implement missing resolvers

Author: n1ru4l

packages/services/api/src/modules/organization/module.graphql.ts

@@ -138,25 +138,23 @@ export default gql`
     title: String!
     description: String
     """
+    Whether the permissions of this access token are inherited from the access token owner.
+    """
+    hasAllPermissionsFromOwner: Boolean!
+    """
     The currently valid permissions for the personal access token.
+
+    Resolves to the access token owners permissions in case no restriction was specified during the creation of the access token.
     """
     permissions: [String!]!
     """
     The currently valid resources for the personal access token.
+
+    Resolves to the access token owners resources in case no restriction was specified during the creation of the access token.
     """
     resources: ResourceAssignment!
     firstCharacters: String!
     createdAt: DateTime!
-    """
-    The permissions that were originally assigned to the access token.
-    They can differ from 'PersonalAccessToken.permissions' as the permissions of the users role can change.
-    """
-    assignedPermissions: [String!]!
-    """
-    The resources that were originally assigned to the access token.
-    They can differ from 'PersonalAccessToken.resources' as the permissions of the users role can change.
-    """
-    assignedResources: [String!]!
   }
 
   type CreatePersonalAccessTokenResultOk {
@@ -810,6 +808,10 @@ export default gql`
     """
     personalAccessTokens(first: Int, after: String): PersonalAccessTokenConnection
     """
+    Retrieve a personal access token by it's id.
+    """
+    personalAccessToken(id: ID!): PersonalAccessToken
+    """
     Permission groups the member is allowed to assign to personal access tokens.
     """
     availablePersonalAccessTokenPermissionGroups: [PermissionGroup!]!

packages/services/api/src/modules/organization/providers/personal-access-tokens-cache.ts

@@ -5,23 +5,22 @@ import { Inject, Injectable, Scope } from 'graphql-modules';
 import type Redis from 'ioredis';
 import type { DatabasePool } from 'slonik';
 import { prometheusPlugin } from '@bentocache/plugin-prometheus';
+import type { AuthorizationPolicyStatement } from '../../auth/lib/authz';
 import { Logger } from '../../shared/providers/logger';
 import { PG_POOL_CONFIG } from '../../shared/providers/pg-pool';
 import { PrometheusConfig } from '../../shared/providers/prometheus-config';
 import { REDIS_INSTANCE } from '../../shared/providers/redis';
 import { OrganizationMembers, type OrganizationMembership } from './organization-members';
 import { PersonalAccessTokens, type PersonalAccessToken } from './personal-access-tokens';
 
-export type CachedPersonalAccessToken = Omit<
+export type CachedPersonalAccessToken = Pick<
   PersonalAccessToken,
-  'resolveAuthorizationPolicyStatements'
+  'id' | 'userId' | 'organizationId' | 'hash'
 > & {
-  authorizationPolicyStatements: ReturnType<
-    PersonalAccessToken['resolveAuthorizationPolicyStatements']
-  >;
+  authorizationPolicyStatements: Array<AuthorizationPolicyStatement>;
 };
 
-type PersonalAccessTokeDeleteInput = Pick<PersonalAccessToken, 'id'>;
+type PersonalAccessTokeDeleteInput = Pick<CachedPersonalAccessToken, 'id'>;
 
 /**
  * Cache for performant PersonalAccessToken lookups.
@@ -65,13 +64,16 @@ export class PersonalAccessTokensCache {
   private makeCachedPersonalAccessToken(
     personalAccessToken: PersonalAccessToken,
     membership: OrganizationMembership,
-  ) {
-    const authorizationPolicyStatements =
-      personalAccessToken.resolveAuthorizationPolicyStatements(membership);
-
+  ): CachedPersonalAccessToken {
     return {
-      ...personalAccessToken,
-      authorizationPolicyStatements,
+      id: personalAccessToken.id,
+      userId: personalAccessToken.userId,
+      organizationId: personalAccessToken.organizationId,
+      hash: personalAccessToken.hash,
+      authorizationPolicyStatements: PersonalAccessTokens.computeAuthorizationStatements(
+        personalAccessToken,
+        membership,
+      ),
     };
   }
 

packages/services/api/src/modules/organization/providers/personal-access-tokens.ts

