Skip to content

Commit

Permalink
feat: custom project roles (#1220)
Browse files Browse the repository at this point in the history 
* wip: environment for permissions

* fix: add migration for roles

* fix: connect environment with access service

* feat: add tests

* chore: Implement scaffolding for new rbac

* fix: add fake store

* feat: Add api endpoints for roles and permissions list

* feat: Add ability to provide permissions when creating a role and rename environmentName to name in the list permissions datastructure

* fix: Make project roles resolve correctly against new environments permissions structure

* fix: Patch migration to also populate permission names

* fix: Make permissions actually work with new environments

* fix: Add back to get permissions working for editor role

* fix: Removed ability to set role type through api during creation - it's now always custom

* feat: Return permissions on get role endpoint

* feat: Add in support for updating roles

* fix: Get a bunch of tests working and delete a few that make no sense anymore

* chore: A few small cleanups - remove logging and restore default on dev server config

* chore: Refactor role/access stores into more logical domains

* feat: Add in validation for roles

* feat: Patch db migration to handle old stucture

* fix: migration for project roles

* fix: patch a few broken tests

* fix: add permissions to editor

* fix: update test name

* fix: update user permission mapping

* fix: create new user

* fix: update root role test

* fix: update tests

* feat: Validation now works when updating a role

* fix: Add in very barebones down migration for rbac so that tests work

* fix: Improve responses from role resolution - getting a non existant role will throw a NotFound error

* fix: remove unused permissions

* fix: add test for connecting roles and deleting project

* fix: add test for adding a project member with a custom role

* fix: add test for changing user role

* fix: add guard for deleting role if the role is in use

* fix: alter migration

* chore: Minor code cleanups

* chore: Small code cleanups

* chore: More minor cleanups of code

* chore: Trim some dead code to make the linter happy

* feat: Schema validation for roles

* fix: setup permission for variant

* fix: remove unused import

* feat: Add cascading delete for role_permissions when deleting a role

* feat: add configuration option for disabling legacy api

* chore: update frontend to beta version

* 4.6.0-beta.0

* fix: export default project constant

* fix: update snapshot

* fix: module pattern ../../lib

* fix: move DEFAULT_PROJECT to types

* fix: remove debug logging

* fix: remove debug log state

* fix: Change permission descriptions

* fix: roles should have unique name

* fix: root roles should be connected to the default project

* fix: typo in role-schema.ts

* fix: Role permission empty string for non environment type

* feat: new permission for moving project

* fix: add event for changeProject

* fix: Removing a user from a project will now check to see if that project has an owner, rather than checking if any project has an owner

* fix: add tests for move project

* fix: Add in missing create/delete tag permissions

* fix: Removed duplicate impl caused by multiple good samaritans putting it back in!

* fix: Trim out add tag permissions, for now at least

* chore: Trim out new add and delete tag permissions - we're going with update feature instead

* chore: update frontend

* 4.6.0-beta.1

* feat: Prevent editing of built in roles

* fix: Patch an issue where permissions for variants/environments didn't match the front end

* fix: lint

Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com>
Co-authored-by: Fredrik Oseberg <fredrik.no@gmail.com>
  • Loading branch information
@sighphyre @ivarconr @FredrikOseberg
3 people committed Jan 13, 2022
1 parent 18c87ce commit 0c78980
Show file tree
Hide file tree
Showing 45 changed files with 2,326 additions and 669 deletions.
4 changes: 2 additions & 2 deletions package.json
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"name": "unleash-server",
"description": "Unleash is an enterprise ready feature toggles service. It provides different strategies for handling feature toggles.",
"version": "4.5.1",
"version": "4.6.0-beta.1",
"keywords": [
"unleash",
"feature toggle",
Expand Down Expand Up @@ -111,7 +111,7 @@
"response-time": "^2.3.2",
"serve-favicon": "^2.5.0",
"stoppable": "^1.1.0",
"unleash-frontend": "4.4.1",
"unleash-frontend": "4.6.0-beta.1",
"uuid": "^8.3.2"
},
"devDependencies": {
Expand Down
7 changes: 4 additions & 3 deletions src/lib/__snapshots__/create-config.test.ts.snap
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,13 +30,14 @@ Object {
"user": "unleash",
"version": undefined,
},
"disableLegacyFeaturesApi": false,
"email": Object {
"host": undefined,
"host": "smtp.ethereal.email",
"port": 587,
"secure": false,
"sender": "noreply@unleash-hosted.com",
"smtppass": undefined,
"smtpuser": undefined,
"smtppass": "DtBAy8kzwhMjzbY5UJ",
"smtpuser": "maureen.heaney@ethereal.email",
},
"enableOAS": false,
"enterpriseVersion": undefined,
Expand Down
5 changes: 5 additions & 0 deletions src/lib/create-config.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -287,6 +287,10 @@ export function createConfig(options: IUnleashOptions): IUnleashConfig {
const enableOAS =
options.enableOAS || safeBoolean(process.env.ENABLE_OAS, false);

