Merge pull request #2397 from solliancenet/cj-extend-role-assignments

(0.9.7-beta135.1) Add new role definitions for agent and vectorization pipelines

Author: alistar-andrei

src/dotnet/AIModel/ResourceProviders/AIModelResourceProviderService.cs

@@ -88,7 +88,13 @@ protected override async Task<object> GetResourcesAsync(
             };
 
         /// <inheritdoc/>
-        protected override async Task<object> UpsertResourceAsync(ResourcePath resourcePath, string? serializedResource, ResourceProviderFormFile? formFile, UnifiedUserIdentity userIdentity) =>
+        protected override async Task<object> UpsertResourceAsync(
+            ResourcePath resourcePath,
+            string? serializedResource,
+            ResourceProviderFormFile? formFile,
+            ResourcePathAuthorizationResult authorizationResult,
+            UnifiedUserIdentity userIdentity) =>
+
             resourcePath.MainResourceTypeName switch
             {
                 AIModelResourceTypeNames.AIModels => await UpdateAIModel(resourcePath, serializedResource!, userIdentity),

src/dotnet/Agent/ResourceProviders/AgentResourceProviderService.cs

@@ -28,6 +28,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using Microsoft.Graph.Models;
 using System.Data;
 using System.Text;
 using System.Text.Json;
@@ -122,12 +123,18 @@ protected override async Task<object> GetResourcesAsync(
             };
 
         /// <inheritdoc/>
-        protected override async Task<object> UpsertResourceAsync(ResourcePath resourcePath, string? serializedResource, ResourceProviderFormFile? formFile, UnifiedUserIdentity userIdentity) =>
+        protected override async Task<object> UpsertResourceAsync(
+            ResourcePath resourcePath,
+            string? serializedResource,
+            ResourceProviderFormFile? formFile,
+            ResourcePathAuthorizationResult authorizationResult,
+            UnifiedUserIdentity userIdentity) =>
+
             resourcePath.ResourceTypeName switch
             {
-                AgentResourceTypeNames.Agents => await UpdateAgent(resourcePath, serializedResource!, userIdentity),
+                AgentResourceTypeNames.Agents => await UpdateAgent(resourcePath, serializedResource!, authorizationResult, userIdentity),
                 AgentResourceTypeNames.AgentFiles => await UpdateAgentFile(resourcePath, formFile!, userIdentity),
-                AgentResourceTypeNames.AgentAccessTokens => await UpdateAgentAccessToken(resourcePath, serializedResource!),
+                AgentResourceTypeNames.AgentAccessTokens => await UpdateAgentAccessToken(resourcePath, serializedResource!, authorizationResult, userIdentity),
                 AgentResourceTypeNames.AgentFileToolAssociations => await UpdateFileToolAssociations(resourcePath, serializedResource!, userIdentity),
                 _ => throw new ResourceProviderException($"The resource type {resourcePath.ResourceTypeName} is not supported by the {_name} resource provider.",
                     StatusCodes.Status400BadRequest)
@@ -220,14 +227,30 @@ protected override async Task<T> GetResourceAsyncInternal<T>(
 
         #region Resource management
 
-        private async Task<ResourceProviderUpsertResult> UpdateAgent(ResourcePath resourcePath, string serializedAgent, UnifiedUserIdentity userIdentity)
+        private async Task<ResourceProviderUpsertResult> UpdateAgent(
+            ResourcePath resourcePath,
+            string serializedAgent,
+            ResourcePathAuthorizationResult authorizationResult,
+            UnifiedUserIdentity userIdentity)
         {
             var agent = JsonSerializer.Deserialize<AgentBase>(serializedAgent)
                 ?? throw new ResourceProviderException("The object definition is invalid.",
                     StatusCodes.Status400BadRequest);
 
             var existingAgentReference = await _resourceReferenceStore!.GetResourceReference(agent.Name);
 
+            if (existingAgentReference is not null
+                && !authorizationResult.Authorized)
+            {
+                // The resource already exists and the user is not authorized to update it.
+                // Irrespective of whether the user has the required role or not, we need to throw an exception in the case of existing resources.
+                // The required role only allows the user to create a new resource.
+                // This check is needed because it's only here that we can determine if the resource exists.
+                _logger.LogWarning("Access to the resource path {ResourcePath} was not authorized for user {UserName} : userId {UserId}.",
+                    resourcePath.RawResourcePath, userIdentity!.Username, userIdentity!.UserId);
+                throw new ResourceProviderException("Access is not authorized.", StatusCodes.Status403Forbidden);
+            }
+
             if (resourcePath.ResourceTypeInstances[0].ResourceId != agent.Name)
                 throw new ResourceProviderException("The resource path does not match the object definition (name mismatch).",
                     StatusCodes.Status400BadRequest);
@@ -479,7 +502,7 @@ private async Task<List<ResourceProviderGetResult<AgentAccessToken>>> LoadAgentA
                 agentClientSecretKey.InstanceId,
                 agentClientSecretKey.ContextId);
 
