Merge pull request #4172 from alkem-io/develop

Release: Fixes, Knowledge Subspace Defaults

package.json

@@ -1,6 +1,6 @@
 {
   "name": "alkemio-server",
-  "version": "0.82.2",
+  "version": "0.82.3",
   "description": "Alkemio server, responsible for managing the shared Alkemio platform",
   "author": "Alkemio Foundation",
   "private": false,

src/core/bootstrap/bootstrap.service.ts

@@ -32,6 +32,7 @@ import { SpaceType } from '@common/enums/space.type';
 import { SearchIngestService } from '@services/api/search/v2/ingest/search.ingest.service';
 import { CreateAccountInput } from '@domain/space/account/dto/account.dto.create';
 import { SpaceLevel } from '@common/enums/space.level';
+import { CreateSpaceOnAccountInput } from '@domain/space/account/dto/account.dto.create.space';
 
 @Injectable()
 export class BootstrapService {
@@ -70,7 +71,7 @@ export class BootstrapService {
       )?.logging?.profiling_enabled;
       if (profilingEnabled) Profiling.profilingEnabled = profilingEnabled;
 
-      await this.ensureSpaceSingleton();
+      await this.ensureAccountSpaceSingleton();
       await this.bootstrapProfiles();
       await this.ensureSsiPopulated();
       await this.platformService.ensureForumCreated();
@@ -255,7 +256,7 @@ export class BootstrapService {
     }
   }
 
-  async ensureSpaceSingleton() {
+  async ensureAccountSpaceSingleton() {
     this.logger.verbose?.(
       '=== Ensuring at least one Account with a space is present ===',
       LogContext.BOOTSTRAP
@@ -292,12 +293,20 @@ export class BootstrapService {
         },
         hostID: DEFAULT_HOST_ORG_NAMEID,
       };
-      return this.accountService
-        .createAccount(spaceInput)
-        .then(account =>
-          this.accountAuthorizationService.applyAuthorizationPolicy(account)
-        )
-        .then(account => this.accountService.save(account));
+
+      let account = await this.accountService.createAccount(spaceInput);
+      const createSpaceAccountInput: CreateSpaceOnAccountInput = {
+        accountID: account.id,
+        spaceData: spaceInput.spaceData,
+      };
+      account = await this.accountService.createSpaceOnAccount(
+        account,
+        createSpaceAccountInput
+      );
+      account = await this.accountAuthorizationService.applyAuthorizationPolicy(
+        account
+      );
+      return await this.accountService.save(account);
     }
   }
 }

src/domain/community/community/community.module.ts

@@ -30,7 +30,6 @@ import { CommunityGuidelinesModule } from '../community-guidelines/community.gui
 import { VirtualContributorModule } from '../virtual-contributor/virtual.contributor.module';
 import { LicenseEngineModule } from '@core/license-engine/license.engine.module';
 import { ContributorModule } from '../contributor/contributor.module';
-import { AiServerAdapterModule } from '@services/adapters/ai-server-adapter/ai.server.adapter.module';
 import { PlatformInvitationModule } from '@platform/invitation/platform.invitation.module';
 
 @Module({
@@ -60,7 +59,6 @@ import { PlatformInvitationModule } from '@platform/invitation/platform.invitati
     TypeOrmModule.forFeature([Community]),
     TrustRegistryAdapterModule,
     ContributionReporterModule,
-    AiServerAdapterModule,
   ],
   providers: [
     CommunityService,

