Merge pull request #1680 from rocket-admin/backend_ceadr_refactoring

Backend ceadr refactoring

Author: Artuomka

backend/src/common/application/global-database-context.interface.ts

@@ -23,7 +23,6 @@ import { ICustomFieldsRepository } from '../../entities/custom-field/repository/
 import { IEmailVerificationRepository } from '../../entities/email/repository/email-verification.repository.interface.js';
 import { IGroupRepository } from '../../entities/group/repository/group.repository.interface.js';
 import { ILogOutRepository } from '../../entities/log-out/repository/log-out-repository.interface.js';
-import { IPermissionRepository } from '../../entities/permission/repository/permission.repository.interface.js';
 import { ISecretAccessLogRepository } from '../../entities/secret-access-log/repository/secret-access-log-repository.interface.js';
 import { SecretAccessLogEntity } from '../../entities/secret-access-log/secret-access-log.entity.js';
 import { ActionEventsEntity } from '../../entities/table-actions/table-action-events-module/action-event.entity.js';
@@ -70,7 +69,6 @@ export interface IGlobalDatabaseContext extends IDatabaseContext {
 	userRepository: Repository<UserEntity> & IUserRepository;
 	connectionRepository: Repository<ConnectionEntity> & IConnectionRepository;
 	groupRepository: IGroupRepository;
-	permissionRepository: IPermissionRepository;
 	tableSettingsRepository: Repository<TableSettingsEntity> & ITableSettingsRepository;
 	agentRepository: IAgentRepository;
 	emailVerificationRepository: IEmailVerificationRepository;

backend/src/common/application/global-database-context.ts

@@ -42,9 +42,6 @@ import { groupCustomRepositoryExtension } from '../../entities/group/repository/
 import { LogOutEntity } from '../../entities/log-out/log-out.entity.js';
 import { logOutCustomRepositoryExtension } from '../../entities/log-out/repository/log-out-custom-repository-extension.js';
 import { ILogOutRepository } from '../../entities/log-out/repository/log-out-repository.interface.js';
-import { PermissionEntity } from '../../entities/permission/permission.entity.js';
-import { IPermissionRepository } from '../../entities/permission/repository/permission.repository.interface.js';
-import { permissionCustomRepositoryExtension } from '../../entities/permission/repository/permission-custom-repository-extension.js';
 import { secretAccessLogRepositoryExtension } from '../../entities/secret-access-log/repository/secret-access-log-repository.extension.js';
 import { ISecretAccessLogRepository } from '../../entities/secret-access-log/repository/secret-access-log-repository.interface.js';
 import { SecretAccessLogEntity } from '../../entities/secret-access-log/secret-access-log.entity.js';
@@ -123,7 +120,6 @@ export class GlobalDatabaseContext implements IGlobalDatabaseContext {
 	private _userRepository: Repository<UserEntity> & IUserRepository;
 	private _connectionRepository: Repository<ConnectionEntity> & IConnectionRepository;
 	private _groupRepository: IGroupRepository;
-	private _permissionRepository: IPermissionRepository;
 	private _tableSettingsRepository: Repository<TableSettingsEntity> & ITableSettingsRepository;
 	private _agentRepository: IAgentRepository;
 	private _emailVerificationRepository: IEmailVerificationRepository;
@@ -175,9 +171,6 @@ export class GlobalDatabaseContext implements IGlobalDatabaseContext {
 			.getRepository(ConnectionEntity)
 			.extend(customConnectionRepositoryExtension);
 		this._groupRepository = this.appDataSource.getRepository(GroupEntity).extend(groupCustomRepositoryExtension);
-		this._permissionRepository = this.appDataSource
-			.getRepository(PermissionEntity)
-			.extend(permissionCustomRepositoryExtension);
 		this._tableSettingsRepository = this.appDataSource
 			.getRepository(TableSettingsEntity)
 			.extend(tableSettingsCustomRepositoryExtension);
@@ -285,10 +278,6 @@ export class GlobalDatabaseContext implements IGlobalDatabaseContext {
 		return this._groupRepository;
 	}
 
