Map Compass scopes -> permissions

Author: dxu2-atlassian

Cargo.lock

@@ -0,0 +1,101 @@
+# Sourced from https://developer.atlassian.com/cloud/compass/forge-graphql-toolkit/Classes/CompassRequests/
+# Required oauth scopes for compass graphql requests
+
+addEventSource:
+  - write:component:compass
+  - write:event:compass
+
+addLabels:
+  - write:component:compass
+
+attachDataManager:
+  - write:component:compass
+
+attachEventSource:
+  - write:component:compass
+
+createComponent:
+  - write:component:compass
+
+createCustomFieldDefinition:
+  - write:component:compass
+
+createEvent:
+  - write:event:compass
+
+createEventSource:
+  - write:event:compass
+
+createExternalAlias:
+  - write:component:compass
+
+createLink:
+  - write:component:compass
+
+createRelationship:
+  - write:component:compass
+
+deleteComponent:
+  - write:component:compass
+
+deleteExternalAlias:
+  - write:component:compass
+
+deleteLink:
+  - write:component:compass
+
+deleteRelationship:
+  - write:component:compass
+
+detachDataManager:
+  - write:component:compass
+
+detachEventSource:
+  - write:component:compass
+
+getAllComponentTypes:
+  - read:component:compass
+
+getComponent:
+  - read:component:compass
+
+getComponentByExternalAlias:
+  - read:component:compass
+
+getComponentsByReferences:
+  - read:component:compass
+
+getEventSource:
+  - read:event:compass
+
+insertMetricValueByExternalId:
+  - write:metric:compass
+
+removeLabels:
+  - write:component:compass
+
+searchComponents:
+  - read:component:compass
+
+syncComponentByExternalAlias:
+  - write:component:compass
+  - write:event:compass
+
+synchronizeLinkAssociations:
+  - write:component:compass
+  - write:event:compass
+  - write:metric:compass
+
+unlinkExternalSource:
+  - write:component:compass
+
+updateComponent:
+  - write:component:compass
+  - write:event:compass
+
+updateDataManager:
+  - write:component:compass
+
+updateEventSources:
+  - write:component:compass
+  - write:event:compass

compass-scopes.yaml

@@ -1050,7 +1050,7 @@ impl<'cx> Dataflow<'cx> for PermissionDataflow {
         if let Intrinsic::ApiCall(name) | Intrinsic::SafeCall(name) | Intrinsic::Authorize(name) =
             intrinsic
         {
-            intrinsic_argument.name = Some(*name);
+            intrinsic_argument.name = Some(name.clone());
             let (first, second) = (operands.first(), operands.get(1));
             if let Some(operand) = first {
                 match operand {
@@ -1092,9 +1092,21 @@ impl<'cx> Dataflow<'cx> for PermissionDataflow {
                 }
             }
 
-            let mut permissions_within_call: Vec<String> = vec![];
             let intrinsic_func_type = intrinsic_argument.name.unwrap();
 
+            // Handle RequestCompass case first
+            if let IntrinsicName::RequestCompass(api_name) = intrinsic_func_type {
+                if let Some(required_permissions) =
+                    interp.compass_permission_resolver.get(&api_name)
+                {
+                    interp
+                        .permissions
+                        .retain(|permissions| !required_permissions.contains(permissions));
+                }
+                return initial_state;
+            }
+
+            let mut permissions_within_call: Vec<String> = vec![];
             let (resolver, regex_map) = match intrinsic_func_type {
                 IntrinsicName::RequestJiraAny => (
                     interp.jira_any_permission_resolver,
@@ -1119,7 +1131,7 @@ impl<'cx> Dataflow<'cx> for PermissionDataflow {
                     interp.bitbucket_permission_resolver,
                     interp.bitbucket_regex_map,
                 ),
-                IntrinsicName::RequestCompass | IntrinsicName::Other => {
+                IntrinsicName::RequestCompass(_) | IntrinsicName::Other => {
                     (&PermissionHashMap::new(), &HashMap::<String, Regex>::new())
                 }
             };

crates/forge_analyzer/src/checkers.rs

@@ -621,15 +621,15 @@ enum LowerStage {
     Create,
 }
 
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+#[derive(Debug, Clone, PartialEq, Eq)]
 pub enum IntrinsicName {
     RequestJiraAny,
     RequestJiraSoftware,
     RequestJiraServiceManagement,
     RequestConfluence,
     RequestJira,
     RequestBitbucket,
-    RequestCompass,
+    RequestCompass(String),
     Other,
 }
 
