feat: email invite and default oidc resources assignments (#7252)

Co-authored-by: jdolle <[email protected]>

Author: n1ru4l

.changeset/common-crabs-grow.md

@@ -0,0 +1,5 @@
+---
+'hive': minor
+---
+
+Support selecting resources when inviting a user via email.

.changeset/strong-carrots-sniff.md

@@ -0,0 +1,5 @@
+---
+'hive': minor
+---
+
+Support assigning default resources for new OIDC members.

integration-tests/testkit/seed.ts

@@ -889,7 +889,11 @@ export function initSeed() {
                 },
               };
             },
-            async inviteAndJoinMember(inviteToken: string = ownerToken) {
+            async inviteAndJoinMember(
+              inviteToken: string = ownerToken,
+              memberRoleId: string | undefined = undefined,
+              resources: GraphQLSchema.ResourceAssignmentInput | undefined = undefined,
+            ) {
               const memberEmail = userEmail(generateUnique());
               const memberToken = await authenticate(memberEmail).then(r => r.access_token);
 
@@ -901,6 +905,8 @@ export function initSeed() {
                     },
                   },
                   email: memberEmail,
+                  memberRoleId,
+                  resources,
                 },
                 inviteToken,
               ).then(r => r.expectNoGraphQLErrors());

integration-tests/tests/api/oidc-integrations/assigned-resources.spec.ts

@@ -0,0 +1,286 @@
+import { graphql } from 'testkit/gql';
+import { ResourceAssignmentModeType } from 'testkit/gql/graphql';
+import { execute } from 'testkit/graphql';
+import { initSeed } from 'testkit/seed';
+
+const AssignedResourcesSpec_CreateOIDCIntegrationMutation = graphql(`
+  mutation AssignedResourcesSpec_CreateOIDCIntegrationMutation(
+    $input: CreateOIDCIntegrationInput!
+  ) {
+    createOIDCIntegration(input: $input) {
+      ok {
+        createdOIDCIntegration {
+          id
+          defaultResourceAssignment {
+            mode
+          }
+        }
+      }
+    }
+  }
+`);
+
+const AssignedResourcesSpec_ReadDefaultTest = graphql(`
+  query AssignedResourcesSpec_ReadDefaultTest($organizationSlug: String!) {
+    organization(reference: { bySelector: { organizationSlug: $organizationSlug } }) {
+      id
+      oidcIntegration {
+        defaultResourceAssignment {
+          mode
+          projects {
+            project {
+              id
+              slug
+            }
+            targets {
+              mode
+              targets {
+                target {
+                  id
+                  slug
+                }
+                services {
+                  mode
+                  services
+                }
+                appDeployments {
+                  mode
+                  appDeployments
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+`);
+
+const AssignedResourcesSpec_UpdateDefaultMutation = graphql(`
+  mutation AssignedResourcesSpec_UpdateDefaultMutation(
+    $input: UpdateOIDCDefaultResourceAssignmentInput!
+  ) {
+    updateOIDCDefaultResourceAssignment(input: $input) {
+      ok {
+        updatedOIDCIntegration {
+          id
+          defaultResourceAssignment {
+            mode
+            projects {
+              project {
+                id
+                slug
+              }
+              targets {
+                mode
+                targets {
+                  target {
+                    id
+                    slug
+                  }
+                  services {
+                    mode
+                    services
+                  }
+                  appDeployments {
+                    mode
+                    appDeployments
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+      error {
+        message
+      }
+    }
+  }
+`);
+
+async function setup() {
+  const { ownerToken, createOrg } = await initSeed().createOwner();
+  const { organization, createOrganizationAccessToken } = await createOrg();
+
+  const result = await execute({
+    document: AssignedResourcesSpec_CreateOIDCIntegrationMutation,
+    variables: {
+      input: {
+        organizationId: organization.id,
+        clientId: 'foo',
+        clientSecret: 'foofoofoofoo',
+        tokenEndpoint: 'http://localhost:8888/oauth/token',
+        userinfoEndpoint: 'http://localhost:8888/oauth/userinfo',
+        authorizationEndpoint: 'http://localhost:8888/oauth/authorize',
+      },
+    },
+    authToken: ownerToken,
+  }).then(r => r.expectNoGraphQLErrors());
+
+  // no default exists at creation
+  expect(result.createOIDCIntegration.ok?.createdOIDCIntegration.defaultResourceAssignment).toBe(
+    null,
+  );
+  return {
+    organization,
+    ownerToken,
+    oidcIntegrationId: result.createOIDCIntegration.ok?.createdOIDCIntegration.id!,
