RBAC plugin: array resources + action alias wrapper (TRI-8719 Phase A)

matt-aitken · matt-aitken · commit e154745cd73e · 2026-04-28T17:05:23.000+01:00
Foundational changes before swapping apiBuilder to rbac.authenticateBearer.
No behaviour change yet — apiBuilder is still on the legacy path.

Array resources:
- @trigger.dev/plugins RbacAbility.can now accepts RbacResource | RbacResource[].
  Array form means 'grant access if any element passes', preserving the
  legacy checkAuthorization multi-key semantic once TRI-8719 completes.
- internal-packages/rbac ability.ts: permissive/super/deny pass through
  unchanged; buildJwtAbility iterates the array and short-circuits on
  first match.

Action alias wrapper (internal-packages/rbac/src/index.ts):
- ACTION_ALIASES map + withActionAliases function. Wraps an underlying
  RbacAbility so that can(action, resource) retries with alias actions
  when the direct check fails. Currently: trigger, batchTrigger, update
  are all satisfied by a scope whose action is write — matching legacy
  superScope behaviour for route.action values that don't align with
  scope prefixes.
- LazyController wraps the ability it gets from authenticateBearer /
  authenticateSession. authenticateAuthorize* stop delegating to the
  underlying's own Authorize methods (that would bypass the wrapper)
  and instead do the inline ability.can check against the wrapped
  ability.

The enterprise plugin (TRI-8720) does not need to know about aliases —
the wrapper applies uniformly regardless of which ability came back.

Tests:
- ability.test.ts: +4 tests for array resource form (31 total in file).
- loader.test.ts: +11 tests for withActionAliases (direct match, alias
  retry for trigger/batchTrigger/update, id-scoped retry, admin passes,
  array form retry, canSuper delegation).
- Unit suite: 31 tests, all passing.
- Webapp typecheck: clean.
diff --git a/internal-packages/rbac/src/ability.test.ts b/internal-packages/rbac/src/ability.test.ts
@@ -83,6 +83,38 @@ describe("buildJwtAbility", () => {
   });
 });
 
+describe("buildJwtAbility — array resources", () => {
+  it("authorizes when any resource in the array passes a scope check", () => {
+    const ability = buildJwtAbility(["read:batch:batch_abc"]);
+    const resources = [
+      { type: "runs", id: "run_xyz" },
+      { type: "batch", id: "batch_abc" },
+      { type: "tasks", id: "task_other" },
+    ];
+    expect(ability.can("read", resources)).toBe(true);
+  });
+
+  it("rejects when no resource in the array passes a scope check", () => {
+    const ability = buildJwtAbility(["read:batch:batch_abc"]);
+    const resources = [
+      { type: "runs", id: "run_xyz" },
+      { type: "batch", id: "batch_other" },
+      { type: "tasks", id: "task_other" },
+    ];
+    expect(ability.can("read", resources)).toBe(false);
+  });
+
+  it("empty array never authorizes", () => {
+    const ability = buildJwtAbility(["read:all"]);
+    expect(ability.can("read", [])).toBe(false);
+  });
+
+  it("authorizes a single resource via the non-array form (backwards compatible)", () => {
+    const ability = buildJwtAbility(["read:runs:run_abc"]);
+    expect(ability.can("read", { type: "runs", id: "run_abc" })).toBe(true);
+  });
+});
+
 describe("buildFallbackAbility", () => {
   it("returns permissiveAbility for non-admin users", () => {
     const ability = buildFallbackAbility(false);
diff --git a/internal-packages/rbac/src/ability.ts b/internal-packages/rbac/src/ability.ts
@@ -1,4 +1,14 @@
-import type { RbacAbility } from "@trigger.dev/plugins";
+import type { RbacAbility, RbacResource } from "@trigger.dev/plugins";
+
+// Applies a per-resource predicate across single or multi-resource inputs.
+// Array form means "any element passes → authorized", matching the legacy
+// multi-key checkAuthorization semantic.
+function anyResource(
+  resource: RbacResource | RbacResource[],
+  predicate: (r: RbacResource) => boolean
+): boolean {
+  return Array.isArray(resource) ? resource.some(predicate) : predicate(resource);
+}
 
