feat(rbac): support for adding conditional permissions

Author: divyanshiGupta

packages/backend/package.json

@@ -38,7 +38,7 @@
     "@backstage/plugin-search-backend-module-pg": "^0.5.25",
     "@backstage/plugin-search-backend-node": "^1.2.20",
     "@backstage/plugin-techdocs-backend": "^1.10.3",
-    "@janus-idp/backstage-plugin-rbac-backend": "^2.4.1",
+    "@janus-idp/backstage-plugin-rbac-backend": "^2.7.0",
     "@backstage/plugin-catalog-backend-module-scaffolder-entity-model": "^0.1.14",
     "@backstage/plugin-search-backend-module-catalog": "^0.1.21",
     "@backstage/plugin-search-backend-module-techdocs": "^0.1.21",

plugins/rbac/dev/index.tsx

@@ -19,7 +19,7 @@ import { mockPermissionPolicies } from '../src/__fixtures__/mockPermissionPolici
 import { mockPolicies } from '../src/__fixtures__/mockPolicies';
 import { RBACAPI, rbacApiRef } from '../src/api/RBACBackendClient';
 import { RbacPage, rbacPlugin } from '../src/plugin';
-import { MemberEntity } from '../src/types';
+import { MemberEntity, RoleBasedConditions } from '../src/types';
 
 class MockPermissionApi implements PermissionApi {
   readonly result;
@@ -113,6 +113,12 @@ class MockRBACApi implements RBACAPI {
   async getPluginsConditionRules(): Promise<any | Response> {
     return mockConditionRules;
   }
+
+  async createConditionalPermission(
+    _conditionalPermission: RoleBasedConditions,
+  ): Promise<Response> {
+    return { status: 200 } as Response;
+  }
 }
 
 const mockPermissionApi = new MockPermissionApi({ result: 'ALLOW' });

plugins/rbac/package.json

@@ -31,6 +31,7 @@
     "@backstage/core-plugin-api": "^1.9.1",
     "@backstage/plugin-catalog": "^1.18.2",
     "@backstage/plugin-catalog-common": "^1.0.22",
+    "@backstage/plugin-permission-common": "^0.7.13",
     "@backstage/plugin-permission-react": "^0.4.21",
     "@backstage/theme": "^0.5.2",
     "@janus-idp/backstage-plugin-rbac-common": "1.4.1",
@@ -40,6 +41,10 @@
     "@material-ui/lab": "^4.0.0-alpha.45",
     "@mui/icons-material": "5.14.11",
     "@mui/material": "^5.14.18",
+    "@rjsf/core": "^5.18.2",
+    "@rjsf/mui": "^5.18.2",
+    "@rjsf/utils": "^5.18.2",
+    "@rjsf/validator-ajv8": "^5.18.2",
     "autosuggest-highlight": "^3.3.4",
     "formik": "^2.4.5",
     "react-use": "^17.4.0",

plugins/rbac/src/__fixtures__/mockPermissionPolicies.ts

@@ -7,6 +7,7 @@ export const mockPermissionPolicies: PermissionPolicy[] = [
       {
         permission: 'catalog-entity',
         policy: 'read',
+        isResourced: true,
       },
       {
         permission: 'catalog.entity.create',
@@ -15,10 +16,12 @@ export const mockPermissionPolicies: PermissionPolicy[] = [
       {
         permission: 'catalog-entity',
         policy: 'delete',
+        isResourced: true,
       },
       {
         permission: 'catalog-entity',
         policy: 'update',
+        isResourced: true,
       },
       {
         permission: 'catalog.location.read',
@@ -40,14 +43,17 @@ export const mockPermissionPolicies: PermissionPolicy[] = [
       {
         permission: 'scaffolder-template',
         policy: 'read',
+        isResourced: true,
       },
       {
         permission: 'scaffolder-template',
         policy: 'read',
+        isResourced: true,
       },
       {
         permission: 'scaffolder-action',
         policy: 'use',
+        isResourced: true,
       },
     ],
   },

plugins/rbac/src/__fixtures__/mockTransformedConditionRules.ts

@@ -0,0 +1,30 @@
+import { ConditionRulesData } from '../components/ConditionalAccess/types';
+import { mockConditionRules } from './mockConditionRules';
+
+export const mockTransformedConditionRules: ConditionRulesData = {
+  catalog: {
+    'catalog-entity': {
+      HAS_ANNOTATION: {
+        description: mockConditionRules[0].rules[0].description,
+        schema: mockConditionRules[0].rules[0].paramsSchema,
+      },
+      HAS_LABEL: {
+        description: mockConditionRules[0].rules[1].description,
+        schema: mockConditionRules[0].rules[1].paramsSchema,
+      },
+      rules: [
+        mockConditionRules[0].rules[0].name,
+        mockConditionRules[0].rules[1].name,
+      ],
+    },
+  },
+  scaffolder: {
+    'scaffolder-template': {
+      HAS_TAG: {
+        description: mockConditionRules[1].rules[0].description,
+        schema: mockConditionRules[1].rules[0].paramsSchema,
+      },
+      rules: [mockConditionRules[1].rules[0].name],
+    },
+  },
+};

plugins/rbac/src/api/RBACBackendClient.ts

@@ -10,7 +10,12 @@ import {
   RoleBasedPolicy,
 } from '@janus-idp/backstage-plugin-rbac-common';
 
-import { MemberEntity, RoleError } from '../types';
+import {
+  MemberEntity,
+  PluginConditionRules,
+  RoleBasedConditions,
+  RoleError,
+} from '../types';
 import { getKindNamespaceName } from '../utils/rbac-utils';
 
