feat: add permissions virtual flag. fixes #175 (#478)

Author: justinedelson

.eslintrc

@@ -27,6 +27,18 @@
         "rules" : {
           "aio-cli-plugin-cloudmanager-error-usage": "off"
         }
+      },
+      {
+        "files" : ["src/commands/**/*.js"],
+        "rules" : {
+          "aio-cli-plugin-cloudmanager-command-permissions": "error"
+        }
+      },
+      {
+        "files" : ["src/commands/cloudmanager/commerce/**/*.js"],
+        "rules" : {
+          "aio-cli-plugin-cloudmanager-command-permissions": "off"
+        }
       }
     ]
 }

.gitignore

@@ -14,3 +14,4 @@ junit.xml
 .vscode/
 /package-lock.json
 .aio
+permissions.json

CONTRIBUTING.md

@@ -24,6 +24,13 @@ In order to ensure proper error handling, individual commands should generally *
 
 Hooks should work in a similar fashion -- see the prerun `check-ims-context-config` hook as a point of reference.
 
+## Custom Command Class Properties
+
+In addition to the standard [oclif command properties](https://oclif.io/docs/commands), commands in this plugin may define these extra properties:
+
+* `skipOrgIdCheck` -- This should be set to `true` if the command does *not* require an IMS Organization ID to be configured in the current IMS context. This is primarily used when using browser-based authentication as service account authentication will always have an organization ID.
+* `permissionInfo` -- This is used to output information to the CLI user about the permissions required to execute a particular command. This must be an object. Currently a single key is supported `operation` which must correspond to one of the operations defined in https://raw.githubusercontent.com/AdobeDocs/cloudmanager-api-docs/main/src/data/permissions.json. If a command doesn't require specific permissions (e.g. is a read-only operation), this should be set to an empty object.
+
 ## Commits and Releasing
 
 Commits (generally via merged pull requests) to the `main` branch of this repository will automatically generate [semantically versioned releases](https://github.com/semantic-release). To accomplish this, commit messages must follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) syntax, specifically:

README.md

@@ -1272,6 +1272,16 @@ ALIASES
 _See code: [src/commands/cloudmanager/program/list-pipelines.js](https://github.com/adobe/aio-cli-plugin-cloudmanager/blob/2.13.0/src/commands/cloudmanager/program/list-pipelines.js)_
 <!-- commandsstop -->
 
+# Permissions
+
+Information about Cloud Manager API permissions can be found on https://www.adobe.io/experience-cloud/cloud-manager/guides/getting-started/permissions/. To see the
+permissions required for a specific command, you can also run any command with the flag `--permissions`, e.g.
+
+```
+$ aio cloudmanager:current-execution:advance --permissions
+To execute cloudmanager:current-execution:advance, one of the following product profiles is required: Business Owner, Deployment Manager, Program Manager
+```
+
 # Variables From Standard Input
 
 The `environment:set-variables` and `pipeline:set-variables` commands allow for variables to be passed both as flags to the command and as a JSON array provided as standard input or as a file. The objects in this array are expected to have a `name`, `value`, and `type` keys following the same syntax as the Cloud Manager API. Deleting a variable can be done by passing an empty `value`. For example, given a file named `variables.json` that contains this:

eslint_rules/aio-cli-plugin-cloudmanager-command-permissions.js

@@ -0,0 +1,87 @@
+/*
+Copyright 2021 Adobe. All rights reserved.
+This file is licensed to you under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License. You may obtain a copy
+of the License at http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software distributed under
+the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+OF ANY KIND, either express or implied. See the License for the specific language
+governing permissions and limitations under the License.
+*/
+
+const availableOperations = require('../permissions.json').map(perm => perm.operation)
+
+module.exports = {
+  create: function (context) {
+    return {
+      Program: (node) => {
+        const classDeclarations = node.body.filter(bodyNode => bodyNode.type === 'ClassDeclaration')
+        if (classDeclarations.length === 0) {
+          context.report({
+            node: node,
+            message: "Command file didn't contain command",
+          })
+        }
+        classDeclarations.forEach(classDeclaration => {
+          const className = classDeclaration.id.name
+          const propertiesAssignedToClass = node.body.map(bodyNode => {
+            if (bodyNode.type === 'ExpressionStatement' && bodyNode.expression.type === 'AssignmentExpression' &&
+              bodyNode.expression.left.type === 'MemberExpression' && bodyNode.expression.left.object && bodyNode.expression.left.object.name === className &&
+              bodyNode.expression.left.property) {
+              return {
+                name: bodyNode.expression.left.property.name,
+                node: bodyNode.expression.right,
+              }
+            }
+            return {}
+          }).filter(property => property.name)
+
+          // if skipOrgIdCheck is defined, we don't need permissions
+          if (!propertiesAssignedToClass.find(prop => prop.name === 'skipOrgIdCheck')) {
+            const permissionInfo = propertiesAssignedToClass.find(prop => prop.name === 'permissionInfo')
+            if (!permissionInfo) {
+              context.report({
+                node: classDeclaration,
+                message: 'Class {{ className }} does not define permissionInfo.',
+                data: {
+                  className,
+                },
+              })
+            } else if (permissionInfo.node.type !== 'ObjectExpression') {
+              context.report({
+                node: permissionInfo.node,
+                message: 'Class {{ className }} has permissionInfo but it is not an object.',
+                data: {
+                  className,
+                },
+              })
+            } else {
+              const operation = permissionInfo.node.properties.find(prop => prop.key.name === 'operation')
+              if (operation && operation.value) {
+                if (operation.value.type !== 'Literal') {
+                  context.report({
+                    node: permissionInfo.node,
+                    message: 'Class {{ className }} has permissionInfo with operation {{ operation }} but it is not a literal.',
+                    data: {
+                      className,
+                      operation,
+                    },
+                  })
+                } else if (!availableOperations.includes(operation.value.value)) {
+                  context.report({
+                    node: permissionInfo.node,
+                    message: 'Class {{ className }} has permissionInfo with operation {{ operation }} but that operation is not defined.',
+                    data: {
+                      className,
+                      operation: operation.value.value,
+                    },
+                  })
+                }
+              }
+            }
+          }
+        })
+      },
+    }
+  },
+}

