@logto/schemas 1.9.1 → 1.10.0

package/alterations/1.9.2-1694854226-init-sentinel.ts

@@ -0,0 +1,79 @@
+import { type CommonQueryMethods, sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const getDatabaseName = async (pool: CommonQueryMethods) => {
+  const { currentDatabase } = await pool.one<{ currentDatabase: string }>(sql`
+    select current_database();
+  `);
+
+  return currentDatabase.replaceAll('-', '_');
+};
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    const database = await getDatabaseName(pool);
+    const baseRoleId = sql.identifier([`logto_tenant_${database}`]);
+
+    await pool.query(sql`
+      create type sentinel_action_result as enum ('Success', 'Failed');
+
+      create type sentinel_decision as enum ('Undecided', 'Allowed', 'Blocked', 'Challenge');
+
+      create table sentinel_activities (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(21) not null,
+        /** The target that the action was performed on. */
+        target_type varchar(32) /* @use SentinelActivityTargetType */ not null,
+        /** The target hashed identifier. */
+        target_hash varchar(64) not null,
+        /** The action name that was performed. */
+        action varchar(64) /* @use SentinelActivityAction */ not null,
+        /** If the action was successful or not. */
+        action_result sentinel_action_result not null,
+        /** Additional payload data if any. */
+        payload jsonb /* @use SentinelActivityPayload */ not null,
+        /** The sentinel decision for the action. */
+        decision sentinel_decision not null,
+        /** The expiry date of the decision. */
+        decision_expires_at timestamptz not null default(now()),
+        /** The time the activity was created. */
+        created_at timestamptz not null default(now()),
+        primary key (id)
+      );
+
+      create index sentinel_activities__id
+        on sentinel_activities (tenant_id, id);
+
+      create index sentinel_activities__target_type_target_hash_action_action_result_decision
+        on sentinel_activities (tenant_id, target_type, target_hash, action, action_result, decision);
+
+      create trigger set_tenant_id before insert on sentinel_activities
+        for each row execute procedure set_tenant_id();
+
+      alter table sentinel_activities enable row level security;
+
+      create policy sentinel_activities_tenant_id on sentinel_activities
+        as restrictive
+        using (tenant_id = (select id from tenants where db_user = current_user));
+
+      create policy sentinel_activities_modification on sentinel_activities
+        using (true);
+
+      grant select, insert, update, delete on sentinel_activities to ${baseRoleId};
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      drop policy sentinel_activities_tenant_id on sentinel_activities;
+      drop policy sentinel_activities_modification on sentinel_activities;
+
+      drop table sentinel_activities;
+      drop type sentinel_action_result;
+      drop type sentinel_decision;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.9.2-1695198741-remove-m2m-app-admin-access-switch.ts

@@ -0,0 +1,307 @@
+import { generateStandardId } from '@logto/shared/universal';
+import { deduplicate } from '@silverhand/essentials';
+import { sql } from 'slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+enum InternalRole {
+  Admin = '#internal:admin',
+}
+
+enum RoleType {
+  User = 'User',
+  MachineToMachine = 'MachineToMachine',
+}
+
+enum PredefinedScope {
+  All = 'all',
+}
+
+const getManagementApiResourceIndicator = (tenantId: string) => `https://${tenantId}.logto.app/api`;
+
+const managementApiAccessRoleName = 'Management API access';
+const managementApiAccessRoleDescription = 'Management API access';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    /**
+     * Step 1
+     * Get all internal admin roles.
+     */
+    /**
+     * Notice that in our case:
+     * Each tenant has only one built-in management API resource and one attached internal admin role.
+     * Each internal admin role has only one scope (`PredefinedScope.All`).
+     *
+     * Can go to @logto/schemas/src/{utils,seeds}/* to find more details.
+     *
+     * Based on this setup, we can use the following query to get all internal admin roles.
