Updates

- session refresh in case of role modification
- better error messages

Author: parmesant

src/handlers/http/modal/ingest/ingestor_role.rs

@@ -16,14 +16,19 @@
  *
  */
 
+use std::collections::HashSet;
+
 use actix_web::{
     web::{self, Json},
     HttpResponse, Responder,
 };
 
 use crate::{
     handlers::http::{modal::utils::rbac_utils::get_metadata, role::RoleError},
-    rbac::{map::mut_roles, role::model::DefaultPrivilege},
+    rbac::{
+        map::{mut_roles, mut_sessions, read_user_groups, users},
+        role::model::DefaultPrivilege,
+    },
     storage,
 };
 
@@ -40,5 +45,25 @@ pub async fn put(
     let _ = storage::put_staging_metadata(&metadata);
     mut_roles().insert(name.clone(), privileges);
 
+    // refresh the sessions of all users using this role
+    // for this, iterate over all user_groups and users and create a hashset of users
+    let mut session_refresh_users: HashSet<String> = HashSet::new();
+    for user_group in read_user_groups().values().cloned() {
+        if user_group.roles.contains(&name) {
+            session_refresh_users.extend(user_group.users);
+        }
+    }
+
+    // iterate over all users to see if they have this role
+    for user in users().values().cloned() {
+        if user.roles.contains(&name) {
+            session_refresh_users.insert(user.username().to_string());
+        }
+    }
+
+    for username in session_refresh_users {
+        mut_sessions().remove_user(&username);
+    }
+
     Ok(HttpResponse::Ok().finish())
 }

src/handlers/http/modal/query/querier_role.rs

@@ -16,6 +16,8 @@
  *
  */
 
+use std::collections::HashSet;
+
 use actix_web::{
     web::{self, Json},
     HttpResponse, Responder,
@@ -27,7 +29,10 @@ use crate::{
         modal::utils::rbac_utils::{get_metadata, put_metadata},
         role::RoleError,
     },
-    rbac::{map::mut_roles, role::model::DefaultPrivilege},
+    rbac::{
+        map::{mut_roles, mut_sessions, read_user_groups, users},
+        role::model::DefaultPrivilege,
+    },
 };
 
 // Handler for PUT /api/v1/role/{name}
@@ -43,6 +48,26 @@ pub async fn put(
     put_metadata(&metadata).await?;
     mut_roles().insert(name.clone(), privileges.clone());
 
+    // refresh the sessions of all users using this role
+    // for this, iterate over all user_groups and users and create a hashset of users
+    let mut session_refresh_users: HashSet<String> = HashSet::new();
+    for user_group in read_user_groups().values().cloned() {
+        if user_group.roles.contains(&name) {
+            session_refresh_users.extend(user_group.users);
+        }
+    }
+
+    // iterate over all users to see if they have this role
+    for user in users().values().cloned() {
+        if user.roles.contains(&name) {
+            session_refresh_users.insert(user.username().to_string());
+        }
+    }
+
+    for username in session_refresh_users {
+        mut_sessions().remove_user(&username);
+    }
+
     sync_role_update_with_ingestors(name.clone(), privileges.clone()).await?;
 
     Ok(HttpResponse::Ok().finish())

src/handlers/http/rbac.rs

@@ -379,9 +379,9 @@ pub enum RBACError {
     Anyhow(#[from] anyhow::Error),
     #[error("User cannot be created without a role")]
     RoleValidationError,
-    #[error("User group already exists: '{0}'")]
+    #[error("User group `{0}` already exists")]
     UserGroupExists(String),
-    #[error("UserGroup does not exist: {0}")]
+    #[error("UserGroup `{0}` does not exist")]
     UserGroupDoesNotExist(String),
     #[error("Invalid Roles: {0:?}")]
     RolesDoNotExist(Vec<String>),
@@ -391,9 +391,9 @@ pub enum RBACError {
     InvalidUserGroupRequest(Box<InvalidUserGroupError>),
     #[error("{0}")]
     InvalidSyncOperation(String),
-    #[error("User group still being used by users: {0}")]
+    #[error("User group `{0}` is still being used")]
     UserGroupNotEmpty(String),
-    #[error("Resource in use: {0}")]
+    #[error("Resource `{0}` is still in use")]
     ResourceInUse(String),
     #[error("{0}")]
     InvalidDeletionRequest(String),

src/handlers/http/role.rs

@@ -16,6 +16,8 @@
  *
  */
 
+use std::collections::HashSet;
+
 use actix_web::{
     http::header::ContentType,
     web::{self, Json},
@@ -26,7 +28,7 @@ use http::StatusCode;
 use crate::{
     parseable::PARSEABLE,
     rbac::{
-        map::{mut_roles, DEFAULT_ROLE},
+        map::{mut_roles, mut_sessions, read_user_groups, users, DEFAULT_ROLE},
         role::model::DefaultPrivilege,
     },
     storage::{self, ObjectStorageError, StorageMetadata},
@@ -45,6 +47,26 @@ pub async fn put(
     put_metadata(&metadata).await?;
     mut_roles().insert(name.clone(), privileges.clone());
 
+    // refresh the sessions of all users using this role
+    // for this, iterate over all user_groups and users and create a hashset of users
+    let mut session_refresh_users: HashSet<String> = HashSet::new();
+    for user_group in read_user_groups().values().cloned() {
+        if user_group.roles.contains(&name) {
+            session_refresh_users.extend(user_group.users);
+        }
+    }
+
+    // iterate over all users to see if they have this role
+    for user in users().values().cloned() {
+        if user.roles.contains(&name) {
+            session_refresh_users.insert(user.username().to_string());
+        }
+    }
+
+    for username in session_refresh_users {
+        mut_sessions().remove_user(&username);
+    }
+
     Ok(HttpResponse::Ok().finish())
 }