Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add rbac middleware system #6103

Merged
merged 13 commits into from
Mar 21, 2022
4 changes: 3 additions & 1 deletion engine/api/api_routes.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ func (api *API) InitRouter() {
api.Router.SetHeaderFunc = service.DefaultHeaders
api.Router.Middlewares = append(api.Router.Middlewares, api.tracingMiddleware, api.jwtMiddleware)
api.Router.DefaultAuthMiddleware = api.authMiddleware
api.Router.PostAuthMiddlewares = append(api.Router.PostAuthMiddlewares, api.xsrfMiddleware, api.maintenanceMiddleware)
api.Router.PostAuthMiddlewares = append(api.Router.PostAuthMiddlewares, api.xsrfMiddleware, api.maintenanceMiddleware, api.rbacMiddleware)
api.Router.PostMiddlewares = append(api.Router.PostMiddlewares, service.TracingPostMiddleware)

r := api.Router
Expand Down Expand Up @@ -449,6 +449,8 @@ func (api *API) InitRouter() {
r.Handle("/template/{groupName}/{templateSlug}/instance/{instanceID}", Scope(sdk.AuthConsumerScopeTemplate), r.DELETE(api.deleteTemplateInstanceHandler))
r.Handle("/template/{groupName}/{templateSlug}/usage", Scope(sdk.AuthConsumerScopeTemplate), r.GET(api.getTemplateUsageHandler))

r.Handle("/v2/project/{projectKey}/vcs", nil, r.POSTv2(api.addVCSOnProjectHandler))

//Not Found handler
r.Mux.NotFoundHandler = http.HandlerFunc(r.NotFoundHandler)

Expand Down
30 changes: 30 additions & 0 deletions engine/api/group/dao_rbac.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
package group

import (
"context"

"github.com/go-gorp/gorp"

"github.com/ovh/cds/engine/api/database/gorpmapping"
"github.com/ovh/cds/sdk"
)

func LoadGroupByRbacGlobal(ctx context.Context, db gorp.SqlExecutor, rbacGlobalID int64) ([]sdk.Group, error) {
sguiheux marked this conversation as resolved.
Show resolved Hide resolved
query := `
SELECT g.*
FROM rbac_global_groups rgg
JOIN "group" g ON g.id = rgg.group_id
WHERE rgg.rbac_global_id = $1
`
return getAll(ctx, db, gorpmapping.NewQuery(query).Args(rbacGlobalID))
}

func LoadGroupByRbacProject(ctx context.Context, db gorp.SqlExecutor, rbacProjectID int64) ([]sdk.Group, error) {
sguiheux marked this conversation as resolved.
Show resolved Hide resolved
query := `
SELECT g.*
FROM rbac_project_groups rpg
JOIN "group" g ON g.id = rpg.group_id
WHERE rpg.rbac_project_id = $1
`
return getAll(ctx, db, gorpmapping.NewQuery(query).Args(rbacProjectID))
}
18 changes: 18 additions & 0 deletions engine/api/project/dao_rbac.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
package project

import (
"context"

"github.com/go-gorp/gorp"

"github.com/ovh/cds/sdk"
)

func LoadProjectByRbacProject(ctx context.Context, db gorp.SqlExecutor, rbacProjectID int64) ([]sdk.Project, error) {
query := `
SELECT p.*
FROM rbac_project_ids rpi
JOIN project p ON p.id = rpi.project_id
WHERE rpi.rbac_project_id = $1`
return loadprojects(ctx, db, nil, query, rbacProjectID)
}
132 changes: 132 additions & 0 deletions engine/api/rbac/dao_rbac.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,132 @@
package rbac

import (
"context"
"time"

"github.com/go-gorp/gorp"

