feat(rbac): implement RBAC group support (janus-idp#803)
* feat(rbac): implement RBAC group support

Signed-off-by: Oleksandr Andriienko <oandriie@redhat.com>

* fix(rbac): improve tests.

* fix(rbac): fix sonarcloud warnings.

Signed-off-by: Oleksandr Andriienko <oandriie@redhat.com>

* feat(rbac): add group cycle dependencies detection
This commit introduces a cycle dependencies detection mechanism for RBAC groups in the codebase. BackstageRoleManager#hasLink returns false in case of a cycle in the group graph, to deny the user's permission request, because we couldn't collect group hierarchy information in a proper way. Without this information, permission evaluation can be wrong.

Signed-off-by: Oleksandr Andriienko <oandriie@redhat.com>

* fix(rbac): fix some bugs in building group subgraph, add more tests

Signed-off-by: Oleksandr Andriienko <oandriie@redhat.com>

* fix(rbac): move BackstageManager initialization to policy-builder

Signed-off-by: Oleksandr Andriienko <oandriie@redhat.com>

---------

Signed-off-by: Oleksandr Andriienko <oandriie@redhat.com>
AndrienkoAleksandr authored Oct 6, 2023
1 parent 056c7ba commit 4c72f5c
Showing 11 changed files with 1,397 additions and 145 deletions.
2 changes: 2 additions & 0 deletions plugins/rbac-backend/package.json
Expand Up @@ -24,6 +24,7 @@
},
"dependencies": {
"@backstage/backend-common": "^0.19.1",
"@backstage/catalog-client": "^1.4.3",
"@backstage/catalog-model": "^1.4.1",
"@backstage/config": "^1.0.8",
"@backstage/core-plugin-api": "^1.5.3",
Expand All @@ -32,6 +33,7 @@
"@backstage/plugin-permission-backend": "^0.5.20",
"@backstage/plugin-permission-common": "^0.7.7",
"@backstage/plugin-permission-node": "^0.7.10",
"@dagrejs/graphlib": "^2.1.13",
"@janus-idp/backstage-plugin-rbac-common": "1.0.0",
"casbin": "5.27.0",
"express": "^4.17.1",
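Review bot: "@dagrejs/graphlib": "^2.1.13" is declared as a caret range, while casbin two lines below it is pinned to an exact version (5.27.0). If this library backs the group graph and the cycle detection described in the commit message, it sits on the authorization path just as casbin does, so pin it the same way or confirm that the lockfile update ships with this commit; neither is visible in this hunk.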
2 changes: 1 addition & 1 deletion plugins/rbac-backend/src/service/permission-model.ts
Expand Up @@ -12,5 +12,5 @@ e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
g = _, _
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
`;
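Review bot: In the [matchers] line, swapping r.sub == p.sub for g(r.sub, p.sub) removes the only direct subject comparison, so a policy written against a user now matches only if g returns true when both arguments are the same name. Confirm that BackstageRoleManager#hasLink handles the identical-subject case and add a test for a user with no group membership. The commit message says hasLink returns false when the group graph has a cycle; under the effect shown in this hunk (some allow and no deny) that fails closed, but it would also stop policies written directly against that user from matching, which deserves a comment beside the matcher and a test that pins the intended behaviour.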