added group functionality for global_policies

DavidGitter · DavidGitter · commit 8b4f15973419 · 2025-03-06T21:57:15.000+01:00
diff --git a/rego/nifi_global_logic.rego b/rego/nifi_global_logic.rego
@@ -15,41 +15,90 @@ res_is_global_type := nifi_inp.resource_id in global_policy_types       # return
 
 has_key(obj, key) := true if _ = obj[key] # helper function
 
-# Searches an entry in the nifi_global_policies abstraction layer  
+# Searches user entry in the nifi_global_policies abstraction layer  
 global_policy_user_has_permissions(res_id, user_name, action) := true if {
     has_key(global_policies, res_id)
     has_key(global_policies[res_id]["users"], user_name)
     global_policies[res_id]["users"][user_name] == action
 }
 
+# Searches user-group entry in the nifi_global_policies abstraction layer  
+global_policy_group_has_permissions(res_id, user_groups, action) := true if {
+    has_key(global_policies, res_id)
+    x := { k | k = object.keys(global_policies[nifi_inp.inherit_resource_id]["groups"])[_] }
+    y := { k | k = nifi_inp.user_groups[_] }
+    count(x & y) > 0 # check if there is atleast one intersecting group
+}
+
+### READ
 # true, if user is allowed to read on a given global policy
-global_policy_user_read := true if {
+global_policy_read := true if {
     global_policy_user_has_permissions(
         nifi_inp.inherit_resource_id, 
         nifi_inp.user_name, 
         "READ")
 }
+# true, if user is allowed to read on a given global policy
+global_policy_read := true if {
+    global_policy_group_has_permissions(
+        nifi_inp.inherit_resource_id, 
+        nifi_inp.user_groups, 
+        "READ")
+}
 
+
+### WRITE
 # true, if user is allowed to write on a given global policy
-global_policy_user_write := true if {
+global_policy_write := true if {
     global_policy_user_has_permissions(
         nifi_inp.inherit_resource_id, 
         nifi_inp.user_name, 
         "WRITE")
 }
+# true, if user-group is allowed to write on a given global policy
+global_policy_write := true if {
+    global_policy_group_has_permissions(
+        nifi_inp.inherit_resource_id, 
+        nifi_inp.user_groups, 
+        "WRITE")
+}
+
 
+### FULL
 # true, if user is allowed to read AND write on a given global policy
-global_policy_user_full := true if {
+global_policy_full := true if {
     global_policy_user_has_permissions(
         nifi_inp.inherit_resource_id, 
         nifi_inp.user_name, 
         "FULL")
 }
 
+# true, if a user-group is allowed to read AND write on a given global policy
+global_policy_full := true if {
+    global_policy_group_has_permissions(
+        nifi_inp.inherit_resource_id, 
+        nifi_inp.user_groups, 
+        "FULL")
+}
+
+
+### DENY
 # true, if user is explicitly denied on a given global policy
 global_policy_user_denied := true if {
     global_policy_user_has_permissions(
         nifi_inp.inherit_resource_id, 
         nifi_inp.user_name, 
         "DENY")
-}
+}
+
+# true, if user-group is explicitly denied on a given global policy
+global_policy_user_denied := true if {
+    global_policy_group_has_permissions(
+        nifi_inp.inherit_resource_id, 
+        nifi_inp.user_groups, 
+        "DENY")
+}
+
+
+# e2 = is_array(y)
+# z := intersection(x|y)
diff --git a/rego/nifi_global_policies.rego b/rego/nifi_global_policies.rego
@@ -11,7 +11,10 @@ global_policies := {
             "User1": "FULL",
             "User2": "READ"
         },
-        "groups": {}
+        "groups": {
+            "Group 1": "FULL",
+            "Test123": "READ"
+        }
     },
     "/controller": {
         "users": {
diff --git a/rego/nifi_input.rego b/rego/nifi_input.rego
@@ -10,7 +10,11 @@ resource_safeDescr := input.requestedResource.safeDescription
 resource_context := input.resourceContext
 action := input.action.name
 user_name := input.user.name
-user_groups := split(input.user.name.groups, ",")
+user_groups := split(input.user.groups, ",")
 user_context := input.userContext
 isAccessAttempt := input.properties.isAccessAttempt
-isAnonymous := input.properties.isAnonymous
+isAnonymous := input.properties.isAnonymous
+
+# test := true if {
+#     action == "read"
+# }
diff --git a/rego/nifi_rules.rego b/rego/nifi_rules.rego
@@ -30,7 +30,7 @@ allow := {
 } if {
     nifi_glob.res_is_global_type
     nifi_inp.action == "read"
-    nifi_glob.global_policy_user_read
+    nifi_glob.global_policy_read
 }
 
 # check for writing permission
@@ -40,7 +40,7 @@ allow := {
 } if {
     nifi_glob.res_is_global_type
     nifi_inp.action == "write"
-    nifi_glob.global_policy_user_write
+    nifi_glob.global_policy_write
 }
 
 # check for full permission when action is read
@@ -50,7 +50,7 @@ allow := {
 } if {
     nifi_glob.res_is_global_type
     nifi_inp.action == "read"
-    nifi_glob.global_policy_user_full
+    nifi_glob.global_policy_full
 }
 
 # check for full permission when action is write
@@ -60,7 +60,7 @@ allow := {
 } if {
     nifi_glob.res_is_global_type
     nifi_inp.action == "write"
-    nifi_glob.global_policy_user_full
+    nifi_glob.global_policy_full
 }
 
 # check for denied permission
@@ -70,7 +70,7 @@ allow := {
     "message": sprintf("Action %s on global resource %s denied.", [nifi_inp.action, nifi_inp.resource_name])
 } if {
     nifi_glob.res_is_global_type
-    nifi_glob.global_policy_user_denied
+    nifi_glob.global_policy_denied
 }
 
 
