@valentinkolb/cloud 0.3.1 → 0.5.0

package/src/services/accounts/authz.test.ts

@@ -0,0 +1,77 @@
+import { describe, expect, test } from "bun:test";
+import { canMutateManagedGroup, hasOnlySelfUpdateFields, isAdminActor, isSelfTarget, type AccountsActor } from "./authz";
+
+const actor = (overrides: Partial<AccountsActor> = {}): AccountsActor => ({
+  userId: "user-1",
+  uid: "eva",
+  roles: ["user", "local/user"],
+  provider: "local",
+  ...overrides,
+});
+
+describe("accounts service authorization helpers", () => {
+  test("recognizes admin actors from roles", () => {
+    expect(isAdminActor(actor({ roles: ["user", "admin"] }))).toBe(true);
+    expect(isAdminActor(actor({ roles: ["user", "group-manager"] }))).toBe(false);
+    expect(isAdminActor(null)).toBe(false);
+  });
+
+  test("recognizes self-service targets by user id", () => {
+    expect(isSelfTarget({ actor: actor({ userId: "user-1" }), targetUserId: "user-1" })).toBe(true);
+    expect(isSelfTarget({ actor: actor({ userId: "user-1" }), targetUserId: "user-2" })).toBe(false);
+    expect(isSelfTarget({ actor: null, targetUserId: "user-1" })).toBe(false);
+  });
+
+  test("allows managed group mutations for admins or recursive managers only", () => {
+    expect(
+      canMutateManagedGroup({
+        actor: actor({ roles: ["admin"] }),
+        groupId: "group-1",
+        managedGroupIds: [],
+      }),
+    ).toBe(true);
+
+    expect(
+      canMutateManagedGroup({
+        actor: actor({ roles: ["user", "group-manager"] }),
+        groupId: "group-1",
+        managedGroupIds: ["group-1", "child-group"],
+      }),
+    ).toBe(true);
+
+    expect(
+      canMutateManagedGroup({
+        actor: actor({ roles: ["user", "group-manager"] }),
+        groupId: "group-1",
+        managedGroupIds: ["other-group"],
+      }),
+    ).toBe(false);
+
+    expect(canMutateManagedGroup({ actor: null, groupId: "group-1", managedGroupIds: ["group-1"] })).toBe(false);
+  });
+
+  test("rejects managed group mutations for stale or guest manager relations", () => {
+    expect(
+      canMutateManagedGroup({
+        actor: actor({ roles: ["guest", "local/guest"] }),
+        groupId: "group-1",
+        managedGroupIds: ["group-1"],
+      }),
+    ).toBe(false);
+
+    expect(
+      canMutateManagedGroup({
+        actor: actor({ roles: ["user", "local/user"] }),
+        groupId: "group-1",
+        managedGroupIds: ["group-1"],
+      }),
+    ).toBe(false);
+  });
+
+  test("allows only self-service profile fields for self updates", () => {
+    expect(hasOnlySelfUpdateFields({ givenname: "Eva", sn: "Becker", displayName: "Eva Becker" })).toBe(true);
+    expect(hasOnlySelfUpdateFields({ ipa: { phone: "+49" } })).toBe(true);
+    expect(hasOnlySelfUpdateFields({ mail: "eva@example.com" })).toBe(false);
+    expect(hasOnlySelfUpdateFields({ givenname: "Eva", mail: "eva@example.com" })).toBe(false);
+  });
+});

package/src/services/accounts/authz.ts

@@ -1,5 +1,9 @@
 import type { Role, UserProfile, UserProvider } from "../../contracts/shared";
 
+export type AccountsActor = { userId: string; uid: string; roles: string[]; provider?: string | null };
+
+const SELF_UPDATE_FIELDS = new Set(["givenname", "sn", "displayName", "ipa"]);
+
 export const buildRoles = (params: {
   provider: UserProvider;
   profile: UserProfile;
@@ -20,3 +24,21 @@ export const buildRoles = (params: {
   if (manages.length > 0) roles.add("group-manager");
   return [...roles];
 };
+
+export const isAdminActor = (actor: AccountsActor | null | undefined): boolean => !!actor?.roles.includes("admin");
+
+export const isSelfTarget = (params: { actor: AccountsActor | null | undefined; targetUserId: string }): boolean =>
+  params.actor?.userId === params.targetUserId;
+
+export const canMutateManagedGroup = (params: {
+  actor: AccountsActor | null | undefined;
+  groupId: string;
+  managedGroupIds: string[];
+}): boolean => {
+  if (isAdminActor(params.actor)) return true;
+  if (!params.actor?.roles.includes("user") || !params.actor.roles.includes("group-manager")) return false;
+  return params.managedGroupIds.includes(params.groupId);
+};
+
+export const hasOnlySelfUpdateFields = (data: Record<string, unknown>): boolean =>
+  Object.keys(data).every((field) => SELF_UPDATE_FIELDS.has(field));