+     */
+    const { rows: internalManagementApiRolesCandidates } = await pool.query<{
+      roleId: string;
+      tenantId: string;
+      scopeId: string;
+      indicator: string;
+    }>(sql`
+      select
+        roles.id as "role_id",
+        roles.tenant_id as "tenant_id",
+        scopes.id as "scope_id",
+        resources.indicator as "indicator" from roles
+      join roles_scopes
+        on roles_scopes.role_id = roles.id and roles_scopes.tenant_id = roles.tenant_id
+      join scopes
+        on scopes.id = roles_scopes.scope_id and scopes.tenant_id = roles_scopes.tenant_id
+      join resources
+        on resources.id = scopes.resource_id and resources.tenant_id = scopes.tenant_id
+      where
+        roles.name = ${InternalRole.Admin}
+        and roles.type = ${RoleType.MachineToMachine}
+        and scopes.name = ${PredefinedScope.All}
+        and resources.indicator like ${getManagementApiResourceIndicator('%')}
+        and resources.name = 'Logto Management API'
+    `);
+    // Can not directly use the result from the query unless we use subquery, separate the filter and subquery for easy understanding.
+    const internalManagementApiRoles = internalManagementApiRolesCandidates.filter(
+      ({ indicator, tenantId }) => indicator === getManagementApiResourceIndicator(tenantId)
+    );
+    /**
+     * Step 2
+     * Get all applications_roles related to the internal admin roles.
+     */
+    const { rows: applicationRoles } = await pool.query<{
+      id: string;
+      applicationId: string;
+      roleId: string;
+      tenantId: string;
+    }>(sql`
+      select * from applications_roles where (role_id, tenant_id) in (values ${sql.join(
+        internalManagementApiRoles.map(({ roleId, tenantId }) => sql`( ${roleId}, ${tenantId} )`),
+        sql`, `
+      )});
+    `);
+    /**
+     * Step 3
+     * Create new roles with only management API access for tenants (m2m apps with internal admin access should share the same role),
+     * we can not directly assign internal admin roles to m2m applications since it's "internal" and invisible to Logto users.
+     */
+    /** A tenant can have multiple applications with internal admin role, hence need to `deduplicate()`. */
+    const tenantsNeedManagementApiAccessRole = deduplicate(
+      applicationRoles.map(({ tenantId }) => tenantId)
+    );
+    if (tenantsNeedManagementApiAccessRole.length === 0) {
+      return;
+    }
+    const { rows: insertedRoles } = await pool.query<{
+      id: string;
+      tenantId: string;
+      name: string;
+      description: string;
+      type: RoleType;
+    }>(sql`
+      insert into roles (tenant_id, id, name, description, type) values ${sql.join(
+        tenantsNeedManagementApiAccessRole.map(
+          (tenantId) =>
+            sql`( ${tenantId}, ${generateStandardId()}, ${managementApiAccessRoleName}, ${managementApiAccessRoleDescription}, ${
+              RoleType.MachineToMachine
+            } )`
+        ),
+        sql`, `
+      )} returning *;
+    `);
+    /**
+     * Step 4
+     * Assign internal admin access scopes to new roles.
+     */
+    await Promise.all(
+      insertedRoles.map(async ({ tenantId, id: roleId }) => {
+        const internalRoleForTenant = internalManagementApiRoles.find(
+          ({ tenantId: roleTenantId }) => tenantId === roleTenantId
+        );
+        if (!internalRoleForTenant) {
+          return;
+        }
+        await pool.query<{
+          tenantId: string;
+          id: string;
+          roleId: string;
+          scopeId: string;
+        }>(sql`
+          insert into roles_scopes (tenant_id, id, role_id, scope_id) values (${tenantId}, ${generateStandardId()}, ${roleId}, ${
+            internalRoleForTenant.scopeId
+          });
+        `);
+      })
+    );
+    /**
+     * Step 5
+     * Should remove internal admin access roles from m2m applications and assign new roles (created in step 3) to them.
+     * These two steps can be done by simply replace the role_id in applications_roles table.
