unleash.unleash/src/lib/db/role-store.ts

import EventEmitter from 'events';
import { Knex } from 'knex';
import { Logger, LogProvider } from '../logger';
import NotFoundError from '../error/notfound-error';
import { ICustomRole } from 'lib/types/model';
import {
    ICustomRoleInsert,
    ICustomRoleUpdate,
    IRoleStore,
} from 'lib/types/stores/role-store';
import { IRole, IUserRole } from 'lib/types/stores/access-store';

const T = {
    ROLE_USER: 'role_user',
    GROUP_ROLE: 'group_role',
    ROLES: 'roles',
};

const COLUMNS = ['id', 'name', 'description', 'type'];

interface IRoleRow {
    id: number;
    name: string;
    description: string;
    type: string;
}

export default class RoleStore implements IRoleStore {
    private logger: Logger;

    private eventBus: EventEmitter;

    private db: Knex;

    constructor(db: Knex, eventBus: EventEmitter, getLogger: LogProvider) {
        this.db = db;
        this.eventBus = eventBus;
        this.logger = getLogger('lib/db/role-store.ts');
    }

    async getAll(): Promise<ICustomRole[]> {
        const rows = await this.db
            .select(COLUMNS)
            .from(T.ROLES)
            .orderBy('name', 'asc');

        return rows.map(this.mapRow);
    }

    async create(role: ICustomRoleInsert): Promise<ICustomRole> {
        const row = await this.db(T.ROLES)
            .insert({
                name: role.name,
                description: role.description,
                type: role.roleType,
            })
            .returning('*');
        return this.mapRow(row[0]);
    }

    async delete(id: number): Promise<void> {
        return this.db(T.ROLES).where({ id }).del();
    }

    async get(id: number): Promise<ICustomRole> {
        const rows = await this.db.select(COLUMNS).from(T.ROLES).where({ id });
        if (rows.length === 0) {
            throw new NotFoundError(`Could not find role with id: ${id}`);
        }
        return this.mapRow(rows[0]);
    }

    async update(role: ICustomRoleUpdate): Promise<ICustomRole> {
        const rows = await this.db(T.ROLES)
            .where({
                id: role.id,
            })
            .update({
                id: role.id,
                name: role.name,
                description: role.description,
            })
            .returning('*');
        return this.mapRow(rows[0]);
    }

    async exists(id: number): Promise<boolean> {
        const result = await this.db.raw(
            `SELECT EXISTS (SELECT 1 FROM ${T.ROLES} WHERE id = ?) AS present`,
            [id],
        );
        const { present } = result.rows[0];
        return present;
    }

    async nameInUse(name: string, existingId?: number): Promise<boolean> {
        let query = this.db(T.ROLES).where({ name }).returning('id');
        if (existingId) {
            query = query.andWhereNot({ id: existingId });
        }
        const result = await query;
        return result.length > 0;
    }

    async deleteAll(): Promise<void> {
        return this.db(T.ROLES).del();
    }

    mapRow(row: IRoleRow): ICustomRole {
        if (!row) {
            throw new NotFoundError('No row');
        }

        return {
            id: row.id,
            name: row.name,
            description: row.description,
            type: row.type,
        };
    }

    async getRoles(): Promise<IRole[]> {
        return this.db
            .select(['id', 'name', 'type', 'description'])
            .from<IRole>(T.ROLES);
    }

    async getRoleWithId(id: number): Promise<IRole> {
        return this.db
            .select(['id', 'name', 'type', 'description'])
            .where('id', id)
            .first()
            .from<IRole>(T.ROLES);
    }

    async getProjectRoles(): Promise<IRole[]> {
        return this.db
            .select(['id', 'name', 'type', 'description'])
            .from<IRole>(T.ROLES)
            .where('type', 'custom')
            .orWhere('type', 'project');
    }

    async getRolesForProject(projectId: string): Promise<IRole[]> {
        return this.db
            .select(['r.id', 'r.name', 'r.type', 'ru.project', 'r.description'])
            .from<IRole>(`${T.ROLE_USER} as ru`)
            .innerJoin(`${T.ROLES} as r`, 'ru.role_id', 'r.id')
            .where('project', projectId);
    }

    async getRootRoles(): Promise<IRole[]> {
        return this.db
            .select(['id', 'name', 'type', 'description'])
            .from<IRole>(T.ROLES)
            .where('type', 'root');
    }

