Add new endpoint checkpermissions #2047

Merged

@hu-ahmed hu-ahmed commented Oct 21, 2024

fixes #1137

This PR introduces the implementation of the /checkPermissions endpoint in Ditto’s API, enhancing the authorization model by allowing permission checks on thing, message, and policy resources without modifying them. This endpoint validates whether specified entities have the required permissions for resources, returning authorization statuses in the response. This feature is particularly beneficial for UI-driven applications that rely on dynamic permission-based display logic, where interface elements can be enabled or disabled based on user access rights. Documentation includes usage examples, request structure, and response details.

Example Request
A POST request to /checkPermissions to verify permissions for multiple entities:

{
  "lamp_reader": {
    "resource": "thing:/features/lamp/properties/on",
    "entityId": "org.eclipse.ditto:some-thing-1",
    "hasPermissions": ["READ"]
  },
  "lamp_toggler": {
    "resource": "message:/features/lamp/inbox/messages/toggle",
    "entityId": "org.eclipse.ditto:some-thing-1",
    "hasPermissions": ["WRITE"]
  },
  "policy_admin": {
    "resource": "policy:/",
    "entityId": "org.eclipse.ditto:some-policy-1",
    "hasPermissions": ["READ", "WRITE"]
  }
}

Example Response

{
  "lamp_reader": true,
  "lamp_toggler": false,
  "policy_admin": true
}
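A client-side sketch of the request and response shapes from the PR description above, added here and not part of the PR or Ditto's code: it validates each check before it is sent and treats any missing or non-boolean result as denied when gating UI elements. The function names and the validation rules (resource prefixes, READ/WRITE only, namespaced entityId) are assumptions drawn from the example payloads.

```javascript
// Added example; all names are hypothetical and not Ditto client API.
const RESOURCE_TYPES = ["thing", "message", "policy"]; // resource types named in the PR text
const PERMISSIONS = ["READ", "WRITE"]; // values seen in the PR example (assumed complete)

// Validate the checks and build the JSON body for POST /checkPermissions.
function buildPermissionCheck(checks) {
  const body = {};
  for (const [label, c] of Object.entries(checks)) {
    const m = /^([a-z]+):\//.exec(c.resource || "");
    if (!m || !RESOURCE_TYPES.includes(m[1])) {
      throw new Error(`${label}: resource must start with thing:/, message:/ or policy:/`);
    }
    if (typeof c.entityId !== "string" || !c.entityId.includes(":")) {
      throw new Error(`${label}: entityId must look like namespace:name`);
    }
    const perms = c.hasPermissions;
    if (!Array.isArray(perms) || perms.length === 0 ||
        !perms.every((p) => PERMISSIONS.includes(p))) {
      throw new Error(`${label}: hasPermissions must be a non-empty list of ${PERMISSIONS}`);
    }
    body[label] = { resource: c.resource, entityId: c.entityId, hasPermissions: [...perms] };
  }
  return body;
}

// Map a response onto the labels that were requested, failing closed:
// only a literal `true` enables an element; unrequested labels are ignored.
function interpretPermissionResponse(requestBody, response) {
  const usable = response !== null && typeof response === "object";
  const decisions = {};
  for (const label of Object.keys(requestBody)) {
    decisions[label] = usable &&
      Object.prototype.hasOwnProperty.call(response, label) &&
      response[label] === true;
  }
  return decisions;
}

// Constructed sample: the three checks from the PR description.
const sampleRequest = buildPermissionCheck({
  lamp_reader: { resource: "thing:/features/lamp/properties/on",
    entityId: "org.eclipse.ditto:some-thing-1", hasPermissions: ["READ"] },
  lamp_toggler: { resource: "message:/features/lamp/inbox/messages/toggle",
    entityId: "org.eclipse.ditto:some-thing-1", hasPermissions: ["WRITE"] },
  policy_admin: { resource: "policy:/",
    entityId: "org.eclipse.ditto:some-policy-1", hasPermissions: ["READ", "WRITE"] },
});
// Constructed malformed response: a string instead of a boolean, one label
// missing, and one label that was never requested.
const sampleResponse = { lamp_reader: true, lamp_toggler: "true", extra: true };
console.log(interpretPermissionResponse(sampleRequest, sampleResponse));
```
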

@hu-ahmed hu-ahmed marked this pull request as draft October 21, 2024 07:34
@hu-ahmed hu-ahmed force-pushed the add-permission-availability-api branch from d9de88f to aec95e4 Compare October 21, 2024 07:39
@thjaeckle thjaeckle added this to the 3.7.0 milestone Oct 21, 2024

@thjaeckle thjaeckle left a comment

Thanks a lot @hu-ahmed for the PR.
Functionality already looks good, I had a first look and did some inline comments.

We should definitely add some unit tests as well for this feature (model classes + for the actor + for the HTTP route).
Javadoc has to be added for every public class/method, etc. .. so choose wisely what to make "public" and what not ;)

@thjaeckle thjaeckle left a comment

Great progress, @hu-ahmed - thanks a lot. 👍
I did another round of review and provided feedback inline, please have a look :)

@hu-ahmed hu-ahmed force-pushed the add-permission-availability-api branch from d6d9d0e to 7588065 Compare October 28, 2024 20:35
@hu-ahmed hu-ahmed marked this pull request as ready for review October 29, 2024 09:30
@hu-ahmed hu-ahmed marked this pull request as draft October 29, 2024 09:54

@thjaeckle thjaeckle left a comment

Added some remarks for the added documentation.

@thjaeckle thjaeckle left a comment

Some few minor fixes needed ..

@hu-ahmed hu-ahmed marked this pull request as ready for review October 31, 2024 07:41
@thjaeckle

@hu-ahmed changes look good to me 👍 Thanks a lot for your patience.

Looking forward to a system test: https://github.com/eclipse-ditto/ditto-testing

@thjaeckle thjaeckle merged commit df6f261 into eclipse-ditto:master Nov 6, 2024
3 checks passed
Successfully merging this pull request may close these issues.

Introduce policy decision API