@@ -1204,10 +1204,10 @@ impl FunctionAnalyzer<'_> {
             {
                 match authn.first() {
                     Some(PropPath::MemberCall(name)) if name == "asApp" => {
-                        Some(Intrinsic::ApiCall(IntrinsicName::RequestCompass))
+                        Some(Intrinsic::ApiCall(IntrinsicName::RequestCompass(function_name.to_string())))
                     }
                     Some(PropPath::MemberCall(name)) if name == "asUser" => {
-                        Some(Intrinsic::SafeCall(IntrinsicName::RequestCompass))
+                        Some(Intrinsic::SafeCall(IntrinsicName::RequestCompass(function_name.to_string())))
                     }
                     _ => None,
                 }

crates/forge_analyzer/src/definitions.rs

@@ -11,6 +11,7 @@ use std::{
 };
 
 use forge_permission_resolver::permissions_resolver::PermissionHashMap;
+use forge_permission_resolver::permissions_resolver_compass::CompassPermissionResolver;
 use forge_utils::{FxHashMap, FxHashSet};
 use itertools::Itertools;
 use regex::Regex;
@@ -396,6 +397,7 @@ pub struct Interp<'cx, C: Runner<'cx>> {
     pub jira_permission_resolver: &'cx PermissionHashMap,
     pub confluence_permission_resolver: &'cx PermissionHashMap,
     pub bitbucket_permission_resolver: &'cx PermissionHashMap,
+    pub compass_permission_resolver: &'cx CompassPermissionResolver,
     pub jira_any_regex_map: &'cx HashMap<String, Regex>,
     pub jira_software_regex_map: &'cx HashMap<String, Regex>,
     pub jira_service_management_regex_map: &'cx HashMap<String, Regex>,
@@ -526,6 +528,7 @@ impl<'cx, C: Runner<'cx>> Interp<'cx, C> {
         confluence_regex_map: &'cx HashMap<String, Regex>,
         bitbucket_permission_resolver: &'cx PermissionHashMap,
         bitbucket_regex_map: &'cx HashMap<String, Regex>,
+        compass_permission_resolver: &'cx CompassPermissionResolver,
     ) -> Self {
         let call_graph = CallGraph::new(env);
 
@@ -558,6 +561,7 @@ impl<'cx, C: Runner<'cx>> Interp<'cx, C> {
             jira_permission_resolver,
             confluence_permission_resolver,
             bitbucket_permission_resolver,
+            compass_permission_resolver,
             jira_any_regex_map,
             jira_software_regex_map,
             jira_service_management_regex_map,

crates/forge_analyzer/src/interp.rs

@@ -13,6 +13,7 @@ workspace = true
 [dependencies]
 serde.workspace = true
 serde_json.workspace = true
+serde_yaml.workspace = true
 tracing.workspace = true
 regex.workspace = true
 ureq = { version = "2.9.6", features = ["json", "charset"] }

crates/forge_permission_resolver/Cargo.toml

@@ -1 +1,2 @@
 pub mod permissions_resolver;
+pub mod permissions_resolver_compass;

crates/forge_permission_resolver/src/lib.rs

@@ -1,3 +1,4 @@
+use crate::permissions_resolver_compass::CompassPermissionResolver;
 use regex::Regex;
 use serde::Deserialize;
 use std::{cmp::Reverse, collections::HashMap, hash::Hash};
@@ -142,6 +143,10 @@ pub fn get_permission_resolver_bitbucket() -> (PermissionHashMap, HashMap<String
     get_permission_resolver(bitbucket_url)
 }
 
+pub fn get_permission_resolver_compass() -> CompassPermissionResolver {
+    CompassPermissionResolver::new()
+}
+
 pub fn get_permission_resolver(url: &str) -> (PermissionHashMap, HashMap<String, Regex>) {
     let mut endpoint_map: PermissionHashMap = HashMap::default();
     let mut endpoint_regex: HashMap<String, Regex> = HashMap::default();