const disableLegacyFeaturesApi =
options.disableLegacyFeaturesApi ||
safeBoolean(process.env.DISABLE_LEGACY_FEATURES_API, false);

return {
db,
session,
Expand All @@ -301,6 +305,7 @@ export function createConfig(options: IUnleashOptions): IUnleashConfig {
email,
secureHeaders,
enableOAS,
disableLegacyFeaturesApi,
preHook: options.preHook,
preRouterHook: options.preRouterHook,
eventHook: options.eventHook,
Expand Down
251 changes: 164 additions & 87 deletions src/lib/db/access-store.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,32 @@ import {
IAccessStore,
IRole,
IUserPermission,
IUserRole,
} from '../types/stores/access-store';
import { IPermission } from '../types/model';
import NotFoundError from '../error/notfound-error';
import {
ENVIRONMENT_PERMISSION_TYPE,
ROOT_PERMISSION_TYPE,
} from '../util/constants';

const T = {
ROLE_USER: 'role_user',
ROLES: 'roles',
ROLE_PERMISSION: 'role_permission',
PERMISSIONS: 'permissions',
PERMISSION_TYPES: 'permission_types',
};

interface IPermissionRow {
id: number;
permission: string;
display_name: string;
environment?: string;
type: string;
project?: string;
role_id: number;
}

export class AccessStore implements IAccessStore {
private logger: Logger;

Expand Down Expand Up @@ -53,75 +70,141 @@ export class AccessStore implements IAccessStore {
}

async get(key: number): Promise<IRole> {
return this.db
const role = await this.db
.select(['id', 'name', 'type', 'description'])
.where('id', key)
.first()
.from<IRole>(T.ROLES);

if (!role) {
throw new NotFoundError(`Could not find role with id: ${key}`);
}

return role;
}

async getAll(): Promise<IRole[]> {
return Promise.resolve([]);
}

async getAvailablePermissions(): Promise<IPermission[]> {
const rows = await this.db
.select(['id', 'permission', 'type', 'display_name'])
.where('type', 'project')
.orWhere('type', 'environment')
.from(`${T.PERMISSIONS} as p`);
return rows.map(this.mapPermission);
}

mapPermission(permission: IPermissionRow): IPermission {
return {
id: permission.id,
name: permission.permission,
displayName: permission.display_name,
type: permission.type,
};
}

async getPermissionsForUser(userId: number): Promise<IUserPermission[]> {
const stopTimer = this.timer('getPermissionsForUser');
const rows = await this.db
.select('project', 'permission')
.from<IUserPermission>(`${T.ROLE_PERMISSION} AS rp`)
.leftJoin(`${T.ROLE_USER} AS ur`, 'ur.role_id', 'rp.role_id')
.select(
'project',
'permission',
'environment',
'type',
'ur.role_id',
)
.from<IPermissionRow>(`${T.ROLE_PERMISSION} AS rp`)
.join(`${T.ROLE_USER} AS ur`, 'ur.role_id', 'rp.role_id')
.join(`${T.PERMISSIONS} AS p`, 'p.id', 'rp.permission_id')
.where('ur.user_id', '=', userId);
stopTimer();
return rows;
return rows.map(this.mapUserPermission);
}

async getPermissionsForRole(roleId: number): Promise<IUserPermission[]> {
const stopTimer = this.timer('getPermissionsForRole');
const rows = await this.db
.select('project', 'permission')
.from<IUserPermission>(`${T.ROLE_PERMISSION}`)
.where('role_id', '=', roleId);
stopTimer();
return rows;
}
mapUserPermission(row: IPermissionRow): IUserPermission {
let project: string = undefined;
// Since the editor should have access to the default project,
// we map the project to the project and environment specific
// permissions that are connected to the editor role.
if (row.type !== ROOT_PERMISSION_TYPE) {
project = row.project;
}

async getRoles(): Promise<IRole[]> {
return this.db
.select(['id', 'name', 'type', 'description'])
.from<IRole>(T.ROLES);
}
const environment =
row.type === ENVIRONMENT_PERMISSION_TYPE
? row.environment
: undefined;

async getRoleWithId(id: number): Promise<IRole> {
return this.db
.select(['id', 'name', 'type', 'description'])
.where('id', id)
.first()
.from<IRole>(T.ROLES);
const result = {
project,
environment,
permission: row.permission,
};
return result;
}

