Policy instance update (#520)

* GET policy endpoints for users, teams & organization

* tests for hapi-16

* tests added to hapi17

* npm snuck in on update, removed here

* policy instance updates on PUT endpoints

* merge conflict fixes

* merge issue fix, duplicated function removed

* List policy instances (#521)

* list policy instances

* core tests and swagger docs

* endToEnd tests for instances endpoints

* swagger update for hapi-17

* copyright and license second entry removed

* policy search incorrect tag

* updated swagger, policy search position corrected

CHANGES.md

@@ -7,9 +7,10 @@ Features, enhancements:
 -   Promises support [commit](https://github.com/nearform/udaru/pull/508)
 -   Hooks support [commit](https://github.com/nearform/udaru/pull/503)
 -   Policy instance now returned when associating policy with user,team,org, which can be passed as param to DELETE to delete a specific instance
--   Policy context variables added, which can be used in policy resources and policy condition elements
--   Policy search endpoint added
+-   Policy context variables support added, which can be used in policy resources and policy condition elements
+-   GET Policy search endpoint added
 -   GET Policy variables endpoint added
+-   GET Policy instances endpoint added
 -   GET Policy endpoints added to users, teams and organizations
 
 ## 4.1.0 - March 12, 2018

README.md

@@ -308,8 +308,6 @@ See the [sqlmap][] repository for more details.
 
 ## License
 
-Copyright nearForm Ltd 2017. Licensed under [MIT][license].
-
 [license]: ./LICENSE.md
 [travis-badge]: https://travis-ci.org/nearform/udaru-hapi-plugin.svg?branch=master
 [travis-url]: https://travis-ci.org/nearform/udaru-hapi-plugin
@@ -333,9 +331,7 @@ Copyright nearForm Ltd 2017. Licensed under [MIT][license].
 [npm-udaru-core]: https://www.npmjs.com/package/@nearform/udaru-core
 [udaru-hapi-plugin]: https://www.npmjs.com/package/udaru/@nearform/udaru-hapi-plugin
 [udaru-hapi-16-plugin]: https://www.npmjs.com/package/udaru/@nearform/udaru-hapi-16-plugin
-[udaru-hapi-server]: https://www.npmjs.com/package/udaru/@nearform/udaru-hapi-server
-
-## License
+[udaru-hapi-server]: https://www.npmjs.com/package/udaru/@nearform/udaru-hapi-serve
 
 Copyright nearForm Ltd 2017-2018. Licensed under [MIT license](https://choosealicense.com/licenses/mit).
 

docs/overview.md

@@ -44,16 +44,18 @@ A brief overview of the Management API calls are as follows, see the [Swagger Do
 |/authorization/organizations/{id}/policies|GET|List an organization's policies|
 |/authorization/organizations/{id}/policies|DELETE|Clear all policies of the organization|
 |/authorization/organizations/{id}/policies|POST|Clear and replace the policies of an organization|
-|/authorization/organizations/{id}/policies|PUT|Add one or more policies to an organization|
+|/authorization/organizations/{id}/policies|PUT|Add/Edit organization policies|
 |/authorization/organizations/{id}/policies/{policyId}|DELETE|Remove a policy associated with an organization|
 |/authorization/policies|GET|Fetch all the defined policies|
 |/authorization/policies/search|GET|Search for policies by name|
 |/authorization/policies/{id}|GET|Fetch a single policy by ID|
 |/authorization/policies/{id}/variables|GET|Fetch a template policy's variables by ID|
+|/authorization/policies/{id}/instances|GET|Fetch instances of a policy by ID|
 |/authorization/shared-policies|GET|Fetch all the defined shared policies|
 |/authorization/shared-policies/search|GET|Search for shared policies by name|
 |/authorization/shared-policies/{id}|GET|Fetch a single shared policy|
 |/authorization/shared-policies/{id}/variables|GET|Fetch a template shared policy's variables by ID|
+|/authorization/shared-policies/{id}/instances|GET|Fetch instances of a shared policy by ID|
 |/authorization/teams|POST|Create a team|
 |/authorization/teams|GET|Fetch all teams from the current user organization|
 |/authorization/teams/search|GET|Search for teams from the current user organization|
@@ -63,7 +65,7 @@ A brief overview of the Management API calls are as follows, see the [Swagger Do
 |/authorization/teams/{id}/nest|PUT|Nest a team|
 |/authorization/teams/{id}/nested|GET|Fetch a nested team given its identifier|
 |/authorization/teams/{id}/policies|GET|List a team's policies|
-|/authorization/teams/{id}/policies|PUT|Add one or more policies to a team|
+|/authorization/teams/{id}/policies|PUT|Add/Edit team policies|
 |/authorization/teams/{id}/policies|DELETE|Clear all team policies|
 |/authorization/teams/{id}/policies|POST|Clear and replace policies for a team|
 |/authorization/teams/{id}/unnest|PUT|Unnest a team|
@@ -82,7 +84,7 @@ A brief overview of the Management API calls are as follows, see the [Swagger Do
 |/authorization/users/{id}|PUT|Update a user|
 |/authorization/users/{id}/policies|GET|List a user's policies|
 |/authorization/users/{id}/policies|DELETE|Clear all user's policies|
-|/authorization/users/{id}/policies|PUT|Add one or more policies to a user|
+|/authorization/users/{id}/policies|PUT|Add/Edit user policies|
 |/authorization/users/{id}/policies|POST|Clear and replace policies for a user|
 |/authorization/users/{id}/teams|DELETE|Delete teams for a user|
 |/authorization/users/{id}/teams|POST|Clear and replace user teams|
@@ -199,7 +201,7 @@ For a detailed description of the condition operators see the [AWS Policy Condit
 
