From 3e3fa20241d9df097b39f9368404b2d9a8957f96 Mon Sep 17 00:00:00 2001 From: Gao Sun Date: Thu, 14 Dec 2023 17:25:17 +0800 Subject: [PATCH 1/5] refactor(schemas): add alteration script for tenant organizations --- .github/workflows/main.yml | 6 +- .../next-1702544178-sync-tenant-orgs.ts | 298 ++++++++++++++++++ packages/schemas/src/seeds/application.ts | 2 +- 3 files changed, 302 insertions(+), 4 deletions(-) create mode 100644 packages/schemas/alterations/next-1702544178-sync-tenant-orgs.ts diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f46dcf348..6b684a01a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -132,7 +132,7 @@ jobs: # ** Setup up-to-date databases and compare (test `up`) ** - name: Setup fresh database working-directory: ./fresh - run: pnpm cli db seed + run: pnpm cli db seed --test env: DB_URL: postgres://postgres:postgres@localhost:5432/fresh @@ -140,7 +140,7 @@ jobs: working-directory: ./alteration run: | cd packages/cli - pnpm start db seed + pnpm start db seed --test env: DB_URL: postgres://postgres:postgres@localhost:5432/alteration @@ -161,7 +161,7 @@ jobs: working-directory: ./alteration run: | cd packages/cli - pnpm start db seed + pnpm start db seed --test env: DB_URL: postgres://postgres:postgres@localhost:5432/old diff --git a/packages/schemas/alterations/next-1702544178-sync-tenant-orgs.ts b/packages/schemas/alterations/next-1702544178-sync-tenant-orgs.ts new file mode 100644 index 000000000..2991c5481 --- /dev/null +++ b/packages/schemas/alterations/next-1702544178-sync-tenant-orgs.ts @@ -0,0 +1,298 @@ +/** + * @fileoverview A preparation for the update of using organizations to manage tenants in the admin + * tenant. This script will do the following in the admin tenant: + * + * 1. Disable registration. + * 2. Create organization template roles and scopes. + * 3. Create organizations for existing tenants. + * 4. Add membership records and assign organization roles to existing users. + * 5. Create machine-to-machine Management API role for each tenant. + * 6. Create the corresponding machine-to-machine app for each tenant, and assign the Management API role to it. + * + * The `down` script will revert the changes. + */ + +import { ConsoleLog, generateStandardId } from '@logto/shared'; +import { sql } from 'slonik'; + +import { type AlterationScript } from '../lib/types/alteration.js'; + +const adminTenantId = 'admin'; +const consoleLog = new ConsoleLog(); + +const alteration: AlterationScript = { + up: async (transaction) => { + consoleLog.info('=== Sync tenant organizations ==='); + consoleLog.info('Disable registration'); + await transaction.query(sql` + update public.sign_in_experiences + set sign_in_mode = 'SignIn' + where tenant_id = ${adminTenantId}; + `); + + consoleLog.info('Create organization template roles and scopes'); + await transaction.query(sql` + insert into public.organization_roles (id, tenant_id, name, description) + values + ('owner', ${adminTenantId}, 'owner', 'Owner of the tenant, who has all permissions.'), + ('admin', ${adminTenantId}, 'admin', 'Admin of the tenant, who has all permissions except deleting the tenant.'), + ('member', ${adminTenantId}, 'member', 'Member of the tenant, who has limited permissions.'); + `); + await transaction.query(sql` + insert into public.organization_scopes (id, tenant_id, name, description) + values + ('read-tenant', ${adminTenantId}, 'read:tenant', 'Read the tenant data.'), + ('write-tenant', ${adminTenantId}, 'write:tenant', 'Write the tenant data, including creating and updating the tenant.'), + ('delete-tenant', ${adminTenantId}, 'delete:tenant', 'Delete data of the tenant.'), + ('invite-member', ${adminTenantId}, 'invite:member', 'Invite members to the tenant.'), + ('remove-member', ${adminTenantId}, 'remove:member', 'Remove members from the tenant.'), + ('update-member-role', ${adminTenantId}, 'update:member:role', 'Update the role of a member in the tenant.'), + ('manage-tenant', ${adminTenantId}, 'manage:tenant', 'Manage the tenant settings, including name, billing, etc.'); + `); + await transaction.query(sql` + insert into public.organization_role_scope_relations (tenant_id, organization_role_id, organization_scope_id) + values + (${adminTenantId}, 'owner', 'read-tenant'), + (${adminTenantId}, 'owner', 'write-tenant'), + (${adminTenantId}, 'owner', 'delete-tenant'), + (${adminTenantId}, 'owner', 'invite-member'), + (${adminTenantId}, 'owner', 'remove-member'), + (${adminTenantId}, 'owner', 'update-member-role'), + (${adminTenantId}, 'owner', 'manage-tenant'), + (${adminTenantId}, 'admin', 'read-tenant'), + (${adminTenantId}, 'admin', 'write-tenant'), + (${adminTenantId}, 'admin', 'delete-tenant'), + (${adminTenantId}, 'admin', 'invite-member'), + (${adminTenantId}, 'admin', 'remove-member'), + (${adminTenantId}, 'admin', 'update-member-role'), + (${adminTenantId}, 'member', 'read-tenant'), + (${adminTenantId}, 'member', 'write-tenant'), + (${adminTenantId}, 'member', 'invite-member') + `); + + consoleLog.info('Create organizations for existing tenants'); + const tenants = await transaction.any<{ id: string }>(sql` + select id + from public.tenants; + `); + await transaction.query(sql` + insert into public.organizations (id, tenant_id, name) + values + ${sql.join( + tenants.map( + (tenant) => sql`(${`t-${tenant.id}`}, ${adminTenantId}, ${`Tenant ${tenant.id}`})` + ), + sql`, ` + )}; + `); + + consoleLog.info('Add membership records and assign organization roles to existing users'); + const usersRoles = await transaction.any<{ userId: string; roleName: string }>(sql` + select + public.users.id as "userId", + public.roles.name as "roleName" + from public.users + join public.users_roles on public.users_roles.user_id = public.users.id + join public.roles on public.roles.id = public.users_roles.role_id + where public.roles.tenant_id = ${adminTenantId} + and public.roles.name like '%:admin'; + `); + + // Add membership records + await transaction.query(sql` + insert into public.organization_user_relations (tenant_id, organization_id, user_id) + values + ${sql.join( + usersRoles.map( + (userRole) => + sql`(${adminTenantId}, ${`t-${userRole.roleName.slice(0, -6)}`}, ${userRole.userId})` + ), + sql`, ` + )}; + `); + // We treat all existing users as the owner of the tenant + await transaction.query(sql` + insert into public.organization_role_user_relations (tenant_id, organization_id, user_id, organization_role_id) + values + ${sql.join( + usersRoles.map( + (userRole) => + sql` + ( + ${adminTenantId}, + ${`t-${userRole.roleName.slice(0, -6)}`}, + ${userRole.userId}, + 'owner' + ) + ` + ), + sql`, ` + )}; + `); + + consoleLog.info('Create machine-to-machine Management API role for each tenant'); + await transaction.query(sql` + insert into public.roles (id, tenant_id, name, description, type) + values + ${sql.join( + tenants.map( + (tenant) => + sql` + ( + ${`m-${tenant.id}`}, + ${adminTenantId}, + ${`machine:mapi:${tenant.id}`}, + ${`Machine-to-machine role for accessing Management API of tenant '${tenant.id}'.