Adding a folder for public resources in order to serve OPA bundle

Open Policy Agent requires a bundle in the form of tar.gz in order to bootstrap itself with base policy and data. The server will serve this policy under the public domain. In the future, we will enable a Basic Authentication scheme in order to lock down this pocliy.

app/server/appsmith-server/src/main/java/com/appsmith/server/acl/AclService.java

@@ -7,13 +7,11 @@ import com.appsmith.server.services.SessionUserService;
 import lombok.extern.slf4j.Slf4j;
 import org.json.JSONObject;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.MediaType;
 import org.springframework.stereotype.Component;
 import org.springframework.web.reactive.function.client.WebClient;
-import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
 
 import java.util.HashSet;
@@ -58,11 +56,9 @@ public class AclService {
                     Set<String> globalPermissions = new HashSet<>();
                     Set<String> groupSet = u.getGroupIds();
                     globalPermissions.addAll(u.getPermissions());
-                    return Flux.fromIterable(groupSet)
-                            .flatMap(groupId ->
-                                    groupService.getById(groupId)
-                                            .map(group -> group.getPermissions())
-                            ).map(obj -> globalPermissions.addAll(obj))
+                    return groupService.getAllById(groupSet)
+                            .map(group -> group.getPermissions())
+                            .map(permissions -> globalPermissions.addAll(permissions))
                             .collectList()
                             .thenReturn(globalPermissions);
                 })

app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java

@@ -6,6 +6,7 @@ import com.appsmith.server.services.OrganizationService;
 import com.appsmith.server.services.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
+import org.springframework.core.io.ClassPathResource;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
@@ -17,6 +18,9 @@ import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.reactive.CorsConfigurationSource;
 import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
+import org.springframework.web.reactive.function.server.RouterFunction;
+import org.springframework.web.reactive.function.server.RouterFunctions;
+import org.springframework.web.reactive.function.server.ServerResponse;
 
 import java.util.Arrays;
 
@@ -32,6 +36,25 @@ public class SecurityConfig {
     @Autowired
     private CommonConfig commonConfig;
 
+    /**
+     * This routerFunction is required to map /public/** endpoints to the src/main/resources/public folder
+     * This is to allow static resources to be served by the server. Couldn't find an easier way to do this,
+     * hence using RouterFunctions to implement this feature.
+     *
+     * Future folks: Please check out links:
+     * - https://www.baeldung.com/spring-webflux-static-content
+     * - https://docs.spring.io/spring/docs/current/spring-framework-reference/web-reactive.html#webflux-config-static-resources
+     * - Class ResourceHandlerRegistry
+     * for details. If you figure out a cleaner approach, please modify this function
+     *
+     * @return
+     */
+    @Bean
+    public RouterFunction<ServerResponse> publicRouter() {
+        return RouterFunctions
+                .resources("/public/**", new ClassPathResource("public/"));
+    }
+
     /**
      * This configuration enables CORS requests for the most common HTTP Methods
      *
@@ -72,6 +95,7 @@ public class SecurityConfig {
                 .cors().and()
                 .csrf().disable()
                 .authorizeExchange()
+                .pathMatchers("/public/**").permitAll()
                 .anyExchange()
                 .authenticated()
                 .and().httpBasic()

app/server/appsmith-server/src/main/java/com/appsmith/server/filters/AclFilter.java

@@ -34,7 +34,7 @@ public class AclFilter implements WebFilter {
      * The ACL policy filters user access based on the permissions that the user has and the resource they are trying
      * to access
      *
-     * Check @see src/main/resources/acl.policy for details of a sample ACL policy
+     * Check @see src/main/resources/acl.rego for details of a sample ACL policy
      *
      * @param exchange
      * @param chain

app/server/appsmith-server/src/main/java/com/appsmith/server/services/GroupService.java

@@ -1,6 +1,10 @@
 package com.appsmith.server.services;
 
 import com.appsmith.server.domains.Group;
+import reactor.core.publisher.Flux;
+
+import java.util.Set;
 
 public interface GroupService extends CrudService<Group, String> {
+    Flux<Group> getAllById(Set<String> ids);
 }

app/server/appsmith-server/src/main/java/com/appsmith/server/services/GroupServiceImpl.java

@@ -7,9 +7,11 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.mongodb.core.ReactiveMongoTemplate;
 import org.springframework.data.mongodb.core.convert.MongoConverter;
 import org.springframework.stereotype.Service;
+import reactor.core.publisher.Flux;
 import reactor.core.scheduler.Scheduler;
 
 import javax.validation.Validator;
+import java.util.Set;
 
 @Service
 public class GroupServiceImpl extends BaseService<GroupRepository, Group, String> implements GroupService  {
@@ -27,4 +29,9 @@ public class GroupServiceImpl extends BaseService<GroupRepository, Group, String
         super(scheduler, validator, mongoConverter, reactiveMongoTemplate, repository, analytics, sessionUserService);
         this.repository = repository;
     }
+
+    @Override
+    public Flux<Group> getAllById(Set<String> ids) {
+        return this.repository.findAllById(ids);
+    }
 }

app/server/appsmith-server/src/main/resources/public/appsmith/authz/acl.rego

@@ -19,8 +19,15 @@ allowed_operations = [
     {"method": "POST", "resource": "organizations", "permission": "create:organizations"},
     {"method": "GET", "resource": "organizations", "permission": "read:organizations"},
     {"method": "POST", "resource": "signup", "permission": "create:organizations"},
+    {"method": "GET", "resource": "pages", "permission": "read:pages"},
+    {"method": "POST", "resource": "pages", "permission": "create:pages"},
+    {"method": "PUT", "resource": "pages", "permission": "update:pages"},
+    {"method": "GET", "resource": "layouts", "permission": "read:layouts"},
+    {"method": "POST", "resource": "layouts", "permission": "create:layouts"},
+    {"method": "PUT", "resource": "layouts", "permission": "update:layouts"},
 ]
 
+
 # This rule is a WIP to create SQL queries based on the policy. For example, the user may be allowed to see a list
 # of records that only belong to them and NOT all the records. While url_allow rule will allow the user to access
 # this functionality, the resource_allow rule will help us create where clauses to query the DB.