feat: allow non target access actors to check, compose, delete and publish schemas (#6449)

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: n1ru4l

.changeset/hungry-files-sneeze.md

@@ -0,0 +1,6 @@
+---
+'hive': minor
+---
+
+Modify GraphQL fields used by CLI to accept an optional specified target that is used for
+identifying the affected target instead of resolving the target from the access token.

.changeset/wet-eggs-rule.md

@@ -0,0 +1,30 @@
+---
+'@graphql-hive/cli': minor
+---
+
+Add `--target` flag for commands `app:create`, `app:publish`, `operations:check`, `schema:check`,
+`schema:delete`, `schema:fetch`, `schema:publish` and `dev`.
+
+The `--target` flag can be used to specify the target on which the operation should be performed.
+Either a slug or ID of the target can be provided.
+
+A provided slug must follow the format `$organizationSlug/$projectSlug/$targetSlug` (e.g.
+`the-guild/graphql-hive/staging`).
+
+**Example using target slug**
+
+```bash
+hive schema:publish --target the-guild/graphql-hive/production ./my-schema.graphql
+```
+
+A target id, must be a valid target UUID.
+
+**Example using target id**
+
+```bash
+hive schema:publish --target a0f4c605-6541-4350-8cfe-b31f21a4bf80 ./my-schema.graphql
+```
+
+**Note:** We encourage starting to use the `--target` flag today. In the future the flag will become
+mandatory as we are moving to a more flexible approach of access tokens that can be granted access
+to multiple targets.

integration-tests/testkit/cli-snapshot-serializer.ts

@@ -45,10 +45,18 @@ const variableReplacements = [
     pattern: /(Reference: )[^ ]+/gi,
     mask: '$1__ID__',
   },
+  {
+    pattern: /(Request ID:)[^)]+"/gi,
+    mask: '$1 __REQUEST_ID__',
+  },
   {
     pattern: /(https?:\/\/)[^\n ]+/gi,
     mask: '$1__URL__',
   },
+  {
+    pattern: /[ ]+\n/gi,
+    mask: '\n',
+  },
 ];
 
 /**

integration-tests/tests/cli/__snapshots__/schema.spec.ts.snap

@@ -163,7 +163,7 @@ exports[`FEDERATION > schema:publish should see Invalid Token error when token i
 exitCode------------------------------------------:
 2
 stderr--------------------------------------------:
- ›   Error: A valid registry token is required to perform the action. The 
+ ›   Error: A valid registry token is required to perform the action. The
  ›   registry token used does not exist or has been revoked.  [106]
  ›   > See https://__URL__ for
  ›    a complete list of error codes and recommended fixes.
@@ -319,7 +319,7 @@ exports[`SINGLE > schema:publish should see Invalid Token error when token is in
 exitCode------------------------------------------:
 2
 stderr--------------------------------------------:
- ›   Error: A valid registry token is required to perform the action. The 
+ ›   Error: A valid registry token is required to perform the action. The
  ›   registry token used does not exist or has been revoked.  [106]
  ›   > See https://__URL__ for
  ›    a complete list of error codes and recommended fixes.
@@ -493,7 +493,7 @@ exports[`STITCHING > schema:publish should see Invalid Token error when token is
 exitCode------------------------------------------:
 2
 stderr--------------------------------------------:
- ›   Error: A valid registry token is required to perform the action. The 
+ ›   Error: A valid registry token is required to perform the action. The
  ›   registry token used does not exist or has been revoked.  [106]
  ›   > See https://__URL__ for
  ›    a complete list of error codes and recommended fixes.

integration-tests/tests/cli/schema.spec.ts

@@ -328,7 +328,7 @@ describe.each([ProjectType.Stitching, ProjectType.Federation, ProjectType.Single
         const { inviteAndJoinMember, createProject } = await createOrg();
         await inviteAndJoinMember();
         const { createTargetAccessToken } = await createProject(projectType);
-        const { secret, latestSchema } = await createTargetAccessToken({});
+        const { secret } = await createTargetAccessToken({});
 
