Merge pull request #6071 from logto-io/gao-org-app-role-apis

feat(core): organization app role apis
logto-io · Jun 21, 2024 · ec95536 · ec95536
2 parents 9f72a45 + 07da791
commit ec95536
Show file tree

Hide file tree

Showing 12 changed files with 484 additions and 31 deletions.
diff --git a/packages/core/src/queries/organization/index.ts b/packages/core/src/queries/organization/index.ts
@@ -33,6 +33,7 @@ import SchemaQueries from '#src/utils/SchemaQueries.js';
 import { conditionalSql, convertToIdentifiers } from '#src/utils/sql.js';
 
 import { EmailDomainQueries } from './email-domains.js';
+import { RoleApplicationRelationQueries } from './role-application-relations.js';
 import { RoleUserRelationQueries } from './role-user-relations.js';
 import { SsoConnectorQueries } from './sso-connectors.js';
 import { UserRelationQueries } from './user-relations.js';
@@ -284,6 +285,7 @@ export default class OrganizationQueries extends SchemaQueries<
     ),
     /** Queries for organization - user relations. */
     users: new UserRelationQueries(this.pool),
+    // TODO: Rename to `usersRoles`
     /** Queries for organization - organization role - user relations. */
     rolesUsers: new RoleUserRelationQueries(this.pool),
     /** Queries for organization - application relations. */
@@ -293,6 +295,9 @@ export default class OrganizationQueries extends SchemaQueries<
       Organizations,
       Applications
     ),
+    // TODO: Rename to `appsRoles`
+    /** Queries for organization - organization role - application relations. */
+    rolesApps: new RoleApplicationRelationQueries(this.pool),
     invitationsRoles: new TwoRelationsQueries(
       this.pool,
       OrganizationInvitationRoleRelations.table,

diff --git a/packages/core/src/queries/organization/role-application-relations.ts b/packages/core/src/queries/organization/role-application-relations.ts
@@ -0,0 +1,64 @@
+import {
+  Organizations,
+  OrganizationRoles,
+  Applications,
+  OrganizationRoleApplicationRelations,
+} from '@logto/schemas';
+import { type CommonQueryMethods, sql } from '@silverhand/slonik';
+
+import RelationQueries from '#src/utils/RelationQueries.js';
+import { convertToIdentifiers } from '#src/utils/sql.js';
+
+export class RoleApplicationRelationQueries extends RelationQueries<
+  [typeof Organizations, typeof OrganizationRoles, typeof Applications]
+> {
+  constructor(pool: CommonQueryMethods) {
+    super(
+      pool,
+      OrganizationRoleApplicationRelations.table,
+      Organizations,
+      OrganizationRoles,
+      Applications
+    );
+  }
+
+  /** Replace the roles of an application in an organization. */
+  async replace(organizationId: string, applicationId: string, roleIds: readonly string[]) {
+    const applications = convertToIdentifiers(Applications);
+    const relations = convertToIdentifiers(OrganizationRoleApplicationRelations);
+
+    return this.pool.transaction(async (transaction) => {
+      // Lock application
+      await transaction.query(sql`
+        select 1
+        from ${applications.table}
+        where ${applications.fields.id} = ${applicationId}
+        for update
+      `);
+
+      // Delete old relations
+      await transaction.query(sql`
+        delete from ${relations.table}
+        where ${relations.fields.organizationId} = ${organizationId}
+        and ${relations.fields.applicationId} = ${applicationId}
+      `);
+
+      // Insert new relations
+      if (roleIds.length === 0) {
+        return;
+      }
+
+      await transaction.query(sql`
+        insert into ${relations.table} (
+          ${relations.fields.organizationId},
+          ${relations.fields.applicationId},
+          ${relations.fields.organizationRoleId}
+        )
+        values ${sql.join(
+          roleIds.map((roleId) => sql`(${organizationId}, ${applicationId}, ${roleId})`),
+          sql`, `
+        )}
+      `);
+    });
+  }
+}
diff --git a/packages/core/src/queries/organization/role-user-relations.ts b/packages/core/src/queries/organization/role-user-relations.ts
@@ -83,7 +83,7 @@ export class RoleUserRelationQueries extends RelationQueries<
     return this.pool.transaction(async (transaction) => {
       // Lock user
       await transaction.query(sql`
-        select id
+        select 1
         from ${users.table}
         where ${users.fields.id} = ${userId}
         for update
@@ -92,8 +92,8 @@ export class RoleUserRelationQueries extends RelationQueries<
       // Delete old relations
       await transaction.query(sql`
         delete from ${relations.table}
-        where ${relations.fields.userId} = ${userId}
-        and ${relations.fields.organizationId} = ${organizationId}
+        where ${relations.fields.organizationId} = ${organizationId}
+        and ${relations.fields.userId} = ${userId}
       `);
 
