celest-dev
diff --git a/‎apps/cli/lib/src/commands/init_command.dart‎
Lines changed: 3 additions & 3 deletions b/‎apps/cli/lib/src/commands/init_command.dart‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎services/celest_cloud_hub/Dockerfile‎
Lines changed: 1 addition & 1 deletion b/‎services/celest_cloud_hub/Dockerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎services/celest_cloud_hub/analysis_options.yaml‎
Lines changed: 1 addition & 1 deletion b/‎services/celest_cloud_hub/analysis_options.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎services/celest_cloud_hub/bin/cloud_hub.dart‎
Lines changed: 4 additions & 2 deletions b/‎services/celest_cloud_hub/bin/cloud_hub.dart‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎services/celest_cloud_hub/build.yaml‎
Lines changed: 2 additions & 0 deletions b/‎services/celest_cloud_hub/build.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎services/celest_cloud_hub/launch.sh‎
Lines changed: 16 additions & 0 deletions b/‎services/celest_cloud_hub/launch.sh‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎services/celest_cloud_hub/lib/src/auth/cloud.operations.cedar‎
Lines changed: 71 additions & 0 deletions b/‎services/celest_cloud_hub/lib/src/auth/cloud.operations.cedar‎
Lines changed: 71 additions & 0 deletions
diff --git a/‎services/celest_cloud_hub/lib/src/auth/cloud.organizations.cedar‎
Lines changed: 48 additions & 0 deletions b/‎services/celest_cloud_hub/lib/src/auth/cloud.organizations.cedar‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎services/celest_cloud_hub/lib/src/auth/cloud.projects.cedar‎
Lines changed: 52 additions & 0 deletions b/‎services/celest_cloud_hub/lib/src/auth/cloud.projects.cedar‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎services/celest_cloud_hub/lib/src/auth/cloud.projects.environments.cedar‎
Lines changed: 77 additions & 0 deletions b/‎services/celest_cloud_hub/lib/src/auth/cloud.projects.environments.cedar‎
Lines changed: 77 additions & 0 deletions
@@ -97,9 +97,9 @@ final class InitCommand extends CelestCommand with Configure, ProjectCreator {
     stdout.writeln();
     cliLogger.success('🚀 To start a local development server, run:');
     cliLogger
-      ..write(Platform.lineTerminator)
-      ..write('      $command${Platform.lineTerminator}')
-      ..write(Platform.lineTerminator);
+      ..info(Platform.lineTerminator)
+      ..info('      $command${Platform.lineTerminator}')
+      ..info(Platform.lineTerminator);
 
     return 0;
   }
 
@@ -56,7 +56,7 @@ FROM scratch
 COPY --from=build /runtime/ /
 COPY --from=build /app/cloud_hub /app/cloud_hub
 COPY --from=build /app/libsqlite3.so /app/libsqlite3.so
-COPY --from=build /usr/local/bin/flyctl /usr/local/bin/fly
+COPY --from=build /usr/local/bin/flyctl /usr/local/bin/flyctl
 
 ENV PORT=8080
 EXPOSE $PORT
 
@@ -5,4 +5,4 @@ analyzer:
     avoid_print: ignore
     implementation_imports: ignore
   exclude:
-    - lib/src/proto
+    - lib/src/proto/**
@@ -17,6 +17,7 @@ import 'package:celest_cloud_hub/src/gateway/gateway.dart';
 import 'package:celest_cloud_hub/src/project.dart';
 import 'package:celest_cloud_hub/src/services/health_service.dart';
 import 'package:celest_cloud_hub/src/services/operations_service.dart';
+import 'package:celest_cloud_hub/src/services/organizations_service.dart';
 import 'package:celest_cloud_hub/src/services/project_environments_service.dart';
 import 'package:celest_core/_internal.dart';
 import 'package:grpc/grpc.dart' as grpc;
@@ -63,9 +64,10 @@ Future<void> main() async {
 
   final server = grpc.Server.create(
     services: [
-      ProjectEnvironmentsService(),
-      OperationsService(db, authorizer),
       HealthService(),
+      OperationsService(db, authorizer),
+      OrganizationsService(db, authorizer),
+      ProjectEnvironmentsService(db, authorizer),
     ],
     interceptors: [
       (call, method) async {
 
