refactor: extract common helpers in PAT handler and service

Makefile

@@ -4,7 +4,7 @@ TAG := $(shell git rev-list --tags --max-count=1)
 VERSION := $(shell git describe --tags ${TAG})
 .PHONY: build check fmt lint test test-race vet test-cover-html help install proto admin-app compose-up-dev
 .DEFAULT_GOAL := build
-PROTON_COMMIT := "7942a4c43d0d0a07688042bd97a92791f4d04d96"
+PROTON_COMMIT := "6cf988b493611e79377362203eb7782ed19ee5c2"
 
 admin-app:
 	@echo " > generating admin build"

core/userpat/service.go

@@ -27,6 +27,12 @@ import (
 	"golang.org/x/crypto/sha3"
 )
 
+// supportedPATResourceTypes defines resource types allowed for PAT scopes.
+var supportedPATResourceTypes = []string{
+	schema.OrganizationNamespace,
+	schema.ProjectNamespace,
+}
+
 type OrganizationService interface {
 	GetRaw(ctx context.Context, id string) (organization.Organization, error)
 }
@@ -468,10 +474,8 @@ func (s *Service) validateScopes(ctx context.Context, scopes []patmodels.PATScop
 		roleMap[r.ID] = r
 	}
 
-	supportedResourceTypes := []string{schema.OrganizationNamespace, schema.ProjectNamespace}
-
 	for _, sc := range scopes {
-		if !slices.Contains(supportedResourceTypes, sc.ResourceType) {
+		if !slices.Contains(supportedPATResourceTypes, sc.ResourceType) {
 			return fmt.Errorf("resource type %s: %w", sc.ResourceType, paterrors.ErrUnsupportedScope)
 		}
 		r := roleMap[sc.RoleID]
@@ -551,15 +555,14 @@ func (s *Service) ListAllowedRoles(ctx context.Context, scopes []string) ([]role
 	}
 
 	if len(scopes) == 0 {
-		scopes = []string{schema.OrganizationNamespace, schema.ProjectNamespace}
+		scopes = append(scopes, supportedPATResourceTypes...)
 	} else {
 		for i, scope := range scopes {
 			scopes[i] = schema.ParseNamespaceAliasIfRequired(scope)
 		}
-		allowedScopes := []string{schema.OrganizationNamespace, schema.ProjectNamespace}
 		scopes = pkgUtils.Deduplicate(scopes)
 		for _, scope := range scopes {
-			if !slices.Contains(allowedScopes, scope) {
+			if !slices.Contains(supportedPATResourceTypes, scope) {
 				return nil, fmt.Errorf("scope %q: %w", scope, paterrors.ErrUnsupportedScope)
 			}
 		}
@@ -602,47 +605,39 @@ func (s *Service) validateRolePermissions(roles []role.Role) error {
 	return nil
 }
 
-// createOrgScopedPolicy creates a policy on the org with the default "granted" relation.
-func (s *Service) createOrgScopedPolicy(ctx context.Context, patID, orgID, roleID string) error {
+// createPATPolicy creates a single SpiceDB policy for a PAT.
+func (s *Service) createPATPolicy(ctx context.Context, patID, roleID, resourceID, resourceType, grantRelation string) error {
 	if _, err := s.policyService.Create(ctx, policy.Policy{
 		RoleID:        roleID,
-		ResourceID:    orgID,
-		ResourceType:  schema.OrganizationNamespace,
+		ResourceID:    resourceID,
+		ResourceType:  resourceType,
 		PrincipalID:   patID,
 		PrincipalType: schema.PATPrincipal,
+		GrantRelation: grantRelation,
 	}); err != nil {
-		return fmt.Errorf("creating org policy for role %s: %w", roleID, err)
+		s.logger.Error("failed to create PAT policy",
+			"pat_id", patID, "role_id", roleID, "resource_id", resourceID,
+			"resource_type", resourceType, "grant_relation", grantRelation, "error", err)
+		return err
 	}
 	return nil
 }
 
+// createOrgScopedPolicy creates a policy on the org with the default "granted" relation.
+func (s *Service) createOrgScopedPolicy(ctx context.Context, patID, orgID, roleID string) error {
+	return s.createPATPolicy(ctx, patID, roleID, orgID, schema.OrganizationNamespace, schema.RoleGrantRelationName)
+}
+
 // createProjectScopedPolicies creates policies for a project-scoped role.
 // If resourceIDs is empty, it creates a single policy on the org with "pat_granted" relation
 // (cascades to all projects). Otherwise, it creates one policy per project with default "granted".
 func (s *Service) createProjectScopedPolicies(ctx context.Context, patID, orgID, roleID string, resourceIDs []string) error {
 	if len(resourceIDs) == 0 {
-		if _, err := s.policyService.Create(ctx, policy.Policy{
-			RoleID:        roleID,
-			ResourceID:    orgID,
-			ResourceType:  schema.OrganizationNamespace,
-			PrincipalID:   patID,
-			PrincipalType: schema.PATPrincipal,
-			GrantRelation: schema.PATGrantRelationName,
-		}); err != nil {
-			return fmt.Errorf("creating all-projects policy for role %s: %w", roleID, err)
-		}
-		return nil
+		return s.createPATPolicy(ctx, patID, roleID, orgID, schema.OrganizationNamespace, schema.PATGrantRelationName)
 	}
-
 	for _, resourceID := range resourceIDs {
-		if _, err := s.policyService.Create(ctx, policy.Policy{
-			RoleID:        roleID,
-			ResourceID:    resourceID,
-			ResourceType:  schema.ProjectNamespace,
-			PrincipalID:   patID,
-			PrincipalType: schema.PATPrincipal,
-		}); err != nil {
-			return fmt.Errorf("creating project policy for role %s on %s: %w", roleID, resourceID, err)
+		if err := s.createPATPolicy(ctx, patID, roleID, resourceID, schema.ProjectNamespace, schema.RoleGrantRelationName); err != nil {
+			return err
 		}
 	}
 	return nil

core/userpat/service_test.go

@@ -537,6 +537,7 @@ func TestService_CreatePolicies_OrgScopedRole(t *testing.T) {
 		ResourceType:  schema.OrganizationNamespace,
 		PrincipalID:   "pat-1",
 		PrincipalType: schema.PATPrincipal,
+		GrantRelation: schema.RoleGrantRelationName,
 	}).Return(policy.Policy{ID: "pol-1"}, nil)
 	policySvc.On("List", mock.Anything, mock.Anything).Return([]policy.Policy{}, nil).Maybe()
 
@@ -630,13 +631,15 @@ func TestService_CreatePolicies_ProjectScopedSpecificProjects(t *testing.T) {
 		ResourceType:  schema.ProjectNamespace,
 		PrincipalID:   "pat-1",
 		PrincipalType: schema.PATPrincipal,
+		GrantRelation: schema.RoleGrantRelationName,
 	}).Return(policy.Policy{ID: "pol-1"}, nil)
 	policySvc.EXPECT().Create(mock.Anything, policy.Policy{
 		RoleID:        "proj-role-1",
 		ResourceID:    "proj-b",
 		ResourceType:  schema.ProjectNamespace,
 		PrincipalID:   "pat-1",
 		PrincipalType: schema.PATPrincipal,
+		GrantRelation: schema.RoleGrantRelationName,
 	}).Return(policy.Policy{ID: "pol-2"}, nil)
 	policySvc.On("List", mock.Anything, mock.Anything).Return([]policy.Policy{}, nil).Maybe()