@mondaydotcomorg/monday-authorization 3.5.1 → 3.5.2-feat-shaime-support-entity-attributes-3-6202ab7

package/src/authorization-attributes-sns-service.ts

@@ -0,0 +1,257 @@
+import chunk from 'lodash/chunk.js';
+import { getTopicAttributes, sendToSns } from '@mondaydotcomorg/monday-sns';
+import {
+  ResourceAttributeOperation,
+  EntityAttributeOperation,
+  AttributeOperation,
+} from './types/authorization-attributes-contracts';
+import { Resource } from './types/general';
+import { logger } from './authorization-internal-service';
+import {
+  ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE,
+  ASYNC_ENTITY_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE,
+  RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND,
+  ENTITY_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND,
+  RESOURCE_SNS_ARN_ENV_VAR_NAME,
+  ENTITY_SNS_ARN_ENV_VAR_NAME,
+  RESOURCE_SNS_DEV_TEST_NAME,
+  ENTITY_SNS_DEV_TEST_NAME,
+  SnsTopicType,
+} from './constants/sns';
+import { AuthorizationAttributesService } from './types/authorization-attributes-service.interface';
+import { EntityType } from './entity-attributes-constants';
+import { ValidationUtils } from './utils/validation';
+import type { TopicAttributesMap } from 'aws-sdk/clients/sns';
+
+/**
+ * Service class for managing resource attributes asynchronously via SNS.
+ * Provides asynchronous operations to create/update and delete attributes on resources.
+ */
+export class AuthorizationAttributesSnsService implements AuthorizationAttributesService {
+  private static LOG_TAG = 'authorization_attributes';
+  private resourceSnsArn: string;
+  private entitySnsArn: string;
+
+  /**
+   * Public constructor to create the AuthorizationAttributesSnsService instance.
+   */
+  constructor() {
+    this.resourceSnsArn = AuthorizationAttributesSnsService.getSnsTopicArn(SnsTopicType.RESOURCE);
+    this.entitySnsArn = AuthorizationAttributesSnsService.getSnsTopicArn(SnsTopicType.ENTITY);
+  }
+
+  /**
+   * Async function to delete resource attributes using SNS.
+   * Sends the updates request to SNS and returns before the change actually took place.
+   * @param accountId The account ID
+   * @param appName App name of the calling app
+   * @param callerActionIdentifier Action identifier
+   * @param resource The resource (resourceType, resourceId)
+   * @param attributeKeys Array of attribute keys to delete
+   * @return Promise with array of sent operations
+   */
+  async deleteResourceAttributes(
+    accountId: number,
+    resource: Resource,
+    attributeKeys: string[],
+    appName?: string,
+    callerActionIdentifier?: string
+  ): Promise<ResourceAttributeOperation[]> {
+    if (!appName || !callerActionIdentifier) {
+      throw new Error('appName and callerActionIdentifier are required for SNS service');
+    }
+    const operations: ResourceAttributeOperation[] = attributeKeys.map(
+      key =>
+        ({
+          resourceType: resource.type,
+          resourceId: resource.id,
+          key,
+          operationType: AttributeOperation.DELETE,
+        } as ResourceAttributeOperation)
+    );
+    return this.updateResourceAttributes(accountId, appName, callerActionIdentifier, operations);
+  }
+
+  /**
+   * Async function to delete entity attributes using SNS.
+   * Sends the updates request to SNS and returns before the change actually took place.
+   * @param accountId The account ID
+   * @param appName App name of the calling app
+   * @param callerActionIdentifier Action identifier
+   * @param entityType The entity type
+   * @param entityId The entity ID
+   * @param attributeKeys Array of attribute keys to delete
+   * @return Promise with array of sent operations
+   */
+  async deleteEntityAttributes(
+    accountId: number,
+    entityType: EntityType,
+    entityId: number,
+    attributeKeys: string[],
+    appName?: string,
+    callerActionIdentifier?: string
+  ): Promise<EntityAttributeOperation[]> {
+    if (!appName || !callerActionIdentifier) {
+      throw new Error('appName and callerActionIdentifier are required for SNS service');
+    }
+    const operations: EntityAttributeOperation[] = attributeKeys.map(key => {
+      ValidationUtils.validateEntityAssignment({ entityId, entityType, key, value: '' });
+      return {
+        entityType: entityType,
+        entityId,
+        key,
+        operationType: AttributeOperation.DELETE,
+        value: '',
+      };
+    });
+    return this.updateEntityAttributes(accountId, appName, callerActionIdentifier, operations);
+  }
+
+  /**
+   *  Async function, this function only send the updates request to SNS and return before the change actually took place
+   * @param accountId
+   * @param appName - App name of the calling app
+   * @param callerActionIdentifier - action identifier
+   * @param resourceAttributeOperations - Array of operations to do on resource attributes.
+   * @return {Promise<ResourceAttributesOperation[]>} Array of sent operations
+   *  */
+  async updateResourceAttributes(
+    accountId: number,
+    appName: string,
+    callerActionIdentifier: string,
+    resourceAttributeOperations: ResourceAttributeOperation[]
+  ): Promise<ResourceAttributeOperation[]> {
