feat: support grant dependencies

goto · Dec 3, 2024 · 80ce978 · 80ce978
1 parent d95c75c
commit 80ce978
Show file tree

Hide file tree

Showing 6 changed files with 255 additions and 29 deletions.
diff --git a/core/appeal/mocks/providerService.go b/core/appeal/mocks/providerService.go
diff --git a/core/appeal/service.go b/core/appeal/service.go
@@ -83,6 +83,7 @@ type providerService interface {
 	ValidateAppeal(context.Context, *domain.Appeal, *domain.Provider, *domain.Policy) error
 	GetPermissions(context.Context, *domain.ProviderConfig, string, string) ([]interface{}, error)
 	IsExclusiveRoleAssignment(context.Context, string, string) bool
+	GetDependencyGrants(context.Context, domain.Grant) ([]*domain.Grant, error)
 }
 
 //go:generate mockery --name=resourceService --exported --with-expecter
@@ -1489,15 +1490,46 @@ func (s *Service) GrantAccessToProvider(ctx context.Context, a *domain.Appeal, o
 		}
 	}
 
-	g := a.Grant
 	appealCopy := *a
 	appealCopy.Grant = nil
-	g.Appeal = &appealCopy
-	if err := s.providerService.GrantAccess(ctx, *a.Grant); err != nil {
+	grantWithAppeal := *a.Grant
+	grantWithAppeal.Appeal = &appealCopy
+
+	// grant access dependencies (if any)
+	dependencyGrants, err := s.providerService.GetDependencyGrants(ctx, grantWithAppeal)
+	if err != nil {
+		return fmt.Errorf("getting grant dependencies: %w", err)
+	}
+	for _, dg := range dependencyGrants {
+		activeGrants, err := s.grantService.List(ctx, domain.ListGrantsFilter{
+			Statuses:     []string{string(domain.GrantStatusActive)},
+			AccountIDs:   []string{dg.AccountID},
+			AccountTypes: []string{dg.AccountType},
+			ResourceIDs:  []string{dg.Resource.ID},
+			Permissions:  dg.Permissions,
+			Size:         1,
+		})
+		if err != nil {
+			return fmt.Errorf("failed to get existing active grant dependency: %w", err)
+		}
+
+		if len(activeGrants) > 0 {
+			break
+		}
+
+		dg.Appeal = &appealCopy
+		if err := s.providerService.GrantAccess(ctx, *dg); err != nil {
+			return fmt.Errorf("failed to grant an access dependency: %w", err)
+		}
+		// TODO: store grant to db
+	}
+
+	// grant main access
+	if err := s.providerService.GrantAccess(ctx, grantWithAppeal); err != nil {
 		return fmt.Errorf("granting access: %w", err)
 	}
-	g.Appeal = nil
 
+	grantWithAppeal.Appeal = nil
 	return nil
 }
 

diff --git a/core/provider/service.go b/core/provider/service.go
@@ -56,6 +56,10 @@ type assignmentTyper interface {
 	IsExclusiveRoleAssignment(context.Context) bool
 }
 
+type grantDependenciesResolver interface {
+	GetDependencyGrants(context.Context, domain.Provider, domain.Grant) ([]*domain.Grant, error)
+}
+
 //go:generate mockery --name=resourceService --exported --with-expecter
 type resourceService interface {
 	Find(context.Context, domain.ListResourcesFilter) ([]*domain.Resource, error)
@@ -569,6 +573,49 @@ func (s *Service) IsExclusiveRoleAssignment(ctx context.Context, providerType, r
 	return false
 }
 
+func (s *Service) GetDependencyGrants(ctx context.Context, g domain.Grant) ([]*domain.Grant, error) {
+	client := s.getClient(g.Resource.ProviderType)
+	if client == nil {
+		return nil, ErrInvalidProviderType
+	}
+
+	c, ok := client.(grantDependenciesResolver)
+	if !ok {
+		return nil, nil
+	}
+
+	p, err := s.getProviderConfig(ctx, g.Resource.ProviderType, g.Resource.ProviderURN)
+	if err != nil {
+		return nil, err
+	}
+
+	dependencies, err := c.GetDependencyGrants(ctx, *p, g)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, d := range dependencies {
+		resources, err := s.resourceService.Find(ctx, domain.ListResourcesFilter{
+			ProviderType: d.Resource.ProviderType,
+			ProviderURN:  d.Resource.ProviderURN,
+			ResourceType: d.Resource.Type,
+			ResourceURN:  d.Resource.URN,
+			Size:         1,
+		})
+		if err != nil {
+			return nil, fmt.Errorf("unable to resolve resource %q for grant dependency: %w", d.Resource.URN, err)
+		}
+		if len(resources) == 0 {
+			return nil, fmt.Errorf("unable to resolve resource %q for grant dependency: not found", d.Resource.URN)
+		}
+
+		d.ResourceID = resources[0].ID
+		d.Resource = resources[0]
+	}
+
+	return dependencies, nil
+}
+
 func (s *Service) fetchNewResources(ctx context.Context, p *domain.Provider) ([]*domain.Resource, int, error) {
 	c := s.getClient(p.Type)
 	if c == nil {

diff --git a/domain/provider.go b/domain/provider.go
@@ -84,6 +84,13 @@ func (pc ProviderConfig) GetResourceTypes() (resourceTypes []string) {
 	return
 }
 
+func (pc ProviderConfig) GetParameterKeys() (keys []string) {
+	for _, param := range pc.Parameters {
+		keys = append(keys, param.Key)
+	}
+	return
+}
+
 func (pc ProviderConfig) GetFilterForResourceType(resourceType string) string {
 	for _, resource := range pc.Resources {
 		if resource.Type == resourceType {

diff --git a/plugins/providers/maxcompute/config.go b/plugins/providers/maxcompute/config.go
@@ -17,6 +17,8 @@ const (
 	resourceTypeTable   = "table"
 
 	parameterRAMRoleKey = "ram_role"
+
+	projectPermissionMember = "member"
 )
 
 var (