package/src/services/accounts/entities.ts

@@ -21,6 +21,7 @@ export type EntityListParams = {
   profile?: UserProfile;
   excludeUserIds?: string[];
   excludeGroupIds?: string[];
+  excludeServiceAccountIds?: string[];
   userMemberOfGroupIds?: string[];
   memberOfGroupId?: string;
   managerOfGroupId?: string;
@@ -383,6 +384,25 @@ const mapEntityRow = (row: DbRow): EntityListItem => {
     };
   }
 
+  if (row.kind === "service_account") {
+    return {
+      kind: "service_account",
+      serviceAccount: {
+        id: String(row.id),
+        name: String(row.name ?? ""),
+        kind: row.service_account_kind === "resource_bound" ? "resource_bound" : "user_delegated",
+        status: row.status === "disabled" ? "disabled" : "active",
+        delegatedUserId: typeof row.delegated_user_id === "string" ? row.delegated_user_id : null,
+        appId: typeof row.app_id === "string" ? row.app_id : null,
+        resourceType: typeof row.resource_type === "string" ? row.resource_type : null,
+        resourceId: typeof row.resource_id === "string" ? row.resource_id : null,
+        createdBy: typeof row.created_by === "string" ? row.created_by : null,
+        createdAt: row.created_at instanceof Date ? row.created_at.toISOString() : String(row.created_at),
+      },
+      relation: direct === undefined ? undefined : { direct },
+    };
+  }
+
   return {
     kind: "group",
     group: buildBaseGroup(row),
@@ -412,6 +432,10 @@ export const list = async (params: EntityListParams): Promise<{
     (params.excludeGroupIds?.length ?? 0) === 0
       ? sql`TRUE`
       : sql`(kind <> 'group' OR id <> ALL(${toPgUuidArray(params.excludeGroupIds ?? [])}::uuid[]))`;
+  const excludeServiceAccountCondition =
+    (params.excludeServiceAccountIds?.length ?? 0) === 0
+      ? sql`TRUE`
+      : sql`(kind <> 'service_account' OR id <> ALL(${toPgUuidArray(params.excludeServiceAccountIds ?? [])}::uuid[]))`;
   const userMemberOfGroupCondition =
     (params.userMemberOfGroupIds?.length ?? 0) === 0
       ? sql`TRUE`
@@ -428,6 +452,7 @@ export const list = async (params: EntityListParams): Promise<{
     AND (${params.profile ?? null}::text IS NULL OR kind = 'group' OR profile = ${params.profile ?? null})
     AND ${excludeUserCondition}
     AND ${excludeGroupCondition}
+    AND ${excludeServiceAccountCondition}
     AND ${userMemberOfGroupCondition}
     AND (
       ${pattern}::text IS NULL
@@ -446,6 +471,14 @@ export const list = async (params: EntityListParams): Promise<{
           OR LOWER(COALESCE(description, '')) LIKE ${pattern} ESCAPE '\\'
         )
       )
+      OR (
+        kind = 'service_account' AND (
+          LOWER(name) LIKE ${pattern} ESCAPE '\\'
+          OR LOWER(COALESCE(app_id, '')) LIKE ${pattern} ESCAPE '\\'
+          OR LOWER(COALESCE(resource_type, '')) LIKE ${pattern} ESCAPE '\\'
+          OR LOWER(COALESCE(resource_id, '')) LIKE ${pattern} ESCAPE '\\'
+        )
+      )
     )
   `;
 
