feat: segregate system role with prefix type as protected resources

Signed-off-by: William Phetsinorath <william.phetsinorath-open@interieur.gouv.fr>

Author: shikanime

apps/client/src/components/AdminRoleForm.vue

@@ -1,6 +1,6 @@
 <script lang="ts" setup>
 import type { AdminPermsKeys, LettersQuery, SharedZodError, User } from '@cpn-console/shared'
-import { ADMIN_PERMS, adminPermsDetails, RoleSchema, shallowEqual } from '@cpn-console/shared'
+import { ADMIN_PERMS, adminPermsDetails, isManagedRole, isSystemRole, RoleSchema, shallowEqual } from '@cpn-console/shared'
 import pDebounce from 'p-debounce'
 import { computed, onBeforeMount, ref } from 'vue'
 import { useUsersStore } from '@/stores/users.js'
@@ -31,6 +31,21 @@ const role = ref({
   permissions: props.permissions ?? 0n,
 })
 
+const systemTypePrefix = 'system:'
+const isSystem = computed(() => isSystemRole(role.value.type))
+const isManaged = computed(() => isManagedRole(role.value.type))
+const roleTypeForSelect = computed({
+  get() {
+    const type = role.value.type
+    if (type?.startsWith(systemTypePrefix)) return type.slice(systemTypePrefix.length)
+    return type ?? 'managed'
+  },
+  set(value) {
+    if (role.value.type?.startsWith(systemTypePrefix)) role.value.type = `${systemTypePrefix}${value}`
+    else role.value.type = value
+  },
+})
+
 const isUpdated = computed(() => {
   return !shallowEqual(props, role.value)
 })
@@ -44,7 +59,7 @@ const tabListName = 'Liste d’onglet'
 const tabTitles = computed(() => [
   { title: 'Général', icon: 'ri:checkbox-circle-line', tabId: 'general' },
   ...(
-    role.value.type === 'managed'
+    isManaged.value
       ? [{ title: 'Membres', icon: 'ri:checkbox-circle-line', tabId: 'members' }]
       : []),
   { title: 'Fermer', icon: 'ri:close-line', tabId: 'close' },
@@ -150,6 +165,7 @@ const typeOptions = [
         label-visible
         hint="Ne doit pas dépasser 30 caractères."
         class="mb-5"
+        :disabled="isSystem"
       />
       <p
         class="fr-h6"
@@ -174,18 +190,19 @@ const typeOptions = [
           :label="perm.label"
           :hint="perm?.hint"
           :name="perm.key"
-          :disabled="role.permissions & ADMIN_PERMS.MANAGE && perm.key !== 'MANAGE'"
+          :disabled="isSystem || (role.permissions & ADMIN_PERMS.MANAGE && perm.key !== 'MANAGE')"
           @update:model-value="(checked: boolean) => updateChecked(checked, perm.key)"
         />
       </div>
       <DsfrSelect
-        v-model="role.type"
+        v-model="roleTypeForSelect"
         data-testid="roleTypeSelect"
         select-id="roleTypeSelect"
         label="Type"
         label-visible
         :options="typeOptions"
         class="mb-5"
+        :disabled="isSystem"
       />
       <DsfrInput
         v-model="role.oidcGroup"
@@ -194,16 +211,18 @@ const typeOptions = [
         label-visible
         placeholder="/admin"
         class="mb-5"
+        :disabled="isSystem"
       />
       <DsfrButton
         data-testid="saveBtn"
         label="Enregistrer"
         secondary
-        :disabled="!isUpdated || !!errorSchema"
+        :disabled="!isUpdated || !!errorSchema || isSystem"
         class="mr-5"
         @click="$emit('save', { ...role, permissions: role.permissions.toString() })"
       />
       <DsfrButton
+        v-if="!isSystem"
         data-testid="deleteBtn"
         label="Supprimer"
         secondary

apps/client/src/components/ProjectRoleForm.vue

@@ -1,6 +1,6 @@
 <script lang="ts" setup>
 import type { Member, ProjectRoleBigint, ProjectV2 } from '@cpn-console/shared'
-import { PROJECT_PERMS, projectPermsDetails, shallowEqual } from '@cpn-console/shared'
+import { isManagedRole, isSystemRole, PROJECT_PERMS, projectPermsDetails, shallowEqual } from '@cpn-console/shared'
 import { computed, ref } from 'vue'
 
 const props = defineProps<{
@@ -29,6 +29,21 @@ const role = ref({
   type: props.type ?? 'managed',
 })
 