 /** Every authenticated non-admin subject: can do anything, cannot do super-user actions. */
 export const permissiveAbility: RbacAbility = {
@@ -25,16 +35,18 @@ export function buildFallbackAbility(isAdmin: boolean): RbacAbility {
 /** Builds an ability from JWT scope strings like "read:runs", "read:runs:run_abc", "read:all", "admin". */
 export function buildJwtAbility(scopes: string[]): RbacAbility {
   return {
-    can(action: string, resource: { type: string; id?: string }): boolean {
-      return scopes.some((scope) => {
-        const [scopeAction, scopeType, scopeId] = scope.split(":");
-        if (scopeAction === "admin") return true;
-        if (scopeAction !== action && scopeAction !== "*") return false;
-        if (scopeType === "all") return true;
-        if (scopeType !== resource.type) return false;
-        if (!scopeId) return true;
-        return scopeId === resource.id;
-      });
+    can(action: string, resource: RbacResource | RbacResource[]): boolean {
+      return anyResource(resource, (r) =>
+        scopes.some((scope) => {
+          const [scopeAction, scopeType, scopeId] = scope.split(":");
+          if (scopeAction === "admin") return true;
+          if (scopeAction !== action && scopeAction !== "*") return false;
+          if (scopeType === "all") return true;
+          if (scopeType !== r.type) return false;
+          if (!scopeId) return true;
+          return scopeId === r.id;
+        })
+      );
     },
     canSuper(): boolean {
       return false;
diff --git a/internal-packages/rbac/src/index.ts b/internal-packages/rbac/src/index.ts
@@ -1,5 +1,6 @@
 import type {
   Permission,
+  RbacAbility,
   Role,
   RbacResource,
   RoleBaseAccessController,
@@ -17,6 +18,31 @@ export type RbacCreateOptions = {
   forceFallback?: boolean;
 };
 
+// Route actions that historically authorised via the legacy checkAuthorization's
+// superScopes escape hatch — e.g. a JWT with scope "write:tasks" was accepted by
+// a route with action: "trigger" because "write:tasks" was listed in the route's
+// superScopes array. The new ability model matches scope-action strictly, so we
+// restore the prior semantic here: when the underlying ability denies for action
+// X, retry with each aliased action. The retry covers both OSS fallback
+// (scope-based buildJwtAbility) and enterprise (DB/CASL-based) paths
+// transparently — neither implementation needs to know about aliases.
+const ACTION_ALIASES: Record<string, readonly string[]> = {
+  trigger: ["write"],
+  batchTrigger: ["write"],
+  update: ["write"],
+};
+
+export function withActionAliases(underlying: RbacAbility): RbacAbility {
+  return {
+    can(action: string, resource: RbacResource | RbacResource[]): boolean {
+      if (underlying.can(action, resource)) return true;
+      const aliases = ACTION_ALIASES[action] ?? [];
+      return aliases.some((a) => underlying.can(a, resource));
+    },
+    canSuper: () => underlying.canSuper(),
+  };
+}
+
 // Loads the enterprise plugin lazily; falls back to the OSS implementation if not installed.
 // Synchronous create() avoids top-level await (not supported in the webapp's CJS build).
 class LazyController implements RoleBaseAccessController {
@@ -49,19 +75,42 @@ class LazyController implements RoleBaseAccessController {
   }
 
   async authenticateBearer(...args: Parameters<RoleBaseAccessController["authenticateBearer"]>) {
-    return (await this.c()).authenticateBearer(...args);
+    const result = await (await this.c()).authenticateBearer(...args);
+    return result.ok ? { ...result, ability: withActionAliases(result.ability) } : result;
   }
 
   async authenticateSession(...args: Parameters<RoleBaseAccessController["authenticateSession"]>) {
-    return (await this.c()).authenticateSession(...args);
-  }
-
-  async authenticateAuthorizeBearer(...args: Parameters<RoleBaseAccessController["authenticateAuthorizeBearer"]>) {
-    return (await this.c()).authenticateAuthorizeBearer(...args);
-  }
-
-  async authenticateAuthorizeSession(...args: Parameters<RoleBaseAccessController["authenticateAuthorizeSession"]>) {
-    return (await this.c()).authenticateAuthorizeSession(...args);
+    const result = await (await this.c()).authenticateSession(...args);
+    return result.ok ? { ...result, ability: withActionAliases(result.ability) } : result;
+  }
+
+  // Don't delegate to the underlying Authorize variants — that would run the
+  // inline ability check against the unwrapped ability. Use our wrapped
+  // authenticate* and do the ability check here instead.
+  async authenticateAuthorizeBearer(
+    request: Parameters<RoleBaseAccessController["authenticateAuthorizeBearer"]>[0],
+    check: Parameters<RoleBaseAccessController["authenticateAuthorizeBearer"]>[1],
+    options?: Parameters<RoleBaseAccessController["authenticateAuthorizeBearer"]>[2]
+  ) {
+    const auth = await this.authenticateBearer(request, options);
+    if (!auth.ok) return auth;
+    if (!auth.ability.can(check.action, check.resource)) {
+      return { ok: false as const, status: 403 as const, error: "Unauthorized" };
+    }
+    return auth;
+  }
+
+  async authenticateAuthorizeSession(
+    request: Parameters<RoleBaseAccessController["authenticateAuthorizeSession"]>[0],
+    context: Parameters<RoleBaseAccessController["authenticateAuthorizeSession"]>[1],
+    check: Parameters<RoleBaseAccessController["authenticateAuthorizeSession"]>[2]
+  ) {
+    const auth = await this.authenticateSession(request, context);
+    if (!auth.ok) return auth;
+    if (!auth.ability.can(check.action, check.resource)) {
+      return { ok: false as const, reason: "unauthorized" as const };
+    }
+    return auth;
   }
 
