personal access token can grant everything the user is allowed to do

Author: n1ru4l

packages/migrations/src/actions/2025.10.17T00-00-00.personal-access-tokens.ts

@@ -10,7 +10,7 @@ export default {
       , "created_at" timestamptz NOT NULL DEFAULT now()
       , "title" text NOT NULL
       , "description" text NOT NULL
-      , "permissions" text[] NOT NULL
+      , "permissions" text[]
       , "assigned_resources" jsonb
       , "hash" text NOT NULL
       , "first_characters" text NOT NULL

packages/services/api/src/modules/audit-logs/providers/audit-logs-types.ts

@@ -347,7 +347,7 @@ export const AuditLogModel = z.union([
     metadata: z.object({
       organizationAccessTokenId: z.string().uuid(),
       userId: z.string().uuid(),
-      permissions: z.array(z.string()),
+      permissions: z.array(z.string()).nullable(),
       assignedResources: ResourceAssignmentModel,
     }),
   }),

packages/services/api/src/modules/organization/lib/organization-access-token-permissions.ts

@@ -147,6 +147,11 @@ export const permissionGroups: Array<PermissionGroup> = [
         title: 'Publish app deployment',
         description: 'Grant access to publishing app deployments.',
       },
+      {
+        id: 'appDeployment:retire',
+        title: 'Retire app deployment',
+        description: 'Grant access to retring app deployments.',
+      },
     ],
   },
 ];

packages/services/api/src/modules/organization/lib/organization-member-permissions.ts

@@ -241,6 +241,64 @@ export const permissionGroups: Array<PermissionGroup> = [
       },
     ],
   },
+  {
+    id: 'api-cli-actions',
+    title: 'CLI/API Actions',
+    permissions: [
+      {
+        id: 'schema:compose',
+        title: 'Compose schema',
+        description: 'Allow using "hive dev" command for local composition.',
+        dependsOn: 'project:describe',
+      },
+      {
+        id: 'schemaCheck:create',
+        title: 'Check schema/service/subgraph',
+        description: 'Allow usage of the "hive schema:check" command.',
+        dependsOn: 'project:describe',
+      },
+      {
+        id: 'schemaVersion:publish',
+        title: 'Publish schema/service/subgraph',
+        description: 'Allow usage of the "hive schema:publish" command.',
+        dependsOn: 'project:describe',
+      },
+      {
+        id: 'schemaVersion:deleteService',
+        title: 'Delete service',
+        description: 'Allow usage of the "hive schema:delete" command.',
+        dependsOn: 'project:describe',
+      },
+      {
+        id: 'appDeployment:create',
+        title: 'Create app deployment',
+        description: 'Grant access to creating app deployments.',
+        dependsOn: 'project:describe',
+      },
+      {
+        id: 'appDeployment:publish',
+        title: 'Publish app deployment',
+        description: 'Grant access to publishing app deployments.',
+        dependsOn: 'project:describe',
+      },
+      {
+        id: 'appDeployment:retire',
+        title: 'Retire app deployment',
+        description: 'Grant access to retring app deployments.',
+        dependsOn: 'project:describe',
+      },
+      {
+        id: 'usage:report',
+        title: 'Report usage data',
+        description: 'Grant access to report usage data.',
+      },
+      {
+        id: 'traces:report',
+        title: 'Report OTEL traces',
+        description: 'Grant access to reporting traces.',
+      },
+    ],
+  },
 ] as const;
 
 function assertAllRulesAreAssigned(excluded: Array<Permission>) {
@@ -267,18 +325,7 @@ function assertAllRulesAreAssigned(excluded: Array<Permission>) {
  * This seems like the easiest way to make sure that all the permissions we have are
  * assignable and exposed via our API.
  */
-assertAllRulesAreAssigned([
-  /** These are CLI only actions for now. */
-  'schema:compose',
-  'schemaCheck:create',
-  'schemaVersion:publish',
-  'schemaVersion:deleteService',
-  'appDeployment:create',
-  'appDeployment:publish',
-  'appDeployment:retire',
-  'usage:report',
-  'traces:report',
-]);
+assertAllRulesAreAssigned([]);
 
