Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

policy role sync fixed #417

Merged
merged 8 commits into from
Dec 4, 2024
Merged

policy role sync fixed #417

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
5c798f0
policy role sync fixed
deepakdinesh1123 Dec 3, 2024
716dbe7
schema context removed from policy test
deepakdinesh1123 Dec 3, 2024
1182c68
test change revert
deepakdinesh1123 Dec 3, 2024
4199a43
user created for policy test
deepakdinesh1123 Dec 3, 2024
49fddd5
user created for policy test
deepakdinesh1123 Dec 3, 2024
396ee6a
policy sync fix
deepakdinesh1123 Dec 3, 2024
239376f
ip test fix
deepakdinesh1123 Dec 3, 2024
45c7061
removing role from policy.json fixed
deepakdinesh1123 Dec 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion backend/src/zango/api/platform/permissions/v1/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -137,12 +137,20 @@ def get(self, request, *args, **kwargs):

return get_api_response(success, response, status)

def put(self, request, *args, **kwargs):
def put(self, request, app_uuid, *args, **kwargs):
try:
obj = self.get_obj(**kwargs)
serializer = PolicySerializer(instance=obj, data=request.data, partial=True)
if serializer.is_valid():
serializer.save(**{"roles": request.data.getlist("roles", [])})

tenant = TenantModel.objects.get(uuid=app_uuid)
connection.set_tenant(tenant)
with connection.cursor() as c:
ws = Workspace(connection.tenant, request=None, as_systemuser=True)
ws.ready()
ws.sync_role_policies()

success = True
status_code = 200
result = {
Expand Down
8 changes: 6 additions & 2 deletions backend/src/zango/api/platform/tenancy/v1/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -323,7 +323,7 @@ def post(self, request, *args, **kwargs):
connection.set_tenant(tenant)
with connection.cursor() as c:
ws = Workspace(connection.tenant, request=None, as_systemuser=True)
ws.sync_role_with_policies()
ws.sync_role_policies()
else:
success = False
status_code = 400
Expand Down Expand Up @@ -383,7 +383,7 @@ def put(self, request, *args, **kwargs):
connection.set_tenant(tenant)
with connection.cursor() as c:
ws = Workspace(connection.tenant, request=None, as_systemuser=True)
ws.sync_role_with_policies()
ws.sync_role_policies()
else:
success = False
status_code = 400
Expand All @@ -397,6 +397,10 @@ def put(self, request, *args, **kwargs):

result = {"message": error_message}
except Exception as e:
import traceback

traceback.print_exc()

success = False
result = {"message": str(e)}
status_code = 500
Expand Down
73 changes: 30 additions & 43 deletions backend/src/zango/apps/dynamic_models/workspace/base.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,9 @@
import os
import re

from collections import defaultdict

from django.conf import settings
from django.contrib.postgres.aggregates import ArrayAgg
from django.db import connection

from zango.apps.appauth.models import UserRoleModel
Expand Down Expand Up @@ -433,7 +434,7 @@ def sync_policies(self):
existing_policies = list(
PolicyModel.objects.filter(type="user").values_list("id", flat=True)
)
role_with_policies = {}
policy_roles = defaultdict(list)
modules = self.get_all_module_paths()
for module in modules:
policy_file = f"{module}/policies.json"
Expand All @@ -451,10 +452,6 @@ def sync_policies(self):
policy = json.load(f)
except json.decoder.JSONDecodeError as e:
raise Exception(f"Error parsing {policy_file}: {e}")
for policy_dict in policy["policies"]:
roles = policy_dict.get("roles", [])
for role in roles:
role_with_policies[role] = []
for policy_details in policy["policies"]:
if not isinstance(policy_details["statement"], dict):
raise Exception(
Expand All @@ -477,51 +474,41 @@ def sync_policies(self):
raise Exception("Policy name already exists")
existing_policies.remove(policy.id)
roles = policy_details.get("roles", [])
for role in roles:
role_with_policies[role].append(policy.id)
policy_roles[policy.id].extend(roles)
except Exception as e:
raise Exception(
f"Error creating policy {policy_details['name']} in {policy_path}: {e}"
)

for policy_id in existing_policies:
PolicyModel.objects.get(id=policy_id).delete()
self.sync_policies_with_roles(role_with_policies)
self.sync_policies_with_roles(policy_roles)

def sync_policies_with_roles(self, role_with_policies):
def sync_policies_with_roles(self, policy_roles):
"""
mapping roles from policies.json to UserRoleModel
"""
for role, policies in role_with_policies.items():
user_role = UserRoleModel.objects.filter(
name=role,
).first()
if user_role:
user_role.policies.set(policies)