    async removeRolesForProject(projectId: string): Promise<void> {
        return this.db(T.ROLE_USER)
            .where({
                project: projectId,
            })
            .delete();
    }

    async getRootRoleForAllUsers(): Promise<IUserRole[]> {
        const rows = await this.db
            .select('id', 'user_id')
            .distinctOn('user_id')
            .from(`${T.ROLES} AS r`)
            .leftJoin(`${T.ROLE_USER} AS ru`, 'r.id', 'ru.role_id')
            .where('r.type', '=', 'root');

        return rows.map((row) => ({
            roleId: Number(row.id),
            userId: Number(row.user_id),
        }));
    }

    async getRoleByName(name: string): Promise<IRole> {
        return this.db(T.ROLES).where({ name }).first();
    }

    destroy(): void {}
}
feat: custom project roles (#1220) * wip: environment for permissions * fix: add migration for roles * fix: connect environment with access service * feat: add tests * chore: Implement scaffolding for new rbac * fix: add fake store * feat: Add api endpoints for roles and permissions list * feat: Add ability to provide permissions when creating a role and rename environmentName to name in the list permissions datastructure * fix: Make project roles resolve correctly against new environments permissions structure * fix: Patch migration to also populate permission names * fix: Make permissions actually work with new environments * fix: Add back to get permissions working for editor role * fix: Removed ability to set role type through api during creation - it's now always custom * feat: Return permissions on get role endpoint * feat: Add in support for updating roles * fix: Get a bunch of tests working and delete a few that make no sense anymore * chore: A few small cleanups - remove logging and restore default on dev server config * chore: Refactor role/access stores into more logical domains * feat: Add in validation for roles * feat: Patch db migration to handle old stucture * fix: migration for project roles * fix: patch a few broken tests * fix: add permissions to editor * fix: update test name * fix: update user permission mapping * fix: create new user * fix: update root role test * fix: update tests * feat: Validation now works when updating a role * fix: Add in very barebones down migration for rbac so that tests work * fix: Improve responses from role resolution - getting a non existant role will throw a NotFound error * fix: remove unused permissions * fix: add test for connecting roles and deleting project * fix: add test for adding a project member with a custom role * fix: add test for changing user role * fix: add guard for deleting role if the role is in use * fix: alter migration * chore: Minor code cleanups * chore: Small code cleanups * chore: More minor cleanups of code * chore: Trim some dead code to make the linter happy * feat: Schema validation for roles * fix: setup permission for variant * fix: remove unused import * feat: Add cascading delete for role_permissions when deleting a role * feat: add configuration option for disabling legacy api * chore: update frontend to beta version * 4.6.0-beta.0 * fix: export default project constant * fix: update snapshot * fix: module pattern ../../lib * fix: move DEFAULT_PROJECT to types * fix: remove debug logging * fix: remove debug log state * fix: Change permission descriptions * fix: roles should have unique name * fix: root roles should be connected to the default project * fix: typo in role-schema.ts * fix: Role permission empty string for non environment type * feat: new permission for moving project * fix: add event for changeProject * fix: Removing a user from a project will now check to see if that project has an owner, rather than checking if any project has an owner * fix: add tests for move project * fix: Add in missing create/delete tag permissions * fix: Removed duplicate impl caused by multiple good samaritans putting it back in! * fix: Trim out add tag permissions, for now at least * chore: Trim out new add and delete tag permissions - we're going with update feature instead * chore: update frontend * 4.6.0-beta.1 * feat: Prevent editing of built in roles * fix: Patch an issue where permissions for variants/environments didn't match the front end * fix: lint Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> Co-authored-by: Fredrik Oseberg <fredrik.no@gmail.com> 2022-01-13 11:14:17 +01:00			`import EventEmitter from 'events';`
			`import { Knex } from 'knex';`
			`import { Logger, LogProvider } from '../logger';`
			`import NotFoundError from '../error/notfound-error';`
			`import { ICustomRole } from 'lib/types/model';`
			`import {`
			`ICustomRoleInsert,`
			`ICustomRoleUpdate,`
			`IRoleStore,`
			`} from 'lib/types/stores/role-store';`
			`import { IRole, IUserRole } from 'lib/types/stores/access-store';`

