feat: ABAC accessors (#1092)

* feat: ABAC accessors * chore: rename method to GetRBACAttributes
flanksource · Sep 25, 2024 · ed6824a · ed6824a
1 parent dd59083
commit ed6824a
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 6 deletions.
diff --git a/models/permission.go b/models/permission.go
@@ -43,19 +43,19 @@ func (t *Permission) Condition() string {
 	var rule []string
 
 	if t.ComponentID != nil {
-		rule = append(rule, fmt.Sprintf("r.obj.component.id == %q", t.ComponentID.String()))
+		rule = append(rule, fmt.Sprintf("r.obj.component != undefined && r.obj.component.id == %q", t.ComponentID.String()))
 	}
 
 	if t.ConfigID != nil {
-		rule = append(rule, fmt.Sprintf("r.obj.config.id == %q", t.ConfigID.String()))
+		rule = append(rule, fmt.Sprintf("r.obj.config != undefined && r.obj.config.id == %q", t.ConfigID.String()))
 	}
 
 	if t.CanaryID != nil {
-		rule = append(rule, fmt.Sprintf("r.obj.canary.id == %q", t.CanaryID.String()))
+		rule = append(rule, fmt.Sprintf("r.obj.canary != undefined && r.obj.canary.id == %q", t.CanaryID.String()))
 	}
 
 	if t.PlaybookID != nil {
-		rule = append(rule, fmt.Sprintf("r.obj.playbook.id == %q", t.PlaybookID.String()))
+		rule = append(rule, fmt.Sprintf("r.obj.playbook != undefined && r.obj.playbook.id == %q", t.PlaybookID.String()))
 	}
 
 	return strings.Join(rule, " && ")

diff --git a/models/permission_test.go b/models/permission_test.go
@@ -18,15 +18,15 @@ func TestPermission_Condition(t *testing.T) {
 			perm: Permission{
 				PlaybookID: lo.ToPtr(uuid.MustParse("33333333-3333-3333-3333-333333333333")),
 			},
-			expected: `r.obj.playbook.id == "33333333-3333-3333-3333-333333333333"`,
+			expected: `r.obj.playbook != undefined && r.obj.playbook.id == "33333333-3333-3333-3333-333333333333"`,
 		},
 		{
 			name: "Multiple fields II",
 			perm: Permission{
 				ConfigID:   lo.ToPtr(uuid.MustParse("88888888-8888-8888-8888-888888888888")),
 				PlaybookID: lo.ToPtr(uuid.MustParse("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa")),
 			},
-			expected: `r.obj.config.id == "88888888-8888-8888-8888-888888888888" && r.obj.playbook.id == "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"`,
+			expected: `r.obj.config != undefined && r.obj.config.id == "88888888-8888-8888-8888-888888888888" && r.obj.playbook != undefined && r.obj.playbook.id == "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"`,
 		},
 		{
 			name:     "No fields set",

diff --git a/models/playbooks.go b/models/playbooks.go
@@ -334,7 +334,42 @@ func (p *PlaybookRun) String(db *gorm.DB) string {
 		s += fmt.Sprintf("\t\t%s\n", &action)
 	}
 	return s
+}
+
+func (run *PlaybookRun) GetRBACAttributes(db *gorm.DB) (map[string]any, error) {
+	output := map[string]any{}
+
+	var playbook Playbook
+	if err := db.First(&playbook, run.PlaybookID).Error; err != nil {
+		return nil, err
+	}
+	output["playbook"] = playbook
+
+	if run.ComponentID != nil {
+		var component Component
+		if err := db.First(&component, run.ComponentID).Error; err != nil {
+			return nil, err
+		}
+		output["component"] = component
+	}
+
+	if run.CheckID != nil {
+		var check Check
+		if err := db.First(&check, run.CheckID).Error; err != nil {
+			return nil, err
+		}
+		output["check"] = check
+	}
+
+	if run.ConfigID != nil {
+		var config ConfigItem
+		if err := db.First(&config, run.ConfigID).Error; err != nil {
+			return nil, err
+		}
+		output["config"] = config
+	}
 
+	return output, nil
 }
 
 type PlaybookRunAction struct {