improved IAM controls and directives

migrations/2024_08_27_063135_add_service_column_to_authorization_tables.php

@@ -0,0 +1,46 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class() extends Migration {
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        Schema::table('permissions', function (Blueprint $table) {
+            $table->string('service')->nullable()->index()->after('guard_name');
+        });
+
+        Schema::table('policies', function (Blueprint $table) {
+            $table->string('service')->nullable()->index()->after('guard_name');
+        });
+
+        Schema::table('roles', function (Blueprint $table) {
+            $table->string('service')->nullable()->index()->after('guard_name');
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        Schema::table('permissions', function (Blueprint $table) {
+            $table->dropIndex(['service']);
+            $table->dropColumn('service');
+        });
+
+        Schema::table('policies', function (Blueprint $table) {
+            $table->dropIndex(['service']);
+            $table->dropColumn('service');
+        });
+
+        Schema::table('roles', function (Blueprint $table) {
+            $table->dropIndex(['service']);
+            $table->dropColumn('service');
+        });
+    }
+};

migrations/2024_08_27_090558_create_directives_table.php

@@ -0,0 +1,35 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class() extends Migration {
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        Schema::create('directives', function (Blueprint $table) {
+            $table->increments('id');
+            $table->uuid('uuid')->nullable()->index();
+            $table->foreignUuid('company_uuid')->nullable()->index()->references('uuid')->on('companies');
+            $table->foreignUuid('permission_uuid')->nullable()->index()->references('id')->on('permissions');
+            $table->string('subject_type')->nullable();
+            $table->uuid('subject_uuid')->nullable();
+            $table->index(['subject_type', 'subject_uuid']);
+            $table->mediumText('key')->nullable();
+            $table->json('rules')->nullable();
+            $table->timestamps();
+            $table->softDeletes();
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        Schema::dropIfExists('directives');
+    }
+};

src/Auth/Schemas/Developers.php

@@ -47,4 +47,54 @@ class Developers
             'remove_actions' => ['create', 'update', 'delete'],
         ],
     ];
+
+    /**
+     * Policies provided by this schema.
+     */
+    public array $policies = [
+        [
+            'name'        => 'FLBDeveloper',
+            'description' => 'Policy for developers to create api credentials, webhooks and view logs.',
+            'permissions' => [
+                'view extension',
+                '* api-key',
+                '* webhook',
+                '* event',
+                '* log',
+                '* socket',
+            ],
+        ],
+        [
+            'name'        => 'FLBDevProjectManager',
+            'description' => 'Policy for view and read access to development resources.',
+            'permissions' => [
+                'view extension',
+                'see api-key',
+                'list api-key',
+                'view api-key',
+                'see webhook',
+                'list webhook',
+                'view webhook',
+                'see event',
+                'list event',
+                'view event',
+                'see log',
+                'list log',
+                'view log',
+            ],
+        ],
+    ];
+
+    /**
+     * Roles provided by this schema.
+     */
+    public array $roles = [
+        [
+            'name'        => 'Fleetbase Developer',
+            'description' => 'Role for developers to create api credentials, webhooks and view real time events and logs.',
+            'policies'    => [
+                'FLBDeveloper',
+            ],
+        ],
+    ];
 }

src/Auth/Schemas/IAM.php

@@ -45,4 +45,60 @@ class IAM
             'actions' => ['export'],
         ],
     ];
+
+    /**
+     * Policies provided by this schema.
+     */
+    public array $policies = [
+        [
+            'name'        => 'UserManager',
+            'description' => 'Policy for managing users, roles and groups.',
+            'permissions' => [
+                'see extension',
+                '* user',
+                '* role',
+                '* group',
+            ],
+        ],
+        [
+            'name'        => 'PolicyManager',
+            'description' => 'Policy for managing policies and roles.',
+            'permissions' => [
+                'see extension',
+                '* policy',
+                '* role',
+            ],
+        ],
+    ];
+
+    /**
+     * Roles provided by this schema.
+     */
+    public array $roles = [
+        [
+            'name'        => 'IAM User Manager',
+            'description' => 'Role for managing users, roles, and groups.',
+            'policies'    => [
+                'UserManager',
+            ],
+        ],
+        [
+            'name'        => 'IAM Policy Manager',
+            'description' => 'Role for managing users, roles, and groups.',
+            'policies'    => [
+                'PolicyManager',
+            ],
+        ],
+        [
+            'name'        => 'IAM Administrator',
+            'description' => 'Role for managing all users, roles, groups and policies.',
+            'permissions' => [
+                'see extension',
+                '* user',
+                '* group',
+                '* role',
+                '* policy',
+            ],
+        ],
+    ];
 }