RBAC defs & generated code

Renamed route definition
2021-07-09 11:51:38 +02:00
parent 4e43020bf0
commit 834610b242
8 changed files with 207 additions and 48 deletions
--- a/system/service/access_control.gen.go
+++ b/system/service/access_control.gen.go
@@ -10,6 +10,7 @@ package service
 // - system.application.yaml
 // - system.auth-client.yaml
 // - system.role.yaml
+// - system.route.yaml
 // - system.template.yaml
 // - system.user.yaml
 // - system.yaml
@@ -17,11 +18,12 @@ package service
 import (
 	"context"
 	"fmt"
+	"strings"
+
 	"github.com/cortezaproject/corteza-server/pkg/actionlog"
 	"github.com/cortezaproject/corteza-server/pkg/rbac"
 	"github.com/cortezaproject/corteza-server/system/types"
 	"github.com/spf13/cast"
-	"strings"
 )

 type (
@@ -116,6 +118,21 @@ func (svc accessControl) List() (out []map[string]string) {
 			"any":  types.RoleRbacResource(0),
 			"op":   "members.manage",
 		},
+		{
+			"type": types.RouteResourceType,
+			"any":  types.RouteRbacResource(0),
+			"op":   "read",
+		},
+		{
+			"type": types.RouteResourceType,
+			"any":  types.RouteRbacResource(0),
+			"op":   "update",
+		},
+		{
+			"type": types.RouteResourceType,
+			"any":  types.RouteRbacResource(0),
+			"op":   "delete",
+		},
 		{
 			"type": types.TemplateResourceType,
 			"any":  types.TemplateRbacResource(0),
@@ -271,6 +288,11 @@ func (svc accessControl) List() (out []map[string]string) {
 			"any":  types.ComponentRbacResource(),
 			"op":   "queues.search",
 		},
+		{
+			"type": types.ComponentResourceType,
+			"any":  types.ComponentRbacResource(),
+			"op":   "api-gw-route.create",
+		},
 	}

 	func(svc interface{}) {
@@ -410,6 +432,27 @@ func (svc accessControl) CanManageMembersOnRole(ctx context.Context, r *types.Ro
 	return svc.can(ctx, "members.manage", r)
 }

+// CanReadRoute checks if current user can read api gateway route
+//
+// This function is auto-generated
+func (svc accessControl) CanReadRoute(ctx context.Context, r *types.Route) bool {
+	return svc.can(ctx, "read", r)
+}
+
+// CanUpdateRoute checks if current user can update api gateway route
+//
+// This function is auto-generated
+func (svc accessControl) CanUpdateRoute(ctx context.Context, r *types.Route) bool {
+	return svc.can(ctx, "update", r)
+}
+
+// CanDeleteRoute checks if current user can delete api gateway route
+//
+// This function is auto-generated
+func (svc accessControl) CanDeleteRoute(ctx context.Context, r *types.Route) bool {
+	return svc.can(ctx, "delete", r)
+}
+
 // CanReadTemplate checks if current user can read template
 //
 // This function is auto-generated
@@ -613,20 +656,27 @@ func (svc accessControl) CanAssignReminder(ctx context.Context) bool {
 	return svc.can(ctx, "reminder.assign", &types.Component{})
 }

-// CanCreateQueue checks if current user can create message queue
+// CanCreateQueue checks if current user can create messagebus queues
 //
 // This function is auto-generated
 func (svc accessControl) CanCreateQueue(ctx context.Context) bool {
 	return svc.can(ctx, "queue.create", &types.Component{})
 }

-// CanSearchQueues checks if current user can list, search or filter message queues
+// CanSearchQueues checks if current user can list, search or filter messagebus queues
 //
 // This function is auto-generated
 func (svc accessControl) CanSearchQueues(ctx context.Context) bool {
 	return svc.can(ctx, "queues.search", &types.Component{})
 }

+// CanCreateApiGwRoute checks if current user can create api gateway route
+//
+// This function is auto-generated
+func (svc accessControl) CanCreateApiGwRoute(ctx context.Context) bool {
+	return svc.can(ctx, "api-gw-route.create", &types.Component{})
+}
+
 // rbacResourceValidator validates known component's resource by routing it to the appropriate validator
 //
 // This function is auto-generated
@@ -638,6 +688,8 @@ func rbacResourceValidator(r string, oo ...string) error {
 		return rbacAuthClientResourceValidator(r, oo...)
 	case types.RoleResourceType:
 		return rbacRoleResourceValidator(r, oo...)
+	case types.RouteResourceType:
+		return rbacRouteResourceValidator(r, oo...)
 	case types.TemplateResourceType:
 		return rbacTemplateResourceValidator(r, oo...)
 	case types.UserResourceType:
@@ -674,6 +726,12 @@ func rbacResourceOperations(r string) map[string]bool {
 			"delete":         true,
 			"members.manage": true,
 		}
+	case types.RouteResourceType:
+		return map[string]bool{
+			"read":   true,
+			"update": true,
+			"delete": true,
+		}
 	case types.TemplateResourceType:
 		return map[string]bool{
 			"read":   true,
@@ -713,6 +771,7 @@ func rbacResourceOperations(r string) map[string]bool {
 			"reminder.assign":         true,
 			"queue.create":            true,
 			"queues.search":           true,
+			"api-gw-route.create":     true,
 		}
 	}

