@aifabrix/builder 2.44.5 → 2.45.0

package/lib/commands/repair-rbac-extract.js

@@ -0,0 +1,27 @@
+/**
+ * Shared RBAC extraction from external system JSON (repair / merge).
+ *
+ * @fileoverview extractRbacFromSystem for repair-rbac and migrate
+ * @author AI Fabrix Team
+ * @version 1.0.0
+ */
+
+'use strict';
+
+/**
+ * Extracts roles and permissions from external system JSON for rbac.yaml (same rules as repair).
+ * @param {Object} system - Parsed system config
+ * @returns {Object|null} RBAC object or null
+ */
+function extractRbacFromSystem(system) {
+  if (!system || typeof system !== 'object') return null;
+  const hasRoles = system.roles && Array.isArray(system.roles) && system.roles.length > 0;
+  const hasPermissions = system.permissions && Array.isArray(system.permissions) && system.permissions.length > 0;
+  if (!hasRoles && !hasPermissions) return null;
+  const rbac = {};
+  if (hasRoles) rbac.roles = system.roles;
+  if (hasPermissions) rbac.permissions = system.permissions;
+  return rbac;
+}
+
+module.exports = { extractRbacFromSystem };

package/lib/commands/repair-rbac-migrate.js

@@ -0,0 +1,186 @@
+/**
+ * Moves roles/permissions from *-system.{json,yaml} into rbac.{yaml,json} when both exist.
+ *
+ * @fileoverview migrateSystemRbacIntoRbacFile
+ * @author AI Fabrix Team
+ * @version 1.0.0
+ */
+
+'use strict';
+
+const appConfigResolver = require('../utils/app-config-resolver');
+const { loadConfigFile, writeConfigFile } = require('../utils/config-format');
+const { backupIntegrationFile } = require('../utils/integration-file-backup');
+const extractModule = require('./repair-rbac-extract');
+
+function _safeString(v) {
+  return typeof v === 'string' && v.trim() ? v.trim() : '';
+}
+
+/**
+ * Merges roles from source into target; dedupes by role.value.
+ * @param {Object[]} targetRoles - rbac.roles (mutated)
+ * @param {Object[]} sourceRoles - roles to merge in
+ * @returns {boolean} True if targetRoles changed
+ */
+function _mergeRoleObjectsInto(targetRoles, sourceRoles) {
+  if (!Array.isArray(sourceRoles) || sourceRoles.length === 0) return false;
+  const seen = new Set(
+    (targetRoles || []).map(r => _safeString(r?.value)).filter(Boolean)
+  );
+  let updated = false;
+  for (const r of sourceRoles) {
+    if (!r || typeof r !== 'object') continue;
+    const value = _safeString(r.value);
+    if (!value || seen.has(value)) continue;
+    targetRoles.push({
+      name: r.name,
+      value: r.value,
+      description: r.description,
+      groups: Array.isArray(r.groups) ? [...r.groups] : []
+    });
+    seen.add(value);
+    updated = true;
+  }
+  return updated;
+}
+
+/**
+ * @param {unknown[]} existingRoles - roles already on permission
+ * @param {unknown[]} incomingRoles - roles from merged permission
+ * @returns {string[]|null} New roles array if union added roles
+ */
+function _unionPermissionRoleSets(existingRoles, incomingRoles) {
+  const a = new Set(Array.isArray(existingRoles) ? existingRoles : []);
+  let unionChanged = false;
+  for (const rv of incomingRoles || []) {
+    if (typeof rv === 'string' && rv.trim() && !a.has(rv)) {
+      a.add(rv);
+      unionChanged = true;
+    }
+  }
+  return unionChanged ? [...a] : null;
+}
+
+/**
+ * Merges permissions from source into target; dedupes by name; unions roles arrays.
+ * @param {Object[]} targetPerms - rbac.permissions (mutated)
+ * @param {Object[]} sourcePerms - permissions to merge in
+ * @returns {boolean} True if targetPerms changed
+ */
+function _mergePermissionObjectsInto(targetPerms, sourcePerms) {
+  if (!Array.isArray(sourcePerms) || sourcePerms.length === 0) return false;
+  const byName = new Map(
+    (targetPerms || []).filter(p => p && typeof p === 'object').map(p => [p.name, p])
+  );
+  let updated = false;
+  for (const p of sourcePerms) {
+    if (!p || typeof p !== 'object') continue;
+    const name = _safeString(p.name);
+    if (!name) continue;
+    const existing = byName.get(name);
+    if (!existing) {
+      targetPerms.push({
+        name: p.name,
+        description: _safeString(p.description) || `Permission: ${name}`,
+        roles: Array.isArray(p.roles) ? [...p.roles] : []
