shuttle-hq · chesedo · Apr 16, 2024 · Apr 11, 2024 · Apr 11, 2024 · Apr 11, 2024
diff --git a/backends/src/client/gateway.rs b/backends/src/client/gateway.rs
@@ -107,13 +107,17 @@ mod tests {
                     id: "00000000000000000000000001".to_string(),
                     name: "user-1-project-1".to_string(),
                     state: State::Stopped,
-                    idle_minutes: Some(30)
+                    idle_minutes: Some(30),
+                    owner: shuttle_common::models::project::Owner::User("user-1".to_string()),
+                    is_admin: true,
                 },
                 Response {
                     id: "00000000000000000000000002".to_string(),
                     name: "user-1-project-2".to_string(),
                     state: State::Ready,
-                    idle_minutes: Some(30)
+                    idle_minutes: Some(30),
+                    owner: shuttle_common::models::project::Owner::User("user-1".to_string()),
+                    is_admin: true,
                 }
             ]
         )

diff --git a/backends/src/client/permit.rs b/backends/src/client/permit.rs
@@ -29,12 +29,12 @@ use permit_pdp_client_rs::{
         policy_updater_api::trigger_policy_update_policy_updater_trigger_post,
         Error as PermitPDPClientError,
     },
-    models::{AuthorizationQuery, Resource, User, UserPermissionsQuery, UserPermissionsResult},
+    models::{AuthorizationQuery, Resource, User, UserPermissionsQuery},
 };
 use serde::{Deserialize, Serialize};
 use shuttle_common::{
     claims::AccountTier,
-    models::{error::ApiError, organization},
+    models::{error::ApiError, organization, project},
 };
 use tracing::error;
 
@@ -60,6 +60,9 @@ pub trait PermissionsDal {
     /// Deletes a Project resource
     async fn delete_project(&self, project_id: &str) -> Result<()>;
 
+    /// Get list of all projects the user has direct permissions for
+    async fn get_personal_projects(&self, user_id: &str) -> Result<Vec<String>>;
+
     // Organization management
 
     /// Creates an Organization resource and assigns the user as admin for the organization
@@ -68,6 +71,10 @@ pub trait PermissionsDal {
     /// Deletes an Organization resource
     async fn delete_organization(&self, user_id: &str, org_id: &str) -> Result<()>;
 
+    /// Get the details of an organization
+    async fn get_organization(&self, user_id: &str, org_id: &str)
+        -> Result<organization::Response>;
+
     /// Get a list of all the organizations a user has access to
     async fn get_organizations(&self, user_id: &str) -> Result<Vec<organization::Response>>;
 
@@ -123,10 +130,11 @@ pub trait PermissionsDal {
 
     // Permissions queries
 
-    /// Get list of all projects user has permissions for
-    async fn get_user_projects(&self, user_id: &str) -> Result<Vec<UserPermissionsResult>>;
     /// Check if user can perform action on this project
     async fn allowed(&self, user_id: &str, project_id: &str, action: &str) -> Result<bool>;
+
+    /// Get the owner of a project
+    async fn get_project_owner(&self, user_id: &str, project_id: &str) -> Result<Owner>;
 }
 
 /// Simple details of an organization to create
@@ -153,6 +161,21 @@ impl OrganizationAttributes {
     }
 }
 
+#[derive(Debug, PartialEq)]
+pub enum Owner {
+    User(String),
+    Organization(String),
+}
+
+impl From<Owner> for project::Owner {
+    fn from(owner: Owner) -> Self {
+        match owner {
+            Owner::User(id) => project::Owner::User(id),
+            Owner::Organization(id) => project::Owner::Organization(id),
+        }
+    }
+}
+
 /// Wrapper for the Permit.io API and PDP (Policy decision point) API
 #[derive(Clone)]
 pub struct Client {
@@ -280,24 +303,31 @@ impl PermissionsDal for Client {
         .await?)
     }
 
-    async fn get_user_projects(&self, user_id: &str) -> Result<Vec<UserPermissionsResult>> {
-        let perms = get_user_permissions_user_permissions_post(
-            &self.pdp,
-            UserPermissionsQuery {
-                user: Box::new(User {
-                    key: user_id.to_owned(),
-                    ..Default::default()
-                }),
-                resource_types: Some(vec!["Project".to_owned()]),
-                tenants: Some(vec!["default".to_owned()]),
-                ..Default::default()
-            },
+    async fn get_personal_projects(&self, user_id: &str) -> Result<Vec<String>> {
+        let projects = list_role_assignments(
+            &self.api,
+            &self.proj_id,
+            &self.env_id,
+            Some(user_id),
+            Some("admin"),
+            Some("default"),
+            Some("Project"),
+            None,
+            None,
             None,
             None,
         )
-        .await?;
+        .await?
+        .into_iter()
+        .map(|ra| ra.resource_instance.expect("to have resource instance"))
+        .map(|ri| {
+            ri.strip_prefix("Project:")
+                .expect("ID to start with the 'Project:' prefix")
+                .to_string()
+        })
+        .collect();
 
