WIP

Change-type: patch
balena-io · Sep 30, 2024 · f6fe793 · f6fe793
1 parent 132d840
commit f6fe793
Show file tree

Hide file tree

Showing 3 changed files with 179 additions and 43 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -49,7 +49,7 @@
     "@balena/env-parsing": "^1.2.0",
     "@balena/es-version": "^1.0.3",
     "@balena/node-metrics-gatherer": "^6.0.3",
-    "@balena/pinejs": "^19.0.2",
+    "@balena/pinejs": "19.1.0-build-compile-auth-f615d178643e42fe5cd03afca19cef8d2867887d-2",
     "@balena/pinejs-webresource-cloudfront": "^0.2.1",
     "@sentry/node": "^8.30.0",
     "@types/basic-auth": "^1.1.8",

diff --git a/src/lib/auth.ts b/src/lib/auth.ts
@@ -2,14 +2,15 @@
 // Declares permissions assigned to default roles and API keys
 //
 
-import type { sbvrUtils } from '@balena/pinejs';
-
+import { permissions, sbvrUtils } from '@balena/pinejs';
+import type Model from '../balena-model.js';
 import {
 	API_VPN_SERVICE_API_KEY,
 	IGNORE_FROZEN_DEVICE_PERMISSIONS,
 	VPN_GUEST_API_KEY,
 	VPN_SERVICE_API_KEY,
 } from './config.js';
+const { api } = sbvrUtils;
 
 const defaultWritePerms = ['create', 'update', 'delete'] as const;
 
@@ -19,8 +20,30 @@ const writePerms = (
 	access: ReadonlyArray<(typeof defaultWritePerms)[number]> = defaultWritePerms,
 ): string[] => access.map((verb) => `${resource}.${verb}?${filter}`);
 
