[UIE-9148] - IAM / RBAC - Support permission segmentation for LA (linode#12764)

* Do the deed

* hook logic

* fix and improve test

* fix MaintenancePolicy permissions

* improve hook logic based on feedback

* feedback @hana-akamai

* revert API changes

* changesets

* tests + improved & cleaned up logic

Author: abailly-akamai

packages/api-v4/.changeset/pr-12764-fixed-1756302991843.md

@@ -0,0 +1,5 @@
+---
+"@linode/api-v4": Fixed
+---
+
+Wrong import path for EntityType ([#12764](https://github.com/linode/manager/pull/12764))

packages/api-v4/src/iam/types.ts

@@ -1,4 +1,4 @@
-import type { EntityType } from 'src/entities/types';
+import type { EntityType } from '../entities/types';
 
 export type AccountType = 'account';
 

packages/manager/.changeset/pr-12764-changed-1756303053101.md

@@ -0,0 +1,5 @@
+---
+"@linode/manager": Changed
+---
+
+Support IAM/RBAC permission segmentation for BETA/LA features ([#12764](https://github.com/linode/manager/pull/12764))

packages/manager/src/features/IAM/Shared/utilities.ts

@@ -513,7 +513,7 @@ export const mergeAssignedRolesIntoExistingRoles = (
         selectedPlusExistingRoles.entity_access.push({
           id: e.value,
           roles: [r.role?.value as EntityRoleType],
-          type: r.role?.entity_type,
+          type: r.role?.entity_type as AccessType,
         });
       }
     });

packages/manager/src/features/IAM/hooks/usePermissions.test.ts

@@ -23,13 +23,22 @@ vi.mock(import('@linode/queries'), async (importOriginal) => {
   const actual = await importOriginal();
   return {
     ...actual,
-    useIsIAMEnabled: queryMocks.useIsIAMEnabled,
     useUserAccountPermissions: queryMocks.useUserAccountPermissions,
     useUserEntityPermissions: queryMocks.useUserEntityPermissions,
     useGrants: queryMocks.useGrants,
   };
 });
 
+vi.mock('src/features/IAM/hooks/useIsIAMEnabled', async () => {
+  const actual = await vi.importActual(
+    'src/features/IAM/hooks/useIsIAMEnabled'
+  );
+  return {
+    ...actual,
+    useIsIAMEnabled: queryMocks.useIsIAMEnabled,
+  };
+});
+
 vi.mock('./adapters', () => ({
   fromGrants: vi.fn(
     (
@@ -127,4 +136,83 @@ describe('usePermissions', () => {
       false
     );
   });
+
+  it('returns correct map when IAM beta is false', () => {
+    queryMocks.useIsIAMEnabled.mockReturnValue({
+      isIAMEnabled: true,
+      isIAMBeta: false,
+    });
+    const flags = { iam: { beta: false, enabled: true } };
+
+    renderHook(() => usePermissions('account', ['create_linode']), {
+      wrapper: (ui) => wrapWithTheme(ui, { flags }),
+    });
+
+    expect(queryMocks.useGrants).toHaveBeenCalledWith(false);
+    expect(queryMocks.useUserEntityPermissions).toHaveBeenCalledWith(
+      'account',
+      undefined,
+      true
+    );
+  });
+
+  it('returns correct map when beta is true and neither the access type nor the permissions are in the limited availability scope', () => {
+    const flags = { iam: { beta: true, enabled: true } };
+    queryMocks.useIsIAMEnabled.mockReturnValue({
+      isIAMEnabled: true,
+      isIAMBeta: true,
+    });
+
+    renderHook(() => usePermissions('linode', ['update_linode'], 123), {
+      wrapper: (ui) => wrapWithTheme(ui, { flags }),
+    });
+
+    expect(queryMocks.useGrants).toHaveBeenCalledWith(false);
+    expect(queryMocks.useUserAccountPermissions).toHaveBeenCalledWith(false);
+    expect(queryMocks.useUserEntityPermissions).toHaveBeenCalledWith(
+      'linode',
+      123,
+      true
+    );
+  });
+
+  it('returns correct map when beta is true and the access type is in the limited availability scope', () => {
+    const flags = { iam: { beta: true, enabled: true } };
+    queryMocks.useIsIAMEnabled.mockReturnValue({
+      isIAMEnabled: true,
+      isIAMBeta: true,
+    });
+
+    renderHook(() => usePermissions('volume', ['resize_volume'], 123), {
+      wrapper: (ui) => wrapWithTheme(ui, { flags }),
+    });
+
+    expect(queryMocks.useGrants).toHaveBeenCalledWith(true);
+    expect(queryMocks.useUserAccountPermissions).toHaveBeenCalledWith(false);
+    expect(queryMocks.useUserEntityPermissions).toHaveBeenCalledWith(
+      'volume',
+      123,
+      false
+    );
+  });
+
+  it('returns correct map when beta is true and one of the permissions is in the limited availability scope', () => {
+    const flags = { iam: { beta: true, enabled: true } };
+    queryMocks.useIsIAMEnabled.mockReturnValue({
+      isIAMEnabled: true,
+      isIAMBeta: true,
+    });
+
+    renderHook(() => usePermissions('account', ['create_volume']), {
+      wrapper: (ui) => wrapWithTheme(ui, { flags }),
+    });
+
+    expect(queryMocks.useGrants).toHaveBeenCalledWith(true);
+    expect(queryMocks.useUserAccountPermissions).toHaveBeenCalledWith(false);
+    expect(queryMocks.useUserEntityPermissions).toHaveBeenCalledWith(
+      'account',
+      undefined,
+      false
+    );
+  });
 });

packages/manager/src/features/IAM/hooks/usePermissions.ts

@@ -1,8 +1,4 @@
-import {
-  type AccessType,
-  getUserEntityPermissions,
-  type PermissionType,
-} from '@linode/api-v4';
+import { getUserEntityPermissions } from '@linode/api-v4';
 import {
   useGrants,
   useProfile,
@@ -20,14 +16,26 @@ import {
 import { useIsIAMEnabled } from './useIsIAMEnabled';
 
 import type {
+  AccessType,
+  AccountAdmin,
   AccountEntity,
   APIError,
   EntityType,
   GrantType,
+  PermissionType,
   Profile,
 } from '@linode/api-v4';
 import type { UseQueryResult } from '@linode/queries';
 
+const BETA_ACCESS_TYPE_SCOPE: AccessType[] = ['account', 'linode', 'firewall'];
+const LA_ACCOUNT_ADMIN_PERMISSIONS_TO_EXCLUDE = [
+  'create_image',
+  'upload_image',
+  'create_vpc',
+  'create_volume',
+  'create_nodebalancer',
+];
+
 export type PermissionsResult<T extends readonly PermissionType[]> = {
   data: Record<T[number], boolean>;
 } & Omit<UseQueryResult<PermissionType[], APIError[]>, 'data'>;
@@ -38,23 +46,50 @@ export const usePermissions = <T extends readonly PermissionType[]>(
   entityId?: number,
   enabled: boolean = true
 ): PermissionsResult<T> => {
-  const { isIAMEnabled } = useIsIAMEnabled();
+  const { isIAMBeta, isIAMEnabled } = useIsIAMEnabled();
+  const { data: profile } = useProfile();
+
+  /**
+   * BETA and LA features should use the new permission model.
+   * However, beta features are limited to a subset of AccessTypes and account permissions.
+   * - Use Beta Permissions if:
+   *   - The feature is beta
+   *   - The access type is in the BETA_ACCESS_TYPE_SCOPE
+   *   - The account permission is not in the LA_ACCOUNT_ADMIN_PERMISSIONS_TO_EXCLUDE
+   * - Use LA Permissions if:
+   *   - The feature is not beta
+   */
+  const useBetaPermissions =
+    isIAMEnabled &&
+    isIAMBeta &&
+    BETA_ACCESS_TYPE_SCOPE.includes(accessType) &&
+    LA_ACCOUNT_ADMIN_PERMISSIONS_TO_EXCLUDE.some(
+      (blacklistedPermission) =>
+        permissionsToCheck.includes(blacklistedPermission as AccountAdmin) // some of the account admin in the blacklist have not been added yet
+    ) === false;
+  const useLAPermissions = isIAMEnabled && !isIAMBeta;
+  const shouldUsePermissionMap = useBetaPermissions || useLAPermissions;
+
+  const { data: grants } = useGrants(
+    (!isIAMEnabled || !shouldUsePermissionMap) && enabled
+  );
 
   const { data: userAccountPermissions, ...restAccountPermissions } =
     useUserAccountPermissions(
-      isIAMEnabled && accessType === 'account' && enabled
+      shouldUsePermissionMap && accessType === 'account' && enabled
     );
 
   const { data: userEntityPermissions, ...restEntityPermissions } =
-    useUserEntityPermissions(accessType, entityId!, isIAMEnabled && enabled);
+    useUserEntityPermissions(
+      accessType,
+      entityId!,
+      shouldUsePermissionMap && enabled
+    );
 
   const usersPermissions =
     accessType === 'account' ? userAccountPermissions : userEntityPermissions;
 
-  const { data: profile } = useProfile();
-  const { data: grants } = useGrants(!isIAMEnabled && enabled);
-
-  const permissionMap = isIAMEnabled
+  const permissionMap = shouldUsePermissionMap
     ? toPermissionMap(
         permissionsToCheck,
         usersPermissions!,