Skip to content

fix: Grant All Permissions on All Projects mechanism (Issue #148)#149

Merged
joshuaquek merged 1 commit into
mainfrom
fix/issue-148-grant-all-permissions
May 6, 2026
Merged

fix: Grant All Permissions on All Projects mechanism (Issue #148)#149
joshuaquek merged 1 commit into
mainfrom
fix/issue-148-grant-all-permissions

Conversation

@joshuaquek

Copy link
Copy Markdown
Collaborator

Summary

Changed the permission migration mechanism to use SonarCloud's "Grant All Permissions on All Projects" approach, which grants admin permission at the organization level (automatically granting all permissions on all projects) instead of trying to replicate the complex per-group, per-permission structure that fails when groups don't exist in SonarCloud.

Problem

The original permission migration mechanism iterated over all groups from SonarQube and tried to grant each specific permission to each group on each project. This caused silent failures when groups didn't exist in SonarCloud.

Solution

API Layer

  • Added grantAllPermissionsOnAllProjects() function that uses the 'admin' permission at org level

Migration Layer

  • migrateGlobalPermissions: Now grants 'admin' to 'Sonar Migration Admins' group with fallback to 'Anyone'
  • migrateProjectPermissions: Skipped (admin at org level covers all projects)

Files Changed

File Change
api/permissions/helpers/group-permissions.js Added grantAllPermissionsOnAllProjects()
api/permissions/index.js Export new function
api/permissions.js Export new function
api-client/helpers/attach-perm-methods.js Attach new method to client
migrators/permissions/helpers/migrate-global-permissions.js Simplified with fallback
migrators/permissions/helpers/migrate-project-permissions.js Skipped

Regression Testing

✅ Verified: Sonar Migration Admins group confirmed with ['gateadmin', 'scan', 'admin', 'provisioning'] permissions

New Documentation (5 files)

Added comprehensive documentation:

  • Easy Local Development Guide.md - Beginner setup guide
  • Design Principles.md - Architecture patterns
  • Core Technologies.md - Tech stack overview
  • Business Value.md - Value proposition
  • Audit & Error Events Logging Strategy.md - Logging system

Test Plan

  • Build passes (npm run package)
  • Binary version: 1.3.0
  • Syntax checks pass on all modified files
  • Regression test: permissions migration successful
  • Verify SC group has correct permissions

🤖 Generated with Claude Code

## Summary

Changed the permission migration mechanism to use SonarCloud's "Grant All Permissions on All Projects" approach, which grants admin permission at the organization level (automatically granting all permissions on all projects) instead of trying to replicate the complex per-group, per-permission structure that fails when groups don't exist in SonarCloud.

## Problem

The original permission migration mechanism iterated over all groups from SonarQube and tried to grant each specific permission (scan, admin, gateadmin, etc.) to each group on each project. This approach had multiple failure modes:

1. **Silent failures**: Permission grant errors were only logged at debug level, silently swallowed
2. **Group existence**: If a group didn't exist in SonarCloud, permissions weren't granted
3. **Edge cases**: Groups/users not available in SQC caused incomplete migrations
4. **Complexity**: Replicating granular permissions was error-prone and hard to debug

## Solution

### API Layer (`group-permissions.js`)

Added new function `grantAllPermissionsOnAllProjects()` that uses the 'admin' permission at org level, which automatically grants all permissions on all projects in SonarCloud:

```javascript
export async function grantAllPermissionsOnAllProjects(client, organization, groupName) {
  await client.post('/api/permissions/add_group', null, {
    params: { groupName, permission: 'admin', organization }
  });
}
```

### Migration Layer (`migrate-global-permissions.js`)

Refactored to use the simplified mechanism:
- Primary: Grant 'admin' to 'Sonar Migration Admins' group
- Fallback: If that fails, grant to 'Anyone' group
- Throws error only if both attempts fail

### Project Permissions (`migrate-project-permissions.js`)

Changed to skip per-project permissions since the org-level admin permission already covers all projects. Added null-safe handling for projectPermissions parameter.