       // Insert new relations
@@ -103,14 +103,14 @@ export class RoleUserRelationQueries extends RelationQueries<
 
       await transaction.query(sql`
         insert into ${relations.table} (
-          ${relations.fields.userId},
           ${relations.fields.organizationId},
+          ${relations.fields.userId},
           ${relations.fields.organizationRoleId}
         )
-         values ${sql.join(
-           roleIds.map((roleId) => sql`(${userId}, ${organizationId}, ${roleId})`),
-           sql`, `
-         )}
+        values ${sql.join(
+          roleIds.map((roleId) => sql`(${organizationId}, ${userId}, ${roleId})`),
+          sql`, `
+        )}
       `);
     });
   }

diff --git a/packages/core/src/routes/organization/index.application-role-relations.ts b/packages/core/src/routes/organization/index.application-role-relations.ts
@@ -0,0 +1,126 @@
+import { OrganizationRoles } from '@logto/schemas';
+import type Router from 'koa-router';
+import { z } from 'zod';
+
+import RequestError from '#src/errors/RequestError/index.js';
+import koaGuard from '#src/middleware/koa-guard.js';
+import { type WithHookContext } from '#src/middleware/koa-management-api-hooks.js';
+import koaPagination from '#src/middleware/koa-pagination.js';
+import type OrganizationQueries from '#src/queries/organization/index.js';
+
+// Consider building a class to handle these relations. See `index.user-role-relations.ts` for more information.
+export default function applicationRoleRelationRoutes(
+  router: Router<unknown, WithHookContext>,
+  organizations: OrganizationQueries
+) {
+  const params = Object.freeze({
+    id: z.string().min(1),
+    applicationId: z.string().min(1),
+  } as const);
+  const pathname = '/:id/applications/:applicationId/roles';
+
+  // The pathname of `.use()` will not match the end of the path, for example:
+  // `.use('/foo', ...)` will match both `/foo` and `/foo/bar`.
+  // See https://github.com/koajs/router/blob/02ad6eedf5ced6ec1eab2138380fd67c63e3f1d7/lib/router.js#L330-L333
+  router.use(pathname, koaGuard({ params: z.object(params) }), async (ctx, next) => {
+    const { id, applicationId } = ctx.guard.params;
+
+    // Ensure membership
+    if (!(await organizations.relations.apps.exists({ organizationId: id, applicationId }))) {
+      throw new RequestError({ code: 'organization.require_membership', status: 422 });
+    }
+
+    return next();
+  });
+
+  router.get(
+    pathname,
+    koaPagination(),
+    koaGuard({
+      params: z.object(params),
+      response: OrganizationRoles.guard.array(),
+      status: [200, 422],
+    }),
+    async (ctx, next) => {
+      const { id, applicationId } = ctx.guard.params;
+
+      const [totalCount, entities] = await organizations.relations.rolesApps.getEntities(
+        OrganizationRoles,
+        {
+          organizationId: id,
+          applicationId,
+        }
+      );
+
+      ctx.pagination.totalCount = totalCount;
+      ctx.body = entities;
+      return next();
+    }
+  );
+
+  router.post(
+    pathname,
+    koaGuard({
+      params: z.object(params),
+      body: z.object({
+        organizationRoleIds: z.string().min(1).array().nonempty(),
+      }),
+      status: [201, 422],
+    }),
+    async (ctx, next) => {
+      const { id, applicationId } = ctx.guard.params;
+      const { organizationRoleIds } = ctx.guard.body;
+
+      await organizations.relations.rolesApps.insert(
+        ...organizationRoleIds.map((organizationRoleId) => ({
+          organizationId: id,
+          applicationId,
+          organizationRoleId,
+        }))
+      );
+
+      ctx.status = 201;
+      return next();
+    }
+  );
+
+  router.put(
+    pathname,
+    koaGuard({
+      params: z.object(params),
+      body: z.object({
+        organizationRoleIds: z.string().min(1).array().nonempty(),
+      }),
+      status: [204, 422],
+    }),
+    async (ctx, next) => {
+      const { id, applicationId } = ctx.guard.params;
+      const { organizationRoleIds } = ctx.guard.body;
+
+      await organizations.relations.rolesApps.replace(id, applicationId, organizationRoleIds);
+
+      ctx.status = 204;
+      return next();
+    }
+  );
+
+  router.delete(
+    `${pathname}/:organizationRoleId`,
+    koaGuard({
+      params: z.object({ ...params, organizationRoleId: z.string().min(1) }),
