@flowcore/cli-plugin-iam 1.0.0 → 1.1.0

package/dist/resource-types/role.resource.js

@@ -0,0 +1,191 @@
+import { baseResourceDto } from "@flowcore/cli-plugin-core";
+import { diff } from "@opentf/obj-diff";
+import enquirer from "enquirer";
+import { diffString } from "json-diff";
+import { inspect } from "node:util";
+import { z } from "zod";
+export const roleDto = baseResourceDto.extend({
+    spec: z.object({
+        description: z.string().optional(),
+        flowcoreManaged: z.boolean().optional(),
+        policies: z.array(z.string()),
+    }),
+});
+export class RoleService {
+    iamClient;
+    logger;
+    getToken;
+    constructor(iamClient, logger, getToken) {
+        this.iamClient = iamClient;
+        this.logger = logger;
+        this.getToken = getToken;
+    }
+    async createNewRole(organizationId, role, skipConfirmation) {
+        const parsedRole = roleDto.parse(role);
+        try {
+            const roles = await this.iamClient.getApiV1RoleAssociationsOrganizationByOrganizationId(organizationId, {
+                headers: {
+                    Authorization: `Bearer ${await this.getToken()}`,
+                },
+            });
+            const existingRole = roles.data.find((r) => r.name === parsedRole.metadata.name);
+            const policies = await this.iamClient.getApiV1PolicyAssociationsOrganizationByOrganizationId(organizationId, {
+                headers: {
+                    Authorization: `Bearer ${await this.getToken()}`,
+                },
+            });
+            const linkedPolicies = policies.data.filter((p) => parsedRole.spec.policies.includes(p.name));
+            if (!existingRole) {
+                const result = await this.iamClient.postApiV1Roles({
+                    description: parsedRole.spec.description ?? undefined,
+                    name: parsedRole.metadata.name,
+                    organizationId,
+                }, {
+                    headers: {
+                        Authorization: `Bearer ${await this.getToken()}`,
+                    },
+                });
+                if (result.status !== 200) {
+                    this.logger.fatal(`Failed to create role: ${result.statusText}`);
+                }
+                const role = result.data;
+                for (const linkedPolicy of linkedPolicies) {
+                    const binding = await this.iamClient.postApiV1PolicyAssociationsRoleByRoleId(role.id, {
+                        policyId: linkedPolicy.id,
+                    }, {
+                        headers: {
+                            Authorization: `Bearer ${await this.getToken()}`,
+                        },
+                    });
+                    if (binding.status !== 200) {
+                        this.logger.fatal(`Failed to bind policy ${linkedPolicy.id} to role ${role.id}: ${binding.statusText}`);
+                    }
+                }
+                return true;
+            }
+            const alreadyLinkedPolicies = await this.iamClient.getApiV1PolicyAssociationsRoleByRoleId(existingRole.id, {
+                headers: {
+                    Authorization: `Bearer ${await this.getToken()}`,
+                },
+            });
+            this.logger.debug(`Found ${inspect(alreadyLinkedPolicies.data)} policies linked to role ${existingRole.id}`);
+            const newRole = {
+                description: parsedRole.spec.description ?? "",
+                name: parsedRole.metadata.name,
+                policies: parsedRole.spec.policies.sort(),
+            };
+            const existingRoleData = {
+                description: existingRole.description ?? "",
+                name: existingRole.name,
+                policies: alreadyLinkedPolicies.data.map((p) => p.name).sort(),
+            };
+            const diffResult = diff(existingRoleData, newRole);
+            if (diffResult.length === 0) {
+                return false;
+            }
+            if (!skipConfirmation) {
+                this.logger.info("Role has changed, do you want to apply these changes?");
+                this.logger.info(diffString(existingRoleData, newRole, {
+                    color: true,
+                    full: true,
+                }));
+                const { confirm } = await enquirer.prompt({
+                    message: "Are you sure you want to update the role?",
+                    name: "confirm",
+                    type: "confirm",
+                });
