featbit · cosmos-explorer · Mar 18, 2023 · Mar 8, 2023 · Mar 9, 2023 · Mar 11, 2023
diff --git a/infra/mongodb/docker-entrypoint-initdb.d/init.js b/infra/mongodb/docker-entrypoint-initdb.d/init.js
@@ -96,37 +96,56 @@ db.Policies.insertOne(
         statements: [
             {
                 _id: getUUIDString(),
-                resourceType: "general",
+                resourceType: "account",
+                effect: "allow",
+                actions: ["UpdateOrgName"],
+                resources: ["account/*"]
+            },
+            {
+                _id: getUUIDString(),
+                resourceType: "iam",
                 effect: "allow",
                 actions: ["CanManageIAM"],
-                resources: ["iam"]
+                resources: ["iam/*"]
             },
             {
                 _id: getUUIDString(),
-                resourceType: "general",
+                resourceType: "access-token",
                 effect: "allow",
-                actions: ["UpdateOrgName"],
-                resources: ["account"]
+                actions: [
+                    "ManageServiceAccessTokens",
+                    "ManagePersonalAccessTokens",
+                    "ListAccessTokens"
+                ],
+                resources: ["access-token/*"]
             },
             {
                 _id: getUUIDString(),
-                resourceType: "general",
+                resourceType: "project",
                 effect: "allow",
                 actions: [
                     "ListProjects",
                     "CreateProject",
                     "DeleteProject",
-                    "AccessEnvs",
                     "UpdateProjectSettings",
                     "ListEnvs",
-                    "CreateEnv",
+                    "CreateEnv"
+                ],
+                resources: ["project/*"]
+            },
+            {
+                _id: getUUIDString(),
+                resourceType: "env",
+                effect: "allow",
+                actions: [
+                    "AccessEnvs",
                     "DeleteEnv",
                     "UpdateEnvSettings",
                     "CreateEnvSecret",
                     "DeleteEnvSecret",
                     "UpdateEnvSecret"
                 ],
-                resources: ["project"]
+                resources: ["project/*:env/*"]
             }
         ],
         createdAt: new Date(),
@@ -143,14 +162,33 @@ db.Policies.insertOne(
         statements: [
             {
                 _id: getUUIDString(),
-                resourceType: "general",
+                resourceType: "access-token",
+                effect: "allow",
+                actions: [
+                    "ManageServiceAccessTokens",
+                    "ManagePersonalAccessTokens",
+                    "ListAccessTokens"
+                ],
+                resources: ["access-token/*"]
+            },
+            {
+                _id: getUUIDString(),
+                resourceType: "project",
                 effect: "allow",
                 actions: [
-                    "AccessEnvs",
                     "ListProjects",
                     "ListEnvs"
                 ],
-                resources: ["project"]
+                resources: ["project/*"]
+            },
+            {
+                _id: getUUIDString(),
+                resourceType: "env",
+                effect: "allow",
+                actions: [
+                    "AccessEnvs"
+                ],
+                resources: ["project/*:env/*"]
             }
         ],
         createdAt: new Date(),

diff --git a/modules/back-end/src/Api/Controllers/AccessTokenController.cs b/modules/back-end/src/Api/Controllers/AccessTokenController.cs
@@ -0,0 +1,79 @@
+using Application.AccessTokens;
+using Application.Bases.Models;
+
+namespace Api.Controllers;
+
+[Route("api/v{version:apiVersion}/organizations/{organizationId:guid}/access-tokens")]
+public class AccessTokenController : ApiControllerBase
+{