+const isSystem = computed(() => isSystemRole(role.value.type))
+const isManaged = computed(() => isManagedRole(role.value.type))
+const systemTypePrefix = 'system:'
+const roleTypeForSelect = computed({
+  get() {
+    const type = role.value.type
+    if (type?.startsWith(systemTypePrefix)) return type.slice(systemTypePrefix.length)
+    return type ?? 'managed'
+  },
+  set(value) {
+    if (role.value.type?.startsWith(systemTypePrefix)) role.value.type = `${systemTypePrefix}${value}`
+    else role.value.type = value
+  },
+})
+
 const isUpdated = computed(() => {
   if (role.value.isEveryone) return props.permissions !== role.value.permissions
   return !shallowEqual(props, role.value)
@@ -38,7 +53,7 @@ const tabListName = 'Liste d’onglet'
 const tabTitles = computed(() => [
   { title: 'Général', icon: 'ri:checkbox-circle-line', tabId: 'general' },
   ...(
-    role.value.type === 'managed'
+    isManaged.value
       ? [{ title: 'Membres', icon: 'ri:checkbox-circle-line', tabId: 'members' }]
       : []),
   { title: 'Fermer', icon: 'ri:close-line', tabId: 'close' },
@@ -74,30 +89,34 @@ const typeOptions = [
       panel-id="general"
       tab-id="general"
     >
-      <h6>Nom du rôle</h6>
       <DsfrInput
         v-model="role.name"
         data-testid="roleNameInput"
+        label="Nom du rôle"
         label-visible
         class="mb-5"
-        :disabled="role.isEveryone"
-      />
-      <h6>Type</h6>
-      <DsfrSelect
-        v-model="role.type"
-        select-id="roleTypeSelect"
-        :options="typeOptions"
-        class="mb-5"
-        :disabled="role.isEveryone"
-      />
-      <h6>Groupe OIDC</h6>
-      <DsfrInput
-        v-model="role.oidcGroup"
-        data-testid="roleOidcGroupInput"
-        label-visible
-        class="mb-5"
-        :disabled="role.isEveryone"
+        :disabled="role.isEveryone || isSystem"
       />
+      <template v-if="!role.isEveryone">
+        <DsfrSelect
+          v-model="roleTypeForSelect"
+          data-testid="roleTypeSelect"
+          select-id="roleTypeSelect"
+          label="Type"
+          label-visible
+          :options="typeOptions"
+          class="mb-5"
+          :disabled="isSystem"
+        />
+        <DsfrInput
+          v-model="role.oidcGroup"
+          data-testid="roleOidcGroupInput"
+          label="Groupe OIDC"
+          label-visible
+          class="mb-5"
+          :disabled="isSystem"
+        />
+      </template>
       <h6>Permissions</h6>
       <div
         v-for="scope in projectPermsDetails"
@@ -117,20 +136,20 @@ const typeOptions = [
           :label="perm?.label"
           :hint="perm?.hint"
           :name="perm.key"
-          :disabled="(role.permissions & PROJECT_PERMS.MANAGE && perm.key !== 'MANAGE')"
+          :disabled="isSystem || (role.permissions & PROJECT_PERMS.MANAGE && perm.key !== 'MANAGE')"
           @update:model-value="(checked: boolean) => updateChecked(checked, PROJECT_PERMS[perm.key])"
         />
       </div>
       <DsfrButton
         label="Enregistrer"
         data-testid="saveBtn"
         secondary
-        :disabled="!isUpdated"
+        :disabled="!isUpdated || isSystem"
         class="mr-5"
         @click="$emit('save', role)"
       />
       <DsfrButton
-        v-if="!role.isEveryone"
+        v-if="!role.isEveryone && !isSystem"
         data-testid="deleteBtn"
         label="Supprimer"
         secondary

