Merge pull request #610 from Swirrl/rbac

Rbac
Swirrl · Aug 2, 2022 · dbcd1b0 · dbcd1b0
2 parents 0dba3e4 + 1302e9f
commit dbcd1b0
Show file tree

Hide file tree

Showing 73 changed files with 735 additions and 653 deletions.
diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,4 @@ stardog.log
 .envrc
 drafter/doc/graph_rewriting_fixup.html
 .omni_cache
+.cpcache
diff --git a/drafter-client/deps.edn b/drafter-client/deps.edn
@@ -37,7 +37,7 @@
 
                               }}
 
-           :test {:extra-paths ["test" "test/resources"]
+           :test {:extra-paths ["test" "test/resources" "../drafter/test"]
                   :extra-deps {drafter/drafter {:local/root "../drafter"}
                                org.clojure/test.check {:mvn/version "1.1.1"}
                                lambdaisland/kaocha {:mvn/version "1.60.972"}

diff --git a/drafter-client/env/dev/resources/auth0-test-config.edn b/drafter-client/env/dev/resources/auth0-test-config.edn
@@ -22,5 +22,4 @@
 
  ;; auth0 authentication method
  :drafter.auth.auth0/auth0-auth-method {:auth0-client #ig/ref :swirrl.auth0/client
-                                        :jwk #ig/ref :drafter.auth.auth0/mock-jwk}
- }
+                                        :jwk #ig/ref :drafter.auth.auth0/mock-jwk}}
diff --git a/drafter-client/resources/drafter-mock-middleware.edn b/drafter-client/resources/drafter-mock-middleware.edn
@@ -16,7 +16,6 @@
 
  :drafter.middleware/wrap-authenticate
  {:middleware [#ig/ref :swirrl.auth0.middleware/bearer-token
-               #ig/ref :swirrl.auth0.middleware/normalize-roles
                #ig/ref :drafter.middleware.auth0-auth/identify
                #ig/ref :drafter.middleware.auth0-auth/token-authentication]}
 

diff --git a/drafter-client/src/drafter_client/client.clj b/drafter-client/src/drafter_client/client.clj
@@ -1,5 +1,5 @@
 (ns drafter-client.client
-  (:refer-clojure :exclude [name type get])
+  (:refer-clojure :exclude [get])
   (:require [cheshire.core :as json]
             [clj-time.format :refer [formatters parse]]
             [clojure.spec.alpha :as s]
@@ -18,8 +18,6 @@
             [martian.core :as martian])
   (:import clojure.lang.ExceptionInfo))
 
-(alias 'c 'clojure.core)
-
 (def live draftset/live)
 
 (defn exception? [v]
@@ -75,8 +73,9 @@
    same as for draftsets."
   [client access-token & [include]]
   (let [get-endpoints (partial i/request client i/get-endpoints access-token)
-        include (if (keyword? include) (c/name include) include)
-        endpoints (if include (get-endpoints :include include) (get-endpoints))]
+        endpoints (if include
+                    (get-endpoints :include (name include))
+                    (get-endpoints))]
     (map endpoint/from-json endpoints)))
 
 (defn get-public-endpoint
@@ -147,9 +146,14 @@
 (defn submit-to-user [client access-token id user]
   (i/request client i/submit-draftset-to access-token id :user user))
 
+(defn submit-to-permission [client access-token id permission]
+  (i/request client i/submit-draftset-to access-token id
+             :permission (name permission)))
+
+;; The role parameter is deprecated
 (defn submit-to-role [client access-token id role]
-  (let [role (if (keyword? role) (c/name role) role)]
-    (i/request client i/submit-draftset-to access-token id :role role)))
+  (i/request client i/submit-draftset-to access-token id
+             :role (name role)))
 
 (defn claim [client access-token id]
   (i/request client i/claim-draftset access-token id))

diff --git a/drafter-client/src/drafter_client/client/impl.clj b/drafter-client/src/drafter_client/client/impl.clj
@@ -359,9 +359,9 @@
   (martian/response-for client :status-writes-locked {}))
 
 (defn submit-draftset-to
-  "Submit a Draftset to a user or role"
+  "Submit a Draftset to a user or permission"
   #:drafter-client.client.impl{:generated true}
-  [client id & {:keys [role user] :as opts}]
+  [client id & {:keys [user permission] :as opts}]
   (martian/response-for
    client
    :submit-draftset-to

diff --git a/drafter-client/test/drafter_client/client_test.clj b/drafter-client/test/drafter_client/client_test.clj
@@ -9,15 +9,14 @@
     [drafter-client.client.endpoint :as endpoint]
     [drafter-client.test-helpers :as h]
     [drafter-client.test-util.auth :as auth-util]
-    [drafter-client.test-util.jwt :as jwt]
     [drafter.main :as drafter]
+    [drafter.test-common :refer [mock-jwk]]
     [drafter.util :as util]
     [environ.core :refer [env]]
     [grafter-2.rdf.protocols :as pr]
     [grafter-2.rdf4j.io :as rio]
     [grafter-2.rdf4j.repository :as gr-repo]
-    [integrant.core :as ig]
-    [grafter-2.rdf4j.io :as gio])
+    [integrant.core :as ig])
   (:import clojure.lang.ExceptionInfo
            java.net.URI
            [java.util UUID]
@@ -32,11 +31,11 @@
 ;; Override the :drafter.auth.auth0/jwk init-key otherwise it'll be trying to
 ;; contact auth0
 (defmethod ig/init-key :drafter.auth.auth0/jwk [_ {:keys [endpoint] :as opts}]
-  (jwt/mock-jwk))
+  (mock-jwk))
 