package.json

@@ -20,7 +20,8 @@
     "halfred": "^2.0.0",
     "inquirer": "^8.1.0",
     "lodash": "^4.17.15",
-    "moment": "^2.29.0"
+    "moment": "^2.29.0",
+    "node-fetch": "^2.6.2"
   },
   "devDependencies": {
     "@adobe/eslint-config-aio-lib-config": "1.3.0",
@@ -40,10 +41,12 @@
     "eslint-plugin-promise": "5.1.0",
     "eslint-plugin-standard": "4.1.0",
     "execa": "5.1.1",
+    "fetch-mock": "9.11.0",
     "husky": "5.2.0",
     "jest": "27.2.0",
     "jest-extended": "0.11.5",
     "jest-junit": "12.2.0",
+    "node-wget": "0.4.3",
     "pinst": "2.1.6",
     "semantic-release": "17.4.7",
     "stdout-stderr": "0.1.13",
@@ -74,7 +77,10 @@
     "repositoryPrefix": "<%- repo %>/blob/<%- version %>/<%- commandPath %>",
     "hooks": {
       "prerun": "./src/hooks/prerun/prerun-all.js",
-      "init": "./src/hooks/init/migrate-jwt-context-hook.js"
+      "init": [
+        "./src/hooks/init/migrate-jwt-context-hook.js",
+        "./src/hooks/init/load-permission-info.js"
+      ]
     },
     "topics": {
       "cloudmanager": {
@@ -125,7 +131,8 @@
   },
   "scripts": {
     "posttest": "npm run lint",
-    "lint": "eslint src test e2e --rulesdir eslint_rules",
+    "lint:download-permissions": "wget https://raw.githubusercontent.com/AdobeDocs/cloudmanager-api-docs/main/src/data/permissions.json",
+    "lint": "npm run lint:download-permissions && eslint src test e2e --rulesdir eslint_rules",
     "lint-fix": "eslint src test e2e --fix --rulesdir eslint_rules",
     "test": "npm run unit-tests",
     "unit-tests": "jest --ci",

src/cloudmanager-hook-helpers.js

@@ -11,9 +11,18 @@ governing permissions and limitations under the License.
 */
 
 function isThisPlugin (hookOptions) {
-  return hookOptions.Command.plugin.name === '@adobe/aio-cli-plugin-cloudmanager'
+  if (hookOptions && hookOptions.Command) {
+    return hookOptions.Command.plugin.name === '@adobe/aio-cli-plugin-cloudmanager'
+  } else if (hookOptions && hookOptions.id) {
+    return hookOptions.id.startsWith('cloudmanager:')
+  }
+}
+
+function isPermissionsRequest (hookOptions) {
+  return hookOptions.argv && hookOptions.argv.length === 1 && hookOptions.argv[0] === '--permissions'
 }
 
 module.exports = {
   isThisPlugin,
+  isPermissionsRequest,
 }

src/commands/cloudmanager/current-execution/advance.js

@@ -51,4 +51,8 @@ AdvanceCurrentExecutionCommand.aliases = [
   'cloudmanager:advance-current-execution',
 ]
 
+AdvanceCurrentExecutionCommand.permissionInfo = {
+  operation: 'advancePipelineExecution',
+}
+
 module.exports = AdvanceCurrentExecutionCommand

src/commands/cloudmanager/current-execution/cancel.js

@@ -51,4 +51,8 @@ CancelCurrentExecutionCommand.aliases = [
   'cloudmanager:cancel-current-execution',
 ]
 
+CancelCurrentExecutionCommand.permissionInfo = {
+  operation: 'cancelPipelineExecutionStep',
+}
+
 module.exports = CancelCurrentExecutionCommand

src/commands/cloudmanager/current-execution/get.js

@@ -49,4 +49,6 @@ GetCurrentExecutionCommand.aliases = [
   'cloudmanager:get-current-execution',
 ]
 
+GetCurrentExecutionCommand.permissionInfo = {}
+
 module.exports = GetCurrentExecutionCommand