fix: Deployment version refactor rbac

[adityachoudhari26]

Summary by CodeRabbit

• Refactor

  • Streamlined authorization logic across the platform by shifting from legacy release-based permissions to deployment version–based permissions.
  • Standardized resource type references to ensure consistent access control for deployment operations.
  • Adjusted underlying role-based access configurations and related checks to better align with current deployment version processes.

• New Features

  • Introduced new permissions for managing deployment versions: DeploymentVersionCreate, DeploymentVersionGet, DeploymentVersionUpdate, and DeploymentVersionList.

[coderabbitai]

Walkthrough

This PR updates the authorization logic to shift the focus from release management to deployment version management. Across multiple files, permission checks and resource types have been updated accordingly. The changes affect API endpoints, routers, RBAC utilities, database schemas, SQL queries, and permission enums. No change has been made to the overall request flow beyond the modified permission names and resource identifiers.

Changes

File(s)	Change Summary
apps/webservice/src/app/api/v1/releases/[releaseId]/route.ts apps/webservice/src/app/api/v1/releases/route.ts	PATCH/POST handlers: Updated authorization checks from Permission.ReleaseUpdate/Create to Permission.DeploymentVersionUpdate/Create; updated resource type from "release" to "deploymentVersion".
packages/api/src/router/deployment-version.ts packages/api/src/router/environment-approval.ts packages/api/src/router/job.ts packages/api/src/router/release-deploy.ts packages/api/src/router/release-metadata-keys.ts	Router endpoints: Revised permissions for list, get, create, and related procedures; updated resource types in authorization checks from "release" to "deploymentVersion".
packages/auth/src/utils/rbac.ts packages/db/src/schema/rbac.ts packages/validators/src/auth/index.ts	RBAC & Permission Utilities: Renamed getReleaseScopes to getDeploymentVersionScopes and updated related export; updated enum values by replacing release-based permissions with deployment version-based ones.
packages/job-dispatch/src/policies/release-sequencing.ts	SQL Query: Modified join condition by replacing rjt2.version_id with rjt2.deployment_version_id to correctly link job triggers with deployment versions.

Sequence Diagram(s)

sequenceDiagram
    participant U as User
    participant A as API Endpoint
    participant RB as RBAC Engine
    participant DB as Database

    U->>A: Send request (e.g., PATCH update)
    A->>RB: Check authorization (DeploymentVersionUpdate)
    RB-->>A: Return permission granted/denied
    A->>DB: Process update if authorized
    DB-->>A: Return result
    A-->>U: Send response

Loading

Possibly related PRs

• fix: Deploy release if it is after latest non-pending #200: Updates authorization checks in the release-deploy router, shifting from releases to deployment versions similar to the changes in this PR.

Suggested reviewers

• jsbroks

Poem

A hop, a skip, in code so bright,
From releases to deployment versions in sight.
Permissions change with a gentle flutter,
Like leaves that dance and softly mutter.
With whiskers twitching in pure delight,
I celebrate these changes through day and night! 🐇

Tip

⚡🧪 Multi-step agentic review comment chat (experimental)

• We're introducing multi-step agentic chat in review comments. This experimental feature enhances review discussions with the CodeRabbit agentic chat by enabling advanced interactions, including the ability to create pull requests directly from comments.
  - To enable this feature, set early_access to true under in the settings.

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a475ca7 and 3e26658.

📒 Files selected for processing (1)

• packages/api/src/router/job.ts (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/api/src/router/job.ts

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: Typecheck
• GitHub Check: Lint
• GitHub Check: build (linux/amd64)

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

packages/job-dispatch/src/policies/release-sequencing.ts (1)

54-54: Resource reference updated to deployment_version_id

The SQL query now correctly references deployment_version_id instead of version_id, aligning with the shift from release management to deployment version management.

However, the table alias release2 might be confusing since it references a table now identified as deploymentVersion. Consider updating the alias for consistency.

