Fine-grained authorization support (razee-io#1333)
* config/channel support

* lint

* cluster support

* common/cluster resolver support

* channel(s) update

* channel - lint fix

* cluster.js - iam auth implementation

* cluster.js - lint fix

* cluster - queryField logging

* cluster.js - logging improvement

* channel - iam auth implementation and logging improvement

* group support

* group - updates

* common - getAllowedGroups

* group - lint update

* group - cluster.attach to read

* audit fix

* audit-ci - extend until friday

* subscription support

* subscription - remove error causing auth

* add local-dev test scripts

* channel - add caching

* cluster - add caching

* group - add caching

* subscription - add caching

* common - replace filter and find functions with a polymorphic one

* subscription - lint fix

* subscription - lint fix

* subscription - remove auth check for cluster

* remove outdated allowList and artifactory packages

* deactivate allowList

* resolver review changes

* audit-erroring

* audit fix

* audit-ci

* audit-ci

* Revert "audit-ci"

This reverts commit 09ccb11.

* remove semver package

* package-update for audit-ci

* Update app/apollo/resolvers/common.js

Co-authored-by: carrolp <[email protected]>

* remove name from addResource auth

* Update app/apollo/resolvers/common.js

Co-authored-by: carrolp <[email protected]>

* package-update override make-dir

* convert cacheAllAllowed to validAuth

* comment changes

* logging improvements

* lowercase comments

* add missing await

* move validation log locations

* Update app/apollo/resolvers/cluster.js

Co-authored-by: carrolp <[email protected]>

* validating location fix

* extensive resolver authorization rewrite

* rearrange error locations

* put editChannelVersion version placement back to required location

* remove resource(s) from info logs to avoid log spam

* review changes 07/12/23

* editClusterGroup cluster auth

* group comment revisions

* lower auth position for edit/removeChannelVersion

* fix cluster find and mapping

* addSubscription group and channel auth

* subscription auth additions

* Update app/apollo/resolvers/channel.js

Co-authored-by: carrolp <[email protected]>

* Update app/apollo/resolvers/channel.js

* Update app/apollo/resolvers/channel.js

* revert git_ops_validation

* Update app/apollo/resolvers/channel.js

Co-authored-by: carrolp <[email protected]>

* Update app/apollo/resolvers/channel.js

Co-authored-by: carrolp <[email protected]>

* Update app/apollo/resolvers/cluster.js

Co-authored-by: carrolp <[email protected]>

* Update app/apollo/resolvers/subscription.js

Co-authored-by: carrolp <[email protected]>

* Update app/apollo/resolvers/subscription.js

Co-authored-by: carrolp <[email protected]>

* Update app/apollo/resolvers/subscription.js

Co-authored-by: carrolp <[email protected]>

* Update app/apollo/resolvers/group.js

Co-authored-by: carrolp <[email protected]>

* Update app/apollo/resolvers/group.js

Co-authored-by: carrolp <[email protected]>

* Update app/apollo/resolvers/group.js

Co-authored-by: carrolp <[email protected]>

* Update app/apollo/resolvers/group.js

Co-authored-by: carrolp <[email protected]>

* review changes 7/19/23

* add filtering to passed cluster info

* unit tests for groups

* if ungroupCluster or unassignClusterGroups passed clusters empty, continue

* functionality for non-existing passed clusterIds

* adjust comments

* Update app/apollo/resolvers/subscription.js

Co-authored-by: carrolp <[email protected]>

* Update app/apollo/resolvers/subscription.js

Co-authored-by: carrolp <[email protected]>

* review changes 7/20/23

* move channel auth check above group check

* remove unneeded comment

* translations

* Update app/apollo/resolvers/channel.js

Co-authored-by: carrolp <[email protected]>

* Update app/apollo/resolvers/cluster.js

Co-authored-by: carrolp <[email protected]>

* Update app/apollo/resolvers/group.js

Co-authored-by: carrolp <[email protected]>

* Update app/apollo/resolvers/group.js

Co-authored-by: carrolp <[email protected]>

* review changes 7/24/23

* change database operation set to push and pull

* database operation

* comment change

* unit test comment removal

* comment update"

* editClusterGroup review fix

* fine-grained auth unit tests and local fga testing support

* npm install

* prevent FGA tests from running when non-fga model defined

* comment change

* local schema review changes

* review_changes_8-23-23

* fga-unit-test-additions

* change-title

* fga-unit-test-additions-2

* remove for loop

* remove unused var

* change-local-auth-schema-to-array-review-changes

* uuid to name

* Comment fix

* package update

* package update 20230914

* package update 20230915

* fix merge conflicts

---------

Co-authored-by: ethanstjohn <[email protected]>
Co-authored-by: carrolp <[email protected]>
3 people authored Sep 15, 2023
1 parent dae46dd commit 8f1088e
Showing 35 changed files with 3,902 additions and 794 deletions.
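--- a/app/apollo/models/user.local.schema.js
+++ b/app/apollo/models/user.local.schema.js
@@ -1,5 +1,5 @@
 /**
-* Copyright 2020 IBM Corp. All Rights Reserved.
+* Copyright 2020, 2023 IBM Corp. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@ const bcrypt = require('bcrypt');
 const isEmail = require('validator/lib/isEmail');
 const jwt = require('jsonwebtoken');
 const mongoose = require('mongoose');
+const objectPath = require('object-path');
 const { v4: uuid } = require('uuid');
 const { AuthenticationError, UserInputError, ForbiddenError} = require('apollo-server');
 const _ = require('lodash');
@@ -70,6 +71,34 @@ const UserLocalSchema = new mongoose.Schema({
 role: {
 type: String,
 },
+authorization: {
+cluster: {
+read: [{type: String}],
+attach: [{type: String}],
+detach: [{type: String}],
+register: [{type: String}],
+update: [{type: String}],
+},
+group: {
+manage: [{type: String}],
+read: [{type: String}],
+setversion: [{type: String}],
+},
+channel: {
+create: [{type: String}],
+delete: [{type: String}],
+manageversion: [{type: String}],
+read: [{type: String}],
+update: [{type: String}],
+},
+subscription: {
+create: [{type: String}],
+delete: [{type: String}],
+read: [{type: String}],
+setversion: [{type: String}],
+update: [{type: String}],
+}
+}
 },
 ],
 },
@@ -119,6 +148,7 @@ UserLocalSchema.statics.createUser = async function(models, args) {
 _id: org._id,
 name: org.name,
 role: args.role === 'ADMIN' ? 'ADMIN' : 'READER',
+authorization: args.authorization,
 },
 ],
 },
@@ -299,9 +329,18 @@ UserLocalSchema.statics.isAuthorizedBatch = async function(me, orgId, objectArra
 
 if (orgMeta) {
 const results = objectArray.map( o => {
-if (o.action === ACTIONS.READ) {
-return !!orgMeta;
-} else {
+// If this user has FGA rules for this type+action, use them
+const fineGrainedArray = objectPath.get(orgMeta, `authorization.${o.type}.${o.action}`) || [];
+if( fineGrainedArray.length > 0 ) {
+const attributes = [o.name, o.uuid];
+return attributes.some( a => fineGrainedArray.includes( a ) );
+}
+// If this user does NOT have FGA rules for this type+action, they always have READ if they're in the org
+else if (o.action === ACTIONS.READ) {
+return true;
+}
+// If this user does NOT have FGA rules for this type+action, and it's not READ, they are authorized only if ADMIN
+else {
 return orgMeta.role === 'ADMIN';
 }
 });
@@ -332,9 +371,18 @@ UserLocalSchema.statics.isAuthorized = async function(me, orgId, action, type, a
 if(!orgMeta){
 return false;
 }
-if (action === ACTIONS.READ) {
-return !!orgMeta;
-} else {
+
+// If this user has FGA rules for this type+action, use them
+const fineGrainedArray = objectPath.get(orgMeta, `authorization.${type}.${action}`) || [];
+if( fineGrainedArray.length > 0 ) {
+return attributes.some( a => fineGrainedArray.includes( a ) );
+}
+// If this user does NOT have FGA rules for this type+action, they always have READ if they're in the org
+else if (action === ACTIONS.READ) {
+return true;
+}
+// If this user does NOT have FGA rules for this type+action, and it's not READ, they are authorized only if ADMIN
+else {
 return orgMeta.role === 'ADMIN';
 }
 };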
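Review bot: An absent or empty `authorization.<type>.<action>` list is treated the same as "no FGA rules" (`|| []` followed by `fineGrainedArray.length > 0` in the isAuthorizedBatch hunk), so an operator who clears a user's list to revoke access instead widens it back to the org default (READ for any member, everything for ADMIN); this semantics also means FGA rules, when present, restrict ADMIN users too. That is a reasonable design but it is invisible at the schema, so the `authorization:` field should carry it, e.g. `// empty/absent list = no fine-grained restriction for this type+action; role-based defaults apply (ADMIN included)`. The same decision logic is duplicated verbatim in the isAuthorized hunk below; factoring it into one shared helper (taking orgMeta, type, action and the attribute list) would keep the two from drifting apart. `type` and `action` are presumably constants from the ACTIONS/TYPES enums; if either can ever originate from request input, the dotted path handed to `objectPath.get` should be validated against those enums first. Both enclosing functions, isAuthorizedBatch and isAuthorized, begin outside their hunks.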
225 changes: 129 additions & 96 deletions app/apollo/resolvers/channel.js