 ### Template Policies
 
-In order to reduce complexity and duplication Udaru introduces template Policies.
+In order to reduce complexity and duplication Udaru introduces Policy Templates.
 
 For an example let's assume we want to create a generic Policy "can read document".
 
@@ -220,7 +222,7 @@ The regular way to do it would be with something like
 
 This will work, but is fixed to "document-1".
 
-With Template Policies you could create
+With Policies Templates you could create
 
 ```javascript
 {
@@ -252,7 +254,22 @@ When a Policy is assigned to a User (or a Team) an additional object can be prov
 
 Currently we support variables in the Resource part of the Policy statement (similar to what PBAC already does).
 
-Once a policy instance is created, it is assigned an instance id, which is returned as a property of the policy instance in the policies array. This can be used to identify and delete that single instance of the policy using the query param 'instance' using the same endpoints to disassociate policies from users, teams and organizations.
+Once a Policy Instance is created, it is auto-assigned an instance ID, which is returned as a property of the Policy Instance in the policies array. This can be used to identify and delete that single instance of the Policy Template using the query param 'instance' using the same endpoints to disassociate policies from users, teams and organizations.
+
+Policy Instances can be updated by specifying the instance ID in the PUT payload on organizations, teams and users as follows.
+
+Policy Variables can be listed using the variables endpoint on the policies and shared-policies routes.
+
+Policy Instances associated with a Policy Template can be listed using the instances endpoint one the policies and shared-policies routes
+
+```javascript
+{
+  id: 'Policy ID',
+  variables: {documentId: 'document-1'},
+  instance: 1
+}
+```
+Omitting an instance id will either cause a the creation of a new policy instance or cause a violation constraint if the variable already exists with the same value.
 
 ## Shared Policies
 

docs/swagger/index.html

@@ -1,96 +1,62 @@
 <!-- HTML for static distribution bundle build -->
 <!DOCTYPE html>
 <html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <title>Swagger UI</title>
-  <link href="https://fonts.googleapis.com/css?family=Open+Sans:400,700|Source+Code+Pro:300,600|Titillium+Web:400,600,700" rel="stylesheet">
-  <link rel="stylesheet" type="text/css" href="./swagger-ui.css" >
+  <head>
+    <meta charset="UTF-8">
+    <title>Swagger UI</title>
+    <link href="https://fonts.googleapis.com/css?family=Open+Sans:400,700|Source+Code+Pro:300,600|Titillium+Web:400,600,700" rel="stylesheet">
+    <link rel="stylesheet" type="text/css" href="./swagger-ui.css" >
 	<link rel="stylesheet" type="text/css" href="./swagger-udaru.css" >
-  <link rel="icon" type="image/png" href="./favicon-32x32.png" sizes="32x32" />
-  <link rel="icon" type="image/png" href="./favicon-16x16.png" sizes="16x16" />
-  <style>
-    html
-    {
-      box-sizing: border-box;
-      overflow: -moz-scrollbars-vertical;
-      overflow-y: scroll;
