Added action level rbac access checks

Author: akclace

internal/app/action/action.go

@@ -4,6 +4,7 @@
 package action
 
 import (
+	"context"
 	"embed"
 	"encoding/json"
 	"fmt"
@@ -36,8 +37,10 @@ var embedHtml embed.FS
 var embedFS = hashfs.NewFS(embedHtml)
 
 type ActionLink struct {
-	Name string
-	Path string
+	Name       string
+	Path       string
+	Permits    []string
+	Authorized bool
 }
 
 // Action represents a single action that is exposed by the App. Actions
@@ -69,13 +72,16 @@ type Action struct {
 	esmLibs           []types.JSLibrary
 	appPathDomain     types.AppPathDomain
 	serverConfig      *types.ServerConfig
+	permit            []string
+	authorizer        types.AuthorizerFunc // can be null
 }
 
 // NewAction creates a new action
 func NewAction(logger *types.Logger, sourceFS *appfs.SourceFs, isDev bool, name, description, apath string, run, suggest starlark.Callable,
 	params []apptype.AppParam, paramValuesStr map[string]string, paramDict starlark.StringDict,
 	appPath string, styleType types.StyleType, containerProxyUrl string, hidden []string, showValidate bool,
-	auditInsert func(*types.AuditEvent) error, containerManager any, jsLibs []types.JSLibrary, appPathDomain types.AppPathDomain, serverConfig *types.ServerConfig) (*Action, error) {
+	auditInsert func(*types.AuditEvent) error, containerManager any, jsLibs []types.JSLibrary, appPathDomain types.AppPathDomain,
+	serverConfig *types.ServerConfig, permit []string, authorizer types.AuthorizerFunc) (*Action, error) {
 
 	funcMap := system.GetFuncMap()
 
@@ -151,13 +157,16 @@ func NewAction(logger *types.Logger, sourceFS *appfs.SourceFs, isDev bool, name,
 		// Links, AppTemplate and Theme names are initialized later
 		appPathDomain: appPathDomain,
 		serverConfig:  serverConfig,
+		permit:        permit,
+		authorizer:    authorizer,
 	}, nil
 }
 
 func (a *Action) GetLink() ActionLink {
 	return ActionLink{
-		Name: a.name,
-		Path: a.pagePath,
+		Name:    a.name,
+		Path:    a.pagePath,
+		Permits: a.permit,
 	}
 }
 
@@ -203,7 +212,27 @@ func (a *Action) validateAction(w http.ResponseWriter, r *http.Request) {
 	a.execAction(w, r, false, true, "validate")
 }
 
+func (a *Action) authorizeAction(w http.ResponseWriter, r *http.Request) bool {
+	if a.authorizer != nil && len(a.permit) > 0 {
+		authorized, err := a.authorizer(r.Context(), a.permit)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return false
+		}
+		if !authorized {
+			userId := system.GetContextUserId(r.Context())
+			http.Error(w, fmt.Sprintf("Unauthorized : %s does not have access to action %s", userId, a.name), http.StatusUnauthorized)
+			return false
+		}
+	}
+	return true
+}
+
 func (a *Action) execAction(w http.ResponseWriter, r *http.Request, isSuggest, isValidate bool, op string) {
+	if !a.authorizeAction(w, r) {
+		return
+	}
+
 	if isSuggest && a.suggest == nil {
 		http.Error(w, "suggest not supported for this action", http.StatusNotImplemented)
 		return
@@ -406,7 +435,7 @@ func (a *Action) execAction(w http.ResponseWriter, r *http.Request, isSuggest, i
 	}
 
 	if isSuggest {
-		a.handleSuggestResponse(w, qsParams.Encode(), ret)
+		a.handleSuggestResponse(r.Context(), w, qsParams.Encode(), ret)
 		return
 	}
 
@@ -487,7 +516,7 @@ func (a *Action) execAction(w http.ResponseWriter, r *http.Request, isSuggest, i
 	}
 
 	if len(a.Links) > 1 {
-		linksWithQS := a.getLinksWithQS(qsParams.Encode())
+		linksWithQS := a.getLinksWithQS(r.Context(), qsParams.Encode())
 		input := map[string]any{"links": linksWithQS}
 		err = a.actionTemplate.ExecuteTemplate(w, "dropdown", input)
 		if err != nil {
@@ -730,6 +759,10 @@ const (
 )
 
 func (a *Action) getForm(w http.ResponseWriter, r *http.Request) {
+	if !a.authorizeAction(w, r) {
+		return
+	}
+
 	queryParams := r.URL.Query()
 	params := make([]ParamDef, 0, len(a.params))
 
