WIP: feat(rbac): pattern on rbac policy objects

Motivation: There is no way to capture multiple objects in a single policy today and match against it. The outcome is that policies for basic permission, where the objects are not catalog entities, are not fine grained. Either you have permission on an action on all the category, or not at all. For example the workflows that the orchestrator plugin exposes are not a catalog entity. They only have a workflow ID the plugin exposes and there is no way today to deny or allow some of the workflows usage. It has today this permission: orchestrator.workflow.read, read, allow Modification: The only modification for the rbac plugin is to use a regexp match: [matchers] m = g(r.sub, p.sub) && regexMatch(r.obj, p.obj) && r.act == p.act Result: With this change we have the permission be matched by a regexp: orchestrator.workflow , read, allow // catches all workflow orchestrator.workflow.banned ,read, deny // catches banned workflow Resolves: #2025 Signed-off-by: Roy Golan <[email protected]>
janus-idp · Sep 13, 2024 · 5289c2a · 5289c2a
1 parent 5291d32
commit 5289c2a
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 11 deletions.
diff --git a/plugins/orchestrator-backend/src/service/router.ts b/plugins/orchestrator-backend/src/service/router.ts
@@ -14,6 +14,7 @@ import { DiscoveryApi } from '@backstage/core-plugin-api';
 import {
   AuthorizeResult,
   BasicPermission,
+  createPermission,
 } from '@backstage/plugin-permission-common';
 import { createPermissionIntegrationRouter } from '@backstage/plugin-permission-node';
 import { JsonObject, JsonValue } from '@backstage/types';
@@ -352,7 +353,10 @@ function setupInternalRoutes(
 
       const decision = await authorize(
         _req,
-        orchestratorWorkflowReadPermission,
+        createPermission({
+          name: 'orchestrator.workflow.' + workflowId,
+          attributes: { action: 'read' },
+        }),
         permissions,
         httpAuth,
       );
@@ -393,7 +397,10 @@ function setupInternalRoutes(
 
       const decision = await authorize(
         req,
-        orchestratorWorkflowExecutePermission,
+        createPermission({
+          name: 'orchestrator.workflow.' + workflowId,
+          attributes: {},
+        }),
         permissions,
         httpAuth,
       );
@@ -439,7 +446,10 @@ function setupInternalRoutes(
 
       const decision = await authorize(
         _req,
-        orchestratorWorkflowReadPermission,
+        createPermission({
+          name: 'orchestrator.workflow.' + workflowId,
+          attributes: { action: 'read' },
+        }),
         permissions,
         httpAuth,
       );
@@ -473,7 +483,10 @@ function setupInternalRoutes(
 
     const decision = await authorize(
       req,
-      orchestratorWorkflowReadPermission,
+      createPermission({
+        name: 'orchestrator.workflow.' + workflowId,
+        attributes: { action: 'read' },
+      }),
       permissions,
       httpAuth,
     );
@@ -676,7 +689,10 @@ function setupInternalRoutes(
       });
       const decision = await authorize(
         req,
-        orchestratorWorkflowInstanceReadPermission,
+        createPermission({
+          name: 'orchestrator.workflow.' + workflowId,
+          attributes: { action: 'read' },
+        }),
         permissions,
         httpAuth,
       );
@@ -929,7 +945,7 @@ function setupInternalRoutes(
 
     const decision = await authorize(
       req,
-      orchestratorWorkflowExecutePermission,
+      createPermission({ name: 'orchestrator.workflow', attributes: {} }),
       permissions,
       httpAuth,
     );

diff --git a/plugins/orchestrator/docs/rbac-policy.csv b/plugins/orchestrator/docs/rbac-policy.csv
@@ -1,11 +1,15 @@
 p, role:default/workflowViewer, orchestrator.workflowInstances.read, read, allow
 p, role:default/workflowViewer, orchestrator.workflowInstance.read, read, allow
 
-p, role:default/workflowAdmin, orchestrator.workflow.read, read, allow
-p, role:default/workflowAdmin, orchestrator.workflow.execute, use, allow
+p, role:default/workflowAdmin, orchestrator.workflow, read, allow
+p, role:default/workflowAdmin, orchestrator.workflow.hello_world, read, deny 
+
+p, role:default/workflowAdmin, orchestrator.workflow, use, allow
+p, role:default/workflowAdmin, orchestrator.workflow.ansible, use, deny
+
 p, role:default/workflowAdmin, orchestrator.workflowInstance.abort, use, allow
 p, role:default/workflowAdmin, orchestrator.workflowInstances.read, read, allow
 p, role:default/workflowAdmin, orchestrator.workflowInstance.read, read, allow
 
 g, user:default/guest, role:default/workflowViewer
-g, user:default/rgolangh, role:default/workflowAdmin
+g, user:development/guest, role:default/workflowAdmin
diff --git a/plugins/rbac-backend/src/service/enforcer-delegate.ts b/plugins/rbac-backend/src/service/enforcer-delegate.ts
@@ -452,7 +452,9 @@ export class EnforcerDelegate implements RoleEventEmitter<RoleEvents> {
 
     await tempEnforcer.loadFilteredPolicy(filter);
 
-    return await tempEnforcer.enforce(entityRef, resourceType, action);
+    // this is a workaround because the tempEnforcer doesn't work with the regexpMatch probably because the policy filtering.
+    //return await tempEnforcer.enforce(entityRef, resourceType, action);
+    return await this.enforcer.enforce(entityRef, resourceType, action);
   }
 
   async getImplicitPermissionsForUser(user: string): Promise<string[][]> {

diff --git a/plugins/rbac-backend/src/service/permission-model.ts b/plugins/rbac-backend/src/service/permission-model.ts
@@ -12,5 +12,5 @@ e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
 g = _, _
 
 [matchers]
-m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
+m = g(r.sub, p.sub) && regexMatch(r.obj, p.obj) && r.act == p.act
 `;