feat: add permissions for OIDC groups

bevzzz · bevzzz · commit 4273a3051403 · 2025-09-02T11:31:09.000+02:00
Note: the OpenAPI schema is manually modified to exclude 'db' group type, because it is not currently supported on the server. It will be removed from the next RC release (and GA too). Regenerate the schema once this PR is merged: #343
diff --git a/src/groups/index.ts b/src/groups/index.ts
@@ -13,29 +13,29 @@ export interface GroupsOIDC {
   /**
    * Get the roles assigned to a group specific to the configured OIDC's dynamic auth functionality.
    *
-   * @param groupID [string]  The group ID to get the roles for.
-   * @return A list of roles assigned tot he group.
+   * @param {string} groupID The group ID to get the roles for.
+   * @returns {Promise<Record<string, Role>>} A map of roles assigned to the group.
    */
   getAssignedRoles(groupID: string, includePermissions?: boolean): Promise<Record<string, Role>>;
 
   /**
    * Assign roles to a group specific to the configured OIDC's dynamic auth functionality.
    *
-   * @param group_id [string] The group to assign the roles to.
-   * @param role_names [string[]] The names of the roles to assign to the group.
+   * @param {string} groupID The group ID to get the roles for.
+   * @param {string | string[]} roles  The names of the roles to assign to the group.
    */
   assignRoles(groupID: string, roles: string | string[]): Promise<void>;
   /**
    * Revoke roles from a group specific to the configured OIDC's dynamic auth functionality.
    *
-   * @param group_id [string] The group to assign the roles to.
-   * @param role_names [string[]] The names of the roles to assign to the group.
+   * @param {string} groupID The group ID to get the roles for.
+   * @param {string | string[]} roles  The names of the roles to revoke from the group.
    */
   revokeRoles(groupID: string, roles: string | string[]): Promise<void>;
   /**
    * Get the known group names specific to the configured OIDC's dynamic auth functionality.
    *
-   * @return A list of known group names.
+   * @returns {Promise<string[]>} A list of known group names.
    */
   getKnownGroupNames(): Promise<string[]>;
 }
diff --git a/src/openapi/schema.ts b/src/openapi/schema.ts
@@ -319,7 +319,7 @@ export interface definitions {
    * @description If the group contains OIDC or database users.
    * @enum {string}
    */
-  GroupType: 'db' | 'oidc';
+  GroupType: 'oidc';
   /**
    * @description the type of user
    * @enum {string}
diff --git a/src/roles/index.ts b/src/roles/index.ts
@@ -12,6 +12,8 @@ import {
   CollectionsPermission,
   DataPermission,
   GroupAssignment,
+  GroupsAction,
+  GroupsPermission,
   NodesPermission,
   Permission,
   PermissionsInput,
@@ -109,7 +111,7 @@ export interface Roles {
    * Get the IDs and group type of groups that assigned this role.
    *
    * @param {string} roleName The name of the role to check.
-   * @return {Promise<GroupAssignment[]>} A promise that resolves to an array of group names assigned to this role.
+   * @returns {Promise<GroupAssignment[]>} A promise that resolves to an array of group names assigned to this role.
    */
   getGroupAssignments: (roleName: string) => Promise<GroupAssignment[]>;
 }
@@ -285,6 +287,49 @@ export const permissions = {
       return out;
     });
   },
+  /**
+   * This namespace contains methods to create permissions specific to RBAC groups.
+   */
+  groups: {
+    /**
+     * Create a set of permissions for 'oidc' groups.
+     *
+     * @param {string | string[]} args.groupID IDs of the groups with permissions.
+     * @param {boolean} [args.read] Whether to allow reading groups. Defaults to `false`.
+     * @param {boolean} [args.assignAndRevoke] Whether to allow changing group assignements. Defaults to `false`.
+     * @returns {GroupsPermission[]} The permissions for managing groups.
