feat(api): authorization-and-roles-management-service

.github/workflows/ci.yml

@@ -9,6 +9,7 @@ jobs:
     outputs:
       ui: ${{ steps.ui.outputs.any_changed }}
       api: ${{ steps.api.outputs.any_changed }}
+      policies: ${{ steps.policies.outputs.any_changed }}
       engine: ${{ steps.engine.outputs.any_changed }}
       websocket: ${{ steps.websocket.outputs.any_changed }}
     steps:
@@ -20,13 +21,24 @@ jobs:
         id: api
         uses: tj-actions/changed-files@v41
         with:
-            files: |
-              api/**
-              .github/workflows/ci.yml
-              .github/workflows/ci_api.yml
-              .github/workflows/build_api.yml
-              .github/workflows/deploy_api_nightly.yml
-              CHANGELOG.md
+          files: |
+            api/**
+            .github/workflows/ci.yml
+            .github/workflows/ci_api.yml
+            .github/workflows/build_api.yml
+            .github/workflows/deploy_api_nightly.yml
+            CHANGELOG.md
+
+      - name: changed files for policies
+        id: policies
+        uses: tj-actions/changed-files@v41
+        with:
+          files: |
+            api/internal/rbac/**
+            .github/workflows/ci.yml
+            .github/workflows/check_cerbos_policies.yml
+            .github/workflows/update_cerbos_policies.yml
+            CHANGELOG.md
 
       - name: changed files for ui
         id: ui
@@ -63,14 +75,18 @@ jobs:
     needs: prepare
     if: needs.prepare.outputs.api == 'true'
     uses: ./.github/workflows/ci_api.yml
+  ci-policies:
+    needs: prepare
+    if: needs.prepare.outputs.policies == 'true'
+    uses: ./.github/workflows/ci_policies.yml
   ci-ui:
     needs: prepare
     if: needs.prepare.outputs.ui == 'true'
     uses: ./.github/workflows/ci_ui.yml
   ci-websocket:
-      needs: prepare
-      if: needs.prepare.outputs.websocket == 'true'
-      uses: ./.github/workflows/ci_websocket.yml
+    needs: prepare
+    if: needs.prepare.outputs.websocket == 'true'
+    uses: ./.github/workflows/ci_websocket.yml
   ci-engine:
     needs: prepare
     if: needs.prepare.outputs.engine == 'true'
@@ -79,6 +95,7 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - ci-api
+      - ci-policies
       - ci-ui
       - ci-websocket
       - ci-engine
@@ -138,7 +155,15 @@ jobs:
       new_tag_short: ${{ needs.ci-collect-info.outputs.new_tag_short }}
       name: ${{ needs.ci-collect-info.outputs.name }}
       sha: ${{ github.sha }}
-    secrets: inherit  
+    secrets: inherit
+  update-policies:
+    needs:
+      - ci
+      - ci-policies
+      - ci-collect-info
+    uses: ./.github/workflows/update_policies.yml
+    if: ${{ !failure() && needs.ci-policies.result == 'success' && github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'release' || startsWith(github.ref_name, 'release/')) }}
+    secrets: inherit
   build-and-deploy-ui:
     needs:
       - ci

.github/workflows/ci_policies.yml

@@ -0,0 +1,51 @@
+name: ci-policies
+on:
+  workflow_call:
+env:
+  GO_VERSION: '1.22'
+
+jobs:
+  cerbosCheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+      - name: set up
+        uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+      - name: Generate policies
+        run: |
+          set -e
+          if ! make gen-policies; then
+            echo "Policy generation failed"
+            exit 1
+          fi
+        working-directory: api
+      - name: List generated policy files
+        run: |
+          set -eo pipefail
+          echo "Generated policy files in api/policies/:"
+          ls -la policies/ || echo "No files found"
+          if [ -d "policies" ] && [ "$(ls -A policies/)" ]; then
+            echo "Content of policy files:"
+            for file in policies/*.yaml; do
+              echo "--- Content of $file ---"
+              cat "$file"
+            done
+          else
+            echo "No policy files were generated"
+            exit 1
+          fi
+        working-directory: api
+      - name: Setup Cerbos
+        uses: cerbos/cerbos-setup-action@v1
+        with:
+          version: '0.36.0'
+      - name: Validate Cerbos policies
+        run: |
+          set -eo pipefail
+          cerbos compile ./policies
+          echo "Policy validation successful"
+        working-directory: api

