From 9fee5b57883782c5732f46b719308643cdc5f504 Mon Sep 17 00:00:00 2001 From: Asaf Cohen Date: Sun, 15 Oct 2023 20:48:57 +0300 Subject: [PATCH] added new permission check: get user permissions --- src/main/java/io/permit/sdk/Permit.java | 5 ++ .../io/permit/sdk/enforcement/Enforcer.java | 59 +++++++++++++++++++ .../enforcement/GetUserPermissionsQuery.java | 47 +++++++++++++++ .../permit/sdk/enforcement/IEnforcerApi.java | 9 +++ .../sdk/enforcement/ObjectPermissions.java | 19 ++++++ .../sdk/enforcement/ResourceDetails.java | 16 +++++ .../permit/sdk/enforcement/TenantDetails.java | 2 +- .../sdk/enforcement/UserPermissions.java | 8 +++ .../java/io/permit/sdk/e2e/RbacE2ETest.java | 22 +++++-- 9 files changed, 182 insertions(+), 5 deletions(-) create mode 100644 src/main/java/io/permit/sdk/enforcement/GetUserPermissionsQuery.java create mode 100644 src/main/java/io/permit/sdk/enforcement/ObjectPermissions.java create mode 100644 src/main/java/io/permit/sdk/enforcement/ResourceDetails.java create mode 100644 src/main/java/io/permit/sdk/enforcement/UserPermissions.java diff --git a/src/main/java/io/permit/sdk/Permit.java b/src/main/java/io/permit/sdk/Permit.java index c0f5704..886bc49 100644 --- a/src/main/java/io/permit/sdk/Permit.java +++ b/src/main/java/io/permit/sdk/Permit.java @@ -150,4 +150,9 @@ public List checkInAllTenants(User user, String action, Resource public List checkInAllTenants(User user, String action, Resource resource) throws IOException { return this.enforcer.checkInAllTenants(user, action, resource); } + + @Override + public UserPermissions getUserPermissions(GetUserPermissionsQuery input) throws IOException { + return this.enforcer.getUserPermissions(input); + } } diff --git a/src/main/java/io/permit/sdk/enforcement/Enforcer.java b/src/main/java/io/permit/sdk/enforcement/Enforcer.java index 6c42c1b..16d6e3b 100644 --- a/src/main/java/io/permit/sdk/enforcement/Enforcer.java +++ b/src/main/java/io/permit/sdk/enforcement/Enforcer.java @@ -439,6 +439,65 @@ public List checkInAllTenants(User user, String action, Resource return checkInAllTenants(user, action, resource, new Context()); } + @Override + public UserPermissions getUserPermissions(GetUserPermissionsQuery input) throws IOException { + // request body + Gson gson = new Gson(); + String requestBody = gson.toJson(input); + RequestBody body = RequestBody.create(requestBody, MediaType.parse("application/json")); + + // create the request + String url = String.format("%s/user-permissions", this.config.getPdpAddress()); + Request request = new Request.Builder() + .url(url) + .post(body) + .addHeader("Content-Type", "application/json") + .addHeader("Authorization", String.format("Bearer %s", this.config.getToken())) + .addHeader("X-Permit-SDK-Version", String.format("java:%s", this.config.version)) + .build(); + + try (Response response = client.newCall(request).execute()) { + if (!response.isSuccessful()) { + String errorMessage = String.format( + "Error in permit.getUserPermissions(%s, %s, %s, %s): got unexpected status code %d", + input.user.toString(), + input.tenants.toString(), + input.resource_types.toString(), + input.resources.toString(), + response.code() + ); + logger.error(errorMessage); + throw new IOException(errorMessage); + } + ResponseBody responseBody = response.body(); + if (responseBody == null) { + String errorMessage = String.format( + "Error in permit.getUserPermissions(%s, %s, %s, %s): got empty response", + input.user.toString(), + input.tenants.toString(), + input.resource_types.toString(), + input.resources.toString() + ); + logger.error(errorMessage); + throw new IOException(errorMessage); + } + String responseString = responseBody.string(); + UserPermissions result = gson.fromJson(responseString, UserPermissions.class); + if (this.config.isDebugMode()) { + logger.info(String.format( + "permit.getUserPermissions(%s, %s, %s, %s) => returned %d permissions on %d objects", + input.user.toString(), + input.tenants != null ? input.tenants.toString() : "null", + input.resource_types != null ? input.resource_types.toString() : "null", + input.resources != null ? input.resources.toString() : "null", + result.values().stream().map(obj -> obj.permissions.size()).reduce(0, Integer::sum), + result.keySet().size() + )); + } + return result; + } + } + @Override public boolean checkUrl(User user, String httpMethod, String url, String tenant) throws IOException { return this.checkUrl(user, httpMethod, url, tenant, new Context()); diff --git a/src/main/java/io/permit/sdk/enforcement/GetUserPermissionsQuery.java b/src/main/java/io/permit/sdk/enforcement/GetUserPermissionsQuery.java new file mode 100644 index 0000000..fa38fe3 --- /dev/null +++ b/src/main/java/io/permit/sdk/enforcement/GetUserPermissionsQuery.java @@ -0,0 +1,47 @@ +package io.permit.sdk.enforcement; + +import io.permit.sdk.util.Context; + +import java.util.ArrayList; +import java.util.List; + +public final class GetUserPermissionsQuery { + public final User user; + public final List tenants; + public final List resource_types; + public final List resources; + public final Context context; + + /** + * input to get user permissions api + * + * @param user the user we'd like to get a list of permissions for. + * @param tenants filter only permissions granted on specific tenants. + * @param resource_types filter permissions based on resource type. + * @param resources filter permissions based on resource instance key. + * @param context The context for the authorization check. + */ + public GetUserPermissionsQuery(User user, List tenants, List resource_types, List resources, Context context) { + this.user = user; + this.tenants = tenants; + this.resource_types = resource_types; + this.resources = resources; + this.context = context; + } + + public GetUserPermissionsQuery(User user, List tenants, List resource_types, List resources) { + this(user, tenants, resource_types, resources, new Context()); + } + + public GetUserPermissionsQuery(User user, List tenants, List resource_types) { + this(user, tenants, resource_types, null); + } + + public GetUserPermissionsQuery(User user, List tenants) { + this(user, tenants, null); + } + + public GetUserPermissionsQuery(User user) { + this(user, null); + } +} diff --git a/src/main/java/io/permit/sdk/enforcement/IEnforcerApi.java b/src/main/java/io/permit/sdk/enforcement/IEnforcerApi.java index 8dbd6f5..a4f9711 100644 --- a/src/main/java/io/permit/sdk/enforcement/IEnforcerApi.java +++ b/src/main/java/io/permit/sdk/enforcement/IEnforcerApi.java @@ -93,4 +93,13 @@ public interface IEnforcerApi { * @throws IOException if an error occurs while sending the authorization request to the PDP. */ List checkInAllTenants(User user, String action, Resource resource) throws IOException; + + /** + * list all the permissions granted to a user (by default in all tenants and for all objects). + * + * @param input input to get user permissions api + * @return A UserPermissions object, that contains all the permissions granted to the user. + * @throws IOException if an error occurs while sending the authorization request to the PDP. + */ + UserPermissions getUserPermissions(GetUserPermissionsQuery input) throws IOException; } diff --git a/src/main/java/io/permit/sdk/enforcement/ObjectPermissions.java b/src/main/java/io/permit/sdk/enforcement/ObjectPermissions.java new file mode 100644 index 0000000..e546b19 --- /dev/null +++ b/src/main/java/io/permit/sdk/enforcement/ObjectPermissions.java @@ -0,0 +1,19 @@ +package io.permit.sdk.enforcement; + +import java.util.List; + +/** + * The {@code ObjectPermissions} class represents a single object (tenant or resource instance) that the queried user can access. + */ +public class ObjectPermissions { + + public final TenantDetails tenant; + public final ResourceDetails resource; + public final List permissions; + + public ObjectPermissions(TenantDetails tenant, ResourceDetails resource, List permissions) { + this.tenant = tenant; + this.resource = resource; + this.permissions = permissions; + } +} diff --git a/src/main/java/io/permit/sdk/enforcement/ResourceDetails.java