@backstage-community/plugin-rbac-backend 6.0.1 → 6.1.0

package/dist/service/policies-rest-api.cjs.js

@@ -11,6 +11,8 @@ var roleMetadata = require('../database/role-metadata.cjs.js');
 var helper = require('../helper.cjs.js');
 var conditionValidation = require('../validation/condition-validation.cjs.js');
 var policiesValidation = require('../validation/policies-validation.cjs.js');
+var conditions = require('../permissions/conditions.cjs.js');
+var rules = require('../permissions/rules.cjs.js');
 
 class PoliciesServer {
   constructor(permissions, options, enforcer, conditionalStorage, pluginPermMetaData, roleMetadata, auditor, rbacProviders) {
@@ -23,7 +25,7 @@ class PoliciesServer {
     this.auditor = auditor;
     this.rbacProviders = rbacProviders;
   }
-  async authorize(request, permission) {
+  async authorizeConditional(request, permission) {
     const credentials = await this.options.httpAuth.credentials(request, {
       allow: ["user", "service"]
     });
@@ -32,31 +34,43 @@ class PoliciesServer {
         `Only creadential principal with type 'user' permitted to modify permissions`
       );
     }
-    const decision = (await this.permissions.authorize(
-      [{ permission, resourceRef: permission.resourceType }],
-      { credentials }
-    ))[0];
+    let decision;
+    if (permission.type === "resource") {
+      decision = (await this.permissions.authorizeConditional([{ permission }], {
+        credentials
+      }))[0];
+    } else {
+      decision = (await this.permissions.authorize([{ permission }], {
+        credentials
+      }))[0];
+    }
     return decision;
   }
   async serve() {
     const router = await pluginPermissionBackend.createRouter(this.options);
-    const { httpAuth } = this.options;
+    const { httpAuth, logger } = this.options;
     if (!httpAuth) {
       throw new errors.ServiceUnavailableError(
         "httpAuth not found, ensure the correct configuration for the RBAC plugin"
       );
     }
-    const permissionsIntegrationRouter = pluginPermissionNode.createPermissionIntegrationRouter({
+    const policyPermissionsIntegrationRouter = pluginPermissionNode.createPermissionIntegrationRouter({
       resourceType: pluginRbacCommon.RESOURCE_TYPE_POLICY_ENTITY,
-      permissions: pluginRbacCommon.policyEntityPermissions
+      getResources: (resourceRefs) => Promise.all(
+        resourceRefs.map((ref) => {
+          return this.roleMetadata.findRoleMetadata(ref);
+        })
+      ),
+      permissions: pluginRbacCommon.policyEntityPermissions,
+      rules: Object.values(rules.rules)
     });
-    router.use(permissionsIntegrationRouter);
+    router.use(policyPermissionsIntegrationRouter);
     const isPluginEnabled = this.options.config.getOptionalBoolean("permission.enabled");
     if (!isPluginEnabled) {
       return router;
     }
     router.get("/", async (request, response) => {
-      const decision = await this.authorize(
+      const decision = await this.authorizeConditional(
         request,
         pluginRbacCommon.policyEntityReadPermission
       );
@@ -69,25 +83,48 @@ class PoliciesServer {
       "/policies",
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
-        const decision = await this.authorize(
+        let conditionsFilter;
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityReadPermission
         );
         if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
           throw new errors.NotAllowedError();
         }
-        let policies;
+        if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
+          conditionsFilter = conditions.transformConditions(decision.conditions);
+        }
+        const roleMetadata = await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);
+        let policies = [];
         if (this.isPolicyFilterEnabled(request)) {
           const entityRef = this.getFirstQuery(request.query.entityRef);
           const permission = this.getFirstQuery(request.query.permission);
           const policy = this.getFirstQuery(request.query.policy);
           const effect = this.getFirstQuery(request.query.effect);
+          const matchedRoleName = roleMetadata.flatMap(
+            (role) => role.roleEntityRef
+          );
           const filter = [entityRef, permission, policy, effect];
-          policies = await this.enforcer.getFilteredPolicy(0, ...filter);
+          policies = matchedRoleName.includes(entityRef) ? await this.enforcer.getFilteredPolicy(0, ...filter) : [];
         } else {
-          policies = await this.enforcer.getPolicy();
+          for (const role of roleMetadata) {
+            policies.push(
+              ...await this.enforcer.getFilteredPolicy(
+                0,
+                ...[role.roleEntityRef]
+              )
+            );
+          }
         }
         const body = await this.transformPolicyArray(...policies);
+        body.map((policy) => {
+          if (policy.permission === "policy-entity" && policy.policy === "create") {
+            policy.permission = "policy.entity.create";
+            logger.warn(
