Permission control service for saved objects (opensearch-project#63)
* feat: move permission control to saved objects directory Signed-off-by: SuZhou-Joe <suzhou@amazon.com> * feat: use bulkGetObjects and fix unit test Signed-off-by: SuZhou-Joe <suzhou@amazon.com> * feat: add http routes for validate & list Signed-off-by: SuZhou-Joe <suzhou@amazon.com> * feat: move permissionModes to common place Signed-off-by: SuZhou-Joe <suzhou@amazon.com> * feat: rename routes Signed-off-by: SuZhou-Joe <suzhou@amazon.com> * feat: some side effects Signed-off-by: SuZhou-Joe <suzhou@amazon.com> * feat: some side effects Signed-off-by: SuZhou-Joe <suzhou@amazon.com> --------- Signed-off-by: SuZhou-Joe <suzhou@amazon.com>
1 parent
fbd1155
commit d27bcc4
Showing
15 changed files
with
273 additions
and
62 deletions.
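--- a/src/core/server/saved_objects/permission_control/client.mock.ts
+++ b/src/core/server/saved_objects/permission_control/client.mock.ts
@@ -0,0 +1,15 @@
+/*
+* Copyright OpenSearch Contributors
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+import { SavedObjectsPermissionControlContract } from './client';
+
+export const savedObjectsPermissionControlMock: SavedObjectsPermissionControlContract = {
+setup: jest.fn(),
+validate: jest.fn(),
+addPrinciplesToObjects: jest.fn(),
+removePrinciplesFromObjects: jest.fn(),
+getPrinciplesOfObjects: jest.fn(),
+getPermittedWorkspaceIds: jest.fn(),
+};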
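--- a/src/core/server/saved_objects/permission_control/client.ts
+++ b/src/core/server/saved_objects/permission_control/client.ts
@@ -0,0 +1,83 @@
+/*
+* Copyright OpenSearch Contributors
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+import { OpenSearchDashboardsRequest } from '../../http';
+import { SavedObjectsServiceStart } from '../saved_objects_service';
+import { SavedObjectsBulkGetObject } from '../service';
+
+export type SavedObjectsPermissionControlContract = Pick<
+SavedObjectsPermissionControl,
+keyof SavedObjectsPermissionControl
+>;
+
+export type SavedObjectsPermissionModes = string[];
+
+export class SavedObjectsPermissionControl {
+private getScopedClient?: SavedObjectsServiceStart['getScopedClient'];
+private getScopedSavedObjectsClient(request: OpenSearchDashboardsRequest) {
+return this.getScopedClient?.(request);
+}
+private async bulkGetSavedObjects(
+request: OpenSearchDashboardsRequest,
+savedObjects: SavedObjectsBulkGetObject[]
+) {
+return (
+(await this.getScopedSavedObjectsClient(request)?.bulkGet(savedObjects))?.saved_objects || []
+);
+}
+public async setup(getScopedClient: SavedObjectsServiceStart['getScopedClient']) {
+this.getScopedClient = getScopedClient;
+}
+public async validate(
+request: OpenSearchDashboardsRequest,
+savedObject: SavedObjectsBulkGetObject,
+permissionModeOrModes: SavedObjectsPermissionModes
+) {
+const savedObjectsGet = await this.bulkGetSavedObjects(request, [savedObject]);
+if (savedObjectsGet) {
+return {
+success: true,
+result: true,
+};
+}
+
+return {
+success: true,
+result: false,
+};
+}
+
+public async addPrinciplesToObjects(
+request: OpenSearchDashboardsRequest,
+savedObjects: SavedObjectsBulkGetObject[],
+personas: string[],
+permissionModeOrModes: SavedObjectsPermissionModes
+): Promise<boolean> {
+return true;
+}
+
+public async removePrinciplesFromObjects(
+request: OpenSearchDashboardsRequest,
+savedObjects: SavedObjectsBulkGetObject[],
+personas: string[],
+permissionModeOrModes: SavedObjectsPermissionModes
+): Promise<boolean> {
+return true;
+}
+
+public async getPrinciplesOfObjects(
+request: OpenSearchDashboardsRequest,
+savedObjects: SavedObjectsBulkGetObject[]
+): Promise<Record<string, unknown>> {
+return {};
+}
+
+public async getPermittedWorkspaceIds(
+request: OpenSearchDashboardsRequest,
+permissionModeOrModes: SavedObjectsPermissionModes
+) {
+return [];
+}
+}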
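Review bot: validate() answers `result: true` for every request, because bulkGetSavedObjects() falls back to `[]` and an empty array is truthy, so the `if (savedObjectsGet)` branch is always taken and `permissionModeOrModes` is never consulted; anything that wires this into an access decision is fail-open. At minimum the existence test should be `if (savedObjectsGet.length > 0 && !savedObjectsGet[0].error)`, since bulkGet normally reports a missing or forbidden object as an entry carrying an `error` rather than by omitting it (confirm against the saved objects client). addPrinciplesToObjects and removePrinciplesFromObjects likewise return `true` without touching anything; until the real implementation lands these stubs should fail closed and carry a comment such as `// TODO(stub): permission modes are not evaluated yet — do not use as an authorization gate`. Also `setup` is declared `async` but only assigns a field, so callers that await it gain nothing; dropping `async` or documenting why it is asynchronous would help.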
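--- a/src/core/server/saved_objects/permission_control/routes/index.ts
+++ b/src/core/server/saved_objects/permission_control/routes/index.ts
@@ -0,0 +1,20 @@
+/*
+* Copyright OpenSearch Contributors
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+import { InternalHttpServiceSetup } from '../../../http';
+import { SavedObjectsPermissionControlContract } from '../client';
+import { registerValidateRoute } from './validate';
+
+export function registerPermissionCheckRoutes({
+http,
+permissionControl,
+}: {
+http: InternalHttpServiceSetup;
+permissionControl: SavedObjectsPermissionControlContract;
+}) {
+const router = http.createRouter('/api/saved_objects_permission_control/');
+
+registerValidateRoute(router, permissionControl);
+}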
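Review bot: registerListRoute from ./principles is never registered here, so the `/principles` endpoint that the commit message says was added ("add http routes for validate & list") is unreachable; either add `import { registerListRoute } from './principles';` and `registerListRoute(router, permissionControl);` after the validate registration, or drop the unused module so nobody assumes it is live. Nothing on these routes asserts an authenticated caller; the only access control visible in this diff is the request-scoped saved objects client inside the service, so a comment on registerPermissionCheckRoutes stating that these endpoints rely on the scoped client (and on whatever the core HTTP layer enforces) would make that dependency explicit for the next reviewer.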
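--- a/src/core/server/saved_objects/permission_control/routes/principles.ts
+++ b/src/core/server/saved_objects/permission_control/routes/principles.ts
@@ -0,0 +1,33 @@
+/*
+* Copyright OpenSearch Contributors
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+import { schema } from '@osd/config-schema';
+import { IRouter } from '../../../http';
+import { SavedObjectsPermissionControlContract } from '../client';
+
+export const registerListRoute = (
+router: IRouter,
+permissionControl: SavedObjectsPermissionControlContract
+) => {
+router.post(
+{
+path: '/principles',
+validate: {
+body: schema.object({
+objects: schema.arrayOf(
+schema.object({
+type: schema.string(),
+id: schema.string(),
+})
+),
+}),
+},
+},
+router.handleLegacyErrors(async (context, req, res) => {
+const result = await permissionControl.getPrinciplesOfObjects(req, req.body.objects);
+return res.ok({ body: result });
+})
+);
+};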
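Review bot: the handler returns whatever getPrinciplesOfObjects yields for any list of `{ type, id }` the caller supplies, with no cap on the array and no check that the requester may read those objects; once the service is implemented this would let any caller enumerate who has access to arbitrary saved objects. Bound the input with `schema.arrayOf(..., { maxSize: <limit> })` if the config-schema version in use supports it, and scope the lookup to objects the requester can read (the scoped client is already reachable through `req`). Today the service is a stub and the route always answers `{}`, so a comment on the handler such as `// NOTE: getPrinciplesOfObjects is a stub and currently returns {}` would save the next reader a round trip.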
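--- a/src/core/server/saved_objects/permission_control/routes/validate.ts
+++ b/src/core/server/saved_objects/permission_control/routes/validate.ts
@@ -0,0 +1,40 @@
+/*
+* Copyright OpenSearch Contributors
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+import { schema } from '@osd/config-schema';
+import { IRouter } from '../../../http';
+import { SavedObjectsPermissionControlContract } from '../client';
+
+export const registerValidateRoute = (
+router: IRouter,
+permissionControl: SavedObjectsPermissionControlContract
+) => {
+router.post(
+{
+path: '/validate/{type}/{id}',
+validate: {
+params: schema.object({
+type: schema.string(),
+id: schema.string(),
+}),
+body: schema.object({
+permissionModes: schema.arrayOf(schema.string()),
+}),
+},
+},
+router.handleLegacyErrors(async (context, req, res) => {
+const { type, id } = req.params;
+const result = await permissionControl.validate(
+req,
+{
+type,
+id,
+},
+req.body.permissionModes
+);
+return res.ok({ body: result });
+})
+);
+};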
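Review bot: `permissionModes` is accepted as any array of strings, even though the commit message says the permission modes were moved to a common place; validating against that set (for example `schema.arrayOf(schema.oneOf([schema.literal('read'), ...]))` with the actual mode names from the common module) rejects typos and unknown modes at the boundary instead of silently passing them into validate(). The response forwards `{ success, result }` from a validate() that, as written in client.ts, reports `result: true` for every request, so a 200 from this route must not be read as an authorization decision yet; a handler comment saying `// NOTE: validate() is a stub — result does not reflect real permission checks` would prevent that. An empty `permissionModes` array also passes validation; if at least one mode is required, `schema.arrayOf(..., { minSize: 1 })` expresses it, assuming the config-schema in use supports the option.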