db/ui: add tenant filtering by ip address advanced topics

[tpurschke]

Goal

• give access (via API!) to tenant-filtered rulebases
• need to add tenant-filtering within the API (currently implemented in UI filter line
• filtering logic see diagram below

  challenges

  • ip matching operators from postgresql (<<, >>) not implemented in hasura
  • filter out non-matching rules
  • filter out non-relevant parts of rules (harder)
  • performance - do not negatively impact reports for non-reporter users (which do not need ip-based tenant-filtering

Possible Implementations

• view
• function

Current Implementation Approach

• computed fields {rule, rule-to, rule-from, object}_relevant_for_tenant(...)
• computed field has_relevant_change(changelog_rule)
• hasura-permission based filtering according to computed fields for reporter, recertifier

Next Steps

• [x] Test performance with large rule set @tpurschke - perf test with 880 rules takes 3s unfiltered and 160s with 5 networks; re-generating takes about the same time
• [x] remove all section header when filtering for IP addresses
• [x] adjust ip mapping in stored procedures to new ip ranges in tenant_network table
• [x] Find out performance/functional differences between views/materialized views/computed_fields, ...
• [x] verify current ip filtering functionality in filter line (not implemented, just tenant-filtering in LSB)
• [x] design filter logic within API
• [x] add tenant_network table
• [x] add view_tenant_rules materialized view
• [x] add sample tenant networks via API directly to test reporting (include this in ansible installer for demo systems)
• [x] decide on how to filter groups (flattening, ...)
• [x] also need to add views for sub tables: rule_to, rule_from, ...
• [x] ~change all existing reports from using rule table to view_tenant_rules~ -> not necessary with current approach
• [x] finally remove all permissions for reporter role from rule, rule_to, rule_from
• [x] find a way to filter out irrelevant rule parts for a tenant (lines 4, 6 below)
• [x] #2202
• [x] #2214
• [ ] adjust help pages
• [x] add disclaimer: If used, no API access must be provided to Reporter Users (not needed with latest approach)
• [ ] add tenant filtering to recertification page?
• [ ] write unit tests
• [x] #2279
• [x] #1701
• [x] #2280
• [x] #2284
• [x] in tenant-filtered report export, only show devices the user is allowed to see (also in simulated mode!)
• [x] #2306

UI settings

• [ ] reverse collapse state (collapse unfiltered and hidden, show gateways of shared managements)
• [ ] when editing tenant - device mappings, collapse all default value is wrong
• [ ] when saving tenant_networks (2.0.0.0/8): Save tenant - Unclassified error: : Foreign key violation. insert or update on table "tenant_network" violates foreign key constraint "tenant_network_tenant_id_fkey" . See log for details!
• [ ] tenant sorting does not work as expected (when UI is German?)
• [ ] double-check if adding all devices to tenant0 is really necessary

  advanced (later)

• [ ] re-generate JWTs of currently logged-in users belonging to a changed tenant?
• [ ] saving tenant-mapping: in case of error during writing: restore old mappings for the tenant? (which have just been deleted)
• [ ] RSB: show objects for unfiltered managements

Optimizations

• [ ] add btree index for ip (range) operations (see compliance module for reference)
• [ ] might add nightly scheduler for calculating tenant mapping in extra n:m tables tenant_object_mapping and tenant_rule_mapping

filter logic

[tpurschke]

in beta state - moved to separate branch