+              `Permission policy with resource type 'policy-entity' and action 'create' has been removed. Please consider updating policy ${[policy.entityReference, "policy-entity", policy.policy, policy.effect]} to use 'policy.entity.create' instead of 'policy-entity' from source ${policy.metadata?.source}`
+            );
+          }
+        });
         response.json(body);
       }
     );
@@ -95,17 +132,33 @@ class PoliciesServer {
       "/policies/:kind/:namespace/:name",
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
-        const decision = await this.authorize(
+        let conditionsFilter;
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityReadPermission
         );
         if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
           throw new errors.NotAllowedError();
         }
+        if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
+          conditionsFilter = conditions.transformConditions(decision.conditions);
+        }
+        const roleMetadata = await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);
+        const matchedRoleName = roleMetadata.flatMap((role) => {
+          return role.roleEntityRef;
+        });
         const entityRef = this.getEntityReference(request);
-        const policy = await this.enforcer.getFilteredPolicy(0, entityRef);
+        const policy = matchedRoleName.includes(entityRef) ? await this.enforcer.getFilteredPolicy(0, entityRef) : [];
         if (policy.length !== 0) {
           const body = await this.transformPolicyArray(...policy);
+          body.map((bodyPolicy) => {
+            if (bodyPolicy.permission === "policy-entity" && bodyPolicy.policy === "create") {
+              bodyPolicy.permission = "policy.entity.create";
+              logger.warn(
+                `Permission policy with resource type 'policy-entity' and action 'create' has been removed. Please consider updating policy ${[bodyPolicy.entityReference, "policy-entity", bodyPolicy.policy, bodyPolicy.effect]} to use 'policy.entity.create' instead of 'policy-entity' from source ${bodyPolicy.metadata?.source}`
+              );
+            }
+          });
           response.json(body);
         } else {
           throw new errors.NotFoundError();
@@ -116,13 +169,17 @@ class PoliciesServer {
       "/policies/:kind/:namespace/:name",
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
-        const decision = await this.authorize(
+        let conditionsFilter;
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityDeletePermission
         );
         if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
           throw new errors.NotAllowedError();
         }
+        if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
+          conditionsFilter = conditions.transformConditions(decision.conditions);
+        }
         const entityRef = this.getEntityReference(request);
         const policyRaw = request.body;
         if (lodash.isEmpty(policyRaw)) {
@@ -131,7 +188,12 @@ class PoliciesServer {
         policyRaw.forEach((element) => {
           element.entityReference = entityRef;
         });
-        const processedPolicies = await this.processPolicies(policyRaw, true);
+        const processedPolicies = await this.processPolicies(
+          policyRaw,
+          true,
+          undefined,
+          conditionsFilter
+        );
         await this.enforcer.removePolicies(processedPolicies);
         response.locals.meta = { policies: processedPolicies };
         response.status(204).end();
@@ -141,7 +203,7 @@ class PoliciesServer {
       "/policies",
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
-        const decision = await this.authorize(
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityCreatePermission
         );
@@ -152,7 +214,11 @@ class PoliciesServer {
         if (lodash.isEmpty(policyRaw)) {
           throw new errors.InputError(`permission policy must be present`);
         }
-        const processedPolicies = await this.processPolicies(policyRaw);
+        const processedPolicies = await this.processPolicies(
+          policyRaw,
+          false,
+          undefined
+        );
         const entityRef = processedPolicies[0][0];
         const roleMetadata = await this.roleMetadata.findRoleMetadata(entityRef);
         if (entityRef.startsWith("role:default") && !roleMetadata) {
@@ -167,13 +233,17 @@ class PoliciesServer {
       "/policies/:kind/:namespace/:name",
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
-        const decision = await this.authorize(
+        let conditionsFilter;
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityUpdatePermission
         );
         if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
           throw new errors.NotAllowedError();
         }
+        if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
+          conditionsFilter = conditions.transformConditions(decision.conditions);
+        }
         const entityRef = this.getEntityReference(request);
         const oldPolicyRaw = request.body.oldPolicy;
         if (lodash.isEmpty(oldPolicyRaw)) {
@@ -189,7 +259,8 @@ class PoliciesServer {
         const processedOldPolicy = await this.processPolicies(
