feat: new permission system

integration-tests/testkit/schema-policy.ts

@@ -1,40 +1,6 @@
 import { RuleInstanceSeverityLevel, SchemaPolicyInput } from 'testkit/gql/graphql';
 import { graphql } from './gql';
 
-export const TargetCalculatedPolicy = graphql(`
-  query TargetCalculatedPolicy($selector: TargetSelectorInput!) {
-    target(selector: $selector) {
-      id
-      schemaPolicy {
-        mergedRules {
-          ...SchemaPolicyRuleInstanceFields
-        }
-        projectPolicy {
-          id
-          rules {
-            ...SchemaPolicyRuleInstanceFields
-          }
-        }
-        organizationPolicy {
-          id
-          allowOverrides
-          rules {
-            ...SchemaPolicyRuleInstanceFields
-          }
-        }
-      }
-    }
-  }
-
-  fragment SchemaPolicyRuleInstanceFields on SchemaPolicyRuleInstance {
-    rule {
-      id
-    }
-    severity
-    configuration
-  }
-`);
-
 export const OrganizationAndProjectsWithSchemaPolicy = graphql(`
   query OrganizationAndProjectsWithSchemaPolicy($organization: String!) {
     organization(selector: { organizationSlug: $organization }) {

integration-tests/testkit/seed.ts

@@ -495,19 +495,6 @@ export function initSeed() {
                         secret,
                       );
                     },
-
-                    async updateSchemaVersionStatus(versionId: string, valid: boolean) {
-                      return await updateSchemaVersionStatus(
-                        {
-                          organizationSlug: organization.slug,
-                          projectSlug: project.slug,
-                          targetSlug: target.slug,
-                          valid,
-                          versionId,
-                        },
-                        secret,
-                      ).then(r => r.expectNoGraphQLErrors());
-                    },
                     async publishSchema(options: {
                       sdl: string;
                       headerName?: 'x-api-token' | 'authorization';
@@ -708,6 +695,22 @@ export function initSeed() {
 
                   return result.target?.schemaVersions.edges.map(edge => edge.node);
                 },
+                async updateSchemaVersionStatus(
+                  versionId: string,
+                  valid: boolean,
+                  ttarget: TargetOverwrite = target,
+                ) {
+                  return await updateSchemaVersionStatus(
+                    {
+                      organizationSlug: organization.slug,
+                      projectSlug: project.slug,
+                      targetSlug: ttarget.slug,
+                      valid,
+                      versionId,
+                    },
+                    ownerToken,
+                  ).then(r => r.expectNoGraphQLErrors());
+                },
               };
             },
             async inviteAndJoinMember(inviteToken: string = ownerToken) {

integration-tests/tests/api/artifacts-cdn.spec.ts

@@ -662,7 +662,7 @@ describe('CDN token', () => {
     expect(deleteResult).toEqual(
       expect.arrayContaining([
         expect.objectContaining({
-          message: `No access (reason: "Missing target:settings permission")`,
+          message: `No access (reason: "Missing permission for performing 'cdnAccessToken:delete' on resource")`,
         }),
       ]),
     );

integration-tests/tests/api/collections/document-collections.spec.ts

@@ -140,7 +140,7 @@ describe('Document Collections', () => {
         ).rejects.toEqual(
           expect.objectContaining({
             message: expect.stringContaining(
-              `No access (reason: "Missing target:registry:write permission")`,
+              `No access (reason: "Missing permission for performing 'laboratory:createCollection' on resource")`,
             ),
           }),
         );
@@ -172,7 +172,7 @@ describe('Document Collections', () => {
         ).rejects.toEqual(
           expect.objectContaining({
             message: expect.stringContaining(
-              'No access (reason: "Missing target:registry:write permission")',
+              `No access (reason: "Missing permission for performing 'laboratory:modifyCollection' on resource")`,
             ),
           }),
         );
@@ -202,7 +202,7 @@ describe('Document Collections', () => {
         ).rejects.toEqual(
           expect.objectContaining({
             message: expect.stringContaining(
-              `No access (reason: "Missing target:registry:write permission")`,
+              `No access (reason: "Missing permission for performing 'laboratory:deleteCollection' on resource")`,
             ),
           }),
         );

