Merge branch 'develop' into master-to-develop-0.95

# Conflicts:
#	src/domain/access/application/application.service.authorization.ts
#	src/domain/access/application/application.service.lifecycle.ts
#	src/domain/access/role-set/role.set.resolver.mutations.ts
#	src/domain/access/role-set/role.set.service.lifecycle.application.ts

alkemio.yml

@@ -285,7 +285,7 @@ communications:
     enabled: ${COMMUNICATIONS_DISCUSSIONS_ENABLED}:true
 
 ## storage ##
-# Alkemio uses multiple types of persistent storage, including SQL database and IPFS.
+# Alkemio uses multiple types of persistent storage, including SQL database, postgres database, file storage, redis.
 storage:
   file:
     # 20MB

src/app.module.ts

@@ -66,7 +66,6 @@ import { ChatGuidanceModule } from '@services/api/chat-guidance/chat.guidance.mo
 import { LookupModule } from '@services/api/lookup';
 import { AuthResetSubscriberModule } from '@services/auth-reset/subscriber/auth-reset.subscriber.module';
 import { APP_ID_PROVIDER } from '@common/app.id.provider';
-import { IpfsLogModule } from '@services/api-rest/ipfs-log/ipfs.log.module';
 import { ContributionMoveModule } from '@domain/collaboration/callout-contribution/callout.contribution.move.module';
 import { TaskGraphqlModule } from '@domain/task/task.module';
 import { ActivityFeedModule } from '@domain/activity-feed';
@@ -279,7 +278,6 @@ import { AdminUsersModule } from '@platform/admin/users/admin.users.module';
     InnovationHubModule,
     SsiCredentialFlowModule,
     StorageAccessModule,
-    IpfsLogModule,
     MeModule,
     ExcalidrawServerModule,
     ChatGuidanceModule,

src/common/enums/alkemio.error.status.ts

@@ -24,9 +24,6 @@ export enum AlkemioErrorStatus {
   NOT_SUPPORTED = 'NOT_SUPPORTED',
   NOT_ENABLED = 'NOT_ENABLED',
   USER_NOT_REGISTERED = 'USER_NOT_REGISTERED',
-  IPFS_UPLOAD_FAILED = 'IPFS_UPLOAD_FAILED',
-  IPFS_DELETE_FAILED = 'IPFS_DELETE_FAILED',
-  IPFS_GARBAGE_COLLECTION_FAILED = 'IPFS_GARBAGE_COLLECTION_FAILED',
   LICENSE_NOT_FOUND = 'LICENSE_NOT_FOUND',
   MATRIX_ENTITY_NOT_FOUND_ERROR = 'MATRIX_ENTITY_NOT_FOUND_ERROR',
   BOOTSTRAP_FAILED = 'BOOTSTRAP_FAILED',
@@ -41,7 +38,6 @@ export enum AlkemioErrorStatus {
   STORAGE_BUCKET_NOT_FOUND = 'STORAGE_BUCKET_NOT_FOUND',
   TAGSET_NOT_FOUND = 'TAGSET_NOT_FOUND',
   MIME_TYPE_NOT_FOUND = 'MIME_TYPE_NOT_FOUND',
-  IPFS_FILE_NOT_FOUND = 'IPFS_FILE_NOT_FOUND',
   SUBSCRIPTION_USER_NOT_AUTHENTICATED = 'SUBSCRIPTION_USER_NOT_AUTHENTICATED',
   PAGINATION_INPUT_OUT_OF_BOUND = 'PAGINATION_INPUT_OUT_OF_BOUND',
   PAGINATION_NOT_FOUND = 'PAGINATION_NOT_FOUND',
@@ -62,7 +58,6 @@ export enum AlkemioErrorStatus {
   FORUM_DISCUSSION_CATEGORY = 'FORUM_DISCUSSION_CATEGORY',
   OPERATION_NOT_ALLOWED = 'OPERATION_NOT_ALLOWED',
   NOT_FOUND = 'NOT_FOUND',
-  IPFS_NOT_FOUND = 'IPFS_NOT_FOUND',
   EXCALIDRAW_AMQP_RESULT_ERROR = 'EXCALIDRAW_AMQP_RESULT_ERROR',
   EXCALIDRAW_REDIS_ADAPTER_INIT = 'EXCALIDRAW_REDIS_INIT',
   EXCALIDRAW_SERVER_INIT = 'EXCALIDRAW_SERVER_INIT',

src/common/enums/authorization.policy.type.ts

@@ -21,6 +21,7 @@ export enum AuthorizationPolicyType {
   COMMUNICATION = 'communication',
   ROOM = 'room',
   AI_PERSONA = 'ai-persona',
+  AI_SERVER = 'ai-server',
   APPLICATION = 'application',
   ROLE_SET = 'role-set',
   COMMUNITY = 'community',
@@ -50,8 +51,10 @@ export enum AuthorizationPolicyType {
   CALENDAR = 'calendar',
   CALENDAR_EVENT = 'calendar-event',
   TIMELINE = 'timeline',
+  LIBRARY = 'library',
   IN_MEMORY = 'in-memory',
   LICENSING = 'licensing',
+  LICENSE_POLICY = 'license-policy',
   UNKNOWN = 'unknown',
   AI_PERSONA_SERVICE = 'ai-persona-service',
 }