           oldPolicyRaw,
           true,
-          "old policy"
+          "old policy",
+          conditionsFilter
         );
         oldPolicyRaw.sort(
           (a, b) => a.permission === b.permission ? this.nameSort(a.policy, b.policy) : this.nameSort(a.permission, b.permission)
@@ -207,7 +278,8 @@ class PoliciesServer {
         const processedNewPolicy = await this.processPolicies(
           newPolicyRaw,
           false,
-          "new policy"
+          "new policy",
+          conditionsFilter
         );
         const roleMetadata = await this.roleMetadata.findRoleMetadata(entityRef);
         if (entityRef.startsWith("role:default") && !roleMetadata) {
@@ -225,15 +297,19 @@ class PoliciesServer {
       "/roles",
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
-        const decision = await this.authorize(
+        let conditionsFilter;
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityReadPermission
         );
         if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
           throw new errors.NotAllowedError();
         }
+        if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
+          conditionsFilter = conditions.transformConditions(decision.conditions);
+        }
         const roles = await this.enforcer.getGroupingPolicy();
-        const body = await this.transformRoleArray(...roles);
+        const body = await this.transformRoleArray(conditionsFilter, ...roles);
         response.json(body);
       }
     );
@@ -241,20 +317,24 @@ class PoliciesServer {
       "/roles/:kind/:namespace/:name",
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
-        const decision = await this.authorize(
+        let conditionsFilter;
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityReadPermission
         );
         if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
           throw new errors.NotAllowedError();
         }
+        if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
+          conditionsFilter = conditions.transformConditions(decision.conditions);
+        }
         const roleEntityRef = this.getEntityReference(request, true);
         const role = await this.enforcer.getFilteredGroupingPolicy(
           1,
           roleEntityRef
         );
-        if (role.length !== 0) {
-          const body = await this.transformRoleArray(...role);
+        const body = await this.transformRoleArray(conditionsFilter, ...role);
+        if (body.length !== 0) {
           response.json(body);
         } else {
           throw new errors.NotFoundError();
@@ -266,7 +346,7 @@ class PoliciesServer {
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
         const uniqueItems = /* @__PURE__ */ new Set();
-        const decision = await this.authorize(
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityCreatePermission
         );
@@ -314,7 +394,8 @@ class PoliciesServer {
           source: "rest",
           description: roleRaw.metadata?.description ?? "",
           author: modifiedBy,
-          modifiedBy
+          modifiedBy,
+          owner: roleRaw.metadata?.owner ?? modifiedBy
         };
         await this.enforcer.addGroupingPolicies(roles, metadata);
         response.locals.meta = { ...metadata, members: roles.map((gp) => gp[0]) };
@@ -326,13 +407,17 @@ class PoliciesServer {
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
         const uniqueItems = /* @__PURE__ */ new Set();
-        const decision = await this.authorize(
+        let conditionsFilter;
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityUpdatePermission
         );
         if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
           throw new errors.NotAllowedError();
         }
+        if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
+          conditionsFilter = conditions.transformConditions(decision.conditions);
+        }
         const roleEntityRef = this.getEntityReference(request, true);
         const oldRoleRaw = request.body.oldRole;
         if (!oldRoleRaw) {
@@ -368,7 +453,8 @@ class PoliciesServer {
           ...newRoleRaw.metadata,
           source: newRoleRaw.metadata?.source ?? "rest",
           roleEntityRef: newRoleRaw.name,
-          modifiedBy: credentials.principal.userEntityRef
+          modifiedBy: credentials.principal.userEntityRef,
+          owner: newRoleRaw.metadata?.owner ?? ""
         };
         const oldMetadata = await this.roleMetadata.findRoleMetadata(roleEntityRef);
         if (!oldMetadata) {
@@ -380,11 +466,15 @@ class PoliciesServer {
         if (err) {
           throw new errors.NotAllowedError(`Unable to edit role: ${err.message}`);
         }
+        if (!helper.matches(oldMetadata, conditionsFilter)) {
+          throw new errors.NotAllowedError();
+        }
         if (lodash.isEqual(oldRole, newRole) && helper.deepSortedEqual(oldMetadata, newMetadata, [
           "author",
           "modifiedBy",
           "createdAt",
-          "lastModified"
+          "lastModified",
+          "owner"
         ])) {
           response.status(204).end();
           return;
