Revoke FGA roles (#5139)

ruggi · web-flow · commit 4705e45953ea · 2024-03-28T16:37:01.000+01:00
* revoke relations

* tests

* add comment

* restore
diff --git a/utopia-remix/app/models/projectAccessRequest.server.spec.ts b/utopia-remix/app/models/projectAccessRequest.server.spec.ts
@@ -2,15 +2,17 @@ import { prisma } from '../db.server'
 import {
   createTestProject,
   createTestProjectAccessRequest,
+  createTestProjectCollaborator,
   createTestUser,
   truncateTables,
 } from '../test-util'
-import { AccessRequestStatus } from '../types'
+import { AccessRequestStatus, UserProjectRole } from '../types'
 import {
   createAccessRequest,
   listProjectAccessRequests,
   updateAccessRequestStatus,
 } from './projectAccessRequest.server'
+import * as permissionsService from '../services/permissionsService.server'
 
 describe('projectAccessRequest', () => {
   describe('createAccessRequest', () => {
@@ -78,6 +80,9 @@ describe('projectAccessRequest', () => {
   })
 
   describe('updateAccessRequestStatus', () => {
+    let revokeAllRolesFromUserMock: jest.SpyInstance
+    let grantProjectRoleToUserMock: jest.SpyInstance
+
     afterEach(async () => {
       await truncateTables([
         prisma.projectID,
@@ -86,13 +91,19 @@ describe('projectAccessRequest', () => {
         prisma.project,
         prisma.userDetails,
       ])
+
+      revokeAllRolesFromUserMock.mockRestore()
+      grantProjectRoleToUserMock.mockRestore()
     })
     beforeEach(async () => {
       await createTestUser(prisma, { id: 'bob' })
       await createTestUser(prisma, { id: 'alice' })
       await createTestUser(prisma, { id: 'that-guy' })
       await createTestProject(prisma, { id: 'one', ownerId: 'bob' })
       await createTestProject(prisma, { id: 'two', ownerId: 'alice' })
+
+      revokeAllRolesFromUserMock = jest.spyOn(permissionsService, 'revokeAllRolesFromUser')
+      grantProjectRoleToUserMock = jest.spyOn(permissionsService, 'grantProjectRoleToUser')
     })
     it('requires an existing project', async () => {
       const fn = async () =>
@@ -171,6 +182,39 @@ describe('projectAccessRequest', () => {
       const collabs = await prisma.projectCollaborator.findMany({ where: { project_id: 'one' } })
       expect(collabs.length).toBe(1)
       expect(collabs[0].user_id).toBe('alice')
+
+      expect(grantProjectRoleToUserMock).toHaveBeenCalledWith(
+        'one',
+        'alice',
+        UserProjectRole.VIEWER,
+      )
+      expect(revokeAllRolesFromUserMock).not.toHaveBeenCalled()
+    })
+    it('removes the user from the collaborators if rejected', async () => {
+      await createTestProjectCollaborator(prisma, { projectId: 'one', userId: 'alice' })
+      const existingCollabs = await prisma.projectCollaborator.findMany({
+        where: { project_id: 'one' },
+      })
+      expect(existingCollabs.length).toBe(1)
+
+      await createTestProjectAccessRequest(prisma, {
+        projectId: 'one',
+        userId: 'alice',
+        token: 'something',
+        status: AccessRequestStatus.PENDING,
+      })
+      await updateAccessRequestStatus({
+        projectId: 'one',
+        ownerId: 'bob',
+        token: 'something',
+        status: AccessRequestStatus.REJECTED,
+      })
+
+      const collabs = await prisma.projectCollaborator.findMany({ where: { project_id: 'one' } })
+      expect(collabs.length).toBe(0)
+
+      expect(grantProjectRoleToUserMock).not.toHaveBeenCalled()
+      expect(revokeAllRolesFromUserMock).toHaveBeenCalledWith('one', 'alice')
     })
   })
 