+     */
+    oidc: (args: {
+      groupID: string | string[];
+      read?: boolean;
+      assignAndRevoke?: boolean;
+    }): GroupsPermission[] => {
+      const groups = Array.isArray(args.groupID) ? args.groupID : [args.groupID];
+      const actions: GroupsAction[] = [];
+      if (args.read) actions.push('read_groups');
+      if (args.assignAndRevoke) actions.push('assign_and_revoke_groups');
+      return groups.map((gid) => ({ groupID: gid, groupType: 'oidc', actions }));
+    },
+    /**
+     * Create a set of permissions for 'db' groups.
+     *
+     * @param {string | string[]} args.groupID IDs of the groups with permissions.
+     * @param {boolean} [args.read] Whether to allow reading groups. Defaults to `false`.
+     * @param {boolean} [args.assignAndRevoke] Whether to allow changing group assignements. Defaults to `false`.
+     * @returns {GroupsPermission[]} The permissions for managing groups.
+     */
+    // db: (args: {
+    //   groupID: string | string[];
+    //   read?: boolean;
+    //   assignAndRevoke?: boolean;
+    // }): GroupsPermission[] => {
+    //   const groups = Array.isArray(args.groupID) ? args.groupID : [args.groupID];
+    //   const actions: GroupsAction[] = [];
+    //   if (args.read) actions.push('read_groups');
+    //   if (args.assignAndRevoke) actions.push('assign_and_revoke_groups');
+    //   return groups.map((gid) => ({ groupID: gid, groupType: 'db', actions }));
+    // },
+  },
   /**
    * This namespace contains methods to create permissions specific to nodes.
    */
diff --git a/src/roles/integration.test.ts b/src/roles/integration.test.ts
@@ -25,6 +25,7 @@ const emptyPermissions = {
   clusterPermissions: [],
   collectionsPermissions: [],
   dataPermissions: [],
+  groupsPermissions: [],
   nodesPermissions: [],
   rolesPermissions: [],
   tenantsPermissions: [],
@@ -160,6 +161,23 @@ const testCases: TestCase[] = [
       ],
     },
   },
+  {
+    roleName: 'groups-oidc',
+    requireVersion: [1, 33, 0],
+    permissions: weaviate.permissions.groups.oidc({
+      groupID: ['G1', 'G2'],
+      read: true,
+      assignAndRevoke: true,
+    }),
+    expected: {
+      name: 'groups-oidc',
+      ...emptyPermissions,
+      groupsPermissions: [
+        { groupID: 'G1', groupType: 'oidc', actions: ['read_groups', 'assign_and_revoke_groups'] },
+        { groupID: 'G2', groupType: 'oidc', actions: ['read_groups', 'assign_and_revoke_groups'] },
+      ],
+    },
+  },
   {
     roleName: 'nodes-verbose',
     permissions: weaviate.permissions.nodes.verbose({
diff --git a/src/roles/types.ts b/src/roles/types.ts
@@ -18,6 +18,7 @@ export type DataAction = Extract<
   Action,
   'create_data' | 'delete_data' | 'read_data' | 'update_data' | 'manage_data'
 >;
+export type GroupsAction = Extract<Action, 'read_groups' | 'assign_and_revoke_groups'>;
 export type NodesAction = Extract<Action, 'read_nodes'>;
 export type RolesAction = Extract<Action, 'create_roles' | 'read_roles' | 'update_roles' | 'delete_roles'>;
 export type TenantsAction = Extract<
@@ -62,6 +63,12 @@ export type DataPermission = {
   actions: DataAction[];
 };
 
+export type GroupsPermission = {
+  groupID: string;
+  groupType: WeaviateGroupType;
+  actions: GroupsAction[];
+};
+
 export type NodesPermission = {
   collection: string;
   verbosity: 'verbose' | 'minimal';
@@ -91,6 +98,7 @@ export type Role = {
   clusterPermissions: ClusterPermission[];
   collectionsPermissions: CollectionsPermission[];
   dataPermissions: DataPermission[];
+  groupsPermissions: GroupsPermission[];
   nodesPermissions: NodesPermission[];