@@ -447,14 +537,26 @@ class PoliciesServer {
       "/roles/:kind/:namespace/:name",
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
-        const decision = await this.authorize(
+        let conditionsFilter;
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityDeletePermission
         );
         if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
           throw new errors.NotAllowedError();
         }
+        if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
+          conditionsFilter = conditions.transformConditions(decision.conditions);
+        }
         const roleEntityRef = this.getEntityReference(request, true);
+        const currentMetadata = await this.roleMetadata.findRoleMetadata(roleEntityRef);
+        if (!helper.matches(currentMetadata, conditionsFilter)) {
+          throw new errors.NotAllowedError();
+        }
+        const err = await policiesValidation.validateSource("rest", currentMetadata);
+        if (err) {
+          throw new errors.NotAllowedError(`Unable to delete role: ${err.message}`);
+        }
         let roleMembers = [];
         if (request.query.memberReferences) {
           const memberReference = this.getFirstQuery(
@@ -483,11 +585,6 @@ class PoliciesServer {
             throw new errors.NotFoundError(`role member '${role[0]}' was not found`);
           }
         }
-        const currentMetadata = await this.roleMetadata.findRoleMetadata(roleEntityRef);
-        const err = await policiesValidation.validateSource("rest", currentMetadata);
-        if (err) {
-          throw new errors.NotAllowedError(`Unable to delete role: ${err.message}`);
-        }
         const credentials = await httpAuth.credentials(request, {
           allow: ["user"]
         });
@@ -512,7 +609,7 @@ class PoliciesServer {
       "/plugins/policies",
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
-        const decision = await this.authorize(
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityReadPermission
         );
@@ -529,7 +626,7 @@ class PoliciesServer {
       "/plugins/condition-rules",
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
-        const decision = await this.authorize(
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityReadPermission
         );
@@ -546,26 +643,36 @@ class PoliciesServer {
       "/roles/conditions",
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
-        const decision = await this.authorize(
+        let conditionsFilter;
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityReadPermission
         );
         if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
           throw new errors.NotAllowedError();
         }
-        const conditions = await this.conditionalStorage.filterConditions(
+        if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
+          conditionsFilter = conditions.transformConditions(decision.conditions);
+        }
+        const roleMetadata = await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);
+        const matchedRoleName = roleMetadata.flatMap((role) => {
+          return role.roleEntityRef;
+        });
+        const conditions$1 = await this.conditionalStorage.filterConditions(
           this.getFirstQuery(request.query.roleEntityRef),
           this.getFirstQuery(request.query.pluginId),
           this.getFirstQuery(request.query.resourceType),
           this.getActionQueries(request.query.actions)
         );
-        const body = conditions.map((condition) => {
+        const body = conditions$1.map((condition) => {
           return {
             ...condition,
             permissionMapping: condition.permissionMapping.map(
               (pm) => pm.action
             )
           };
+        }).filter((condition) => {
+          return matchedRoleName.includes(condition.roleEntityRef);
         });
         response.json(body);
       }
@@ -574,7 +681,7 @@ class PoliciesServer {
       "/roles/conditions",
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
-        const decision = await this.authorize(
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityCreatePermission
         );
@@ -598,7 +705,8 @@ class PoliciesServer {
       "/roles/conditions/:id",
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
-        const decision = await this.authorize(
+        let conditionsFilter;
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityReadPermission
         );
@@ -613,10 +721,19 @@ class PoliciesServer {
         if (!condition) {
           throw new errors.NotFoundError();
         }
-        const body = {
+        if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
+          conditionsFilter = conditions.transformConditions(decision.conditions);
+        }
+        const roleMetadata = await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);
+        const matchedRoleName = roleMetadata.flatMap((role) => {
+          return role.roleEntityRef;
+        });
+        const body = matchedRoleName.includes(condition.roleEntityRef) ? {
           ...condition,
-          permissionMapping: condition.permissionMapping.map((pm) => pm.action)
-        };
