diff --git a/data/host-service-account.json b/data/host-service-account.json
index 11972bee..e827fbdf 100644
--- a/data/host-service-account.json
+++ b/data/host-service-account.json
@@ -1,7 +1,7 @@
 {
   "rhelHost": {
     "metadata": {
-      "workspace": ""
+      "workspace": "workspace1"
     },
     "reporter_data": {
       "reporter_type": "OCM",
diff --git a/data/host.json b/data/host.json
index 2f508045..2250e679 100644
--- a/data/host.json
+++ b/data/host.json
@@ -2,7 +2,7 @@
   "rhelHost": {
     "metadata": {
       "resource_type": "rhel-host",
-      "workspace": ""
+      "workspace": "workspace1"
     },
     "reporter_data": {
       "reporter_type": "OCM",
diff --git a/deploy/schema.yaml b/deploy/schema.yaml
index 098d91f2..721b1467 100644
--- a/deploy/schema.yaml
+++ b/deploy/schema.yaml
@@ -85,3 +85,7 @@ schema: |-
     permission disable = workspace->notifications_integration_disable
     permission enable = workspace->notifications_integration_enable
   }
+
+  definition hbi/rhel_host {
+    relation workspace: rbac/workspace
+  }
diff --git a/internal/authz/allow/allow.go b/internal/authz/allow/allow.go
index d844e082..fc74901c 100644
--- a/internal/authz/allow/allow.go
+++ b/internal/authz/allow/allow.go
@@ -31,3 +31,7 @@ func (a *AllowAllAuthz) CreateTuples(ctx context.Context, r *kessel.CreateTuples
 func (a *AllowAllAuthz) DeleteTuples(ctx context.Context, r *kessel.DeleteTuplesRequest) (*kessel.DeleteTuplesResponse, error) {
 	return &kessel.DeleteTuplesResponse{}, nil
 }
+
+func (a *AllowAllAuthz) SetWorkspace(ctx context.Context, local_resource_id, workspace, name, namespace string) (*kessel.CreateTuplesResponse, error) {
+	return &kessel.CreateTuplesResponse{}, nil
+}
diff --git a/internal/authz/api/authz-service.go b/internal/authz/api/authz-service.go
index ffe191f8..3d3157f2 100644
--- a/internal/authz/api/authz-service.go
+++ b/internal/authz/api/authz-service.go
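Review bot: `definition hbi/rhel_host` declares the `workspace` relation but no permission, so nothing can be checked against a rhel_host until one is added, and the relation itself places no bound on how many workspaces a host may relate to — the single-workspace invariant is enforced only by the API's `SetWorkspace`, which in this change does not remove the previous tuple. A short comment in the schema would make that contract explicit, e.g. `# one workspace per host; enforced by inventory-api SetWorkspace, not by the schema`. The Go code in this change also writes `workspace` tuples for `acm/k8scluster`, `acm/k8spolicy` and `notifications/integration`, none of which appear in this hunk; confirm those definitions already carry `relation workspace: rbac/workspace`.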
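Review bot: The parameter names on the new `SetWorkspace` stub are in the order `name, namespace`, while the Kessel implementation and every caller in this change use `namespace, name` (`"hbi", "rhel_host"`); because the interface declares four bare `string`s this compiles either way, so the stub's names are the only documentation of the order, and they are wrong. Change the signature to `func (a *AllowAllAuthz) SetWorkspace(ctx context.Context, localResourceID, workspace, namespace, name string) (*kessel.CreateTuplesResponse, error) {`. A one-line comment should also note that, unlike the Kessel implementation, this stub accepts an empty workspace, so tests run under allow-all will not catch a missing workspace.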
@@ -10,4 +10,5 @@ type Authorizer interface {
 	Check(context.Context, *kessel.CheckRequest) (*kessel.CheckResponse, error)
 	CreateTuples(context.Context, *kessel.CreateTuplesRequest) (*kessel.CreateTuplesResponse, error)
 	DeleteTuples(context.Context, *kessel.DeleteTuplesRequest) (*kessel.DeleteTuplesResponse, error)
+	SetWorkspace(context.Context, string, string, string, string) (*kessel.CreateTuplesResponse, error)
 }
diff --git a/internal/authz/kessel/kessel.go b/internal/authz/kessel/kessel.go
index c0f87645..f04de57f 100644
--- a/internal/authz/kessel/kessel.go
+++ b/internal/authz/kessel/kessel.go
@@ -2,6 +2,8 @@ package kessel
 
 import (
 	"context"
+	"fmt"
+
 	"github.com/go-kratos/kratos/v2/log"
 	authzapi "github.com/project-kessel/inventory-api/internal/authz/api"
 	kessel "github.com/project-kessel/relations-api/api/kessel/relations/v1beta1"
@@ -69,3 +71,41 @@ func (a *KesselAuthz) DeleteTuples(ctx context.Context, r *kessel.DeleteTuplesRe
 	}
 	return a.TupleService.DeleteTuples(ctx, r, opts...)
 }
+
+func (a *KesselAuthz) SetWorkspace(ctx context.Context, local_resource_id, workspace, namespace, name string) (*kessel.CreateTuplesResponse, error) {
+	if workspace == "" {
+		return nil, fmt.Errorf("workspace is required")
+	}
+
+	// TODO: remove previous tuple for workspace
+
+	rels := []*kessel.Relationship{{
+		Resource: &kessel.ObjectReference{
+			Type: &kessel.ObjectType{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Id: local_resource_id,
+		},
+		Relation: "workspace",
+		Subject: &kessel.SubjectReference{
+			Subject: &kessel.ObjectReference{
+				Type: &kessel.ObjectType{
+					Name:      "workspace",
+					Namespace: "rbac",
+				},
+				Id: workspace,
+			},
+		},
+	}}
+
+	response, err := a.CreateTuples(ctx, &kessel.CreateTuplesRequest{
+		Tuples: rels,
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return response, nil
+}
diff --git a/internal/data/hosts/hosts.go b/internal/data/hosts/hosts.go
index 828153ac..2d0f98c5 100644
--- a/internal/data/hosts/hosts.go
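Review bot: `SetWorkspace(context.Context, string, string, string, string)` gives implementers and callers no name for any of the four strings, which is how the allow and kessel implementations in this same change ended up disagreeing on the position of namespace and name. Name them in the interface and document the contract above the method: `// SetWorkspace records the resource's workspace relation, replacing any previous one.` followed by `SetWorkspace(ctx context.Context, localResourceID, workspace, namespace, name string) (*kessel.CreateTuplesResponse, error)`. Spelling out "replacing" matters because the kessel implementation in this change only adds a tuple, so the doc comment would also pin down what it still has to do.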
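Review bot: The `// TODO: remove previous tuple for workspace` in `SetWorkspace` is an authorization gap rather than a cleanup item: a resource moved to a new workspace keeps its old `workspace` tuple, so anyone holding access through the old workspace keeps it after the move. Before the `CreateTuples` call, delete the resource's existing `workspace` relation (a `DeleteTuples` request filtered on the resource namespace, name and id and the relation `workspace`; check the relations-api filter type for the exact field names), or have the repositories refuse a workspace change until that exists. Smaller points: the error from `CreateTuples` is returned without context — `return nil, fmt.Errorf("writing workspace tuple for %s/%s %s: %w", namespace, name, local_resource_id, err)` — and `local_resource_id` should be `localResourceID` per Go naming.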
+++ b/internal/data/hosts/hosts.go
@@ -49,6 +49,14 @@ func (r *hostsRepo) Save(ctx context.Context, model *biz.Host) (*biz.Host, error
 			return nil, err
 		}
 	}
+
+	if r.Authz != nil {
+		_, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "hbi", "rhel_host")
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return model, nil
 }
 
@@ -73,6 +81,14 @@ func (r *hostsRepo) Update(ctx context.Context, model *biz.Host, id string) (*bi
 			return nil, err
 		}
 	}
+
+	if r.Authz != nil {
+		_, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "hbi", "rhel_host")
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return model, nil
 }
 
@@ -96,6 +112,9 @@ func (r *hostsRepo) Delete(ctx context.Context, id string) error {
 			return err
 		}
 	}
+
+	// TODO: delete the workspace tuple
+
 	return nil
 }
 
diff --git a/internal/data/k8sclusters/k8sclusters.go b/internal/data/k8sclusters/k8sclusters.go
index b3c737b6..c6bd88bf 100644
--- a/internal/data/k8sclusters/k8sclusters.go
+++ b/internal/data/k8sclusters/k8sclusters.go
@@ -46,6 +46,14 @@ func (r *k8sclustersRepo) Save(ctx context.Context, model *biz.K8SCluster) (*biz
 			return nil, err
 		}
 	}
+
+	if r.Authz != nil {
+		_, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "acm", "k8scluster")
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return model, nil
 }
 
@@ -71,6 +79,14 @@ func (r *k8sclustersRepo) Update(ctx context.Context, model *biz.K8SCluster, id
 			return nil, err
 		}
 	}
+
+	if r.Authz != nil {
+		_, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "acm", "k8scluster")
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return model, nil
 }
 
@@ -94,6 +110,9 @@ func (r *k8sclustersRepo) Delete(ctx context.Context, id string) error {
 			return err
 		}
 	}
+
+	// TODO: delete the workspace tuple
+
 	return nil
 }
 
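Review bot: `model.Metadata.Reporters[0].LocalResourceId` in `Save` indexes without a length check, so a host saved with no reporters panics inside the repository after the row has already been written; guard it with `if r.Authz != nil && len(model.Metadata.Reporters) > 0 {`, or return an explicit error when `Reporters` is empty if a host without a reporter is invalid. The tuple is also keyed on the first reporter's local id only — if a host can carry several reporters, a comment should say which one identifies it in the relations store, since two hosts whose first reporters use the same local id would share one authorization object. The start of `Save`, including the DB write, is outside the hunk.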
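Review bot: `// TODO: delete the workspace tuple` in `Delete` means a removed host leaves its `workspace` relation behind; if a host is later reported with the same local resource id it carries the old workspace's grants until its own `Save` runs, and the relations store accumulates orphans. Delete the tuple here through the Authorizer — `Delete` only receives `id`, so the reporter local id has to be read from the row before it is removed — or, at minimum, track the TODO as an issue and log the orphaned resource id so it can be reconciled. The body of `Delete` before the shown lines is outside the hunk.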
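Review bot: In the k8sclusters `Save` hunk the tuple write runs after the cluster row has been persisted (the `return nil, err` above it is the DB path) with no rollback, so when `SetWorkspace` fails the caller gets an error but the cluster exists with no workspace relation; whether a retried `Save` re-runs this branch depends on how the DB path above handles an existing row, which is outside the hunk — confirm it. Either write the tuple before the row is committed, or remove the row when the tuple write fails, and record the chosen ordering in a comment such as `// authz tuple is written after the DB row; a failed write leaves the row without a workspace relation`.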
diff --git a/internal/data/k8spolicies/k8spolicies.go b/internal/data/k8spolicies/k8spolicies.go
index fac210a5..1d720e5d 100644
--- a/internal/data/k8spolicies/k8spolicies.go
+++ b/internal/data/k8spolicies/k8spolicies.go
@@ -49,6 +49,14 @@ func (r *k8spoliciesRepo) Save(ctx context.Context, model *biz.K8sPolicy) (*biz.
 			return nil, err
 		}
 	}
+
+	if r.Authz != nil {
+		_, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "acm", "k8spolicy")
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return model, nil
 }
 
@@ -74,6 +82,14 @@ func (r *k8spoliciesRepo) Update(ctx context.Context, model *biz.K8sPolicy, id s
 			return nil, err
 		}
 	}
+
+	if r.Authz != nil {
+		_, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "acm", "k8spolicy")
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return model, nil
 }
 
@@ -97,6 +113,9 @@ func (r *k8spoliciesRepo) Delete(ctx context.Context, id string) error {
 			return err
 		}
 	}
+
+	// TODO: delete the workspace tuple
+
 	return nil
 }
 
diff --git a/internal/data/notificationsintegrations/notificationsintegrations.go b/internal/data/notificationsintegrations/notificationsintegrations.go
index 72b50a7b..fc105df6 100644
--- a/internal/data/notificationsintegrations/notificationsintegrations.go
+++ b/internal/data/notificationsintegrations/notificationsintegrations.go
@@ -49,6 +49,14 @@ func (r *notificationsintegrationsRepo) Save(ctx context.Context, model *biz.Not
 			return nil, err
 		}
 	}
+
+	if r.Authz != nil {
+		_, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "notifications", "integration")
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return model, nil
 }
 
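Review bot: The k8spolicies `Save` hunk is the fourth copy of the same seven-line block (hosts, k8sclusters, k8spolicies, notificationsintegrations), differing only in the hard-coded namespace/name pair, so a fix to the unchecked `Reporters[0]` index or to the tuple-after-row ordering has to be made four times. Factor it into one helper typed against the Authorizer interface (the alias this package imports it under is outside the hunk) and call it from each Save and Update, e.g. `if err := setWorkspace(ctx, r.Authz, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "acm", "k8spolicy"); err != nil { return nil, err }`. The `"acm", "k8spolicy"` pair has no `definition acm/k8spolicy` in this change's schema hunk; confirm it already exists.
```go
// setWorkspace writes the resource's workspace tuple when an authorizer is configured;
// with no authorizer the resource is stored without any workspace relation.
func setWorkspace(ctx context.Context, authz authzapi.Authorizer, localResourceID, workspace, namespace, name string) error {
	if authz == nil {
		return nil
	}
	_, err := authz.SetWorkspace(ctx, localResourceID, workspace, namespace, name)
	return err
}
```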
@@ -73,6 +81,14 @@ func (r *notificationsintegrationsRepo) Update(ctx context.Context, model *biz.N
 			return nil, err
 		}
 	}
+
+	if r.Authz != nil {
+		_, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "notifications", "integration")
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return model, nil
 }
 
@@ -96,6 +112,9 @@ func (r *notificationsintegrationsRepo) Delete(ctx context.Context, id string) e
 			return err
 		}
 	}
+
+	// TODO: delete the workspace tuple
+
 	return nil
 }
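Review bot: `Update` re-sends the `workspace` tuple on every call, even when the workspace is unchanged; if the relations service's `CreateTuples` has create rather than touch/upsert semantics, the second update of an unchanged integration fails with an already-exists error, and if it has touch semantics a changed workspace silently leaves the old tuple next to the new one because the kessel `SetWorkspace` does not remove it. Compare the incoming workspace with the stored record's and call `SetWorkspace` only when it differs, and confirm which semantics `CreateTuples` actually has before relying on either. The start of `Update`, including the DB write, is outside the hunk.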