CORDA-3022 Add wildcard RPC permissions (#5174)

* Added small poc changes to accommodate requested permissions.

* Added node user that can only start flows and has the necessary permissions.

* Fixed type in the rpc unit tests.

* Finalise wildcard RPC permissions, remove builtin maintainer/nodeuser roles

* Tidy up
Stefan Iliev 2019-08-28 15:29:06 +01:00 committed by Anthony Keenan
parent e35c0c1df7
commit 3a6787437d
5 changed files with 38 additions and 3 deletions


@ -14,6 +14,7 @@ import kotlin.test.assertFailsWith
class RPCPermissionsTests : AbstractRPCTest() {
companion object {
const val DUMMY_FLOW = "StartFlow.net.corda.flows.DummyFlow"
const val WILDCARD_FLOW = "StartFlow.net.corda.flows.*"
const val ALL_ALLOWED = "ALL"
}
@ -104,6 +105,29 @@ class RPCPermissionsTests : AbstractRPCTest() {
}
}
@Test
fun `joe user can call different methods matching to a wildcard`() {
rpcDriver {
val joeUser = userOf("joe", setOf(WILDCARD_FLOW))
val proxy = testProxyFor(joeUser)
assertNotAllowed {
proxy.validatePermission("nodeInfo")
}
proxy.validatePermission("startFlowDynamic", "net.corda.flows.OtherFlow")
proxy.validatePermission("startFlowDynamic", "net.corda.flows.DummyFlow")
proxy.validatePermission("startTrackedFlowDynamic", "net.corda.flows.DummyFlow")
proxy.validatePermission("startTrackedFlowDynamic", "net.corda.flows.OtherFlow")
assertNotAllowed {
proxy.validatePermission("startTrackedFlowDynamic", "net.banned.flows.OtherFlow")
}
assertNotAllowed {
proxy.validatePermission("startTrackedFlowDynamic", "net.banned.flows")
}
}
}
@Test
fun `checking invokeRpc permissions entitlements`() {
rpcDriver {
@ -120,7 +144,6 @@ class RPCPermissionsTests : AbstractRPCTest() {
}
private fun assertNotAllowed(action: () -> Unit) {
assertFailsWith(PermissionException::class, "User should not be allowed to perform this action.", action)
}
}
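Review bot: The negative cases in `joe user can call different methods matching to a wildcard` only use a different root package (`net.banned.flows...`), so the test does not pin where the boundary of `StartFlow.net.corda.flows.*` lies. Consider adding a sibling package that shares the prefix, e.g. `assertNotAllowed { proxy.validatePermission("startFlowDynamic", "net.corda.flowsother.OtherFlow") }` (the package name is a constructed example). An explicit expectation, allowed or denied, for a nested package such as `net.corda.flows.sub.OtherFlow` and for the bare package name `net.corda.flows` would document the granted scope instead of leaving it implied by the matcher. A short comment above the test stating the intended wildcard semantics would also help operators who rely on it for least-privilege RPC users.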


@ -48,6 +48,9 @@ Unreleased
* :doc:`design/data-model-upgrades/package-namespace-ownership` configurations can be now be set as described in
:ref:`node_package_namespace_ownership`, when using the Cordformation plugin version 4.0.43.
* Wildcards can now be used when specifying RPC permissions, for example ``StartFlow.foo.bar.*`` will allow users to start any flow in the
``foo.bar`` package. See :ref:`rpcUsers <corda_configuration_file_rpc_users>` for more information.
.. _changelog_v4.1:
Version 4.1


@ -487,7 +487,8 @@ rpcUsers
permissions
A list of permissions for starting flows via RPC.
To give the user the permission to start the flow ``foo.bar.FlowClass``, add the string ``StartFlow.foo.bar.FlowClass`` to the list.
If the list contains the string ``ALL``, the user can start any flow via RPC.
If the list contains the string ``ALL``, the user can start any flow via RPC. Wildcards are also allowed, for example ``StartFlow.foo.bar.*``
will allow the user to start any flow within the ``foo.bar`` package.
This value is intended for administrator users and for development.
*Default:* not defined


@ -139,6 +139,14 @@ When starting a standalone node using a configuration file we must supply the RP
{ username=user, password=password, permissions=[ StartFlow.net.corda.finance.flows.CashFlow ] }
]
Wildcard permissions can be set by using the `*` character, e.g.:
.. code-block:: text
rpcUsers : [
{ username=user, password=password, permissions=[ StartFlow.net.corda.finance.flows.* ] }
]
When using the gradle Cordformation plugin to configure and deploy a node you must supply the RPC credentials in a similar
manner:


@ -114,7 +114,7 @@ private class RPCPermission : DomainPermission {
* @param methods Set of allowed RPC methods
* @param target An optional "target" type on which methods act
*/
constructor(methods: Set<String>, target: String? = null) : super(methods, target?.let { setOf(it) })
constructor(methods: Set<String>, target: String? = null) : super(methods, target?.let { setOf(it.replace(".", ":")) })
/**