"github.com/ovh/cds/engine/api/database/gorpmapping"
"github.com/ovh/cds/engine/gorpmapper"
"github.com/ovh/cds/sdk"
)

func LoadRbacUUIDByName(ctx context.Context, db gorp.SqlExecutor, name string) (string, error) {
sguiheux marked this conversation as resolved.
Show resolved Hide resolved
sguiheux marked this conversation as resolved.
Show resolved Hide resolved
query := `SELECT * FROM rbac WHERE name = $1`
var r rbac
if _, err := gorpmapping.Get(ctx, db, gorpmapping.NewQuery(query).Args(name), &r); err != nil {
return "", err
}
return r.UUID, nil
}
func LoadRbacByName(ctx context.Context, db gorp.SqlExecutor, name string, opts ...LoadOptionFunc) (sdk.Rbac, error) {
query := `SELECT * FROM rbac WHERE name = $1`
var r sdk.Rbac
var rbacDB rbac
if _, err := gorpmapping.Get(ctx, db, gorpmapping.NewQuery(query).Args(name), &rbacDB); err != nil {
return r, err
}
sguiheux marked this conversation as resolved.
Show resolved Hide resolved
for _, f := range opts {
if err := f(ctx, db, &rbacDB); err != nil {
return r, err
}
}
r = rbacDB.Rbac
return r, nil
}

func LoadRbacProjectIDsByUserID(_ context.Context, db gorp.SqlExecutor, role string, userID string) ([]sdk.Project, error) {
query := `
WITH userRbac as (
SELECT distinct(rpi.project_id) as id
FROM rbac_project_ids rpi
JOIN rbac_project rp ON rp.id = rpi.rbac_project_id AND rp.role = $1
JOIN rbac_project_users rpu ON rpu.rbac_project_id = rp.id AND rpu.user_id = $2
),
groupRbac as (
SELECT distinct(rpi.project_id) as id
FROM rbac_project_ids rpi
JOIN rbac_project rp ON rp.id = rpi.rbac_project_id AND rp.role = $1
JOIN rbac_project_groups rpg ON rpg.rbac_project_id = rp.id
JOIN "group" g ON g.id = rpg.group_id
JOIN group_authentified_user gau ON gau.group_id = g.id AND gau.authentified_user_id = $2
),
userAllRbac as (
SELECT distinct(p.id) as id
FROM project p
JOIN rbac_project_ids rpi ON rpi.project_id = p.id
JOIN rbac_project rp ON rp.id = rpi.rbac_project_id AND rp.all = true AND rp.role = $1
JOIN rbac_project_users rpu ON rpu.rbac_project_id = rp.id AND rpu.user_id = $2
),
groupAllRbac as (
SELECT distinct(p.id) as id
FROM project p
JOIN rbac_project_ids rpi ON rpi.project_id = p.id
JOIN rbac_project rp ON rp.id = rpi.rbac_project_id AND rp.role = $1 AND rp.all = true
JOIN rbac_project_groups rpg ON rpg.rbac_project_id = rp.id
JOIN "group" g ON g.id = rpg.group_id
JOIN group_authentified_user gau ON gau.group_id = g.id AND gau.authentified_user_id = $2
),
concat as (
SELECT distinct(id) as id FROM (
SELECT id FROM userRbac UNION SELECT id FROM groupRbac UNION SELECT id FROM userAllRbac UNION SELECT id FROM groupAllRbac
) tmp
)
SELECT p.* FROM concat c
JOIN project p ON p.id = c.id`
var projects []sdk.Project
if _, err := db.Select(&projects, query, role, userID); err != nil {
sguiheux marked this conversation as resolved.
Show resolved Hide resolved
return nil, err
}
return projects, nil
}

// Insert a RBAC permission in database
func Insert(ctx context.Context, db gorpmapper.SqlExecutorWithTx, rb *sdk.Rbac) error {
if err := sdk.IsValidRbac(rb); err != nil {
return err
}
rb.UUID = sdk.UUID()
rb.Created = time.Now()
rb.LastModified = time.Now()
dbRb := rbac{Rbac: *rb}
if err := gorpmapping.InsertAndSign(ctx, db, &dbRb); err != nil {
return err
}

for i := range rb.Globals {
dbRbGlobal := rbacGlobal{
RbacUUID: dbRb.UUID,
RbacGlobal: rb.Globals[i],
}
if err := insertRbacGlobal(ctx, db, &dbRbGlobal); err != nil {
return err
}
}
for i := range rb.Projects {
dbRbProject := rbacProject{
RbacUUID: dbRb.UUID,
RbacProject: rb.Projects[i],
}
if err := insertRbacProject(ctx, db, &dbRbProject); err != nil {
return err
}
}
*rb = dbRb.Rbac
return nil
}

