Add role based access control

2019-10-14 02:51:36 -04:00
parent 85a74ed30c
commit deb5b93c81
13 changed files with 645 additions and 350 deletions
--- a/serv/config.go
+++ b/serv/config.go
@ -71,18 +71,14 @@ type config struct {
 	} `mapstructure:"database"`

 	Tables []configTable
+	Roles  []configRoles
 }

 type configTable struct {
-	Name         string
-	Filter       []string
-	FilterQuery  []string `mapstructure:"filter_query"`
-	FilterInsert []string `mapstructure:"filter_insert"`
-	FilterUpdate []string `mapstructure:"filter_update"`
-	FilterDelete []string `mapstructure:"filter_delete"`
-	Table        string
-	Blocklist    []string
-	Remotes      []configRemote
+	Name      string
+	Table     string
+	Blocklist []string
+	Remotes   []configRemote
 }

 type configRemote struct {
@ -98,6 +94,41 @@ type configRemote struct {
 	} `mapstructure:"set_headers"`
 }

+type configRoles struct {
+	Name   string
+	Tables []struct {
+		Name string
+
+		Query struct {
+			Limit              int
+			Filter             []string
+			Columns            []string
+			DisableAggregation bool `mapstructure:"disable_aggregation"`
+			Deny               bool
+		}
+
+		Insert struct {
+			Filter  []string
+			Columns []string
+			Set     map[string]string
+			Deny    bool
+		}
+
+		Update struct {
+			Filter  []string
+			Columns []string
+			Set     map[string]string
+			Deny    bool
+		}
+
+		Delete struct {
+			Filter  []string
+			Columns []string
+			Deny    bool
+		}
+	}
+}
+
 func newConfig() *viper.Viper {
 	vi := viper.New()

--- a/serv/core.go
+++ b/serv/core.go
@ -59,7 +59,7 @@ func (c *coreContext) execQuery() ([]byte, error) {

 	} else {

-		qc, err = qcompile.Compile([]byte(c.req.Query))
+		qc, err = qcompile.Compile([]byte(c.req.Query), "user")
 		if err != nil {
 			return nil, err
 		}
--- a/serv/prepare.go
+++ b/serv/prepare.go
@ -40,7 +40,7 @@ func prepareStmt(key, gql string, varBytes json.RawMessage) error {
 		return nil
 	}

-	qc, err := qcompile.Compile([]byte(gql))
+	qc, err := qcompile.Compile([]byte(gql), "user")
 	if err != nil {
 		return err
 	}
--- a/serv/serv.go
+++ b/serv/serv.go
@ -12,7 +12,6 @@ import (
 	rice "github.com/GeertJohan/go.rice"
 	"github.com/dosco/super-graph/psql"
 	"github.com/dosco/super-graph/qcode"
-	"github.com/gobuffalo/flect"
 )

 func initCompilers(c *config) (*qcode.Compiler, *psql.Compiler, error) {
@ -22,49 +21,50 @@ func initCompilers(c *config) (*qcode.Compiler, *psql.Compiler, error) {
 	}

 	conf := qcode.Config{
-		DefaultFilter: c.DB.Defaults.Filter,
-		FilterMap: qcode.Filters{
-			All:    make(map[string][]string, len(c.Tables)),
-			Query:  make(map[string][]string, len(c.Tables)),
-			Insert: make(map[string][]string, len(c.Tables)),
-			Update: make(map[string][]string, len(c.Tables)),
-			Delete: make(map[string][]string, len(c.Tables)),
-		},
 		Blocklist: c.DB.Defaults.Blocklist,
 		KeepArgs:  false,
 	}

-	for i := range c.Tables {
-		t := c.Tables[i]
-
-		singular := flect.Singularize(t.Name)
-		plural := flect.Pluralize(t.Name)
-
-		setFilter := func(fm map[string][]string, fil []string) {
-			switch {
-			case len(fil) == 0:
-				return
-			case fil[0] == "none" || len(fil[0]) == 0:
-				fm[singular] = []string{}
-				fm[plural] = []string{}
-			default:
-				fm[singular] = t.Filter
-				fm[plural] = t.Filter
-			}
-		}
-
-		setFilter(conf.FilterMap.All, t.Filter)
-		setFilter(conf.FilterMap.Query, t.FilterQuery)
-		setFilter(conf.FilterMap.Insert, t.FilterInsert)
-		setFilter(conf.FilterMap.Update, t.FilterUpdate)
-		setFilter(conf.FilterMap.Delete, t.FilterDelete)
-	}
-
 	qc, err := qcode.NewCompiler(conf)
 	if err != nil {
 		return nil, nil, err
 	}

+	for _, r := range c.Roles {
+		for _, t := range r.Tables {
+			query := qcode.QueryConfig{
+				Limit:            t.Query.Limit,
+				Filter:           t.Query.Filter,
+				Columns:          t.Query.Columns,
+				DisableFunctions: t.Query.DisableAggregation,
+			}
+
+			insert := qcode.InsertConfig{
+				Filter:  t.Insert.Filter,
+				Columns: t.Insert.Columns,
+				Set:     t.Insert.Set,
+			}
+
+			update := qcode.UpdateConfig{
+				Filter:  t.Insert.Filter,
+				Columns: t.Insert.Columns,
+				Set:     t.Insert.Set,
+			}
+
+			delete := qcode.DeleteConfig{
+				Filter:  t.Insert.Filter,
+				Columns: t.Insert.Columns,
+			}
+
+			qc.AddRole(r.Name, t.Name, qcode.TRConfig{
+				Query:  query,
+				Insert: insert,
+				Update: update,
+				Delete: delete,
+			})
+		}
+	}
+
 	pc := psql.NewCompiler(psql.Config{
 		Schema: schema,
 		Vars:   c.getVariables(),