Refactor Cedar policy generation to remove group ID references across multiple files

Author: Artuomka

backend/src/entities/cedar-authorization/cedar-authorization.service.ts

@@ -107,7 +107,7 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 			throw new HttpException({ message: Messages.CANNOT_CHANGE_ADMIN_GROUP }, HttpStatus.BAD_REQUEST);
 		}
 
-		await this.validatePolicyReferences(cedarPolicy, connectionId, groupId);
+		await this.validatePolicyReferences(cedarPolicy, connectionId);
 
 		const classicalPermissions = parseCedarPolicyToClassicalPermissions(cedarPolicy, connectionId, groupId);
 
@@ -273,9 +273,7 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 	private async validatePolicyReferences(
 		cedarPolicy: string,
 		connectionId: string,
-		groupId: string,
 	): Promise<void> {
-		
 		const connectionIds = [
 			...cedarPolicy.matchAll(/resource\s*==\s*RocketAdmin::Connection::"([^"]+)"/g),
 		].map((m) => m[1]);

backend/src/entities/cedar-authorization/cedar-policy-generator.ts

@@ -2,7 +2,6 @@ import { AccessLevelEnum } from '../../enums/index.js';
 import { IComplexPermission } from '../permission/permission.interface.js';
 
 export function generateCedarPolicyForGroup(
-	groupId: string,
 	connectionId: string,
 	isMain: boolean,
 	permissions: IComplexPermission,

backend/src/entities/cedar-authorization/cedar-policy-parser.ts

@@ -6,7 +6,6 @@ import {
 } from '../permission/permission.interface.js';
 
 interface ParsedPermitStatement {
-	groupId: string | null;
 	action: string | null;
 	resourceType: string | null;
 	resourceId: string | null;
@@ -140,18 +139,12 @@ function extractPermitStatements(policyText: string): ParsedPermitStatement[] {
 
 function parsePermitBody(body: string): ParsedPermitStatement {
 	const result: ParsedPermitStatement = {
-		groupId: null,
 		action: null,
 		resourceType: null,
 		resourceId: null,
 		isWildcard: false,
 	};
 
-	const principalInMatch = body.match(/principal\s+in\s+RocketAdmin::Group::"([^"]+)"/);
-	if (principalInMatch) {
-		result.groupId = principalInMatch[1];
-	}
-
 	const actionMatch = body.match(/action\s*==\s*RocketAdmin::Action::"([^"]+)"/);
 	if (actionMatch) {
 		result.action = actionMatch[1];

backend/src/entities/cedar-authorization/scripts/migrate-permissions-to-cedar.ts

@@ -50,7 +50,7 @@ export async function migratePermissionsToCedar(dataSource: DataSource): Promise
 			tables: Array.from(tableMap.values()),
 		};
 
-		const cedarPolicy = generateCedarPolicyForGroup(group.id, connection.id, group.isMain, complexPermission);
+		const cedarPolicy = generateCedarPolicyForGroup(connection.id, group.isMain, complexPermission);
 		group.cedarPolicy = cedarPolicy;
 		await groupRepository.save(group);
 		migratedCount++;

backend/src/entities/connection/use-cases/create-connection.use.case.ts

@@ -101,7 +101,6 @@ export class CreateConnectionUseCase
 			);
 			await this._dbContext.permissionRepository.createdDefaultAdminPermissionsInGroup(createdAdminGroup);
 			createdAdminGroup.cedarPolicy = generateCedarPolicyForGroup(
-				createdAdminGroup.id,
 				savedConnection.id,
 				true,
 				{

backend/src/entities/connection/use-cases/create-group-in-connection.use.case.ts

@@ -37,7 +37,6 @@ export class CreateGroupInConnectionUseCase
 		const newGroupEntity = buildNewGroupEntityForConnectionWithUser(connectionToUpdate, foundUser, title);
 		const savedGroup = await this._dbContext.groupRepository.saveNewOrUpdatedGroup(newGroupEntity);
 		savedGroup.cedarPolicy = generateCedarPolicyForGroup(
-			savedGroup.id,
 			connectionId,
 			false,
 			{

backend/src/entities/permission/use-cases/create-or-update-permissions.use.case.ts

@@ -189,7 +189,7 @@ export class CreateOrUpdatePermissionsUseCase
 		);
 
 		// Generate and save Cedar policy for this group
-		const cedarPolicy = generateCedarPolicyForGroup(groupId, connectionId, groupToUpdate.isMain, resultPermissions);
+		const cedarPolicy = generateCedarPolicyForGroup(connectionId, groupToUpdate.isMain, resultPermissions);
 		groupToUpdate.cedarPolicy = cedarPolicy;
 		await this._dbContext.groupRepository.saveNewOrUpdatedGroup(groupToUpdate);
 		Cacher.invalidateCedarPolicyCache(connectionId);

backend/test/ava-tests/non-saas-tests/non-saas-cedar-policy-generator.test.ts

@@ -16,7 +16,7 @@ function makePermissions(overrides: Partial<IComplexPermission> = {}): IComplexP
 }
 