+     */
+    await Promise.all(
+      insertedRoles.map(async ({ tenantId, id: roleId }) => {
+        const applicationRolesOfTheTenant = applicationRoles.filter(
+          ({ tenantId: applicationRoleTenantId }) => tenantId === applicationRoleTenantId
+        );
+        const previousInternalRole = internalManagementApiRoles.find(
+          ({ tenantId: internalRoleTenantId }) => internalRoleTenantId === tenantId
+        );
+        if (applicationRolesOfTheTenant.length === 0 || !previousInternalRole) {
+          return;
+        }
+        await pool.query<{
+          id: string;
+          applicationId: string;
+          roleId: string;
+          tenantId: string;
+        }>(sql`
+          update applications_roles set role_id = ${roleId} where tenant_id = ${tenantId} and role_id = ${
+            previousInternalRole.roleId
+          } and application_id in (${sql.join(
+            applicationRolesOfTheTenant.map(({ applicationId }) => applicationId),
+            sql`, `
+          )});
+        `);
+      })
+    );
+  },
+  down: async (pool) => {
+    /**
+     * Step 1
+     * Get all auto-created management api access roles.
+     * Notice that in our case: each management api access role has only one scope (`PredefinedScope.All`), and each tenant has only one management api access role.
+     */
+    /**
+     * Notice that in our case:
+     * Each tenant has only one built-in management API resource and one attached management API access role.
+     * Each management API access role role has only one scope (`PredefinedScope.All`).
+     *
+     * Can go to @logto/schemas/src/{utils,seeds}/* to find more details.
+     *
+     * Based on this setup, we can use the following query to get all internal admin roles.
+     */
+    const { rows: managementApiAccessRolesCandidates } = await pool.query<{
+      roleId: string;
+      tenantId: string;
+      scopeId: string;
+      indicator: string;
+    }>(sql`
+      select
+        roles.id as "role_id",
+        roles.tenant_id as "tenant_id",
+        scopes.id as "scope_id",
+        resources.indicator as "indicator" from roles
+      join roles_scopes
+        on roles_scopes.role_id = roles.id and roles_scopes.tenant_id = roles.tenant_id
+      join scopes
+        on scopes.id = roles_scopes.scope_id and scopes.tenant_id = roles_scopes.tenant_id
+      join resources
+        on resources.id = scopes.resource_id and resources.tenant_id = scopes.tenant_id
+      where
+        roles.name = ${managementApiAccessRoleName}
+        and roles.description = ${managementApiAccessRoleDescription}
+        and roles.type = ${RoleType.MachineToMachine}
+        and scopes.name = ${PredefinedScope.All}
+        and resources.indicator like ${getManagementApiResourceIndicator('%')}
+        and resources.name = 'Logto Management API';
+    `);
+    // Can not directly use the result from the query unless we use subquery, separate the filter and subquery for easy understanding.
+    const managementApiAccessRoles = managementApiAccessRolesCandidates.filter(
+      ({ indicator, tenantId }) => indicator === getManagementApiResourceIndicator(tenantId)
+    );
+    /**
+     * Step 2
+     * Get all applications_roles related to the management api access role.
+     */
+    if (managementApiAccessRoles.length === 0) {
+      return;
+    }
+    const { rows: applicationRoles } = await pool.query<{
+      id: string;
+      applicationId: string;
+      roleId: string;
+      tenantId: string;
+    }>(sql`
+      select * from applications_roles where (role_id, tenant_id) in (values ${sql.join(
+        managementApiAccessRoles.map(({ roleId, tenantId }) => sql`( ${roleId}, ${tenantId} )`),
+        sql`, `
+      )});
+    `);
+    /**
+     * Step 3
+     * Find all internal admin access roles.