func Update(ctx context.Context, db gorpmapper.SqlExecutorWithTx, rb *sdk.Rbac) error {
if err := Delete(ctx, db, *rb); err != nil {
sguiheux marked this conversation as resolved.
Show resolved Hide resolved
return err
}
return Insert(ctx, db, rb)
sguiheux marked this conversation as resolved.
Show resolved Hide resolved
}

func Delete(_ context.Context, db gorpmapper.SqlExecutorWithTx, rb sdk.Rbac) error {
dbRb := rbac{Rbac: rb}
if err := gorpmapping.Delete(db, &dbRb); err != nil {
return err
}
return nil
}
80 changes: 80 additions & 0 deletions engine/api/rbac/dao_rbac_global.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
package rbac

import (
"context"

"github.com/go-gorp/gorp"

"github.com/ovh/cds/engine/api/database/gorpmapping"
"github.com/ovh/cds/engine/api/group"
"github.com/ovh/cds/engine/api/user"
"github.com/ovh/cds/engine/gorpmapper"
)

func insertRbacGlobal(ctx context.Context, db gorpmapper.SqlExecutorWithTx, rg *rbacGlobal) error {
if err := gorpmapping.InsertAndSign(ctx, db, rg); err != nil {
return err
}

for _, userID := range rg.RbacUsersIDs {
if err := insertRbacGlobalUser(ctx, db, rg.ID, userID); err != nil {
return err
}
}
for _, groupID := range rg.RbacGroupsIDs {
if err := insertRbacGlobalGroup(ctx, db, rg.ID, groupID); err != nil {
return err
}
}
return nil
}

func insertRbacGlobalUser(ctx context.Context, db gorpmapper.SqlExecutorWithTx, rbacGlobalID int64, userID string) error {
rgu := rbacGlobalUser{
RbacGlobalID: rbacGlobalID,
RbacGlobalUserID: userID,
}
if err := gorpmapping.InsertAndSign(ctx, db, &rgu); err != nil {
return err
}
return nil
}

func insertRbacGlobalGroup(ctx context.Context, db gorpmapper.SqlExecutorWithTx, rbacGlobalID int64, groupID int64) error {
rgu := rbacGlobalGroup{
RbacGlobalID: rbacGlobalID,
RbacGlobalGroupID: groupID,
}
if err := gorpmapping.InsertAndSign(ctx, db, &rgu); err != nil {
return err
}
return nil
}

func loadRbacRbacGlobalUsersTargeted(ctx context.Context, db gorp.SqlExecutor, rbacGlobal *rbacGlobal) error {
sguiheux marked this conversation as resolved.
Show resolved Hide resolved
users, err := user.LoadUsersByRbacGlobal(ctx, db, rbacGlobal.ID)
if err != nil {
return err
}
rbacGlobal.RbacUsersName = make([]string, 0, len(users))
rbacGlobal.RbacUsersIDs = make([]string, 0, len(users))
for _, u := range users {
rbacGlobal.RbacUsersName = append(rbacGlobal.RbacUsersName, u.Username)
rbacGlobal.RbacUsersIDs = append(rbacGlobal.RbacUsersIDs, u.ID)
}
return nil
}

func loadRbacRbacGlobalGroupsTargeted(ctx context.Context, db gorp.SqlExecutor, rbacGlobal *rbacGlobal) error {
sguiheux marked this conversation as resolved.
Show resolved Hide resolved
groups, err := group.LoadGroupByRbacGlobal(ctx, db, rbacGlobal.ID)
sguiheux marked this conversation as resolved.
Show resolved Hide resolved
if err != nil {
return err
}
rbacGlobal.RbacGroupsName = make([]string, 0, len(groups))
rbacGlobal.RbacGroupsIDs = make([]int64, 0, len(groups))
for _, g := range groups {
rbacGlobal.RbacGroupsName = append(rbacGlobal.RbacGroupsName, g.Name)
rbacGlobal.RbacGroupsIDs = append(rbacGlobal.RbacGroupsIDs, g.ID)
}
return nil
}
110 changes: 110 additions & 0 deletions engine/api/rbac/dao_rbac_project.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
package rbac

import (
"context"