+    <link rel="icon" type="image/png" href="./favicon-32x32.png" sizes="32x32" />
+    <link rel="icon" type="image/png" href="./favicon-16x16.png" sizes="16x16" />
+    <style>
+      html
+      {
+        box-sizing: border-box;
+        overflow: -moz-scrollbars-vertical;
+        overflow-y: scroll;
+      }
+
+      *,
+      *:before,
+      *:after
+      {
+        box-sizing: inherit;
+      }
+
+      body
+      {
+        margin:0;
+        background: #fafafa;
+      }
+    </style>
+  </head>
+
+  <body>
+    <div id="swagger-ui"></div>
+
+    <script src="./swagger-ui-bundle.js"> </script>
+    <script src="./swagger-ui-standalone-preset.js"> </script>
+    <script>
+    window.onload = function() {
+
+      // Build a system
+      const ui = SwaggerUIBundle({
+        url: "http://petstore.swagger.io/v2/swagger.json",
+        dom_id: '#swagger-ui',
+        deepLinking: true,
+        presets: [
+          SwaggerUIBundle.presets.apis,
+          SwaggerUIStandalonePreset
+        ],
+        plugins: [
+          SwaggerUIBundle.plugins.DownloadUrl
+        ],
+        layout: "StandaloneLayout"
+      })
+
+      window.ui = ui
     }
-    *,
-    *:before,
-    *:after
-    {
-      box-sizing: inherit;
-    }
-
-    body {
-      margin:0;
-      background: #fafafa;
-    }
-  </style>
-</head>
-
-<body>
-
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" style="position:absolute;width:0;height:0">
-  <defs>
-    <symbol viewBox="0 0 20 20" id="unlocked">
-          <path d="M15.8 8H14V5.6C14 2.703 12.665 1 10 1 7.334 1 6 2.703 6 5.6V6h2v-.801C8 3.754 8.797 3 10 3c1.203 0 2 .754 2 2.199V8H4c-.553 0-1 .646-1 1.199V17c0 .549.428 1.139.951 1.307l1.197.387C5.672 18.861 6.55 19 7.1 19h5.8c.549 0 1.428-.139 1.951-.307l1.196-.387c.524-.167.953-.757.953-1.306V9.199C17 8.646 16.352 8 15.8 8z"></path>
-    </symbol>
-
-    <symbol viewBox="0 0 20 20" id="locked">
-      <path d="M15.8 8H14V5.6C14 2.703 12.665 1 10 1 7.334 1 6 2.703 6 5.6V8H4c-.553 0-1 .646-1 1.199V17c0 .549.428 1.139.951 1.307l1.197.387C5.672 18.861 6.55 19 7.1 19h5.8c.549 0 1.428-.139 1.951-.307l1.196-.387c.524-.167.953-.757.953-1.306V9.199C17 8.646 16.352 8 15.8 8zM12 8H8V5.199C8 3.754 8.797 3 10 3c1.203 0 2 .754 2 2.199V8z"/>
-    </symbol>
-
-    <symbol viewBox="0 0 20 20" id="close">
-      <path d="M14.348 14.849c-.469.469-1.229.469-1.697 0L10 11.819l-2.651 3.029c-.469.469-1.229.469-1.697 0-.469-.469-.469-1.229 0-1.697l2.758-3.15-2.759-3.152c-.469-.469-.469-1.228 0-1.697.469-.469 1.228-.469 1.697 0L10 8.183l2.651-3.031c.469-.469 1.228-.469 1.697 0 .469.469.469 1.229 0 1.697l-2.758 3.152 2.758 3.15c.469.469.469 1.229 0 1.698z"/>
-    </symbol>
-
-    <symbol viewBox="0 0 20 20" id="large-arrow">
-      <path d="M13.25 10L6.109 2.58c-.268-.27-.268-.707 0-.979.268-.27.701-.27.969 0l7.83 7.908c.268.271.268.709 0 .979l-7.83 7.908c-.268.271-.701.27-.969 0-.268-.269-.268-.707 0-.979L13.25 10z"/>
-    </symbol>
-
-    <symbol viewBox="0 0 20 20" id="large-arrow-down">
-      <path d="M17.418 6.109c.272-.268.709-.268.979 0s.271.701 0 .969l-7.908 7.83c-.27.268-.707.268-.979 0l-7.908-7.83c-.27-.268-.27-.701 0-.969.271-.268.709-.268.979 0L10 13.25l7.418-7.141z"/>
