feat: api v2 pbac support (calcom#24402)

* feat: Pbac decorator and guard

* feat: v2 roles endpoints

* fix: test

* fix: starting v2

* fix: test error

* fix: test api keys

* fix fixture

* test permission creation

* feat: permissions endpoints

* refactors

* refactor: project structure

* test: role permissions crud

* test: permissions endpoint negative tests

* docs: org, team permissions swagger

* unit tests for validator

* Update roles.guard.ts

* fix type

* test: error messages

* refactor: dont throw error in pbac

* delete redundant test file

* feedback: logging error

* fix: persist role.permissions when updating role.otherProperty

* refactor: use output service to return permissions

* refactor: service functions return current permissions

* refactor: remove OrganizationsRepository from providers

* refactor: try catch possibly duplicate create

* refactor: require min length name if provided

* refactor: org role has orgId and team role teamId

* fix: pbac guard caching

* fix: e2e tests in parallel

* refactor: use IsTeamInOrg guard for orgs teams roles and permissions endpoints

* refactor: use redis service getter and setter

* refactor: invalidate team permissions cache when permissions change

* refactor: delete keys instead of versioning when caching

Author: supalarry

apps/api/v2/src/modules/auth/auth.module.ts

@@ -7,6 +7,7 @@ import { DeploymentsModule } from "@/modules/deployments/deployments.module";
 import { MembershipsModule } from "@/modules/memberships/memberships.module";
 import { OAuthFlowService } from "@/modules/oauth-clients/services/oauth-flow.service";
 import { RedisModule } from "@/modules/redis/redis.module";
+import { RolesModule } from "@/modules/roles/roles.module";
 import { TokensModule } from "@/modules/tokens/tokens.module";
 import { UsersModule } from "@/modules/users/users.module";
 import { Module } from "@nestjs/common";
@@ -21,6 +22,7 @@ import { PassportModule } from "@nestjs/passport";
     MembershipsModule,
     TokensModule,
     DeploymentsModule,
+    RolesModule,
   ],
   providers: [NextAuthGuard, NextAuthStrategy, ApiAuthGuard, ApiAuthStrategy, OAuthFlowService],
   exports: [NextAuthGuard, ApiAuthGuard],

apps/api/v2/src/modules/auth/decorators/pbac/pbac.decorator.ts

@@ -0,0 +1,5 @@
+import { Reflector } from "@nestjs/core";
+
+import type { PermissionString } from "@calcom/platform-libraries/pbac";
+
+export const Pbac = Reflector.createDecorator<PermissionString[]>();