@@ -739,6 +798,8 @@ func rbacApplicationResourceValidator(r string, oo ...string) error {

 	const sep = "/"
 	var (
+		specIdUsed = true
+
 		pp  = strings.Split(strings.Trim(r[len(types.ApplicationResourceType):], sep), sep)
 		prc = []string{
 			"ID",
@@ -749,17 +810,22 @@ func rbacApplicationResourceValidator(r string, oo ...string) error {
 		return fmt.Errorf("invalid resource path structure")
 	}

-	for i := 0; i < len(pp); i++ {
-		if pp[i] != "*" {
-			if i > 0 && pp[i-1] == "*" {
+	for i, p := range pp {
+		if p == "*" {
+			if !specIdUsed {
 				return fmt.Errorf("invalid resource path wildcard level (%d) for Application", i)
 			}

-			if _, err := cast.ToUint64E(pp[i]); err != nil {
-				return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i])
-			}
+			specIdUsed = false
+			continue
+		}
+
+		specIdUsed = true
+		if _, err := cast.ToUint64E(p); err != nil {
+			return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p)
 		}
 	}
+
 	return nil
 }

@@ -783,6 +849,8 @@ func rbacAuthClientResourceValidator(r string, oo ...string) error {

 	const sep = "/"
 	var (
+		specIdUsed = true
+
 		pp  = strings.Split(strings.Trim(r[len(types.AuthClientResourceType):], sep), sep)
 		prc = []string{
 			"ID",
@@ -793,9 +861,9 @@ func rbacAuthClientResourceValidator(r string, oo ...string) error {
 		return fmt.Errorf("invalid resource path structure")
 	}

-	for i := 0; i < len(pp); i++ {
-		if pp[i] != "*" {
-			if i > 0 && pp[i-1] == "*" {
+	for i, p := range pp {
+		if p == "*" {
+			if !specIdUsed {
 				return fmt.Errorf("invalid resource path wildcard level (%d) for AuthClient", i)
 			}

@@ -827,6 +895,8 @@ func rbacRoleResourceValidator(r string, oo ...string) error {

 	const sep = "/"
 	var (
+		specIdUsed = true
+
 		pp  = strings.Split(strings.Trim(r[len(types.RoleResourceType):], sep), sep)
 		prc = []string{
 			"ID",
@@ -837,9 +907,9 @@ func rbacRoleResourceValidator(r string, oo ...string) error {
 		return fmt.Errorf("invalid resource path structure")
 	}

-	for i := 0; i < len(pp); i++ {
-		if pp[i] != "*" {
-			if i > 0 && pp[i-1] == "*" {
+	for i, p := range pp {
+		if p == "*" {
+			if !specIdUsed {
 				return fmt.Errorf("invalid resource path wildcard level (%d) for Role", i)
 			}

@@ -851,6 +921,52 @@ func rbacRoleResourceValidator(r string, oo ...string) error {
 	return nil
 }

+// rbacRouteResourceValidator checks validity of rbac resource and operations
+//
+// Can be called without operations to check for validity of resource string only
+//
+// This function is auto-generated
+func rbacRouteResourceValidator(r string, oo ...string) error {
+	defOps := rbacResourceOperations(r)
+	for _, o := range oo {
+		if !defOps[o] {
+			return fmt.Errorf("invalid operation '%s' for system Route resource", o)
+		}
+	}
+
+	if !strings.HasPrefix(r, types.RouteResourceType) {
+		// expecting resource to always include path
+		return fmt.Errorf("invalid resource type")
+	}
+
+	const sep = "/"
+	var (
+		specIdUsed = true
+
+		pp  = strings.Split(strings.Trim(r[len(types.RouteResourceType):], sep), sep)
+		prc = []string{
+			"ID",
+		}
+	)
+
+	if len(pp) != len(prc) {
+		return fmt.Errorf("invalid resource path structure")
+	}
+
+	for i, p := range pp {
+		if p == "*" {
+			if !specIdUsed {
+				return fmt.Errorf("invalid resource path wildcard level (%d) for Route", i)
+			}
+
+			if _, err := cast.ToUint64E(pp[i]); err != nil {
+				return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i])
+			}
+		}
+	}
+	return nil
+}
+
 // rbacTemplateResourceValidator checks validity of rbac resource and operations
 //
 // Can be called without operations to check for validity of resource string only
--- a/system/types/function.go
+++ b/system/types/function.go
@@ -6,24 +6,20 @@ import (
 	"fmt"
 	"time"