-	public get permissionRepository(): IPermissionRepository {
-		return this._permissionRepository;
-	}
-
 	public get tableSettingsRepository(): Repository<TableSettingsEntity> & ITableSettingsRepository {
 		return this._tableSettingsRepository;
 	}

backend/src/entities/cedar-authorization/cedar-authorization.service.ts

@@ -1,12 +1,10 @@
 import { HttpException, HttpStatus, Inject, Injectable, Logger, OnModuleInit } from '@nestjs/common';
-import { AccessLevelEnum, PermissionTypeEnum } from '../../enums/index.js';
 import { Messages } from '../../exceptions/text/messages.js';
 import { Cacher } from '../../helpers/cache/cacher.js';
 import { IGlobalDatabaseContext } from '../../common/application/global-database-context.interface.js';
 import { BaseType } from '../../common/data-injection.tokens.js';
 import { GroupEntity } from '../group/group.entity.js';
 import { IComplexPermission } from '../permission/permission.interface.js';
-import { PermissionEntity } from '../permission/permission.entity.js';
 import {
 	CedarAction,
 	CedarResourceType,
@@ -87,14 +85,12 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 	): Promise<{ cedarPolicy: string; classicalPermissions: IComplexPermission }> {
 		this.validateCedarPolicyText(cedarPolicy);
 
-		const group = await this.globalDbContext.groupRepository.findGroupWithPermissionsById(groupId);
+		const group = await this.globalDbContext.groupRepository.findGroupByIdWithConnectionAndUsers(groupId);
 		if (!group) {
 			throw new HttpException({ message: Messages.GROUP_NOT_FOUND }, HttpStatus.BAD_REQUEST);
 		}
 
-		const groupWithConnection = await this.globalDbContext.groupRepository.findGroupByIdWithConnectionAndUsers(groupId);
-
-		if (groupWithConnection?.connection?.id !== connectionId) {
+		if (group.connection?.id !== connectionId) {
 			throw new HttpException({ message: Messages.GROUP_NOT_FROM_THIS_CONNECTION }, HttpStatus.BAD_REQUEST);
 		}
 
@@ -106,8 +102,6 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 
 		const classicalPermissions = parseCedarPolicyToClassicalPermissions(cedarPolicy, connectionId, groupId);
 
-		await this.syncClassicalPermissions(group, classicalPermissions);
-
 		group.cedarPolicy = cedarPolicy;
 		await this.globalDbContext.groupRepository.saveNewOrUpdatedGroup(group);
 		Cacher.invalidateCedarPolicyCache(connectionId);
@@ -181,7 +175,7 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 		const userGroups = await this.globalDbContext.groupRepository.findAllUserGroupsInConnection(connectionId, userId);
 		if (userGroups.length === 0) return false;
 
-		const groupPolicies = await this.loadPoliciesPerGroup(connectionId, userGroups);
+		const groupPolicies = this.loadPoliciesPerGroup(userGroups);
 		if (groupPolicies.length === 0) return false;
 
 		const entities = buildCedarEntities(userId, userGroups, connectionId, tableName, dashboardId);
@@ -210,13 +204,8 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 		return false;
 	}
 
-	private async loadPoliciesPerGroup(connectionId: string, userGroups: Array<GroupEntity>): Promise<string[]> {
-		const groups = await this.globalDbContext.groupRepository.findAllGroupsInConnection(connectionId);
-		const userGroupIdSet = new Set(userGroups.map((g) => g.id));
-		return groups
-			.filter((g) => userGroupIdSet.has(g.id))
-			.map((g) => g.cedarPolicy)
-			.filter(Boolean);
+	private loadPoliciesPerGroup(userGroups: Array<GroupEntity>): string[] {
+		return userGroups.map((g) => g.cedarPolicy).filter(Boolean);
 	}
 
 	private async assertUserNotSuspended(userId: string): Promise<void> {
@@ -316,74 +305,4 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 		}
 	}
 
