feat(gitlab): add builtin roles to GitLab

Co-authered-by: William Phetsinorath <william.phetsinorath@shikanime.studio>
Signed-off-by: William Phetsinorath <william.phetsinorath-open@interieur.gouv.fr>

Author: shikanime

apps/server/src/utils/hook-wrapper.ts

@@ -142,14 +142,21 @@ const user = {
 const projectMember = {
   upsert: async (projectId: Project['id'], userId: ProjectMembers['userId']) => {
     const project = await getHookProjectInfos(projectId)
+    const projectStore = dbToObj(await getProjectStore(project.id))
+    const hookProject = transformToHookProject(project, projectStore)
     const store = dbToObj(await getAdminPlugin())
 
     const member = project.members.find(m => m.userId === userId)
     if (!member) throw new Error('Member not found')
 
     const memberRoles = project.roles
       .filter(role => member.roleIds.includes(role.id))
-      .map(role => ({ ...role, permissions: role.permissions.toString(), oidcGroup: role.oidcGroup ?? undefined }))
+      .map(role => ({
+        ...role,
+        permissions: role.permissions.toString(),
+        oidcGroup: role.oidcGroup ?? undefined,
+        project: hookProject,
+      }))
 
     const payload = {
       userId: member.userId,
@@ -163,24 +170,28 @@ const projectMember = {
       lastLogin: member.user.lastLogin?.toISOString(),
       projectId: project.id,
       roles: memberRoles,
-      project: {
-        id: project.id,
-        slug: project.slug,
-      },
+      project: hookProject,
     }
 
     return hooks.upsertProjectMember.execute(payload, store)
   },
   delete: async (projectId: Project['id'], userId: ProjectMembers['userId']) => {
     const project = await getHookProjectInfos(projectId)
+    const projectStore = dbToObj(await getProjectStore(project.id))
+    const hookProject = transformToHookProject(project, projectStore)
     const store = dbToObj(await getAdminPlugin())
 
     const member = project.members.find(m => m.userId === userId)
     if (!member) throw new Error('Member not found')
 
     const memberRoles = project.roles
       .filter(role => member.roleIds.includes(role.id))
-      .map(role => ({ ...role, permissions: role.permissions.toString(), oidcGroup: role.oidcGroup ?? undefined }))
+      .map(role => ({
+        ...role,
+        permissions: role.permissions.toString(),
+        oidcGroup: role.oidcGroup ?? undefined,
+        project: hookProject,
+      }))
 
     const payload = {
       userId: member.userId,
@@ -194,10 +205,7 @@ const projectMember = {
       lastLogin: member.user.lastLogin?.toISOString(),
       projectId: project.id,
       roles: memberRoles,
-      project: {
-        id: project.id,
-        slug: project.slug,
-      },
+      project: hookProject,
     }
 
     return hooks.deleteProjectMember.execute(payload, store)
@@ -209,9 +217,14 @@ const projectRole = {
     const role = await getRole(roleId)
     if (!role) throw new Error('Role not found')
 
+    const project = await getHookProjectInfos(role.projectId)
+    const projectStore = dbToObj(await getProjectStore(role.projectId))
+    const hookProject = transformToHookProject(project, projectStore)
+
     const rolePayload = {
       ...role,
       permissions: role.permissions.toString(),
+      project: hookProject,
     }
     const store = dbToObj(await getAdminPlugin())
     return hooks.upsertProjectRole.execute(rolePayload, store)
@@ -220,9 +233,14 @@ const projectRole = {
     const role = await getRole(roleId)
     if (!role) throw new Error('Role not found')
 
+    const project = await getHookProjectInfos(role.projectId)
+    const projectStore = dbToObj(await getProjectStore(role.projectId))
+    const hookProject = transformToHookProject(project, projectStore)
+
     const rolePayload = {
       ...role,
       permissions: role.permissions.toString(),
+      project: hookProject,
     }
     const store = dbToObj(await getAdminPlugin())
     return hooks.deleteProjectRole.execute(rolePayload, store)

packages/hooks/src/hooks/hook-project-member.ts

@@ -1,14 +1,16 @@
-import type { ProjectMember, ProjectRole } from '@cpn-console/shared'
+import type { ProjectRole } from './hook-project-role.js'
+import type { Project } from './hook-project.js'
 import type { Hook } from './hook.js'
 import { createHook } from './hook.js'
 
