feat(rbac): nested condition (#1814)

* feat(rbac): nested condition

Signed-off-by: Yi Cai <[email protected]>

* Bug fix

Signed-off-by: Yi Cai <[email protected]>

* Updated remove button disabled condition

Signed-off-by: Yi Cai <[email protected]>

* Bug fix and updates to address comments

Signed-off-by: Yi Cai <[email protected]>

* Sonarcloud fix 1

Signed-off-by: Yi Cai <[email protected]>

* Fixed tsc issues

Signed-off-by: Yi Cai <[email protected]>

* Fixed tsc and sonarcloud issue

Signed-off-by: Yi Cai <[email protected]>

* Sonarcloud issue fix

Signed-off-by: Yi Cai <[email protected]>

* updates

Signed-off-by: Yi Cai <[email protected]>

* Updated CLI link url

Signed-off-by: Yi Cai <[email protected]>

* Fixed sonarcloud issues

Signed-off-by: Yi Cai <[email protected]>

* Fixed sonarcloud issues

Signed-off-by: Yi Cai <[email protected]>

* Refactored code to reduce line numbers

Signed-off-by: Yi Cai <[email protected]>

* Code refactor

Signed-off-by: Yi Cai <[email protected]>

* Fix sonarcloud issue

Signed-off-by: Yi Cai <[email protected]>

* Removed CLI link

Signed-off-by: Yi Cai <[email protected]>

---------

Signed-off-by: Yi Cai <[email protected]>

Author: ciiay

plugins/rbac/src/__fixtures__/mockConditions.ts

@@ -53,4 +53,106 @@ export const mockConditions: RoleConditionalPolicyDecision<PermissionAction>[] =
       id: 2,
       ...mockNewConditions[1],
     },
+    {
+      id: 3,
+      result: AuthorizeResult.CONDITIONAL,
+      pluginId: 'catalog',
+      resourceType: 'catalog-entity',
+      conditions: {
+        anyOf: [
+          {
+            rule: 'IS_ENTITY_OWNER',
+            resourceType: 'catalog-entity',
+            params: {
+              claims: ['user:default/ciiay'],
+            },
+          },
+          {
+            rule: 'IS_ENTITY_KIND',
+            resourceType: 'catalog-entity',
+            params: { kinds: ['Group'] },
+          },
+          {
+            allOf: [
+              {
+                rule: 'IS_ENTITY_OWNER',
+                resourceType: 'catalog-entity',
+                params: {
+                  claims: ['user:default/ciiay'],
+                },
+              },
+              {
+                rule: 'IS_ENTITY_KIND',
+                resourceType: 'catalog-entity',
+                params: {
+                  kinds: ['User'],
+                },
+              },
+              {
+                not: {
+                  rule: 'HAS_LABEL',
+                  resourceType: 'catalog-entity',
+                  params: { label: 'temp' },
+                },
+              },
+              {
+                anyOf: [
+                  {
+                    rule: 'HAS_TAG',
+                    resourceType: 'catalog-entity',
+                    params: { tag: 'dev' },
+                  },
+                  {
+                    rule: 'HAS_TAG',
+                    resourceType: 'catalog-entity',
+                    params: { tag: 'test' },
+                  },
+                ],
+              },
+            ],
+          },
+        ],
+      },
+      roleEntityRef: 'role:default/rbac_admin',
+      permissionMapping: ['read', 'delete', 'update'],
+    },
+    {
+      id: 4,
+      result: AuthorizeResult.CONDITIONAL,
+      pluginId: 'catalog',
+      resourceType: 'catalog-entity',
+      conditions: {
+        not: {
+          rule: 'HAS_LABEL',
+          resourceType: 'catalog-entity',
+          params: { label: 'temp' },
+        },
+      },
+      roleEntityRef: 'role:default/rbac_admin',
+      permissionMapping: ['delete', 'update'],
+    },
+    {
+      id: 5,
+      result: AuthorizeResult.CONDITIONAL,
+      pluginId: 'scaffolder',
+      resourceType: 'scaffolder-template',
+      conditions: {
+        not: {
+          anyOf: [
+            {
+              rule: 'HAS_TAG',
+              resourceType: 'scaffolder-template',
+              params: { tag: 'dev' },
+            },
+            {
+              rule: 'HAS_TAG',
+              resourceType: 'scaffolder-template',
+              params: { tag: 'test' },
+            },
+          ],
+        },
+      },
+      roleEntityRef: 'role:default/rbac_admin',
+      permissionMapping: ['read'],
+    },
   ];

plugins/rbac/src/components/ConditionalAccess/AddNestedConditionButton.tsx

@@ -0,0 +1,36 @@
+import React from 'react';
+
+import { Box } from '@material-ui/core';
+import Tooltip from '@material-ui/core/Tooltip';
+import HelpOutlineIcon from '@material-ui/icons/HelpOutline';
+
+export const AddNestedConditionButton = () => {
+  const tooltipTitle = () => (
+    <div>
+      <p style={{ textAlign: 'center' }}>
+        Nested conditions are <b>1 layer rules within a main condition</b>. It
+        lets you allow appropriate access by using detailed permissions based on
+        various conditions. You can add multiple nested conditions.
+      </p>
+      <p style={{ textAlign: 'center' }}>
+        For example, you can allow access to all entity types in the main
+        condition and use a nested condition to limit the access to entities
+        owned by the user.
+      </p>
+    </div>
+  );
+  return (
+    <Box
+      style={{
+        display: 'flex',
+        justifyContent: 'center',
+        alignItems: 'center',
+      }}
+    >
+      <span>Add Nested Condition</span>
+      <Tooltip title={tooltipTitle()} placement="top">
+        <HelpOutlineIcon fontSize="inherit" style={{ marginLeft: '0.25rem' }} />
+      </Tooltip>
+    </Box>
+  );
+};