From 2a37de4a34552feac221771278236fb23f8e83c0 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 2 Apr 2025 11:40:37 -0600
Subject: refactor: update cedar entities to match hierarchy defined in csv files
---
pkg/policies/album.cedar | 5 +
pkg/policies/entities.json | 266 +++++++++++++++++++++++++++++++++++++++-
pkg/policies/organization.cedar | 5 +
pkg/policies/project.cedar | 5 -
pkg/rpc/server_test.go | 6 +-
5 files changed, 275 insertions(+), 12 deletions(-)
create mode 100644 pkg/policies/album.cedar
create mode 100644 pkg/policies/organization.cedar
delete mode 100644 pkg/policies/project.cedar
(limited to 'pkg')
diff --git a/pkg/policies/album.cedar b/pkg/policies/album.cedar
new file mode 100644
index 00000000..6ba3cbdf
--- /dev/null
+++ b/pkg/policies/album.cedar
@@ -0,0 +1,5 @@
+permit (
+ principal == User::"alice",
+ action == Action::"view",
+ resource in Album::"jane_vacation"
+);
diff --git a/pkg/policies/entities.json b/pkg/policies/entities.json
index e6d41459..cfdc0996 100644
--- a/pkg/policies/entities.json
+++ b/pkg/policies/entities.json
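Review bot: The new album.cedar still holds the Cedar tutorial placeholder — `permit (principal == User::"alice", action == Action::"view", resource in Album::"jane_vacation");` — and its blob hash `6ba3cbdf` is identical to the deleted project.cedar, so this is a rename of the sample rather than a policy for the new model. None of `User::"alice"`, `Action::"view"` or an `Album` type appears in the hierarchy this commit adds to entities.json (Organization, Group, Project, with `Action::"read"` in organization.cedar), so the permit cannot match any real request today, and it would quietly become effective if an `Album` type or an `alice` user is introduced later. Either delete the file or replace its body with a grant that exercises the new hierarchy, e.g. `permit (principal == User::"1", action == Action::"read", resource in Group::"3");`, preceded by a `//` comment naming the CSV row it mirrors.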
@@ -28,19 +28,277 @@ "id": "1" } }, + { + "uid": { + "type": "Organization", + "id": "1", + "attrs": { + "name": "default" + } + } + }, + { + "uid": { + "type": "Organization", + "id": "2", + "attrs": { + "name": "gitlab" + } + } + }, + { + "uid": { + "type": "Group", + "id": "1", + "attrs": { + "name": "A" + }, + "parents": [ + { + "type": "Organization", + "id": "1" + } + ] + } + }, + { + "uid": { + "type": "Group", + "id": "2", + "attrs": { + "name": "B" + }, + "parents": [ + { + "type": "Organization", + "id": "1" + } + ] + } + }, + { + "uid": { + "type": "Group", + "id": "3", + "attrs": { + "name": "gitlab-org" + }, + "parents": [ + { + "type": "Organization", + "id": "2" + } + ] + } + }, + { + "uid": { + "type": "Group", + "id": "4", + "attrs": { + "name": "gitlab-com" + }, + "parents": [ + { + "type": "Organization", + "id": "2" + } + ] + } + }, + { + "uid": { + "type": "Group", + "id": "5", + "attrs": { + "name": "gl-security" + }, + "parents": [ + { + "type": "Organization", + "id": "2" + }, + { + "type": "Group", + "id": "4" + } + ] + } + }, + { + "uid": { + "type": "Group", + "id": "6", + "attrs": { + "name": "test-projects" + }, + "parents": [ + { + "type": "Organization", + "id": "2" + }, + { + "type": "Group", + "id": "5" + } + ] + } + }, + { + "uid": { + "type": "Group", + "id": "7", + "attrs": { + "name": "support" + }, + "parents": [ + { + "type": "Organization", + "id": "2" + }, + { + "type": "Group", + "id": "4" + } + ] + } + }, + { + "uid": { + "type": "Group", + "id": "8", + "attrs": { + "name": "toolbox" + }, + "parents": [ + { + "type": "Organization", + "id": "2" + }, + { + "type": "Group", + "id": "7" + } + ] + } + }, + { + "uid": { + "type": "Project", + "id": "1", + "attrs": { + "name": "A1" + } + }, + "parents": [ + { + "type": "Group", + "id": "1" + } + ] + }, + { + "uid": { + "type": "Project", + "id": "2", + "attrs": { + "name": "B1" + } + }, + "parents": [ + { + "type": "Group", + "id": "2" + } + ] + }, { "uid": { "type": "Project", 
- "id": "3" + "id": "3", + "attrs": { + "name": "gitlab" + } }, "parents": [ { "type": "Group", "id": "3" - }, + } + ] + }, + { + "uid": { + "type": "Project", + "id": "4", + "attrs": { + "name": "eicar-test-project" + } + }, + "parents": [ + { + "type": "Group", + "id": "6" + } + ] + }, + { + "uid": { + "type": "Project", + "id": "5", + "attrs": { + "name": "disclosures" + } + }, + "parents": [ + { + "type": "Group", + "id": "5" + } + ] + }, + { + "uid": { + "type": "Project", + "id": "6", + "attrs": { + "name": "changelog-parser" + } + }, + "parents": [ + { + "type": "Group", + "id": "8" + } + ] + }, + { + "uid": { + "type": "Project", + "id": "7", + "attrs": { + "name": "handbook" + } + }, + "parents": [ + { + "type": "Group", + "id": "4" + } + ] + }, + { + "uid": { + "type": "Project", + "id": "8", + "attrs": { + "name": "www-gitlab-com" + } + }, + "parents": [ { - "type": "Path", - "id": "/projects.json" + "type": "Group", + "id": "4" } ] } diff --git a/pkg/policies/organization.cedar b/pkg/policies/organization.cedar new file mode 100644 index 00000000..22e4b6aa --- /dev/null +++ b/pkg/policies/organization.cedar @@ -0,0 +1,5 @@ +permit ( + principal == User::"1", + action == Action::"read", + resource in Organization::"1" +); diff --git a/pkg/policies/project.cedar b/pkg/policies/project.cedar deleted file mode 100644 index 6ba3cbdf..00000000 --- a/pkg/policies/project.cedar +++ /dev/null @@ -1,5 +0,0 @@ -permit ( - principal == User::"alice", - action == Action::"view", - resource in Album::"jane_vacation" -); diff --git a/pkg/rpc/server_test.go b/pkg/rpc/server_test.go index 8f333a5b..0871173b 100644 --- a/pkg/rpc/server_test.go +++ b/pkg/rpc/server_test.go 
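Review bot: The new Organization and Group entries nest `attrs` and `parents` inside `uid` (e.g. `"uid": { "type": "Group", "id": "1", "attrs": {...}, "parents": [...] }`), whereas the new Project entries keep `parents` beside `uid` but `attrs` inside it, and the pre-existing Project 3 entry has `parents` as a sibling of `uid`. In the Cedar entities JSON format `uid` carries only `type` and `id`, with `attrs` and `parents` as siblings; a decoder that ignores unknown keys would drop every Group→Organization and Group→Group edge without an error, so `resource in Organization::"1"` would no longer reach the groups and projects beneath it — fail-closed, but it leaves the hierarchy this commit introduces inert, and a stricter decoder would reject the file outright. Please hoist `attrs` and `parents` out of `uid` for every Organization, Group and Project entry (one corrected Group entry below), and add a test that loads entities.json and asserts `Project::"4" in Organization::"2"` so the shape is checked by the parser rather than by eye.
```json
{
  "uid": {
    "type": "Group",
    "id": "1"
  },
  "attrs": {
    "name": "A"
  },
  "parents": [
    {
      "type": "Organization",
      "id": "1"
    }
  ]
}
```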
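Review bot: The new organization.cedar grants `User::"1"` read on `Organization::"1"` and, through `in`, on everything that descends from it, but it has no annotation or comment explaining why a single user is hard-wired here instead of a group membership, which is exactly the kind of grant that gets copied forward unreviewed. Add an `@id("user1-read-org1")` annotation above `permit` so authorization decisions can be traced to this policy, and a `//` comment such as `// Mirrors the CSV hierarchy: User 1 may read Organization 1 and every Group/Project beneath it.`. If the intent is organisation-wide read for members, `principal in Group::"1"` would express that without per-user edits.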
@@ -51,11 +51,11 @@ func TestServer(t *testing.T) { assert.True(t, reply.Result) }) - t.Run("returns gid://User/1:read_projects:gid://Organization/1", func(t *testing.T) { + t.Run("returns gid://User/1:read:gid://Organization/2", func(t *testing.T) { reply, err := client.Allowed(t.Context(), &AllowRequest{ Subject: "gid://User/1", - Permission: "read_projects", - Resource: "gid://Organization/1", + Permission: "read", + Resource: "gid://Organization/2", }) require.NoError(t, err) assert.True(t, reply.Result) -- cgit v1.2.3
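Review bot: The subtest now asks whether `gid://User/1` may `read` `gid://Organization/2` and keeps `assert.True(t, reply.Result)`, but the only policy this commit adds (organization.cedar) permits `resource in Organization::"1"`, and Organization 2 has no parents in entities.json, so it is not `in` Organization 1. Unless a policy outside this diff grants that access, the assertion should fail; if it passes, the authorizer is permitting a request that no visible policy allows, which needs explaining before merging rather than being taken as green. Either restore `Resource: "gid://Organization/1",` here, or turn this into a denial case with `assert.False(t, reply.Result)` — the suite as shown has only positive assertions, so an over-permissive policy set would go unnoticed. The enclosing TestServer function starts before the hunk.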