+                if (!confirm) {
+                    return false;
+                }
+            }
+            const result = await this.iamClient.patchApiV1RolesById(existingRole.id, {
+                description: newRole.description,
+                id: existingRole.id,
+                name: newRole.name,
+                organizationId,
+            }, {
+                headers: {
+                    Authorization: `Bearer ${await this.getToken()}`,
+                },
+            });
+            if (result.status !== 200) {
+                this.logger.fatal(`Failed to update role: ${result.statusText}`);
+            }
+            const toAdd = newRole.policies.filter((p) => !existingRoleData.policies.includes(p));
+            const toRemove = existingRoleData.policies.filter((p) => !newRole.policies.includes(p));
+            for (const policy of toAdd) {
+                const policyId = policies.data.find((p) => p.name === policy)?.id;
+                if (!policyId) {
+                    this.logger.fatal(`Policy ${policy} not found`);
+                }
+                const binding = await this.iamClient.postApiV1PolicyAssociationsRoleByRoleId(existingRole.id, { policyId }, {
+                    headers: {
+                        Authorization: `Bearer ${await this.getToken()}`,
+                    },
+                });
+                if (binding.status !== 200) {
+                    this.logger.error(`Failed to bind policy ${policyId} to role ${existingRole.id}: ${binding.statusText}`);
+                }
+                this.logger.debug(`Created binding for policy ${policyId} to role ${existingRole.id}`);
+            }
+            for (const policy of toRemove) {
+                console.log(policy, alreadyLinkedPolicies.data);
+                const policyId = alreadyLinkedPolicies.data.find((p) => p.name === policy)?.id;
+                if (!policyId) {
+                    this.logger.fatal(`Policy ${policy} not found`);
+                }
+                const binding = await this.iamClient.deleteApiV1PolicyAssociationsRoleByRoleId(existingRole.id, { policyId }, {
+                    headers: {
+                        Authorization: `Bearer ${await this.getToken()}`,
+                    },
+                });
+                if (binding.status !== 200) {
+                    this.logger.error(`Failed to unbind policy ${policyId} from role ${existingRole.id}: ${binding.statusText}`);
+                }
+                this.logger.debug(`Removed binding for policy ${policyId} from role ${existingRole.id}`);
+            }
+            return true;
+        }
+        catch (error) {
+            if (typeof error === "object" && error !== null && "error" in error) {
+                const err = error;
+                this.logger.fatal(`Failed to create role with error(${err.error.status} - ${err.error.code}): ${err.error.message}`);
+            }
+            else {
+                this.logger.fatal(`Failed to create role with unknown error: ${error}`);
+            }
+        }
+    }
+    async deleteRole(organizationId, role) {
+        const parsedRole = roleDto.parse(role);
+        try {
+            const roles = await this.iamClient.getApiV1RoleAssociationsOrganizationByOrganizationId(organizationId, {
+                headers: {
+                    Authorization: `Bearer ${await this.getToken()}`,
+                },
+            });
+            const existingRole = roles.data.find((r) => r.name === parsedRole.metadata.name);
+            if (!existingRole) {
+                return false;
+            }
+            const result = await this.iamClient.deleteApiV1RolesById(existingRole.id, {
+                headers: {
+                    Authorization: `Bearer ${await this.getToken()}`,
+                },
+            });
+            if (result.status !== 200) {
+                this.logger.fatal(`Failed to delete role: ${result.statusText}`);
+            }
+            return true;
+        }
+        catch (error) {
+            if (typeof error === "object" && error !== null && "error" in error) {
+                const err = error;
+                this.logger.fatal(`Failed to delete role with error(${err.error.status} - ${err.error.code}): ${err.error.message}`);
+            }
+            else {
+                this.logger.fatal(`Failed to delete role with unknown error: ${error}`);
+            }
+        }
+    }
+}