"github.com/go-gorp/gorp"
"github.com/ovh/cds/engine/api/database/gorpmapping"
"github.com/ovh/cds/engine/api/group"
"github.com/ovh/cds/engine/api/project"
"github.com/ovh/cds/engine/api/user"
"github.com/ovh/cds/engine/gorpmapper"
)

func insertRbacProject(ctx context.Context, db gorpmapper.SqlExecutorWithTx, dbRP *rbacProject) error {
if err := gorpmapping.InsertAndSign(ctx, db, dbRP); err != nil {
return err
}

for _, rbProjectID := range dbRP.RbacProjectsIDs {
if err := insertRbacProjectID(ctx, db, dbRP.ID, rbProjectID); err != nil {
return err
}
}
for _, rbUserID := range dbRP.RbacUsersIDs {
if err := insertRbacProjectUser(ctx, db, dbRP.ID, rbUserID); err != nil {
return err
}
}
for _, rbGroupID := range dbRP.RbacGroupsIDs {
if err := insertRbacProjectGroup(ctx, db, dbRP.ID, rbGroupID); err != nil {
return err
}
}
return nil
}

func insertRbacProjectID(ctx context.Context, db gorpmapper.SqlExecutorWithTx, rbacParentID int64, projectID int64) error {
rgu := rbacProjectID{
RbacProjectID: rbacParentID,
ProjectID: projectID,
}
if err := gorpmapping.InsertAndSign(ctx, db, &rgu); err != nil {
return err
}
return nil
}

func insertRbacProjectUser(ctx context.Context, db gorpmapper.SqlExecutorWithTx, rbacProjectID int64, userID string) error {
rgu := rbacProjectUser{
RbacProjectID: rbacProjectID,
RbacProjectUserID: userID,
}
if err := gorpmapping.InsertAndSign(ctx, db, &rgu); err != nil {
return err
}
return nil
}

func insertRbacProjectGroup(ctx context.Context, db gorpmapper.SqlExecutorWithTx, rbacProjectID int64, groupID int64) error {
rgu := rbacProjectGroup{
RbacProjectID: rbacProjectID,
RbacProjectGroupID: groupID,
}
if err := gorpmapping.InsertAndSign(ctx, db, &rgu); err != nil {
return err
}
return nil
}

func loadRbacProjectTargeted(ctx context.Context, db gorp.SqlExecutor, rbacProject *rbacProject) error {
prjs, err := project.LoadProjectByRbacProject(ctx, db, rbacProject.ID)
sguiheux marked this conversation as resolved.
Show resolved Hide resolved
if err != nil {
return err
}
rbacProject.RbacProjectKeys = make([]string, 0, len(prjs))
rbacProject.RbacProjectsIDs = make([]int64, 0, len(prjs))
for _, pj := range prjs {
rbacProject.RbacProjectKeys = append(rbacProject.RbacProjectKeys, pj.Key)
rbacProject.RbacProjectsIDs = append(rbacProject.RbacProjectsIDs, pj.ID)
}
return nil
}

func loadRbacRbacProjectUsersTargeted(ctx context.Context, db gorp.SqlExecutor, rbacProject *rbacProject) error {
users, err := user.LoadUsersByRbacProject(ctx, db, rbacProject.ID)
if err != nil {
return err
}
rbacProject.RbacUsersName = make([]string, 0, len(users))
rbacProject.RbacUsersIDs = make([]string, 0, len(users))
for _, u := range users {
rbacProject.RbacUsersName = append(rbacProject.RbacUsersName, u.Username)
rbacProject.RbacUsersIDs = append(rbacProject.RbacUsersIDs, u.ID)
}
return nil
}

func loadRbacRbacProjectGroupsTargeted(ctx context.Context, db gorp.SqlExecutor, rbacProject *rbacProject) error {
groups, err := group.LoadGroupByRbacProject(ctx, db, rbacProject.ID)
if err != nil {
return err
}
rbacProject.RbacGroupsName = make([]string, 0, len(groups))
rbacProject.RbacGroupsIDs = make([]int64, 0, len(groups))
for _, g := range groups {
rbacProject.RbacGroupsName = append(rbacProject.RbacGroupsName, g.Name)
rbacProject.RbacGroupsIDs = append(rbacProject.RbacGroupsIDs, g.ID)
}
return nil
}
Loading