basic tests

Author: n1ru4l

integration-tests/testkit/seed.ts

@@ -60,7 +60,7 @@ import {
 import { execute } from './graphql';
 import { UpdateSchemaPolicyForOrganization, UpdateSchemaPolicyForProject } from './schema-policy';
 import { collect, CollectedOperation, legacyCollect } from './usage';
-import { generateUnique } from './utils';
+import { generateUnique, getServiceHost } from './utils';
 
 export function initSeed() {
   function createConnectionPool() {
@@ -87,6 +87,17 @@ export function initSeed() {
         },
       };
     },
+    async purgePersonalAccessTokenById(id: string) {
+      const registryAddress = await getServiceHost('server', 8082);
+      (
+        await fetch(
+          'http://' + registryAddress + '/cache/personal-access-token-cache/delete/' + id,
+          {
+            method: 'POST',
+          },
+        )
+      ).json();
+    },
     authenticate,
     generateEmail: () => userEmail(generateUnique()),
     async createOwner() {
@@ -880,7 +891,10 @@ export function initSeed() {
                 },
               };
             },
-            async inviteAndJoinMember(inviteToken: string = ownerToken) {
+            async inviteAndJoinMember(
+              memberRoleId: string | undefined = undefined,
+              inviteToken: string = ownerToken,
+            ) {
               const memberEmail = userEmail(generateUnique());
               const memberToken = await authenticate(memberEmail).then(r => r.access_token);
 
@@ -892,6 +906,7 @@ export function initSeed() {
                     },
                   },
                   email: memberEmail,
+                  memberRoleId,
                 },
                 inviteToken,
               ).then(r => r.expectNoGraphQLErrors());

integration-tests/tests/api/personal-access-tokens.spec.ts

@@ -1,4 +1,5 @@
 import { assertNonNullish } from 'testkit/utils';
+import { PersonalAccessTokensCache } from '../../../packages/services/api/src/modules/organization/providers/personal-access-tokens-cache';
 import { graphql } from '../../testkit/gql';
 import * as GraphQLSchema from '../../testkit/gql/graphql';
 import { execute } from '../../testkit/graphql';
@@ -299,7 +300,8 @@ test.concurrent('query GraphQL API on resources with access', async ({ expect })
     authToken: ownerToken,
   }).then(e => e.expectNoGraphQLErrors());
   expect(result.createPersonalAccessToken.error).toEqual(null);
-  const organizationAccessToken = result.createPersonalAccessToken.ok!.privateAccessKey;
+  assertNonNullish(result.createPersonalAccessToken.ok);
+  const personalAccessToken = result.createPersonalAccessToken.ok.privateAccessKey;
 
