@percepta/create 3.3.0 → 3.4.1

package/templates/webapp/scripts/seed.ts

@@ -8,21 +8,36 @@
  */
 
 import { AsyncLocalStorage } from "node:async_hooks";
+import { execFileSync } from "node:child_process";
 import { loadEnvConfig } from "@next/env";
+import type { SubjectRef } from "@percepta/access-control";
 
 const SEEDED_USERS = [
   {
-    access: "owner",
-    appRole: "admin",
-    email: "admin@example.com",
-    name: "Admin User",
+    access: "customer_admin",
+    email: "customer-admin@example.com",
+    name: "Customer Admin",
     password: "password",
     role: "admin",
   },
   {
-    access: "member",
-    email: "user@example.com",
-    name: "Regular User",
+    access: "app_admin",
+    email: "app-admin@example.com",
+    name: "App Admin",
+    password: "password",
+    role: "admin",
+  },
+  {
+    access: "app_user",
+    email: "app-user@example.com",
+    name: "App User",
+    password: "password",
+    role: "user",
+  },
+  {
+    access: "none",
+    email: "non-user@example.com",
+    name: "App Non User",
     password: "password",
     role: "user",
   },
@@ -30,7 +45,7 @@ const SEEDED_USERS = [
 
 async function main(): Promise<void> {
   loadEnvConfig(process.cwd());
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any, @typescript-eslint/no-unsafe-member-access
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
   (globalThis as any).AsyncLocalStorage = AsyncLocalStorage;
 
   const { auth } = await import("@__REPO_NAME__/auth");
@@ -38,13 +53,16 @@ async function main(): Promise<void> {
   const { users } = await import("@__REPO_NAME__/auth/schema");
   const { getAccessControl, toUserSubject } =
     await import("../src/services/access/AppAccessControl");
+  const { getEnvConfig } = await import("../src/config/getEnvConfig");
   const { createCustomerAccessControl } =
     await import("@percepta/access-control");
   const { eq, sql } = await import("drizzle-orm");
 
+  const envConfig = getEnvConfig();
   const access = getAccessControl();
+  const appNamespace = access.manifest.appNamespace;
   const customerAccess = createCustomerAccessControl({
-    applications: [{ appNamespace: access.manifest.appNamespace }],
+    applications: [{ appNamespace }],
     client: access.client,
   });
 
@@ -89,25 +107,54 @@ async function main(): Promise<void> {
     }
 
     const subject = toUserSubject(userId);
-    if (seededUser.access === "owner") {
-      await customerAccess.assignApplicationOwner(
-        access.manifest.appNamespace,
-        subject,
-      );
-    } else {
-      await customerAccess.assignApplicationMember(
-        access.manifest.appNamespace,
-        subject,
-      );
-    }
-
-    if ("appRole" in seededUser) {
-      await access.app.assignAppRole(seededUser.appRole, subject);
+    switch (seededUser.access) {
+      case "customer_admin":
+        bootstrapCustomerAdmin(subject, envConfig);
+        await customerAccess.revokeApplicationAdmin(appNamespace, subject);
+        await customerAccess.revokeApplicationUser(appNamespace, subject);
+        break;
+      case "app_admin":
+        await customerAccess.assignApplicationAdmin(appNamespace, subject);
+        await customerAccess.revokeApplicationUser(appNamespace, subject);
+        break;
+      case "app_user":
+        await customerAccess.assignApplicationUser(appNamespace, subject);
+        await customerAccess.revokeApplicationAdmin(appNamespace, subject);
+        break;
+      case "none":
+        await customerAccess.revokeApplicationAdmin(appNamespace, subject);
+        await customerAccess.revokeApplicationUser(appNamespace, subject);
+        break;
     }
   }
 
-  console.log("Ensured local app access grants.");
+  console.log("Ensured local customer and app access grants.");
   process.exit(0);
 }
 
 void main();
+
+function bootstrapCustomerAdmin(
+  subject: SubjectRef,
+  envConfig: {
+    readonly SPICEDB_ENDPOINT: string;
+    readonly SPICEDB_INSECURE: boolean;
+    readonly SPICEDB_PRESHARED_KEY: string;
+  },
+): void {
+  const args = [
+    "bootstrap-customer-admin",
+    "--subject",
+    subject,
+    "--endpoint",
+    envConfig.SPICEDB_ENDPOINT,
+    "--key",
+    envConfig.SPICEDB_PRESHARED_KEY,
+  ];
+
+  if (envConfig.SPICEDB_INSECURE) {
+    args.push("--insecure");
+  }
+
+  execFileSync("percepta-access-control", args, { stdio: "inherit" });
+}