@@ -11,6 +11,7 @@ targets:
         enabled: true
         generate_for:
           - lib/src/database/**
+          - lib/src/model/**
         options: &options
           sql:
             dialect: sqlite
@@ -23,5 +24,6 @@ targets:
         enabled: true
         generate_for:
           - lib/src/database/**
+          - lib/src/model/**
         # We use yaml anchors to give the two builders the same options
         options: *options
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+# This script launches the Celest Cloud Hub to Fly.io
+#
+# Usage:
+#   ./deploy.sh
+
+fly launch \
+    --yaml \
+    --name cloud-hub \
+    --org celest-809 \
+    --image celestdev/cloud-hub:latest \
+    --env "CLOUD_HUB_DATABASE_HOST=file::memory:" \
+    --region lax \
+    --regions lax,ord \
+    --vm-size performance-8x
@@ -0,0 +1,71 @@
+@id("cloud.operations.viewer")
+permit (
+    principal,
+    action in Celest::Action::"view",
+    resource is Celest::Operation
+)
+when
+{
+    if
+        principal is Celest::Organization::Member ||
+        principal is Celest::Project::Member
+    then
+        resource in principal.parent &&
+        principal.role in Celest::Role::"viewer"
+    else
+        if
+            principal is Celest::User ||
+            principal is Celest::ServiceAccount
+        then
+            resource in principal
+        else
+            false
+};
+
+// @id("cloud.operations.editor")
+// permit (
+//     principal,
+//     action in Celest::Action::"edit",
+//     resource is Celest::Operation
+// )
+// when
+// {
+//     if
+//         principal is Celest::Organization::Member ||
+//         principal is Celest::Project::Member
+//     then
+//         resource in principal.parent &&
+//         principal.role in Celest::Role::"editor"
+//     else
+//         if
+//             principal is Celest::User ||
+//             principal is Celest::ServiceAccount
+//         then
+//             resource in principal
+//         else
+//             false
+// };
+
+// @id("cloud.operations.admin")
+// permit (
+//     principal,
+//     action in Celest::Action::"admin",
+//     resource is Celest::Operation
+// )
+// when
+// {
+//     if
+//         principal is Celest::Organization::Member ||
+//         principal is Celest::Project::Member
+//     then
+//         resource in principal.parent &&
+//         principal.role in Celest::Role::"admin"
+//     else
+//         if
+//             principal is Celest::User ||
+//             principal is Celest::ServiceAccount
+//         then
+//             resource in principal
+//         else
+//             false
+// };
@@ -0,0 +1,48 @@
+// Users can view organizations they are viewers of.
+@id("cloud.organizations.viewer")
+permit (
+    principal is Celest::Organization::Member,
+    action in Celest::Action::"view",
+    resource is Celest::Organization
+)
+when
+{ resource in principal.parent && principal.role in Celest::Role::"viewer" };
+
+// Users can edit organizations they are editors of.
+@id("cloud.organizations.editor")
+permit (
+    principal is Celest::Organization::Member,
+    action in Celest::Action::"edit",
+    resource is Celest::Organization
+)
+when
+{ resource in principal.parent && principal.role in Celest::Role::"editor" };
+
+// Users can do anything but delete organizations they are admins of.
+@id("cloud.organizations.admin")
+permit (
+    principal is Celest::Organization::Member,
+    action in Celest::Action::"admin",
+    resource is Celest::Organization
+)
+when
+{ resource in principal.parent && principal.role in Celest::Role::"admin" };
+
+// Users can do anything to organizations they are owners of.
+@id("cloud.organizations.owner")
+permit (
+    principal is Celest::Organization::Member,
+    action in Celest::Action::"owner",
+    resource is Celest::Organization
+)
+when
+{ resource in principal.parent && principal.role in Celest::Role::"owner" };
+
+// Any registered user can create an organization.
