Skip to content

Commit

Permalink
feat: allow assignment of multiple teams (#4198)
Browse files Browse the repository at this point in the history
  • Loading branch information
@adrians5j
adrians5j authored Sep 16, 2024
1 parent a25dbef commit b6d0bfe
Show file tree
Hide file tree
Showing 40 changed files with 767 additions and 373 deletions.
13 changes: 7 additions & 6 deletions packages/api-aco/src/createAcoContext.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,23 +58,24 @@ const setupAcoContext = async (

const folderLevelPermissions = new FolderLevelPermissions({
getIdentity: () => security.getIdentity(),
getIdentityTeam: async () => {
listIdentityTeams: async () => {
return security.withoutAuthorization(async () => {
const identity = security.getIdentity();
if (!identity) {
return null;
return [];
}

const adminUser = await context.adminUsers.getUser({ where: { id: identity.id } });
if (!adminUser) {
return null;
return [];
}

if (!adminUser.team) {
return null;
const hasTeams = adminUser.teams && adminUser.teams.length > 0;
if (hasTeams) {
return context.security.listTeams({ where: { id_in: adminUser.teams } });
}

return context.security.getTeam({ where: { id: adminUser.team } });
return [];
});
},
listPermissions: () => security.listPermissions(),
Expand Down
35 changes: 18 additions & 17 deletions packages/api-aco/src/utils/FolderLevelPermissions.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ interface ListFolderPermissionsParams {

export interface FolderLevelPermissionsParams {
getIdentity: Authentication["getIdentity"];
getIdentityTeam: () => Promise<Team | null>;
listIdentityTeams: () => Promise<Team[]>;
listPermissions: () => Promise<SecurityPermission[]>;
listAllFolders: (folderType: string) => Promise<Folder[]>;
canUseTeams: () => boolean;
Expand All @@ -57,7 +57,7 @@ export class FolderLevelPermissions {
canUseFolderLevelPermissions: () => boolean;

private readonly getIdentity: Authentication["getIdentity"];
private readonly getIdentityTeam: () => Promise<Team | null>;
private readonly listIdentityTeams: () => Promise<Team[]>;
private readonly listPermissions: () => Promise<SecurityPermission[]>;
private readonly listAllFoldersCallback: (folderType: string) => Promise<Folder[]>;
private readonly canUseTeams: () => boolean;
Expand All @@ -67,7 +67,7 @@ export class FolderLevelPermissions {

constructor(params: FolderLevelPermissionsParams) {
this.getIdentity = params.getIdentity;
this.getIdentityTeam = params.getIdentityTeam;
this.listIdentityTeams = params.listIdentityTeams;
this.listPermissions = params.listPermissions;
this.listAllFoldersCallback = params.listAllFolders;
this.canUseTeams = params.canUseTeams;
Expand Down Expand Up @@ -152,7 +152,6 @@ export class FolderLevelPermissions {
if (!this.canUseFolderLevelPermissions() || !this.isAuthorizationEnabled()) {
resolve([]);
return;
// return [];
}

const { folderType, foldersList } = params;
Expand All @@ -161,9 +160,9 @@ export class FolderLevelPermissions {
const identity = this.getIdentity();
const permissions = await this.listPermissions();

let identityTeam: Team | null;
let identityTeams: Team[];
if (this.canUseTeams()) {
identityTeam = await this.getIdentityTeam();
identityTeams = await this.listIdentityTeams();
}

const processedFolderPermissions: FolderPermissionsListItem[] = [];
Expand Down Expand Up @@ -285,18 +284,20 @@ export class FolderLevelPermissions {
level: "owner",
inheritedFrom: "role:full-access"
};
} else if (identityTeam) {
// 2. Check the team user belongs to grants access to the folder.
const teamPermission = currentFolderPermissions.permissions.find(
p => p.target === `team:${identityTeam!.id}`
);
} else if (identityTeams.length) {
// 2. Check the teams user belongs to and that grant access to the folder.
for (const identityTeam of identityTeams) {
const teamPermission = currentFolderPermissions.permissions.find(
p => p.target === `team:${identityTeam!.id}`
);

if (teamPermission) {
currentIdentityPermission = {
target: `admin:${identity.id}`,
level: teamPermission.level,
inheritedFrom: "team:" + identityTeam!.id
};
if (teamPermission) {
currentIdentityPermission = {
target: `admin:${identity.id}`,
level: teamPermission.level,
inheritedFrom: "team:" + identityTeam!.id
};
}
}
}

