
[front/lib/api] - refactor: streamline vault permission updates
 - Consolidate updateVaultPermissions logic into VaultResource's updatePermissions method
 - Remove the updateVaultPermissions function as its logic is now handled within the VaultResource class
 - Ensure error handling consistency by using DustError in the updated permissions method

[front/lib/resources] - refactor: integrate permission updates into VaultResource

 - Migrate functionality of updating vault members into the VaultResource's updatePermissions method
 - Remove redundant checks and assertions by centralizing the permission update logic in a single method
Jules authored and Jules committed Oct 21, 2024
1 parent 50691fe commit aa73104
Showing 2 changed files with 47 additions and 68 deletions.
61 changes: 0 additions & 61 deletions front/lib/api/vaults.ts
Expand Up @@ -5,13 +5,11 @@ import { uniq } from "lodash";

import { hardDeleteApp } from "@app/lib/api/apps";
import type { Authenticator } from "@app/lib/auth";
import { DustError } from "@app/lib/error";
import { AppResource } from "@app/lib/resources/app_resource";
import { DataSourceResource } from "@app/lib/resources/data_source_resource";
import { DataSourceViewResource } from "@app/lib/resources/data_source_view_resource";
import { KeyResource } from "@app/lib/resources/key_resource";
import { frontSequelize } from "@app/lib/resources/storage";
import { UserResource } from "@app/lib/resources/user_resource";
import type { VaultResource } from "@app/lib/resources/vault_resource";
import { launchScrubVaultWorkflow } from "@app/poke/temporal/client";

Expand Down Expand Up @@ -150,62 +148,3 @@ export async function hardDeleteVault(

return new Ok(undefined);
}

export async function updateVaultPermissions(
auth: Authenticator,
vault: VaultResource,
{
isRestricted,
memberIds,
}: { isRestricted: boolean; memberIds: string[] | null }
): Promise<Result<undefined, DustError | Error>> {
if (!vault.canAdministrate(auth)) {
return new Err(
new DustError("unauthorized", "Cannot update permissions for vault.")
);
}

const regularGroups = vault.groups.filter(
(group) => group.kind === "regular"
);
// Assert that there is exactly one regular group associated with the vault.
assert(
regularGroups.length === 1,
`Expected exactly one regular group for the vault, but found ${regularGroups.length}.`
);
const [defaultVaultGroup] = regularGroups;

const wasRestricted = vault.groups.every((g) => !g.isGlobal());

if (isRestricted) {
// If the vault should be restricted and was not restricted before, remove the global group.
if (!wasRestricted) {
const updateRes = await vault.updatePermissions(auth, true);
if (updateRes.isErr()) {
return updateRes;
}
}

if (memberIds) {
const users = await UserResource.fetchByIds(memberIds);

return defaultVaultGroup.setMembers(
auth,
users.map((u) => u.toJSON())
);
}

return new Ok(undefined);
} else {
// If the vault should not be restricted and was restricted before, add the global group.
if (wasRestricted) {
const updateRes = await vault.updatePermissions(auth, false);
if (updateRes.isErr()) {
return updateRes;
}
}

// Remove all members.
return defaultVaultGroup.setMembers(auth, []);
}
}
54 changes: 47 additions & 7 deletions front/lib/resources/vault_resource.ts
Expand Up @@ -28,6 +28,8 @@ import type { ReadonlyAttributesType } from "@app/lib/resources/storage/types";
import type { ModelStaticSoftDeletable } from "@app/lib/resources/storage/wrappers";
import { getResourceIdFromSId, makeSId } from "@app/lib/resources/string_ids";
import type { ResourceFindOptions } from "@app/lib/resources/types";
import { DustError } from "@app/lib/error";
import { UserResource } from "@app/lib/resources/user_resource";

// Attributes are marked as read-only to reflect the stateless nature of our Resource.
// This design will be moved up to BaseResource once we transition away from Sequelize.
Expand Down Expand Up @@ -286,27 +288,65 @@ export class VaultResource extends BaseResource<VaultModel> {

async updatePermissions(
auth: Authenticator,
isRestricted: boolean
): Promise<Result<undefined, Error>> {
{
isRestricted,
memberIds,
}: { isRestricted: boolean; memberIds: string[] | null }
): Promise<Result<undefined, DustError>> {
if (!this.canAdministrate(auth)) {
return new Err(
new Error("You do not have permission to update vault permissions.")
new DustError(
"unauthorized",
"You do not have permission to update vault permissions."
)
);
}

const regularGroups = this.groups.filter(
(group) => group.kind === "regular"
);
// Assert that there is exactly one regular group associated with the vault.
assert(
regularGroups.length === 1,
`Expected exactly one regular group for the vault, but found ${regularGroups.length}.`
);
const [defaultVaultGroup] = regularGroups;

const wasRestricted = this.groups.every((g) => !g.isGlobal());

const groupRes = await GroupResource.fetchWorkspaceGlobalGroup(auth);
if (groupRes.isErr()) {
return groupRes;
}

const globalGroup = groupRes.value;
if (isRestricted) {
await this.removeGroup(globalGroup);
// If the vault should be restricted and was not restricted before, remove the global group.
if (!wasRestricted) {
await this.removeGroup(globalGroup);
}

if (memberIds) {
const users = await UserResource.fetchByIds(memberIds);

return defaultVaultGroup.setMembers(
auth,
users.map((u) => u.toJSON())
);
}

return new Ok(undefined);
} else {
await this.addGroup(globalGroup);
}
// If the vault should not be restricted and was restricted before, add the global group.
if (wasRestricted) {
await this.addGroup(globalGroup);
}

return new Ok(undefined);
// Remove all members.
await defaultVaultGroup.setMembers(auth, []);

return new Ok(undefined);
}
}

private async addGroup(group: GroupResource) {
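Review bot: In the new `if (memberIds)` branch, `UserResource.fetchByIds(memberIds)` resolves caller-supplied ids without scoping them to the workspace `auth` belongs to, and ids that resolve to nothing are silently dropped rather than rejected; unless `defaultVaultGroup.setMembers` enforces workspace membership itself (not visible in this hunk), an administrator of one workspace could attach users from another, so a check that every resolved user belongs to the workspace — at minimum rejecting when `users.length !== memberIds.length` — before calling `setMembers` would make that contract explicit. The signature is narrowed to `Promise<Result<undefined, DustError>>` while the `return groupRes;` early exit and the `return defaultVaultGroup.setMembers(...)` pass their results through unchanged; if either of those still carries a plain `Error`, this compiles only because of a wider type than the hunk shows, which is worth confirming. The `assert` on exactly one regular group throws instead of returning an `Err`, which sits oddly in a `Result`-returning method whose other failures are `DustError`s, and the import hunk above adds `DustError` and `UserResource` but not `assert`, so confirm it was already imported in vault_resource.ts. The restricted branch removes the global group before setting members, which fails closed if `setMembers` errors; a one-line comment stating that ordering is deliberate, `// Remove the global group first so a failed setMembers leaves the vault restricted, never open.`, would keep a future reorder from weakening it.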