+    [HttpGet]
+    public async Task<ApiResponse<PagedResult<AccessTokenVm>>> GetListAsync(
+        Guid organizationId,
+        [FromQuery] AccessTokenFilter filter)
+    {
+        var request = new GetAccessTokenList
+        {
+            OrganizationId = organizationId,
+            Filter = filter
+        };
+
+        var accessTokens = await Mediator.Send(request);
+        return Ok(accessTokens);
+    }
+
+    [HttpGet("is-name-used")]
+    public async Task<ApiResponse<bool>> IsNameUsedAsync(Guid organizationId, string name)
+    {
+        var request = new IsAccessTokenNameUsed
+        {
+            OrganizationId = organizationId,
+            Name = name
+        };
+
+        var isNameUsed = await Mediator.Send(request);
+        return Ok(isNameUsed);
+    }
+
+    [HttpPost]
+    public async Task<ApiResponse<AccessTokenVm>> CreateAsync(Guid organizationId, CreateAccessToken request)
+    {
+        request.OrganizationId = organizationId;
+
+        var accessToken = await Mediator.Send(request);
+        return Ok(accessToken);
+    }
+
+    [HttpPut("{id:guid}/toggle")]
+    public async Task<ApiResponse<bool>> ToggleAsync(Guid id)
+    {
+        var request = new ToggleAccessTokenStatus
+        {
+            Id = id
+        };
+
+        var success = await Mediator.Send(request);
+        return Ok(success);
+    }
+
+    [HttpDelete("{id:guid}")]
+    public async Task<ApiResponse<bool>> DeleteAsync(Guid id)
+    {
+        var request = new DeleteAccessToken
+        {
+            Id = id
+        };
+
+        var success = await Mediator.Send(request);
+        return Ok(success);
+    }
+
+    [HttpPut("{id:guid}")]
+    public async Task<ApiResponse<bool>> UpdateAsync(Guid id, UpdateAccessToken request)
+    {
+        request.Id = id;
+
+        var accessTokenVm = await Mediator.Send(request);
+
+        return Ok(accessTokenVm);
+    }
+}
diff --git a/modules/back-end/src/Application/AccessTokens/AccessTokenFilter.cs b/modules/back-end/src/Application/AccessTokens/AccessTokenFilter.cs
@@ -0,0 +1,12 @@
+using Application.Bases.Models;
+
+namespace Application.AccessTokens;
+
+public class AccessTokenFilter : PagedRequest
+{
+    public string Name { get; set; }
+
+    public Guid? CreatorId { get; set; }
+
+    public string Type { get; set; }
+}
diff --git a/modules/back-end/src/Application/AccessTokens/AccessTokenVm.cs b/modules/back-end/src/Application/AccessTokens/AccessTokenVm.cs
@@ -0,0 +1,23 @@
+using Application.Users;
+using Domain.Policies;
+
+namespace Application.AccessTokens;
+
+public class AccessTokenVm
+{
+    public Guid Id { get; set; }
+
+    public string Name { get; set; }
+
+    public string Type { get; set; }
+
+    public string Status { get; set; }
+
+    public string Token { get; set; }
+
+    public IEnumerable<PolicyStatement> Permissions { get; set; }
+
+    public DateTime? LastUsedAt { get; set; }
+
+    public UserVm Creator { get; set; }
+}
diff --git a/modules/back-end/src/Application/AccessTokens/CreateAccessToken.cs b/modules/back-end/src/Application/AccessTokens/CreateAccessToken.cs
@@ -0,0 +1,116 @@
+using System.Text.RegularExpressions;
+using Application.Bases;
+using Application.Bases.Exceptions;
+using Application.Users;
+using Domain.AccessTokens;
+using Domain.Policies;
+
+namespace Application.AccessTokens;
+
+public class CreateAccessToken : IRequest<AccessTokenVm>
+{
+    public Guid OrganizationId { get; set; }
+
+    public string Name { get; set; }
+
+    public string Type { get; set; }
+
+    public IEnumerable<PolicyStatement> Permissions { get; set; }
+}
+
+public class CreateAccessTokenValidator : AbstractValidator<CreateAccessToken>
+{
+    public CreateAccessTokenValidator()
+    {
+        RuleFor(x => x.Name)
+            .NotEmpty().WithErrorCode(ErrorCodes.NameIsRequired);
+
+        RuleFor(x => x.Type)
+            .Must(AccessTokenTypes.IsDefined).WithErrorCode(ErrorCodes.InvalidAccessTokenType);
+
+        RuleFor(x => x.Permissions)
