

fix: map RBAC to ABAC
adityathebe authored and moshloop committed Jan 17, 2025
1 parent e1e89b6 commit ef93fbf
Showing 1 changed file with 29 additions and 12 deletions.
41 changes: 29 additions & 12 deletions rbac/adapter/permission.go
Expand Up @@ -10,11 +10,12 @@ import (
gormadapter "github.com/casbin/gorm-adapter/v3"
"github.com/flanksource/commons/collections"
"github.com/flanksource/duty/models"
"github.com/samber/lo"
"gorm.io/gorm"
"gorm.io/gorm/clause"

v1 "github.com/flanksource/incident-commander/api/v1"
"github.com/flanksource/incident-commander/rbac/policy"
pkgPolicy "github.com/flanksource/incident-commander/rbac/policy"
)

type PermissionAdapter struct {
Expand Down Expand Up @@ -74,28 +75,44 @@ func (a *PermissionAdapter) LoadPolicy(model model.Model) error {

func PermissionToCasbinRule(permission models.Permission) [][]string {
var policies [][]string

patterns := strings.Split(permission.Action, ",")
for _, action := range policy.AllActions {

for _, action := range pkgPolicy.AllActions {
if !collections.MatchItems(action, patterns...) {
continue
}

policy := []string{
"p",
permission.Principal(),
permission.GetObject(),
action,
permission.Effect(),
permission.Condition(),
permission.ID.String(),
policies = append(policies, createPolicy(permission, action))

if shouldMapToABAC(permission, action) {
abacPermission := permission
abacPermission.Object = ""
abacPermission.ObjectSelector = []byte(`{"playbooks": [{"name":"*"}]}`)
policies = append(policies, createPolicy(abacPermission, action))
}
policies = append(policies, policy)
}

return policies
}

// createPolicy generates a Casbin policy rule from a permission.
func createPolicy(permission models.Permission, action string) []string {
return []string{
"p",
permission.Principal(),
permission.GetObject(),
action,
permission.Effect(),
permission.Condition(),
permission.ID.String(),
}
}

func shouldMapToABAC(permission models.Permission, action string) bool {
return permission.Object == pkgPolicy.ObjectPlaybooks &&
lo.Contains([]string{pkgPolicy.ActionPlaybookRun, pkgPolicy.ActionPlaybookApprove}, action)
}

func (a *PermissionAdapter) permissionGroupToCasbinRule(permission models.PermissionGroup) ([][]string, error) {
var subject v1.PermissionGroupSubjects
if err := json.Unmarshal(permission.Selectors, &subject); err != nil {
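Review bot: shouldMapToABAC is the security-relevant part of this change — it turns a plain RBAC grant on the playbooks object into a second rule whose selector matches every playbook by name — yet it is the one new function without a doc comment, while createPolicy has one. I would add `// shouldMapToABAC reports whether an RBAC rule on the playbooks object must also be emitted as an ABAC rule with a wildcard playbook selector, so playbook:run and playbook:approve grants apply under selector-based checks; the extra rule carries the same effect and ID as the original.` (the same-effect/same-ID part is visible in createPolicy; the purpose is inferred from the selector literal, so confirm the wording). The inline `{"playbooks": [{"name":"*"}]}` literal would be easier to audit as a named package-level constant (e.g. `allPlaybooksSelector`) than a string buried in the loop body. `lo.Contains([]string{...}, action)` builds a slice on every iteration of the AllActions loop; `return permission.Object == pkgPolicy.ObjectPlaybooks && (action == pkgPolicy.ActionPlaybookRun || action == pkgPolicy.ActionPlaybookApprove)` is allocation-free and reads the same. permissionGroupToCasbinRule continues outside the hunk.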
