Add filters to permissions for role route

It allows filtering for specific rules and also the rules which are applied to the resource, and not to a specific resource. Introduces generic methods for RuleSet and FindRules method to access_control generation template.
2022-07-06 11:17:49 +05:30
parent 149d75578a
commit f160d391f5
24 changed files with 712 additions and 14 deletions
--- a/codegen/assets/templates/gocode/rbac/$component_access_control.go.tpl
+++ b/codegen/assets/templates/gocode/rbac/$component_access_control.go.tpl
@@ -9,6 +9,7 @@ import (
 	"context"
 	"github.com/cortezaproject/corteza-server/pkg/rbac"
 	"github.com/cortezaproject/corteza-server/pkg/actionlog"
+	"github.com/cortezaproject/corteza-server/pkg/filter"
 	systemTypes "github.com/cortezaproject/corteza-server/system/types"
 	internalAuth "github.com/cortezaproject/corteza-server/pkg/auth"
 {{- range .imports }}
@@ -204,6 +205,63 @@ func (svc accessControl) logGrants(ctx context.Context, rr []*rbac.Rule) {
 	}
 }

+// FindRules find all rules based on filters
+//
+// This function is auto-generated
+func (svc accessControl) FindRules(ctx context.Context, roleID uint64, specific filter.State, rr ...string) (out rbac.RuleSet, err error) {
+	if !svc.CanGrant(ctx) {
+        return nil, AccessControlErrNotAllowedToSetPermissions()
+    }
+
+    rules, err := svc.FindRulesByRoleID(ctx, roleID)
+    if err != nil {
+        return
+    }
+
+    var (
+        resources  []rbac.Resource
+        ruleMap    = make(map[string]bool)
+        uniqRuleID = func(r *rbac.Rule) string {
+            return fmt.Sprintf("%s|%s|%d", r.Resource, r.Operation, r.RoleID)
+        }
+    )
+
+    // Filter based on resource
+    if len(rr) > 0 {
+        resources = make([]rbac.Resource, 0, len(rr))
+        for _, r := range rr {
+            if err = rbacResourceValidator(r); err != nil {
+                return nil, fmt.Errorf("can not use resource %q: %w", r, err)
+            }
+
+            resources = append(resources, rbac.NewResource(r))
+        }
+    } else {
+        resources = svc.Resources()
+    }
+
+    for _, res := range resources {
+        for _, rule := range rules.FilterResource(res.RbacResource()) {
+            if _, ok := ruleMap[uniqRuleID(rule)]; !ok {
+                out = append(out, rule)
+                ruleMap[uniqRuleID(rule)] = true
+            }
+        }
+    }
+
+    // Filter for Excluded, Include, or Exclusive specific rules
+    switch specific {
+    // Exclude all the specific rules
+    case filter.StateExcluded:
+        out = out.FilterRules(false)
+    // Returns only all the specific rules
+    case filter.StateExclusive:
+        out = out.FilterRules(true)
+    }
+
+    return
+}
+
 // FindRulesByRoleID find all rules for a specific role
 //
 // This function is auto-generated