+    createOrganizationAccessToken,
+  };
+}
+
+describe('read OIDC', () => {
+  describe('permissions="organization:integrations"', () => {
+    test.concurrent('success', async ({ expect }) => {
+      const { organization, ownerToken, oidcIntegrationId } = await setup();
+
+      await execute({
+        document: AssignedResourcesSpec_UpdateDefaultMutation,
+        variables: {
+          input: {
+            oidcIntegrationId,
+            resources: {
+              mode: ResourceAssignmentModeType.All,
+            },
+          },
+        },
+        authToken: ownerToken,
+      }).then(r => r.expectNoGraphQLErrors());
+
+      const read = await execute({
+        document: AssignedResourcesSpec_ReadDefaultTest,
+        variables: {
+          organizationSlug: organization.slug,
+        },
+        authToken: ownerToken,
+      }).then(r => r.expectNoGraphQLErrors());
+
+      expect(read).toEqual({
+        organization: {
+          id: expect.stringMatching('.+'),
+          oidcIntegration: {
+            defaultResourceAssignment: {
+              mode: 'ALL',
+              projects: null,
+            },
+          },
+        },
+      });
+    });
+  });
+
+  describe('permissions missing "organization:integrations"', () => {
+    test.concurrent('fail', async ({ expect }) => {
+      const { organization, ownerToken, oidcIntegrationId, createOrganizationAccessToken } =
+        await setup();
+      const { privateAccessKey: readToken } = await createOrganizationAccessToken({
+        permissions: ['organization:read'],
+        resources: { mode: ResourceAssignmentModeType.All },
+      });
+
+      await execute({
+        document: AssignedResourcesSpec_UpdateDefaultMutation,
+        variables: {
+          input: {
+            oidcIntegrationId,
+            resources: {
+              mode: ResourceAssignmentModeType.All,
+            },
+          },
+        },
+        authToken: ownerToken,
+      }).then(r => r.expectNoGraphQLErrors());
+
+      const errors = await execute({
+        document: AssignedResourcesSpec_ReadDefaultTest,
+        variables: {
+          organizationSlug: organization.slug,
+        },
+        authToken: readToken,
+      }).then(r => r.expectGraphQLErrors());
+      expect(errors).toHaveLength(1);
+      expect(errors).toMatchObject([
+        {
+          extensions: {
+            code: 'UNAUTHORISED',
+          },
+          message: `No access (reason: "Missing permission for performing 'organization:describe' on resource")`,
+          path: ['organization'],
+        },
+      ]);
+    });
+  });
+});
+
+describe('update OIDC default assigned resources', () => {
+  describe('permissions="oidc:modify"', () => {
+    test.concurrent('success', async ({ expect }) => {
+      const { ownerToken, oidcIntegrationId } = await setup();
+
+      const update = await execute({
+        document: AssignedResourcesSpec_UpdateDefaultMutation,
+        variables: {
+          input: {
+            oidcIntegrationId,
+            resources: {
+              mode: ResourceAssignmentModeType.All,
+            },
+          },
+        },
+        authToken: ownerToken,
+      }).then(r => r.expectNoGraphQLErrors());
+
+      expect(update).toEqual({
+        updateOIDCDefaultResourceAssignment: {
+          error: null,
+          ok: {
+            updatedOIDCIntegration: {
+              defaultResourceAssignment: {
+                mode: 'ALL',
+                projects: null,
+              },
+              id: expect.stringMatching('.+'),
+            },
+          },
+        },
+      });
+    });
+  });
+
+  describe('permissions missing "oidc:modify"', () => {
+    test.concurrent('fails', async ({ expect }) => {
+      const { createOrganizationAccessToken, ownerToken, oidcIntegrationId } = await setup();
+
+      const { privateAccessKey: accessToken } = await createOrganizationAccessToken({
+        permissions: ['organization:read'],
+        resources: {
+          mode: ResourceAssignmentModeType.All,
+        },
+      });
+
+      const errors = await execute({
+        document: AssignedResourcesSpec_UpdateDefaultMutation,
+        variables: {
+          input: {
+            oidcIntegrationId,
+            resources: {
+              mode: ResourceAssignmentModeType.All,
+            },
+          },
+        },
+        authToken: accessToken,
+      }).then(r => r.expectGraphQLErrors());
+      expect(errors).toHaveLength(1);
+      expect(errors).toMatchObject([
+        {
+          extensions: {
+            code: 'UNAUTHORISED',
+          },
+          message: `No access (reason: "Missing permission for performing 'oidc:modify' on resource")`,
+          path: ['updateOIDCDefaultResourceAssignment'],
+        },
+      ]);
+    });
+  });
+});

