added changes related to policy update

factly · Sep 1, 2022 · 33db7a8 · 33db7a8
1 parent 4a586ff
commit 33db7a8
Show file tree

Hide file tree

Showing 7 changed files with 185 additions and 26 deletions.
diff --git a/server/action/organisation/application/policy/update.go b/server/action/organisation/application/policy/update.go
@@ -9,8 +9,8 @@ import (
 
 	"github.com/factly/kavach-server/model"
 	"github.com/factly/kavach-server/util"
-	"github.com/factly/kavach-server/util/application"
 	keto "github.com/factly/kavach-server/util/keto/relationTuple"
+	"github.com/factly/kavach-server/util/user"
 	"github.com/factly/x/errorx"
 	"github.com/factly/x/loggerx"
 	"github.com/factly/x/renderx"
@@ -59,10 +59,19 @@ func update(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// check if the user is part of application or not
-	flag := application.CheckAuthorisation(uint(appID), uint(userID))
-	if !flag {
-		loggerx.Error(errors.New("user is not part of application"))
+	// VERIFY WHETHER THE USER IS PART OF APPLICATION OR NOT
+	isAuthorised, err := user.IsUserAuthorised(
+		namespace,
+		fmt.Sprintf("org:%d:app:%d", orgID, appID),
+		fmt.Sprintf("%d", userID),
+	)
+	if err != nil {
+		loggerx.Error(err)
+		errorx.Render(w, errorx.Parser(errorx.DecodeError()))
+		return
+	}
+	if !isAuthorised {
+		loggerx.Error(errors.New("user is not part of the application"))
 		errorx.Render(w, errorx.Parser(errorx.Unauthorized()))
 		return
 	}
@@ -121,6 +130,56 @@ func update(w http.ResponseWriter, r *http.Request) {
 
 	policy.Roles = roles
 
+	// policyBeforeUpdate : it is used to store a policy object which helps in deleting the relation tuples which are not needed after updating policy
+	policyBeforeUpdate := model.OrganisationPolicy{}
+	err = tx.Model(&model.ApplicationPolicy{}).Where(&model.ApplicationPolicy{
+		Base: model.Base{
+			ID: uint(policyID),
+		},
+	}).Preload("Roles").Find(&policyBeforeUpdate).Error
+	if err != nil {
+		tx.Rollback()
+		loggerx.Error(err)
+		errorx.Render(w, errorx.Parser(errorx.DBError()))
+		return
+	}
+
+	var oldPermissions []permission
+	err = json.Unmarshal(policyBeforeUpdate.Permissions.RawMessage, &oldPermissions)
+	if err != nil {
+		tx.Rollback()
+		loggerx.Error(err)
+		errorx.Render(w, errorx.Parser(errorx.Unauthorized()))
+		return
+	}
+
+	for _, role := range policyBeforeUpdate.Roles {
+		for _, eachPermission := range oldPermissions {
+			for _, action := range eachPermission.Actions {
+				tuple := &model.KetoRelationTupleWithSubjectSet{
+					KetoSubjectSet: model.KetoSubjectSet{
+						Namespace: namespace,
+						Object:    fmt.Sprintf("resource:org:%d:app:%d:%s", orgID, appID, eachPermission.Resource),
+						Relation:  action,
+					},
+					SubjectSet: model.KetoSubjectSet{
+						Namespace: namespace,
+						Object:    fmt.Sprintf("roles:org%d:app:%d", orgID, appID),
+						Relation:  role.Name,
+					},
+				}
+
+				err = keto.DeleteRelationTupleWithSubjectSet(tuple)
+				if err != nil {
+					tx.Rollback()
+					loggerx.Error(err)
+					errorx.Render(w, errorx.Parser(errorx.InternalServerError()))
+					return
+				}
+			}
+		}
+	}
+
 	// updating the application policy on the kavachDB
 	err = tx.Model(&model.ApplicationPolicy{}).Where("id = ?", policyID).Updates(&policy).Error
 	if err != nil {

diff --git a/server/action/organisation/application/space/policy/update.go b/server/action/organisation/application/space/policy/update.go
@@ -140,6 +140,56 @@ func update(w http.ResponseWriter, r *http.Request) {
 