+// TODO: They shouldn't be able to create a resource anywhere, only in the root.
+@id("cloud.organizations.creator")
+permit (
+    principal is Celest::User,
+    action == Celest::Action::"create",
+    resource is Celest::Organization
+);
@@ -0,0 +1,52 @@
+// Users can view projects they are viewers of.
+@id("cloud.projects.viewer")
+permit (
+    principal is Celest::Project::Member,
+    action in Celest::Action::"view",
+    resource is Celest::Project
+)
+when
+{ resource in principal.parent && principal.role == Celest::Role::"viewer" };
+
+// Users can edit projects they are editors of.
+@id("cloud.projects.editor")
+permit (
+    principal is Celest::Project::Member,
+    action in Celest::Action::"edit",
+    resource is Celest::Project
+)
+when
+{ resource in principal.parent && principal.role == Celest::Role::"editor" };
+
+// Users can do anything but delete projects they are admins of.
+@id("cloud.projects.admin")
+permit (
+    principal is Celest::Project::Member,
+    action in Celest::Action::"admin",
+    resource is Celest::Project
+)
+when
+{ resource in principal.parent && principal.role == Celest::Role::"admin" };
+
+// Users can do anything to projects they are owners of.
+@id("cloud.projects.owner")
+permit (
+    principal is Celest::Project::Member,
+    action in Celest::Action::"owner",
+    resource is Celest::Project
+)
+when
+{ resource in principal.parent && principal.role == Celest::Role::"owner" };
+
+// Users can create projects in organizations they have admin access to.
+@id("cloud.projects.creator")
+permit (
+    principal is Celest::Organization::Member,
+    action == Celest::Action::"create",
+    resource is Celest::Project
+)
+when
+{
+    resource in principal.parent &&
+    principal.role in Celest::Role::"admin"
+};
@@ -0,0 +1,77 @@
+// Users can view project environmentss they are viewers of.
+@id("cloud.projects.environments.viewer")
+permit (
+    principal is Celest::Project::Member,
+    action in Celest::Action::"view",
+    resource is Celest::Project::Environment
+)
+when
+{
+    resource in principal.parent &&
+    principal.role == Celest::Role::"viewer"
+};
+
+// Users can edit project environments they are editors of.
+@id("cloud.projects.environments.editor")
+permit (
+    principal is Celest::Project::Member,
+    action in Celest::Action::"edit",
+    resource is Celest::Project::Environment
+)
+when
+{
+    resource in principal.parent &&
+    principal.role == Celest::Role::"editor"
+};
+
+// Users can do anything but delete project environments they are admins of.
+@id("cloud.projects.environments.admin")
+permit (
+    principal is Celest::Project::Member,
+    action in Celest::Action::"admin",
+    resource is Celest::Project::Environment
+)
+when
+{
+    resource in principal.parent &&
+    principal.role == Celest::Role::"admin"
+};
+
+// Users can do anything to environments they are owners of.
+@id("cloud.projects.environments.owner")
+permit (
+    principal is Celest::Project::Member,
+    action in Celest::Action::"owner",
+    resource is Celest::Project::Environment
+)
+when
+{
+    resource in principal.parent &&
+    principal.role == Celest::Role::"owner"
+};
+
+// Users can create environments in projects they have admin access to.
+@id("cloud.projects.environments.creator")
+permit (
+    principal is Celest::Project::Member,
+    action == Celest::Action::"create",
+    resource is Celest::Project::Environment
+)
+when
+{
+    resource in principal.parent &&
+    principal.role in Celest::Role::"admin"
+};
+
+// Members can deploy environments in projects they have deploy or admin access to.
+@id("cloud.projects.environments.deployer")
+permit (
+    principal is Celest::Project::Member,
+    action == Celest::Project::Environment::Action::"deploy",
+    resource is Celest::Project::Environment
+)
+when
+{
+    resource in principal.parent &&
+    principal.role in Celest::Role::"admin"
+};