wip implementation

Author: n1ru4l

packages/services/api/src/modules/audit-logs/providers/audit-logs-types.ts

@@ -342,6 +342,22 @@ export const AuditLogModel = z.union([
       organizationAccessTokenId: z.string().uuid(),
     }),
   }),
+  z.object({
+    eventType: z.literal('PERSONAL_ACCESS_TOKEN_CREATED'),
+    metadata: z.object({
+      organizationAccessTokenId: z.string().uuid(),
+      userId: z.string().uuid(),
+      permissions: z.array(z.string()),
+      assignedResources: ResourceAssignmentModel,
+    }),
+  }),
+  z.object({
+    eventType: z.literal('PERSONAL_ACCESS_TOKEN_DELETED'),
+    metadata: z.object({
+      organizationAccessTokenId: z.string().uuid(),
+      userId: z.string().uuid(),
+    }),
+  }),
 ]);
 
 export type AuditLogSchemaEvent = z.infer<typeof AuditLogModel>;

packages/services/api/src/modules/auth/lib/authz.ts

@@ -6,6 +6,7 @@ import { AccessError } from '../../../shared/errors';
 import { objectEntries, objectFromEntries } from '../../../shared/helpers';
 import { isUUID } from '../../../shared/is-uuid';
 import type { OrganizationAccessToken } from '../../organization/providers/organization-access-tokens';
+import type { CachedPersonalAccessToken } from '../../organization/providers/personal-access-tokens-cache';
 import { Logger } from '../../shared/providers/logger';
 
 export type AuthorizationPolicyStatement = {
@@ -44,7 +45,6 @@ function parseResourceIdentifier(resource: string) {
   }
 
   // TODO: maybe some stricter validation of the resource id characters
-
   return { organizationId, resourceId: parts[2] };
 }
 
@@ -58,7 +58,12 @@ export type OrganizationAccessTokenActor = {
   organizationAccessToken: OrganizationAccessToken;
 };
 
-type Actor = UserActor | OrganizationAccessTokenActor;
+export type PersonalAccessTokenActor = {
+  type: 'personalAccessToken';
+  personalAccessToken: CachedPersonalAccessToken;
+};
+
+type Actor = UserActor | OrganizationAccessTokenActor | PersonalAccessTokenActor;
 
 /**
  * Abstract session class that is implemented by various ways to identify a session.
@@ -393,6 +398,7 @@ const permissionsByLevel = {
     z.literal('schemaLinting:modifyOrganizationRules'),
     z.literal('auditLog:export'),
     z.literal('accessToken:modify'),
+    z.literal('personalAccessToken:modify'),
   ],
   project: [
     z.literal('project:describe'),
@@ -485,7 +491,7 @@ export function getPermissionGroup(permission: Permission): ResourceLevel {
  * Transforms a flat permission array into an object that groups the permissions per resource level.
  */
 export function permissionsToPermissionsPerResourceLevelAssignment(
-  permissions: Array<Permission>,
+  permissions: Iterable<Permission>,
 ): PermissionsPerResourceLevelAssignment {
   const assignment: PermissionsPerResourceLevelAssignment = {
     organization: new Set(),

packages/services/api/src/modules/organization/index.ts

@@ -4,6 +4,8 @@ import { OrganizationAccessTokensCache } from './providers/organization-access-t
 import { OrganizationManager } from './providers/organization-manager';
 import { OrganizationMemberRoles } from './providers/organization-member-roles';
 import { OrganizationMembers } from './providers/organization-members';
+import { PersonalAccessTokens } from './providers/personal-access-tokens';
+import { PersonalAccessTokensCache } from './providers/personal-access-tokens-cache';
 import { ResourceAssignments } from './providers/resource-assignments';
 import { resolvers } from './resolvers.generated';
 import typeDefs from './module.graphql';
@@ -18,7 +20,9 @@ export const organizationModule = createModule({
     OrganizationMembers,
     OrganizationManager,
     OrganizationAccessTokens,
+    PersonalAccessTokens,
     ResourceAssignments,
     OrganizationAccessTokensCache,
+    PersonalAccessTokensCache,
   ],
 });

packages/services/api/src/modules/organization/lib/resource-assignment-model.ts

@@ -26,6 +26,8 @@ const AssignedServicesModel = z.union([
   WildcardAssignmentMode,
 ]);
 
+type AssignedServices = z.TypeOf<typeof AssignedServicesModel>;
+
 const AssignedAppDeploymentsModel = z.union([
   z.object({
     mode: GranularAssignmentModeModel,
@@ -34,6 +36,8 @@ const AssignedAppDeploymentsModel = z.union([
   WildcardAssignmentMode,
 ]);
 
