MB-38322 GET /_uiroles REST API

called without parameters

returns the following json:

{"folders": [....],
 "parameters": {....}}

value of folders key is an array of maps:
{
   "name": <name of folder>,
   "roles": [....]
}

roles array contains roles that belong to the folder in the
following format

{"role": <role>,
 "params": <array of role parameters>,
 "name": <name of the role to show in UI>,
 "desc": <description of the role>}

value of the key "parameters" is a tree structure representing
all possible parameter values

Here's how UI should enumerate all possible parameters:
Let's say the role has parameters [bucket_name, scope_name,
collection_name]

1. UI code should look in the "parameters" map for "bucket_name"
and retrieve an array of the following structures:
{"value": <bucket name>, "children": <optional map of child parameters>}

2. If "children" is specified, UI code should look for the second
parameter "scope_name" in the map and so on..

It is implied that each parameter can also be a wildcard, therefore
wildcards are not returned by the API.

Example of output:

{
  "folders": [
    {
      "name": "Administrative Roles",
      "roles": [
        {
          "role": "admin",
          "params": [],
          "name": "Full Admin",
          "desc": "Can manage all cluster features..."
        },
..................
    {
      "name": "Data Service",
      "roles": [
        {
          "role": "data_reader",
          "params": [
            "bucket_name",
            "scope_name",
            "collection_name"
          ],
          "name": "Data Reader",
          "desc": "Can read data from a given bucket, scope..."
        },
..................
    {
      "name": "Views",
      "roles": [
        {
          "role": "views_admin",
          "params": [
            "bucket_name"
          ],
          "name": "Views Admin",
          "desc": "Can create and manage views of a given..."
        }
      ]
    },
-------------
  "parameters": {
    "bucket_name": [
      {
        "value": "test",
        "children": {
          "scope_name": [
            {
              "value": "_default",
              "children": {
                "collection_name": [
                  {
                    "value": "_default"
                  }
                ]
              }
            }
          ]
        }
      }
    ]
  }
}

Change-Id: I8341456851efb93a52e85bb05b25cb1152fcfa4f
Reviewed-on: http://review.couchbase.org/c/ns_server/+/129449
Tested-by: Artem Stemkovski <[email protected]>
Well-Formed: Build Bot <[email protected]>
Reviewed-by: Timofey Barmin <[email protected]>

Author: vzasade

src/collections.erl

@@ -36,7 +36,9 @@
          get_manifest/1,
          get_scope/2,
          get_collection/2,
-         get_uid/1]).
+         get_uid/1,
+         get_scopes/1,
+         get_collections/1]).
 
 %% rpc from other nodes
 -export([wait_for_manifest_uid/4]).

src/menelaus_roles.erl

@@ -69,6 +69,7 @@
          external_auth_polling_interval/0,
          get_param_defs/2,
          ui_folders/0,
+         get_visible_role_definitions/1,
          strip_ids/2]).
 
 -export([start_compiled_roles_cache/0]).
@@ -953,13 +954,16 @@ validate_role(Role, Params, Definitions, Buckets) ->
             false
     end.
 
+get_visible_role_definitions(Config) ->
+    pipes:run(pipes:stream_list(get_definitions(Config, public)),
+              visible_roles_filter(),
+              pipes:collect()).
+
 -spec validate_roles([rbac_role()], ns_config()) ->
                             {GoodRoles :: [rbac_role()],
                              BadRoles :: [rbac_role()]}.
 validate_roles(Roles, Config) ->
-    Definitions = pipes:run(pipes:stream_list(get_definitions(Config, public)),
-                            visible_roles_filter(),
-                            pipes:collect()),
+    Definitions = get_visible_role_definitions(Config),
     Buckets = ns_bucket:get_buckets(Config),
     lists:foldl(fun (Role, {Validated, Unknown}) ->
                         case validate_role(Role, Definitions, Buckets) of

src/menelaus_web.erl

@@ -226,6 +226,8 @@ get_action(Req, {AppRoot, IsSSL, Plugins}, Path, PathTokens) ->
                 ["_uistats"] ->
                     {{[ui], read},
                      fun menelaus_stats:serve_ui_stats/1};
+                ["_uiroles"] ->
+                    {{[ui], read}, fun menelaus_web_rbac:handle_get_uiroles/1};
                 ["_uiEnv"] ->
                     {done, serve_ui_env(Req)};
                 ["poolsStreaming", "default"] ->

src/menelaus_web_rbac.erl

@@ -58,7 +58,8 @@
          handle_delete_profile/2,
          handle_put_profile/2,
          handle_lookup_ldap_user/2,
-         gen_password/1
+         gen_password/1,
+         handle_get_uiroles/1
 ]).
 
