feat(cloud_hub): Implement ProjectEnvironments service (#308)

- Implements all but `DeployProjectEnvironment`
- Improves E2E test performance by precompiling Cloud Hub
- Updates triggers for consistency

Author: dnys1

.github/workflows/celest_cloud_hub.yaml

@@ -46,4 +46,4 @@ jobs:
         run: dart pub upgrade
       - name: Test
         working-directory: services/celest_cloud_hub
-        run: dart test --fail-fast
+        run: dart test --fail-fast -j1

packages/celest_cloud/lib/src/cloud/project_environments/project_environments.dart

@@ -113,7 +113,7 @@ final class ProjectEnvironments with BaseService {
     );
   }
 
-  CloudOperation<Empty> delete(
+  CloudOperation<ProjectEnvironment> delete(
     String name, {
     String? etag,
     bool allowMissing = false,
@@ -133,7 +133,7 @@ final class ProjectEnvironments with BaseService {
     yield* operation.stream(
       operations: _operations,
       logger: logger,
-      response: Empty(),
+      response: ProjectEnvironment(),
       metadata: OperationMetadata(),
     );
   }

proto/celest/cloud/v1alpha1/project_environments.proto

@@ -60,11 +60,13 @@ service ProjectEnvironments {
   }
 
   // Deletes an environment.
+  //
+  // TODO: Add UndeleteProjectEnvironment
   rpc DeleteProjectEnvironment(DeleteProjectEnvironmentRequest) returns (google.longrunning.Operation) {
     option (google.api.http) = { delete: "/v1alpha1/{name=projects/*/environments/*}" };
     option (google.api.method_signature) = "name";
     option (google.longrunning.operation_info) = {
-      response_type: "google.protobuf.Empty"
+      response_type: "ProjectEnvironment"
       metadata_type: "OperationMetadata"
     };
   }

services/celest_cloud_hub/lib/src/auth/cloud.projects.environments.cedar

@@ -1,77 +1,83 @@
 // Users can view project environmentss they are viewers of.
 @id("cloud.projects.environments.viewer")
 permit (
-    principal is Celest::Project::Member,
+    principal,
     action in Celest::Action::"view",
     resource is Celest::Project::Environment
 )
 when
 {
+    (principal is Celest::Project::Member || principal is Celest::Project::Environment::Member) &&
     resource in principal.parent &&
     principal.role == Celest::Role::"viewer"
 };
 
 // Users can edit project environments they are editors of.
 @id("cloud.projects.environments.editor")
 permit (
-    principal is Celest::Project::Member,
+    principal,
     action in Celest::Action::"edit",
     resource is Celest::Project::Environment
 )
 when
 {
+    (principal is Celest::Project::Member || principal is Celest::Project::Environment::Member) &&
     resource in principal.parent &&
     principal.role == Celest::Role::"editor"
 };
 
 // Users can do anything but delete project environments they are admins of.
 @id("cloud.projects.environments.admin")
 permit (
-    principal is Celest::Project::Member,
+    principal,
     action in Celest::Action::"admin",
     resource is Celest::Project::Environment
 )
 when
 {
+    (principal is Celest::Project::Member || principal is Celest::Project::Environment::Member) &&
     resource in principal.parent &&
     principal.role == Celest::Role::"admin"
 };
 
 // Users can do anything to environments they are owners of.
 @id("cloud.projects.environments.owner")
 permit (
-    principal is Celest::Project::Member,
+    principal,
     action in Celest::Action::"owner",
     resource is Celest::Project::Environment
 )
 when
 {
+    (principal is Celest::Project::Member || principal is Celest::Project::Environment::Member) &&
     resource in principal.parent &&
     principal.role == Celest::Role::"owner"
 };
 
 // Users can create environments in projects they have admin access to.
 @id("cloud.projects.environments.creator")
 permit (
-    principal is Celest::Project::Member,
+    principal,
     action == Celest::Action::"create",
     resource is Celest::Project::Environment
 )
 when
 {
+    (principal is Celest::Project::Member || principal is Celest::Project::Environment::Member) &&
     resource in principal.parent &&
     principal.role in Celest::Role::"admin"
 };
 
 // Members can deploy environments in projects they have deploy or admin access to.
 @id("cloud.projects.environments.deployer")
 permit (
-    principal is Celest::Project::Member,
-    action == Celest::Project::Environment::Action::"deploy",
+    principal,
+    action == Celest::Action::"deploy",
     resource is Celest::Project::Environment
 )
 when
 {
+    (principal is Celest::Project::Member || principal is Celest::Project::Environment::Member) &&
     resource in principal.parent &&
     principal.role in Celest::Role::"admin"
 };

services/celest_cloud_hub/lib/src/auth/policy_set.g.dart

@@ -96,6 +96,7 @@ final class CloudHubDatabase extends $CloudHubDatabase
         // Fail if the action broke foreign keys
         final wrongForeignKeys =
             await customSelect('PRAGMA foreign_key_check').get();
+        await _dumpBrokenCedarForeignKeys();
         assert(
           wrongForeignKeys.isEmpty,
           '${wrongForeignKeys.map((e) => e.data)}',