 /**
  * List of permissions that are assignable

packages/services/api/src/modules/organization/lib/permissions.ts

@@ -14,3 +14,58 @@ export type PermissionGroup = {
   title: string;
   permissions: Array<PermissionRecord>;
 };
+
+/**
+ * Utility to verify that all the permissions in one permission group are also available in the other permission group.
+ */
+export function assertPermissionGroupsIsSubset(
+  sourceGroups: Array<PermissionGroup>,
+  subsetGroups: Array<PermissionGroup>,
+) {
+  const permissionsInSource = new Set(
+    sourceGroups.flatMap(group => group.permissions.map(permission => permission.id)),
+  );
+  const missing = new Array<string>();
+
+  subsetGroups.forEach(group =>
+    group.permissions.forEach(permission => {
+      if (!permissionsInSource.has(permission.id)) {
+        missing.push(permission.id);
+      }
+    }),
+  );
+
+  if (missing.length) {
+    throw new Error(
+      'The following permissions are missing in the main group.\n- ' + missing.join('\n- '),
+    );
+  }
+}
+
+/**
+ * Folter down a permission group based on a set of input permissions.
+ * E.g. for only showing a list of permissions to assign based on the viewers permissions.
+ */
+export function filterDownPermissionGroups(
+  sourceGroups: Array<PermissionGroup>,
+  permissions: Set<string>,
+) {
+  return sourceGroups
+    .map(group => {
+      const newPermissions = group.permissions.filter(permission => permissions.has(permission.id));
+
+      if (newPermissions.length === group.permissions.length) {
+        return group;
+      }
+
+      if (newPermissions.length === 0) {
+        return null;
+      }
+
+      return {
+        ...group,
+        permissions: newPermissions,
+      };
+    })
+    .filter((p): p is NonNullable<typeof p> => p !== null);
+}

packages/services/api/src/modules/organization/lib/personal-access-token-permissions.ts

@@ -0,0 +1,105 @@
+import * as OrganizationMemberPermissions from './organization-member-permissions';
+import { assertPermissionGroupsIsSubset, PermissionGroup } from './permissions';
+
+export const permissionGroups: Array<PermissionGroup> = [
+  {
+    id: 'organization',
+    title: 'Organization',
+    permissions: [
+      {
+        id: 'organization:describe',
+        title: 'Describe organization',
+        description: 'Fetch information about the specified organization.',
+      },
+    ],
+  },
+  {
+    id: 'project',
+    title: 'Project',
+    permissions: [
+      {
+        id: 'project:describe',
+        title: 'Describe project',
+        description: 'Fetch information about the specified projects.',
+      },
+    ],
+  },
+  {
+    id: 'cli-actions-schema-registry',
+    title: 'CLI/API Actions for Schema Registry',
+    permissions: [
+      {
+        id: 'schema:compose',
+        title: 'Compose schema',
+        description: 'Allow using "hive dev" command for local composition.',
+        dependsOn: 'project:describe',
+      },
+      {
+        id: 'schemaCheck:create',
+        title: 'Check schema/service/subgraph',
+        description: 'Allow usage of the "hive schema:check" command.',
+        dependsOn: 'project:describe',
+      },
+      {
+        id: 'schemaVersion:publish',
+        title: 'Publish schema/service/subgraph',
+        description: 'Allow usage of the "hive schema:publish" command.',
+        dependsOn: 'project:describe',
+      },
+      {
+        id: 'schemaVersion:deleteService',
+        title: 'Delete service',
+        description: 'Allow usage of the "hive schema:delete" command.',
+        dependsOn: 'project:describe',
+      },
+    ],
+  },
+  {
+    id: 'cli-actions-app-deployments',
+    title: 'CLI/API Actions for App Deployments',
+    permissions: [
+      {
+        id: 'appDeployment:create',
+        title: 'Create app deployment',
+        description: 'Grant access to creating app deployments.',
+      },
+      {
+        id: 'appDeployment:publish',
+        title: 'Publish app deployment',
+        description: 'Grant access to publishing app deployments.',
+      },
+      {
+        id: 'appDeployment:retire',
+        title: 'Retire app deployment',
+        description: 'Grant access to retring app deployments.',
+      },
+    ],
+  },
+  {
+    id: 'api-actions-reporting',
+    title: 'API Reporting',
+    permissions: [
+      {
+        id: 'usage:report',
+        title: 'Report usage data',
+        description: 'Grant access to report usage data.',
+      },
+      {
+        id: 'traces:report',
+        title: 'Report OTEL traces',
+        description: 'Grant access to reporting traces.',
+      },
+    ],
+  },
+];
+
+/**
+ * Make sure that the personal access token permissions is always a subset of the
+ * organization member permissions.
+ *
+ * We need to do this because the organization member needs the permissions assigned in order
+ * to assign them to the personal access token.
+ *
+ * If that is not possible we have a inconsistency.
+ */
+assertPermissionGroupsIsSubset(OrganizationMemberPermissions.permissionGroups, permissionGroups);

