fix(rbac): enable create button for default role:default/rbac_admin (#…

…1137) Signed-off-by: Oleksandr Andriienko <[email protected]>
janus-idp · Jan 30, 2024 · 9926463 · 9926463
1 parent 7d0cb4f
commit 9926463
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 11 deletions.
diff --git a/plugins/rbac-backend/src/service/permission-policy.test.ts b/plugins/rbac-backend/src/service/permission-policy.test.ts
@@ -24,6 +24,8 @@ import { MODEL } from './permission-model';
 import { RBACPermissionPolicy } from './permission-policy';
 import { BackstageRoleManager } from './role-manager';
 
+type PermissionAction = 'create' | 'read' | 'update' | 'delete';
+
 const catalogApi = {
   getEntityAncestors: jest.fn().mockImplementation(),
   getLocationById: jest.fn().mockImplementation(),
@@ -345,16 +347,49 @@ describe('RBACPermissionPolicy Tests', () => {
     });
 
     // Tests for admin added through app config
-    it('should allow access to permission resource for admin added through app config', async () => {
-      const decision = await policy.handle(
-        newPolicyQueryWithResourcePermission(
-          'policy-entity.read',
-          'policy-entity',
-          'read',
-        ),
-        newIdentityResponse('user:default/guest'),
-      );
-      expect(decision.result).toBe(AuthorizeResult.ALLOW);
+    it('should allow access to permission resources for admin added through app config', async () => {
+      const adminPerm: {
+        name: string;
+        resource: string;
+        action: PermissionAction;
+      }[] = [
+        {
+          name: 'policy.entity.read',
+          resource: 'policy-entity',
+          action: 'read',
+        },
+        {
+          name: 'policy.entity.create',
+          resource: 'policy-entity',
+          action: 'create',
+        },
+        {
+          name: 'policy.entity.update',
+          resource: 'policy-entity',
+          action: 'update',
+        },
+        {
+          name: 'policy.entity.delete',
+          resource: 'policy-entity',
+          action: 'delete',
+        },
+        {
+          name: 'catalog.entity.read',
+          resource: 'catalog-entity',
+          action: 'read',
+        },
+      ];
+      for (const perm of adminPerm) {
+        const decision = await policy.handle(
+          newPolicyQueryWithResourcePermission(
+            perm.name,
+            perm.resource,
+            perm.action,
+          ),
+          newIdentityResponse('user:default/guest'),
+        );
+        expect(decision.result).toBe(AuthorizeResult.ALLOW);
+      }
     });
   });
 });
@@ -988,7 +1023,7 @@ function newPolicyQueryWithBasicPermission(name: string): PolicyQuery {
 function newPolicyQueryWithResourcePermission(
   name: string,
   resource: string,
-  action: 'create' | 'read' | 'update' | 'delete',
+  action: PermissionAction,
 ): PolicyQuery {
   const mockPermission = createPermission({
     name: name,

diff --git a/plugins/rbac-backend/src/service/permission-policy.ts b/plugins/rbac-backend/src/service/permission-policy.ts
@@ -60,6 +60,17 @@ const useAdmins = async (admins: Config[], enf: Enforcer) => {
   if (!(await enf.hasPolicy(...adminUpdatePermission))) {
     await enf.addPolicy(...adminUpdatePermission);
   }
+
+  // needed for rbac frontend.
+  const adminCatalogReadPermission = [
+    adminRoleName,
+    'catalog-entity',
+    'read',
+    'allow',
+  ];
+  if (!(await enf.hasPolicy(...adminCatalogReadPermission))) {
+    await enf.addPolicy(...adminCatalogReadPermission);
+  }
 };
 
 const addPredefinedPoliciesAndGroupPolicies = async (