apps/api/v2/src/modules/auth/guards/pbac/pbac.guard.ts

@@ -0,0 +1,177 @@
+import { Pbac } from "@/modules/auth/decorators/pbac/pbac.decorator";
+import { ApiAuthGuardUser } from "@/modules/auth/strategies/api-auth/api-auth.strategy";
+import { PrismaReadService } from "@/modules/prisma/prisma-read.service";
+import { RedisService } from "@/modules/redis/redis.service";
+import {
+  Injectable,
+  CanActivate,
+  ExecutionContext,
+  ForbiddenException,
+  UnauthorizedException,
+  BadRequestException,
+} from "@nestjs/common";
+import { Reflector } from "@nestjs/core";
+import { Request } from "express";
+
+import type { PermissionString } from "@calcom/platform-libraries/pbac";
+import { PermissionCheckService, FeaturesRepository } from "@calcom/platform-libraries/pbac";
+
+export const REDIS_PBAC_CACHE_KEY = (teamId: number) => `apiv2:team:${teamId}:has:pbac:guard:pbac`;
+export const REDIS_REQUIRED_PERMISSIONS_CACHE_KEY = (
+  userId: number,
+  teamId: number,
+  requiredPermissions: PermissionString[]
+) =>
+  `apiv2:user:${userId}:team:${teamId}:requiredPermissions:${requiredPermissions
+    .sort()
+    .join(",")}:guard:pbac`;
+
+@Injectable()
+export class PbacGuard implements CanActivate {
+  constructor(
+    private reflector: Reflector,
+    private prismaReadService: PrismaReadService,
+    private readonly redisService: RedisService
+  ) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const request = context.switchToHttp().getRequest<Request & { pbacAuthorizedRequest?: boolean }>();
+    const user = request.user as ApiAuthGuardUser;
+    const teamId = request.params.teamId;
+    const orgId = request.params.orgId;
+    const requiredPermissions = this.reflector.get(Pbac, context.getHandler());
+
+    const effectiveTeamId = teamId || orgId;
+    if (!user) {
+      throw new UnauthorizedException("PbacGuard - the request does not have an authorized user provided");
+    }
+    if (!effectiveTeamId) {
+      throw new BadRequestException(
+        "PbacGuard - can't check pbac because no teamId or orgId provided within the request url"
+      );
+    }
+
+    if (!requiredPermissions || requiredPermissions.length === 0) {
+      request.pbacAuthorizedRequest = false;
+      return true;
+    }
+
+    const hasPbacEnabled = await this.hasPbacEnabled(Number(effectiveTeamId));
+    if (!hasPbacEnabled) {
+      request.pbacAuthorizedRequest = false;
+      return true;
+    }
+
+    const hasRequiredPermissions = await this.checkUserHasRequiredPermissions(
+      user.id,
+      Number(effectiveTeamId),
+      requiredPermissions
+    );
+
+    if (!hasRequiredPermissions) {
+      request.pbacAuthorizedRequest = false;
+      return true;
+    }
+
+    request.pbacAuthorizedRequest = true;
+    return true;
+  }
+
+  async hasPbacEnabled(teamId: number) {
+    const cachedHasPbacEnabled = await this.getCachePbacEnabled(teamId);
+
+    if (cachedHasPbacEnabled) {
+      return cachedHasPbacEnabled;
+    }
+
+    const pbacFeatureFlag = "pbac";
+    const featuresRepository = new FeaturesRepository(this.prismaReadService.prisma);
+    const hasPbacEnabled = await featuresRepository.checkIfTeamHasFeature(teamId, pbacFeatureFlag);
+
+    if (hasPbacEnabled) {
+      await this.setCachePbacEnabled(teamId, hasPbacEnabled);
+    }
+
+    return hasPbacEnabled;
+  }
+
+  async checkUserHasRequiredPermissions(
+    userId: number,
+    teamId: number,
+    requiredPermissions: PermissionString[]
+  ) {
+    const cachedAccess = await this.getCacheRequiredPermissions(userId, teamId, requiredPermissions);
+
+    if (cachedAccess) {
+      return cachedAccess;
+    }
+
+    const permissionCheckService = new PermissionCheckService();
+    const hasRequiredPermissions = await permissionCheckService.checkPermissions({
+      userId,
+      teamId,
+      permissions: requiredPermissions,
+      fallbackRoles: [],
+    });
+
+    if (hasRequiredPermissions) {
+      await this.setCacheRequiredPermissions(userId, teamId, requiredPermissions, hasRequiredPermissions);
+    }
+
+    return hasRequiredPermissions;
+  }
+
+  private async getCacheRequiredPermissions(
+    userId: number,
+    teamId: number,
+    requiredPermissions: PermissionString[]
+  ): Promise<boolean | null> {
+    return this.redisService.get<boolean>(
+      REDIS_REQUIRED_PERMISSIONS_CACHE_KEY(userId, teamId, requiredPermissions)
+    );
+  }
+
+  private async setCacheRequiredPermissions(
+    userId: number,
+    teamId: number,
+    requiredPermissions: PermissionString[],
+    hasRequired: boolean
+  ): Promise<void> {
+    await this.redisService.set<boolean>(
+      REDIS_REQUIRED_PERMISSIONS_CACHE_KEY(userId, teamId, requiredPermissions),
+      hasRequired,
+      { ttl: 300_000 }
+    );
+  }
+
+  private async getCachePbacEnabled(teamId: number) {
+    const cachedResult = await this.redisService.get<boolean>(REDIS_PBAC_CACHE_KEY(teamId));
+    return cachedResult;
+  }
+
+  private async setCachePbacEnabled(teamId: number, pbacEnabled: boolean) {
+    await this.redisService.set<boolean>(REDIS_PBAC_CACHE_KEY(teamId), pbacEnabled, {
+      ttl: 300_000,
+    });
+  }
+
+  throwForbiddenError(
+    userId: number,
+    teamId: string,
+    orgId: string,
+    requiredPermissions: PermissionString[]
+  ) {
+    let errorMessage = `PbacGuard - user with id=${userId} does not have the minimum required permissions=${requiredPermissions.join(
+      ","
+    )} `;
+    if (teamId) {
+      errorMessage += `within team with id=${teamId}`;
+    }
+    if (orgId) {
+      errorMessage += `within organization with id=${orgId}`;
+    }
+    errorMessage += `.`;
+
+    throw new ForbiddenException(errorMessage);
+  }
+}

apps/api/v2/src/modules/auth/guards/roles/roles.guard.ts

@@ -7,8 +7,6 @@ import { Injectable, CanActivate, ExecutionContext, ForbiddenException, Logger }
 import { Reflector } from "@nestjs/core";
 import { Request } from "express";
 
-import type { Team } from "@calcom/prisma/client";
-
 @Injectable()
 export class RolesGuard implements CanActivate {
   private readonly logger = new Logger("RolesGuard Logger");
@@ -19,7 +17,13 @@ export class RolesGuard implements CanActivate {
   ) {}
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
-    const request = context.switchToHttp().getRequest<Request & { team: Team }>();
+    const request = context.switchToHttp().getRequest<Request & { pbacAuthorizedRequest?: boolean }>();
+
+    if (request.pbacAuthorizedRequest === true) {
+      this.logger.debug("PBAC authorized request, skipping legacy role checking");
+      return true;
+    }
+
     const teamId = request.params.teamId as string;
     const orgId = request.params.orgId as string;
     const user = request.user as ApiAuthGuardUser;

