fix: remove ABAC

Author: CasLubbers

src/authz.ts

@@ -1,6 +1,6 @@
 import { Ability, Subject, subject } from '@casl/ability'
 import Debug from 'debug'
-import { each, forIn, get, isEmpty, isEqual, omit, set } from 'lodash'
+import { each, forIn, get, isEmpty } from 'lodash'
 import { Acl, AclAction, OpenAPIDoc, Schema, SessionUser, TeamAuthz, UserAuthz } from 'src/otomi-models'
 import OtomiStack from 'src/otomi-stack'
 import { extract, flattenObject } from 'src/utils'
@@ -197,50 +197,6 @@ export default class Authz {
     return iCan
   }
 
-  validateWithAbac = (action: string, schemaName: string, teamId: string, body?: any, dataOrig?: any): string[] => {
-    const violatedAttributes: string[] = []
-    if (this.user.roles.includes('platformAdmin')) return violatedAttributes
-
-    if (!['create', 'update'].includes(action))
-      throw new Error('validateWithAbac should only be used for mutating actions')
-    const deniedRoleAttributes = this.getAbacDenied(action, schemaName, teamId)
-    // check if we are denied any attributes by role
-    // also check if we are denied by lack of self service
-    const deniedSelfServiceAttributes = get(
-      this.user.authz,
-      `${teamId}.deniedAttributes.teamMembers`,
-      [],
-    ) as Array<string>
-    // merge denied attributes from both role-based and self-service restrictions
-    const deniedAttributes = [...deniedRoleAttributes, ...deniedSelfServiceAttributes]
-
-    deniedAttributes.forEach((path) => {
-      const val = get(body, path)
-      const origVal = get(dataOrig, path)
-      // undefined value expected for forbidden props, so put back original before save
-      if (val === undefined) set(body, path, origVal)
-      // if a value is provided which is not allowed, mark it as violated
-      else if (!isEqual(val, origVal)) violatedAttributes.push(path)
-    })
-    return violatedAttributes
-  }
-
-  getAbacDenied = (action: string, schemaName: string, teamId: string): string[] => {
-    const schema = this.specRules[schemaName]
-    const aclProps = getAclProps(schema)
-    const violatedAttributes: Array<string> = aclProps.filter(
-      (prop) => !this.validateWithCasl(action, `${schemaName}.${prop}`, teamId),
-    )
-    return violatedAttributes
-  }
-
-  filterWithAbac = (schemaName: string, teamId: string, body: Record<string, any>): any => {
-    if (typeof body !== 'object') return body
-    const deniedRoleAttributes = this.getAbacDenied('read', schemaName, teamId)
-    const ret = (body.length !== undefined ? body : [body]).map((obj) => omit(obj, deniedRoleAttributes))
-    return body.length !== undefined ? ret : ret[0]
-  }
-
   hasSelfService = (teamId: string, attribute: string): boolean => {
     const deniedAttributes = get(this.user.authz, `${teamId}.deniedAttributes.teamMembers`, []) as Array<string>
     return !deniedAttributes.includes(attribute)

src/middleware/authz.ts

@@ -1,12 +1,6 @@
-/* eslint-disable no-param-reassign */
-import { getSpec } from 'src/app'
-import { debug } from 'console'
-import { find } from 'lodash'
-import get from 'lodash/get'
 import Authz from 'src/authz'
 import { HttpError } from 'src/error'
 import { OpenApiRequestExt } from 'src/otomi-models'
-import { RepoService } from '../services/RepoService'
 
 const HttpMethodMapping: Record<string, string> = {
   DELETE: 'delete',
@@ -16,34 +10,12 @@ const HttpMethodMapping: Record<string, string> = {
   PUT: 'update',
 }
 
