Remove all OR additional permission sets (#47063)

Co-authored-by: Rachael Sewell <rachmari@github.com>
2025-12-31 15:04:15 -05:00 · 2023-12-11 10:32:22 -08:00
parent 0daade082e
commit 0d77590b88
1 changed files with 40 additions and 9 deletions
--- a/src/github-apps/scripts/sync.js
+++ b/src/github-apps/scripts/sync.js
@@ -62,9 +62,11 @@ export async function syncGitHubAppsData(openApiSource, sourceSchemas, progAcces
        }

        // permissions
-        for (const [permissionName, readOrWrite] of Object.entries(
-          progAccessData[operation.operationId].permissions,
-        )) {
+        const allPermissions = {
+          ...progAccessData[operation.operationId].permissions.and,
+          ...progAccessData[operation.operationId].permissions.or,
+        }
+        for (const [permissionName, readOrWrite] of Object.entries(allPermissions)) {
          const tempTitle = permissionName.replace(/_/g, ' ')
          const permissionNameExists = progActorResources[permissionName]
          if (!permissionNameExists) {
@@ -76,9 +78,8 @@ export async function syncGitHubAppsData(openApiSource, sourceSchemas, progAcces
          const resourceGroup = progActorResources[permissionName]?.resource_group || ''
          const displayTitle = getDisplayTitle(title, resourceGroup)
          const relatedPermissionNames = Object.keys(
-            progAccessData[operation.operationId].permissions,
+            progAccessData[operation.operationId].permissions.and,
          ).filter((permission) => permission !== permissionName)
-
          // github app permissions
          const serverToServerPermissions = githubAppsData['server-to-server-permissions']
          if (!serverToServerPermissions[permissionName]) {
@@ -182,11 +183,41 @@ async function getProgAccessData(progAccessSource) {

  const progAccessData = {}
  for (const operation of progAccessDataRaw) {
-    const permissions = {}
+    const permissions = { or: {}, and: {} }
    if (operation.permission_sets) {
-      operation.permission_sets.forEach((permissionSet) => {
-        Object.assign(permissions, permissionSet)
-      })
+      // Currently there is only a length of up to 2 permission_sets
+      // OR permission_sets are dashed lists in yaml
+      // e.g.
+      // permission_sets:
+      //   - admin: write
+      //   - contents: read
+      // This becomes: [{admin: write}, {contents: read}] with yaml.load
+      if (operation.permission_sets.length === 2) {
+        // There's currently only one scenario where you have an OR permission_set where one of the OR permissions is an AND permission_set
+        // In this scenario, we want the AND permission_set
+        if (
+          Object.keys(operation.permission_sets[0]).length > 1 ||
+          Object.keys(operation.permission_sets[1]).length > 1
+        ) {
+          const andPermissionSet =
+            Object.keys(operation.permission_sets[0]).length > 1
+              ? operation.permission_sets[0]
+              : operation.permission_sets[1]
+          Object.assign(permissions.and, andPermissionSet)
+        } else {
+          operation.permission_sets.forEach((permissionSet) => {
+            Object.assign(permissions.or, permissionSet)
+          })
+        }
+        // AND permission_sets are under the same dash in yaml
+        // e.g.
+        // permission_sets:
+        //   - admin: write
+        //     contents: read
+        // This becomes: [{admin: write, contents: read}] with yaml.load
+      } else if (operation.permission_sets.length === 1) {
+        Object.assign(permissions.and, operation.permission_sets[0])
+      }
    }

    const userToServerRest = operation.user_to_server.enabled