feat: enthistory perms for realz hopefully #1156

Merged
merged 2 commits into from
Aug 1, 2024

Conversation


@golanglemonade golanglemonade commented Jul 24, 2024

  • Adds missing history cli cmds, updates the template to include some base history fields in the output
  • Adds aliases to the org* cli commands so that you can use organization or org so it aligns with the schema names (former) but isn't a breaking change (latter)
  • Uses the updated entfga + enthistory to enable permissions on history schemas, updates entc.go to run the history schema generation + authz check generation before the ent generation.
  • Updates the fga model; requires the audit_history_viewer role to view any history schemas, this is currently set by the model for the owner of an organization. Follow-up PR will be to allow this role to be assigned to any member of an organization
  • Adds a traverse interceptor to enforce authz, and adds filters to queries

Now, instead of getting all the history, it should be filtered on the same org owned + user owned policies as the objects + require audit viewer role:

org owner: (inherits audit-viewer role)

go run cmd/cli/main.go organization-history get
  ID                          REF                         OPERATION  UPDATEDAT                             UPDATEDBY
  01J33E29TEBT65P03YF07SQ6ZW  01J33E29S8HYFFG11C2JDM9N4K  INSERT     2024-07-18 17:26:02.792104 +0000 UTC  01J33E1TX4JP7NP2EV4CYM1GH6
  01J3KFM8TQJCC7PMX8XFJPKSJC  01J33E29S8HYFFG11C2JDM9N4K  UPDATE     2024-07-24 23:01:11.12287 +0000 UTC   01J33E1TX4JP7NP2EV4CYM1GH6

vs. member without audit-viewer:

go run cmd/cli/main.go organization-history get
Error: {"networkErrors":null,"graphqlErrors":[{"message":"you are not authorized to perform this action","path":["organizationHistories"]}]}
exit status 1

Adds an audit log resolver that can be filtered across all history tables. This is very much a v1 cut of this, and will move the filter logic to the enthistory functions once we play with this data more, vs. filtering after in the resolver.

query AuditLogs($where: AuditLogWhereInput) {
  auditLogs(where: $where) {
    edges {
      node {
        table
        time
        operation
        changes
        id
        updatedBy
      }
    }
  }
}
{
  "where": {
    "table": "Organization",
    "operation": "Update"
  }
}
{
  "data": {
    "auditLogs": {
      "edges": [
        {
          "node": {
            "table": "Organization",
            "time": "2024-07-24T23:01:11Z",
            "operation": "UPDATE",
            "changes": [
              "updated_at: \"2024-07-18T17:26:02.792104Z\" -> \"2024-07-24T23:01:11.12287Z\"",
              "deleted_at: \"0001-01-01T00:00:00Z\" -> \"0001-01-01T00:00:00Z\"",
              "description: \"\" -> \"meowzers\""
            ],
            "id": "01J33E29S8HYFFG11C2JDM9N4K",
            "updatedBy": "01J33E1TX4JP7NP2EV4CYM1GH6"
          }
        },
        {
          "node": {
            "table": "Organization",
            "time": "2024-07-27T05:04:23Z",
            "operation": "UPDATE",
            "changes": [
              "updated_at: \"2024-07-24T23:01:11.12287Z\" -> \"2024-07-27T05:04:23.184054Z\"",
              "description: \"meowzers\" -> \"meow\""
            ],
            "id": "01J33E29S8HYFFG11C2JDM9N4K",
            "updatedBy": "01J33E1TX4JP7NP2EV4CYM1GH6"
          }
        }
      ]
    }
  },
  "extensions": {
    "auth": {
      "authentication_type": "pat"
    },
    "server_latency": "72.307792ms",
    "trace_id": "NEhlRsTXjgIfdMSktyaeTLemkNKnpeNl"
  }
}
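The two behaviours the description shows, the role gate that refuses a member before any history is read and the per-table/operation filter that renders changes as `field: "old" -> "new"`, as an added Go example that is not the project's code: `HistoryRow`, `Diff` and `AuditLogs` are constructed stand-ins, and the role name, error message and change format are taken from the PR text above.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ErrUnauthorized carries the message the CLI printed for a member without the role.
var ErrUnauthorized = errors.New("you are not authorized to perform this action")
// HistoryRow is a constructed stand-in for one enthistory row.
type HistoryRow struct {
	Table, Ref, Operation, UpdatedBy string
	Fields                           map[string]string // snapshot after the op
	Changes                          []string          // filled in by AuditLogs
}

// Diff renders changed fields as `name: "old" -> "new"`, sorted for stable output.
func Diff(prev, cur map[string]string) []string {
	var out []string
	for k, nv := range cur {
		if ov := prev[k]; ov != nv {
			out = append(out, fmt.Sprintf("%s: %q -> %q", k, ov, nv))
		}
	}
	sort.Strings(out)
	return out
}

// AuditLogs enforces audit_history_viewer first, then filters by table and (case-insensitive) op.
func AuditLogs(roles map[string]bool, rows []HistoryRow, table, op string) ([]HistoryRow, error) {
	if !roles["audit_history_viewer"] {
		return nil, ErrUnauthorized
	}
	last := map[string]map[string]string{} // previous snapshot per ref (rows oldest-first)
	var out []HistoryRow
	for _, r := range rows {
		r.Changes = Diff(last[r.Ref], r.Fields)
		last[r.Ref] = r.Fields
		if r.Table == table && strings.EqualFold(r.Operation, op) {
			out = append(out, r)
		}
	}
	return out, nil
}

func main() {
	fmt.Println(AuditLogs(map[string]bool{"member": true}, nil, "Organization", "Update"))
}
```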

@github-actions github-actions bot added enhancement New feature or request dbschema graphapi cli codegenerators graphqlschema authorization deals with the authorization layer of the stack labels Jul 24, 2024
@golanglemonade golanglemonade force-pushed the feat-enthistory-perms-for-realz-hopefully branch from f28c70d to d16b23c Compare August 1, 2024 18:00
Signed-off-by: Sarah Funkhouser <[email protected]>
@golanglemonade golanglemonade marked this pull request as ready for review August 1, 2024 18:09
@golanglemonade golanglemonade requested a review from a team as a code owner August 1, 2024 18:09

@matoszz matoszz merged commit c2dd8f0 into main Aug 1, 2024
21 checks passed
@matoszz matoszz deleted the feat-enthistory-perms-for-realz-hopefully branch August 1, 2024 20:04