feat: add alias permissions to RBAC

Author: bevzzz

src/roles/index.ts

@@ -5,6 +5,7 @@ import {
   Role as WeaviateRole,
 } from '../openapi/types.js';
 import {
+  AliasPermission,
   BackupsPermission,
   ClusterPermission,
   CollectionsPermission,
@@ -150,6 +151,32 @@ const roles = (connection: ConnectionREST): Roles => {
 };
 
 export const permissions = {
+  /**
+   * Create a set of permissions specific to Weaviate's collection aliasing functionality.
+   *
+   * For all collections, provide the `collection` argument as `'*'`.
+   *
+   * @param {string | string[]} [args.alias] Aliases to create permissions for.
+   * @returns {BackupsPermission[]} The permissions for the specified collections.
+   */
+  aliases: (args: {
+    alias: string | string[];
+    create?: boolean;
+    read?: boolean;
+    update?: boolean;
+    delete?: boolean;
+  }): AliasPermission[] => {
+    const aliases = Array.isArray(args.alias) ? args.alias : [args.alias];
+    return aliases.flatMap((alias) => {
+      const out: AliasPermission = { alias, actions: [] };
+      if (args.create) out.actions.push('create_aliases');
+      if (args.read) out.actions.push('read_aliases');
+      if (args.update) out.actions.push('update_aliases');
+      if (args.delete) out.actions.push('delete_aliases');
+      return out;
+    });
+  },
+
   /**
    * Create a set of permissions specific to Weaviate's backup functionality.
    *

src/roles/integration.test.ts

@@ -16,9 +16,11 @@ type TestCase = {
   roleName: string;
   permissions: Permission[];
   expected: Role;
+  requireVersion?: [number, number, number];
 };
 
 const emptyPermissions = {
+  aliasPermissions: [],
   backupsPermissions: [],
   clusterPermissions: [],
   collectionsPermissions: [],
@@ -277,6 +279,20 @@ const testCases: TestCase[] = [
       usersPermissions: [{ users: 'some-user', actions: ['assign_and_revoke_users', 'read_users'] }],
     },
   },
+  {
+    roleName: 'aliases',
+    requireVersion: [1, 32, 0],
+    permissions: weaviate.permissions.aliases({
+      alias: 'SomeAlias',
+      create: true,
+      delete: true,
+    }),
+    expected: {
+      name: 'aliases',
+      ...emptyPermissions,
+      aliasPermissions: [{ alias: 'SomeAlias', actions: ['create_aliases', 'delete_aliases'] }],
+    }
+  },
 ];
 
 requireAtLeast(1, 29, 0).describe('Integration testing of the roles namespace', () => {
@@ -345,11 +361,13 @@ requireAtLeast(1, 29, 0).describe('Integration testing of the roles namespace',
 
   describe('should be able to create roles using the permissions factory', () => {
     testCases.forEach((testCase) => {
-      it(`with ${testCase.roleName} permissions`, async () => {
-        await client.roles.create(testCase.roleName, testCase.permissions);
-        const role = await client.roles.byName(testCase.roleName);
-        expect(role).toEqual(testCase.expected);
-      });
+      (testCase.requireVersion !== undefined
+        ? requireAtLeast(...testCase.requireVersion).it
+        : it)(`with ${testCase.roleName} permissions`, async () => {
+          await client.roles.create(testCase.roleName, testCase.permissions);
+          const role = await client.roles.byName(testCase.roleName);
+          expect(role).toEqual(testCase.expected);
+        });
     });
   });
 

src/roles/types.ts

@@ -1,5 +1,6 @@
 import { Action, WeaviateUserType } from '../openapi/types.js';
 
+export type AliasAction = Extract<Action, 'create_aliases' | 'read_aliases' | 'update_aliases' | 'delete_aliases'>;
 export type BackupsAction = Extract<Action, 'manage_backups'>;
 export type ClusterAction = Extract<Action, 'read_cluster'>;
 export type CollectionsAction = Extract<
@@ -27,6 +28,11 @@ export type UserAssignment = {
   userType: WeaviateUserType;
 };
 
