feat: Virtru as attribute store #40634
Merged

Commits
All 79 commits, by KevLehman, oldest first:

7fcd2b9 refactor(abac): extract pure virtru identity/FQN helpers
37493be refactor(abac): add shared VirtruClient (transport/auth/reachability)
cfe96d9 refactor(abac): harden VirtruClient getConfig + assert Bearer header …
c14ca48 refactor(abac): VirtruPDP delegates transport/identity to VirtruClient
f2f3d35 refactor(abac): remove dead VirtruPDP.updateConfig + tidy VirtruClien…
c86025f chore(abac): add license dep + attribute-store-external error code
d21700d feat(abac): define IAttributeStore + GetEntitlements types
4137b1a feat(abac): LocalAttributeStore (identity/no-op, zero behavior change)
82e1924 refactor(abac): tidy LocalAttributeStore filter condition + document …
d57679f feat(abac): VirtruAttributeStore list/entitlements/validate (15s enti…
5f168bf fix(abac): evict VirtruAttributeStore entitlements cache on failure +…
9eff6a8 feat(abac): AbacService owns VirtruClient + effectiveStore/attribute-…
8158fd5 chore(abac): self-contained boot-ordering comment + default lastEffec…
e6282fc feat(abac): ABAC_Attribute_Store setting + listeners + license-up reeval
e160284 refactor(abac): tidy attribute-store transition path + harden listene…
a8f8420 feat(abac): VirtruAttributeStore scopeRoomsPage + assertCanModifyRoom…
1a91915 test(abac): split assertCanModifyRoom into per-scenario cases
bfd84b0 feat(abac): redact denied rooms in listAbacRooms via attribute store
6adec48 feat(abac): 4-site assertCanModifyRoom + validateAssignable store swap
4a7b5a9 test(abac): match mocked validateAssignable arity to interface
ee83a5c feat(abac): block catalog CRUD in virtru attribute-store mode
67a55be fix(abac): make isExternalAttributeStore async to match IAbacService
ce2fa70 feat(abac): serve attribute picker from store in virtru mode
ba97b81 feat(abac): redact abacAttributes on rooms.adminRooms.getRoom via CE …
51054f6 fix(abac): use settings-gated isABACManagedRoom in admin-room redacti…
cb528d4 feat(abac): add abac.attribute_store.switched audit event type + helper
cc7aacc feat(abac): transition-only destructive attribute wipe (license-gated…
5eee81e feat(abac): surface attribute_store.switched in /v1/abac/audit + Logs…
fa4290e feat(abac): hide Room Attributes tab in virtru attribute-store mode
ae68b68 feat(abac): redacted-room Callout + read-only attribute section + pic…
bf3cbd9 test(abac): assert real DOM disability in RoomFormAttributeFields dis…
ca6954c test(abac): mock GetEntitlements for virtru attribute store e2e
0dc2008 test(abac): e2e coverage for virtru attribute store
b01990a feat(abac): show ABAC_Attribute_Store on the ABAC admin settings page
3330995 feat(abac): symmetric attribute-store wipe with asymmetric trigger (r…
4eb380f refactor(abac): scope attribute-store wipe to explicit Store-setting …
d84182e feat(abac): cascade ABAC_Attribute_Store=local when ABAC_PDP_Type set…
d59e19c refactor(abac): rename audit event key to dot-separated abac.attribut…
4b8f076 move client to folder
074dc1a types
a5bf181 minor improvements
cfb6b66 better error
ab23858 one audit less
435d026 better caching
ccc6d1c log
966e50c log malformed
349dc2f nits
dbdd618 license
b8d0fe6 fix(abac): seed hasAbacLicense from License service on start
e4654f0 fix(abac): refresh license state on reevaluateAttributeStore
05b491f fix(abac): resolve attribute store from a live license check
be0c45d chore(ci): propagate LOG_LEVEL to microservices
3e70d6e fix(abac): treat failed decision calls as PDP-unavailable; fix e2e setup
660e177 add validation to remove action
e7096fd simplify
f13a483 remove old license tests
407b443 imp
2e7ae27 store selection
d3e0fdd tests
0a83970 wrong test
2fae64e log
923468c sec
86ca41a store transition
4d7a5d9 Update index.ts
ce6431b fixes:
7bd254e fix tests
7807d5e staleTime 0 when using an external store
7bb6e5a tests
28e6420 lint
1b1f544 scope room list
40c353a remove superfluous tests
419f6b5 unify
a6bc7c2 merge hook
82c14a4 simplify a lil bit
0f9582d turbo
4ab2119 feat(abac): bypass-abac-store-validation permission (#40738)
12a5736 use hook
b370b89 Create khaki-gifts-follow.md
7e3fa4d use hook
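The commit messages above outline the design this PR lands: an IAttributeStore with a local pass-through implementation and a Virtru-backed one, an entitlements cache with a 15 s lifetime that is evicted when the provider call fails, failed decisions treated as "unavailable", denied rooms redacted rather than silently dropped, and a `bypass-abac-store-validation` permission that skips the provider check when assigning attributes. The block below is an added illustration of how those pieces fit together, written for this page; it is not code from the PR, from Rocket.Chat or from Virtru. The type names, the attribute-value FQN format, the synchronous fetcher, the injectable clock and the sample rooms are all assumptions made for the example.

```typescript
// Added illustration, not Rocket.Chat or Virtru code. Every name, the FQN
// format and the sample data here are assumptions made for this example.

type Room = { _id: string; name: string; abacAttributes: string[] }; // attribute value FQNs
type RedactedRoom = Room & { abacRedacted?: true };

interface IAttributeStore {
  scopeRooms(uid: string, rooms: Room[]): RedactedRoom[];
  validateAssignable(uid: string, fqns: string[], permissions: Set<string>): void;
}

class AttributeStoreUnavailableError extends Error {}
class AttributeNotAssignableError extends Error {}

const BYPASS_PERMISSION = 'bypass-abac-store-validation';

/** Local mode: the internal catalog is authoritative, so both operations pass through. */
class LocalAttributeStore implements IAttributeStore {
  scopeRooms(_uid: string, rooms: Room[]): RedactedRoom[] {
    return rooms;
  }
  validateAssignable(_uid: string, _fqns: string[], _permissions: Set<string>): void {
    // nothing to check against an external provider
  }
}

/** Provider lookup: returns the attribute value FQNs a user holds, or throws on transport failure. */
type EntitlementsFetcher = (uid: string) => string[];

class ExternalAttributeStore implements IAttributeStore {
  private readonly cache = new Map<string, { fqns: Set<string>; expiresAt: number }>();
  private readonly fetchEntitlements: EntitlementsFetcher;
  private readonly now: () => number;
  private readonly ttlMs: number;

  constructor(fetchEntitlements: EntitlementsFetcher, now: () => number = Date.now, ttlMs = 15_000) {
    this.fetchEntitlements = fetchEntitlements;
    this.now = now;
    this.ttlMs = ttlMs;
  }

  getEntitlements(uid: string): Set<string> {
    const hit = this.cache.get(uid);
    if (hit && hit.expiresAt > this.now()) return hit.fqns;
    try {
      const fqns = new Set(this.fetchEntitlements(uid));
      this.cache.set(uid, { fqns, expiresAt: this.now() + this.ttlMs });
      return fqns;
    } catch {
      // Evict instead of serving the last answer: a failed lookup must not
      // extend an entitlement past the provider's most recent decision.
      this.cache.delete(uid);
      throw new AttributeStoreUnavailableError(`entitlements lookup failed for ${uid}`);
    }
  }

  /** A room is visible only if the user holds every attribute value on it. Denied
   *  rooms are redacted (attributes stripped, flag set) rather than dropped, and a
   *  provider outage redacts everything: unavailable means deny, never allow. */
  scopeRooms(uid: string, rooms: Room[]): RedactedRoom[] {
    let entitlements: Set<string>;
    try {
      entitlements = this.getEntitlements(uid);
    } catch {
      return rooms.map(redact);
    }
    return rooms.map((room) =>
      room.abacAttributes.every((fqn) => entitlements.has(fqn)) ? room : redact(room),
    );
  }

  /** Assigning an attribute requires holding it, unless the caller has the bypass
   *  permission. The bypass is checked first, so it also works during an outage;
   *  that is exactly why it must be granted to very few roles. */
  validateAssignable(uid: string, fqns: string[], permissions: Set<string>): void {
    if (permissions.has(BYPASS_PERMISSION)) return;
    const entitlements = this.getEntitlements(uid); // throws while the provider is down
    const missing = fqns.filter((fqn) => !entitlements.has(fqn));
    if (missing.length > 0) {
      throw new AttributeNotAssignableError(`not entitled to: ${missing.join(', ')}`);
    }
  }
}

function redact(room: Room): RedactedRoom {
  return { ...room, abacAttributes: [], abacRedacted: true };
}
```

Two choices carry the security weight. The cache entry is deleted, not retained, when the provider call fails, so an errored lookup never stretches a grant beyond the last decision the provider actually made. And the bypass permission is consulted before the provider is, which is what makes it usable as a break-glass path during an outage, but also means a holder sidesteps the external decision entirely; it should sit on as few roles as possible and every use of it should be audited.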
| @@ -0,0 +1,13 @@ | ||
| --- | ||
| "@rocket.chat/meteor": minor | ||
| "@rocket.chat/abac": minor | ||
| --- | ||
|
|
||
| Allows using Virtru as the attribute store for ABAC decisions. | ||
|
|
||
| ### Important | ||
|
|
||
| - When using virtru as the store, the internal attribute store is disabled. | ||
| - On switch, existing ABAC attributes from rooms will be removed. Rooms will continue to be private & no users will be removed until you add attributes again. | ||
| - Users are only allowed to see & edit rooms they have access to. Access decision is evaluated on Virtru | ||
| - A user/app with the `bypass-abac-store-validation` permission can assign any attributes to rooms, even if the user doesn't have them assigned on Virtru. |
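Review bot: the "Important" section understates the destructive step and leaves the bypass permission's scope undefined. The bullet "On switch, existing ABAC attributes from rooms will be removed" should say that the wipe is license-gated and fires only on an explicit change of the ABAC_Attribute_Store setting (the commits call it "transition-only" and "scoped to explicit Store-setting"), should say whether it also runs when switching back to local (the "symmetric attribute-store wipe with asymmetric trigger" commit suggests it does), and should name the `abac.attribute_store.switched` audit event so an admin reading the changelog knows where the record of the wipe lives. The last bullet should also state which roles hold `bypass-abac-store-validation` by default: it is the one path that skips the provider's decision, so a holder can attach attributes they are not entitled to on Virtru. Minor: "virtru" in the first bullet should be "Virtru", and the third bullet lacks a terminal period.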
| @@ -0,0 +1,7 @@ | ||
| import type { IRoom, IRoomAbacRedaction, RoomAdminFieldsType } from '@rocket.chat/core-typings'; | ||
| import { makeFunction } from '@rocket.chat/patch-injection'; | ||
|
|
||
| export const scopeAdminRoomsForAbac = makeFunction( | ||
| async (rooms: Pick<IRoom, RoomAdminFieldsType>[], _uid: string): Promise<Array<Pick<IRoom, RoomAdminFieldsType> & IRoomAbacRedaction>> => | ||
| rooms, | ||
| ); |
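Review bot: `scopeAdminRoomsForAbac` is a fail-open default. The CE body returns `rooms` untouched and ignores `_uid`, so if the EE override is never registered (no license, or the patch-injection not applied) the admin room list is served unredacted. Add a doc comment stating that this is the CE identity implementation that EE replaces through `makeFunction`, and make sure the caller that serves `rooms.adminRooms` applies the settings-gated check so an unredacted result is only reachable when the external store is not enabled. The return type also promises `& IRoomAbacRedaction` on every element while the body returns plain rooms; that only type-checks while every field of `IRoomAbacRedaction` is optional, which deserves a comment so a later required field does not silently break this no-op.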
apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeFields.tsx (49 changes: 31 additions & 18 deletions)
| @@ -1,39 +1,52 @@ | ||
| import { Field, FieldLabel, InputBoxSkeleton } from '@rocket.chat/fuselage'; | ||
| import { Box, Field, FieldLabel, InputBoxSkeleton } from '@rocket.chat/fuselage'; | ||
| import { useTranslation } from 'react-i18next'; | ||
|
|
||
| import RoomFormAttributeField from './RoomFormAttributeField'; | ||
| import { useAttributeList } from '../hooks/useAttributeList'; | ||
| import { useIsExternalAttributeStore } from '../hooks/useIsExternalAttributeStore'; | ||
|
|
||
| type RoomFormAttributeFieldsProps = { | ||
| fields: { id: string }[]; | ||
| remove: (index: number) => void; | ||
| disabled?: boolean; | ||
| }; | ||
|
|
||
| const RoomFormAttributeFields = ({ fields, remove }: RoomFormAttributeFieldsProps) => { | ||
| const RoomFormAttributeFields = ({ fields, remove, disabled = false }: RoomFormAttributeFieldsProps) => { | ||
| const { t } = useTranslation(); | ||
| const isExternalAttributeStore = useIsExternalAttributeStore(); | ||
|
|
||
| const { data: attributeList, isLoading } = useAttributeList(); | ||
|
|
||
| if (isLoading || !attributeList) { | ||
| return <InputBoxSkeleton />; | ||
| } | ||
|
|
||
| return fields.map((field, index) => ( | ||
| <Field key={field.id}> | ||
| <FieldLabel id={field.id} required={index === 0}> | ||
| {t('Attribute')} | ||
| </FieldLabel> | ||
| <RoomFormAttributeField | ||
| labelId={field.id} | ||
| attributeList={attributeList.attributes} | ||
| required={index === 0} | ||
| onRemove={() => { | ||
| remove(index); | ||
| }} | ||
| index={index} | ||
| /> | ||
| </Field> | ||
| )); | ||
| return ( | ||
| <> | ||
| {isExternalAttributeStore && ( | ||
| <Box mbe={8} color='annotation' fontSize='p2'> | ||
| {t('ABAC_Picker_External_Store_Helper')} | ||
| </Box> | ||
|
|
||
| )} | ||
| {fields.map((field, index) => ( | ||
| <Field key={field.id}> | ||
| <FieldLabel id={field.id} required={index === 0}> | ||
| {t('Attribute')} | ||
| </FieldLabel> | ||
| <RoomFormAttributeField | ||
| labelId={field.id} | ||
| attributeList={attributeList.attributes} | ||
| required={index === 0} | ||
| onRemove={() => { | ||
| remove(index); | ||
| }} | ||
| index={index} | ||
| disabled={disabled} | ||
| /> | ||
| </Field> | ||
| ))} | ||
| </> | ||
| ); | ||
| }; | ||
|
|
||
| export default RoomFormAttributeFields; | ||
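Review bot: `disabled` and `isExternalAttributeStore` are independent inputs in this component, so the helper text can be shown while the fields stay editable, or the reverse, depending on what the parent passes. Either derive `disabled` from `useIsExternalAttributeStore()` here when no explicit prop is given, or document that the parent is responsible for keeping the two consistent. The handler at `onRemove={() => { remove(index); }}` is still wired when `disabled` is true, so the protection rests on `RoomFormAttributeField` actually disabling its remove control; the "assert real DOM disability" test commit suggests it does. Either way this is UI gating only, and the server-side `assertCanModifyRoom` / `validateAssignable` checks referenced in the commit list must remain the enforcement point.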