-function renameKeys(obj: Record<string, any>) {
-  const newKeys = {
-    serviceId: 'id',
-    secretId: 'id',
-  }
-  if (Object.keys(obj).length === 1 && 'teamId' in obj) return { id: obj.teamId }
-  const keyValues = Object.keys(obj).map((key) => {
-    const newKey = newKeys[key] || key
-    return { [newKey]: obj[key] }
-  })
-  return Object.assign({}, ...keyValues)
-}
-
-// const badCode = (code) => code >= 300 || code < 200
-// const wrapResponse = (filter, orig) => {
-//   return function (obj) {
-//     if (badCode(this.statusCode)) return orig(obj)
-//     const ret = filter(obj)
-//     return orig(ret)
-//   }
-// }
-
 /**
  * Authorize a request based on RBAC and ABAC rules.
  * Called by the security handler.
  * Throws HttpError if authorization fails.
  */
-export function authorize(req: OpenApiRequestExt, authz: Authz, repoService: RepoService): void {
+export function authorize(req: OpenApiRequestExt, authz: Authz): void {
   const { body, user } = req
   // express-openapi-validator stores path params in req.openapi.pathParams
   const teamId = req.openapi?.pathParams?.teamId ?? req.params?.teamId ?? req.query?.teamId ?? body?.teamId
@@ -55,8 +27,6 @@ export function authorize(req: OpenApiRequestExt, authz: Authz, repoService: Rep
   // If there is no RBAC then we allow the request
   if (!schemaName) return
 
-  const apiSpec = getSpec().spec
-
   // Initialize rules for the user
   authz.init(user)
 
@@ -80,53 +50,4 @@ export function authorize(req: OpenApiRequestExt, authz: Authz, repoService: Rep
   if (!valid) {
     throw new HttpError(403, `User not allowed to perform "${action}" on "${schemaName}" resource`)
   }
-
-  // Check ABAC permissions for create/update operations
-  const schemaToRepoMap: Record<string, string> = {
-    Service: 'services',
-    Team: 'teamConfig',
-    App: 'apps',
-    Build: 'builds',
-    Workload: 'workloads',
-    Settings: 'otomi',
-    Netpol: 'netpols',
-    Policy: 'policies',
-    SealedSecret: 'sealedSecrets',
-  }
-  const teamSpecificCollections = ['builds', 'services', 'workloads', 'netpols', 'policies', 'sealedSecrets']
-
-  //TODO lookup if we can remove this
-  const collectionId = schemaToRepoMap[schemaName]
-  if (collectionId && ['create', 'update'].includes(action)) {
-    // Look up x-allow-values from the API spec for ABAC validation
-    let dataOrig = get(
-      apiSpec,
-      `components.schemas.TeamSelfService.properties.${schemaName.toLowerCase()}.x-allow-values`,
-      {},
-    )
-
-    if (action === 'update') {
-      try {
-        const pathParams = req.openapi?.pathParams ?? req.params
-        const selector = renameKeys(pathParams)
-        let collection
-        if (teamSpecificCollections.includes(collectionId)) {
-          collection = repoService.getTeamConfigService(teamId).getCollection(collectionId)
-        } else {
-          collection = repoService.getCollection(collectionId)
-        }
-        dataOrig = find(collection, selector) || {}
-      } catch (error) {
-        debug('Error in authorize', error)
-      }
-    }
-
-    const violatedAttributes = authz.validateWithAbac(action, schemaName, teamId, req.body, dataOrig)
-    if (violatedAttributes.length > 0) {
-      throw new HttpError(
-        403,
-        `User not allowed to modify the following attributes: ${violatedAttributes.join(', ')} of ${schemaName} resource`,
-      )
-    }
-  }
 }

src/middleware/security-handlers.ts

@@ -1,4 +1,4 @@
-import { Request, Response } from 'express'
+import { Request } from 'express'
 import { getSpec } from 'src/app'
 import Authz, { getTeamSelfServiceAuthz } from 'src/authz'
 import { OpenApiRequestExt } from 'src/otomi-models'
@@ -38,7 +38,7 @@ export async function groupAuthzSecurityHandler(req: Request, scopes: string[],
   // Perform authorization check
   try {
     const authz = new Authz(getSpec().spec)
-    authorize(extReq, authz, otomiStack.repoService)
+    authorize(extReq, authz)
     return true
   } catch (error: any) {
     // authorize threw an error (e.g., HttpError for 403)