@adobe/helix-config 3.3.8 → 3.4.0

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+# [3.4.0](https://github.com/adobe/helix-config/compare/v3.3.8...v3.4.0) (2024-07-04)
+
+
+### Features
+
+* add user groups and resolve for admin roles ([#120](https://github.com/adobe/helix-config/issues/120)) ([a325138](https://github.com/adobe/helix-config/commit/a325138650e20ef3bd662e6c3bf163c36ccb9334)), closes [#15](https://github.com/adobe/helix-config/issues/15) [#121](https://github.com/adobe/helix-config/issues/121)
+
 ## [3.3.8](https://github.com/adobe/helix-config/compare/v3.3.7...v3.3.8) (2024-07-02)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-config",
-  "version": "3.3.8",
+  "version": "3.4.0",
   "description": "Helix Config",
   "main": "src/index.js",
   "types": "src/index.d.ts",

package/src/config-view.js

@@ -276,7 +276,12 @@ export async function loadOrgConfig(ctx, org) {
   return res.body ? res.json() : null;
 }
 
-function computeAdminRoles(adminConfig, orgConfig) {
+/**
+ * Computes the access.admin.role arrays for the org users.
+ * @param adminConfig
+ * @param orgConfig
+ */
+function computeOrgAdminRoles(adminConfig, orgConfig) {
   if (orgConfig?.users) {
     // map users[].roles[] to access.admin.role[].email
     const rolesObj = deepGetOrCreate(adminConfig, ['access', 'admin', 'role'], true);
@@ -293,6 +298,50 @@ function computeAdminRoles(adminConfig, orgConfig) {
   }
 }
 
+/**
+ * Extract the email addresses of the users for the given group.
+ * @param groups
+ * @param name
+ */
+function resolveGroup(groups, name) {
+  const users = groups?.[name]?.members ?? [];
+  return users.map((user) => user.email);
+}
+
+/**
+ * Compute the access.admin.role arrays for the admin config. Resolves site and org groups.
+ * @param admin
+ * @param configGroups
+ * @param orgGroups
+ */
+function computeSiteAdminRoles(admin, configGroups = {}, orgGroups = {}) {
+  if (!admin.role) {
+    return admin;
+  }
+  const roles = {};
+  for (const [roleName, role] of Object.entries(admin.role)) {
+    const users = new Set();
+    for (const /* @type string */ entry of role) {
+      if (entry.indexOf('@') > 0) {
+        users.add(entry);
+      } else if (entry.startsWith('groups/') && entry.endsWith('.json')) {
+        for (const email of resolveGroup(configGroups, entry.substring(7, entry.length - 5))) {
+          users.add(email);
+        }
+      } else if (entry.startsWith('/groups/')) {
+        for (const email of resolveGroup(orgGroups, entry.substring(8, entry.length - 5))) {
+          users.add(email);
+        }
+      }
+    }
+    roles[roleName] = Array.from(users);
+  }
+  return {
+    ...admin,
+    role: roles,
+  };
+}
+
 export async function getConfigResponse(ctx, opts) {
   const {
     ref, site, org, scope,
@@ -338,7 +387,7 @@ export async function getConfigResponse(ctx, opts) {
       // access.require.repository ?
     };
     if (opts.scope === SCOPE_ADMIN || opts.scope === SCOPE_RAW) {
-      config.access.admin = admin;
+      config.access.admin = computeSiteAdminRoles(admin, config.groups, orgConfig.groups);
     }
   }
 
@@ -384,11 +433,11 @@ export async function getConfigResponse(ctx, opts) {
       ...config,
       content: {
         ...config.content,
-        ...config.content.source,
       },
     };
     delete adminConfig.public;
     delete adminConfig.robots;
+    delete adminConfig.groups;
     return new PipelineResponse(JSON.stringify(adminConfig, null, 2), {
       headers: {
         'content-type': 'application/json',
@@ -478,9 +527,10 @@ export async function getOrgConfigResponse(ctx, opts) {
     ...orgConfig,
   };
 
-  computeAdminRoles(adminConfig, orgConfig);
+  computeOrgAdminRoles(adminConfig, orgConfig);
   delete adminConfig.tokens;
   delete adminConfig.users;
+  delete adminConfig.groups;
   return new PipelineResponse(JSON.stringify(adminConfig, null, 2), {
     headers: {
       'content-type': 'application/json',

package/src/schemas/access-admin.schema.json

@@ -20,7 +20,7 @@
       "type": "object",
       "patternProperties": {
         "^[a-z-_]+$": {
-          "description": "The email glob of the users with respective role.",
+          "description": "The email glob of the users or a group reference for the respective role.",
           "type": "array",
           "items": {"type": "string"}
         }

package/src/schemas/groups.schema.cjs

@@ -0,0 +1,12 @@
+/*
+ * Copyright 2024 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+module.exports = require('./groups.schema.json');

package/src/schemas/groups.schema.json

@@ -0,0 +1,49 @@
+{
+  "meta:license": [
+    "Copyright 2024 Adobe. All rights reserved.",
+    "This file is licensed to you under the Apache License, Version 2.0 (the \"License\");",
+    "you may not use this file except in compliance with the License. You may obtain a copy",
+    "of the License at http://www.apache.org/licenses/LICENSE-2.0",
+    "",
+    "Unless required by applicable law or agreed to in writing, software distributed under",
+    "the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS",
+    "OF ANY KIND, either express or implied. See the License for the specific language",
+    "governing permissions and limitations under the License."
+  ],
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://ns.adobe.com/helix/config/groups",
+  "type": "object",
+  "title": "Groups",
+  "patternProperties": {
+    "^[a-zA-Z0-9-_=]+$": {
+      "type": "object",
+      "title": "Group",
+      "description": "A group of members. Can be referenced in access.admin.role.",
+      "properties": {
+        "members": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "email": {
+                "type": "string",
+                "format": "email"
+              },
+              "name": {
+                "type": "string"
+              }
+            },
+            "required": [
+              "email"
+            ]
+          }
+        }
+      },
+      "additionalProperties": false,
+      "required": [
+        "members"
+      ]
+    }
+  },
+  "additionalProperties": false
+}

