Normalize permission model

[jhoward-lm]

Description

This PR is an implementation of the permission model normalization discussed in DependencyTrack/hyades#1757 and proposed by DependencyTrack/hyades#1783.

Addressed Issue

Closes DependencyTrack/hyades#1757

Additional Details

Checklist

• I have read and understand the contributing guidelines
• This PR fixes a defect, and I have provided tests to verify that the fix is effective
• This PR implements an enhancement, and I have provided tests to verify that it works as intended
• This PR introduces changes to the database model, and I have updated the migration changelog accordingly
• This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ +0.00% (target: -1.00%)	✅ 76.00% (target: 70.00%)

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (39a308d)	27850	22860	82.08%
Head commit (22923ba)	27848 (-2)	22857 (-3)	82.08% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#1207)	125	95	76.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

[nscuro]

Note so we don't forget:

• Before this can be merged, we need a DB migration that reassigns any existing old permissions to their corresponding new counterparts.
• Changes in frontend would also be required.

[jhoward-lm]

@nscuro I added a change set for the migration. Not sure if it's what you were looking for, so any suggestions are welcome. Will work on the frontend tomorrow

[jhoward-lm]

@nscuro I haven't pushed this, but initially thought about adding database-level enforcement using:

• Permissions defined as PostgreSQL enums, one for project-scoped and one for system-scoped
• A domain representing a combination of these two enums to be used as the PERMISSION table NAME column datatype
• A view of permission names and scopes for ease of lookup
  • or could be one view for project-scoped and another for system-scoped, e.g. PROJECT_PERMISSIONS and SYSTEM_PERMISSIONS (optionally with a V_ prefix, I've seen that convention from time to time)

Either the addition of the SCOPE column on the PERMISSION table or the view might be unnecessary, but here is the change set including both. WDYT?

changeSet

    <changeSet id="v5.6.0-32.3" author="jhoward-lm">
        <sql splitStatements="true">
            CREATE TYPE permission_scope AS ENUM (
              'PROJECT',
              'SYSTEM'
            );

            CREATE TYPE project_permission AS ENUM (
              'BADGES_READ',
              'BOM_READ',
              'BOM_CREATE',
              'FINDING_READ',
              'FINDING_UPDATE',
              'FINDING_CREATE',
              'POLICY_VIOLATION_READ',
              'POLICY_VIOLATION_UPDATE',
              'POLICY_VIOLATION_CREATE',
              'PROJECT_READ',
              'PROJECT_UPDATE',
              'PROJECT_DELETE'
            );

            CREATE TYPE system_permission AS ENUM (
              'ACCESS_MANAGEMENT',
              'NOTIFICATION_RULE',
              'POLICY',
              'PORTFOLIO_ACCESS_CONTROL_BYPASS',
              'PORTFOLIO',
              'SYSTEM_CONFIGURATION',
              'TAG',
              'VULNERABILITY'
            );

            CREATE CAST (VARCHAR AS project_permission) WITH INOUT AS IMPLICIT;
            CREATE CAST (VARCHAR AS system_permission) WITH INOUT AS IMPLICIT;

            CREATE DOMAIN permission AS TEXT NOT NULL
            CHECK (
              VALUE = ANY(CAST(enum_range(NULL::project_permission) AS TEXT[])) OR
              VALUE = ANY(CAST(enum_range(NULL::system_permission) AS TEXT[]))
            );
        </sql>

        <addColumn tableName="PERMISSION">
            <column name="SCOPE" type="permission_scope" />
        </addColumn>

        <sql splitStatements="false">
            UPDATE "PERMISSION" SET "SCOPE" = CASE
              WHEN "NAME" = ANY(CAST(enum_range(NULL::project_permission) AS TEXT[])) THEN 'PROJECT'::permission_scope
              WHEN "NAME" = ANY(CAST(enum_range(NULL::system_permission) AS TEXT[])) THEN 'SYSTEM'::permission_scope
              ELSE "SCOPE"
            END;
        </sql>

        <addNotNullConstraint tableName="PERMISSION" columnName="SCOPE" validate="true" />

        <createView viewName="PERMISSIONS_SCOPED" replaceIfExists="true">
            SELECT 'PROJECT'::permission_scope AS "TYPE", enum_val::TEXT AS "NAME"
              FROM unnest(enum_range(NULL::project_permission)) AS enum_val
             UNION
            SELECT 'SYSTEM'::permission_scope AS "TYPE", enum_val::TEXT AS "NAME"
              FROM unnest(enum_range(NULL::system_permission)) AS enum_val
        </createView>

        <modifyDataType tableName="PERMISSION" columnName="NAME" newDataType="permission" />
    </changeSet>

If a new permission needs to be added or renamed in the future, though, the contributor would need to know to add a change set containing something like

<sql>
    ALTER TYPE project_permission
    ADD VALUE 'METRICS_READ'
    AFTER 'FINDING_CREATE';

    ALTER TYPE system_permission
    RENAME VALUE 'PORTFOLIO'
    TO 'PORTFOLIO_MANAGEMENT';
</sql>

[nscuro]

Some initial feedback. I still need to have a close look at all the changed permission checks and verify they behave as expected.

I am also thinking to cut a release, even if it's just a release candidate, before merging this since it's rather intrusive.

[nscuro]

@jhoward-lm I raised jhoward-lm#16 to resolve the merge conflicts.

[jhoward-lm]

@jhoward-lm I raised jhoward-lm#16 to resolve the merge conflicts.

@nscuro Thanks! I merged it