Check Permissions Order tool and workflow

Adds a NodeJS tool that can inspect yaml role definitions, check if they are in alphabetical order, correct them if required.

Signed-off-by: Peter Nied <peternied@hotmail.com>

Author: peternied

.github/workflows/code-hygiene.yml

@@ -57,3 +57,26 @@ jobs:
       - uses: gradle/gradle-build-action@v2
         with:
           arguments: spotbugsMain
+
+  check-permissions-order:
+    runs-on: ubuntu-latest
+    name: Check permissions orders
+    steps:
+    - uses: actions/checkout@v2
+    - run: npm install yaml
+
+    - name: Check permissions order
+      run: |
+        exclude_pattern="(^|/)roles_invalidxcontent.yml($|/)
+                          (^|/)invalid_config/config.yml($|/)"
+        # Set pattern to exclude certain files
+        set -e
+        exit_code=0
+        for file in $(find . -name '*.yml' | grep -Ev "$exclude_pattern"); do
+          if ! node check-permissions-order.js "$file" --slient; then
+            exit_code=1
+            echo "Error: $file requires changes. Run the following command to fix:"
+            echo "node check-permissions-order.js $file --fix"
+          fi
+        done
+        exit $exit_code

.gitignore

@@ -43,3 +43,7 @@ out/
 build/
 gradle-build/
 .gradle/
+
+# nodejs
+node_modules/
+package-lock.json

check-permissions-order.js

@@ -0,0 +1,86 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+const fs = require('fs')
+const yaml = require('yaml')
+
+function checkPermissionsOrder(file, fix = false) {
+  const contents = fs.readFileSync(file, 'utf8')
+  const doc = yaml.parseDocument(contents, { keepCstNodes: true })
+  const roles = doc.contents.items
+  let requiresChanges = false
+  roles.forEach(role => {
+    const itemsFromRole = role?.value?.items;
+
+    const clusterPermissions = itemsFromRole?.filter(item => item.key && item.key.value === 'cluster_permissions');
+    requiresChanges |= checkPermissionsOrdering(clusterPermissions);
+
+
+    const indexPermissionsArray = itemsFromRole?.filter(item => item.key && item.key.value === 'index_permissions');
+    const indexPermissionObj = indexPermissionsArray?.[0]?.value;
+    const indexPermissionItems = indexPermissionObj?.items[0]?.items;
+    const allowedIndexActions = indexPermissionItems?.filter(item => item.key && item.key.value === 'allowed_actions');
+    
+    requiresChanges |= checkPermissionsOrdering(allowedIndexActions);
+  })
+
+  if (fix && requiresChanges) {
+    const newContents = doc.toString()
+    fs.writeFileSync(file, newContents, 'utf8')
+  }
+
+  return requiresChanges
+}
+
+/*
+  Checks the permissions ordering
+  
+  returns false if they are already stored
+  returns true if the permissions were not sored, note the permissions object are sorted as a side effect of this function
+*/
+function checkPermissionsOrdering(permissions) {
+  let requiresChanges = false;
+  if (!permissions) {
+    return requiresChanges;
+  }
+  permissions.forEach(permission => {
+      const items = permission.value.items;
+      const originalItems = JSON.stringify(items);
+      items.sort();
+      const sortedItems = JSON.stringify(items);
+
+      // If the original items and sorted items are not the same, then changes are required
+      if (originalItems !== sortedItems) {
+        requiresChanges = true;
+      }
+  });
+  return requiresChanges;
+}
+
+// Example usage
+const args = process.argv.slice(2)
+if (args.length === 0) {
+  console.error('Usage: node check-permissions-order.js <file> [--fix] [--silent]')
+  process.exit(1)
+}
+const filePath = args[0]
+const fix = args.includes('--fix')
+const slient = args.includes('--slient')
+if (checkPermissionsOrder(filePath, fix)) {
+  if (fix) {
+    if (!slient) { console.log(`${filePath} has been updated.`) }
+  } else {
+    if (!slient) { console.error(`Error: ${filePath} requires changes.`) }
+    process.exit(1)
+  }
+} else {
+  if (!slient) { console.log(`${filePath} is up-to-date.`) }
+}

config/roles.yml

@@ -257,7 +257,6 @@ cross_cluster_search_remote_full_access:
 ml_read_access:
   reserved: true
   cluster_permissions:
-    - 'cluster:admin/opensearch/ml/stats/nodes'
     - 'cluster:admin/opensearch/ml/model_groups/search'
     - 'cluster:admin/opensearch/ml/models/get'
     - 'cluster:admin/opensearch/ml/models/search'