feat(rbac): put back condition matcher for workspace permission check and added migration function

2026-01-10 16:08:20 -05:00 · 2023-09-07 22:28:08 +05:30
parent c91a93ef2a
commit 38c044f9a7
4 changed files with 38 additions and 29 deletions
--- a/backend/src/utils/setup/backfillData.ts
+++ b/backend/src/utils/setup/backfillData.ts
@@ -3,13 +3,7 @@ import crypto from "crypto";
 import { Types } from "mongoose";
 import { encryptSymmetric128BitHexKeyUTF8 } from "../crypto";
 import { EESecretService } from "../../ee/services";
-import {
-  IPType,
-  ISecretVersion,
-  SecretSnapshot,
-  SecretVersion,
-  TrustedIP
-} from "../../ee/models";
+import { IPType, ISecretVersion, SecretSnapshot, SecretVersion, TrustedIP } from "../../ee/models";
 import {
  AuthMethod,
  BackupPrivateKey,
@@ -18,6 +12,7 @@ import {
  ISecret,
  Integration,
  IntegrationAuth,
+  Membership,
  Organization,
  Secret,
  SecretBlindIndexData,
@@ -30,7 +25,9 @@ import { client, getEncryptionKey, getRootEncryptionKey } from "../../config";
 import {
  ALGORITHM_AES_256_GCM,
  ENCODING_SCHEME_BASE64,
-  ENCODING_SCHEME_UTF8
+  ENCODING_SCHEME_UTF8,
+  MEMBER,
+  VIEWER
 } from "../../variables";
 import { InternalServerError } from "../errors";

@@ -582,7 +579,7 @@ export const backfillTrustedIps = async () => {
        filter: {
          workspace: Types.ObjectId;
          ipAddress: string;
-        },
+        };
        update: {
          workspace: Types.ObjectId;
          ipAddress: string;
@@ -590,9 +587,9 @@ export const backfillTrustedIps = async () => {
          prefix: number;
          isActive: boolean;
          comment: string;
-        },
+        };
        upsert: boolean;
-      }
+      };
    }[] = [];

    workspaceIdsToAddTrustedIp.forEach((workspaceId) => {
@@ -638,7 +635,7 @@ export const backfillTrustedIps = async () => {
    await TrustedIP.bulkWrite(operations);
    console.log("Backfill: Trusted IPs complete");
  }
-}
+};

 export const backfillUserAuthMethods = async () => {
  await User.updateMany(
@@ -655,7 +652,6 @@ export const backfillUserAuthMethods = async () => {
    }
  );

-
  const documentsToUpdate = await User.find({
    authProvider: { $exists: true },
    authMethods: { $exists: false }
@@ -676,4 +672,23 @@ export const backfillUserAuthMethods = async () => {
      }
    );
  }
-}
+};
+
+export const backfillPermission = async () => {
+  await Membership.updateMany(
+    {
+      deniedPermissions: {
+        $exists: true
+      },
+      role: MEMBER
+    },
+    [
+      {
+        $set: {
+          role: VIEWER
+        }
+      }
+    ]
+  );
+  console.log("Backfill: Finishing converting old denied permission in workspace to viewers");
+};
--- a/backend/src/utils/setup/index.ts
+++ b/backend/src/utils/setup/index.ts
@@ -11,6 +11,7 @@ import {
  backfillBots,
  backfillEncryptionMetadata,
  backfillIntegration,
+  backfillPermission,
  backfillSecretBlindIndexData,
  backfillSecretFolders,
  backfillSecretVersions,
@@ -24,12 +25,7 @@ import {
  reencryptBotPrivateKeys,
  reencryptSecretBlindIndexDataSalts
 } from "./reencryptData";
-import {
-  getMongoURL,
-  getNodeEnv,
-  getRedisUrl,
-  getSentryDSN
-} from "../../config";
+import { getMongoURL, getNodeEnv, getRedisUrl, getSentryDSN } from "../../config";
 import { initializePassport } from "../auth";

 /**
@@ -43,8 +39,10 @@ import { initializePassport } from "../auth";
 * - Re-encrypting data
 */
 export const setup = async () => {
-  if (await getRedisUrl() === undefined || await getRedisUrl() === "") {
-    console.error("WARNING: Redis is not yet configured. Infisical may not function as expected without it.")
+  if ((await getRedisUrl()) === undefined || (await getRedisUrl()) === "") {
+    console.error(
+      "WARNING: Redis is not yet configured. Infisical may not function as expected without it."
+    );
  }

  await validateEncryptionKeysConfig();
@@ -86,6 +84,7 @@ export const setup = async () => {
  await backfillServiceTokenMultiScope();
  await backfillTrustedIps();
  await backfillUserAuthMethods();
+  await backfillPermission();

  // re-encrypt any data previously encrypted under server hex 128-bit ENCRYPTION_KEY
  // to base64 256-bit ROOT_ENCRYPTION_KEY
--- a/frontend/src/hooks/api/roles/queries.tsx
+++ b/frontend/src/hooks/api/roles/queries.tsx
@@ -28,11 +28,6 @@ const glob: JsInterpreter<FieldCondition<string>> = (node, object, context) => {
  const secretPath = context.get(object, node.field);
  const permissionSecretGlobPath = node.value;
  if (!secretPath) return false;
-  // console.log(
-  //   secretPath,
-  //   picomatch.isMatch(secretPath, permissionSecretGlobPath, { strictSlashes: false }),
-  //   permissionSecretGlobPath
-  // );
  return picomatch.isMatch(secretPath, permissionSecretGlobPath, { strictSlashes: false });
 };

@@ -102,7 +97,7 @@ export const useGetUserProjectPermissions = ({ workspaceId }: TGetUserProjectPer
    enabled: Boolean(workspaceId),
    select: (data) => {
      const rule = unpackRules<RawRuleOf<MongoAbility<ProjectPermissionSet>>>(data);
-      const ability = createMongoAbility<ProjectPermissionSet>(rule);
+      const ability = createMongoAbility<ProjectPermissionSet>(rule, { conditionsMatcher });
      return ability;
    }
  });
--- a/frontend/src/views/SecretOverviewPage/SecretOverviewPage.tsx
+++ b/frontend/src/views/SecretOverviewPage/SecretOverviewPage.tsx
@@ -81,7 +81,7 @@ export const SecretOverviewPage = () => {
  const workspaceId = currentWorkspace?._id as string;
  const { data: latestFileKey } = useGetUserWsKey(workspaceId);
  const [searchFilter, setSearchFilter] = useState("");
-  const secretPath = router.query?.secretPath as string;
+  const secretPath = (router.query?.secretPath as string) || "/";
  const permission = useProjectPermission();

  useEffect(() => {