feat: ABAC accessors

flanksource · Sep 25, 2024 · a8fa7b1 · a8fa7b1
1 parent d684c03
commit a8fa7b1
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 4 deletions.
diff --git a/models/accessors.go b/models/accessors.go
@@ -0,0 +1,17 @@
+package models
+
+type AccessorObjects []AccessorObject
+
+func (t AccessorObjects) AsMap() map[string]any {
+	output := make(map[string]any)
+	for _, accessor := range t {
+		output[accessor.Name] = accessor.Data
+	}
+
+	return output
+}
+
+type AccessorObject struct {
+	Name string
+	Data any
+}
diff --git a/models/permission.go b/models/permission.go
@@ -43,19 +43,19 @@ func (t *Permission) Condition() string {
 	var rule []string
 
 	if t.ComponentID != nil {
-		rule = append(rule, fmt.Sprintf("r.obj.component.id == %q", t.ComponentID.String()))
+		rule = append(rule, fmt.Sprintf("r.obj.component != undefined && r.obj.component.id == %q", t.ComponentID.String()))
 	}
 
 	if t.ConfigID != nil {
-		rule = append(rule, fmt.Sprintf("r.obj.config.id == %q", t.ConfigID.String()))
+		rule = append(rule, fmt.Sprintf("r.obj.config != undefined && r.obj.config.id == %q", t.ConfigID.String()))
 	}
 
 	if t.CanaryID != nil {
-		rule = append(rule, fmt.Sprintf("r.obj.canary.id == %q", t.CanaryID.String()))
+		rule = append(rule, fmt.Sprintf("r.obj.canary != undefined && r.obj.canary.id == %q", t.CanaryID.String()))
 	}
 
 	if t.PlaybookID != nil {
-		rule = append(rule, fmt.Sprintf("r.obj.playbook.id == %q", t.PlaybookID.String()))
+		rule = append(rule, fmt.Sprintf("r.obj.playbook != undefined && r.obj.playbook.id == %q", t.PlaybookID.String()))
 	}
 
 	return strings.Join(rule, " && ")

diff --git a/models/playbooks.go b/models/playbooks.go
@@ -334,7 +334,42 @@ func (p *PlaybookRun) String(db *gorm.DB) string {
 		s += fmt.Sprintf("\t\t%s\n", &action)
 	}
 	return s
+}
+
+func (run *PlaybookRun) GetAccessors(db *gorm.DB) (AccessorObjects, error) {
+	var output []AccessorObject
+
+	var playbook Playbook
+	if err := db.First(&playbook, run.PlaybookID).Error; err != nil {
+		return nil, err
+	}
+	output = append(output, AccessorObject{Name: "playbook", Data: playbook})
+
+	if run.ComponentID != nil {
+		var component Component
+		if err := db.First(&component, run.ComponentID).Error; err != nil {
+			return nil, err
+		}
+		output = append(output, AccessorObject{Name: "component", Data: component})
+	}
+
+	if run.CheckID != nil {
+		var check Check
+		if err := db.First(&check, run.CheckID).Error; err != nil {
+			return nil, err
+		}
+		output = append(output, AccessorObject{Name: "check", Data: check})
+	}
+
+	if run.ConfigID != nil {
+		var config ConfigItem
+		if err := db.First(&config, run.ConfigID).Error; err != nil {
+			return nil, err
+		}
+		output = append(output, AccessorObject{Name: "config", Data: config})
+	}
 
+	return output, nil
 }
 
 type PlaybookRunAction struct {