+     */
+    const concernedTenantIds = deduplicate(
+      managementApiAccessRoles.map(({ tenantId }) => tenantId)
+    );
+    const { rows: internalAdminAccessRoles } = await pool.query<{
+      roleId: string;
+      tenantId: string;
+    }>(sql`
+      select
+        roles.id as "roleId",
+        roles.tenant_id as "tenantId" from roles
+      join roles_scopes
+        on roles.tenant_id = roles_scopes.tenant_id and roles.id = roles_scopes.role_id
+      join scopes
+        on scopes.tenant_id = roles_scopes.tenant_id and scopes.id = roles_scopes.scope_id
+      join resources
+        on resources.id = scopes.resource_id and resources.tenant_id = scopes.tenant_id
+      where
+        roles.name = ${InternalRole.Admin}
+        and ( roles.tenant_id, resources.indicator ) in (values ${sql.join(
+          concernedTenantIds.map(
+            (tenantId) => sql`( ${tenantId}, ${getManagementApiResourceIndicator(tenantId)} )`
+          ),
+          sql`, `
+        )});
+    `);
+    /**
+     * Step 4
+     * Assign internal admin access roles to m2m apps with management api access roles. (Found in step 2)
+     */
+    await Promise.all(
+      internalAdminAccessRoles.map(async ({ roleId: internalAdminAccessRoleId, tenantId }) => {
+        const pendingApplicationsOfTenant = applicationRoles.filter(
+          ({ tenantId: applicationTenantId }) => tenantId === applicationTenantId
+        );
+        const previousManagementApiAccessRole = managementApiAccessRoles.find(
+          ({ tenantId: managementApiAccessRoleTenantId }) =>
+            managementApiAccessRoleTenantId === tenantId
+        );
+        if (pendingApplicationsOfTenant.length === 0 || !previousManagementApiAccessRole) {
+          return;
+        }
+        await pool.query<{
+          id: string;
+          applicationId: string;
+          roleId: string;
+          tenantId: string;
+        }>(sql`
+          update applications_roles set role_id = ${internalAdminAccessRoleId} where tenant_id = ${tenantId} and role_id = ${
+            previousManagementApiAccessRole.roleId
+          } and application_id in (${sql.join(
+            pendingApplicationsOfTenant.map(({ applicationId }) => applicationId),
+            sql`, `
+          )});
+        `);
+      })
+    );
+    /**
+     * Step 5
+     * Remove management api access roles. (`roles_scopes` will automatically be removed if roles are removed)
+     */
+    if (managementApiAccessRoles.length === 0) {
+      return;
+    }
+    await Promise.all(
+      managementApiAccessRoles.map(async ({ roleId, tenantId }) => {
+        await pool.query(sql`
+          delete from roles where id = ${roleId} and tenant_id = ${tenantId};
+        `);
+      })
+    );
+  },
+};
+
+export default alteration;

package/alterations-js/1.9.2-1694854226-init-sentinel.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.9.2-1694854226-init-sentinel.js

@@ -0,0 +1,72 @@
+import { sql } from 'slonik';
+const getDatabaseName = async (pool) => {
+    const { currentDatabase } = await pool.one(sql `
+    select current_database();
+  `);
+    return currentDatabase.replaceAll('-', '_');
+};
+const alteration = {
+    up: async (pool) => {
+        const database = await getDatabaseName(pool);
+        const baseRoleId = sql.identifier([`logto_tenant_${database}`]);
+        await pool.query(sql `
+      create type sentinel_action_result as enum ('Success', 'Failed');
+
+      create type sentinel_decision as enum ('Undecided', 'Allowed', 'Blocked', 'Challenge');
+
+      create table sentinel_activities (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(21) not null,
+        /** The target that the action was performed on. */
+        target_type varchar(32) /* @use SentinelActivityTargetType */ not null,
+        /** The target hashed identifier. */
+        target_hash varchar(64) not null,
+        /** The action name that was performed. */
+        action varchar(64) /* @use SentinelActivityAction */ not null,
+        /** If the action was successful or not. */
+        action_result sentinel_action_result not null,
+        /** Additional payload data if any. */
+        payload jsonb /* @use SentinelActivityPayload */ not null,
+        /** The sentinel decision for the action. */
+        decision sentinel_decision not null,
+        /** The expiry date of the decision. */
+        decision_expires_at timestamptz not null default(now()),
+        /** The time the activity was created. */
+        created_at timestamptz not null default(now()),
+        primary key (id)
+      );
+
+      create index sentinel_activities__id
+        on sentinel_activities (tenant_id, id);
+
