feat: Added API and UI for Eligible Roles Relationship Type in entity panel - BED-7309 #2458
specter-flq wants to merge 4 commits into main
📝 Walkthrough

This PR adds support for querying eligible roles for Azure entities (groups and users) by introducing new query functions, database operations, filters, constants, API endpoints, and UI sections across the Go backend and JavaScript frontend. The eligible roles functionality mirrors existing role-lookup patterns and expands Azure analysis capabilities.
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~22 minutes
Pre-merge checks: ✅ 1 passed | ❌ 2 failed (2 warnings)
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@packages/go/analysis/azure/filters.go`:
- Around line 41-42: The FilterEntityEligibleRoles function currently includes
both azure.AZRoleEligible and azure.AZRoleApprover in its KindIn criteria;
remove azure.AZRoleApprover so the filter only matches azure.AZRoleEligible.
Update the function FilterEntityEligibleRoles to use
query.KindIn(query.Relationship(), azure.AZRoleEligible) (leave AZRoleApprover
out) so the “Eligible Roles” flow no longer returns roles based on approver
edges.
In `@packages/go/analysis/azure/queries.go`:
- Around line 263-281: The current eligible-role traversals
(FetchEntityEligibleRolePaths and FetchEntityEligibleRoles) only follow direct
eligible-role edges and must mirror the inheritance logic used by
fetchRolesTraversalPlan: update their ops.TraversalPlan to include the
AZMemberOf branch (or otherwise traverse member-of edges) and apply the same
roleDescentFilter used in the active-role traversal so that role-assignable
group inheritance is followed; specifically, adjust the BranchQuery and
PathFilter fields (or add an intermediate branch) to combine
FilterEntityEligibleRoles with AZMemberOf and ensure roleDescentFilter is
applied to path segments just like in fetchRolesTraversalPlan.
📒 Files selected for processing (6)
- cmd/api/src/api/v2/azure.go
- packages/go/analysis/azure/db_ops.go
- packages/go/analysis/azure/filters.go
- packages/go/analysis/azure/model.go
- packages/go/analysis/azure/queries.go
- packages/javascript/bh-shared-ui/src/utils/content.ts
```go
func FilterEntityEligibleRoles() graph.Criteria {
	return query.KindIn(query.Relationship(), azure.AZRoleEligible, azure.AZRoleApprover)
```
Keep approver edges out of the eligible-roles filter.
AZRoleApprover already backs the separate role-approver flow, so including it here makes eligible-roles return roles an entity can approve even when it is not actually eligible for them. That will populate the new “Eligible Roles” table with the wrong relationship type.
Suggested fix
func FilterEntityEligibleRoles() graph.Criteria {
- return query.KindIn(query.Relationship(), azure.AZRoleEligible, azure.AZRoleApprover)
+ return query.Kind(query.Relationship(), azure.AZRoleEligible)
}
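Review bot: the `+` line changes the call from query.KindIn to query.Kind as well as dropping azure.AZRoleApprover, while the agent prompt for this same finding asks for query.KindIn(query.Relationship(), azure.AZRoleEligible); settle on one form so the committed change matches the instruction. A doc comment on FilterEntityEligibleRoles stating that approver edges are excluded on purpose, plus a test that an entity holding only an AZRoleApprover edge gets an empty eligible-roles result, would keep the two flows from being merged again.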
```go
func FetchEntityEligibleRolePaths(tx graph.Transaction, node *graph.Node) (graph.PathSet, error) {
	return ops.TraversePaths(tx, ops.TraversalPlan{
		Root:        node,
		Direction:   graph.DirectionOutbound,
		BranchQuery: FilterEntityEligibleRoles,
		PathFilter: func(ctx *ops.TraversalContext, segment *graph.PathSegment) bool {
			return segment.Node.Kinds.ContainsOneOf(azure.Role)
		},
	})
}

func FetchEntityEligibleRoles(tx graph.Transaction, node *graph.Node, skip, limit int) (graph.NodeSet, error) {
	return ops.AcyclicTraverseTerminals(tx, ops.TraversalPlan{
		Root:        node,
		Direction:   graph.DirectionOutbound,
		Skip:        skip,
		Limit:       limit,
		BranchQuery: FilterEntityEligibleRoles,
	})
```
Mirror the existing role-inheritance traversal here.
These traversals only follow direct eligible-role edges, so users who inherit eligibility through a role-assignable group will be omitted from both the list and graph endpoints. fetchRolesTraversalPlan already handles the analogous active-role case via AZMemberOf plus roleDescentFilter; the eligible-role path should apply the same inheritance rules.
Suggested direction
+func fetchEligibleRolesTraversalPlan(root *graph.Node, skip, limit int) ops.TraversalPlan {
+ return ops.TraversalPlan{
+ Root: root,
+ Direction: graph.DirectionOutbound,
+ Skip: skip,
+ Limit: limit,
+ BranchQuery: func() graph.Criteria {
+ return query.KindIn(query.Relationship(), azure.MemberOf, azure.AZRoleEligible)
+ },
+ DescentFilter: roleDescentFilter,
+ PathFilter: func(_ *ops.TraversalContext, segment *graph.PathSegment) bool {
+ return segment.Node.Kinds.ContainsOneOf(azure.Role)
+ },
+ }
+}
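Review bot: the BranchQuery closure in fetchEligibleRolesTraversalPlan hard-codes azure.AZRoleEligible rather than reusing FilterEntityEligibleRoles, so the eligible edge kinds would be defined in two places and the approver-edge fix to that filter could drift from this plan. The closure also writes azure.MemberOf while the comment text names AZMemberOf; confirm which constant the azure package exports before committing. Since the plan carries Skip and Limit, FetchEntityEligibleRolePaths, which takes neither, needs a defined value to pass for them.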
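Both review findings above, as an added Go example that is not BloodHound's code: a constructed toy graph in which `alice` holds a direct eligible edge, an approver edge, and membership in a hypothetical role-assignable group `pim-admins`. The names `edge`, `sampleEdges`, `roleAssignable` and `eligibleRoles` are illustrative, and the descent rule is an assumption standing in for `roleDescentFilter`.

```go
package main

import (
	"fmt"
	"sort"
)

type edge struct{ from, kind, to string }

// Constructed sample graph (not BloodHound data); edge kind names follow the PR.
var sampleEdges = []edge{
	{"alice", "AZRoleEligible", "User Administrator"},
	{"alice", "AZRoleApprover", "Security Administrator"},
	{"alice", "AZMemberOf", "pim-admins"},
	{"pim-admins", "AZRoleEligible", "Global Administrator"},
}

// Assumption: descent is allowed only into role-assignable groups.
var roleAssignable = map[string]bool{"pim-admins": true}

// eligibleRoles collects roles reached over roleKinds edges from root; with
// inherit set it also descends AZMemberOf edges into role-assignable groups.
func eligibleRoles(root string, inherit bool, roleKinds map[string]bool) []string {
	roles, seen, queue := []string{}, map[string]bool{root: true}, []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, e := range sampleEdges {
			descend := inherit && e.kind == "AZMemberOf" && roleAssignable[e.to]
			if e.from != cur || seen[e.to] || !(roleKinds[e.kind] || descend) {
				continue
			}
			seen[e.to] = true
			if roleKinds[e.kind] {
				roles = append(roles, e.to)
			} else {
				queue = append(queue, e.to)
			}
		}
	}
	sort.Strings(roles)
	return roles
}

func main() {
	eligible := map[string]bool{"AZRoleEligible": true}
	fmt.Println(eligibleRoles("alice", false, eligible)) // direct edges only
	fmt.Println(eligibleRoles("alice", true, eligible))  // plus group inheritance
}
```

Passing a kind set that also contains `AZRoleApprover` reproduces the first finding: `Security Administrator` shows up as eligible although `alice` can only approve it.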
Description
Motivation and Context
Resolves: BED-7309