[SM-713] Add database support for secret access policies (#3681)

* mssql add column and migration * Add secret access policies to EF models and config * Clear new access policies on service account delete * Add SM cleanup code on delete * Fix EF org user bulk delete * Run EF migrations
2025-12-25 12:43:14 +00:00 · 2024-02-22 10:06:39 -06:00
parent 374b59bcfb
commit 1499d1e2c6
20 changed files with 8315 additions and 46 deletions
--- a/src/Sql/SecretsManager/dbo/Tables/AccessPolicy.sql
+++ b/src/Sql/SecretsManager/dbo/Tables/AccessPolicy.sql
@@ -1,34 +1,40 @@
-CREATE TABLE [AccessPolicy] (
-    [Id]                      UNIQUEIDENTIFIER NOT NULL,
-    [Discriminator]           NVARCHAR(50)     NOT NULL,
-    [OrganizationUserId]      UNIQUEIDENTIFIER NULL,
-    [GroupId]                 UNIQUEIDENTIFIER NULL,
-    [ServiceAccountId]        UNIQUEIDENTIFIER NULL,
-    [GrantedProjectId]        UNIQUEIDENTIFIER NULL,
+CREATE TABLE [dbo].[AccessPolicy]
+(
+    [Id] UNIQUEIDENTIFIER NOT NULL,
+    [Discriminator] NVARCHAR (50) NOT NULL,
+    [OrganizationUserId] UNIQUEIDENTIFIER NULL,
+    [GroupId] UNIQUEIDENTIFIER NULL,
+    [ServiceAccountId] UNIQUEIDENTIFIER NULL,
+    [GrantedProjectId] UNIQUEIDENTIFIER NULL,
    [GrantedServiceAccountId] UNIQUEIDENTIFIER NULL,
-    [Read]                    BIT NOT NULL,
-    [Write]                   BIT NOT NULL,
-    [CreationDate]            DATETIME2 NOT NULL,
-    [RevisionDate]            DATETIME2 NOT NULL,
-    CONSTRAINT [PK_AccessPolicy] PRIMARY KEY CLUSTERED ([Id]),
-    CONSTRAINT [FK_AccessPolicy_Group_GroupId] FOREIGN KEY ([GroupId]) REFERENCES [Group] ([Id]) ON DELETE CASCADE,
-    CONSTRAINT [FK_AccessPolicy_OrganizationUser_OrganizationUserId] FOREIGN KEY ([OrganizationUserId]) REFERENCES [OrganizationUser] ([Id]),
-    CONSTRAINT [FK_AccessPolicy_Project_GrantedProjectId] FOREIGN KEY ([GrantedProjectId]) REFERENCES [Project] ([Id]) ON DELETE CASCADE,
-    CONSTRAINT [FK_AccessPolicy_ServiceAccount_GrantedServiceAccountId] FOREIGN KEY ([GrantedServiceAccountId]) REFERENCES [ServiceAccount] ([Id]),
-    CONSTRAINT [FK_AccessPolicy_ServiceAccount_ServiceAccountId] FOREIGN KEY ([ServiceAccountId]) REFERENCES [ServiceAccount] ([Id])
+    [Read] BIT NOT NULL,
+    [Write] BIT NOT NULL,
+    [CreationDate] DATETIME2 NOT NULL,
+    [RevisionDate] DATETIME2 NOT NULL,
+    [GrantedSecretId] UNIQUEIDENTIFIER NULL,
+    CONSTRAINT [PK_AccessPolicy] PRIMARY KEY CLUSTERED ([Id] ASC),
+    CONSTRAINT [FK_AccessPolicy_Group_GroupId] FOREIGN KEY ([GroupId]) REFERENCES [dbo].[Group] ([Id]) ON DELETE CASCADE,
+    CONSTRAINT [FK_AccessPolicy_OrganizationUser_OrganizationUserId] FOREIGN KEY ([OrganizationUserId]) REFERENCES [dbo].[OrganizationUser] ([Id]),
+    CONSTRAINT [FK_AccessPolicy_Project_GrantedProjectId] FOREIGN KEY ([GrantedProjectId]) REFERENCES [dbo].[Project] ([Id]) ON DELETE CASCADE,
+    CONSTRAINT [FK_AccessPolicy_ServiceAccount_GrantedServiceAccountId] FOREIGN KEY ([GrantedServiceAccountId]) REFERENCES [dbo].[ServiceAccount] ([Id]),
+    CONSTRAINT [FK_AccessPolicy_ServiceAccount_ServiceAccountId] FOREIGN KEY ([ServiceAccountId]) REFERENCES [dbo].[ServiceAccount] ([Id]),
+    CONSTRAINT [FK_AccessPolicy_Secret_GrantedSecretId] FOREIGN KEY ([GrantedSecretId]) REFERENCES [dbo].[Secret] ([Id]) ON DELETE CASCADE
 );

 GO
-CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GroupId] ON [AccessPolicy] ([GroupId]);
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GroupId] ON [dbo].[AccessPolicy]([GroupId] ASC);

 GO
-CREATE NONCLUSTERED INDEX [IX_AccessPolicy_OrganizationUserId] ON [AccessPolicy] ([OrganizationUserId]);
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_OrganizationUserId] ON [dbo].[AccessPolicy]([OrganizationUserId] ASC);

 GO
-CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedProjectId] ON [AccessPolicy] ([GrantedProjectId]);
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedProjectId] ON [dbo].[AccessPolicy]([GrantedProjectId] ASC);

 GO
-CREATE NONCLUSTERED INDEX [IX_AccessPolicy_ServiceAccountId] ON [AccessPolicy] ([ServiceAccountId]);
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_ServiceAccountId] ON [dbo].[AccessPolicy]([ServiceAccountId] ASC);

 GO
-CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedServiceAccountId] ON [AccessPolicy] ([GrantedServiceAccountId]);
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedServiceAccountId] ON [dbo].[AccessPolicy]([GrantedServiceAccountId] ASC);
+
+GO
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedSecretId] ON [dbo].[AccessPolicy]([GrantedSecretId] ASC);