+      create index sentinel_activities__target_type_target_hash_action_action_result_decision
+        on sentinel_activities (tenant_id, target_type, target_hash, action, action_result, decision);
+
+      create trigger set_tenant_id before insert on sentinel_activities
+        for each row execute procedure set_tenant_id();
+
+      alter table sentinel_activities enable row level security;
+
+      create policy sentinel_activities_tenant_id on sentinel_activities
+        as restrictive
+        using (tenant_id = (select id from tenants where db_user = current_user));
+
+      create policy sentinel_activities_modification on sentinel_activities
+        using (true);
+
+      grant select, insert, update, delete on sentinel_activities to ${baseRoleId};
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      drop policy sentinel_activities_tenant_id on sentinel_activities;
+      drop policy sentinel_activities_modification on sentinel_activities;
+
+      drop table sentinel_activities;
+      drop type sentinel_action_result;
+      drop type sentinel_decision;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.9.2-1695198741-remove-m2m-app-admin-access-switch.d.ts

@@ -0,0 +1,3 @@
+import type { AlterationScript } from '../lib/types/alteration.js';
+declare const alteration: AlterationScript;
+export default alteration;

package/alterations-js/1.9.2-1695198741-remove-m2m-app-admin-access-switch.js

@@ -0,0 +1,199 @@
+import { generateStandardId } from '@logto/shared/universal';
+import { deduplicate } from '@silverhand/essentials';
+import { sql } from 'slonik';
+var InternalRole;
+(function (InternalRole) {
+    InternalRole["Admin"] = "#internal:admin";
+})(InternalRole || (InternalRole = {}));
+var RoleType;
+(function (RoleType) {
+    RoleType["User"] = "User";
+    RoleType["MachineToMachine"] = "MachineToMachine";
+})(RoleType || (RoleType = {}));
+var PredefinedScope;
+(function (PredefinedScope) {
+    PredefinedScope["All"] = "all";
+})(PredefinedScope || (PredefinedScope = {}));
+const getManagementApiResourceIndicator = (tenantId) => `https://${tenantId}.logto.app/api`;
+const managementApiAccessRoleName = 'Management API access';
+const managementApiAccessRoleDescription = 'Management API access';
+const alteration = {
+    up: async (pool) => {
+        /**
+         * Step 1
+         * Get all internal admin roles.
+         */
+        /**
+         * Notice that in our case:
+         * Each tenant has only one built-in management API resource and one attached internal admin role.
+         * Each internal admin role has only one scope (`PredefinedScope.All`).
+         *
+         * Can go to @logto/schemas/src/{utils,seeds}/* to find more details.
+         *
+         * Based on this setup, we can use the following query to get all internal admin roles.
+         */
+        const { rows: internalManagementApiRolesCandidates } = await pool.query(sql `
+      select
+        roles.id as "role_id",
+        roles.tenant_id as "tenant_id",
+        scopes.id as "scope_id",
+        resources.indicator as "indicator" from roles
+      join roles_scopes
+        on roles_scopes.role_id = roles.id and roles_scopes.tenant_id = roles.tenant_id
+      join scopes
+        on scopes.id = roles_scopes.scope_id and scopes.tenant_id = roles_scopes.tenant_id
+      join resources
+        on resources.id = scopes.resource_id and resources.tenant_id = scopes.tenant_id
+      where
+        roles.name = ${InternalRole.Admin}
+        and roles.type = ${RoleType.MachineToMachine}
+        and scopes.name = ${PredefinedScope.All}
+        and resources.indicator like ${getManagementApiResourceIndicator('%')}
+        and resources.name = 'Logto Management API'
+    `);
+        // Can not directly use the result from the query unless we use subquery, separate the filter and subquery for easy understanding.
+        const internalManagementApiRoles = internalManagementApiRolesCandidates.filter(({ indicator, tenantId }) => indicator === getManagementApiResourceIndicator(tenantId));
+        /**
+         * Step 2
+         * Get all applications_roles related to the internal admin roles.
+         */
+        const { rows: applicationRoles } = await pool.query(sql `
+      select * from applications_roles where (role_id, tenant_id) in (values ${sql.join(internalManagementApiRoles.map(({ roleId, tenantId }) => sql `( ${roleId}, ${tenantId} )`), sql `, `)});
+    `);
+        /**
+         * Step 3
+         * Create new roles with only management API access for tenants (m2m apps with internal admin access should share the same role),
+         * we can not directly assign internal admin roles to m2m applications since it's "internal" and invisible to Logto users.
