Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor(database,authorization,grpc-sdk): Mongo authz query aggregations #657

Open
wants to merge 14 commits into
base: main
Choose a base branch
from
Open

refactor(database,authorization,grpc-sdk): Mongo authz query aggregations #657

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
e96b725
refactor(database,authorization,grpc-sdk): refactor views in mongoose…
ChrisPdgn Jul 6, 2023
c3ac320
refactor(database): wip add authenticated aggregation pipeline
ChrisPdgn Jul 6, 2023
bec5e79
refactor(database): refactor views with authorized query
ChrisPdgn Jul 10, 2023
29c7ca1
Merge branch 'main' into refactor-views
ChrisPdgn Jul 10, 2023
282155e
Merge branch 'main' into refactor-views
ChrisPdgn Jul 14, 2023
dd953b5
Merge branch 'main' into refactor-views
kkopanidis Nov 9, 2023
03aa316
Merge branch 'main' into refactor-views
kon14 Nov 20, 2023
8ca2daf
chore(authentication,database): housekeeping
kon14 Nov 20, 2023
765a5c7
fix(authorization): unrebased mongo access list query
kon14 Nov 20, 2023
4e364cf
Merge branch 'main' into refactor-views
kkopanidis Nov 21, 2023
664c841
Merge branch 'main' into refactor-views
kon14 Nov 24, 2023
a51eeb5
fix(database): mongo schema invalid authz query checks, descriptive e…
kon14 Nov 24, 2023
375adeb
fix(database): query types, Authz check condition cleanups (#817)
kon14 Nov 24, 2023
f5c1d19
Merge branch 'main' into refactor-views
kkopanidis Nov 24, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
4 changes: 4 additions & 0 deletions libraries/grpc-sdk/src/modules/authorization/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,11 +69,15 @@
return this.client!.removePermission(data);
}

getAllowedResources(data: AllowedResourcesRequest): Promise<AllowedResourcesResponse> {

Check notice on line 72 in libraries/grpc-sdk/src/modules/authorization/index.ts

View check run for this annotation

codefactor.io / CodeFactor

libraries/grpc-sdk/src/modules/authorization/index.ts#L72 

Unexpected any. Specify a different type. (@typescript-eslint/no-explicit-any)
return this.client!.getAllowedResources(data);
}

createResourceAccessList(data: ResourceAccessListRequest): Promise<Empty> {
return this.client!.createResourceAccessList(data);
}

getAuthorizedQuery(data: ResourceAccessListRequest): Promise<any> {
return this.client!.getAuthorizedQuery(data).then(r => JSON.parse(r.query));
}
}
15 changes: 15 additions & 0 deletions modules/authorization/src/Authorization.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ import {
Decision,
DeleteResourceRequest,
FindRelationRequest,
GetAuthorizedQueryResponse,
PermissionCheck,
PermissionRequest,
Relation,
Expand Down Expand Up @@ -55,6 +56,7 @@ export default class Authorization extends ManagedModule<Config> {
getAllowedResources: this.getAllowedResources.bind(this),
can: this.can.bind(this),
createResourceAccessList: this.createResourceAccessList.bind(this),
getAuthorizedQuery: this.getAuthorizedQuery.bind(this),
},
};
protected metricsSchema = metricsSchema;
Expand Down Expand Up @@ -205,6 +207,19 @@ export default class Authorization extends ManagedModule<Config> {
callback(null);
}

async getAuthorizedQuery(
call: GrpcRequest<ResourceAccessListRequest>,
callback: GrpcResponse<GetAuthorizedQueryResponse>,
) {
const { subject, action, resourceType } = call.request;
const query = await this.permissionsController.getAuthorizedQuery(
subject,
action,
resourceType,
);
callback(null, { query: JSON.stringify(query) });
}

async can(call: GrpcRequest<PermissionCheck>, callback: GrpcResponse<Decision>) {
const { subject, resource, actions } = call.request;
let allow = false;
Expand Down
5 changes: 5 additions & 0 deletions modules/authorization/src/authorization.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,10 @@ message AllowedResourcesResponse {
int32 count = 2;
}

