feature: machine identity groups [ENG-4237]

backend/src/@types/knex.d.ts

@@ -170,6 +170,9 @@ import {
   TIdentityGcpAuths,
   TIdentityGcpAuthsInsert,
   TIdentityGcpAuthsUpdate,
+  TIdentityGroupMembership,
+  TIdentityGroupMembershipInsert,
+  TIdentityGroupMembershipUpdate,
   TIdentityJwtAuths,
   TIdentityJwtAuthsInsert,
   TIdentityJwtAuthsUpdate,
@@ -857,6 +860,11 @@ declare module "knex/types/tables" {
       TUserGroupMembershipInsert,
       TUserGroupMembershipUpdate
     >;
+    [TableName.IdentityGroupMembership]: KnexOriginal.CompositeTableType<
+      TIdentityGroupMembership,
+      TIdentityGroupMembershipInsert,
+      TIdentityGroupMembershipUpdate
+    >;
     [TableName.GroupProjectMembership]: KnexOriginal.CompositeTableType<
       TGroupProjectMemberships,
       TGroupProjectMembershipsInsert,

backend/src/db/migrations/20251202162715_add-identity-group-membership.ts

@@ -0,0 +1,28 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityGroupMembership))) {
+    await knex.schema.createTable(TableName.IdentityGroupMembership, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("identityId").notNullable();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.uuid("groupId").notNullable();
+      t.foreign("groupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      t.timestamps(true, true, true);
+
+      t.unique(["identityId", "groupId"]);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityGroupMembership);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.IdentityGroupMembership)) {
+    await knex.schema.dropTable(TableName.IdentityGroupMembership);
+    await dropOnUpdateTrigger(knex, TableName.IdentityGroupMembership);
+  }
+}

backend/src/db/schemas/identity-group-membership.ts

@@ -0,0 +1,22 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityGroupMembershipSchema = z.object({
+  id: z.string().uuid(),
+  identityId: z.string().uuid(),
+  groupId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TIdentityGroupMembership = z.infer<typeof IdentityGroupMembershipSchema>;
+export type TIdentityGroupMembershipInsert = Omit<z.input<typeof IdentityGroupMembershipSchema>, TImmutableDBKeys>;
+export type TIdentityGroupMembershipUpdate = Partial<
+  Omit<z.input<typeof IdentityGroupMembershipSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/index.ts

@@ -55,6 +55,7 @@ export * from "./identity-alicloud-auths";
 export * from "./identity-aws-auths";
 export * from "./identity-azure-auths";
 export * from "./identity-gcp-auths";
+export * from "./identity-group-membership";
 export * from "./identity-jwt-auths";
 export * from "./identity-kubernetes-auths";
 export * from "./identity-metadata";

backend/src/db/schemas/models.ts

@@ -42,6 +42,7 @@ export enum TableName {
   GroupProjectMembershipRole = "group_project_membership_roles",
   ExternalGroupOrgRoleMapping = "external_group_org_role_mappings",
   UserGroupMembership = "user_group_membership",
+  IdentityGroupMembership = "identity_group_membership",
   UserAliases = "user_aliases",
   UserEncryptionKey = "user_encryption_keys",
   AuthTokens = "auth_tokens",

backend/src/ee/routes/v1/group-router.ts

@@ -1,10 +1,13 @@
 import { z } from "zod";
 
