feat: add an api to validate the token's permissions (#2271)

Author: JivusAyrus

connect-go/gen/proto/wg/cosmo/platform/v1/platform.pb.go

@@ -23139,3 +23139,89 @@ export class UnlinkSubgraphResponse extends Message<UnlinkSubgraphResponse> {
   }
 }
 
+/**
+ * @generated from message wg.cosmo.platform.v1.VerifyAPIKeyGraphAccessRequest
+ */
+export class VerifyAPIKeyGraphAccessRequest extends Message<VerifyAPIKeyGraphAccessRequest> {
+  /**
+   * @generated from field: string federatedGraphId = 1;
+   */
+  federatedGraphId = "";
+
+  constructor(data?: PartialMessage<VerifyAPIKeyGraphAccessRequest>) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+
+  static readonly runtime: typeof proto3 = proto3;
+  static readonly typeName = "wg.cosmo.platform.v1.VerifyAPIKeyGraphAccessRequest";
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [
+    { no: 1, name: "federatedGraphId", kind: "scalar", T: 9 /* ScalarType.STRING */ },
+  ]);
+
+  static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): VerifyAPIKeyGraphAccessRequest {
+    return new VerifyAPIKeyGraphAccessRequest().fromBinary(bytes, options);
+  }
+
+  static fromJson(jsonValue: JsonValue, options?: Partial<JsonReadOptions>): VerifyAPIKeyGraphAccessRequest {
+    return new VerifyAPIKeyGraphAccessRequest().fromJson(jsonValue, options);
+  }
+
+  static fromJsonString(jsonString: string, options?: Partial<JsonReadOptions>): VerifyAPIKeyGraphAccessRequest {
+    return new VerifyAPIKeyGraphAccessRequest().fromJsonString(jsonString, options);
+  }
+
+  static equals(a: VerifyAPIKeyGraphAccessRequest | PlainMessage<VerifyAPIKeyGraphAccessRequest> | undefined, b: VerifyAPIKeyGraphAccessRequest | PlainMessage<VerifyAPIKeyGraphAccessRequest> | undefined): boolean {
+    return proto3.util.equals(VerifyAPIKeyGraphAccessRequest, a, b);
+  }
+}
+
+/**
+ * @generated from message wg.cosmo.platform.v1.VerifyAPIKeyGraphAccessResponse
+ */
+export class VerifyAPIKeyGraphAccessResponse extends Message<VerifyAPIKeyGraphAccessResponse> {
+  /**
+   * @generated from field: wg.cosmo.platform.v1.Response response = 1;
+   */
+  response?: Response;
+
+  /**
+   * @generated from field: bool hasOrganizationAdminOrDeveloperPermissions = 2;
+   */
+  hasOrganizationAdminOrDeveloperPermissions = false;
+
+  /**
+   * @generated from field: bool hasWriteAccessToGraph = 3;
+   */
+  hasWriteAccessToGraph = false;
+
+  constructor(data?: PartialMessage<VerifyAPIKeyGraphAccessResponse>) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+
+  static readonly runtime: typeof proto3 = proto3;
+  static readonly typeName = "wg.cosmo.platform.v1.VerifyAPIKeyGraphAccessResponse";
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [
+    { no: 1, name: "response", kind: "message", T: Response },
+    { no: 2, name: "hasOrganizationAdminOrDeveloperPermissions", kind: "scalar", T: 8 /* ScalarType.BOOL */ },
+    { no: 3, name: "hasWriteAccessToGraph", kind: "scalar", T: 8 /* ScalarType.BOOL */ },
+  ]);
+
+  static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): VerifyAPIKeyGraphAccessResponse {
+    return new VerifyAPIKeyGraphAccessResponse().fromBinary(bytes, options);
+  }
+
+  static fromJson(jsonValue: JsonValue, options?: Partial<JsonReadOptions>): VerifyAPIKeyGraphAccessResponse {
+    return new VerifyAPIKeyGraphAccessResponse().fromJson(jsonValue, options);
+  }
+
+  static fromJsonString(jsonString: string, options?: Partial<JsonReadOptions>): VerifyAPIKeyGraphAccessResponse {
+    return new VerifyAPIKeyGraphAccessResponse().fromJsonString(jsonString, options);
+  }
+
+  static equals(a: VerifyAPIKeyGraphAccessResponse | PlainMessage<VerifyAPIKeyGraphAccessResponse> | undefined, b: VerifyAPIKeyGraphAccessResponse | PlainMessage<VerifyAPIKeyGraphAccessResponse> | undefined): boolean {
+    return proto3.util.equals(VerifyAPIKeyGraphAccessResponse, a, b);
+  }
+}
+