			`const T = {`
			`ROLE_USER: 'role_user',`
Feat/grouping (#1845) * Implement user grouping feature for permissions Co-authored-by: Thomas Heartman <thomas@getunleash.ai> Co-authored-by: Jaanus Sellin <sellinjaanus@gmail.com> Co-authored-by: Nuno Góis <github@nunogois.com> Co-authored-by: Thomas Heartman <thomas@getunleash.ai> 2022-07-21 16:23:56 +02:00			`GROUP_ROLE: 'group_role',`
feat: custom project roles (#1220) * wip: environment for permissions * fix: add migration for roles * fix: connect environment with access service * feat: add tests * chore: Implement scaffolding for new rbac * fix: add fake store * feat: Add api endpoints for roles and permissions list * feat: Add ability to provide permissions when creating a role and rename environmentName to name in the list permissions datastructure * fix: Make project roles resolve correctly against new environments permissions structure * fix: Patch migration to also populate permission names * fix: Make permissions actually work with new environments * fix: Add back to get permissions working for editor role * fix: Removed ability to set role type through api during creation - it's now always custom * feat: Return permissions on get role endpoint * feat: Add in support for updating roles * fix: Get a bunch of tests working and delete a few that make no sense anymore * chore: A few small cleanups - remove logging and restore default on dev server config * chore: Refactor role/access stores into more logical domains * feat: Add in validation for roles * feat: Patch db migration to handle old stucture * fix: migration for project roles * fix: patch a few broken tests * fix: add permissions to editor * fix: update test name * fix: update user permission mapping * fix: create new user * fix: update root role test * fix: update tests * feat: Validation now works when updating a role * fix: Add in very barebones down migration for rbac so that tests work * fix: Improve responses from role resolution - getting a non existant role will throw a NotFound error * fix: remove unused permissions * fix: add test for connecting roles and deleting project * fix: add test for adding a project member with a custom role * fix: add test for changing user role * fix: add guard for deleting role if the role is in use * fix: alter migration * chore: Minor code cleanups * chore: Small code cleanups * chore: More minor cleanups of code * chore: Trim some dead code to make the linter happy * feat: Schema validation for roles * fix: setup permission for variant * fix: remove unused import * feat: Add cascading delete for role_permissions when deleting a role * feat: add configuration option for disabling legacy api * chore: update frontend to beta version * 4.6.0-beta.0 * fix: export default project constant * fix: update snapshot * fix: module pattern ../../lib * fix: move DEFAULT_PROJECT to types * fix: remove debug logging * fix: remove debug log state * fix: Change permission descriptions * fix: roles should have unique name * fix: root roles should be connected to the default project * fix: typo in role-schema.ts * fix: Role permission empty string for non environment type * feat: new permission for moving project * fix: add event for changeProject * fix: Removing a user from a project will now check to see if that project has an owner, rather than checking if any project has an owner * fix: add tests for move project * fix: Add in missing create/delete tag permissions * fix: Removed duplicate impl caused by multiple good samaritans putting it back in! * fix: Trim out add tag permissions, for now at least * chore: Trim out new add and delete tag permissions - we're going with update feature instead * chore: update frontend * 4.6.0-beta.1 * feat: Prevent editing of built in roles * fix: Patch an issue where permissions for variants/environments didn't match the front end * fix: lint Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> Co-authored-by: Fredrik Oseberg <fredrik.no@gmail.com> 2022-01-13 11:14:17 +01:00			`ROLES: 'roles',`
			`};`

			`const COLUMNS = ['id', 'name', 'description', 'type'];`

			`interface IRoleRow {`
			`id: number;`
			`name: string;`
			`description: string;`
			`type: string;`
			`}`

			`export default class RoleStore implements IRoleStore {`
			`private logger: Logger;`

			`private eventBus: EventEmitter;`

			`private db: Knex;`

			`constructor(db: Knex, eventBus: EventEmitter, getLogger: LogProvider) {`
			`this.db = db;`
			`this.eventBus = eventBus;`
			`this.logger = getLogger('lib/db/role-store.ts');`
			`}`

			`async getAll(): Promise<ICustomRole[]> {`
			`const rows = await this.db`
			`.select(COLUMNS)`
			`.from(T.ROLES)`
			`.orderBy('name', 'asc');`