def sync_role_with_policies(self):
"""
mapping roles from UserRoleModel to policies.json
"""
all_policies = {}
policies_without_roles = list(
PolicyModel.objects.filter(type="user", role_policies__isnull=True).values(
"name", "description", "statement"
)
)
policies_with_roles = list(
PolicyModel.objects.filter(type="user", role_policies__isnull=False)
.values("name", "description", "statement")
.annotate(roles=ArrayAgg("role_policies__name", distinct=True))
)
all_policies["policies"] = policies_without_roles + policies_with_roles
modules = self.get_all_module_paths()
for module in modules:
policy_file = f"{module}/policies.json"
if os.path.isfile(policy_file):
model_module = (
module.replace(str(settings.BASE_DIR) + "/", "") + "/policies"
)
model_module = model_module.lstrip("/").replace("/", ".")
with open(policy_file, "w") as f:
f.write(json.dumps(all_policies, indent=4))
for policy_id, roles in policy_roles.items():
try:
policy = PolicyModel.objects.get(id=policy_id)
role_ids = [UserRoleModel.objects.get(name=role).id for role in roles]
policy.role_policies.set(role_ids)
except Exception as e:
raise Exception(f"Error adding roles to policy {policy.name}: {e}")
except UserRoleModel.DoesNotExist:
raise Exception("Role does not exist")

def sync_role_policies(self):
for policy in PolicyModel.objects.all():
if not policy.path:
continue
if policy.path and "packages" in policy.path:
continue
roles = policy.role_policies.all()
with open(f"{self.path}/{policy.path}/policies.json", "r") as f:
policies = json.load(f)
for policy_details in policies["policies"]:
if policy_details["name"] == policy.name:
policy_details["roles"] = [role.name for role in roles]
with open(f"{self.path}/{policy.path}/policies.json", "w") as f:
json.dump(policies, f, indent=4)
58 changes: 28 additions & 30 deletions backend/src/zango/tests/apps/permissions/policy_framework/test_policy_ip_permission/tests.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,61 +25,59 @@ def sync_policies(self):
ws = Workspace(self.tenant, as_systemuser=True)
ws.ready()
ws.sync_policies()

def test_role_ip_permissions(self):

self.sync_policies()
# delete the all ip view policy as we have to check for specific IPs.
PolicyModel.objects.get(name="AllIPGetViewAccess").delete()
PolicyModel.objects.get(name="AllowFromAnywhere").delete()

self.client = ZangoClient(self.tenant)
res = self.client.get("/customers/customer/",**{
'REMOTE_ADDR': '1.2.3.4'
})
self.assertHTMLEqual(res.content.decode(), "<h1>Hey! This is IP testing response</h1>")
res = self.client.get("/customers/customer/", **{"REMOTE_ADDR": "1.2.3.4"})
self.assertHTMLEqual(
res.content.decode(), "<h1>Hey! This is IP testing response</h1>"
)

# Permission denied for IP not listed in policies.json.
res = self.client.get("/customers/customer/",**{
'REMOTE_ADDR': '1.2.3.5'
})
res = self.client.get("/customers/customer/", **{"REMOTE_ADDR": "1.2.3.5"})
self.assertEqual(res.status_code, 403)

def test_cidr_ip_permissions(self):

self.sync_policies()
# delete the all ip view policy as we have to check for specific IPs.
PolicyModel.objects.get(name="AllIPGetViewAccess").delete()
PolicyModel.objects.get(name="AllowFromAnywhere").delete()

self.client = ZangoClient(self.tenant)
res = self.client.get("/customers/cidr/",**{
'REMOTE_ADDR': '10.0.0.2'
})
self.assertHTMLEqual(res.content.decode(), "<h1>Hey! This is CIDR IP testing response</h1>")
res = self.client.get("/customers/cidr/", **{"REMOTE_ADDR": "10.0.0.2"})
self.assertHTMLEqual(
res.content.decode(), "<h1>Hey! This is CIDR IP testing response</h1>"
)

# Permission denied for IP outside the range of "10.0.0.0/24" as listed in policies.json.
res = self.client.get("/customers/cidr/",**{
'REMOTE_ADDR': '10.0.1.252'
})
res = self.client.get("/customers/cidr/", **{"REMOTE_ADDR": "10.0.1.252"})
self.assertEqual(res.status_code, 403)

def test_all_ip_permissions(self):

self.sync_policies()

self.client = ZangoClient(self.tenant)