+export type AliasPermission = {
+  alias: string;
+  actions: AliasAction[];
+}
+
 export type BackupsPermission = {
   collection: string;
   actions: BackupsAction[];
@@ -71,6 +77,7 @@ export type UsersPermission = {
 
 export type Role = {
   name: string;
+  aliasPermissions: AliasPermission[];
   backupsPermissions: BackupsPermission[];
   clusterPermissions: ClusterPermission[];
   collectionsPermissions: CollectionsPermission[];
@@ -82,6 +89,7 @@ export type Role = {
 };
 
 export type Permission =
+  | AliasPermission
   | BackupsPermission
   | ClusterPermission
   | CollectionsPermission

src/roles/util.ts

@@ -7,6 +7,8 @@ import {
 } from '../openapi/types.js';
 import { User, UserDB } from '../users/types.js';
 import {
+  AliasAction,
+  AliasPermission,
   BackupsAction,
   BackupsPermission,
   ClusterAction,
@@ -35,6 +37,14 @@ const ZERO_TIME = '0001-01-01T00:00:00.000Z';
 export class PermissionGuards {
   private static includes = <A extends string>(permission: Permission, ...actions: A[]): boolean =>
     actions.filter((a) => Array.from<string>(permission.actions).includes(a)).length > 0;
+  static isAlias = (permission: Permission): permission is AliasPermission =>
+    PermissionGuards.includes<AliasAction>(
+      permission,
+      'create_aliases',
+      'read_aliases',
+      'update_aliases',
+      'delete_aliases',
+    );
   static isBackups = (permission: Permission): permission is BackupsPermission =>
     PermissionGuards.includes<BackupsAction>(permission, 'manage_backups');
   static isCluster = (permission: Permission): permission is ClusterPermission =>
@@ -94,6 +104,12 @@ export class Map {
     !Array.isArray(permissions) ? [permissions] : permissions.flat(2);
 
   static permissionToWeaviate = (permission: Permission): WeaviatePermission[] => {
+    if (PermissionGuards.isAlias(permission)) {
+      return Array.from(permission.actions).map((action) => ({
+        aliases: permission,
+        action,
+      }));
+    }
     if (PermissionGuards.isBackups(permission)) {
       return Array.from(permission.actions).map((action) => ({
         backups: permission,
@@ -178,6 +194,7 @@ class PermissionsMapping {
 
   private constructor(role: WeaviateRole) {
     this.mappings = {
+      aliases: {},
       backups: {},
       cluster: {},
       collections: {},
@@ -200,6 +217,7 @@ class PermissionsMapping {
     }
     return {
       name: this.role.name,
+      aliasPermissions: Object.values(this.mappings.aliases),
       backupsPermissions: Object.values(this.mappings.backups),
       clusterPermissions: Object.values(this.mappings.cluster),
       collectionsPermissions: Object.values(this.mappings.collections),
@@ -211,6 +229,15 @@ class PermissionsMapping {
     };
   };
 
+  private aliases = (permission: WeaviatePermission) => {
+    if (permission.aliases !== undefined) {
+      const key = permission.aliases.alias;
+      if (key === undefined) throw new Error('Alias permission missing an alias');
+      if (this.mappings.aliases[key] === undefined) this.mappings.aliases[key] = { alias: key, actions: [] };
+      this.mappings.aliases[key].actions.push(permission.action as AliasAction);
+    }
+  }
+
   private backups = (permission: WeaviatePermission) => {
     if (permission.backups !== undefined) {
       const key = permission.backups.collection;
@@ -295,6 +322,7 @@ class PermissionsMapping {
   };
 
   private permissionFromWeaviate = (permission: WeaviatePermission) => {
+    this.aliases(permission);
     this.backups(permission);
     this.cluster(permission);
     this.collections(permission);
@@ -307,6 +335,7 @@ class PermissionsMapping {
 }
 
 type PermissionMappings = {
+  aliases: Record<string, AliasPermission>;
   backups: Record<string, BackupsPermission>;
   cluster: Record<string, ClusterPermission>;
   collections: Record<string, CollectionsPermission>;