remove gcloud dependencies

Author: k9ert

.github/workflows/integration-test.yml

@@ -98,9 +98,6 @@ jobs:
         run: nix develop -c buck2 build ${{ matrix.build_args }}
       - name: Start deps and run tests via tilt
         run: nix develop -c xvfb-run ./dev/bin/tilt-ci.sh ${{ matrix.component }}
-        env:
-          NODE_ENV: test
-          BYPASS_ROLE_CHECK: true
       - name: Prepare Tilt log
         id: prepare_tilt_log
         if: always()

apps/admin-panel/app/api/auth/[...nextauth]/options.ts

@@ -6,6 +6,15 @@ import { CallbacksOptions } from "next-auth"
 
 import { env } from "../../../env"
 
+declare module "next-auth" {
+  interface Session {
+    sub: string | null
+    accessToken: string
+    role: string
+    scope: string[]
+  }
+}
+
 const providers: Provider[] = [
   GoogleProvider({
     clientId: env.GOOGLE_CLIENT_ID ?? "",
@@ -30,7 +39,13 @@ if (env.NODE_ENV === "development") {
       },
       authorize: async (credentials) => {
         if (credentials?.username === "admin" && credentials?.password === "admin") {
-          return { id: "1", name: "admin", email: "[email protected]" }
+          return { id: "1", name: "admin", email: "[email protected]" }
+        }
+        if (credentials?.username === "alice" && credentials?.password === "alice") {
+          return { id: "2", name: "bob", email: "[email protected]" }
+        }
+        if (credentials?.username === "bob" && credentials?.password === "bob") {
+          return { id: "2", name: "bob", email: "[email protected]" }
         }
         return null
       },
@@ -60,32 +75,19 @@ const callbacks: Partial<CallbacksOptions> = {
     return verified && env.AUTHORIZED_EMAILS.includes(email)
   },
   async jwt({ token, account, profile, user }) {
-    // dummy values ToDo grab from config
-    // ToDo is it really necessary or is the session callback enough?!
-    token.scopes = ["muh","meh"]
-    console.log("jwt", token)
-    console.log("-------------------------")
+    const role_mapping = env.ROLE_MAPPING
+    if (user) {
+      // get this from config depending if you prefere scope or role
+      token.scope = ["READ", "WRITE"]
+      token.role = role_mapping[user.email as keyof typeof role_mapping] || "VIEWER"
+    } else {
+      console.log("no user")
+    }
     return token
   },
   async session({ session, token }) {
-    // Create custom JWT for admin-api
-    const adminJwtPayload = {
-      sub: token.email,
-      email: token.email,
-      iat: Math.floor(Date.now() / 1000),
-      exp: Math.floor(Date.now() / 1000) + (60 * 60), // 1 hour
-      iss: "admin-panel",
-      aud: "admin-api",
-      scopes: ["muh","meh"]
-    }
-
-    const jwt = require('jsonwebtoken')
-    const adminToken = jwt.sign(adminJwtPayload, env.NEXTAUTH_SECRET)
-    
-    session.adminToken = adminToken
-    session.user.email = token.email
-    // need scopes in session as well in order to retrieve it in oathkeeper's mutator
-    session.scopes = ["muh","meh"]
+    session.scope = token.scope as string[]
+    session.role = token.role as string
     return session
   },
 }

apps/admin-panel/app/env.ts

@@ -16,6 +16,16 @@ export const env = createEnv({
       .string()
       .transform((x) => x.split(",").map((email) => email.trim()))
       .default("[email protected]"),
+    ROLE_MAPPING: z
+      .string()
+      .transform((str) => {
+        try {
+          return JSON.parse(str)
+        } catch {
+          return {}
+        }
+      })
+      .default("{}"),
   },
   /*
    * Environment variables available on the client (and server).
@@ -40,5 +50,6 @@ export const env = createEnv({
     NEXTAUTH_URL: process.env.NEXTAUTH_URL,
     NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET,
     AUTHORIZED_EMAILS: process.env.AUTHORIZED_EMAILS,
+    ROLE_MAPPING: process.env.ROLE_MAPPING || "{}",
   },
 })

