Skip to content

fix(project-roles): remove /console prefix strip #1906

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
shikanime wants to merge 2 commits into from
Closed

fix(project-roles): remove /console prefix strip #1906

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a486d48
fix(admin-roles): admin conflicting with existing admin group in Keyc…
shikanime Feb 9, 2026
96073a2
fix(project-roles): remove /console prefix strip
shikanime Feb 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion apps/server/src/prisma/migrations/20260204150335_add_system_roles/migration.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
-- Update existing Admin role to be system role 'Administrateur Plateforme'
UPDATE "AdminRole"
SET
SET
"name" = 'Administrateur Plateforme',
"type" = 'system',
"permissions" = 3, -- Assuming 3n means bit 0 and 1 (1 | 2 = 3)
Expand Down
28 changes: 28 additions & 0 deletions apps/server/src/prisma/migrations/20260206105522_dso/migration.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
-- Update existing Admin role to be system role 'Root Administrateur Plateforme'
UPDATE "AdminRole"
SET
"name" = 'Root Administrateur Plateforme'
WHERE "id" = '76229c96-4716-45bc-99da-00498ec9018c'::uuid;

-- Insert 'Administrateur Plateforme' system role if it doesn't exist
INSERT INTO "AdminRole" ("id", "name", "permissions", "position", "oidcGroup", "type")
VALUES (
'6bebe7b2-0f0a-456e-ab7f-b3d7640a7cbf'::uuid,
'Administrateur Plateforme',
3, -- Assuming 3n means bit 0 and 1 (1 | 2 = 3)
0,
'/console/admin',
'system'
)
ON CONFLICT ("id") DO UPDATE
SET
"name" = 'Administrateur Plateforme',
"type" = 'system',
"permissions" = 3,
"oidcGroup" = '/console/admin';

-- Update 'Lecture Seule Plateforme' system role
UPDATE "AdminRole"
SET
"oidcGroup" = '/console/readonly'
WHERE "id" = '35848aa2-e881-4770-9844-0c5c3693e506'::uuid;
6 changes: 3 additions & 3 deletions apps/server/src/resources/project-role/business.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,7 @@ describe('test project-role business', () => {
prisma.projectRole.findMany.mockResolvedValueOnce([dbRole])

const response = await listRoles(projectId)
expect(response[0].oidcGroup).toBe('/admin')
expect(response[0].oidcGroup).toBe('/console/admin')
})
})

Expand Down Expand Up @@ -162,7 +162,7 @@ describe('test project-role business', () => {
prisma.projectRole.create.mockResolvedValue(dbRole)
prisma.projectRole.findMany.mockResolvedValueOnce([dbRole])

await createRole(projectId, { name: 'test', permissions: '4', oidcGroup: '/admin' })
await createRole(projectId, { name: 'test', permissions: '4', oidcGroup: '/console/admin' })

expect(prisma.projectRole.create).toHaveBeenCalledWith(expect.objectContaining({
data: expect.objectContaining({
Expand Down Expand Up @@ -378,7 +378,7 @@ describe('test project-role business', () => {

it('should update role with enforced oidcGroup prefix', async () => {
const updateRoles: any[] = [
{ id: dbRoles[1].id, oidcGroup: '/admin' },
{ id: dbRoles[1].id, oidcGroup: '/console/admin' },
]

prisma.project.findUnique.mockResolvedValue(project)
Expand Down
6 changes: 3 additions & 3 deletions apps/server/src/resources/project-role/business.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,11 @@
return roles.map(role => ({
...role,
permissions: role.permissions.toString(),
oidcGroup: role.oidcGroup ? role.oidcGroup.replace(/^\/[^/]+\/console/, '') : role.oidcGroup,
oidcGroup: role.oidcGroup ? role.oidcGroup.replace(/^\/[^/]+/, '') : role.oidcGroup,
}))
}

export async function patchRoles(projectId: Project['id'], roles: typeof projectRoleContract.patchProjectRoles.body._type) {

Check failure on line 22 in apps/server/src/resources/project-role/business.ts

View check run for this annotation

cloud-pi-native-sonarqube / SonarQube Code Analysis

apps/server/src/resources/project-role/business.ts#L22 

Refactor this function to reduce its Cognitive Complexity from 24 to the 15 allowed.
const project = await prisma.project.findUnique({ where: { id: projectId }, select: { slug: true } })
if (!project) throw new NotFound404()
const dbRoles = await listRolesQuery(projectId)
Expand All @@ -45,7 +45,7 @@
name: matchingRole.name ?? dbRole.name,
permissions: matchingRole.permissions ? BigInt(matchingRole.permissions) : dbRole.permissions,
position: matchingRole.position ?? dbRole.position,
oidcGroup: matchingRole.oidcGroup ? `/${project.slug}/console${matchingRole.oidcGroup}` : dbRole.oidcGroup,
oidcGroup: matchingRole.oidcGroup ? `/${project.slug}${matchingRole.oidcGroup}` : dbRole.oidcGroup,
type: matchingRole.type ?? dbRole.type,
projectId: dbRole.projectId,
})
Expand Down Expand Up @@ -84,7 +84,7 @@
projectId,
position: dbMaxPosRole + 1,
permissions: BigInt(role.permissions),
oidcGroup: role.oidcGroup ? `/${project.slug}/console${role.oidcGroup}` : undefined,
oidcGroup: role.oidcGroup ? `/${project.slug}${role.oidcGroup}` : undefined,
},
})

