API: Enhance permissions to allow filtering by environments

Open rajdip-b opened this issue 8 months ago • 10 comments

Description

Right now, the roles that are created can have one or many projects associated with them. Associating projects means that members who have this role attached to them will be able to perform the authorities in the WorkspaceRole entity [refer to prisma schema].

We would like to have another layer of security in here. We would also like to introduce environment-specific access, so that members can have access to only a specific set of environments in the project set by the admin.

Use case:

Consider that there's a project that has 3 environments: dev, stage and prod. It will be ideal to allow the developers to access the dev and stage environments (and the secrets and variables in them) while the prod environment is only accessible by the DevOps team or such. This is where this feature will be helpful.

Solution

  • Update the ProjectWorkspaceRoleAssociation entity to include environments - specifying the environments accessible by the member.
  • Create a reverse relation from Environment on to ProjectWorkspaceRoleAssociation.
  • Add a util function named getCollectiveEnvironmentAuthorities. You can take the reference from any get-collective-project-authorities.ts. The purpose of this function would be this: given the userId, project, and environment, it would need to fetch all the authorities that the member has over this environment.
  • Update AuthorityCheckerService#checkAuthorityOverEnvironment to incorporate the getCollectiveEnvironmentAuthorities function and filter the roles.
  • Update the projectIds to be of type Map<String, Array<String>>. The association will be something like this: for every projectId, the list of environmentIds that will be available to the role.
  • Update the WorkspaceRoleService functions accordingly.
  • Update the required tests in workspace-role module.

rajdip-b, Jun 06 '24 16:06
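The environment-scoped check proposed in this issue, as an added in-memory sketch that is not keyshade code: the types, the canActOnEnvironment helper, the authority labels and the sample data are constructed, and projectIds is modelled as a plain object keyed by project ID. It assumes a fail-closed rule, which the issue does not specify: a role contributes authorities only for environment IDs it lists explicitly.

```typescript
// Added sketch, not keyshade code. Types, labels and sample data are constructed.
interface RoleSketch {
  authorities: string[]; // constructed authority labels
  projectIds: { [projectId: string]: string[] }; // projectId -> environmentIds
}
interface MemberSketch {
  userId: string;
  roles: RoleSketch[];
}

// Own-property test, so keys such as "__proto__" never match an inherited member.
const own = (o: object, k: string): boolean =>
  Object.prototype.hasOwnProperty.call(o, k);

// Union of the authorities the user's roles grant over one environment.
function getCollectiveEnvironmentAuthorities(
  userId: string,
  projectId: string,
  environmentId: string,
  members: MemberSketch[]
): string[] {
  const granted: { [authority: string]: true } = Object.create(null);
  members.forEach((member) => {
    if (member.userId !== userId) return;
    member.roles.forEach((role) => {
      if (!own(role.projectIds, projectId)) return;
      // Assumption: fail closed. An empty or non-matching list grants nothing.
      if (role.projectIds[projectId].indexOf(environmentId) === -1) return;
      role.authorities.forEach((a) => { granted[a] = true; });
    });
  });
  return Object.keys(granted).sort();
}

// Hypothetical gate in the spirit of checkAuthorityOverEnvironment.
function canActOnEnvironment(
  userId: string, projectId: string, environmentId: string,
  authority: string, members: MemberSketch[]
): boolean {
  const have = getCollectiveEnvironmentAuthorities(userId, projectId, environmentId, members);
  return have.indexOf(authority) !== -1;
}

// Constructed sample mirroring the dev/stage/prod use case above.
const developer: RoleSketch = { authorities: ['READ_SECRET', 'UPDATE_SECRET'], projectIds: { 'project-1': ['dev', 'stage'] } };
const devops: RoleSketch = { authorities: ['READ_SECRET', 'DELETE_SECRET'], projectIds: { 'project-1': ['prod'] } };
const SAMPLE_MEMBERS: MemberSketch[] = [
  { userId: 'alice', roles: [developer] },
  { userId: 'bob', roles: [developer, devops] },
];
```

Because authorities are resolved per environment, a member holding both roles does not carry the prod-only authority into dev or stage.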