MirrorSave
/
budibase
mirror of https://github.com/Budibase/budibase.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'feature/role-multi-inheritance' of github.com:Budibase/budibase into new-rbac-ui

This commit is contained in:
Andrew Kingston 2024-09-30 08:22:07 +01:00
parent adfe467329 d6d4da221d
commit 2e5f07d3c8
No known key found for this signature in database
13 changed files with 330 additions and 204 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
packages/backend-core/src/security/roles.ts
View File

@ -43,7 +43,7 @@ export class Role implements RoleDoc {
_rev?: string _rev?: string
name: string name: string
permissionId: string permissionId: string
inherits?: string inherits?: string | string[]
version?: string version?: string
permissions: Record<string, PermissionLevel[]> = {} permissions: Record<string, PermissionLevel[]> = {}
uiMetadata?: RoleUIMetadata uiMetadata?: RoleUIMetadata
@ -62,8 +62,10 @@ export class Role implements RoleDoc {
this.version = RoleIDVersion.NAME this.version = RoleIDVersion.NAME
} }
addInheritance(inherits: string) { addInheritance(inherits?: string | string[]) {
if (inherits) {
this.inherits = inherits this.inherits = inherits
}
return this return this
} }
} }
@ -154,7 +156,11 @@ export function builtinRoleToNumber(id: string) {
if (!role) { if (!role) {
break break
} }
if (Array.isArray(role.inherits)) {
// TODO: role inheritance
} else {
role = builtins[role.inherits!] role = builtins[role.inherits!]
}
count++ count++
} while (role !== null) } while (role !== null)
return count return count
@ -171,7 +177,12 @@ export async function roleToNumber(id: string) {
defaultPublic: true, defaultPublic: true,
})) as RoleDoc[] })) as RoleDoc[]
for (let role of hierarchy) { for (let role of hierarchy) {
if (role?.inherits && isBuiltin(role.inherits)) { if (!role.inherits) {
continue
}
if (Array.isArray(role.inherits)) {
// TODO: role inheritance
} else if (isBuiltin(role.inherits)) {
return builtinRoleToNumber(role.inherits) + 1 return builtinRoleToNumber(role.inherits) + 1
} }
} }
@ -243,18 +254,29 @@ async function getAllUserRoles(
let currentRole = await getRole(userRoleId, opts) let currentRole = await getRole(userRoleId, opts)
let roles = currentRole ? [currentRole] : [] let roles = currentRole ? [currentRole] : []
let roleIds = [userRoleId] let roleIds = [userRoleId]
const rolesFound = (ids: string | string[]) => {
if (Array.isArray(ids)) {
return ids.filter(id => roleIds.includes(id)).length === ids.length
} else {
return roleIds.includes(ids)
}
}
// get all the inherited roles // get all the inherited roles
while ( while (
currentRole && currentRole &&
currentRole.inherits && currentRole.inherits &&
roleIds.indexOf(currentRole.inherits) === -1 !rolesFound(currentRole.inherits)
) { ) {
if (Array.isArray(currentRole.inherits)) {
// TODO: role inheritance
} else {
roleIds.push(currentRole.inherits) roleIds.push(currentRole.inherits)
currentRole = await getRole(currentRole.inherits) currentRole = await getRole(currentRole.inherits)
if (currentRole) { if (currentRole) {
roles.push(currentRole) roles.push(currentRole)
} }
} }
}
return roles return roles
} }

5
packages/server/src/api/controllers/role.ts
View File

@ -194,7 +194,10 @@ export async function accessible(ctx: UserCtx<void, AccessibleRolesResponse>) {
let filteredRoles = [roleHeader] let filteredRoles = [roleHeader]
for (let role of orderedRoles) { for (let role of orderedRoles) {
filteredRoles = [role, ...filteredRoles] filteredRoles = [role, ...filteredRoles]
if (role === inherits) { if (
(Array.isArray(inherits) && inherits.includes(role)) ||
role === inherits
) {
break break
} }
} }