core/api/BUCK

@@ -140,7 +140,7 @@ sdl(
   generator = ":write-sdl",
   args = ["admin"],
   deps_srcs = [":src"],
-  env = {"NODE_ENV": "development"},
+
   visibility = ["PUBLIC"],
 )
 

core/api/package.json

@@ -78,7 +78,6 @@
     "express": "^4.21.2",
     "express-jwt": "^8.5.1",
     "firebase-admin": "^12.6.0",
-    "google-auth-library": "^10.2.0",
     "google-protobuf": "^3.21.4",
     "graphql": "^16.11.0",
     "graphql-middleware": "^6.1.33",

core/api/src/config/env.ts

@@ -24,8 +24,6 @@ export const env = createEnv({
       .pipe(z.coerce.boolean())
       .default(false),
 
-    BYPASS_ROLE_CHECK: z.boolean().or(z.string()).pipe(z.coerce.boolean()).default(false),
-
     TELEGRAM_BOT_API_TOKEN: z.string().optional(),
     TELEGRAM_PASSPORT_PRIVATE_KEY: z.string().optional(),
 
@@ -125,10 +123,6 @@ export const env = createEnv({
       .pipe(z.coerce.number())
       .default(50052),
 
-    GCP_PROJECT_ID: z.string().min(1).optional(),
-
-    GCP_IAM_SERVICE_ACCOUNT_PATH: z.string().min(1).optional(),
-    GCS_APPLICATION_CREDENTIALS_PATH: z.string().min(1).optional(),
     NEXTCLOUD_URL: z.string().min(1).optional(),
     NEXTCLOUD_USER: z.string().min(1).optional(),
     NEXTCLOUD_PASSWORD: z.string().min(1).optional(),
@@ -152,8 +146,6 @@ export const env = createEnv({
       .or(z.string())
       .pipe(z.coerce.number().min(0))
       .default(60),
-
-    NODE_ENV: z.string(),
   },
 
   runtimeEnvStrict: {
@@ -165,8 +157,6 @@ export const env = createEnv({
     UNSECURE_DEFAULT_LOGIN_CODE: process.env.UNSECURE_DEFAULT_LOGIN_CODE,
     UNSECURE_IP_FROM_REQUEST_OBJECT: process.env.UNSECURE_IP_FROM_REQUEST_OBJECT,
 
-    BYPASS_ROLE_CHECK: process.env.BYPASS_ROLE_CHECK,
-
     TELEGRAM_BOT_API_TOKEN: process.env.TELEGRAM_BOT_API_TOKEN,
     TELEGRAM_PASSPORT_PRIVATE_KEY: process.env.TELEGRAM_PASSPORT_PRIVATE_KEY,
 
@@ -243,9 +233,6 @@ export const env = createEnv({
     PRICE_HISTORY_HOST: process.env.PRICE_HISTORY_HOST,
     PRICE_HISTORY_PORT: process.env.PRICE_HISTORY_PORT,
 
-    GCP_PROJECT_ID: process.env.GCP_PROJECT_ID,
-    GCP_IAM_SERVICE_ACCOUNT_PATH: process.env.GCP_IAM_SERVICE_ACCOUNT_PATH,
-    GCS_APPLICATION_CREDENTIALS_PATH: process.env.GCS_APPLICATION_CREDENTIALS_PATH,
     NEXTCLOUD_URL: process.env.NEXTCLOUD_URL,
     NEXTCLOUD_USER: process.env.NEXTCLOUD_USER,
     NEXTCLOUD_PASSWORD: process.env.NEXTCLOUD_PASSWORD,
@@ -265,7 +252,5 @@ export const env = createEnv({
 
     EXPORTER_ASSETS_LIABILITIES_DELAY_SECS:
       process.env.EXPORTER_ASSETS_LIABILITIES_DELAY_SECS,
-
-    NODE_ENV: process.env.NODE_ENV,
   },
 })

core/api/src/servers/graphql-admin-api-server.ts

@@ -3,9 +3,6 @@ import { rule, shield } from "graphql-shield"
 import { Rule } from "graphql-shield/typings/rules"
 
 import { NextFunction, Request, Response } from "express"
-import { expressjwt } from "express-jwt"
-import { getJwksArgs, jwtAlgorithms } from "./graphql-server"
-import jwksRsa from "jwks-rsa"
 
 import DataLoader from "dataloader"
 
