IDP Permissions feature

Manage permissions for identity providers (IDPs) at the bucket and object level.
This includes creating, updating, deleting, and searching for permissions associated with IDPs.
The implementation involves changes to the database models, controllers,
services, routes, and validators to support IDP permissions functionality.

Author: TimCsaky

app/src/controllers/bucketIdpPermission.js

@@ -0,0 +1,178 @@
+const errorToProblem = require('../components/errorToProblem');
+const utils = require('../db/models/utils');
+const {
+  addDashesToUuid,
+  mixedQueryToArray,
+  getCurrentIdentity,
+  groupByObject,
+  isTruthy
+} = require('../components/utils');
+const { NIL: SYSTEM_USER } = require('uuid');
+const { bucketIdpPermissionService, userService, bucketService } = require('../services');
+
+const SERVICE = 'BucketIdpPermissionService';
+
+/**
+ * The Permission Controller
+ */
+const controller = {
+
+  /**
+   * @function searchPermissions
+   * Searches for bucket permissions granted to idps
+   * @param {object} req Express request object
+   * @param {object} res Express response object
+   * @param {function} next The next callback function
+   * @returns {function} Express middleware function
+   */
+  async searchPermissions(req, res, next) {
+    try {
+      const bucketIds = mixedQueryToArray(req.query.bucketId);
+      const idps = mixedQueryToArray(req.query.idp);
+      const bucketPermissions = await bucketIdpPermissionService.searchPermissions({
+        bucketId: bucketIds ? bucketIds.map(id => addDashesToUuid(id)) : bucketIds,
+        idp: idps,
+        permCode: mixedQueryToArray(req.query.permCode)
+      });
+      const response = groupByObject('bucketId', 'permissions', bucketPermissions);
+
+      // if also returning buckets with implicit object permissions
+      if (isTruthy(req.query.objectPerms)) {
+
+        const buckets = await bucketIdpPermissionService.listInheritedBucketIds(idps);
+        // merge list of bucket permissions
+        buckets.forEach(bucketId => {
+          if (!response.map(r => r.bucketId).includes(bucketId) &&
+            // limit to to bucketId(s) request query parameter if given
+            (!bucketIds?.length || bucketIds?.includes(bucketId))) {
+            response.push({
+              bucketId: bucketId,
+              permissions: []
+            });
+          }
+        });
+      }
+
+      res.status(200).json(response);
+    } catch (e) {
+      next(errorToProblem(SERVICE, e));
+    }
+  },
+
+  /**
+   * @function listPermissions
+   * Returns the bucket permissions
+   * @param {object} req Express request object
+   * @param {object} res Express response object
+   * @param {function} next The next callback function
+   * @returns {function} Express middleware function
+   */
+  async listPermissions(req, res, next) {
+    try {
+      const idps = mixedQueryToArray(req.query.idp);
+      const response = await bucketIdpPermissionService.searchPermissions({
+        bucketId: addDashesToUuid(req.params.bucketId),
+        idp: idps,
+        permCode: mixedQueryToArray(req.query.permCode)
+      });
+      res.status(200).json(response);
+    } catch (e) {
+      next(errorToProblem(SERVICE, e));
+    }
+  },
+
+  /**
+   * @function addPermissions
+   * Grants bucket permissions to idps
+   * @param {object} req Express request object
+   * @param {object} res Express response object
+   * @param {function} next The next callback function
+   * @returns {function} Express middleware function
+   */
+  async addPermissions(req, res, next) {
+    try {
+      const currUserId = await userService.getCurrentUserId(
+        getCurrentIdentity(req.currentUser, SYSTEM_USER), SYSTEM_USER);
+      const currBucketId = addDashesToUuid(req.params.bucketId);
+
+      if (isTruthy(req.query.recursive)) {
+
+        const parentBucket = await bucketService.read(currBucketId);
+
+        // Only apply permissions to child buckets that currentUser can MANAGE
+        // If the current user is SYSTEM_USER, apply permissions to all child buckets
+        const childBuckets = currUserId !== SYSTEM_USER ?
+          await bucketService.getChildrenWithManagePermissions(currBucketId, currUserId) :
+          await bucketService.searchChildBuckets(parentBucket, true, currUserId);
+
+        const allBuckets = [parentBucket, ...childBuckets];
+
+        const responses = await utils.trxWrapper(async (trx) => {
+          return await Promise.all(
+            allBuckets.map(b =>
+              bucketIdpPermissionService.addPermissions(b.bucketId, req.body, currUserId, trx)
+            )
+          );
+        });
+        res.status(201).json(responses.flat());
+      }
+      else {
+        const response = await bucketIdpPermissionService.addPermissions(
+          currBucketId, req.body, currUserId);
+        res.status(201).json(response);
+      }
+    } catch (e) {
+      next(errorToProblem(SERVICE, e));
+    }
+  },
+
+  /**
+   * @function removePermissions
+   * Deletes bucket permissions for a idp
+   * @param {object} req Express request object
+   * @param {object} res Express response object
+   * @param {function} next The next callback function
+   * @returns {function} Express middleware function
+   */
+  async removePermissions(req, res, next) {
+    try {
+      const idps = mixedQueryToArray(req.query.idp);
+      const permissions = mixedQueryToArray(req.query.permCode);
+
+      const currUserId = await userService.getCurrentUserId(
+        getCurrentIdentity(req.currentUser, SYSTEM_USER), SYSTEM_USER);
+      const currBucketId = addDashesToUuid(req.params.bucketId);
+
+      if (isTruthy(req.query.recursive)) {
+
+        const parentBucket = await bucketService.read(currBucketId);
+        // Only apply permissions to child buckets that currentUser can MANAGE
+        // If the current user is SYSTEM_USER, apply permissions to all child buckets
+        const childBuckets = currUserId !== SYSTEM_USER ?
+          await bucketService.getChildrenWithManagePermissions(currBucketId, currUserId) :
+          await bucketService.searchChildBuckets(parentBucket, true, currUserId);
+
+        const allBuckets = [parentBucket, ...childBuckets];
+
+        const responses = await utils.trxWrapper(async (trx) => {
+          return await Promise.all(
+            allBuckets.map(b =>
+              bucketIdpPermissionService.removePermissions(b.bucketId, idps, permissions, trx)
+            )
+          );
+        });
+        res.status(200).json(responses.flat());
+      }
+      else {
+        const response = await bucketIdpPermissionService.removePermissions(currBucketId, idps, permissions);
+        res.status(200).json(response);
+      }
+
+    } catch (e) {
+      next(errorToProblem(SERVICE, e));
+    }
+  },
+
+};
+
+module.exports = controller;