package/dist/utils/clients/iam/Api.d.ts

@@ -27,6 +27,8 @@ export declare class Api<SecurityDataType = unknown> extends HttpClient<Security
         description?: string;
         /** The principal role that can access the resource */
         principal?: string;
+        /** If the policy is managed by flowcore */
+        flowcoreManaged?: boolean;
     } & {
         /** The id of the policy */
         id: string;
@@ -58,6 +60,8 @@ export declare class Api<SecurityDataType = unknown> extends HttpClient<Security
         description?: string;
         /** The principal role that can access the resource */
         principal?: string;
+        /** If the policy is managed by flowcore */
+        flowcoreManaged?: boolean;
     }, params?: RequestParams) => Promise<import("./http-client.js").HttpResponse<object, any>>;
     /**
      * @description Get a policy by id
@@ -123,6 +127,8 @@ export declare class Api<SecurityDataType = unknown> extends HttpClient<Security
         name: string;
         /** Role description */
         description?: string;
+        /** Flowcore managed role */
+        flowcoreManaged?: boolean;
     } & {
         /** The id of the role */
         id: string;
@@ -142,6 +148,8 @@ export declare class Api<SecurityDataType = unknown> extends HttpClient<Security
         name: string;
         /** Role description */
         description?: string;
+        /** Flowcore managed role */
+        flowcoreManaged?: boolean;
     }, params?: RequestParams) => Promise<import("./http-client.js").HttpResponse<object, any>>;
     /**
      * @description Get a role by ID
@@ -158,6 +166,8 @@ export declare class Api<SecurityDataType = unknown> extends HttpClient<Security
         name: string;
         /** Role description */
         description?: string;
+        /** Flowcore managed role */
+        flowcoreManaged?: boolean;
     } & {
         /** Role ID */
         id: string;
@@ -213,6 +223,40 @@ export declare class Api<SecurityDataType = unknown> extends HttpClient<Security
         /** The message of the archive role */
         message: string;
     }, any>>;
+    /**
+     * @description Fetch associations for a policy
+     *
+     * @tags policy-associations
+     * @name GetApiV1PolicyAssociationsByPolicyId
+     * @request GET:/api/v1/policy-associations/{policyId}
+     * @secure
+     */
+    getApiV1PolicyAssociationsByPolicyId: (policyId: string, params?: RequestParams) => Promise<import("./http-client.js").HttpResponse<{
+        keys: {
+            /** The ID of the policy */
+            policyId: string;
+            /** The ID of the organization */
+            organizationId: string;
+            /** The ID of the key */
+            keyId: string;
+        }[];
+        users: {
+            /** The ID of the policy */
+            policyId: string;
+            /** The ID of the organization */
+            organizationId: string;
+            /** The ID of the user */
+            userId: string;
+        }[];
+        roles: {
+            /** The ID of the policy */
+            policyId: string;
+            /** The ID of the organization */
+            organizationId: string;
+            /** The ID of the role */
+            roleId: string;
+        }[];
+    }, any>>;
     /**
      * @description Fetch policies for an organization
      *
@@ -240,6 +284,8 @@ export declare class Api<SecurityDataType = unknown> extends HttpClient<Security
         description?: string;
         /** The principal role that can access the resource */
         principal?: string;
+        /** If the policy is managed by flowcore */
+        flowcoreManaged?: boolean;
     } & {
         /** The id of the policy */
         id: string;
@@ -274,6 +320,8 @@ export declare class Api<SecurityDataType = unknown> extends HttpClient<Security
         description?: string;
         /** The principal role that can access the resource */
         principal?: string;
+        /** If the policy is managed by flowcore */
+        flowcoreManaged?: boolean;
     } & {
         /** The id of the policy */
         id: string;
@@ -345,6 +393,8 @@ export declare class Api<SecurityDataType = unknown> extends HttpClient<Security
         description?: string;
         /** The principal role that can access the resource */
         principal?: string;
+        /** If the policy is managed by flowcore */
+        flowcoreManaged?: boolean;
     } & {
         /** The id of the policy */
         id: string;
@@ -416,6 +466,8 @@ export declare class Api<SecurityDataType = unknown> extends HttpClient<Security
         description?: string;
         /** The principal role that can access the resource */
         principal?: string;
+        /** If the policy is managed by flowcore */
+        flowcoreManaged?: boolean;
     } & {
         /** The id of the policy */
         id: string;
@@ -460,6 +512,32 @@ export declare class Api<SecurityDataType = unknown> extends HttpClient<Security
         /** The ID of the role */
         roleId: string;
     }, any>>;
+    /**
+     * @description Fetch associations for a role
+     *
+     * @tags role-associations
+     * @name GetApiV1RoleAssociationsByRoleId
+     * @request GET:/api/v1/role-associations/{roleId}
+     * @secure
+     */
+    getApiV1RoleAssociationsByRoleId: (roleId: string, params?: RequestParams) => Promise<import("./http-client.js").HttpResponse<{
+        keys: {
+            /** The ID of the role */
+            roleId: string;
+            /** The ID of the organization */
+            organizationId: string;
+            /** The ID of the key */
+            keyId: string;
+        }[];
+        users: {
+            /** The ID of the role */
+            roleId: string;
+            /** The ID of the organization */
+            organizationId: string;
+            /** The ID of the user */
+            userId: string;
+        }[];
+    }, any>>;
     /**
      * @description Fetch roles for an organization
      *
@@ -475,6 +553,8 @@ export declare class Api<SecurityDataType = unknown> extends HttpClient<Security
         name: string;
         /** Role description */
         description?: string;
+        /** Flowcore managed role */
+        flowcoreManaged?: boolean;
     } & {
         /** The id of the role */
         id: string;
@@ -497,6 +577,8 @@ export declare class Api<SecurityDataType = unknown> extends HttpClient<Security
         name: string;
         /** Role description */
         description?: string;
+        /** Flowcore managed role */
+        flowcoreManaged?: boolean;
     } & {
         /** Role ID */
         id: string;
@@ -556,6 +638,8 @@ export declare class Api<SecurityDataType = unknown> extends HttpClient<Security
         name: string;
         /** Role description */
         description?: string;
+        /** Flowcore managed role */
+        flowcoreManaged?: boolean;
     } & {
         /** Role ID */
         id: string;