+      });
+      byName.set(name, targetPerms[targetPerms.length - 1]);
+      updated = true;
+      continue;
+    }
+    const mergedRoles = _unionPermissionRoleSets(existing.roles, Array.isArray(p.roles) ? p.roles : []);
+    if (mergedRoles) {
+      existing.roles = mergedRoles;
+      updated = true;
+    }
+  }
+  return updated;
+}
+
+/**
+ * @param {string[]} changes - Repair changelog lines
+ * @param {boolean} rbacContentChanged - Whether rbac JSON/YAML payload changed
+ */
+function _appendMigrateSystemRbacNotes(changes, rbacContentChanged) {
+  if (rbacContentChanged) {
+    changes.push('Merged roles/permissions from external system file into rbac file');
+  }
+  changes.push('Removed roles and permissions from external system file (canonical copy in rbac file)');
+}
+
+/**
+ * @param {string} rbacPath
+ * @param {Object} rbac
+ * @param {boolean} rbacContentChanged
+ * @param {string} systemFilePath
+ * @param {Object} systemParsed
+ * @param {Object} [backupCtx]
+ * @returns {void}
+ */
+function _persistMigrateSystemRbacEdits(rbacPath, rbac, rbacContentChanged, systemFilePath, systemParsed, backupCtx) {
+  if (rbacContentChanged) {
+    backupIntegrationFile(rbacPath, backupCtx);
+    writeConfigFile(rbacPath, rbac);
+  }
+  delete systemParsed.roles;
+  delete systemParsed.permissions;
+  backupIntegrationFile(systemFilePath, backupCtx);
+  writeConfigFile(systemFilePath, systemParsed);
+}
+
+/**
+ * When an rbac file already exists, moves roles/permissions out of the external system JSON into that file.
+ * (Initial create-from-system is handled by createRbacFromSystemIfNeeded in repair.js.)
+ *
+ * @param {string} appPath - Integration directory
+ * @param {string} systemFilePath - Path to *-system.json (or yaml)
+ * @param {Object} systemParsed - Parsed system (mutated: roles/permissions removed when not dryRun)
+ * @param {{ dryRun: boolean, changes: string[], backupCtx?: Object }} options
+ * @returns {boolean} True if system had RBAC fields to relocate or rbac was merged
+ */
+function migrateSystemRbacIntoRbacFile(appPath, systemFilePath, systemParsed, options) {
+  const { dryRun, changes, backupCtx } = options;
+  const extracted = extractModule.extractRbacFromSystem(systemParsed);
+  if (!extracted) return false;
+
+  const rbacPath = appConfigResolver.resolveRbacPath(appPath);
+  if (!rbacPath) {
+    return false;
+  }
+
+  const loaded = loadConfigFile(rbacPath);
+  /** Clone so merges never mutate a shared mock / cached object returned by tests or loaders. */
+  const rbac = {
+    roles: Array.isArray(loaded.roles)
+      ? loaded.roles.map(r => ({
+        name: r.name,
+        value: r.value,
+        description: r.description,
+        groups: Array.isArray(r.groups) ? [...r.groups] : []
+      }))
+      : [],
+    permissions: Array.isArray(loaded.permissions)
+      ? loaded.permissions.map(p => ({
+        name: p.name,
+        description: p.description,
+        roles: Array.isArray(p.roles) ? [...p.roles] : []
+      }))
+      : []
+  };
+
+  const rolesMerged = _mergeRoleObjectsInto(rbac.roles, extracted.roles);
+  const permsMerged = _mergePermissionObjectsInto(rbac.permissions, extracted.permissions);
+  const rbacContentChanged = rolesMerged || permsMerged;
+
+  _appendMigrateSystemRbacNotes(changes, rbacContentChanged);
+
+  if (!dryRun) {
+    _persistMigrateSystemRbacEdits(rbacPath, rbac, rbacContentChanged, systemFilePath, systemParsed, backupCtx);
+  }
+  return true;
+}
+
+module.exports = {
+  migrateSystemRbacIntoRbacFile
+};

package/lib/commands/repair-rbac.js

@@ -13,24 +13,22 @@ const fs = require('fs');
 const chalk = require('chalk');
 const logger = require('../utils/logger');
 const { loadConfigFile, writeConfigFile } = require('../utils/config-format');
-const { resolveRbacPath } = require('../utils/app-config-resolver');
+const { backupIntegrationFile } = require('../utils/integration-file-backup');
+const appConfigResolver = require('../utils/app-config-resolver');
+const { extractRbacFromSystem } = require('./repair-rbac-extract');
 
 const DEFAULT_CAPABILITIES = ['list', 'get', 'create', 'update', 'delete'];
 