+         */
+        /** A tenant can have multiple applications with internal admin role, hence need to `deduplicate()`. */
+        const tenantsNeedManagementApiAccessRole = deduplicate(applicationRoles.map(({ tenantId }) => tenantId));
+        if (tenantsNeedManagementApiAccessRole.length === 0) {
+            return;
+        }
+        const { rows: insertedRoles } = await pool.query(sql `
+      insert into roles (tenant_id, id, name, description, type) values ${sql.join(tenantsNeedManagementApiAccessRole.map((tenantId) => sql `( ${tenantId}, ${generateStandardId()}, ${managementApiAccessRoleName}, ${managementApiAccessRoleDescription}, ${RoleType.MachineToMachine} )`), sql `, `)} returning *;
+    `);
+        /**
+         * Step 4
+         * Assign internal admin access scopes to new roles.
+         */
+        await Promise.all(insertedRoles.map(async ({ tenantId, id: roleId }) => {
+            const internalRoleForTenant = internalManagementApiRoles.find(({ tenantId: roleTenantId }) => tenantId === roleTenantId);
+            if (!internalRoleForTenant) {
+                return;
+            }
+            await pool.query(sql `
+          insert into roles_scopes (tenant_id, id, role_id, scope_id) values (${tenantId}, ${generateStandardId()}, ${roleId}, ${internalRoleForTenant.scopeId});
+        `);
+        }));
+        /**
+         * Step 5
+         * Should remove internal admin access roles from m2m applications and assign new roles (created in step 3) to them.
+         * These two steps can be done by simply replace the role_id in applications_roles table.
+         */
+        await Promise.all(insertedRoles.map(async ({ tenantId, id: roleId }) => {
+            const applicationRolesOfTheTenant = applicationRoles.filter(({ tenantId: applicationRoleTenantId }) => tenantId === applicationRoleTenantId);
+            const previousInternalRole = internalManagementApiRoles.find(({ tenantId: internalRoleTenantId }) => internalRoleTenantId === tenantId);
+            if (applicationRolesOfTheTenant.length === 0 || !previousInternalRole) {
+                return;
+            }
+            await pool.query(sql `
+          update applications_roles set role_id = ${roleId} where tenant_id = ${tenantId} and role_id = ${previousInternalRole.roleId} and application_id in (${sql.join(applicationRolesOfTheTenant.map(({ applicationId }) => applicationId), sql `, `)});
+        `);
+        }));
+    },
+    down: async (pool) => {
+        /**
+         * Step 1
+         * Get all auto-created management api access roles.
+         * Notice that in our case: each management api access role has only one scope (`PredefinedScope.All`), and each tenant has only one management api access role.
+         */
+        /**
+         * Notice that in our case:
+         * Each tenant has only one built-in management API resource and one attached management API access role.
+         * Each management API access role role has only one scope (`PredefinedScope.All`).
+         *
+         * Can go to @logto/schemas/src/{utils,seeds}/* to find more details.
+         *
+         * Based on this setup, we can use the following query to get all internal admin roles.
+         */
+        const { rows: managementApiAccessRolesCandidates } = await pool.query(sql `
+      select
+        roles.id as "role_id",
+        roles.tenant_id as "tenant_id",
+        scopes.id as "scope_id",
+        resources.indicator as "indicator" from roles
+      join roles_scopes
+        on roles_scopes.role_id = roles.id and roles_scopes.tenant_id = roles.tenant_id
+      join scopes
+        on scopes.id = roles_scopes.scope_id and scopes.tenant_id = roles_scopes.tenant_id
+      join resources
+        on resources.id = scopes.resource_id and resources.tenant_id = scopes.tenant_id
+      where
+        roles.name = ${managementApiAccessRoleName}
+        and roles.description = ${managementApiAccessRoleDescription}
+        and roles.type = ${RoleType.MachineToMachine}
+        and scopes.name = ${PredefinedScope.All}
+        and resources.indicator like ${getManagementApiResourceIndicator('%')}
+        and resources.name = 'Logto Management API';
+    `);
+        // Can not directly use the result from the query unless we use subquery, separate the filter and subquery for easy understanding.
