feat: ABAC

.changeset/ninety-dodos-confess.md

@@ -0,0 +1,15 @@
+---
+'@rocket.chat/authorization-service': minor
+'@rocket.chat/core-services': minor
+'@rocket.chat/message-types': minor
+'@rocket.chat/model-typings': minor
+'@rocket.chat/core-typings': minor
+'@rocket.chat/apps-engine': minor
+'@rocket.chat/abac': minor
+'@rocket.chat/models': minor
+'@rocket.chat/i18n': minor
+'@rocket.chat/jwt': minor
+'@rocket.chat/meteor': minor
+---
+
+Adds Attribute Based Access Control (ABAC) for private channels & private teams.

apps/meteor/app/api/server/v1/rooms.ts

@@ -22,6 +22,7 @@ import {
 import { Meteor } from 'meteor/meteor';
 
 import { isTruthy } from '../../../../lib/isTruthy';
+import { adminFields } from '../../../../lib/rooms/adminFields';
 import { omit } from '../../../../lib/utils/omit';
 import * as dataExport from '../../../../server/lib/dataExport';
 import { eraseRoom } from '../../../../server/lib/eraseRoom';
@@ -1032,49 +1033,120 @@ const isRoomGetRolesPropsSchema = {
 	additionalProperties: false,
 	required: ['rid'],
 };
-export const roomEndpoints = API.v1.get(
-	'rooms.roles',
-	{
-		authRequired: true,
-		query: ajv.compile<{
-			rid: string;
-		}>(isRoomGetRolesPropsSchema),
-		response: {
-			200: ajv.compile<{
-				roles: RoomRoles[];
-			}>({
-				type: 'object',
-				properties: {
-					roles: {
-						type: 'array',
-						items: {
-							type: 'object',
-							properties: {
-								rid: { type: 'string' },
-								u: {
-									type: 'object',
-									properties: { _id: { type: 'string' }, username: { type: 'string' } },
-									required: ['_id', 'username'],
+export const roomEndpoints = API.v1
+	.get(
+		'rooms.roles',
+		{
+			authRequired: true,
+			query: ajv.compile<{
+				rid: string;
+			}>(isRoomGetRolesPropsSchema),
+			response: {
+				200: ajv.compile<{
+					roles: RoomRoles[];
+				}>({
+					type: 'object',
+					properties: {
+						roles: {
+							type: 'array',
+							items: {
+								type: 'object',
+								properties: {
+									rid: { type: 'string' },
+									u: {
+										type: 'object',
+										properties: { _id: { type: 'string' }, username: { type: 'string' } },
+										required: ['_id', 'username'],
+									},
+									roles: { type: 'array', items: { type: 'string' } },
 								},
-								roles: { type: 'array', items: { type: 'string' } },
+								required: ['rid', 'u', 'roles'],
 							},
-							required: ['rid', 'u', 'roles'],
 						},
 					},
+					required: ['roles'],
+				}),
+			},
+		},
+		async function () {
+			const { rid } = this.queryParams;
+			const roles = await executeGetRoomRoles(rid, this.userId);
+
+			return API.v1.success({
+				roles,
+			});
+		},
+	)
+	.get(
+		'rooms.adminRooms.privateRooms',
+		{
+			authRequired: true,
+			permissionsRequired: ['view-room-administration'],
+			query: ajv.compile<{
+				filter?: string;
+				offset?: number;
+				count?: number;
+				sort?: string;
+			}>({
+				type: 'object',
+				properties: {
+					filter: { type: 'string' },
+					offset: { type: 'number' },
+					count: { type: 'number' },
+					sort: { type: 'string' },
 				},
-				required: ['roles'],
+				additionalProperties: true,
 			}),
+			response: {
+				400: validateBadRequestErrorResponse,
+				401: validateUnauthorizedErrorResponse,
+				403: validateUnauthorizedErrorResponse,
+				200: ajv.compile<{
+					rooms: IRoom[];
+					count: number;
+					offset: number;
+					total: number;
+				}>({
+					type: 'object',
+					properties: {
+						rooms: {
+							type: 'array',
+							items: { type: 'object' },
+						},
+						count: { type: 'number' },
+						offset: { type: 'number' },
+						total: { type: 'number' },
+						success: { type: 'boolean', enum: [true] },
+					},
+					required: ['rooms', 'count', 'offset', 'total', 'success'],
+					additionalProperties: false,
+				}),
+			},
 		},
-	},
-	async function () {
-		const { rid } = this.queryParams;
-		const roles = await executeGetRoomRoles(rid, this.userId);
+		async function action() {
+			const { offset, count } = await getPaginationItems(this.queryParams);
+			const { sort } = await this.parseJsonQuery();
+			const { filter } = this.queryParams;
 
-		return API.v1.success({
-			roles,
-		});
-	},
-);
+			const name = (filter || '').trim();
+
+			const { cursor, totalCount } = Rooms.findPrivateRoomsAndTeamsPaginated(name, {
+				skip: offset,
+				limit: count,
+				sort: sort || { default: -1, name: 1 },
+				projection: adminFields,
+			});
+
+			const [rooms, total] = await Promise.all([cursor.toArray(), totalCount]);
+
+			return API.v1.success({
+				rooms,
+				count: rooms.length,
+				offset,
+				total,
+			});
+		},
+	);
 
 const roomInviteEndpoints = API.v1.post(
 	'rooms.invite',

apps/meteor/app/api/server/v1/teams.ts

@@ -20,6 +20,7 @@ import { eraseRoom } from '../../../../server/lib/eraseRoom';
 import { canAccessRoomAsync } from '../../../authorization/server';
 import { hasPermissionAsync, hasAtLeastOnePermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { removeUserFromRoom } from '../../../lib/server/functions/removeUserFromRoom';
+import { settings } from '../../../settings/server';
 import { API } from '../api';
 import { getPaginationItems } from '../helpers/getPaginationItems';
 import { eraseTeam } from '../lib/eraseTeam';
@@ -235,6 +236,13 @@ API.v1.addRoute(
 			}
 			const canUpdateAny = !!(await hasPermissionAsync(this.userId, 'view-all-team-channels', team.roomId));
 
+			if (settings.get('ABAC_Enabled') && isDefault) {
+				const room = await Rooms.findOneByIdAndType(roomId, 'p', { projection: { abacAttributes: 1 } });
+				if (room?.abacAttributes?.length) {
+					return API.v1.failure('error-room-is-abac-managed');
+				}
+			}
+
 			const room = await Team.updateRoom(this.userId, roomId, isDefault, canUpdateAny);
 
 			return API.v1.success({ room });

apps/meteor/app/channel-settings/server/methods/saveRoomSettings.ts

@@ -1,5 +1,5 @@
 import { Team } from '@rocket.chat/core-services';
-import type { IRoom, IRoomWithRetentionPolicy, IUser, MessageTypesValues } from '@rocket.chat/core-typings';
+import type { IRoom, IRoomWithRetentionPolicy, IUser, MessageTypesValues, ITeam } from '@rocket.chat/core-typings';
 import { TEAM_TYPE } from '@rocket.chat/core-typings';
 import type { ServerMethods } from '@rocket.chat/ddp-client';
 import { Rooms, Users } from '@rocket.chat/models';
@@ -11,6 +11,7 @@ import { roomCoordinator } from '../../../../server/lib/rooms/roomCoordinator';
 import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { setRoomAvatar } from '../../../lib/server/functions/setRoomAvatar';
 import { notifyOnRoomChangedById } from '../../../lib/server/lib/notifyListener';
+import { settings } from '../../../settings/server';
 import { saveReactWhenReadOnly } from '../functions/saveReactWhenReadOnly';
 import { saveRoomAnnouncement } from '../functions/saveRoomAnnouncement';
 import { saveRoomCustomFields } from '../functions/saveRoomCustomFields';
@@ -61,14 +62,33 @@ type RoomSettingsValidators = {
 const hasRetentionPolicy = (room: IRoom & { retention?: any }): room is IRoomWithRetentionPolicy =>
 	'retention' in room && room.retention !== undefined;
 
+const isAbacManagedRoom = (room: IRoom): boolean => {
+	return room.t === 'p' && settings.get<boolean>('ABAC_Enabled') && Array.isArray(room?.abacAttributes) && room.abacAttributes.length > 0;
+};
+
+const isAbacManagedTeam = (team: Partial<ITeam> | null, teamRoom: IRoom): boolean => {
+	return (
+		team?.type === TEAM_TYPE.PRIVATE &&
+		settings.get<boolean>('ABAC_Enabled') &&
+		Array.isArray(teamRoom?.abacAttributes) &&
+		teamRoom.abacAttributes.length > 0
+	);
+};
+
 const validators: RoomSettingsValidators = {
-	async default({ userId }) {
+	async default({ userId, room, value }) {
 		if (!(await hasPermissionAsync(userId, 'view-room-administration'))) {
 			throw new Meteor.Error('error-action-not-allowed', 'Viewing room administration is not allowed', {
 				method: 'saveRoomSettings',
 				action: 'Viewing_room_administration',
 			});
 		}
+		if (isAbacManagedRoom(room) && value) {
+			throw new Meteor.Error('error-action-not-allowed', 'Setting an ABAC managed room as default is not allowed', {
+				method: 'saveRoomSettings',
+				action: 'Viewing_room_administration',
+			});
+		}
 	},
 	async featured({ userId }) {
 		if (!(await hasPermissionAsync(userId, 'view-room-administration'))) {
@@ -98,6 +118,13 @@ const validators: RoomSettingsValidators = {
 			});
 		}
 
