Policies Documentation #22729
Merged
Policies Documentation #22729
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
…nto auditus-docs
23 tasks
br41nslug
added a commit
that referenced
this pull request
Jun 20, 2024
* WIP start on migrations * Add migration * Don't insert if there's no rows * Use service to read/write permissions * Use payload service rather than itemsservice * Start on downgrade command * Update system data structure * Update migrations to keep structure flat * Remove icon from policies * Drop policies table on downgrade * Rearchitect migrations to structure v3 * Add down migration * Update system fields * Add policy to fields import * Fix public role attachment * Update packages/system-data/src/fields/index.ts Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com> * Update packages/system-data/src/fields/policies.yaml Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com> * Add nested roles * Remove unused step * Use two o2ms instead of m2a for attachments * Update system data * Implement permission policies in the API (#22384) * Update system data structure * Update migrations to keep structure flat * Remove icon from policies * Drop policies table on downgrade * Rearchitect migrations to structure v3 * Add down migration * Update system fields * Add policy to fields import * Fix public role attachment * Update packages/system-data/src/fields/index.ts Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com> * Update packages/system-data/src/fields/policies.yaml Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com> * Add nested roles * Remove unused step * Use two o2ms instead of m2a for attachments * Update system data * [WIP] Start reorging permissions handling * Setup field extraction * Remove watch from vitest * Finish fieldMap creation logic * Add tests for utils * Improve tests * Improve coverage * Split test and test:watch * Continue on this fun * [WIP] Setup processing * Sort roles * Restructure to util files for org * Add missing util tests * More tests * Add cases/whencase to ast * Start on injection logic * Add tests for inject cases * Add tests for process * Add todo * Organize run-ast * Add clear method to kv * Remove reliance on acc.perm * Restructure permissions setup * Drop perm from acc, add roles/policies * Remove get-permissions in middleware * Remove/comment use of acc.perm * Add default roles/permissions * Use knex So we don't have to initialize the schema before we want to use the accountability system * Use new fetching logic in get accountability * Add new fetch global access utils * Gotta redo based on new setup * Replaced with new util * Remove dropping of perm in acc It's no longer there by default, so no need to remove here * Temporarily comment out the enforce tfa check * Update usage of fetch tree to use knex * Don't store policies on accountability * Feed in roles thru acc * Bit of whitespace * Rename role->policy * Wreck some more stuff Jk, this is splitting up the large get-ast-from-query function into smaller individual functions to make it easier to update the wildcard conversion to use permissions * Add ability to lookup all allowed fields in col+ac * Add note so I don't forget stuff which i will * Handle null acc * Introduce parseAst to itemsservice * That cleans things up * Replace checkAccess with validateAccess * Remove checkaccess from service * cleanup imports * Whoops one more * Leave crumbs for next time * Implement most of the fn * Fix various tests * Start on test for fetch roles tree * Add tests for fetch roles tree * Fix process tests * All. of. the. tests. * Update uses of validateAccess * Fix name in runAst * Fix use of accountability in gql sub * Deprecate authorization service * Remove getPermissions use * Drop old getpermissions * Pass services * Replace admin/app uses with fetch global * Update fetch user count to pull from policies * Remove broken admin existence checks * Update min accountability * Remove unused import * Drop permissions override from controller * Refactor reliance on acc.perm * Replace usage of permissions in fields * Replace usage of permissions in import/export * Drop permissions use from relations * Drop no longer used method * Remove unused import * fix type usage of pk in validate * Fix default acc in user * Replace use of permissions in utils * Update reduceSchema in specs/gql * Remove old share merging * Remove empty file * Remove outdated comment * Use ctx objects for large param fns * Add with-cache memoize util * Add cache to fetchpermissions * Update caching use in fetchRolesTree * Add caching to fetchAllowedFieldMap * Add more cache * Refactor call signatures * Move call signature updates * Handle presets * Update process call sig * Prevent infinite recursion in roles tree lookup * Use create util for acc * Remove old checkIp * Fix where equality operator * Break EVERYTHING! Jk just cleaning up the structure some more, and removing the dep injection in favor of mocking * Fix build * Add missing module tests * Don't crash on missing parent * Fix role lookup * add missing type annotation * use logical-OR assignment and avoid a memory allocation * Attach admin policy in default admin creation * Fix admin check * Add todo for later * rm code duplication * fix test it was missing the new `roles` * add types and fix type error policies dont [yet] have an icon * move spread order to avoid potential future mishaps new default keys would override the manually set keys, potentially leading to unintended behavior * reduce allocations, add escape hatch to loop