new permission model with write and delete

Author: vcarluer

src/main/kotlin/com/cosmotech/api/rbac/RolesDefinition.kt

@@ -13,48 +13,53 @@ const val ROLE_USER = "user"
 const val ROLE_NONE = "none"
 
 // apply same format rules for permission for consistency
-const val PERMISSION_READ_DATA = "read_data"
+const val PERMISSION_READ = "read"
 const val PERMISSION_READ_SECURITY = "read_security"
 const val PERMISSION_CREATE_CHILDREN = "create_children"
-const val PERMISSION_EDIT = "edit"
-const val PERMISSION_EDIT_SECURITY = "edit_security"
+const val PERMISSION_WRITE = "write"
+const val PERMISSION_WRITE_SECURITY = "write_security"
+const val PERMISSION_DELETE = "delete"
 const val PERMISSION_LAUNCH = "launch"
 const val PERMISSION_VALIDATE = "validate"
 
 val COMMON_ROLE_NONE_PERMISSIONS: List<String> = listOf()
-val COMMON_ROLE_READER_PERMISSIONS = listOf(PERMISSION_READ_DATA, PERMISSION_READ_SECURITY)
+val COMMON_ROLE_READER_PERMISSIONS = listOf(PERMISSION_READ, PERMISSION_READ_SECURITY)
 val COMMON_ROLE_USER_PERMISSIONS =
-    listOf(PERMISSION_READ_DATA, PERMISSION_READ_SECURITY, PERMISSION_CREATE_CHILDREN)
+    listOf(PERMISSION_READ, PERMISSION_READ_SECURITY, PERMISSION_CREATE_CHILDREN)
 val COMMON_ROLE_EDITOR_PERMISSIONS =
     listOf(
-        PERMISSION_READ_DATA, PERMISSION_READ_SECURITY, PERMISSION_CREATE_CHILDREN, PERMISSION_EDIT)
+        PERMISSION_READ, PERMISSION_READ_SECURITY, PERMISSION_CREATE_CHILDREN, PERMISSION_WRITE)
 val COMMON_ROLE_ADMIN_PERMISSIONS =
     listOf(
-        PERMISSION_READ_DATA,
+        PERMISSION_READ,
         PERMISSION_READ_SECURITY,
         PERMISSION_CREATE_CHILDREN,
-        PERMISSION_EDIT,
-        PERMISSION_EDIT_SECURITY)
+        PERMISSION_WRITE,
+        PERMISSION_WRITE_SECURITY,
+        PERMISSION_DELETE,
+      )
 
 // Scenario roles & permissions
-val SCENARIO_ROLE_VIEWER_PERMISSIONS = listOf(PERMISSION_READ_DATA, PERMISSION_READ_SECURITY)
+val SCENARIO_ROLE_VIEWER_PERMISSIONS = listOf(PERMISSION_READ, PERMISSION_READ_SECURITY)
 val SCENARIO_ROLE_EDITOR_PERMISSIONS =
-    listOf(PERMISSION_READ_DATA, PERMISSION_READ_SECURITY, PERMISSION_LAUNCH, PERMISSION_EDIT)
+    listOf(PERMISSION_READ, PERMISSION_READ_SECURITY, PERMISSION_LAUNCH, PERMISSION_WRITE)
 val SCENARIO_ROLE_VALIDATOR_PERMISSIONS =
     listOf(
-        PERMISSION_READ_DATA,
+        PERMISSION_READ,
         PERMISSION_READ_SECURITY,
         PERMISSION_LAUNCH,
-        PERMISSION_EDIT,
+        PERMISSION_WRITE,
         PERMISSION_VALIDATE)
 val SCENARIO_ROLE_ADMIN_PERMISSIONS =
     listOf(
-        PERMISSION_READ_DATA,
+        PERMISSION_READ,
         PERMISSION_READ_SECURITY,
         PERMISSION_LAUNCH,
-        PERMISSION_EDIT,
+        PERMISSION_WRITE,
         PERMISSION_VALIDATE,
-        PERMISSION_EDIT_SECURITY)
+        PERMISSION_WRITE_SECURITY,
+        PERMISSION_DELETE,
+      )
 