-	private async syncClassicalPermissions(group: GroupEntity, permissions: IComplexPermission): Promise<void> {
-		if (group.permissions && group.permissions.length > 0) {
-			for (const perm of group.permissions) {
-				await this.globalDbContext.permissionRepository.removePermissionEntity(perm);
-			}
-		}
-		group.permissions = [];
-
-		if (permissions.connection.accessLevel !== AccessLevelEnum.none) {
-			const connPerm = new PermissionEntity();
-			connPerm.type = PermissionTypeEnum.Connection;
-			connPerm.accessLevel = permissions.connection.accessLevel;
-			const saved = await this.globalDbContext.permissionRepository.saveNewOrUpdatedPermission(connPerm);
-			group.permissions.push(saved);
-		}
-
-		if (permissions.group.accessLevel !== AccessLevelEnum.none) {
-			const groupPerm = new PermissionEntity();
-			groupPerm.type = PermissionTypeEnum.Group;
-			groupPerm.accessLevel = permissions.group.accessLevel;
-			const saved = await this.globalDbContext.permissionRepository.saveNewOrUpdatedPermission(groupPerm);
-			group.permissions.push(saved);
-		}
-
-		for (const table of permissions.tables) {
-			const access = table.accessLevel;
-			if (access.visibility) {
-				const perm = new PermissionEntity();
-				perm.type = PermissionTypeEnum.Table;
-				perm.accessLevel = AccessLevelEnum.visibility;
-				perm.tableName = table.tableName;
-				const saved = await this.globalDbContext.permissionRepository.saveNewOrUpdatedPermission(perm);
-				group.permissions.push(saved);
-			}
-			if (access.readonly) {
-				const perm = new PermissionEntity();
-				perm.type = PermissionTypeEnum.Table;
-				perm.accessLevel = AccessLevelEnum.readonly;
-				perm.tableName = table.tableName;
-				const saved = await this.globalDbContext.permissionRepository.saveNewOrUpdatedPermission(perm);
-				group.permissions.push(saved);
-			}
-			if (access.add) {
-				const perm = new PermissionEntity();
-				perm.type = PermissionTypeEnum.Table;
-				perm.accessLevel = AccessLevelEnum.add;
-				perm.tableName = table.tableName;
-				const saved = await this.globalDbContext.permissionRepository.saveNewOrUpdatedPermission(perm);
-				group.permissions.push(saved);
-			}
-			if (access.edit) {
-				const perm = new PermissionEntity();
-				perm.type = PermissionTypeEnum.Table;
-				perm.accessLevel = AccessLevelEnum.edit;
-				perm.tableName = table.tableName;
-				const saved = await this.globalDbContext.permissionRepository.saveNewOrUpdatedPermission(perm);
-				group.permissions.push(saved);
-			}
-			if (access.delete) {
-				const perm = new PermissionEntity();
-				perm.type = PermissionTypeEnum.Table;
-				perm.accessLevel = AccessLevelEnum.delete;
-				perm.tableName = table.tableName;
-				const saved = await this.globalDbContext.permissionRepository.saveNewOrUpdatedPermission(perm);
-				group.permissions.push(saved);
-			}
-		}
-
-		await this.globalDbContext.groupRepository.saveNewOrUpdatedGroup(group);
-	}
 }

backend/src/entities/cedar-authorization/cedar-policy-parser.ts

@@ -79,6 +79,10 @@ export function parseCedarPolicyToClassicalPermissions(
 	}
 
 	result.tables = Array.from(tableMap.values());
+	for (const table of result.tables) {
+		const a = table.accessLevel;
+		a.readonly = a.visibility && !a.add && !a.edit && !a.delete;
+	}
 	result.dashboards = Array.from(dashboardMap.values());
 
 	return result;
@@ -215,7 +219,6 @@ function applyTableAction(entry: ITablePermissionData, action: string): void {
 	switch (action) {
 		case 'table:read':
 			entry.accessLevel.visibility = true;
-			entry.accessLevel.readonly = true;
 			break;
 		case 'table:add':
 			entry.accessLevel.add = true;

backend/src/entities/cedar-authorization/scripts/migrate-permissions-to-cedar.ts

@@ -9,7 +9,6 @@ import { ConnectionPropertiesEntity } from '../connection-properties/connection-
 import { CustomFieldsEntity } from '../custom-field/custom-fields.entity.js';
 import { GroupEntity } from '../group/group.entity.js';
 import { LogOutEntity } from '../log-out/log-out.entity.js';
-import { PermissionEntity } from '../permission/permission.entity.js';
 import { TableLogsEntity } from '../table-logs/table-logs.entity.js';
 import { TableSettingsEntity } from '../table-settings/common-table-settings/table-settings.entity.js';
 import { UserEntity } from '../user/user.entity.js';
@@ -50,7 +49,6 @@ import { VerifyInviteUserInCompanyAndConnectionGroupUseCase } from './use-cases/
 			ConnectionEntity,
 			UserEntity,
 			GroupEntity,
-			PermissionEntity,
 			TableSettingsEntity,
 			TableLogsEntity,
 			CustomFieldsEntity,