@@ -810,7 +843,7 @@ func (a *Action) getForm(w http.ResponseWriter, r *http.Request) {
 		params = append(params, param)
 	}
 
-	linksWithQS := a.getLinksWithQS(r.URL.RawQuery)
+	linksWithQS := a.getLinksWithQS(r.Context(), r.URL.RawQuery)
 	input := map[string]any{
 		"dev":           a.isDev,
 		"name":          a.name,
@@ -833,20 +866,29 @@ func (a *Action) getForm(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func (a *Action) getLinksWithQS(qs string) []ActionLink {
+func (a *Action) getLinksWithQS(ctx context.Context, qs string) []ActionLink {
 	linksWithQS := make([]ActionLink, 0, len(a.Links))
 	for _, link := range a.Links {
+		authorized := true
+		if a.authorizer != nil && len(link.Permits) > 0 {
+			var err error
+			authorized, err = a.authorizer(ctx, link.Permits)
+			if err != nil {
+				a.Error().Msgf("error authorizing link %s: %s", link.Name, err)
+			}
+		}
 		if link.Path != a.pagePath { // Don't add self link
 			if qs != "" {
 				link.Path = link.Path + "?" + qs
 			}
+			link.Authorized = authorized // whether this user has access to this action
 			linksWithQS = append(linksWithQS, link)
 		}
 	}
 	return linksWithQS
 }
 
-func (a *Action) handleSuggestResponse(w http.ResponseWriter, paramQS string, retVal starlark.Value) {
+func (a *Action) handleSuggestResponse(ctx context.Context, w http.ResponseWriter, paramQS string, retVal starlark.Value) {
 	ret, err := starlark_type.UnmarshalStarlark(retVal)
 	if err != nil {
 		http.Error(w, fmt.Sprintf("error unmarshalling suggest response: %s", err), http.StatusInternalServerError)
@@ -865,7 +907,7 @@ func (a *Action) handleSuggestResponse(w http.ResponseWriter, paramQS string, re
 	}
 
 	if len(a.Links) > 1 {
-		linksWithQS := a.getLinksWithQS(paramQS)
+		linksWithQS := a.getLinksWithQS(ctx, paramQS)
 		input := map[string]any{"links": linksWithQS}
 		err = a.actionTemplate.ExecuteTemplate(w, "dropdown", input)
 		if err != nil {

internal/app/action/form.go.html

@@ -64,7 +64,13 @@
                 tabindex="0"
                 class="dropdown-content menu bg-base-100 rounded-box z-[1] w-52 p-2 shadow">
                 {{ range .links }}
-                  <li><a href="{{ .Path }}">{{ .Name }}</a></li>
+                  {{ if .Authorized }}
+                    <li><a class="link" href="{{ .Path }}">{{ .Name }}</a></li>
+                  {{ else }}
+                    <li class="disabled menu-disabled">
+                      <a aria-disabled="true">{{ .Name }}</a>
+                    </li>
+                  {{ end }}
                 {{ end }}
               </ul>
             {{ end }}

internal/app/app.go

@@ -85,7 +85,8 @@ type App struct {
 	lastRequestTime atomic.Int64
 	secretEvalFunc  func([][]string, string, string) (string, error)
 	auditInsert     func(*types.AuditEvent) error
-	AppRunPath      string // path to the app run directory
+	AppRunPath      string               // path to the app run directory
+	authorizer      types.AuthorizerFunc // the authorizer function to use, can be null
 }
 
 type starlarkCacheEntry struct {
@@ -102,7 +103,7 @@ func NewApp(sourceFS *appfs.SourceFs, workFS *appfs.WorkFs, logger *types.Logger
 	appEntry *types.AppEntry, systemConfig *types.SystemConfig,
 	plugins map[string]types.PluginSettings, appConfig types.AppConfig, notifyClose chan<- types.AppPathDomain,
 	secretEvalFunc func([][]string, string, string) (string, error),
-	auditInsert func(*types.AuditEvent) error, serverConfig *types.ServerConfig) (*App, error) {
+	auditInsert func(*types.AuditEvent) error, serverConfig *types.ServerConfig, authorizer types.AuthorizerFunc) (*App, error) {
 	newApp := &App{
 		sourceFS:       sourceFS,
 		Logger:         logger,
@@ -114,6 +115,7 @@ func NewApp(sourceFS *appfs.SourceFs, workFS *appfs.WorkFs, logger *types.Logger
 		appStyle:       &dev.AppStyle{},
 		auditInsert:    auditInsert,
 		serverConfig:   serverConfig,
+		authorizer:     authorizer,
 	}
 	newApp.plugins = NewAppPlugins(newApp, plugins, appEntry.Metadata.Accounts)
 	newApp.AppConfig = appConfig

