forked from opensearch-project/OpenSearch-Dashboards
-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add workspace saved objects client wrapper #51
Merged
wanglam
merged 6 commits into
ruanyl:workspace
from
wanglam:feat-add-workspace-saved-objects-client-wrapper
Jul 21, 2023
Merged
Changes from all commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
1e6f878
add workspace savedd objects client wrapper
wanglam 3d2a451
feat: add more methods to saved objects client wrapper
wanglam ecd356e
feat: add findWithWorkspacePermissionControl in workspace saved objec…
wanglam b098b3b
feat: throw 451 instead of interval error
wanglam 51ade6d
chore: fix workspace client init method type error
wanglam a5b7e17
feat: fix workspaces attribute type error in client wrapper
wanglam File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
188 changes: 188 additions & 0 deletions
188
src/core/server/workspaces/saved_objects/workspace_saved_objects_client_wrapper.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,188 @@ | ||
/* | ||
* Copyright OpenSearch Contributors | ||
* SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
import { i18n } from '@osd/i18n'; | ||
import Boom from '@hapi/boom'; | ||
|
||
import { | ||
OpenSearchDashboardsRequest, | ||
SavedObject, | ||
SavedObjectsBaseOptions, | ||
SavedObjectsBulkCreateObject, | ||
SavedObjectsBulkGetObject, | ||
SavedObjectsBulkResponse, | ||
SavedObjectsClientWrapperFactory, | ||
SavedObjectsCreateOptions, | ||
SavedObjectsDeleteOptions, | ||
SavedObjectsFindOptions, | ||
} from 'opensearch-dashboards/server'; | ||
import { | ||
WorkspacePermissionControl, | ||
WorkspacePermissionMode, | ||
} from '../workspace_permission_control'; | ||
|
||
// Can't throw unauthorized for now, the page will be refreshed if unauthorized | ||
const generateWorkspacePermissionError = () => | ||
Boom.illegal( | ||
i18n.translate('workspace.permission.invalidate', { | ||
defaultMessage: 'Invalidate workspace permission', | ||
}) | ||
); | ||
|
||
interface AttributesWithWorkspaces { | ||
workspaces: string[]; | ||
} | ||
|
||
const isWorkspacesLikeAttributes = (attributes: unknown): attributes is AttributesWithWorkspaces => | ||
typeof attributes === 'object' && | ||
!!attributes && | ||
attributes.hasOwnProperty('workspaces') && | ||
Array.isArray((attributes as { workspaces: unknown }).workspaces); | ||
|
||
export class WorkspaceSavedObjectsClientWrapper { | ||
private async validateMultiWorkspacesPermissions( | ||
workspaces: string[] | undefined, | ||
request: OpenSearchDashboardsRequest, | ||
permissionMode: WorkspacePermissionMode | WorkspacePermissionMode[] | ||
) { | ||
if (!workspaces) { | ||
return; | ||
} | ||
for (const workspaceId of workspaces) { | ||
if (!(await this.permissionControl.validate(workspaceId, permissionMode, request))) { | ||
throw generateWorkspacePermissionError(); | ||
} | ||
} | ||
} | ||
|
||
private async validateAtLeastOnePermittedWorkspaces( | ||
workspaces: string[] | undefined, | ||
request: OpenSearchDashboardsRequest, | ||
permissionMode: WorkspacePermissionMode | WorkspacePermissionMode[] | ||
) { | ||
if (!workspaces) { | ||
return; | ||
} | ||
let permitted = false; | ||
for (const workspaceId of workspaces) { | ||
if (await this.permissionControl.validate(workspaceId, permissionMode, request)) { | ||
permitted = true; | ||
break; | ||
} | ||
} | ||
if (!permitted) { | ||
throw generateWorkspacePermissionError(); | ||
} | ||
} | ||
|
||
public wrapperFactory: SavedObjectsClientWrapperFactory = (wrapperOptions) => { | ||
const deleteWithWorkspacePermissionControl = async ( | ||
type: string, | ||
id: string, | ||
options: SavedObjectsDeleteOptions = {} | ||
) => { | ||