integration-tests/tests/api/oidc-integrations/crud.spec.ts

@@ -150,7 +150,7 @@ describe('create', () => {
       expect(errors).toEqual(
         expect.arrayContaining([
           expect.objectContaining({
-            message: `No access (reason: "Missing organization:integrations permission")`,
+            message: `No access (reason: "Missing permission for performing 'oidc:modify' on resource")`,
           }),
         ]),
       );
@@ -545,7 +545,7 @@ describe('delete', () => {
       expect(errors).toEqual(
         expect.arrayContaining([
           expect.objectContaining({
-            message: `No access (reason: "Missing organization:integrations permission")`,
+            message: `No access (reason: "Missing permission for performing 'oidc:modify' on resource")`,
           }),
         ]),
       );
@@ -742,7 +742,7 @@ describe('update', () => {
       expect(errors).toEqual(
         expect.arrayContaining([
           expect.objectContaining({
-            message: `No access (reason: "Missing organization:integrations permission")`,
+            message: `No access (reason: "Missing permission for performing 'oidc:modify' on resource")`,
           }),
         ]),
       );

integration-tests/tests/api/policy/policy-access.spec.ts

@@ -4,76 +4,6 @@ import { execute } from '../../../testkit/graphql';
 import { initSeed } from '../../../testkit/seed';
 
 describe('Policy Access', () => {
-  describe('Target', () => {
-    const query = graphql(`
-      query TargetSchemaPolicyAccess($selector: TargetSelectorInput!) {
-        target(selector: $selector) {
-          schemaPolicy {
-            mergedRules {
-              severity
-            }
-          }
-        }
-      }
-    `);
-
-    test.concurrent(
-      'should successfully fetch Target.schemaPolicy if the user has access to SETTINGS',
-      async ({ expect }) => {
-        const { createOrg } = await initSeed().createOwner();
-        const { organization, createProject, inviteAndJoinMember } = await createOrg();
-        const { project, target } = await createProject(ProjectType.Single);
-        const adminRole = organization.memberRoles.find(r => r.name === 'Admin');
-
-        if (!adminRole) {
-          throw new Error('Admin role not found');
-        }
-
-        const { member, memberToken, assignMemberRole } = await inviteAndJoinMember();
-        await assignMemberRole({
-          roleId: adminRole.id,
-          userId: member.user.id,
-        });
-
-        const result = await execute({
-          document: query,
-          variables: {
-            selector: {
-              organizationSlug: organization.slug,
-              projectSlug: project.slug,
-              targetSlug: target.slug,
-            },
-          },
-          authToken: memberToken,
-        }).then(r => r.expectNoGraphQLErrors());
-
-        expect(result.target?.schemaPolicy?.mergedRules).not.toBeNull();
-      },
-    );
-
-    test.concurrent(
-      'should fail to fetch Target.schemaPolicy if the user lacks access to SETTINGS',
-      async ({ expect }) => {
-        const { createOrg } = await initSeed().createOwner();
-        const { organization, createProject, inviteAndJoinMember } = await createOrg();
-        const { project, target } = await createProject(ProjectType.Single);
-        const { memberToken } = await inviteAndJoinMember();
-
-        await execute({
-          document: query,
-          variables: {
-            selector: {
-              organizationSlug: organization.slug,
-              projectSlug: project.slug,
-              targetSlug: target.slug,
-            },
-          },
-          authToken: memberToken,
-        }).then(r => r.expectGraphQLErrors());
-      },
-    );
-  });
-
   describe('Project', () => {
     const query = graphql(`
       query ProjectSchemaPolicyAccess($selector: ProjectSelectorInput!) {