b/src/main/java/io/permit/sdk/enforcement/ResourceDetails.java new file mode 100644 index 0000000..3215fa0 --- /dev/null +++ b/src/main/java/io/permit/sdk/enforcement/ResourceDetails.java @@ -0,0 +1,16 @@ +package io.permit.sdk.enforcement; + +import io.permit.sdk.util.Context; + +import java.util.HashMap; + +/** + * The {@code ResourceDetails} class represents a single resource instance information fetched from the PDP (key and attributes). + */ +public final class ResourceDetails extends TenantDetails { + public final String type; + public ResourceDetails(String type, String key, HashMap attributes) { + super(key, attributes); + this.type = type; + } +} \ No newline at end of file diff --git a/src/main/java/io/permit/sdk/enforcement/TenantDetails.java b/src/main/java/io/permit/sdk/enforcement/TenantDetails.java index 80ef3e0..4166cde 100644 --- a/src/main/java/io/permit/sdk/enforcement/TenantDetails.java +++ b/src/main/java/io/permit/sdk/enforcement/TenantDetails.java @@ -7,7 +7,7 @@ /** * The {@code TenantDetails} class represents a single tenant information fetched from the PDP (key and attributes). */ -public final class TenantDetails { +public class TenantDetails { public final String key; public final HashMap attributes; public TenantDetails(String key, HashMap attributes) { diff --git a/src/main/java/io/permit/sdk/enforcement/UserPermissions.java b/src/main/java/io/permit/sdk/enforcement/UserPermissions.java new file mode 100644 index 0000000..7027f3c --- /dev/null +++ b/src/main/java/io/permit/sdk/enforcement/UserPermissions.java @@ -0,0 +1,8 @@ +package io.permit.sdk.enforcement; + +import java.util.HashMap; + +/** + * The {@code UserPermissions} class represents all the objects a user can access. + */ +final public class UserPermissions extends HashMap {} diff --git a/src/test/java/io/permit/sdk/e2e/RbacE2ETest.java b/src/test/java/io/permit/sdk/e2e/RbacE2ETest.java index a34c085..205d8b3 100644 --- a/src/test/java/io/permit/sdk/e2e/RbacE2ETest.java +++ b/src/test/java/io/permit/sdk/e2e/RbacE2ETest.java @@ -6,10 +6,7 @@ import io.permit.sdk.api.PermitContextError; import io.permit.sdk.Permit; import io.permit.sdk.api.models.CreateOrUpdateResult; -import io.permit.sdk.enforcement.CheckQuery; -import io.permit.sdk.enforcement.Resource; -import io.permit.sdk.enforcement.TenantDetails; -import io.permit.sdk.enforcement.User; +import io.permit.sdk.enforcement.*; import io.permit.sdk.openapi.models.*; import org.junit.jupiter.api.Test; import org.slf4j.Logger; @@ -20,6 +17,7 @@ import java.util.Arrays; import java.util.HashMap; import java.util.List; +import java.util.stream.Collectors; import static org.junit.jupiter.api.Assertions.*; @@ -32,6 +30,8 @@ public class RbacE2ETest extends PermitE2ETestBase { private final Logger logger = LoggerFactory.getLogger(RbacE2ETest.class); + private static final String TENANT_RESOURCE_KEY = "__tenant"; + @Test void testPermissionCheckRBAC() { // init the client @@ -244,6 +244,20 @@ void testPermissionCheckRBAC() { assertEquals(allowedTenants2.get(0).key, tenant2.key); assertEquals(((String)allowedTenants2.get(0).attributes.get("unit")), "one"); + logger.info("testing 'get user permissions' on user 'elon'"); + UserPermissions permissions = permit.getUserPermissions( + new GetUserPermissionsQuery( + User.fromString("auth0|elon") + ) + ); + assertEquals(permissions.keySet().size(), 2); // elon has access to 2 tenants + String tenantObjectKey = String.format("%s:%s", TENANT_RESOURCE_KEY, tenant.key); + String tenant2ObjectKey = String.format("%s:%s", TENANT_RESOURCE_KEY, tenant2.key); + assertTrue(permissions.containsKey(tenantObjectKey)); + assertTrue(permissions.containsKey(tenant2ObjectKey)); + assertTrue(permissions.get(tenantObjectKey).permissions.contains("document:read")); + assertTrue(permissions.get(tenant2ObjectKey).permissions.contains("document:create")); + // change the user role permit.api.users.assignRole(user.key, admin.key, tenant.key); permit.api.users.unassignRole(user.key, viewer.key, tenant.key);