.github/workflows/update_policies.yml

@@ -0,0 +1,80 @@
+name: update-policies
+on:
+  workflow_call:
+env:
+  GO_VERSION: '1.22'
+  GCS_BUCKET_PATH: gs://cerbos-oss-policyfile-bucket
+
+jobs:
+  update-policies:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+      - name: set up
+        uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+      - name: Generate policies
+        run: |
+          set -e
+          if ! make gen-policies; then
+            echo "Policy generation failed"
+            exit 1
+          fi
+        working-directory: api
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v1
+        with:
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v1
+      - name: Sync policies with Cloud Storage
+        run: |
+          set -euo pipefail
+          echo "All files in bucket (before sync):"
+          gsutil ls "${GCS_BUCKET_PATH}/" || true
+
+          echo "Current flow files in bucket:"
+          bucket_files=$(gsutil ls "${GCS_BUCKET_PATH}/flow_*.yaml" || true)
+          echo "$bucket_files"
+
+          echo "Local policy files:"
+          local_files=$(ls policies/flow_*.yaml 2>/dev/null || true)
+          echo "$local_files"
+
+          for file in policies/flow_*.yaml; do
+            if [ -f "$file" ]; then
+              if ! yamllint "$file"; then
+                echo "Error: Invalid YAML in $file"
+                exit 1
+              fi
+            fi
+          done
+
+          for file in policies/flow_*.yaml; do
+            if [ -f "$file" ]; then
+              file_name=$(basename "$file")
+              echo "Uploading/Updating: $file_name"
+              if ! gsutil cp "$file" "${GCS_BUCKET_PATH}/$file_name"; then
+                echo "Error: Failed to upload $file_name"
+                exit 1
+              fi
+            fi
+          done
+
+          for bucket_file in "${GCS_BUCKET_PATH}"/flow_*.yaml; do
+            file_name=$(basename "$bucket_file")
+            if [ ! -f "policies/$file_name" ] && [[ "$file_name" == flow_* ]]; then
+              echo "Deleting: $file_name"
+              if ! gsutil rm "$bucket_file"; then
+                echo "Error: Failed to delete $bucket_file"
+                exit 1
+              fi
+            fi
+          done
+
+          echo "Sync completed. All files in bucket:"
+          gsutil ls "${GCS_BUCKET_PATH}/" || true
+        working-directory: api

api/.env.example

@@ -1,10 +1,12 @@
 # General
 PORT=8080
 REEARTH_FLOW_DB=mongodb://localhost
-REEARTH_FLOW_HOST=https://localhost:8080
 REEARTH_FLOW_ASSETBASEURL=https://localhost:8080/assets
 REEARTH_FLOW_DEV=false
 
+# Host configurations
+REEARTH_FLOW_HOST=https://localhost:8080
+REEARTH_DASHBOARD_HOST=http://localhost:8090
 
 # Local Auth serv
 REEARTH_FLOW_AUTH0_DOMAIN=https://example.auth0.com

api/Makefile

@@ -19,4 +19,7 @@ run-db:
 gql:
 	go generate ./internal/adapter/gql
 
-.PHONY: lint test e2e build run-app run-db gql
+gen-policies:
+	go run ./cmd/policy-generator
+
+.PHONY: lint test e2e build run-app run-db gql gen-policies

api/README.md

@@ -17,3 +17,28 @@ $ make run-db
 ```console
 $ go run ./cmd/reearth-flow
 ```
+
+## Authorization System
+
+Re:Earth Flow uses Role-Based Access Control (RBAC) to manage permissions. The system is built using Cerbos for policy enforcement.
+
+### Authorization Configuration
+All authorization-related definitions are managed in `api/internal/rbac/definitions.go`. This file contains:
+
+- Resource definitions (e.g., project, workflow)
+- Action definitions (e.g., read, edit)
+- Role definitions (owner, maintainer, writer, reader)
+- Permission mappings between resources, actions, and roles
+
+To add or modify permissions:
+1. Open `api/internal/rbac/definitions.go`
+2. Add/modify resources in the `ResourceXXX` constants
+3. Add/modify actions in the `ActionXXX` constants
+4. Add/modify roles in the `roleXXX` constants
+5. Update the permission mappings in the `DefineResources` function
+
+### Deployment
+The permission definitions are automatically synchronized with the Cerbos server's storage bucket when changes are merged into the main branch via CI. This ensures that the latest permission settings are always available for authorization checks.
+
+### Implementation in Use Cases
+Permission checks should be implemented in use case interactors.

api/cmd/policy-generator/main.go

@@ -0,0 +1,18 @@
+package main
+
+import (
+	"log"
+
+	"github.com/reearth/reearth-flow/api/internal/rbac"
+	"github.com/reearth/reearthx/cerbos/generator"
+)
+
+func main() {
+	if err := generator.GeneratePolicies(
+		rbac.ServiceName,
+		rbac.DefineResources,
+		rbac.PolicyFileDir,
+	); err != nil {
+		log.Fatalf("Failed to generate policies: %v", err)
+	}
+}

api/e2e/common.go

@@ -29,8 +29,8 @@ func init() {
 	mongotest.Env = "REEARTH_FLOW_DB"
 }
 
-func StartServer(t *testing.T, cfg *config.Config, useMongo bool, seeder Seeder) *httpexpect.Expect {
-	e, _, _ := StartServerAndRepos(t, cfg, useMongo, seeder)
+func StartServer(t *testing.T, cfg *config.Config, useMongo bool, seeder Seeder, allowPermission bool) *httpexpect.Expect {
+	e, _, _ := StartServerAndRepos(t, cfg, useMongo, seeder, allowPermission)
 	return e
 }
 
