refactor: identity -> iam

modules/iam/routes/roles/handle.ts

@@ -0,0 +1,33 @@
+import { ForbiddenError, NotFoundError } from "@platform/relay";
+
+import { getPrincipalById, setPrincipalRolesById } from "../../services/database.ts";
+import route from "./spec.ts";
+
+export default route.access("session").handle(async ({ params: { id }, body: ops }, { access }) => {
+  const principal = await getPrincipalById(id);
+  if (principal === undefined) {
+    return new NotFoundError();
+  }
+  const decision = await access.isAllowed({ kind: "role", id: principal.id, attr: principal.attr }, "manage");
+  if (decision === false) {
+    return new ForbiddenError("You do not have permission to modify roles for this identity.");
+  }
+  const roles: Set<string> = new Set(principal.roles);
+  for (const op of ops) {
+    switch (op.type) {
+      case "add": {
+        for (const role of op.roles) {
+          roles.add(role);
+        }
+        break;
+      }
+      case "remove": {
+        for (const role of op.roles) {
+          roles.delete(role);
+        }
+        break;
+      }
+    }
+  }
+  await setPrincipalRolesById(id, Array.from(roles));
+});

modules/iam/routes/roles/spec.ts

@@ -0,0 +1,19 @@
+import { ForbiddenError, NotFoundError, route, UnauthorizedError } from "@platform/relay";
+import z from "zod";
+
+export default route
+  .put("/api/v1/identity/:id/roles")
+  .params({
+    id: z.string(),
+  })
+  .body(
+    z.array(
+      z.union([
+        z.strictObject({
+          type: z.union([z.literal("add"), z.literal("remove")]),
+          roles: z.array(z.any()),
+        }),
+      ]),
+    ),
+  )
+  .errors([UnauthorizedError, ForbiddenError, NotFoundError]);