feat(server): expose fields for managing access tokens via the public API (#6710)

Author: n1ru4l

integration-tests/testkit/seed.ts

@@ -843,7 +843,7 @@ export function initSeed() {
                       userId: input.userId,
                       roleId: input.roleId,
                       resources: input.resources ?? {
-                        mode: GraphQLSchema.ResourceAssignmentMode.All,
+                        mode: GraphQLSchema.ResourceAssignmentModeType.All,
                         projects: [],
                       },
                     },

integration-tests/tests/api/organization-access-tokens.spec.ts

@@ -86,7 +86,7 @@ test.concurrent('create: success', async () => {
         },
         title: 'a access token',
         description: 'Some description',
-        resources: { mode: GraphQLSchema.ResourceAssignmentMode.All },
+        resources: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
         permissions: [],
       },
     },
@@ -118,7 +118,7 @@ test.concurrent('create: failure invalid title', async ({ expect }) => {
         },
         title: '   ',
         description: 'Some description',
-        resources: { mode: GraphQLSchema.ResourceAssignmentMode.All },
+        resources: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
         permissions: [],
       },
     },
@@ -149,7 +149,7 @@ test.concurrent('create: failure invalid description', async ({ expect }) => {
         },
         title: 'a access token',
         description: new Array(300).fill('A').join(''),
-        resources: { mode: GraphQLSchema.ResourceAssignmentMode.All },
+        resources: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
         permissions: [],
       },
     },
@@ -181,7 +181,7 @@ test.concurrent('create: failure because no access to organization', async ({ ex
         },
         title: 'a access token',
         description: 'Some description',
-        resources: { mode: GraphQLSchema.ResourceAssignmentMode.All },
+        resources: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
         permissions: [],
       },
     },
@@ -213,7 +213,7 @@ test.concurrent('query GraphQL API on resources with access', async ({ expect })
         },
         title: 'a access token',
         description: 'a description',
-        resources: { mode: GraphQLSchema.ResourceAssignmentMode.All },
+        resources: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
         permissions: ['organization:describe', 'project:describe'],
       },
     },
@@ -263,11 +263,11 @@ test.concurrent('query GraphQL API on resources without access', async ({ expect
         title: 'a access token',
         description: 'a description',
         resources: {
-          mode: GraphQLSchema.ResourceAssignmentMode.Granular,
+          mode: GraphQLSchema.ResourceAssignmentModeType.Granular,
           projects: [
             {
               projectId: project1.project.id,
-              targets: { mode: GraphQLSchema.ResourceAssignmentMode.All },
+              targets: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
             },
           ],
         },
@@ -327,7 +327,7 @@ test.concurrent('pagination', async ({ expect }) => {
         title: 'first access token',
         description: 'a description',
         resources: {
-          mode: GraphQLSchema.ResourceAssignmentMode.All,
+          mode: GraphQLSchema.ResourceAssignmentModeType.All,
         },
         permissions: ['organization:describe'],
       },
@@ -345,7 +345,7 @@ test.concurrent('pagination', async ({ expect }) => {
         title: 'second access token',
         description: 'a description',
         resources: {
-          mode: GraphQLSchema.ResourceAssignmentMode.All,
+          mode: GraphQLSchema.ResourceAssignmentModeType.All,
         },
         permissions: ['organization:describe'],
       },

integration-tests/tests/api/project/crud.spec.ts

@@ -1,4 +1,4 @@
-import { ProjectType, ResourceAssignmentMode } from 'testkit/gql/graphql';
+import { ProjectType, ResourceAssignmentModeType } from 'testkit/gql/graphql';
 import { updateProjectSlug } from '../../../testkit/flow';
 import { initSeed } from '../../../testkit/seed';
 
@@ -217,7 +217,7 @@ test.concurrent('prevent access to projects with assigned resources on member',
     roleId: member.role.id,
     userId: member.user.id,
     resources: {
-      mode: ResourceAssignmentMode.Granular,
+      mode: ResourceAssignmentModeType.Granular,
       projects: [],
     },
   });
@@ -246,11 +246,11 @@ test.concurrent('restrict access to single project with assigned resources on me
     roleId: member.role.id,
     userId: member.user.id,
     resources: {
-      mode: ResourceAssignmentMode.Granular,
+      mode: ResourceAssignmentModeType.Granular,
       projects: [
         {
           projectId: firstProject.id,
-          targets: { mode: ResourceAssignmentMode.All },
+          targets: { mode: ResourceAssignmentModeType.All },
         },
       ],
     },

integration-tests/tests/api/schema/check.spec.ts

@@ -1,6 +1,6 @@
 import {
   ProjectType,
-  ResourceAssignmentMode,
+  ResourceAssignmentModeType,
   RuleInstanceSeverityLevel,
 } from 'testkit/gql/graphql';
 // eslint-disable-next-line import/no-extraneous-dependencies
@@ -1370,7 +1370,7 @@ test.concurrent(
     await assignMemberRole({
       roleId: member.role.id,
       userId: member.user.id,
-      resources: { mode: ResourceAssignmentMode.Granular, projects: [] },
+      resources: { mode: ResourceAssignmentModeType.Granular, projects: [] },
     });
 