`}, + 'MachineToMachine' + ) + ` + ), + sql`, ` + )}; + `); + + const managementApiScopes = await transaction.any<{ id: string; indicator: string }>(sql` + select public.scopes.id, public.resources.indicator + from public.resources + join public.scopes on public.scopes.resource_id = public.resources.id + where public.resources.indicator like 'https://%.logto.app/api' + and public.scopes.name = 'all' + and public.resources.tenant_id = ${adminTenantId}; + `); + + const assertScopeId = (forTenantId: string) => { + const scope = managementApiScopes.find( + (scope) => scope.indicator === `https://${forTenantId}.logto.app/api` + ); + if (!scope) { + throw new Error(`Cannot find Management API scope for tenant '${forTenantId}'.`); + } + return scope.id; + }; + + // Insert role - scope relations + await transaction.query(sql` + insert into public.roles_scopes (tenant_id, id, role_id, scope_id) + values + ${sql.join( + tenants.map( + (tenant) => + sql` + ( + ${adminTenantId}, + ${generateStandardId()}, + ${`m-${tenant.id}`}, + ${assertScopeId(tenant.id)} + ) + ` + ), + sql`, ` + )}; + `); + + consoleLog.info( + 'Create the corresponding machine-to-machine app for each tenant, and assign the Management API role to it' + ); + await transaction.query(sql` + insert into public.applications (id, tenant_id, secret, name, description, type, oidc_client_metadata) + values + ${sql.join( + tenants.map( + (tenant) => + sql` + ( + ${`m-${tenant.id}`}, + ${adminTenantId}, + ${generateStandardId(32)}, + ${`Management API access for ${tenant.id}`}, + ${`Machine-to-machine app for accessing Management API of tenant '${tenant.id}'.`}, + 'MachineToMachine', + ${sql.jsonb({ + redirectUris: [], + postLogoutRedirectUris: [], + })} + ) + ` + ), + sql`, ` + )}; + `); + await transaction.query(sql` + insert into public.applications_roles (tenant_id, id, application_id, role_id) + values + ${sql.join( + tenants.map( + (tenant) => + sql` + ( + ${adminTenantId}, + ${generateStandardId()}, + ${`m-${tenant.id}`}, + ${`m-${tenant.id}`} + ) + ` + ), + sql`, ` + )}; + `); + + consoleLog.info('=== Sync tenant organizations done ==='); + }, + down: async (transaction) => { + consoleLog.info('=== Revert sync tenant organizations ==='); + + consoleLog.info('Remove machine-to-machine apps'); + await transaction.query(sql` + delete from public.applications + where public.applications.tenant_id = ${adminTenantId} + and public.applications.id like 'm-%'; + `); + + consoleLog.info('Remove machine-to-machine roles'); + await transaction.query(sql` + delete from public.roles + where public.roles.tenant_id = ${adminTenantId} + and public.roles.id like 'm-%'; + `); + + consoleLog.info('Remove organizations'); + await transaction.query(sql` + delete from public.organizations + where public.organizations.tenant_id = ${adminTenantId} + and public.organizations.id like 't-%'; + `); + + consoleLog.info('Remove organization roles'); + await transaction.query(sql` + delete from public.organization_roles + where public.organization_roles.tenant_id = ${adminTenantId} + and public.organization_roles.id in ('owner', 'admin', 'member'); + `); + + consoleLog.info('Remove organization scopes'); + await transaction.query(sql` + delete from public.organization_scopes + where public.organization_scopes.tenant_id = ${adminTenantId} + and public.organization_scopes.id in ( + 'read-tenant', + 'write-tenant', + 'delete-tenant', + 'invite-member', + 'remove-member', + 'update-member-role', + 'manage-tenant' + ); + `); + + consoleLog.info('Enable registration'); + await transaction.query(sql` + update public.sign_in_experiences + set sign_in_mode = 'SignInAndRegister' + where tenant_id = ${adminTenantId}; + `); + + consoleLog.info('=== Revert sync tenant organizations done ==='); + }, +}; + +export default alteration; diff --git a/packages/schemas/src/seeds/application.ts b/packages/schemas/src/seeds/application.ts index 29792520e..512ebfe4e 100644 --- a/packages/schemas/src/seeds/application.ts +++ b/packages/schemas/src/seeds/application.ts @@ -61,7 +61,7 @@ export const createTenantMachineToMachineApplication = ( }, }); -/** Create role for "tenant application (M2M)" in admin tenant */ +/** Create an entry to assign a role to an application in the admin tenant. */ export const createAdminTenantApplicationRole = ( applicationId: string, roleId: string From 30e4e103c29d757c49b787c2cc021201ef20e398 Mon Sep 17 00:00:00 2001 From: Gao Sun Date: Fri, 15 Dec 2023 00:31:19 +0800 Subject: [PATCH 2/5] refactor(cli): seed organization data --- .../cli/src/commands/database/seed/tables.ts | 22 ++- .../database/seed/tenant-organizations.ts | 161 +++++++++++++++++ packages/cli/src/database.ts | 27 ++- packages/schemas/src/types/index.ts | 1 + packages/schemas/src/types/mapi-proxy.ts | 60 +++++++ .../schemas/src/types/tenant-organization.ts | 164 ++++++++++++++++++ packages/schemas/src/types/tenant.ts | 27 --- 7 files changed, 424 insertions(+), 38 deletions(-) create mode 100644 packages/cli/src/commands/database/seed/tenant-organizations.ts create mode 100644 packages/schemas/src/types/mapi-proxy.ts create mode 100644 packages/schemas/src/types/tenant-organization.ts diff --git a/packages/cli/src/commands/database/seed/tables.ts b/packages/cli/src/commands/database/seed/tables.ts index 9e5a15047..27231d10c 100644 --- a/packages/cli/src/commands/database/seed/tables.ts +++ b/packages/cli/src/commands/database/seed/tables.ts @@ -17,6 +17,9 @@ import { Roles, type Role, UsersRoles, + LogtoConfigs, + SignInExperiences, + Applications, } from '@logto/schemas'; import { Tenants } from '@logto/schemas/models'; import { convertToIdentifiers, generateStandardId } from '@logto/shared'; @@ -31,6 +34,7 @@ import { consoleLog, getPathInModule } from '../../../utils.js'; import { appendAdminConsoleRedirectUris, seedTenantCloudServiceApplication } from './cloud.js'; import { seedOidcConfigs } from './oidc-config.js'; +import { seedTenantOrganizations } from './tenant-organizations.js'; import { assignScopesToRole, createTenant, seedAdminData } from './tenant.js'; const getExplicitOrder = (query: string) => { @@ -139,7 +143,7 @@ export const seedTables = async ( // Create tenant application role const applicationRole = createTenantApplicationRole(); - await connection.query(insertInto(applicationRole, 'roles')); + await connection.query(insertInto(applicationRole, Roles.table)); await assignScopesToRole( connection, adminTenantId, @@ -161,16 +165,22 @@ export const seedTables = async ( await seedTenantCloudServiceApplication(connection, defaultTenantId); await Promise.all([ - connection.query(insertInto(createDefaultAdminConsoleConfig(defaultTenantId), 'logto_configs')), - connection.query(insertInto(createDefaultAdminConsoleConfig(adminTenantId), 'logto_configs')), connection.query( - insertInto(createDefaultSignInExperience(defaultTenantId, isCloud), 'sign_in_experiences') + insertInto(createDefaultAdminConsoleConfig(defaultTenantId), LogtoConfigs.table) ), - connection.query(insertInto(createAdminTenantSignInExperience(), 'sign_in_experiences')), - connection.query(insertInto(createDefaultAdminConsoleApplication(), 'applications')), + connection.query( + insertInto(createDefaultAdminConsoleConfig(adminTenantId), LogtoConfigs.table) + ), + connection.query( + insertInto(createDefaultSignInExperience(defaultTenantId, isCloud), SignInExperiences.table) + ), + connection.query(insertInto(createAdminTenantSignInExperience(), SignInExperiences.table)), + connection.query(insertInto(createDefaultAdminConsoleApplication(), Applications.table)), updateDatabaseTimestamp(connection, latestTimestamp), ]); + await