 -define(MIN_USERS_PAGE_SIZE, 2).
@@ -189,19 +190,23 @@ get_roles_by_permission(Permission, Config) ->
       menelaus_roles:produce_roles_by_permission(Permission, Config),
       pipes:collect()).
 
+maybe_remove_security_roles(Req, Config, Roles) ->
+    Roles --
+        case menelaus_auth:has_permission(?SECURITY_READ, Req) of
+            true ->
+                [];
+            false ->
+                menelaus_roles:get_security_roles(Config)
+        end.
+
 handle_get_roles(Req) ->
     Config = ns_config:get(),
     validator:handle(
       fun (Values) ->
               Permission = proplists:get_value(permission, Values),
-              Roles =
-                  get_roles_by_permission(Permission, Config) --
-                  case menelaus_auth:has_permission(?SECURITY_READ, Req) of
-                      true ->
-                          [];
-                      false ->
-                          menelaus_roles:get_security_roles(Config)
-                  end,
+              Roles = maybe_remove_security_roles(
+                        Req, Config,
+                        get_roles_by_permission(Permission, Config)),
               Json =
                   [{role_to_json(Role) ++ jsonify_props(Props)} ||
                       {Role, Props} <- Roles],
@@ -1677,6 +1682,72 @@ handle_put_profile(RawIdentity, Req) ->
             menelaus_util:reply_json(Req, <<"Invalid Json">>, 400)
     end.
 
+handle_get_uiroles(Req) ->
+    menelaus_util:require_permission(Req, {[admin, security], read}),
+
+    Roles =
+        maybe_remove_security_roles(Req, ns_config:latest(),
+                                    menelaus_roles:get_visible_role_definitions(
+                                      ns_config:latest())),
+    Folders =
+        lists:filtermap(build_ui_folder(_, Roles), menelaus_roles:ui_folders()),
+
+    Buckets = menelaus_auth:get_accessible_buckets(
+                ?cut({[{bucket, _}, settings], read}), Req),
+
+    Parameters = {[build_ui_parameters(bucket_name, Buckets)]},
+
+    menelaus_util:reply_json(Req, {[{folders, Folders},
+                                    {parameters, Parameters}]}).
+
+build_ui_folder({Key, Name}, Roles) ->
+    case lists:filter(fun ({_, _, Props, _}) ->
+                              proplists:get_value(folder, Props) =:= Key
+                      end, Roles) of
+        [] ->
+            false;
+        FolderRoles ->
+            {true, {[{name, list_to_binary(Name)},
+                     {roles, [build_ui_role(Role) || Role <- FolderRoles]}]}}
+    end.
+
+build_ui_role({Role, Params, Props, _}) ->
+    {[{role, Role}, {params, Params} | jsonify_props(Props)]}.
+
+build_ui_value(Value, Children) ->
+    case lists:filter(fun ({_, L}) -> L =/= [] end, Children) of
+        [] ->
+            {[{value, list_to_binary(Value)}]};
+        NonEmpty ->
+            {[{value, list_to_binary(Value)},
+              {children, {NonEmpty}}]}
+    end.
+
+build_ui_parameters(Name, List) ->
+    {Name, build_ui_values(Name, List)}.
+
+build_ui_values(bucket_name, Buckets) ->
+    lists:map(
+      fun ({Name, BucketCfg}) ->
+              Scopes =
+                  case cluster_compat_mode:is_enterprise() andalso
+                      collections:enabled(BucketCfg) of
+                      true ->
+                          collections:get_scopes(
+                            collections:get_manifest(BucketCfg));
+                      false ->
+                          []
+                  end,
+              build_ui_value(Name, [build_ui_parameters(scope_name, Scopes)])
+      end, Buckets);
+build_ui_values(scope_name, Scopes) ->
+    [build_ui_value(
+       Name, [build_ui_parameters(collection_name,
+                                  collections:get_collections(Scope))]) ||
+        {Name, Scope} <- Scopes];
+build_ui_values(collection_name, Collections) ->
+    [build_ui_value(Name, []) || {Name, _} <- Collections].
+
 -ifdef(TEST).
 role_to_string_test() ->
     ?assertEqual("role", role_to_string(role)),