internal/app/apptype/builtins.go

@@ -310,17 +310,20 @@ func createLibraryBuiltin(_ *starlark.Thread, _ *starlark.Builtin, args starlark
 func createActionBuiltin(_ *starlark.Thread, _ *starlark.Builtin, args starlark.Tuple, kwargs []starlark.Tuple) (starlark.Value, error) {
 	var name, desc, path starlark.String
 	var suggest, executor starlark.Callable
-	var hidden *starlark.List
+	var hidden, permit *starlark.List
 	var showValidate starlark.Bool
 	if err := starlark.UnpackArgs(ACTION, args, kwargs, "name", &name, "path", &path,
 		"run", &executor, "suggest?", &suggest, "description?", &desc, "hidden?", &hidden,
-		"show_validate?", &showValidate); err != nil {
+		"show_validate?", &showValidate, "permit?", &permit); err != nil {
 		return nil, fmt.Errorf("error unpacking action args: %w", err)
 	}
 
 	if hidden == nil {
 		hidden = starlark.NewList([]starlark.Value{})
 	}
+	if permit == nil {
+		permit = starlark.NewList([]starlark.Value{})
+	}
 
 	fields := starlark.StringDict{
 		"name":          name,
@@ -329,6 +332,7 @@ func createActionBuiltin(_ *starlark.Thread, _ *starlark.Builtin, args starlark.
 		"run":           executor,
 		"hidden":        hidden,
 		"show_validate": showValidate,
+		"permit":        permit,
 	}
 
 	if suggest != nil {

internal/app/setup.go

@@ -521,7 +521,7 @@ func (a *App) addAction(count int, val starlark.Value, router *chi.Mux) (err err
 
 	var name, path, description string
 	var run, suggest starlark.Callable
-	var hidden []string
+	var hidden, permit []string
 	var showValidate bool
 	if name, err = apptype.GetStringAttr(actionDef, "name"); err != nil {
 		return err
@@ -538,6 +538,11 @@ func (a *App) addAction(count int, val starlark.Value, router *chi.Mux) (err err
 	if hidden, err = apptype.GetListStringAttr(actionDef, "hidden", true); err != nil {
 		return err
 	}
+
+	if permit, err = apptype.GetListStringAttr(actionDef, "permit", true); err != nil {
+		return err
+	}
+
 	if showValidate, err = apptype.GetBoolAttr(actionDef, "show_validate"); err != nil {
 		return err
 	}
@@ -557,7 +562,7 @@ func (a *App) addAction(count int, val starlark.Value, router *chi.Mux) (err err
 	}
 	action, err := action.NewAction(a.Logger, a.sourceFS, a.IsDev, name, description, path, run, suggest,
 		slices.Collect(maps.Values(a.paramInfo)), a.paramValuesStr, a.paramDict, a.Path, a.appStyle.GetStyleType(),
-		containerProxyUrl, hidden, showValidate, a.auditInsert, a.containerManager, a.jsLibs, a.AppPathDomain(), a.serverConfig)
+		containerProxyUrl, hidden, showValidate, a.auditInsert, a.containerManager, a.jsLibs, a.AppPathDomain(), a.serverConfig, permit, a.authorizer)
 	if err != nil {
 		return fmt.Errorf("error creating action %s: %w", name, err)
 	}

internal/app/tests/app_test_helper.go

@@ -107,7 +107,7 @@ func CreateTestAppInt(logger *types.Logger, path string, fileData map[string]str
 	workFS := appfs.NewWorkFs("", &TestWriteFS{TestReadFS: &TestReadFS{fileData: map[string]string{}}})
 	a, err := app.NewApp(sourceFS, workFS, logger,
 		createTestAppEntry(id, path, isDev, metadata), &systemConfig, pluginConfig, *appConfig,
-		nil, secretManager.AppEvalTemplate, nil, &types.ServerConfig{})
+		nil, secretManager.AppEvalTemplate, nil, &types.ServerConfig{}, nil)
 	if err != nil {
 		return nil, nil, err
 	}

internal/app/tests/appaction_test.go

@@ -939,21 +939,21 @@ app = ace.app("testApp",
 
 	testutil.AssertEqualsInt(t, "code", 200, response.Code)
 	body := response.Body.String()
-	if strings.Contains(body, `<li><a href="/test/test1">test1Action</a></li>`) {
+	if strings.Contains(body, `<li><a class="link" href="/test/test1">test1Action</a></li>`) {
 		t.Errorf("actions switcher should not have current action, got %s", body)
 	}
-	testutil.AssertStringContains(t, body, `<li><a href="/test/test2">test2Action</a></li>`)
+	testutil.AssertStringContains(t, body, `<li><a class="link" href="/test/test2">test2Action</a></li>`)
 