@@ -471,13 +504,19 @@ export const list = async (params: EntityListParams): Promise<{
             WHEN u.provider = 'local' THEN u.admin
             ELSE EXISTS(
               SELECT 1
-              FROM auth.user_groups_v2 ug_admin
-              JOIN auth.groups g_admin ON g_admin.id = ug_admin.group_id
-              WHERE ug_admin.user_id = u.id
-                AND g_admin.provider = 'ipa'
-                AND g_admin.name = ANY(${groupsAdminLiteral}::text[])
+              FROM auth.ipa_user_effective_groups eg
+              WHERE eg.user_id = u.id
+                AND eg.group_name = ANY(${groupsAdminLiteral}::text[])
             )
           END AS effective_admin,
+          NULL::text AS service_account_kind,
+          NULL::text AS status,
+          NULL::uuid AS delegated_user_id,
+          NULL::text AS app_id,
+          NULL::text AS resource_type,
+          NULL::text AS resource_id,
+          NULL::uuid AS created_by,
+          NULL::timestamptz AS created_at,
           LOWER(COALESCE(NULLIF(u.display_name, ''), NULLIF(u.mail, ''), u.uid)) AS sort_label
         ${spec.userFrom}
         WHERE ${spec.userWhere}
@@ -498,14 +537,54 @@ export const list = async (params: EntityListParams): Promise<{
           g.description,
           g.gid_number,
           NULL::boolean AS effective_admin,
+          NULL::text AS service_account_kind,
+          NULL::text AS status,
+          NULL::uuid AS delegated_user_id,
+          NULL::text AS app_id,
+          NULL::text AS resource_type,
+          NULL::text AS resource_id,
+          NULL::uuid AS created_by,
+          NULL::timestamptz AS created_at,
           LOWER(g.name) AS sort_label
         ${spec.groupFrom}
         WHERE ${spec.groupWhere}
       ),
+      service_account_rows AS (
+        SELECT
+          'service_account'::text AS kind,
+          NULL::boolean AS direct,
+          sa.id,
+          NULL::text AS provider,
+          NULL::text AS profile,
+          NULL::text AS uid,
+          NULL::text AS given_name,
+          NULL::text AS sn,
+          NULL::text AS display_name,
+          NULL::text AS mail,
+          sa.name,
+          CASE
+            WHEN sa.kind = 'user_delegated' THEN 'Personal automation keys'
+            ELSE CONCAT_WS(' · ', sa.app_id, sa.resource_type, sa.resource_id)
+          END AS description,
+          NULL::int AS gid_number,
+          NULL::boolean AS effective_admin,
+          sa.kind AS service_account_kind,
+          sa.status,
+          sa.delegated_user_id,
+          sa.app_id,
+          sa.resource_type,
+          sa.resource_id,
+          sa.created_by,
+          sa.created_at,
+          LOWER(sa.name) AS sort_label
+        FROM auth.service_accounts sa
+      ),
       entity_rows AS (
         SELECT * FROM user_rows
         UNION ALL
         SELECT * FROM group_rows
+        UNION ALL
+        SELECT * FROM service_account_rows
       )
     SELECT *, COUNT(*) OVER() AS total
     FROM entity_rows

package/src/services/accounts/groups.ts

@@ -2,6 +2,7 @@ import { sql } from "bun";
 import type { BaseGroup, GroupMember, MutationResult, UserProvider } from "../../contracts/shared";
 import * as localGroups from "./local-groups";
 import { providers } from "../providers";
+import { getServiceIpaSession } from "../ipa/service-account";
 import { freeipa } from "../../server/services";
 import { toPgUuidArray } from "../postgres";
 import { buildBaseGroup } from "./base-group";
@@ -138,7 +139,6 @@ export const getManagedGroups = async (params: { id: string; provider?: UserProv
 };
 
 export const create = async (params: {
-  ipaSession?: string | null;
   provider: UserProvider;
   name: string;
   description?: string;
@@ -148,9 +148,10 @@ export const create = async (params: {
     if (params.posix) return { ok: false, error: "Local groups do not support POSIX mode", status: 400 };
     return localGroups.create({ name: params.name, description: params.description });
   }
-  if (!params.ipaSession) return { ok: false, error: "IPA session required to create IPA groups", status: 401 };
+  const serviceSession = await getServiceIpaSession();
+  if (!serviceSession.ok) return serviceSession;
   return providers.ipa.groups.add({
-    ipaSession: params.ipaSession,
+    ipaSession: serviceSession.data,
     cn: params.name,
     description: params.description,
     posix: params.posix,
@@ -158,87 +159,92 @@ export const create = async (params: {
 };
 
 export const update = async (params: {
-  ipaSession?: string | null;
   id: string;
   provider?: UserProvider;
   description: string;
 }): Promise<MutationResult<void>> => {
   const provider = params.provider ?? (await getGroup(params.id))?.provider;
   if (provider === "local") return localGroups.update({ id: params.id, description: params.description });
-  if (!params.ipaSession) return { ok: false, error: "IPA session required to update IPA groups", status: 401 };
+  const serviceSession = await getServiceIpaSession();
+  if (!serviceSession.ok) return serviceSession;
   return providers.ipa.groups.update({
-    ipaSession: params.ipaSession,
+    ipaSession: serviceSession.data,
     id: params.id,
     description: params.description,
   });
 };
 
