feat(station): update initial policies/permissions (#499)
olaszakos authored Feb 10, 2025
1 parent 0864bf2 commit e78ead3
Showing 6 changed files with 166 additions and 194 deletions.
157 changes: 89 additions & 68 deletions core/station/impl/src/core/init.rs
Expand Up @@ -7,7 +7,7 @@ use crate::models::{
PermissionResourceAction, RequestResourceAction, Resource, ResourceAction, ResourceId,
ResourceIds, SystemResourceAction, UserResourceAction,
},
ADMIN_GROUP_ID,
NamedRuleId, ADMIN_GROUP_ID, OPERATOR_GROUP_ID,
};
use lazy_static::lazy_static;

Expand All @@ -20,154 +20,154 @@ lazy_static! {
),
// Admins can read the system info which includes the canister's version, cycles, etc.
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::System(SystemResourceAction::SystemInfo),
),
// Admins can manage the system info (e.g. change the canister's name)
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::System(SystemResourceAction::ManageSystemInfo),
),
// Admins can upgrade the canister
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::System(SystemResourceAction::Upgrade),
),
// users
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::User(UserResourceAction::List),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::User(UserResourceAction::Create),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::User(UserResourceAction::Read(ResourceId::Any)),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::User(UserResourceAction::Update(ResourceId::Any)),
),
// user groups
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::UserGroup(ResourceAction::List),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::UserGroup(ResourceAction::Create),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::UserGroup(ResourceAction::Read(ResourceId::Any)),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::UserGroup(ResourceAction::Update(ResourceId::Any)),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::UserGroup(ResourceAction::Delete(ResourceId::Any)),
),
// permissions
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::Permission(PermissionResourceAction::Read),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::Permission(PermissionResourceAction::Update),
),
// request policies
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::RequestPolicy(ResourceAction::List),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::RequestPolicy(ResourceAction::Create),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::RequestPolicy(ResourceAction::Read(ResourceId::Any)),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::RequestPolicy(ResourceAction::Update(ResourceId::Any)),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::RequestPolicy(ResourceAction::Delete(ResourceId::Any)),
),
// requests
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::Request(RequestResourceAction::List),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::Request(RequestResourceAction::Read(ResourceId::Any)),
),
// address book
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::AddressBook(ResourceAction::Create),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::AddressBook(ResourceAction::List),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::AddressBook(ResourceAction::Read(ResourceId::Any)),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::AddressBook(ResourceAction::Update(ResourceId::Any)),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::AddressBook(ResourceAction::Delete(ResourceId::Any)),
),
// accounts
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::Account(AccountResourceAction::Create),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::Account(AccountResourceAction::List),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::Account(AccountResourceAction::Read(ResourceId::Any)),
),
// external canisters
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::ExternalCanister(ExternalCanisterResourceAction::List),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::ExternalCanister(ExternalCanisterResourceAction::Read(ExternalCanisterId::Any)),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::ExternalCanister(ExternalCanisterResourceAction::Create),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::ExternalCanister(ExternalCanisterResourceAction::Change(ExternalCanisterId::Any)),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::ExternalCanister(ExternalCanisterResourceAction::Fund(ExternalCanisterId::Any)),
),
// assets
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::Asset(ResourceAction::Create),
),
(
Expand All @@ -179,146 +179,167 @@ lazy_static! {
Resource::Asset(ResourceAction::Read(ResourceId::Any)),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::Asset(ResourceAction::Update(ResourceId::Any)),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::Asset(ResourceAction::Delete(ResourceId::Any)),
),
// named rules
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::NamedRule(ResourceAction::List),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::NamedRule(ResourceAction::Create),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::NamedRule(ResourceAction::Read(ResourceId::Any)),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::NamedRule(ResourceAction::Update(ResourceId::Any)),
),
(
Allow::user_groups(vec![*ADMIN_GROUP_ID]),
Allow::authenticated(),
Resource::NamedRule(ResourceAction::Delete(ResourceId::Any)),
),
];

}

pub fn default_policies(admin_quorum: u16) -> Vec<(RequestSpecifier, RequestPolicyRule)> {
pub fn get_default_named_rules(
quorum: u16,
) -> ((String, RequestPolicyRule), (String, RequestPolicyRule)) {
(
(
"Operator approval".to_string(),
RequestPolicyRule::Quorum(
UserSpecifier::Group(vec![*OPERATOR_GROUP_ID, *ADMIN_GROUP_ID]),
quorum,
),
),
(
"Admin approval".to_string(),
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), quorum),
),
)
}

pub fn default_policies(
regular_named_rule_id: NamedRuleId,
admin_named_rule_id: NamedRuleId,
) -> Vec<(RequestSpecifier, RequestPolicyRule)> {
vec![
// System upgrade
(
RequestSpecifier::SystemUpgrade,
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(admin_named_rule_id),
),
// system info
(
RequestSpecifier::ManageSystemInfo,
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(admin_named_rule_id),
),
// accounts
(
RequestSpecifier::AddAccount,
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(regular_named_rule_id),
),
// users
(
RequestSpecifier::AddUser,
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(admin_named_rule_id),
),
(
RequestSpecifier::EditUser(ResourceIds::Any),
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(admin_named_rule_id),
),
// address book
(
RequestSpecifier::AddAddressBookEntry,
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(regular_named_rule_id),
),
(
RequestSpecifier::EditAddressBookEntry(ResourceIds::Any),
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(regular_named_rule_id),
),
(
RequestSpecifier::RemoveAddressBookEntry(ResourceIds::Any),
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(regular_named_rule_id),
),
// permissions
(
RequestSpecifier::EditPermission(ResourceSpecifier::Any),
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(admin_named_rule_id),
),
// request policies
(
RequestSpecifier::AddRequestPolicy,
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(admin_named_rule_id),
),
(
RequestSpecifier::EditRequestPolicy(ResourceIds::Any),
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(admin_named_rule_id),
),
(
RequestSpecifier::RemoveRequestPolicy(ResourceIds::Any),
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(admin_named_rule_id),
),
// user groups
(
RequestSpecifier::AddUserGroup,
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(admin_named_rule_id),
),
(
RequestSpecifier::EditUserGroup(ResourceIds::Any),
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(admin_named_rule_id),
),
(
RequestSpecifier::RemoveUserGroup(ResourceIds::Any),
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(admin_named_rule_id),
),
// external canisters
(
RequestSpecifier::CreateExternalCanister,
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(regular_named_rule_id),
),
(
RequestSpecifier::ChangeExternalCanister(ExternalCanisterId::Any),
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(regular_named_rule_id),
),
(
RequestSpecifier::FundExternalCanister(ExternalCanisterId::Any),
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(regular_named_rule_id),
),
// create, edit, and remove assets
(
RequestSpecifier::AddAsset,
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(regular_named_rule_id),
),
(
RequestSpecifier::EditAsset(ResourceIds::Any),
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(regular_named_rule_id),
),
(
RequestSpecifier::RemoveAsset(ResourceIds::Any),
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(regular_named_rule_id),
),
// named rules
(
RequestSpecifier::AddNamedRule,
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(admin_named_rule_id),
),
(
RequestSpecifier::EditNamedRule(ResourceIds::Any),
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(admin_named_rule_id),
),
(
RequestSpecifier::RemoveNamedRule(ResourceIds::Any),
RequestPolicyRule::Quorum(UserSpecifier::Group(vec![*ADMIN_GROUP_ID]), admin_quorum),
RequestPolicyRule::NamedRule(admin_named_rule_id),
),
]
}
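Review bot: `default_policies` takes `regular_named_rule_id` and `admin_named_rule_id` as two positional parameters of the same type, so a caller that passes the ids derived from `get_default_named_rules` in the wrong order compiles and silently makes every admin-gated specifier (`SystemUpgrade`, `EditPermission`, `AddUser`, …) approvable under the operator rule, and neither public function carries a doc comment tying the ids to the rules. I would add a `///` comment on `default_policies` stating that `regular_named_rule_id` is expected to be the id of the "Operator approval" rule and `admin_named_rule_id` the id of the "Admin approval" rule from `get_default_named_rules`, and that the first governs account, address-book, external-canister and asset specifiers while the second governs system, user, user-group, permission, request-policy and named-rule specifiers; a two-field struct in place of the pair would rule out the mix-up at the type level, but that is an interface change beyond this commit. In the first hunk, if `Allow::authenticated()` is the new side as the print order and the added `OPERATOR_GROUP_ID` import suggest, the surviving `// Admins can read the system info …`, `// Admins can manage the system info …` and `// Admins can upgrade the canister` comments still describe the admin-group restriction they replaced; something like `// Any authenticated user may act here; presumably approval of the resulting request is gated separately by default_policies` would match what the lines now grant. `get_default_named_rules` also applies the same `quorum` to both rules although the operator rule draws from the combined operator and admin groups — worth confirming that a single threshold, rather than a separate operator quorum, is intended.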