-            return secretKeys.Select(k => new ResourceProviderGetResult<AgentAccessToken>()
+            return [.. secretKeys.Select(k => new ResourceProviderGetResult<AgentAccessToken>()
             {
                 Actions = [],
                 Roles = [],
@@ -491,15 +514,28 @@ private async Task<List<ResourceProviderGetResult<AgentAccessToken>>> LoadAgentA
                     Active = k.Active,
                     ExpirationDate = k.ExpirationDate
                 }
-            }).ToList();
+            })];
         }
 
-        private async Task<ResourceProviderUpsertResult> UpdateAgentAccessToken(ResourcePath resourcePath, string serializedAgentAccessToken)
+        private async Task<ResourceProviderUpsertResult> UpdateAgentAccessToken(
+            ResourcePath resourcePath,
+            string serializedAgentAccessToken,
+            ResourcePathAuthorizationResult authorizationResult,
+            UnifiedUserIdentity userIdentity)
         {
             var agentAccessToken = JsonSerializer.Deserialize<AgentAccessToken>(serializedAgentAccessToken)
                 ?? throw new ResourceProviderException("The object definition is invalid.",
                     StatusCodes.Status400BadRequest);
 
+            if (!authorizationResult.Authorized
+                || !authorizationResult.HasRequiredRole)
+            {
+                // Agent access keys can be created or updated only by users with the required role and authorization on the agent.
+                _logger.LogWarning("Access to the resource path {ResourcePath} was not authorized for user {UserName} : userId {UserId}.",
+                    resourcePath.RawResourcePath, userIdentity!.Username, userIdentity!.UserId);
+                throw new ResourceProviderException("Access is not authorized.", StatusCodes.Status403Forbidden);
+            }
+
             var agentClientSecretKey = new AgentClientSecretKey
             {
                 InstanceId = resourcePath.InstanceId!,

src/dotnet/Authorization/ResourceProviders/AuthorizationResourceProviderService.cs

@@ -89,7 +89,13 @@ private static List<RoleDefinition> LoadRoleDefinitions(ResourceTypeInstance ins
         #endregion
 
         /// <inheritdoc/>
-        protected override async Task<object> UpsertResourceAsync(ResourcePath resourcePath, string? serializedResource, ResourceProviderFormFile? formFile, UnifiedUserIdentity userIdentity) =>
+        protected override async Task<object> UpsertResourceAsync(
+            ResourcePath resourcePath,
+            string? serializedResource,
+            ResourceProviderFormFile? formFile,
+            ResourcePathAuthorizationResult authorizationResult,
+            UnifiedUserIdentity userIdentity) =>
+
             resourcePath.MainResourceTypeName switch
             {
                 AuthorizationResourceTypeNames.RoleAssignments => await UpdateRoleAssignments(resourcePath, serializedResource!, userIdentity),

src/dotnet/AuthorizationEngine/Services/AuthorizationCore.cs

@@ -310,10 +310,9 @@ public ActionAuthorizationResult ProcessAuthorizationRequest(string instanceId,
                             authorizationResults[rp] = ProcessAuthorizationRequestForResourcePath(parsedResourcePath, new ActionAuthorizationRequest()
                             {
                                 Action = authorizationRequest.Action,
+                                RoleName = authorizationRequest.RoleName,
                                 ResourcePaths = [rp],
-                                ExpandResourceTypePaths = parsedResourcePath.IsResourceTypePath
-                                    ? authorizationRequest.ExpandResourceTypePaths
-                                    : false,
+                                ExpandResourceTypePaths = parsedResourcePath.IsResourceTypePath && authorizationRequest.ExpandResourceTypePaths,
                                 IncludeRoles = authorizationRequest.IncludeRoles,
                                 IncludeActions = authorizationRequest.IncludeActions,
                                 UserContext = authorizationRequest.UserContext
@@ -351,6 +350,7 @@ private ResourcePathAuthorizationResult ProcessAuthorizationRequestForResourcePa
                 ResourceName = resourcePath.MainResourceId,
                 ResourcePath = resourcePath.RawResourcePath,
                 Authorized = false,
+                HasRequiredRole = false,
                 Roles = [],
                 PolicyDefinitionIds = [],
                 SubordinateResourcePathsAuthorizationResults = []
@@ -364,11 +364,10 @@ private ResourcePathAuthorizationResult ProcessAuthorizationRequestForResourcePa
             if (_policyAssignmentCaches.TryGetValue(resourcePath.InstanceId!, out var policyAssignmentCache))
             {
                 // Policies are only assigned to resource type paths.
-                result.PolicyDefinitionIds = policyAssignmentCache
+                result.PolicyDefinitionIds = [.. policyAssignmentCache
                     .GetPolicyAssignments(resourcePath.GetResourceTypeObjectId())
                     .Where(pa => securityPrincipalIds.Contains(pa.PrincipalId))
-                    .Select(pa => pa.PolicyDefinitionId)
-                    .ToList();
+                    .Select(pa => pa.PolicyDefinitionId)];
             }
 