     // Attempt approving the failed schema check
@@ -1448,7 +1448,7 @@ test.concurrent(
     await assignMemberRole({
       roleId: memberRole.id,
       userId: member.user.id,
-      resources: { mode: ResourceAssignmentMode.Granular, projects: [] },
+      resources: { mode: ResourceAssignmentModeType.Granular, projects: [] },
     });
 
     // Attempt approving the failed schema check
@@ -1529,12 +1529,12 @@ test.concurrent(
       roleId: memberRole.id,
       userId: member.user.id,
       resources: {
-        mode: ResourceAssignmentMode.Granular,
+        mode: ResourceAssignmentModeType.Granular,
         projects: [
           {
             projectId: project.id,
             targets: {
-              mode: ResourceAssignmentMode.Granular,
+              mode: ResourceAssignmentModeType.Granular,
               targets: [],
             },
           },
@@ -1618,17 +1618,17 @@ test.concurrent(
       roleId: memberRole.id,
       userId: member.user.id,
       resources: {
-        mode: ResourceAssignmentMode.Granular,
+        mode: ResourceAssignmentModeType.Granular,
         projects: [
           {
             projectId: project.id,
             targets: {
-              mode: ResourceAssignmentMode.Granular,
+              mode: ResourceAssignmentModeType.Granular,
               targets: [
                 {
                   targetId: target.id,
-                  appDeployments: { mode: ResourceAssignmentMode.All },
-                  services: { mode: ResourceAssignmentMode.All },
+                  appDeployments: { mode: ResourceAssignmentModeType.All },
+                  services: { mode: ResourceAssignmentModeType.All },
                 },
               ],
             },

integration-tests/tests/cli/schema.spec.ts

@@ -770,7 +770,7 @@ test('schema:check without `--target` flag fails for organization access token',
   const privateKey = await createOrganizationAccessToken({
     permissions: ['schemaCheck:create', 'project:describe'],
     resources: {
-      mode: GraphQLSchema.ResourceAssignmentMode.All,
+      mode: GraphQLSchema.ResourceAssignmentModeType.All,
     },
   });
 
@@ -809,7 +809,7 @@ test('schema:check with `--target` flag succeeds for organization access token',
   const privateKey = await createOrganizationAccessToken({
     permissions: ['schemaCheck:create', 'project:describe'],
     resources: {
-      mode: GraphQLSchema.ResourceAssignmentMode.All,
+      mode: GraphQLSchema.ResourceAssignmentModeType.All,
     },
   });
 
@@ -841,7 +841,7 @@ test('schema:publish without `--target` flag fails for organization access token
   const privateKey = await createOrganizationAccessToken({
     permissions: ['project:describe', 'schemaVersion:publish'],
     resources: {
-      mode: GraphQLSchema.ResourceAssignmentMode.All,
+      mode: GraphQLSchema.ResourceAssignmentModeType.All,
     },
   });
 
@@ -881,7 +881,7 @@ test('schema:publish with `--target` flag succeeds for organization access token
   const privateKey = await createOrganizationAccessToken({
     permissions: ['project:describe', 'schemaVersion:publish'],
     resources: {
-      mode: GraphQLSchema.ResourceAssignmentMode.All,
+      mode: GraphQLSchema.ResourceAssignmentModeType.All,
     },
   });
 

integration-tests/tests/usage-reporting/organization-access-token.spec.ts

@@ -1,5 +1,5 @@
 import { initSeed } from 'testkit/seed';
-import { ResourceAssignmentMode } from '../../testkit/gql/graphql';
+import { ResourceAssignmentModeType } from '../../testkit/gql/graphql';
 import { getServiceHost } from '../../testkit/utils';
 
 test('/:targetId > operation is accepted with wildcard access token', async () => {
@@ -12,7 +12,7 @@ test('/:targetId > operation is accepted with wildcard access token', async () =
   const accessToken = await createOrganizationAccessToken({
     permissions: ['usage:report'],
     resources: {
-      mode: ResourceAssignmentMode.All,
+      mode: ResourceAssignmentModeType.All,
     },
   });
 