seedTenantOrganizations(connection, isCloud); + consoleLog.succeed('Seed data'); }; diff --git a/packages/cli/src/commands/database/seed/tenant-organizations.ts b/packages/cli/src/commands/database/seed/tenant-organizations.ts new file mode 100644 index 000000000..eab428ff9 --- /dev/null +++ b/packages/cli/src/commands/database/seed/tenant-organizations.ts @@ -0,0 +1,161 @@ +import { + defaultTenantId, + adminTenantId, + Roles, + Applications, + OrganizationRoles, + TenantRole, + getTenantScope, + OrganizationScopes, + TenantScope, + getTenantRole, + OrganizationRoleScopeRelations, + tenantRoleScopes, + getTenantOrganizationCreateData, + Organizations, + Scopes, + Resources, + PredefinedScope, + RolesScopes, + ApplicationsRoles, +} from '@logto/schemas'; +import { getMapiProxyM2mApp, getMapiProxyRole } from '@logto/schemas/lib/types/mapi-proxy.js'; +import { convertToIdentifiers, generateStandardId } from '@logto/shared'; +import type { DatabaseTransactionConnection } from 'slonik'; +import { sql } from 'slonik'; + +import { insertInto } from '../../../database.js'; +import { consoleLog } from '../../../utils.js'; + +/** + * Seed initial data in the admin tenant for tenant organizations: + * + * - Organization roles and scopes for tenant management. + * - Create tenant organizations for the initial tenants (`default` and `admin`). + * + * If it is a cloud deployment, it will also seed the following: + * + * - Machine-to-machine roles for Management API proxy. + * - Assign the corresponding Management API scopes to the machine-to-machine roles. + * - Machine-to-machine applications for Management API proxy. + * - Assign the roles to the corresponding applications. + */ +export const seedTenantOrganizations = async ( + connection: DatabaseTransactionConnection, + isCloud: boolean +) => { + const tenantIds = [defaultTenantId, adminTenantId]; + + // Init organization template + await Promise.all([ + connection.query( + insertInto( + Object.values(TenantRole).map((role) => getTenantRole(role)), + OrganizationRoles.table + ) + ), + connection.query( + insertInto( + Object.values(TenantScope).map((scope) => getTenantScope(scope)), + OrganizationScopes.table + ) + ), + ]); + + // Link organization roles and scopes + await connection.query( + insertInto( + Object.entries(tenantRoleScopes).flatMap(([role, scopes]) => + scopes.map((scope) => ({ + tenantId: adminTenantId, + // eslint-disable-next-line no-restricted-syntax -- `Object.entries` converts the enum to string + organizationRoleId: getTenantRole(role as TenantRole).id, + organizationScopeId: getTenantScope(scope).id, + })) + ), + OrganizationRoleScopeRelations.table + ) + ); + consoleLog.succeed('Initialized tenant organization template'); + + // Init tenant organizations + await connection.query( + insertInto( + tenantIds.map((id) => getTenantOrganizationCreateData(id)), + Organizations.table + ) + ); + consoleLog.succeed('Created tenant organizations'); + + if (!isCloud) { + return; + } + + // Init Management API proxy roles + await connection.query( + insertInto( + tenantIds.map((tenantId) => getMapiProxyRole(tenantId)), + Roles.table + ) + ); + consoleLog.succeed('Created Management API proxy roles'); + + // Prepare Management API scopes + const scopes = convertToIdentifiers(Scopes); + const resources = convertToIdentifiers(Resources); + /** Scopes with the name {@link PredefinedScope.All} in all Management API resources. */ + const allScopes = await connection.any<{ id: string; indicator: string }>(sql` + select ${scopes.fields.id}, ${resources.fields.indicator} + from ${resources.table} + join ${scopes.table} on ${scopes.fields.resourceId} = ${resources.fields.id} + where ${resources.fields.indicator} like 'https://%.logto.app/api' + and ${scopes.fields.name} = ${PredefinedScope.All} + and ${resources.fields.tenantId} = ${adminTenantId} + `); + const assertScopeId = (forTenantId: string) => { + const scope = allScopes.find( + (scope) => scope.indicator === `https://${forTenantId}.logto.app/api` + ); + if (!scope) { + throw new Error(`Cannot find Management API scope for tenant '${forTenantId}'.`); + } + return scope.id; + }; + + // Assign Management API scopes to the proxy roles + await connection.query( + insertInto( + tenantIds.map((tenantId) => ({ + tenantId: adminTenantId, + id: generateStandardId(), + roleId: getMapiProxyRole(tenantId).id, + scopeId: assertScopeId(tenantId), + })), + RolesScopes.table + ) + ); + consoleLog.succeed('Assigned Management API scopes to the proxy roles'); + + // Create machine-to-machine applications for Management API proxy + await connection.query( + insertInto( + tenantIds.map((tenantId) => getMapiProxyM2mApp(tenantId)), + Applications.table + ) + ); + consoleLog.succeed('Created machine-to-machine applications for Management API proxy'); + + // Assign the proxy roles to the applications + await connection.query( + insertInto( + tenantIds.map((tenantId) => ({ + tenantId: adminTenantId, + id: generateStandardId(), + applicationId: getMapiProxyM2mApp(tenantId).id, + roleId: getMapiProxyRole(tenantId).id, + })), + ApplicationsRoles.table + ) + ); + consoleLog.succeed('Assigned the proxy roles to the applications'); +}; diff --git a/packages/cli/src/database.ts b/packages/cli/src/database.ts index cab6c7899..26ca45a73 100644 --- a/packages/cli/src/database.ts +++ b/packages/cli/src/database.ts @@ -65,8 +65,19 @@ export const createPoolAndDatabaseIfNeeded = async () => { } }; -export const insertInto = >(object: T, table: string) => { - const keys = Object.keys(object); +/** + * Build an `insert into` query from the given payload. If the payload is an array, it will insert + * multiple rows. + */ +export const insertInto = >(payload: T | T[], table: string) => { + const first = Array.isArray(payload) ? payload[0] : payload; + + if (!first) { + throw new Error('Payload cannot be empty'); + } + + const keys = Object.keys(first); + const values = Array.isArray(payload) ? payload : [payload]; return sql` insert into ${sql.identifier([table])} @@ -74,9 +85,15 @@ export const insertInto = >(object: T, table: strin keys.map((key) => sql.identifier([decamelize(key)])), sql`, ` )}) - values (${sql.join( - keys.map((key) => convertToPrimitiveOrSql(key, object[key] ?? null)), + values ${sql.join( + values.map( + (object) => + sql`(${sql.join( + keys.map((key) => convertToPrimitiveOrSql(key, object[key] ?? null)), + sql`, ` + )})` + ), sql`, ` - )}) + )} `; }; diff --git a/packages/schemas/src/types/index.ts b/packages/schemas/src/types/index.ts index b2b5fe9f9..061880c6a 100644 --- a/packages/schemas/src/types/index.ts +++ b/packages/schemas/src/types/index.ts @@ -23,3 +23,4 @@ export * from './mfa.js'; export * from './organization.js'; export * from './sso-connector.js'; export * from './tenant.js'; +export * from './tenant-organization.js'; diff --git a/packages/schemas/src/types/mapi-proxy.ts b/packages/schemas/src/types/mapi-proxy.ts new file mode 100644 index 000000000..a6ebba78f --- /dev/null +++ b/packages/schemas/src/types/mapi-proxy.ts @@ -0,0 +1,60 @@ +/** + * @fileoverview + * Mapi (Management API) proxy is an endpoint in Logto Cloud that proxies the requests to the + * corresponding Management API. It has the following benefits: + * + * - When we migrate the tenant management from API resources to tenant organizations, we can + * migrate Console to use the mapi proxy endpoint by changing only the base URL. + * - It decouples the access control of Cloud user collaboration from the machine-to-machine access + * control of the Management API. + * - The mapi proxy endpoint shares the same domain with Logto Cloud, so it can be used in the + * browser without CORS. + * + * This module provides utilities to manage mapi proxy. + */ + +import { generateStandardSecret } from '@logto/shared'; + +import { + RoleType, + type Role, + type CreateApplication, + ApplicationType, +} from '../db-entries/index.js'; +import { adminTenantId } from '../index.js'; + +/** + * Given a tenant ID, return the role data for the mapi proxy. + * + * It follows a convention to generate all the fields which can be used across the system. See + * source code for details. + */ +export const getMapiProxyRole = (tenantId: string): Readonly => + Object.freeze({ + tenantId: adminTenantId, + id: `m-${tenantId}`, + name: `machine:mapi:${tenantId}`, + description: `Machine-to-machine role for accessing Management API of tenant '${tenantId}'.`, + type: RoleType.MachineToMachine, + }); + +/** + * Given a tenant ID, return the application create data for the mapi proxy. The proxy will use the + * application to access the Management API. + * + * It follows a convention to generate all the fields which can be used across the system. See + * source code for details. + */ +export const getMapiProxyM2mApp = (tenantId: string): Readonly => + Object.freeze({ + tenantId: adminTenantId, + id: `m-${tenantId}`, + secret: generateStandardSecret(32), + name: `Management API access for ${tenantId}`, + description: `Machine-to-machine app for accessing Management API of tenant '${tenantId}'.`, + type: ApplicationType.MachineToMachine, + oidcClientMetadata: { + redirectUris: [], + postLogoutRedirectUris: [], + }, + }); diff --git a/packages/schemas/src/types/tenant-organization.ts b/packages/schemas/src/types/tenant-organization.ts new file mode 100644 index 000000000..d7090b047 --- /dev/null +++ b/packages/schemas/src/types/tenant-organization.ts @@ -0,0 +1,164 @@ +/** + * @fileoverview + * Tenant organizations are organizations in the admin tenant that represent tenants. They are + * created when a tenant is created, and are used to define the roles and scopes for the users in + * the tenant. + * + * This module provides utilities to manage tenant organizations. + */ + +import { + type CreateOrganization, + type OrganizationRole, + type OrganizationScope, +} from '../db-entries/index.js'; +import { adminTenantId } from '../seeds/tenant.js'; + +/** Given a tenant ID, return the corresponding organization ID in the admin tenant. */ +export const getTenantOrganizationId = (tenantId: string) => `t-${tenantId}`; + +/** + * Given a tenant ID, return the organization create data for the admin tenant. It follows a + * convention to generate the organization ID and name which can be used across the system. + * + * @example + * ```ts + * const tenantId = 'test-tenant'; + * const createData = getCreateData(tenantId); + * + * expect(createData).toEqual({ + * tenantId: 'admin', + * id: 't-test-tenant', + * name: 'Tenant test-tenant', + * }); + * ``` + * + * @see {@link getId} for the convention of generating the organization ID. + */ +export const getTenantOrganizationCreateData = (tenantId: string): Readonly => + Object.freeze({ + tenantId: adminTenantId, + id: getTenantOrganizationId(tenantId), + name: `Tenant ${tenantId}`, + }); + +/** + * Scope names in organization template for managing tenants. + * + * @remarks + * Should sync JSDoc descriptions with {@link tenantScopeDescriptions}. + */ +export enum TenantScope { + /** Read the tenant data. */ + ReadData = 'read:data', + /** Write the tenant data, including creating and updating the tenant. */ + WriteData = 'write:data', + /** Delete data of the tenant. */ + DeleteData = 'delete:data', + /** Invite members to the tenant. */ + InviteMember = 'invite:member', + /** Remove members from the tenant. */ + RemoveMember = 'remove:member', + /** Update the role of a member in the tenant. */ + UpdateMemberRole = 'update:member:role', + /** Manage the tenant settings, including name, billing, etc. */ + ManageTenant = 'manage:tenant', +} + +const allTenantScopes = Object.freeze(Object.values(TenantScope)); + +/** + * Given a tenant scope, return the corresponding organization scope data in the admin tenant. + * + * @example + * ```ts + * const scope = TenantScope.ReadData; // 'read:data' + * const scopeData = getTenantScope(scope); + * + * expect(scopeData).toEqual({ + * tenantId: 'admin', + * id: 'read-data', + * name: 'read:data', + * description: 'Read the tenant data.', + * }); + * ``` + * + * @see {@link tenantScopeDescriptions} for scope descriptions of each scope. + */ +export const getTenantScope = (scope: TenantScope): Readonly => + Object.freeze({ + tenantId: adminTenantId, + id: scope.replaceAll(':', '-'), + name: scope, + description: tenantScopeDescriptions[scope], + }); + +const tenantScopeDescriptions: Readonly> = Object.freeze({ + [TenantScope.ReadData]: 'Read the tenant data.', + [TenantScope.WriteData]: 'Write the tenant data, including creating and updating the tenant.', + [TenantScope.DeleteData]: 'Delete data of the tenant.', + [TenantScope.InviteMember]: 'Invite members to the tenant.', + [TenantScope.RemoveMember]: 'Remove members from the tenant.', + [TenantScope.UpdateMemberRole]: 'Update the role of a member in the tenant.', + [TenantScope.ManageTenant]: 'Manage the tenant settings, including name, billing, etc.', +}); + +/** + * Role names in organization template for managing tenants. + * + * @remarks + * Should sync JSDoc descriptions with {@link tenantRoleDescriptions}. + */ +export enum TenantRole { + /** Owner of the tenant, who has all permissions. */ + Owner = 'owner', + /** Admin of the tenant, who has all permissions except managing the tenant settings. */ + Admin = 'admin', + /** Member of the tenant, who has limited permissions on reading and writing the tenant data. */ + Member = 'member', +} + +const tenantRoleDescriptions: Readonly> = Object.freeze({ + [TenantRole.Owner]: 'Owner of the tenant, who has all permissions.', + [TenantRole.Admin]: + 'Admin of the tenant, who has all permissions except managing the tenant settings.', + [TenantRole.Member]: + 'Member of the tenant, who has limited permissions on reading and writing the tenant data.', +}); + +/** + * Given a tenant role, return the corresponding organization role data in the admin tenant. + * + * @example + * ```ts + * const role = TenantRole.Member; // 'member' + * const roleData = getTenantRole(role); + * + * expect(roleData).toEqual({ + * tenantId: 'admin', + * id: 'member', + * name: 'member', + * description: 'Member of the tenant, who has limited permissions on reading and writing the tenant data.', + * }); + * ``` + * + * @see {@link tenantRoleDescriptions} for scope descriptions of each role. + */ +export const getTenantRole = (role: TenantRole): Readonly => + Object.freeze({ + tenantId: adminTenantId, + id: role, + name: role, + description: tenantRoleDescriptions[role], + }); + +/** + * The dictionary of tenant roles and their corresponding scopes. + * @see {TenantRole} for scope descriptions of each role. + */ +export const tenantRoleScopes: Readonly>> = + Object.freeze({ + [TenantRole.Owner]: allTenantScopes, + [TenantRole.Admin]: allTenantScopes.filter((scope) => scope !