
-			nn = append(nn, aux...)
+				log.Debug("partial import", zap.String("dir", d.dir))
 				nn = append(nn, list...)
 			}
 		}
 		return
 	})
 }
 func hasSourceDir(sources []string, dir string) (string, bool) {
 	for _, source := range sources {
 		if strings.HasSuffix(source, dir) {
 			return source, true
 		}
 	}
 	return "", false
 }
 func decodeDirectory(ctx context.Context, sources []string, dir string, dec directory.Decoder) (res []resource.Interface, err error) {
 	if source, has := hasSourceDir(sources, dir); has {
 		res, err = directory.Decode(ctx, source, dec)
 	}
 	return
 }
--- a/pkg/provision/migrations_202103_templates.go
+++ b/pkg/provision/migrations_202103_templates.go
@ -3,12 +3,13 @@ package provision
 import (
 	"context"
 	"fmt"
 	"time"
 	"github.com/cortezaproject/corteza-server/pkg/errors"
 	"github.com/cortezaproject/corteza-server/pkg/id"
 	"github.com/cortezaproject/corteza-server/store"
 	"github.com/cortezaproject/corteza-server/system/types"
 	"go.uber.org/zap"
 	"time"
 )
 // Pre 2021.3 versions had email templates stored in settings
--- a/pkg/provision/partial.go
+++ b/pkg/provision/partial.go
@ -0,0 +1,49 @@
 package provision
 import (
 	"context"
 	"github.com/cortezaproject/corteza-server/pkg/filter"
 	"github.com/cortezaproject/corteza-server/pkg/rbac"
 	"github.com/cortezaproject/corteza-server/store"
 	"github.com/cortezaproject/corteza-server/system/types"
 	"go.uber.org/zap"
 )
 type (
 	uConfigFn func(context.Context, store.Storer, *zap.Logger) bool
 	uConfig   struct {
 		dir string
 		fn  uConfigFn
 	}
 )
 // provisionPartialAuthClients checks for a specific set of auth client rbac rules
 func provisionPartialAuthClients(ctx context.Context, s store.Storer, log *zap.Logger) bool {
 	set, _, err := store.SearchRbacRules(ctx, s, rbac.RuleFilter{})
 	if err != nil {
 		log.Warn("could not make a partial import of templates", zap.Error(err))
 		return false
 	}
 	set, _ = set.Filter(func(r *rbac.Rule) (bool, error) {
 		// check only auth client rbac rules
 		if r.Resource.String() != "system:auth-client:*" {
 			return false, nil
 		}
 		return true, nil
 	})
 	return len(set) == 0
 }
 // provisionPartialTemplates checks if any templates are in the store at all
 func provisionPartialTemplates(ctx context.Context, s store.Storer, log *zap.Logger) bool {
 	set, _, err := store.SearchTemplates(ctx, s, types.TemplateFilter{Deleted: filter.StateInclusive})
 	if err != nil {
 		log.Warn("could not make a partial import of templates", zap.Error(err))
 	}
 	return err != nil || len(set) == 0
 }
--- a/provision/000_base/system_access_control.yaml
+++ b/provision/000_base/system_access_control.yaml
@ -11,8 +11,8 @@ allow:
    system:role:
      - read
-    system:auth-client:
+    system:template:
-      - authorize
+      - render
  admins:
    system:
@ -23,6 +23,7 @@ allow:
      - application.create
      - authClient.create
      - user.create
      - template.create
      - role.create
      - reminder.assign
@ -46,7 +47,8 @@ allow:
      - delete
      - members.manage
-    system:auth-client:
+    system:template:
      - read
      - update
      - delete
      - render
--- a/provision/003_auth/auth_client_access_control.yaml
+++ b/provision/003_auth/auth_client_access_control.yaml
@ -0,0 +1,10 @@
 allow:
  everyone:
    system:auth-client:
      - authorize
  admins:
    system:auth-client:
      - read
      - update
      - delete