feat(api,cli,api-client,schema): Enhance permissions to allow filtering by environments through project roles (keyshade-xyz#599)

Co-authored-by: rajdip-b <[email protected]>

Author: muntaxir4

api-collection/Workspace Role Controller/Create workspace role.bru

@@ -39,5 +39,5 @@ docs {
   - `description`: (Optional) A description about the role
   - `colorCode`: (Optional) A hex color code for the role
   - `authorities`: (Optional) An array of allowed `Authorities`. Refer prisma schema.
-  - `projectSlugs`: (Optional) An array of project slugs to associate to this role. Associating projects to a role will apply all the authorities in the role to the project aswell.
+  - `projectEnvironments`: (Optional) An array of record containing projectSlug and environmentSlugs array to associate to this role. Associating project with particular environments to a role will allow access to only provided environments for the project.
 }

api-collection/Workspace Role Controller/Update workspace role.bru

@@ -36,5 +36,5 @@ docs {
   - `description`: (Optional) A description about the role
   - `colorCode`: (Optional) A hex color code for the role
   - `authorities`: (Optional) An array of allowed `Authorities`. Refer prisma schema.
-  - `projectIds`: (Optional) An array of project IDs to associate to this role. Associating projects to a role will apply all the authorities in the role to the project aswell.
+  - `projectEnvironments`: (Optional) An array of record containing projectSlug and environmentSlugs array to associate to this role. Associating project with particular environments to a role will allow access to only provided environments for the project.
 }

apps/api/src/common/authority-checker.service.ts

@@ -16,6 +16,7 @@ import { ProjectWithSecrets } from '@/project/project.types'
 import { SecretWithProjectAndVersion } from '@/secret/secret.types'
 import { CustomLoggerService } from './logger.service'
 import {
+  getCollectiveEnvironmentAuthorities,
   getCollectiveProjectAuthorities,
   getCollectiveWorkspaceAuthorities
 } from './collective-authorities'
@@ -221,9 +222,9 @@ export class AuthorityCheckerService {
       throw new NotFoundException(`Environment ${entity.slug} not found`)
     }
 
-    const permittedAuthorities = await getCollectiveProjectAuthorities(
+    const permittedAuthorities = await getCollectiveEnvironmentAuthorities(
       userId,
-      environment.project,
+      environment,
       prisma
     )
 

apps/api/src/common/collective-authorities.ts

@@ -1,3 +1,4 @@
+import { EnvironmentWithProject } from '@/environment/environment.types'
 import {
   Authority,
   PrismaClient,
@@ -93,3 +94,69 @@ export const getCollectiveProjectAuthorities = async (
 
   return authorities
 }
+
+/**
+ * Given the userId and environment, this function returns the set of authorities
+ * that are formed by accumulating a set of all the authorities across all the
+ * roles that the user has in the workspace, adding an extra layer of filtering
+ * by the project and the environment.
+ * @param userId The id of the user
+ * @param environment The environment with the project
+ * @param prisma The prisma client
+ * @returns
+ */
+export const getCollectiveEnvironmentAuthorities = async (
+  userId: User['id'],
+  environment: EnvironmentWithProject,
+  prisma: PrismaClient
+): Promise<Set<Authority>> => {
+  const authorities = new Set<Authority>()
+
+  const roleAssociations = await prisma.workspaceMemberRoleAssociation.findMany(
+    {
+      where: {
+        workspaceMember: {
+          userId,
+          workspaceId: environment.project.workspaceId
+        },
+        role: {
+          OR: [
+            {
+              projects: {
+                some: {
+                  projectId: environment.project.id,
+                  environments: {
+                    some: {
+                      id: environment.id
+                    }
+                  }
+                }
+              }
+            },
+            // Check if the user has the WORKSPACE_ADMIN authority
+            {
+              authorities: {
+                has: Authority.WORKSPACE_ADMIN
+              }
+            }
+          ]
+        }
+      },
+      select: {
+        role: {
+          select: {
+            authorities: true
+          }
+        }
+      }
+    }
+  )
+
+  roleAssociations.forEach((roleAssociation) => {
+    roleAssociation.role.authorities.forEach((authority) => {
+      authorities.add(authority)
+    })
+  })
+
+  return authorities
+}