crates/forge_permission_resolver/src/permissions_resolver.rs

@@ -0,0 +1,70 @@
+use serde_yaml;
+use std::collections::HashMap;
+use tracing::warn;
+
+#[derive(Debug)]
+pub struct CompassPermissionResolver {
+    api_scopes_map: HashMap<String, Vec<String>>,
+}
+
+impl CompassPermissionResolver {
+    /// Factory method to create a new `CompassPermissionResolver`
+    pub fn new() -> Self {
+        let permissions = load_compass_api_scopes();
+        CompassPermissionResolver {
+            api_scopes_map: permissions,
+        }
+    }
+
+    /// Retrieves permissions for a given key. Prints a warning if the key is missing.
+    pub fn get(&self, key: &str) -> Option<&Vec<String>> {
+        if let Some(permissions) = self.api_scopes_map.get(key) {
+            Some(permissions)
+        } else {
+            warn!(
+                "Warning: compass API '{}' not found in the api->scopes mapping.",
+                key
+            );
+            None
+        }
+    }
+}
+
+impl Default for CompassPermissionResolver {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+// This is for handling https://developer.atlassian.com/cloud/compass/forge-graphql-toolkit/
+fn load_compass_api_scopes() -> HashMap<String, Vec<String>> {
+    let file = include_str!("../../../compass-scopes.yaml");
+    serde_yaml::from_str(file)
+        .expect("Error: Failed to parse compass-scopes YAML file. Ensure it is properly formatted.")
+}
+
+#[cfg(test)]
+mod test {
+    use super::*;
+
+    #[test]
+    fn test_load_compass_api_scopes() {
+        let scopes = load_compass_api_scopes();
+
+        // Verify that the scopes are loaded correctly
+        assert!(scopes.contains_key("addEventSource"));
+        assert_eq!(
+            scopes.get("addEventSource").unwrap(),
+            &vec![
+                "write:component:compass".to_string(),
+                "write:event:compass".to_string()
+            ]
+        );
+
+        assert!(scopes.contains_key("addLabels"));
+        assert_eq!(
+            scopes.get("addLabels").unwrap(),
+            &vec!["write:component:compass".to_string()]
+        );
+    }
+}

crates/forge_permission_resolver/src/permissions_resolver_compass.rs

@@ -6,9 +6,10 @@ mod test;
 
 use clap::{Parser, ValueHint};
 use forge_permission_resolver::permissions_resolver::{
-    get_permission_resolver_bitbucket, get_permission_resolver_confluence,
-    get_permission_resolver_jira, get_permission_resolver_jira_any,
-    get_permission_resolver_jira_service_management, get_permission_resolver_jira_software,
+    get_permission_resolver_bitbucket, get_permission_resolver_compass,
+    get_permission_resolver_confluence, get_permission_resolver_jira,
+    get_permission_resolver_jira_any, get_permission_resolver_jira_service_management,
+    get_permission_resolver_jira_software,
 };
 use glob::glob;
 use std::{
@@ -418,6 +419,7 @@ pub(crate) fn scan_directory<'a>(
     let (confluence_permission_resolver, confluence_regex_map) =
         get_permission_resolver_confluence();
     let (bitbucket_permission_resolver, bitbucket_regex_map) = get_permission_resolver_bitbucket();
+    let compass_permission_resolver = get_permission_resolver_compass();
 
     let mut definition_analysis_interp = Interp::<DefinitionAnalysisRunner>::new(
         &proj.env,
@@ -436,6 +438,7 @@ pub(crate) fn scan_directory<'a>(
         &confluence_regex_map,
         &bitbucket_permission_resolver,
         &bitbucket_regex_map,
+        &compass_permission_resolver,
     );
 
     let mut interp = Interp::new(
@@ -455,6 +458,7 @@ pub(crate) fn scan_directory<'a>(
         &confluence_regex_map,
         &bitbucket_permission_resolver,
         &bitbucket_regex_map,
+        &compass_permission_resolver,
     );
     let mut authn_interp = Interp::new(
         &proj.env,
@@ -473,6 +477,7 @@ pub(crate) fn scan_directory<'a>(
         &confluence_regex_map,
         &bitbucket_permission_resolver,
         &bitbucket_regex_map,
+        &compass_permission_resolver,
     );
 
     let mut reporter = Reporter::new();
@@ -493,6 +498,7 @@ pub(crate) fn scan_directory<'a>(
         &confluence_regex_map,
         &bitbucket_permission_resolver,
         &bitbucket_regex_map,
+        &compass_permission_resolver,
     );
     reporter.add_app(opts.appkey.clone().unwrap_or_default(), name.to_owned());
 
@@ -513,6 +519,7 @@ pub(crate) fn scan_directory<'a>(
         &confluence_regex_map,
         &bitbucket_permission_resolver,
         &bitbucket_regex_map,
+        &compass_permission_resolver,
     );
     for func in &proj.funcs {
         let mut def_checker = DefinitionAnalysisRunner::new();