lots of patches and fixes for IAM

composer.json

@@ -1,6 +1,6 @@
 {
     "name": "fleetbase/core-api",
-    "version": "1.1.1-alpha",
+    "version": "1.1.2-alpha",
     "description": "Core Framework and Resources for Fleetbase API",
     "keywords": [
         "fleetbase",

migrations/2023_04_25_094306_create_groups_table.php

@@ -19,6 +19,7 @@ public function up()
             $table->string('uuid', 191)->nullable()->unique();
             $table->string('company_uuid', 191)->nullable()->index('groups_company_uuid_foreign');
             $table->string('name')->nullable();
+            $table->string('description', 500)->nullable();
             $table->string('slug', 191)->nullable()->index();
             $table->softDeletes();
             $table->timestamp('created_at')->nullable()->index();

migrations/2023_04_25_094311_create_policies_table.php

@@ -23,6 +23,22 @@ public function up()
             $table->timestamps();
             $table->softDeletes();
         });
+
+        Schema::create('model_has_policies', function (Blueprint $table) {
+            $table->uuid('policy_id')->index();
+
+            $table->string('model_type');
+            $table->uuid('model_uuid');
+            $table->index(['model_uuid', 'model_type'], 'model_has_policies_model_uuid_model_type_index');
+
+            $table
+                ->foreign('policy_id')
+                ->references('id')
+                ->on('policies')
+                ->onDelete('cascade');
+
+            $table->primary(['policy_id', 'model_uuid', 'model_type'], 'model_has_policies_policy_model_type_primary');
+        });
     }
 
     /**
@@ -33,5 +49,6 @@ public function up()
     public function down()
     {
         Schema::dropIfExists('policies');
+        Schema::dropIfExists('model_has_policies');
     }
 };

migrations/2023_07_04_173018_make_roles_multi_tenant_table.php

@@ -0,0 +1,51 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     *
+     * @return void
+     */
+    public function up()
+    {
+        $tableNames = config('permission.table_names');
+        $columnNames = config('permission.column_names');
+
+        if (empty($tableNames)) {
+            throw new \Exception('Error: config/permission.php not loaded. Run [php artisan config:clear] and try again.');
+        }
+
+        Schema::table($tableNames['roles'], function (Blueprint $table) {
+            $table->uuid('company_uuid')->nullable()->after('id')->index();
+            $table->foreign('company_uuid')->references('uuid')->on('companies')->onDelete('cascade');
+            $table->string('description')->nullable()->after('guard_name');
+            $table->softDeletes();
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     *
+     * @return void
+     */
+    public function down()
+    {
+        $tableNames = config('permission.table_names');
+
+        if (empty($tableNames)) {
+            throw new \Exception('Error: config/permission.php not found and defaults could not be merged. Please publish the package configuration before proceeding, or drop the tables manually.');
+        }
+
+        Schema::table($tableNames['roles'], function (Blueprint $table) {
+            $table->dropColumn('description');
+            $table->dropForeign(['company_uuid']);
+            $table->dropColumn('company_uuid');
+            $table->dropColumn('deleted_at');
+        });
+    }
+};

seeds/FleetbaseSeeder.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace Fleetbase\Seeds;
+
+use Illuminate\Database\Seeder;
+
+class FleetbaseSeeder extends Seeder
+{
+    /**
+     * Run the database seeds.
+     *
+     * @return void
+     */
+    public function run()
+    {
+        $this->call(ExtensionSeeder::class);
+        $this->call(PermissionSeeder::class);
+    }
+}

