feat(rbac_ce): add service account subject type

Author: hamir-suspect

rbac/ce/lib/rbac/grpc_servers/rbac_server.ex

@@ -298,6 +298,8 @@ defmodule Rbac.GrpcServers.RbacServer do
   end
 
   defp build_search_params(request, page) do
+    Logger.info("build_search_params: #{inspect(request)}")
+
     params =
       request
       |> Map.from_struct()
@@ -342,6 +344,9 @@ defmodule Rbac.GrpcServers.RbacServer do
       :member_has_role ->
         if valid_uuid?(value), do: Keyword.put(acc, :role_id, value), else: acc
 
+      :member_type ->
+        Keyword.put(acc, :subject_type, value |> Atom.to_string() |> String.downcase())
+
       _ ->
         acc
     end
@@ -376,10 +381,14 @@ defmodule Rbac.GrpcServers.RbacServer do
 
   defp build_members_response(role_assignments, display_names_by_id) do
     Enum.map(role_assignments, fn assignment ->
+      # Determine subject type - for CE, we support USER and SERVICE_ACCOUNT
+      # We need to determine if this user_id is a service account
+      subject_type = assignment.subject_type |> String.upcase() |> String.to_existing_atom()
+
       %RBAC.ListMembersResponse.Member{
         subject: %RBAC.Subject{
           subject_id: assignment.user_id,
-          subject_type: :USER,
+          subject_type: subject_type,
           display_name: display_names_by_id[assignment.user_id] || ""
         },
         subject_role_bindings: [build_subject_role_binding(assignment)]

rbac/ce/lib/rbac/models/role_assignment.ex

@@ -12,14 +12,15 @@ defmodule Rbac.Models.RoleAssignment do
     field(:role_id, :binary_id)
     field(:org_id, :binary_id, primary_key: true)
     field(:user_id, :binary_id, primary_key: true)
+    field(:subject_type, :string, default: "user")
 
     timestamps(inserted_at: :created_at, updated_at: :updated_at)
   end
 
   @doc false
   def changeset(role_assignment, attrs) do
     role_assignment
-    |> cast(attrs, [:user_id, :org_id, :role_id])
+    |> cast(attrs, [:user_id, :org_id, :role_id, :subject_type])
     |> validate_required([:user_id, :org_id, :role_id])
   end
 
@@ -45,6 +46,7 @@ defmodule Rbac.Models.RoleAssignment do
           :user_id -> from(r in query, where: r.user_id == ^value)
           :org_id -> from(r in query, where: r.org_id == ^value)
           :role_id -> from(r in query, where: r.role_id == ^value)
+          :subject_type -> from(r in query, where: r.subject_type == ^value)
           _ -> query
         end
       end)

rbac/ce/test/rbac/grpc_servers/rbac_server_test.exs

@@ -879,6 +879,93 @@ defmodule Rbac.GrpcServers.RbacServerTest do
 
       assert Enum.empty?(response.members)
     end
+
+    test "Should return only service accounts when member_type is SERVICE_ACCOUNT", %{
+      channel: channel,
+      org_id: org_id
+    } do
+      # Create a service account role assignment
+      service_account_id = Ecto.UUID.generate()
+
+      Rbac.Support.RoleAssignmentsFixtures.role_assignment_fixture(%{
+        user_id: service_account_id,
+        role_id: Rbac.Roles.Member.role().id,
+        org_id: org_id,
+        subject_type: "service_account"
+      })
+
+      # Mock the User API to return service account information
+      GrpcMock.stub(UserMock, :describe_many, fn request, _ ->
+        %InternalApi.User.DescribeManyResponse{
+          users:
+            [
+              %InternalApi.User.User{
+                id: service_account_id,
+                name: "Test Service Account",
+                creation_source: :SERVICE_ACCOUNT
+              }
+            ]
+            |> Enum.filter(fn user -> user.id in request.user_ids end)
+        }
+      end)
+
+      request = %InternalApi.RBAC.ListMembersRequest{
+        org_id: org_id,
+        member_type: :SERVICE_ACCOUNT,
+        page: %InternalApi.RBAC.ListMembersRequest.Page{
+          page_no: 1,
+          page_size: 10
+        }
+      }
+
+      {:ok, response} = Stub.list_members(channel, request)
+
+      assert length(response.members) == 1
+
+      [member] = response.members
+      assert member.subject.subject_type == :SERVICE_ACCOUNT
+      assert member.subject.subject_id == service_account_id
+    end
+
+    test "Should exclude service accounts by default when no member_type is specified", %{
+      channel: channel,
+      org_id: org_id,
+      valid_requester: owner_user,
+      member_user: member_user
+    } do
+      # Create a service account role assignment to ensure it's filtered out by default
+      service_account_id = Ecto.UUID.generate()
+
+      Rbac.Support.RoleAssignmentsFixtures.role_assignment_fixture(%{
+        user_id: service_account_id,
+        role_id: Rbac.Roles.Admin.role().id,
+        org_id: org_id,
+        subject_type: "service_account"
+      })
+
+      request = %InternalApi.RBAC.ListMembersRequest{
+        org_id: org_id,
+        page: %InternalApi.RBAC.ListMembersRequest.Page{
+          page_no: 1,
+          page_size: 10
+        }
+      }
+
+      {:ok, response} = Stub.list_members(channel, request)
+
+      # Should only return the 2 regular users, not the service account
+      assert length(response.members) == 2
+
+      assert Enum.all?(response.members, fn member ->
+               member.subject.subject_type == :USER and
+                 member.subject.subject_id in [member_user.user_id, owner_user.user_id]
+             end)
+
+      # Verify service account is not in the results
+      refute Enum.any?(response.members, fn member ->
+               member.subject.subject_id == service_account_id
+             end)
+    end
   end
 
   describe "count_members/2" do