182
packages/server/src/api/routes/tests/role.spec.js
View File

@ -1,182 +0,0 @@
const { roles, events, permissions } = require("@budibase/backend-core")
const setup = require("./utilities")
const { PermissionLevel } = require("@budibase/types")
const { basicRole } = setup.structures
const { BUILTIN_ROLE_IDS } = roles
const { BuiltinPermissionID } = permissions
describe("/roles", () => {
let request = setup.getRequest()
let config = setup.getConfig()
afterAll(setup.afterAll)
beforeAll(async () => {
await config.init()
})
const createRole = async role => {
if (!role) {
role = basicRole()
}
return request
.post(`/api/roles`)
.send(role)
.set(config.defaultHeaders())
.expect("Content-Type", /json/)
.expect(200)
}
describe("create", () => {
it("returns a success message when role is successfully created", async () => {
const role = basicRole()
const res = await createRole(role)
expect(res.body._id).toBeDefined()
expect(res.body._rev).toBeDefined()
expect(events.role.updated).not.toBeCalled()
expect(events.role.created).toBeCalledTimes(1)
expect(events.role.created).toBeCalledWith(res.body)
})
})
describe("update", () => {
it("updates a role", async () => {
const role = basicRole()
let res = await createRole(role)
jest.clearAllMocks()
res = await createRole(res.body)
expect(res.body._id).toBeDefined()
expect(res.body._rev).toBeDefined()
expect(events.role.created).not.toBeCalled()
expect(events.role.updated).toBeCalledTimes(1)
expect(events.role.updated).toBeCalledWith(res.body)
})
})
describe("fetch", () => {
beforeAll(async () => {
// Recreate the app
await config.init()
})
it("should list custom roles, plus 2 default roles", async () => {
const customRole = await config.createRole()
const res = await request
.get(`/api/roles`)
.set(config.defaultHeaders())
.expect("Content-Type", /json/)
.expect(200)
expect(res.body.length).toBe(5)
const adminRole = res.body.find(r => r._id === BUILTIN_ROLE_IDS.ADMIN)
expect(adminRole).toBeDefined()
expect(adminRole.inherits).toEqual(BUILTIN_ROLE_IDS.POWER)
expect(adminRole.permissionId).toEqual(BuiltinPermissionID.ADMIN)
const powerUserRole = res.body.find(r => r._id === BUILTIN_ROLE_IDS.POWER)
expect(powerUserRole).toBeDefined()
expect(powerUserRole.inherits).toEqual(BUILTIN_ROLE_IDS.BASIC)
expect(powerUserRole.permissionId).toEqual(BuiltinPermissionID.POWER)
const customRoleFetched = res.body.find(r => r._id === customRole.name)
expect(customRoleFetched).toBeDefined()
expect(customRoleFetched.inherits).toEqual(BUILTIN_ROLE_IDS.BASIC)
expect(customRoleFetched.permissionId).toEqual(
BuiltinPermissionID.READ_ONLY
)
})
it("should be able to get the role with a permission added", async () => {
const table = await config.createTable()
await config.api.permission.add({
roleId: BUILTIN_ROLE_IDS.POWER,
resourceId: table._id,
level: PermissionLevel.READ,
})
const res = await request
.get(`/api/roles`)
.set(config.defaultHeaders())
.expect("Content-Type", /json/)
.expect(200)
expect(res.body.length).toBeGreaterThan(0)
const power = res.body.find(role => role._id === BUILTIN_ROLE_IDS.POWER)
expect(power.permissions[table._id]).toEqual(["read"])
})
})
describe("destroy", () => {
it("should delete custom roles", async () => {
const customRole = await config.createRole({
name: "user",
permissionId: BuiltinPermissionID.READ_ONLY,
inherits: BUILTIN_ROLE_IDS.BASIC,
})
delete customRole._rev_tree
await request
.delete(`/api/roles/${customRole._id}/${customRole._rev}`)
.set(config.defaultHeaders())
.expect(200)
await request
.get(`/api/roles/${customRole._id}`)
.set(config.defaultHeaders())
.expect(404)
expect(events.role.deleted).toBeCalledTimes(1)
expect(events.role.deleted).toBeCalledWith(customRole)
})
})
describe("accessible", () => {
it("should be able to fetch accessible roles (with builder)", async () => {
const res = await request
.get("/api/roles/accessible")
.set(config.defaultHeaders())
.expect(200)
expect(res.body.length).toBe(5)
expect(typeof res.body[0]).toBe("string")
})
it("should be able to fetch accessible roles (basic user)", async () => {
const res = await request
.get("/api/roles/accessible")
.set(await config.basicRoleHeaders())
.expect(200)
expect(res.body.length).toBe(2)
expect(res.body[0]).toBe("BASIC")
expect(res.body[1]).toBe("PUBLIC")
})
it("should be able to fetch accessible roles (no user)", async () => {
const res = await request
.get("/api/roles/accessible")
.set(config.publicHeaders())
.expect(200)
expect(res.body.length).toBe(1)
expect(res.body[0]).toBe("PUBLIC")
})
it("should not fetch higher level accessible roles when a custom role header is provided", async () => {
await createRole({
name: `CUSTOM_ROLE`,
inherits: roles.BUILTIN_ROLE_IDS.BASIC,
permissionId: permissions.BuiltinPermissionID.READ_ONLY,
version: "name",
})
const res = await request
.get("/api/roles/accessible")
.set({
...config.defaultHeaders(),
"x-budibase-role": "CUSTOM_ROLE",
})
.expect(200)
expect(res.body.length).toBe(3)
expect(res.body[0]).toBe("CUSTOM_ROLE")
expect(res.body[1]).toBe("BASIC")
expect(res.body[2]).toBe("PUBLIC")
})
})
})