seeds/PermissionSeeder.php

@@ -0,0 +1,228 @@
+<?php
+
+namespace Fleetbase\Seeds;
+
+use Fleetbase\Models\Permission;
+use Fleetbase\Models\Policy;
+use Fleetbase\Support\Utils;
+use Illuminate\Database\Seeder;
+use Illuminate\Support\Facades\Schema;
+use Illuminate\Support\Str;
+
+class PermissionSeeder extends Seeder
+{
+    /**
+     * Run the database seeds.
+     *
+     * @return void
+     */
+    public function run()
+    {
+        Schema::disableForeignKeyConstraints();
+        Permission::truncate();
+        Policy::truncate();
+
+        $actions = ['create', 'update', 'delete', 'view', 'list'];
+        $schemas = Utils::getAuthSchemas();
+
+        foreach ($schemas as $schema) {
+            $service = $schema->name;
+            $resources = $schema->resources ?? [];
+            $permissions = $schema->permissions ?? null;
+            $guard = 'web';
+
+            // first create a wilcard permission for the entire schema
+            $administratorPolicy = Policy::firstOrCreate(
+                [
+                    'name' => 'AdministratorAccess',
+                    'guard_name' => $guard,
+                    'description' => 'Provides full access to Fleetbase extensions and resources.',
+                ]
+            );
+
+            $permission = Permission::firstOrCreate(
+                [
+                    'name' => $service . ' *',
+                    'guard_name' => $guard
+                ],
+                [
+                    'name' => $service . ' *',
+                    'guard_name' => $guard
+                ]
+            );
+
+            // add wildcard permissions to administrator access policy
+            try {
+                $administratorPolicy->givePermissionTo($permission);
+            } catch (\Spatie\Permission\Exceptions\GuardDoesNotMatch $e) {
+                dd($e->getMessage(), $guard, $permission, $administratorPolicy);
+            }
+
+            // output message for permissions creation
+            $this->output('Created (' . $guard . ') permission: ' . $permission->name);
+
+            // check if schema has direct permissions to add
+            if (is_array($permissions)) {
+                foreach ($permissions as $action) {
+                    $permission = Permission::firstOrCreate(
+                        [
+                            'name' => $service . ' ' . $action,
+                            'guard_name' => $guard
+                        ],
+                        [
+                            'name' => $service . ' ' . $action,
+                            'guard_name' => $guard
+                        ]
+                    );
+
+                    // add wildcard permissions to administrator access policy
+                    try {
+                        $administratorPolicy->givePermissionTo($permission);
+                    } catch (\Spatie\Permission\Exceptions\GuardDoesNotMatch $e) {
+                        dd($e->getMessage(), $guard, $permission, $administratorPolicy);
+                    }
+
+                    // output message for permissions creation
+                    $this->output('Created (' . $guard . ') permission: ' . $permission->name);
+                }
+            }
+
+            // create a resource policy for full access
+            $fullAccessPolicy = Policy::firstOrCreate(
+                [
+                    'name' => Str::studly(data_get($schema, 'policyName')) . 'FullAccess',
+                    'guard_name' => $guard
+                ],
+                [
+                    'name' => Str::studly(data_get($schema, 'policyName')) .  'FullAccess',
+                    'description' => 'Provides full access to ' . Str::studly(data_get($schema, 'policyName')) . '.',
+                    'guard_name' => $guard
+                ]
+            );
+
+            // create a resource policy for read-only access
+            $readOnlyPolicy = Policy::firstOrCreate(
+                [
+                    'name' => Str::studly(data_get($schema, 'policyName')) . 'FullAccess',
+                    'guard_name' => $guard
+                ],
+                [
+                    'name' => Str::studly(data_get($schema, 'policyName')) . 'FullAccess',
+                    'description' => 'Provides read-only access to ' . Str::studly(data_get($schema, 'policyName')) . '.',
+                    'guard_name' => $guard
+                ]
+            );
+
+            // create wilcard permission for service and all resources
+            foreach ($resources as $resource) {
+                // create a resource policy for full access
+                $resourceFullAccessPolicy = Policy::firstOrCreate(
+                    [
+                        'name' => Str::studly(data_get($schema, 'policyName')) . Str::studly(data_get($resource, 'name')) . 'FullAccess',
+                        'guard_name' => $guard
+                    ],
+                    [
+                        'name' => Str::studly(data_get($schema, 'policyName')) . Str::studly(data_get($resource, 'name')) . 'FullAccess',