+    const topicArn: string = this.resourceSnsArn;
+    const sendToSnsPromises: Promise<ResourceAttributeOperation[]>[] = [];
+    const operationChucks = chunk(resourceAttributeOperations, ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE);
+    for (const operationsChunk of operationChucks) {
+      sendToSnsPromises.push(
+        this.sendSingleSnsMessage(
+          topicArn,
+          accountId,
+          appName,
+          callerActionIdentifier,
+          operationsChunk,
+          RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND,
+          'Authorization resource attributes async update: failed to send operations to SNS'
+        )
+      );
+    }
+    return (await Promise.all(sendToSnsPromises)).flat();
+  }
+
+  /**
+   *  Async function, this function only send the updates request to SNS and return before the change actually took place
+   * @param accountId
+   * @param appName - App name of the calling app
+   * @param callerActionIdentifier - action identifier
+   * @param entityAttributeOperations - Array of operations to do on entity attributes.
+   * @return {Promise<EntityAttributeOperation[]>} Array of sent operations
+   *  */
+  async updateEntityAttributes(
+    accountId: number,
+    appName: string,
+    callerActionIdentifier: string,
+    entityAttributeOperations: EntityAttributeOperation[]
+  ): Promise<EntityAttributeOperation[]> {
+    const topicArn: string = this.entitySnsArn;
+    const sendToSnsPromises: Promise<EntityAttributeOperation[]>[] = [];
+    const operationChucks = chunk(entityAttributeOperations, ASYNC_ENTITY_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE);
+    for (const operationsChunk of operationChucks) {
+      sendToSnsPromises.push(
+        this.sendSingleSnsMessage(
+          topicArn,
+          accountId,
+          appName,
+          callerActionIdentifier,
+          operationsChunk,
+          ENTITY_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND,
+          'Authorization entity attributes async update: failed to send operations to SNS'
+        )
+      );
+    }
+    return (await Promise.all(sendToSnsPromises)).flat();
+  }
+
+  private async sendSingleSnsMessage<T extends ResourceAttributeOperation | EntityAttributeOperation>(
+    topicArn: string,
+    accountId: number,
+    appName: string,
+    callerActionIdentifier: string,
+    operations: T[],
+    kind: string,
+    errorLogMessage: string
+  ): Promise<T[]> {
+    const payload = {
+      kind,
+      payload: {
+        accountId: accountId,
+        callerAppName: appName,
+        callerActionIdentifier: callerActionIdentifier,
+        operations: operations,
+      },
+    };
+    try {
+      await sendToSns(payload, topicArn);
+      return operations;
+    } catch (error) {
+      logger.error({ error, tag: AuthorizationAttributesSnsService.LOG_TAG }, errorLogMessage);
+      return [];
+    }
+  }
+
+  private static getSnsTopicArn(type: SnsTopicType): string {
+    let envVarName: string;
+    let devTestName: string;
+
+    switch (type) {
+      case SnsTopicType.ENTITY:
+        envVarName = ENTITY_SNS_ARN_ENV_VAR_NAME;
+        devTestName = ENTITY_SNS_DEV_TEST_NAME;
+        break;
+      default:
+        // Default to resource SNS constants
+        envVarName = RESOURCE_SNS_ARN_ENV_VAR_NAME;
+        devTestName = RESOURCE_SNS_DEV_TEST_NAME;
+        break;
+    }
+
+    const arnFromEnv: string | undefined = process.env[envVarName];
+    if (arnFromEnv) {
+      return arnFromEnv;
+    }
+    if (process.env.NODE_ENV === 'development' || process.env.NODE_ENV === 'test') {
+      return devTestName;
+    }
+    throw new Error(`Unable to get ${type} sns topic arn from env variable`);
+  }
+
+  /**
+   * Checks we can contact the required SNS topic that used to send attribute updates to Authorization MS.
+   * This function can be used as health check for services that updating resource attributes in async is crucial.
+   * Note this function only verify the POD can contact AWS SDK and the topic exists, but the user still might get
+   * errors when pushing for the SNS (e.g: in case the AWS role of the POD don't have permissions to push messages).
+   * However, this is the best we can do without actually push dummy messages to the SNS.
+   * @return {Promise<boolean>} - true if succeeded
+   */
+  async asyncResourceAttributesHealthCheck(): Promise<boolean> {
+    try {
+      const requestedTopicArn: string = this.resourceSnsArn;
+      const attributes: TopicAttributesMap = await getTopicAttributes(requestedTopicArn);
+      const isHealthy = !(!attributes || !('TopicArn' in attributes) || attributes.TopicArn !== requestedTopicArn);
+      if (!isHealthy) {
+        logger.error(
+          { requestedTopicArn, snsReturnedAttributes: attributes, tag: AuthorizationAttributesSnsService.LOG_TAG },
+          'authorization-attributes-service failed in health check'
+        );
+      }
+      return isHealthy;
+    } catch (error) {
+      logger.error(
+        { error, tag: AuthorizationAttributesSnsService.LOG_TAG },
+        'authorization-attributes-service got error during health check'
+      );
+      return false;
+    }
+  }
+}