src/domain/community/community/community.resolver.mutations.ts

@@ -45,19 +45,16 @@ import { CommunityMembershipStatus } from '@common/enums/community.membership.st
 import { CommunityMembershipException } from '@common/exceptions/community.membership.exception';
 import { AssignCommunityRoleToVirtualInput } from './dto/community.dto.role.assign.virtual';
 import { RemoveCommunityRoleFromVirtualInput } from './dto/community.dto.role.remove.virtual';
-import { VirtualContributorAuthorizationService } from '../virtual-contributor/virtual.contributor.service.authorization';
 import { VirtualContributorService } from '../virtual-contributor/virtual.contributor.service';
 import {
   IVirtualContributor,
   VirtualContributor,
 } from '../virtual-contributor';
 import { EntityNotInitializedException } from '@common/exceptions';
 import { CommunityInvitationException } from '@common/exceptions/community.invitation.exception';
-import { SpaceIngestionPurpose } from '@services/infrastructure/event-bus/commands';
 import { CreateInvitationForContributorsOnCommunityInput } from './dto/community.dto.invite.contributor';
 import { IContributor } from '../contributor/contributor.interface';
 import { ContributorService } from '../contributor/contributor.service';
-import { AiServerAdapter } from '@services/adapters/ai-server-adapter/ai.server.adapter';
 import { PlatformInvitationAuthorizationService } from '@platform/invitation/platform.invitation.service.authorization';
 import { PlatformInvitationService } from '@platform/invitation/platform.invitation.service';
 import { IPlatformInvitation } from '@platform/invitation';
@@ -72,7 +69,6 @@ export class CommunityResolverMutations {
     private userService: UserService,
     private userAuthorizationService: UserAuthorizationService,
     private virtualContributorService: VirtualContributorService,
-    private virtualContributorAuthorizationService: VirtualContributorAuthorizationService,
     private userGroupAuthorizationService: UserGroupAuthorizationService,
     private communityService: CommunityService,
     @Inject(CommunityApplicationLifecycleOptionsProvider)
@@ -85,7 +81,6 @@ export class CommunityResolverMutations {
     private invitationAuthorizationService: InvitationAuthorizationService,
     private communityAuthorizationService: CommunityAuthorizationService,
     private contributorService: ContributorService,
-    private aiServerAdapter: AiServerAdapter,
     private platformInvitationAuthorizationService: PlatformInvitationAuthorizationService,
     private platformInvitationService: PlatformInvitationService
   ) {}
@@ -233,34 +228,9 @@ export class CommunityResolverMutations {
       true
     );
 
-    // reset the user authorization policy so that their profile is visible to other community members
-    let virtual =
-      await this.virtualContributorService.getVirtualContributorOrFail(
-        roleData.virtualContributorID,
-        {
-          relations: {
-            account: true,
-          },
-        }
-      );
-
-    const host = await this.virtualContributorService.getAccountHost(virtual);
-
-    virtual =
-      await this.virtualContributorAuthorizationService.applyAuthorizationPolicy(
-        virtual,
-        host,
-        virtual.account.authorization
-      );
-    virtual = await this.virtualContributorService.save(virtual);
-
-    const spaceID = await this.communityService.getRootSpaceID(community);
-    this.aiServerAdapter.ensureSpaceIsUsable(
-      spaceID,
-      SpaceIngestionPurpose.CONTEXT
+    return await this.virtualContributorService.getVirtualContributorOrFail(
+      roleData.virtualContributorID
     );
-
-    return virtual;
   }
 
   @UseGuards(GraphqlGuard)
@@ -356,27 +326,10 @@ export class CommunityResolverMutations {
       roleData.virtualContributorID,
       roleData.role
     );
-    // reset the user authorization policy so that their profile is not visible
-    // to other community members
-    let virtual =
-      await this.virtualContributorService.getVirtualContributorOrFail(
-        roleData.virtualContributorID,
-        {
-          relations: {
-            account: {
-              authorization: true,
-            },
-          },
-        }
-      );
-    const host = await this.virtualContributorService.getAccountHost(virtual);
-    virtual =
-      await this.virtualContributorAuthorizationService.applyAuthorizationPolicy(
-        virtual,
-        host,
-        virtual.account.authorization
-      );
-    return await this.virtualContributorService.save(virtual);
+
+    return await this.virtualContributorService.getVirtualContributorOrFail(
+      roleData.virtualContributorID
+    );
   }
 
   @UseGuards(GraphqlGuard)

src/domain/community/virtual-contributor/virtual.contributor.module.ts

@@ -17,7 +17,7 @@ import { NamingModule } from '@services/infrastructure/naming/naming.module';
 import { AiPersonaModule } from '../ai-persona/ai.persona.module';
 import { AiServerAdapterModule } from '@services/adapters/ai-server-adapter/ai.server.adapter.module';
 import { PlatformAuthorizationPolicyModule } from '@platform/authorization/platform.authorization.policy.module';
-import { AccountHostModule } from '@domain/space/account/account.host.module';
+import { AccountHostModule } from '@domain/space/account.host/account.host.module';
 