Expand Down
60 changes: 60 additions & 0 deletions packages/api-admin-users/src/createExternalIdpAdminUserHooks.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
import { ContextPlugin } from "@webiny/api";
import { AdminUsersContext } from "~/types";

export const createExternalIdpAdminUserHooks = () => {
return new ContextPlugin<AdminUsersContext>(async context => {
const { security, adminUsers } = context;

security.onLogin.subscribe(async ({ identity }) => {
await security.withoutAuthorization(async () => {
const user = await adminUsers.getUser({ where: { id: identity.id } });

const id = identity.id;
const email = identity.email || `id:${id}`;
const displayName = identity.displayName || "Missing display name";

const data = {
displayName,
email,
groups: [] as string[],
teams: [] as string[]
};

let groupSlugs: string[] = [];
if (identity.group) {
groupSlugs = [identity.group];
}

if (Array.isArray(identity.groups)) {
groupSlugs = groupSlugs.concat(identity.groups);
}

let teamSlugs: string[] = [];
if (identity.team) {
teamSlugs = [identity.team];
}

if (Array.isArray(identity.teams)) {
teamSlugs = teamSlugs.concat(identity.teams);
}

if (groupSlugs.length > 0) {
const groups = await security.listGroups({ where: { slug_in: groupSlugs } });
data.groups = groups.map(group => group.id);
}

if (teamSlugs.length > 0) {
const teams = await security.listTeams({ where: { slug_in: teamSlugs } });
data.teams = teams.map(team => team.id);
}

if (user) {
await adminUsers.updateUser(identity.id, data);
return;
}

await adminUsers.createUser({ id, ...data });
});
});
});
};
19 changes: 10 additions & 9 deletions packages/api-admin-users/src/graphql/user.gql.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ export default (params: CreateUserGraphQlPluginsParams) => {
displayName: String!
email: String!
group: SecurityGroup
groups: [SecurityGroup]
firstName: String
lastName: String
avatar: JSON
Expand Down Expand Up @@ -103,12 +103,12 @@ export default (params: CreateUserGraphQlPluginsParams) => {
gravatar(user: AdminUser) {
return "https://www.gravatar.com/avatar/" + md5(user.email);
},
group(user, _, context) {
if (!user.group) {
groups(user: AdminUser, _, context) {
if (!user.groups) {
return null;
}

return context.security.getGroup({ where: { id: user.group } });
return context.security.listGroups({ where: { id_in: user.groups } });
}
},
AdminUsersQuery: {
Expand Down Expand Up @@ -164,17 +164,18 @@ export default (params: CreateUserGraphQlPluginsParams) => {
new GraphQLSchemaPlugin<AdminUsersContext>({
typeDefs: /* GraphQL */ `
extend type AdminUser {
team: SecurityTeam
teams: [SecurityTeam]
}
`,
resolvers: {
AdminUser: {
team(user, _, context) {
if (!user.team) {
return null;
teams(user: AdminUser, _, context) {
const hasTeams = Array.isArray(user.teams) && user.teams.length > 0;
if (!hasTeams) {
return [];
}

return context.security.getTeam({ where: { id: user.team } });
return context.security.listTeams({ where: { id_in: user.teams } });
}
}
}
Expand Down
8 changes: 5 additions & 3 deletions packages/api-admin-users/src/types.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,9 +22,10 @@ export interface BaseUserAttributes {
// Check `api-security-okta` package for an example.
email: string;

groups?: string[];
teams?: string[];

