added group support for both component policies

DavidGitter · DavidGitter · commit 6fdee2062788 · 2025-03-06T23:19:31.000+01:00
diff --git a/rego/nifi_component_logic.rego b/rego/nifi_component_logic.rego
@@ -11,49 +11,59 @@ has_key(obj, key) := true if _ = obj[key]
 
 # Root Component Rules Logic
 root_policy_types := [key | key := object.keys(root_policies)[_]]
-get_root_type := x if {
+get_root_type := rt if {
     comp_type = root_policy_types[_]
     startswith(nifi_inp.inherit_resource_id, comp_type)
-    x = comp_type
+    rt = comp_type
 }
 comp_is_root_type := get_root_type in root_policy_types
 
 component_exists_in_root(comp_type, res_name) := true if {
     has_key(root_policies, comp_type)
     has_key(root_policies[comp_type], res_name)
 }
+
 root_policy_user_has_permissions(comp_type, res_name, user_name, action) := true if {
     component_exists_in_root(comp_type, res_name)
     user_name in root_policies[comp_type][res_name][action]["users"]
+} 
+root_policy_group_has_permissions(comp_type, res_name, user_groups, action) := true if {
+    component_exists_in_root(comp_type, res_name)
+    x := { trim(k, " ") | k = root_policies[comp_type][res_name][action]["groups"][_] }
+    y := { trim(k, " ") | k = user_groups[_] }
+    count(x & y) > 0
 }
 
 
-
 # node Component Rules Logic
 node_policy_types := [key | key := object.keys(node_policies)[_]]
-get_node_type := x if {
+get_node_type := nt if {
     comp_type = node_policy_types[_]
     startswith(nifi_inp.inherit_resource_id, comp_type)
-    x = comp_type
+    nt = comp_type
 }
 comp_is_node_type := get_node_type in node_policy_types
 compID := array.reverse(split(nifi_inp.resource_id, "/"))[0]
 inheritCompID := array.reverse(split(nifi_inp.inherit_resource_id, "/"))[0]
 
-component_exists_in_node(comp_type, comp_ID) := true if {
+component_exists_in_node(comp_type, res_ID) := true if {
     has_key(node_policies, comp_type)
-    has_key(node_policies[comp_type], comp_ID)
+    has_key(node_policies[comp_type], res_ID)
 }
 
-node_policy_user_has_permissions(comp_type, comp_ID, user_name, action) := true if {
-    component_exists_in_node(comp_type, comp_ID)
-    user_name in node_policies[comp_type][comp_ID][action]["users"]
+node_policy_user_has_permissions(comp_type, res_ID, user_name, action) := true if {
+    component_exists_in_node(comp_type, res_ID)
+    user_name in node_policies[comp_type][res_ID][action]["users"]
+}
+node_policy_group_has_permissions(comp_type, res_ID, user_groups, action) := true if {
+    component_exists_in_node(comp_type, res_ID)
+    x := { trim(k, " ") | k = node_policies[comp_type][res_ID][action]["groups"][_] }
+    y := { trim(k, " ") | k = user_groups[_] }
+    count(x & y) > 0
 }
 
 
-
-
-## Flow Access
+### "NiFi Flow" - Access
 flow_allowed:= true if {
     root_policy_user_has_permissions(
         get_root_type, 
@@ -69,36 +79,71 @@ flow_denied:= true if { # macht nur Sinn für Unter-Res zu denyn
         "deny")
 }
 
