fix(rbac): check source before throwing duplicate warning (#1278)

PatAKnight · web-flow · commit a100eef67983 · 2024-03-07T11:36:44.000Z
diff --git a/plugins/rbac-backend/src/file-permissions/csv.test.ts b/plugins/rbac-backend/src/file-permissions/csv.test.ts
@@ -798,6 +798,17 @@ describe('CSV file', () => {
     let enfDelegate: EnforcerDelegate;
 
     beforeEach(async () => {
+      policyMetadataStorageMock.findPolicyMetadata = jest
+        .fn()
+        .mockImplementation(
+          async (
+            _policy: string[],
+            _trx: Knex.Knex.Transaction,
+          ): Promise<PermissionPolicyMetadata> => {
+            return { source: 'csv-file' };
+          },
+        );
+
       const adapter = new StringAdapter(
         `
           p, user:default/known_user, test.resource.deny, use, allow
@@ -828,6 +839,7 @@ describe('CSV file', () => {
 
     afterEach(() => {
       (loggerMock.warn as jest.Mock).mockReset();
+      (policyMetadataStorageMock.findPolicyMetadata as jest.Mock).mockReset();
     });
 
     it('should add policies from the CSV file', async () => {
@@ -926,6 +938,23 @@ describe('CSV file', () => {
         'role:default/catalog-updater',
       ];
 
+      policyMetadataStorageMock.findPolicyMetadata = jest
+        .fn()
+        .mockImplementation(
+          async (
+            policy: string[],
+            _trx: Knex.Knex.Transaction,
+          ): Promise<PermissionPolicyMetadata> => {
+            if (
+              isEqual(policy, duplicatePolicyEnforcer) ||
+              isEqual(policy, duplicateRoleEnforcer)
+            ) {
+              return { source: 'rest' };
+            }
+            return { source: 'csv-file' };
+          },
+        );
+
       await enfDelegate.addPolicy(duplicatePolicyEnforcer, 'rest');
       await enfDelegate.addGroupingPolicy(duplicateRoleEnforcer, 'rest');
 
@@ -943,7 +972,7 @@ describe('CSV file', () => {
 
       expect(loggerMock.warn).toHaveBeenNthCalledWith(
         1,
-        `Duplicate policy: ${duplicatePolicyEnforcer} found in the file ${errorPolicyFile}`,
+        `Duplicate policy: ${duplicatePolicyEnforcer} found in the file ${errorPolicyFile}, originates from source: rest`,
       );
       expect(loggerMock.warn).toHaveBeenNthCalledWith(
         2,
diff --git a/plugins/rbac-backend/src/service/permission-policy.test.ts b/plugins/rbac-backend/src/service/permission-policy.test.ts
@@ -100,7 +100,19 @@ const policyMetadataStorageMock: PolicyMetadataStorage = {
         return [];
       },
     ),
-  findPolicyMetadata: jest.fn().mockImplementation(),
+  findPolicyMetadata: jest
+    .fn()
+    .mockImplementation(
+      async (
+        _policy: string[],
+        _trx: Knex.Knex.Transaction,
+      ): Promise<PermissionPolicyMetadata> => {
+        const test: PermissionPolicyMetadata = {
+          source: 'csv-file',
+        };
+        return test;
+      },
+    ),
   createPolicyMetadata: jest.fn().mockImplementation(),
   removePolicyMetadata: jest.fn().mockImplementation(),
 };
diff --git a/plugins/rbac-backend/src/service/policies-validation.ts b/plugins/rbac-backend/src/service/policies-validation.ts
@@ -154,7 +154,7 @@ async function validateGroupingPolicy(
   const metadata = await roleMetadataStorage.findRoleMetadata(parent);
   if (metadata && metadata.source !== source && metadata.source !== 'legacy') {
     return new Error(
-      `You could not add user or group to the role created with source ${metadata.source}`,
+      `Group policy is invalid: ${groupPolicy}. You could not add user or group to the role created with source ${metadata.source}`,
     );
   }
   return undefined;
@@ -176,9 +176,12 @@ export async function validateAllPredefinedPolicies(
     }
 
     if (await enforcer.hasPolicy(...policy)) {
-      return new Error(
-        `Duplicate policy: ${policy} found in the file ${preDefinedPoliciesFile}`,
-      );
+      const source = (await enforcer.getMetadata(policy)).source;
+      if (source !== 'csv-file') {
+        return new Error(
+          `Duplicate policy: ${policy} found in the file ${preDefinedPoliciesFile}, originates from source: ${source}`,
+        );
+      }
     }
   }
 
@@ -194,9 +197,12 @@ export async function validateAllPredefinedPolicies(
     }
 
     if (await enforcer.hasGroupingPolicy(...groupPolicy)) {
-      return new Error(
-        `Duplicate role: ${groupPolicy} found in the file ${preDefinedPoliciesFile}`,
-      );
+      const source = (await enforcer.getMetadata(groupPolicy)).source;
+      if (source !== 'csv-file') {
+        return new Error(
+          `Duplicate role: ${groupPolicy} found in the file ${preDefinedPoliciesFile}, originates from source: ${source}`,
+        );
+      }
     }
   }
   return undefined;

Original file line number	Diff line number	Diff line change
`@@ -154,7 +154,7 @@ async function validateGroupingPolicy(`
`154`	`154`	`const metadata = await roleMetadataStorage.findRoleMetadata(parent);`
`155`	`155`	`if (metadata && metadata.source !== source && metadata.source !== 'legacy') {`
`156`	`156`	`return new Error(`
`157`		- `You could not add user or group to the role created with source ${metadata.source}`,
	`157`	+ `Group policy is invalid: ${groupPolicy}. You could not add user or group to the role created with source ${metadata.source}`,
`158`	`158`	`);`
`159`	`159`	`}`
`160`	`160`	`return undefined;`
`@@ -176,9 +176,12 @@ export async function validateAllPredefinedPolicies(`
`176`	`176`	`}`
`177`	`177`
`178`	`178`	`if (await enforcer.hasPolicy(...policy)) {`
`179`		`- return new Error(`
`180`		- `Duplicate policy: ${policy} found in the file ${preDefinedPoliciesFile}`,
`181`		`- );`
	`179`	`+ const source = (await enforcer.getMetadata(policy)).source;`
	`180`	`+ if (source !== 'csv-file') {`
	`181`	`+ return new Error(`
	`182`	+ `Duplicate policy: ${policy} found in the file ${preDefinedPoliciesFile}, originates from source: ${source}`,
	`183`	`+ );`
	`184`	`+ }`
`182`	`185`	`}`
`183`	`186`	`}`
`184`	`187`
`@@ -194,9 +197,12 @@ export async function validateAllPredefinedPolicies(`
`194`	`197`	`}`
`195`	`198`
`196`	`199`	`if (await enforcer.hasGroupingPolicy(...groupPolicy)) {`
`197`		`- return new Error(`
`198`		- `Duplicate role: ${groupPolicy} found in the file ${preDefinedPoliciesFile}`,
`199`		`- );`
	`200`	`+ const source = (await enforcer.getMetadata(groupPolicy)).source;`
	`201`	`+ if (source !== 'csv-file') {`
	`202`	`+ return new Error(`
	`203`	+ `Duplicate role: ${groupPolicy} found in the file ${preDefinedPoliciesFile}, originates from source: ${source}`,
	`204`	`+ );`
	`205`	`+ }`
`200`	`206`	`}`
`201`	`207`	`}`
`202`	`208`	`return undefined;`