@@ -31,7 +28,12 @@ import { Transactions } from "@/app"
 
 import { AuthorizationError } from "@/graphql/error"
 
-import { AdminFeature, hasFeature } from "@/services/auth/role-checker"
+import { AdminAccessRight, AdminRoleString, hasAccessRight } from "@/services/auth/role-checker"
+
+// Helper function to validate role
+const isValidAdminRole = (role: string): role is AdminRoleString => {
+  return role === "VIEWER" || role === "SUPPORT" || role === "ADMIN"
+}
 
 // TODO: loaders probably not needed for the admin panel
 const loaders = {
@@ -62,12 +64,14 @@ const setGqlAdminContext = async (
   console.log("JWT Token payload:", tokenPayload)
 
   const userEmail = tokenPayload.sub as string // This should be the email from OAuth
+  const role = tokenPayload.role as string
   const privilegedClientId = tokenPayload.sub as PrivilegedClientId
 
   req.gqlContext = {
     loaders,
     privilegedClientId,
     userEmail, // Add email to context
+    role,
     logger,
   }
 
@@ -86,17 +90,18 @@ const requiresViewAccess = rule({ cache: "contextual" })(async (
   args,
   ctx: GraphQLAdminContext,
 ) => {
-  if (!ctx.userEmail) return false
-  return hasFeature(ctx.userEmail, AdminFeature.VIEW_ACCOUNTS)
+  if (!ctx.userEmail || !ctx.role || !isValidAdminRole(ctx.role)) return false
+  console.log("ctx",ctx)
+  return hasAccessRight(ctx.role, AdminAccessRight.VIEW_ACCOUNTS)
 })
 
 const requiresModifyAccess = rule({ cache: "contextual" })(async (
   parent,
   args,
   ctx: GraphQLAdminContext,
 ) => {
-  if (!ctx.userEmail) return false
-  return hasFeature(ctx.userEmail, AdminFeature.MODIFY_ACCOUNTS)
+  if (!ctx.userEmail || !ctx.role || !isValidAdminRole(ctx.role)) return false
+  return hasAccessRight(ctx.role, AdminAccessRight.MODIFY_ACCOUNTS)
 })
 
 export async function startApolloServerForAdminSchema() {

core/api/src/servers/index.files.d.ts

@@ -25,6 +25,7 @@ type GraphQLAdminContext = {
   loaders: Loaders
   privilegedClientId: PrivilegedClientId
   userEmail: string
+  role: string
 }
 
 type GraphQLContext =

core/api/src/services/auth/role-checker.ts

@@ -1,37 +1,14 @@
-import { GoogleAuth } from "google-auth-library"
 
-import { env } from "../../config/env"
 
-import { baseLogger } from "@/services/logger"
 
-import { recordExceptionInCurrentSpan } from "@/services/tracing"
-
-import { ErrorLevel } from "@/domain/shared"
-
-// Based on https://cloud.google.com/resource-manager/reference/rest/v1/Policy
-interface Policy {
-  bindings?: Binding[]
-  etag?: string
-  version?: number
-}
-
-interface Binding {
-  role?: string
-  members?: string[]
-  condition?: {
-    title?: string
-    description?: string
-    expression?: string
-  }
-}
 
 export enum AdminRole {
   VIEWER = "roles/adminPanelViewer",
   SUPPORT = "roles/adminPanelSupport",
   ADMIN = "roles/adminPanelAdmin",
 }
 
-export enum AdminFeature {
+export enum AdminAccessRight {
   VIEW_ACCOUNTS = "VIEW_ACCOUNTS",
   MODIFY_ACCOUNTS = "MODIFY_ACCOUNTS",
   DELETE_ACCOUNTS = "DELETE_ACCOUNTS",
@@ -40,76 +17,31 @@ export enum AdminFeature {
   SYSTEM_CONFIG = "SYSTEM_CONFIG",
 }
 