package/src/base-attribute-assignment.ts

@@ -0,0 +1,30 @@
+import isEqual from 'lodash/isEqual.js';
+
+/**
+ * Base class for attribute assignments (Resource or Entity)
+ * Provides common validation and functionality
+ */
+export abstract class BaseAttributeAssignment<T, R> {
+  public readonly id: number;
+  public readonly type: T;
+  public readonly attributeKey: string;
+  public readonly attributeValue: string;
+
+  constructor(id: number, type: T, attributeKey: string, attributeValue: string) {
+    this.id = id;
+    this.type = type;
+    this.attributeKey = attributeKey;
+    this.attributeValue = attributeValue;
+  }
+
+  /**
+   * Compares two assignments for equality
+   * @param other Another assignment instance
+   * @returns true if all properties are equal
+   */
+  equals(other: BaseAttributeAssignment<T, R>): boolean {
+    return isEqual(this, other);
+  }
+
+  abstract toDataTransferObject(): R;
+}

package/src/constants/sns.ts

@@ -1,5 +1,22 @@
-export const SNS_ARN_ENV_VAR_NAME = 'SHARED_AUTHORIZATION_SNS_ENDPOINT_RESOURCE_ATTRIBUTES';
-export const SNS_DEV_TEST_NAME =
+export enum SnsTopicType {
+  RESOURCE = 'resource',
+  ENTITY = 'entity',
+}
+
+// Resource SNS constants
+export const RESOURCE_SNS_ARN_ENV_VAR_NAME = 'SHARED_AUTHORIZATION_SNS_ENDPOINT_RESOURCE_ATTRIBUTES';
+export const RESOURCE_SNS_DEV_TEST_NAME =
   'arn:aws:sns:us-east-1:000000000000:monday-authorization-resource-attributes-sns-local';
+
+// Entity SNS constants
+export const ENTITY_SNS_ARN_ENV_VAR_NAME = 'SHARED_AUTHORIZATION_SNS_ENDPOINT_ENTITY_ATTRIBUTES';
+export const ENTITY_SNS_DEV_TEST_NAME =
+  'arn:aws:sns:us-east-1:000000000000:monday-authorization-entity-attributes-sns-local';
 export const RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = 'resourceAttributeModification';
+export const ENTITY_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = 'entityAttributeModification';
 export const ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;
+export const ASYNC_ENTITY_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;
+
+// Legacy exports for backward compatibility
+export const SNS_ARN_ENV_VAR_NAME = RESOURCE_SNS_ARN_ENV_VAR_NAME;
+export const SNS_DEV_TEST_NAME = RESOURCE_SNS_DEV_TEST_NAME;