+type AssignedAppDeployments = z.TypeOf<typeof AssignedAppDeploymentsModel>;
+
 export const TargetAssignmentModel = z.object({
   type: z.literal('target'),
   id: z.string().uuid(),
@@ -49,6 +53,8 @@ const AssignedTargetsModel = z.union([
   WildcardAssignmentMode,
 ]);
 
+type AssignedTargets = z.TypeOf<typeof AssignedTargetsModel>;
+
 const ProjectAssignmentModel = z.object({
   type: z.literal('project'),
   id: z.string().uuid(),
@@ -79,3 +85,111 @@ export const ResourceAssignmentModel = z.union([
  */
 export type ResourceAssignmentGroup = z.TypeOf<typeof ResourceAssignmentModel>;
 export type GranularAssignedProjects = z.TypeOf<typeof GranularAssignedProjectsModel>;
+
+/**
+ * Get the intersection of two resource assignments
+ */
+export function intersectResourceAssignments(
+  a: ResourceAssignmentGroup,
+  b: ResourceAssignmentGroup,
+): ResourceAssignmentGroup {
+  if (a.mode === '*' && b.mode === '*') {
+    return { mode: '*' };
+  }
+
+  if (a.mode === '*') {
+    return b;
+  }
+
+  if (b.mode === '*') {
+    return a;
+  }
+
+  return {
+    mode: 'granular',
+    projects: a.projects
+      .map(projectA => {
+        const projectB = b.projects.find(p => p.id === projectA.id);
+        if (!projectB) {
+          return null;
+        }
+
+        const intersectedTargets = intersectTargets(projectA.targets, projectB.targets);
+
+        return {
+          ...projectA,
+          targets: intersectedTargets,
+        };
+      })
+      .filter((p): p is NonNullable<typeof p> => p !== null),
+  };
+}
+
+function intersectTargets(a: AssignedTargets, b: AssignedTargets): AssignedTargets {
+  if (a.mode === '*' && b.mode === '*') {
+    return { mode: '*' };
+  }
+
+  if (a.mode === '*') {
+    return b;
+  }
+
+  if (b.mode === '*') {
+    return a;
+  }
+
+  const targets = a.targets
+    .map(targetA => {
+      const targetB = b.targets.find(t => t.id === targetA.id);
+      if (!targetB) return null;
+
+      return {
+        ...targetA,
+        services: intersectServices(targetA.services, targetB.services),
+        appDeployments: intersectAppDeployments(targetA.appDeployments, targetB.appDeployments),
+      };
+    })
+    .filter(t => t !== null);
+
+  return { mode: 'granular', targets };
+}
+
+function intersectServices(a: AssignedServices, b: AssignedServices): AssignedServices {
+  if (a.mode === '*' && b.mode === '*') {
+    return { mode: '*' };
+  }
+  if (a.mode === '*') {
+    return b;
+  }
+  if (b.mode === '*') {
+    return a;
+  }
+
+  // Both granular
+  const services = a.services.filter(s => b.services.some(sb => sb.serviceName === s.serviceName));
+  return { mode: 'granular', services };
+}
+
+function intersectAppDeployments(
+  a: AssignedAppDeployments,
+  b: AssignedAppDeployments,
+): AssignedAppDeployments {
+  if (a.mode === '*' && b.mode === '*') {
+    return { mode: '*' };
+  }
+
+  if (a.mode === '*') {
+    return b;
+  }
+
+  if (b.mode === '*') {
+    return a;
+  }
+
+  // Both granular
+  const appDeployments = a.appDeployments.filter(ad =>
+    b.appDeployments.some(bd => bd.type === ad.type && bd.appName === ad.appName),
+  );
+
+  return { mode: 'granular', appDeployments };
+}

packages/services/api/src/modules/organization/providers/organization-access-tokens.ts

@@ -29,14 +29,14 @@ import {
   translateResolvedResourcesToAuthorizationPolicyStatements,
 } from './resource-assignments';
 
-const TitleInputModel = z
+export const TitleInputModel = z
   .string()
   .trim()
   .regex(/^[ a-zA-Z0-9_-]+$/, 'Can only contain letters, numbers, " ", "_", and "-".')
   .min(2, 'Minimum length is 2 characters.')
   .max(100, 'Maximum length is 100 characters.');
 
-const DescriptionInputModel = z
+export const DescriptionInputModel = z
   .string()
   .trim()
   .max(248, 'Maximum length is 248 characters.')

packages/services/api/src/modules/organization/providers/organization-member-roles.ts