const objectToDeleted = await wrapperOptions.client.get(type, id, options); | ||
await this.validateMultiWorkspacesPermissions( | ||
objectToDeleted.workspaces, | ||
wrapperOptions.request, | ||
WorkspacePermissionMode.Admin | ||
); | ||
return await wrapperOptions.client.delete(type, id, options); | ||
}; | ||
|
||
const bulkCreateWithWorkspacePermissionControl = async <T = unknown>( | ||
objects: Array<SavedObjectsBulkCreateObject<T>>, | ||
options: SavedObjectsCreateOptions = {} | ||
): Promise<SavedObjectsBulkResponse<T>> => { | ||
return await wrapperOptions.client.bulkCreate(objects, options); | ||
}; | ||
|
||
const createWithWorkspacePermissionControl = async <T = unknown>( | ||
type: string, | ||
attributes: T, | ||
options?: SavedObjectsCreateOptions | ||
) => { | ||
if (isWorkspacesLikeAttributes(attributes)) { | ||
await this.validateMultiWorkspacesPermissions( | ||
attributes.workspaces, | ||
wrapperOptions.request, | ||
WorkspacePermissionMode.Admin | ||
); | ||
} | ||
return await wrapperOptions.client.create(type, attributes, options); | ||
}; | ||
|
||
const getWithWorkspacePermissionControl = async <T = unknown>( | ||
type: string, | ||
id: string, | ||
options: SavedObjectsBaseOptions = {} | ||
): Promise<SavedObject<T>> => { | ||
const objectToGet = await wrapperOptions.client.get<T>(type, id, options); | ||
await this.validateAtLeastOnePermittedWorkspaces( | ||
objectToGet.workspaces, | ||
wrapperOptions.request, | ||
WorkspacePermissionMode.Read | ||
); | ||
return objectToGet; | ||
}; | ||
|
||
const bulkGetWithWorkspacePermissionControl = async <T = unknown>( | ||
objects: SavedObjectsBulkGetObject[] = [], | ||
options: SavedObjectsBaseOptions = {} | ||
): Promise<SavedObjectsBulkResponse<T>> => { | ||
const objectToBulkGet = await wrapperOptions.client.bulkGet<T>(objects, options); | ||
for (const object of objectToBulkGet.saved_objects) { | ||
await this.validateAtLeastOnePermittedWorkspaces( | ||
object.workspaces, | ||
wrapperOptions.request, | ||
WorkspacePermissionMode.Read | ||
); | ||
} | ||
return objectToBulkGet; | ||
}; | ||
|
||
const findWithWorkspacePermissionControl = async <T = unknown>( | ||
options: SavedObjectsFindOptions | ||
) => { | ||
if (options.workspaces) { | ||
options.workspaces = options.workspaces.filter( | ||
async (workspaceId) => | ||
await this.permissionControl.validate( | ||
workspaceId, | ||
WorkspacePermissionMode.Read, | ||
wrapperOptions.request | ||
) | ||
); | ||
} else { | ||
options.workspaces = [ | ||
'public', | ||
...(await this.permissionControl.getPermittedWorkspaceIds( | ||
WorkspacePermissionMode.Read, | ||
wrapperOptions.request | ||
)), | ||
]; | ||
} | ||
return await wrapperOptions.client.find<T>(options); | ||
}; | ||
|
||
return { | ||
...wrapperOptions.client, | ||
get: getWithWorkspacePermissionControl, | ||
checkConflicts: wrapperOptions.client.checkConflicts, | ||
find: findWithWorkspacePermissionControl, | ||
bulkGet: bulkGetWithWorkspacePermissionControl, | ||
errors: wrapperOptions.client.errors, | ||
addToNamespaces: wrapperOptions.client.addToNamespaces, | ||
deleteFromNamespaces: wrapperOptions.client.deleteFromNamespaces, | ||
create: createWithWorkspacePermissionControl, | ||
bulkCreate: bulkCreateWithWorkspacePermissionControl, | ||
delete: deleteWithWorkspacePermissionControl, | ||
update: wrapperOptions.client.update, | ||
bulkUpdate: wrapperOptions.client.bulkUpdate, | ||
}; | ||
}; | ||
|
||
constructor(private readonly permissionControl: WorkspacePermissionControl) {} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually
saved_objects
directory is used to store the saved object type registration file according to OSD convention, I'd recommend placing this file to other directory.