Remove all OR additional permission sets (#47063)

gracepark · rachmari · web-flow · commit 0d77590b885e · 2023-12-11T18:32:22.000Z
Co-authored-by: Rachael Sewell &lt;rachmari@github.com&gt;
diff --git a/src/github-apps/scripts/sync.js b/src/github-apps/scripts/sync.js
@@ -62,9 +62,11 @@ export async function syncGitHubAppsData(openApiSource, sourceSchemas, progAcces
         }
 
         // permissions
-        for (const [permissionName, readOrWrite] of Object.entries(
-          progAccessData[operation.operationId].permissions,
-        )) {
+        const allPermissions = {
+          ...progAccessData[operation.operationId].permissions.and,
+          ...progAccessData[operation.operationId].permissions.or,
+        }
+        for (const [permissionName, readOrWrite] of Object.entries(allPermissions)) {
           const tempTitle = permissionName.replace(/_/g, ' ')
           const permissionNameExists = progActorResources[permissionName]
           if (!permissionNameExists) {
@@ -76,9 +78,8 @@ export async function syncGitHubAppsData(openApiSource, sourceSchemas, progAcces
           const resourceGroup = progActorResources[permissionName]?.resource_group || ''
           const displayTitle = getDisplayTitle(title, resourceGroup)
           const relatedPermissionNames = Object.keys(
-            progAccessData[operation.operationId].permissions,
+            progAccessData[operation.operationId].permissions.and,
           ).filter((permission) => permission !== permissionName)
-
           // github app permissions
           const serverToServerPermissions = githubAppsData['server-to-server-permissions']
           if (!serverToServerPermissions[permissionName]) {
@@ -182,11 +183,41 @@ async function getProgAccessData(progAccessSource) {
 
   const progAccessData = {}
   for (const operation of progAccessDataRaw) {
-    const permissions = {}
+    const permissions = { or: {}, and: {} }
     if (operation.permission_sets) {
-      operation.permission_sets.forEach((permissionSet) => {
-        Object.assign(permissions, permissionSet)
-      })
+      // Currently there is only a length of up to 2 permission_sets
+      // OR permission_sets are dashed lists in yaml
+      // e.g.
+      // permission_sets:
+      //   - admin: write
+      //   - contents: read
+      // This becomes: [{admin: write}, {contents: read}] with yaml.load
+      if (operation.permission_sets.length === 2) {
+        // There's currently only one scenario where you have an OR permission_set where one of the OR permissions is an AND permission_set
+        // In this scenario, we want the AND permission_set
+        if (
+          Object.keys(operation.permission_sets[0]).length > 1 ||
+          Object.keys(operation.permission_sets[1]).length > 1
+        ) {
+          const andPermissionSet =
+            Object.keys(operation.permission_sets[0]).length > 1
+              ? operation.permission_sets[0]
+              : operation.permission_sets[1]
+          Object.assign(permissions.and, andPermissionSet)
+        } else {
+          operation.permission_sets.forEach((permissionSet) => {
+            Object.assign(permissions.or, permissionSet)
+          })
+        }
+        // AND permission_sets are under the same dash in yaml
+        // e.g.
+        // permission_sets:
+        //   - admin: write
+        //     contents: read
+        // This becomes: [{admin: write, contents: read}] with yaml.load
+      } else if (operation.permission_sets.length === 1) {
+        Object.assign(permissions.and, operation.permission_sets[0])
+      }
     }
 
     const userToServerRest = operation.user_to_server.enabled