+                        'description' => 'Provides full access to ' . Str::studly(data_get($schema, 'policyName')) . ' ' . Str::plural(data_get($resource, 'name')) . '.',
+                        'guard_name' => $guard
+                    ]
+                );
+
+                // create a resource policy for read-only access
+                $resourceReadOnlyPolicy = Policy::firstOrCreate(
+                    [
+                        'name' => Str::studly(data_get($schema, 'policyName')) . Str::studly(data_get($resource, 'name')) . 'FullAccess',
+                        'guard_name' => $guard
+                    ],
+                    [
+                        'name' => Str::studly(data_get($schema, 'policyName')) . Str::studly(data_get($resource, 'name')) . 'FullAccess',
+                        'description' => 'Provides read-only access to ' . Str::studly(data_get($schema, 'policyName')) . ' ' . Str::plural(data_get($resource, 'name')) . '.',
+                        'guard_name' => $guard
+                    ]
+                );
+
+                $permission = Permission::firstOrCreate(
+                    [
+                        'name' => $service . ' * ' . data_get($resource, 'name'),
+                        'guard_name' => $guard
+                    ],
+                    [
+                        'name' => $service . ' * ' . data_get($resource, 'name'),
+                        'guard_name' => $guard
+                    ]
+                );
+
+                // add wildcard permissions to full access policy
+                try {
+                    $fullAccessPolicy->givePermissionTo($permission);
+                } catch (\Spatie\Permission\Exceptions\GuardDoesNotMatch $e) {
+                    dd($e->getMessage(), $guard, $permission, $fullAccessPolicy);
+                }
+                try {
+                    $resourceFullAccessPolicy->givePermissionTo($permission);
+                } catch (\Spatie\Permission\Exceptions\GuardDoesNotMatch $e) {
+                    dd($e->getMessage(), $guard, $permission, $resourceFullAccessPolicy);
+                }
+
+                // output message for permissions creation
+                $this->output('Created (' . $guard . ') permission: ' . $permission->name);
+
+                // create action permissions
+                $resourceActions = array_merge($actions, data_get($resource, 'actions', []));
+
+                // if some actions should be excluded
+                if (is_array(data_get($resource, 'remove_actions', null))) {
+                    foreach (data_get($resource, 'remove_actions') as $remove) {
+                        if (($key = array_search($remove, $actions)) !== false) {
+                            unset($actions[$key]);
+                        }
+                    }
+                }
+
+                // create action permissions
+                foreach ($resourceActions as $action) {
+                    $permission = Permission::firstOrCreate(
+                        [
+                            'name' => $service . ' ' . $action . ' ' . data_get($resource, 'name'),
+                            'guard_name' => $guard
+                        ],
+                        [
+                            'name' => $service . ' ' . $action . ' ' . data_get($resource, 'name'),
+                            'guard_name' => $guard
+                        ]
+                    );
+
+                    // add the permission to the read only policy
+                    if ($action === 'view' || $action === 'list') {
+                        try {
+                            $readOnlyPolicy->givePermissionTo($permission);
+                        } catch (\Spatie\Permission\Exceptions\GuardDoesNotMatch $e) {
+                            dd($e->getMessage(), $guard, $permission, $readOnlyPolicy);
+                        }
+                        try {
+                            $resourceReadOnlyPolicy->givePermissionTo($permission);
+                        } catch (\Spatie\Permission\Exceptions\GuardDoesNotMatch $e) {
+                            dd($e->getMessage(), $guard, $permission, $resourceReadOnlyPolicy);
+                        }
+                    }
+
+                    // output message for permissions creation
+                    $this->output('Created (' . $guard . ') permission: ' . $permission->name);
+                }
+            }
+        }
+
+        Schema::enableForeignKeyConstraints();
+    }
+
+    /**
+     * Simple echo to output to CLI
+     *
+     * @param string $line
+     * @return void
+     */
+    public function output(string $line = ''): void
+    {
+        echo $line . PHP_EOL;
+    }
+}

seeds/RolesSeeder.php

@@ -0,0 +1,18 @@
+<?php
+
+namespace Fleetbase\Seeds;
+
+use Illuminate\Database\Seeder;
+
+class RolesSeeder extends Seeder
+{
+    /**
+     * Run the database seeds.
+     *
+     * @return void
+     */
+    public function run()
+    {
+
+    }
+}