 // @public
@@ -37,7 +42,10 @@ export type RBACAPI = {
     entityReference: string,
     polices: RoleBasedPolicy[],
   ) => Promise<RoleError | Response>;
-  getPluginsConditionRules: () => Promise<any | Response>;
+  getPluginsConditionRules: () => Promise<PluginConditionRules[] | Response>;
+  createConditionalPermission: (
+    conditionalPermission: RoleBasedConditions,
+  ) => Promise<RoleError | Response>;
 };
 
 export type Options = {
@@ -331,4 +339,27 @@ export class RBACBackendClient implements RBACAPI {
     }
     return jsonResponse.json();
   }
+
+  async createConditionalPermission(
+    conditionalPermission: RoleBasedConditions,
+  ) {
+    const { token: idToken } = await this.identityApi.getCredentials();
+    const backendUrl = this.configApi.getString('backend.baseUrl');
+    const jsonResponse = await fetch(
+      `${backendUrl}/api/permission/roles/conditions`,
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          Accept: 'application/json',
+          ...(idToken && { Authorization: `Bearer ${idToken}` }),
+        },
+        body: JSON.stringify(conditionalPermission),
+      },
+    );
+    if (jsonResponse.status !== 200 && jsonResponse.status !== 201) {
+      return jsonResponse.json();
+    }
+    return jsonResponse;
+  }
 }

plugins/rbac/src/components/ConditionalAccess/ConditionalAccessSidebar.tsx

@@ -3,14 +3,16 @@ import React from 'react';
 import { makeStyles } from '@material-ui/core';
 import CloseIcon from '@mui/icons-material/Close';
 import Box from '@mui/material/Box';
-import Button from '@mui/material/Button';
 import Drawer from '@mui/material/Drawer';
 import IconButton from '@mui/material/IconButton';
 import Typography from '@mui/material/Typography';
 
+import { ConditionsForm } from './ConditionsForm';
+import { ConditionsData, RulesData } from './types';
+
 const useDrawerStyles = makeStyles(() => ({
   paper: {
-    width: '40%',
+    width: '50%',
     gap: '3%',
   },
 }));
@@ -27,39 +29,34 @@ const useDrawerContentStyles = makeStyles(theme => ({
     flexDirection: 'row',
     justifyContent: 'space-between',
     alignItems: 'baseline',
-    borderBottom: `2px solid ${theme.palette.border}`,
     padding: theme.spacing(2.5),
+    fontFamily: theme.typography.fontFamily,
   },
-  body: {
-    padding: theme.spacing(2.5),
+  headerSubtitle: {
+    fontWeight: 400,
+    fontFamily: theme.typography.fontFamily,
     paddingTop: theme.spacing(1),
-    paddingBottom: theme.spacing(1),
-    flexGrow: 1,
-  },
-  footer: {
-    display: 'flex',
-    flexDirection: 'row',
-    gap: '15px',
-    alignItems: 'baseline',
-    borderTop: `2px solid ${theme.palette.border}`,
-    padding: theme.spacing(2.5),
   },
 }));
 
 type ConditionalAccessSidebarProps = {
   open: boolean;
   onClose: () => void;
-  selPlugin: string;
-  rules?: any;
-  error?: Error;
+  onSave: (conditions: ConditionsData) => void;
+  onRemoveAll: () => void;
+  selPluginResourceType: string;
+  conditionRulesData?: RulesData;
+  conditionsFormVal?: ConditionsData;
 };
 
 export const ConditionalAccessSidebar = ({
   open,
   onClose,
-  selPlugin,
-  rules,
-  error,
+  onSave,
+  onRemoveAll,
+  selPluginResourceType,
+  conditionRulesData,
+  conditionsFormVal,
 }: ConditionalAccessSidebarProps) => {
   const classes = useDrawerStyles();
   const contentClasses = useDrawerContentStyles();
@@ -75,10 +72,18 @@ export const ConditionalAccessSidebar = ({
       <Box className={contentClasses.sidebar}>
         <Box className={contentClasses.header}>
           <Typography variant="h5">
-            <span style={{ fontWeight: '500' }}>
-              Conditional access for the
-            </span>{' '}
-            {selPlugin} plugin
+            <span style={{ fontWeight: '500' }}>Configure access for the</span>{' '}
+            {selPluginResourceType}
+            <Typography
+              variant="body2"
+              className={contentClasses.headerSubtitle}
+              align="left"
+            >
+              By default, the selected resource type will be visible to the
+              chosen users in step two. If you want to restrict or grant
+              permission to specific plugin resource type rule, select it and
+              add the required parameters.
+            </Typography>
           </Typography>
           <IconButton
             key="dismiss"
@@ -89,30 +94,14 @@ export const ConditionalAccessSidebar = ({
             <CloseIcon fontSize="small" />
           </IconButton>
         </Box>
-        <Box className={contentClasses.body}>
-          {rules ? (
-            <>
-              <Typography variant="body2">Rules</Typography>
-              <ul>
-                {rules.map((rule: any) => (
-                  <li key={rule.name}>{rule.name}</li>
-                ))}
-              </ul>
-            </>
-          ) : (
-            <Typography variant="body2">
-              {error ? error.message : 'No rules found'}
-            </Typography>
-          )}
-        </Box>
-        <Box className={contentClasses.footer}>
-          <Button variant="contained" disabled>
-            Save
-          </Button>{' '}
-          <Button variant="outlined" onClick={onClose}>
-            Cancel
-          </Button>
-        </Box>
+        <ConditionsForm
+          conditionRulesData={conditionRulesData}
+          selPluginResourceType={selPluginResourceType}
+          conditionsFormVal={conditionsFormVal}
+          onClose={onClose}
+          onSave={onSave}
+          onRemoveAll={onRemoveAll}
+        />
       </Box>
     </Drawer>
   );