feat(rbac): lazy load temporary enforcer (janus-idp#1513)

PatAKnight · web-flow · commit b5f1552f0690 · 2024-04-18T20:49:08.000Z
diff --git a/plugins/rbac-backend/src/service/enforcer-delegate.ts b/plugins/rbac-backend/src/service/enforcer-delegate.ts
@@ -1,6 +1,6 @@
 import { NotAllowedError, NotFoundError } from '@backstage/errors';
 
-import { Enforcer, newEnforcer, newModelFromString } from 'casbin';
+import { Enforcer, newModelFromString } from 'casbin';
 import { Knex } from 'knex';
 
 import {
@@ -575,26 +575,51 @@ export class EnforcerDelegate {
     }
   }
 
+  /**
+   * enforce aims to enforce a particular permission policy based on the user that it receives.
+   * Under the hood, enforce uses the `enforce` method from the enforcer`.
+   *
+   * Before enforcement, a filter is set up to reduce the number of permission policies that will
+   * be loaded in.
+   * This will reduce the amount of checks that need to be made to determine if a user is authorize
+   * to perform an action
+   *
+   * A temporary enforcer will also be used while enforcing.
+   * This is to ensure that the filter does not interact with the base enforcer.
+   * The temporary enforcer has lazy loading of the permission policies enabled to reduce the amount
+   * of time it takes to initialize the temporary enforcer.
+   * The justification for lazy loading is because permission policies are already present in the
+   * role manager / database and it will be filtered and loaded whenever `loadFilteredPolicy` is called.
+   * @param entityRef The user to enforce
+   * @param resourceType The resource type / name of the permission policy
+   * @param action The action of the permission policy
+   * @param roles Any roles that the user is directly or indirectly attached to.
+   * Used for filtering permission policies.
+   * @returns True if the user is allowed based on the particular permission
+   */
   async enforce(
     entityRef: string,
     resourceType: string,
     action: string,
+    roles: string[],
   ): Promise<boolean> {
-    const filter = [
-      {
-        ptype: 'p',
-        v1: resourceType,
-        v2: action,
-      },
-      {
-        ptype: 'g',
-        v0: entityRef,
-      },
-    ];
+    const filter = [];
+    if (roles.length > 0) {
+      roles.forEach(role => {
+        filter.push({ ptype: 'p', v0: role, v1: resourceType, v2: action });
+      });
+    } else {
+      filter.push({ ptype: 'p', v1: resourceType, v2: action });
+    }
 
     const adapt = this.enforcer.getAdapter();
     const roleManager = this.enforcer.getRoleManager();
-    const tempEnforcer = await newEnforcer(newModelFromString(MODEL), adapt);
+    const tempEnforcer = new Enforcer();
+    await tempEnforcer.initWithModelAndAdapter(
+      newModelFromString(MODEL),
+      adapt,
+      true,
+    );
     tempEnforcer.setRoleManager(roleManager);
 
     await tempEnforcer.loadFilteredPolicy(filter);
diff --git a/plugins/rbac-backend/src/service/permission-policy.ts b/plugins/rbac-backend/src/service/permission-policy.ts
@@ -284,6 +284,7 @@ export class RBACPermissionPolicy implements PermissionPolicy {
 
       const userEntityRef = identityResp.identity.userEntityRef;
       const permissionName = request.permission.name;
+      const roles = await this.enforcer.getRolesForUser(userEntityRef);
 
       if (isResourcePermission(request.permission)) {
         const resourceType = request.permission.resourceType;
@@ -295,6 +296,7 @@ export class RBACPermissionPolicy implements PermissionPolicy {
             resourceType,
             request.permission.name,
             action,
+            roles,
           );
           if (conditionResult) {
             return conditionResult;
@@ -311,10 +313,15 @@ export class RBACPermissionPolicy implements PermissionPolicy {
         // Let's set up higher priority for permission specified by name, than by resource type
         const obj = hasNamedPermission ? permissionName : resourceType;
 
-        status = await this.isAuthorized(userEntityRef, obj, action);
+        status = await this.isAuthorized(userEntityRef, obj, action, roles);
       } else {
         // handle permission with 'basic' type
-        status = await this.isAuthorized(userEntityRef, permissionName, action);
+        status = await this.isAuthorized(
+          userEntityRef,
+          permissionName,
+          action,
+          roles,
+        );
       }
 
       const result = status ? AuthorizeResult.ALLOW : AuthorizeResult.DENY;
@@ -357,6 +364,7 @@ export class RBACPermissionPolicy implements PermissionPolicy {
     userIdentity: string,
     permission: string,
     action: string,
+    roles: string[],
   ): Promise<boolean> => {
     if (this.superUserList!.includes(userIdentity)) {
       return true;
@@ -373,17 +381,16 @@ export class RBACPermissionPolicy implements PermissionPolicy {
       );
     }
 
-    return await this.enforcer.enforce(userIdentity, permission, action);
+    return await this.enforcer.enforce(userIdentity, permission, action, roles);
   };
 
   private async handleConditions(
     userEntityRef: string,
     resourceType: string,
     permissionName: string,
     action: PermissionAction,
+    roles: string[],
   ): Promise<PolicyDecision | undefined> {
-    const roles = await this.enforcer.getRolesForUser(userEntityRef);
-
     const conditions: PermissionCriteria<
       PermissionCondition<string, PermissionRuleParams>
     >[] = [];
