Clean up IAM to allow relations w/o explicit definitions

3 years ago · 5645e8fae1
parent a7ed5d09f1
commit 5645e8fae1
2 changed files with 36 additions and 11 deletions
--- a/app/models/iam/Policy.model.js
+++ b/app/models/iam/Policy.model.js
@ -65,34 +65,65 @@ class PolicyModel extends Model {
        return user_denials.length > 0 || group_denials.length > 0
    }

+    static async get_all_related(target_id) {
+        const all = [target_id]
+        const Machine = this.prototype.models.get('ldap:Machine')
+        const MachineGroup = this.prototype.models.get('ldap:MachineGroup')
+
+        const machine = await Machine.findById(target_id)
+        if ( machine?.active ) {
+            const groups = await MachineGroup.find({
+                active: true,
+                machine_ids: machine.id,
+            })
+
+            groups.map(x => all.push(x.id))
+        }
+
+        const group = await MachineGroup.findById(target_id)
+        if ( group?.active ) {
+            const machines = await Machine.find({
+                active: true,
+                _id: {
+                    $in: group.machine_ids.map(x => Machine.to_object_id(x)),
+                }
+            })
+
+            machines.map(x => all.push(x.id))
+        }
+
+        return all
+    }
+
    static async check_user_access(user, target_id) {
        const groups = await user.groups()
        const group_ids = groups.map(x => x.id)
+        const target_ids = await this.get_all_related(target_id)

        const user_approvals = await this.find({
            entity_id: user.id,
-            target_id,
+            target_id: { $in: target_ids },
            access_type: 'allow',
            active: true,
        })

        const user_denials = await this.find({
            entity_id: user.id,
-            target_id,
+            target_id: { $in: target_ids },
            access_type: 'deny',
            active: true,
        })

        const group_approvals = await this.find({
            entity_id: { $in: group_ids },
-            target_id,
+            target_id: { $in: target_ids },
            access_type: 'allow',
            active: true,
        })

        const group_denials = await this.find({
            entity_id: { $in: group_ids },
-            target_id,
+            target_id: { $in: target_ids },
            access_type: 'deny',
            active: true,
        })
--- a/app/models/ldap/Machine.model.js
+++ b/app/models/ldap/Machine.model.js
@ -20,12 +20,6 @@ class MachineModel extends Model {
    }

    async to_api() {
-        let iam_filter = `(|(iamTarget=${this.id})`
-        for ( const group of (await this.groups()) ) {
-            iam_filter += `(iamTarget=${group.id})`
-        }
-        iam_filter += ')'
-
        return {
            id: this.id,
            name: this.name,
@ -33,7 +27,7 @@ class MachineModel extends Model {
            host_name: this.host_name,
            location: this.location,
            ldap_visible: this.ldap_visible,
-            iam_filter,
+            iam_filter: `(|(iamTarget=${this.id}))`,
        }
    }