fix(rbac_ce): use subject type for role assignment

hamir-suspect · skipi · commit f08674c710ea · 2025-08-13T14:46:12.000+02:00
diff --git a/rbac/ce/lib/rbac/grpc_servers/rbac_server.ex b/rbac/ce/lib/rbac/grpc_servers/rbac_server.ex
@@ -56,10 +56,11 @@ defmodule Rbac.GrpcServers.RbacServer do
       role_id = role_assignment.role_id
       project_id = role_assignment.project_id
       subject_id = role_assignment.subject.subject_id
+      subject_type = role_assignment.subject.subject_type
 
       cond do
         valid_uuid?(role_id) ->
-          handle_role_assignment(org_id, subject_id, role_id)
+          handle_role_assignment(org_id, subject_id, role_id, subject_type)
 
         valid_uuid?(project_id) ->
           handle_project_assignment(subject_id, org_id, project_id)
@@ -467,14 +468,15 @@ defmodule Rbac.GrpcServers.RbacServer do
     end
   end
 
-  defp handle_role_assignment(org_id, subject_id, role_id) do
+  defp handle_role_assignment(org_id, subject_id, role_id, subject_type) do
     role = Rbac.Roles.find_by_id(role_id)
 
     if is_nil(role) do
       grpc_error!(:not_found, "Role with id #{role_id} not found")
     end
 
-    RoleAssignment.create_or_update(%{org_id: org_id, user_id: subject_id, role_id: role_id})
+    subject_type_string = convert_subject_type_to_string(subject_type)
+    RoleAssignment.create_or_update(%{org_id: org_id, user_id: subject_id, role_id: role_id, subject_type: subject_type_string})
   end
 
   defp handle_delete_role_assignment(org_id, subject_id) do
@@ -521,4 +523,14 @@ defmodule Rbac.GrpcServers.RbacServer do
     validate_uuid!(role_assignment.org_id)
     validate_uuid!(role_assignment.subject.subject_id)
   end
+
+  defp convert_subject_type_to_string(subject_type) do
+    case subject_type do
+      :USER -> "user"
+      :SERVICE_ACCOUNT -> "service_account"
+      :GROUP -> "group"
+      nil -> "user" # Default fallback
+      _ -> "user" # Default fallback for unknown values
+    end
+  end
 end
diff --git a/rbac/ce/test/rbac/grpc_servers/rbac_server_test.exs b/rbac/ce/test/rbac/grpc_servers/rbac_server_test.exs
@@ -66,6 +66,93 @@ defmodule Rbac.GrpcServers.RbacServerTest do
       setup_assign_and_retract(channel)
     end
 
+    @tag :subject_type_test
+    test "Should assign a role to a USER subject and save correct subject_type", %{
+      channel: channel,
+      valid_requester: valid_requester,
+      non_member_user: non_member_user,
+      org_id: org_id
+    } do
+      request = %InternalApi.RBAC.AssignRoleRequest{
+        requester_id: valid_requester.user_id,
+        role_assignment: %InternalApi.RBAC.RoleAssignment{
+          org_id: org_id,
+          role_id: Rbac.Roles.Member.role().id,
+          subject: %InternalApi.RBAC.Subject{
+            subject_id: non_member_user.user_id,
+            subject_type: :USER
+          }
+        }
+      }
+
+      {:ok, response} = Stub.assign_role(channel, request)
+      assert response == %InternalApi.RBAC.AssignRoleResponse{}
+
+      role_assignment =
+        Rbac.Models.RoleAssignment.get_by_user_and_org_id(non_member_user.user_id, org_id)
+
+      assert role_assignment.role_id == Rbac.Roles.Member.role().id
+      assert role_assignment.subject_type == "user"
+    end
+
+    @tag :subject_type_test
+    test "Should assign a role to a SERVICE_ACCOUNT subject and save correct subject_type", %{
+      channel: channel,
+      valid_requester: valid_requester,
+      non_member_user: non_member_user,
+      org_id: org_id
+    } do
+      request = %InternalApi.RBAC.AssignRoleRequest{
+        requester_id: valid_requester.user_id,
+        role_assignment: %InternalApi.RBAC.RoleAssignment{
+          org_id: org_id,
+          role_id: Rbac.Roles.Admin.role().id,
+          subject: %InternalApi.RBAC.Subject{
+            subject_id: non_member_user.user_id,
+            subject_type: :SERVICE_ACCOUNT
+          }
+        }
+      }
+
+      {:ok, response} = Stub.assign_role(channel, request)
+      assert response == %InternalApi.RBAC.AssignRoleResponse{}
+
+      role_assignment =
+        Rbac.Models.RoleAssignment.get_by_user_and_org_id(non_member_user.user_id, org_id)
+
+      assert role_assignment.role_id == Rbac.Roles.Admin.role().id
+      assert role_assignment.subject_type == "service_account"
+    end
+
+    @tag :subject_type_test
+    test "Should default to 'user' subject_type when subject_type is not provided", %{
+      channel: channel,
+      valid_requester: valid_requester,
+      non_member_user: non_member_user,
+      org_id: org_id
+    } do
+      request = %InternalApi.RBAC.AssignRoleRequest{
+        requester_id: valid_requester.user_id,
+        role_assignment: %InternalApi.RBAC.RoleAssignment{
+          org_id: org_id,
+          role_id: Rbac.Roles.Owner.role().id,
+          subject: %InternalApi.RBAC.Subject{
+            subject_id: non_member_user.user_id
+            # subject_type not provided
+          }
+        }
+      }
+
+      {:ok, response} = Stub.assign_role(channel, request)
+      assert response == %InternalApi.RBAC.AssignRoleResponse{}
+
+      role_assignment =
+        Rbac.Models.RoleAssignment.get_by_user_and_org_id(non_member_user.user_id, org_id)
+
+      assert role_assignment.role_id == Rbac.Roles.Owner.role().id
+      assert role_assignment.subject_type == "user"
+    end
+
     test "A valid requester user should assign a member role to a subject", %{
       channel: channel,
       valid_requester: valid_requester,