@@ -67,6 +67,15 @@ const MemberRoleModel = z
     return {
       ...omit(record, 'legacyScopes'),
       permissions,
+      get allPermissions() {
+        const allPermissions = new Set<Permission>();
+        Object.values(permissions).forEach(set => {
+          set.forEach(permission => {
+            allPermissions.add(permission);
+          });
+        });
+        return allPermissions;
+      },
     };
   });
 

packages/services/api/src/modules/organization/providers/organization-members.ts

@@ -59,6 +59,9 @@ export type OrganizationMembership = {
   createdAt: string;
 };
 
+/** Properties needed from organization. */
+type OrganizationMemberPartial = Pick<Organization, 'id' | 'ownerId'>;
+
 @Injectable({
   scope: Scope.Operation,
   global: true,
@@ -99,7 +102,7 @@ export class OrganizationMembers {
    * them into resource based role assignments.
    */
   private async resolveMemberships(
-    organization: Organization,
+    organization: OrganizationMemberPartial,
     organizationMembers: Array<z.TypeOf<typeof RawOrganizationMembershipModel>>,
   ) {
     const organizationMembershipByUserId = new Map</* userId */ string, OrganizationMembership>();
@@ -164,7 +167,7 @@ export class OrganizationMembers {
   }
 
   async getPaginatedOrganizationMembersForOrganization(
-    organization: Organization,
+    organization: OrganizationMemberPartial,
     args: { first: number | null; after: string | null },
   ) {
     this.logger.debug(
@@ -245,7 +248,7 @@ export class OrganizationMembers {
    * Batched loader function for a organization membership.
    */
   findOrganizationMembership = batchBy(
-    (args: { organization: Organization; userId: string }) => args.organization.id,
+    (args: { organization: OrganizationMemberPartial; userId: string }) => args.organization.id,
     async args => {
       const organization = args[0].organization;
       const userIds = args.map(arg => arg.userId);
@@ -271,7 +274,7 @@ export class OrganizationMembers {
   }
 
   async findOrganizationMembershipByEmail(
-    organization: Organization,
+    organization: OrganizationMemberPartial,
     email: string,
   ): Promise<OrganizationMembership | null> {
     this.logger.debug(

packages/services/api/src/modules/shared/providers/in-memory-rate-limiter.ts

@@ -65,7 +65,13 @@ export class InMemoryRateLimiter {
     const limiter = this.store.ensureLimiter(action, windowSizeInMs, maxActions);
 
     if (
-      !limiter.isAllowed(actor.type === 'user' ? actor.user.id : actor.organizationAccessToken.id)
+      !limiter.isAllowed(
+        actor.type === 'user'
+          ? actor.user.id
+          : actor.type === 'organizationAccessToken'
+            ? actor.organizationAccessToken.id
+            : actor.personalAccessToken.id,
+      )
     ) {
       throw new HiveError(message);
     }

packages/services/server/src/index.ts

@@ -23,6 +23,8 @@ import {
   OrganizationMemberRoles,
   OrganizationMembers,
 } from '@hive/api';
+import { PersonalAccessTokenSessionStrategy } from '@hive/api/modules/auth/lib/personal-access-token-strategy';
+import { PersonalAccessTokensCache } from '@hive/api/modules/organization/providers/personal-access-tokens-cache';
 import { HivePubSub } from '@hive/api/modules/shared/providers/pub-sub';
 import { createRedisClient } from '@hive/api/modules/shared/providers/redis';
 import { TargetsByIdCache } from '@hive/api/modules/target/providers/targets-by-id-cache';
@@ -413,6 +415,13 @@ export async function main() {
         accessTokenValidationCache: registry.injector.get(AccessTokenValidationCache),
       });
 
+    const personalAccessTokenStrategy = (logger: Logger) =>
+      new PersonalAccessTokenSessionStrategy(
+        logger,
+        registry.injector.get(PersonalAccessTokensCache),
+        registry.injector.get(AccessTokenValidationCache),
+      );
+
     const graphqlPath = '/graphql';
     const port = env.http.port;
     const signature = Math.random().toString(16).substr(2);
@@ -443,6 +452,7 @@ export async function main() {
               ),
             }),
           organizationAccessTokenStrategy,
+          personalAccessTokenStrategy,
           (logger: Logger) =>
             new TargetAccessTokenStrategy({
               logger,
@@ -461,7 +471,7 @@ export async function main() {
     });
 
     const authN = new AuthN({
-      strategies: [organizationAccessTokenStrategy],
+      strategies: [organizationAccessTokenStrategy, personalAccessTokenStrategy],
     });
 
     server.route({