feat: premissions revamp

[golanglemonade]

⚠️ Breaking Changes

This PR contains revamped changes to permissions constructs and requires data migration.

• FGA Model - this switches to using a fga.mod file in order to break up permissions into more manageable files. These are grouped based on functionality (e.g. compliance, trust center, regsitry, etc.
• All base crud permissions are now generated based on the ent schema and are located in fga/model/generated/crud.fga. This contains all the can_<action>_<object> permissions that are used for both API Token scopes as well as base sets of permissions
• New roles.fga file that contains more defined role types, e.g. compliance_manager, policy_manager, risk_manager - this will allow for easier designation of roles to user. These can be added on top of organization roles. For example, a member can be given policy_manger role which will give them full access to manage all policies in the organization.
  • This file uses special annotations to allow for easier management without duplication:
    • @inherit: This inherits all the same permissions as the specified roles, e.g. compliance_manager inherits the permissions given to can_manage_compliance, can_manage_policies, can_manage_registry, can_manage_risk
    • @crud: This specifies which objects the role provides crud access to
• New Roles:
  • Super Admin: Users with this role will have the same permissions as the owner with the exception of being able to delete the organization. Organizations can have 0->many super admins
  • Auditor: This will be a mostly read-only role users can give to their auditor and in the future be able to specifiy what they have access to
• Scoped API Tokens - The update will allow API Tokens to be scoped to specific objects + operations allowing for more fined grained access on the tokens. This deprecates the old can_view, can_edit, can_delete, group_manager scopes in favor of new scopes. THE UI NEEDS TO BE UPDATED TO ACCOMODATE THIS CHANGE
• Adds new parent_context relation which replaces the parent relation for organization level checks for all objects with the exception of files. This requires a migration of parent relations for organization objects to parent_context. We cannot use contextual tuples because of parent hierarchy, e.g. this fails when you get to something like control_implementation where the access is based on the control and the control is based on the organization - we'd have to pass the full hierachy for this to work with the structure we have today.
• Removes adding user tuples when objects are created; previously this meant if you changed roles your access wasn't removed for any objects you created. Now, it is based on the roles - so if you can manage policies, you can see the policy you created and do not need a user specific tuple.

Other Changes:

• Logs email when checkAllowedEmailDomain fails so we know the user attempted to be added to the organization
• Changes the entitlement reconciliation failed logs when a constraint error to an warn log so test logs aren't full of these errors but we still see the warning in production. All other errors are kept as error level logs.
• Updates default org update logic to order by personal org desc so we don't set the default org to the personal org if there are other orgs available to the user
• Adds helpers for creating a fresh org, cleaning up org after
• Moves all tests that create fresh orgs and do not do river checks (most of the trust center tests) to use t.Parallel()

Deps:

• Migration Guide
  Depends on: feat: disable parent by default iam#508

[theopenlane-bender]

🔧 Configuration Changes Detected

This PR contains changes that will affect the Helm chart configuration. A draft infrastructure PR has been automatically created to preview these changes:

📋 Draft PR: https://github.com/theopenlane/openlane-infra/pull/928

Changes Preview:

✅ Updated ConfigMap template

• 🔄 Merged Helm values.yaml
• 🔐 External secrets configuration updated
• ✅ Updated ConfigMap template

The draft infrastructure PR will be closed automatically after this core PR is merged.

[sonarqubecloud]

Quality Gate failed

Failed conditions
13.3% Coverage on New Code (required ≥ 20%)

See analysis details on SonarQube Cloud

[matoszz]

the hook triggers on OpUpdate and OpUpdateOne but you only have logic for OpUpdateOne

[matoszz]

is something changing with the order of operations that allows us to safely remove this?

[matoszz]

why would we need to perform ordering when the Where condition already precludes the previously set organization ID ?

[matoszz]

it might be easier to do GetAuthzSubjectType or one of the other helpers here

[matoszz]

the fgax constants are all already lower, no real reason to have strings.ToLower prefixing all these

[matoszz]

update operation checks can_view but on OpUpdate and expected can edit?

[matoszz]

shouldn't this be can_delete?

[matoszz]

isn't this duplicative of the check that's at the top of the function already?

[matoszz]

why manipulate the object type input like this?

[matoszz]

is it possible for m.Type() to return empty?