+const { compileAuth: resinAuth } = permissions.getAuthCompiler<Model>({
+	pinejsClient: api.resin,
+	modelName: 'resin',
+});
+
+const matchesActorFilter = {
+	actor: {
+		'@': '__ACTOR_ID',
+	},
+} as const;
+
+const matchesUserFilter = {
+	user: {
+		$any: {
+			$alias: 'u',
+			$expr: {
+				u: matchesActorFilter,
+			},
+		},
+	},
+} as const;
+
 const matchesActor = 'actor eq @__ACTOR_ID';
-const matchesUser = `user/any(u:u/${matchesActor})`;
+// const matchesUser = `user/any(u:u/${matchesActor})`;
 const matchesNonFrozenDeviceActor = (alias = '') => {
 	if (alias) {
 		alias += '/';
@@ -40,39 +63,141 @@ export const ROLES: {
 	],
 	// also default-user (see below)
 	'named-user-api-key': [
-		'resin.actor.delete?id eq @__ACTOR_ID',
-		'resin.api_key.read?is_of__actor eq @__ACTOR_ID',
-		'resin.application.all',
-		'resin.device_type.read',
-		'resin.device_type_alias.read',
-		'resin.cpu_architecture.read',
-		'resin.application_config_variable.all',
-		'resin.application_environment_variable.all',
-		'resin.application_tag.all',
-		'resin.application_type.all',
-		'resin.device.all',
-		'resin.device.tunnel-22222',
-		'resin.device_config_variable.all',
-		'resin.device_environment_variable.all',
-		'resin.device_tag.all',
-		'resin.device_service_environment_variable.all',
-		'resin.image.all',
-		'resin.image__is_part_of__release.all',
-		'resin.image_environment_variable.all',
-		'resin.image_install.all',
-		'resin.image_label.all',
-		'resin.organization.read',
-		'resin.organization_membership.read',
-		'resin.release.all',
-		'resin.release_tag.all',
-		'resin.service.all',
-		'resin.service_environment_variable.all',
-		'resin.service_install.all',
-		"resin.service_instance.read?service_type eq 'vpn'",
-		'resin.service_label.all',
-		'resin.user.read',
-		`resin.user__has__public_key.all?${matchesUser}`,
-		'resin.release_asset.all',
+		// 'resin.actor.delete?id eq @__ACTOR_ID',
+		resinAuth({
+			resource: 'actor',
+			access: 'delete',
+			options: {
+				$filter: {
+					id: {
+						'@': '__ACTOR_ID',
+					},
+				},
+			},
+		}),
+
+		// 'resin.api_key.read?is_of__actor eq @__ACTOR_ID',
+		resinAuth({
+			resource: 'api_key',
+			access: 'read',
+			options: {
+				$filter: {
+					is_of__actor: {
+						'@': '__ACTOR_ID',
+					},
+				},
+			},
+		}),
+
+		// 'resin.application.all',
+		resinAuth({ resource: 'application', access: 'all' }),
+
+		// 'resin.device_type.read',
+		resinAuth({ resource: 'device_type', access: 'read' }),
+
+		// 'resin.device_type_alias.read',
+		resinAuth({ resource: 'device_type_alias', access: 'read' }),
+
+		// 'resin.cpu_architecture.read',
+		resinAuth({ resource: 'cpu_architecture', access: 'read' }),
+
+		// 'resin.application_config_variable.all',
+		resinAuth({ resource: 'application_config_variable', access: 'all' }),
+
+		// 'resin.application_environment_variable.all',
+		resinAuth({ resource: 'application_environment_variable', access: 'all' }),
+
+		// 'resin.application_tag.all',
+		resinAuth({ resource: 'application_tag', access: 'all' }),
+
+		// 'resin.application_type.all',
+		resinAuth({ resource: 'application_type', access: 'all' }),
+
+		// 'resin.device.all',
+		resinAuth({ resource: 'device', access: 'all' }),
+
+		// 'resin.device.tunnel-22222',
+		resinAuth({ resource: 'device', access: 'tunnel-22222' }),
+
+		// 'resin.device_config_variable.all',
+		resinAuth({ resource: 'device_config_variable', access: 'all' }),
+
+		// 'resin.device_environment_variable.all',
+		resinAuth({ resource: 'device_environment_variable', access: 'all' }),
+
+		// 'resin.device_tag.all',
+		resinAuth({ resource: 'device_tag', access: 'all' }),
+
+		// 'resin.device_service_environment_variable.all',
+		resinAuth({
+			resource: 'device_service_environment_variable',
+			access: 'all',
+		}),
+
+		// 'resin.image.all',
+		resinAuth({ resource: 'image', access: 'all' }),
+
+		// 'resin.image__is_part_of__release.all',
+		resinAuth({ resource: 'image__is_part_of__release', access: 'all' }),
+
+		// 'resin.image_environment_variable.all',
+		resinAuth({ resource: 'image_environment_variable', access: 'all' }),
+
+		// 'resin.image_install.all',
+		resinAuth({ resource: 'image_install', access: 'all' }),
+
+		// 'resin.image_label.all',
+		resinAuth({ resource: 'image_label', access: 'all' }),
+
+		// 'resin.organization.read',
+		resinAuth({ resource: 'organization', access: 'read' }),
+
+		// 'resin.organization_membership.read',
+		resinAuth({ resource: 'organization_membership', access: 'read' }),
+
+		// 'resin.release.all',
+		resinAuth({ resource: 'release', access: 'all' }),
+
+		// 'resin.release_tag.all',
+		resinAuth({ resource: 'release_tag', access: 'all' }),
+
+		// 'resin.service.all',
+		resinAuth({ resource: 'service', access: 'all' }),
+
+		// 'resin.service_environment_variable.all',
+		resinAuth({ resource: 'service_environment_variable', access: 'all' }),
+
+		// 'resin.service_install.all',
+		resinAuth({ resource: 'service_install', access: 'all' }),
+
+		// "resin.service_instance.read?service_type eq 'vpn'",
+		resinAuth({
+			resource: 'service_instance',
+			access: 'read',
+			options: {
+				$filter: {
+					service_type: 'vpn',
+				},
+			},
+		}),
+
+		// 'resin.service_label.all',
+		resinAuth({ resource: 'service_label', access: 'all' }),
+
+		// 'resin.user.read',
+		resinAuth({ resource: 'user', access: 'read' }),
+
+		// `resin.user__has__public_key.all?${matchesUser}`,
+		resinAuth({
+			resource: 'user__has__public_key',
+			access: 'all',
+			options: {
+				$filter: matchesUserFilter,
+			},
+		}),
+
+		// 'resin.release_asset.all',
+		resinAuth({ resource: 'release_asset', access: 'all' }),
 	],
 };