package/src/entity-attribute-assignment.ts

@@ -0,0 +1,33 @@
+import { EntityType } from './entity-attributes-constants';
+import { BaseAttributeAssignment } from './base-attribute-assignment';
+import { EntityAttributeAssignment as EntityAttributeAssignmentContract } from './types/authorization-attributes-contracts';
+import { ValidationUtils } from './utils/validation';
+
+export class EntityAttributeAssignment extends BaseAttributeAssignment<EntityType, EntityAttributeAssignmentContract> {
+  public readonly entityId: number;
+  public readonly entityType: EntityType;
+
+  constructor(entityId: number, entityType: EntityType, attributeKey: string, attributeValue: string) {
+    ValidationUtils.validateEntityAssignment({ entityId, entityType, key: attributeKey, value: attributeValue });
+    super(entityId, entityType, attributeKey, attributeValue);
+    this.entityId = entityId;
+    this.entityType = entityType;
+  }
+
+  toDataTransferObject(): EntityAttributeAssignmentContract {
+    return {
+      entityId: this.entityId,
+      entityType: this.entityType,
+      key: this.attributeKey,
+      value: this.attributeValue,
+    };
+  }
+  /**
+   * Compares two assignments for equality
+   * @param other Another EntityAttributeAssignment instance
+   * @returns true if all properties are equal
+   */
+  equals(other: EntityAttributeAssignment): boolean {
+    return super.equals(other);
+  }
+}

package/src/entity-attributes-constants.ts

@@ -0,0 +1,7 @@
+export enum EntityType {
+  User = 'user',
+  Team = 'team',
+  Account = 'account',
+}
+
+export const ENTITY_TYPES = Object.freeze(Object.values(EntityType));

package/src/errors/argument-error.ts

@@ -0,0 +1,6 @@
+export class ArgumentError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'ArgumentError';
+  }
+}

package/src/resource-attribute-assignment.ts

@@ -0,0 +1,36 @@
+import { ResourceType } from './resource-attributes-constants';
+import { BaseAttributeAssignment } from './base-attribute-assignment';
+import { ResourceAttributeAssignment as ResourceAttributeAssignmentContract } from './types/authorization-attributes-contracts';
+import { ValidationUtils } from './utils/validation';
+
+export class ResourceAttributeAssignment extends BaseAttributeAssignment<
+  ResourceType,
+  ResourceAttributeAssignmentContract
+> {
+  public readonly resourceId: number;
+  public readonly resourceType: ResourceType;
+
+  constructor(resourceId: number, resourceType: ResourceType, attributeKey: string, attributeValue: string) {
+    ValidationUtils.validateResourceAssignment({ resourceId, resourceType, key: attributeKey, value: attributeValue });
+    super(resourceId, resourceType, attributeKey, attributeValue);
+    this.resourceId = resourceId;
+    this.resourceType = this.type;
+  }
+
+  toDataTransferObject(): ResourceAttributeAssignmentContract {
+    return {
+      resourceId: this.resourceId,
+      resourceType: this.resourceType,
+      key: this.attributeKey,
+      value: this.attributeValue,
+    };
+  }
+  /**
+   * Compares two assignments for equality
+   * @param other Another ResourceAttributeAssignment instance
+   * @returns true if all properties are equal
+   */
+  equals(other: ResourceAttributeAssignment): boolean {
+    return super.equals(other);
+  }
+}