integration-tests/tests/api/organization/members.spec.ts

@@ -1,4 +1,5 @@
 import { graphql } from 'testkit/gql';
+import { ResourceAssignmentModeType } from 'testkit/gql/graphql';
 import { execute } from 'testkit/graphql';
 import { history } from '../../../testkit/emails';
 import { initSeed } from '../../../testkit/seed';
@@ -141,6 +142,38 @@ test.concurrent('can not invite with role not existing in organization', async (
   });
 });
 
+test.concurrent('invite user with assigned resouces', async ({ expect }) => {
+  const seed = initSeed();
+  const owner = await seed.createOwner();
+  const org = await owner.createOrg();
+  const { project: project1 } = await org.createProject();
+  // we just create this to make sure it does not show up :)
+  const { project: _project2 } = await org.createProject();
+  const { project: project3 } = await org.createProject();
+
+  const m = await org.inviteAndJoinMember();
+  const role = await m.createMemberRole(['organization:describe', 'project:describe']);
+
+  const member = await org.inviteAndJoinMember(undefined, role.id, {
+    mode: ResourceAssignmentModeType.Granular,
+    projects: [
+      {
+        projectId: project1.id,
+        targets: { mode: ResourceAssignmentModeType.Granular, targets: [] },
+      },
+      {
+        projectId: project3.id,
+        targets: { mode: ResourceAssignmentModeType.Granular, targets: [] },
+      },
+    ],
+  });
+
+  const result = await org.projects(member.memberToken);
+  expect(result).toHaveLength(2);
+  expect(result[0].id).toEqual(project3.id);
+  expect(result[1].id).toEqual(project1.id);
+});
+
 test.concurrent(
   'cannot join organization twice using the same invitation code',
   async ({ expect }) => {

packages/migrations/src/actions/2025.11.12T00-00-00.granular-oidc-role-permissions.ts

@@ -0,0 +1,14 @@
+import { type MigrationExecutor } from '../pg-migrator';
+
+export default {
+  name: '2025.11.12T00-00-00.granular-oidc-role-permissions.ts',
+  run: ({ sql }) => sql`
+    ALTER TABLE "oidc_integrations"
+      ADD COLUMN "default_assigned_resources" JSONB
+    ;
+
+    ALTER TABLE "organization_invitations"
+      ADD COLUMN "assigned_resources" JSONB
+    ;
+  `,
+} satisfies MigrationExecutor;

packages/migrations/src/run-pg-migrations.ts

@@ -169,5 +169,6 @@ export const runPGMigrations = async (args: { slonik: DatabasePool; runTo?: stri
       await import('./actions/2025.05.28T00-00-00.schema-log-by-ids'),
       await import('./actions/2025.10.16T00-00-00.schema-log-by-commit-ordered'),
       await import('./actions/2025.10.17T00-00-00.project-access-tokens'),
+      await import('./actions/2025.11.12T00-00-00.granular-oidc-role-permissions'),
     ],
   });