Seeded M2M management APIs application #119

Merged
merged 1 commit into from
Aug 30, 2024
14 changes: 14 additions & 0 deletions packages/cli/src/commands/database/ogcio/applications.ts
Expand Up @@ -6,6 +6,7 @@ import { sql, type DatabaseTransactionConnection } from '@silverhand/slonik';

import { type ApplicationSeeder } from './ogcio-seeder.js';
import { createOrUpdateItem } from './queries.js';
import { applyManagementApiRole } from './resources-rbac.js';

type SeedingApplication = {
id: string;
Expand Down Expand Up @@ -91,5 +92,18 @@ export const seedApplications = async (params: {

await Promise.all(queries);

// Seed the M2M application with the correct role
const m2mManagementAPIsApplicationId = params.applications.find(
(app) => app.apply_management_api_role
)?.id;

if (m2mManagementAPIsApplicationId) {
await applyManagementApiRole(
params.transaction,
params.tenantId,
m2mManagementAPIsApplicationId
);
}

return appsToCreate;
};
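Review bot: The `find` on the new lines binds the Management API role to only the first application whose `apply_management_api_role` is true; any further flagged entry in the seed file is silently skipped, so a second M2M app would be created without the role and nothing would report it. Either apply the role to every flagged application or fail loudly when more than one is flagged. The comment above the lookup only says "the correct role", and since this role grants access to the Logto Management API it is worth naming that explicitly at the call site. seedApplications starts outside the hunk.

```typescript
  // Bind the Logto Management API role to every application flagged for it,
  // rather than only the first match.
  const managementApiAppIds = params.applications
    .filter((app) => app.apply_management_api_role)
    .map((app) => app.id);

  await Promise.all(
    managementApiAppIds.map(async (appId) =>
      applyManagementApiRole(params.transaction, params.tenantId, appId)
    )
  );

  return appsToCreate;
```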
46 changes: 22 additions & 24 deletions packages/cli/src/commands/database/ogcio/ogcio-seeder-local.json
Expand Up @@ -107,30 +107,24 @@
"id": "upload-public-servant",
"name": "File Upload Public Servant",
"description": "File Upload Public servant",
"specific_permissions": [
"upload:file:*", "profile:user:read"
]
"specific_permissions": ["upload:file:*", "profile:user:read"]
},
{
"id": "bb-inactive-ps",
"name": "Inactive Public Servant",
"description": "Inactive Public Servant",
"specific_permissions": [
"bb:public-servant.inactive:*"
]
"specific_permissions": ["bb:public-servant.inactive:*"]
},
{
"id": "m2m-ps-profile-reader",
"name": "M2M Public Servant Profile Reader",
"description": "Role for M2M Applications that need to read from Profile resources",
"specific_permissions": [
"profile:user:read"
],
"specific_permissions": ["profile:user:read"],
"type": "MachineToMachine",
"related_applications": [
{"application_id":"ddl4llp30risjwcjymqw3", "organization_id": "ogcio"},
{"application_id":"ddl4llp30risjwcjymqw3", "organization_id": "first-testing"},
{"application_id":"ddl4llp30risjwcjymqw3", "organization_id": "second-testing"}
{ "application_id": "ddl4llp30risjwcjymqw3", "organization_id": "ogcio" },
{ "application_id": "ddl4llp30risjwcjymqw3", "organization_id": "first-testing" },
{ "application_id": "ddl4llp30risjwcjymqw3", "organization_id": "second-testing" }
]
},
{
Expand All @@ -147,8 +141,8 @@
],
"type": "MachineToMachine",
"related_applications": [
{"application_id":"qrtllp45fgbvsdjyasd5", "organization_id": "first-testing"},
{"application_id":"qrtllp45fgbvsdjyasd5", "organization_id": "second-testing"}
{ "application_id": "qrtllp45fgbvsdjyasd5", "organization_id": "first-testing" },
{ "application_id": "qrtllp45fgbvsdjyasd5", "organization_id": "second-testing" }
]
}
],
Expand Down Expand Up @@ -243,6 +237,17 @@
"secret": "e2e_tester_local_secret",
"id": "qrtllp45fgbvsdjyasd5",
"is_third_party": false
},
{
"name": "M2M Management APIs",
"description": "Machine 2 Machine application used to communicate with the Logto Management APIs",
"type": "MachineToMachine",
"redirect_uri": "",
"logout_redirect_uri": "",
"secret": "m2m_management_api_local_secret",
"id": "46ewhh940rn1e29cmecxs",
"is_third_party": false,
"apply_management_api_role": true
}
],
"resources": [
Expand Down Expand Up @@ -308,10 +313,7 @@
},
{
"resource_id": "upload-api",
"specific_permissions": [
"upload:file.self:write",
"upload:file.self:read"
]
"specific_permissions": ["upload:file.self:write", "upload:file.self:read"]
}
],
"resource_roles": [
Expand Down Expand Up @@ -350,9 +352,7 @@
},
{
"resource_id": "upload-api",
"specific_permissions": [
"upload:file.self:read"
]
"specific_permissions": ["upload:file.self:read"]
}
]
},
Expand All @@ -363,9 +363,7 @@
"permissions": [
{
"resource_id": "profile-api",
"specific_permissions": [
"profile:user:read"
]
"specific_permissions": ["profile:user:read"]
}
],
"type": "MachineToMachine",
42 changes: 21 additions & 21 deletions packages/cli/src/commands/database/ogcio/ogcio-seeder-testing.json
Expand Up @@ -91,22 +91,18 @@
"id": "bb-inactive-ps",
"name": "Inactive Public Servant",
"description": "Inactive Public Servant",
"specific_permissions": [
"bb:public-servant.inactive:*"
]
"specific_permissions": ["bb:public-servant.inactive:*"]
},
{
"id": "m2m-ps-profile-reader",
"name": "M2M Public Servant Profile Reader",
"description": "Role for M2M Applications that need to read from Profile resources",
"specific_permissions": [
"profile:user:read"
],
"specific_permissions": ["profile:user:read"],
"type": "MachineToMachine",
"related_applications": [
{"application_id":"tty6llp30risjwcjhbvc9", "organization_id": "ogcio"},
{"application_id":"tty6llp30risjwcjhbvc9", "organization_id": "first-testing"},
{"application_id":"tty6llp30risjwcjhbvc9", "organization_id": "second-testing"}
{ "application_id": "tty6llp30risjwcjhbvc9", "organization_id": "ogcio" },
{ "application_id": "tty6llp30risjwcjhbvc9", "organization_id": "first-testing" },
{ "application_id": "tty6llp30risjwcjhbvc9", "organization_id": "second-testing" }
]
},
{
Expand All @@ -123,8 +119,8 @@
],
"type": "MachineToMachine",
"related_applications": [
{"application_id":"treftr21fgbvsdjwlol9", "organization_id": "first-testing"},
{"application_id":"treftr21fgbvsdjwlol9", "organization_id": "second-testing"}
{ "application_id": "treftr21fgbvsdjwlol9", "organization_id": "first-testing" },
{ "application_id": "treftr21fgbvsdjwlol9", "organization_id": "second-testing" }
]
}
],
Expand Down Expand Up @@ -208,6 +204,17 @@
"secret": "<SEEDER_M2M_E2E_TESTER_APP_SECRET>",
"id": "treftr21fgbvsdjwlol9",
"is_third_party": false
},
{
"name": "M2M Management APIs",
"description": "Machine 2 Machine application used to communicate with the Logto Management APIs",
"type": "MachineToMachine",
"redirect_uri": "",
"logout_redirect_uri": "",
"secret": "<SEEDER_M2M_MANAGEMENT_API_APP_SECRET>",
"id": "46ewhh940rn1e29cmecxs",
"is_third_party": false,
"apply_management_api_role": true
}
],
"resources": [
Expand Down Expand Up @@ -273,10 +280,7 @@
},
{
"resource_id": "upload-api",
"specific_permissions": [
"upload:file.self:write",
"upload:file.self:read"
]
"specific_permissions": ["upload:file.self:write", "upload:file.self:read"]
}
],
"resource_roles": [
Expand Down Expand Up @@ -315,9 +319,7 @@
},
{
"resource_id": "upload-api",
"specific_permissions": [
"upload:file.self:read"
]
"specific_permissions": ["upload:file.self:read"]
}
]
},
Expand All @@ -328,9 +330,7 @@
"permissions": [
{
"resource_id": "profile-api",
"specific_permissions": [
"profile:user:read"
]
"specific_permissions": ["profile:user:read"]
}
],
"type": "MachineToMachine",
36 changes: 19 additions & 17 deletions packages/cli/src/commands/database/ogcio/ogcio-seeder.json
Expand Up @@ -103,19 +103,17 @@
"id": "bb-inactive-ps",
"name": "Inactive Public Servant",
"description": "Inactive Public Servant",
"specific_permissions": [
"bb:public-servant.inactive:*"
]
"specific_permissions": ["bb:public-servant.inactive:*"]
},
{
"id": "m2m-ps-profile-reader",
"name": "M2M Public Servant Profile Reader",
"description": "Role for M2M Applications that need to read from Profile resources",
"specific_permissions": [
"profile:user:read"
],
"specific_permissions": ["profile:user:read"],
"type": "MachineToMachine",
"related_applications": [{"application_id":"tty6llp30risjwcjhbvc9", "organization_id": "ogcio"}]
"related_applications": [
{ "application_id": "tty6llp30risjwcjhbvc9", "organization_id": "ogcio" }
]
}
],
"applications": [
Expand Down Expand Up @@ -199,6 +197,17 @@
"secret": "<SEEDER_M2M_PROFILE_APP_SECRET>",
"id": "tty6llp30risjwcjhbvc9",
"is_third_party": false
},
{
"name": "M2M Management APIs",
"description": "Machine 2 Machine application used to communicate with the Logto Management APIs",
"type": "MachineToMachine",
"redirect_uri": "",
"logout_redirect_uri": "",
"secret": "<SEEDER_M2M_MANAGEMENT_API_APP_SECRET>",
"id": "46ewhh940rn1e29cmecxs",
"is_third_party": false,
"apply_management_api_role": true
}
],
"resources": [
Expand Down Expand Up @@ -264,10 +273,7 @@
},
{
"resource_id": "upload-api",
"specific_permissions": [
"upload:file.self:write",
"upload:file.self:read"
]
"specific_permissions": ["upload:file.self:write", "upload:file.self:read"]
}
],
"resource_roles": [
Expand Down Expand Up @@ -306,9 +312,7 @@
},
{
"resource_id": "upload-api",
"specific_permissions": [
"upload:file.self:read"
]
"specific_permissions": ["upload:file.self:read"]
}
]
},
Expand All @@ -319,9 +323,7 @@
"permissions": [
{
"resource_id": "profile-api",
"specific_permissions": [
"profile:user:read"
]
"specific_permissions": ["profile:user:read"]
}
],
"type": "MachineToMachine",
1 change: 1 addition & 0 deletions packages/cli/src/commands/database/ogcio/ogcio-seeder.ts
Expand Up @@ -47,6 +47,7 @@ export type ApplicationSeeder = {
secret: string;
is_third_party?: boolean;
always_issue_refresh_token?: boolean;
apply_management_api_role?: boolean;
};

export type ResourceSeeder = {
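Review bot: The new `apply_management_api_role` field carries no comment, yet setting it to true in a seed file grants that application the Logto Management API role, which is a significant privilege that anyone editing the JSON seed files should see at the type definition. Suggest a doc comment above the field: `/** When true, the seeder assigns the 'Logto Management API access' role to this M2M application. */`. ApplicationSeeder starts outside the hunk.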
10 changes: 10 additions & 0 deletions packages/cli/src/commands/database/ogcio/queries.ts
Expand Up @@ -3,6 +3,8 @@
/* eslint-disable @silverhand/fp/no-mutating-methods */
/* eslint-disable @silverhand/fp/no-mutation */
/* eslint-disable @typescript-eslint/no-non-null-assertion */

import { Roles } from '@logto/schemas';
import { generateStandardId } from '@logto/shared';
import {
type DatabaseTransactionConnection,
Expand Down Expand Up @@ -201,3 +203,11 @@ export const deleteQuery = (whereClauses: ValueExpression[], table: string) => {
where ${sql.join(whereClauses, sql` AND `)}
`;
};

export const findManagementApiRole = async (transaction: DatabaseTransactionConnection) => {
const role = await transaction.query<Record<string, string>>(sql`
select id from ${sql.identifier([Roles.table])}
where name='Logto Management API access' limit 1`);

return getColumnValueByQueryResult(role, 'id');
};
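Review bot: findManagementApiRole looks the role up by name alone with `limit 1` and never narrows by tenant, although its only caller on this page, applyManagementApiRole, is handed a tenantId. If the roles table is tenant-scoped (the column is not visible on this page, so confirm against the schema), a multi-tenant database could return another tenant's role id and the grant would be recorded against the wrong tenant. Consider passing the tenant through, `findManagementApiRole(transaction, tenantId)`, and adding it to the where clause alongside the name once the column name is confirmed. A one-line TSDoc saying this returns the id of the built-in role that grants Management API access, or a falsy value when the role is absent (the caller tests `!roleId`), would also help readers of the seeder.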
18 changes: 17 additions & 1 deletion packages/cli/src/commands/database/ogcio/resources-rbac.ts
Expand Up @@ -14,7 +14,7 @@ import {
type ResourcePermissionSeeder,
type ScopePerResourceRoleSeeder,
} from './ogcio-seeder.js';
import { createOrUpdateItem, deleteQuery } from './queries.js';
import { createOrUpdateItem, deleteQuery, findManagementApiRole } from './queries.js';
import { type SeedingResource } from './resources.js';

type SeedingScope = {
Expand Down Expand Up @@ -303,3 +303,19 @@ const assignRoleToM2MApplication = async (
],
toInsert: relation,
});

export const applyManagementApiRole = async (
transaction: DatabaseTransactionConnection,
tenantId: string,
appId: string
) => {
const roleId = await findManagementApiRole(transaction);
if (!roleId) {
throw new Error("Cannot find 'Logto Management API access' role");
}

return assignRoleToM2MApplication(transaction, tenantId, {
role_id: roleId,
application_id: appId,
});
};
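Review bot: applyManagementApiRole has no TSDoc, and what it does is security-relevant: the 'Logto Management API access' role gives the application access to the Management API, so a reader of the seeder should see that stated at the definition rather than infer it from the role name string. Suggest a header such as `/** Assigns the built-in 'Logto Management API access' role to the M2M application appId in tenantId; throws when that role is not present in the database. */`. The error thrown when the role is missing could also carry the tenant so a failed seed run says which tenant was being provisioned: `throw new Error(\`Cannot find 'Logto Management API access' role for tenant ${tenantId}\`);`. assignRoleToM2MApplication, which this calls, starts outside the hunk.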