feat: RBAC live policy change on permissions update

flanksource · Sep 30, 2024 · 3300b80 · 3300b80
1 parent 0c895ad
commit 3300b80
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 3 deletions.
diff --git a/cmd/server.go b/cmd/server.go
@@ -25,6 +25,7 @@ import (
 	"github.com/flanksource/incident-commander/incidents/responder"
 	"github.com/flanksource/incident-commander/jobs"
 	"github.com/flanksource/incident-commander/notification"
+	"github.com/flanksource/incident-commander/rbac"
 	"github.com/flanksource/incident-commander/teams"
 
 	// register event handlers
@@ -133,6 +134,7 @@ func tableUpdatesHandler(ctx context.Context) {
 
 	notificationUpdateCh := notifyRouter.GetOrCreateChannel("notifications")
 	teamsUpdateChan := notifyRouter.GetOrCreateChannel("teams")
+	permissionUpdateChan := notifyRouter.GetOrCreateChannel("permissions")
 
 	for {
 		select {
@@ -142,6 +144,13 @@ func tableUpdatesHandler(ctx context.Context) {
 		case id := <-teamsUpdateChan:
 			responder.PurgeCache(id)
 			teams.PurgeCache(id)
+
+		case <-permissionUpdateChan:
+			if err := rbac.ReloadPolicy(); err != nil {
+				ctx.Logger.Errorf("error reloading rbac policy due to permission updates: %v", err)
+			} else {
+				ctx.Logger.Debugf("reloading rbac policy due to permission updates")
+			}
 		}
 	}
 }
diff --git a/go.mod b/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/containrrr/shoutrrr v0.8.0
 	github.com/fergusstrange/embedded-postgres v1.25.0 // indirect
 	github.com/flanksource/commons v1.29.10
-	github.com/flanksource/duty v1.0.689
+	github.com/flanksource/duty v1.0.691
 	github.com/flanksource/gomplate/v3 v3.24.34
 	github.com/flanksource/kopper v1.0.10
 	github.com/gomarkdown/markdown v0.0.0-20240419095408-642f0ee99ae2

diff --git a/go.sum b/go.sum
@@ -877,8 +877,8 @@ github.com/flanksource/artifacts v1.0.14 h1:Vv70bccsae0MwGaf/uSPp34J5V1/PyKfct9z
 github.com/flanksource/artifacts v1.0.14/go.mod h1:qHVCnQu5k50aWNJ5UhpcAKEl7pAzqUrFFKGSm147G70=
 github.com/flanksource/commons v1.29.10 h1:T/S95Pl8kASEFvQjQ7fJjTUqeVdhxQXg1vfkULTYFJQ=
 github.com/flanksource/commons v1.29.10/go.mod h1:iTbrXOSp3Spv570Nly97D/U9cQjLZoVlmWCXqWzsvRU=
-github.com/flanksource/duty v1.0.689 h1:rEww/gBYthQWwjST8Eh9rM8GmNgv9EnjJXTq5lg+yGw=
-github.com/flanksource/duty v1.0.689/go.mod h1:XM1Y1FfW0TB4HvuP/GjwS3ZDvJKYM5o1wobgRIyqkuA=
+github.com/flanksource/duty v1.0.691 h1:hWaKkX1OiK8VbGRvK9m1dkU1K0N6NhYijza9EdZs4oE=
+github.com/flanksource/duty v1.0.691/go.mod h1:XM1Y1FfW0TB4HvuP/GjwS3ZDvJKYM5o1wobgRIyqkuA=
 github.com/flanksource/gomplate/v3 v3.20.4/go.mod h1:27BNWhzzSjDed1z8YShO6W+z6G9oZXuxfNFGd/iGSdc=
 github.com/flanksource/gomplate/v3 v3.24.34 h1:KeA7bim1OzUqBXTftumgdacMlb3fGX95Y0kOtBduYGQ=
 github.com/flanksource/gomplate/v3 v3.24.34/go.mod h1:FdQHxnyrBSmT5zNJTDq08oXxD+eOqti4ERanSoDmQAU=

diff --git a/rbac/init.go b/rbac/init.go
@@ -186,3 +186,7 @@ func Check(ctx context.Context, subject, object, action string) bool {
 
 	return allowed
 }
+
+func ReloadPolicy() error {
+	return enforcer.LoadPolicy()
+}