         const cli = createCLI({
           readonly: secret,
@@ -355,3 +355,101 @@ describe.each([ProjectType.Stitching, ProjectType.Federation, ProjectType.Single
     );
   },
 );
+
+test.concurrent(
+  'schema:publish with --target parameter matching the access token (slug)',
+  async ({ expect }) => {
+    const { createOrg } = await initSeed().createOwner();
+    const { inviteAndJoinMember, createProject, organization } = await createOrg();
+    await inviteAndJoinMember();
+    const { createTargetAccessToken, project, target } = await createProject();
+    const { secret } = await createTargetAccessToken({});
+
+    const targetSlug = [organization.slug, project.slug, target.slug].join('/');
+
+    await expect(
+      schemaPublish([
+        '--registry.accessToken',
+        secret,
+        '--author',
+        'Kamil',
+        '--target',
+        targetSlug,
+        'fixtures/init-schema.graphql',
+      ]),
+    ).resolves.toMatchInlineSnapshot(`
+      :::::::::::::::: CLI SUCCESS OUTPUT :::::::::::::::::
+
+      stdout--------------------------------------------:
+      ✔ Published initial schema.
+      ℹ Available at http://__URL__
+    `);
+  },
+);
+
+test.concurrent(
+  'schema:publish with --target parameter matching the access token (UUID)',
+  async ({ expect }) => {
+    const { createOrg } = await initSeed().createOwner();
+    const { inviteAndJoinMember, createProject } = await createOrg();
+    await inviteAndJoinMember();
+    const { createTargetAccessToken, target } = await createProject();
+    const { secret } = await createTargetAccessToken({});
+
+    await expect(
+      schemaPublish([
+        '--registry.accessToken',
+        secret,
+        '--author',
+        'Kamil',
+        '--target',
+        target.id,
+        'fixtures/init-schema.graphql',
+      ]),
+    ).resolves.toMatchInlineSnapshot(`
+      :::::::::::::::: CLI SUCCESS OUTPUT :::::::::::::::::
+
+      stdout--------------------------------------------:
+      ✔ Published initial schema.
+      ℹ Available at http://__URL__
+    `);
+  },
+);
+
+test.concurrent(
+  'schema:publish fails with --target parameter not matching the access token (slug)',
+  async ({ expect }) => {
+    const { createOrg } = await initSeed().createOwner();
+    const { inviteAndJoinMember, createProject } = await createOrg();
+    await inviteAndJoinMember();
+    const { createTargetAccessToken } = await createProject();
+    const { secret } = await createTargetAccessToken({});
+
+    const targetSlug = 'i/do/not-match';
+
+    await expect(
+      schemaPublish([
+        '--registry.accessToken',
+        secret,
+        '--author',
+        'Kamil',
+        '--target',
+        targetSlug,
+        'fixtures/init-schema.graphql',
+      ]),
+    ).rejects.toMatchInlineSnapshot(`
+      :::::::::::::::: CLI FAILURE OUTPUT :::::::::::::::
+      exitCode------------------------------------------:
+      2
+      stderr--------------------------------------------:
+       ›   Error: No access (reason: "Missing permission for performing
+       ›   'schemaVersion:publish' on resource")  (Request ID: __REQUEST_ID__)  [115]
+       ›   > See https://__URL__ for
+       ›    a complete list of error codes and recommended fixes.
+       ›   To disable this message set HIVE_NO_ERROR_TIP=1
+       ›   Reference: __ID__
+      stdout--------------------------------------------:
+      __NONE__
+    `);
+  },
+);

packages/libraries/cli/src/commands/app/create.ts

@@ -3,13 +3,16 @@ import { Args, Flags } from '@oclif/core';
 import Command from '../../base-command';
 import { graphql } from '../../gql';
 import { AppDeploymentStatus } from '../../gql/graphql';
+import * as GraphQLSchema from '../../gql/graphql';
 import { graphqlEndpoint } from '../../helpers/config';
 import {
   APIError,
+  InvalidTargetError,
   MissingEndpointError,
   MissingRegistryTokenError,
   PersistedOperationsMalformedError,
 } from '../../helpers/errors';
+import * as TargetInput from '../../helpers/target-input';
 
 export default class AppCreate extends Command<typeof AppCreate> {
   static description = 'create an app deployment';
@@ -28,6 +31,12 @@ export default class AppCreate extends Command<typeof AppCreate> {
       description: 'app version',
       required: true,
     }),
+    target: Flags.string({
+      description:
+        'The target in which the app deployment will be created.' +
+        ' This can either be a slug following the format "$organizationSlug/$projectSlug/$targetSlug" (e.g "the-guild/graphql-hive/staging")' +
+        ' or an UUID (e.g. "a0f4c605-6541-4350-8cfe-b31f21a4bf80").',
+    }),
   };
 
   static args = {
@@ -66,6 +75,15 @@ export default class AppCreate extends Command<typeof AppCreate> {
       throw new MissingRegistryTokenError();
     }
 
+    let target: GraphQLSchema.TargetReferenceInput | null = null;
+    if (flags.target) {
+      const result = TargetInput.parse(flags.target);
+      if (result.type === 'error') {
+        throw new InvalidTargetError();
+      }
+      target = result.data;
+    }
+
     const file: string = args.file;
     const contents = this.readJSON(file);
     const operations: unknown = JSON.parse(contents);
@@ -81,6 +99,7 @@ export default class AppCreate extends Command<typeof AppCreate> {
         input: {
           appName: flags['name'],
           appVersion: flags['version'],
+          target,
         },
       },
     });
@@ -108,6 +127,7 @@ export default class AppCreate extends Command<typeof AppCreate> {
           operation: AddDocumentsToAppDeploymentMutation,
           variables: {
             input: {
+              target,
               appName: flags['name'],
               appVersion: flags['version'],
               documents: buffer,