# returns a response to all IPs.
res = self.client.get("/customers/all-ip/",**{
'REMOTE_ADDR': '1.2.3.9'
})
self.assertHTMLEqual(res.content.decode(), "<h1>Hey! This view can be viewed from all IPs.</h1>")

res = self.client.get("/customers/all-ip/",**{
'REMOTE_ADDR': '10.0.4.2'
})
self.assertHTMLEqual(res.content.decode(), "<h1>Hey! This view can be viewed from all IPs.</h1>")

res = self.client.get("/customers/all-ip/",**{
'REMOTE_ADDR': '10.0.3.1'
})
self.assertHTMLEqual(res.content.decode(), "<h1>Hey! This view can be viewed from all IPs.</h1>")
res = self.client.get("/customers/all-ip/", **{"REMOTE_ADDR": "1.2.3.9"})
self.assertHTMLEqual(
res.content.decode(), "<h1>Hey! This view can be viewed from all IPs.</h1>"
)

res = self.client.get("/customers/all-ip/", **{"REMOTE_ADDR": "10.0.4.2"})
self.assertHTMLEqual(
res.content.decode(), "<h1>Hey! This view can be viewed from all IPs.</h1>"
)

res = self.client.get("/customers/all-ip/", **{"REMOTE_ADDR": "10.0.3.1"})
self.assertHTMLEqual(
res.content.decode(), "<h1>Hey! This view can be viewed from all IPs.</h1>"
)
34 changes: 18 additions & 16 deletions backend/src/zango/tests/apps/permissions/policy_framework/test_role_policy_mapping/tests.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
import os
import os

from django_tenants.utils import schema_context
from zango.test.cases import ZangoAppBaseTestCase
Expand All @@ -18,63 +18,65 @@ def get_test_module_path(self):
return os.path.join(
"apps/permissions/policy_framework/test_role_policy_mapping"
)

@classmethod
def sync_policies(self):
with schema_context(self.tenant.schema_name):
ws = Workspace(self.tenant, as_systemuser=True)
ws.ready()
ws.sync_policies()

def test_multi_role_with_one_policy_mapping(self):
def test_multi_role_with_one_policy_mapping(self):

expected_role_names = ["test_role_1", "test_role_2"]
expected_policy_name = "CustomerGetViewAccess"
UserRoleModel.objects.create(name="test_role_1")
UserRoleModel.objects.create(name="test_role_2")

UserRoleModel.objects.create(name="dummy_role_1")

self.sync_policies()

for role_name in expected_role_names:
role = UserRoleModel.objects.filter(name=role_name).first()
self.assertIsNotNone(role, f"Role '{role_name}' does not exist")

policies = role.policies.all()

self.assertTrue(
policies.filter(name=expected_policy_name).exists(),
f"Role '{role_name}' does not have expected policy '{expected_policy_name}'"
f"Role '{role_name}' does not have expected policy '{expected_policy_name}'",
)

policy = PolicyModel.objects.filter(name=expected_policy_name).first()
self.assertIsNotNone(policy, f"Policy '{expected_policy_name}' does not exist")


roles = policy.role_policies.all()

for role_name in expected_role_names:
self.assertTrue(
roles.filter(name=role_name).exists(),
f"Policy '{expected_policy_name}' is not associated with role '{role_name}'"
f"Policy '{expected_policy_name}' is not associated with role '{role_name}'",
)

def test_one_role_with_multi_policy_mapping(self):
expected_role_name = "dummy_role_1"
expected_policy_names = ["RetailersGetViewAccess", "DummyGetViewAccess"]
with schema_context(self.tenant.schema_name):
UserRoleModel.objects.create(name="test_role_1")
UserRoleModel.objects.create(name="test_role_2")
UserRoleModel.objects.create(name=expected_role_name)

self.sync_policies()

role = UserRoleModel.objects.filter(name=expected_role_name).first()
self.assertIsNotNone(role, f"Role '{expected_role_name}' does not exist")

policies = role.policies.all()

for policy_name in expected_policy_names:
self.assertTrue(
policies.filter(name=policy_name).exists(),
f"Role '{expected_role_name}' does not have expected policy '{policy_name}'"
f"Role '{expected_role_name}' does not have expected policy '{policy_name}'",
)

for policy_name in expected_policy_names:
Expand All @@ -84,5 +86,5 @@ def test_one_role_with_multi_policy_mapping(self):

self.assertTrue(
roles.filter(name=expected_role_name).exists(),
f"Policy '{policy_name}' is not associated with role '{expected_role_name}'"
f"Policy '{policy_name}' is not associated with role '{expected_role_name}'",
)
Loading