-import { GroupsSchema, OrgMembershipRole, ProjectsSchema, UsersSchema } from "@app/db/schemas";
+import { GroupsSchema, IdentitiesSchema, OrgMembershipRole, ProjectsSchema, UsersSchema } from "@app/db/schemas";
 import {
-  EFilterReturnedProjects,
-  EFilterReturnedUsers,
-  EGroupProjectsOrderBy
+  FilterMemberType,
+  FilterReturnedIdentities,
+  FilterReturnedProjects,
+  FilterReturnedUsers,
+  GroupMembersOrderBy,
+  GroupProjectsOrderBy
 } from "@app/ee/services/group/group-types";
 import { ApiDocsTags, GROUPS } from "@app/lib/api-docs";
 import { OrderByDirection } from "@app/lib/types";
@@ -13,6 +16,11 @@ import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
+const GroupIdentityResponseSchema = IdentitiesSchema.pick({
+  id: true,
+  name: true
+});
+
 export const registerGroupRouter = async (server: FastifyZodProvider) => {
   server.route({
     url: "/",
@@ -191,7 +199,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
         limit: z.coerce.number().min(1).max(100).default(10).describe(GROUPS.LIST_USERS.limit),
         username: z.string().trim().optional().describe(GROUPS.LIST_USERS.username),
         search: z.string().trim().optional().describe(GROUPS.LIST_USERS.search),
-        filter: z.nativeEnum(EFilterReturnedUsers).optional().describe(GROUPS.LIST_USERS.filterUsers)
+        filter: z.nativeEnum(FilterReturnedUsers).optional().describe(GROUPS.LIST_USERS.filterUsers)
       }),
       response: {
         200: z.object({
@@ -202,12 +210,10 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
             lastName: true,
             id: true
           })
-            .merge(
-              z.object({
-                isPartOfGroup: z.boolean(),
-                joinedGroupAt: z.date().nullable()
-              })
-            )
+            .extend({
+              isPartOfGroup: z.boolean(),
+              joinedGroupAt: z.date().nullable()
+            })
             .array(),
           totalCount: z.number()
         })
@@ -227,6 +233,119 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/:id/identities",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
+      params: z.object({
+        id: z.string().trim().describe(GROUPS.LIST_IDENTITIES.id)
+      }),
+      querystring: z.object({
+        offset: z.coerce.number().min(0).default(0).describe(GROUPS.LIST_IDENTITIES.offset),
+        limit: z.coerce.number().min(1).max(100).default(10).describe(GROUPS.LIST_IDENTITIES.limit),
+        search: z.string().trim().optional().describe(GROUPS.LIST_IDENTITIES.search),
+        filter: z.nativeEnum(FilterReturnedIdentities).optional().describe(GROUPS.LIST_IDENTITIES.filterIdentities)
+      }),
+      response: {
+        200: z.object({
+          identities: GroupIdentityResponseSchema.extend({
+            isPartOfGroup: z.boolean(),
+            joinedGroupAt: z.date().nullable()
+          }).array(),
+          totalCount: z.number()
+        })
+      }
+    },
+    handler: async (req) => {
+      const { identities, totalCount } = await server.services.group.listGroupIdentities({
+        id: req.params.id,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.query
+      });
+
+      return { identities, totalCount };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:id/members",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
+      params: z.object({
+        id: z.string().trim().describe(GROUPS.LIST_MEMBERS.id)
+      }),
+      querystring: z.object({
+        offset: z.coerce.number().min(0).default(0).describe(GROUPS.LIST_MEMBERS.offset),
+        limit: z.coerce.number().min(1).max(100).default(10).describe(GROUPS.LIST_MEMBERS.limit),
+        search: z.string().trim().optional().describe(GROUPS.LIST_MEMBERS.search),
+        orderBy: z
+          .nativeEnum(GroupMembersOrderBy)
+          .default(GroupMembersOrderBy.Name)
+          .optional()
+          .describe(GROUPS.LIST_MEMBERS.orderBy),
+        orderDirection: z.nativeEnum(OrderByDirection).optional().describe(GROUPS.LIST_MEMBERS.orderDirection),
+        memberTypeFilter: z
+          .union([z.nativeEnum(FilterMemberType), z.array(z.nativeEnum(FilterMemberType))])
+          .optional()
+          .describe(GROUPS.LIST_MEMBERS.memberTypeFilter)
+          .transform((val) => {
+            if (!val) return undefined;
+            return Array.isArray(val) ? val : [val];
+          })
+      }),
+      response: {
+        200: z.object({
+          members: z
+            .union([