packages/libraries/cli/src/commands/app/publish.ts

@@ -1,8 +1,15 @@
 import { Flags } from '@oclif/core';
 import Command from '../../base-command';
 import { graphql } from '../../gql';
+import * as GraphQLSchema from '../../gql/graphql';
 import { graphqlEndpoint } from '../../helpers/config';
-import { APIError, MissingEndpointError, MissingRegistryTokenError } from '../../helpers/errors';
+import {
+  APIError,
+  InvalidTargetError,
+  MissingEndpointError,
+  MissingRegistryTokenError,
+} from '../../helpers/errors';
+import * as TargetInput from '../../helpers/target-input';
 
 export default class AppPublish extends Command<typeof AppPublish> {
   static description = 'publish an app deployment';
@@ -21,6 +28,12 @@ export default class AppPublish extends Command<typeof AppPublish> {
       description: 'app version',
       required: true,
     }),
+    target: Flags.string({
+      description:
+        'The target in which the app deployment will be published (slug or ID).' +
+        ' This can either be a slug following the format "$organizationSlug/$projectSlug/$targetSlug" (e.g "the-guild/graphql-hive/staging")' +
+        ' or an UUID (e.g. "a0f4c605-6541-4350-8cfe-b31f21a4bf80").',
+    }),
   };
 
   async run() {
@@ -50,10 +63,20 @@ export default class AppPublish extends Command<typeof AppPublish> {
       throw new MissingRegistryTokenError();
     }
 
+    let target: GraphQLSchema.TargetReferenceInput | null = null;
+    if (flags.target) {
+      const result = TargetInput.parse(flags.target);
+      if (result.type === 'error') {
+        throw new InvalidTargetError();
+      }
+      target = result.data;
+    }
+
     const result = await this.registryApi(endpoint, accessToken).request({
       operation: ActivateAppDeploymentMutation,
       variables: {
         input: {
+          target,
           appName: flags['name'],
           appVersion: flags['version'],
         },

packages/libraries/cli/src/commands/dev.ts

@@ -10,12 +10,14 @@ import {
 } from '@theguild/federation-composition';
 import Command from '../base-command';
 import { graphql } from '../gql';
+import * as GraphQLSchema from '../gql/graphql';
 import { graphqlEndpoint } from '../helpers/config';
 import {
   APIError,
   HiveCLIError,
   IntrospectionError,
   InvalidCompositionResultError,
+  InvalidTargetError,
   LocalCompositionError,
   MissingEndpointError,
   MissingRegistryTokenError,
@@ -24,6 +26,7 @@ import {
   UnexpectedError,
 } from '../helpers/errors';
 import { loadSchema } from '../helpers/schema';
+import * as TargetInput from '../helpers/target-input';
 import { invariant } from '../helpers/validation';
 
 const CLI_SchemaComposeMutation = graphql(/* GraphQL */ `
@@ -172,10 +175,16 @@ export default class Dev extends Command<typeof Dev> {
     unstable__forceLatest: Flags.boolean({
       hidden: true,
       description:
-        'Force the command to use the latest version of the CLI, not the latest composable version. ',
+        'Force the command to use the latest version of the CLI, not the latest composable version.',
       default: false,
       dependsOn: ['remote'],
     }),
+    target: Flags.string({
+      description:
+        'The target to use for composition (slug or ID).' +
+        ' This can either be a slug following the format "$organizationSlug/$projectSlug/$targetSlug" (e.g "the-guild/graphql-hive/staging")' +
+        ' or an UUID (e.g. "a0f4c605-6541-4350-8cfe-b31f21a4bf80").',
+    }),
   };
 
   async run() {
@@ -200,6 +209,15 @@ export default class Dev extends Command<typeof Dev> {
       };
     });
 
+    let target: GraphQLSchema.TargetReferenceInput | null = null;
+    if (flags.target) {
+      const result = TargetInput.parse(flags.target);
+      if (result.type === 'error') {
+        throw new InvalidTargetError();
+      }
+      target = result.data;
+    }
+
     if (flags.watch === true) {
       if (isRemote) {
         let registry: string, token: string;
@@ -234,6 +252,7 @@ export default class Dev extends Command<typeof Dev> {
             token,
             write: flags.write,
             unstable__forceLatest,
+            target,
             onError: error => {
               // watch mode should not exit. Log instead.
               this.logFailure(error.message);
@@ -291,6 +310,7 @@ export default class Dev extends Command<typeof Dev> {
         token,
         write: flags.write,
         unstable__forceLatest,
+        target,
         onError: error => {
           throw error;
         },
@@ -354,6 +374,7 @@ export default class Dev extends Command<typeof Dev> {
     token: string;
     write: string;
     unstable__forceLatest: boolean;
+    target: GraphQLSchema.TargetReferenceInput | null;
     onError: (error: HiveCLIError) => void | never;
   }) {
     const result = await this.registryApi(input.registry, input.token).request({
@@ -366,6 +387,7 @@ export default class Dev extends Command<typeof Dev> {
             url: service.url,
             sdl: service.sdl,
           })),
+          target: input.target,
         },
       },
     });