-	"github.com/cortezaproject/corteza-server/automation/types"
 	"github.com/cortezaproject/corteza-server/pkg/filter"
 )

 type (
-	FuncArgs []*types.Expr
-
 	ApigwFunctionKind string

 	FuncParams map[string]interface{}

 	Function struct {
-		ID     uint64 `json:"functionID,string"`
-		Route  uint64 `json:"routeID,string"`
-		Weight uint64 `json:"weight"`
-		Ref    string `json:"ref,omitempty"`
-		Kind   string `json:"kind,omitempty"`
-		// Arguments FuncArgs               `json:"args"`
+		ID     uint64     `json:"functionID,string"`
+		Route  uint64     `json:"routeID,string"`
+		Weight uint64     `json:"weight"`
+		Ref    string     `json:"ref,omitempty"`
+		Kind   string     `json:"kind,omitempty"`
 		Params FuncParams `json:"params"`

 		CreatedAt time.Time  `json:"createdAt,omitempty"`
@@ -61,23 +57,6 @@ const (
 	ApigwFunctionKindExpediter ApigwFunctionKind = "functionExpediter"
 )

-func (vv *FuncArgs) Scan(value interface{}) (err error) {
-	aux := []*types.Expr{}
-	err = json.Unmarshal([]byte(value.([]byte)), &aux)
-
-	if err != nil {
-		return
-	}
-
-	*vv = aux
-
-	return
-}
-
-func (vv FuncArgs) Value() (driver.Value, error) {
-	return json.Marshal(vv)
-}
-
 func (vv *FuncParams) Scan(value interface{}) (err error) {
 	if err := json.Unmarshal(value.([]byte), vv); err != nil {
 		return fmt.Errorf("cannot scan '%v' into FuncParams", value)
--- a/system/types/parsers.go
+++ b/system/types/parsers.go
@@ -4,11 +4,6 @@ import (
 	"encoding/json"
 )

-func ParseApigwfFunctionArguments(ss []string) (p FuncArgs, err error) {
-	p = FuncArgs{}
-	return p, parseStringsInput(ss, p)
-}
-
 func ParseApigwfFunctionParams(ss []string) (p FuncParams, err error) {
 	p = FuncParams{}
 	return p, parseStringsInput(ss, p)
--- a/system/types/rbac.gen.go
+++ b/system/types/rbac.gen.go
@@ -10,6 +10,7 @@ package types
 // - system.application.yaml
 // - system.auth-client.yaml
 // - system.role.yaml
+// - system.route.yaml
 // - system.template.yaml
 // - system.user.yaml
 // - system.yaml
@@ -30,6 +31,7 @@ const (
 	ApplicationResourceType = "corteza::system:application"
 	AuthClientResourceType  = "corteza::system:auth-client"
 	RoleResourceType        = "corteza::system:role"
+	RouteResourceType       = "corteza::system:route"
 	TemplateResourceType    = "corteza::system:template"
 	UserResourceType        = "corteza::system:user"
 	ComponentResourceType   = "corteza::system"
@@ -128,6 +130,37 @@ func RoleRbacResourceTpl() string {
 	return "%s/%s"
 }

+// RbacResource returns string representation of RBAC resource for Route by calling RouteRbacResource fn
+//
+// RBAC resource is in the corteza::system:route/... format
+//
+// This function is auto-generated
+func (r Route) RbacResource() string {
+	return RouteRbacResource(r.ID)
+}
+
+// RouteRbacResource returns string representation of RBAC resource for Route
+//
+// RBAC resource is in the corteza::system:route/... format
+//
+// This function is auto-generated
+func RouteRbacResource(id uint64) string {
+	cpts := []interface{}{RouteResourceType}
+	if id != 0 {
+		cpts = append(cpts, strconv.FormatUint(id, 10))
+	} else {
+		cpts = append(cpts, "*")
+	}
+
+	return fmt.Sprintf(RouteRbacResourceTpl(), cpts...)
+
+}
+
+// @todo template
+func RouteRbacResourceTpl() string {
+	return "%s/%s"
+}
+
 // RbacResource returns string representation of RBAC resource for Template by calling TemplateRbacResource fn
 //
 // RBAC resource is in the corteza::system:template/... format