apps/api/src/environment/dto/create.environment/create.environment.ts

@@ -1,4 +1,4 @@
-import { IsNotEmpty, IsOptional, IsString, Matches } from 'class-validator'
+import { IsNotEmpty, IsOptional, IsString } from 'class-validator'
 
 export class CreateEnvironment {
   @IsString()

apps/api/src/event/event.e2e.spec.ts

@@ -438,7 +438,7 @@ describe('Event Controller Tests', () => {
         description: 'Some description',
         colorCode: '#000000',
         authorities: [],
-        projectSlugs: [project.slug]
+        projectEnvironments: [{ projectSlug: project.slug }]
       }
     )
 

apps/api/src/prisma/migrations/20241226231705_add_accessible_environments_in_role/migration.sql

@@ -0,0 +1,16 @@
+-- CreateTable
+CREATE TABLE "_EnvironmentToProjectWorkspaceRoleAssociation" (
+    "A" TEXT NOT NULL,
+    "B" TEXT NOT NULL,
+
+    CONSTRAINT "_EnvironmentToProjectWorkspaceRoleAssociation_AB_pkey" PRIMARY KEY ("A","B")
+);
+
+-- CreateIndex
+CREATE INDEX "_EnvironmentToProjectWorkspaceRoleAssociation_B_index" ON "_EnvironmentToProjectWorkspaceRoleAssociation"("B");
+
+-- AddForeignKey
+ALTER TABLE "_EnvironmentToProjectWorkspaceRoleAssociation" ADD CONSTRAINT "_EnvironmentToProjectWorkspaceRoleAssociation_A_fkey" FOREIGN KEY ("A") REFERENCES "Environment"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "_EnvironmentToProjectWorkspaceRoleAssociation" ADD CONSTRAINT "_EnvironmentToProjectWorkspaceRoleAssociation_B_fkey" FOREIGN KEY ("B") REFERENCES "ProjectWorkspaceRoleAssociation"("id") ON DELETE CASCADE ON UPDATE CASCADE;

apps/api/src/prisma/migrations/migration_lock.toml

@@ -1,3 +1,3 @@
 # Please do not edit this file manually
-# It should be added in your version-control system (i.e. Git)
+# It should be added in your version-control system (e.g., Git)
 provider = "postgresql"

apps/api/src/prisma/schema.prisma

@@ -253,6 +253,8 @@ model Environment {
   project   Project @relation(fields: [projectId], references: [id], onDelete: Cascade, onUpdate: Cascade)
   projectId String
 
+  projectWorkspaceRoleAssociations ProjectWorkspaceRoleAssociation[]
+
   @@unique([projectId, name])
   @@index([name])
 }
@@ -296,6 +298,8 @@ model ProjectWorkspaceRoleAssociation {
   project   Project @relation(fields: [projectId], references: [id], onDelete: Cascade, onUpdate: Cascade)
   projectId String
 
+  environments Environment[]
+
   @@unique([roleId, projectId])
 }
 

apps/api/src/workspace-role/dto/create-workspace-role/create-workspace-role.spec.ts

@@ -1,3 +1,4 @@
+import 'reflect-metadata'
 import { CreateWorkspaceRole } from './create-workspace-role'
 
 describe('CreateWorkspaceRole', () => {

apps/api/src/workspace-role/dto/create-workspace-role/create-workspace-role.ts

@@ -1,5 +1,23 @@
 import { Authority } from '@prisma/client'
-import { IsArray, IsOptional, IsString } from 'class-validator'
+import {
+  IsArray,
+  IsNotEmpty,
+  IsOptional,
+  IsString,
+  ValidateNested
+} from 'class-validator'
+import { Type } from 'class-transformer'
+
+class ProjectEnvironments {
+  @IsString()
+  @IsNotEmpty()
+  readonly projectSlug: string
+
+  @IsArray()
+  @IsOptional()
+  @IsNotEmpty({ each: true })
+  readonly environmentSlugs?: string[]
+}
 
 export class CreateWorkspaceRole {
   @IsString()
@@ -19,5 +37,7 @@ export class CreateWorkspaceRole {
 
   @IsArray()
   @IsOptional()
-  readonly projectSlugs?: string[]
+  @ValidateNested({ each: true })
+  @Type(() => ProjectEnvironments)
+  readonly projectEnvironments?: ProjectEnvironments[]
 }