backend/src/entities/company-info/company-info.module.ts

@@ -10,7 +10,6 @@ import { ConnectionPropertiesEntity } from '../connection-properties/connection-
 import { CustomFieldsEntity } from '../custom-field/custom-fields.entity.js';
 import { GroupEntity } from '../group/group.entity.js';
 import { LogOutEntity } from '../log-out/log-out.entity.js';
-import { PermissionEntity } from '../permission/permission.entity.js';
 import { TableLogsEntity } from '../table-logs/table-logs.entity.js';
 import { TableSettingsEntity } from '../table-settings/common-table-settings/table-settings.entity.js';
 import { UserEntity } from '../user/user.entity.js';
@@ -43,7 +42,6 @@ import { ValidateConnectionTokenUseCase } from './use-cases/validate-connection-
 			ConnectionEntity,
 			UserEntity,
 			GroupEntity,
-			PermissionEntity,
 			TableSettingsEntity,
 			TableLogsEntity,
 			CustomFieldsEntity,

backend/src/entities/connection/connection.module.ts

@@ -99,7 +99,6 @@ export class CreateConnectionUseCase
 				savedConnection,
 				connectionAuthor,
 			);
-			await this._dbContext.permissionRepository.createdDefaultAdminPermissionsInGroup(createdAdminGroup);
 			createdAdminGroup.cedarPolicy = generateCedarPolicyForGroup(
 				savedConnection.id,
 				true,

backend/src/entities/connection/use-cases/create-connection.use.case.ts

@@ -8,14 +8,13 @@ import { isSaaS } from '../../../helpers/app/is-saas.js';
 import { Constants } from '../../../helpers/constants/constants.js';
 import { AmplitudeService } from '../../amplitude/amplitude.service.js';
 import { CedarPermissionsService } from '../../cedar-authorization/cedar-permissions.service.js';
+import { generateCedarPolicyForGroup } from '../../cedar-authorization/cedar-policy-generator.js';
 import { GroupEntity } from '../../group/group.entity.js';
-import { PermissionEntity } from '../../permission/permission.entity.js';
 import { CreateUserDs } from '../../user/application/data-structures/create-user.ds.js';
 import { FindUserDs } from '../../user/application/data-structures/find-user.ds.js';
 import { UserRoleEnum } from '../../user/enums/user-role.enum.js';
 import { buildConnectionEntitiesFromTestDtos } from '../../user/utils/build-connection-entities-from-test-dtos.js';
 import { buildDefaultAdminGroups } from '../../user/utils/build-default-admin-groups.js';
-import { buildDefaultAdminPermissions } from '../../user/utils/build-default-admin-permissions.js';
 import { FoundConnectionsDs } from '../application/data-structures/found-connections.ds.js';
 import { ConnectionEntity } from '../connection.entity.js';
 import { buildFoundConnectionDs } from '../utils/build-found-connection.ds.js';
@@ -76,10 +75,16 @@ export class FindAllConnectionsUseCase
 						return await this._dbContext.groupRepository.saveNewOrUpdatedGroup(group);
 					}),
 				);
-				const testPermissionsEntities = buildDefaultAdminPermissions(createdTestGroups);
 				await Promise.all(
-					testPermissionsEntities.map(async (permission: PermissionEntity) => {
-						await this._dbContext.permissionRepository.saveNewOrUpdatedPermission(permission);
+					createdTestGroups.map(async (group: GroupEntity) => {
+						const connectionId = group.connection?.id;
+						if (!connectionId) return;
+						group.cedarPolicy = generateCedarPolicyForGroup(connectionId, group.isMain, {
+							connection: { connectionId, accessLevel: AccessLevelEnum.edit },
+							group: { groupId: group.id, accessLevel: AccessLevelEnum.edit },
+							tables: [],
+						});
+						await this._dbContext.groupRepository.saveNewOrUpdatedGroup(group);
 					}),
 				);
 				allFoundUserTestConnections.push(...createdTestConnections);