   const projectQuery = await execute({
     document: OrganizationProjectTargetQuery1,
@@ -308,7 +310,7 @@ test.concurrent('query GraphQL API on resources with access', async ({ expect })
       projectSlug: project.project.slug,
       targetSlug: project.target.slug,
     },
-    authToken: organizationAccessToken,
+    authToken: personalAccessToken,
   }).then(e => e.expectNoGraphQLErrors());
   expect(projectQuery).toEqual({
     organization: {
@@ -376,3 +378,107 @@ test.concurrent('query GraphQL API on resources without access', async ({ expect
     },
   });
 });
+
+test.concurrent(
+  'query GraphQL API after membership resources have been downgraded',
+  async ({ expect }) => {
+    const seed = await initSeed();
+    const { createOrg } = await seed.createOwner();
+    const org = await createOrg();
+    const project = await org.createProject(GraphQLSchema.ProjectType.Federation);
+
+    const { member, memberToken, assignMemberRole, createMemberRole } =
+      await org.inviteAndJoinMember();
+
+    const newRole = await createMemberRole([
+      'organization:describe',
+      'project:describe',
+      'personalAccessToken:modify',
+    ]);
+
+    // make user also an admin
+    await assignMemberRole({
+      userId: member.id,
+      roleId: newRole.id,
+    });
+
+    const result = await execute({
+      document: CreatePersonalAccessTokenMutation,
+      variables: {
+        input: {
+          organization: {
+            byId: org.organization.id,
+          },
+          title: 'a access token',
+          description: 'a description',
+          resources: { mode: GraphQLSchema.ResourceAssignmentModeType.All },
+          permissions: ['organization:describe', 'project:describe'],
+        },
+      },
+      authToken: memberToken,
+    }).then(e => e.expectNoGraphQLErrors());
+
+    expect(result.createPersonalAccessToken.error).toEqual(null);
+    assertNonNullish(result.createPersonalAccessToken.ok);
+
+    const personalAccessToken = result.createPersonalAccessToken.ok.privateAccessKey;
+
+    let projectQuery = await execute({
+      document: OrganizationProjectTargetQuery1,
+      variables: {
+        organizationSlug: org.organization.slug,
+        projectSlug: project.project.slug,
+        targetSlug: project.target.slug,
+      },
+      authToken: personalAccessToken,
+    }).then(e => e.expectNoGraphQLErrors());
+
+    expect(projectQuery).toEqual({
+      organization: {
+        id: org.organization.id,
+        project: {
+          id: project.project.id,
+          slug: project.project.slug,
+          targetBySlug: {
+            id: project.target.id,
+            slug: project.target.slug,
+          },
+        },
+        slug: org.organization.slug,
+      },
+    });
+
+    // Update member role assignment so it looses access to describe project/target on the resources
+    await assignMemberRole({
+      userId: member.id,
+      roleId: newRole.id,
+      resources: {
+        mode: GraphQLSchema.ResourceAssignmentModeType.Granular,
+        projects: [],
+      },
+    });
+
+    // simulate 5 minutes passing by...
+    await seed.purgePersonalAccessTokenById(
+      result.createPersonalAccessToken.ok.createdPersonalAccessToken.id,
+    );
+
+    projectQuery = await execute({
+      document: OrganizationProjectTargetQuery1,
+      variables: {
+        organizationSlug: org.organization.slug,
+        projectSlug: project.project.slug,
+        targetSlug: project.target.slug,
+      },
+      authToken: personalAccessToken,
+    }).then(e => e.expectNoGraphQLErrors());
+
+    expect(projectQuery).toEqual({
+      organization: {
+        id: org.organization.id,
+        project: null,
+        slug: org.organization.slug,
+      },
+    });
+  },
+);

packages/services/api/src/modules/organization/providers/personal-access-tokens-cache.ts

@@ -21,6 +21,8 @@ export type CachedPersonalAccessToken = Omit<
   >;
 };
 
+type PersonalAccessTokeDeleteInput = Pick<PersonalAccessToken, 'id'>;
+
 /**
  * Cache for performant PersonalAccessToken lookups.
  */
@@ -124,7 +126,8 @@ export class PersonalAccessTokensCache {
     });
   }
 
-  purge(token: PersonalAccessToken) {
+  /** Delete a personal access token from the cache e.g. upon deletion or update of permissions */
+  delete(token: PersonalAccessTokeDeleteInput) {
     return this.cache.delete({
       key: token.id,
     });

packages/services/api/src/modules/organization/providers/personal-access-tokens.ts

@@ -190,7 +190,7 @@ export class PersonalAccessTokens {
         "id" = ${args.personalAccessTokenId}
     `);
 
-    await this.cache.purge(record);
+    await this.cache.delete(record);
 
     await this.auditLogs.record({
       organizationId: record.organizationId,

packages/services/server/src/index.ts

@@ -605,6 +605,13 @@ export async function main() {
       return;
     });
 
+    // only for integration testing :)
+    server.post('/cache/personal-access-token-cache/delete/:id', async (req, res) => {
+      await registry.injector.get(PersonalAccessTokensCache).delete({ id: (req.params as any).id });
+      void res.status(200).send({});
+      return;
+    });
+
     createOtelAuthEndpoint({
       server,
       authN,