 @Module({
   imports: [

src/domain/community/virtual-contributor/virtual.contributor.service.authorization.ts

@@ -5,7 +5,6 @@ import { ProfileAuthorizationService } from '@domain/common/profile/profile.serv
 import { IAuthorizationPolicy } from '@domain/common/authorization-policy';
 import { AuthorizationPolicyService } from '@domain/common/authorization-policy/authorization.policy.service';
 import {
-  AccountException,
   EntityNotInitializedException,
   RelationshipNotFoundException,
 } from '@common/exceptions';
@@ -14,16 +13,10 @@ import { IAuthorizationPolicyRuleCredential } from '@core/authorization/authoriz
 import {
   CREDENTIAL_RULE_TYPES_VC_GLOBAL_COMMUNITY_READ,
   CREDENTIAL_RULE_TYPES_VC_GLOBAL_SUPPORT_MANAGE,
-  CREDENTIAL_RULE_TYPES_VC_GLOBAL_ADMINS,
-  CREDENTIAL_RULE_TYPES_VC_PROVIDER,
 } from '@common/constants';
 import { StorageAggregatorAuthorizationService } from '@domain/storage/storage-aggregator/storage.aggregator.service.authorization';
 import { IVirtualContributor } from './virtual.contributor.interface';
 import { AgentAuthorizationService } from '@domain/agent/agent/agent.service.authorization';
-import { ICredentialDefinition } from '@domain/agent/credential/credential.definition.interface';
-import { IContributor } from '../contributor/contributor.interface';
-import { Organization } from '../organization';
-import { User } from '../user';
 import { AiPersonaAuthorizationService } from '../ai-persona/ai.persona.service.authorization';
 
 @Injectable()
@@ -40,7 +33,6 @@ export class VirtualContributorAuthorizationService {
 
   async applyAuthorizationPolicy(
     virtualInput: IVirtualContributor,
-    host: IContributor,
     parentAuthorization: IAuthorizationPolicy | undefined
   ): Promise<IVirtualContributor> {
     const virtual = await this.virtualService.getVirtualContributorOrFail(
@@ -77,11 +69,6 @@ export class VirtualContributorAuthorizationService {
       virtual.id
     );
 
-    virtual.authorization = this.extendAuthorizationPolicy(
-      virtual.authorization,
-      host
-    );
-
     // NOTE: Clone the authorization policy to ensure the changes are local to profile
     const clonedVirtualAuthorizationAnonymousAccess =
       this.authorizationPolicyService.cloneAuthorizationPolicy(
@@ -107,7 +94,7 @@ export class VirtualContributorAuthorizationService {
     );
 
     virtual.aiPersona =
-      await this.aiPersonaAuthorizationService.applyAuthorizationPolicy(
+      this.aiPersonaAuthorizationService.applyAuthorizationPolicy(
         virtual.aiPersona,
         virtual.authorization
       );
@@ -130,7 +117,10 @@ export class VirtualContributorAuthorizationService {
     const globalCommunityRead =
       this.authorizationPolicyService.createCredentialRuleUsingTypesOnly(
         [AuthorizationPrivilege.READ],
-        [AuthorizationCredential.GLOBAL_COMMUNITY_READ],
+        [
+          AuthorizationCredential.GLOBAL_REGISTERED,
+          AuthorizationCredential.GLOBAL_COMMUNITY_READ,
+        ],
         CREDENTIAL_RULE_TYPES_VC_GLOBAL_COMMUNITY_READ
       );
     newRules.push(globalCommunityRead);
@@ -148,52 +138,6 @@ export class VirtualContributorAuthorizationService {
       );
     newRules.push(globalSupportManage);
 