-const ROLE_FEATURES = {
-  [AdminRole.VIEWER]: [AdminFeature.VIEW_ACCOUNTS, AdminFeature.VIEW_TRANSACTIONS],
-  [AdminRole.SUPPORT]: [
-    AdminFeature.VIEW_ACCOUNTS,
-    AdminFeature.MODIFY_ACCOUNTS,
-    AdminFeature.VIEW_TRANSACTIONS,
-    AdminFeature.SEND_NOTIFICATIONS,
+// String-based role values from options.ts
+export type AdminRoleString = "VIEWER" | "SUPPORT" | "ADMIN"
+
+// String-based role access rights mapping
+const STRING_ROLE_ACCESS_RIGHTS = {
+  VIEWER: [AdminAccessRight.VIEW_ACCOUNTS, AdminAccessRight.VIEW_TRANSACTIONS],
+  SUPPORT: [
+    AdminAccessRight.VIEW_ACCOUNTS,
+    AdminAccessRight.MODIFY_ACCOUNTS,
+    AdminAccessRight.VIEW_TRANSACTIONS,
+    AdminAccessRight.SEND_NOTIFICATIONS,
   ],
-  [AdminRole.ADMIN]: Object.values(AdminFeature),
+  ADMIN: Object.values(AdminAccessRight),
 }
 
-const auth = new GoogleAuth({
-  scopes: ["https://www.googleapis.com/auth/cloud-platform"],
-  keyFilename: env.GCP_IAM_SERVICE_ACCOUNT_PATH,
-})
-
-export const getUserRoles = async (userEmail: string): Promise<AdminRole[]> => {
-  // Only bypass in development/test environments
-  if (
-    (env.NODE_ENV === "development" || env.NODE_ENV === "test") &&
-    env.BYPASS_ROLE_CHECK
-  ) {
-    return Object.values(AdminRole)
-  }
-
-  // Production uses real role checking
-  try {
-    const client = await auth.getClient()
-    const projectId = process.env.GCP_PROJECT_ID
-    if (!projectId) {
-      throw new Error("GCP_PROJECT_ID environment variable is required for role checking")
-    }
 
-    const response = await client.request({
-      url: `https://cloudresourcemanager.googleapis.com/v1/projects/${projectId}:getIamPolicy`,
-      method: "POST",
-    })
-
-    const policy = response.data as Policy
-    const bindings = policy.bindings || []
-    const userRoles = bindings.reduce<AdminRole[]>((roles, binding) => {
-      if (binding.members?.includes(`user:${userEmail}`)) {
-        if (
-          binding.role &&
-          Object.values(AdminRole).includes(binding.role as AdminRole)
-        ) {
-          roles.push(binding.role as AdminRole)
-        }
-      }
-      return roles
-    }, [])
-
-    return userRoles
-  } catch (error) {
-    baseLogger.error("Failed to get user roles:", error)
-    recordExceptionInCurrentSpan({
-      error,
-      level: ErrorLevel.Critical,
-      attributes: {
-        "getUserRoles.error.userEmail": userEmail,
-      },
-    })
-    return []
-  }
-}
-
-export const hasFeature = async (
-  userEmail: string,
-  feature: AdminFeature,
+export const hasAccessRight = async (
+  role: AdminRoleString,
+  accessRight: AdminAccessRight,
 ): Promise<boolean> => {
-  const roles = await getUserRoles(userEmail)
-  return roles.some((role) => ROLE_FEATURES[role]?.includes(feature))
+  return STRING_ROLE_ACCESS_RIGHTS[role]?.includes(accessRight) || false
 }
+
+// Backward compatibility - deprecated, use AdminAccessRight instead
+export const AdminFeature = AdminAccessRight
+
+// Backward compatibility - deprecated, use hasAccessRight instead
+export const hasFeature = hasAccessRight

dev/config/ory/oathkeeper_rules.yaml

@@ -106,5 +106,4 @@
   mutators:
     - handler: id_token
       config: #! TODO: add aud: {"aud": ["https://api/admin/graphql"] }
-        # This is currently failing with invalid character '\"' after array element"
-        claims: "{\"sub\": \"{{ print .Subject }}\", \"scopes\": {{ printf \"%+q\" .Extra.scopes }}, \"email\": \"{{ print .Extra.user.email }}\" }"
+        claims: "{\"sub\": \"{{ print .Subject }}\", \"role\": \"{{ print .Extra.role }}\", \"email\": \"{{ print .Extra.user.emailr }}\" }"