apps/api/v2/src/modules/organizations/organizations.module.ts

@@ -39,6 +39,7 @@ import { OrganizationsMembershipRepository } from "@/modules/organizations/membe
 import { OrganizationsMembershipOutputService } from "@/modules/organizations/memberships/services/organizations-membership-output.service";
 import { OrganizationsMembershipService } from "@/modules/organizations/memberships/services/organizations-membership.service";
 import { OrganizationsOrganizationsModule } from "@/modules/organizations/organizations/organizations-organizations.module";
+import { OrganizationsRolesModule } from "@/modules/organizations/roles/organizations-roles.module";
 import { OrganizationsSchedulesController } from "@/modules/organizations/schedules/organizations-schedules.controller";
 import { OrganizationsSchedulesService } from "@/modules/organizations/schedules/services/organizations-schedules.service";
 import { OrganizationsStripeModule } from "@/modules/organizations/stripe/organizations-stripe.module";
@@ -50,6 +51,7 @@ import { OrganizationsTeamsInviteController } from "@/modules/organizations/team
 import { OrganizationsTeamsMembershipsController } from "@/modules/organizations/teams/memberships/organizations-teams-memberships.controller";
 import { OrganizationsTeamsMembershipsRepository } from "@/modules/organizations/teams/memberships/organizations-teams-memberships.repository";
 import { OrganizationsTeamsMembershipsService } from "@/modules/organizations/teams/memberships/services/organizations-teams-memberships.service";
+import { OrganizationsTeamsRolesModule } from "@/modules/organizations/teams/roles/organizations-teams-roles.module";
 import { OrganizationsTeamsRoutingFormsModule } from "@/modules/organizations/teams/routing-forms/organizations-teams-routing-forms.module";
 import { OrganizationsTeamsSchedulesController } from "@/modules/organizations/teams/schedules/organizations-teams-schedules.controller";
 import { OrganizationTeamWorkflowsController } from "@/modules/organizations/teams/workflows/controllers/org-team-workflows.controller";
@@ -96,6 +98,8 @@ import { Module } from "@nestjs/common";
     TeamsModule,
     OrganizationsDelegationCredentialModule,
     OrganizationsOrganizationsModule,
+    OrganizationsRolesModule,
+    OrganizationsTeamsRolesModule,
     OrganizationsStripeModule,
     OrganizationsTeamsRoutingFormsModule,
     MembershipsModule,

apps/api/v2/src/modules/organizations/roles/inputs/base-org-role.input.ts

@@ -0,0 +1,34 @@
+import { ApiPropertyOptional } from "@nestjs/swagger";
+import { IsArray, IsOptional, IsString, Validate } from "class-validator";
+
+import type { PermissionString } from "@calcom/platform-libraries/pbac";
+import { getAllPermissionStringsForScope, Scope } from "@calcom/platform-libraries/pbac";
+
+import { OrgPermissionStringValidator } from "../permissions/inputs/validators/org-permission-string.validator";
+
+export const orgPermissionEnum = [...getAllPermissionStringsForScope(Scope.Organization)] as const;
+
+export class BaseOrgRoleInput {
+  @ApiPropertyOptional({ description: "Color for the role (hex code)" })
+  @IsString()
+  @IsOptional()
+  color?: string;
+
+  @ApiPropertyOptional({ description: "Description of the role" })
+  @IsString()
+  @IsOptional()
+  description?: string;
+
+  @ApiPropertyOptional({
+    description:
+      "Permissions for this role (format: resource.action). On update, this field replaces the entire permission set for the role (full replace). Use granular permission endpoints for one-by-one changes.",
+    enum: orgPermissionEnum,
+    isArray: true,
+    example: ["eventType.read", "eventType.create", "booking.read"],
+  })
+  @IsArray()
+  @IsString({ each: true })
+  @Validate(OrgPermissionStringValidator, { each: true })
+  @IsOptional()
+  permissions?: PermissionString[];
+}

apps/api/v2/src/modules/organizations/roles/inputs/create-org-role.input.ts

@@ -0,0 +1,11 @@
+import { ApiProperty } from "@nestjs/swagger";
+import { IsString, MinLength } from "class-validator";
+
+import { BaseOrgRoleInput } from "./base-org-role.input";
+
+export class CreateOrgRoleInput extends BaseOrgRoleInput {
+  @ApiProperty({ description: "Name of the role", minLength: 1 })
+  @IsString()
+  @MinLength(1)
+  name!: string;
+}

apps/api/v2/src/modules/organizations/roles/inputs/update-org-role.input.ts

@@ -0,0 +1,12 @@
+import { ApiPropertyOptional } from "@nestjs/swagger";
+import { IsString, IsOptional, MinLength } from "class-validator";
+
+import { BaseOrgRoleInput } from "./base-org-role.input";
+
+export class UpdateOrgRoleInput extends BaseOrgRoleInput {
+  @ApiPropertyOptional({ description: "Name of the role", minLength: 1 })
+  @IsString()
+  @MinLength(1)
+  @IsOptional()
+  name?: string;
+}