			`return rows.map(this.mapRow);`
			`}`

			`async create(role: ICustomRoleInsert): Promise<ICustomRole> {`
			`const row = await this.db(T.ROLES)`
			`.insert({`
			`name: role.name,`
			`description: role.description,`
			`type: role.roleType,`
			`})`
			`.returning('*');`
			`return this.mapRow(row[0]);`
			`}`

			`async delete(id: number): Promise<void> {`
			`return this.db(T.ROLES).where({ id }).del();`
			`}`

			`async get(id: number): Promise<ICustomRole> {`
			`const rows = await this.db.select(COLUMNS).from(T.ROLES).where({ id });`
			`if (rows.length === 0) {`
			throw new NotFoundError(`Could not find role with id: ${id}`);
			`}`
			`return this.mapRow(rows[0]);`
			`}`

			`async update(role: ICustomRoleUpdate): Promise<ICustomRole> {`
			`const rows = await this.db(T.ROLES)`
			`.where({`
			`id: role.id,`
			`})`
			`.update({`
			`id: role.id,`
			`name: role.name,`
			`description: role.description,`
			`})`
			`.returning('*');`
			`return this.mapRow(rows[0]);`
			`}`

			`async exists(id: number): Promise<boolean> {`
			`const result = await this.db.raw(`
			`SELECT EXISTS (SELECT 1 FROM ${T.ROLES} WHERE id = ?) AS present`,
			`[id],`
			`);`
			`const { present } = result.rows[0];`
			`return present;`
			`}`

			`async nameInUse(name: string, existingId?: number): Promise<boolean> {`
			`let query = this.db(T.ROLES).where({ name }).returning('id');`
			`if (existingId) {`
			`query = query.andWhereNot({ id: existingId });`
			`}`
			`const result = await query;`
			`return result.length > 0;`
			`}`

			`async deleteAll(): Promise<void> {`
			`return this.db(T.ROLES).del();`
			`}`

			`mapRow(row: IRoleRow): ICustomRole {`
			`if (!row) {`
			`throw new NotFoundError('No row');`
			`}`

			`return {`
			`id: row.id,`
			`name: row.name,`
			`description: row.description,`
			`type: row.type,`
			`};`
			`}`

			`async getRoles(): Promise<IRole[]> {`
			`return this.db`
			`.select(['id', 'name', 'type', 'description'])`
			`.from<IRole>(T.ROLES);`
			`}`

			`async getRoleWithId(id: number): Promise<IRole> {`
			`return this.db`
			`.select(['id', 'name', 'type', 'description'])`
			`.where('id', id)`
			`.first()`
			`.from<IRole>(T.ROLES);`
			`}`

			`async getProjectRoles(): Promise<IRole[]> {`
			`return this.db`
			`.select(['id', 'name', 'type', 'description'])`
			`.from<IRole>(T.ROLES)`
			`.where('type', 'custom')`
			`.orWhere('type', 'project');`
			`}`

			`async getRolesForProject(projectId: string): Promise<IRole[]> {`
			`return this.db`
			`.select(['r.id', 'r.name', 'r.type', 'ru.project', 'r.description'])`
			.from<IRole>(`${T.ROLE_USER} as ru`)
			.innerJoin(`${T.ROLES} as r`, 'ru.role_id', 'r.id')
			`.where('project', projectId);`
			`}`

			`async getRootRoles(): Promise<IRole[]> {`
			`return this.db`
			`.select(['id', 'name', 'type', 'description'])`
			`.from<IRole>(T.ROLES)`
			`.where('type', 'root');`
			`}`

			`async removeRolesForProject(projectId: string): Promise<void> {`
			`return this.db(T.ROLE_USER)`
			`.where({`
			`project: projectId,`
			`})`
			`.delete();`
			`}`

			`async getRootRoleForAllUsers(): Promise<IUserRole[]> {`
			`const rows = await this.db`
			`.select('id', 'user_id')`
			`.distinctOn('user_id')`
			.from(`${T.ROLES} AS r`)
			.leftJoin(`${T.ROLE_USER} AS ru`, 'r.id', 'ru.role_id')
			`.where('r.type', '=', 'root');`

			`return rows.map((row) => ({`
			`roleId: Number(row.id),`
			`userId: Number(row.user_id),`
			`}));`
			`}`

			`async getRoleByName(name: string): Promise<IRole> {`
			`return this.db(T.ROLES).where({ name }).first();`
			`}`

			`destroy(): void {}`
			`}`