MG-53 - Remove precondition check : User exists in Domain only for Su…

…per admin in add policies (#57) * fix: super admin to create entites in domain Signed-off-by: Arvindh <[email protected]> * remove policy agent from not required function Signed-off-by: Arvindh <[email protected]> --------- Signed-off-by: Arvindh <[email protected]>
absmach · Nov 16, 2023 · 1c6beb2 · 1c6beb2
1 parent 2bccf0c
commit 1c6beb2
Showing 1 changed file with 37 additions and 13 deletions.
diff --git a/auth/spicedb/policies.go b/auth/spicedb/policies.go
@@ -64,7 +64,7 @@ func (pa *policyAgent) AddPolicies(ctx context.Context, prs []auth.PolicyReq) er
 	updates := []*v1.RelationshipUpdate{}
 	var preconds []*v1.Precondition
 	for _, pr := range prs {
-		precond, err := pa.policyPreCondition(pr)
+		precond, err := pa.addPolicyPreCondition(ctx, pr)
 		if err != nil {
 			return err
 		}
@@ -89,7 +89,7 @@ func (pa *policyAgent) AddPolicies(ctx context.Context, prs []auth.PolicyReq) er
 }
 
 func (pa *policyAgent) AddPolicy(ctx context.Context, pr auth.PolicyReq) error {
-	precond, err := pa.policyPreCondition(pr)
+	precond, err := pa.addPolicyPreCondition(ctx, pr)
 	if err != nil {
 		return err
 	}
@@ -364,7 +364,7 @@ func (pa *policyAgent) publishToStream(resp *v1.WatchResponse) {
 	}
 }
 
-func (pa *policyAgent) policyPreCondition(pr auth.PolicyReq) ([]*v1.Precondition, error) {
+func (pa *policyAgent) addPolicyPreCondition(ctx context.Context, pr auth.PolicyReq) ([]*v1.Precondition, error) {
 	// Checks are required for following  ( -> means adding)
 	// 1.) user -> group (both user groups and channels)
 	// 2.) user -> thing
@@ -377,14 +377,14 @@ func (pa *policyAgent) policyPreCondition(pr auth.PolicyReq) ([]*v1.Precondition
 	// - USER with ANY RELATION to DOMAIN
 	// - GROUP with DOMAIN RELATION to DOMAIN
 	case pr.SubjectType == auth.UserType && pr.ObjectType == auth.GroupType:
-		return userGroupPreConditions(pr)
+		return pa.userGroupPreConditions(ctx, pr)
 
 	// 2.) user -> thing
 	// Checks :
 	// - USER with ANY RELATION to DOMAIN
 	// - THING with DOMAIN RELATION to DOMAIN
 	case pr.SubjectType == auth.UserType && pr.ObjectType == auth.ThingType:
-		return userThingPreConditions(pr)
+		return pa.userThingPreConditions(ctx, pr)
 
 	// 3.) group -> group (both for adding parent_group and channels)
 	// Checks :
@@ -420,9 +420,21 @@ func (pa *policyAgent) policyPreCondition(pr auth.PolicyReq) ([]*v1.Precondition
 	return nil, nil
 }
 
-func userGroupPreConditions(pr auth.PolicyReq) ([]*v1.Precondition, error) {
-	preconds := []*v1.Precondition{
-		{
+func (pa *policyAgent) userGroupPreConditions(ctx context.Context, pr auth.PolicyReq) ([]*v1.Precondition, error) {
+	var preconds []*v1.Precondition
+	isSuperAdmin := false
+	if err := pa.CheckPolicy(ctx, auth.PolicyReq{
+		Subject:     pr.Subject,
+		SubjectType: pr.SubjectType,
+		Permission:  auth.AdminPermission,
+		Object:      auth.MagistralaObject,
+		ObjectType:  auth.PlatformType,
+	}); err == nil {
+		isSuperAdmin = true
+	}
+
+	if !isSuperAdmin {
+		preconds = append(preconds, &v1.Precondition{
 			Operation: v1.Precondition_OPERATION_MUST_MATCH,
 			Filter: &v1.RelationshipFilter{
 				ResourceType:       auth.DomainType,
@@ -432,7 +444,7 @@ func userGroupPreConditions(pr auth.PolicyReq) ([]*v1.Precondition, error) {
 					OptionalSubjectId: pr.Subject,
 				},
 			},
-		},
+		})
 	}
 	switch {
 	case pr.ObjectKind == auth.NewGroupKind || pr.ObjectKind == auth.NewChannelKind:
@@ -468,9 +480,21 @@ func userGroupPreConditions(pr auth.PolicyReq) ([]*v1.Precondition, error) {
 	return preconds, nil
 }
 
-func userThingPreConditions(pr auth.PolicyReq) ([]*v1.Precondition, error) {
-	preconds := []*v1.Precondition{
-		{
+func (pa *policyAgent) userThingPreConditions(ctx context.Context, pr auth.PolicyReq) ([]*v1.Precondition, error) {
+	var preconds []*v1.Precondition
+	isSuperAdmin := false
+	if err := pa.CheckPolicy(ctx, auth.PolicyReq{
+		Subject:     pr.Subject,
+		SubjectType: pr.SubjectType,
+		Permission:  auth.AdminPermission,
+		Object:      auth.MagistralaObject,
+		ObjectType:  auth.PlatformType,
+	}); err == nil {
+		isSuperAdmin = true
+	}
+
+	if !isSuperAdmin {
+		preconds = append(preconds, &v1.Precondition{
 			Operation: v1.Precondition_OPERATION_MUST_MATCH,
 			Filter: &v1.RelationshipFilter{
 				ResourceType:       auth.DomainType,
@@ -480,7 +504,7 @@ func userThingPreConditions(pr auth.PolicyReq) ([]*v1.Precondition, error) {
 					OptionalSubjectId: pr.Subject,
 				},
 			},
-		},
+		})
 	}
 	switch {
 	// For New thing