@@ -60,13 +60,13 @@ func initGateway() *gateway.Container {
 	}
 }
 
-func StartServerAndRepos(t *testing.T, cfg *config.Config, useMongo bool, seeder Seeder) (*httpexpect.Expect, *repo.Container, *gateway.Container) {
+func StartServerAndRepos(t *testing.T, cfg *config.Config, useMongo bool, seeder Seeder, allowPermission bool) (*httpexpect.Expect, *repo.Container, *gateway.Container) {
 	repos := initRepos(t, useMongo, seeder)
 	gateways := initGateway()
-	return StartServerWithRepos(t, cfg, repos, gateways), repos, gateways
+	return StartServerWithRepos(t, cfg, repos, gateways, allowPermission), repos, gateways
 }
 
-func StartServerWithRepos(t *testing.T, cfg *config.Config, repos *repo.Container, gateways *gateway.Container) *httpexpect.Expect {
+func StartServerWithRepos(t *testing.T, cfg *config.Config, repos *repo.Container, gateways *gateway.Container, allowPermission bool) *httpexpect.Expect {
 	t.Helper()
 
 	if testing.Short() {
@@ -80,12 +80,17 @@ func StartServerWithRepos(t *testing.T, cfg *config.Config, repos *repo.Containe
 		t.Fatalf("server failed to listen: %v", err)
 	}
 
+	// mockPermissionChecker
+	mockPermissionChecker := gateway.NewMockPermissionChecker()
+	mockPermissionChecker.Allow = allowPermission
+
 	srv := app.NewServer(ctx, &app.ServerConfig{
-		Config:       cfg,
-		Repos:        repos,
-		Gateways:     gateways,
-		Debug:        true,
-		AccountRepos: repos.AccountRepos(),
+		Config:            cfg,
+		Repos:             repos,
+		Gateways:          gateways,
+		Debug:             true,
+		AccountRepos:      repos.AccountRepos(),
+		PermissionChecker: mockPermissionChecker,
 	})
 
 	ch := make(chan error)
@@ -115,18 +120,18 @@ type GraphQLRequest struct {
 	Variables     map[string]any `json:"variables"`
 }
 
-func StartGQLServer(t *testing.T, cfg *config.Config, useMongo bool, seeder Seeder) (*httpexpect.Expect, *accountrepo.Container) {
-	e, r := StartGQLServerAndRepos(t, cfg, useMongo, seeder)
+func StartGQLServer(t *testing.T, cfg *config.Config, useMongo bool, seeder Seeder, allowPermission bool) (*httpexpect.Expect, *accountrepo.Container) {
+	e, r := StartGQLServerAndRepos(t, cfg, useMongo, seeder, allowPermission)
 	return e, r
 }
 
-func StartGQLServerAndRepos(t *testing.T, cfg *config.Config, useMongo bool, seeder Seeder) (*httpexpect.Expect, *accountrepo.Container) {
+func StartGQLServerAndRepos(t *testing.T, cfg *config.Config, useMongo bool, seeder Seeder, allowPermission bool) (*httpexpect.Expect, *accountrepo.Container) {
 	repos := initRepos(t, useMongo, seeder)
 	acRepos := repos.AccountRepos()
-	return StartGQLServerWithRepos(t, cfg, repos, acRepos), acRepos
+	return StartGQLServerWithRepos(t, cfg, repos, acRepos, allowPermission), acRepos
 }
 
-func StartGQLServerWithRepos(t *testing.T, cfg *config.Config, repos *repo.Container, accountrepos *accountrepo.Container) *httpexpect.Expect {
+func StartGQLServerWithRepos(t *testing.T, cfg *config.Config, repos *repo.Container, accountrepos *accountrepo.Container, allowPermission bool) *httpexpect.Expect {
 	t.Helper()
 
 	if testing.Short() {
@@ -140,6 +145,10 @@ func StartGQLServerWithRepos(t *testing.T, cfg *config.Config, repos *repo.Conta
 		t.Fatalf("server failed to listen: %v", err)
 	}
 
+	// mockPermissionChecker
+	mockPermissionChecker := gateway.NewMockPermissionChecker()
+	mockPermissionChecker.Allow = allowPermission
+
 	srv := app.NewServer(ctx, &app.ServerConfig{
 		Config:       cfg,
 		Repos:        repos,
@@ -150,7 +159,8 @@ func StartGQLServerWithRepos(t *testing.T, cfg *config.Config, repos *repo.Conta
 		AccountGateways: &accountgateway.Container{
 			Mailer: mailer.New(ctx, &mailer.Config{}),
 		},
-		Debug: true,
+		Debug:             true,
+		PermissionChecker: mockPermissionChecker,
 	})
 
 	ch := make(chan error)

api/e2e/gql_me_test.go

@@ -14,7 +14,7 @@ func TestMe(t *testing.T) {
 			Disabled: true,
 		},
 	},
-		true, baseSeeder)
+		true, baseSeeder, true)
 
 	requestBody := GraphQLRequest{
 		OperationName: "GetMe",