## Files Changed

| File | Change |
|------|--------|
| `api/permissions/helpers/group-permissions.js` | Added `grantAllPermissionsOnAllProjects()` function |
| `api/permissions/index.js` | Export new function |
| `api/permissions.js` | Export new function |
| `api-client/helpers/attach-perm-methods.js` | Attach new method to client |
| `migrators/permissions/helpers/migrate-global-permissions.js` | Simplified to use admin permission with fallback |
| `migrators/permissions/helpers/migrate-project-permissions.js` | Skipped (admin at org level covers all) |

## Regression Testing

Verified on SonarQube/SonarCloud with:
- SQ: 3 groups with global permissions found
- SC: 'Sonar Migration Admins' group confirmed with ['gateadmin', 'scan', 'admin', 'provisioning'] permissions

Log output confirmed successful migration:
```
Migrating global permissions using simplified 'Grant All Permissions on All Projects' mechanism
Successfully granted admin permission to 'Sonar Migration Admins' group
```

---

## New Documentation (5 files)

Added comprehensive documentation for new users and contributors:

### Easy Local Development Guide.md
- Beginner-friendly setup instructions
- Prerequisites, clone, build, run steps
- Troubleshooting section
- Config file templates

### Design Principles.md
- Folder-Centric Architecture
- Micro Files Over Monoliths
- Flat Over Nested
- Readable at a Glance
- Shared Libraries for Reuse
- Error Handling
- State Management

### Core Technologies.md
- Node.js and SEA packaging
- Protobuf encoding
- Winston logging
- Commander.js CLI
- Ajv schema validation
- Electron desktop GUI
- GitHub Actions CI/CD

### Business Value.md
- Time savings (no re-scanning)
- Data preservation metrics
- Risk reduction strategies
- Cost efficiency analysis
- Governance continuity

### Audit & Error Events Logging Strategy.md
- Winston-based logging architecture
- Log levels and destinations
- Structured logging format
- Error classification hierarchy
- Audit trail events
- Log rotation strategy

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@sonar-review-alpha

sonar-review-alpha Bot commented May 6, 2026

Copy link
Copy Markdown

Summary

This PR replaces the granular permission migration approach with a simplified org-level grant mechanism. Instead of attempting to replicate complex per-group, per-permission structures (which fails silently when groups don't exist in SonarCloud), it now:

  1. Grants admin permission at the organization level via a new grantAllPermissionsOnAllProjects() function
  2. Uses 'Sonar Migration Admins' group with automatic fallback to 'Anyone' if that fails
  3. Skips per-project permission migrations entirely (org-level admin automatically cascades to all projects)

The API changes are minimal (one new function + client binding), but the migration logic is significantly simplified. Also adds 5 comprehensive documentation files covering logging strategy, design principles, tech stack, business value, and local development setup.

What reviewers should know

Where to start:

  • src/pipelines/sq-2025/sonarcloud/api/permissions/helpers/group-permissions.js — the new grantAllPermissionsOnAllProjects() function (lines 22-33)
  • src/pipelines/sq-2025/sonarcloud/migrators/permissions/helpers/migrate-global-permissions.js — shows how it's used with fallback logic (lines 15-33)
  • src/pipelines/sq-2025/sonarcloud/migrators/permissions/helpers/migrate-project-permissions.js — now a no-op (intentionally skipped)

Key decisions to understand:

  • Why skip project permissions? Org-level admin permission automatically grants all permissions on all projects in SonarCloud, so per-project grants are redundant
  • Fallback to 'Anyone': If 'Sonar Migration Admins' group doesn't exist, the code falls back to granting admin to 'Anyone'. This is intentional resilience, but worth confirming matches your security model
  • Simplified API: The new function wraps a single POST call with permission: 'admin' at org level—verify this endpoint behaves as documented

Documentation changes:
Five new docs (2041 lines total) were added to docs/. These are substantial but non-code—just verify they align with your current architecture and policies. The logging strategy doc is particularly detailed if you need to understand the logging approach.


  • Generate Walkthrough
  • Generate Diagram

🗣️ Give feedback

@joshuaquek

Copy link
Copy Markdown
Collaborator Author

++ @okorach-sonar @okorach ok resolved, regression tested.

@joshuaquek
joshuaquek merged commit d4e1896 into main May 6, 2026
1 check failed
@joshuaquek
joshuaquek deleted the fix/issue-148-grant-all-permissions branch May 6, 2026 17:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant