feat(front): add feature flag and permissions to service accounts

Author: skipi

front/lib/front/auth.ex

@@ -313,6 +313,8 @@ defmodule Front.Auth do
       "project.secrets.manage" -> :ManageProjectSecrets
       "project.deployment_targets.view" -> :ViewDeploymentTargets
       "project.deployment_targets.manage" -> :ManageDeploymentTargets
+      "service_accounts.view" -> :ViewServiceAccounts
+      "service_accounts.manage" -> :ManageServiceAccounts
       _ -> :unknown
     end
   end

front/lib/front_web/controllers/service_account_controller.ex

@@ -5,15 +5,17 @@ defmodule FrontWeb.ServiceAccountController do
   alias Front.{Audit, ServiceAccount}
   alias FrontWeb.Plugs
 
-  plug(Plugs.FetchPermissions)
-  plug(Plugs.PageAccess, permission: "service_accounts.view")
+  plug(Plugs.FetchPermissions, scope: "org")
+  plug(Plugs.PageAccess, permissions: "service_accounts.view")
 
   plug(
     Plugs.PageAccess,
-    [permission: "service_accounts.manage"]
+    [permissions: "service_accounts.manage"]
     when action in [:create, :update, :delete, :regenerate_token]
   )
 
+  plug(Plugs.FeatureEnabled, [:service_accounts])
+
   def index(conn, params) do
     org_id = conn.assigns.organization_id
     page_size = String.to_integer(params["page_size"] || "20")

front/lib/front_web/plugs/organization_authorization.ex

@@ -19,6 +19,7 @@ defmodule FrontWeb.Plugs.OrganizationAuthorization do
   alias FrontWeb.SelfHostedAgentController, as: SelfHostedAgent
   alias FrontWeb.SettingsController, as: Settings
   alias FrontWeb.SupportController, as: Support
+  alias FrontWeb.ServiceAccountController, as: ServiceAccount
 
   alias Front.Auth
 
@@ -119,6 +120,12 @@ defmodule FrontWeb.Plugs.OrganizationAuthorization do
   defp authorize(Billing, :invoices, conn), do: Auth.private(conn, :ManageBilling)
   defp authorize(Billing, _, conn), do: Auth.private(conn, :ViewBilling)
 
+  defp authorize(ServiceAccount, action, conn)
+       when action in [:create, :update, :delete, :regenerate_token],
+       do: Auth.private(conn, :ManageServiceAccounts)
+
+  defp authorize(ServiceAccount, _, conn), do: Auth.private(conn, :ViewServiceAccounts)
+
   defp can?(conn, permission) do
     user_id = conn.assigns.user_id
     org_id = conn.assigns.organization_id

front/lib/front_web/views/service_account_view.ex

@@ -9,7 +9,7 @@ defmodule FrontWeb.ServiceAccountView do
     }
   end
 
-  def render("show.json", %{service_account: %ServiceAccount{} = service_account} = assigns) do
+  def render("show.json", assigns = %{service_account: service_account = %ServiceAccount{}}) do
     data = service_account_json(service_account)
 
     # Only include api_token if it's present (on create/regenerate)
@@ -19,7 +19,7 @@ defmodule FrontWeb.ServiceAccountView do
     end
   end
 
-  defp service_account_json(%ServiceAccount{} = service_account) do
+  defp service_account_json(service_account = %ServiceAccount{}) do
     %{
       id: service_account.id,
       name: service_account.name,
@@ -32,7 +32,7 @@ defmodule FrontWeb.ServiceAccountView do
 
   defp format_datetime(nil), do: nil
 
-  defp format_datetime(%DateTime{} = datetime) do
+  defp format_datetime(datetime = %DateTime{}) do
     DateTime.to_iso8601(datetime)
   end
 end

front/test/support/stubs/feature.ex

@@ -138,7 +138,8 @@ defmodule Support.Stubs.Feature do
       {"open_id_connect_filter", state: :ENABLED, quantity: 1},
       {"wf_editor_via_jobs", state: :HIDDEN, quantity: 0},
       {"ui_reports", state: :ENABLED, quantity: 1},
-      {"ui_partial_ppl_rebuild", state: :ENABLED, quantity: 1}
+      {"ui_partial_ppl_rebuild", state: :ENABLED, quantity: 1},
+      {"service_accounts", state: :ENABLED, quantity: 1}
     ]
   end
 

front/test/support/stubs/permission_patrol.ex

@@ -1,7 +1,7 @@
 defmodule Support.Stubs.PermissionPatrol do
   alias Support.Stubs.DB
 
-  @all_organization_permissions "organization.custom_roles.view,organization.custom_roles.manage,organization.okta.view,organization.okta.manage,organization.contact_support,organization.delete,organization.view,organization.secrets_policy_settings.manage,organization.secrets_policy_settings.view,organization.activity_monitor.view,organization.projects.create,organization.audit_logs.view,organization.audit_logs.manage,organization.people.view,organization.people.invite,organization.people.manage,organization.groups.view,organization.groups.manage,organization.custom_roles.manage,organization.self_hosted_agents.view,organization.self_hosted_agents.manage,organization.general_settings.view,organization.general_settings.manage,organization.secrets.view,organization.secrets.manage,organization.ip_allow_list.view,organization.ip_allow_list.manage,organization.notifications.view,organization.notifications.manage,organization.pre_flight_checks.view,organization.pre_flight_checks.manage,organization.plans_and_billing.view,organization.plans_and_billing.manage,organization.repo_to_role_mappers.manage,organization.dashboards.view,organization.dashboards.manage,organization.instance_git_integration.manage"
+  @all_organization_permissions "organization.custom_roles.view,organization.custom_roles.manage,organization.okta.view,organization.okta.manage,organization.contact_support,organization.delete,organization.view,organization.secrets_policy_settings.manage,organization.secrets_policy_settings.view,organization.activity_monitor.view,organization.projects.create,organization.audit_logs.view,organization.audit_logs.manage,organization.people.view,organization.people.invite,organization.people.manage,organization.groups.view,organization.groups.manage,organization.custom_roles.manage,organization.self_hosted_agents.view,organization.self_hosted_agents.manage,organization.general_settings.view,organization.general_settings.manage,organization.secrets.view,organization.secrets.manage,organization.ip_allow_list.view,organization.ip_allow_list.manage,organization.notifications.view,organization.notifications.manage,organization.pre_flight_checks.view,organization.pre_flight_checks.manage,organization.plans_and_billing.view,organization.plans_and_billing.manage,organization.repo_to_role_mappers.manage,organization.dashboards.view,organization.dashboards.manage,organization.instance_git_integration.manage,service_accounts.view,service_accounts.manage"
   @all_project_permissions "project.view,project.delete,project.access.view,project.access.manage,project.debug,project.secrets.view,project.secrets.manage,project.notifications.view,project.notifications.manage,project.insights.view,project.insights.manage,project.artifacts.view,project.artifacts.delete,project.artifacts.view_settings,project.artifacts.modify_settings,project.scheduler.view,project.scheduler.manage,project.scheduler.run_manually,project.general_settings.view,project.general_settings.manage,project.repository_info.view,project.repository_info.manage,project.deployment_targets.view,project.deployment_targets.manage,project.pre_flight_checks.view,project.pre_flight_checks.manage,project.workflow.view,project.workflow.manage,project.job.view,project.job.rerun,project.job.stop,project.job.port_forwarding,project.job.attach"
 
   def init do

front/test/support/stubs/rbac.ex

@@ -46,7 +46,9 @@ defmodule Support.Stubs.RBAC do
     "organization.plans_and_billing.manage",
     "organization.repo_to_role_mappers.manage",
     "organization.dashboards.view",
-    "organization.dashboards.manage"
+    "organization.dashboards.manage",
+    "service_accounts.view",
+    "service_accounts.manage"
   ]
 
   @project_permissions [