-    </symbol>
-
-
-    <symbol viewBox="0 0 24 24" id="jump-to">
-      <path d="M19 7v4H5.83l3.58-3.59L8 6l-6 6 6 6 1.41-1.41L5.83 13H21V7z"/>
-    </symbol>
-
-    <symbol viewBox="0 0 24 24" id="expand">
-      <path d="M10 18h4v-2h-4v2zM3 6v2h18V6H3zm3 7h12v-2H6v2z"/>
-    </symbol>
-
-  </defs>
-</svg>
-
-<div id="swagger-ui"></div>
-
-<script src="./swagger-ui-bundle.js"> </script>
-<script src="./swagger-ui-standalone-preset.js"> </script>
-<script src='./swagger-json.js' type="text/javascript"></script>
-<script>
-window.onload = function() {
-
-  // Build a system
-  const ui = SwaggerUIBundle({
-    spec: swaggerJSON,
-    dom_id: '#swagger-ui',
-    presets: [
-      SwaggerUIBundle.presets.apis,
-      SwaggerUIStandalonePreset
-    ],
-    plugins: [
-      SwaggerUIBundle.plugins.DownloadUrl
-    ],
-    layout: "StandaloneLayout"
-  })
-
-  window.ui = ui
-}
-</script>
-</body>
-
+  </script>
+  </body>
 </html>

package.json

@@ -65,8 +65,7 @@
   "pre-commit": [
     "test:commit-check"
   ],
-  "dependencies": {
-  },
+  "dependencies": {},
   "devDependencies": {
     "depcheck": "^0.6.9",
     "joi": "^13.1.2",

packages/udaru-core/auth.js

@@ -22,6 +22,7 @@ const Actions = {
   DeleteOrganization: 'authorization:organizations:delete',
   ListOrganizations: 'authorization:organizations:list',
   AddOrganizationPolicy: 'authorization:organizations:policy:add',
+  AmendOrganizationPolicies: 'authorization:organizations:policy:amend',
   ReplaceOrganizationPolicy: 'authorization:organizations:policy:replace',
   RemoveOrganizationPolicy: 'authorization:organizations:policy:remove',
   ListOrganizationPolicies: 'authorization:organizations:policies',
@@ -37,6 +38,7 @@ const Actions = {
   SearchTeamsUsers: 'authorization:teams:users:search',
   ManageTeams: 'authorization:teams:manage',
   AddTeamPolicy: 'authorization:teams:policy:add',
+  AmendTeamPolicies: 'authorization:teams:policy:amend',
   ReplaceTeamPolicy: 'authorization:teams:policy:replace',
   RemoveTeamPolicy: 'authorization:teams:policy:remove',
   AddTeamMember: 'authorization:teams:user:add',
@@ -55,6 +57,7 @@ const Actions = {
   SearchUsers: 'authorization:users:search',
   AddUserPolicy: 'authorization:users:policy:add',
   ReplaceUserPolicy: 'authorization:users:policy:replace',
+  AmendUserPolicies: 'authorization:users:policy:amend',
   RemoveUserPolicy: 'authorization:users:policy:remove',
   ListUserTeams: 'authorization:users:teams:list',
   ReplaceUserTeams: 'authorization:users:teams:replace',
@@ -70,6 +73,7 @@ const Actions = {
   ListPolicies: 'authorization:policies:list',
   SearchPolicies: 'authorization:policies:search',
   ReadPolicyVariables: 'authorization:policies:variables',
+  ListPolicyInstances: 'authorization:policies:instances',
   AllPolicy: 'authorization:policies:*',
 
   // authorization

packages/udaru-core/config.js

@@ -66,7 +66,7 @@ const defaultConfig = {
               },
               {
                 Effect: 'Allow',
-                Action: [Action.ListPolicies],
+                Action: [Action.ListPolicyInstances],
