feature: drop matched roles action in user transforms

greenpau · Mar 10, 2024 · 0e86490 · 0e86490
1 parent e0f59e7
commit 0e86490
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 8 deletions.
diff --git a/Makefile b/Makefile
@@ -104,7 +104,7 @@ qtest: covdir
 	@#time richgo test -v -coverprofile=.coverage/coverage.out internal/tag/*.go
 	@#time richgo test -v -coverprofile=.coverage/coverage.out internal/testutils/*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/util/data/...
-	@time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/util/...
+	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/util/...
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestNewConfig ./*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestNewServer ./*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/registry/...
@@ -125,6 +125,7 @@ qtest: covdir
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestGetMetadata ./pkg/sso/*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestValidateJwksKey ./pkg/authn/backends/oauth2/jwks*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestTransformData ./pkg/authn/transformer/*.go
+	@time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/authn/transformer/*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/authn/icons/...
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/idp/...
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/idp/saml/*.go

diff --git a/pkg/authn/transformer/transformer.go b/pkg/authn/transformer/transformer.go
@@ -78,7 +78,7 @@ func NewFactory(cfgs []*Config) (*Factory, error) {
 				default:
 					return nil, fmt.Errorf("transformer for %q erred: invalid ui config", encodedArgs)
 				}
-			case "add", "overwrite":
+			case "add", "overwrite", "drop":
 				if len(args) < 3 {
 					return nil, fmt.Errorf("transformer for %q erred: invalid add/overwrite config", encodedArgs)
 				}
@@ -93,7 +93,7 @@ func NewFactory(cfgs []*Config) (*Factory, error) {
 					return nil, fmt.Errorf("transformer for %q erred: action config too short", encodedArgs)
 				}
 				switch args[1] {
-				case "add", "overwrite", "delete":
+				case "add", "overwrite", "delete", "drop":
 				default:
 					return nil, fmt.Errorf("transformer for %q erred: invalid action config", encodedArgs)
 				}
@@ -141,7 +141,7 @@ func (f *Factory) Transform(m map[string]interface{}) error {
 			case "link":
 				frontendLinks = append(frontendLinks, cfgutil.EncodeArgs(args[1:]))
 			default:
-				if err := transformData(args, m); err != nil {
+				if err := transformData(args, m, transform.matcher); err != nil {
 					return fmt.Errorf("transformer for %v erred: %v", args, err)
 				}
 			}
@@ -153,15 +153,16 @@ func (f *Factory) Transform(m map[string]interface{}) error {
 	if len(frontendLinks) > 0 {
 		m["frontend_links"] = frontendLinks
 	}
+
 	return nil
 }
 
-func transformData(args []string, m map[string]interface{}) error {
+func transformData(args []string, m map[string]interface{}, matcher *acl.AccessList) error {
 	if len(args) < 3 {
 		return fmt.Errorf("too short")
 	}
 	switch args[0] {
-	case "add", "delete", "overwrite":
+	case "add", "delete", "overwrite", "drop":
 	default:
 		return fmt.Errorf("unsupported action %v", args[0])
 	}
@@ -262,6 +263,45 @@ func transformData(args []string, m map[string]interface{}) error {
 		default:
 			return fmt.Errorf("unsupported %q field for %q action in %v", k, args[0], args)
 		}
+	case "drop":
+		if len(args) != 3 {
+			return fmt.Errorf("malformed %q action in %v", args[0], args)
+		}
+		if args[1] != "matched" || args[2] != "role" {
+			return fmt.Errorf("malformed %q action in %v", args[0], args)
+		}
+
+		if args[1] == "matched" && args[2] == "role" {
+			if _, exists := m["roles"]; exists {
+				var entries, newEntries []string
+				switch val := m["roles"].(type) {
+				case []string:
+					entries = val
+				case []interface{}:
+					for _, entry := range val {
+						switch e := entry.(type) {
+						case string:
+							entries = append(entries, e)
+						}
+						return fmt.Errorf("failed to %q action in %v due to unsupported data type inside the input data", args[0], args)
+					}
+				default:
+					return fmt.Errorf("failed to %q action in %v due to unsupported data type inside the input data", args[0], args)
+				}
+
+				for _, e := range entries {
+					em := map[string]interface{}{
+						"roles": []string{e},
+					}
+					if matched := matcher.Allow(context.Background(), em); matched {
+						continue
+					}
+					newEntries = append(newEntries, e)
+
+				}
+				m["roles"] = newEntries
+			}
+		}
 	default:
 		return fmt.Errorf("unsupported %q action in %v", args[0], args)
 	}

diff --git a/pkg/authn/transformer/transformer_test.go b/pkg/authn/transformer/transformer_test.go
@@ -18,6 +18,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"github.com/greenpau/go-authcrunch/internal/tests"
+	"github.com/greenpau/go-authcrunch/pkg/acl"
 	"testing"
 )
 
@@ -66,6 +67,32 @@ func TestFactory(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "drop existing authp/viewer role",
+			user: map[string]interface{}{
+				"email": "[email protected]",
+				"roles": []string{"authp/admin", "authp/editor", "authp/viewer"},
+			},
+			keys: []string{
+				"roles",
+			},
+			configs: []*Config{
+				{
+					Matchers: []string{
+						"regex match role viewer",
+					},
+					Actions: []string{
+						"action drop matched role",
+					},
+				},
+			},
+			want: map[string]interface{}{
+				"roles": []string{
+					"authp/admin",
+					"authp/editor",
+				},
+			},
+		},
 	}
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -96,6 +123,7 @@ func TestTransformData(t *testing.T) {
 	var testcases = []struct {
 		name      string
 		args      []string
+		matcher   *acl.AccessList
 		user      map[string]interface{}
 		want      map[string]interface{}
 		shouldErr bool
@@ -233,7 +261,7 @@ func TestTransformData(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			msgs := []string{fmt.Sprintf("test name: %s", tc.name)}
 			got := deepCopy(tc.user)
-			if err := transformData(tc.args, got); err != nil {
+			if err := transformData(tc.args, got, tc.matcher); err != nil {
 				if tests.EvalErrWithLog(t, err, "transformer", tc.shouldErr, tc.err, msgs) {
 					return
 				}

diff --git a/pkg/identity/database.go b/pkg/identity/database.go
@@ -65,7 +65,7 @@ func init() {
 	app.Documentation = "https://github.com/greenpau/go-authcrunch"
 	app.SetVersion(appVersion, "1.0.47")
 	app.SetGitBranch(gitBranch, "main")
-	app.SetGitCommit(gitCommit, "v1.0.47-1-g8bbffec")
+	app.SetGitCommit(gitCommit, "v1.0.47-2-ge0f59e7")
 	app.SetBuildUser(buildUser, "")
 	app.SetBuildDate(buildDate, "")
 }