+          permissionMapping: condition.permissionMapping.map(
+            (pm) => pm.action
+          )
+        } : [];
         response.json(body);
       }
     );
@@ -624,13 +741,17 @@ class PoliciesServer {
       "/roles/conditions/:id",
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
-        const decision = await this.authorize(
+        let conditionsFilter;
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityDeletePermission
         );
         if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
           throw new errors.NotAllowedError();
         }
+        if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
+          conditionsFilter = conditions.transformConditions(decision.conditions);
+        }
         const id = parseInt(request.params.id, 10);
         if (isNaN(id)) {
           throw new errors.InputError("Id is not a valid number.");
@@ -643,6 +764,12 @@ class PoliciesServer {
           ...condition,
           permissionMapping: condition.permissionMapping.map((pm) => pm.action)
         };
+        const roleMetadata = await this.roleMetadata.findRoleMetadata(
+          conditionToDelete.roleEntityRef
+        );
+        if (!helper.matches(roleMetadata, conditionsFilter)) {
+          throw new errors.NotAllowedError();
+        }
         await this.conditionalStorage.deleteCondition(id);
         response.locals.meta = { condition: conditionToDelete };
         response.status(204).end();
@@ -652,17 +779,31 @@ class PoliciesServer {
       "/roles/conditions/:id",
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
-        const decision = await this.authorize(
+        let conditionsFilter;
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityUpdatePermission
         );
         if (decision.result === pluginPermissionCommon.AuthorizeResult.DENY) {
           throw new errors.NotAllowedError();
         }
+        if (decision.result === pluginPermissionCommon.AuthorizeResult.CONDITIONAL) {
+          conditionsFilter = conditions.transformConditions(decision.conditions);
+        }
         const id = parseInt(request.params.id, 10);
         if (isNaN(id)) {
           throw new errors.InputError("Id is not a valid number.");
         }
+        const condition = await this.conditionalStorage.getCondition(id);
+        if (!condition) {
+          throw new errors.NotFoundError(`Condition with id ${id} was not found`);
+        }
+        const roleMetadata = await this.roleMetadata.findRoleMetadata(
+          condition.roleEntityRef
+        );
+        if (!helper.matches(roleMetadata, conditionsFilter)) {
+          throw new errors.NotAllowedError();
+        }
         const roleConditionPolicy = request.body;
         conditionValidation.validateRoleCondition(roleConditionPolicy);
         const conditionToUpdate = await helper.processConditionMapping(
@@ -679,7 +820,7 @@ class PoliciesServer {
       "/refresh/:id",
       restInterceptor.logAuditorEvent(this.auditor),
       async (request, response) => {
-        const decision = await this.authorize(
+        const decision = await this.authorizeConditional(
           request,
           pluginRbacCommon.policyEntityCreatePermission
         );
@@ -734,7 +875,7 @@ class PoliciesServer {
     }
     return roleBasedPolices;
   }
-  async transformRoleArray(...roles) {
+  async transformRoleArray(filter, ...roles) {
     const combinedRoles = {};
     roles.forEach(([value, role]) => {
       if (combinedRoles.hasOwnProperty(role)) {
@@ -744,7 +885,7 @@ class PoliciesServer {
       }
     });
     const result = await Promise.all(
-      Object.entries(combinedRoles).map(async ([role, value]) => {
+      Object.entries(combinedRoles).flatMap(async ([role, value]) => {
         const metadataDao = await this.roleMetadata.findRoleMetadata(role);
         const metadata = metadataDao ? roleMetadata.daoToMetadata(metadataDao) : undefined;
         return Promise.resolve({
@@ -754,7 +895,10 @@ class PoliciesServer {
         });
       })
     );
-    return result;
+    const filteredResult = result.filter((role) => {
+      return role.metadata && helper.matches(role.metadata, filter);
+    });
+    return filteredResult;
   }
   transformPolicyToArray(policy) {
     return [
@@ -818,7 +962,7 @@ class PoliciesServer {
   isPolicyFilterEnabled(request) {
     return !!request.query.entityRef || !!request.query.permission || !!request.query.policy || !!request.query.effect;
   }
-  async processPolicies(policyArray, isOld, errorMessage) {
+  async processPolicies(policyArray, isOld, errorMessage, filter) {
     const policies = [];
     const uniqueItems = /* @__PURE__ */ new Set();
     for (const policy of policyArray) {
@@ -831,6 +975,9 @@ class PoliciesServer {
       const metadata = await this.roleMetadata.findRoleMetadata(
         policy.entityReference
       );
+      if (!helper.matches(metadata, filter)) {
+        throw new errors.NotAllowedError();
+      }
       let action = errorMessage ? "edit" : "delete";
       action = isOld ? action : "add";
       err = await policiesValidation.validateSource("rest", metadata);