-    // Allow Global admins + Global Space Admins to manage access to Spaces + contents
-    const globalAdmin =
-      this.authorizationPolicyService.createCredentialRuleUsingTypesOnly(
-        [AuthorizationPrivilege.GRANT],
-        [
-          AuthorizationCredential.GLOBAL_ADMIN,
-          AuthorizationCredential.GLOBAL_SUPPORT,
-        ],
-        CREDENTIAL_RULE_TYPES_VC_GLOBAL_ADMINS
-      );
-    newRules.push(globalAdmin);
-
-    const virtualAdmin = this.authorizationPolicyService.createCredentialRule(
-      [
-        AuthorizationPrivilege.GRANT,
-        AuthorizationPrivilege.CREATE,
-        AuthorizationPrivilege.UPDATE,
-        AuthorizationPrivilege.DELETE,
-      ],
-      [
-        {
-          type: AuthorizationCredential.ACCOUNT_HOST,
-          resourceID: accountID,
-        },
-        {
-          type: AuthorizationCredential.ORGANIZATION_OWNER,
-          resourceID: accountID,
-        },
-      ],
-      CREDENTIAL_RULE_TYPES_VC_PROVIDER
-    );
-
-    newRules.push(virtualAdmin);
-
-    const readPrivilege = this.authorizationPolicyService.createCredentialRule(
-      [AuthorizationPrivilege.READ],
-      [
-        {
-          type: AuthorizationCredential.GLOBAL_REGISTERED,
-          resourceID: '',
-        },
-      ],
-      CREDENTIAL_RULE_TYPES_VC_GLOBAL_COMMUNITY_READ
-    );
-    newRules.push(readPrivilege);
-
     const updatedAuthorization =
       this.authorizationPolicy.appendCredentialAuthorizationRules(
         authorization,
@@ -202,51 +146,4 @@ export class VirtualContributorAuthorizationService {
 
     return updatedAuthorization;
   }
-
-  private extendAuthorizationPolicy(
-    authorization: IAuthorizationPolicy | undefined,
-    host: IContributor
-  ): IAuthorizationPolicy {
-    if (!authorization) {
-      throw new EntityNotInitializedException(
-        `Authorization definition not found for: contributor ${host.id}`,
-        LogContext.ACCOUNT
-      );
-    }
-    const newRules: IAuthorizationPolicyRuleCredential[] = [];
-
-    // Create the criterias for who can create a VC
-    const hostSelfManagementCriterias: ICredentialDefinition[] = [];
-    const accountHostCred = this.createCredentialCriteriaForHost(host);
-
-    hostSelfManagementCriterias.push(accountHostCred);
-
-    this.authorizationPolicyService.appendCredentialAuthorizationRules(
-      authorization,
-      newRules
-    );
-
-    return authorization;
-  }
-
-  private createCredentialCriteriaForHost(
-    host: IContributor
-  ): ICredentialDefinition {
-    if (host instanceof User) {
-      return {
-        type: AuthorizationCredential.USER_SELF_MANAGEMENT,
-        resourceID: host.id,
-      };
-    } else if (host instanceof Organization) {
-      return {
-        type: AuthorizationCredential.ORGANIZATION_ADMIN,
-        resourceID: host.id,
-      };
-    } else {
-      throw new AccountException(
-        `Unable to determine host type for: ${host.id}, of type '${host.constructor.name}'`,
-        LogContext.ACCOUNT
-      );
-    }
-  }
 }

src/domain/community/virtual-contributor/virtual.contributor.service.ts

@@ -37,7 +37,7 @@ import { SearchVisibility } from '@common/enums/search.visibility';
 import { IMessageAnswerToQuestion } from '@domain/communication/message.answer.to.question/message.answer.to.question.interface';
 import { IAiPersona } from '../ai-persona';
 import { IContributor } from '../contributor/contributor.interface';
-import { AccountHostService } from '@domain/space/account/account.host.service';
+import { AccountHostService } from '@domain/space/account.host/account.host.service';
 
 @Injectable()
 export class VirtualContributorService {

src/domain/space/account/account.host.module.ts → src/domain/space/account.host/account.host.module.ts

@@ -1,9 +1,10 @@
 import { ContributorModule } from '@domain/community/contributor/contributor.module';
 import { Module } from '@nestjs/common';
 import { AccountHostService } from './account.host.service';
+import { AgentModule } from '@domain/agent/agent/agent.module';
 
 @Module({
-  imports: [ContributorModule],
+  imports: [ContributorModule, AgentModule],
   providers: [AccountHostService],
   exports: [AccountHostService],
 })