// Optional fields.
group?: string | null;
team?: string | null;
firstName?: string;
lastName?: string;
avatar?: Record<string, any>;
Expand Down Expand Up @@ -157,7 +158,8 @@ export interface InstallParams {
lastName: string;
email: string;
password: string;
group?: string;
groups?: string[];
teams?: string[];
}

export interface AdminUsers {
Expand Down
8 changes: 8 additions & 0 deletions packages/api-authentication/src/types.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,16 @@ export interface Identity {
// the group and team information is retrieved from the IdP and the verified auth token. See:
// - https://www.webiny.com/docs/enterprise/okta-integration#3-configure-okta-in-the-graph-ql-api
// - https://www.webiny.com/docs/enterprise/auth0-integration#3-configure-auth0-in-the-graph-ql-api

// @deprecated Use `groups` instead.
group?: string;

// @deprecated Use `teams` instead.
team?: string;

// Using these properties assigning multiple groups or teams.
groups?: string[];
teams?: string[];

[key: string]: any;
}
1 change: 0 additions & 1 deletion packages/api-security-auth0/package.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@
"author": "Webiny Ltd.",
"license": "Webiny Enterprise",
"dependencies": {
"@webiny/api": "0.0.0",
"@webiny/api-admin-users": "0.0.0",
"@webiny/api-i18n": "0.0.0",
"@webiny/api-security": "0.0.0",
Expand Down
50 changes: 2 additions & 48 deletions packages/api-security-auth0/src/createAdminUsersHooks.ts
View file
Original file line number Diff line number Diff line change
@@ -1,49 +1,3 @@
import { ContextPlugin } from "@webiny/api";
import { AdminUsersContext } from "@webiny/api-admin-users/types";
import { createExternalIdpAdminUserHooks } from "@webiny/api-admin-users/createExternalIdpAdminUserHooks";

export const createAdminUsersHooks = () => {
return new ContextPlugin<AdminUsersContext>(async context => {
const { security, adminUsers } = context;

security.onLogin.subscribe(async ({ identity }) => {
await security.withoutAuthorization(async () => {
const user = await adminUsers.getUser({ where: { id: identity.id } });

const id = identity.id;
const email = identity.email || `id:${id}`;
const displayName = identity.displayName || "Missing display name";

let groupId: string | null = null;
let teamId: string | null = null;

if (identity.group) {
const group = await security.getGroup({ where: { slug: identity.group } });
if (group) {
groupId = group.id;
}
}

if (identity.team) {
const team = await security.getTeam({ where: { slug: identity.team } });
if (team) {
teamId = team.id;
}
}

const data = {
displayName,
email,
group: groupId,
team: teamId
};

if (user) {
await adminUsers.updateUser(identity.id, data);
return;
}

await adminUsers.createUser({ id, ...data });
});
});
});
};
export const createAdminUsersHooks = createExternalIdpAdminUserHooks;
1 change: 0 additions & 1 deletion packages/api-security-auth0/tsconfig.build.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@
"extends": "../../tsconfig.build.json",
"include": ["src"],
"references": [
{ "path": "../api/tsconfig.build.json" },
{ "path": "../api-admin-users/tsconfig.build.json" },
{ "path": "../api-i18n/tsconfig.build.json" },
{ "path": "../api-security/tsconfig.build.json" },
Expand Down
3 changes: 0 additions & 3 deletions packages/api-security-auth0/tsconfig.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@
"extends": "../../tsconfig.json",
"include": ["src", "__tests__"],
"references": [
{ "path": "../api" },
{ "path": "../api-admin-users" },
{ "path": "../api-i18n" },
{ "path": "../api-security" },
Expand All @@ -19,8 +18,6 @@
"paths": {
"~/*": ["./src/*"],
"~tests/*": ["./__tests__/*"],
"@webiny/api/*": ["../api/src/*"],
"@webiny/api": ["../api/src"],
"@webiny/api-admin-users/*": ["../api-admin-users/src/*"],
"@webiny/api-admin-users": ["../api-admin-users/src"],
"@webiny/api-i18n/*": ["../api-i18n/src/*"],
Expand Down
2 changes: 1 addition & 1 deletion packages/api-security-cognito/__tests__/graphql/users.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ const DATA_FIELD = /* GraphQL */ `
lastName
avatar
gravatar
group {
groups {
id
slug
name
Expand Down
Loading

0 comments on commit b6d0bfe

Please sign in to comment.