feat(server): support resource group (#1442)

* feat(server): support teamwork

* feat(server): adapt to teamwork

* feat(server): add `InjectApplication`

* fix(server): fix team bug

* refactor

* fix

* feat(server): improve team application

* refactor(server): refactor team invite code

* refactor

Author: 0fatal

server/src/app.module.ts

@@ -25,6 +25,7 @@ import { AuthenticationModule } from './authentication/authentication.module'
 import { FunctionTemplateModule } from './function-template/function-template.module'
 import { MulterModule } from '@nestjs/platform-express'
 import { RecycleBinModule } from './recycle-bin/recycle-bin.module'
+import { GroupModule } from './group/group.module'
 import { APP_INTERCEPTOR } from '@nestjs/core'
 import { AppInterceptor } from './app.interceptor'
 import { InterceptorModule } from './interceptor/interceptor.module'
@@ -71,6 +72,7 @@ import { InterceptorModule } from './interceptor/interceptor.module'
     FunctionTemplateModule,
     MulterModule.register(),
     RecycleBinModule,
+    GroupModule,
     InterceptorModule,
   ],
   controllers: [AppController],

server/src/application/application.controller.ts

@@ -5,18 +5,17 @@ import {
   Patch,
   Param,
   UseGuards,
-  Req,
   Logger,
   Post,
   Delete,
+  ForbiddenException,
 } from '@nestjs/common'
 import {
   ApiBearerAuth,
   ApiOperation,
   ApiResponse,
   ApiTags,
 } from '@nestjs/swagger'
-import { IRequest } from '../utils/interface'
 import { JwtAuthGuard } from '../authentication/jwt.auth.guard'
 import {
   ApiResponseArray,
@@ -49,6 +48,11 @@ import { ResourceService } from 'src/billing/resource.service'
 import { RuntimeDomainService } from 'src/gateway/runtime-domain.service'
 import { BindCustomDomainDto } from 'src/website/dto/update-website.dto'
 import { RuntimeDomain } from 'src/gateway/entities/runtime-domain'
+import { GroupRole, getRoleLevel } from 'src/group/entities/group-member'
+import { GroupRoles } from 'src/group/group-role.decorator'
+import { InjectApplication, InjectGroup, InjectUser } from 'src/utils/decorator'
+import { User } from 'src/user/entities/user'
+import { GroupWithRole } from 'src/group/entities/group'
 
 @ApiTags('Application')
 @Controller('applications')
@@ -73,14 +77,12 @@ export class ApplicationController {
   @ApiOperation({ summary: 'Create application' })
   @ApiResponseObject(ApplicationWithRelations)
   @Post()
-  async create(@Req() req: IRequest, @Body() dto: CreateApplicationDto) {
+  async create(@Body() dto: CreateApplicationDto, @InjectUser() user: User) {
     const error = dto.autoscaling.validate()
     if (error) {
       return ResponseUtil.error(error)
     }
 
-    const user = req.user
-
     // check regionId exists
     const region = await this.region.findOneDesensitized(
       new ObjectId(dto.regionId),
@@ -141,8 +143,7 @@ export class ApplicationController {
   @Get()
   @ApiOperation({ summary: 'Get user application list' })
   @ApiResponseArray(ApplicationWithRelations)
-  async findAll(@Req() req: IRequest) {
-    const user = req.user
+  async findAll(@InjectUser() user: User) {
     const data = await this.application.findAllByUser(user._id)
     return ResponseUtil.ok(data)
   }
@@ -207,6 +208,7 @@ export class ApplicationController {
    */
   @ApiOperation({ summary: 'Update application name' })
   @ApiResponseObject(Application)
+  @GroupRoles(GroupRole.Admin)
   @UseGuards(JwtAuthGuard, ApplicationAuthGuard)
   @Patch(':appid/name')
   async updateName(
@@ -227,13 +229,16 @@ export class ApplicationController {
   async updateState(
     @Param('appid') appid: string,
     @Body() dto: UpdateApplicationStateDto,
-    @Req() req: IRequest,
+    @InjectApplication() app: Application,
+    @InjectGroup() group: GroupWithRole,
   ) {
-    const app = req.application
-    const user = req.user
+    if (dto.state === ApplicationState.Deleted) {
+      throw new ForbiddenException('cannot update state to deleted')
+    }
+    const userid = app.createdBy
 