-export type ProjectMemberPayload = ProjectMember & {
+export interface ProjectMember {
+  userId: string
+  email: string
+  firstName: string
+  lastName: string
   roles: ProjectRole[]
-  project: {
-    id: string
-    slug: string
-  }
+  project: Project
 }
 
-export const upsertProjectMember: Hook<ProjectMemberPayload> = createHook()
-export const deleteProjectMember: Hook<ProjectMemberPayload> = createHook()
+export const upsertProjectMember: Hook<ProjectMember> = createHook()
+export const deleteProjectMember: Hook<ProjectMember> = createHook()

packages/hooks/src/hooks/hook-project-role.ts

@@ -1,6 +1,17 @@
-import type { ProjectRole } from '@cpn-console/shared'
+import type { Project } from './hook-project.js'
 import type { Hook } from './hook.js'
 import { createHook } from './hook.js'
 
+export interface ProjectRole {
+  id: string
+  name: string
+  permissions: string
+  projectId: string
+  position: number
+  type?: string
+  oidcGroup?: string
+  project: Project
+}
+
 export const upsertProjectRole: Hook<ProjectRole> = createHook()
 export const deleteProjectRole: Hook<ProjectRole> = createHook()

plugins/gitlab/src/class.ts

@@ -1,5 +1,5 @@
 import { createHash } from 'node:crypto'
-import { PluginApi, type Project, type UniqueRepo } from '@cpn-console/hooks'
+import { PluginApi, type Project, type UniqueRepo, type ProjectMember } from '@cpn-console/hooks'
 import type { AccessTokenScopes, CommitAction, GroupSchema, MemberSchema, ProjectVariableSchema, VariableSchema, AllRepositoryTreesOptions, CondensedProjectSchema, Gitlab, ProjectSchema, RepositoryFileExpandedSchema } from '@gitbeaker/core'
 import { AccessLevel } from '@gitbeaker/core'
 import type { VaultProjectApi } from '@cpn-console/vault-plugin/types/vault-project-api.js'
@@ -234,12 +234,12 @@ export class GitlabZoneApi extends GitlabApi {
 }
 
 export class GitlabProjectApi extends GitlabApi {
-  private project: Project | UniqueRepo
+  private project: Project | UniqueRepo | ProjectMember['project']
   private gitlabGroup: GroupSchema | undefined
   private specialRepositories: string[] = [infraAppsRepoName, internalMirrorRepoName]
   private zoneApi: GitlabZoneApi
 
-  constructor(project: Project | UniqueRepo) {
+  constructor(project: Project | UniqueRepo | ProjectMember['project']) {
     super()
     this.project = project
     this.api = getApi()
@@ -434,6 +434,11 @@ export class GitlabProjectApi extends GitlabApi {
     return this.api.GroupMembers.add(group.id, userId, accessLevel)
   }
 
+  public async editGroupMember(userId: number, accessLevel: AccessLevelAllowed = AccessLevel.DEVELOPER): Promise<MemberSchema> {
+    const group = await this.getOrCreateProjectGroup()
+    return this.api.GroupMembers.edit(group.id, userId, accessLevel)
+  }
+
   public async removeGroupMember(userId: number) {
     const group = await this.getOrCreateProjectGroup()
     return this.api.GroupMembers.remove(group.id, userId)