async getRolesForProject(projectId: string): Promise<IRole[]> {
return this.db
.select(['id', 'name', 'type', 'project', 'description'])
.from<IRole>(T.ROLES)
.where('project', projectId)
.andWhere('type', 'project');
async getPermissionsForRole(roleId: number): Promise<IPermission[]> {
const stopTimer = this.timer('getPermissionsForRole');
const rows = await this.db
.select(
'p.id',
'p.permission',
'rp.environment',
'p.display_name',
'p.type',
)
.from<IPermission>(`${T.ROLE_PERMISSION} as rp`)
.join(`${T.PERMISSIONS} as p`, 'p.id', 'rp.permission_id')
.where('rp.role_id', '=', roleId);
stopTimer();
return rows.map((permission) => {
return {
id: permission.id,
name: permission.permission,
environment: permission.environment,
displayName: permission.display_name,
type: permission.type,
};
});
}

async getRootRoles(): Promise<IRole[]> {
return this.db
.select(['id', 'name', 'type', 'project', 'description'])
.from<IRole>(T.ROLES)
.andWhere('type', 'root');
async addEnvironmentPermissionsToRole(
role_id: number,
permissions: IPermission[],
): Promise<void> {
const rows = permissions.map((permission) => {
return {
role_id,
permission_id: permission.id,
environment: permission.environment,
};
});
this.db.batchInsert(T.ROLE_PERMISSION, rows);
}

async removeRolesForProject(projectId: string): Promise<void> {
return this.db(T.ROLES)
async unlinkUserRoles(userId: number): Promise<void> {
return this.db(T.ROLE_USER)
.where({
project: projectId,
user_id: userId,
})
.delete();
}

async getProjectUserIdsForRole(
roleId: number,
projectId?: string,
): Promise<number[]> {
const rows = await this.db
.select(['user_id'])
.from<IRole>(`${T.ROLE_USER} AS ru`)
.join(`${T.ROLES} as r`, 'ru.role_id', 'id')
.where('r.id', roleId)
.andWhere('ru.project', projectId);
return rows.map((r) => r.user_id);
}

async getRolesForUserId(userId: number): Promise<IRole[]> {
return this.db
.select(['id', 'name', 'type', 'project', 'description'])
Expand All @@ -138,18 +221,28 @@ export class AccessStore implements IAccessStore {
return rows.map((r) => r.user_id);
}

async addUserToRole(userId: number, roleId: number): Promise<void> {
async addUserToRole(
userId: number,
roleId: number,
projecId?: string,
): Promise<void> {
return this.db(T.ROLE_USER).insert({
user_id: userId,
role_id: roleId,
project: projecId,
});
}

async removeUserFromRole(userId: number, roleId: number): Promise<void> {
async removeUserFromRole(
userId: number,
roleId: number,
projectId?: string,
): Promise<void> {
return this.db(T.ROLE_USER)
.where({
user_id: userId,
role_id: roleId,
project: projectId,
})
.delete();
}
Expand All @@ -168,67 +261,51 @@ export class AccessStore implements IAccessStore {
.delete();
}

async createRole(
name: string,
type: string,
project?: string,
description?: string,
): Promise<IRole> {
const [id] = await this.db(T.ROLES)
.insert({
name,
description,
type,
project,
})
.returning('id');
return {
id,
name,
description,
type,
project,
};
}

async addPermissionsToRole(
role_id: number,
permissions: string[],
projectId?: string,
environment?: string,
): Promise<void> {
const rows = permissions.map((permission) => ({
const rows = await this.db
.select('id as permissionId')
.from<number>(T.PERMISSIONS)
.whereIn('permission', permissions);

const newRoles = rows.map((row) => ({
role_id,
project: projectId,
permission,
environment,
permission_id: row.permissionId,
}));
return this.db.batchInsert(T.ROLE_PERMISSION, rows);

return this.db.batchInsert(T.ROLE_PERMISSION, newRoles);
}

async removePermissionFromRole(
roleId: number,
role_id: number,
permission: string,
projectId?: string,
environment?: string,
): Promise<void> {
const rows = await this.db
.select('id as permissionId')
.from<number>(T.PERMISSIONS)
.where('permission', permission);

const permissionId = rows[0].permissionId;

return this.db(T.ROLE_PERMISSION)
.where({
role_id: roleId,
permission,
project: projectId,
role_id,
permission_id: permissionId,
environment,
})
.delete();
}

async getRootRoleForAllUsers(): Promise<IUserRole[]> {
const rows = await this.db
.select('id', 'user_id')
.distinctOn('user_id')
.from(`${T.ROLES} AS r`)
.leftJoin(`${T.ROLE_USER} AS ru`, 'r.id', 'ru.role_id')
.where('r.type', '=', 'root');

return rows.map((row) => ({
roleId: +row.id,
userId: +row.user_id,
}));
async wipePermissionsFromRole(role_id: number): Promise<void> {
return this.db(T.ROLE_PERMISSION)
.where({
role_id,
})
.delete();
}
}
Loading

1 comment on commit 0c78980

@vercel
Copy link

@vercel vercel bot commented on 0c78980 Jan 13, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Successfully deployed to the following URLs:

Please sign in to comment.