 @Component
 data class RolesDefinition(

src/test/kotlin/com/cosmotech/api/rbac/CsmRbacTests.kt

@@ -519,7 +519,7 @@ class CsmRbacTests {
   fun `add custom role definition`() {
     val definition = getCommonRolesDefinition()
     val customRole = "custom_role"
-    val customRolePermissions = listOf(PERMISSION_READ_DATA, "custom_permission")
+    val customRolePermissions = listOf(PERMISSION_READ, "custom_permission")
     definition.permissions.put(customRole, customRolePermissions)
     val expected: MutableMap<String, List<String>> =
         mutableMapOf(
@@ -538,7 +538,7 @@ class CsmRbacTests {
     val definition = getCommonRolesDefinition()
     val customRole = "custom_role"
     val customPermission = "custom_permission"
-    val customRolePermissions = listOf(PERMISSION_READ_DATA, customPermission)
+    val customRolePermissions = listOf(PERMISSION_READ, customPermission)
     definition.permissions.put(customRole, customRolePermissions)
     val rbacTest = CsmRbac(csmPlatformProperties, admin)
     rbacTest.setUserRole(rbacSecurity, USER_NEW_READER, customRole, definition)
@@ -553,7 +553,7 @@ class CsmRbacTests {
     val rbacTest = CsmRbac(csmPlatformProperties, admin)
     rbacTest.setUserRole(rbacSecurity, USER_READER, ROLE_VIEWER, definition)
     every { securityContext.authentication } returns (userAuthentication as Authentication)
-    assertTrue(rbacTest.check(rbacSecurity, PERMISSION_READ_DATA, USER_READER, definition))
+    assertTrue(rbacTest.check(rbacSecurity, PERMISSION_READ, USER_READER, definition))
   }
 
   @Test
@@ -567,7 +567,7 @@ class CsmRbacTests {
                 RbacAccessControl(USER_READER, ROLE_VIEWER),
             ))
     every { securityContext.authentication } returns (userAuthentication as Authentication)
-    assertTrue(rbacTest.check(rbacSecurity, PERMISSION_READ_DATA, USER_READER, definition))
+    assertTrue(rbacTest.check(rbacSecurity, PERMISSION_READ, USER_READER, definition))
   }
 
   @Test
@@ -581,7 +581,7 @@ class CsmRbacTests {
                 RbacAccessControl(USER_WRITER, ROLE_EDITOR),
             ))
     every { securityContext.authentication } returns (userAuthentication as Authentication)
-    assertTrue(rbacTest.check(rbacSecurity, PERMISSION_READ_DATA, USER_READER, definition))
+    assertTrue(rbacTest.check(rbacSecurity, PERMISSION_READ, USER_READER, definition))
   }
 
   @Test
@@ -595,7 +595,7 @@ class CsmRbacTests {
                 RbacAccessControl(USER_WRITER, ROLE_EDITOR),
             ))
     every { securityContext.authentication } returns (userAuthentication as Authentication)
-    assertFalse(rbacTest.check(rbacSecurity, PERMISSION_EDIT_SECURITY, USER_READER, definition))
+    assertFalse(rbacTest.check(rbacSecurity, PERMISSION_WRITE_SECURITY, USER_READER, definition))
   }
 
   @Test
@@ -624,7 +624,7 @@ class CsmRbacTests {
                 RbacAccessControl(USER_WRITER, ROLE_EDITOR),
             ))
     every { securityContext.authentication } returns (userAuthentication as Authentication)
-    assertTrue(rbacTest.check(rbacSecurity, PERMISSION_EDIT, USER_WRITER, definition))
+    assertTrue(rbacTest.check(rbacSecurity, PERMISSION_WRITE, USER_WRITER, definition))
   }
 
   @Test
@@ -638,7 +638,7 @@ class CsmRbacTests {
                 RbacAccessControl(USER_MAIL_TOKEN, ROLE_EDITOR),
             ))
     every { securityContext.authentication } returns (userAuthentication as Authentication)
-    assertDoesNotThrow { rbacTest.verify(rbacSecurity, PERMISSION_EDIT, definition) }
+    assertDoesNotThrow { rbacTest.verify(rbacSecurity, PERMISSION_WRITE, definition) }
   }
 
   @Test
@@ -652,7 +652,7 @@ class CsmRbacTests {
                 RbacAccessControl(USER_WRITER, ROLE_EDITOR),
             ))
     every { securityContext.authentication } returns (userAuthentication as Authentication)
-    assertTrue(rbacTest.check(rbacSecurity, PERMISSION_EDIT, USER_WRITER, definition))
+    assertTrue(rbacTest.check(rbacSecurity, PERMISSION_WRITE, USER_WRITER, definition))
   }
 
   @Test