alldigital/PSA
2
0
Fork 0
Code Issues Pull Requests Actions 13 Packages Projects Releases Wiki Activity
PSA/server/migrations/20251223145000_add_secrets_permissions.cjs
Hermes 284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Details
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Details
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
Details
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
Details
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Details
Integration Tests / Check for relevant changes (push) Waiting to run
Details
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Details
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Details
Mobile checks / Mobile unit tests (push) Waiting to run
Details
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Details
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Details
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Details
Temporal Readiness / fast-readiness (push) Waiting to run
Details
Temporal Readiness / docker-parity (push) Waiting to run
Details
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Details
Unit Tests / Skipped-test budget (push) Waiting to run
Details
Unit Tests / Nx affected unit tests (push) Waiting to run
Details
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Details
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Details
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
Details
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Details
Initial import of AlgaPSA codebase from PSA server 
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz

Source: /opt/alga-psa on psa.joliet.tech
2026-06-22 16:12:17 -05:00

111 lines
3.3 KiB
JavaScript
Raw Permalink Blame History

/**
* Migration to add secrets permissions (§18.6.1)
*
* Creates three permission levels for tenant secrets:
* - secrets.view: List secret names and metadata
* - secrets.manage: Create, update, delete secrets
* - secrets.use: Reference secrets in workflows
*
* Admin role gets all permissions.
* Editor role gets view and use permissions.
* Viewer role gets no secrets permissions.
*/
const SECRETS_PERMISSIONS = [
{ resource: 'secrets', action: 'view', description: 'View secret names and metadata (not values)' },
{ resource: 'secrets', action: 'manage', description: 'Create, update, and delete secrets' },
{ resource: 'secrets', action: 'use', description: 'Reference secrets in workflows' },
];
exports.up = async function (knex) {
// Get all tenants
const tenants = await knex('tenants').select('tenant');
for (const { tenant } of tenants) {
// Insert permissions for this tenant
const permissionIds = [];
for (const perm of SECRETS_PERMISSIONS) {
const [row] = await knex('permissions')
.insert({
tenant,
resource: perm.resource,
action: perm.action,
description: perm.description,
})
.returning('permission_id');
permissionIds.push({ ...perm, permission_id: row.permission_id });
}
// Get Admin and Editor roles for this tenant
const adminRole = await knex('roles')
.where({ tenant, role_name: 'Admin' })
.first();
const editorRole = await knex('roles')
.where({ tenant, role_name: 'Editor' })
.first();
// Assign all secrets permissions to Admin role
if (adminRole) {
for (const perm of permissionIds) {
// Check if already assigned (idempotency)
const existing = await knex('role_permissions')
.where({
tenant,
role_id: adminRole.role_id,
permission_id: perm.permission_id,
})
.first();
if (!existing) {
await knex('role_permissions').insert({
tenant,
role_id: adminRole.role_id,
permission_id: perm.permission_id,
});
}
}
}
// Assign view and use permissions to Editor role
if (editorRole) {
for (const perm of permissionIds) {
if (perm.action === 'view' || perm.action === 'use') {
// Check if already assigned (idempotency)
const existing = await knex('role_permissions')
.where({
tenant,
role_id: editorRole.role_id,
permission_id: perm.permission_id,
})
.first();
if (!existing) {
await knex('role_permissions').insert({
tenant,
role_id: editorRole.role_id,
permission_id: perm.permission_id,
});
}
}
}
}
}
};
exports.down = async function (knex) {
// Remove role_permissions for secrets
const secretsPermissions = await knex('permissions')
.where({ resource: 'secrets' })
.select('tenant', 'permission_id');
for (const perm of secretsPermissions) {
await knex('role_permissions')
.where({
tenant: perm.tenant,
permission_id: perm.permission_id,
})
.del();
}
// Remove secrets permissions
await knex('permissions').where({ resource: 'secrets' }).del();
};
Reference in New Issue View Git Blame Copy Permalink