     // check account balance
-    const account = await this.account.findOne(user._id)
+    const account = await this.account.findOne(userid)
     const balance = account?.balance || 0
     if (balance < 0) {
       return ResponseUtil.error(`account balance is not enough`)
@@ -272,6 +277,15 @@ export class ApplicationController {
       )
     }
 
+    if (
+      [ApplicationState.Stopped, ApplicationState.Running].includes(
+        dto.state,
+      ) &&
+      getRoleLevel(group.role) < getRoleLevel(GroupRole.Admin)
+    ) {
+      return ResponseUtil.error('no permission')
+    }
+
     const doc = await this.application.updateState(appid, dto.state)
     return ResponseUtil.ok(doc)
   }
@@ -281,20 +295,20 @@ export class ApplicationController {
    */
   @ApiOperation({ summary: 'Update application bundle' })
   @ApiResponseObject(ApplicationBundle)
+  @GroupRoles(GroupRole.Admin)
   @UseGuards(JwtAuthGuard, ApplicationAuthGuard)
   @Patch(':appid/bundle')
   async updateBundle(
     @Param('appid') appid: string,
     @Body() dto: UpdateApplicationBundleDto,
-    @Req() req: IRequest,
+    @InjectApplication() app: ApplicationWithRelations,
   ) {
     const error = dto.autoscaling.validate()
     if (error) {
       return ResponseUtil.error(error)
     }
 
-    const app = await this.application.findOne(appid)
-    const user = req.user
+    const userid = app.createdBy
     const regionId = app.regionId
 
     // check if trial tier
@@ -304,7 +318,7 @@ export class ApplicationController {
     })
     if (isTrialTier) {
       const bundle = await this.resource.findTrialBundle(regionId)
-      const trials = await this.application.findTrialApplications(user._id)
+      const trials = await this.application.findTrialApplications(userid)
       const limitOfFreeTier = bundle?.limitCountOfFreeTierPerUser || 0
       if (trials.length >= (limitOfFreeTier || 0)) {
         return ResponseUtil.error(
@@ -334,6 +348,7 @@ export class ApplicationController {
    */
   @ApiResponseObject(RuntimeDomain)
   @ApiOperation({ summary: 'Bind custom domain to application' })
+  @GroupRoles(GroupRole.Admin)
   @UseGuards(JwtAuthGuard, ApplicationAuthGuard)
   @Patch(':appid/domain')
   async bindDomain(
@@ -368,6 +383,7 @@ export class ApplicationController {
    */
   @ApiResponse({ type: ResponseUtil<boolean> })
   @ApiOperation({ summary: 'Check if domain is resolved' })
+  @GroupRoles(GroupRole.Admin)
   @UseGuards(JwtAuthGuard, ApplicationAuthGuard)
   @Post(':appid/domain/resolved')
   async checkResolved(
@@ -387,6 +403,7 @@ export class ApplicationController {
    */
   @ApiResponseObject(RuntimeDomain)
   @ApiOperation({ summary: 'Remove custom domain of application' })
+  @GroupRoles(GroupRole.Admin)
   @UseGuards(JwtAuthGuard, ApplicationAuthGuard)
   @Delete(':appid/domain')
   async remove(@Param('appid') appid: string) {
@@ -408,11 +425,13 @@ export class ApplicationController {
    */
   @ApiOperation({ summary: 'Delete an application' })
   @ApiResponseObject(Application)
+  @GroupRoles(GroupRole.Owner)
   @UseGuards(JwtAuthGuard, ApplicationAuthGuard)
   @Delete(':appid')
-  async delete(@Param('appid') appid: string, @Req() req: IRequest) {
-    const app = req.application
-
+  async delete(
+    @Param('appid') appid: string,
+    @InjectApplication() app: ApplicationWithRelations,
+  ) {
     // check: only stopped application can be deleted
     if (
       app.state !== ApplicationState.Stopped &&

server/src/application/application.service.ts

@@ -21,11 +21,15 @@ import {
   ApplicationBundle,
   ApplicationBundleResource,
 } from './entities/application-bundle'
+import { GroupService } from 'src/group/group.service'
+import { GroupMember } from 'src/group/entities/group-member'
 