== TenantScope.ManageTenant), + [TenantRole.Member]: [TenantScope.ReadData, TenantScope.WriteData, TenantScope.InviteMember], + }); diff --git a/packages/schemas/src/types/tenant.ts b/packages/schemas/src/types/tenant.ts index d71f6f86b..2a60341fc 100644 --- a/packages/schemas/src/types/tenant.ts +++ b/packages/schemas/src/types/tenant.ts @@ -6,30 +6,3 @@ export enum TenantTag { /* A production tenant must have an associated subscription plan, even if it's a free plan. */ Production = 'production', } - -/** Tenant roles that are used in organization template of admin tenant. */ -export enum TenantRole { - /* A tenant admin can manage all resources in the tenant. */ - Admin = 'admin', - /* A tenant member can manage resources without deleting them. */ - Member = 'member', -} - -/** Tenant scopes that are used in organization template of admin tenant. */ -export enum TenantScope { - /** Read tenant data. */ - ReadTenant = 'read:tenant', - /** Create or update tenant data. */ - WriteTenant = 'write:tenant', - /** Delete tenant data. */ - DeleteTenant = 'delete:tenant', - /** Invite a new member to the tenant. */ - InviteMember = 'invite:member', - /** Remove a member from the tenant. */ - RemoveMember = 'remove:member', - /** Update a member's role in the tenant. */ - UpdateMemberRole = 'update:member:role', -} - -/** The prefix that applies to all organization IDs that are created to represent a tenant. */ -export const tenantOrganizationIdPrefix = 't-'; From b8fd594feabc70478dcd257bf3fefbc80470df8c Mon Sep 17 00:00:00 2001 From: Gao Sun Date: Fri, 15 Dec 2023 16:50:14 +0800 Subject: [PATCH 3/5] refactor: fix workflow --- .github/workflows/main.yml | 20 +++++- .scripts/compare-database.js | 16 +++-- .../cli/src/commands/database/seed/index.ts | 37 ++++++---- .../cli/src/commands/database/seed/tables.ts | 70 ++++++++++++++++--- .../database/seed/tenant-organizations.ts | 16 ++--- .../next-1702544178-sync-tenant-orgs.ts | 59 +++++++--------- 6 files changed, 145 insertions(+), 73 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6b684a01a..811ddfd42 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -140,7 +140,15 @@ jobs: working-directory: ./alteration run: | cd packages/cli - pnpm start db seed --test + pnpm start db seed + env: + DB_URL: postgres://postgres:postgres@localhost:5432/alteration + + # FIXME: Last version of CLI doesn't support test data seeding. Here's a temporary workaround. + # We will remove this step when a new version of CLI is released. + - name: Setup alteration database test data + working-directory: ./fresh + run: pnpm cli db seed --testOnly env: DB_URL: postgres://postgres:postgres@localhost:5432/alteration @@ -161,7 +169,15 @@ jobs: working-directory: ./alteration run: | cd packages/cli - pnpm start db seed --test + pnpm start db seed + env: + DB_URL: postgres://postgres:postgres@localhost:5432/old + + # FIXME: Last version of CLI doesn't support test data seeding. Here's a temporary workaround. + # We will remove this step when a new version of CLI is released. + - name: Setup old database test data + working-directory: ./fresh + run: pnpm cli db seed --testOnly env: DB_URL: postgres://postgres:postgres@localhost:5432/old diff --git a/.scripts/compare-database.js b/.scripts/compare-database.js index 200b7ca13..5a44b4f2f 100644 --- a/.scripts/compare-database.js +++ b/.scripts/compare-database.js @@ -7,6 +7,15 @@ const omitArray = (arrayOfObjects, ...keys) => arrayOfObjects.map((value) => omi const schemas = ['cloud', 'public']; const schemasArray = `(${schemas.map((schema) => `'${schema}'`).join(', ')})`; +const tryCompare = (a, b) => { + try { + assert.deepStrictEqual(a, b); + } catch (error) { + console.error(error.toString()); + process.exit(1); + } +}; + const queryDatabaseManifest = async (database) => { const pool = new pg.Pool({ database, user: 'postgres', password: 'postgres' }); @@ -150,7 +159,7 @@ const manifests = [ await queryDatabaseManifest(database2), ]; -assert.deepStrictEqual(...manifests); +tryCompare(...manifests); const autoCompare = (a, b) => { if (typeof a !== typeof b) { @@ -200,7 +209,4 @@ const queryDatabaseData = async (database) => { console.log('Compare database data between', database1, 'and', database2); -assert.deepStrictEqual( - await queryDatabaseData(database1), - await queryDatabaseData(database2), -); +tryCompare(await queryDatabaseData(database1), await queryDatabaseData(database2)); diff --git a/packages/cli/src/commands/database/seed/index.ts b/packages/cli/src/commands/database/seed/index.ts index c718fda5f..7cff7ac9c 100644 --- a/packages/cli/src/commands/database/seed/index.ts +++ b/packages/cli/src/commands/database/seed/index.ts @@ -9,7 +9,12 @@ import { getAlterationDirectory } from '../alteration/utils.js'; import { createTables, seedCloud, seedTables, seedTest } from './tables.js'; -export const seedByPool = async (pool: DatabasePool, cloud = false, test = false) => { +export const seedByPool = async ( + pool: DatabasePool, + cloud = false, + test = false, + testOnly = false +) => { await pool.transaction(async (connection) => { // Check alteration scripts available in order to insert correct timestamp const latestTimestamp = await getLatestAlterationTimestamp(); @@ -21,16 +26,18 @@ export const seedByPool = async (pool: DatabasePool, cloud = false, test = false ); } - await oraPromise(createTables(connection), { - text: 'Create tables', - }); - await seedTables(connection, latestTimestamp, cloud); + if (!testOnly) { + await oraPromise(createTables(connection), { + text: 'Create tables', + }); + await seedTables(connection, latestTimestamp, cloud); - if (cloud) { - await seedCloud(connection); + if (cloud) { + await seedCloud(connection); + } } - if (test) { + if (test || testOnly) { await seedTest(connection); } }); @@ -38,7 +45,7 @@ export const seedByPool = async (pool: DatabasePool, cloud = false, test = false const seed: CommandModule< Record, - { swe?: boolean; cloud?: boolean; test?: boolean } + { swe?: boolean; cloud?: boolean; test?: boolean; 'test-only'?: boolean } > = { command: 'seed [type]', describe: 'Create database then seed tables and data', @@ -56,8 +63,12 @@ const seed: CommandModule< .option('test', { describe: 'Seed additional test data', type: 'boolean', + }) + .option('test-only', { + describe: 'Seed test data only, this option conflicts with `--cloud`', + type: 'boolean', }), - handler: async ({ swe, cloud, test }) => { + handler: async ({ swe, cloud, test, testOnly }) => { const pool = await createPoolAndDatabaseIfNeeded(); if (swe && (await doesConfigsTableExist(pool))) { @@ -68,7 +79,7 @@ const seed: CommandModule< } try { - await seedByPool(pool, cloud, test); + await seedByPool(pool, cloud, test, testOnly); } catch (error: unknown) { consoleLog.error(error); consoleLog.error( @@ -76,8 +87,10 @@ const seed: CommandModule< ' Nothing has changed since the seeding process was in a transaction.