             // Get cache associated with the instance id.
@@ -387,21 +386,26 @@ private ResourcePathAuthorizationResult ProcessAuthorizationRequestForResourcePa
                         {
                             // Check if the scope of the role assignment covers the resource.
                             // Check if the actions of the role definition include the requested action.
-                            if (resourcePath.IncludesResourcePath(roleAssignment.ScopeResourcePath!)
-                                && roleAssignment.AllowedActions.Contains(authorizationRequest.Action))
+                            if (resourcePath.IncludesResourcePath(roleAssignment.ScopeResourcePath!))
                             {
-                                result.Authorized = true;
-
-                                // If we are not asked to include roles or actions and not asked to expand resource paths,
-                                // we can return immediately (this is the most common case).
-                                // Otherwise, we need to go through the entire list of security principals and their role assignments,
-                                // to include collect all the roles/actions and/or all the subordinate authorized resource paths.
-                                if (!authorizationRequest.IncludeRoles
-                                    && !authorizationRequest.IncludeActions
-                                    && !authorizationRequest.ExpandResourceTypePaths)
-                                    return result;
-
-                                allSecurableActions.UnionWith(roleAssignment.AllowedActions);
+                                if (roleAssignment.RoleDefinition!.Name == authorizationRequest.RoleName)
+                                    result.HasRequiredRole = true;
+
+                                if (roleAssignment.AllowedActions.Contains(authorizationRequest.Action))
+                                {
+                                    result.Authorized = true;
+
+                                    // If we are not asked to include roles or actions and not asked to expand resource paths,
+                                    // we can return immediately (this is the most common case).
+                                    // Otherwise, we need to go through the entire list of security principals and their role assignments,
+                                    // to include collect all the roles/actions and/or all the subordinate authorized resource paths.
+                                    if (!authorizationRequest.IncludeRoles
+                                        && !authorizationRequest.IncludeActions
+                                        && !authorizationRequest.ExpandResourceTypePaths)
+                                        return result;
+
+                                    allSecurableActions.UnionWith(roleAssignment.AllowedActions);
+                                }
                             }
                         }
                         else
@@ -424,12 +428,14 @@ private ResourcePathAuthorizationResult ProcessAuthorizationRequestForResourcePa
                 if (authorizationRequest.IncludeRoles
                     && allRoleAssignments.Count > 0)
                 {
-                    // Include the display names of the roles in the result that match the scope of the resource.
-                    result.Roles = allRoleAssignments
+                    var matchingRoleAssignments = allRoleAssignments
                         .Where(ra => resourcePath.IncludesResourcePath(ra.ScopeResourcePath!))
-                        .Select(ra => ra.RoleDefinition!.DisplayName!)
-                        .Distinct()
                         .ToList();
+
+                    // Include the display names of the roles in the result that match the scope of the resource.
+                    result.Roles = [.. matchingRoleAssignments
+                        .Select(ra => ra.RoleDefinition!.DisplayName!)
+                        .Distinct()];
                 }
 
                 if (authorizationRequest.IncludeActions
@@ -618,15 +624,15 @@ public List<SecretKey> GetSecretKeys(string instanceId, string contextId)
             {
                 var persistedSecretKeys = secretKeyCache.GetKeys(contextId);
 
-                return persistedSecretKeys.Select(x => new SecretKey()
+                return [.. persistedSecretKeys.Select(x => new SecretKey()
                 {
                     Id = x.Id,
                     ContextId = contextId,
                     InstanceId = x.InstanceId,
                     Description = x.Description,
                     Active = x.Active,
                     ExpirationDate = x.ExpirationDate,
-                }).ToList();
+                })];
             }
 
             return [];

src/dotnet/Common/Clients/AuthorizationServiceClient.cs

@@ -49,6 +49,7 @@ public AuthorizationServiceClient(
         public async Task<ActionAuthorizationResult> ProcessAuthorizationRequest(
             string instanceId,
             string action,
+            string? roleName,
             List<string> resourcePaths,
             bool expandResourceTypePaths,
             bool includeRoleAssignments,
@@ -69,6 +70,7 @@ public async Task<ActionAuthorizationResult> ProcessAuthorizationRequest(
                 var authorizationRequest = new ActionAuthorizationRequest
                 {
                     Action = action,
+                    RoleName = roleName,
                     ResourcePaths = resourcePaths,
                     ExpandResourceTypePaths = expandResourceTypePaths,
                     IncludeRoles = includeRoleAssignments,