+      status: [204, 422, 404],
+    }),
+    async (ctx, next) => {
+      const { id, applicationId, organizationRoleId } = ctx.guard.params;
+
+      await organizations.relations.rolesApps.delete({
+        organizationId: id,
+        applicationId,
+        organizationRoleId,
+      });
+
+      ctx.status = 204;
+      return next();
+    }
+  );
+}
diff --git a/packages/core/src/routes/organization/index.applications.openapi.json b/packages/core/src/routes/organization/index.applications.openapi.json
@@ -77,6 +77,81 @@
           }
         }
       }
+    },
+    "/api/organizations/{id}/applications/{applicationId}/roles": {
+      "get": {
+        "summary": "Get organization application roles",
+        "description": "Get roles associated with the application in the organization.",
+        "responses": {
+          "200": {
+            "description": "A list of roles."
+          }
+        }
+      },
+      "post": {
+        "summary": "Add organization application role",
+        "description": "Add a role to the application in the organization.",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "properties": {
+                  "organizationRoleIds": {
+                    "description": "The role ID to add."
+                  }
+                }
+              }
+            }
+          }
+        },
+        "responses": {
+          "201": {
+            "description": "The role was added successfully."
+          },
+          "422": {
+            "description": "The role could not be added. Some of the roles may not exist."
+          }
+        }
+      },
+      "put": {
+        "summary": "Replace organization application roles",
+        "description": "Replace all roles associated with the application in the organization with the given data.",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "properties": {
+                  "organizationRoleIds": {
+                    "description": "An array of role IDs to replace existing roles."
+                  }
+                }
+              }
+            }
+          }
+        },
+        "responses": {
+          "204": {
+            "description": "The roles were replaced successfully."
+          },
+          "422": {
+            "description": "The roles could not be replaced. Some of the roles may not exist."
+          }
+        }
+      }
+    },
+    "/api/organizations/{id}/applications/{applicationId}/roles/{organizationRoleId}": {
+      "delete": {
+        "summary": "Remove organization application role",
+        "description": "Remove a role from the application in the organization.",
+        "responses": {
+          "204": {
+            "description": "The role was removed from the application in the organization successfully."
+          },
+          "422": {
+            "description": "The role could not be removed. The role may not exist."
+          }
+        }
+      }
     }
   }
 }
diff --git a/packages/core/src/routes/organization/index.ts b/packages/core/src/routes/organization/index.ts
@@ -17,6 +17,7 @@ import { parseSearchOptions } from '#src/utils/search.js';
 
 import { type ManagementApiRouter, type RouterInitArgs } from '../types.js';
 
+import applicationRoleRelationRoutes from './index.application-role-relations.js';
 import emailDomainRoutes from './index.jit.email-domains.js';
 import userRoleRelationRoutes from './index.user-role-relations.js';
 import organizationInvitationRoutes from './invitations.js';
@@ -113,6 +114,7 @@ export default function organizationRoutes<T extends ManagementApiRouter>(
     }
   );
 
+  // MARK: Organization - user role relation routes
   router.post(
     '/:id/users/roles',
     koaGuard({
@@ -140,11 +142,14 @@ export default function organizationRoutes<T extends ManagementApiRouter>(
 
   userRoleRelationRoutes(router, organizations);
 
-  // MARK: Organization - application relation routes
   if (EnvSet.values.isDevFeaturesEnabled) {
+    // MARK: Organization - application relation routes
     router.addRelationRoutes(organizations.relations.apps, undefined, {
       hookEvent: 'Organization.Membership.Updated',
     });
+
+    // MARK: Organization - application role relation routes
+    applicationRoleRelationRoutes(router, organizations);
   }
 
   // MARK: Just-in-time provisioning