connect-go/gen/proto/wg/cosmo/platform/v1/platformv1connect/platform.connect.go

@@ -169,6 +169,7 @@ import { validateAndFetchPluginData } from './plugin/validateAndFetchPluginData.
 import { linkSubgraph } from './subgraph/linkSubgraph.js';
 import { unlinkSubgraph } from './subgraph/unlinkSubgraph.js';
 import { getWorkspace } from './workspace/getWorkspace.js';
+import { verifyAPIKeyGraphAccess } from './api-key/verifyAPIKeyGraphAccess.js';
 
 export default function (opts: RouterOptions): Partial<ServiceImpl<typeof PlatformService>> {
   return {
@@ -854,5 +855,9 @@ export default function (opts: RouterOptions): Partial<ServiceImpl<typeof Platfo
     unlinkSubgraph: (req, ctx) => {
       return unlinkSubgraph(opts, req, ctx);
     },
+
+    verifyAPIKeyGraphAccess: (req, ctx) => {
+      return verifyAPIKeyGraphAccess(opts, req, ctx);
+    },
   };
 }

connect/src/wg/cosmo/platform/v1/platform-PlatformService_connectquery.ts

@@ -0,0 +1,48 @@
+import { PlainMessage } from '@bufbuild/protobuf';
+import { HandlerContext } from '@connectrpc/connect';
+import { EnumStatusCode } from '@wundergraph/cosmo-connect/dist/common/common_pb';
+import {
+  VerifyAPIKeyGraphAccessRequest,
+  VerifyAPIKeyGraphAccessResponse,
+} from '@wundergraph/cosmo-connect/dist/platform/v1/platform_pb';
+import { UnauthorizedError } from '../../errors/errors.js';
+import type { RouterOptions } from '../../routes.js';
+import { enrichLogger, getLogger, handleError } from '../../util.js';
+import { FederatedGraphRepository } from '../../repositories/FederatedGraphRepository.js';
+
+export function verifyAPIKeyGraphAccess(
+  opts: RouterOptions,
+  req: VerifyAPIKeyGraphAccessRequest,
+  ctx: HandlerContext,
+): Promise<PlainMessage<VerifyAPIKeyGraphAccessResponse>> {
+  let logger = getLogger(ctx, opts.logger);
+
+  return handleError<PlainMessage<VerifyAPIKeyGraphAccessResponse>>(ctx, logger, async () => {
+    const authContext = await opts.authenticator.authenticate(ctx.requestHeader);
+    logger = enrichLogger(ctx, logger, authContext);
+
+    if (authContext.organizationDeactivated) {
+      throw new UnauthorizedError();
+    }
+
+    const fedRepo = new FederatedGraphRepository(logger, opts.db, authContext.organizationId);
+    const federatedGraph = await fedRepo.byId(req.federatedGraphId);
+    if (!federatedGraph) {
+      return {
+        response: {
+          code: EnumStatusCode.OK,
+        },
+        hasOrganizationAdminOrDeveloperPermissions: false,
+        hasWriteAccessToGraph: false,
+      };
+    }
+
+    return {
+      response: {
+        code: EnumStatusCode.OK,
+      },
+      hasOrganizationAdminOrDeveloperPermissions: authContext.rbac.isOrganizationAdminOrDeveloper,
+      hasWriteAccessToGraph: authContext.rbac.hasFederatedGraphWriteAccess(federatedGraph),
+    };
+  });
+}

connect/src/wg/cosmo/platform/v1/platform_connect.ts

@@ -2950,6 +2950,16 @@ message UnlinkSubgraphResponse {
   Response response = 1;
 }
 
+message VerifyAPIKeyGraphAccessRequest {
+  string federatedGraphId = 1;
+}
+
+message VerifyAPIKeyGraphAccessResponse {
+  Response response = 1;
+  bool hasOrganizationAdminOrDeveloperPermissions = 2;
+  bool hasWriteAccessToGraph = 3;
+}
+
 service PlatformService {
   // PlaygroundScripts
   rpc CreatePlaygroundScript(CreatePlaygroundScriptRequest) returns (CreatePlaygroundScriptResponse) {}
@@ -3324,4 +3334,6 @@ service PlatformService {
   rpc LinkSubgraph(LinkSubgraphRequest) returns (LinkSubgraphResponse) {}
   // UnlinkSubgraph unlinks one subgraph from another
   rpc UnlinkSubgraph(UnlinkSubgraphRequest) returns (UnlinkSubgraphResponse) {}
+  // VerifyAPIKeyGraphAccess checks if the token or the jwt has organization admin or developer  and checks if the token has permissions to write to the graph
+  rpc VerifyAPIKeyGraphAccess(VerifyAPIKeyGraphAccessRequest) returns (VerifyAPIKeyGraphAccessResponse) {}
 }