From 69d7e6590c2854e752537e82d03a1bcdce9b13fb Mon Sep 17 00:00:00 2001 From: gaobinlong Date: Thu, 3 Aug 2023 15:22:32 +0800 Subject: [PATCH] Add acl permission related functions (#65) * Add acl permission check functions Signed-off-by: gaobinlong * Refactor some code Signed-off-by: gaobinlong * Optimize some code Signed-off-by: gaobinlong * Refactor acl Signed-off-by: gaobinlong * Modify index mapping definition code Signed-off-by: gaobinlong * Optimize code Signed-off-by: gaobinlong * Optimize code Signed-off-by: gaobinlong --------- Signed-off-by: gaobinlong --- .../migrations/core/build_active_mappings.ts | 20 ++ .../permission_control/acl.test.ts | 164 +++++++++++ .../saved_objects/permission_control/acl.ts | 264 ++++++++++++++++++ src/core/utils/constants.ts | 5 + 4 files changed, 453 insertions(+) create mode 100644 src/core/server/saved_objects/permission_control/acl.test.ts create mode 100644 src/core/server/saved_objects/permission_control/acl.ts diff --git a/src/core/server/saved_objects/migrations/core/build_active_mappings.ts b/src/core/server/saved_objects/migrations/core/build_active_mappings.ts index 812cc1fd5eb1..05fb534f7a11 100644 --- a/src/core/server/saved_objects/migrations/core/build_active_mappings.ts +++ b/src/core/server/saved_objects/migrations/core/build_active_mappings.ts @@ -36,6 +36,7 @@ import crypto from 'crypto'; import { cloneDeep, mapValues } from 'lodash'; import { IndexMapping, + SavedObjectsFieldMapping, SavedObjectsMappingProperties, SavedObjectsTypeMappingDefinitions, } from './../../mappings'; @@ -137,6 +138,16 @@ function findChangedProp(actual: any, expected: any) { * @returns {IndexMapping} */ function defaultMapping(): IndexMapping { + const principals: SavedObjectsFieldMapping = { + properties: { + users: { + type: 'keyword', + }, + groups: { + type: 'keyword', + }, + }, + }; return { dynamic: 'strict', properties: { @@ -178,6 +189,15 @@ function defaultMapping(): IndexMapping { workspaces: { type: 'keyword', }, + permissions: { + properties: { + read: principals, + write: principals, + management: principals, + library_read: principals, + library_write: principals, + }, + }, }, }; } diff --git a/src/core/server/saved_objects/permission_control/acl.test.ts b/src/core/server/saved_objects/permission_control/acl.test.ts new file mode 100644 index 000000000000..b292fb747b3c --- /dev/null +++ b/src/core/server/saved_objects/permission_control/acl.test.ts @@ -0,0 +1,164 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ + +import { PermissionMode } from '../../../../core/utils/constants'; +import { Principals, Permissions, ACL } from './acl'; + +describe('SavedObjectTypeRegistry', () => { + let acl: ACL; + + it('test has permission', () => { + const principals: Principals = { + users: ['user1'], + groups: [], + }; + const permissions: Permissions = { + read: principals, + }; + acl = new ACL(permissions); + expect( + acl.hasPermission([PermissionMode.Read], { + users: ['user1'], + groups: [], + }) + ).toEqual(true); + expect( + acl.hasPermission([PermissionMode.Read], { + users: ['user2'], + groups: [], + }) + ).toEqual(false); + }); + + it('test add permission', () => { + acl = new ACL(); + const result1 = acl + .addPermission([PermissionMode.Read], { + users: ['user1'], + groups: [], + }) + .getPermissions(); + expect(result1?.read?.users).toEqual(['user1']); + + acl.resetPermissions(); + const result2 = acl + .addPermission([PermissionMode.Write, PermissionMode.Management], { + users: ['user2'], + groups: ['group1', 'group2'], + }) + .getPermissions(); + expect(result2?.write?.users).toEqual(['user2']); + expect(result2?.management?.groups).toEqual(['group1', 'group2']); + }); + + it('test remove permission', () => { + const principals1: Principals = { + users: ['user1'], + groups: ['group1', 'group2'], + }; + const permissions1 = { + read: principals1, + write: principals1, + }; + acl = new ACL(permissions1); + const result1 = acl + .removePermission([PermissionMode.Read], { + users: ['user1'], + groups: [], + }) + .removePermission([PermissionMode.Write], { + users: [], + groups: ['group2'], + }) + .getPermissions(); + expect(result1?.read?.users).toEqual([]); + expect(result1?.write?.groups).toEqual(['group1']); + + const