@@ -1,6 +1,7 @@
 import { Inject, Injectable, Scope } from 'graphql-modules';
 import { sql, type CommonQueryMethods, type DatabasePool } from 'slonik';
 import z from 'zod';
+import { cache } from '@hive/api/shared/helpers';
 import {
   decodeCreatedAtAndUUIDIdBasedCursor,
   encodeCreatedAtAndUUIDIdBasedCursor,
@@ -38,7 +39,6 @@ import {
 })
 export class PersonalAccessTokens {
   logger: Logger;
-  private findById: ReturnType<typeof PersonalAccessTokens.findById>;
 
   constructor(
     @Inject(PG_POOL_CONFIG) private pool: DatabasePool,
@@ -54,7 +54,6 @@ export class PersonalAccessTokens {
     this.logger = logger.child({
       source: 'OrganizationAccessTokens',
     });
-    this.findById = PersonalAccessTokens.findById({ logger: this.logger, pool });
   }
 
   async create(args: {
@@ -183,18 +182,25 @@ export class PersonalAccessTokens {
   async delete(args: { personalAccessTokenId: string }) {
     const viewer = await this.session.getViewer();
 
-    const record = await this.findById(args.personalAccessTokenId);
+    const record = await PersonalAccessTokens.findById({
+      pool: this.pool,
+      logger: this.logger,
+    })(args.personalAccessTokenId);
 
-    if (record === null || record.userId !== viewer.id) {
-      this.session.raise('accessToken:modify');
+    if (!record) {
+      return null;
     }
 
     await this.session.assertPerformAction({
-      action: 'personalAccessToken:modify',
       organizationId: record.organizationId,
       params: { organizationId: record.organizationId },
+      action: 'personalAccessToken:modify',
     });
 
+    if (record.userId !== viewer.id) {
+      return null;
+    }
+
     await this.pool.query(sql`
       DELETE
       FROM
@@ -220,11 +226,13 @@ export class PersonalAccessTokens {
     };
   }
 
-  async getPaginated(args: { organizationId: string; first: number | null; after: string | null }) {
-    const viewer = await this.session.getViewer();
+  async getPaginatedForMembership(
+    membership: OrganizationMembership,
+    args: { first: number | null; after: string | null },
+  ) {
     await this.session.assertPerformAction({
-      organizationId: args.organizationId,
-      params: { organizationId: args.organizationId },
+      organizationId: membership.organizationId,
+      params: { organizationId: membership.organizationId },
       action: 'personalAccessToken:modify',
     });
 
@@ -245,8 +253,8 @@ export class PersonalAccessTokens {
       FROM
         "personal_access_tokens"
       WHERE
-        "organization_id" = ${args.organizationId}
-        AND "user_id" = ${viewer.id}
+        "organization_id" = ${membership.organizationId}
+        AND "user_id" = ${membership.userId}
         ${
           cursor
             ? sql`
@@ -298,6 +306,25 @@ export class PersonalAccessTokens {
     };
   }
 
+  async findByIdForMembership(membership: OrganizationMembership, accessTokenId: string) {
+    await this.session.assertPerformAction({
+      organizationId: membership.organizationId,
+      params: { organizationId: membership.organizationId },
+      action: 'personalAccessToken:modify',
+    });
+
+    const accessToken = await PersonalAccessTokens.findById({
+      logger: this.logger,
+      pool: this.pool,
+    })(accessTokenId);
+
+    if (!accessToken || accessToken.userId !== viewer.id) {
+      return null;
+    }
+
+    return accessToken;
+  }
+
   /**
    * Implementation for finding a personal access token from the PG database.
    * It is a static function, so we can use it for the personal access tokens cache.
@@ -345,6 +372,87 @@ export class PersonalAccessTokens {
       return result;
     };
   }
+
+  static computeResources(
+    personalAccessToken: PersonalAccessToken,
+    membership: OrganizationMembership,
+  ) {
+    const legitAssignedResources = intersectResourceAssignments(
+      membership.assignedRole.resources,
+      personalAccessToken.assignedResources,
+    );
+
+    return legitAssignedResources;
+  }
+
+  static computePermissions(
+    personalAccessToken: PersonalAccessToken,
+    membership: OrganizationMembership,
+  ) {
+    // If the access token specifies no permissions, we use the permissions of the member role
+    if (personalAccessToken.permissions === null) {
+      return membership.assignedRole.role.allPermissions;
+    }
+
+    // The roles permission could have been updated.
+    // Because of that we always need to filter this list based on the role.
+    return intersection(
+      new Set(personalAccessToken.permissions),
+      membership.assignedRole.role.allPermissions,
+    );
+  }
+
+  static computeAuthorizationStatements(
+    personalAccessToken: PersonalAccessToken,
+    membership: OrganizationMembership,
+  ) {
+    const permissions = PersonalAccessTokens.computePermissions(personalAccessToken, membership);
+    const resources = PersonalAccessTokens.computeResources(personalAccessToken, membership);
+
+    const permissionsPerLevel = permissionsToPermissionsPerResourceLevelAssignment(permissions);
+    const resolvedResources = resolveResourceAssignment({
+      organizationId: personalAccessToken.organizationId,
+      projects: resources,
+    });
+
+    return translateResolvedResourcesToAuthorizationPolicyStatements(
+      personalAccessToken.organizationId,
+      permissionsPerLevel,
+      resolvedResources,
+    );
+  }
+
+  @cache((...values: Array<string>) => values.join('|'))
+  async getMembership(organizationId: string, userId: string) {
+    const organization = await this.storage.getOrganization({ organizationId });
+    const membership = await this.organizationMembers.findOrganizationMembership({
+      organization,
+      userId,
+    });
+
+    if (!membership) {
+      throw new Error('Should be able to find membership.');
+    }
+
+    return membership;
+  }
+
+  async getResourcesForPersonalAccessToken(personalAccessToken: PersonalAccessToken) {
+    const membership = await this.getMembership(
+      personalAccessToken.organizationId,
+      personalAccessToken.userId,
+    );
+
+    return PersonalAccessTokens.computeResources(personalAccessToken, membership);
+  }
+
+  async getPermissionsForPersonalAccessToken(personalAccessToken: PersonalAccessToken) {
+    const membership = await this.getMembership(
+      personalAccessToken.organizationId,
+      personalAccessToken.userId,
+    );
+    return PersonalAccessTokens.computePermissions(personalAccessToken, membership);
+  }
 }
 
