chore: remove permission adapter

rbac/custom_functions.go

@@ -9,11 +9,32 @@ import (
 	"github.com/casbin/govaluate"
 	"github.com/flanksource/commons/collections"
 	"github.com/flanksource/duty/models"
-	"github.com/flanksource/duty/rbac/types"
+	"github.com/flanksource/duty/types"
 	"github.com/google/uuid"
 	"github.com/samber/lo"
 )
 
+type Selectors struct {
+	Playbooks  []types.ResourceSelector `json:"playbooks,omitempty"`
+	Configs    []types.ResourceSelector `json:"configs,omitempty"`
+	Components []types.ResourceSelector `json:"components,omitempty"`
+}
+
+func (t Selectors) RequiredMatchCount() int {
+	var count int
+	if len(t.Playbooks) > 0 {
+		count++
+	}
+	if len(t.Configs) > 0 {
+		count++
+	}
+	if len(t.Components) > 0 {
+		count++
+	}
+
+	return count
+}
+
 func matchPerm(attr *models.ABACAttribute, _agents any, tagsEncoded string) (bool, error) {
 	var rAgents []string
 	switch v := _agents.(type) {
@@ -43,7 +64,7 @@ type addableEnforcer interface {
 	AddFunction(name string, function govaluate.ExpressionFunction)
 }
 
-func addCustomFunctions(enforcer addableEnforcer) {
+func AddCustomFunctions(enforcer addableEnforcer) {
 	enforcer.AddFunction("matchPerm", func(args ...any) (any, error) {
 		if len(args) != 3 {
 			return false, fmt.Errorf("matchPerm needs 3 arguments. got %d", len(args))
@@ -98,7 +119,7 @@ func addCustomFunctions(enforcer addableEnforcer) {
 			return false, err
 		}
 
-		var objectSelector types.PermissionObject
+		var objectSelector Selectors
 		if err := json.Unmarshal([]byte(rs), &objectSelector); err != nil {
 			return false, err
 		}

rbac/init.go → rbac/enforcer.go

@@ -8,12 +8,13 @@ import (
 
 	"github.com/casbin/casbin/v2"
 	"github.com/casbin/casbin/v2/model"
+	"github.com/casbin/casbin/v2/persist"
 	gormadapter "github.com/casbin/gorm-adapter/v3"
 	"github.com/flanksource/duty/context"
 	"github.com/flanksource/duty/query"
-	pkgAdapater "github.com/flanksource/duty/rbac/adapter"
 	"github.com/flanksource/duty/rbac/policy"
 	"gopkg.in/yaml.v3"
+	"gorm.io/gorm"
 )
 
 var enforcer *casbin.SyncedCachedEnforcer
@@ -22,10 +23,12 @@ var enforcer *casbin.SyncedCachedEnforcer
 var defaultPolicies string
 
 //go:embed model.ini
-var defaultModel string
+var DefaultModel string
 
-func Init(ctx context.Context, adminUserID string) error {
-	model, err := model.NewModelFromString(defaultModel)
+type Adapter func(db *gorm.DB, main *gormadapter.Adapter) persist.Adapter
+
+func Init(ctx context.Context, adminUserID string, adapters ...Adapter) error {
+	model, err := model.NewModelFromString(DefaultModel)
 	if err != nil {
 		return fmt.Errorf("error creating rbac model: %v", err)
 	}
@@ -54,7 +57,11 @@ func Init(ctx context.Context, adminUserID string) error {
 		return fmt.Errorf("error creating rbac adapter: %v", err)
 	}
 
-	adapter := pkgAdapater.NewPermissionAdapter(db, casbinRuleAdapter)
+	var adapter any = casbinRuleAdapter
+	for _, a := range adapters {
+		adapter = a(db, casbinRuleAdapter)
+	}
+
 	enforcer, err = casbin.NewSyncedCachedEnforcer(model, adapter)
 	if err != nil {
 		return fmt.Errorf("error creating rbac enforcer: %v", err)
@@ -69,7 +76,7 @@ func Init(ctx context.Context, adminUserID string) error {
 		enforcer.EnableLog(true)
 	}
 
-	addCustomFunctions(enforcer)
+	AddCustomFunctions(enforcer)
 
 	if adminUserID != "" {
 		if _, err := enforcer.AddRoleForUser(adminUserID, policy.RoleAdmin); err != nil {

rbac/rbac_test.go → rbac/enforcer_test.go

@@ -7,21 +7,18 @@ import (
 	casbinModel "github.com/casbin/casbin/v2/model"
 	stringadapter "github.com/casbin/casbin/v2/persist/string-adapter"
 	"github.com/flanksource/duty/models"
-	"github.com/flanksource/duty/rbac/adapter"
-	"github.com/flanksource/duty/rbac/policy"
 	"github.com/google/uuid"
-	"github.com/samber/lo"
 )
 
 func NewEnforcer(policy string) (*casbin.Enforcer, error) {
-	model, err := casbinModel.NewModelFromString(defaultModel)
+	model, err := casbinModel.NewModelFromString(DefaultModel)
 	if err != nil {
 		return nil, err
 	}
 
 	sa := stringadapter.NewAdapter(policy)
 	e, err := casbin.NewEnforcer(model, sa)
-	addCustomFunctions(e)
+	AddCustomFunctions(e)
 	return e, err
 }
 
@@ -37,42 +34,11 @@ p, alice, *, playbook:run, deny, r.obj.Playbook.Name == 'restart-deployment' &&
 
 	var userID = uuid.New()
 
-	permissions := []models.Permission{
-		{
-			ID:       uuid.New(),
-			PersonID: lo.ToPtr(userID),
-			Object:   policy.ObjectCatalog,
-			Action:   policy.ActionRead,
-			Tags: map[string]string{
-				"namespace": "default",
-				"cluster":   "aws",
-			},
-			Agents: []string{"123"},
-		},
-		{
-			ID:       uuid.New(),
-			PersonID: lo.ToPtr(userID),
-			Object:   "*",
-			Action:   policy.ActionRead,
-			Tags: map[string]string{
-				"namespace": "default",
-			},
-		},
-	}
-
 	enforcer, err := NewEnforcer(policies)
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	for _, p := range permissions {
-		for _, policy := range adapter.PermissionToCasbinRule(p) {
-			if ok, err := enforcer.AddPolicy(policy[1:]); err != nil || !ok {
-				t.Fatal()
-			}
-		}
-	}
-
 	testData := []struct {
 		description string
 		user        string
@@ -138,13 +104,6 @@ p, alice, *, playbook:run, deny, r.obj.Playbook.Name == 'restart-deployment' &&
 			act:         "read",
 			allowed:     false,
 		},
-		{
-			description: "abac catalog test",
-			user:        userID.String(),
-			obj:         &models.ABACAttribute{Config: models.ConfigItem{ID: uuid.New(), Tags: map[string]string{"namespace": "default"}}},
-			act:         "read",
-			allowed:     true,
-		},
 	}
 
 	for _, td := range testData {