apps/client/src/components/ProjectRoles.vue

@@ -41,7 +41,7 @@ async function updateMember(checked: boolean, userId: Member['userId']) {
   if (!matchingMember) return
 
   const newRoleList = checked
-    ? [...matchingMember.roleIds, ...selectedRole.value.id]
+    ? [...matchingMember.roleIds, selectedRole.value.id]
     : matchingMember.roleIds.filter(id => id !== selectedRole.value?.id)
 
   await props.project.Members.patch([{ userId, roles: newRoleList }])

apps/server-nestjs/src/modules/healthz/healthz.module.ts

@@ -1,7 +1,7 @@
 import { Module } from '@nestjs/common'
 import { TerminusModule } from '@nestjs/terminus'
-import { KeycloakModule } from '../keycloak/keycloak.module'
 import { DatabaseModule } from '../../cpin-module/infrastructure/database/database.module'
+import { KeycloakModule } from '../keycloak/keycloak.module'
 import { HealthzController } from './healthz.controller'
 
 @Module({

apps/server/src/prisma/migrations/20260330122500_migrate_project_system_roles_type_system_managed/migration.sql

@@ -0,0 +1,15 @@
+-- Migrate well-known project roles to the new "system:"-prefixed type
+UPDATE "ProjectRole"
+SET "type" = 'system:managed'
+WHERE
+  "type" = 'managed'
+  AND "oidcGroup" ~ '^/[^/]+/console/(admin|devops|developer|readonly)$';
+
+-- Migrate well-known admin roles to the new "system:"-prefixed type
+UPDATE "AdminRole"
+SET "type" = 'system:managed'
+WHERE id IN (
+  '76229c96-4716-45bc-99da-00498ec9018c',
+  '6bebe7b2-0f0a-456e-ab7f-b3d7640a7cbf',
+  '35848aa2-e881-4770-9844-0c5c3693e506'
+);

apps/server/src/resources/project-role/business.ts

@@ -1,5 +1,6 @@
 import type { projectRoleContract } from '@cpn-console/shared'
 import type { Project, ProjectRole } from '@prisma/client'
+import { isSystemRole } from '@cpn-console/shared'
 import prisma from '@/prisma.js'
 import {
   deleteRole as deleteRoleQuery,
@@ -32,6 +33,12 @@ export async function patchRoles(projectId: Project['id'], roles: typeof project
   for (const dbRole of dbRoles) {
     const matchingRole = roles.find(role => role.id === dbRole.id)
     if (matchingRole) {
+      if (isSystemRole(dbRole.type)) {
+        return new BadRequest400('Ce rôle système ne peut pas être modifié')
+      }
+      if (isSystemRole(matchingRole.type)) {
+        return new BadRequest400('Impossible de modifier un rôle en rôle système')
+      }
       if (typeof matchingRole?.position !== 'undefined' && !positionsAvailable.includes(matchingRole?.position)) {
         positionsAvailable.push(matchingRole.position)
       }
@@ -62,6 +69,9 @@ export async function patchRoles(projectId: Project['id'], roles: typeof project
 export async function createRole(projectId: Project['id'], role: typeof projectRoleContract.createProjectRole.body._type) {
   const project = await prisma.project.findUnique({ where: { id: projectId }, select: { slug: true } })
   if (!project) throw new NotFound404()
+  if (isSystemRole(role.type)) {
+    throw new BadRequest400('Impossible de créer un rôle système')
+  }
   const dbMaxPosRole = (await prisma.projectRole.findFirst({
     where: { projectId },
     orderBy: { position: 'desc' },
@@ -100,6 +110,11 @@ export async function countRolesMembers(projectId: Project['id']) {
 }
 
