feat(rbac): load filtered policies before enforcing (#1387)

PatAKnight · web-flow · commit 66980baebd4d · 2024-03-28T14:51:50.000Z
diff --git a/plugins/rbac-backend/src/__fixtures__/data/valid-csv/basic-and-resource-policies.csv b/plugins/rbac-backend/src/__fixtures__/data/valid-csv/basic-and-resource-policies.csv
@@ -0,0 +1,21 @@
+# ========== basic type permission policies ========== #
+# case 1
+p, user:default/known_user, test.resource.deny, use, deny
+# case 2 is about user without listed permissions
+# case 3
+p, user:default/duplicated, test.resource, use, allow
+p, user:default/duplicated, test.resource, use, deny
+# case 4
+p, user:default/known_user, test.resource, use, allow
+# case 5
+unknown user
+
+# ========== resource type permission policies ========== #
+# case 1
+p, user:default/known_user, test-resource-deny, update, deny
+# case 2 is about user without listed permissions
+# case 3
+p, user:default/duplicated, test-resource, update, allow
+p, user:default/duplicated, test-resource, update, deny
+# case 4
+p, user:default/known_user, test-resource, update, allow
diff --git a/plugins/rbac-backend/src/__fixtures__/data/valid-csv/policy-checks.csv b/plugins/rbac-backend/src/__fixtures__/data/valid-csv/policy-checks.csv
@@ -0,0 +1,67 @@
+# basic type permission policies
+### Let's deny 'use' action for 'test.resource' for group:default/data_admin
+p, group:default/data_admin, test.resource, use, deny
+
+# case1:
+# g, user:default/alice, group:default/data_admin
+p, user:default/alice, test.resource, use, allow
+
+# case2:
+# g, user:default/akira, group:default/data_admin
+
+# case3:
+# g, user:default/antey, group:default/data_admin
+p, user:default/antey, test.resource, use, deny
+
+### Let's allow 'use' action for 'test.resource' for group:default/data_read_admin
+p, group:default/data_read_admin, test.resource, use, allow
+
+# case4:
+# g, user:default/julia, group:default/data_read_admin
+p, user:default/julia, test.resource, use, allow
+
+# case5:
+# g, user:default/mike, group:default/data_read_admin
+
+# case6:
+# g, user:default/tom, group:default/data_read_admin
+p, user:default/tom, test.resource, use, deny
+
+
+# resource type permission policies
+### Let's deny 'read' action for 'test.resource' permission for group:default/data_admin
+p, group:default/data_admin, test-resource, read, deny
+
+# case1:
+# g, user:default/alice, group:default/data_admin
+p, user:default/alice, test-resource, read, allow
+
+# case2:
+# g, user:default/akira, group:default/data_admin
+
+# case3:
+# g, user:default/antey, group:default/data_admin
+p, user:default/antey, test-resource, read, deny
+
+### Let's allow 'read' action for 'test-resource' permission for group:default/data_read_admin
+p, group:default/data_read_admin, test-resource, read, allow
+
+# case4:
+# g, user:default/julia, group:default/data_read_admin
+p, user:default/julia, test-resource, read, allow
+
+# case5:
+# g, user:default/mike, group:default/data_read_admin
+
+# case6:
+# g, user:default/tom, group:default/data_read_admin
+p, user:default/tom, test-resource, read, deny
+
+
+# group inheritance:
+# g, group:default/data-read-admin, group:default/data_parent_admin
+# and we know case5:
+# g, user:default/mike, data-read-admin
+
+p, group:default/data_parent_admin, test.resource.2, use, allow
+p, group:default/data_parent_admin, test-resource, create, allow
diff --git a/plugins/rbac-backend/src/service/enforcer-delegate.ts b/plugins/rbac-backend/src/service/enforcer-delegate.ts
@@ -1,6 +1,6 @@
 import { NotAllowedError, NotFoundError } from '@backstage/errors';
 
-import { Enforcer } from 'casbin';
+import { Enforcer, newEnforcer, newModelFromString } from 'casbin';
 import { Knex } from 'knex';
 
 import {
@@ -17,6 +17,7 @@ import {
   RoleMetadataStorage,
 } from '../database/role-metadata';
 import { policiesToString, policyToString } from '../helper';
+import { MODEL } from './permission-model';
 
 export class EnforcerDelegate {
   constructor(
@@ -534,7 +535,26 @@ export class EnforcerDelegate {
     resourceType: string,
     action: string,
   ): Promise<boolean> {
-    return await this.enforcer.enforce(entityRef, resourceType, action);
+    const filter = [
+      {
+        ptype: 'p',
+        v1: resourceType,
+        v2: action,
+      },
+      {
+        ptype: 'g',
+        v0: entityRef,
+      },
+    ];
+
+    const adapt = this.enforcer.getAdapter();
+    const roleManager = this.enforcer.getRoleManager();
+    const tempEnforcer = await newEnforcer(newModelFromString(MODEL), adapt);
+    tempEnforcer.setRoleManager(roleManager);
+
+    await tempEnforcer.loadFilteredPolicy(filter);
+
+    return await tempEnforcer.enforce(entityRef, resourceType, action);
   }
 
   async getMetadata(policy: string[]): Promise<PermissionPolicyMetadata> {
@@ -609,4 +629,8 @@ export class EnforcerDelegate {
   async getImplicitPermissionsForUser(user: string): Promise<string[][]> {
     return this.enforcer.getImplicitPermissionsForUser(user);
   }
+
+  async getAllRoles(): Promise<string[]> {
+    return this.enforcer.getAllRoles();
+  }
 }
diff --git a/plugins/rbac-backend/src/service/permission-policy.test.ts b/plugins/rbac-backend/src/service/permission-policy.test.ts