-export const remove = async (params: { ipaSession?: string | null; id: string; provider?: UserProvider }): Promise<MutationResult<void>> => {
+export const remove = async (params: { id: string; provider?: UserProvider }): Promise<MutationResult<void>> => {
   const provider = params.provider ?? (await getGroup(params.id))?.provider;
   if (provider === "local") return localGroups.remove({ id: params.id });
-  if (!params.ipaSession) return { ok: false, error: "IPA session required to delete IPA groups", status: 401 };
+  const serviceSession = await getServiceIpaSession();
+  if (!serviceSession.ok) return serviceSession;
   return providers.ipa.groups.remove({
-    ipaSession: params.ipaSession,
+    ipaSession: serviceSession.data,
     id: params.id,
   });
 };
 
 export const makePosix = async (params: {
-  ipaSession?: string | null;
   id: string;
   provider?: UserProvider;
 }): Promise<MutationResult<{ gidnumber: number | null }>> => {
   const provider = params.provider ?? (await getGroup(params.id))?.provider;
   if (provider === "local") return { ok: false, error: "Local groups do not support POSIX mode", status: 400 };
-  if (!params.ipaSession) return { ok: false, error: "IPA session required to change IPA groups", status: 401 };
+  const serviceSession = await getServiceIpaSession();
+  if (!serviceSession.ok) return serviceSession;
   return providers.ipa.groups.makePosix({
-    ipaSession: params.ipaSession,
+    ipaSession: serviceSession.data,
     id: params.id,
   });
 };
 
-export const addMember = async (params: { ipaSession?: string | null; id: string; provider?: UserProvider; user?: string; group?: string }): Promise<MutationResult<void>> => {
+export const addMember = async (params: { id: string; provider?: UserProvider; user?: string; group?: string }): Promise<MutationResult<void>> => {
   const provider = params.provider ?? (await getGroup(params.id))?.provider;
   if (provider === "local") return localGroups.addMember({ id: params.id, user: params.user, group: params.group });
-  if (!params.ipaSession) return { ok: false, error: "IPA session required to update IPA groups", status: 401 };
+  const serviceSession = await getServiceIpaSession();
+  if (!serviceSession.ok) return serviceSession;
   return providers.ipa.groups.addMember({
-    ipaSession: params.ipaSession,
+    ipaSession: serviceSession.data,
     id: params.id,
     user: params.user,
     group: params.group,
   });
 };
 
-export const removeMember = async (params: { ipaSession?: string | null; id: string; provider?: UserProvider; user?: string; group?: string }): Promise<MutationResult<void>> => {
+export const removeMember = async (params: { id: string; provider?: UserProvider; user?: string; group?: string }): Promise<MutationResult<void>> => {
   const provider = params.provider ?? (await getGroup(params.id))?.provider;
   if (provider === "local") return localGroups.removeMember({ id: params.id, user: params.user, group: params.group });
-  if (!params.ipaSession) return { ok: false, error: "IPA session required to update IPA groups", status: 401 };
+  const serviceSession = await getServiceIpaSession();
+  if (!serviceSession.ok) return serviceSession;
   return providers.ipa.groups.removeMember({
-    ipaSession: params.ipaSession,
+    ipaSession: serviceSession.data,
     id: params.id,
     user: params.user,
     group: params.group,
   });
 };
 
-export const addManager = async (params: { ipaSession?: string | null; id: string; provider?: UserProvider; user?: string; group?: string }): Promise<MutationResult<void>> => {
+export const addManager = async (params: { id: string; provider?: UserProvider; user?: string; group?: string }): Promise<MutationResult<void>> => {
   const provider = params.provider ?? (await getGroup(params.id))?.provider;
   if (provider === "local") return localGroups.addManager({ id: params.id, user: params.user, group: params.group });
-  if (!params.ipaSession) return { ok: false, error: "IPA session required to update IPA groups", status: 401 };
+  const serviceSession = await getServiceIpaSession();
+  if (!serviceSession.ok) return serviceSession;
   return providers.ipa.groups.addManager({
-    ipaSession: params.ipaSession,
+    ipaSession: serviceSession.data,
     id: params.id,
     user: params.user,
     group: params.group,
   });
 };
 