 const personalAccessTokenFields = sql`
@@ -360,58 +468,20 @@ const personalAccessTokenFields = sql`
   , "hash"
 `;
 
-const PersonalAccessTokenModel = z
-  .object({
-    id: z.string().uuid(),
-    organizationId: z.string().uuid(),
-    userId: z.string().uuid(),
-    createdAt: z.string(),
-    title: z.string(),
-    description: z.string(),
-    permissions: z.array(PermissionsModel).nullable(),
-    assignedResources: ResourceAssignmentModel.nullable().transform(
-      value => value ?? { mode: '*' as const, projects: [] },
-    ),
-    firstCharacters: z.string(),
-    hash: z.string(),
-  })
-  .transform(record => ({
-    ...record,
-    // Only used in the context of authorization, we do not need
-    // to compute when querying a list of organization access tokens via the GraphQL API.
-    // Compared to organization access tokens, we also need to filter down the permissions based on the membership
-    resolveAuthorizationPolicyStatements(organizationMembership: OrganizationMembership) {
-      const legitPermissions =
-        // If the access token specifies no permissions, we use the permissions of the member role
-        record.permissions === null
-          ? organizationMembership.assignedRole.role.allPermissions
-          : // The roles permission could have been updated.
-            // Because of that we always need to filter this list based on the role.
-            intersection(
-              new Set(record.permissions),
-              organizationMembership.assignedRole.role.allPermissions,
-            );
-
-      // The membership resources could have been updated.
-      // Because of that we always need to filter this list based on the role.
-      const legitAssignedResources = intersectResourceAssignments(
-        organizationMembership.assignedRole.resources,
-        record.assignedResources,
-      );
-
-      const permissions = permissionsToPermissionsPerResourceLevelAssignment(legitPermissions);
-      const resolvedResources = resolveResourceAssignment({
-        organizationId: record.organizationId,
-        projects: legitAssignedResources,
-      });
-
-      return translateResolvedResourcesToAuthorizationPolicyStatements(
-        record.organizationId,
-        permissions,
-        resolvedResources,
-      );
-    },
-  }));
+const PersonalAccessTokenModel = z.object({
+  id: z.string().uuid(),
+  organizationId: z.string().uuid(),
+  userId: z.string().uuid(),
+  createdAt: z.string(),
+  title: z.string(),
+  description: z.string(),
+  permissions: z.array(PermissionsModel).nullable(),
+  assignedResources: ResourceAssignmentModel.nullable().transform(
+    value => value ?? { mode: '*' as const, projects: [] },
+  ),
+  firstCharacters: z.string(),
+  hash: z.string(),
+});
 
 export type PersonalAccessToken = z.TypeOf<typeof PersonalAccessTokenModel>;
 

packages/services/api/src/modules/organization/resolvers/Member.ts

@@ -45,8 +45,7 @@ export const Member: MemberResolvers = {
     });
   },
   personalAccessTokens: async (member, args, { injector }) => {
-    return injector.get(PersonalAccessTokens).getPaginated({
-      organizationId: member.organizationId,
+    return injector.get(PersonalAccessTokens).getPaginatedForMembership(member, {
       first: args.first ?? null,
       after: args.after ?? null,
     });
@@ -58,4 +57,7 @@ export const Member: MemberResolvers = {
       member.assignedRole.role.allPermissions,
     );
   },
+  personalAccessToken: async (member, args, { injector }) => {
+    return injector.get(PersonalAccessTokens).findByIdForMembership(member, args.id);
+  },
 };