   rolesPermissions: RolesPermission[];
   tenantsPermissions: TenantsPermission[];
@@ -103,6 +111,7 @@ export type Permission =
   | ClusterPermission
   | CollectionsPermission
   | DataPermission
+  | GroupsPermission
   | NodesPermission
   | RolesPermission
   | TenantsPermission
diff --git a/src/roles/util.ts b/src/roles/util.ts
@@ -19,6 +19,8 @@ import {
   DataAction,
   DataPermission,
   GroupAssignment,
+  GroupsAction,
+  GroupsPermission,
   NodesAction,
   NodesPermission,
   Permission,
@@ -67,6 +69,8 @@ export class PermissionGuards {
       'read_data',
       'update_data'
     );
+  static isGroups = (permission: Permission): permission is GroupsPermission =>
+    PermissionGuards.includes<GroupsAction>(permission, 'read_groups', 'assign_and_revoke_groups');
   static isNodes = (permission: Permission): permission is NodesPermission =>
     PermissionGuards.includes<NodesAction>(permission, 'read_nodes');
   static isRoles = (permission: Permission): permission is RolesPermission =>
@@ -129,6 +133,11 @@ export class Map {
         data: permission,
         action,
       }));
+    } else if (PermissionGuards.isGroups(permission)) {
+      return Array.from(permission.actions).map((action) => ({
+        groups: { group: permission.groupID, groupType: permission.groupType },
+        action,
+      }));
     } else if (PermissionGuards.isNodes(permission)) {
       return Array.from(permission.actions).map((action) => ({
         nodes: permission,
@@ -207,6 +216,7 @@ class PermissionsMapping {
       cluster: {},
       collections: {},
       data: {},
+      groups: {},
       nodes: {},
       roles: {},
       tenants: {},
@@ -230,6 +240,7 @@ class PermissionsMapping {
       clusterPermissions: Object.values(this.mappings.cluster),
       collectionsPermissions: Object.values(this.mappings.collections),
       dataPermissions: Object.values(this.mappings.data),
+      groupsPermissions: Object.values(this.mappings.groups),
       nodesPermissions: Object.values(this.mappings.nodes),
       rolesPermissions: Object.values(this.mappings.roles),
       tenantsPermissions: Object.values(this.mappings.tenants),
@@ -286,6 +297,18 @@ class PermissionsMapping {
     }
   };
 
+  private groups = (permission: WeaviatePermission) => {
+    if (permission.groups !== undefined) {
+      const { group, groupType } = permission.groups;
+      if (group === undefined) throw new Error('Group permission missing groupID');
+      if (groupType === undefined) throw new Error('Group permission missing groupType');
+      const key = `${groupType}#${group}`;
+      if (this.mappings.groups[key] === undefined)
+        this.mappings.groups[key] = { groupType, groupID: group, actions: [] };
+      this.mappings.groups[key].actions.push(permission.action as GroupsAction);
+    }
+  };
+
   private nodes = (permission: WeaviatePermission) => {
     if (permission.nodes !== undefined) {
       let { collection } = permission.nodes;
@@ -337,6 +360,7 @@ class PermissionsMapping {
     this.cluster(permission);
     this.collections(permission);
     this.data(permission);
+    this.groups(permission);
     this.nodes(permission);
     this.roles(permission);
     this.tenants(permission);
@@ -350,6 +374,7 @@ type PermissionMappings = {
   cluster: Record<string, ClusterPermission>;
   collections: Record<string, CollectionsPermission>;
   data: Record<string, DataPermission>;
+  groups: Record<string, GroupsPermission>;
   nodes: Record<string, NodesPermission>;
   roles: Record<string, RolesPermission>;
   tenants: Record<string, TenantsPermission>;