message GetAuthorizedQueryResponse {
string query = 1;
}

message ResourceAccessListRequest {
string subject = 1;
string action = 2;
Expand Down Expand Up @@ -101,4 +105,5 @@ service Authorization {
rpc Can(PermissionCheck) returns (Decision);
rpc GetAllowedResources(AllowedResourcesRequest) returns (AllowedResourcesResponse);
rpc CreateResourceAccessList(ResourceAccessListRequest) returns (google.protobuf.Empty);
rpc GetAuthorizedQuery(ResourceAccessListRequest) returns (GetAuthorizedQueryResponse);
}
145 changes: 29 additions & 116 deletions modules/authorization/src/controllers/permissions.controller.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
import ConduitGrpcSdk from '@conduitplatform/grpc-sdk';
import {
AccessListQueryParams,
checkRelation,
computePermissionTuple,
getMongoAccessListQuery,
getPostgresAccessListQuery,
getSQLAccessListQuery,
} from '../utils';
Expand Down Expand Up @@ -65,21 +67,21 @@ export class PermissionsController {
}
// if the actor is the object itself, all permissions are provided
if (subject === object) {
await RuleCache.storeResolution(this.grpcSdk, computedTuple, true);
RuleCache.storeResolution(this.grpcSdk, computedTuple, true);
return true;
}

const permission = await Permission.getInstance().findOne({
computedTuple,
});
if (permission) {
await RuleCache.storeResolution(this.grpcSdk, computedTuple, true);
RuleCache.storeResolution(this.grpcSdk, computedTuple, true);
return true;
}

const index = await this.indexController.findIndex(subject, action, object);

await RuleCache.storeResolution(this.grpcSdk, computedTuple, index ?? false);
RuleCache.storeResolution(this.grpcSdk, computedTuple, index ?? false);

return index ?? false;
}
Expand Down Expand Up @@ -128,124 +130,35 @@ export class PermissionsController {
}

async createAccessList(subject: string, action: string, objectType: string) {
const computedTuple = `${subject}#${action}@${objectType}`;
const objectTypeCollection = await this.grpcSdk
.database!.getSchema(objectType)
.then(r => r.collectionName);
const dbType = await this.grpcSdk.database!.getDatabaseType().then(r => r.result);
const query = await this.getAuthorizedQuery(subject, action, objectType);
await this.grpcSdk.database?.createView(
objectType,
createHash('sha256').update(`${objectType}_${subject}_${action}`).digest('hex'),
['Permission', 'ActorIndex', 'ObjectIndex'],
{
mongoQuery: [
// permissions lookup won't work this way
{
$lookup: {
from: 'cnd_permissions',
let: { x_id: { $toString: '$_id' } },
pipeline: [
{
$match: {
$expr: {
$eq: [
'$computedTuple',
{ $concat: [`${subject}#${action}@${objectType}:`, '$$x_id'] },
],
},
},
},
],
as: 'permissions',
},
},
{
$lookup: {
from: 'cnd_actorindexes',
let: {
subject: subject,
},
pipeline: [
{
$match: {
$expr: {
$eq: ['$subject', '$$subject'],
},
},
},
],
as: 'actors',
},
},
{
$lookup: {
from: 'cnd_objectindexes',
let: {
id_action: {
$concat: [`${objectType}:`, { $toString: '$_id' }, `#${action}`],
},
entities: '$actors.entity',
},
pipeline: [
{
$match: {
$and: [
{
$expr: {
$eq: ['$subject', '$$id_action'],
},
},
{
$expr: {
$in: ['$entity', '$$entities'],
},
},
],
},
},
],
as: 'intersection',
},
},
{
$match: {
$or: [
{
'intersection.0': { $exists: true },
},
{
'permissions.0': { $exists: true },
},
],
},
},
{
$project: {
actors: 0,
objects: 0,
permissions: 0,
intersection: 0,
},
},
],
sqlQuery:
dbType === 'PostgreSQL'
? getPostgresAccessListQuery(
objectTypeCollection,
computedTuple,
subject,
objectType,
action,
)
: getSQLAccessListQuery(
objectTypeCollection,
computedTuple,
subject,
objectType,
action,
),
},
query,
);
return;
}

async getAuthorizedQuery(subject: string, action: string, objectType: string) {
const computedTuple = `${subject}#${action}@${objectType}`;
const objectTypeCollection = await this.grpcSdk
.database!.getSchema(objectType)
.then(r => r.collectionName);
const dbType = await this.grpcSdk.database!.getDatabaseType().then(r => r.result);
const params: AccessListQueryParams = {
objectTypeCollection,
computedTuple,
subject,
objectType,
action,
};
return {
mongoQuery: getMongoAccessListQuery(params),
sqlQuery:
dbType === 'PostgreSQL'
? getPostgresAccessListQuery(params)
: getSQLAccessListQuery(params),
};
}
}