Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(api,cli,api-client,schema): Enhance permissions to allow filtering by environments through project roles #599

Merged
Original file line number Diff line number Diff line change
Expand Up @@ -39,5 +39,5 @@ docs {
- `description`: (Optional) A description about the role
- `colorCode`: (Optional) A hex color code for the role
- `authorities`: (Optional) An array of allowed `Authorities`. Refer prisma schema.
- `projectSlugs`: (Optional) An array of project slugs to associate to this role. Associating projects to a role will apply all the authorities in the role to the project aswell.
- `projectEnvironments`: (Optional) An array of record containing projectSlug and environmentSlugs array to associate to this role. Associating project with particular environments to a role will allow access to only provided environments for the project.
}
Original file line number Diff line number Diff line change
Expand Up @@ -36,5 +36,5 @@ docs {
- `description`: (Optional) A description about the role
- `colorCode`: (Optional) A hex color code for the role
- `authorities`: (Optional) An array of allowed `Authorities`. Refer prisma schema.
- `projectIds`: (Optional) An array of project IDs to associate to this role. Associating projects to a role will apply all the authorities in the role to the project aswell.
- `projectEnvironments`: (Optional) An array of record containing projectSlug and environmentSlugs array to associate to this role. Associating project with particular environments to a role will allow access to only provided environments for the project.
}
5 changes: 3 additions & 2 deletions apps/api/src/common/authority-checker.service.ts
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ import { ProjectWithSecrets } from '@/project/project.types'
import { SecretWithProjectAndVersion } from '@/secret/secret.types'
import { CustomLoggerService } from './logger.service'
import {
getCollectiveEnvironmentAuthorities,
getCollectiveProjectAuthorities,
getCollectiveWorkspaceAuthorities
} from './collective-authorities'
Expand Down Expand Up @@ -221,9 +222,9 @@ export class AuthorityCheckerService {
throw new NotFoundException(`Environment ${entity.slug} not found`)
}

const permittedAuthorities = await getCollectiveProjectAuthorities(
const permittedAuthorities = await getCollectiveEnvironmentAuthorities(
userId,
environment.project,
environment,
prisma
)

Expand Down
67 changes: 67 additions & 0 deletions apps/api/src/common/collective-authorities.ts
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
import { EnvironmentWithProject } from '@/environment/environment.types'
import {
Authority,
PrismaClient,
Expand Down Expand Up @@ -93,3 +94,69 @@ export const getCollectiveProjectAuthorities = async (

return authorities
}

/**
* Given the userId and environment, this function returns the set of authorities
* that are formed by accumulating a set of all the authorities across all the
* roles that the user has in the workspace, adding an extra layer of filtering
* by the project and the environment.
* @param userId The id of the user
* @param environment The environment with the project
* @param prisma The prisma client
* @returns
*/
export const getCollectiveEnvironmentAuthorities = async (
userId: User['id'],
environment: EnvironmentWithProject,
prisma: PrismaClient
): Promise<Set<Authority>> => {
const authorities = new Set<Authority>()

const roleAssociations = await prisma.workspaceMemberRoleAssociation.findMany(
{
where: {
workspaceMember: {
userId,
workspaceId: environment.project.workspaceId
},
role: {
OR: [
{
projects: {
muntaxir4 marked this conversation as resolved.
Show resolved Hide resolved
some: {
projectId: environment.project.id,
environments: {
some: {
id: environment.id
}
}
}
}
},
// Check if the user has the WORKSPACE_ADMIN authority
{
authorities: {
has: Authority.WORKSPACE_ADMIN
}
}
]
}
},
select: {
role: {
select: {
authorities: true
}
}
}
}
)

roleAssociations.forEach((roleAssociation) => {
roleAssociation.role.authorities.forEach((authority) => {
authorities.add(authority)
})
})

return authorities
}
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
import { IsNotEmpty, IsOptional, IsString, Matches } from 'class-validator'
import { IsNotEmpty, IsOptional, IsString } from 'class-validator'

export class CreateEnvironment {
@IsString()
Expand Down
2 changes: 1 addition & 1 deletion apps/api/src/event/event.e2e.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -438,7 +438,7 @@ describe('Event Controller Tests', () => {
description: 'Some description',
colorCode: '#000000',
authorities: [],
projectSlugs: [project.slug]
projectEnvironments: [{ projectSlug: project.slug }]
}
)

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
-- CreateTable
CREATE TABLE "_EnvironmentToProjectWorkspaceRoleAssociation" (
"A" TEXT NOT NULL,
"B" TEXT NOT NULL,

CONSTRAINT "_EnvironmentToProjectWorkspaceRoleAssociation_AB_pkey" PRIMARY KEY ("A","B")
);

-- CreateIndex
CREATE INDEX "_EnvironmentToProjectWorkspaceRoleAssociation_B_index" ON "_EnvironmentToProjectWorkspaceRoleAssociation"("B");

-- AddForeignKey
ALTER TABLE "_EnvironmentToProjectWorkspaceRoleAssociation" ADD CONSTRAINT "_EnvironmentToProjectWorkspaceRoleAssociation_A_fkey" FOREIGN KEY ("A") REFERENCES "Environment"("id") ON DELETE CASCADE ON UPDATE CASCADE;

-- AddForeignKey
ALTER TABLE "_EnvironmentToProjectWorkspaceRoleAssociation" ADD CONSTRAINT "_EnvironmentToProjectWorkspaceRoleAssociation_B_fkey" FOREIGN KEY ("B") REFERENCES "ProjectWorkspaceRoleAssociation"("id") ON DELETE CASCADE ON UPDATE CASCADE;
2 changes: 1 addition & 1 deletion apps/api/src/prisma/migrations/migration_lock.toml
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
# Please do not edit this file manually
# It should be added in your version-control system (i.e. Git)
# It should be added in your version-control system (e.g., Git)
provider = "postgresql"
4 changes: 4 additions & 0 deletions apps/api/src/prisma/schema.prisma
Original file line number Diff line number Diff line change
Expand Up @@ -253,6 +253,8 @@ model Environment {
project Project @relation(fields: [projectId], references: [id], onDelete: Cascade, onUpdate: Cascade)
projectId String

projectWorkspaceRoleAssociations ProjectWorkspaceRoleAssociation[]

@@unique([projectId, name])
@@index([name])
}
Expand Down Expand Up @@ -296,6 +298,8 @@ model ProjectWorkspaceRoleAssociation {
project Project @relation(fields: [projectId], references: [id], onDelete: Cascade, onUpdate: Cascade)
projectId String

environments Environment[]

@@unique([roleId, projectId])
}

Expand Down
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
import 'reflect-metadata'
import { CreateWorkspaceRole } from './create-workspace-role'

describe('CreateWorkspaceRole', () => {
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,23 @@
import { Authority } from '@prisma/client'
import { IsArray, IsOptional, IsString } from 'class-validator'
import {
IsArray,
IsNotEmpty,
IsOptional,
IsString,
ValidateNested
} from 'class-validator'
import { Type } from 'class-transformer'

class ProjectEnvironments {
@IsString()
@IsNotEmpty()
readonly projectSlug: string

@IsArray()
@IsOptional()
@IsNotEmpty({ each: true })
readonly environmentSlugs?: string[]
}

export class CreateWorkspaceRole {
@IsString()
Expand All @@ -19,5 +37,7 @@ export class CreateWorkspaceRole {

@IsArray()
@IsOptional()
readonly projectSlugs?: string[]
@ValidateNested({ each: true })
@Type(() => ProjectEnvironments)
readonly projectEnvironments?: ProjectEnvironments[]
}
Loading
Loading