Raito 2451 rlf cli model update (#279)

* Unmarshal policyRule and FilterCriteria for row-level filtering

* Implement filter to target for role wrapper

* Exhaustive switch ok if default is present

* Update tests

.golangci.yml

@@ -59,6 +59,9 @@ linters-settings:
     skip-tests: true
     package-average: 0.0
 
+  exhaustive:
+    default-signifies-exhaustive: true
+
 linters:
   disable-all: true
   enable:

base/access_provider/sync_from_target/model.go

@@ -1,6 +1,10 @@
 package sync_from_target
 
-import "github.com/raito-io/cli/base/data_source"
+import (
+	"github.com/raito-io/bexpression"
+
+	"github.com/raito-io/cli/base/data_source"
+)
 
 // AccessProvider describes data access in the format that is suitable to be imported into Raito.x
 type AccessProvider struct {
@@ -35,6 +39,10 @@ type AccessProvider struct {
 	// Who represents who has access to the 'what'. Nil means that the 'who' is unknown.
 	What []WhatItem `yaml:"what" json:"what"`
 
+	// Row level filter properties
+	PolicyRule     *string                       `yaml:"policyRule,omitempty" json:"policyRule,omitempty"`
+	FilterCriteria *bexpression.BinaryExpression `yaml:"filterCriteria,omitempty" json:"filterCriteria,omitempty"`
+
 	// Allows the plugin to indicate that the access provider is incomplete (because not all who items, what items or permissions could be handled)
 	Incomplete *bool `json:"incomplete"`
 }

base/access_provider/sync_to_target/model.go

@@ -134,3 +134,7 @@ func (a *Action) UnmarshalJSON(b []byte) error {
 
 	return nil
 }
+
+func (a *Action) String() string {
+	return actionNames[*a]
+}

base/wrappers/role_based/data_access.go

@@ -21,6 +21,7 @@ type AccessProviderRoleSyncer interface {
 
 	SyncAccessProviderRolesToTarget(ctx context.Context, apToRemoveMap map[string]*sync_to_target.AccessProvider, apMap map[string]*sync_to_target.AccessProvider, feedbackHandler wrappers.AccessProviderFeedbackHandler, configMap *config.ConfigMap) error
 	SyncAccessProviderMasksToTarget(ctx context.Context, apToRemoveMap map[string]*sync_to_target.AccessProvider, apMap map[string]*sync_to_target.AccessProvider, roleNameMap map[string]string, feedbackHandler wrappers.AccessProviderFeedbackHandler, configMap *config.ConfigMap) error
+	SyncAccessProviderFiltersToTarget(ctx context.Context, apToRemoveMap map[string]*sync_to_target.AccessProvider, apMap map[string]*sync_to_target.AccessProvider, roleNameMap map[string]string, feedbackHandler wrappers.AccessProviderFeedbackHandler, configMap *config.ConfigMap) error
 
 	SyncAccessAsCodeToTarget(ctx context.Context, accesses map[string]*sync_to_target.AccessProvider, prefix string, configMap *config.ConfigMap) error
 }
@@ -87,17 +88,29 @@ func (s *accessProviderRoleSyncFunction) SyncAccessProviderToTarget(ctx context.
 	masksMap := make(map[string]*sync_to_target.AccessProvider)
 	masksToRemove := make(map[string]*sync_to_target.AccessProvider)
 
+	filtersMap := make(map[string]*sync_to_target.AccessProvider)
+	filtersToRemove := make(map[string]*sync_to_target.AccessProvider)
+
 	rolesMap := make(map[string]*sync_to_target.AccessProvider)
 	rolesToRemove := make(map[string]*sync_to_target.AccessProvider)
 
 	for _, ap := range apList {
 		var err2 error
-		if ap.Action == sync_to_target.Mask {
+
+		switch ap.Action {
+		case sync_to_target.Mask:
 			_, masksMap, masksToRemove, err2 = handleAccessProvider(ap, masksMap, masksToRemove, accessProviderFeedbackHandler, uniqueRoleNameGenerator)
-		} else {
+		case sync_to_target.Filtered:
+			_, filtersMap, filtersToRemove, err2 = handleAccessProvider(ap, filtersMap, filtersToRemove, accessProviderFeedbackHandler, uniqueRoleNameGenerator)
+		case sync_to_target.Grant, sync_to_target.Purpose:
 			var roleName string
 			roleName, rolesMap, rolesToRemove, err2 = handleAccessProvider(ap, rolesMap, rolesToRemove, accessProviderFeedbackHandler, uniqueRoleNameGenerator)
 			apIdNameMap[ap.Id] = roleName
+		default:
+			err2 = accessProviderFeedbackHandler.AddAccessProviderFeedback(sync_to_target.AccessProviderSyncFeedback{
+				AccessProvider: ap.Id,
+				Errors:         []string{fmt.Sprintf("Unsupported action %s", ap.Action.String())},
+			})
 		}
 
 		if err2 != nil {
@@ -106,13 +119,28 @@ func (s *accessProviderRoleSyncFunction) SyncAccessProviderToTarget(ctx context.
 	}
 
 	// Step 1 first initiate all the masks
-	err = s.syncer.SyncAccessProviderMasksToTarget(ctx, masksToRemove, masksMap, apIdNameMap, accessProviderFeedbackHandler, configMap)
+	if len(masksMap) > 0 || len(masksToRemove) > 0 {
+		err = s.syncer.SyncAccessProviderMasksToTarget(ctx, masksToRemove, masksMap, apIdNameMap, accessProviderFeedbackHandler, configMap)
+		if err != nil {
+			return fmt.Errorf("sync masks to target: %w", err)
+		}
+	}
+
+	// Step 2 then initialize all filters
+	if len(filtersMap) > 0 || len(filtersToRemove) > 0 {
+		err = s.syncer.SyncAccessProviderFiltersToTarget(ctx, filtersToRemove, filtersMap, apIdNameMap, accessProviderFeedbackHandler, configMap)
+		if err != nil {
+			return fmt.Errorf("sync filters to target: %w", err)
+		}
+	}
+
+	// Step 3 then initiate all the roles
+	err = s.syncer.SyncAccessProviderRolesToTarget(ctx, rolesToRemove, rolesMap, accessProviderFeedbackHandler, configMap)
 	if err != nil {
-		return err
+		return fmt.Errorf("sync roles to target: %w", err)
 	}
 
-	// Step 2 then initiate all the roles
-	return s.syncer.SyncAccessProviderRolesToTarget(ctx, rolesToRemove, rolesMap, accessProviderFeedbackHandler, configMap)
+	return nil
 }
 
 func handleAccessProvider(ap *sync_to_target.AccessProvider, apMap map[string]*sync_to_target.AccessProvider, apToRemoveMap map[string]*sync_to_target.AccessProvider, accessProviderFeedbackHandler wrappers.AccessProviderFeedbackHandler, roleNameGenerator naming_hint.UniqueGenerator) (string, map[string]*sync_to_target.AccessProvider, map[string]*sync_to_target.AccessProvider, error) {