package/src/resource-attributes-constants.ts

@@ -0,0 +1,27 @@
+export const RESOURCE_ATTRIBUTES_CONSTANTS = Object.freeze({
+  ACCOUNT_RESOURCE_ATTRIBUTES: {
+    ENABLE_MEMBERS_INVITE_FROM_NON_AUTH_DOMAIN: 'enable_members_invite_from_non_auth_domain',
+  },
+  WORKSPACE_RESOURCE_ATTRIBUTES: {
+    IS_DEFAULT_WORKSPACE: 'is_default_workspace',
+  },
+  BOARD_RESOURCE_ATTRIBUTES: {
+    IS_SYNCABLE_CHILD_ENTITY: 'is_syncable_child_entity',
+    SYSTEM_ENTITY_TYPE: 'system_entity_type',
+  },
+});
+
+export enum ResourceType {
+  Account = 'account',
+  AccountProduct = 'account_product',
+  Workspace = 'workspace',
+  Board = 'board',
+  Item = 'item',
+  Team = 'team',
+  Overview = 'overview',
+  Document = 'document',
+  Crm = 'crm',
+}
+
+// Define the array of strings and use 'as const' to make its contents literal types
+export const RESOURCE_TYPES = Object.freeze(Object.values(ResourceType));

package/src/types/authorization-attributes-contracts.ts

@@ -1,33 +1,56 @@
 import { Resource } from './general';
+import type { EntityType } from '../entity-attributes-constants';
+import type { ResourceType } from '../resource-attributes-constants';
 
-export interface ResourceAttributeAssignment {
-  resourceType: Resource['type'];
-  resourceId: Resource['id'];
+export interface AttributeAssignment {
   key: string;
   value: string;
 }
 
-export interface ResourceAttributeResponse {
-  attributes: ResourceAttributeAssignment[];
+// Resource Attribute Assignment - matching API contract
+export interface ResourceAttributeAssignment extends AttributeAssignment {
+  resourceId: number;
+  resourceType: ResourceType;
 }
 
+// Entity Attribute Assignment - matching API contract
+// Note: For validation, use the EntityAttributeAssignment class from '../entity-attribute-assignment'
+export interface EntityAttributeAssignment extends AttributeAssignment {
+  entityId: number;
+  entityType: EntityType;
+}
+
+// Legacy types for backward compatibility
 export interface ResourceAttributeDelete {
   resourceType: Resource['type'];
   resourceId: Resource['id'];
   key: string;
 }
 
-export enum ResourceAttributeOperationEnum {
+export interface EntityAttributeDelete {
+  entityType: EntityType;
+  entityId: number;
+  key: string;
+}
+
+export enum AttributeOperation {
   UPSERT = 'upsert',
   DELETE = 'delete',
 }
 
-interface UpsertResourceAttributeOperation extends ResourceAttributeAssignment {
-  operationType: ResourceAttributeOperationEnum.UPSERT;
+// Response types
+export interface ResourceAttributeResponse {
+  attributes: ResourceAttributeAssignment[];
 }
 
-interface DeleteResourceAttributeOperation extends ResourceAttributeDelete {
-  operationType: ResourceAttributeOperationEnum.DELETE;
+export interface EntityAttributeResponse {
+  attributes: EntityAttributeAssignment[];
 }
 
-export type ResourceAttributesOperation = UpsertResourceAttributeOperation | DeleteResourceAttributeOperation;
+export interface ResourceAttributeOperation extends ResourceAttributeAssignment {
+  operationType: AttributeOperation;
+}
+
+export interface EntityAttributeOperation extends EntityAttributeAssignment {
+  operationType: AttributeOperation;
+}