+        const managementApiAccessRoles = managementApiAccessRolesCandidates.filter(({ indicator, tenantId }) => indicator === getManagementApiResourceIndicator(tenantId));
+        /**
+         * Step 2
+         * Get all applications_roles related to the management api access role.
+         */
+        if (managementApiAccessRoles.length === 0) {
+            return;
+        }
+        const { rows: applicationRoles } = await pool.query(sql `
+      select * from applications_roles where (role_id, tenant_id) in (values ${sql.join(managementApiAccessRoles.map(({ roleId, tenantId }) => sql `( ${roleId}, ${tenantId} )`), sql `, `)});
+    `);
+        /**
+         * Step 3
+         * Find all internal admin access roles.
+         */
+        const concernedTenantIds = deduplicate(managementApiAccessRoles.map(({ tenantId }) => tenantId));
+        const { rows: internalAdminAccessRoles } = await pool.query(sql `
+      select
+        roles.id as "roleId",
+        roles.tenant_id as "tenantId" from roles
+      join roles_scopes
+        on roles.tenant_id = roles_scopes.tenant_id and roles.id = roles_scopes.role_id
+      join scopes
+        on scopes.tenant_id = roles_scopes.tenant_id and scopes.id = roles_scopes.scope_id
+      join resources
+        on resources.id = scopes.resource_id and resources.tenant_id = scopes.tenant_id
+      where
+        roles.name = ${InternalRole.Admin}
+        and ( roles.tenant_id, resources.indicator ) in (values ${sql.join(concernedTenantIds.map((tenantId) => sql `( ${tenantId}, ${getManagementApiResourceIndicator(tenantId)} )`), sql `, `)});
+    `);
+        /**
+         * Step 4
+         * Assign internal admin access roles to m2m apps with management api access roles. (Found in step 2)
+         */
+        await Promise.all(internalAdminAccessRoles.map(async ({ roleId: internalAdminAccessRoleId, tenantId }) => {
+            const pendingApplicationsOfTenant = applicationRoles.filter(({ tenantId: applicationTenantId }) => tenantId === applicationTenantId);
+            const previousManagementApiAccessRole = managementApiAccessRoles.find(({ tenantId: managementApiAccessRoleTenantId }) => managementApiAccessRoleTenantId === tenantId);
+            if (pendingApplicationsOfTenant.length === 0 || !previousManagementApiAccessRole) {
+                return;
+            }
+            await pool.query(sql `
+          update applications_roles set role_id = ${internalAdminAccessRoleId} where tenant_id = ${tenantId} and role_id = ${previousManagementApiAccessRole.roleId} and application_id in (${sql.join(pendingApplicationsOfTenant.map(({ applicationId }) => applicationId), sql `, `)});
+        `);
+        }));
+        /**
+         * Step 5
+         * Remove management api access roles. (`roles_scopes` will automatically be removed if roles are removed)
+         */
+        if (managementApiAccessRoles.length === 0) {
+            return;
+        }
+        await Promise.all(managementApiAccessRoles.map(async ({ roleId, tenantId }) => {
+            await pool.query(sql `
+          delete from roles where id = ${roleId} and tenant_id = ${tenantId};
+        `);
+        }));
+    },
+};
+export default alteration;

package/lib/db-entries/custom-types.d.ts

@@ -8,6 +8,16 @@ export declare enum RoleType {
     User = "User",
     MachineToMachine = "MachineToMachine"
 }
+export declare enum SentinelActionResult {
+    Success = "Success",
+    Failed = "Failed"
+}
+export declare enum SentinelDecision {
+    Undecided = "Undecided",
+    Allowed = "Allowed",
+    Blocked = "Blocked",
+    Challenge = "Challenge"
+}
 export declare enum SignInMode {
     SignIn = "SignIn",
     Register = "Register",