and type db-row * Implement case/when * Clean up comments * Optimize perm fetching in allowed f * Move apply case when to util fn * Optimize fetch-allowed-fields * Add fetch inconsistent util * Allow nulls * Remove obsolete getCacheKey * Remove unused import * Update getAccountabilityForRole test * Update fetchGlobalAccess test with one more test case + fix other test case * Type cleanup * Fix "admin access means automatic app access" in fetchGlobalAccessForQuery * Clean up and expand fetch-inconsistent-field-map.test.ts * Test uncached functions * Test uncached * Remove cases usage in parse-current-level * Only consider non-null rules in inject cases * Fix parseCurrentLevel call * Move service imports into functions to avoid circular imports * Ensure that we test that an error is thrown in processAst test * Add failing test case for flattenFilter * Ensure uniqueness in extractPathsFromQuery * Early exit in validatePath * Add additional test case for process payload test * Update validateCollectionAccess test * Clean up validate-item-access.test.ts * Remove redundant initializer * Use createDefaultAccountability * Fix fetch-user-count.test.ts * Cleanup unused default initializer * Add empty cases to subfilter in _relationCount * Drop AccessService and PermissionsService usage from services * Found some more PermissionsServices * Fix a few more tests * Add nested role relation * Fix query invocation in aggregate and group queries * Fix role property name in auth/refresh * Add some missing relations for permissions, access and roles * Add m2o relation from permissions to policy * Add m2o relation access to role, user, policy * Allow fetchPermissions to fetch all permissions and not just those limited by an action * Add parent to Role type * Make sure that admin users see all fields * Add access and policies controller, add util methods to policies and access service * Change name and description of public policy, update description of admin policy and add on delete trigger. * Make sure access row uuids are auto generated * optimize kvredis clear function and add a unit test to be fair: unit test is also testing implementation details but thats a problem there in general and for future us * Add minimal app permission and dynamic variable injection to the permission fetching * Fix m2o collection name in extractFieldsFromChildren * Make sure to clone permission before injecting dynamic variables * Actually do the cloning in with withAppMinimalPermissions since people might missbehave with the permissions obtained from PermissionsService.readByQuery so it better to go the source of the problem * Use knex transaction in createOne -> processPayload - otherwise deadlock * Make sure to respect '*' field in allowed fields * Fix extractFieldsFromChildren for o2m as well - classic * Fix allowed field check in `FieldsService.readAll` to account for multiple permissions for collection+action * Skip case/when if `allowedFields` includes '*' * Restructure the way the current users permissions are returned * add ability to clear all keys from memory cache * add test for clear method * add await to clear function * Clear permissions caches on changes to policy attachments (directus_access) and policy updates (directus_policies) and permissions updates (directus_permissions) * Make the public role a real role rather than a virtual one * Inject the public role, we're it previously was `null` * Revert adding a fix public role * remove unused variable * Ensure that a user without a role can still use the /me util endpoints * Make sure that the /me endpoints always return minimal information, similar to /users/me * Some fixes after merging main * Update api/src/permissions/utils/with-cache.ts Co-authored-by: Hannes Küttner <4376726+hanneskuettner@users.noreply.github.com> * Avoid broken role query for now * Skip related collection `parseFields` if user has no permissions * Ensure same call order as in `convertWildcards` * Create default admin policy and connect it in cli init command * Remove obsolete middleware mock in app.test.ts * Add validation against non-existent fields and collections to `validatePath` * Split up permission and path existence validation and validate path existence for admin users as well * Make applySearch not async * Fix relation extraction and permissions for `$FOLLOW` fields * Fix case when for related collections and query wrapping * Rework user integrity checks for Auditus (#22737) * Changes to user counting and integrity checks * Ensure that user validation happens in both create one and create many * Rename `checkType` to `flags` * Update api/src/permissions/modules/validate-remaining-admin/validate-remaining-admin-count.ts Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com> * Update to enum usage Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com> * A few more changes to enum instead of number * One more enum type update * Make sure to correctly override the callback when combining options * Clean up option type * Update api/src/services/users.ts Co-authored-by: ian <licitdev@gmail.com> * Only take validation shortcut for users We can only be sure that the deletion of users does not increase any other access types count, so in all other cases we need to verify that for example the App or API users have not increased over the limit * Make both app and admin users count against app access limit * Update api/src/permissions/modules/validate-remaining-admin/validate-remaining-admin-count.ts Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch> * One