164
packages/server/src/api/routes/tests/role.spec.ts Normal file
View File

@ -0,0 +1,164 @@
import { roles, events, permissions } from "@budibase/backend-core"
import * as setup from "./utilities"
import { PermissionLevel } from "@budibase/types"
const { basicRole } = setup.structures
const { BUILTIN_ROLE_IDS } = roles
const { BuiltinPermissionID } = permissions
describe("/roles", () => {
let config = setup.getConfig()
afterAll(setup.afterAll)
beforeAll(async () => {
await config.init()
})
describe("create", () => {
it("returns a success message when role is successfully created", async () => {
const role = basicRole()
const res = await config.api.roles.save(role, {
status: 200,
})
expect(res._id).toBeDefined()
expect(res._rev).toBeDefined()
expect(events.role.updated).not.toHaveBeenCalled()
expect(events.role.created).toHaveBeenCalledTimes(1)
expect(events.role.created).toHaveBeenCalledWith(res)
})
})
describe("update", () => {
it("updates a role", async () => {
const role = basicRole()
let res = await config.api.roles.save(role, {
status: 200,
})
jest.clearAllMocks()
res = await config.api.roles.save(res, {
status: 200,
})
expect(res._id).toBeDefined()
expect(res._rev).toBeDefined()
expect(events.role.created).not.toHaveBeenCalled()
expect(events.role.updated).toHaveBeenCalledTimes(1)
expect(events.role.updated).toHaveBeenCalledWith(res)
})
})
describe("fetch", () => {
beforeAll(async () => {
// Recreate the app
await config.init()
})
it("should list custom roles, plus 2 default roles", async () => {
const customRole = await config.createRole()
const res = await config.api.roles.fetch({
status: 200,
})
expect(res.length).toBe(5)
const adminRole = res.find(r => r._id === BUILTIN_ROLE_IDS.ADMIN)
expect(adminRole).toBeDefined()
expect(adminRole!.inherits).toEqual(BUILTIN_ROLE_IDS.POWER)
expect(adminRole!.permissionId).toEqual(BuiltinPermissionID.ADMIN)
const powerUserRole = res.find(r => r._id === BUILTIN_ROLE_IDS.POWER)
expect(powerUserRole).toBeDefined()
expect(powerUserRole!.inherits).toEqual(BUILTIN_ROLE_IDS.BASIC)
expect(powerUserRole!.permissionId).toEqual(BuiltinPermissionID.POWER)
const customRoleFetched = res.find(r => r._id === customRole.name)
expect(customRoleFetched).toBeDefined()
expect(customRoleFetched!.inherits).toEqual(BUILTIN_ROLE_IDS.BASIC)
expect(customRoleFetched!.permissionId).toEqual(
BuiltinPermissionID.READ_ONLY
)
})
it("should be able to get the role with a permission added", async () => {
const table = await config.createTable()
await config.api.permission.add({
roleId: BUILTIN_ROLE_IDS.POWER,
resourceId: table._id!,
level: PermissionLevel.READ,
})
const res = await config.api.roles.fetch()
expect(res.length).toBeGreaterThan(0)
const power = res.find(role => role._id === BUILTIN_ROLE_IDS.POWER)
expect(power?.permissions[table._id!]).toEqual(["read"])
})
})
describe("destroy", () => {
it("should delete custom roles", async () => {
const customRole = await config.createRole({
name: "user",
permissionId: BuiltinPermissionID.READ_ONLY,
inherits: BUILTIN_ROLE_IDS.BASIC,
})
await config.api.roles.destroy(customRole, {
status: 200,
})
await config.api.roles.find(customRole._id!, {
status: 404,
})
expect(events.role.deleted).toHaveBeenCalledTimes(1)
expect(events.role.deleted).toHaveBeenCalledWith(customRole)
})
})
describe("accessible", () => {
it("should be able to fetch accessible roles (with builder)", async () => {
const res = await config.api.roles.accessible(config.defaultHeaders(), {
status: 200,
})
expect(res.length).toBe(5)
expect(typeof res[0]).toBe("string")
})
it("should be able to fetch accessible roles (basic user)", async () => {
const headers = await config.basicRoleHeaders()
const res = await config.api.roles.accessible(headers, {
status: 200,
})
expect(res.length).toBe(2)
expect(res[0]).toBe("BASIC")
expect(res[1]).toBe("PUBLIC")
})
it("should be able to fetch accessible roles (no user)", async () => {
const res = await config.api.roles.accessible(config.publicHeaders(), {
status: 200,
})
expect(res.length).toBe(1)
expect(res[0]).toBe("PUBLIC")
})
it("should not fetch higher level accessible roles when a custom role header is provided", async () => {
const customRoleName = "CUSTOM_ROLE"
await config.api.roles.save({
name: customRoleName,
inherits: roles.BUILTIN_ROLE_IDS.BASIC,
permissionId: permissions.BuiltinPermissionID.READ_ONLY,
version: "name",
})
const res = await config.api.roles.accessible(
{ "x-budibase-role": customRoleName },
{
status: 200,
}
)
expect(res.length).toBe(3)
expect(res[0]).toBe(customRoleName)
expect(res[1]).toBe("BASIC")
expect(res[2]).toBe("PUBLIC")
})
})
})