Expand Down
8 changes: 4 additions & 4 deletions apps/server/src/resources/project/business.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ export async function listProjects({ status, statusIn, statusNotIn, filter = 'me
}).then(projects => projects.map(({ clusters, ...project }) => ({
...project,
clusterIds: clusters.map(({ id }) => id),
roles: project.roles.map(role => ({ ...role, permissions: role.permissions.toString(), oidcGroup: project.slug ? role.oidcGroup?.replace(`/${project.slug}/console`, '') : role.oidcGroup })),
roles: project.roles.map(role => ({ ...role, permissions: role.permissions.toString(), oidcGroup: project.slug ? role.oidcGroup?.replace(`/${project.slug}`, '') : role.oidcGroup })),
everyonePerms: project.everyonePerms.toString(),
})))
}
Expand Down Expand Up @@ -91,15 +91,15 @@ export async function createProject(dataDto: typeof projectContract.createProjec
...projectInfos,
clusterIds: projectInfos.clusters.map(({ id }) => id),
everyonePerms: projectInfos.everyonePerms.toString(),
roles: projectInfos.roles.map(role => ({ ...role, permissions: role.permissions.toString(), oidcGroup: projectInfos.slug ? role.oidcGroup?.replace(`/${project.slug}/console`, '') : role.oidcGroup })),
roles: projectInfos.roles.map(role => ({ ...role, permissions: role.permissions.toString(), oidcGroup: projectInfos.slug ? role.oidcGroup?.replace(`/${project.slug}`, '') : role.oidcGroup })),
}
}

export async function getProject(projectId: Project['id']) {
return getProjectOrThrow(projectId).then(({ clusters, ...project }) => ({
...project,
clusterIds: clusters.map(({ id }) => id),
roles: project.roles.map(role => ({ ...role, permissions: role.permissions.toString(), oidcGroup: project.slug ? role.oidcGroup?.replace(`/${project.slug}/console`, '') : role.oidcGroup })),
roles: project.roles.map(role => ({ ...role, permissions: role.permissions.toString(), oidcGroup: project.slug ? role.oidcGroup?.replace(`/${project.slug}`, '') : role.oidcGroup })),
everyonePerms: project.everyonePerms.toString(),
}))
}
Expand Down Expand Up @@ -156,7 +156,7 @@ export async function updateProject(
...projectInfos,
clusterIds: projectInfos.clusters.map(({ id }) => id),
everyonePerms: projectInfos.everyonePerms.toString(),
roles: projectInfos.roles.map(role => ({ ...role, permissions: role.permissions.toString(), oidcGroup: projectInfos.slug ? role.oidcGroup?.replace(`/${projectInfos.slug}/console`, '') : role.oidcGroup })),
roles: projectInfos.roles.map(role => ({ ...role, permissions: role.permissions.toString(), oidcGroup: projectInfos.slug ? role.oidcGroup?.replace(`/${projectInfos.slug}`, '') : role.oidcGroup })),
}
}

Expand Down
10 changes: 9 additions & 1 deletion packages/test-utils/src/imports/data.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,14 @@ export const data = {
permissions: '3n',
position: 0,
oidcGroup: '/admin',
name: 'Root Administrateur Plateforme',
type: 'system',
},
{
id: '6bebe7b2-0f0a-456e-ab7f-b3d7640a7cbf',
permissions: '3n',
position: 0,
oidcGroup: '/console/admin',
name: 'Administrateur Plateforme',
type: 'system',
},
Expand All @@ -39,7 +47,7 @@ export const data = {
id: '35848aa2-e881-4770-9844-0c5c3693e506',
permissions: '1n',
position: 2,
oidcGroup: '/readonly',
oidcGroup: '/console/readonly',
name: 'Lecture Seule Plateforme',
type: 'system',
},
Expand Down
8 changes: 4 additions & 4 deletions playwright/e2e-tests/system-roles.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,10 @@ test.describe('System Roles at Project Creation', () => {

// Assert
const systemRoles = [
{ name: 'Administrateur', oidcGroup: '/admin' },
{ name: 'DevOps', oidcGroup: '/devops' },
{ name: 'Développeur', oidcGroup: '/developer' },
{ name: 'Lecture seule', oidcGroup: '/readonly' },
{ name: 'Administrateur', oidcGroup: '/console/admin' },
{ name: 'DevOps', oidcGroup: '/console/devops' },
{ name: 'Développeur', oidcGroup: '/console/developer' },
{ name: 'Lecture seule', oidcGroup: '/console/readonly' },
]

for (const role of systemRoles) {
Expand Down
Loading