principals2: Principals = { + users: ['*'], + groups: ['*'], + }; + + const permissions2 = { + read: principals2, + write: principals2, + }; + + acl = new ACL(permissions2); + const result2 = acl + .removePermission([PermissionMode.Read, PermissionMode.Write], { + users: ['user1'], + groups: ['group1'], + }) + .getPermissions(); + expect(result2?.read?.users).toEqual(['*']); + expect(result2?.write?.groups).toEqual(['*']); + }); + + it('test transform permission', () => { + const principals: Principals = { + users: ['user1'], + groups: ['group1', 'group2'], + }; + const permissions = { + read: principals, + write: principals, + }; + acl = new ACL(permissions); + const result = acl.transformPermissions(); + expect(result?.length).toEqual(3); + }); + + it('test genereate query DSL', () => { + const principals = { + users: ['user1'], + groups: ['group1'], + }; + const result = ACL.genereateGetPermittedSavedObjectsQueryDSL( + PermissionMode.Read, + principals, + 'workspace' + ); + expect(result).toEqual({ + query: { + bool: { + filter: [ + { + bool: { + should: [ + { + terms: { + 'permissions.read.users': ['user1'], + }, + }, + { + term: { + 'permissions.read.users': '*', + }, + }, + { + terms: { + 'permissions.read.groups': ['group1'], + }, + }, + { + term: { + 'permissions.read.groups': '*', + }, + }, + ], + }, + }, + { + terms: { + type: ['workspace'], + }, + }, + ], + }, + }, + }); + }); +}); diff --git a/src/core/server/saved_objects/permission_control/acl.ts b/src/core/server/saved_objects/permission_control/acl.ts new file mode 100644 index 000000000000..4b7d506e11ba --- /dev/null +++ b/src/core/server/saved_objects/permission_control/acl.ts @@ -0,0 +1,264 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ + +import { PrincipalType } from '../../../../core/utils/constants'; + +export interface Principals { + users?: string[]; + groups?: string[]; +} + +export type Permissions = Partial>; + +export interface TransformedPermission { + type: string; + name: string; + permissions: string[]; +} + +const addToPrincipals = (principals?: Principals, users?: string[], groups?: string[]) => { + if (!principals) { + principals = {}; + } + if (!!users) { + if (!principals.users) { + principals.users = []; + } + principals.users = Array.from(new Set([...principals.users, ...users])); + } + if (!!groups) { + if (!principals.groups) { + principals.groups = []; + } + principals.groups = Array.from(new Set([...principals.groups, ...groups])); + } + return principals; +}; + +const deleteFromPrincipals = (principals?: Principals, users?: string[], groups?: string[]) => { + if (!principals) { + return principals; + } + if (!!users && !!principals.users) { + principals.users = principals.users.filter((item) => !users.includes(item)); + } + if (!!groups && !!principals.groups) { + principals.groups = principals.groups.filter((item) => !groups.includes(item)); + } + return principals; +}; + +const checkPermission = (currentPrincipals: Principals | undefined, principals: Principals) => { + return ( + (currentPrincipals?.users && + principals?.users && + checkPermissionForSinglePrincipalType(currentPrincipals.users, principals.users)) || + (currentPrincipals?.groups && + principals.groups && + checkPermissionForSinglePrincipalType(currentPrincipals.groups, principals.groups)) + ); +}; + +const checkPermissionForSinglePrincipalType = ( + currentPrincipalArray: string[], + principalArray: string[] +) => { + return ( + currentPrincipalArray && + principalArray && + (currentPrincipalArray.includes('*') || + principalArray.some((item) => currentPrincipalArray.includes(item))) + ); +}; + +export class ACL { + private permissions?: Permissions; + constructor(initialPermissions?: Permissions) { + this.permissions = initialPermissions || {}; + } + + // parse the permissions object to check whether the specific principal has the specific permission types or not + public hasPermission(permissionTypes: string[], principals: Principals) { + if (!permissionTypes || permissionTypes.length === 0 || !this.permissions || !principals) { + return false; + } + + const currentPermissions = this.permissions; + return