                 Resource: [resources.policies({ organizationId: ':organizationId' })]
               }
             ]

packages/udaru-core/index.js

@@ -49,6 +49,7 @@ function buildUdaruCore (dbPool, config) {
       delete: hooks.wrap('organization:delete', organizationOps.deleteById),
       update: hooks.wrap('organization:update', organizationOps.update),
       addPolicies: hooks.wrap('organization:addPolicies', organizationOps.addOrganizationPolicies),
+      amendPolicies: hooks.wrap('organization:amendPolicies', organizationOps.amendOrganizationPolicies),
       replacePolicies: hooks.wrap('organization:replacePolicies', organizationOps.replaceOrganizationPolicies),
       deletePolicies: hooks.wrap('organization:deletePolicies', organizationOps.deleteOrganizationAttachedPolicies),
       deletePolicy: hooks.wrap('organization:deletePolicy', organizationOps.deleteOrganizationAttachedPolicy),
@@ -67,7 +68,8 @@ function buildUdaruCore (dbPool, config) {
       deleteShared: hooks.wrap('policy:deleteShared', policyOps.deleteSharedPolicy),
       readShared: hooks.wrap('policy:readShared', policyOps.readSharedPolicy),
       search: hooks.wrap('policy:search', policyOps.search),
-      readPolicyVariables: hooks.wrap('policy:variables', policyOps.readPolicyVariables)
+      readPolicyVariables: hooks.wrap('policy:variables', policyOps.readPolicyVariables),
+      listPolicyInstances: hooks.wrap('policy:variables', policyOps.listPolicyInstances)
     },
 
     teams: {
@@ -80,6 +82,7 @@ function buildUdaruCore (dbPool, config) {
       listUsers: hooks.wrap('team:listUsers', teamOps.readTeamUsers),
       replacePolicies: hooks.wrap('team:replacePolicies', teamOps.replaceTeamPolicies),
       addPolicies: hooks.wrap('team:addPolicies', teamOps.addTeamPolicies),
+      amendPolicies: hooks.wrap('team:amendPolicies', teamOps.amendTeamPolicies),
       deletePolicies: hooks.wrap('team:deletePolicies', teamOps.deleteTeamPolicies),
       deletePolicy: hooks.wrap('team:deletePolicy', teamOps.deleteTeamPolicy),
       addUsers: hooks.wrap('team:addUsers', teamOps.addUsersToTeam),
@@ -100,6 +103,7 @@ function buildUdaruCore (dbPool, config) {
       delete: hooks.wrap('users:delete', userOps.deleteUser),
       replacePolicies: hooks.wrap('users:replacePolicies', userOps.replaceUserPolicies),
       addPolicies: hooks.wrap('users:addPolicies', userOps.addUserPolicies),
+      amendPolicies: hooks.wrap('users:amendPolicies', userOps.amendUserPolicies),
       deletePolicies: hooks.wrap('users:deletePolicies', userOps.deleteUserPolicies),
       deletePolicy: hooks.wrap('users:deletePolicy', userOps.deleteUserPolicy),
       listUserTeams: hooks.wrap('users:listUserTeams', userOps.listUserTeams),

packages/udaru-core/lib/mapping.js

@@ -59,8 +59,18 @@ function mapPolicySimple (row) {
   }
 }
 
+function mapPolicyInstances (row) {
+  return {
+    entityType: row.entity_type,
+    entityId: row.entity_id,
+    instance: row.policy_instance,
+    variables: row.variables || {}
+  }
+}
+
 mapPolicy.iam = mapIamPolicy
 mapPolicy.simple = mapPolicySimple
+mapPolicy.instances = mapPolicyInstances
 
 function mapUser (row) {
   var user = { id: row.id,