feat: Permissions and PermissionGroups

api/v1/permission_group_types.go

@@ -0,0 +1,58 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+//
+// PermissionGroup is the Schema for the Mission Control Permission Groups
+type PermissionGroup struct {
+	metav1.TypeMeta   `json:",inline" yaml:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+
+	Spec   PermissionGroupSpec   `json:"spec,omitempty" yaml:"spec,omitempty"`
+	Status PermissionGroupStatus `json:"status,omitempty" yaml:"status,omitempty"`
+}
+
+// +kubebuilder:object:generate=true
+type PermissionGroupSpec struct {
+	PermissionGroupSubjects `json:",inline" yaml:",inline"`
+
+	// Name for the group
+	Name string `json:"name"`
+}
+
+type PermissionGroupStatus struct {
+}
+
+// +kubebuilder:object:generate=true
+type PermissionGroupSubjects struct {
+	Notifications []PermissionGroupSelector `json:"notifications,omitempty"`
+	People        []string                  `json:"people,omitempty"`
+	Teams         []string                  `json:"teams,omitempty"`
+}
+
+// +kubebuilder:object:generate=true
+type PermissionGroupSelector struct {
+	Namespace string `json:"namespace,omitempty"`
+	Name      string `json:"name,omitempty"`
+}
+
+func (t PermissionGroupSelector) Empty() bool {
+	return t.Name == "" && t.Namespace == ""
+}
+
+// +kubebuilder:object:root=true
+//
+// PermissionGroupList contains a list of PermissionGroup
+type PermissionGroupList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []PermissionGroup `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&PermissionGroup{}, &PermissionGroupList{})
+}

api/v1/permission_types.go

@@ -0,0 +1,167 @@
+package v1
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/flanksource/duty/context"
+	"github.com/flanksource/duty/models"
+	"github.com/flanksource/duty/types"
+	"github.com/google/uuid"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+//
+// Permission is the Schema for the Mission Control Permission
+type Permission struct {
+	metav1.TypeMeta   `json:",inline" yaml:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+
+	Spec   PermissionSpec   `json:"spec,omitempty" yaml:"spec,omitempty"`
+	Status PermissionStatus `json:"status,omitempty" yaml:"status,omitempty"`
+}
+
+// Subject of the permission.
+// Can be
+// - a permission group name
+// - id of a resource
+// - <namespace>/<name> of a resource
+type PermissionSubjectSelector string
+
+func (t PermissionSubjectSelector) Find(ctx context.Context, table string) (string, models.PermissionSubjectType, error) {
+	if uuid.Validate(string(t)) == nil {
+		return string(t), "", nil
+	}
+
+	switch table {
+	case "people":
+		var id string
+		err := ctx.DB().Select("id").Table(table).Where("name = ? OR email = ?", string(t), string(t)).Find(&id).Error
+		return id, models.PermissionSubjectTypePerson, err
+
+	case "teams":
+		var id string
+		err := ctx.DB().Select("id").Table(table).Where("name = ?", string(t)).Find(&id).Error
+		return id, models.PermissionSubjectTypeTeam, err
+
+	case "notifications":
+		splits := strings.Split(string(t), "/")
+		switch len(splits) {
+		case 1:
+			return string(t), models.PermissionSubjectTypeGroup, nil // assume it's the group name
+
+		case 2:
+			namespace, name := splits[0], splits[1]
+			var id string
+			err := ctx.DB().Select("id").Table(table).
+				Where("namespace = ?", namespace).
+				Where("name = ?", name).
+				Find(&id).Error
+			return id, models.PermissionSubjectTypeNotification, err
+		}
+
+	default:
+		return "", "", fmt.Errorf("unknown table: %v", table)
+	}
+
+	return "", "", nil
+}
+
+type PermissionSubject struct {
+	Person       PermissionSubjectSelector `json:"person,omitempty"`
+	Team         PermissionSubjectSelector `json:"team,omitempty"`
+	Notification PermissionSubjectSelector `json:"notification,omitempty"`
+}
+
+func (t *PermissionSubject) Validate() error {
+	if t.Person == "" && t.Team == "" && t.Notification == "" {
+		return errors.New("subject is empty: one of permission, team or notification is required")
+	}
+
+	return nil
+}
+
+func (t *PermissionSubject) Populate(ctx context.Context) (string, models.PermissionSubjectType, error) {
+	if err := t.Validate(); err != nil {
+		return "", "", err
+	}
+
+	if t.Person != "" {
+		return t.Person.Find(ctx, "people")
+	}
+	if t.Team != "" {
+		return t.Team.Find(ctx, "teams")
+	}
+	if t.Notification != "" {
+		return t.Notification.Find(ctx, "notifications")
+	}
+
+	return "", "", errors.New("subject not found")
+}
+
+type PermissionObject struct {
+	Playbooks  []types.ResourceSelector `json:"playbooks,omitempty"`
+	Configs    []types.ResourceSelector `json:"configs,omitempty"`
+	Components []types.ResourceSelector `json:"components,omitempty"`
+}
+
+func (t PermissionObject) RequiredMatchCount() int {
+	var count int
+	if len(t.Playbooks) > 0 {
+		count++
+	}
+	if len(t.Configs) > 0 {
+		count++
+	}
+	if len(t.Components) > 0 {
+		count++
+	}
+
+	return count
+}
+
+// +kubebuilder:object:generate=true
+type PermissionSpec struct {
+	// Description provides a brief explanation of the permission.
+	Description string `json:"description,omitempty"`
+
+	//+kubebuilder:validation:MinItems=1
+	// Actions specify the operation that the permission allows or denies.
+	Actions []string `json:"actions"`
+
+	// Subject defines the entity (e.g., user, group) to which the permission applies.
+	Subject PermissionSubject `json:"subject"`
+
+	// Object identifies the resource or object that the permission is associated with.
+	Object PermissionObject `json:"object"`
+
+	// Deny indicates whether the permission should explicitly deny the specified action.
+	//
+	// Default: false
+	Deny bool `json:"deny,omitempty"`
+
+	// List of agent ids whose configs/components are accessible to a person when RLS is enabled
+	Agents []string `json:"agents,omitempty"`
+
+	// List of config/component tags a person is allowed to access to when RLS is enabled
+	Tags map[string]string `json:"tags,omitempty"`
+}
+
+type PermissionStatus struct {
+}
+
+// +kubebuilder:object:root=true
+//
+// PermissionList contains a list of Permission
+type PermissionList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Permission `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Permission{}, &PermissionList{})
+}

api/v1/playbook_types.go

@@ -11,7 +11,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 )
 
-type Permission struct {
+type PlaybookPermission struct {
 	Role string `json:"role,omitempty" yaml:"role,omitempty"`
 	Team string `json:"team,omitempty" yaml:"team,omitempty"`
 	Ref  string `json:"ref,omitempty" yaml:"ref,omitempty"`
@@ -177,7 +177,7 @@ type PlaybookSpec struct {
 	TemplatesOn string `json:"templatesOn,omitempty" yaml:"templatesOn,omitempty"`
 
 	// Permissions ...
-	Permissions []Permission `json:"permissions,omitempty" yaml:"permissions,omitempty"`
+	Permissions []PlaybookPermission `json:"permissions,omitempty" yaml:"permissions,omitempty"`
 
 	// Configs filters what config items can run on this playbook.
 	Configs dutyTypes.ResourceSelectors `json:"configs,omitempty" yaml:"configs,omitempty"`