app/src/controllers/index.js

@@ -1,10 +1,12 @@
 module.exports = {
   bucketController: require('./bucket'),
   bucketPermissionController: require('./bucketPermission'),
+  bucketIdpPermissionController: require('./bucketIdpPermission'),
   inviteController: require('./invite'),
   metadataController: require('./metadata'),
   objectController: require('./object'),
   objectPermissionController: require('./objectPermission'),
+  objectIdpPermissionController: require('./objectIdpPermission'),
   syncController: require('./sync'),
   userController: require('./user'),
   tagController: require('./tag'),

app/src/controllers/objectIdpPermission.js

@@ -0,0 +1,121 @@
+const { NIL: SYSTEM_USER } = require('uuid');
+const errorToProblem = require('../components/errorToProblem');
+const utils = require('../components/utils');
+
+const { objectIdpPermissionService, userService } = require('../services');
+
+const SERVICE = 'ObjectIdpPermissionService';
+
+/**
+ * The Object IDP Permission Controller
+ */
+const controller = {
+  /**
+   * @function searchPermissions
+   * Searches for object permissions granted to idps
+   * @param {object} req Express request object
+   * @param {object} res Express response object
+   * @param {function} next The next callback function
+   * @returns {function} Express middleware function
+   */
+  async searchPermissions(req, res, next) {
+    try {
+      const bucketIds = utils.mixedQueryToArray(req.query.bucketId);
+      const objIds = utils.mixedQueryToArray(req.query.objectId);
+      const permCodes = utils.mixedQueryToArray(req.query.permCode);
+      const idps = utils.mixedQueryToArray(req.query.idp);
+      const result = await objectIdpPermissionService.searchPermissions({
+        bucketId: bucketIds ? bucketIds.map(id => utils.addDashesToUuid(id)) : bucketIds,
+        objId: objIds ? objIds.map(id => utils.addDashesToUuid(id)) : objIds,
+        idp: idps,
+        permCode: permCodes
+      });
+      const response = utils.groupByObject('objectId', 'permissions', result);
+
+      // if also returning inheritied permissions
+      if (utils.isTruthy(req.query.bucketPerms)) {
+        const objectIds = await objectIdpPermissionService.listInheritedObjectIds(idps, bucketIds, permCodes);
+
+        // merge list of object permissions
+        objectIds.forEach(objectId => {
+          if (!response.map(r => r.objectId).includes(objectId) &&
+            // limit to objectId request query parameter if given
+            (!objIds?.length || objIds?.includes(objectId))) {
+            response.push({
+              objectId: objectId,
+              permissions: []
+            });
+          }
+        });
+      }
+
+      res.status(200).json(response);
+    } catch (e) {
+      next(errorToProblem(SERVICE, e));
+    }
+  },
+
+  /**
+   * @function listPermissions
+   * Returns the object permissions
+   * @param {object} req Express request object
+   * @param {object} res Express response object
+   * @param {function} next The next callback function
+   * @returns {function} Express middleware function
+   */
+  async listPermissions(req, res, next) {
+    try {
+      const idps = utils.mixedQueryToArray(req.query.idp);
+      const response = await objectIdpPermissionService.searchPermissions({
+        objId: utils.addDashesToUuid(req.params.objectId),
+        idp: idps,
+        permCode: utils.mixedQueryToArray(req.query.permCode)
+      });
+      res.status(200).json(response);
+    } catch (e) {
+      next(errorToProblem(SERVICE, e));
+    }
+  },
+
+  /**
+   * @function addPermissions
+   * Grants object permissions to idps
+   * @param {object} req Express request object
+   * @param {object} res Express response object
+   * @param {function} next The next callback function
+   * @returns {function} Express middleware function
+   */
+  async addPermissions(req, res, next) {
+    try {
+      const userId = await userService.getCurrentUserId(utils.getCurrentIdentity(req.currentUser, SYSTEM_USER));
+      const response = await objectIdpPermissionService.addPermissions(
+        utils.addDashesToUuid(req.params.objectId), req.body, userId
+      );
+      res.status(201).json(response);
+    } catch (e) {
+      next(errorToProblem(SERVICE, e));
+    }
+  },
+
+  /**
+   * @function removePermissions
+   * Deletes object permissions for a idp
+   * @param {object} req Express request object
+   * @param {object} res Express response object
+   * @param {function} next The next callback function
+   * @returns {function} Express middleware function
+   */
+  async removePermissions(req, res, next) {
+    try {
+      const idps = utils.mixedQueryToArray(req.query.idp);
+      const permissions = utils.mixedQueryToArray(req.query.permCode);
+      const response = await objectIdpPermissionService.removePermissions(req.params.objectId, idps, permissions);
+      res.status(200).json(response);
+    } catch (e) {
+      next(errorToProblem(SERVICE, e));
+    }
+  },
+
+};
+
+module.exports = controller;