plugins/gitlab/src/functions.ts

@@ -1,13 +1,22 @@
-import { okStatus, parseError, specificallyDisabled } from '@cpn-console/hooks'
-import type { ClusterObject, PluginResult, Project, ProjectLite, StepCall, UniqueRepo, ZoneObject } from '@cpn-console/hooks'
+import { okStatus, parseError, specificallyDisabled, specificallyEnabled } from '@cpn-console/hooks'
+import type { AdminRole, ClusterObject, PluginResult, Project, ProjectLite, StepCall, UniqueRepo, ZoneObject, ProjectMember } from '@cpn-console/hooks'
 import { insert } from '@cpn-console/shared'
+import { AccessLevel } from '@gitbeaker/core'
 import { deleteGroup } from './group.js'
-import { createUsername, getUser } from './user.js'
+import { createUsername, getUser, upsertUser } from './user.js'
 import { ensureMembers } from './members.js'
 import { ensureRepositories } from './repositories.js'
 import type { VaultSecrets } from './utils.js'
-import { cleanGitlabError } from './utils.js'
 import config from './config.js'
+import type { GitlabProjectApi } from './class.js'
+import { cleanGitlabError, matchRole } from './utils.js'
+import {
+  DEFAULT_ADMIN_GROUP_PATH,
+  DEFAULT_AUDITOR_GROUP_PATH,
+  DEFAULT_PROJECT_DEVELOPER_GROUP_PATH_SUFFIX,
+  DEFAULT_PROJECT_MAINTAINER_GROUP_PATH_SUFFIX,
+  DEFAULT_PROJECT_REPORTER_GROUP_PATH_SUFFIX,
+} from './infos.js'
 