\n' + ' Try to fix the error and seed again.' ); + throw error; + } finally { + await pool.end(); } - await pool.end(); }, }; diff --git a/packages/cli/src/commands/database/seed/tables.ts b/packages/cli/src/commands/database/seed/tables.ts index 27231d10c..1e50e1ed5 100644 --- a/packages/cli/src/commands/database/seed/tables.ts +++ b/packages/cli/src/commands/database/seed/tables.ts @@ -20,7 +20,14 @@ import { LogtoConfigs, SignInExperiences, Applications, + OrganizationUserRelations, + getTenantOrganizationId, + Users, + OrganizationRoleUserRelations, + TenantRole, + Organizations, } from '@logto/schemas'; +import { getTenantRole } from '@logto/schemas'; import { Tenants } from '@logto/schemas/models'; import { convertToIdentifiers, generateStandardId } from '@logto/shared'; import type { DatabaseTransactionConnection } from 'slonik'; @@ -179,7 +186,7 @@ export const seedTables = async ( updateDatabaseTimestamp(connection, latestTimestamp), ]); - await seedTenantOrganizations(connection, isCloud); + await seedTenantOrganizations(connection); consoleLog.succeed('Seed data'); }; @@ -217,25 +224,72 @@ export const seedTest = async (connection: DatabaseTransactionConnection) => { ) ); + const userIds = Object.freeze(['test-1', 'test-2'] as const); await Promise.all([ connection.query( - insertInto({ id: 'test-1', username: 'test1', tenantId: adminTenantId }, 'users') + insertInto({ id: userIds[0], username: 'test1', tenantId: adminTenantId }, Users.table) ), connection.query( - insertInto({ id: 'test-2', username: 'test2', tenantId: adminTenantId }, 'users') + insertInto({ id: userIds[1], username: 'test2', tenantId: adminTenantId }, Users.table) ), ]); - consoleLog.succeed('Created test users'); const adminTenantRole = await getManagementRole(adminTenantId); const defaultTenantRole = await getManagementRole(defaultTenantId); await Promise.all([ - assignRoleToUser('test-1', adminTenantRole.id), - assignRoleToUser('test-1', defaultTenantRole.id), - assignRoleToUser('test-2', defaultTenantRole.id), + assignRoleToUser(userIds[0], adminTenantRole.id), + assignRoleToUser(userIds[0], defaultTenantRole.id), + assignRoleToUser(userIds[1], defaultTenantRole.id), + ]); + consoleLog.succeed('Assigned tenant management roles to the test users'); + + const organizations = convertToIdentifiers(Organizations); + const isTenantOrganizationInitialized = await connection.exists( + sql` + select 1 + from ${organizations.table} + where ${organizations.fields.tenantId} = ${getTenantOrganizationId(adminTenantId)} + ` + ); + + // This check is for older versions (<=v.12.0) that don't have tenant organization initialized. + if (!isTenantOrganizationInitialized) { + consoleLog.warn('Tenant organization is not enabled, skip seeding tenant organization data'); + return; + } + + const addOrganizationMembership = async (userId: string, tenantId: string) => + connection.query( + insertInto( + { userId, organizationId: getTenantOrganizationId(tenantId), tenantId: adminTenantId }, + OrganizationUserRelations.table + ) + ); + + await Promise.all([ + addOrganizationMembership(userIds[0], adminTenantId), + addOrganizationMembership(userIds[0], defaultTenantId), + addOrganizationMembership(userIds[1], defaultTenantId), ]); - consoleLog.succeed('Assigned tenant management roles to the test users'); + const assignOrganizationRole = async (userId: string, tenantId: string, tenantRole: TenantRole) => + connection.query( + insertInto( + { + userId, + organizationRoleId: getTenantRole(tenantRole).id, + organizationId: getTenantOrganizationId(tenantId), + tenantId: adminTenantId, + }, + OrganizationRoleUserRelations.table + ) + ); + + await Promise.all([ + assignOrganizationRole(userIds[0], adminTenantId, TenantRole.Owner), + assignOrganizationRole(userIds[0], defaultTenantId, TenantRole.Owner), + assignOrganizationRole(userIds[1], defaultTenantId, TenantRole.Owner), + ]); }; diff --git a/packages/cli/src/commands/database/seed/tenant-organizations.ts b/packages/cli/src/commands/database/seed/tenant-organizations.ts index eab428ff9..66bcf3510 100644 --- a/packages/cli/src/commands/database/seed/tenant-organizations.ts +++ b/packages/cli/src/commands/database/seed/tenant-organizations.ts @@ -33,17 +33,14 @@ import { consoleLog } from '../../../utils.js'; * - Organization roles and scopes for tenant management. * - Create tenant organizations for the initial tenants (`default` and `admin`). * - * If it is a cloud deployment, it will also seed the following: + * The following data are used for Logto Cloud, we seed them anyway for the sake of simplicity: * * - Machine-to-machine roles for Management API proxy. * - Assign the corresponding Management API scopes to the machine-to-machine roles. * - Machine-to-machine applications for Management API proxy. * - Assign the roles to the corresponding applications. */ -export const seedTenantOrganizations = async ( - connection: DatabaseTransactionConnection, - isCloud: boolean -) => { +export const seedTenantOrganizations = async (connection: DatabaseTransactionConnection) => { const tenantIds = [defaultTenantId, adminTenantId]; // Init organization template @@ -87,10 +84,7 @@ export const seedTenantOrganizations = async ( ); consoleLog.succeed('Created tenant organizations'); - if (!isCloud) { - return; - } - + /* === Cloud-specific data === */ // Init Management API proxy roles await connection.query( insertInto( @@ -101,8 +95,8 @@ export const seedTenantOrganizations = async ( consoleLog.succeed('Created Management API proxy roles'); // Prepare Management API scopes - const scopes = convertToIdentifiers(Scopes); - const resources = convertToIdentifiers(Resources); + const scopes = convertToIdentifiers(Scopes, true); + const resources = convertToIdentifiers(Resources, true); /** Scopes with the name {@link PredefinedScope.All} in all Management API resources. */ const allScopes = await connection.any<{ id: string; indicator: string }>(sql` select ${scopes.fields.id}, ${resources.fields.indicator} diff --git a/packages/schemas/alterations/next-1702544178-sync-tenant-orgs.ts b/packages/schemas/alterations/next-1702544178-sync-tenant-orgs.ts index 2991c5481..77e95b5ea 100644 --- a/packages/schemas/alterations/next-1702544178-sync-tenant-orgs.ts +++ b/packages/schemas/alterations/next-1702544178-sync-tenant-orgs.ts @@ -2,14 +2,16 @@ * @fileoverview A preparation for the update of using organizations to manage tenants in the admin * tenant. This script will do the following in the admin tenant: * - * 1. Disable registration. - * 2. Create organization template roles and scopes. - * 3. Create organizations for existing tenants. - * 4. Add membership records and assign organization roles to existing users. - * 5. Create machine-to-machine Management API role for each tenant. - * 6. Create the corresponding machine-to-machine app for each tenant, and assign the Management API role to it. + * 1. Create organization template roles and