app/src/db/migrations/20260225000000_018-idp-permission.js

@@ -0,0 +1,48 @@
+const stamps = require('../stamps');
+
+exports.up = function (knex) {
+  return Promise.resolve()
+
+    // create tables
+    .then(() => knex.schema.createTable('object_idp_permission', table => {
+      table.uuid('id').primary();
+      table.uuid('objectId').references('id').inTable('object').notNullable().onUpdate('CASCADE')
+        .onDelete('CASCADE');
+      table.string('idp').references('idp').inTable('identity_provider').notNullable().onUpdate('CASCADE')
+        .onDelete('CASCADE');
+      table.string('permCode').references('permCode').inTable('permission').notNullable().onUpdate('CASCADE')
+        .onDelete('CASCADE');
+      stamps(knex, table);
+    }))
+    .then(() => knex.schema.createTable('bucket_idp_permission', table => {
+      table.uuid('id').primary();
+      table.uuid('bucketId').references('bucketId').inTable('bucket').notNullable().onUpdate('CASCADE')
+        .onDelete('CASCADE');
+      table.string('idp').references('idp').inTable('identity_provider').notNullable().onUpdate('CASCADE')
+        .onDelete('CASCADE');
+      table.string('permCode').references('permCode').inTable('permission').notNullable().onUpdate('CASCADE')
+        .onDelete('CASCADE');
+      stamps(knex, table);
+    }))
+
+    // Create audit triggers
+    .then(() => knex.schema.raw(`CREATE TRIGGER audit_object_idp_permission_trigger
+    AFTER UPDATE OR DELETE ON object_idp_permission
+    FOR EACH ROW EXECUTE PROCEDURE audit.if_modified_func();`))
+
+    .then(() => knex.schema.raw(`CREATE TRIGGER audit_bucket_idp_permission_trigger
+    AFTER UPDATE OR DELETE ON bucket_idp_permission
+    FOR EACH ROW EXECUTE PROCEDURE audit.if_modified_func();`));
+};
+
+exports.down = function (knex) {
+  return Promise.resolve()
+
+    // Drop audit triggers
+    .then(() => knex.schema.raw('DROP TRIGGER IF EXISTS audit_bucket_idp_permission_trigger ON bucket_idp_permission'))
+    .then(() => knex.schema.raw('DROP TRIGGER IF EXISTS audit_object_idp_permission_trigger ON object_idp_permission'))
+
+    // Drop table
+    .then(() => knex.schema.dropTableIfExists('bucket_idp_permission'))
+    .then(() => knex.schema.dropTableIfExists('object_idp_permission'));
+};

app/src/db/models/index.js

@@ -2,11 +2,13 @@ const models = {
   // Tables
   Bucket: require('./tables/bucket'),
   BucketPermission: require('./tables/bucketPermission'),
+  BucketIdpPermission: require('./tables/bucketIdpPermission'),
   IdentityProvider: require('./tables/identityProvider'),
   Invite: require('./tables/invite'),
   Metadata: require('./tables/metadata'),
   ObjectModel: require('./tables/objectModel'),
   ObjectPermission: require('./tables/objectPermission'),
+  ObjectIdpPermission: require('./tables/objectIdpPermission'),
   ObjectQueue: require('./tables/objectQueue'),
   Permission: require('./tables/permission'),
   Tag: require('./tables/tag'),