   async allPermissions(...args: Parameters<RoleBaseAccessController["allPermissions"]>): Promise<Permission[]> {
diff --git a/internal-packages/rbac/src/loader.test.ts b/internal-packages/rbac/src/loader.test.ts
@@ -0,0 +1,69 @@
+import type { RbacAbility } from "@trigger.dev/plugins";
+import { describe, expect, it } from "vitest";
+import { buildJwtAbility } from "./ability.js";
+import { withActionAliases } from "./index.js";
+
+describe("withActionAliases", () => {
+  it("direct action match passes through unchanged", () => {
+    const ability = withActionAliases(buildJwtAbility(["write:tasks"]));
+    expect(ability.can("write", { type: "tasks", id: "task_x" })).toBe(true);
+  });
+
+  it("trigger action is satisfied by a write:tasks scope (alias retry)", () => {
+    const ability = withActionAliases(buildJwtAbility(["write:tasks"]));
+    expect(ability.can("trigger", { type: "tasks", id: "task_x" })).toBe(true);
+  });
+
+  it("batchTrigger action is satisfied by a write:tasks scope (alias retry)", () => {
+    const ability = withActionAliases(buildJwtAbility(["write:tasks"]));
+    expect(ability.can("batchTrigger", { type: "tasks", id: "task_x" })).toBe(true);
+  });
+
+  it("update action is satisfied by a write:prompts scope (alias retry)", () => {
+    const ability = withActionAliases(buildJwtAbility(["write:prompts"]));
+    expect(ability.can("update", { type: "prompts", id: "p_x" })).toBe(true);
+  });
+
+  it("id-scoped write scope satisfies the aliased action on matching id", () => {
+    const ability = withActionAliases(buildJwtAbility(["write:tasks:task_x"]));
+    expect(ability.can("trigger", { type: "tasks", id: "task_x" })).toBe(true);
+  });
+
+  it("id-scoped write scope denies the aliased action on a different id", () => {
+    const ability = withActionAliases(buildJwtAbility(["write:tasks:task_x"]));
+    expect(ability.can("trigger", { type: "tasks", id: "task_other" })).toBe(false);
+  });
+
+  it("read scope does not satisfy a trigger action (aliases are write-only)", () => {
+    const ability = withActionAliases(buildJwtAbility(["read:tasks"]));
+    expect(ability.can("trigger", { type: "tasks", id: "task_x" })).toBe(false);
+  });
+
+  it("non-aliased custom action only matches its direct action scope", () => {
+    const ability = withActionAliases(buildJwtAbility(["read:runs"]));
+    expect(ability.can("someOtherAction", { type: "runs", id: "run_x" })).toBe(false);
+  });
+
+  it("admin scope continues to grant everything regardless of aliases", () => {
+    const ability = withActionAliases(buildJwtAbility(["admin"]));
+    expect(ability.can("trigger", { type: "tasks", id: "task_x" })).toBe(true);
+    expect(ability.can("batchTrigger", { type: "tasks", id: "task_x" })).toBe(true);
+    expect(ability.can("anything", { type: "whatever", id: "x" })).toBe(true);
+  });
+
+  it("array resource form: alias retry applies when any element passes", () => {
+    const ability = withActionAliases(buildJwtAbility(["write:tasks:task_x"]));
+    const resources = [
+      { type: "tasks", id: "task_other" },
+      { type: "tasks", id: "task_x" },
+    ];
+    expect(ability.can("trigger", resources)).toBe(true);
+  });
+
+  it("canSuper is delegated unchanged", () => {
+    const allowSuper: RbacAbility = { can: () => false, canSuper: () => true };
+    const denySuper: RbacAbility = { can: () => false, canSuper: () => false };
+    expect(withActionAliases(allowSuper).canSuper()).toBe(true);
+    expect(withActionAliases(denySuper).canSuper()).toBe(false);
+  });
+});
diff --git a/packages/plugins/src/rbac.ts b/packages/plugins/src/rbac.ts
@@ -46,7 +46,11 @@ export type RbacUser = {
 
 /** Pre-built ability returned by authenticate* — all checks are sync, no DB call. */
 export interface RbacAbility {
-  can(action: string, resource: RbacResource): boolean;
+  // Array form means "grant access if any resource in the array passes" —
+  // used by routes that touch multiple resources (e.g. a run also carries
+  // a batch id, tags, a task identifier) so a JWT scoped to any of them
+  // grants access.
+  can(action: string, resource: RbacResource | RbacResource[]): boolean;
   canSuper(): boolean;
 }
 