+            .Must(permissions => permissions.Any())
+            .Unless(x => x.Type == AccessTokenTypes.Personal)
+            .WithErrorCode(ErrorCodes.ServiceAccessTokenMustDefinePolicies);
+    }
+}
+
+public class CreateAccessTokenHandler : IRequestHandler<CreateAccessToken, AccessTokenVm>
+{
+    private readonly IMemberService _memberService;
+    private readonly ICurrentUser _currentUser;
+    private readonly IAccessTokenService _service;
+    private readonly IMapper _mapper;
+
+    public CreateAccessTokenHandler(
+        IAccessTokenService service,
+        IMemberService memberService,
+        ICurrentUser currentUser,
+        IMapper mapper)
+    {
+        _service = service;
+        _currentUser = currentUser;
+        _memberService = memberService;
+        _mapper = mapper;
+    }
+
+    public async Task<AccessTokenVm> Handle(CreateAccessToken request, CancellationToken cancellationToken)
+    {
+        if (request.Type == AccessTokenTypes.Service)
+        {
+            var authorizedPolices =
+                await _memberService.GetPoliciesAsync(request.OrganizationId, _currentUser.Id);
+
+            var haveUnauthorizedPermissions = request.Permissions.Any(x =>
+            {
+                var matchedPolicy = authorizedPolices.FirstOrDefault(policy =>
+                    policy.Statements.Any(statement =>
+                        (statement.ResourceType == x.ResourceType || statement.ResourceType == "*") &&
+                        statement.Effect == "allow" &&
+                        x.Resources.All(rsc => statement.Resources.Any(resource => MatchRule(rsc, resource))) &&
+                        x.Actions.All(act => statement.Actions.Any(action => MatchRule(act, action))))
+                );
+
+                return matchedPolicy == null;
+            });
+
+            if (haveUnauthorizedPermissions)
+            {
+                throw new BusinessException(ErrorCodes.Forbidden);
+            }
+        }
+
+        var existed =
+            await _service.FindOneAsync(at => string.Equals(at.Name, request.Name, StringComparison.OrdinalIgnoreCase));
+        if (existed != null)
+        {
+            throw new BusinessException(ErrorCodes.EntityExistsAlready);
+        }
+
+        var accessToken =
+            new AccessToken(request.OrganizationId, _currentUser.Id, request.Name, request.Type, request.Permissions);
+
+        await _service.AddOneAsync(accessToken);
+
+        return _mapper.Map<AccessTokenVm>(accessToken);
+    }
+
+    // use "*" (star) as a wildcard for example:
+    // "a*b" => everything that starts with "a" and ends with "b"
+    // "a*" => everything that starts with "a"
+    // "*b" => everything that ends with "b"
+    // "*a*" => everything that has an "a" in it
+    // "*a*b*"=> everything that has an "a" in it, followed by anything, followed by a "b", followed by anything
+    private static bool MatchRule(string str, string rule)
+    {
+        string EscapeRegex(string s) => Regex.Replace(s, "([.*+?^=!:${}()|\\[\\]\\\\/])", "\\$1");
+
+        var matchPattern = rule
+            .Split('*')
+            .Select(EscapeRegex)
+            .Aggregate((x, y) => $"{x}.*{y}");
+
+        var regex = new Regex($"^{matchPattern}$");
+        return regex.IsMatch(str);
+    }
+}
diff --git a/modules/back-end/src/Application/AccessTokens/DeleteAccessToken.cs b/modules/back-end/src/Application/AccessTokens/DeleteAccessToken.cs
@@ -0,0 +1,23 @@
+namespace Application.AccessTokens;
+
+public class DeleteAccessToken : IRequest<bool>
+{
+    public Guid Id { get; set; }
+}
+
+public class DeleteAccessTokenHandler : IRequestHandler<DeleteAccessToken, bool>
+{
+    private readonly IAccessTokenService _service;
+
+    public DeleteAccessTokenHandler(IAccessTokenService service)
+    {
+        _service = service;
+    }
+
+    public async Task<bool> Handle(DeleteAccessToken request, CancellationToken cancellationToken)
+    {
+        await _service.DeleteAsync(request.Id);
+
+        return true;
+    }
+}