mirror of
https://github.com/SigNoz/signoz.git
synced 2026-02-03 08:33:26 +00:00
1c815b130c
* feat(authz): initial commit for migrating rbac to openfga * feat(authz): make the role updates idempotant * feat(authz): split role module into role and grant * feat(authz): some naming changes * feat(authz): integrate the grant module * feat(authz): add support for migrating existing user role * feat(authz): add support for migrating existing user role * feat(authz): figure out the * selector * feat(authz): merge main * feat(authz): merge main * feat(authz): address couple of todos * feat(authz): address couple of todos * feat(authz): fix tests and revert public dashboard change * feat(authz): fix tests and revert public dashboard change * feat(authz): add open api spec * feat(authz): add open api spec * feat(authz): add api key changes and missing migration * feat(authz): split role into getter and setter * feat(authz): add integration tests for authz register * feat(authz): add more tests for user invite and delete * feat(authz): update user tests * feat(authz): rename grant to granter * feat(authz): address review comments * feat(authz): address review comments * feat(authz): address review comments * feat(authz): add the migration for existing roles * feat(authz): go mod tidy * feat(authz): fix integration tests * feat(authz): handle community changes * feat(authz): handle community changes * feat(authz): role selectors for open claims * feat(authz): role selectors for open claims * feat(authz): prevent duplicate entries for changelog * feat(authz): scafolding for rbac migration * feat(authz): scafolding for rbac migration * feat(authz): scafolding for rbac migration * feat(authz): scafolding for rbac migration * feat(authz): scafolding for rbac migration
99 lines
3.4 KiB
Go
99 lines
3.4 KiB
Go
package openfgaauthz
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/SigNoz/signoz/pkg/authz"
|
|
pkgopenfgaauthz "github.com/SigNoz/signoz/pkg/authz/openfgaauthz"
|
|
"github.com/SigNoz/signoz/pkg/factory"
|
|
"github.com/SigNoz/signoz/pkg/sqlstore"
|
|
"github.com/SigNoz/signoz/pkg/types/authtypes"
|
|
"github.com/SigNoz/signoz/pkg/valuer"
|
|
openfgav1 "github.com/openfga/api/proto/openfga/v1"
|
|
openfgapkgtransformer "github.com/openfga/language/pkg/go/transformer"
|
|
)
|
|
|
|
type provider struct {
|
|
pkgAuthzService authz.AuthZ
|
|
}
|
|
|
|
func NewProviderFactory(sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile) factory.ProviderFactory[authz.AuthZ, authz.Config] {
|
|
return factory.NewProviderFactory(factory.MustNewName("openfga"), func(ctx context.Context, ps factory.ProviderSettings, config authz.Config) (authz.AuthZ, error) {
|
|
return newOpenfgaProvider(ctx, ps, config, sqlstore, openfgaSchema)
|
|
})
|
|
}
|
|
|
|
func newOpenfgaProvider(ctx context.Context, settings factory.ProviderSettings, config authz.Config, sqlstore sqlstore.SQLStore, openfgaSchema []openfgapkgtransformer.ModuleFile) (authz.AuthZ, error) {
|
|
pkgOpenfgaAuthzProvider := pkgopenfgaauthz.NewProviderFactory(sqlstore, openfgaSchema)
|
|
pkgAuthzService, err := pkgOpenfgaAuthzProvider.New(ctx, settings, config)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &provider{
|
|
pkgAuthzService: pkgAuthzService,
|
|
}, nil
|
|
}
|
|
|
|
func (provider *provider) Start(ctx context.Context) error {
|
|
return provider.pkgAuthzService.Start(ctx)
|
|
}
|
|
|
|
func (provider *provider) Stop(ctx context.Context) error {
|
|
return provider.pkgAuthzService.Stop(ctx)
|
|
}
|
|
|
|
func (provider *provider) Check(ctx context.Context, tuple *openfgav1.TupleKey) error {
|
|
return provider.pkgAuthzService.Check(ctx, tuple)
|
|
}
|
|
|
|
func (provider *provider) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, _ []authtypes.Selector) error {
|
|
subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
tuples, err := typeable.Tuples(subject, relation, selectors, orgID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
err = provider.BatchCheck(ctx, tuples)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (provider *provider) CheckWithTupleCreationWithoutClaims(ctx context.Context, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, _ []authtypes.Selector) error {
|
|
subject, err := authtypes.NewSubject(authtypes.TypeableAnonymous, authtypes.AnonymousUser.String(), orgID, nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
tuples, err := typeable.Tuples(subject, relation, selectors, orgID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
err = provider.BatchCheck(ctx, tuples)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (provider *provider) BatchCheck(ctx context.Context, tuples []*openfgav1.TupleKey) error {
|
|
return provider.pkgAuthzService.BatchCheck(ctx, tuples)
|
|
}
|
|
|
|
func (provider *provider) ListObjects(ctx context.Context, subject string, relation authtypes.Relation, typeable authtypes.Typeable) ([]*authtypes.Object, error) {
|
|
return provider.pkgAuthzService.ListObjects(ctx, subject, relation, typeable)
|
|
}
|
|
|
|
func (provider *provider) Write(ctx context.Context, additions []*openfgav1.TupleKey, deletions []*openfgav1.TupleKey) error {
|
|
return provider.pkgAuthzService.Write(ctx, additions, deletions)
|
|
}
|