package/src/schemas/org.schema.json

@@ -27,6 +27,9 @@
     },
     "users": {
       "$ref": "https://ns.adobe.com/helix/config/users"
+    },
+    "groups": {
+      "$ref": "https://ns.adobe.com/helix/config/groups"
     }
   },
   "required": [

package/src/schemas/site.schema.json

@@ -46,6 +46,9 @@
     "access": {
       "$ref": "https://ns.adobe.com/helix/config/access"
     },
+    "groups": {
+      "$ref": "https://ns.adobe.com/helix/config/groups"
+    },
     "sidekick": {
       "$ref": "https://ns.adobe.com/helix/config/sidekick"
     },

package/src/storage/config-store.js

@@ -49,6 +49,13 @@ const FRAGMENTS = {
   sites: {
     ...FRAGMENTS_COMMON,
     extends: 'object',
+    groups: {
+      '.': 'object',
+      '.param': {
+        '.': 'object',
+        members: 'object',
+      },
+    },
   },
   profiles: FRAGMENTS_COMMON,
   org: {
@@ -66,6 +73,13 @@ const FRAGMENTS = {
         '.': 'user',
       },
     },
+    groups: {
+      '.': 'object',
+      '.param': {
+        '.': 'object',
+        members: 'object',
+      },
+    },
   },
 };
 
@@ -218,7 +232,7 @@ export class ConfigStore {
     if (frag) {
       obj = deepGetOrCreate(obj, frag.relPath);
     }
-    return redact(obj, frag);
+    return redact(obj, frag) ?? null;
   }
 
   async update(ctx, data, relPath = '') {

package/src/storage/config-validator.js

@@ -21,6 +21,7 @@ import commonSchema from '../schemas/common.schema.cjs';
 import codeSchema from '../schemas/code.schema.cjs';
 import contentSchema from '../schemas/content.schema.cjs';
 import foldersSchema from '../schemas/folders.schema.cjs';
+import groupsSchema from '../schemas/groups.schema.cjs';
 import googleSchema from '../schemas/content-source-google.schema.cjs';
 import headersSchema from '../schemas/headers.schema.cjs';
 import markupSchema from '../schemas/content-source-markup.schema.cjs';
@@ -48,6 +49,7 @@ export const SCHEMAS = [
   codeSchema,
   foldersSchema,
   googleSchema,
+  groupsSchema,
   headersSchema,
   markupSchema,
   metadataSchema,

package/src/utils.js

@@ -21,18 +21,23 @@
  */
 export function deepGetOrCreate(obj, path, create = false) {
   const parts = Array.isArray(path) ? path : path.split('/');
-  return parts.reduce((o, prop) => {
+  let o = obj;
+  for (const prop of parts) {
     if (Array.isArray(o)) {
       // todo: better support for arrays
-      return o.find((e) => e.id === prop);
+      o = o.find((e) => e.id === prop);
+    } else if (typeof o !== 'object') {
+      return undefined;
+    } else if (prop in o) {
+      o = o[prop];
+    } else if (create) {
+      // eslint-disable-next-line no-multi-assign
+      o = o[prop] = {};
     } else {
-      if (create && !(prop in o)) {
-        // eslint-disable-next-line no-param-reassign
-        o[prop] = {};
-      }
-      return o[prop];
+      return undefined;
     }
-  }, obj);
+  }
+  return o;
 }
 
 /**

package/types/org-config.d.ts

@@ -26,6 +26,7 @@ export interface HelixOrgConfig {
   description?: string;
   tokens?: Tokens;
   users?: Users;
+  groups?: Groups;
 }
 export interface Tokens {
   /**
@@ -44,3 +45,19 @@ export interface HttpsNsAdobeComHelixConfigUser {
   name?: string;
   roles: ('admin' | 'author' | 'publish' | 'config')[];
 }
+export interface Groups {
+  [k: string]: Group;
+}
+/**
+ * A group of members. Can be referenced in access.admin.role.
+ *
+ * This interface was referenced by `Groups`'s JSON-Schema definition
+ * via the `patternProperty` "^[a-zA-Z0-9-_=]+$".
+ */
+export interface Group {
+  members: {
+    email: string;
+    name?: string;
+    [k: string]: unknown;
+  }[];
+}

package/types/site-config.d.ts

@@ -32,6 +32,7 @@ export interface HelixSiteConfig {
   headers?: HelixHeadersConfig;
   cdn?: CDNConfig;
   access?: Access;
+  groups?: Groups;
   sidekick?: SidekickConfig;
   metadata?: Metadata;
   robots?: Robots;
@@ -252,6 +253,22 @@ export interface SiteAccessConfig {
    */
   clientCertDN?: string[];
 }
+export interface Groups {
+  [k: string]: Group;
+}
+/**
+ * A group of members. Can be referenced in access.admin.role.
+ *
+ * This interface was referenced by `Groups`'s JSON-Schema definition
+ * via the `patternProperty` "^[a-zA-Z0-9-_=]+$".
+ */
+export interface Group {
+  members: {
+    email: string;
+    name?: string;
+    [k: string]: unknown;
+  }[];
+}
 export interface SidekickConfig {
   plugins?: SidekickPlugin[];
   [k: string]: unknown;