fix(api): introduce priority based logic for RBAC roles (#3374)

* fix(api): introduce priority based logic for RBAC roles * refactor(api): rename method
5 years ago · 81c0bf0632
parent 9decbce511
commit 81c0bf0632
4 changed files with 19 additions and 22 deletions
--- a/api/authorizations.go
+++ b/api/authorizations.go
@ -771,37 +771,25 @@ func getAuthorizationsFromTeamEndpointGroupPolicies(memberships []TeamMembership
 }

 func getAuthorizationsFromRoles(roleIdentifiers []RoleID, roles []Role) Authorizations {
-	var roleAuthorizations []Authorizations
+	var associatedRoles []Role
+
 	for _, id := range roleIdentifiers {
 		for _, role := range roles {
 			if role.ID == id {
-				roleAuthorizations = append(roleAuthorizations, role.Authorizations)
+				associatedRoles = append(associatedRoles, role)
 				break
 			}
 		}
 	}

-	processedAuthorizations := make(Authorizations)
-	if len(roleAuthorizations) > 0 {
-		processedAuthorizations = roleAuthorizations[0]
-		for idx, authorizations := range roleAuthorizations {
-			if idx == 0 {
-				continue
-			}
-			processedAuthorizations = mergeAuthorizations(processedAuthorizations, authorizations)
+	var authorizations Authorizations
+	highestPriority := 0
+	for _, role := range associatedRoles {
+		if role.Priority > highestPriority {
+			highestPriority = role.Priority
+			authorizations = role.Authorizations
 		}
 	}

-	return processedAuthorizations
-}
-
-func mergeAuthorizations(a, b Authorizations) Authorizations {
-	c := make(map[Authorization]bool)
-
-	for k := range b {
-		if _, ok := a[k]; ok {
-			c[k] = true
-		}
-	}
-	return c
+	return authorizations
 }
--- a/api/bolt/init.go
+++ b/api/bolt/init.go
@ -34,6 +34,7 @@ func (store *Store) Init() error {
 		environmentAdministratorRole := &portainer.Role{
 			Name:           "Endpoint administrator",
 			Description:    "Full control of all resources in an endpoint",
+			Priority:       1,
 			Authorizations: portainer.DefaultEndpointAuthorizationsForEndpointAdministratorRole(),
 		}

@ -45,6 +46,7 @@ func (store *Store) Init() error {
 		environmentReadOnlyUserRole := &portainer.Role{
 			Name:           "Helpdesk",
 			Description:    "Read-only access of all resources in an endpoint",
+			Priority:       2,
 			Authorizations: portainer.DefaultEndpointAuthorizationsForHelpDeskRole(false),
 		}

@ -56,6 +58,7 @@ func (store *Store) Init() error {
 		standardUserRole := &portainer.Role{
 			Name:           "Standard user",
 			Description:    "Full control of assigned resources in an endpoint",
+			Priority:       3,
 			Authorizations: portainer.DefaultEndpointAuthorizationsForStandardUserRole(false),
 		}

@ -67,6 +70,7 @@ func (store *Store) Init() error {
 		readOnlyUserRole := &portainer.Role{
 			Name:           "Read-only user",
 			Description:    "Read-only access of assigned resources in an endpoint",
+			Priority:       4,
 			Authorizations: portainer.DefaultEndpointAuthorizationsForReadOnlyUserRole(false),
 		}

--- a/api/bolt/migrator/migrate_dbversion20.go
+++ b/api/bolt/migrator/migrate_dbversion20.go
@ -43,6 +43,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 	if err != nil {
 		return err
 	}
+	endpointAdministratorRole.Priority = 1
 	endpointAdministratorRole.Authorizations = portainer.DefaultEndpointAuthorizationsForEndpointAdministratorRole()

 	err = m.roleService.UpdateRole(endpointAdministratorRole.ID, endpointAdministratorRole)
@ -51,6 +52,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 	if err != nil {
 		return err
 	}
+	helpDeskRole.Priority = 2
 	helpDeskRole.Authorizations = portainer.DefaultEndpointAuthorizationsForHelpDeskRole(settings.AllowVolumeBrowserForRegularUsers)

 	err = m.roleService.UpdateRole(helpDeskRole.ID, helpDeskRole)
@ -59,6 +61,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 	if err != nil {
 		return err
 	}
+	standardUserRole.Priority = 3
 	standardUserRole.Authorizations = portainer.DefaultEndpointAuthorizationsForStandardUserRole(settings.AllowVolumeBrowserForRegularUsers)

 	err = m.roleService.UpdateRole(standardUserRole.ID, standardUserRole)
@ -67,6 +70,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 	if err != nil {
 		return err
 	}
+	readOnlyUserRole.Priority = 4
 	readOnlyUserRole.Authorizations = portainer.DefaultEndpointAuthorizationsForReadOnlyUserRole(settings.AllowVolumeBrowserForRegularUsers)

 	err = m.roleService.UpdateRole(readOnlyUserRole.ID, readOnlyUserRole)
--- a/api/portainer.go
+++ b/api/portainer.go
@ -303,6 +303,7 @@ type (
 		Name           string         `json:"Name"`
 		Description    string         `json:"Description"`
 		Authorizations Authorizations `json:"Authorizations"`
+		Priority       int            `json:"Priority"`
 	}

 	// AccessPolicy represent a policy that can be associated to a user or team