@@ -71,12 +71,12 @@ test('/:targetId > operation is denied without access to target', async () => {
   const accessToken = await createOrganizationAccessToken({
     permissions: ['usage:report'],
     resources: {
-      mode: ResourceAssignmentMode.Granular,
+      mode: ResourceAssignmentModeType.Granular,
       projects: [
         {
           projectId: project.id,
           targets: {
-            mode: ResourceAssignmentMode.Granular,
+            mode: ResourceAssignmentModeType.Granular,
             targets: [],
           },
         },
@@ -133,22 +133,22 @@ test('/:targetId > operation is accepted with specific access to target', async
   const accessToken = await createOrganizationAccessToken({
     permissions: ['usage:report'],
     resources: {
-      mode: ResourceAssignmentMode.Granular,
+      mode: ResourceAssignmentModeType.Granular,
       projects: [
         {
           projectId: project.id,
           targets: {
-            mode: ResourceAssignmentMode.Granular,
+            mode: ResourceAssignmentModeType.Granular,
             targets: [
               {
                 targetId: target.id,
                 services: {
                   services: [],
-                  mode: ResourceAssignmentMode.Granular,
+                  mode: ResourceAssignmentModeType.Granular,
                 },
                 appDeployments: {
                   appDeployments: [],
-                  mode: ResourceAssignmentMode.Granular,
+                  mode: ResourceAssignmentModeType.Granular,
                 },
               },
             ],
@@ -213,7 +213,7 @@ test('/:orgSlug/:projectSlug/:targetSlug > operation is accepted with wildcard a
   const accessToken = await createOrganizationAccessToken({
     permissions: ['usage:report'],
     resources: {
-      mode: ResourceAssignmentMode.All,
+      mode: ResourceAssignmentModeType.All,
     },
   });
 
@@ -275,12 +275,12 @@ test('/:orgSlug/:projectSlug/:targetSlug > operation is denied without access to
   const accessToken = await createOrganizationAccessToken({
     permissions: ['usage:report'],
     resources: {
-      mode: ResourceAssignmentMode.Granular,
+      mode: ResourceAssignmentModeType.Granular,
       projects: [
         {
           projectId: project.id,
           targets: {
-            mode: ResourceAssignmentMode.Granular,
+            mode: ResourceAssignmentModeType.Granular,
             targets: [],
           },
         },
@@ -340,22 +340,22 @@ test('/:orgSlug/:projectSlug/:targetSlug > operation is accepted with specific a
   const accessToken = await createOrganizationAccessToken({
     permissions: ['usage:report'],
     resources: {
-      mode: ResourceAssignmentMode.Granular,
+      mode: ResourceAssignmentModeType.Granular,
       projects: [
         {
           projectId: project.id,
           targets: {
-            mode: ResourceAssignmentMode.Granular,
+            mode: ResourceAssignmentModeType.Granular,
             targets: [
               {
                 targetId: target.id,
                 services: {
                   services: [],
-                  mode: ResourceAssignmentMode.Granular,
+                  mode: ResourceAssignmentModeType.Granular,
                 },
                 appDeployments: {
                   appDeployments: [],
-                  mode: ResourceAssignmentMode.Granular,
+                  mode: ResourceAssignmentModeType.Granular,
                 },
               },
             ],

packages/services/api/src/modules/auth/module.graphql.ts

@@ -5,10 +5,6 @@ export default gql`
     me: User!
   }
 
-  interface Error {
-    message: String!
-  }
-
   extend type Mutation {
     updateMe(input: UpdateMeInput!): UpdateMeResult!
   }
@@ -97,19 +93,19 @@ export default gql`
     TOKENS_WRITE
   }
 
-  enum PermissionLevel {
-    organization
-    project
-    target
-    service
-    appDeployment
+  enum PermissionLevelType {
+    ORGANIZATION
+    PROJECT
+    TARGET
+    SERVICE
+    APP_DEPLOYMENT
   }
 
   type Permission {
     id: ID!
     title: String!
     description: String!
-    level: PermissionLevel!
+    level: PermissionLevelType!
     dependsOnId: ID
     isReadOnly: Boolean!
     warning: String

packages/services/api/src/modules/auth/resolvers/Permission.ts

@@ -1,4 +1,4 @@
-import { getPermissionGroup } from '../lib/authz';
+import { getPermissionGroup, type ResourceLevel } from '../lib/authz';
 import type { PermissionResolvers } from './../../../__generated__/types';
 
 /*
@@ -18,9 +18,24 @@ export const Permission: PermissionResolvers = {
     return permission.isReadOnly ?? false;
   },
   level: async (permission, _arg, _ctx) => {
-    return getPermissionGroup(permission.id);
+    return resourceLevelToResourceLevelType(getPermissionGroup(permission.id));
   },
   warning: async (permission, _arg, _ctx) => {
     return permission.warning ?? null;
   },
 };
+
+function resourceLevelToResourceLevelType(resourceLevel: ResourceLevel) {
+  switch (resourceLevel) {
+    case 'target':
+      return 'TARGET' as const;
+    case 'service':
+      return 'SERVICE' as const;
+    case 'project':
+      return 'PROJECT' as const;
+    case 'organization':
+      return 'ORGANIZATION' as const;
+    case 'appDeployment':
+      return 'APP_DEPLOYMENT' as const;
+  }
+}