 @Injectable()
 export class ApplicationService {
   private readonly logger = new Logger(ApplicationService.name)
 
+  constructor(private readonly groupService: GroupService) {}
+
   /**
    * Create application
    * - create configuration
@@ -85,7 +89,7 @@ export class ApplicationService {
           state: dto.state || ApplicationState.Running,
           phase: ApplicationPhase.Creating,
           tags: [],
-          createdBy: new ObjectId(userid),
+          createdBy: userid,
           lockedAt: TASK_LOCK_INIT_TIME,
           regionId: new ObjectId(dto.regionId),
           runtimeId: new ObjectId(dto.runtimeId),
@@ -96,6 +100,7 @@ export class ApplicationService {
         { session },
       )
 
+      await this.groupService.create(appid, userid, appid)
       // commit transaction
       await session.commitTransaction()
     } catch (error) {
@@ -110,11 +115,30 @@ export class ApplicationService {
     const db = SystemDatabase.db
 
     const doc = await db
-      .collection('Application')
-      .aggregate<ApplicationWithRelations>()
+      .collection<GroupMember>('GroupMember')
+      .aggregate()
+      .match({
+        uid: userid,
+      })
+      .lookup({
+        from: 'GroupApplication',
+        localField: 'groupId',
+        foreignField: 'groupId',
+        as: 'applications',
+      })
+      .unwind('$applications')
+      .project({
+        _id: 0,
+        appid: '$applications.appid',
+      })
+      .toArray()
+
+    const res = db
+      .collection<Application>('Application')
+      .aggregate()
       .match({
-        createdBy: new ObjectId(userid),
         phase: { $ne: ApplicationPhase.Deleted },
+        appid: { $in: doc.map((v) => v.appid) },
       })
       .lookup({
         from: 'ApplicationBundle',
@@ -136,7 +160,7 @@ export class ApplicationService {
       })
       .toArray()
 
-    return doc
+    return res
   }
 
   async findOne(appid: string) {

server/src/authentication/application.auth.guard.ts

@@ -7,28 +7,70 @@ import {
 import { ApplicationService } from '../application/application.service'
 import { IRequest } from '../utils/interface'
 import { User } from 'src/user/entities/user'
+import { GroupService } from 'src/group/group.service'
+import { getRoleLevel } from 'src/group/entities/group-member'
+import { Reflector } from '@nestjs/core'
 
 @Injectable()
 export class ApplicationAuthGuard implements CanActivate {
   logger = new Logger(ApplicationAuthGuard.name)
-  constructor(private appService: ApplicationService) {}
+  constructor(
+    private readonly appService: ApplicationService,
+    private readonly groupService: GroupService,
+    private readonly reflector: Reflector,
+  ) {}
   async canActivate(context: ExecutionContext) {
     const request = context.switchToHttp().getRequest() as IRequest
     const appid = request.params.appid
     const user = request.user as User
 
+    // check appid
     const app = await this.appService.findOne(appid)
     if (!app) {
       return false
     }
 
-    const author_id = app.createdBy?.toString()
-    if (author_id !== user._id.toString()) {
+    const ok = await this.checkGroupAuth(appid, user, context)
+    if (!ok) {
       return false
     }
 
     // inject app to request
     request.application = app
+
+    return true
+  }
+
+  async checkGroupAuth(appid: string, user: User, context: ExecutionContext) {
+    const request = context.switchToHttp().getRequest() as IRequest
+
+    // check group
+    const groups = await this.groupService.findGroupsByAppidAndUid(
+      appid,
+      user._id,
+    )
+    if (groups.length === 0) {
+      return false
+    }
+
+    groups.sort((a, b) => getRoleLevel(b.role) - getRoleLevel(a.role))
+    const group = groups[0]
+
+    // check group role
+    const roles = this.reflector.get<string[]>(
+      'group-roles',
+      context.getHandler(),
+    )
+    if (roles?.length > 0) {
+      const roleLevels = roles.map(getRoleLevel).sort((a, b) => a - b)
+
+      if (roleLevels[0] > getRoleLevel(group.role)) {
+        return false
+      }
+    }
+
+    request.group = group
+
     return true
   }
 }