 	request = httptest.NewRequest("GET", "/test/test2?param1=abc", nil)
 	response = httptest.NewRecorder()
 	a.ServeHTTP(response, request)
 
 	testutil.AssertEqualsInt(t, "code", 200, response.Code)
 	body = response.Body.String()
-	if strings.Contains(body, `<li><a href="/test/test2">test2Action</a></li>`) {
+	if strings.Contains(body, `<li><a class="link" href="/test/test2">test2Action</a></li>`) {
 		t.Errorf("actions switcher should not have current action, got %s", body)
 	}
-	testutil.AssertStringContains(t, body, `<li><a href="/test/test1?param1=abc">test1Action</a></li>`)
+	testutil.AssertStringContains(t, body, `<li><a class="link" href="/test/test1?param1=abc">test1Action</a></li>`)
 
 	values := url.Values{
 		"param1": {"p1val"},
@@ -977,7 +977,7 @@ app = ace.app("testApp",
                         tabindex="0"
                         class="dropdown-content menu bg-base-100 rounded-box z-[1] w-52 p-2 shadow">
                         
-                          <li><a href="/test/test2?param1=p1val">test2Action</a></li>
+                          <li><a class="link" href="/test/test2?param1=p1val">test2Action</a></li>
                         
                       </ul>
 		 <div

internal/server/app_apis.go

@@ -355,7 +355,7 @@ func (s *Server) setupApp(appEntry *types.AppEntry, tx types.Transaction) (*app.
 		})
 	return app.NewApp(sourceFS, workFS, &appLogger, appEntry, &s.config.System,
 		s.config.Plugins, s.config.AppConfig, s.notifyClose, s.secretsManager.AppEvalTemplate,
-		s.InsertAuditEvent, s.config)
+		s.InsertAuditEvent, s.config, s.AuthorizeAny)
 }
 
 func (s *Server) GetAppApi(ctx context.Context, appPath string) (*types.AppGetResponse, error) {
@@ -513,7 +513,7 @@ func (s *Server) authenticateAndServeApp(w http.ResponseWriter, r *http.Request,
 	}
 
 	s.Trace().Msgf("Authenticated user %s, doing authorization check", userId)
-	authorized, err := s.rbacManager.Authorize(userId, app.AppEntry.AppPathDomain(), string(appAuth), types.PermissionAccess, groups)
+	authorized, err := s.rbacManager.Authorize(userId, app.AppEntry.AppPathDomain(), string(appAuth), types.PermissionAccess, groups, false)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
@@ -527,6 +527,8 @@ func (s *Server) authenticateAndServeApp(w http.ResponseWriter, r *http.Request,
 	// Create a new context with the user ID
 	ctx := context.WithValue(r.Context(), types.USER_ID, userId)
 	ctx = context.WithValue(ctx, types.APP_ID, string(app.Id))
+	ctx = context.WithValue(ctx, types.APP_PATH_DOMAIN, app.AppEntry.AppPathDomain())
+	ctx = context.WithValue(ctx, types.APP_AUTH, appAuth)
 	ctx = context.WithValue(ctx, types.GROUPS, groups)
 
 	contextShared := ctx.Value(types.SHARED)

internal/server/rbac.go

@@ -41,7 +41,7 @@ func NewRBACHandler(logger *types.Logger, rbacConfig *types.RBACConfig, serverCo
 }
 
 func (h *RBACManager) Authorize(user string, appPathDomain types.AppPathDomain,
-	appAuthSetting string, permission types.RBACPermission, groups []string) (bool, error) {
+	appAuthSetting string, permission types.RBACPermission, groups []string, isAppLevelPermission bool) (bool, error) {
 	h.mu.RLock()
 	defer h.mu.RUnlock()
 
@@ -55,7 +55,7 @@ func (h *RBACManager) Authorize(user string, appPathDomain types.AppPathDomain,
 		return true, nil
 	}
 
-	if !strings.HasPrefix(appAuthSetting, RBAC_AUTH_PREFIX) && permission == types.PermissionAccess {
+	if !strings.HasPrefix(appAuthSetting, RBAC_AUTH_PREFIX) && (permission == types.PermissionAccess || isAppLevelPermission) {
 		// if app auth does not have rbac enabled, authorize access for Access permission
 		// If authenticated, then app access is allowed
 		return true, nil