post-merge fix, two small fixes * Simplify flag updating and callback calling * Changing app access in a policy only requires user limit checking, not full check * Only the status of a created user should matter to determine if a check is neccessary * Add count alias to count query --------- Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com> Co-authored-by: ian <licitdev@gmail.com> Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch> Co-authored-by: Rijk van Zanten <rijkvanzanten@me.com> * Add roles and permissions to the app (#22654) * Initial app changes * Fix getRelationsForField * Add changeset * Remove app-permissions from role settings * Make sure access row uuids are auto generated * Move a few things around, set up policies m2m properly * Show roles as tree in sidebar Change avatar field query for user * Show user and role count in policy table * Default to not adding app access for a policy, makes composability less annoying * Correctly fall back to 0 for counts * Change the structure of current user permissions * Start bringing back the public role * Make the public role a real role rather than a virtual one * Revert public role changes * Extend list-m2m to allow for very custom junction matching and a primary key of `null` * Remove unused * Fix public role policy update payload * Fix app access for users without role (which is a thing now apparently) * Make sure that the /me endpoints always return minimal information, similar to /users/me * Tweak nav icons * Pull policy id from constants * Update permissions interface design to match New design language in figma * Some minor adjustments - Make chip hover border more consistent - Add "Remove" button to remove a full row of permissions, as in the UI mockup - Fix table layout * Clean up a few more things * Fix `setFullAccess` * Align collection view icons with navigation * Don't query 'admin_access' for role * Fix relation extraction and permissions for `$FOLLOW` fields * Don't show `0 Items` for child rows, but `--` instead * Make policy detail work in nested policy creating use case * Remove unused v-icon override * Move system collections to separate visual table * Navigate before refresh Prevents a flash of the previous value to be visible in the table * Move composable to separate file --------- Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com> Co-authored-by: Rijk van Zanten <rijkvanzanten@me.com> * Optimize types * Clone query deep * Optimize type order * Throw error on invalid role id * Rename run.js -> run-ast.js * Re-add filesizes to telemetry report collection that got lost in the merge * Make `systemCollections` reactive * Use one column per action to avoid unwanted shifting if some actions are not allowed at all * Render system and custom together * Add divider between regular and system permissions if both have elements * Add AccessService and PoliciesService to `getService` * Move policy global flags fetching to util * Move collection access fetching into util * Remove permissions for `directus_access`, `directus_permissions` and `directus_policies` from schema permissions * use formatted-value display for name & description in roles & policies * Rename `process.ts` to `process-ast.ts` * Fix process-ast import after renaming * Perform user integrity check on item deletion * Fix first admin creation on bootstrap * Revert "Fix first admin creation on bootstrap" This reverts commit bf480d0. Will be fixed by adjusting the check in access service * Don't perform admin integrity check if a new access row is created. Only check user limits * Don't set an alias to the raw column value if it is wrapped in a case/when * Correctly handle aliases when in field map and case injection --------- Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch> Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com> Co-authored-by: Hannes Küttner <kuettner.hannes@gmail.com> Co-authored-by: Hannes Küttner <4376726+hanneskuettner@users.noreply.github.com> Co-authored-by: ian <licitdev@gmail.com> * Remove changeset of already merged PR (#22653) * Fix multi cache subscribe call to preserve context Co-authored-by: Brainslug <br41nslug@users.noreply.github.com> * Add max length to name for policy and role names Co-authored-by: Brainslug <br41nslug@users.noreply.github.com> * Update app/src/modules/settings/routes/policies/collection.vue Co-authored-by: Brainslug <br41nslug@users.noreply.github.com> * Organize settings sidebar for clarity * Remove query limit override from access and policies controller THe query limit was added previously, where the idea was to fetch all policies in the app, but since that is not required anymore we can remove the override again, which in turn fixed pagination for policies. Woop * Rework MetaService * Fix filtered counting (previously it did not account for left join caused by permissions filter) * Collect permissions for current collection and dedupe access to align filter with the one used in the actual query * Use applyFilter and an _or filter to retrieve permitted items * Prevent certain skips in _or filters We can only skip empty filters in `_or` if either they are not equal to the value of `cases` or if _or has exactly only exactly one empty filter This is needed to prevent dropping joins that are required for the case/when construction. For example when having the permissions `_or: [ {}, {related_item: { id: 1} }]` all joins need to be retained * Revert unintentional with-cache commit * Remove check for id in children which fails on some DBs if no children are set * Show users and roles in policy item view * Update directus_access policy/roles + policy/users `one_deselect_action` This ensures that the access rows are cleaned up when removing users or roles from the policy side of the relation * Merge policy loaded from API with current edits * Make `app_access` default to false * Split field map into read specific and other fields This change is necessary since process-ast is used to verify item access for actions other than `read`. But, if a user does not have action permissions for fields used in the query filter or sort field the validation for `xByQuery` would have failed until now. * The fields are verified separately checked against read and action specific permission. * Updated all the tests accordingly * Fix `hasCaseWhen` check in `getDBQuery` Previously it was checking if `cases.length > 0` which was always true, since we always pass in at least one case (`{}`), now it checks if there are actually field nodes with a whenCase property * Don't expose o2m fields that the user might not have access to for some items This approach uses a flag that is introduced into the parent item db query, that uses the case/when construct to determine if a user has access to the o2m field on the specific item. The flag is 1 if the user has access and null otherwise. It is set in the resulting query object for all o2m fields that have a whenCase (the ones with partial access) and used when merging the nested query items into the parent items. * Accept O2MNode as fieldNode * Filter policies in fetchGlobalAccess by ip_access if applicable and use `withCache` util * Filter the policies influencing the global access by ip_access filter if an ip is available * Use `withCache` util for top level function and the two lower level functions Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com> * Fix filter in roles. Again. Almost like I didn't properly test it. huh * Add cache key stability by only picking the props that are relevant from accountability and enforcing an order in the provided options object * Improve `fetchAllowedFields` to only return fields that are actually in the schema * Make a local copy of `junctionFilter` in order to prevent reloads on form value changes * Remove debug log * Update packages/system-data/src/fields/policies.yaml Co-authored-by: ian <licitdev@gmail.com> * Update api/src/permissions/utils/filter-policies-by-ip.ts Co-authored-by: ian <licitdev@gmail.com> * Conditionally add IP to request level cache key Add `accountability.ip` to the request level cache key if, and only if, the IP is matched by any of the `ip_access` filters of the current users policies. This ensures that, if the request IP influences the request result, it is path of the cache key, but also not included if there are no IP filters configured for the current user. * Update api/src/permissions/modules/fetch-policies-ip-access/fetch-policies-ip-access.ts Co-authored-by: ian <licitdev@gmail.com> * Make sure that fetchAllowedFields does not remove field wildcard '*' * Temporarily disable cache key picking * Refine cache key picking + remove `undefined` from Accountability['ip'] type * Rename `pick` to `prepareArg` * Define the sort field for the `directus_access` junction table * Verify that user has access to automatically selected sort field and default to first allowed field if not * Sort the fetched permissions to match the order of the passed in policies * Some clean-up of TODOs and unused code * Take care of a special case, where no fields are requested and we are still interested the correct items being returned This surfaced when running `validateItemAccess` with an update permission that did not include the primary key field. * 3 less * Update api/src/database/migrations/20240328A-permissions-policies.ts Co-authored-by: ian <licitdev@gmail.com> * Change /permissions/me response and add corresponding types and constants * Fix payload validation - Field validation needs to happen for admin users as well - Add back injection of validation rules for non-nullable fields Tests added/adjusted accordingly * Mark `system-permissions` interface as `system` * Remove special handling for public policy. It's one of us now. - Add `icon` field to policies - Add notice to the public role * Rename migration to most recent date * Clear permissions cache in `clearSystemCache` * Make `getDBQuery` not async * Set the sort field to `null` if the user does not have any allowed fields, not even the primary key * Handle the case where `null` is returned as item edits by the permission detail drawer and remove the existing item, if any. * Prevent role recursion (this is a simple check right now and I would expect it to fail on nested role updates that do funky stuff) * Add overflow to permissions table * Ensure fields are always passed to validation-errors When v-form is used with the `collection` prop, instead of directly passing fields via `fields` prop, the validation-errors component didn't receive any field information. This is fixed, by passing down the "finalFields" from `useForm`. This is not directly related to 'auditus', but since it seems like this will be the only place (so far) where we want to show validation-errors on a system collection, I'm committing here. * Outsource 'useSave' for roles, exactly as in policies * Clean-up policies & roles item views - Remove leftover styles, use clearer naming 'content' - Fix types (policies was using role type) - Show validation errors, handle errors on save & delete - Use loading state of v-form (to have some