-        Ok(perms.into_values().collect())
+        Ok(projects)
     }
 
     async fn allowed(&self, user_id: &str, project_id: &str, action: &str) -> Result<bool> {
@@ -436,6 +466,52 @@ impl PermissionsDal for Client {
         Ok(projects)
     }
 
+    async fn get_organization(
+        &self,
+        user_id: &str,
+        org_id: &str,
+    ) -> Result<organization::Response> {
+        let mut perms = get_user_permissions_user_permissions_post(
+            &self.pdp,
+            UserPermissionsQuery {
+                user: Box::new(User {
+                    key: user_id.to_owned(),
+                    ..Default::default()
+                }),
+                resources: Some(vec![format!("Organization:{org_id}")]),
+                tenants: Some(vec!["default".to_owned()]),
+                ..Default::default()
+            },
+            None,
+            None,
+        )
+        .await?;
+
+        let Some(org) = perms.remove(&format!("Organization:{org_id}")) else {
+            return Err(Error::ResponseError(ResponseContent {
+                status: StatusCode::FORBIDDEN,
+                content: "User does not have permission to view the organization".to_owned(),
+                entity: "Organization".to_owned(),
+            }));
+        };
+
+        let res = if let Some(resource) = org.resource {
+            let attributes = resource.attributes.unwrap_or_default();
+            let org_attrs = serde_json::from_value::<OrganizationAttributes>(attributes)
+                .expect("to read organization attributes");
+
+            organization::Response {
+                id: resource.key,
+                display_name: org_attrs.display_name,
+                is_admin: org.roles.unwrap_or_default().contains(&"admin".to_string()),
+            }
+        } else {
+            unreachable!("the permission will always have a resource")
+        };
+
+        Ok(res)
+    }
+
     async fn get_organizations(&self, user_id: &str) -> Result<Vec<organization::Response>> {
         let perms = get_user_permissions_user_permissions_post(
             &self.pdp,
@@ -644,6 +720,40 @@ impl PermissionsDal for Client {
 
         Ok(members)
     }
+
+    async fn get_project_owner(&self, user_id: &str, project_id: &str) -> Result<Owner> {
+        if !self.allowed(user_id, project_id, "view").await? {
+            return Err(Error::ResponseError(ResponseContent {
+                status: StatusCode::FORBIDDEN,
+                content: "User does not have permission to view the project".to_owned(),
+                entity: "Project".to_owned(),
+            }));
+        }
+
+        let relationships = list_relationship_tuples(
+            &self.api,
+            &self.proj_id,
+            &self.env_id,
+            Some(true),
+            None,
+            None,
+            Some("default"),
+            None,
+            Some("parent"),
+            Some(&format!("Project:{project_id}")),
+            None,
+            Some("Organization"),
+        )
+        .await?;
+
+        if let Some(rel) = relationships.into_iter().next() {
+            let org_id = rel.subject_details.expect("to have subject details").key;
+            Ok(Owner::Organization(org_id))
+        } else {
+            // If a user is able to view a project while the project has no parent org, then this user must be the project owner
+            Ok(Owner::User(user_id.to_owned()))
+        }
+    }
 }
 
 // Helpers for trait methods

diff --git a/backends/src/test_utils/gateway.rs b/backends/src/test_utils/gateway.rs
@@ -2,7 +2,6 @@ use std::sync::Arc;
 
 use async_trait::async_trait;
 use permit_client_rs::models::UserRead;
-use permit_pdp_client_rs::models::UserPermissionsResult;
 use serde::Serialize;
 use shuttle_common::models::organization;
 use tokio::sync::Mutex;
@@ -13,7 +12,7 @@ use wiremock::{
 };
 
 use crate::client::{
-    permit::{Organization, Result},
+    permit::{Organization, Owner, Result},
     PermissionsDal,
 };
 
@@ -148,11 +147,11 @@ impl PermissionsDal for PermissionsMock {
         Ok(())
     }
 
-    async fn get_user_projects(&self, user_id: &str) -> Result<Vec<UserPermissionsResult>> {
+    async fn get_personal_projects(&self, user_id: &str) -> Result<Vec<String>> {
         self.calls
             .lock()
             .await
-            .push(format!("get_user_projects {user_id}"));
+            .push(format!("get_personal_projects {user_id}"));
         Ok(vec![])
     }
 
@@ -180,6 +179,18 @@ impl PermissionsDal for PermissionsMock {
         Ok(())
     }
 
+    async fn get_organization(
+        &self,
+        user_id: &str,
+        org_id: &str,
+    ) -> Result<organization::Response> {
+        self.calls
+            .lock()
+            .await
+            .push(format!("get_organization {user_id} {org_id}"));
+        Ok(Default::default())
+    }
+
     async fn get_organization_projects(&self, user_id: &str, org_id: &str) -> Result<Vec<String>> {
         self.calls
             .lock()
@@ -268,4 +279,12 @@ impl PermissionsDal for PermissionsMock {
             .push(format!("get_organization_members {user_id} {org_id}"));
         Ok(Default::default())
     }
+
+    async fn get_project_owner(&self, user_id: &str, project_id: &str) -> Result<Owner> {
+        self.calls
+            .lock()
+            .await
+            .push(format!("get_project_owner {user_id} {project_id}"));
+        Ok(Owner::User(user_id.to_string()))
+    }
 }