 	policy.Roles = roles
 
+	// policyBeforeUpdate : it is used to store a policy object which helps in deleting the relation tuples which are not needed after updating policy
+	policyBeforeUpdate := model.SpacePolicy{}
+	err = tx.Model(&model.SpacePolicy{}).Where(&model.SpacePolicy{
+		Base: model.Base{
+			ID: uint(policyID),
+		},
+	}).Preload("Roles").Find(&policyBeforeUpdate).Error
+	if err != nil {
+		tx.Rollback()
+		loggerx.Error(err)
+		errorx.Render(w, errorx.Parser(errorx.DBError()))
+		return
+	}
+
+	var oldPermissions []permission
+	err = json.Unmarshal(policyBeforeUpdate.Permissions.RawMessage, &oldPermissions)
+	if err != nil {
+		tx.Rollback()
+		loggerx.Error(err)
+		errorx.Render(w, errorx.Parser(errorx.Unauthorized()))
+		return
+	}
+
+	for _, role := range policyBeforeUpdate.Roles {
+		for _, eachPermission := range oldPermissions {
+			for _, action := range eachPermission.Actions {
+				tuple := &model.KetoRelationTupleWithSubjectSet{
+					KetoSubjectSet: model.KetoSubjectSet{
+						Namespace: namespace,
+						Object:    fmt.Sprintf("resource:org:%d:app:%d:space:%d:%s", orgID, appID, spaceID, eachPermission.Resource),
+						Relation:  action,
+					},
+					SubjectSet: model.KetoSubjectSet{
+						Namespace: namespace,
+						Object:    fmt.Sprintf("roles:org%d:app:%d:space:%d", orgID, appID, spaceID),
+						Relation:  role.Name,
+					},
+				}
+
+				err = keto.DeleteRelationTupleWithSubjectSet(tuple)
+				if err != nil {
+					tx.Rollback()
+					loggerx.Error(err)
+					errorx.Render(w, errorx.Parser(errorx.InternalServerError()))
+					return
+				}
+			}
+		}
+	}
+
 	// updating the policy in the kavachDB
 	err = tx.Model(&model.SpacePolicy{}).Where("id = ?", policyID).Updates(&policy).Error
 	if err != nil {

diff --git a/server/action/organisation/policy/update.go b/server/action/organisation/policy/update.go
@@ -114,8 +114,58 @@ func update(w http.ResponseWriter, r *http.Request) {
 
 	policy.Roles = roles
 
-	err = model.DB.Model(&model.OrganisationPolicy{}).Where("id = ?", policyID).Updates(policy).Error
+	// policyBeforeUpdate : it is used to store a policy object which helps in deleting the relation tuples which are not needed after updating policy
+	policyBeforeUpdate := model.OrganisationPolicy{}
+	err = tx.Model(&model.OrganisationPolicy{}).Where(&model.OrganisationPolicy{
+		Base: model.Base{
+			ID: uint(policyID),
+		},
+	}).Preload("Roles").Find(&policyBeforeUpdate).Error
 	if err != nil {
+		tx.Rollback()
+		loggerx.Error(err)
+		errorx.Render(w, errorx.Parser(errorx.DBError()))
+		return
+	}
+
+	var oldPermissions []permission
+	err = json.Unmarshal(policyBeforeUpdate.Permissions.RawMessage, &oldPermissions)
+	if err != nil {
+		tx.Rollback()
+		loggerx.Error(err)
+		errorx.Render(w, errorx.Parser(errorx.Unauthorized()))
+		return
+	}
+
+	for _, role := range policyBeforeUpdate.Roles {
+		for _, eachPermission := range oldPermissions {
+			for _, action := range eachPermission.Actions {
+				tuple := &model.KetoRelationTupleWithSubjectSet{
+					KetoSubjectSet: model.KetoSubjectSet{
+						Namespace: namespace,
+						Object:    fmt.Sprintf("resource:org:%d:%s", orgID, eachPermission.Resource),
+						Relation:  action,
+					},
+					SubjectSet: model.KetoSubjectSet{
+						Namespace: namespace,
+						Object:    fmt.Sprintf("roles:org:%d", orgID),
+						Relation:  role.Name,
+					},
+				}
+				err = keto.DeleteRelationTupleWithSubjectSet(tuple)
+				if err != nil {
+					tx.Rollback()
+					loggerx.Error(err)
+					errorx.Render(w, errorx.Parser(errorx.InternalServerError()))
+					return
+				}
+			}
+		}
+	}
+
+	err = tx.Model(&model.OrganisationPolicy{}).Where("id = ?", policyID).Updates(policy).Error
+	if err != nil {
+		tx.Rollback()
 		loggerx.Error(err)
 		errorx.Render(w, errorx.Parser(errorx.DBError()))
 		return
@@ -132,14 +182,14 @@ func update(w http.ResponseWriter, r *http.Request) {
 	var permissions []permission
 	err = json.Unmarshal(reqBody.Permissions.RawMessage, &permissions)
 	if err != nil {
+		tx.Rollback()
 		loggerx.Error(err)
 		errorx.Render(w, errorx.Parser(errorx.Unauthorized()))
 		return
 	}
 
 	// ----------- Creating policy on the keto server ---------------
 	for _, role := range policy.Roles {
-
 		for _, permission := range permissions {
 			for _, action := range permission.Actions {
 				tuple := &model.KetoRelationTupleWithSubjectSet{

diff --git a/web/src/actions/space.js b/web/src/actions/space.js
@@ -131,10 +131,14 @@ export const getSpaceByID = (appID, spaceID) => {
       ) // eslint-disable-next-line
       .then((response) => {
         deleteKeys([response.data], ['application']);
-        dispatch(addSpaceRoles(spaceID, buildObjectOfItems(response.data.roles)));
-        dispatch(addSpacePolicy(spaceID, buildObjectOfItems(response.data.policies)));
-        response.data.roleIDs = getIds(response.data.roles);
-        response.data.policyIDs = getIds(response.data.policies);
+        if(response.data?.roles){
+          dispatch(addSpaceRoles(spaceID, buildObjectOfItems(response.data.roles)));
+          response.data.roleIDs = getIds(response.data?.roles);
+        }
+        if(response.data?.policies){
+          dispatch(addSpacePolicy(spaceID, buildObjectOfItems(response.data.policies)));
+          response.data.policyIDs = getIds(response.data.policies);
+        }
         delete response.data.roles;
         delete response.data.policies;
         dispatch(addSpaces([response.data]));