src/common/enums/logging.context.ts

@@ -26,7 +26,6 @@ export enum LogContext {
   SEARCH_EXTRACT = 'search-extract',
   SEARCH_RESULT = 'search-result',
   OPPORTUNITY = 'opportunity',
-  IPFS = 'ipfs',
   LIFECYCLE = 'lifecycle',
   UNSPECIFIED = 'not_specified',
   NOTIFICATIONS = 'notifications',

src/common/exceptions/http/index.ts

@@ -2,4 +2,3 @@ export * from './base.http.exception';
 
 export * from './forbidden.http.exception';
 export * from './not.found.http.exception';
-export * from './ipfs.not.found.http.exception';

src/core/bootstrap/bootstrap.service.ts

@@ -58,8 +58,6 @@ import { bootstrapSpaceTutorialsCallouts } from './platform-template-definitions
 
 @Injectable()
 export class BootstrapService {
-  private adminAgentInfo?: AgentInfo;
-
   constructor(
     private accountService: AccountService,
     private accountAuthorizationService: AccountAuthorizationService,
@@ -296,7 +294,7 @@ export class BootstrapService {
           userData.email
         );
         if (!userExists) {
-          let user = await this.userService.createUser({
+          const user = await this.userService.createUser({
             email: userData.email,
             accountUpn: userData.email,
             firstName: userData.firstName,
@@ -306,19 +304,11 @@ export class BootstrapService {
             },
           });
 
-          const credentialsData = userData.credentials;
-          for (const credentialData of credentialsData) {
-            await this.adminAuthorizationService.grantCredentialToUser({
-              userID: user.id,
-              type: credentialData.type,
-              resourceID: credentialData.resourceID,
-            });
-          }
-          user = await this.userAuthorizationService.grantCredentials(user);
-
           // Once all is done, reset the user authorizations
           const userAuthorizations =
-            await this.userAuthorizationService.applyAuthorizationPolicy(user);
+            await this.userAuthorizationService.applyAuthorizationPolicy(
+              user.id
+            );
           await this.authorizationPolicyService.saveAll(userAuthorizations);
 
           const account = await this.userService.getAccount(user);
@@ -327,16 +317,18 @@ export class BootstrapService {
               account
             );
           await this.authorizationPolicyService.saveAll(accountAuthorizations);
-          if (!this.adminAgentInfo) {
-            this.adminAgentInfo = await this.createSystemAgentInfo(user);
-          }
-        } else {
-          if (!this.adminAgentInfo) {
-            const user = await this.userService.getUserByEmail(userData.email);
-            if (user) {
-              this.adminAgentInfo = await this.createSystemAgentInfo(user);
-            }
+
+          const credentialsData = userData.credentials;
+          for (const credentialData of credentialsData) {
+            await this.adminAuthorizationService.grantCredentialToUser({
+              userID: user.id,
+              type: credentialData.type,
+              resourceID: credentialData.resourceID,
+            });
           }
+          await this.userAuthorizationService.grantCredentialsAllUsersReceive(
+            user.id
+          );
         }
       }
     } catch (error: any) {
@@ -432,14 +424,15 @@ export class BootstrapService {
       DEFAULT_HOST_ORG_NAMEID
     );
     if (!hostOrganization) {
+      const adminAgentInfo = await this.getAdminAgentInfo();
       hostOrganization = await this.organizationService.createOrganization(
         {
           nameID: DEFAULT_HOST_ORG_NAMEID,
           profileData: {
             displayName: DEFAULT_HOST_ORG_DISPLAY_NAME,
           },
         },
-        this.adminAgentInfo
+        adminAgentInfo
       );
       const orgAuthorizations =
         await this.organizationAuthorizationService.applyAuthorizationPolicy(
@@ -457,6 +450,21 @@ export class BootstrapService {
     }
   }
 