 test('isMain=true generates a single wildcard permit', (t) => {
-	const result = generateCedarPolicyForGroup(groupId, connectionId, true, makePermissions());
+	const result = generateCedarPolicyForGroup(connectionId, true, makePermissions());
 	t.true(result.includes('principal,'));
 	t.true(result.includes('action,'));
 	t.true(result.includes('resource'));
@@ -27,7 +27,6 @@ test('isMain=true generates a single wildcard permit', (t) => {
 
 test('connection:edit generates ONLY connection:read + connection:edit (not wildcard)', (t) => {
 	const result = generateCedarPolicyForGroup(
-		groupId,
 		connectionId,
 		false,
 		makePermissions({
@@ -49,7 +48,6 @@ test('connection:edit generates ONLY connection:read + connection:edit (not wild
 
 test('connection:readonly generates only connection:read', (t) => {
 	const result = generateCedarPolicyForGroup(
-		groupId,
 		connectionId,
 		false,
 		makePermissions({
@@ -63,14 +61,13 @@ test('connection:readonly generates only connection:read', (t) => {
 });
 
 test('connection:none generates no connection policies', (t) => {
-	const result = generateCedarPolicyForGroup(groupId, connectionId, false, makePermissions());
+	const result = generateCedarPolicyForGroup(connectionId, false, makePermissions());
 	t.false(result.includes('connection:read'));
 	t.false(result.includes('connection:edit'));
 });
 
 test('group:edit generates group:read + group:edit', (t) => {
 	const result = generateCedarPolicyForGroup(
-		groupId,
 		connectionId,
 		false,
 		makePermissions({
@@ -85,7 +82,6 @@ test('group:edit generates group:read + group:edit', (t) => {
 
 test('group:readonly generates only group:read', (t) => {
 	const result = generateCedarPolicyForGroup(
-		groupId,
 		connectionId,
 		false,
 		makePermissions({
@@ -100,7 +96,6 @@ test('group:readonly generates only group:read', (t) => {
 
 test('table with visibility=true only generates only table:read', (t) => {
 	const result = generateCedarPolicyForGroup(
-		groupId,
 		connectionId,
 		false,
 		makePermissions({
@@ -122,7 +117,6 @@ test('table with visibility=true only generates only table:read', (t) => {
 
 test('table with all flags true generates table:read + table:add + table:edit + table:delete', (t) => {
 	const result = generateCedarPolicyForGroup(
-		groupId,
 		connectionId,
 		false,
 		makePermissions({
@@ -144,7 +138,6 @@ test('table with all flags true generates table:read + table:add + table:edit +
 
 test('table with add=true only generates table:read + table:add (hasAnyAccess triggers table:read)', (t) => {
 	const result = generateCedarPolicyForGroup(
-		groupId,
 		connectionId,
 		false,
 		makePermissions({
@@ -166,7 +159,6 @@ test('table with add=true only generates table:read + table:add (hasAnyAccess tr
 
 test('table with all flags false generates no policies for that table', (t) => {
 	const result = generateCedarPolicyForGroup(
-		groupId,
 		connectionId,
 		false,
 		makePermissions({
@@ -183,13 +175,12 @@ test('table with all flags false generates no policies for that table', (t) => {
 });
 
 test('all none + no tables returns empty string', (t) => {
-	const result = generateCedarPolicyForGroup(groupId, connectionId, false, makePermissions());
+	const result = generateCedarPolicyForGroup(connectionId, false, makePermissions());
 	t.is(result, '');
 });
 
 test('multiple tables generate separate policies per table with correct resource refs', (t) => {
 	const result = generateCedarPolicyForGroup(
-		groupId,
 		connectionId,
 		false,
 		makePermissions({
@@ -214,7 +205,6 @@ test('multiple tables generate separate policies per table with correct resource
 
 test('dashboard with read=true generates only dashboard:read', (t) => {
 	const result = generateCedarPolicyForGroup(
-		groupId,
 		connectionId,
 		false,
 		makePermissions({
@@ -236,7 +226,6 @@ test('dashboard with read=true generates only dashboard:read', (t) => {
 
 test('dashboard with all flags true generates dashboard:read + dashboard:create + dashboard:edit + dashboard:delete', (t) => {
 	const result = generateCedarPolicyForGroup(
-		groupId,
 		connectionId,
 		false,
 		makePermissions({
@@ -258,7 +247,6 @@ test('dashboard with all flags true generates dashboard:read + dashboard:create
 
 test('dashboard with all flags false generates no policies for that dashboard', (t) => {
 	const result = generateCedarPolicyForGroup(
-		groupId,
 		connectionId,
 		false,
 		makePermissions({
@@ -276,7 +264,6 @@ test('dashboard with all flags false generates no policies for that dashboard',
 
 test('dashboard resource ref format uses connectionId/dashboardId', (t) => {
 	const result = generateCedarPolicyForGroup(
-		groupId,
 		connectionId,
 		false,
 		makePermissions({
@@ -293,7 +280,6 @@ test('dashboard resource ref format uses connectionId/dashboardId', (t) => {
 
 test('resource ref format validation', (t) => {
 	const result = generateCedarPolicyForGroup(
-		groupId,
 		connectionId,
 		false,
 		makePermissions({