packages/services/api/src/modules/organization/module.graphql.ts

@@ -86,13 +86,17 @@ export default gql`
     """
     List of permissions that are assigned to the access token.
     A list of available permissions can be retrieved via the 'Organization.availableOrganizationAccessTokenPermissionGroups' field.
+
+    If omitted (or set to null), the personal access token will be granted all permissions of the members role.
     """
-    permissions: [String!]!
+    permissions: [String!]
     """
     Resources on which the permissions should be granted (project, target, service, and app deployments).
     Permissions are inherited by sub-resources.
+
+    If omitted (or set to null), the personal access token will be granted all permissions of the members role.
     """
-    resources: ResourceAssignmentInput!
+    resources: ResourceAssignmentInput
   }
 
   input DeletePersonalAccessTokenInput {
@@ -120,13 +124,13 @@ export default gql`
   }
 
   interface AccessToken {
-    id: ID! @tag(name: "public")
-    title: String! @tag(name: "public")
-    description: String @tag(name: "public")
-    permissions: [String!]! @tag(name: "public")
-    resources: ResourceAssignment! @tag(name: "public")
-    firstCharacters: String! @tag(name: "public")
-    createdAt: DateTime! @tag(name: "public")
+    id: ID!
+    title: String!
+    description: String
+    permissions: [String!]!
+    resources: ResourceAssignment!
+    firstCharacters: String!
+    createdAt: DateTime!
   }
 
   type PersonalAccessToken implements AccessToken {
@@ -514,6 +518,10 @@ export default gql`
     """
     viewerCanManageAccessTokens: Boolean!
     """
+    Whether the viewer can manage personal access tokens.
+    """
+    viewerCanManagePersonalAccessTokens: Boolean!
+    """
     Paginated organization access tokens.
     """
     accessTokens(
@@ -526,12 +534,22 @@ export default gql`
     accessToken(id: ID! @tag(name: "public")): OrganizationAccessToken @tag(name: "public")
   }
 
-  type OrganizationAccessTokenEdge {
+  interface AccessTokenEdge {
+    node: AccessToken!
+    cursor: String!
+  }
+
+  interface AccessTokenConnection {
+    pageInfo: PageInfo!
+    edges: [AccessTokenEdge!]!
+  }
+
+  type OrganizationAccessTokenEdge implements AccessTokenEdge {
     node: OrganizationAccessToken! @tag(name: "public")
     cursor: String! @tag(name: "public")
   }
 
-  type OrganizationAccessTokenConnection {
+  type OrganizationAccessTokenConnection implements AccessTokenConnection {
     pageInfo: PageInfo! @tag(name: "public")
     edges: [OrganizationAccessTokenEdge!]! @tag(name: "public")
   }
@@ -766,6 +784,16 @@ export default gql`
     error: AssignMemberRoleResultError @tag(name: "public")
   }
 
+  type PersonalAccessTokenConnection implements AccessTokenConnection {
+    pageInfo: PageInfo!
+    edges: [PersonalAccessTokenEdge!]!
+  }
+
+  type PersonalAccessTokenEdge implements AccessTokenEdge {
+    node: PersonalAccessToken!
+    cursor: String!
+  }
+
   type Member {
     id: ID!
     user: User! @tag(name: "public")
@@ -777,6 +805,14 @@ export default gql`
     Whether the viewer can remove this member from the organization.
     """
     viewerCanRemove: Boolean!
+    """
+    Paginated list of personal access tokens for the user.
+    """
+    personalAccessTokens(first: Int, after: String): PersonalAccessTokenConnection
+    """
+    Permission groups the member is allowed to assign to personal access tokens.
+    """
+    availablePersonalAccessTokenPermissionGroups: [PermissionGroup!]!
   }
 
   enum ResourceAssignmentModeType {