feat: use session class within contracts manager

graphql-hive · Oct 23, 2024 · fbce7a7 · fbce7a7
1 parent 1cc69a5
commit fbce7a7
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 30 deletions.
diff --git a/packages/services/api/src/modules/auth/lib/authz.ts b/packages/services/api/src/modules/auth/lib/authz.ts
@@ -262,6 +262,9 @@ const actionDefinitions = {
   'appDeployment:retire': defaultAppDeploymentIdentity,
   'laboratory:describe': defaultTargetIdentity,
   'laboratory:modify': defaultTargetIdentity,
+  'schemaContract:describe': defaultTargetIdentity,
+  'schemaContract:create': defaultTargetIdentity,
+  'schemaContract:disable': defaultTargetIdentity,
 } satisfies ActionDefinitionMap;
 
 type ActionDefinitionMap = {

diff --git a/packages/services/api/src/modules/auth/lib/legacy-permissions.ts b/packages/services/api/src/modules/auth/lib/legacy-permissions.ts
@@ -63,6 +63,14 @@ export function transformLegacyPolicies(
         });
         break;
       }
+      case TargetAccessScope.SETTINGS: {
+        policies.push({
+          effect: 'allow',
+          action: ['schemaContract:create', 'schemaContract:disable', 'schemaContract:describe'],
+          resource: [`hrn:${organizationId}:*`],
+        });
+        break;
+      }
     }
   }
 

diff --git a/packages/services/api/src/modules/schema/providers/contracts-manager.ts b/packages/services/api/src/modules/schema/providers/contracts-manager.ts
@@ -2,8 +2,7 @@ import { Injectable, Scope } from 'graphql-modules';
 import type { SchemaCheck, SchemaVersion } from '@hive/storage';
 import type { Target } from '../../../shared/entities';
 import { cache } from '../../../shared/helpers';
-import { AuthManager } from '../../auth/providers/auth-manager';
-import { TargetAccessScope } from '../../auth/providers/scopes';
+import { Session } from '../../auth/lib/authz';
 import { IdTranslator } from '../../shared/providers/id-translator';
 import { Logger } from '../../shared/providers/logger';
 import { Storage } from '../../shared/providers/storage';
@@ -25,7 +24,7 @@ export class ContractsManager {
     logger: Logger,
     private contracts: Contracts,
     private storage: Storage,
-    private authManager: AuthManager,
+    private session: Session,
     private idTranslator: IdTranslator,
     private breakingSchemaChangeUsageHelper: BreakingSchemaChangeUsageHelper,
   ) {
@@ -51,11 +50,14 @@ export class ContractsManager {
       this.idTranslator.translateTargetId(breadcrumb),
     ]);
 
-    await this.authManager.ensureTargetAccess({
-      organization: organizationId,
-      project: projectId,
-      target: targetId,
-      scope: TargetAccessScope.SETTINGS,
+    await this.session.assertPerformAction({
+      action: 'schemaContract:create',
+      organizationId,
+      params: {
+        organizationId,
+        projectId,
+        targetId,
+      },
     });
 
     return await this.contracts.createContract(args);
@@ -86,26 +88,30 @@ export class ContractsManager {
       this.idTranslator.translateTargetId(breadcrumb),
     ]);
 
-    await this.authManager.ensureTargetAccess({
-      organization: organizationId,
-      project: projectId,
-      target: targetId,
-      scope: TargetAccessScope.SETTINGS,
+    await this.session.assertPerformAction({
+      action: 'schemaContract:disable',
+      organizationId,
+      params: {
+        organizationId,
+        projectId,
+        targetId,
+      },
     });
 
     return await this.contracts.disableContract({
       contract,
     });
   }
 
-  async getViewerCanDisableContractForContract(contract: Contract) {
+  async getViewerCanDisableContractForContract(contract: Contract): Promise<boolean> {
     if (contract.isDisabled) {
       return false;
     }
 
     const breadcrumb = await this.storage.getTargetBreadcrumbForTargetId({
       targetId: contract.targetId,
     });
+
     if (!breadcrumb) {
       return false;
     }
@@ -116,12 +122,15 @@ export class ContractsManager {
       this.idTranslator.translateTargetId(breadcrumb),
     ]);
 
-    return await this.authManager
-      .ensureTargetAccess({
-        organization: organizationId,
-        project: projectId,
-        target: targetId,
-        scope: TargetAccessScope.SETTINGS,
+    return await this.session
+      .assertPerformAction({
+        action: 'schemaContract:disable',
+        organizationId,
+        params: {
+          organizationId,
+          projectId,
+          targetId,
+        },
       })
       .then(() => true)
       .catch(() => false);
@@ -132,11 +141,14 @@ export class ContractsManager {
     cursor: string | null;
     first: number | null;
   }) {
-    await this.authManager.ensureTargetAccess({
-      organization: args.target.orgId,
-      project: args.target.projectId,
-      target: args.target.id,
-      scope: TargetAccessScope.SETTINGS,
+    await this.session.assertPerformAction({
+      action: 'schemaContract:describe',
+      organizationId: args.target.orgId,
+      params: {
+        organizationId: args.target.orgId,
+        projectId: args.target.projectId,
+        targetId: args.target.id,
+      },
     });
 
     return this.contracts.getPaginatedContractsByTargetId({
@@ -152,11 +164,13 @@ export class ContractsManager {
     cursor: string | null;
     first: number | null;
   }) {
-    await this.authManager.ensureTargetAccess({
-      organization: args.target.orgId,
-      project: args.target.projectId,
-      target: args.target.id,
-      scope: TargetAccessScope.READ,
+    await this.session.assertPerformAction({
+      action: 'project:describe',
+      organizationId: args.target.orgId,
+      params: {
+        organizationId: args.target.orgId,
+        projectId: args.target.projectId,
+      },
     });
 
     return this.contracts.getPaginatedContractsByTargetId({