-/**
- * Extracts roles and permissions from external system JSON for rbac.yaml (same rules as repair).
- * @param {Object} system - Parsed system config
- * @returns {Object|null} RBAC object or null
- */
-function extractRbacFromSystem(system) {
-  if (!system || typeof system !== 'object') return null;
-  const hasRoles = system.roles && Array.isArray(system.roles) && system.roles.length > 0;
-  const hasPermissions = system.permissions && Array.isArray(system.permissions) && system.permissions.length > 0;
-  if (!hasRoles && !hasPermissions) return null;
-  const rbac = {};
-  if (hasRoles) rbac.roles = system.roles;
-  if (hasPermissions) rbac.permissions = system.permissions;
-  return rbac;
+function _safeString(v) {
+  return typeof v === 'string' && v.trim() ? v.trim() : '';
+}
+
+function _normalizeOperationKey(opKey) {
+  const s = _safeString(opKey);
+  if (!s) return '';
+  const withHyphens = s.replace(/([a-z0-9])([A-Z])/g, '$1-$2').toLowerCase();
+  const cleaned = withHyphens.replace(/[^a-z0-9-]+/g, '-');
+  return cleaned.replace(/-+/g, '-').replace(/^-+|-+$/g, '');
 }
 
 /**
@@ -62,20 +60,122 @@ function getCapabilitiesFromDatasource(parsed) {
 function collectPermissionNames(appPath, datasourceFiles) {
   const permissionNames = new Set();
   for (const fileName of datasourceFiles || []) {
-    const filePath = path.join(appPath, fileName);
-    if (!fs.existsSync(filePath)) continue;
-    try {
-      const parsed = loadConfigFile(filePath);
-      const resourceType = parsed?.resourceType || 'document';
-      const caps = getCapabilitiesFromDatasource(parsed);
-      for (const cap of caps) permissionNames.add(`${resourceType}:${cap}`);
-    } catch (err) {
-      logger.log(chalk.yellow(`⚠ Could not load ${fileName} for RBAC: ${err.message}`));
-    }
+    const parsed = _safeLoadDatasource(appPath, fileName);
+    if (!parsed) continue;
+    _collectPermissionNamesFromDatasourceParsed(permissionNames, parsed);
   }
   return permissionNames;
 }
 
