From fef77a7a47018747e094443bc3332775c3bbb01e Mon Sep 17 00:00:00 2001 From: Vivek Patel Date: Wed, 27 Jul 2022 14:33:56 +0530 Subject: [PATCH] Refactor rules endpoint - Removes specific params - Improves RuleSet.FilterResource to accept multiple resources - Rework FindRules method in access-controller tpl --- automation/rest.yaml | 5 --- automation/rest/permissions.go | 5 ++- automation/rest/request/permissions.go | 18 ---------- automation/service/access_control.gen.go | 36 +++---------------- .../rbac/$component_access_control.go.tpl | 35 +++--------------- compose/rest.yaml | 5 --- compose/rest/permissions.go | 5 ++- compose/rest/request/permissions.go | 18 ---------- compose/service/access_control.gen.go | 36 +++---------------- federation/rest.yaml | 5 --- federation/rest/permissions.go | 5 ++- federation/rest/request/permissions.go | 18 ---------- federation/service/access_control.gen.go | 36 +++---------------- pkg/rbac/rule.go | 30 ++++++++-------- system/rest.yaml | 5 --- system/rest/permissions.go | 5 ++- system/rest/request/permissions.go | 19 ---------- system/service/access_control.gen.go | 36 +++---------------- tests/system/permissions_test.go | 25 ++++--------- 19 files changed, 49 insertions(+), 298 deletions(-) diff --git a/automation/rest.yaml b/automation/rest.yaml index e5284b913..524ddd092 100644 --- a/automation/rest.yaml +++ b/automation/rest.yaml @@ -276,7 +276,6 @@ endpoints: - Client ID - Session ID imports: - - github.com/cortezaproject/corteza-server/pkg/filter - github.com/cortezaproject/corteza-server/pkg/rbac apis: - name: list @@ -320,10 +319,6 @@ endpoints: required: true title: Role ID get: - - name: specific - required: false - title: Exclude (0, default), include (1) or return only (2) specific rules - type: "filter.State" - name: resource type: "[]string" required: false diff --git a/automation/rest/permissions.go b/automation/rest/permissions.go index ad60c34ca..7c3ca9637 100644 --- a/automation/rest/permissions.go 
+++ b/automation/rest/permissions.go @@ -6,7 +6,6 @@ import ( "github.com/cortezaproject/corteza-server/automation/service" "github.com/cortezaproject/corteza-server/automation/types" "github.com/cortezaproject/corteza-server/pkg/api" - "github.com/cortezaproject/corteza-server/pkg/filter" "github.com/cortezaproject/corteza-server/pkg/rbac" ) @@ -20,7 +19,7 @@ type ( Trace(context.Context, uint64, []uint64, ...string) ([]*rbac.Trace, error) List() []map[string]string FindRulesByRoleID(context.Context, uint64) (rbac.RuleSet, error) - FindRules(ctx context.Context, roleID uint64, specific filter.State, rr ...string) (rbac.RuleSet, error) + FindRules(ctx context.Context, roleID uint64, rr ...string) (rbac.RuleSet, error) Grant(ctx context.Context, rr ...*rbac.Rule) error } ) @@ -44,7 +43,7 @@ func (ctrl Permissions) List(ctx context.Context, r *request.PermissionsList) (i } func (ctrl Permissions) Read(ctx context.Context, r *request.PermissionsRead) (interface{}, error) { - return ctrl.ac.FindRules(ctx, r.RoleID, r.Specific, r.Resource...) + return ctrl.ac.FindRules(ctx, r.RoleID, r.Resource...) } func (ctrl Permissions) Delete(ctx context.Context, r *request.PermissionsDelete) (interface{}, error) { diff --git a/automation/rest/request/permissions.go b/automation/rest/request/permissions.go index 9cf939907..edcd8d92f 100644 --- a/automation/rest/request/permissions.go +++ b/automation/rest/request/permissions.go @@ -11,7 +11,6 @@ package request import ( "encoding/json" "fmt" - "github.com/cortezaproject/corteza-server/pkg/filter" "github.com/cortezaproject/corteza-server/pkg/payload" "github.com/cortezaproject/corteza-server/pkg/rbac" "github.com/go-chi/chi/v5" @@ -68,11 +67,6 @@ type ( // Role ID RoleID uint64 `json:",string"` - // Specific GET parameter - // - // Exclude (0, default), include (1) or return only (2) specific rules - Specific filter.State - // Resource GET parameter // // Show only rules for a specific resource 
@@ -228,7 +222,6 @@ func NewPermissionsRead() *PermissionsRead { func (r PermissionsRead) Auditable() map[string]interface{} { return map[string]interface{}{ "roleID": r.RoleID, - "specific": r.Specific, "resource": r.Resource, } } @@ -238,11 +231,6 @@ func (r PermissionsRead) GetRoleID() uint64 { return r.RoleID } -// Auditable returns all auditable/loggable parameters -func (r PermissionsRead) GetSpecific() filter.State { - return r.Specific -} - // Auditable returns all auditable/loggable parameters func (r PermissionsRead) GetResource() []string { return r.Resource @@ -255,12 +243,6 @@ func (r *PermissionsRead) Fill(req *http.Request) (err error) { // GET params tmp := req.URL.Query() - if val, ok := tmp["specific"]; ok && len(val) > 0 { - r.Specific, err = payload.ParseFilterState(val[0]), nil - if err != nil { - return err - } - } if val, ok := tmp["resource[]"]; ok { r.Resource, err = val, nil if err != nil { diff --git a/automation/service/access_control.gen.go b/automation/service/access_control.gen.go index a5c074bae..3df3cb3b3 100644 --- a/automation/service/access_control.gen.go +++ b/automation/service/access_control.gen.go @@ -12,7 +12,6 @@ import ( "github.com/cortezaproject/corteza-server/automation/types" "github.com/cortezaproject/corteza-server/pkg/actionlog" internalAuth "github.com/cortezaproject/corteza-server/pkg/auth" - "github.com/cortezaproject/corteza-server/pkg/filter" "github.com/cortezaproject/corteza-server/pkg/rbac" "github.com/cortezaproject/corteza-server/store" systemTypes "github.com/cortezaproject/corteza-server/system/types" 
@@ -266,25 +265,17 @@ func (svc accessControl) logGrants(ctx context.Context, rr []*rbac.Rule) { // FindRules find all rules based on filters // // This function is auto-generated -func (svc accessControl) FindRules(ctx context.Context, roleID uint64, specific filter.State, rr ...string) (out rbac.RuleSet, err error) { +func (svc accessControl) FindRules(ctx context.Context, roleID uint64, rr ...string) (out rbac.RuleSet, err error) { if !svc.CanGrant(ctx) { return nil, AccessControlErrNotAllowedToSetPermissions() } - rules, err := svc.FindRulesByRoleID(ctx, roleID) + out, err = svc.FindRulesByRoleID(ctx, roleID) if err != nil { return } - var ( - resources []rbac.Resource - ruleMap = make(map[string]bool) - uniqRuleID = func(r *rbac.Rule) string { - return fmt.Sprintf("%s|%s|%d", r.Resource, r.Operation, r.RoleID) - } - ) - - // Filter based on resource + var resources []rbac.Resource if len(rr) > 0 { resources = make([]rbac.Resource, 0, len(rr)) for _, r := range rr { @@ -298,26 +289,7 @@ func (svc accessControl) FindRules(ctx context.Context, roleID uint64, specific resources = svc.Resources() } - for _, res := range resources { - for _, rule := range rules.FilterResource(res.RbacResource()) { - if _, ok := ruleMap[uniqRuleID(rule)]; !ok { - out = append(out, rule) - ruleMap[uniqRuleID(rule)] = true - } - } - } - - // Filter for Excluded, Include, or Exclusive specific rules - switch specific { - // Exclude all the specific rules - case filter.StateExcluded: - out = out.FilterRules(false) - // Returns only all the specific rules - case filter.StateExclusive: - out = out.FilterRules(true) - } - - return + return out.FilterResource(resources...), nil } // FindRulesByRoleID find all rules for a specific role diff --git a/codegen/assets/templates/gocode/rbac/$component_access_control.go.tpl b/codegen/assets/templates/gocode/rbac/$component_access_control.go.tpl index d3c834114..c1c695539 100644 
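Review bot: In the first hunk, `out, err = svc.FindRulesByRoleID(ctx, roleID)` followed by a bare `return` hands the caller whatever partial `out` the lookup produced together with the error, where the old `rules, err :=` form left the named result nil; make the error path explicit with `return nil, err`. The removed `uniqRuleID` closure was a `fmt.Sprintf` call, so if nothing else in this generated file still uses `fmt` the import has to go as well (the system variant's import hunk shows `"fmt"` still imported). The same two points apply to the identical hunks in `codegen/assets/templates/gocode/rbac/$component_access_control.go.tpl`, `compose/service/access_control.gen.go`, `federation/service/access_control.gen.go` and `system/service/access_control.gen.go`; since these files are generated, the fix belongs in the template followed by regeneration. The middle of FindRules, including the loop that resolves `rr` into `resources`, lies between the two hunks and is not visible here.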
--- a/codegen/assets/templates/gocode/rbac/$component_access_control.go.tpl +++ b/codegen/assets/templates/gocode/rbac/$component_access_control.go.tpl @@ -211,25 +211,17 @@ func (svc accessControl) logGrants(ctx context.Context, rr []*rbac.Rule) { // FindRules find all rules based on filters // // This function is auto-generated -func (svc accessControl) FindRules(ctx context.Context, roleID uint64, specific filter.State, rr ...string) (out rbac.RuleSet, err error) { +func (svc accessControl) FindRules(ctx context.Context, roleID uint64, rr ...string) (out rbac.RuleSet, err error) { if !svc.CanGrant(ctx) { return nil, AccessControlErrNotAllowedToSetPermissions() } - rules, err := svc.FindRulesByRoleID(ctx, roleID) + out, err = svc.FindRulesByRoleID(ctx, roleID) if err != nil { return } - var ( - resources []rbac.Resource - ruleMap = make(map[string]bool) - uniqRuleID = func(r *rbac.Rule) string { - return fmt.Sprintf("%s|%s|%d", r.Resource, r.Operation, r.RoleID) - } - ) - - // Filter based on resource + var resources []rbac.Resource if len(rr) > 0 { resources = make([]rbac.Resource, 0, len(rr)) for _, r := range rr { @@ -243,26 +235,7 @@ func (svc accessControl) FindRules(ctx context.Context, roleID uint64, specific resources = svc.Resources() } - for _, res := range resources { - for _, rule := range rules.FilterResource(res.RbacResource()) { - if _, ok := ruleMap[uniqRuleID(rule)]; !ok { - out = append(out, rule) - ruleMap[uniqRuleID(rule)] = true - } - } - } - - // Filter for Excluded, Include, or Exclusive specific rules - switch specific { - // Exclude all the specific rules - case filter.StateExcluded: - out = out.FilterRules(false) - // Returns only all the specific rules - case filter.StateExclusive: - out = out.FilterRules(true) - } - - return + return out.FilterResource(resources...), nil } // FindRulesByRoleID find all rules for a specific role diff --git a/compose/rest.yaml b/compose/rest.yaml index b47dcf1a0..a30986d99 100644 --- a/compose/rest.yaml 
+++ b/compose/rest.yaml @@ -1291,7 +1291,6 @@ endpoints: - Client ID - Session ID imports: - - github.com/cortezaproject/corteza-server/pkg/filter - github.com/cortezaproject/corteza-server/pkg/rbac apis: - name: list @@ -1335,10 +1334,6 @@ endpoints: required: true title: Role ID get: - - name: specific - required: false - title: Exclude (0, default), include (1) or return only (2) specific rules - type: "filter.State" - name: resource type: "[]string" required: false diff --git a/compose/rest/permissions.go b/compose/rest/permissions.go index 9197ba550..1f3b86838 100644 --- a/compose/rest/permissions.go +++ b/compose/rest/permissions.go @@ -6,7 +6,6 @@ import ( "github.com/cortezaproject/corteza-server/compose/service" "github.com/cortezaproject/corteza-server/compose/types" "github.com/cortezaproject/corteza-server/pkg/api" - "github.com/cortezaproject/corteza-server/pkg/filter" "github.com/cortezaproject/corteza-server/pkg/rbac" ) @@ -20,7 +19,7 @@ type ( Trace(context.Context, uint64, []uint64, ...string) ([]*rbac.Trace, error) List() []map[string]string FindRulesByRoleID(context.Context, uint64) (rbac.RuleSet, error) - FindRules(ctx context.Context, roleID uint64, specific filter.State, rr ...string) (rbac.RuleSet, error) + FindRules(ctx context.Context, roleID uint64, rr ...string) (rbac.RuleSet, error) Grant(ctx context.Context, rr ...*rbac.Rule) error } ) @@ -44,7 +43,7 @@ func (ctrl Permissions) List(ctx context.Context, r *request.PermissionsList) (i } func (ctrl Permissions) Read(ctx context.Context, r *request.PermissionsRead) (interface{}, error) { - return ctrl.ac.FindRules(ctx, r.RoleID, r.Specific, r.Resource...) + return ctrl.ac.FindRules(ctx, r.RoleID, r.Resource...) } func (ctrl Permissions) Delete(ctx context.Context, r *request.PermissionsDelete) (interface{}, error) { diff --git a/compose/rest/request/permissions.go b/compose/rest/request/permissions.go index 9cf939907..edcd8d92f 100644 --- a/compose/rest/request/permissions.go 
+++ b/compose/rest/request/permissions.go @@ -11,7 +11,6 @@ package request import ( "encoding/json" "fmt" - "github.com/cortezaproject/corteza-server/pkg/filter" "github.com/cortezaproject/corteza-server/pkg/payload" "github.com/cortezaproject/corteza-server/pkg/rbac" "github.com/go-chi/chi/v5" @@ -68,11 +67,6 @@ type ( // Role ID RoleID uint64 `json:",string"` - // Specific GET parameter - // - // Exclude (0, default), include (1) or return only (2) specific rules - Specific filter.State - // Resource GET parameter // // Show only rules for a specific resource @@ -228,7 +222,6 @@ func NewPermissionsRead() *PermissionsRead { func (r PermissionsRead) Auditable() map[string]interface{} { return map[string]interface{}{ "roleID": r.RoleID, - "specific": r.Specific, "resource": r.Resource, } } @@ -238,11 +231,6 @@ func (r PermissionsRead) GetRoleID() uint64 { return r.RoleID } -// Auditable returns all auditable/loggable parameters -func (r PermissionsRead) GetSpecific() filter.State { - return r.Specific -} - // Auditable returns all auditable/loggable parameters func (r PermissionsRead) GetResource() []string { return r.Resource @@ -255,12 +243,6 @@ func (r *PermissionsRead) Fill(req *http.Request) (err error) { // GET params tmp := req.URL.Query() - if val, ok := tmp["specific"]; ok && len(val) > 0 { - r.Specific, err = payload.ParseFilterState(val[0]), nil - if err != nil { - return err - } - } if val, ok := tmp["resource[]"]; ok { r.Resource, err = val, nil if err != nil { diff --git a/compose/service/access_control.gen.go b/compose/service/access_control.gen.go index eb7a172bb..38395a0c3 100644 --- a/compose/service/access_control.gen.go +++ b/compose/service/access_control.gen.go 
@@ -14,7 +14,6 @@ import ( "github.com/cortezaproject/corteza-server/compose/types" "github.com/cortezaproject/corteza-server/pkg/actionlog" internalAuth "github.com/cortezaproject/corteza-server/pkg/auth" - "github.com/cortezaproject/corteza-server/pkg/filter" "github.com/cortezaproject/corteza-server/pkg/rbac" "github.com/cortezaproject/corteza-server/store" systemTypes "github.com/cortezaproject/corteza-server/system/types" @@ -377,25 +376,17 @@ func (svc accessControl) logGrants(ctx context.Context, rr []*rbac.Rule) { // FindRules find all rules based on filters // // This function is auto-generated -func (svc accessControl) FindRules(ctx context.Context, roleID uint64, specific filter.State, rr ...string) (out rbac.RuleSet, err error) { +func (svc accessControl) FindRules(ctx context.Context, roleID uint64, rr ...string) (out rbac.RuleSet, err error) { if !svc.CanGrant(ctx) { return nil, AccessControlErrNotAllowedToSetPermissions() } - rules, err := svc.FindRulesByRoleID(ctx, roleID) + out, err = svc.FindRulesByRoleID(ctx, roleID) if err != nil { return } - var ( - resources []rbac.Resource - ruleMap = make(map[string]bool) - uniqRuleID = func(r *rbac.Rule) string { - return fmt.Sprintf("%s|%s|%d", r.Resource, r.Operation, r.RoleID) - } - ) - - // Filter based on resource + var resources []rbac.Resource if len(rr) > 0 { resources = make([]rbac.Resource, 0, len(rr)) for _, r := range rr { 
@@ -409,26 +400,7 @@ func (svc accessControl) FindRules(ctx context.Context, roleID uint64, specific resources = svc.Resources() } - for _, res := range resources { - for _, rule := range rules.FilterResource(res.RbacResource()) { - if _, ok := ruleMap[uniqRuleID(rule)]; !ok { - out = append(out, rule) - ruleMap[uniqRuleID(rule)] = true - } - } - } - - // Filter for Excluded, Include, or Exclusive specific rules - switch specific { - // Exclude all the specific rules - case filter.StateExcluded: - out = out.FilterRules(false) - // Returns only all the specific rules - case filter.StateExclusive: - out = out.FilterRules(true) - } - - return + return out.FilterResource(resources...), nil } // FindRulesByRoleID find all rules for a specific role diff --git a/federation/rest.yaml b/federation/rest.yaml index fce40a112..87524b947 100644 --- a/federation/rest.yaml +++ b/federation/rest.yaml @@ -503,7 +503,6 @@ endpoints: - Client ID - Session ID imports: - - github.com/cortezaproject/corteza-server/pkg/filter - github.com/cortezaproject/corteza-server/pkg/rbac apis: - name: list @@ -547,10 +546,6 @@ endpoints: required: true title: Role ID get: - - name: specific - required: false - title: Exclude (0, default), include (1) or return only (2) specific rules - type: "filter.State" - name: resource type: "[]string" required: false diff --git a/federation/rest/permissions.go b/federation/rest/permissions.go index 47e8abec4..f53a473b8 100644 --- a/federation/rest/permissions.go +++ b/federation/rest/permissions.go @@ -6,7 +6,6 @@ import ( "github.com/cortezaproject/corteza-server/federation/service" "github.com/cortezaproject/corteza-server/federation/types" "github.com/cortezaproject/corteza-server/pkg/api" - "github.com/cortezaproject/corteza-server/pkg/filter" "github.com/cortezaproject/corteza-server/pkg/rbac" ) 
@@ -20,7 +19,7 @@ type ( Trace(context.Context, uint64, []uint64, ...string) ([]*rbac.Trace, error) List() []map[string]string FindRulesByRoleID(context.Context, uint64) (rbac.RuleSet, error) - FindRules(ctx context.Context, roleID uint64, specific filter.State, rr ...string) (rbac.RuleSet, error) + FindRules(ctx context.Context, roleID uint64, rr ...string) (rbac.RuleSet, error) Grant(ctx context.Context, rr ...*rbac.Rule) error } ) @@ -44,7 +43,7 @@ func (ctrl Permissions) List(ctx context.Context, r *request.PermissionsList) (i } func (ctrl Permissions) Read(ctx context.Context, r *request.PermissionsRead) (interface{}, error) { - return ctrl.ac.FindRules(ctx, r.RoleID, r.Specific, r.Resource...) + return ctrl.ac.FindRules(ctx, r.RoleID, r.Resource...) } func (ctrl Permissions) Delete(ctx context.Context, r *request.PermissionsDelete) (interface{}, error) { diff --git a/federation/rest/request/permissions.go b/federation/rest/request/permissions.go index 9cf939907..edcd8d92f 100644 --- a/federation/rest/request/permissions.go +++ b/federation/rest/request/permissions.go @@ -11,7 +11,6 @@ package request import ( "encoding/json" "fmt" - "github.com/cortezaproject/corteza-server/pkg/filter" "github.com/cortezaproject/corteza-server/pkg/payload" "github.com/cortezaproject/corteza-server/pkg/rbac" "github.com/go-chi/chi/v5" @@ -68,11 +67,6 @@ type ( // Role ID RoleID uint64 `json:",string"` - // Specific GET parameter - // - // Exclude (0, default), include (1) or return only (2) specific rules - Specific filter.State - // Resource GET parameter // // Show only rules for a specific resource @@ -228,7 +222,6 @@ func NewPermissionsRead() *PermissionsRead { func (r PermissionsRead) Auditable() map[string]interface{} { return map[string]interface{}{ "roleID": r.RoleID, - "specific": r.Specific, "resource": r.Resource, } } 
@@ -238,11 +231,6 @@ func (r PermissionsRead) GetRoleID() uint64 { return r.RoleID } -// Auditable returns all auditable/loggable parameters -func (r PermissionsRead) GetSpecific() filter.State { - return r.Specific -} - // Auditable returns all auditable/loggable parameters func (r PermissionsRead) GetResource() []string { return r.Resource @@ -255,12 +243,6 @@ func (r *PermissionsRead) Fill(req *http.Request) (err error) { // GET params tmp := req.URL.Query() - if val, ok := tmp["specific"]; ok && len(val) > 0 { - r.Specific, err = payload.ParseFilterState(val[0]), nil - if err != nil { - return err - } - } if val, ok := tmp["resource[]"]; ok { r.Resource, err = val, nil if err != nil { diff --git a/federation/service/access_control.gen.go b/federation/service/access_control.gen.go index 44194d752..eddb2484f 100644 --- a/federation/service/access_control.gen.go +++ b/federation/service/access_control.gen.go @@ -12,7 +12,6 @@ import ( "github.com/cortezaproject/corteza-server/federation/types" "github.com/cortezaproject/corteza-server/pkg/actionlog" internalAuth "github.com/cortezaproject/corteza-server/pkg/auth" - "github.com/cortezaproject/corteza-server/pkg/filter" "github.com/cortezaproject/corteza-server/pkg/rbac" "github.com/cortezaproject/corteza-server/store" systemTypes "github.com/cortezaproject/corteza-server/system/types" 
@@ -253,25 +252,17 @@ func (svc accessControl) logGrants(ctx context.Context, rr []*rbac.Rule) { // FindRules find all rules based on filters // // This function is auto-generated -func (svc accessControl) FindRules(ctx context.Context, roleID uint64, specific filter.State, rr ...string) (out rbac.RuleSet, err error) { +func (svc accessControl) FindRules(ctx context.Context, roleID uint64, rr ...string) (out rbac.RuleSet, err error) { if !svc.CanGrant(ctx) { return nil, AccessControlErrNotAllowedToSetPermissions() } - rules, err := svc.FindRulesByRoleID(ctx, roleID) + out, err = svc.FindRulesByRoleID(ctx, roleID) if err != nil { return } - var ( - resources []rbac.Resource - ruleMap = make(map[string]bool) - uniqRuleID = func(r *rbac.Rule) string { - return fmt.Sprintf("%s|%s|%d", r.Resource, r.Operation, r.RoleID) - } - ) - - // Filter based on resource + var resources []rbac.Resource if len(rr) > 0 { resources = make([]rbac.Resource, 0, len(rr)) for _, r := range rr { @@ -285,26 +276,7 @@ func (svc accessControl) FindRules(ctx context.Context, roleID uint64, specific resources = svc.Resources() } - for _, res := range resources { - for _, rule := range rules.FilterResource(res.RbacResource()) { - if _, ok := ruleMap[uniqRuleID(rule)]; !ok { - out = append(out, rule) - ruleMap[uniqRuleID(rule)] = true - } - } - } - - // Filter for Excluded, Include, or Exclusive specific rules - switch specific { - // Exclude all the specific rules - case filter.StateExcluded: - out = out.FilterRules(false) - // Returns only all the specific rules - case filter.StateExclusive: - out = out.FilterRules(true) - } - - return + return out.FilterResource(resources...), nil } // FindRulesByRoleID find all rules for a specific role diff --git a/pkg/rbac/rule.go b/pkg/rbac/rule.go index 8ab9d16db..c8e28dc43 100644 --- a/pkg/rbac/rule.go +++ b/pkg/rbac/rule.go 
@@ -60,23 +60,23 @@ func (set RuleSet) FilterAccess(a Access) (out RuleSet) { return out } -func (set RuleSet) FilterResource(res string) (out RuleSet) { - for _, r := range set { - if !matchResource(res, r.Resource) { - continue +func (set RuleSet) FilterResource(rr ...Resource) (out RuleSet) { + var ( + ruleMap = make(map[string]bool) + uniqRuleID = func(r *Rule) string { + return fmt.Sprintf("%s|%s|%d", r.Resource, r.Operation, r.RoleID) } - out = append(out, r) - } + ) - return -} - -// FilterRules will filter the rules based on given parameter(specific), -// If params is true then it will return only the specific rules otherwise it will return non-specific rules -func (set RuleSet) FilterRules(specific bool) (out RuleSet) { - for _, r := range set { - if specific == isSpecific(r.Resource) { - out = append(out, r) + for _, res := range rr { + for _, rule := range set { + if !matchResource(res.RbacResource(), rule.Resource) { + continue + } + if _, ok := ruleMap[uniqRuleID(rule)]; !ok { + out = append(out, rule) + ruleMap[uniqRuleID(rule)] = true + } } } diff --git a/system/rest.yaml b/system/rest.yaml index c2ce337eb..895c4f926 100644 --- a/system/rest.yaml +++ b/system/rest.yaml @@ -1219,7 +1219,6 @@ endpoints: - Client ID - Session ID imports: - - github.com/cortezaproject/corteza-server/pkg/filter - github.com/cortezaproject/corteza-server/pkg/rbac apis: - name: list @@ -1264,10 +1263,6 @@ endpoints: required: true title: Role ID get: - - name: specific - required: false - title: Exclude (0, default), include (1) or return only (2) specific rules - type: "filter.State" - name: resource type: "[]string" required: false diff --git a/system/rest/permissions.go b/system/rest/permissions.go index e663776de..c90111c22 100644 --- a/system/rest/permissions.go +++ b/system/rest/permissions.go 
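Review bot: The exported `FilterResource` changed its signature from `(res string)` to `(rr ...Resource)` yet still carries no doc comment; add `// FilterResource returns the rules matching any of the given resources, each rule at most once (keyed by resource, operation and role); called with no resources it returns an empty set.` above it, and check any other caller that still passes a plain string, which no longer compiles. The dedup key is built with `fmt.Sprintf` for every (resource, rule) pair, which allocates a string per iteration and pulls `fmt` into this file if it was not already imported (the import block is outside the hunk); a comparable struct key does the same job without either cost, as sketched below. If `Rule.Resource` or `Rule.Operation` are defined string types rather than plain `string`, convert them when building the key. The function's final `return` lies past the end of the hunk.
```go
func (set RuleSet) FilterResource(rr ...Resource) (out RuleSet) {
	// comparable key instead of a formatted string: no fmt dependency and
	// no allocation per (resource, rule) pair
	type ruleKey struct {
		res, op string
		roleID  uint64
	}
	seen := make(map[ruleKey]bool)

	for _, res := range rr {
		for _, rule := range set {
			if !matchResource(res.RbacResource(), rule.Resource) {
				continue
			}
			k := ruleKey{rule.Resource, rule.Operation, rule.RoleID}
			if seen[k] {
				continue
			}
			seen[k] = true
			out = append(out, rule)
		}
	}
	// … unchanged: return …
```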
@@ -3,7 +3,6 @@ package rest import ( "context" "github.com/cortezaproject/corteza-server/pkg/api" - "github.com/cortezaproject/corteza-server/pkg/filter" "github.com/cortezaproject/corteza-server/pkg/rbac" "github.com/cortezaproject/corteza-server/system/rest/request" "github.com/cortezaproject/corteza-server/system/service" @@ -20,7 +19,7 @@ type ( Trace(context.Context, uint64, []uint64, ...string) ([]*rbac.Trace, error) List() []map[string]string FindRulesByRoleID(context.Context, uint64) (rbac.RuleSet, error) - FindRules(ctx context.Context, roleID uint64, specific filter.State, rr ...string) (rbac.RuleSet, error) + FindRules(ctx context.Context, roleID uint64, rr ...string) (rbac.RuleSet, error) Grant(ctx context.Context, rr ...*rbac.Rule) error } ) @@ -44,7 +43,7 @@ func (ctrl Permissions) List(ctx context.Context, r *request.PermissionsList) (i } func (ctrl Permissions) Read(ctx context.Context, r *request.PermissionsRead) (interface{}, error) { - return ctrl.ac.FindRules(ctx, r.RoleID, r.Specific, r.Resource...) + return ctrl.ac.FindRules(ctx, r.RoleID, r.Resource...) } func (ctrl Permissions) Delete(ctx context.Context, r *request.PermissionsDelete) (interface{}, error) { diff --git a/system/rest/request/permissions.go b/system/rest/request/permissions.go index 99452e4cb..edcd8d92f 100644 --- a/system/rest/request/permissions.go +++ b/system/rest/request/permissions.go @@ -11,7 +11,6 @@ package request import ( "encoding/json" "fmt" - "github.com/cortezaproject/corteza-server/pkg/filter" "github.com/cortezaproject/corteza-server/pkg/payload" "github.com/cortezaproject/corteza-server/pkg/rbac" "github.com/go-chi/chi/v5" @@ -68,11 +67,6 @@ type ( // Role ID RoleID uint64 `json:",string"` - // Specific GET parameter - // - // Exclude (0, default), include (1) or return only (2) specific rules - Specific filter.State - // Resource GET parameter // // Show only rules for a specific resource 
@@ -228,7 +222,6 @@ func NewPermissionsRead() *PermissionsRead { func (r PermissionsRead) Auditable() map[string]interface{} { return map[string]interface{}{ "roleID": r.RoleID, - "specific": r.Specific, "resource": r.Resource, } } @@ -238,11 +231,6 @@ func (r PermissionsRead) GetRoleID() uint64 { return r.RoleID } -// Auditable returns all auditable/loggable parameters -func (r PermissionsRead) GetSpecific() filter.State { - return r.Specific -} - // Auditable returns all auditable/loggable parameters func (r PermissionsRead) GetResource() []string { return r.Resource @@ -255,13 +243,6 @@ func (r *PermissionsRead) Fill(req *http.Request) (err error) { // GET params tmp := req.URL.Query() - if val, ok := tmp["specific"]; ok && len(val) > 0 { - - r.Specific, err = payload.ParseFilterState(val[0]), nil - if err != nil { - return err - } - } if val, ok := tmp["resource[]"]; ok { r.Resource, err = val, nil if err != nil { diff --git a/system/service/access_control.gen.go b/system/service/access_control.gen.go index c71d75671..f56aa9a15 100644 --- a/system/service/access_control.gen.go +++ b/system/service/access_control.gen.go @@ -11,7 +11,6 @@ import ( "fmt" "github.com/cortezaproject/corteza-server/pkg/actionlog" internalAuth "github.com/cortezaproject/corteza-server/pkg/auth" - "github.com/cortezaproject/corteza-server/pkg/filter" "github.com/cortezaproject/corteza-server/pkg/rbac" "github.com/cortezaproject/corteza-server/store" "github.com/cortezaproject/corteza-server/system/types" 
@@ -555,25 +554,17 @@ func (svc accessControl) logGrants(ctx context.Context, rr []*rbac.Rule) { // FindRules find all rules based on filters // // This function is auto-generated -func (svc accessControl) FindRules(ctx context.Context, roleID uint64, specific filter.State, rr ...string) (out rbac.RuleSet, err error) { +func (svc accessControl) FindRules(ctx context.Context, roleID uint64, rr ...string) (out rbac.RuleSet, err error) { if !svc.CanGrant(ctx) { return nil, AccessControlErrNotAllowedToSetPermissions() } - rules, err := svc.FindRulesByRoleID(ctx, roleID) + out, err = svc.FindRulesByRoleID(ctx, roleID) if err != nil { return } - var ( - resources []rbac.Resource - ruleMap = make(map[string]bool) - uniqRuleID = func(r *rbac.Rule) string { - return fmt.Sprintf("%s|%s|%d", r.Resource, r.Operation, r.RoleID) - } - ) - - // Filter based on resource + var resources []rbac.Resource if len(rr) > 0 { resources = make([]rbac.Resource, 0, len(rr)) for _, r := range rr { @@ -587,26 +578,7 @@ func (svc accessControl) FindRules(ctx context.Context, roleID uint64, specific resources = svc.Resources() } - for _, res := range resources { - for _, rule := range rules.FilterResource(res.RbacResource()) { - if _, ok := ruleMap[uniqRuleID(rule)]; !ok { - out = append(out, rule) - ruleMap[uniqRuleID(rule)] = true - } - } - } - - // Filter for Excluded, Include, or Exclusive specific rules - switch specific { - // Exclude all the specific rules - case filter.StateExcluded: - out = out.FilterRules(false) - // Returns only all the specific rules - case filter.StateExclusive: - out = out.FilterRules(true) - } - - return + return out.FilterResource(resources...), nil } // FindRulesByRoleID find all rules for a specific role diff --git a/tests/system/permissions_test.go b/tests/system/permissions_test.go index 67e04426e..0c2509159 100644 --- a/tests/system/permissions_test.go +++ b/tests/system/permissions_test.go 
@@ -67,23 +67,11 @@ func TestPermissionsReadWithFilter(t *testing.T) { // Specific resource related rules testID := id.Next() helpers.AllowMe(h, types.UserRbacResource(testID), "read") - helpers.AllowMe(h, types.UserRbacResource(testID), "update") + helpers.AllowMe(h, types.UserRbacResource(id.Next()), "update") - // Only non-specific resource rules with `specific: 0` filter + // all rules h.apiInit(). Getf("/permissions/%d/rules", h.roleID). - Query("specific", "0"). - Header("Accept", "application/json"). - Expect(t). - Status(http.StatusOK). - Assert(helpers.AssertNoErrors). - Assert(jsonpath.Len(`$.response`, 2)). - End() - - // Including all specific and non-specific resource rules with `specific: 1` filter - h.apiInit(). - Getf("/permissions/%d/rules", h.roleID). - Query("specific", "1"). Header("Accept", "application/json"). Expect(t). Status(http.StatusOK). @@ -91,10 +79,10 @@ func TestPermissionsReadWithFilter(t *testing.T) { Assert(jsonpath.Len(`$.response`, 4)). End() - // Only specific resource rules with `specific: 2` filter + // Resource related rules h.apiInit(). Getf("/permissions/%d/rules", h.roleID). - Query("specific", "2"). + Query("resource", "corteza::system:user/*"). Header("Accept", "application/json"). Expect(t). Status(http.StatusOK). @@ -102,16 +90,15 @@ func TestPermissionsReadWithFilter(t *testing.T) { Assert(jsonpath.Len(`$.response`, 2)). End() - // Only resource related rules with `resource: corteza::system:user/{ID}` + // Only specific resource rules with `specific: 2` filter h.apiInit(). Getf("/permissions/%d/rules", h.roleID). - Query("specific", "1"). Query("resource", fmt.Sprintf("corteza::system:user/%d", testID)). Header("Accept", "application/json"). Expect(t). Status(http.StatusOK). Assert(helpers.AssertNoErrors). - Assert(jsonpath.Len(`$.response`, 2)). + Assert(jsonpath.Len(`$.response`, 1)). End() }
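Review bot: The comment "Only specific resource rules with `specific: 2` filter" above the last request in the third hunk is stale: the `specific` parameter no longer exists and that request now filters on an exact resource ID, so it should read `// Only rules for the exact resource corteza::system:user/{ID}`. The fixture change in the first hunk, which moves the `update` grant to a fresh user ID, appears to be what makes the new counts of 2 (wildcard `corteza::system:user/*`) and 1 (exact ID) hold, and deserves a line of its own, e.g. `// update rule on a different user so exact-ID filtering yields a single rule`. TestPermissionsReadWithFilter starts before the first hunk.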