indicator and less layout shift) * Mark name field in policy & role as required That way, an indicator is shown in the form, and value is checked when editing via drawer * remove role filter from public registration m2o roles dont have access fields anymore, simply allow admin roles for now * Remove overflow again. It broke * Add cache purging for permission related updates. * Add `dropForeign` in migration Fixes migration on MySQL * Add parsed field name to field map instead of raw field name This fixes filtering & sorting with function as keys, e.g. `year(date_updated)` * Account for $FOLLOW field filters earlier and don't confuse them with functions (see prev commit) * Update migration to also work with CockroachDB Instead of altering the `policy` column on `directus_permissions` to add the NOT NULL constraint it needs to be created with NOT NULL in the first place, as this will fail in CockroachDB. That means we need to drop the foreign key constraint for the role column in order to update to `null` `role` to the public policy ID before we copy the values into the `policy` column * Fix typo * Add icon to default admin policy * Be more clear about where the public role applies * Update api/src/permissions/lib/fetch-policies.ts Co-authored-by: ian <licitdev@gmail.com> * Update api/src/permissions/lib/fetch-policies.test.ts Co-authored-by: ian <licitdev@gmail.com> * Enable GH workflows * Make eslint happy, cleanup and improve role sidebar in users view * Fix wrong suggestion application and move comments in block * Format files * Update isFullPermission test * Clean up policy filter logic * Flip order in test * Update mocking in user/flows store tests * Update expected results of a lot of api tests that changed during development (all stay true to the original idea) * Update parseFilter test * Update injectCases test * Manually set parent to `null` if a role gets deleted and remove the `SET NULL` on delete action. The `SET NULL` action causes problems problems on OracleDB * Fix limit check for new users w/o "status" field status defaults to "active", thus if the field is not in payload, the user limit check needs to be triggered * Fixed migration "inconsistent datatypes: expected - got CLOB" error in oracle * Update extractFieldsFromChildren test * Fix `count(o2m)` type queries * Update UsersService tests - Adapt to new user integrity logic - Add basic ItemsService tests to ensure user integrity checks take place * Move withAppMinimalPermissions to appropriate dir * Fixed boolean logic error for graphql counting * Make sure that relational function aliases are recognized as `functionField` * Fix permission for relational functions Before this functions that operated on a o2m field like `count(o2m)` did not respect permissions on the related collection. Now function field nodes have a cases list as well and correctly get the cases injected for the related collection. The permissions are then correctly injected in the query that is passed down to the relational count function helper. * Fix mock in withAppMinimalPermissions test * Update RolesService tests Copied and commented out old checks from roles to policies, so we can re-check later on * Add preliminary changesets * Reword changeset to "Policies" * Update .changeset/strong-numbers-warn.md Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch> * Policies Documentation (#22729) Co-authored-by: Hannes Küttner <kuettner.hannes@gmail.com> Co-authored-by: Brainslug <tim@brainslug.nl> * Reformat docs * SDK functions for auditus (#22795) * Updated sdk types * added policy commands * prettier * Added new and missing websocket subscription hooks * Added missing endpoints * Added missing graphql endpoints * prettier * Added changesets * updated changesets * Update .changeset/nine-geckos-jog.md * Update api/src/services/graphql/index.ts Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch> * Update sdk/src/rest/commands/create/policies.ts Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch> * Update sdk/src/rest/commands/create/policies.ts Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch> * Update sdk/src/rest/commands/read/policies.ts Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch> * Update sdk/src/rest/commands/read/roles.ts Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch> * Update sdk/src/rest/commands/read/policies.ts Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch> * Update sdk/src/rest/commands/read/policies.ts Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch> * Update sdk/src/rest/commands/read/policies.ts Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch> * Update sdk/src/schema/policy.ts Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch> * Update sdk/src/schema/policy.ts Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch> --------- Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch> --------- Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com> Co-authored-by: Hannes Küttner <kuettner.hannes@gmail.com> Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch> Co-authored-by: Hannes Küttner <4376726+hanneskuettner@users.noreply.github.com> Co-authored-by: ian <licitdev@gmail.com> Co-authored-by: Brainslug <br41nslug@users.noreply.github.com> Co-authored-by: Brainslug <tim@brainslug.nl> Co-authored-by: Kevin Lewis <kvn@lws.io>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Note (and apologies): I also changed 'admin app' to 'Data Studio' throughout, hence the high files touched count.
Related core code changes: #22654 (App) #22384 (API) #22795 (SDK)