 // Check
 export const checkApi: StepCall<Project> = async (payload) => {
@@ -232,3 +241,187 @@ export const commitFiles: StepCall<UniqueRepo | Project | ClusterObject | ZoneOb
     return returnResult
   }
 }
+
+export const upsertAdminRole: StepCall<AdminRole> = async (payload) => {
+  try {
+    const role = payload.args
+    const adminGroupPath = payload.config.gitlab?.adminGroupPath ?? DEFAULT_ADMIN_GROUP_PATH
+    const auditorGroupPath = payload.config.gitlab?.auditorGroupPath ?? DEFAULT_AUDITOR_GROUP_PATH
+
+    const isAdmin = role.oidcGroup === adminGroupPath ? true : undefined
+    const isAuditor = role.oidcGroup === auditorGroupPath ? true : undefined
+
+    if (isAdmin === undefined && isAuditor === undefined) {
+      return {
+        status: {
+          result: 'OK',
+          message: 'Not a managed role for GitLab plugin',
+        },
+      }
+    }
+
+    for (const member of role.members) {
+      await upsertUser(member, isAdmin, isAuditor)
+    }
+
+    return {
+      status: {
+        result: 'OK',
+        message: 'Members synced',
+      },
+    }
+  } catch (error) {
+    return {
+      error: parseError(cleanGitlabError(error)),
+      status: {
+        result: 'KO',
+        message: 'An error occured while syncing admin role',
+      },
+    }
+  }
+}
+
+export const deleteAdminRole: StepCall<AdminRole> = async (payload) => {
+  try {
+    const role = payload.args
+    const adminGroupPath = payload.config.gitlab?.adminGroupPath ?? DEFAULT_ADMIN_GROUP_PATH
+    const auditorGroupPath = payload.config.gitlab?.auditorGroupPath ?? DEFAULT_AUDITOR_GROUP_PATH
+
+    const isAdmin = role.oidcGroup === adminGroupPath ? false : undefined
+    const isAuditor = role.oidcGroup === auditorGroupPath ? false : undefined
+
+    if (isAdmin === undefined && isAuditor === undefined) {
+      return {
+        status: {
+          result: 'OK',
+          message: 'Not a managed role for GitLab plugin',
+        },
+      }
+    }
+
+    for (const member of role.members) {
+      await upsertUser(member, isAdmin, isAuditor)
+    }
+
+    return {
+      status: {
+        result: 'OK',
+        message: 'Admin role deleted and members synced',
+      },
+    }
+  } catch (error) {
+    return {
+      error: parseError(cleanGitlabError(error)),
+      status: {
+        result: 'KO',
+        message: 'An error occured while deleting admin role',
+      },
+    }
+  }
+}
+
+export const upsertProjectMember: StepCall<ProjectMember> = async (payload) => {
+  const member = payload.args
+  const { gitlab: gitlabApi } = payload.apis as { gitlab: GitlabProjectApi } // TODO: apis is never type for some resaon
+  const purge = payload.config.gitlab?.purge
+  const projectReporterGroupPathSuffix = payload.config.gitlab?.projectReporterGroupPathSuffix ?? DEFAULT_PROJECT_REPORTER_GROUP_PATH_SUFFIX
+  const projectDeveloperGroupPathSuffix = payload.config.gitlab?.projectDeveloperGroupPathSuffix ?? DEFAULT_PROJECT_DEVELOPER_GROUP_PATH_SUFFIX
+  const projectMaintainerGroupPathSuffix = payload.config.gitlab?.projectMaintainerGroupPathSuffix ?? DEFAULT_PROJECT_MAINTAINER_GROUP_PATH_SUFFIX
+
+  try {
+    const gitlabUser = await upsertUser({
+      id: member.userId,
+      firstName: member.firstName,
+      lastName: member.lastName,
+      email: member.email,
+    })
+
+    let maxAccessLevel: number | undefined
+
+    if (member.project.owner.id === member.userId) {
+      maxAccessLevel = AccessLevel.OWNER
+    } else if (member.roles.find(role => role.oidcGroup && matchRole(member.project.slug, role.oidcGroup, projectReporterGroupPathSuffix))) {
+      maxAccessLevel = AccessLevel.GUEST
+    } else if (member.roles.find(role => role.oidcGroup && matchRole(member.project.slug, role.oidcGroup, projectDeveloperGroupPathSuffix))) {
+      maxAccessLevel = AccessLevel.DEVELOPER
+    } else if (member.roles.find(role => role.oidcGroup && matchRole(member.project.slug, role.oidcGroup, projectMaintainerGroupPathSuffix))) {
+      maxAccessLevel = AccessLevel.MAINTAINER
+    }
+
+    const groupMembers = await gitlabApi.getGroupMembers()
+    const existingMember = groupMembers.find(m => m.id === gitlabUser.id)
+
+    if (maxAccessLevel === undefined) {
+      if (specificallyEnabled(purge)) {
+        if (existingMember) {
+          await gitlabApi.removeGroupMember(gitlabUser.id)
+        }
+        return {
+          status: {
+            result: 'OK',
+            message: 'Member has no matching roles, removed from group',
+          },
+        }
+      } else {
+        console.warn(`Member ${gitlabUser.username} has no matching roles, not synced`)
+      }
+    }
+
+    if (existingMember) {
+      if (existingMember.access_level !== maxAccessLevel) {
+        await gitlabApi.editGroupMember(gitlabUser.id, maxAccessLevel)
+      }
+    } else {
+      await gitlabApi.addGroupMember(gitlabUser.id, maxAccessLevel)
+    }
+
+    return {
+      status: {
+        result: 'OK',
+        message: 'Member synced',
+      },
+    }
+  } catch (error) {
+    return {
+      error: parseError(cleanGitlabError(error)),
+      status: {
+        result: 'KO',
+        message: 'An error happened while syncing project member',
+      },
+    }
+  }
+}
+
+export const deleteProjectMember: StepCall<ProjectMember> = async (payload) => {
+  const member = payload.args
+  const { gitlab: gitlabApi } = payload.apis as { gitlab: GitlabProjectApi } // TODO: apis is never type for some resaon
+
+  try {
+    const userInfos = await getUser({ ...member, id: member.userId, username: createUsername(member.email) })
+    if (!userInfos) {
+      return {
+        status: {
+          result: 'OK',
+          message: 'User not found in GitLab',
+        },
+      }
+    }
+
+    await gitlabApi.removeGroupMember(userInfos.id)
+
+    return {
+      status: {
+        result: 'OK',
+        message: 'Member deleted',
+      },
+    }
+  } catch (error) {
+    return {
+      error: parseError(cleanGitlabError(error)),
+      status: {
+        result: 'KO',
+        message: 'An error happened while deleting project member',
+      },
+    }
+  }
+}