-            inner join ${schema.deploymentVersion} as release2 on rjt2.deployment_version_id = release2.id
+            inner join ${schema.deploymentVersion} as deploymentVersion2 on rjt2.deployment_version_id = deploymentVersion2.id

packages/api/src/router/environment-approval.ts (1)

1-181: Consider updating function and variable names

While the authorization resource types have been properly updated from "release" to "deploymentVersion", function parameters and variable names still use "release" terminology (e.g., releaseId).

Consider updating these names in a future refactoring to maintain consistency throughout the codebase.

packages/api/src/router/release-metadata-keys.ts (1)

1-64: Consider renaming router and file in a future update

While the permission checks have been updated correctly, the router name (releaseMetadataKeysRouter) and file name (release-metadata-keys.ts) still reference "release".

Consider updating these names in a future refactoring to maintain consistency with the new deployment version terminology.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 10e7de1 and a475ca7.

📒 Files selected for processing (11)

• apps/webservice/src/app/api/v1/releases/[releaseId]/route.ts (1 hunks)
• apps/webservice/src/app/api/v1/releases/route.ts (1 hunks)
• packages/api/src/router/deployment-version.ts (7 hunks)
• packages/api/src/router/environment-approval.ts (4 hunks)
• packages/api/src/router/job.ts (2 hunks)
• packages/api/src/router/release-deploy.ts (2 hunks)
• packages/api/src/router/release-metadata-keys.ts (2 hunks)
• packages/auth/src/utils/rbac.ts (4 hunks)
• packages/db/src/schema/rbac.ts (1 hunks)
• packages/job-dispatch/src/policies/release-sequencing.ts (1 hunks)
• packages/validators/src/auth/index.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

`**/*.{ts,tsx}`: **Note on Error Handling:** Avoid strict en...

**/*.{ts,tsx}: Note on Error Handling:
Avoid strict enforcement of try/catch blocks. Code may use early returns, Promise chains (.then().catch()), or other patterns for error handling. These are acceptable as long as they maintain clarity and predictability.

• packages/db/src/schema/rbac.ts
• packages/job-dispatch/src/policies/release-sequencing.ts
• apps/webservice/src/app/api/v1/releases/route.ts
• packages/api/src/router/release-metadata-keys.ts
• packages/api/src/router/environment-approval.ts
• apps/webservice/src/app/api/v1/releases/[releaseId]/route.ts
• packages/api/src/router/release-deploy.ts
• packages/validators/src/auth/index.ts
• packages/api/src/router/job.ts
• packages/auth/src/utils/rbac.ts
• packages/api/src/router/deployment-version.ts

🧠 Learnings (1)

packages/db/src/schema/rbac.ts (1)

Learnt from: adityachoudhari26
PR: ctrlplanedev/ctrlplane#181
File: packages/auth/src/utils/rbac.ts:102-118
Timestamp: 2025-03-12T21:38:05.696Z
Learning: The `releaseChannel` scope type is included in the `scopeType` enum in `packages/db/src/schema/rbac.ts`.

⏰ Context from checks skipped due to timeout of 90000ms (5)

• GitHub Check: Typecheck
• GitHub Check: Lint
• GitHub Check: build (linux/amd64)
• GitHub Check: build (linux/amd64)
• GitHub Check: build (linux/amd64)

🔇 Additional comments (23)

packages/db/src/schema/rbac.ts (1)

36-36: Scope type updated to reflect architectural shift

The change from "release" to "deploymentVersion" in the scopeType enum correctly implements the architectural shift from release management to deployment version management.

This change is well aligned with the retrieved learning that the scopeType enum includes various scope types, now including "deploymentVersion".

packages/api/src/router/environment-approval.ts (4)

22-22: Authorization resource type updated

Resource type has been updated from "release" to "deploymentVersion" while maintaining the same permission. This correctly aligns with the updated scope type defined in the RBAC schema.

---

68-68: Resource type updated for approve procedure

The approve procedure now correctly authorizes against "deploymentVersion" resource type instead of "release".

---

130-130: Resource type updated for reject procedure

The reject procedure now correctly authorizes against "deploymentVersion" resource type instead of "release".

