Add acl permission related functions (opensearch-project#65)
* Add acl permission check functions

Signed-off-by: gaobinlong <[email protected]>

* Refactor some code

Signed-off-by: gaobinlong <[email protected]>

* Optimize some code

Signed-off-by: gaobinlong <[email protected]>

* Refactor acl

Signed-off-by: gaobinlong <[email protected]>

* Modify index mapping definition code

Signed-off-by: gaobinlong <[email protected]>

* Optimize code

Signed-off-by: gaobinlong <[email protected]>

* Optimize code

Signed-off-by: gaobinlong <[email protected]>

---------

Signed-off-by: gaobinlong <[email protected]>
gaobinlong authored and ruanyl committed Sep 15, 2023
1 parent 55dca3e commit 5649e4f
Showing 4 changed files with 453 additions and 0 deletions.
Expand Up @@ -36,6 +36,7 @@ import crypto from 'crypto';
import { cloneDeep, mapValues } from 'lodash';
import {
IndexMapping,
SavedObjectsFieldMapping,
SavedObjectsMappingProperties,
SavedObjectsTypeMappingDefinitions,
} from './../../mappings';
Expand Down Expand Up @@ -137,6 +138,16 @@ function findChangedProp(actual: any, expected: any) {
* @returns {IndexMapping}
*/
function defaultMapping(): IndexMapping {
const principals: SavedObjectsFieldMapping = {
properties: {
users: {
type: 'keyword',
},
groups: {
type: 'keyword',
},
},
};
return {
dynamic: 'strict',
properties: {
Expand Down Expand Up @@ -178,6 +189,15 @@ function defaultMapping(): IndexMapping {
workspaces: {
type: 'keyword',
},
permissions: {
properties: {
read: principals,
write: principals,
management: principals,
library_read: principals,
library_write: principals,
},
},
},
};
}
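--- a/src/core/server/saved_objects/permission_control/acl.test.ts
+++ b/src/core/server/saved_objects/permission_control/acl.test.ts
@@ -0,0 +1,164 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { PermissionMode } from '../../../../core/utils/constants';
+import { Principals, Permissions, ACL } from './acl';
+
+describe('SavedObjectTypeRegistry', () => {
+let acl: ACL;
+
+it('test has permission', () => {
+const principals: Principals = {
+users: ['user1'],
+groups: [],
+};
+const permissions: Permissions = {
+read: principals,
+};
+acl = new ACL(permissions);
+expect(
+acl.hasPermission([PermissionMode.Read], {
+users: ['user1'],
+groups: [],
+})
+).toEqual(true);
+expect(
+acl.hasPermission([PermissionMode.Read], {
+users: ['user2'],
+groups: [],
+})
+).toEqual(false);
+});
+
+it('test add permission', () => {
+acl = new ACL();
+const result1 = acl
+.addPermission([PermissionMode.Read], {
+users: ['user1'],
+groups: [],
+})
+.getPermissions();
+expect(result1?.read?.users).toEqual(['user1']);
+
+acl.resetPermissions();
+const result2 = acl
+.addPermission([PermissionMode.Write, PermissionMode.Management], {
+users: ['user2'],
+groups: ['group1', 'group2'],
+})
+.getPermissions();
+expect(result2?.write?.users).toEqual(['user2']);
+expect(result2?.management?.groups).toEqual(['group1', 'group2']);
+});
+
+it('test remove permission', () => {
+const principals1: Principals = {
+users: ['user1'],
+groups: ['group1', 'group2'],
+};
+const permissions1 = {
+read: principals1,
+write: principals1,
+};
+acl = new ACL(permissions1);
+const result1 = acl
+.removePermission([PermissionMode.Read], {
+users: ['user1'],
+groups: [],
+})
+.removePermission([PermissionMode.Write], {
+users: [],
+groups: ['group2'],
+})
+.getPermissions();
+expect(result1?.read?.users).toEqual([]);
+expect(result1?.write?.groups).toEqual(['group1']);
+
+const principals2: Principals = {
+users: ['*'],
+groups: ['*'],
+};
+
+const permissions2 = {
+read: principals2,
+write: principals2,
+};
+
+acl = new ACL(permissions2);
+const result2 = acl
+.removePermission([PermissionMode.Read, PermissionMode.Write], {
+users: ['user1'],
+groups: ['group1'],
+})
+.getPermissions();
+expect(result2?.read?.users).toEqual(['*']);
+expect(result2?.write?.groups).toEqual(['*']);
+});
+
+it('test transform permission', () => {
+const principals: Principals = {
+users: ['user1'],
+groups: ['group1', 'group2'],
+};
+const permissions = {
+read: principals,
+write: principals,
+};
+acl = new ACL(permissions);
+const result = acl.transformPermissions();
+expect(result?.length).toEqual(3);
+});
+
+it('test genereate query DSL', () => {
+const principals = {
+users: ['user1'],
+groups: ['group1'],
+};
+const result = ACL.genereateGetPermittedSavedObjectsQueryDSL(
+PermissionMode.Read,
+principals,
+'workspace'
+);
+expect(result).toEqual({
+query: {
+bool: {
+filter: [
+{
+bool: {
+should: [
+{
+terms: {
+'permissions.read.users': ['user1'],
+},
+},
+{
+term: {
+'permissions.read.users': '*',
+},
+},
+{
+terms: {
+'permissions.read.groups': ['group1'],
+},
+},
+{
+term: {
+'permissions.read.groups': '*',
+},
+},
+],
+},
+},
+{
+terms: {
+type: ['workspace'],
+},
+},
+],
+},
+},
+});
+});
+});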
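Review bot: The `hasPermission` coverage in 'test has permission' only exercises an exact user match, so the two cases that matter most for an access check are untested: an ACL constructed with no permissions (`new ACL()`) must deny, and the `'*'` principal that the remove and query-DSL tests treat as a wildcard must grant if that is also the in-memory semantics. I would add `expect(new ACL().hasPermission([PermissionMode.Read], { users: ['user1'], groups: [] })).toEqual(false);` and, if `'*'` is meant to match any principal in `hasPermission` (I cannot confirm this from acl.ts, which is outside this page), a matching positive assertion on `{ read: { users: ['*'], groups: [] } }`. The 'test transform permission' case asserts only `result?.length`, which would pass for any three entries; asserting the transformed entries themselves would pin the contract. Also, the suite is named `describe('SavedObjectTypeRegistry', …)` although it tests `ACL`, and the test title `'test genereate query DSL'` carries the same typo as the `genereateGetPermittedSavedObjectsQueryDSL` method it calls, which can only be fixed together with acl.ts.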