5
packages/server/src/api/routes/utils/validators.ts
View File

@ -226,7 +226,10 @@ export function roleValidator() {
) )
) )
.optional(), .optional(),
inherits: OPTIONAL_STRING, inherits: Joi.alternatives().try(
OPTIONAL_STRING,
Joi.array().items(OPTIONAL_STRING)
),
}).unknown(true) }).unknown(true)
) )
} }

1
packages/server/src/tests/utilities/TestConfiguration.ts
View File

@ -459,6 +459,7 @@ export default class TestConfiguration {
const headers: any = { const headers: any = {
Accept: "application/json", Accept: "application/json",
Cookie: "",
} }
if (appId) { if (appId) {
headers[constants.Header.APP_ID] = appId headers[constants.Header.APP_ID] = appId

11
packages/server/src/tests/utilities/api/role.ts
View File

@ -4,6 +4,7 @@ import {
FindRoleResponse, FindRoleResponse,
SaveRoleRequest, SaveRoleRequest,
SaveRoleResponse, SaveRoleResponse,
Role,
} from "@budibase/types" } from "@budibase/types"
import { Expectations, TestAPI } from "./base" import { Expectations, TestAPI } from "./base"
@ -27,14 +28,18 @@ export class RoleAPI extends TestAPI {
}) })
} }
destroy = async (roleId: string, expectations?: Expectations) => { destroy = async (role: Role, expectations?: Expectations) => {
return await this._delete(`/api/roles/${roleId}`, { return await this._delete(`/api/roles/${role._id}/${role._rev}`, {
expectations, expectations,
}) })
} }
accesssible = async (expectations?: Expectations) => { accessible = async (
headers: Record<string, string | string[]>,
expectations?: Expectations
) => {
return await this._get<AccessibleRolesResponse>(`/api/roles/accessible`, { return await this._get<AccessibleRolesResponse>(`/api/roles/accessible`, {
headers,
expectations, expectations,
}) })
} }

4
packages/server/src/tests/utilities/structures.ts
View File

@ -30,6 +30,7 @@ import {
BBReferenceFieldSubType, BBReferenceFieldSubType,
JsonFieldSubType, JsonFieldSubType,
AutoFieldSubType, AutoFieldSubType,
Role,
CreateViewRequest, CreateViewRequest,
} from "@budibase/types" } from "@budibase/types"
import { LoopInput } from "../../definitions/automations" import { LoopInput } from "../../definitions/automations"
@ -510,11 +511,12 @@ export function basicLinkedRow(
} }
} }
export function basicRole() { export function basicRole(): Role {
return { return {
name: `NewRole_${utils.newid()}`, name: `NewRole_${utils.newid()}`,
inherits: roles.BUILTIN_ROLE_IDS.BASIC, inherits: roles.BUILTIN_ROLE_IDS.BASIC,
permissionId: permissions.BuiltinPermissionID.READ_ONLY, permissionId: permissions.BuiltinPermissionID.READ_ONLY,
permissions: {},
version: "name", version: "name",
} }
} }