package/templates/webapp/src/access/access.manifest.ts

@@ -1,4 +1,11 @@
-import { defineAccessManifest } from "@percepta/access-control";
+import {
+  defineAccessManifest,
+  defineAccessRoleDefinitions,
+} from "@percepta/access-control";
+
+const appRoles = [] as const;
+
+export const accessRoleDefinitions = defineAccessRoleDefinitions(appRoles, []);
 
 export const accessManifest = defineAccessManifest({
   adminUI: {
@@ -10,6 +17,6 @@ export const accessManifest = defineAccessManifest({
     urlEnv: "APP_BASE_URL",
   },
   system: {
-    assignableRoles: ["admin"],
+    assignableRoles: appRoles,
   },
 } as const);

package/templates/webapp/src/access/schema.zed

@@ -1,7 +1,3 @@
 definition __APP_NAME_SNAKE__/system {
-  relation application: core/application
-  relation admin: core/user | core/group#member
-
-  permission access_app = application->access
-  permission manage_roles = access_app & (application->owner + admin)
+  // Add application-specific roles and permissions here.
 }

package/templates/webapp/src/app/(admin)/admin/_components/AdminTabs.tsx

@@ -0,0 +1,33 @@
+"use client";
+
+import { Tabs, TabsList, TabsTrigger } from "@percepta/design";
+import Link from "next/link";
+
+export type AdminTab = "assignments" | "roles";
+
+const tabs = [
+  { href: "/admin?tab=roles", label: "Roles", tab: "roles" },
+  {
+    href: "/admin?tab=assignments",
+    label: "Assignments",
+    tab: "assignments",
+  },
+] as const satisfies ReadonlyArray<{
+  readonly href: string;
+  readonly label: string;
+  readonly tab: AdminTab;
+}>;
+
+export function AdminTabs({ activeTab }: { readonly activeTab: AdminTab }) {
+  return (
+    <Tabs value={activeTab}>
+      <TabsList aria-label="RBAC views">
+        {tabs.map((tab) => (
+          <TabsTrigger asChild={true} key={tab.tab} value={tab.tab}>
+            <Link href={tab.href}>{tab.label}</Link>
+          </TabsTrigger>
+        ))}
+      </TabsList>
+    </Tabs>
+  );
+}

package/templates/webapp/src/app/(admin)/admin/_lib/accessAdmin.ts

@@ -0,0 +1,62 @@
+import type { AppRole } from "@percepta/access-control";
+import { notFound, redirect } from "next/navigation";
+import { accessManifest } from "../../../../access/access.manifest";
+import { getServerSession } from "../../../../lib/auth";
+import {
+  canManageAppRolesStrong as checkCanManageAppRoles,
+  canManageDefaultRolesStrong as checkCanManageDefaultRoles,
+} from "../../../../services/access/AppAccessControl";
+
+export type AccessAppRole = AppRole<typeof accessManifest>;
+
+export const assignableRoles: readonly AccessAppRole[] =
+  accessManifest.system.assignableRoles ?? [];
+
+export interface AdminPermissions {
+  readonly canManageAppRoles: boolean;
+  readonly canManageDefaultRoles: boolean;
+}
+
+export async function requireAnyAdminPermission(): Promise<AdminPermissions> {
+  if (!isAdminUiEnabled()) {
+    notFound();
+  }
+
+  const session = await getServerSession();
+
+  if (session?.user == null) {
+    redirect("/auth/signin");
+  }
+
+  const [canManageDefaultRoles, canManageAppRoles] = await Promise.all([
+    checkCanManageDefaultRoles(session.user.id),
+    checkCanManageAppRoles(session.user.id),
+  ]);
+
+  if (!canManageDefaultRoles && !canManageAppRoles) {
+    notFound();
+  }
+
+  return {
+    canManageAppRoles,
+    canManageDefaultRoles,
+  };
+}
+
+export function readAssignableRole(formData: FormData): AccessAppRole {
+  const role = formData.get("role");
+  if (
+    typeof role !== "string" ||
+    !assignableRoles.includes(role as AccessAppRole)
+  ) {
+    throw new Error("Invalid app role.");
+  }
+
+  return role as AccessAppRole;
+}
+
+function isAdminUiEnabled(): boolean {
+  const adminUI: { readonly enabled?: boolean } | undefined =
+    accessManifest.adminUI;
+  return adminUI?.enabled !== false;
+}