diff --git a/packages/services/api/src/modules/auth/lib/legacy-permissions.ts b/packages/services/api/src/modules/auth/lib/legacy-permissions.ts
index e2f361ebf5..123ba5b44c 100644
--- a/packages/services/api/src/modules/auth/lib/legacy-permissions.ts
+++ b/packages/services/api/src/modules/auth/lib/legacy-permissions.ts
@@ -15,26 +15,10 @@ export function transformLegacyPolicies(
 const policies: Array = [];
 for (const scope of scopes) {
 switch (scope) {
- case OrganizationAccessScope.READ: {
- policies.push({
- effect: 'allow',
- action: ['organization:view'],
- resource: [`hrn:${organizationId}:*`],
- });
- break;
- }
- case OrganizationAccessScope.DELETE: {
- policies.push({
- effect: 'allow',
- action: ['organization:delete'],
- resource: [`hrn:${organizationId}:*`],
- });
- break;
- }
 case OrganizationAccessScope.SETTINGS: {
 policies.push({
 effect: 'allow',
- action: ['organization:settings'],
+ action: ['organization:updateSlug'],
 resource: [`hrn:${organizationId}:*`],
 });
 break;
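Review bot: `OrganizationAccessScope.READ` and `OrganizationAccessScope.DELETE` no longer match any case and the `switch` has no `default`, so a member holding either legacy scope now silently receives no policy from this loop; the same applies to every `ProjectAccessScope` and `TargetAccessScope` value dropped in the next hunk. If those scopes are deliberately translated elsewhere, a `default:` branch saying so keeps the omission auditable, for example `default: // legacy scope has no counterpart in the new action model; intentionally yields no policy` followed by `break;`; if they are not, this is a permission regression rather than a cleanup and deserves a test asserting the expected policy set per legacy scope. Note also that `OrganizationAccessScope.SETTINGS` now yields only `organization:updateSlug`, which is narrower than the `organization:settings` action it replaces, so confirm no other settings capability depended on that scope. `transformLegacyPolicies` begins before the hunk and continues past it.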
@@ -42,99 +26,11 @@ export function transformLegacyPolicies(
 case OrganizationAccessScope.INTEGRATIONS: {
 policies.push({
 effect: 'allow',
- action: ['organization:integrations'],
- resource: [`hrn:${organizationId}:*`],
- });
- break;
- }
- case OrganizationAccessScope.MEMBERS: {
- policies.push({
- effect: 'allow',
- action: ['organization:members'],
+ action: ['oidc:modify'],
 resource: [`hrn:${organizationId}:*`],
 });
 break;
 }
- case ProjectAccessScope.READ: {
- policies.push({
- effect: 'allow',
- action: ['project:view'],
- resource: [`hrn:${organizationId}:project:${projectId}`],
- });
- break;
- }
- case ProjectAccessScope.DELETE: {
- policies.push({
- effect: 'allow',
- action: ['project:view'],
- resource: [`hrn:${organizationId}:project:${projectId}`],
- });
- break;
- }
- case ProjectAccessScope.SETTINGS: {
- policies.push({
- effect: 'allow',
- action: ['project:settings'],
- resource: [`hrn:${organizationId}:project:${projectId}`],
- });
- break;
- }
- case ProjectAccessScope.ALERTS: {
- policies.push({
- effect: 'allow',
- action: ['project:alerts'],
- resource: [`hrn:${organizationId}:project:${projectId}`],
- });
- break;
- }
- case ProjectAccessScope.OPERATIONS_STORE_READ:
- case ProjectAccessScope.OPERATIONS_STORE_WRITE:
- // not used right now
- continue;
- case TargetAccessScope.READ: {
- policies.push({
- effect: 'allow',
- action: ['target:view'],
- resource: [`hrn:${organizationId}:target:${targetId}`],
- });
- break;
- }
- case TargetAccessScope.DELETE: {
- policies.push({
- effect: 'allow',
- action: ['target:delete'],
- resource: [`hrn:${organizationId}:target:${targetId}`],
- });
- break;
- }
- case TargetAccessScope.SETTINGS: {
- policies.push({
- effect: 'allow',
- action: ['target:settings'],
- resource: [`hrn:${organizationId}:target:${targetId}`],
- });
- break;
- }
- case TargetAccessScope.REGISTRY_READ: {
- policies.push({
- effect: 'allow',
- action: ['usage:view'],
- resource: [`hrn:${organizationId}:target:${targetId}`],
- });
- break;
- }
- case TargetAccessScope.REGISTRY_WRITE: {
- policies.push({
- effect: 'allow',
- action: ['usage:report'],
- resource: [`hrn:${organizationId}:target:${targetId}`],
- });
- break;
- }
- case TargetAccessScope.TOKENS_READ:
- case TargetAccessScope.TOKENS_WRITE:
- // not implemented right now
- continue;
 }
 }
diff --git a/packages/services/api/src/modules/oidc-integrations/providers/oidc-integrations.provider.ts b/packages/services/api/src/modules/oidc-integrations/providers/oidc-integrations.provider.ts
index 1b8f60f94c..08f2440113 100644
--- a/packages/services/api/src/modules/oidc-integrations/providers/oidc-integrations.provider.ts
+++ b/packages/services/api/src/modules/oidc-integrations/providers/oidc-integrations.provider.ts
@@ -2,8 +2,7 @@ import { Inject, Injectable, Scope } from 'graphql-modules';
 import zod from 'zod';
 import { OIDCIntegration } from '../../../shared/entities';
 import { HiveError } from '../../../shared/errors';
-import { AuthManager } from '../../auth/providers/auth-manager';
-import { OrganizationAccessScope } from '../../auth/providers/organization-access';
+import { Session } from '../../auth/lib/authz';
 import { CryptoProvider } from '../../shared/providers/crypto';
 import { Logger } from '../../shared/providers/logger';
 import { PUB_SUB_CONFIG, type HivePubSub } from '../../shared/providers/pub-sub';
@@ -20,10 +19,10 @@ export class OIDCIntegrationsProvider {
 constructor(
 logger: Logger,
 private storage: Storage,
- private authManager: AuthManager,
 private crypto: CryptoProvider,
 @Inject(PUB_SUB_CONFIG) private pubSub: HivePubSub,
 @Inject(OIDC_INTEGRATIONS_ENABLED) private enabled: boolean,
+ private session: Session,
 ) {
 this.logger = logger.child({ source: 'OIDCIntegrationsProvider' });
 }
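Review bot: With every `ProjectAccessScope` and `TargetAccessScope` case removed, the only references to `projectId` and `targetId` in this hunk were inside the deleted `resource` templates, so the matching parameters of `transformLegacyPolicies` and the `ProjectAccessScope`/`TargetAccessScope` imports are probably now unused. The signature and the import block sit outside the hunk, so please verify and either drop them or keep them with a comment explaining why callers still pass them; otherwise unused-parameter linting will flag this file. The function body continues past the two closing `}` lines that end the hunk.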
@@ -38,9 +37,12 @@ export class OIDCIntegrationsProvider {
 }
 try {
- await this.authManager.ensureOrganizationAccess({
- organization: organizationId,
- scope: OrganizationAccessScope.INTEGRATIONS,
+ await this.session.assertPerformAction({
+ organizationId,
+ action: 'oidc:modify',
+ params: {
+ organizationId,
+ },
 });
 return true;
 } catch {
@@ -60,9 +62,12 @@ export class OIDCIntegrationsProvider {
 return null;
 }
- await this.authManager.ensureOrganizationAccess({
- organization: args.organizationId,
- scope: OrganizationAccessScope.INTEGRATIONS,
+ await this.session.assertPerformAction({
+ organizationId: args.organizationId,
+ action: 'oidc:modify',
+ params: {
+ organizationId: args.organizationId,
+ },
 });
 return await this.storage.getOIDCIntegrationForOrganization({
@@ -90,9 +95,12 @@ export class OIDCIntegrationsProvider {
 } as const;
 }
- await this.authManager.ensureOrganizationAccess({
- organization: args.organizationId,
- scope: OrganizationAccessScope.INTEGRATIONS,
+ await this.session.assertPerformAction({
+ organizationId: args.organizationId,
+ action: 'oidc:modify',
+ params: {
+ organizationId: args.organizationId,
+ },
 });
 const organization = await this.storage.getOrganization({ organization: args.organizationId });
@@ -192,9 +200,12 @@ export class OIDCIntegrationsProvider {
 } as const;
 }
- await this.authManager.ensureOrganizationAccess({
- organization: integration.linkedOrganizationId,
- scope: OrganizationAccessScope.INTEGRATIONS,
+ await this.session.assertPerformAction({
+ action: 'oidc:modify',
+ organizationId: integration.linkedOrganizationId,
+ params: {
+ organizationId: integration.linkedOrganizationId,
+ },
 });
 const clientIdResult = maybe(OIDCIntegrationClientIdModel).safeParse(args.clientId);
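Review bot: The new `assertPerformAction` call sits inside the pre-existing bare `catch`, so every failure it raises — a permission denial, but equally a session-resolution or storage error — is reported as "no access". Failing closed is the right default for this predicate, but if `assertPerformAction` signals denial with a dedicated error class (its name is not visible in this diff), rethrowing anything that is not that class would keep infrastructure faults from being misread as an authorization decision and hidden from operators. A one-line comment above the call, `// any throw here is treated as "not permitted"; non-authz errors are deliberately swallowed`, would at least make the current behaviour explicit. The enclosing method begins and ends outside the hunk.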
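Review bot: In the hunk at `-60` the guarded operation is a read (`getOIDCIntegrationForOrganization`), yet it now requires `oidc:modify`; the log subscription in the hunk at `-346` is gated the same way. The old `OrganizationAccessScope.INTEGRATIONS` scope was equally coarse, so nothing is loosened, but the action name now states an intent the code does not have, and a later reader may assume view-only roles are excluded by design rather than by the absence of a finer action. A comment such as `// read path: no separate oidc:view action exists, so modify permission is required to view` above the call records the decision, and if the authz model does provide a read action this is the place to use it. The method begins and ends outside the hunk.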
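Review bot: In the hunk at `-192` the object literal lists `action` before `organizationId`, while every other `assertPerformAction` call in this commit puts `organizationId` first; reorder to `organizationId: integration.linkedOrganizationId,` followed by `action: 'oidc:modify',` so the seven call sites read alike and a search for the pattern matches all of them. The enclosing method begins and ends outside the hunk.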
@@ -269,9 +280,12 @@ export class OIDCIntegrationsProvider {
 } as const;
 }
- await this.authManager.ensureOrganizationAccess({
- organization: integration.linkedOrganizationId,
- scope: OrganizationAccessScope.INTEGRATIONS,
+ await this.session.assertPerformAction({
+ organizationId: integration.linkedOrganizationId,
+ action: 'oidc:modify',
+ params: {
+ organizationId: integration.linkedOrganizationId,
+ },
 });
 await this.storage.deleteOIDCIntegration(args);
@@ -301,9 +315,12 @@ export class OIDCIntegrationsProvider {
 } as const;
 }
- await this.authManager.ensureOrganizationAccess({
- organization: oidcIntegration.linkedOrganizationId,
- scope: OrganizationAccessScope.INTEGRATIONS,
+ await this.session.assertPerformAction({
+ organizationId: oidcIntegration.linkedOrganizationId,
+ action: 'oidc:modify',
+ params: {
+ organizationId: oidcIntegration.linkedOrganizationId,
+ },
 });
 return {
@@ -346,9 +363,12 @@ export class OIDCIntegrationsProvider {
 throw new HiveError('Integration not found.');
 }
- await this.authManager.ensureOrganizationAccess({
- organization: integration.linkedOrganizationId,
- scope: OrganizationAccessScope.INTEGRATIONS,
+ await this.session.assertPerformAction({
+ organizationId: integration.linkedOrganizationId,
+ action: 'oidc:modify',
+ params: {
+ organizationId: integration.linkedOrganizationId,
+ },
 });
 return this.pubSub.subscribe('oidcIntegrationLogs', integration.id);
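Review bot: In the hunk at `-346` the permission check runs once, before `this.pubSub.subscribe('oidcIntegrationLogs', integration.id)`, and the subscription it returns presumably stays open afterwards, so if `oidc:modify` is later revoked from the caller, log events keep flowing until the client disconnects. That is unchanged from the `ensureOrganizationAccess` version, but it is worth recording next to the call, e.g. `// authorization is evaluated once at subscribe time; revocation does not close an open subscription`, and, if the pub-sub layer offers a hook for it, re-checking on reconnect. The method begins and ends outside the hunk.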