 export async function deleteRole(roleId: Project['id']) {
+  const role = await prisma.projectRole.findUnique({ where: { id: roleId }, select: { type: true } })
+  if (!role) throw new NotFound404()
+  if (isSystemRole(role.type)) {
+    throw new BadRequest400('Ce rôle système ne peut pas être supprimé')
+  }
   await hook.projectRole.delete(roleId)
   await deleteRoleQuery(roleId)
   return null

apps/server/src/resources/project/queries.ts

@@ -264,28 +264,28 @@ export function initializeProject(params: CreateProjectParams) {
             permissions: PROJECT_PERMS.MANAGE,
             position: 0,
             oidcGroup: `/${params.slug}/console/admin`,
-            type: 'managed',
+            type: 'system:managed',
           },
           {
             name: 'DevOps',
             permissions: PROJECT_PERMS.MANAGE_ENVIRONMENTS | PROJECT_PERMS.MANAGE_REPOSITORIES | PROJECT_PERMS.REPLAY_HOOKS | PROJECT_PERMS.SEE_SECRETS | PROJECT_PERMS.LIST_ENVIRONMENTS | PROJECT_PERMS.LIST_REPOSITORIES,
             position: 1,
             oidcGroup: `/${params.slug}/console/devops`,
-            type: 'managed',
+            type: 'system:managed',
           },
           {
             name: 'Développeur',
             permissions: PROJECT_PERMS.MANAGE_REPOSITORIES | PROJECT_PERMS.LIST_ENVIRONMENTS | PROJECT_PERMS.LIST_REPOSITORIES,
             position: 2,
             oidcGroup: `/${params.slug}/console/developer`,
-            type: 'managed',
+            type: 'system:managed',
           },
           {
             name: 'Lecture seule',
             permissions: PROJECT_PERMS.LIST_ENVIRONMENTS | PROJECT_PERMS.LIST_REPOSITORIES,
             position: 3,
             oidcGroup: `/${params.slug}/console/readonly`,
-            type: 'managed',
+            type: 'system:managed',
           },
         ],
       },

packages/shared/src/utils/index.ts

@@ -3,5 +3,6 @@ export * from './date.js'
 export * from './functions.js'
 export * from './permissions.js'
 export * from './plugins.js'
+export * from './roles.js'
 export * from './schemas.js'
 export * from './types.js'

packages/shared/src/utils/roles.ts

@@ -0,0 +1,22 @@
+export const systemRoleTypePrefix = 'system:' as const
+
+export function isSystemRole(type: string | null | undefined) {
+  return !!type?.startsWith(systemRoleTypePrefix)
+}
+
+function getBaseRole(type: string | null | undefined) {
+  if (!type) return undefined
+  return isSystemRole(type) ? type.slice(systemRoleTypePrefix.length) : type
+}
+
+export function isManaged(type: string | null | undefined) {
+  return getBaseRole(type) === 'managed'
+}
+
+export function isGlobal(type: string | null | undefined) {
+  return getBaseRole(type) === 'global'
+}
+
+export function isExternal(type: string | null | undefined) {
+  return getBaseRole(type) === 'external'
+}

packages/test-utils/src/imports/data.ts

@@ -25,15 +25,15 @@ export const data = {
       position: 0,
       oidcGroup: '/admin',
       name: 'Root Administrateur Plateforme',
-      type: 'managed',
+      type: 'system:managed',
     },
     {
       id: '6bebe7b2-0f0a-456e-ab7f-b3d7640a7cbf',
       permissions: '3n',
       position: 0,
       oidcGroup: '/console/admin',
       name: 'Administrateur Plateforme',
-      type: 'managed',
+      type: 'system:managed',
     },
     {
       id: 'eadf604f-5f54-4744-bdfb-4793d2271e9b',
@@ -49,7 +49,7 @@ export const data = {
       position: 2,
       oidcGroup: '/console/readonly',
       name: 'Lecture Seule Plateforme',
-      type: 'managed',
+      type: 'system:managed',
     },
     {
       id: '034f589f-1750-4b15-bb34-4cd995e7fcaa',