+  private async getAdminAgentInfo(): Promise<AgentInfo> {
+    const adminUserEmail = '[email protected]';
+    const adminUser = await this.userService.getUserByEmail(adminUserEmail, {
+      relations: {
+        agent: true,
+      },
+    });
+    if (!adminUser) {
+      throw new BootstrapException(
+        `Unable to load fixed admin user for creating organization: ${adminUserEmail}`
+      );
+    }
+    return this.createSystemAgentInfo(adminUser);
+  }
+
   private async ensureSpaceSingleton() {
     this.logger.verbose?.(
       '=== Ensuring at least one Account with a space is present ===',

src/domain/access/application/application.service.authorization.ts

@@ -6,9 +6,6 @@ import { IAuthorizationPolicy } from '@domain/common/authorization-policy/author
 import { IApplication } from './application.interface';
 import { IAuthorizationPolicyRuleCredential } from '@core/authorization/authorization.policy.rule.credential.interface';
 import { CREDENTIAL_RULE_COMMUNITY_USER_APPLICATION } from '@common/constants/authorization/credential.rule.constants';
-import { AuthorizationPolicyRulePrivilege } from '@core/authorization/authorization.policy.rule.privilege';
-import { POLICY_RULE_COMMUNITY_APPROVE_APPLICATION } from '@common/constants';
-
 @Injectable()
 export class ApplicationAuthorizationService {
   constructor(
@@ -26,10 +23,6 @@ export class ApplicationAuthorizationService {
         parentAuthorization
       );
 
-    application.authorization = this.appendPrivilegeRules(
-      application.authorization
-    );
-
     application.authorization =
       await this.extendAuthorizationPolicy(application);
 
@@ -45,6 +38,7 @@ export class ApplicationAuthorizationService {
     const user = await this.applicationService.getContributor(application.id);
 
     // also grant the user privileges to manage their own application
+    // Note: the GRANT privilege iS NOT assigned to the user; that is what is actually used to approve the application
     const userApplicationRule =
       this.authorizationPolicyService.createCredentialRule(
         [
@@ -67,19 +61,4 @@ export class ApplicationAuthorizationService {
       newRules
     );
   }
-
-  private appendPrivilegeRules(
-    authorization: IAuthorizationPolicy
-  ): IAuthorizationPolicy {
-    const approveApplicationPrivilege = new AuthorizationPolicyRulePrivilege(
-      [AuthorizationPrivilege.COMMUNITY_APPLY_ACCEPT],
-      AuthorizationPrivilege.GRANT,
-      POLICY_RULE_COMMUNITY_APPROVE_APPLICATION
-    );
-
-    return this.authorizationPolicyService.appendPrivilegeAuthorizationRules(
-      authorization,
-      [approveApplicationPrivilege]
-    );
-  }
 }

src/domain/access/application/application.service.lifecycle.ts

@@ -60,19 +60,19 @@ export const applicationLifecycleMachine: ILifecycleDefinition = {
     new: {
       on: {
         APPROVE: {
-          guards: 'hasApplicationAcceptPrivilege',
+          guard: 'hasGrantPrivilege',
           target: ApplicationLifecycleState.APPROVING,
         },
         REJECT: {
-          guards: 'hasUpdatePrivilege',
+          guard: 'hasUpdatePrivilege',
           target: ApplicationLifecycleState.REJECTED,
         },
       },
     },
     approving: {
       on: {
         APPROVED: {
-          guards: 'hasApplicationAcceptPrivilege',
+          guard: 'hasGrantPrivilege',
           target: ApplicationLifecycleState.APPROVED,
         },
       },
@@ -83,11 +83,11 @@ export const applicationLifecycleMachine: ILifecycleDefinition = {
     rejected: {
       on: {
         REOPEN: {
-          guards: 'hasUpdatePrivilege',
+          guard: 'hasUpdatePrivilege',
           target: ApplicationLifecycleState.NEW,
         },
         ARCHIVE: {
-          guards: 'hasUpdatePrivilege',
+          guard: 'hasUpdatePrivilege',
           target: ApplicationLifecycleState.ARCHIVED,
         },
       },

src/domain/access/invitation/invitation.service.lifecycle.ts

@@ -61,19 +61,19 @@ export const invitationLifecycleMachine: ILifecycleDefinition = {
     invited: {
       on: {
         ACCEPT: {
-          guards: 'hasInvitationAcceptPrivilege',
+          guard: 'hasInvitationAcceptPrivilege',
           target: InvitationLifecycleState.ACCEPTING,
         },
         REJECT: {
-          guards: 'hasUpdatePrivilege',
+          guard: 'hasUpdatePrivilege',
           target: InvitationLifecycleState.REJECTED,
         },
       },
     },
     accepting: {
       on: {
         ACCEPTED: {
-          guards: 'hasInvitationAcceptPrivilege',
+          guard: 'hasInvitationAcceptPrivilege',
           target: InvitationLifecycleState.ACCEPTED,
         },
       },
@@ -84,11 +84,11 @@ export const invitationLifecycleMachine: ILifecycleDefinition = {
     rejected: {
       on: {
         REINVITE: {
-          guards: 'hasUpdatePrivilege',
+          guard: 'hasUpdatePrivilege',
           target: InvitationLifecycleState.INVITED,
         },
         ARCHIVE: {
-          guards: 'hasUpdatePrivilege',
+          guard: 'hasUpdatePrivilege',
           target: InvitationLifecycleState.ARCHIVED,
         },
       },