+		if (isAbacManagedRoom(room) && value !== 'p') {
+			throw new Meteor.Error('error-action-not-allowed', 'Changing an ABAC managed private room to public is not allowed', {
+				method: 'saveRoomSettings',
+				action: 'Change_Room_Type',
+			});
+		}
+
 		if (!room.teamId) {
 			return;
 		}
@@ -116,6 +143,13 @@ const validators: RoomSettingsValidators = {
 				action: 'Change_Room_Type',
 			});
 		}
+
+		if (isAbacManagedTeam(team, room) && value !== 'p') {
+			throw new Meteor.Error('error-action-not-allowed', 'Changing an ABAC managed private team room to public is not allowed', {
+				method: 'saveRoomSettings',
+				action: 'Change_Room_Type',
+			});
+		}
 	},
 	async encrypted({ userId, value, room, rid }) {
 		if (value !== room.encrypted) {

apps/meteor/app/invites/server/functions/findOrCreateInvite.ts

@@ -63,6 +63,13 @@ export const findOrCreateInvite = async (userId: string, invite: Pick<IInvite, '
 		});
 	}
 
+	if (settings.get('ABAC_Enabled') && room?.abacAttributes?.length) {
+		throw new Meteor.Error('error-invalid-room', 'Room is ABAC managed', {
+			method: 'findOrCreateInvite',
+			field: 'rid',
+		});
+	}
+
 	if (!(await roomCoordinator.getRoomDirectives(room.t).allowMemberAction(room, RoomMemberActions.INVITE, userId))) {
 		throw new Meteor.Error('error-room-type-not-allowed', 'Cannot create invite links for this room type', {
 			method: 'findOrCreateInvite',

apps/meteor/app/invites/server/functions/validateInviteToken.ts

@@ -1,6 +1,8 @@
 import { Invites, Rooms } from '@rocket.chat/models';
 import { Meteor } from 'meteor/meteor';
 
+import { settings } from '../../../settings/server';
+
 export const validateInviteToken = async (token: string) => {
 	if (!token || typeof token !== 'string') {
 		throw new Meteor.Error('error-invalid-token', 'The invite token is invalid.', {
@@ -25,6 +27,13 @@ export const validateInviteToken = async (token: string) => {
 		});
 	}
 
+	if (settings.get('ABAC_Enabled') && room?.abacAttributes?.length) {
+		throw new Meteor.Error('error-invalid-room', 'Room is ABAC managed', {
+			method: 'validateInviteToken',
+			field: 'rid',
+		});
+	}
+
 	if (inviteData.expires && new Date(inviteData.expires).getTime() <= Date.now()) {
 		throw new Meteor.Error('error-invite-expired', 'The invite token has expired.', {
 			method: 'validateInviteToken',

apps/meteor/app/lib/server/functions/addUserToDefaultChannels.ts

@@ -5,6 +5,7 @@ import { Subscriptions } from '@rocket.chat/models';
 import { getDefaultChannels } from './getDefaultChannels';
 import { callbacks } from '../../../../server/lib/callbacks';
 import { getSubscriptionAutotranslateDefaultConfig } from '../../../../server/lib/getSubscriptionAutotranslateDefaultConfig';
+import { settings } from '../../../settings/server';
 import { getDefaultSubscriptionPref } from '../../../utils/lib/getDefaultSubscriptionPref';
 import { notifyOnSubscriptionChangedById } from '../lib/notifyListener';
 
@@ -13,6 +14,10 @@ export const addUserToDefaultChannels = async function (user: IUser, silenced?:
 	const defaultRooms = await getDefaultChannels();
 
 	for await (const room of defaultRooms) {
+		if (settings.get('ABAC_Enabled') && room?.abacAttributes?.length) {
+			continue;
+		}
+
 		if (!(await Subscriptions.findOneByRoomIdAndUserId(room._id, user._id, { projection: { _id: 1 } }))) {
 			const autoTranslateConfig = getSubscriptionAutotranslateDefaultConfig(user);
 

apps/meteor/app/lib/server/functions/addUserToRoom.ts

@@ -10,6 +10,7 @@ import { callbacks } from '../../../../server/lib/callbacks';
 import { beforeAddUserToRoom } from '../../../../server/lib/callbacks/beforeAddUserToRoom';
 import { roomCoordinator } from '../../../../server/lib/rooms/roomCoordinator';
 import { settings } from '../../../settings/server';
+import { beforeAddUserToRoom as beforeAddUserToRoomPatch } from '../lib/beforeAddUserToRoom';
 import { notifyOnRoomChangedById } from '../lib/notifyListener';
 
 /**
@@ -61,7 +62,10 @@ export const addUserToRoom = async (
 	}
 
 	try {
-		await beforeAddUserToRoom.run({ user: userToBeAdded, inviter: (inviter && (await Users.findOneById(inviter._id))) || undefined }, room);
+		const inviterUser = inviter && ((await Users.findOneById(inviter._id)) || undefined);
+		// Not "duplicated": we're moving away from callbacks so this is a patch function. We should migrate the next one to be a patch or use this same patch, instead of calling both
+		await beforeAddUserToRoomPatch([userToBeAdded.username!], room, inviterUser);
+		await beforeAddUserToRoom.run({ user: userToBeAdded, inviter: inviterUser }, room);
 	} catch (error) {
 		throw new Meteor.Error((error as any)?.message);
 	}

apps/meteor/app/lib/server/functions/getFullUserData.ts

@@ -22,6 +22,7 @@ const defaultFields = {
 	extension: 1,
 	federated: 1,
 	statusLivechat: 1,
+	abacAttributes: 1,
 } as const;
 
 const fullFields = {