+### Root component access
+
 root_comp_allowed := true if {
     root_policy_user_has_permissions(
         get_root_type, 
         nifi_inp.resource_name,
         nifi_inp.user_name,
         nifi_inp.action)
 }
+root_comp_allowed := true if {
+    root_policy_group_has_permissions(
+        get_root_type, 
+        nifi_inp.resource_name,
+        nifi_inp.user_groups,
+        nifi_inp.action)
+}
+
 root_comp_denied := true if {
     root_policy_user_has_permissions(
         get_root_type, 
         nifi_inp.resource_name,
         nifi_inp.user_name,
         "deny")
 }
+root_comp_denied := true if {
+    root_policy_group_has_permissions(
+        get_root_type, 
+        nifi_inp.resource_name,
+        nifi_inp.user_groups,
+        "deny")
+}
+
 root_inherit_comp_allowed := true if {
     root_policy_user_has_permissions(
         get_root_type, 
         nifi_inp.inherit_resource_name,
         nifi_inp.user_name,
         nifi_inp.action)
 }
+root_inherit_comp_allowed := true if {
+    root_policy_group_has_permissions(
+        get_root_type, 
+        nifi_inp.inherit_resource_name,
+        nifi_inp.user_groups,
+        nifi_inp.action)
+}
+
 root_inherit_comp_denied := true if {
     root_policy_user_has_permissions(
         get_root_type, 
         nifi_inp.inherit_resource_name,
         nifi_inp.user_name,
         "deny")
 }
+root_inherit_comp_denied := true if {
+    root_policy_group_has_permissions(
+        get_root_type, 
+        nifi_inp.inherit_resource_name,
+        nifi_inp.user_groups,
+        "deny")
+}
+
 
 
+### Node component access
 
 node_comp_allowed := true if {
     node_policy_user_has_permissions(
@@ -107,27 +152,58 @@ node_comp_allowed := true if {
         nifi_inp.user_name,
         nifi_inp.action)
 }
+node_comp_allowed := true if {
+    node_policy_group_has_permissions(
+        get_node_type, 
+        compID,
+        nifi_inp.user_groups,
+        nifi_inp.action)
+}
+
 node_comp_denied := true if {
     node_policy_user_has_permissions(
         get_node_type, 
         compID,
         nifi_inp.user_name,
         "deny")
 }
+node_comp_denied := true if {
+    node_policy_group_has_permissions(
+        get_node_type, 
+        compID,
+        nifi_inp.user_groups,
+        "deny")
+}
+
 node_inherit_comp_allowed := true if {
     node_policy_user_has_permissions(
         get_node_type, 
         inheritCompID,
         nifi_inp.user_name,
         nifi_inp.action)
 }
+node_inherit_comp_allowed := true if {
+    node_policy_group_has_permissions(
+        get_node_type, 
+        inheritCompID,
+        nifi_inp.user_groups,
+        nifi_inp.action)
+}
+
 node_inherit_comp_denied := true if {
     node_policy_user_has_permissions(
         get_node_type, 
         inheritCompID,
         nifi_inp.user_name,
         "deny")
 }
+node_inherit_comp_denied := true if {
+    node_policy_group_has_permissions(
+        get_node_type, 
+        inheritCompID,
+        nifi_inp.user_groups,
+        "deny")
+}
 
 node_comp_has_action := true if {
     component_exists_in_node(get_node_type, inheritCompID)
diff --git a/rego/nifi_global_logic.rego b/rego/nifi_global_logic.rego
@@ -25,11 +25,12 @@ global_policy_user_has_permissions(res_id, user_name, action) := true if {
 # Searches user-group entry in the nifi_global_policies abstraction layer  
 global_policy_group_has_permissions(res_id, user_groups, action) := true if {
     has_key(global_policies, res_id)
-    x := { k | k = object.keys(global_policies[nifi_inp.inherit_resource_id]["groups"])[_] }
-    y := { k | k = nifi_inp.user_groups[_] }
+    x := { trim(k, " ") | k = object.keys(global_policies[res_id]["groups"])[_] }
+    y := { trim(k, " ") | k = user_groups[_] }
     count(x & y) > 0 # check if there is atleast one intersecting group
 }
 
+
 ### READ
 # true, if user is allowed to read on a given global policy
 global_policy_read := true if {
@@ -97,8 +98,4 @@ global_policy_user_denied := true if {
         nifi_inp.inherit_resource_id, 
         nifi_inp.user_groups, 
         "DENY")
-}
-
-
-# e2 = is_array(y)
-# z := intersection(x|y)
+}
diff --git a/rego/nifi_root_policies.rego b/rego/nifi_root_policies.rego
@@ -34,15 +34,15 @@ root_policies := {
         "Peter":{
             "read": {
                 "users": ["User1"],
-                "groups": []
+                "groups": ["Group2","Group234"]
             },
             "write": {
                 "users": ["User1"],
                 "groups": []
             },
             "deny": {
                 "users": [],
-                "groups": []
+                "groups": ["denyGroup"]
             }
         },
 