47
packages/shared-core/src/helpers/roles.ts Normal file
View File

@ -0,0 +1,47 @@
import { Role } from "@budibase/types"
// Function to detect loops in roles
export function checkForRoleInheritanceLoops(roles: Role[]): boolean {
const roleMap = new Map<string, Role>()
roles.forEach(role => {
roleMap.set(role._id!, role)
})
const checked = new Set<string>()
const checking = new Set<string>()
function hasLoop(roleId: string): boolean {
if (checking.has(roleId)) {
return true
}
if (checked.has(roleId)) {
return false
}
checking.add(roleId)
const role = roleMap.get(roleId)
if (!role) {
// role not found - ignore
checking.delete(roleId)
return false
}
const inherits = Array.isArray(role.inherits)
? role.inherits
: [role.inherits]
for (const inheritedId of inherits) {
if (inheritedId && hasLoop(inheritedId)) {
return true
}
}
// mark this role has been fully checked
checking.delete(roleId)
checked.add(roleId)
return false
}
return !!roles.find(role => hasLoop(role._id!))
}

61
packages/shared-core/src/helpers/tests/roles.spec.ts Normal file
View File

@ -0,0 +1,61 @@
import { checkForRoleInheritanceLoops } from "../roles"
import { Role } from "@budibase/types"
/**
* This unit test exists as this utility will be used in the frontend and backend, confirmation
* of its API and expected results is useful since the backend tests won't confirm it works
* exactly as the frontend needs it to - easy to add specific test cases here that the frontend
* might need to check/cover.
*/
interface TestRole extends Omit<Role, "_id"> {
_id: string
}
let allRoles: TestRole[] = []
function role(id: string, inherits: string | string[]): TestRole {
const role = {
_id: id,
inherits: inherits,
name: "ROLE",
permissionId: "PERMISSION",
permissions: {}, // not needed for this test
}
allRoles.push(role)
return role
}
describe("role utilities", () => {
let role1: TestRole, role2: TestRole
beforeEach(() => {
role1 = role("role_1", [])
role2 = role("role_2", [role1._id])
})
afterEach(() => {
allRoles = []
})
function check(hasLoop: boolean) {
const result = checkForRoleInheritanceLoops(allRoles)
expect(result).toBe(hasLoop)
}
describe("checkForRoleInheritanceLoops", () => {
it("should confirm no loops", () => {
check(false)
})
it("should confirm there is a loop", () => {
const role3 = role("role_3", [role2._id])
const role4 = role("role_4", [role3._id, role2._id, role1._id])
role3.inherits = [
...(Array.isArray(role3.inherits) ? role3.inherits : []),
role4._id,
]
check(true)
})
})
})

4
packages/types/src/api/web/role.ts
View File

@ -4,9 +4,9 @@ export interface SaveRoleRequest {
_id?: string _id?: string
_rev?: string _rev?: string
name: string name: string
inherits: string inherits?: string | string[]
permissionId: string permissionId: string
version: string version?: string
uiMetadata?: RoleUIMetadata uiMetadata?: RoleUIMetadata
} }

2
packages/types/src/documents/app/role.ts
View File

@ -9,7 +9,7 @@ export interface RoleUIMetadata {
export interface Role extends Document { export interface Role extends Document {
permissionId: string permissionId: string
inherits?: string inherits?: string | string[]
permissions: Record<string, PermissionLevel[]> permissions: Record<string, PermissionLevel[]>
version?: string version?: string
name: string name: string

6
packages/types/src/sdk/events/role.ts
View File

@ -3,19 +3,19 @@ import { BaseEvent } from "./event"
export interface RoleCreatedEvent extends BaseEvent { export interface RoleCreatedEvent extends BaseEvent {
roleId: string roleId: string
permissionId: string permissionId: string
inherits?: string inherits?: string | string[]
} }
export interface RoleUpdatedEvent extends BaseEvent { export interface RoleUpdatedEvent extends BaseEvent {
roleId: string roleId: string
permissionId: string permissionId: string
inherits?: string inherits?: string | string[]
} }
export interface RoleDeletedEvent extends BaseEvent { export interface RoleDeletedEvent extends BaseEvent {
roleId: string roleId: string
permissionId: string permissionId: string
inherits?: string inherits?: string | string[]
} }
export interface RoleAssignedEvent extends BaseEvent { export interface RoleAssignedEvent extends BaseEvent {