+              UsersSchema.pick({
+                email: true,
+                username: true,
+                firstName: true,
+                lastName: true,
+                id: true
+              }).extend({
+                joinedGroupAt: z.date().nullable(),
+                memberType: z.literal("user")
+              }),
+              GroupIdentityResponseSchema.extend({
+                joinedGroupAt: z.date().nullable(),
+                memberType: z.literal("identity")
+              })
+            ])
+            .array(),
+          totalCount: z.number()
+        })
+      }
+    },
+    handler: async (req) => {
+      const { members, totalCount } = await server.services.group.listGroupMembers({
+        id: req.params.id,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.query
+      });
+
+      return { members, totalCount };
+    }
+  });
+
   server.route({
     method: "GET",
     url: "/:id/projects",
@@ -244,10 +363,10 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
         offset: z.coerce.number().min(0).default(0).describe(GROUPS.LIST_PROJECTS.offset),
         limit: z.coerce.number().min(1).max(100).default(10).describe(GROUPS.LIST_PROJECTS.limit),
         search: z.string().trim().optional().describe(GROUPS.LIST_PROJECTS.search),
-        filter: z.nativeEnum(EFilterReturnedProjects).optional().describe(GROUPS.LIST_PROJECTS.filterProjects),
+        filter: z.nativeEnum(FilterReturnedProjects).optional().describe(GROUPS.LIST_PROJECTS.filterProjects),
         orderBy: z
-          .nativeEnum(EGroupProjectsOrderBy)
-          .default(EGroupProjectsOrderBy.Name)
+          .nativeEnum(GroupProjectsOrderBy)
+          .default(GroupProjectsOrderBy.Name)
           .describe(GROUPS.LIST_PROJECTS.orderBy),
         orderDirection: z
           .nativeEnum(OrderByDirection)
@@ -263,11 +382,9 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
             description: true,
             type: true
           })
-            .merge(
-              z.object({
-                joinedGroupAt: z.date().nullable()
-              })
-            )
+            .extend({
+              joinedGroupAt: z.date().nullable()
+            })
             .array(),
           totalCount: z.number()
         })
@@ -325,6 +442,38 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "POST",
+    url: "/:id/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
+      params: z.object({
+        id: z.string().trim().describe(GROUPS.ADD_IDENTITY.id),
+        identityId: z.string().trim().describe(GROUPS.ADD_IDENTITY.identityId)
+      }),
+      response: {
+        200: GroupIdentityResponseSchema
+      }
+    },
+    handler: async (req) => {
+      const identity = await server.services.group.addIdentityToGroup({
+        id: req.params.id,
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return identity;
+    }
+  });
+
   server.route({
     method: "DELETE",
     url: "/:id/users/:username",
@@ -362,4 +511,36 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
       return user;
     }
   });
+
+  server.route({
+    method: "DELETE",
+    url: "/:id/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.Groups],
+      params: z.object({
+        id: z.string().trim().describe(GROUPS.DELETE_IDENTITY.id),
+        identityId: z.string().trim().describe(GROUPS.DELETE_IDENTITY.identityId)
+      }),
+      response: {
+        200: GroupIdentityResponseSchema
+      }
+    },
+    handler: async (req) => {
+      const identity = await server.services.group.removeIdentityFromGroup({
+        id: req.params.id,
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      return identity;
+    }
+  });
 };

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -56,7 +56,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
     TAccessApprovalRequestReviewerDALFactory,
     "create" | "find" | "findOne" | "transaction" | "delete"
   >;
-  groupDAL: Pick<TGroupDALFactory, "findAllGroupPossibleMembers">;
+  groupDAL: Pick<TGroupDALFactory, "findAllGroupPossibleUsers">;
   smtpService: Pick<TSmtpService, "sendMail">;
   userDAL: Pick<
     TUserDALFactory,
@@ -182,7 +182,7 @@ export const accessApprovalRequestServiceFactory = ({
       await Promise.all(
         approverGroupIds.map((groupApproverId) =>
           groupDAL
-            .findAllGroupPossibleMembers({
+            .findAllGroupPossibleUsers({
               orgId: actorOrgId,
               groupId: groupApproverId
             })