diff --git a/web/src/pages/application/settings/policies/components/EditApplicationPolicy.js b/web/src/pages/application/settings/policies/components/EditApplicationPolicy.js
@@ -25,7 +25,7 @@ export default function EditApplicationPolicy() {
   });
 
   const onUpdate = (data) => {
-    dispatch(updateApplicationPolicy(appID, policyID, data)).then(() =>
+    dispatch(updateApplicationPolicy(appID, policyID, {...policy, ...data})).then(() =>
       history.push(`/applications/${appID}/settings/policies`),
     );
   };
@@ -46,7 +46,6 @@ export default function EditApplicationPolicy() {
 
   React.useEffect(() => {
     fetchPolicy();
-    dispatch(getApplication(appID));
     // eslint-disable-next-line
   }, []);
 

diff --git a/web/src/pages/application/settings/spaces/settings/policies/components/EditSpacePolicy.js b/web/src/pages/application/settings/spaces/settings/policies/components/EditSpacePolicy.js
@@ -1,7 +1,7 @@
 import React from 'react';
 import { Button, Card, Form, Input, Skeleton } from 'antd';
 import { getSpacePolicyByID, updateSpacePolicy } from '../../../../../../../actions/policy';
-import { Link, useParams } from 'react-router-dom';
+import { Link, useHistory, useParams } from 'react-router-dom';
 import { useDispatch, useSelector } from 'react-redux';
 import DynamicPermissionField from '../../../../../../../components/Policies';
 import ErrorComponent from '../../../../../../../components/ErrorsAndImage/ErrorComponent';
@@ -12,7 +12,7 @@ export default function EditSpacePolicy() {
   const [form] = Form.useForm();
   const dispatch = useDispatch();
   const { appID, spaceID, policyID } = useParams();
-
+  const history = useHistory()
   const { policy, loading, role, loadingRole, space, loadingSpace } = useSelector((state) => {
     return {
       policy: state.policy.space[spaceID][policyID],
@@ -25,7 +25,8 @@ export default function EditSpacePolicy() {
   });
 
   const onUpdate = (data) => {
-    dispatch(updateSpacePolicy(policyID, appID, spaceID, data));
+    dispatch(updateSpacePolicy(policyID, appID, spaceID, { ...policy, ...data}))
+    .then(() => history.push(`/applications/${appID}/settings/spaces/${spaceID}/settings/policies`));
   };
 
   const onReset = () => {
@@ -38,13 +39,8 @@ export default function EditSpacePolicy() {
     });
   };
 
-  const fetchPolicy = () => {
-    dispatch(getSpacePolicyByID(appID, spaceID, policyID));
-  };
-
   React.useEffect(() => {
-    fetchPolicy();
-    dispatch(getSpaceByID(appID, spaceID));
+    dispatch(getSpacePolicyByID(appID, spaceID, policyID));
     // eslint-disable-next-line
   }, []);
 

diff --git a/web/src/pages/organisation/settings/policies/components/EditOrganistionPolicy.js b/web/src/pages/organisation/settings/policies/components/EditOrganistionPolicy.js
@@ -1,7 +1,7 @@
 import React from 'react';
 import { Button, Card, Form, Input, Skeleton } from 'antd';
 import { getOrganisationPolicyByID, updateOrganisationPolicy } from '../../../../../actions/policy';
-import { Link, useParams } from 'react-router-dom';
+import { Link, useHistory, useParams } from 'react-router-dom';
 import { useDispatch, useSelector } from 'react-redux';
 import DynamicPermissionField from '../../../../../components/Policies';
 import ErrorComponent from '../../../../../components/ErrorsAndImage/ErrorComponent';
@@ -12,10 +12,10 @@ export default function EditOrganisationPolicy() {
   const [form] = Form.useForm();
   const dispatch = useDispatch();
   const { orgID, policyID } = useParams();
-
+  const history = useHistory();
   const { policy, loading, role, loadingRole, organisation, loadingOrg } = useSelector((state) => {
     return {
-      policy: state.policy.organisation[orgID][policyID],
+      policy: state.policy.organisation?.[orgID]?.[policyID],
       loading: state.policy.loading,
       role: state.profile.roles[state.organisations.selected],
       loadingRole: state.profile.loading,
@@ -25,7 +25,8 @@ export default function EditOrganisationPolicy() {
   });
 
   const onUpdate = (data) => {
-    dispatch(updateOrganisationPolicy(policyID, data));
+    dispatch(updateOrganisationPolicy(policyID, {...policy, ...data}))
+    .then(() => history.push(`/organisation/${orgID}/settings/policies`));
   };
 
   const onReset = () => {