---

164-164: Resource type updated for statusByReleasePolicyId procedure

The statusByReleasePolicyId procedure now correctly authorizes against "deploymentVersion" resource type instead of "release".

packages/api/src/router/release-metadata-keys.ts (2)

14-14: Permission updated to DeploymentVersionGet

The permission check has been correctly updated from Permission.ReleaseGet to Permission.DeploymentVersionGet, aligning with the shift from release management to deployment version management.

---

39-39: Permission updated to DeploymentVersionGet

The permission check for the byWorkspace procedure has been correctly updated from Permission.ReleaseGet to Permission.DeploymentVersionGet, maintaining consistency with the updated permission structure.

apps/webservice/src/app/api/v1/releases/route.ts (1)

43-43: LGTM - Permission update aligns with deployment version refactoring

This change correctly updates the permission check from ReleaseCreate to DeploymentVersionCreate to align with the shift from release management to deployment version management.

apps/webservice/src/app/api/v1/releases/[releaseId]/route.ts (1)

32-33: LGTM - Permission and resource type updates aligned with deployment version focus

The changes correctly update both the permission check (from ReleaseUpdate to DeploymentVersionUpdate) and the resource type (from "release" to "deploymentVersion"), maintaining consistency with the deployment version management refactoring.

packages/api/src/router/release-deploy.ts (2)

24-27: LGTM - Permission and resource type updates for toEnvironment

The changes correctly update both the permission check (replacing ReleaseGet with DeploymentVersionGet) and the resource type (from "release" to "deploymentVersion"), maintaining consistency with the deployment version management refactoring.

---

71-74: LGTM - Permission and resource type updates for toResource

The changes correctly update both the permission check (replacing ReleaseGet with DeploymentVersionGet) and the resource type (from "release" to "deploymentVersion"), maintaining consistency with the deployment version management refactoring.

packages/auth/src/utils/rbac.ts (3)

91-110: LGTM - Function rename and return type updates

The function has been correctly renamed from getReleaseScopes to getDeploymentVersionScopes and the return type values have been updated to reflect deployment version instead of release, maintaining consistency with the deployment version management refactoring.

---

375-375: LGTM - Updated type in job scopes return array

The type in the job scopes return array has been correctly updated from "release" to "deploymentVersion", maintaining consistency with the deployment version management refactoring.

---

398-398: LGTM - Updated key in scopeHandlers object

The key in the scopeHandlers object has been correctly updated from release to deploymentVersion, maintaining consistency with the deployment version management refactoring.

packages/validators/src/auth/index.ts (1)

85-88: Permission enum update to reflect deployment version focus

The changes correctly implement the transition from release-based permissions to deployment version-based permissions, aligning with the PR's objective to refocus authorization logic on deployment version management.

packages/api/src/router/job.ts (1)

774-776: LGTM - Properly updated authorization check

The permission and resource type have been correctly updated to use Permission.DeploymentVersionGet and "deploymentVersion" respectively, maintaining consistency with the new permission model.

packages/api/src/router/deployment-version.ts (7)

52-55: LGTM - Permission correctly updated

The permission has been properly updated to Permission.DeploymentVersionList, aligning with the new permission structure.

---

123-126: LGTM - Authorization check properly updated

Both the permission and resource type have been correctly updated to Permission.DeploymentVersionGet and "deploymentVersion" respectively.

---

173-176: LGTM - Create permission properly updated

The permission has been correctly updated to Permission.DeploymentVersionCreate while maintaining the same resource type.

---

242-249: LGTM - Blocked check authorization properly updated

The permission and resource type have been properly updated to Permission.DeploymentVersionGet and "deploymentVersion" for the blocked checks.

---

354-359: LGTM - Status authorization check properly updated

The permission and resource type are correctly updated for the status retrieval by environment ID.

---

401-410: LGTM - System directory authorization check properly updated

The conditional check maintains proper permission structure, using DeploymentVersionGet for release ID checks and DeploymentGet for deployment ID checks.

---

461-466: LGTM - Latest completion check properly updated

The permission has been correctly updated while maintaining the same resource type for checking deployment access.