feat(api): new permission system (#5674)
n1ru4l authored Nov 5, 2024
1 parent fb53f13 commit ff60d04
Showing 79 changed files with 2,674 additions and 2,044 deletions.
34 changes: 0 additions & 34 deletions integration-tests/testkit/schema-policy.ts
@@ -1,40 +1,6 @@
import { RuleInstanceSeverityLevel, SchemaPolicyInput } from 'testkit/gql/graphql';
import { graphql } from './gql';

export const TargetCalculatedPolicy = graphql(`
query TargetCalculatedPolicy($selector: TargetSelectorInput!) {
target(selector: $selector) {
id
schemaPolicy {
mergedRules {
...SchemaPolicyRuleInstanceFields
}
projectPolicy {
id
rules {
...SchemaPolicyRuleInstanceFields
}
}
organizationPolicy {
id
allowOverrides
rules {
...SchemaPolicyRuleInstanceFields
}
}
}
}
}
fragment SchemaPolicyRuleInstanceFields on SchemaPolicyRuleInstance {
rule {
id
}
severity
configuration
}
`);

export const OrganizationAndProjectsWithSchemaPolicy = graphql(`
query OrganizationAndProjectsWithSchemaPolicy($organization: String!) {
organization(selector: { organizationSlug: $organization }) {
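--- a/integration-tests/testkit/seed.ts
+++ b/integration-tests/testkit/seed.ts
@@ -495,19 +495,6 @@ export function initSeed() {
 secret,
 );
 },
-
-async updateSchemaVersionStatus(versionId: string, valid: boolean) {
-return await updateSchemaVersionStatus(
-{
-organizationSlug: organization.slug,
-projectSlug: project.slug,
-targetSlug: target.slug,
-valid,
-versionId,
-},
-secret,
-).then(r => r.expectNoGraphQLErrors());
-},
 async publishSchema(options: {
 sdl: string;
 headerName?: 'x-api-token' | 'authorization';
@@ -708,6 +695,22 @@ export function initSeed() {
 
 return result.target?.schemaVersions.edges.map(edge => edge.node);
 },
+async updateSchemaVersionStatus(
+versionId: string,
+valid: boolean,
+ttarget: TargetOverwrite = target,
+) {
+return await updateSchemaVersionStatus(
+{
+organizationSlug: organization.slug,
+projectSlug: project.slug,
+targetSlug: ttarget.slug,
+valid,
+versionId,
+},
+ownerToken,
+).then(r => r.expectNoGraphQLErrors());
+},
 };
 },
 async inviteAndJoinMember(inviteToken: string = ownerToken) {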
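Review bot: The re-added `updateSchemaVersionStatus` in the second hunk always authenticates with `ownerToken`, whereas the deleted version used the caller-scoped `secret`, so every test that goes through this helper now acts with owner-level rights and the helper can no longer be used to assert that a more restricted token is rejected for this mutation. If running as owner is the intended default, consider exposing the credential as an optional trailing parameter, `authToken: string = ownerToken,` after `ttarget`, and passing `authToken,` in place of `ownerToken,`, so negative permission tests can reuse the helper instead of re-implementing the call. The parameter name `ttarget` reads like a typo; `targetOverride` (or whatever name the sibling helpers use for the same `TargetOverwrite` argument, which is not visible here) would be clearer. The enclosing `initSeed` function starts and ends outside this hunk.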
2 changes: 1 addition & 1 deletion integration-tests/tests/api/artifacts-cdn.spec.ts
Expand Up @@ -662,7 +662,7 @@ describe('CDN token', () => {
expect(deleteResult).toEqual(
expect.arrayContaining([
expect.objectContaining({
message: `No access (reason: "Missing target:settings permission")`,
message: `No access (reason: "Missing permission for performing 'cdnAccessToken:delete' on resource")`,
}),
]),
);
Expand Up @@ -140,7 +140,7 @@ describe('Document Collections', () => {
).rejects.toEqual(
expect.objectContaining({
message: expect.stringContaining(
`No access (reason: "Missing target:registry:write permission")`,
`No access (reason: "Missing permission for performing 'laboratory:createCollection' on resource")`,
),
}),
);
Expand Down Expand Up @@ -172,7 +172,7 @@ describe('Document Collections', () => {
).rejects.toEqual(
expect.objectContaining({
message: expect.stringContaining(
'No access (reason: "Missing target:registry:write permission")',
`No access (reason: "Missing permission for performing 'laboratory:modifyCollection' on resource")`,
),
}),
);
Expand Down Expand Up @@ -202,7 +202,7 @@ describe('Document Collections', () => {
).rejects.toEqual(
expect.objectContaining({
message: expect.stringContaining(
`No access (reason: "Missing target:registry:write permission")`,
`No access (reason: "Missing permission for performing 'laboratory:deleteCollection' on resource")`,
),
}),
);
6 changes: 3 additions & 3 deletions integration-tests/tests/api/oidc-integrations/crud.spec.ts
Expand Up @@ -150,7 +150,7 @@ describe('create', () => {
expect(errors).toEqual(
expect.arrayContaining([
expect.objectContaining({
message: `No access (reason: "Missing organization:integrations permission")`,
message: `No access (reason: "Missing permission for performing 'oidc:modify' on resource")`,
}),
]),
);
Expand Down Expand Up @@ -545,7 +545,7 @@ describe('delete', () => {
expect(errors).toEqual(
expect.arrayContaining([
expect.objectContaining({
message: `No access (reason: "Missing organization:integrations permission")`,
message: `No access (reason: "Missing permission for performing 'oidc:modify' on resource")`,
}),
]),
);
Expand Down Expand Up @@ -742,7 +742,7 @@ describe('update', () => {
expect(errors).toEqual(
expect.arrayContaining([
expect.objectContaining({
message: `No access (reason: "Missing organization:integrations permission")`,
message: `No access (reason: "Missing permission for performing 'oidc:modify' on resource")`,
}),
]),
);
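Review bot: All three negative expectations in this file (create, update and delete) now name the single `oidc:modify` permission, which — if the expectations mirror the authorization rules — means a role allowed to edit an existing OIDC integration can also remove it, and the organization's SSO with it. The replaced `organization:integrations` permission was equally coarse, so this is not a regression, but a one-line comment next to the first expectation, `// create, update and delete of an OIDC integration all map to the single 'oidc:modify' permission`, would stop the next reader from suspecting a missing `oidc:delete` check. Each `describe` block continues outside the visible hunks.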
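--- a/integration-tests/tests/api/policy/policy-access.spec.ts
+++ b/integration-tests/tests/api/policy/policy-access.spec.ts
@@ -4,76 +4,6 @@ import { execute } from '../../../testkit/graphql';
 import { initSeed } from '../../../testkit/seed';
 
 describe('Policy Access', () => {
-describe('Target', () => {
-const query = graphql(`
-query TargetSchemaPolicyAccess($selector: TargetSelectorInput!) {
-target(selector: $selector) {
-schemaPolicy {
-mergedRules {
-severity
-}
-}
-}
-}
-`);
-
-test.concurrent(
-'should successfully fetch Target.schemaPolicy if the user has access to SETTINGS',
-async ({ expect }) => {
-const { createOrg } = await initSeed().createOwner();
-const { organization, createProject, inviteAndJoinMember } = await createOrg();
-const { project, target } = await createProject(ProjectType.Single);
-const adminRole = organization.memberRoles.find(r => r.name === 'Admin');
-
-if (!adminRole) {
-throw new Error('Admin role not found');
-}
-
-const { member, memberToken, assignMemberRole } = await inviteAndJoinMember();
-await assignMemberRole({
-roleId: adminRole.id,
-userId: member.user.id,
-});
-
-const result = await execute({
-document: query,
-variables: {
-selector: {
-organizationSlug: organization.slug,
-projectSlug: project.slug,
-targetSlug: target.slug,
-},
-},
-authToken: memberToken,
-}).then(r => r.expectNoGraphQLErrors());
-
-expect(result.target?.schemaPolicy?.mergedRules).not.toBeNull();
-},
-);
-
-test.concurrent(
-'should fail to fetch Target.schemaPolicy if the user lacks access to SETTINGS',
-async ({ expect }) => {
-const { createOrg } = await initSeed().createOwner();
-const { organization, createProject, inviteAndJoinMember } = await createOrg();
-const { project, target } = await createProject(ProjectType.Single);
-const { memberToken } = await inviteAndJoinMember();
-
-await execute({
-document: query,
-variables: {
-selector: {
-organizationSlug: organization.slug,
-projectSlug: project.slug,
-targetSlug: target.slug,
-},
-},
-authToken: memberToken,
-}).then(r => r.expectGraphQLErrors());
-},
-);
-});
-
 describe('Project', () => {
 const query = graphql(`
 query ProjectSchemaPolicyAccess($selector: ProjectSelectorInput!) {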