feat(rbac): nested condition

Signed-off-by: Yi Cai <yicai@redhat.com>
janus-idp · Jun 20, 2024 · fd72565 · fd72565
1 parent 32c5553
commit fd72565
Show file tree

Hide file tree

Showing 5 changed files with 715 additions and 106 deletions.
diff --git a/plugins/rbac/src/__fixtures__/mockConditions.ts b/plugins/rbac/src/__fixtures__/mockConditions.ts
@@ -42,4 +42,85 @@ export const mockConditions: RoleConditionalPolicyDecision<PermissionAction>[] =
       roleEntityRef: 'role:default/rbac_admin',
       permissionMapping: ['delete', 'update'],
     },
+    {
+      id: 3,
+      result: AuthorizeResult.CONDITIONAL,
+      pluginId: 'catalog',
+      resourceType: 'catalog-entity',
+      conditions: {
+        anyOf: [
+          {
+            rule: 'IS_ENTITY_OWNER',
+            resourceType: 'catalog-entity',
+            params: {
+              claims: ['user:default/ciiay'],
+            },
+          },
+          {
+            rule: 'IS_ENTITY_KIND',
+            resourceType: 'catalog-entity',
+            params: { kinds: ['Group'] },
+          },
+          {
+            allOf: [
+              {
+                rule: 'IS_ENTITY_OWNER',
+                resourceType: 'catalog-entity',
+                params: {
+                  claims: ['user:default/ciiay'],
+                },
+              },
+              {
+                rule: 'IS_ENTITY_KIND',
+                resourceType: 'catalog-entity',
+                params: {
+                  kinds: ['User'],
+                },
+              },
+            ],
+          },
+        ],
+      },
+      roleEntityRef: 'role:default/rbac_admin',
+      permissionMapping: ['read', 'delete', 'update'],
+    },
+    {
+      id: 4,
+      result: AuthorizeResult.CONDITIONAL,
+      pluginId: 'catalog',
+      resourceType: 'catalog-entity',
+      conditions: {
+        not: {
+          rule: 'HAS_LABEL',
+          resourceType: 'catalog-entity',
+          params: { label: 'temp' },
+        },
+      },
+      roleEntityRef: 'role:default/rbac_admin',
+      permissionMapping: ['delete', 'update'],
+    },
+    {
+      id: 5,
+      result: AuthorizeResult.CONDITIONAL,
+      pluginId: 'catalog',
+      resourceType: 'catalog.location.read',
+      conditions: {
+        not: {
+          anyOf: [
+            {
+              rule: 'HAS_LABEL',
+              resourceType: 'catalog-entity',
+              params: { label: 'temp' },
+            },
+            {
+              rule: 'HAS_METADATA',
+              resourceType: 'catalog-entity',
+              params: { key: 'status' },
+            },
+          ],
+        },
+      },
+      roleEntityRef: 'role:default/rbac_admin',
+      permissionMapping: ['delete'],
+    },
   ];
diff --git a/plugins/rbac/src/components/ConditionalAccess/ConditionsForm.tsx b/plugins/rbac/src/components/ConditionalAccess/ConditionsForm.tsx
@@ -1,5 +1,7 @@
 import React from 'react';
 
+import { PermissionCondition } from '@backstage/plugin-permission-common';
+
 import { makeStyles } from '@material-ui/core';
 import Box from '@mui/material/Box';
 import Button from '@mui/material/Button';
@@ -67,13 +69,13 @@ export const ConditionsForm = ({
         return !conditions.condition?.rule;
       }
       case criterias.not: {
-        return !conditions.not?.rule;
+        return !(conditions.not as PermissionCondition)?.rule;
       }
       case criterias.allOf: {
-        return !!conditions.allOf?.find(c => !c.rule);
+        return !!conditions.allOf?.find(c => !(c as PermissionCondition).rule);
       }
       case criterias.anyOf: {
-        return !!conditions.anyOf?.find(c => !c.rule);
+        return !!conditions.anyOf?.find(c => !(c as PermissionCondition).rule);
       }
       default:
         return true;