package/dist/utils/clients/iam/Api.js

@@ -168,6 +168,21 @@ export class Api extends HttpClient {
         format: "json",
         ...params,
     });
+    /**
+     * @description Fetch associations for a policy
+     *
+     * @tags policy-associations
+     * @name GetApiV1PolicyAssociationsByPolicyId
+     * @request GET:/api/v1/policy-associations/{policyId}
+     * @secure
+     */
+    getApiV1PolicyAssociationsByPolicyId = (policyId, params = {}) => this.request({
+        path: `/api/v1/policy-associations/${policyId}`,
+        method: "GET",
+        secure: true,
+        format: "json",
+        ...params,
+    });
     /**
      * @description Fetch policies for an organization
      *
@@ -331,6 +346,21 @@ export class Api extends HttpClient {
         format: "json",
         ...params,
     });
+    /**
+     * @description Fetch associations for a role
+     *
+     * @tags role-associations
+     * @name GetApiV1RoleAssociationsByRoleId
+     * @request GET:/api/v1/role-associations/{roleId}
+     * @secure
+     */
+    getApiV1RoleAssociationsByRoleId = (roleId, params = {}) => this.request({
+        path: `/api/v1/role-associations/${roleId}`,
+        method: "GET",
+        secure: true,
+        format: "json",
+        ...params,
+    });
     /**
      * @description Fetch roles for an organization
      *

package/dist/utils/clients/iam/http-client.d.ts

@@ -25,11 +25,11 @@ export interface ApiConfig<SecurityDataType = unknown> {
     securityWorker?: (securityData: SecurityDataType | null) => Promise<RequestParams | void> | RequestParams | void;
     customFetch?: typeof fetch;
 }
-export interface HttpResponse<D, E = unknown> extends Response {
+export interface HttpResponse<D extends unknown, E extends unknown = unknown> extends Response {
     data: D;
     error: E;
 }
-type CancelToken = symbol | string | number;
+type CancelToken = Symbol | string | number;
 export declare enum ContentType {
     Json = "application/json",
     FormData = "multipart/form-data",

