Implement permission policies in the API

[rijkvanzanten]

Scope

What's changed:

• Implements policy-system based permissions handling on the API
• Replaces AuthorizationService with new set of functions in the api/src/permissions folder
• Allows roles to be nested
• Adds new roles flag to accountability object. This is an ordered array of all the parent roles of the current user
• Cleans up get-ast-from-query by splitting it into multiple files
• Permissions are now injected into the AST through cases and whenCase. This allows us to dynamically generate the case/when SQL to have dynamic field output per item.
• Cleans up run-ast by splitting it up into smaller files

Potential Risks / Drawbacks

• The risks are very high. This replaces the full permissions system, and thus needs a lot of testing

Review Notes / Questions

• This PR now compiles, but doesn't run yet.
• There was some weird logic happening in the users controller for TFA enable/disable that I'm not sure we need to keep. Needs a bit more testing

Todos

• Add permissions processing for $CURRENT_USER etc flags
• Add permissions merging when you're accessing from a share
• Add caching to:
  • Fetching Policies
  • Fetching permissions
  • Fetching the roles tree
  • Fetching the field map
  • Fetching allowed fields
  • Fetching allowed collections
• Enable validation for admin users for wrong paths
• Figure out what we want to do with Presets
• Use whenCases in run-ast
• Use applyCases in Meta Service for permissions aware counts
• Handle admin-checks in roles and users services¹
• Add unit testing for clear method in memory/cache
• Make sure graphql gracefully handles optional fields when you have different fields for the same collection in multiple permission sets
• Add changeset
• Unbork /permissions endpoint
• Invalidate cache on permission changes

---

Closes #21778, closes #21765, closes #22163, closes #21769, closes #21768, closes #21767, closes #21766

Footnotes

1. Eg check to make sure there's still >=1 admin left after the mutation is done ↩

[hanneskuettner]

This should probably explicitly test for all known filter operators since otherwise valid field names that start with an underscore are ignored. (See my added, failing, test case).

[hanneskuettner]

Set<FieldKey[]> does not guarantee uniqueness of the path arrays, as ['author'] != ['author']. So we can switch this over to a list, but need to enforce uniqueness with uniqWith(paths, isEqual).

[hanneskuettner]

We're effectively only testing if the ipInNetworks function works, which is already covered in the test suite of the util function. So maybe mock it out and just check that is called correctly?

[hanneskuettner]

This right now only works for functions that return a non falsy value. If a cached function returns null, 0, '', false, etc. its value will not be returned from cache.

Should this be changed to

Suggested change

	if (cached) {
	if (cached !== undefined) {

[hanneskuettner]

Just as a note, since the user does not have the admin_access and app_access flags anymore, we need to look in to the auth providers and verify that they did not need that info, as the user object is passed down to their login method.

[hanneskuettner]

Did we drop support for QueryOptions.permissionsAction or is this accounted for somewhere else, that I'm missing?

[hanneskuettner]

If we're planning to drop support for meta anyways (see #15665) I would suggest not investing any time in how to make this work and consider it a good point to drop it now rather than later? Maybe in a follow-up PR?

[hanneskuettner]

This is missing the check for '*'. Was that done on purpose? As far as I can see fetchAllowedFields does not expand '*' to all available fields of a collection, so explicitly checking for '*' seems necessary?