src/dotnet/Common/Clients/NullAuthorizationServiceClient.cs

@@ -14,6 +14,7 @@ public class NullAuthorizationServiceClient : IAuthorizationServiceClient
         public async Task<ActionAuthorizationResult> ProcessAuthorizationRequest(
             string instanceId,
             string action,
+            string? roleName,
             List<string> resourcePaths,
             bool expandResourceTypePaths,
             bool includeRoleAssignments,
@@ -26,7 +27,8 @@ public async Task<ActionAuthorizationResult> ProcessAuthorizationRequest(
                 {
                     ResourceName = string.Empty,
                     ResourcePath = rp,
-                    Authorized = true
+                    Authorized = true,
+                    HasRequiredRole = true,
                 });
 
             await Task.CompletedTask;

src/dotnet/Common/Constants/Data/RoleDefinitions.json

@@ -185,5 +185,90 @@
 		"updated_on": "2024-10-22T00:00:00.0000000Z",
 		"created_by": null,
 		"updated_by": null
+	},
+	{
+		"type": "FoundationaLLM.Authorization/roleDefinitions",
+		"name": "2da16a58-ed63-431a-b90e-9df32c2cae4a",
+		"object_id": "/providers/FoundationaLLM.Authorization/roleDefinitions/2da16a58-ed63-431a-b90e-9df32c2cae4a",
+		"display_name": "Data Pipelines Contributor",
+		"description": "Create new data pipelines.",
+		"assignable_scopes": [
+			"/"
+		],
+		"permissions": [
+			{
+				"actions": [
+					"FoundationaLLM.DataPipeline/dataPipelines/read",
+					"FoundationaLLM.Vectorization/vectorizationPipelines/read",
+					"FoundationaLLM.DataSource/dataSources/read",
+					"FoundationaLLM.Vectorization/textPartitioningProfiles/read",
+					"FoundationaLLM.Vectorization/textEmbeddingProfiles/read",
+					"FoundationaLLM.Vectorization/indexingProfiles/read",
+					"FoundationaLLM.Plugin/plugins/read"
+				],
+				"not_actions": [],
+				"data_actions": [],
+				"not_data_actions": []
+			}
+		],
+		"created_on": "2025-05-01T00:00:00.0000000Z",
+		"updated_on": "2025-05-01T00:00:00.0000000Z",
+		"created_by": null,
+		"updated_by": null
+	},
+	{
+		"type": "FoundationaLLM.Authorization/roleDefinitions",
+		"name": "3f28aa77-a854-4aa7-ae11-ffda238275c9",
+		"object_id": "/providers/FoundationaLLM.Authorization/roleDefinitions/3f28aa77-a854-4aa7-ae11-ffda238275c9",
+		"display_name": "Agents Contributor",
+		"description": "Create new agents.",
+		"assignable_scopes": [
+			"/"
+		],
+		"permissions": [
+			{
+				"actions": [
+					"FoundationaLLM.Agent/agents/read",
+					"FoundationaLLM.Agent/workflows/read",
+					"FoundationaLLM.Agent/tools/read",
+					"FoundationaLLM.Prompt/prompts/read",
+					"FoundationaLLM.DataSource/dataSources/read",
+					"FoundationaLLM.Vectorization/textEmbeddingProfiles/read",
+					"FoundationaLLM.Vectorization/indexingProfiles/read",
+					"FoundationaLLM.Configuration/apiEndpointConfigurations/read",
+					"FoundationaLLM.AIModel/aiModels/read",
+					"FoundationaLLM.Plugin/plugins/read"
+				],
+				"not_actions": [],
+				"data_actions": [],
+				"not_data_actions": []
+			}
+		],
+		"created_on": "2025-05-01T00:00:00.0000000Z",
+		"updated_on": "2025-05-01T00:00:00.0000000Z",
+		"created_by": null,
+		"updated_by": null
+	},
+	{
+		"type": "FoundationaLLM.Authorization/roleDefinitions",
+		"name": "8c5ea0d3-f5a1-4be5-90a7-a12921c45542",
+		"object_id": "/providers/FoundationaLLM.Authorization/roleDefinitions/8c5ea0d3-f5a1-4be5-90a7-a12921c45542",
+		"display_name": "Agent Access Tokens Contributor",
+		"description": "Create new agent access tokens.",
+		"assignable_scopes": [
+			"/"
+		],
+		"permissions": [
+			{
+				"actions": [],
+				"not_actions": [],
+				"data_actions": [],
+				"not_data_actions": []
+			}
+		],
+		"created_on": "2025-05-01T00:00:00.0000000Z",
+		"updated_on": "2025-05-01T00:00:00.0000000Z",
+		"created_by": null,
+		"updated_by": null
 	}
 ]