@@ -199,7 +243,7 @@ describe('projectAccessRequest', () => {
       await createTestProjectAccessRequest(prisma, {
         userId: 'p1',
         projectId: 'two',
-        status: AccessRequestStatus.APPROVED,
+        status: AccessRequestStatus.REJECTED,
         token: 'test1',
       })
       await createTestProjectAccessRequest(prisma, {
diff --git a/utopia-remix/app/models/projectAccessRequest.server.ts b/utopia-remix/app/models/projectAccessRequest.server.ts
@@ -5,7 +5,11 @@ import { ensure } from '../util/api.server'
 import { Status } from '../util/statusCodes'
 import type { ProjectAccessRequestWithUserDetails } from '../types'
 import { AccessRequestStatus, UserProjectRole } from '../types'
-import { addToProjectCollaboratorsWithRunner } from './projectCollaborators.server'
+import {
+  addToProjectCollaboratorsWithRunner,
+  removeFromProjectCollaboratorsWithRunner,
+} from './projectCollaborators.server'
+import { assertNever } from '../util/assertNever'
 
 function makeRequestToken(): string {
   return uuid.v4()
@@ -84,19 +88,32 @@ export async function updateAccessRequestStatus(params: {
       },
     })
 
-    // …finally, grant the role.
-    if (params.status === AccessRequestStatus.APPROVED) {
-      await addToProjectCollaboratorsWithRunner(tx, {
-        projectId: params.projectId,
-        userId: request.user_id,
-      })
-      await permissionsService.grantProjectRoleToUser(
-        params.projectId,
-        request.user_id,
-        UserProjectRole.VIEWER,
-      )
+    // …finally, update FGA permissions
+    switch (params.status) {
+      case AccessRequestStatus.APPROVED:
+        await addToProjectCollaboratorsWithRunner(tx, {
+          projectId: params.projectId,
+          userId: request.user_id,
+        })
+        await permissionsService.grantProjectRoleToUser(
+          params.projectId,
+          request.user_id,
+          UserProjectRole.VIEWER,
+        )
+        break
+      case AccessRequestStatus.REJECTED:
+        await removeFromProjectCollaboratorsWithRunner(tx, {
+          projectId: params.projectId,
+          userId: request.user_id,
+        })
+        await permissionsService.revokeAllRolesFromUser(params.projectId, request.user_id)
+        break
+      case AccessRequestStatus.PENDING:
+        // do nothing
+        break
+      default:
+        assertNever(params.status)
     }
-    // NOTE (ruggi): there should be a way to revoke the permission if the request is REJECTED (TODO)
   })
 }
 
diff --git a/utopia-remix/app/models/projectCollaborators.server.spec.ts b/utopia-remix/app/models/projectCollaborators.server.spec.ts
@@ -9,6 +9,7 @@ import {
   getCollaborators,
   addToProjectCollaborators,
   listProjectCollaborators,
+  removeFromProjectCollaborators,
 } from './projectCollaborators.server'
 
 describe('projectCollaborators model', () => {
@@ -112,6 +113,43 @@ describe('projectCollaborators model', () => {
     })
   })
 
+  describe('removeFromProjectCollaborators', () => {
+    beforeEach(async () => {
+      await createTestUser(prisma, { id: 'bob' })
+      await createTestUser(prisma, { id: 'alice' })
+      await createTestProject(prisma, { id: 'one', ownerId: 'bob' })
+      await createTestProject(prisma, { id: 'two', ownerId: 'alice' })
+      await createTestProject(prisma, { id: 'three', ownerId: 'bob' })
+      await createTestProjectCollaborator(prisma, { projectId: 'one', userId: 'bob' })
+      await createTestProjectCollaborator(prisma, { projectId: 'two', userId: 'alice' })
+      await createTestProjectCollaborator(prisma, { projectId: 'two', userId: 'bob' })
+    })
+
+    it('errors if the project is not found', async () => {
+      const removed = await removeFromProjectCollaborators({ projectId: 'WRONG', userId: 'alice' })
+      expect(removed.count).toBe(0)
+    })
+    it('does nothing if the user is not found', async () => {
+      const removed = await removeFromProjectCollaborators({ projectId: 'one', userId: 'alice' })
+      expect(removed.count).toBe(0)
+
+      const collaborators = await prisma.projectCollaborator.findMany({
+        where: { project_id: 'one' },
+      })
+      expect(collaborators.map((p) => p.user_id)).toEqual(['bob'])
+    })
+    it('removes the user from the collaborators if present', async () => {
+      const removed = await removeFromProjectCollaborators({ projectId: 'two', userId: 'bob' })
+      expect(removed.count).toBe(1)
+
+      let collaborators = await prisma.projectCollaborator.findMany({
+        where: { project_id: 'two' },
+        orderBy: { id: 'asc' },
+      })
+      expect(collaborators.map((p) => p.user_id)).toEqual(['alice'])
+    })
+  })
+
   describe('listProjectCollaborators', () => {
     beforeEach(async () => {
       await createTestUser(prisma, { id: 'bob' })
diff --git a/utopia-remix/app/models/projectCollaborators.server.ts b/utopia-remix/app/models/projectCollaborators.server.ts
@@ -1,8 +1,9 @@
-import type { UserDetails } from 'prisma-client'
+import type { ProjectCollaborator, UserDetails } from 'prisma-client'
 import type { UtopiaPrismaClient } from '../db.server'
 import { prisma } from '../db.server'
 import type { CollaboratorsByProject } from '../types'
 import { userToCollaborator } from '../types'
+import type { GetBatchResult } from 'prisma-client/runtime/library.js'
 