-export const removeManager = async (params: { ipaSession?: string | null; id: string; provider?: UserProvider; user?: string; group?: string }): Promise<MutationResult<void>> => {
+export const removeManager = async (params: { id: string; provider?: UserProvider; user?: string; group?: string }): Promise<MutationResult<void>> => {
   const provider = params.provider ?? (await getGroup(params.id))?.provider;
   if (provider === "local") return localGroups.removeManager({ id: params.id, user: params.user, group: params.group });
-  if (!params.ipaSession) return { ok: false, error: "IPA session required to update IPA groups", status: 401 };
+  const serviceSession = await getServiceIpaSession();
+  if (!serviceSession.ok) return serviceSession;
   return providers.ipa.groups.removeManager({
-    ipaSession: params.ipaSession,
+    ipaSession: serviceSession.data,
     id: params.id,
     user: params.user,
     group: params.group,

package/src/services/accounts/model.test.ts

@@ -0,0 +1,30 @@
+import { describe, expect, test } from "bun:test";
+import {
+  calculateIpaProfileFromGroupNames,
+  deriveIpaAdminFromGroupNames,
+  parseIpaAccountTransitionPolicy,
+} from "./model";
+
+describe("IPA account model helpers", () => {
+  test("classifies full IPA users from effective base realm groups", () => {
+    expect(calculateIpaProfileFromGroupNames(["base-sync", "base-realm"], ["base-realm"])).toBe("user");
+  });
+
+  test("classifies in-scope IPA users without base realm as guests", () => {
+    expect(calculateIpaProfileFromGroupNames(["base-sync"], ["base-realm"])).toBe("guest");
+  });
+
+  test("derives IPA admin from effective groups", () => {
+    expect(deriveIpaAdminFromGroupNames(["hidden-admin-transit", "admins"], ["admins"])).toBe(true);
+    expect(deriveIpaAdminFromGroupNames(["base-sync"], ["admins"])).toBe(false);
+  });
+
+  test("parses all transition policy settings with safe guest demotion fallback", () => {
+    expect(parseIpaAccountTransitionPolicy("delete")).toBe("delete");
+    expect(parseIpaAccountTransitionPolicy("demote_to_local")).toBe("demote_to_local");
+    expect(parseIpaAccountTransitionPolicy("demote_to_local_user")).toBe("demote_to_local_user");
+    expect(parseIpaAccountTransitionPolicy("demote_to_local_guest")).toBe("demote_to_local_guest");
+    expect(parseIpaAccountTransitionPolicy("unexpected")).toBe("demote_to_local_guest");
+    expect(parseIpaAccountTransitionPolicy(null)).toBe("demote_to_local_guest");
+  });
+});

package/src/services/accounts/switching.test.ts

@@ -0,0 +1,14 @@
+import { describe, expect, test } from "bun:test";
+import { resolveIpaTransitionProfile } from "./switching";
+
+describe("resolveIpaTransitionProfile", () => {
+  test("keeps the current profile for demote_to_local", () => {
+    expect(resolveIpaTransitionProfile({ currentProfile: "user", policy: "demote_to_local" })).toBe("user");
+    expect(resolveIpaTransitionProfile({ currentProfile: "guest", policy: "demote_to_local" })).toBe("guest");
+  });
+
+  test("supports explicit local user and guest transition policies", () => {
+    expect(resolveIpaTransitionProfile({ currentProfile: "guest", policy: "demote_to_local_user" })).toBe("user");
+    expect(resolveIpaTransitionProfile({ currentProfile: "user", policy: "demote_to_local_guest" })).toBe("guest");
+  });
+});

package/src/services/accounts/switching.ts

@@ -53,12 +53,7 @@ export const resolveIpaTransitionTarget = async (params: {
   currentProfile: UserProfile;
   policy: Exclude<IpaAccountTransitionPolicy, "delete">;
 }): Promise<{ targetProfile: UserProfile; accountExpires: Date | null }> => {
-  const targetProfile =
-    params.policy === "demote_to_local"
-      ? params.currentProfile
-      : params.policy === "demote_to_local_user"
-        ? "user"
-        : "guest";
+  const targetProfile = resolveIpaTransitionProfile(params);
 
   return {
     targetProfile,
@@ -66,6 +61,15 @@ export const resolveIpaTransitionTarget = async (params: {
   };
 };
 
+export const resolveIpaTransitionProfile = (params: {
+  currentProfile: UserProfile;
+  policy: Exclude<IpaAccountTransitionPolicy, "delete">;
+}): UserProfile => {
+  if (params.policy === "demote_to_local") return params.currentProfile;
+  if (params.policy === "demote_to_local_user") return "user";
+  return "guest";
+};
+
 export const transitionIpaUserToLocal = async (params: {
   userId: string;
   targetProfile: UserProfile;
@@ -88,6 +92,11 @@ export const transitionIpaUserToLocal = async (params: {
     WHERE user_id = ${params.userId}::uuid
   `;
 
+  await db`
+    DELETE FROM auth.ipa_user_effective_groups
+    WHERE user_id = ${params.userId}::uuid
+  `;
+
   await clearUserRelationsForProvider({
     userId: params.userId,
     provider: "ipa",