package/dist/utils/clients/iam/http-client.js

@@ -48,9 +48,7 @@ export class HttpClient {
         const query = rawQuery || {};
         const keys = Object.keys(query).filter((key) => "undefined" !== typeof query[key]);
         return keys
-            .map((key) => Array.isArray(query[key])
-            ? this.addArrayQueryParam(query, key)
-            : this.addQueryParam(query, key))
+            .map((key) => (Array.isArray(query[key]) ? this.addArrayQueryParam(query, key) : this.addQueryParam(query, key)))
             .join("&");
     }
     addQueryParams(rawQuery) {
@@ -58,12 +56,8 @@ export class HttpClient {
         return queryString ? `?${queryString}` : "";
     }
     contentFormatters = {
-        [ContentType.Json]: (input) => input !== null && (typeof input === "object" || typeof input === "string")
-            ? JSON.stringify(input)
-            : input,
-        [ContentType.Text]: (input) => input !== null && typeof input !== "string"
-            ? JSON.stringify(input)
-            : input,
+        [ContentType.Json]: (input) => input !== null && (typeof input === "object" || typeof input === "string") ? JSON.stringify(input) : input,
+        [ContentType.Text]: (input) => (input !== null && typeof input !== "string" ? JSON.stringify(input) : input),
         [ContentType.FormData]: (input) => Object.keys(input || {}).reduce((formData, key) => {
             const property = input[key];
             formData.append(key, property instanceof Blob
@@ -119,16 +113,10 @@ export class HttpClient {
             ...requestParams,
             headers: {
                 ...(requestParams.headers || {}),
-                ...(type && type !== ContentType.FormData
-                    ? { "Content-Type": type }
-                    : {}),
+                ...(type && type !== ContentType.FormData ? { "Content-Type": type } : {}),
             },
-            signal: (cancelToken
-                ? this.createAbortSignal(cancelToken)
-                : requestParams.signal) || null,
-            body: typeof body === "undefined" || body === null
-                ? null
-                : payloadFormatter(body),
+            signal: (cancelToken ? this.createAbortSignal(cancelToken) : requestParams.signal) || null,
+            body: typeof body === "undefined" || body === null ? null : payloadFormatter(body),
         }).then(async (response) => {
             const r = response.clone();
             r.data = null;

package/dist/utils/fetch-manifest.util.js

@@ -9,7 +9,6 @@ export const FetchManifestUtil = {
         const contents = [];
         for (const file of files) {
             if (file === "-") {
-                // eslint-disable-next-line no-await-in-loop
                 contents.push(await readPipe() || "");
             }
             else if (fs.existsSync(file)) {

package/oclif.manifest.json

@@ -123,5 +123,5 @@
       ]
     }
   },
-  "version": "1.0.0"
+  "version": "1.1.0"
 }

package/package.json

@@ -5,16 +5,18 @@
 	},
 	"dependencies": {
 		"@flowcore/cli-plugin-config": "^2.2.1",
-		"@flowcore/cli-plugin-core": "^4.0.3",
+		"@flowcore/cli-plugin-core": "^4.6.0",
 		"@oclif/core": "^4.0.21",
 		"@oclif/plugin-help": "^6",
 		"@oclif/plugin-plugins": "^5.4.7",
+		"@opentf/obj-diff": "npm:@jsr/opentf__obj-diff",
 		"dayjs": "^1.11.10",
 		"deepmerge": "^4.3.1",
 		"enquirer": "^2.4.1",
 		"graphql": "^16.8.1",
 		"graphql-request": "^6.1.0",
 		"js-yaml": "^4.1.0",
+		"json-diff": "^1.0.6",
 		"lodash": "^4.17.21",
 		"radash": "^12.1.0",
 		"uuid": "^9.0.1",
@@ -27,6 +29,7 @@
 		"@types/chai": "^4",
 		"@types/deepmerge": "^2.2.0",
 		"@types/js-yaml": "^4.0.9",
+		"@types/json-diff": "^1.0.3",
 		"@types/lodash": "^4.14.202",
 		"@types/mocha": "^10",
 		"@types/node": "^18",
@@ -63,6 +66,9 @@
 			"@oclif/plugin-plugins",
 			"@flowcore/cli-plugin-config"
 		],
+		"hooks": {
+			"register-api": "./dist/hooks/register-apply"
+		},
 		"topicSeparator": " ",
 		"topics": {
 			"iam": {
@@ -82,7 +88,7 @@
 		"version": "oclif readme && git add README.md",
 		"update-schema": "rover graph introspect https://graph.api.flowcore.io/graphql -o schema.gql"
 	},
-	"version": "1.0.0",
+	"version": "1.1.0",
 	"bugs": "https://github.com/flowcore-io/cli-plugin-iam/issues",
 	"keywords": [
 		"oclif"