feat(permission): add AssignRole/AssignAdditionalPrivileges with conditions for Members, Identities, and Groups

backend/src/ee/services/permission/default-roles.ts

@@ -192,7 +192,8 @@ const buildAdminPermissionRules = () => {
       ProjectPermissionGroupActions.Edit,
       ProjectPermissionGroupActions.Delete,
       ProjectPermissionGroupActions.Read,
-      ProjectPermissionGroupActions.GrantPrivileges
+      ProjectPermissionGroupActions.GrantPrivileges,
+      ProjectPermissionGroupActions.AssignRole
     ],
     ProjectPermissionSub.Groups
   );

backend/src/ee/services/permission/permission-fns.ts

@@ -10,6 +10,9 @@ import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";
 import { OrgPermissionSet } from "./org-permission";
 import {
   ActionAllowedConditions,
+  ProjectPermissionGroupActions,
+  ProjectPermissionIdentityActions,
+  ProjectPermissionMemberActions,
   ProjectPermissionSecretActions,
   ProjectPermissionSet,
   ProjectPermissionSub,
@@ -102,6 +105,69 @@ export function checkForInvalidPermissionCombination(permissions: z.infer<typeof
       }
     }
 
+    if (permission.subject === ProjectPermissionSub.Member) {
+      if (permission.action.includes(ProjectPermissionMemberActions.GrantPrivileges)) {
+        const hasAssignRole = permission.action.includes(ProjectPermissionMemberActions.AssignRole);
+        const hasAssignAdditionalPrivileges = permission.action.includes(
+          ProjectPermissionMemberActions.AssignAdditionalPrivileges
+        );
+
+        if (hasAssignRole || hasAssignAdditionalPrivileges) {
+          const hasBothNewActions = hasAssignRole && hasAssignAdditionalPrivileges;
+
+          throw new BadRequestError({
+            message: `You have selected Grant Privileges, and ${
+              hasBothNewActions
+                ? "both Assign Role and Assign Additional Privileges"
+                : hasAssignRole
+                  ? "Assign Role"
+                  : hasAssignAdditionalPrivileges
+                    ? "Assign Additional Privileges"
+                    : ""
+            }. You cannot select Assign Role or Assign Additional Privileges if you have selected Grant Privileges. The Grant Privileges permission is a legacy action which has been replaced by Assign Role and Assign Additional Privileges.`
+          });
+        }
+      }
+    }
+
+    if (permission.subject === ProjectPermissionSub.Identity) {
+      if (permission.action.includes(ProjectPermissionIdentityActions.GrantPrivileges)) {
+        const hasAssignRole = permission.action.includes(ProjectPermissionIdentityActions.AssignRole);
+        const hasAssignAdditionalPrivileges = permission.action.includes(
+          ProjectPermissionIdentityActions.AssignAdditionalPrivileges
+        );
+
+        if (hasAssignRole || hasAssignAdditionalPrivileges) {
+          const hasBothNewActions = hasAssignRole && hasAssignAdditionalPrivileges;
+
+          throw new BadRequestError({
+            message: `You have selected Grant Privileges, and ${
+              hasBothNewActions
+                ? "both Assign Role and Assign Additional Privileges"
+                : hasAssignRole
+                  ? "Assign Role"
+                  : hasAssignAdditionalPrivileges
+                    ? "Assign Additional Privileges"
+                    : ""
+            }. You cannot select Assign Role or Assign Additional Privileges if you have selected Grant Privileges. The Grant Privileges permission is a legacy action which has been replaced by Assign Role and Assign Additional Privileges.`
+          });
+        }
+      }
+    }
+
+    if (permission.subject === ProjectPermissionSub.Groups) {
+      if (permission.action.includes(ProjectPermissionGroupActions.GrantPrivileges)) {
+        const hasAssignRole = permission.action.includes(ProjectPermissionGroupActions.AssignRole);
+
+        if (hasAssignRole) {
+          throw new BadRequestError({
+            message:
+              "You have selected Grant Privileges and Assign Role. You cannot select Assign Role if you have selected Grant Privileges. The Grant Privileges permission is a legacy action which has been replaced by Assign Role."
+          });
+        }
+      }
+    }
+
     const subjectConditions = ActionAllowedConditions[permission.subject as ProjectPermissionSub];
     const permissionConditions = "conditions" in permission ? permission.conditions : undefined;
     if (permissionConditions && subjectConditions) {
@@ -190,10 +256,13 @@ const validatePrivilegeChangeOperation = (
   opAction: OrgPermissionSet[0] | ProjectPermissionSet[0],
   opSubject: OrgPermissionSet[1] | ProjectPermissionSet[1],
   actorPermission: MongoAbility,
-  managedPermission: MongoAbility
+  managedPermission: MongoAbility,
+  subjectFields?: Record<string, string | undefined>
 ) => {
   if (shouldUseNewPrivilegeSystem) {
-    if (actorPermission.can(opAction, opSubject)) {
+    const subjectToCheck = subjectFields ? subject(opSubject as string, subjectFields) : opSubject;
+
+    if (actorPermission.can(opAction, subjectToCheck)) {
       return {
         isValid: true,
         missingPermissions: []
@@ -223,7 +292,7 @@ const constructPermissionErrorMessage = (
 ) => {
   return `${baseMessage}${
     shouldUseNewPrivilegeSystem
-      ? `. Actor is missing permission ${opAction as string} on ${opSubject as string}`
+      ? `. Actor is missing permission to perform ${opAction as string} on ${opSubject as string}`
       : ". Actor privilege level is not high enough to perform this action"
   }`;
 };

backend/src/ee/services/permission/permission-service.ts

@@ -678,7 +678,8 @@ export const permissionServiceFactory = ({
           {
             conditionsMatcher
           }
-        )
+        ),
+        role: { slug: el.name }
       };
     });
   };