

feat: use new permission system within oidc provider
n1ru4l committed Oct 22, 2024
1 parent c2b7126 commit bf2b274
Showing 2 changed files with 46 additions and 130 deletions.
108 changes: 2 additions & 106 deletions packages/services/api/src/modules/auth/lib/legacy-permissions.ts
Expand Up @@ -15,126 +15,22 @@ export function transformLegacyPolicies(
const policies: Array<AuthorizationPolicyStatement> = [];
for (const scope of scopes) {
switch (scope) {
case OrganizationAccessScope.READ: {
policies.push({
effect: 'allow',
action: ['organization:view'],
resource: [`hrn:${organizationId}:*`],
});
break;
}
case OrganizationAccessScope.DELETE: {
policies.push({
effect: 'allow',
action: ['organization:delete'],
resource: [`hrn:${organizationId}:*`],
});
break;
}
case OrganizationAccessScope.SETTINGS: {
policies.push({
effect: 'allow',
action: ['organization:settings'],
action: ['organization:updateSlug'],
resource: [`hrn:${organizationId}:*`],
});
break;
}
case OrganizationAccessScope.INTEGRATIONS: {
policies.push({
effect: 'allow',
action: ['organization:integrations'],
resource: [`hrn:${organizationId}:*`],
});
break;
}
case OrganizationAccessScope.MEMBERS: {
policies.push({
effect: 'allow',
action: ['organization:members'],
action: ['oidc:modify'],
resource: [`hrn:${organizationId}:*`],
});
break;
}
case ProjectAccessScope.READ: {
policies.push({
effect: 'allow',
action: ['project:view'],
resource: [`hrn:${organizationId}:project:${projectId}`],
});
break;
}
case ProjectAccessScope.DELETE: {
policies.push({
effect: 'allow',
action: ['project:view'],
resource: [`hrn:${organizationId}:project:${projectId}`],
});
break;
}
case ProjectAccessScope.SETTINGS: {
policies.push({
effect: 'allow',
action: ['project:settings'],
resource: [`hrn:${organizationId}:project:${projectId}`],
});
break;
}
case ProjectAccessScope.ALERTS: {
policies.push({
effect: 'allow',
action: ['project:alerts'],
resource: [`hrn:${organizationId}:project:${projectId}`],
});
break;
}
case ProjectAccessScope.OPERATIONS_STORE_READ:
case ProjectAccessScope.OPERATIONS_STORE_WRITE:
// not used right now
continue;
case TargetAccessScope.READ: {
policies.push({
effect: 'allow',
action: ['target:view'],
resource: [`hrn:${organizationId}:target:${targetId}`],
});
break;
}
case TargetAccessScope.DELETE: {
policies.push({
effect: 'allow',
action: ['target:delete'],
resource: [`hrn:${organizationId}:target:${targetId}`],
});
break;
}
case TargetAccessScope.SETTINGS: {
policies.push({
effect: 'allow',
action: ['target:settings'],
resource: [`hrn:${organizationId}:target:${targetId}`],
});
break;
}
case TargetAccessScope.REGISTRY_READ: {
policies.push({
effect: 'allow',
action: ['usage:view'],
resource: [`hrn:${organizationId}:target:${targetId}`],
});
break;
}
case TargetAccessScope.REGISTRY_WRITE: {
policies.push({
effect: 'allow',
action: ['usage:report'],
resource: [`hrn:${organizationId}:target:${targetId}`],
});
break;
}
case TargetAccessScope.TOKENS_READ:
case TargetAccessScope.TOKENS_WRITE:
// not implemented right now
continue;
}
}

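Review bot: The rewritten legacy scope mapping in this hunk leaves `OrganizationAccessScope.INTEGRATIONS` without any policy while the MEMBERS case now yields `oidc:modify` — if the READ, DELETE and INTEGRATIONS organization cases and all project/target cases are dropped, as the 106-line deletion count suggests, a legacy token that held INTEGRATIONS (the scope the OIDC provider checked before this commit) loses OIDC access and a MEMBERS-scoped token gains it. If that re-mapping is intended, it deserves a comment at the head of the switch, e.g. `// Only organization SETTINGS and MEMBERS have an equivalent in the new policy model; every other legacy scope intentionally produces no statement.`; otherwise a case mapping `OrganizationAccessScope.INTEGRATIONS` to `oidc:modify` should sit next to the MEMBERS case. Legacy tokens that previously obtained `organization:view`, `project:view` or `target:view` statements would now be denied those actions, so a fixture test over each legacy scope would make the intended table explicit. `transformLegacyPolicies` begins before the hunk, so its parameters and the final return are not visible here.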
Expand Up @@ -2,8 +2,7 @@ import { Inject, Injectable, Scope } from 'graphql-modules';
import zod from 'zod';
import { OIDCIntegration } from '../../../shared/entities';
import { HiveError } from '../../../shared/errors';
import { AuthManager } from '../../auth/providers/auth-manager';
import { OrganizationAccessScope } from '../../auth/providers/organization-access';
import { Session } from '../../auth/lib/authz';
import { CryptoProvider } from '../../shared/providers/crypto';
import { Logger } from '../../shared/providers/logger';
import { PUB_SUB_CONFIG, type HivePubSub } from '../../shared/providers/pub-sub';
Expand All @@ -20,10 +19,10 @@ export class OIDCIntegrationsProvider {
constructor(
logger: Logger,
private storage: Storage,
private authManager: AuthManager,
private crypto: CryptoProvider,
@Inject(PUB_SUB_CONFIG) private pubSub: HivePubSub,
@Inject(OIDC_INTEGRATIONS_ENABLED) private enabled: boolean,
private session: Session,
) {
this.logger = logger.child({ source: 'OIDCIntegrationsProvider' });
}
Expand All @@ -38,9 +37,12 @@ export class OIDCIntegrationsProvider {
}

try {
await this.authManager.ensureOrganizationAccess({
organization: organizationId,
scope: OrganizationAccessScope.INTEGRATIONS,
await this.session.assertPerformAction({
organizationId,
action: 'oidc:modify',
params: {
organizationId,
},
});
return true;
} catch {
Expand All @@ -60,9 +62,12 @@ export class OIDCIntegrationsProvider {
return null;
}

await this.authManager.ensureOrganizationAccess({
organization: args.organizationId,
scope: OrganizationAccessScope.INTEGRATIONS,
await this.session.assertPerformAction({
organizationId: args.organizationId,
action: 'oidc:modify',
params: {
organizationId: args.organizationId,
},
});

return await this.storage.getOIDCIntegrationForOrganization({
Expand Down Expand Up @@ -90,9 +95,12 @@ export class OIDCIntegrationsProvider {
} as const;
}

await this.authManager.ensureOrganizationAccess({
organization: args.organizationId,
scope: OrganizationAccessScope.INTEGRATIONS,
await this.session.assertPerformAction({
organizationId: args.organizationId,
action: 'oidc:modify',
params: {
organizationId: args.organizationId,
},
});

const organization = await this.storage.getOrganization({ organization: args.organizationId });
Expand Down Expand Up @@ -192,9 +200,12 @@ export class OIDCIntegrationsProvider {
} as const;
}

await this.authManager.ensureOrganizationAccess({
organization: integration.linkedOrganizationId,
scope: OrganizationAccessScope.INTEGRATIONS,
await this.session.assertPerformAction({
action: 'oidc:modify',
organizationId: integration.linkedOrganizationId,
params: {
organizationId: integration.linkedOrganizationId,
},
});

const clientIdResult = maybe(OIDCIntegrationClientIdModel).safeParse(args.clientId);
Expand Down Expand Up @@ -269,9 +280,12 @@ export class OIDCIntegrationsProvider {
} as const;
}

await this.authManager.ensureOrganizationAccess({
organization: integration.linkedOrganizationId,
scope: OrganizationAccessScope.INTEGRATIONS,
await this.session.assertPerformAction({
organizationId: integration.linkedOrganizationId,
action: 'oidc:modify',
params: {
organizationId: integration.linkedOrganizationId,
},
});

await this.storage.deleteOIDCIntegration(args);
Expand Down Expand Up @@ -301,9 +315,12 @@ export class OIDCIntegrationsProvider {
} as const;
}

await this.authManager.ensureOrganizationAccess({
organization: oidcIntegration.linkedOrganizationId,
scope: OrganizationAccessScope.INTEGRATIONS,
await this.session.assertPerformAction({
organizationId: oidcIntegration.linkedOrganizationId,
action: 'oidc:modify',
params: {
organizationId: oidcIntegration.linkedOrganizationId,
},
});

return {
Expand Down Expand Up @@ -346,9 +363,12 @@ export class OIDCIntegrationsProvider {
throw new HiveError('Integration not found.');
}

await this.authManager.ensureOrganizationAccess({
organization: integration.linkedOrganizationId,
scope: OrganizationAccessScope.INTEGRATIONS,
await this.session.assertPerformAction({
organizationId: integration.linkedOrganizationId,
action: 'oidc:modify',
params: {
organizationId: integration.linkedOrganizationId,
},
});

return this.pubSub.subscribe('oidcIntegrationLogs', integration.id);
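Review bot: The constructor hunk makes every authorization check in the later hunks depend on the injection scope of `OIDCIntegrationsProvider` — a request-bound `Session` is only correct if the class is operation-scoped (the `Scope` import in the first hunk suggests it is, but the `@Injectable` decorator lies outside the hunk), because a singleton instance would retain the first request's session and authorize later requests as that user; this is worth confirming in the same change. Style: the call in the `-192,9 +200,12` hunk orders `action` before `organizationId` while the other five call sites put `organizationId` first; writing it as `organizationId: integration.linkedOrganizationId, action: 'oidc:modify',` keeps all six checks greppable as one pattern. Each call site also repeats the organization id at the top level and inside `params`; if the top-level key selects the policy set and `params` names the resource, a comment at the first call site, `// organizationId scopes the policy lookup; params carries the resource the action is checked against`, would stop the duplication from being "cleaned up" later. In the `-38,9 +37,12` hunk the bare `catch` turns every failure of `assertPerformAction`, including storage or transport errors, into a denial, which fails closed but hides outages; that method begins and ends outside the hunk.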