+function _safeLoadDatasource(appPath, fileName) {
+  const filePath = path.join(appPath, fileName);
+  if (!fs.existsSync(filePath)) return null;
+  try {
+    return loadConfigFile(filePath);
+  } catch (err) {
+    logger.log(chalk.yellow(`⚠ Could not load ${fileName} for RBAC: ${err.message}`));
+    return null;
+  }
+}
+
+function _hasAutoRbacOps(parsed) {
+  const openapi = parsed?.openapi;
+  return (
+    openapi &&
+    typeof openapi === 'object' &&
+    openapi.autoRbac === true &&
+    openapi.operations &&
+    typeof openapi.operations === 'object' &&
+    !Array.isArray(openapi.operations)
+  );
+}
+
+function _collectPermissionNamesFromDatasourceParsed(permissionNames, parsed) {
+  const resourceType = parsed?.resourceType || 'document';
+
+  if (_hasAutoRbacOps(parsed)) {
+    const ops = parsed.openapi.operations;
+    for (const opKey of Object.keys(ops)) {
+      const normOpKey = _normalizeOperationKey(opKey) || _safeString(opKey);
+      if (!normOpKey) continue;
+      permissionNames.add(`${resourceType}:${normOpKey}`);
+    }
+  }
+  // When autoRbac is false/missing, RBAC is considered manual; do not auto-generate permissions.
+}
+
+function _collectManagedResourceTypesFromDatasources(appPath, datasourceFiles) {
+  const out = new Set();
+  for (const fileName of datasourceFiles || []) {
+    const parsed = _safeLoadDatasource(appPath, fileName);
+    if (!parsed) continue;
+    if (!_hasAutoRbacOps(parsed)) continue;
+    const rt = _safeString(parsed.resourceType) || 'document';
+    out.add(rt);
+  }
+  return out;
+}
+
+function _buildDesiredPermissionNames(appPath, datasourceFiles) {
+  const desired = collectPermissionNames(appPath, datasourceFiles);
+  if (desired.size === 0) return { desired, managedResourceTypes: new Set(), aliases: new Map() };
+
+  const managedResourceTypes = _collectManagedResourceTypesFromDatasources(appPath, datasourceFiles);
+
+  // Build alias map for rename support (kebab-case or case variants -> canonical).
+  const aliases = new Map();
+  for (const name of desired) {
+    const [rt, op] = String(name).split(':');
+    if (!rt || !op) continue;
+    const kebab = _normalizeOperationKey(op);
+    if (kebab && `${rt}:${kebab}` !== name) {
+      aliases.set(`${rt}:${kebab}`, name);
+    }
+    const lower = `${rt}:${String(op).toLowerCase()}`;
+    if (lower !== name) {
+      aliases.set(lower, name);
+    }
+    const dehyphen = `${rt}:${String(op).replace(/-/g, '').toLowerCase()}`;
+    if (dehyphen !== name) {
+      aliases.set(dehyphen, name);
+    }
+  }
+  return { desired, managedResourceTypes, aliases };
+}
+
+function _renameExistingPermissionIfAliasMatches(rbac, aliases, changes) {
+  if (!rbac || !Array.isArray(rbac.permissions) || aliases.size === 0) return false;
+  let updated = false;
+  for (const p of rbac.permissions) {
+    if (!p || typeof p !== 'object') continue;
+    const name = _safeString(p.name);
+    if (!name) continue;
+    const canonical = aliases.get(name);
+    if (!canonical || canonical === name) continue;
+    p.name = canonical;
+    changes.push(`Renamed RBAC permission: ${name} → ${canonical}`);
+    updated = true;
+  }
+  return updated;
+}
+
+function _removeExtraAutoRbacPermissions(rbac, desired, managedResourceTypes, changes) {
+  if (!rbac || !Array.isArray(rbac.permissions) || desired.size === 0) return false;
+  if (!managedResourceTypes || managedResourceTypes.size === 0) return false;
+  const before = rbac.permissions.length;
+  rbac.permissions = rbac.permissions.filter((p) => {
+    const name = _safeString(p?.name);
+    if (!name || !name.includes(':')) return true;
+    const [rt] = name.split(':');
+    if (!managedResourceTypes.has(rt)) return true;
+    return desired.has(name);
+  });
+  const after = rbac.permissions.length;
+  if (after === before) return false;
+  changes.push(`Removed ${before - after} extra autoRbac permission(s) not present in operations`);
+  return true;
+}
+
 /**
  * Loads existing RBAC file (rbac.yaml, rbac.yml, or rbac.json) or creates empty structure.
  * Uses extractRbacFromSystem when no file exists. New file path respects format (rbac.json when format is 'json').
@@ -87,7 +187,7 @@ function collectPermissionNames(appPath, datasourceFiles) {
  * @returns {{ rbac: Object, rbacPath: string }} rbacPath is resolved path or path.join(appPath, 'rbac.{json|yaml}') for new file
  */
 function loadOrCreateRbac(appPath, systemParsed, extractRbacFromSystem, format) {
-  const resolvedPath = resolveRbacPath(appPath);
+  const resolvedPath = appConfigResolver.resolveRbacPath(appPath);
   let rbac;
   let rbacPath;
   if (resolvedPath) {
@@ -153,6 +253,82 @@ function ensureDefaultRoles(rbac, systemKey, displayName, changes) {
   return true;
 }
 