services/celest_cloud_hub/lib/src/database/cloud_hub_database.dart

@@ -159,18 +159,19 @@ abstract class $CloudHubDatabase extends i0.GeneratedDatabase {
     i6.projectsDeleteUserMembershipsTrg,
     projectEnvironments,
     i6.projectEnvironmentsDeleteUserMembershipsTrg,
-    i9.projectEnvironmentsTriggerUpdateTime,
+    i9.projectEnvironmentsParentIdx,
+    i9.projectEnvironmentsUpdateTimeTrg,
+    i9.projectEnvironmentsCreateTrg,
+    i9.projectEnvironmentsSetParentTrg,
+    i9.projectEnvironmentsDeleteTrg,
     projectEnvironmentAsts,
     projectEnvironmentAssets,
     projectEnvironmentStates,
     i8.projectsFkParentIdx,
-    i8.projectsUpdateTime,
-    i8.celestCloudProjectsTriggerCreate,
-    i8.celestCloudProjectsTriggerCreateParent,
-    i8.celestCloudProjectsTriggerAddParent,
-    i8.celestCloudProjectsTriggerSetParent,
-    i8.celestCloudProjectsTriggerRemoveParent,
-    i8.celestCloudProjectsTriggerDelete,
+    i8.projectsUpdateTimeTrg,
+    i8.projectsCreateTrg,
+    i8.projectsSetParentTrg,
+    i8.projectsDeleteTrg,
     i7.organizationsParentIdx,
     i7.organizationsUpdateTime,
     i7.organizationsCreate,
@@ -625,6 +626,42 @@ abstract class $CloudHubDatabase extends i0.GeneratedDatabase {
       ),
       result: [i0.TableUpdate('user_memberships', kind: i0.UpdateKind.delete)],
     ),
+    i0.WritePropagation(
+      on: i0.TableUpdateQuery.onTableName(
+        'cedar_entities',
+        limitUpdateKind: i0.UpdateKind.delete,
+      ),
+      result: [
+        i0.TableUpdate('project_environments', kind: i0.UpdateKind.delete),
+      ],
+    ),
+    i0.WritePropagation(
+      on: i0.TableUpdateQuery.onTableName(
+        'cedar_entities',
+        limitUpdateKind: i0.UpdateKind.update,
+      ),
+      result: [
+        i0.TableUpdate('project_environments', kind: i0.UpdateKind.update),
+      ],
+    ),
+    i0.WritePropagation(
+      on: i0.TableUpdateQuery.onTableName(
+        'projects',
+        limitUpdateKind: i0.UpdateKind.delete,
+      ),
+      result: [
+        i0.TableUpdate('project_environments', kind: i0.UpdateKind.delete),
+      ],
+    ),
+    i0.WritePropagation(
+      on: i0.TableUpdateQuery.onTableName(
+        'projects',
+        limitUpdateKind: i0.UpdateKind.update,
+      ),
+      result: [
+        i0.TableUpdate('project_environments', kind: i0.UpdateKind.update),
+      ],
+    ),
     i0.WritePropagation(
       on: i0.TableUpdateQuery.onTableName(
         'project_environments',
@@ -641,6 +678,35 @@ abstract class $CloudHubDatabase extends i0.GeneratedDatabase {
         i0.TableUpdate('project_environments', kind: i0.UpdateKind.update),
       ],
     ),
+    i0.WritePropagation(
+      on: i0.TableUpdateQuery.onTableName(
+        'project_environments',
+        limitUpdateKind: i0.UpdateKind.insert,
+      ),
+      result: [
+        i0.TableUpdate('cedar_entities', kind: i0.UpdateKind.insert),
+        i0.TableUpdate('cedar_relationships', kind: i0.UpdateKind.insert),
+      ],
+    ),
+    i0.WritePropagation(
+      on: i0.TableUpdateQuery.onTableName(
+        'project_environments',
+        limitUpdateKind: i0.UpdateKind.update,
+      ),
+      result: [
+        i0.TableUpdate('cedar_relationships', kind: i0.UpdateKind.update),
+      ],
+    ),
+    i0.WritePropagation(
+      on: i0.TableUpdateQuery.onTableName(
+        'project_environments',
+        limitUpdateKind: i0.UpdateKind.delete,
+      ),
+      result: [
+        i0.TableUpdate('cedar_relationships', kind: i0.UpdateKind.delete),
+        i0.TableUpdate('cedar_entities', kind: i0.UpdateKind.delete),
+      ],
+    ),
     i0.WritePropagation(
       on: i0.TableUpdateQuery.onTableName(
         'project_environments',
@@ -719,23 +785,8 @@ abstract class $CloudHubDatabase extends i0.GeneratedDatabase {
         'projects',
         limitUpdateKind: i0.UpdateKind.insert,
       ),
-      result: [i0.TableUpdate('cedar_entities', kind: i0.UpdateKind.insert)],
-    ),
-    i0.WritePropagation(
-      on: i0.TableUpdateQuery.onTableName(
-        'projects',
-        limitUpdateKind: i0.UpdateKind.insert,
-      ),
-      result: [
-        i0.TableUpdate('cedar_relationships', kind: i0.UpdateKind.insert),
-      ],
-    ),
-    i0.WritePropagation(
-      on: i0.TableUpdateQuery.onTableName(
-        'projects',
-        limitUpdateKind: i0.UpdateKind.update,
-      ),
       result: [
+        i0.TableUpdate('cedar_entities', kind: i0.UpdateKind.insert),
         i0.TableUpdate('cedar_relationships', kind: i0.UpdateKind.insert),
       ],
     ),
@@ -748,15 +799,6 @@ abstract class $CloudHubDatabase extends i0.GeneratedDatabase {
         i0.TableUpdate('cedar_relationships', kind: i0.UpdateKind.update),
       ],
     ),
-    i0.WritePropagation(
-      on: i0.TableUpdateQuery.onTableName(
-        'projects',
-        limitUpdateKind: i0.UpdateKind.update,
-      ),
-      result: [
-        i0.TableUpdate('cedar_relationships', kind: i0.UpdateKind.delete),
-      ],
-    ),
     i0.WritePropagation(
       on: i0.TableUpdateQuery.onTableName(
         'projects',