package/src/types/authorization-attributes-service.interface.ts

@@ -0,0 +1,70 @@
+import { EntityType } from '../entity-attributes-constants';
+import { ResourceAttributeOperation, EntityAttributeOperation } from './authorization-attributes-contracts';
+import { Resource } from './general';
+
+/**
+ * Resource type compatible with both MS and SNS services
+ */
+export interface CompatibleResource {
+  resourceType?: string;
+  resourceId?: number;
+  type?: string;
+  id?: number;
+}
+
+/**
+ * Interface for authorization attributes operations.
+ * Both MS (direct) and SNS (async) services implement this interface.
+ */
+export interface AuthorizationAttributesService {
+  /**
+   * Deletes resource attributes.
+   * For MS service: returns Promise<void>
+   * For SNS service: requires appName and callerActionIdentifier, returns Promise<ResourceAttributesOperation[]>
+   */
+  deleteResourceAttributes(
+    accountId: number,
+    resource: CompatibleResource | Resource,
+    attributeKeys: string[],
+    appName?: string,
+    callerActionIdentifier?: string
+  ): Promise<void | ResourceAttributeOperation[]>;
+
+  /**
+   * Deletes entity attributes.
+   * For MS service: returns Promise<void>
+   * For SNS service: requires appName and callerActionIdentifier, returns Promise<EntityAttributesOperation[]>
+   */
+  deleteEntityAttributes(
+    accountId: number,
+    entityType: EntityType | string,
+    entityId: number,
+    attributeKeys: string[],
+    appName?: string,
+    callerActionIdentifier?: string
+  ): Promise<void | EntityAttributeOperation[]>;
+
+  /**
+   * Updates resource attributes (batch operations).
+   * For MS service: may throw error or delegate to upsert/delete
+   * For SNS service: returns Promise<ResourceAttributesOperation[]>
+   */
+  updateResourceAttributes(
+    accountId: number,
+    appName: string,
+    callerActionIdentifier: string,
+    resourceAttributeOperations: ResourceAttributeOperation[]
+  ): Promise<ResourceAttributeOperation[]>;
+
+  /**
+   * Updates entity attributes (batch operations).
+   * For MS service: may throw error or delegate to upsert/delete
+   * For SNS service: returns Promise<EntityAttributesOperation[]>
+   */
+  updateEntityAttributes(
+    accountId: number,
+    appName: string,
+    callerActionIdentifier: string,
+    entityAttributeOperations: EntityAttributeOperation[]
+  ): Promise<EntityAttributeOperation[]>;
+}

package/src/types/general.ts

@@ -1,7 +1,7 @@
 import type { Request, Response } from 'express';
 
 export interface Resource {
-  id?: number;
+  id: number;
   type: string;
   wrapperData?: object;
 }

package/src/utils/assigment-schema.ts

@@ -0,0 +1,29 @@
+import Ajv from 'ajv';
+import { EntityType } from '../entity-attributes-constants';
+import { ResourceType } from '../resource-attributes-constants';
+
+const ajv = new Ajv({ allErrors: true });
+
+export const entityAssignmentSchema = ajv.compile({
+  type: 'object',
+  properties: {
+    entityId: { type: 'number', multipleOf: 1 },
+    entityType: { type: 'string', enum: Object.values(EntityType) },
+    key: { type: 'string', minLength: 1 },
+    value: { type: 'string' },
+  },
+  required: ['entityId', 'entityType', 'key'],
+  additionalProperties: false,
+});
+
+export const resourceAssignmentSchema = ajv.compile({
+  type: 'object',
+  properties: {
+    id: { type: 'number', multipleOf: 1 },
+    type: { type: 'string', enum: Object.values(ResourceType) },
+    key: { type: 'string', minLength: 1 },
+    value: { type: 'string' },
+  },
+  required: ['id', 'type', 'key'],
+  additionalProperties: false,
+});

package/src/utils/resource-schema.ts

@@ -0,0 +1,21 @@
+import Ajv from 'ajv';
+import { RESOURCE_TYPES } from '../resource-attributes-constants';
+
+const ajv = new Ajv({ allErrors: true });
+
+export interface Resource {
+  id?: number;
+  type: string;
+  wrapperData?: object;
+}
+
+export const resourceSchema = ajv.compile({
+  type: 'object',
+  properties: {
+    id: { type: 'number', multipleOf: 1 },
+    type: { type: 'string', enum: RESOURCE_TYPES },
+    wrapperData: { type: 'string', minLength: 1 },
+  },
+  required: ['id', 'type', 'wrapperData'],
+  additionalProperties: false,
+});