scopes. + * 2. Create organizations for existing tenants. + * 3. Add membership records and assign organization roles to existing users. + * 4. Create machine-to-machine Management API role for each tenant. + * 5. Create the corresponding machine-to-machine app for each tenant, and assign the Management API role to it. * * The `down` script will revert the changes. + * + * NOTE: In order to avoid unnecessary dirty data, it's recommended disabling the registration of + * new tenants before running this script and deploying the changes. */ import { ConsoleLog, generateStandardId } from '@logto/shared'; @@ -23,27 +25,21 @@ const consoleLog = new ConsoleLog(); const alteration: AlterationScript = { up: async (transaction) => { consoleLog.info('=== Sync tenant organizations ==='); - consoleLog.info('Disable registration'); - await transaction.query(sql` - update public.sign_in_experiences - set sign_in_mode = 'SignIn' - where tenant_id = ${adminTenantId}; - `); consoleLog.info('Create organization template roles and scopes'); await transaction.query(sql` insert into public.organization_roles (id, tenant_id, name, description) values ('owner', ${adminTenantId}, 'owner', 'Owner of the tenant, who has all permissions.'), - ('admin', ${adminTenantId}, 'admin', 'Admin of the tenant, who has all permissions except deleting the tenant.'), - ('member', ${adminTenantId}, 'member', 'Member of the tenant, who has limited permissions.'); + ('admin', ${adminTenantId}, 'admin', 'Admin of the tenant, who has all permissions except managing the tenant settings.'), + ('member', ${adminTenantId}, 'member', 'Member of the tenant, who has limited permissions on reading and writing the tenant data.'); `); await transaction.query(sql` insert into public.organization_scopes (id, tenant_id, name, description) values - ('read-tenant', ${adminTenantId}, 'read:tenant', 'Read the tenant data.'), - ('write-tenant', ${adminTenantId}, 'write:tenant', 'Write the tenant data, including creating and updating the tenant.'), - ('delete-tenant', ${adminTenantId}, 'delete:tenant', 'Delete data of the tenant.'), + ('read-data', ${adminTenantId}, 'read:data', 'Read the tenant data.'), + ('write-data', ${adminTenantId}, 'write:data', 'Write the tenant data, including creating and updating the tenant.'), + ('delete-data', ${adminTenantId}, 'delete:data', 'Delete data of the tenant.'), ('invite-member', ${adminTenantId}, 'invite:member', 'Invite members to the tenant.'), ('remove-member', ${adminTenantId}, 'remove:member', 'Remove members from the tenant.'), ('update-member-role', ${adminTenantId}, 'update:member:role', 'Update the role of a member in the tenant.'), @@ -52,21 +48,21 @@ const alteration: AlterationScript = { await transaction.query(sql` insert into public.organization_role_scope_relations (tenant_id, organization_role_id, organization_scope_id) values - (${adminTenantId}, 'owner', 'read-tenant'), - (${adminTenantId}, 'owner', 'write-tenant'), - (${adminTenantId}, 'owner', 'delete-tenant'), + (${adminTenantId}, 'owner', 'read-data'), + (${adminTenantId}, 'owner', 'write-data'), + (${adminTenantId}, 'owner', 'delete-data'), (${adminTenantId}, 'owner', 'invite-member'), (${adminTenantId}, 'owner', 'remove-member'), (${adminTenantId}, 'owner', 'update-member-role'), (${adminTenantId}, 'owner', 'manage-tenant'), - (${adminTenantId}, 'admin', 'read-tenant'), - (${adminTenantId}, 'admin', 'write-tenant'), - (${adminTenantId}, 'admin', 'delete-tenant'), + (${adminTenantId}, 'admin', 'read-data'), + (${adminTenantId}, 'admin', 'write-data'), + (${adminTenantId}, 'admin', 'delete-data'), (${adminTenantId}, 'admin', 'invite-member'), (${adminTenantId}, 'admin', 'remove-member'), (${adminTenantId}, 'admin', 'update-member-role'), - (${adminTenantId}, 'member', 'read-tenant'), - (${adminTenantId}, 'member', 'write-tenant'), + (${adminTenantId}, 'member', 'read-data'), + (${adminTenantId}, 'member', 'write-data'), (${adminTenantId}, 'member', 'invite-member') `); @@ -274,9 +270,9 @@ const alteration: AlterationScript = { delete from public.organization_scopes where public.organization_scopes.tenant_id = ${adminTenantId} and public.organization_scopes.id in ( - 'read-tenant', - 'write-tenant', - 'delete-tenant', + 'read-data', + 'write-data', + 'delete-data', 'invite-member', 'remove-member', 'update-member-role', @@ -284,13 +280,6 @@ const alteration: AlterationScript = { ); `); - consoleLog.info('Enable registration'); - await transaction.query(sql` - update public.sign_in_experiences - set sign_in_mode = 'SignInAndRegister' - where tenant_id = ${adminTenantId}; - `); - consoleLog.info('=== Revert sync tenant organizations done ==='); }, }; From 74e5975be5e2a3a09a471ede6dc2af2cae43fb5f Mon Sep 17 00:00:00 2001 From: Gao Sun Date: Fri, 15 Dec 2023 17:19:29 +0800 Subject: [PATCH 4/5] feat(cli): support seeding legacy test data --- .github/workflows/main.yml | 4 +- .../cli/src/commands/database/seed/index.ts | 53 ++++++++++++------- .../cli/src/commands/database/seed/tables.ts | 19 +++---- 3 files changed, 41 insertions(+), 35 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 811ddfd42..669ba5729 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -148,7 +148,7 @@ jobs: # We will remove this step when a new version of CLI is released. - name: Setup alteration database test data working-directory: ./fresh - run: pnpm cli db seed --testOnly + run: pnpm cli db seed --legacy-test-data env: DB_URL: postgres://postgres:postgres@localhost:5432/alteration @@ -177,7 +177,7 @@ jobs: # We will remove this step when a new version of CLI is released. - name: Setup old database test data working-directory: ./fresh - run: pnpm cli db seed --testOnly + run: pnpm cli db seed --legacy-test-data env: DB_URL: postgres://postgres:postgres@localhost:5432/old diff --git a/packages/cli/src/commands/database/seed/index.ts b/packages/cli/src/commands/database/seed/index.ts index 7cff7ac9c..c5ef9b2ac 100644 --- a/packages/cli/src/commands/database/seed/index.ts +++ b/packages/cli/src/commands/database/seed/index.ts @@ -9,12 +9,7 @@ import { getAlterationDirectory } from '../alteration/utils.js'; import { createTables, seedCloud, seedTables, seedTest } from './tables.js'; -export const seedByPool = async ( - pool: DatabasePool, - cloud = false, - test = false, - testOnly = false -) => { +export const seedByPool = async (pool: DatabasePool, cloud = false, test = false) => { await pool.transaction(async (connection) => { // Check alteration scripts available in order to insert correct timestamp const latestTimestamp = await getLatestAlterationTimestamp(); @@ -26,26 +21,30 @@ export const seedByPool = async ( ); } - if (!testOnly) { - await oraPromise(createTables(connection), { - text: 'Create tables', - }); - await seedTables(connection, latestTimestamp, cloud); + await oraPromise(createTables(connection), { + text: 'Create tables', + }); + await seedTables(connection, latestTimestamp, cloud); - if (cloud) { - await seedCloud(connection); - } + if (cloud) { + await seedCloud(connection); } - if (test || testOnly) { + if (test) { await seedTest(connection); } }); }; +const seedLegacyTestData = async (pool: DatabasePool) => { + return pool.transaction(async (connection) => { + await seedTest(connection, true); + }); +}; + const seed: CommandModule< Record, - { swe?: boolean; cloud?: boolean; test?: boolean; 'test-only'?: boolean } + { swe?: boolean; cloud?: boolean; test?: boolean; 'legacy-test-data'?: boolean } > = { command: 'seed [type]', describe: 'Create database then seed tables and data', @@ -64,13 +63,27 @@ const seed: CommandModule< describe: 'Seed additional test data', type: 'boolean', }) - .option('test-only', { - describe: 'Seed test data only, this option conflicts with `--cloud`', + .option('legacy-test-data', { + describe: + 'Seed test data only for legacy Logto versions (<=1.12.0), this option conflicts with others', type: 'boolean', }), - handler: async ({ swe, cloud, test, testOnly }) => { + handler: async ({ swe, cloud, test, legacyTestData }) => { const pool = await createPoolAndDatabaseIfNeeded(); + if (legacyTestData) { + // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing + if (swe || cloud || test) { + throw new Error( + 'The `legacy-test-data` option conflicts with other options, please use it alone.' + ); + } + + await seedLegacyTestData(pool); + await pool.end(); + return; + } + if (swe && (await doesConfigsTableExist(pool))) { consoleLog.info('Seeding skipped'); await pool.end(); @@ -79,7 +92,7 @@ const seed: CommandModule< } try { - await seedByPool(pool, cloud, test, testOnly); + await seedByPool(pool, cloud, test); } catch (error: unknown) { consoleLog.error(error); consoleLog.error( diff --git a/packages/cli/src/commands/database/seed/tables.ts b/packages/cli/src/commands/database/seed/tables.ts index 1e50e1ed5..ed088863e 100644 --- a/packages/cli/src/commands/database/seed/tables.ts +++ b/packages/cli/src/commands/database/seed/tables.ts @@ -25,7 +25,6 @@ import { Users, OrganizationRoleUserRelations, TenantRole, - Organizations, } from '@logto/schemas'; import { getTenantRole } from '@logto/schemas'; import { Tenants } from '@logto/schemas/models'; @@ -206,7 +205,7 @@ export const seedCloud = async (connection: DatabaseTransactionConnection) => { * - `test-1` will be assigned the management roles for both `default` and `admin` tenant. * - `test-2` will be assigned the management role for `default` tenant. */ -export const seedTest = async (connection: DatabaseTransactionConnection) => { +export const seedTest = async (connection: DatabaseTransactionConnection, forLegacy = false) => { const roles = convertToIdentifiers(Roles); const getManagementRole = async (tenantId: string) => connection.one(sql` @@ -245,18 +244,11 @@ export const seedTest = async (connection: DatabaseTransactionConnection) => { ]); consoleLog.succeed('Assigned tenant management roles to the test users'); - const organizations = convertToIdentifiers(Organizations); - const isTenantOrganizationInitialized = await connection.exists( - sql` - select 1 - from ${organizations.table} - where ${organizations.fields.tenantId} = ${getTenantOrganizationId(adminTenantId)} - ` - ); - // This check is for older versions (<=v.12.0) that don't have tenant organization initialized. - if (!isTenantOrganizationInitialized) { - consoleLog.warn('Tenant organization is not enabled, skip seeding tenant organization data'); + if (forLegacy) { + consoleLog.warn( + 'Tenant organization is not enabled in legacy Logto versions, skip seeding tenant organization data' + ); return; } @@ -292,4 +284,5 @@ export const seedTest = async (connection: DatabaseTransactionConnection) => { assignOrganizationRole(userIds[0], defaultTenantId, TenantRole.Owner), assignOrganizationRole(userIds[1], defaultTenantId, TenantRole.Owner), ]); + consoleLog.succeed('Assigned tenant organization membership and roles to the test users'); }; From 36139d7002a02602c21eb65a3b19054eb428f23b Mon Sep 17 00:00:00 2001 From: Gao Sun Date: Sat, 16 Dec 2023 14:48:01 +0800 Subject: [PATCH 5/5] refactor(schemas): skip adding membership when no user found --- ...eration-compatibility-integration-test.yml | 4 +- .../next-1702544178-sync-tenant-orgs.ts | 73 +++++++++++-------- 2 files changed, 42 insertions(+), 35 deletions(-) diff --git a/.github/workflows/alteration-compatibility-integration-test.yml b/.github/workflows/alteration-compatibility-integration-test.yml index c01335b53..ef4acc55f 100644 --- a/.github/workflows/alteration-compatibility-integration-test.yml +++ b/.github/workflows/alteration-compatibility-integration-test.yml @@ -5,7 +5,6 @@ on: push: branches: - master - - "push-action/**" pull_request: concurrency: @@ -19,8 +18,7 @@ jobs: has-alteration-changes: ${{ steps.changes-detection.outputs.has-alteration-changes }} steps: - - name: checkout head - uses: actions/checkout@v4 + - uses: actions/checkout@v4 with: fetch-depth: 0 diff --git a/packages/schemas/alterations/next-1702544178-sync-tenant-orgs.ts b/packages/schemas/alterations/next-1702544178-sync-tenant-orgs.ts index 77e95b5ea..e0a8e083a 100644 --- a/packages/schemas/alterations/next-1702544178-sync-tenant-orgs.ts +++ b/packages/schemas/alterations/next-1702544178-sync-tenant-orgs.ts @@ -82,7 +82,6 @@ const alteration: AlterationScript = { )}; `); - consoleLog.info('Add membership records and assign organization roles to existing users'); const usersRoles = await transaction.any<{ userId: string; roleName: string }>(sql` select public.users.id as "userId", @@ -94,37 +93,47 @@ const alteration: AlterationScript = { and public.roles.name like '%:admin'; `); - // Add membership records - await transaction.query(sql` - insert into public.organization_user_relations (tenant_id, organization_id, user_id) - values - ${sql.join( - usersRoles.map( - (userRole) => - sql`(${adminTenantId}, ${`t-${userRole.roleName.slice(0, -6)}`}, ${userRole.userId})` - ), - sql`, ` - )}; - `); - // We treat all existing users as the owner of the tenant - await transaction.query(sql` - insert into public.organization_role_user_relations (tenant_id, organization_id, user_id, organization_role_id) - values - ${sql.join( - usersRoles.map( - (userRole) => - sql` - ( - ${adminTenantId}, - ${`t-${userRole.roleName.slice(0, -6)}`}, - ${userRole.userId}, - 'owner' - ) - ` - ), - sql`, ` - )}; - `); + if (usersRoles.length === 0) { + consoleLog.warn( + 'No existing admin users found, skip adding membership records for tenant organizations.' + ); + } else { + consoleLog.info('Add membership records and assign organization roles to existing users'); + + // Add membership records + await transaction.query(sql` + insert into public.organization_user_relations (tenant_id, organization_id, user_id) + values + ${sql.join( + usersRoles.map( + (userRole) => + sql`(${adminTenantId}, ${`t-${userRole.roleName.slice(0, -6)}`}, ${ + userRole.userId + })` + ), + sql`, ` + )}; + `); + // We treat all existing users as the owner of the tenant + await transaction.query(sql` + insert into public.organization_role_user_relations (tenant_id, organization_id, user_id, organization_role_id) + values + ${sql.join( + usersRoles.map( + (userRole) => + sql` + ( + ${adminTenantId}, + ${`t-${userRole.roleName.slice(0, -6)}`}, + ${userRole.userId}, + 'owner' + ) + ` + ), + sql`, ` + )}; + `); + } consoleLog.info('Create machine-to-machine Management API role for each tenant'); await transaction.query(sql`