 export async function getCollaborators(params: {
   ids: string[]
@@ -48,6 +49,26 @@ export async function addToProjectCollaboratorsWithRunner(
   })
 }
 
+export async function removeFromProjectCollaborators(params: {
+  projectId: string
+  userId: string
+}): Promise<GetBatchResult> {
+  return removeFromProjectCollaboratorsWithRunner(prisma, params)
+}
+
+export async function removeFromProjectCollaboratorsWithRunner(
+  runner: Pick<UtopiaPrismaClient, 'projectCollaborator'>,
+  params: { projectId: string; userId: string },
+) {
+  // using delete many so not to explode if the record is not found
+  return await runner.projectCollaborator.deleteMany({
+    where: {
+      user_id: params.userId,
+      project_id: params.projectId,
+    },
+  })
+}
+
 export async function listProjectCollaborators(params: { id: string }): Promise<UserDetails[]> {
   const collaborators = await prisma.projectCollaborator.findMany({
     where: { project_id: params.id },
diff --git a/utopia-remix/app/services/fgaService.server.ts b/utopia-remix/app/services/fgaService.server.ts
@@ -162,3 +162,13 @@ function accessLevelToFgaWrites(projectId: string, accessLevel: AccessLevel): Cl
       assertNever(accessLevel)
   }
 }
+
+export async function revokeRelations(projectId: string, userId: string, relations: string[]) {
+  return await Promise.all(
+    relations.map((relation) =>
+      fgaClient.write({
+        deletes: [{ user: `user:${userId}`, relation: relation, object: `project:${projectId}` }],
+      }),
+    ),
+  )
+}
diff --git a/utopia-remix/app/services/permissionsService.server.ts b/utopia-remix/app/services/permissionsService.server.ts
@@ -73,3 +73,12 @@ export async function grantProjectRoleToUser(
       assertNever(role)
   }
 }
+
+export async function revokeAllRolesFromUser(projectId: string, userId: string) {
+  return await fgaService.revokeRelations(projectId, userId, [
+    'viewer',
+    'collaborator',
+    'editor',
+    'admin',
+  ])
+}

Original file line number	Diff line number	Diff line change
`@@ -162,3 +162,13 @@ function accessLevelToFgaWrites(projectId: string, accessLevel: AccessLevel): Cl`
`162`	`162`	`assertNever(accessLevel)`
`163`	`163`	`}`
`164`	`164`	`}`
	`165`	`+`
	`166`	`+export async function revokeRelations(projectId: string, userId: string, relations: string[]) {`
	`167`	`+ return await Promise.all(`
	`168`	`+ relations.map((relation) =>`
	`169`	`+ fgaClient.write({`
	`170`	+ deletes: [{ user: `user:${userId}`, relation: relation, object: `project:${projectId}` }],
	`171`	`+ }),`
	`172`	`+ ),`
	`173`	`+ )`
	`174`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -73,3 +73,12 @@ export async function grantProjectRoleToUser(`
`73`	`73`	`assertNever(role)`
`74`	`74`	`}`
`75`	`75`	`}`
	`76`	`+`
	`77`	`+export async function revokeAllRolesFromUser(projectId: string, userId: string) {`
	`78`	`+ return await fgaService.revokeRelations(projectId, userId, [`
	`79`	`+ 'viewer',`
	`80`	`+ 'collaborator',`
	`81`	`+ 'editor',`
	`82`	`+ 'admin',`
	`83`	`+ ])`
	`84`	`+}`