permissionTypes.some((permissionType) => + checkPermission(currentPermissions[permissionType], principals) + ); + } + + // permissions object build function, add principal with specific permission to the object + public addPermission(permissionTypes: string[], principals: Principals) { + if (!permissionTypes || !principals) { + return this; + } + if (!this.permissions) { + this.permissions = {}; + } + + for (const permissionType of permissionTypes) { + this.permissions[permissionType] = addToPrincipals( + this.permissions[permissionType], + principals.users, + principals.groups + ); + } + + return this; + } + + // permissions object build funciton, remove specific permission of specific principal from the object + public removePermission(permissionTypes: string[], principals: Principals) { + if (!permissionTypes || !principals) { + return this; + } + if (!this.permissions) { + this.permissions = {}; + } + + for (const permissionType of permissionTypes) { + this.permissions[permissionType] = deleteFromPrincipals( + this.permissions![permissionType], + principals.users, + principals.groups + ); + } + + return this; + } + + /* + transfrom permissions format + original permissions: { + read: { + users:['user1'] + }, + write:{ + groups:['group1'] + } + } + + transformed permissions: [ + {type:'users',name:'user1',permissions:['read']}, + {type:'groups',name:'group1',permissions:['write']}, + ] + */ + public transformPermissions(): TransformedPermission[] { + const result: TransformedPermission[] = []; + if (!this.permissions) { + return result; + } + + const permissionMapResult: Record> = {}; + const principalTypes = [PrincipalType.Users, PrincipalType.Groups]; + for (const permissionType in this.permissions) { + if (!!permissionType) { + const value = this.permissions[permissionType]; + principalTypes.forEach((principalType) => { + if (value?.[principalType]) { + for (const principal of value[principalType]!) { + if (!permissionMapResult[principalType]) { + permissionMapResult[principalType] = {}; + } + if (!permissionMapResult[principalType][principal]) { + permissionMapResult[principalType][principal] = []; + } + permissionMapResult[principalType][principal] = [ + ...permissionMapResult[principalType][principal]!, + permissionType, + ]; + } + } + }); + } + } + + Object.entries(permissionMapResult).forEach(([type, permissionMap]) => { + Object.entries(permissionMap).forEach(([principal, permissions]) => { + result.push({ + type, + name: principal, + permissions, + }); + }); + }); + + return result; + } + + public resetPermissions() { + // reset permissions + this.permissions = {}; + } + + // return the permissions object + public getPermissions() { + return this.permissions; + } + + /* + generate query DSL by the specific conditions, used for fetching saved objects from the saved objects index + */ + public static genereateGetPermittedSavedObjectsQueryDSL( + permissionType: string, + principals: Principals, + savedObjectType?: string | string[] + ) { + if (!principals || !permissionType) { + return { + query: { + match_none: {}, + }, + }; + } + + const bool: any = { + filter: [], + }; + const subBool: any = { + should: [], + }; + if (!!principals.users) { + subBool.should.push({ + terms: { + ['permissions.' + permissionType + '.users']: principals.users, + }, + }); + subBool.should.push({ + term: { + ['permissions.' + permissionType + '.users']: '*', + }, + }); + } + if (!!principals.groups) { + subBool.should.push({ + terms: { + ['permissions.' + permissionType + '.groups']: principals.groups, + }, + }); + subBool.should.push({ + term: { + ['permissions.' + permissionType + '.groups']: '*', + }, + }); + } + + bool.filter.push({ + bool: subBool, + }); + + if (!!savedObjectType) { + bool.filter.push({ + terms: { + type: Array.isArray(savedObjectType) ? savedObjectType : [savedObjectType], + }, + }); + } + + return { query: { bool } }; + } +} diff --git a/src/core/utils/constants.ts b/src/core/utils/constants.ts index 5bd25db2c848..a58af8947131 100644 --- a/src/core/utils/constants.ts +++ b/src/core/utils/constants.ts @@ -12,3 +12,8 @@ export enum PermissionMode { LibraryRead = 'library_read', LibraryWrite = 'library_write', } + +export enum PrincipalType { + Users = 'users', + Groups = 'groups', +}