PDP: inconsistencies with permissions
The PDP API uses different formats for permissions across its requests and responses:
Example 1: request:
RBAC >>> (request)
PATCH /pdp/resources/test-resource/grantPermission HTTP/1.1
...
{"permissions":[{"role":"test-role","operation":"view"},{"role":"test-role","operation":"edit"}]}
---
RBAC <<< (response)
HTTP/1.1 200 OK
Example 2: response:
RBAC >>> GET https://didmos.satosa.latest.rustbucket.io/pdp/resources/test-resource
RBAC <<< (response)
HTTP/1.1 200 OK
...
{"resource": "test-resource", "operations": ["view", "edit", "delete"], "permissions": {"test-role": {"assigned": ["edit", "view"]}}}
Example 3: response:
RBAC >>> GET https://didmos.satosa.latest.rustbucket.io/pdp/roles/test-role
RBAC <<< (response)
HTTP/1.1 200 OK
...
{"rolename": "test-role", "users": null, "permissions": {"0223907e-55c4-4f59-a28c-4e7afb3e9820-permission": {"operations": ["edit"]}, "0277feb1-09f9-4133-a247-ea27b0d8db70-permission": {"operations": ["edit"]}, ...
- Expected: the "permissions" object should be consistent across requests and responses.
- Actual: the examples show three distinct formats for permissions.
The preferred format for requests and responses to make them consistent is as follows:
{"permissions": {"<resource-name>": {"operations": ["edit", "view"]}}}
Example 2 doesn't refer to the same type of response, so the returned key shouldn't be "permissions" but "roles".
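The following is an added example, not part of the original report or the PDP code base. It shows what a client has to do today to confirm that a grant took effect: flatten the three observed shapes into (role, target, operation) triples, compare the grant request with the resource read-back, and render the result in the preferred format. The function names are hypothetical, the payloads are copied from the examples above, and Example 3 is cut to its first entry because the original response is truncated.

```python
import json

# Payloads copied from Examples 1-3 of this report (Example 3: first entry only).
GRANT_REQUEST = json.loads('{"permissions":[{"role":"test-role","operation":"view"},{"role":"test-role","operation":"edit"}]}')
RESOURCE_RESPONSE = json.loads('{"resource": "test-resource", "operations": ["view", "edit", "delete"], "permissions": {"test-role": {"assigned": ["edit", "view"]}}}')
ROLE_RESPONSE = json.loads('{"rolename": "test-role", "users": null, "permissions": {"0223907e-55c4-4f59-a28c-4e7afb3e9820-permission": {"operations": ["edit"]}}}')


def to_triples(body, resource=None):
    """Flatten any of the three observed shapes into {(role, target, operation)}."""
    perms = body.get("permissions")
    if isinstance(perms, list):
        # Example 1: list of {"role", "operation"}; the resource is only in the URL path.
        if resource is None:
            raise ValueError("grant request needs the resource name from the URL path")
        return {(p["role"], resource, p["operation"]) for p in perms}
    if isinstance(perms, dict) and "resource" in body:
        # Example 2: keyed by role name, operations listed under "assigned".
        return {(role, body["resource"], op)
                for role, entry in perms.items() for op in entry["assigned"]}
    if isinstance(perms, dict) and "rolename" in body:
        # Example 3: keyed by "<id>-permission", operations listed under "operations".
        return {(body["rolename"], key, op)
                for key, entry in perms.items() for op in entry["operations"]}
    raise ValueError("unrecognised permissions shape")


def missing_grants(grant_body, resource, resource_body):
    """Triples requested in the grant that the resource read-back does not show."""
    return to_triples(grant_body, resource) - to_triples(resource_body)


def to_preferred(triples):
    """Render the triples of one role in the format this report prefers."""
    out = {}
    for _role, target, op in sorted(triples):
        out.setdefault(target, {"operations": []})["operations"].append(op)
    return {"permissions": out}


if __name__ == "__main__":
    print(missing_grants(GRANT_REQUEST, "test-resource", RESOURCE_RESPONSE))
    print(to_preferred(to_triples(GRANT_REQUEST, "test-resource")))
```

The Example 3 triples cannot be compared with the other two, because that response is keyed by a permission id rather than by the resource name.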