 ;; But this is the one that everything should use anyway
 (defmethod ig/init-key :drafter.auth.auth0/mock-jwk [_ {:keys [endpoint] :as opts}]
-  (jwt/mock-jwk))
+  (mock-jwk))
 
 (defn start-auth0-drafter-server []
   (drafter/-main (h/res-file "auth0-test-config.edn")
@@ -221,7 +220,7 @@
         token (auth-util/publisher-token)
         ds-1 (sut/new-draftset client token "first" "description")
         ds-2 (sut/new-draftset client token "second" "description")]
-    (sut/submit-to-role client token (draftset/id ds-2) :publisher)
+    (sut/submit-to-permission client token (draftset/id ds-2) :drafter:draft:claim)
     (t/testing "default"
       (let [draftsets (sut/draftsets client token)]
         (t/is (= #{(draftset/id ds-1) (draftset/id ds-2)}
@@ -385,12 +384,12 @@
                 draftset (sut/new-draftset client token name description)
                 _ (sut/add-data-sync client token draftset f {:gzip gzip?})
                 quads* (h/get-user-quads client token draftset)
-                expected-quads (set (gio/statements f))]
+                expected-quads (set (rio/statements f))]
             (t/is (= expected-quads (set quads*)))))))
 
     (t/testing "Add quads from a gzipped file"
       (let [source (io/file "test/resources/test_data.trig")
-            expected-quads (set (gio/statements source))]
+            expected-quads (set (rio/statements source))]
         (t/testing "with format and gzip extension"
           (let [f (File/createTempFile "drafter-client" ".trig.gz")]
             (try

diff --git a/drafter-client/test/drafter_client/test_util/auth.clj b/drafter-client/test/drafter_client/test_util/auth.clj
@@ -1,19 +1,22 @@
 (ns drafter-client.test-util.auth
-  (:require [drafter-client.test-util.jwt :as jwt]
+  (:require [drafter.test-common :refer [token]]
+            [drafter.user :refer [role->permissions]]
             [environ.core :refer [env]]))
 
 (def system-user {:email "system@swirrl.com" :role "system"})
 
 (defn system-token []
-  (jwt/token (env :auth0-domain)
-             (env :auth0-aud)
-             "system@swirrl.com"
-             "drafter:system"))
+  (token (env :auth0-domain)
+         (env :auth0-aud)
+         "system@swirrl.com"
+         "drafter:system"
+         (role->permissions :system)))
 
 (def test-publisher {:email "publisher@swirrl.com" :role "publisher"})
 
 (defn publisher-token []
-  (jwt/token (env :auth0-domain)
-             (env :auth0-aud)
-             "publisher@swirrl.com"
-             "drafter:publisher"))
+  (token (env :auth0-domain)
+         (env :auth0-aud)
+         "publisher@swirrl.com"
+         "drafter:publisher"
+         (role->permissions :publisher)))
diff --git a/drafter-client/test/drafter_client/test_util/jwt.clj b/drafter-client/test/drafter_client/test_util/jwt.clj
diff --git a/drafter/README.md b/drafter/README.md
@@ -73,3 +73,49 @@ tagged with git tag, branch name, and commit sha.
 
 Consumers may want to mount volumes at `/app/config` to provide custom
 configuration, and at `/app/stasher-cache` to persist the cache.
+
+## RBAC
+
+When deploying drafter with auth0 auth, users are expected to have been
+configured with some subset of the following permissions, (depending on what
+they should be allowed to do), and for those permissions to be passed in the
+`permissions` claim of the auth token.
+
+```
+drafter:draft:claim
+drafter:draft:create
+drafter:draft:delete
+drafter:draft:edit
+drafter:draft:publish
+drafter:draft:share
+drafter:draft:submit
+drafter:draft:view
+drafter:job:view
+drafter:public:view
+drafter:user:view
+```
+
+How exactly this is done isn't important, and these permissions can be split
+between roles in a way that makes sense for the specific deployment, but for
+example you might:
+
+1. create a new API called PMD, with audience `https://pmd`
+2. in RBAC Settings, "Enable RBAC" and "Add Permissions in the Access Token"
+3. add all of the above permissions under "Permissions"
+4. authorize the drafter and muttnik "Machine to Machine Applications"
+5. under "User Management" > "Roles" create roles (see below)
+6. assign roles to the relevant users
+
+### Example role mapping:
+
+- PMD-RBAC:User has drafter:public:view
+- PMD-RBAC:Reviewer has drafter:draft:view drafter:job:view drafter:public:view
+  drafter:user:view
+- PMD-RBAC:Editor has drafter:draft:claim drafter:draft:create
+  drafter:draft:delete drafter:draft:edit drafter:draft:share
+  drafter:draft:submit drafter:draft:view drafter:job:view drafter:public:view
+  drafter:user:view
+- PMD-RBAC:Publisher has drafter:draft:claim drafter:draft:create
+  drafter:draft:delete drafter:draft:edit drafter:draft:publish
+  drafter:draft:share drafter:draft:submit drafter:draft:view drafter:job:view
+  drafter:public:view drafter:user:view