+function _roleValues(rbac) {
+  const roles = Array.isArray(rbac.roles) ? rbac.roles : [];
+  return roles
+    .map(r => r?.value)
+    .filter(v => typeof v === 'string' && v.trim());
+}
+
+function _pickAdminRoleValue(roleValues, systemKey) {
+  return (
+    roleValues.find(v => v === `${systemKey}-admin`) ||
+    roleValues.find(v => /-admin$/.test(v)) ||
+    roleValues[0] ||
+    null
+  );
+}
+
+function _pickReaderRoleValue(roleValues, systemKey) {
+  return (
+    roleValues.find(v => v === `${systemKey}-reader`) ||
+    roleValues.find(v => /-reader$/.test(v)) ||
+    null
+  );
+}
+
+function _capabilityFromPermissionName(name) {
+  if (typeof name !== 'string' || !name.includes(':')) return null;
+  return name.split(':')[1] || null;
+}
+
+function _defaultRolesForCapability(cap, { adminValue, readerValue }) {
+  const roles = [];
+  if ((cap === 'list' || cap === 'get') && readerValue) roles.push(readerValue);
+  if (adminValue) roles.push(adminValue);
+  return roles;
+}
+
+/**
+ * Ensures every permission has at least one role assigned.
+ *
+ * When roles already exist, new permissions may be added with empty roles (invalid for manifest).
+ * Apply a safe default:
+ * - list/get -> reader + admin when those roles exist
+ * - create/update/delete -> admin when it exists (otherwise first available role)
+ *
+ * Mutates rbac.
+ * @param {Object} rbac - RBAC object (mutated)
+ * @param {string} systemKey - System key
+ * @param {string[]} changes - Array to append to
+ * @returns {boolean}
+ */
+function ensureNonEmptyPermissionRoles(rbac, systemKey, changes) {
+  const roleValues = _roleValues(rbac);
+  if (!Array.isArray(rbac.permissions) || roleValues.length === 0) return false;
+
+  const adminValue = _pickAdminRoleValue(roleValues, systemKey);
+  const readerValue = _pickReaderRoleValue(roleValues, systemKey);
+
+  let updated = false;
+  for (const p of rbac.permissions) {
+    if (!p || typeof p !== 'object') continue;
+    if (!Array.isArray(p.roles)) p.roles = [];
+    if (p.roles.length > 0) continue;
+
+    const cap = _capabilityFromPermissionName(p.name);
+    const defaults = _defaultRolesForCapability(cap, { adminValue, readerValue });
+    for (const rv of defaults) {
+      if (!p.roles.includes(rv)) p.roles.push(rv);
+    }
+    if (p.roles.length > 0) {
+      changes.push(`RBAC: defaulted empty roles for ${p.name}`);
+      updated = true;
+    }
+  }
+  return updated;
+}
+
 /**
  * Merges RBAC from datasources: ensures permission per resourceType:capability, adds Admin/Reader roles if none.
  * When creating a new RBAC file, uses rbac.json if format is 'json', otherwise rbac.yaml.
@@ -161,27 +337,34 @@ function ensureDefaultRoles(rbac, systemKey, displayName, changes) {
  * @param {Object} systemParsed - Parsed system (key, displayName)
  * @param {string[]} datasourceFiles - Datasource file names
  * @param {Function} extractRbacFromSystem - (system) => rbac or null
- * @param {{ format?: string, dryRun: boolean, changes: string[] }} options - format ('json'|'yaml'), dryRun, changes array
+ * @param {{ format?: string, dryRun: boolean, changes: string[], backupCtx?: Object }} options - format ('json'|'yaml'), dryRun, changes array
  * @returns {boolean} True if rbac was updated (or would be in dry-run)
  */
 function mergeRbacFromDatasources(appPath, systemParsed, datasourceFiles, extractRbacFromSystem, options) {
-  const { format = 'yaml', dryRun, changes } = options;
+  const { format = 'yaml', dryRun, changes, backupCtx } = options;
   const rbacFormat = format === 'json' ? 'json' : 'yaml';
-  const permissionNames = collectPermissionNames(appPath, datasourceFiles);
+  const { desired: permissionNames, managedResourceTypes, aliases } = _buildDesiredPermissionNames(appPath, datasourceFiles);
   if (permissionNames.size === 0) return false;
   const systemKey = systemParsed?.key || 'system';
   const displayName = systemParsed?.displayName || systemKey;
   const { rbac, rbacPath } = loadOrCreateRbac(appPath, systemParsed, extractRbacFromSystem, rbacFormat);
-  let updated = addMissingPermissions(rbac, permissionNames, changes);
+  let updated = _renameExistingPermissionIfAliasMatches(rbac, aliases, changes);
+  updated = addMissingPermissions(rbac, permissionNames, changes) || updated;
+  updated = _removeExtraAutoRbacPermissions(rbac, permissionNames, managedResourceTypes, changes) || updated;
   updated = ensureDefaultRoles(rbac, systemKey, displayName, changes) || updated;
+  updated = ensureNonEmptyPermissionRoles(rbac, systemKey, changes) || updated;
   if (updated && !dryRun) {
+    backupIntegrationFile(rbacPath, backupCtx);
     writeConfigFile(rbacPath, rbac);
   }
   return updated;
 }
 
+const { migrateSystemRbacIntoRbacFile } = require('./repair-rbac-migrate');
+
 module.exports = {
   extractRbacFromSystem,
   getCapabilitiesFromDatasource,
-  mergeRbacFromDatasources
+  mergeRbacFromDatasources,
+  migrateSystemRbacIntoRbacFile
 };