diff --git a/.configs/gqlgen.yaml b/.configs/gqlgen.yaml
index ea4ce3fac..879ddcf82 100644
--- a/.configs/gqlgen.yaml
+++ b/.configs/gqlgen.yaml
@@ -41,7 +41,6 @@ autobind:
   - "github.com/nais/api/internal/cost"
   - "github.com/nais/api/internal/deployment"
   - "github.com/nais/api/internal/deployment/deploymentactivity"
-  - "github.com/nais/api/internal/elevation"
   - "github.com/nais/api/internal/environment"
   - "github.com/nais/api/internal/feature"
   - "github.com/nais/api/internal/github/repository"
diff --git a/integration_tests/elevation.lua b/integration_tests/elevation.lua
deleted file mode 100644
index efa0a650b..000000000
--- a/integration_tests/elevation.lua
+++ /dev/null
@@ -1,460 +0,0 @@ -Helper.readK8sResources("k8s_resources/elevation") - -local user = User.new("username-1", "user@example.com", "e") -local otherUser = User.new("username-2", "user2@example.com", "e2") - -local team = Team.new("myteam", "Elevation test team", "#myteam") -team:addOwner(user) - -Test.gql("Create elevation for secret - success", function(t) - t.addHeader("x-user-email", user:email()) - - t.query [[ - mutation { - createElevation(input: { - type: SECRET - team: "myteam" - environmentName: "dev" - resourceName: "test-secret" - reason: "Need to debug database connection issues" - durationMinutes: 30 - }) { - elevation { - id - type - team { - slug - } - teamEnvironment { - name - } - resourceName - user { - email - } - reason - } - } - } - ]] - - t.check { - data = { - createElevation = { - elevation = { - id = Save("elevationID"), - type = "SECRET", - team = { - slug = "myteam", - }, - teamEnvironment = { - name = "dev", - }, - resourceName = "test-secret", - user = { - email = "user@example.com", - }, - reason = "Need to debug database connection issues", - }, - }, - }, - } -end) - -Test.gql("Query elevations - find created elevation", function(t) - t.addHeader("x-user-email", user:email()) - - t.query [[ - query { - me { - ... 
on User { - elevations(input: { - type: SECRET - team: "myteam" - environmentName: "dev" - resourceName: "test-secret" - }) { - id - type - resourceName - reason - } - } - } - } - ]] - - t.check { - data = { - me = { - elevations = { - { - id = State.elevationID, - type = "SECRET", - resourceName = "test-secret", - reason = "Need to debug database connection issues", - }, - }, - }, - }, - } -end) - -Test.gql("Create elevation - reason too short", function(t) - t.addHeader("x-user-email", user:email()) - - t.query [[ - mutation { - createElevation(input: { - type: SECRET - team: "myteam" - environmentName: "dev" - resourceName: "test-secret" - reason: "short" - durationMinutes: 30 - }) { - elevation { - id - } - } - } - ]] - - t.check { - errors = { - { - message = Contains("Reason must be at least 10 characters"), - path = { "createElevation" }, - }, - }, - data = Null, - } -end) - -Test.gql("Create elevation - duration too long", function(t) - t.addHeader("x-user-email", user:email()) - - t.query [[ - mutation { - createElevation(input: { - type: SECRET - team: "myteam" - environmentName: "dev" - resourceName: "test-secret" - reason: "Need to debug database connection issues" - durationMinutes: 120 - }) { - elevation { - id - } - } - } - ]] - - t.check { - errors = { - { - message = Contains("Duration"), - path = { "createElevation" }, - }, - }, - data = Null, - } -end) - -Test.gql("Create elevation - non-team member not authorized", function(t) - t.addHeader("x-user-email", otherUser:email()) - - t.query [[ - mutation { - createElevation(input: { - type: SECRET - team: "myteam" - environmentName: "dev" - resourceName: "test-secret" - reason: "Need to debug database connection issues" - durationMinutes: 30 - }) { - elevation { - id - } - } - } - ]] - - t.check { - errors = { - { - message = Contains("authorized"), - path = { "createElevation" }, - }, - }, - data = Null, - } -end) - -Test.gql("Create elevation - admin user cannot bypass team membership", 
function(t) - -- Create an admin user - local adminUser = User.new("admin-user", "admin@example.com", "admin-ext") - adminUser:admin(true) - - -- Admin tries to create elevation for myteam (where they are NOT a member) - t.addHeader("x-user-email", adminUser:email()) - - t.query [[ - mutation { - createElevation(input: { - type: SECRET - team: "myteam" - environmentName: "dev" - resourceName: "test-secret" - reason: "Admin trying to access team secrets without membership" - durationMinutes: 5 - }) { - elevation { - id - } - } - } - ]] - - t.check { - errors = { - { - message = Contains("authorized"), - path = { "createElevation" }, - }, - }, - data = Null, - } -end) - -Test.gql("Create elevation - user from different team cannot elevate", function(t) - -- Create a second team with otherUser as owner - local otherTeam = Team.new("otherteam", "Other team", "#otherteam") - otherTeam:addOwner(otherUser) - - -- otherUser tries to create elevation for myteam's secret (where they are NOT a member) - t.addHeader("x-user-email", otherUser:email()) - - t.query [[ - mutation { - createElevation(input: { - type: SECRET - team: "myteam" - environmentName: "dev" - resourceName: "test-secret" - reason: "Trying to access another team's secrets" - durationMinutes: 5 - }) { - elevation { - id - } - } - } - ]] - - t.check { - errors = { - { - message = Contains("authorized"), - path = { "createElevation" }, - }, - }, - data = Null, - } -end) - -Test.gql("Create elevation - environment not found", function(t) - t.addHeader("x-user-email", user:email()) - - t.query [[ - mutation { - createElevation(input: { - type: SECRET - team: "myteam" - environmentName: "nonexistent-env" - resourceName: "test-secret" - reason: "Need to debug database connection issues" - durationMinutes: 30 - }) { - elevation { - id - } - } - } - ]] - - t.check { - errors = { - { - message = Contains("Environment"), - path = { "createElevation" }, - }, - }, - data = Null, - } -end) - -Test.gql("Create elevation for 
INSTANCE_EXEC", function(t) - t.addHeader("x-user-email", user:email()) - - t.query [[ - mutation { - createElevation(input: { - type: INSTANCE_EXEC - team: "myteam" - environmentName: "dev" - resourceName: "test-pod" - reason: "Need to debug application startup" - durationMinutes: 15 - }) { - elevation { - id - type - resourceName - } - } - } - ]] - - t.check { - data = { - createElevation = { - elevation = { - id = Save("execElevationID"), - type = "INSTANCE_EXEC", - resourceName = "test-pod", - }, - }, - }, - } -end) - -Test.gql("Create elevation for INSTANCE_PORT_FORWARD", function(t) - t.addHeader("x-user-email", user:email()) - - t.query [[ - mutation { - createElevation(input: { - type: INSTANCE_PORT_FORWARD - team: "myteam" - environmentName: "dev" - resourceName: "test-pod" - reason: "Need to connect to local database" - durationMinutes: 15 - }) { - elevation { - id - type - resourceName - } - } - } - ]] - - t.check { - data = { - createElevation = { - elevation = { - id = Save("portForwardElevationID"), - type = "INSTANCE_PORT_FORWARD", - resourceName = "test-pod", - }, - }, - }, - } -end) - -Test.gql("Create elevation for INSTANCE_DEBUG", function(t) - t.addHeader("x-user-email", user:email()) - - t.query [[ - mutation { - createElevation(input: { - type: INSTANCE_DEBUG - team: "myteam" - environmentName: "dev" - resourceName: "test-pod" - reason: "Need to attach debugger to application" - durationMinutes: 15 - }) { - elevation { - id - type - resourceName - } - } - } - ]] - - t.check { - data = { - createElevation = { - elevation = { - id = Save("debugElevationID"), - type = "INSTANCE_DEBUG", - resourceName = "test-pod", - }, - }, - }, - } -end) - -Test.gql("Query elevations - empty when no match", function(t) - t.addHeader("x-user-email", user:email()) - - t.query [[ - query { - me { - ... 
on User { - elevations(input: { - type: SECRET - team: "myteam" - environmentName: "dev" - resourceName: "nonexistent-secret" - }) { - id - } - } - } - } - ]] - - t.check { - data = { - me = { - elevations = {}, - }, - }, - } -end) - -Test.gql("Query elevations - other user sees empty list", function(t) - t.addHeader("x-user-email", otherUser:email()) - - t.query [[ - query { - me { - ... on User { - elevations(input: { - type: SECRET - team: "myteam" - environmentName: "dev" - resourceName: "test-secret" - }) { - id - } - } - } - } - ]] - - t.check { - data = { - me = { - elevations = {}, - }, - }, - } -end) diff --git a/integration_tests/secrets.lua b/integration_tests/secrets.lua index 6f4e9f4ac..2039a6ae7 100644 --- a/integration_tests/secrets.lua +++ b/integration_tests/secrets.lua 
@@ -470,218 +470,8 @@ Test.gql("Delete secret as non-team member", function(t) } end) -Test.gql("Create secret for elevation test", function(t) - t.addHeader("x-user-email", user:email()) - - t.query [[ - mutation { - createSecret(input: { - name: "test-elevation-secret" - environment: "dev" - team: "myteam" - }) { - secret { - name - } - } - } - ]] - - t.check { - data = { - createSecret = { - secret = { - name = "test-elevation-secret", - }, - }, - }, - } - - -- Add a value - t.query [[ - mutation { - addSecretValue(input: { - name: "test-elevation-secret" - environment: "dev" - team: "myteam" - value: { - name: "api-key", - value: "super-secret-123" - } - }) { - secret { - name - keys - } - } - } - ]] - - t.check { - data = { - addSecretValue = { - secret = { - name = "test-elevation-secret", - keys = { "api-key" }, - }, - }, - }, - } -end) - -Test.gql("Reading secret values WITHOUT elevation should fail", function(t) - t.addHeader("x-user-email", user:email()) - - t.query [[ - query { - team(slug: "myteam") { - environment(name: "dev") { - secret(name: "test-elevation-secret") { - name - values { - name - value - } - } - } - } - } - ]] - - t.check { - errors = { - { - message = Contains("You are authenticated"), - path = { "team", "environment", "secret", "values" }, - }, - }, - data = { - team = { - environment = { - secret = { - name = "test-elevation-secret", - values = Null, - }, - }, - }, - }, - } -end) - -Test.gql("Create elevation for reading secret values", function(t) - t.addHeader("x-user-email", user:email()) - - t.query [[ - mutation { - createElevation(input: { - type: SECRET - team: "myteam" - environmentName: "dev" - resourceName: "test-elevation-secret" - reason: "Testing secret values access with elevation" - durationMinutes: 5 - }) { - elevation { - id - } - } - } - ]] - - t.check { - data = { - createElevation = { - elevation = { - id = Save("elevationID"), - }, - }, - }, - } -end) - -Test.gql("Reading secret values WITH elevation should 
succeed", function(t) - t.addHeader("x-user-email", user:email()) - - t.query [[ - query { - team(slug: "myteam") { - environment(name: "dev") { - secret(name: "test-elevation-secret") { - name - values { - name - value - } - } - } - } - } - ]] - - t.check { - data = { - team = { - environment = { - secret = { - name = "test-elevation-secret", - values = { - { - name = "api-key", - value = "super-secret-123", - }, - }, - }, - }, - }, - }, - } -end) - -Test.gql("Admin user cannot read secret values without team membership", function(t) - -- Create an admin user (not a member of myteam) - local adminUser = User.new("admin-user", "admin@example.com", "admin-ext") - adminUser:admin(true) - - -- Admin tries to read secret values without being a team member - -- Since admin is not a team member, they cannot read secret values even with admin privileges - t.addHeader("x-user-email", adminUser:email()) - - t.query [[ - query { - team(slug: "myteam") { - environment(name: "dev") { - secret(name: "test-elevation-secret") { - name - values { - name - value - } - } - } - } - } - ]] - - -- Admin can see secret metadata but cannot read values without team membership - t.check { - errors = { - { - message = Contains("You are authenticated"), - path = { "team", "environment", "secret", "values" }, - }, - }, - data = { - team = { - environment = { - secret = { - name = "test-elevation-secret", - values = Null, - }, - }, - }, - }, - } -end) +-- Tests for reading secret values now use viewSecretValues mutation +-- The old elevation-based values resolver has been removed Test.gql("Admin can delete secret in other team", function(t) 
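Review bot: The negative tests for the direct `secret { values }` read path are replaced here by the two added comment lines only, and the `@@ -896` hunk below drops the same check inside "viewSecretValues - success with valid reason", so this file no longer asserts anything about the legacy read path. If the resolver was removed from the schema, a query selecting `values` under `secret(name: "test-elevation-secret")` should now fail GraphQL validation rather than authorization, and one retained test checking for that error (a `Contains` on the validation message instead of `"You are authenticated"`) would pin that the old path cannot come back without the membership check. The added comment could also point at the replacement coverage, e.g. `-- Value reads are covered by the viewSecretValues tests below (team membership enforced, admin has no bypass)`. The `Test.gql("Admin can delete secret in other team", ...)` block that closes the hunk continues outside it.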
@@ -806,18 +596,18 @@ Test.gql("Admin can manage secrets but CANNOT read values without team membershi }, } - -- Admin should NOT be able to read secret values (requires team membership + elevation) - local secret = t.query [[ - query { - team(slug: "adminrotest") { - environment(name: "dev") { - secret(name: "admin-managed-secret") { - name - values { - name - value - } - } + -- Admin should NOT be able to read secret values via viewSecretValues (requires team membership) + t.query [[ + mutation { + viewSecretValues(input: { + name: "admin-managed-secret" + environment: "dev" + team: "adminrotest" + reason: "Admin trying to read secret values without team membership" + }) { + values { + name + value } } } @@ -827,19 +617,10 @@ Test.gql("Admin can manage secrets but CANNOT read values without team membershi errors = { { message = Contains("You are authenticated"), - path = { "team", "environment", "secret", "values" }, - }, - }, - data = { - team = { - environment = { - secret = { - name = "admin-managed-secret", - values = Null, - }, - }, + path = { "viewSecretValues" }, }, }, + data = Null, } end) @@ -896,43 +677,7 @@ Test.gql("viewSecretValues - success with valid reason", function(t) }, } - -- First verify that direct read via values resolver fails (requires elevation) - t.query [[ - query { - team(slug: "myteam") { - environment(name: "dev") { - secret(name: "view-test-secret") { - name - values { - name - value - } - } - } - } - } - ]] - - t.check { - errors = { - { - message = Contains("You are authenticated"), - path = { "team", "environment", "secret", "values" }, - }, - }, - data = { - team = { - environment = { - secret = { - name = "view-test-secret", - values = Null, - }, - }, - }, - }, - } - - -- Now use viewSecretValues to read the values (should succeed without separate elevation) + -- Use viewSecretValues to read the values t.query [[ mutation { viewSecretValues(input: { 
diff --git a/integration_tests/secrets_cross_team.lua b/integration_tests/secrets_cross_team.lua index 2ca26ad76..9ad2814a1 100644 --- a/integration_tests/secrets_cross_team.lua +++ b/integration_tests/secrets_cross_team.lua @@ -201,20 +201,20 @@ end) -- Cross-team VALUE read tests (should be BLOCKED) -- ============================================================ -Test.gql("Other team CANNOT see secret values", function(t) +Test.gql("Other team CANNOT see secret values via viewSecretValues", function(t) t.addHeader("x-user-email", otherUser:email()) t.query [[ - query { - team(slug: "alpha") { - environment(name: "dev") { - secret(name: "alpha-secret") { - name - values { - name - value - } - } + mutation { + viewSecretValues(input: { + name: "alpha-secret" + environment: "dev" + team: "alpha" + reason: "Trying to read secret values from another team" + }) { + values { + name + value } } } @@ -224,19 +224,10 @@ Test.gql("Other team CANNOT see secret values", function(t) errors = { { message = Contains("You are authenticated"), - path = { "team", "environment", "secret", "values" }, - }, - }, - data = { - team = { - environment = { - secret = { - name = "alpha-secret", - values = Null, - }, - }, + path = { "viewSecretValues" }, }, }, + data = Null, } end) 
@@ -395,53 +386,20 @@ end) -- Verify team owner still has full access -- ============================================================ -Test.gql("Team owner needs elevation to see values", function(t) +Test.gql("Team owner CAN see values via viewSecretValues", function(t) t.addHeader("x-user-email", teamOwner:email()) - -- First create elevation t.query [[ mutation { - createElevation(input: { - type: SECRET + viewSecretValues(input: { + name: "alpha-secret" + environment: "dev" team: "alpha" - environmentName: "dev" - resourceName: "alpha-secret" reason: "Testing team owner access to secret values" - durationMinutes: 5 }) { - elevation { - id - } - } - } - ]] - - t.check { - data = { - createElevation = { - elevation = { - id = Save("ownerElevationID"), - }, - }, - }, - } -end) - -Test.gql("Team owner CAN see values WITH elevation", function(t) - t.addHeader("x-user-email", teamOwner:email()) - - t.query [[ - query { - team(slug: "alpha") { - environment(name: "dev") { - secret(name: "alpha-secret") { - name - keys - values { - name - value - } - } + values { + name + value } } } @@ -449,17 +407,11 @@ Test.gql("Team owner CAN see values WITH elevation", function(t) t.check { data = { - team = { - environment = { - secret = { - name = "alpha-secret", - keys = { "api-key" }, - values = { - { - name = "api-key", - value = "super-secret-value-123", - }, - }, + viewSecretValues = { + values = { + { + name = "api-key", + value = "super-secret-value-123", }, }, }, diff --git a/internal/auth/authz/queries.go b/internal/auth/authz/queries.go index 2c8e25ec2..632f330ec 100644 --- a/internal/auth/authz/queries.go +++ b/internal/auth/authz/queries.go 
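Review bot: The merged "Team owner CAN see values via viewSecretValues" test in the `@@ -395` hunk asserts only the returned values, although the `reason` it sends exists for the audit trail and the new migration in this commit states that such reads are recorded as `SECRET_VALUES_VIEWED` activity log entries. If the test harness can query the activity log and secrets.lua does not already cover it, a follow-up `t.query` in this test asserting that an entry for `alpha-secret` by `teamOwner` exists would pin the audit behaviour that replaced the elevation records. The `@@ -449,17 +407,11 @@` hunk that closes the section shows fewer lines than its header promises, so part of it may be missing from this view.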
@@ -225,12 +225,6 @@ func CanDeleteSecrets(ctx context.Context, teamSlug slug.Slug) error {
 	return requireTeamAuthorization(ctx, teamSlug, "teams:secrets:delete")
 }
 
-// CanCreateElevation checks if the user can create an elevation for the team.
-// This enforces strict team membership WITHOUT admin bypass for security reasons.
-func CanCreateElevation(ctx context.Context, teamSlug slug.Slug) error {
-	return requireStrictTeamAuthorization(ctx, teamSlug, "teams:elevations:create")
-}
-
 // CanReadSecretValues checks if the user can read secret values for the team.
 // This enforces strict team membership WITHOUT admin bypass for security reasons.
 func CanReadSecretValues(ctx context.Context, teamSlug slug.Slug) error {
diff --git a/internal/cmd/api/http.go b/internal/cmd/api/http.go
index 92c4385bb..48b439a47 100644
--- a/internal/cmd/api/http.go
+++ b/internal/cmd/api/http.go
@@ -20,7 +20,6 @@ import (
 	"github.com/nais/api/internal/database"
 	"github.com/nais/api/internal/database/notify"
 	"github.com/nais/api/internal/deployment"
-	"github.com/nais/api/internal/elevation"
 	"github.com/nais/api/internal/environment"
 	"github.com/nais/api/internal/feature"
 	"github.com/nais/api/internal/github/repository"
@@ -293,7 +292,7 @@ func ConfigureGraph(
 		secretClientCreator = secret.CreatorFromConfig(ctx, k8sClients)
 	}
 
-	elevationClients := watcherMgr.GetDynamicClients()
+	dynamicClients := watcherMgr.GetDynamicClients()
 
 	var costOpts []cost.Option
 	if fakes.WithFakeCostClient {
@@ -314,7 +313,7 @@ func ConfigureGraph(
 	ctx = job.NewLoaderContext(ctx, watchers.JobWatcher, watchers.RunWatcher)
 	ctx = kafkatopic.NewLoaderContext(ctx, watchers.KafkaTopicWatcher)
 	ctx = workload.NewLoaderContext(ctx, watchers.PodWatcher)
-	ctx = secret.NewLoaderContext(ctx, watchers.SecretWatcher, secretClientCreator, elevationClients, clusters, log)
+	ctx = secret.NewLoaderContext(ctx, watchers.SecretWatcher, secretClientCreator, dynamicClients, clusters, log)
 	ctx = aiven.NewLoaderContext(ctx, aivenProjects)
 	ctx = opensearch.NewLoaderContext(ctx, tenantName, watchers.OpenSearchWatcher, aivenClient, log)
 	ctx = valkey.NewLoaderContext(ctx, tenantName, watchers.ValkeyWatcher, aivenClient)
@@ -343,7 +342,6 @@ func ConfigureGraph(
 	ctx = unleash.NewLoaderContext(ctx, tenantName, watchers.UnleashWatcher, bifrostAPIURL, allowedClusters, log)
 	ctx = logging.NewPackageContext(ctx, tenantName, defaultLogDestinations)
 	ctx = environment.NewLoaderContext(ctx, pool)
-	ctx = elevation.NewLoaderContext(ctx, elevationClients, log)
 	ctx = feature.NewLoaderContext(
 		ctx,
 		watchers.UnleashWatcher.Enabled(),
diff --git a/internal/database/migrations/0058_delete_elevation_activity_log.sql b/internal/database/migrations/0058_delete_elevation_activity_log.sql
new file mode 100644
index 000000000..549b921df
--- /dev/null
+++ b/internal/database/migrations/0058_delete_elevation_activity_log.sql
@@ -0,0 +1,10 @@
+-- +goose Up
+-- Delete historical elevation activity log entries
+-- These are replaced by SECRET_VALUES_VIEWED entries in the new system
+DELETE FROM activity_log_entries
+WHERE
+    resource_type = 'ELEVATION'
+;
+
+-- +goose Down
+-- Cannot restore deleted data
diff --git a/internal/elevation/activitylog.go b/internal/elevation/activitylog.go
deleted file mode 100644
index 2e1d27236..000000000
--- a/internal/elevation/activitylog.go
+++ /dev/null
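Review bot: The `DELETE FROM activity_log_entries WHERE resource_type = 'ELEVATION'` in the new migration irreversibly discards the audit records of elevated access, and the `+goose Down` section admits it cannot restore them, so a rollback of this release leaves the activity log with a gap exactly where an investigation would look. The rows seem to be removed because their transformer is unregistered in this commit (the deleted `internal/elevation/activitylog.go`), which is a rendering problem rather than a retention decision; copying them aside first, e.g. `CREATE TABLE activity_log_entries_elevation_archive AS SELECT * FROM activity_log_entries WHERE resource_type = 'ELEVATION';` (archive table name is a suggestion), keeps the DELETE but preserves the evidence and gives the Down step something to restore from. Alternatively keep the rows and let the generic activity-log rendering handle an unknown resource type. Either way the migration comment should state the retention rationale so the deletion is not mistaken for an accident in a later audit.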
@@ -1,47 +0,0 @@ -package elevation - -import ( - "fmt" - "time" - - "github.com/nais/api/internal/activitylog" -) - -const ( - activityLogEntryResourceTypeElevation activitylog.ActivityLogEntryResourceType = "ELEVATION" -) - -func init() { - activitylog.RegisterTransformer(activityLogEntryResourceTypeElevation, func(entry activitylog.GenericActivityLogEntry) (activitylog.ActivityLogEntry, error) { - switch entry.Action { - case activitylog.ActivityLogEntryActionCreated: - data, err := activitylog.UnmarshalData[ElevationCreatedActivityLogEntryData](entry) - if err != nil { - return nil, err - } - - return ElevationCreatedActivityLogEntry{ - GenericActivityLogEntry: entry.WithMessage(fmt.Sprintf("Created elevation for %s access to %s", data.ElevationType, data.TargetResourceName)), - Data: data, - }, nil - default: - return nil, fmt.Errorf("unsupported elevation activity log entry action: %q", entry.Action) - } - }) - - activitylog.RegisterFilter("ELEVATION_CREATED", activitylog.ActivityLogEntryActionCreated, activityLogEntryResourceTypeElevation) -} - -type ElevationCreatedActivityLogEntry struct { - activitylog.GenericActivityLogEntry - Data *ElevationCreatedActivityLogEntryData `json:"data"` -} - -func (ElevationCreatedActivityLogEntry) IsActivityLogEntry() {} - -type ElevationCreatedActivityLogEntryData struct { - ElevationType ElevationType `json:"elevationType"` - TargetResourceName string `json:"targetResourceName"` - Reason string `json:"reason"` - ExpiresAt time.Time `json:"expiresAt"` -} diff --git a/internal/elevation/context.go b/internal/elevation/context.go deleted file mode 100644 index a303355d3..000000000 --- a/internal/elevation/context.go +++ /dev/null 
@@ -1,33 +0,0 @@ -package elevation - -import ( - "context" - - "github.com/sirupsen/logrus" - "k8s.io/client-go/dynamic" -) - -type ctxKey int - -const loadersKey ctxKey = iota - -type clients struct { - k8sClients map[string]dynamic.Interface - log logrus.FieldLogger -} - -func NewLoaderContext(ctx context.Context, k8sClients map[string]dynamic.Interface, log logrus.FieldLogger) context.Context { - return context.WithValue(ctx, loadersKey, &clients{ - k8sClients: k8sClients, - log: log, - }) -} - -func fromContext(ctx context.Context) *clients { - return ctx.Value(loadersKey).(*clients) -} - -func (c *clients) GetClient(environment string) (dynamic.Interface, bool) { - client, exists := c.k8sClients[environment] - return client, exists -} diff --git a/internal/elevation/errors.go b/internal/elevation/errors.go deleted file mode 100644 index 3ed9e4a4a..000000000 --- a/internal/elevation/errors.go +++ /dev/null @@ -1,10 +0,0 @@ -package elevation - -import "github.com/nais/api/internal/graph/apierror" - -var ( - ErrEnvironmentNotFound = apierror.Errorf("Environment does not exist.") - ErrInvalidDuration = apierror.Errorf("Duration must be between 1 and 60 minutes.") - ErrReasonTooShort = apierror.Errorf("Reason must be at least 10 characters.") - ErrNotAuthorized = apierror.Errorf("You are not authorized to perform this action.") -) diff --git a/internal/elevation/model.go b/internal/elevation/model.go deleted file mode 100644 index 87385c95d..000000000 --- a/internal/elevation/model.go +++ /dev/null 
@@ -1,83 +0,0 @@ -package elevation - -import ( - "fmt" - "io" - "strconv" - "time" - - "github.com/nais/api/internal/graph/ident" - "github.com/nais/api/internal/slug" -) - -type Elevation struct { - ID ident.Ident - Type ElevationType - TeamSlug slug.Slug - EnvironmentName string - ResourceName string - UserEmail string - Reason string - CreatedAt time.Time - ExpiresAt time.Time -} - -func (Elevation) IsNode() {} - -type ElevationType string - -const ( - ElevationTypeSecret ElevationType = "SECRET" - ElevationTypeExec ElevationType = "INSTANCE_EXEC" - ElevationTypePortForward ElevationType = "INSTANCE_PORT_FORWARD" - ElevationTypeDebug ElevationType = "INSTANCE_DEBUG" -) - -func (e ElevationType) IsValid() bool { - switch e { - case ElevationTypeSecret, ElevationTypeExec, ElevationTypePortForward, ElevationTypeDebug: - return true - } - return false -} - -func (e ElevationType) String() string { - return string(e) -} - -func (e *ElevationType) UnmarshalGQL(v any) error { - str, ok := v.(string) - if !ok { - return fmt.Errorf("enums must be strings") - } - - *e = ElevationType(str) - if !e.IsValid() { - return fmt.Errorf("%s is not a valid ElevationType", str) - } - return nil -} - -func (e ElevationType) MarshalGQL(w io.Writer) { - fmt.Fprint(w, strconv.Quote(e.String())) -} - -type ElevationInput struct { - Type ElevationType - Team slug.Slug - EnvironmentName string - ResourceName string -} - -type CreateElevationInput struct { - Type ElevationType - Team slug.Slug - EnvironmentName string - ResourceName string - Reason string - DurationMinutes int -} - -type CreateElevationPayload struct { - Elevation *Elevation -} diff --git a/internal/elevation/node.go b/internal/elevation/node.go deleted file mode 100644 index b5cd094db..000000000 --- a/internal/elevation/node.go +++ /dev/null 
@@ -1,37 +0,0 @@ -package elevation - -import ( - "context" - "fmt" - - "github.com/nais/api/internal/graph/ident" - "github.com/nais/api/internal/slug" -) - -type identType int - -const identKey identType = iota - -func init() { - ident.RegisterIdentType(identKey, "ELEV", GetByIdent) -} - -func newIdent(teamSlug slug.Slug, environmentName, elevationID string) ident.Ident { - return ident.NewIdent(identKey, teamSlug.String(), environmentName, elevationID) -} - -func parseIdent(id ident.Ident) (teamSlug slug.Slug, environmentName, elevationID string, err error) { - parts := id.Parts() - if len(parts) != 3 { - return "", "", "", fmt.Errorf("invalid elevation ident") - } - return slug.Slug(parts[0]), parts[1], parts[2], nil -} - -func GetByIdent(ctx context.Context, id ident.Ident) (*Elevation, error) { - teamSlug, environmentName, elevationID, err := parseIdent(id) - if err != nil { - return nil, err - } - return Get(ctx, teamSlug, environmentName, elevationID) -} diff --git a/internal/elevation/queries.go b/internal/elevation/queries.go deleted file mode 100644 index 0280512ba..000000000 --- a/internal/elevation/queries.go +++ /dev/null 
@@ -1,356 +0,0 @@
-package elevation
-
-import (
- "context"
- "fmt"
- "strconv"
- "time"
-
- "github.com/google/uuid"
- "github.com/nais/api/internal/activitylog"
- "github.com/nais/api/internal/auth/authz"
- "github.com/nais/api/internal/database"
- "github.com/nais/api/internal/environmentmapper"
- "github.com/nais/api/internal/slug"
- rbacv1 "k8s.io/api/rbac/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
- "k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const (
- labelElevation = "nais.io/elevation"
- labelElevationType = "nais.io/elevation-type"
- labelKillAfter = "euthanaisa.nais.io/kill-after"
- annotationElevationResource = "nais.io/elevation-resource"
- annotationElevationUser = "nais.io/elevation-user"
- annotationElevationReason = "nais.io/elevation-reason"
- annotationElevationCreated = "nais.io/elevation-created"
- annotationElevationType = "nais.io/elevation-type"
- annotationElevationNamespace = "nais.io/elevation-namespace"
-)
-
-var (
- roleGVR = schema.GroupVersionResource{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "roles"}
- roleBindingGVR = schema.GroupVersionResource{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "rolebindings"}
-)
-
-func Create(ctx context.Context, input *CreateElevationInput, actor *authz.Actor) (*Elevation, error) {
- if err := validateInput(input); err != nil {
- return nil, err
- }
-
- if err := authz.CanCreateElevation(ctx, input.Team); err != nil {
- return nil, ErrNotAuthorized
- }
-
- clients := fromContext(ctx)
- k8sClient, exists := clients.GetClient(environmentmapper.ClusterName(input.EnvironmentName))
- if !exists {
- return nil, ErrEnvironmentNotFound
- }
-
- elevationID := generateElevationID()
- namespace := input.Team.String()
- expiresAt := time.Now().Add(time.Duration(input.DurationMinutes) * time.Minute)
- createdAt := time.Now()
-
- role := buildRoleUnstructured(elevationID, namespace, input, actor, createdAt, expiresAt)
- _, err := k8sClient.Resource(roleGVR).Namespace(namespace).Create(ctx, role, metav1.CreateOptions{})
- if err != nil {
- clients.log.WithError(err).WithField("namespace", namespace).Error("failed to create elevation role")
- return nil, fmt.Errorf("creating role: %w", err)
- }
-
- roleBinding := buildRoleBindingUnstructured(elevationID, namespace, actor, createdAt, expiresAt)
- _, err = k8sClient.Resource(roleBindingGVR).Namespace(namespace).Create(ctx, roleBinding, metav1.CreateOptions{})
- if err != nil {
- clients.log.WithError(err).WithField("namespace", namespace).Error("failed to create elevation rolebinding")
- _ = k8sClient.Resource(roleGVR).Namespace(namespace).Delete(ctx, elevationID, metav1.DeleteOptions{})
- return nil, fmt.Errorf("creating rolebinding: %w", err)
- }
-
- if err := logElevationCreated(ctx, elevationID, namespace, input, actor, expiresAt); err != nil {
- clients.log.WithError(err).Error("failed to log elevation creation")
- }
-
- return &Elevation{
- ID: newIdent(input.Team, input.EnvironmentName, elevationID),
- Type: input.Type,
- TeamSlug: input.Team,
- EnvironmentName: input.EnvironmentName,
- ResourceName: input.ResourceName,
- UserEmail: actor.User.Identity(),
- Reason: input.Reason,
- CreatedAt: createdAt,
- ExpiresAt: expiresAt,
- }, nil
-}
-
-func validateInput(input *CreateElevationInput) error {
- if !input.Type.IsValid() {
- return fmt.Errorf("invalid elevation type: %s", input.Type)
- }
-
- if len(input.Reason) < 10 {
- return ErrReasonTooShort
- }
-
- if input.DurationMinutes < 1 || input.DurationMinutes > 60 {
- return ErrInvalidDuration
- }
-
- return nil
-}
-
-func generateElevationID() string {
- return fmt.Sprintf("elev-%s", uuid.New().String()[:8])
-}
-
-func buildRoleUnstructured(elevationID, namespace string, input *CreateElevationInput, actor *authz.Actor, createdAt, expiresAt time.Time) *unstructured.Unstructured {
- rules := getRoleRules(input.Type, input.ResourceName)
- rulesUnstructured := make([]any, len(rules))
- for i, rule := range rules {
- // Convert string slices to []any for proper unstructured serialization
- apiGroups := make([]any, len(rule.APIGroups))
- for j, v := range rule.APIGroups {
- apiGroups[j] = v
- }
- resources := make([]any, len(rule.Resources))
- for j, v := range rule.Resources {
- resources[j] = v
- }
- verbs := make([]any, len(rule.Verbs))
- for j, v := range rule.Verbs {
- verbs[j] = v
- }
- resourceNames := make([]any, len(rule.ResourceNames))
- for j, v := range rule.ResourceNames {
- resourceNames[j] = v
- }
- rulesUnstructured[i] = map[string]any{
- "apiGroups": apiGroups,
- "resources": resources,
- "verbs": verbs,
- "resourceNames": resourceNames,
- }
- }
-
- return &unstructured.Unstructured{
- Object: map[string]any{
- "apiVersion": "rbac.authorization.k8s.io/v1",
- "kind": "Role",
- "metadata": map[string]any{
- "name": elevationID,
- "namespace": namespace,
- "labels": map[string]any{
- labelElevation: "true",
- labelElevationType: string(input.Type),
- labelKillAfter: strconv.FormatInt(expiresAt.Unix(), 10),
- },
- "annotations": map[string]any{
- annotationElevationResource: input.ResourceName,
- annotationElevationUser: actor.User.Identity(),
- annotationElevationReason: input.Reason,
- annotationElevationCreated: createdAt.Format(time.RFC3339),
- annotationElevationType: string(input.Type),
- annotationElevationNamespace: namespace,
- },
- },
- "rules": rulesUnstructured,
- },
- }
-}
-
-func buildRoleBindingUnstructured(elevationID, namespace string, actor *authz.Actor, createdAt, expiresAt time.Time) *unstructured.Unstructured {
- return &unstructured.Unstructured{
- Object: map[string]any{
- "apiVersion": "rbac.authorization.k8s.io/v1",
- "kind": "RoleBinding",
- "metadata": map[string]any{
- "name": elevationID,
- "namespace": namespace,
- "labels": map[string]any{
- labelElevation: "true",
- labelKillAfter: strconv.FormatInt(expiresAt.Unix(), 10),
- },
- "annotations": map[string]any{
- annotationElevationCreated: createdAt.Format(time.RFC3339),
- },
- },
- "roleRef": map[string]any{
- "apiGroup": "rbac.authorization.k8s.io",
- "kind": "Role",
- "name": elevationID,
- },
- "subjects": []any{
- map[string]any{
- "apiGroup": "rbac.authorization.k8s.io",
- "kind": "User",
- "name": actor.User.Identity(),
- },
- },
- },
- }
-}
-
-func getRoleRules(elevationType ElevationType, resourceName string) []rbacv1.PolicyRule {
- var rule rbacv1.PolicyRule
-
- switch elevationType {
- case ElevationTypeSecret:
- rule = rbacv1.PolicyRule{
- APIGroups: []string{""},
- Resources: []string{"secrets"},
- Verbs: []string{"get"},
- ResourceNames: []string{resourceName},
- }
- case ElevationTypeExec:
- rule = rbacv1.PolicyRule{
- APIGroups: []string{""},
- Resources: []string{"pods/exec"},
- Verbs: []string{"create"},
- ResourceNames: []string{resourceName},
- }
- case ElevationTypePortForward:
- rule = rbacv1.PolicyRule{
- APIGroups: []string{""},
- Resources: []string{"pods/portforward"},
- Verbs: []string{"create"},
- ResourceNames: []string{resourceName},
- }
- case ElevationTypeDebug:
- rule = rbacv1.PolicyRule{
- APIGroups: []string{""},
- Resources: []string{"pods/ephemeralcontainers"},
- Verbs: []string{"patch"},
- ResourceNames: []string{resourceName},
- }
- }
-
- return []rbacv1.PolicyRule{rule}
-}
-
-func logElevationCreated(ctx context.Context, elevationID, namespace string, input *CreateElevationInput, actor *authz.Actor, expiresAt time.Time) error {
- return database.Transaction(ctx, func(ctx context.Context) error {
- return activitylog.Create(ctx, activitylog.CreateInput{
- Actor: actor.User,
- Action: activitylog.ActivityLogEntryActionCreated,
- ResourceType: activityLogEntryResourceTypeElevation,
- ResourceName: elevationID,
- TeamSlug: &input.Team,
- EnvironmentName: &input.EnvironmentName,
- Data: &ElevationCreatedActivityLogEntryData{
- ElevationType: input.Type,
- TargetResourceName: input.ResourceName,
- Reason: input.Reason,
- ExpiresAt: expiresAt,
- },
- })
- })
-}
-
-// Get returns a specific elevation by team, environment and elevation ID
-func Get(ctx context.Context, teamSlug slug.Slug, environmentName, elevationID string) (*Elevation, error) {
- clients := fromContext(ctx)
-
- k8sClient, exists := clients.GetClient(environmentmapper.ClusterName(environmentName))
- if !exists {
- return nil, ErrEnvironmentNotFound
- }
-
- namespace := teamSlug.String()
-
- role, err := k8sClient.Resource(roleGVR).Namespace(namespace).Get(ctx, elevationID, metav1.GetOptions{})
- if err != nil {
- return nil, fmt.Errorf("getting role: %w", err)
- }
-
- // Verify this is actually an elevation role
- labels := role.GetLabels()
- if labels[labelElevation] != "true" {
- return nil, fmt.Errorf("role is not an elevation")
- }
-
- return unstructuredToElevation(role, environmentName)
-}
-
-// List returns active elevations for the specified user by type, team, environment and resourceName
-func List(ctx context.Context, input *ElevationInput, userEmail string) ([]*Elevation, error) {
- clients := fromContext(ctx)
-
- k8sClient, exists := clients.GetClient(environmentmapper.ClusterName(input.EnvironmentName))
- if !exists {
- return []*Elevation{}, nil // Environment not found, return empty list
- }
-
- namespace := input.Team.String()
-
- roles, err := k8sClient.Resource(roleGVR).Namespace(namespace).List(ctx, metav1.ListOptions{
- LabelSelector: fmt.Sprintf("%s=true,%s=%s", labelElevation, labelElevationType, string(input.Type)),
- })
- if err != nil {
- return nil, fmt.Errorf("listing roles: %w", err)
- }
-
- var elevations []*Elevation
- for _, role := range roles.Items {
- annotations := role.GetAnnotations()
- // Filter by user
- if annotations[annotationElevationUser] != userEmail {
- continue
- }
- // Filter by resourceName
- if annotations[annotationElevationResource] != input.ResourceName {
- continue
- }
-
- elev, err := unstructuredToElevation(&role, input.EnvironmentName)
- if err != nil {
- clients.log.WithError(err).WithField("role", role.GetName()).Debug("failed to convert role to elevation")
- continue
- }
- elevations = append(elevations, elev)
- }
-
- return elevations, nil
-}
-
-// unstructuredToElevation converts an unstructured Role to an Elevation
-func unstructuredToElevation(role *unstructured.Unstructured, environmentName string) (*Elevation, error) {
- annotations := role.GetAnnotations()
- labels := role.GetLabels()
-
- elevationType := ElevationType(annotations[annotationElevationType])
- if !elevationType.IsValid() {
- elevationType = ElevationType(labels[labelElevationType])
- }
-
- createdAtStr := annotations[annotationElevationCreated]
- createdAt, err := time.Parse(time.RFC3339, createdAtStr)
- if err != nil {
- createdAt = role.GetCreationTimestamp().Time
- }
-
- var expiresAt time.Time
- expiresAtUnix, parseErr := strconv.ParseInt(labels[labelKillAfter], 10, 64)
- if parseErr != nil {
- expiresAt = createdAt.Add(time.Hour)
- } else {
- expiresAt = time.Unix(expiresAtUnix, 0)
- }
-
- teamSlug := slug.Slug(role.GetNamespace())
-
- return &Elevation{
- ID: newIdent(teamSlug, environmentName, role.GetName()),
- Type: elevationType,
- TeamSlug: teamSlug,
- EnvironmentName: environmentName,
- ResourceName: annotations[annotationElevationResource],
- UserEmail: annotations[annotationElevationUser],
- Reason: annotations[annotationElevationReason],
- CreatedAt: createdAt,
- ExpiresAt: expiresAt,
- }, nil
-}
diff --git a/internal/graph/elevation.resolvers.go b/internal/graph/elevation.resolvers.go
deleted file mode 100644
index 0b0a07037..000000000
--- a/internal/graph/elevation.resolvers.go
+++ /dev/null
@@ -1,44 +0,0 @@
-package graph
-
-import (
- "context"
-
- "github.com/nais/api/internal/auth/authz"
- "github.com/nais/api/internal/elevation"
- "github.com/nais/api/internal/graph/gengql"
- "github.com/nais/api/internal/team"
- "github.com/nais/api/internal/user"
-)
-
-func (r *elevationResolver) Team(ctx context.Context, obj *elevation.Elevation) (*team.Team, error) {
- return team.Get(ctx, obj.TeamSlug)
-}
-
-func (r *elevationResolver) TeamEnvironment(ctx context.Context, obj *elevation.Elevation) (*team.TeamEnvironment, error) {
- return team.GetTeamEnvironment(ctx, obj.TeamSlug, obj.EnvironmentName)
-}
-
-func (r *elevationResolver) User(ctx context.Context, obj *elevation.Elevation) (*user.User, error) {
- return user.GetByEmail(ctx, obj.UserEmail)
-}
-
-func (r *mutationResolver) CreateElevation(ctx context.Context, input elevation.CreateElevationInput) (*elevation.CreateElevationPayload, error) {
- actor := authz.ActorFromContext(ctx)
-
- elev, err := elevation.Create(ctx, &input, actor)
- if err != nil {
- return nil, err
- }
-
- return &elevation.CreateElevationPayload{
- Elevation: elev,
- }, nil
-}
-
-func (r *userResolver) Elevations(ctx context.Context, obj *user.User, input elevation.ElevationInput) ([]*elevation.Elevation, error) {
- return elevation.List(ctx, &input, obj.Email)
-}
-
-func (r *Resolver) Elevation() gengql.ElevationResolver { return &elevationResolver{r} }
-
-type elevationResolver struct{ *Resolver }
diff --git a/internal/graph/gengql/activitylog.generated.go b/internal/graph/gengql/activitylog.generated.go
index 5212aa06d..bd7a7c0c0 100644
--- a/internal/graph/gengql/activitylog.generated.go
+++ b/internal/graph/gengql/activitylog.generated.go
@@ -13,7 +13,6 @@ import ( "github.com/99designs/gqlgen/graphql" "github.com/nais/api/internal/activitylog" "github.com/nais/api/internal/deployment/deploymentactivity" - "github.com/nais/api/internal/elevation" "github.com/nais/api/internal/github/repository" "github.com/nais/api/internal/graph/pagination" "github.com/nais/api/internal/kubernetes/event/pubsublog" @@ -547,13 +546,6 @@ func (ec *executionContext) _ActivityLogEntry(ctx context.Context, sel ast.Selec return graphql.Null } return ec._JobDeletedActivityLogEntry(ctx, sel, obj) - case elevation.ElevationCreatedActivityLogEntry: - return ec._ElevationCreatedActivityLogEntry(ctx, sel, &obj) - case *elevation.ElevationCreatedActivityLogEntry: - if obj == nil { - return graphql.Null - } - return ec._ElevationCreatedActivityLogEntry(ctx, sel, obj) case deploymentactivity.DeploymentActivityLogEntry: return ec._DeploymentActivityLogEntry(ctx, sel, &obj) case *deploymentactivity.DeploymentActivityLogEntry: diff --git a/internal/graph/gengql/alerts.generated.go b/internal/graph/gengql/alerts.generated.go index 593b37591..1b1e7e18e 100644 --- a/internal/graph/gengql/alerts.generated.go +++ b/internal/graph/gengql/alerts.generated.go @@ -481,8 +481,6 @@ func (ec *executionContext) fieldContext_PrometheusAlert_team(_ context.Context, return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": diff --git a/internal/graph/gengql/applications.generated.go b/internal/graph/gengql/applications.generated.go index 061f30d59..2863074bb 100644 --- a/internal/graph/gengql/applications.generated.go +++ b/internal/graph/gengql/applications.generated.go 
@@ -442,8 +442,6 @@ func (ec *executionContext) fieldContext_Application_team(_ context.Context, fie return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": @@ -3545,8 +3543,6 @@ func (ec *executionContext) fieldContext_DeleteApplicationPayload_team(_ context return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": diff --git a/internal/graph/gengql/bigquery.generated.go b/internal/graph/gengql/bigquery.generated.go index ea85b6f2d..39f3680a0 100644 --- a/internal/graph/gengql/bigquery.generated.go +++ b/internal/graph/gengql/bigquery.generated.go @@ -179,8 +179,6 @@ func (ec *executionContext) fieldContext_BigQueryDataset_team(_ context.Context, return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": diff --git a/internal/graph/gengql/bucket.generated.go b/internal/graph/gengql/bucket.generated.go index 53ddaff73..274f52f64 100644 --- a/internal/graph/gengql/bucket.generated.go +++ b/internal/graph/gengql/bucket.generated.go 
@@ -144,8 +144,6 @@ func (ec *executionContext) fieldContext_Bucket_team(_ context.Context, field gr return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": diff --git a/internal/graph/gengql/elevation.generated.go b/internal/graph/gengql/elevation.generated.go deleted file mode 100644 index f5bc7dbbc..000000000 --- a/internal/graph/gengql/elevation.generated.go +++ /dev/null 
@@ -1,1443 +0,0 @@ -// Code generated by github.com/99designs/gqlgen, DO NOT EDIT. - -package gengql - -import ( - "context" - "errors" - "fmt" - "strconv" - "sync" - "sync/atomic" - - "github.com/99designs/gqlgen/graphql" - "github.com/nais/api/internal/elevation" - "github.com/nais/api/internal/team" - "github.com/nais/api/internal/user" - "github.com/vektah/gqlparser/v2/ast" -) - -// region ************************** generated!.gotpl ************************** - -type ElevationResolver interface { - Team(ctx context.Context, obj *elevation.Elevation) (*team.Team, error) - TeamEnvironment(ctx context.Context, obj *elevation.Elevation) (*team.TeamEnvironment, error) - - User(ctx context.Context, obj *elevation.Elevation) (*user.User, error) -} - -// endregion ************************** generated!.gotpl ************************** - -// region ***************************** args.gotpl ***************************** - -// endregion ***************************** args.gotpl ***************************** - -// region ************************** directives.gotpl ************************** - -// endregion ************************** directives.gotpl ************************** - -// region **************************** field.gotpl ***************************** - -func (ec *executionContext) _CreateElevationPayload_elevation(ctx context.Context, field graphql.CollectedField, obj *elevation.CreateElevationPayload) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_CreateElevationPayload_elevation, - func(ctx context.Context) (any, error) { - return obj.Elevation, nil - }, - nil, - ec.marshalNElevation2ᚖgithubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐElevation, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_CreateElevationPayload_elevation(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "CreateElevationPayload", - Field: field, 
- IsMethod: false, - IsResolver: false, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - switch field.Name { - case "id": - return ec.fieldContext_Elevation_id(ctx, field) - case "type": - return ec.fieldContext_Elevation_type(ctx, field) - case "team": - return ec.fieldContext_Elevation_team(ctx, field) - case "teamEnvironment": - return ec.fieldContext_Elevation_teamEnvironment(ctx, field) - case "resourceName": - return ec.fieldContext_Elevation_resourceName(ctx, field) - case "user": - return ec.fieldContext_Elevation_user(ctx, field) - case "reason": - return ec.fieldContext_Elevation_reason(ctx, field) - case "createdAt": - return ec.fieldContext_Elevation_createdAt(ctx, field) - case "expiresAt": - return ec.fieldContext_Elevation_expiresAt(ctx, field) - } - return nil, fmt.Errorf("no field named %q was found under type Elevation", field.Name) - }, - } - return fc, nil -} - -func (ec *executionContext) _Elevation_id(ctx context.Context, field graphql.CollectedField, obj *elevation.Elevation) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_Elevation_id, - func(ctx context.Context) (any, error) { - return obj.ID, nil - }, - nil, - ec.marshalNID2githubᚗcomᚋnaisᚋapiᚋinternalᚋgraphᚋidentᚐIdent, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_Elevation_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "Elevation", - Field: field, - IsMethod: false, - IsResolver: false, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type ID does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _Elevation_type(ctx context.Context, field graphql.CollectedField, obj *elevation.Elevation) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - 
ec.OperationContext, - field, - ec.fieldContext_Elevation_type, - func(ctx context.Context) (any, error) { - return obj.Type, nil - }, - nil, - ec.marshalNElevationType2githubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐElevationType, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_Elevation_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "Elevation", - Field: field, - IsMethod: false, - IsResolver: false, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type ElevationType does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _Elevation_team(ctx context.Context, field graphql.CollectedField, obj *elevation.Elevation) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_Elevation_team, - func(ctx context.Context) (any, error) { - return ec.resolvers.Elevation().Team(ctx, obj) - }, - nil, - ec.marshalNTeam2ᚖgithubᚗcomᚋnaisᚋapiᚋinternalᚋteamᚐTeam, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_Elevation_team(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "Elevation", - Field: field, - IsMethod: true, - IsResolver: true, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - switch field.Name { - case "id": - return ec.fieldContext_Team_id(ctx, field) - case "slug": - return ec.fieldContext_Team_slug(ctx, field) - case "slackChannel": - return ec.fieldContext_Team_slackChannel(ctx, field) - case "purpose": - return ec.fieldContext_Team_purpose(ctx, field) - case "externalResources": - return ec.fieldContext_Team_externalResources(ctx, field) - case "member": - return ec.fieldContext_Team_member(ctx, field) - case "members": - return 
ec.fieldContext_Team_members(ctx, field) - case "lastSuccessfulSync": - return ec.fieldContext_Team_lastSuccessfulSync(ctx, field) - case "deletionInProgress": - return ec.fieldContext_Team_deletionInProgress(ctx, field) - case "viewerIsOwner": - return ec.fieldContext_Team_viewerIsOwner(ctx, field) - case "viewerIsMember": - return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) - case "environments": - return ec.fieldContext_Team_environments(ctx, field) - case "environment": - return ec.fieldContext_Team_environment(ctx, field) - case "deleteKey": - return ec.fieldContext_Team_deleteKey(ctx, field) - case "inventoryCounts": - return ec.fieldContext_Team_inventoryCounts(ctx, field) - case "activityLog": - return ec.fieldContext_Team_activityLog(ctx, field) - case "alerts": - return ec.fieldContext_Team_alerts(ctx, field) - case "applications": - return ec.fieldContext_Team_applications(ctx, field) - case "bigQueryDatasets": - return ec.fieldContext_Team_bigQueryDatasets(ctx, field) - case "buckets": - return ec.fieldContext_Team_buckets(ctx, field) - case "cost": - return ec.fieldContext_Team_cost(ctx, field) - case "deploymentKey": - return ec.fieldContext_Team_deploymentKey(ctx, field) - case "deployments": - return ec.fieldContext_Team_deployments(ctx, field) - case "issues": - return ec.fieldContext_Team_issues(ctx, field) - case "jobs": - return ec.fieldContext_Team_jobs(ctx, field) - case "kafkaTopics": - return ec.fieldContext_Team_kafkaTopics(ctx, field) - case "openSearches": - return ec.fieldContext_Team_openSearches(ctx, field) - case "repositories": - return ec.fieldContext_Team_repositories(ctx, field) - case "secrets": - return ec.fieldContext_Team_secrets(ctx, field) - case "sqlInstances": - return ec.fieldContext_Team_sqlInstances(ctx, field) - case "unleash": - return ec.fieldContext_Team_unleash(ctx, field) - case "workloadUtilization": - return 
ec.fieldContext_Team_workloadUtilization(ctx, field) - case "serviceUtilization": - return ec.fieldContext_Team_serviceUtilization(ctx, field) - case "valkeys": - return ec.fieldContext_Team_valkeys(ctx, field) - case "imageVulnerabilityHistory": - return ec.fieldContext_Team_imageVulnerabilityHistory(ctx, field) - case "vulnerabilityFixHistory": - return ec.fieldContext_Team_vulnerabilityFixHistory(ctx, field) - case "vulnerabilitySummary": - return ec.fieldContext_Team_vulnerabilitySummary(ctx, field) - case "vulnerabilitySummaries": - return ec.fieldContext_Team_vulnerabilitySummaries(ctx, field) - case "workloads": - return ec.fieldContext_Team_workloads(ctx, field) - } - return nil, fmt.Errorf("no field named %q was found under type Team", field.Name) - }, - } - return fc, nil -} - -func (ec *executionContext) _Elevation_teamEnvironment(ctx context.Context, field graphql.CollectedField, obj *elevation.Elevation) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_Elevation_teamEnvironment, - func(ctx context.Context) (any, error) { - return ec.resolvers.Elevation().TeamEnvironment(ctx, obj) - }, - nil, - ec.marshalNTeamEnvironment2ᚖgithubᚗcomᚋnaisᚋapiᚋinternalᚋteamᚐTeamEnvironment, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_Elevation_teamEnvironment(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "Elevation", - Field: field, - IsMethod: true, - IsResolver: true, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - switch field.Name { - case "id": - return ec.fieldContext_TeamEnvironment_id(ctx, field) - case "name": - return ec.fieldContext_TeamEnvironment_name(ctx, field) - case "gcpProjectID": - return ec.fieldContext_TeamEnvironment_gcpProjectID(ctx, field) - case "slackAlertsChannel": - return 
ec.fieldContext_TeamEnvironment_slackAlertsChannel(ctx, field) - case "team": - return ec.fieldContext_TeamEnvironment_team(ctx, field) - case "alerts": - return ec.fieldContext_TeamEnvironment_alerts(ctx, field) - case "application": - return ec.fieldContext_TeamEnvironment_application(ctx, field) - case "bigQueryDataset": - return ec.fieldContext_TeamEnvironment_bigQueryDataset(ctx, field) - case "bucket": - return ec.fieldContext_TeamEnvironment_bucket(ctx, field) - case "cost": - return ec.fieldContext_TeamEnvironment_cost(ctx, field) - case "environment": - return ec.fieldContext_TeamEnvironment_environment(ctx, field) - case "job": - return ec.fieldContext_TeamEnvironment_job(ctx, field) - case "kafkaTopic": - return ec.fieldContext_TeamEnvironment_kafkaTopic(ctx, field) - case "openSearch": - return ec.fieldContext_TeamEnvironment_openSearch(ctx, field) - case "secret": - return ec.fieldContext_TeamEnvironment_secret(ctx, field) - case "sqlInstance": - return ec.fieldContext_TeamEnvironment_sqlInstance(ctx, field) - case "valkey": - return ec.fieldContext_TeamEnvironment_valkey(ctx, field) - case "workload": - return ec.fieldContext_TeamEnvironment_workload(ctx, field) - } - return nil, fmt.Errorf("no field named %q was found under type TeamEnvironment", field.Name) - }, - } - return fc, nil -} - -func (ec *executionContext) _Elevation_resourceName(ctx context.Context, field graphql.CollectedField, obj *elevation.Elevation) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_Elevation_resourceName, - func(ctx context.Context) (any, error) { - return obj.ResourceName, nil - }, - nil, - ec.marshalNString2string, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_Elevation_resourceName(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "Elevation", - Field: field, - IsMethod: false, - IsResolver: false, - 
Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type String does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _Elevation_user(ctx context.Context, field graphql.CollectedField, obj *elevation.Elevation) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_Elevation_user, - func(ctx context.Context) (any, error) { - return ec.resolvers.Elevation().User(ctx, obj) - }, - nil, - ec.marshalNUser2ᚖgithubᚗcomᚋnaisᚋapiᚋinternalᚋuserᚐUser, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_Elevation_user(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "Elevation", - Field: field, - IsMethod: true, - IsResolver: true, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - switch field.Name { - case "id": - return ec.fieldContext_User_id(ctx, field) - case "email": - return ec.fieldContext_User_email(ctx, field) - case "name": - return ec.fieldContext_User_name(ctx, field) - case "externalID": - return ec.fieldContext_User_externalID(ctx, field) - case "teams": - return ec.fieldContext_User_teams(ctx, field) - case "isAdmin": - return ec.fieldContext_User_isAdmin(ctx, field) - case "elevations": - return ec.fieldContext_User_elevations(ctx, field) - } - return nil, fmt.Errorf("no field named %q was found under type User", field.Name) - }, - } - return fc, nil -} - -func (ec *executionContext) _Elevation_reason(ctx context.Context, field graphql.CollectedField, obj *elevation.Elevation) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_Elevation_reason, - func(ctx context.Context) (any, error) { - return obj.Reason, nil - }, - nil, - ec.marshalNString2string, - true, - true, - ) -} - -func (ec 
*executionContext) fieldContext_Elevation_reason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "Elevation", - Field: field, - IsMethod: false, - IsResolver: false, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type String does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _Elevation_createdAt(ctx context.Context, field graphql.CollectedField, obj *elevation.Elevation) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_Elevation_createdAt, - func(ctx context.Context) (any, error) { - return obj.CreatedAt, nil - }, - nil, - ec.marshalNTime2timeᚐTime, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_Elevation_createdAt(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "Elevation", - Field: field, - IsMethod: false, - IsResolver: false, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type Time does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _Elevation_expiresAt(ctx context.Context, field graphql.CollectedField, obj *elevation.Elevation) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_Elevation_expiresAt, - func(ctx context.Context) (any, error) { - return obj.ExpiresAt, nil - }, - nil, - ec.marshalNTime2timeᚐTime, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_Elevation_expiresAt(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "Elevation", - Field: field, - IsMethod: false, - IsResolver: false, - Child: func(ctx 
context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type Time does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _ElevationCreatedActivityLogEntry_id(ctx context.Context, field graphql.CollectedField, obj *elevation.ElevationCreatedActivityLogEntry) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_ElevationCreatedActivityLogEntry_id, - func(ctx context.Context) (any, error) { - return obj.ID(), nil - }, - nil, - ec.marshalNID2githubᚗcomᚋnaisᚋapiᚋinternalᚋgraphᚋidentᚐIdent, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_ElevationCreatedActivityLogEntry_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "ElevationCreatedActivityLogEntry", - Field: field, - IsMethod: true, - IsResolver: false, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type ID does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _ElevationCreatedActivityLogEntry_actor(ctx context.Context, field graphql.CollectedField, obj *elevation.ElevationCreatedActivityLogEntry) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_ElevationCreatedActivityLogEntry_actor, - func(ctx context.Context) (any, error) { - return obj.Actor, nil - }, - nil, - ec.marshalNString2string, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_ElevationCreatedActivityLogEntry_actor(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "ElevationCreatedActivityLogEntry", - Field: field, - IsMethod: false, - IsResolver: false, - Child: func(ctx context.Context, field graphql.CollectedField) 
(*graphql.FieldContext, error) { - return nil, errors.New("field of type String does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _ElevationCreatedActivityLogEntry_createdAt(ctx context.Context, field graphql.CollectedField, obj *elevation.ElevationCreatedActivityLogEntry) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_ElevationCreatedActivityLogEntry_createdAt, - func(ctx context.Context) (any, error) { - return obj.CreatedAt, nil - }, - nil, - ec.marshalNTime2timeᚐTime, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_ElevationCreatedActivityLogEntry_createdAt(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "ElevationCreatedActivityLogEntry", - Field: field, - IsMethod: false, - IsResolver: false, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type Time does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _ElevationCreatedActivityLogEntry_message(ctx context.Context, field graphql.CollectedField, obj *elevation.ElevationCreatedActivityLogEntry) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_ElevationCreatedActivityLogEntry_message, - func(ctx context.Context) (any, error) { - return obj.Message, nil - }, - nil, - ec.marshalNString2string, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_ElevationCreatedActivityLogEntry_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "ElevationCreatedActivityLogEntry", - Field: field, - IsMethod: false, - IsResolver: false, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, 
errors.New("field of type String does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _ElevationCreatedActivityLogEntry_resourceType(ctx context.Context, field graphql.CollectedField, obj *elevation.ElevationCreatedActivityLogEntry) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_ElevationCreatedActivityLogEntry_resourceType, - func(ctx context.Context) (any, error) { - return obj.ResourceType, nil - }, - nil, - ec.marshalNActivityLogEntryResourceType2githubᚗcomᚋnaisᚋapiᚋinternalᚋactivitylogᚐActivityLogEntryResourceType, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_ElevationCreatedActivityLogEntry_resourceType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "ElevationCreatedActivityLogEntry", - Field: field, - IsMethod: false, - IsResolver: false, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type ActivityLogEntryResourceType does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _ElevationCreatedActivityLogEntry_resourceName(ctx context.Context, field graphql.CollectedField, obj *elevation.ElevationCreatedActivityLogEntry) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_ElevationCreatedActivityLogEntry_resourceName, - func(ctx context.Context) (any, error) { - return obj.ResourceName, nil - }, - nil, - ec.marshalNString2string, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_ElevationCreatedActivityLogEntry_resourceName(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "ElevationCreatedActivityLogEntry", - Field: field, - IsMethod: false, - IsResolver: false, - Child: func(ctx 
context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type String does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _ElevationCreatedActivityLogEntry_teamSlug(ctx context.Context, field graphql.CollectedField, obj *elevation.ElevationCreatedActivityLogEntry) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_ElevationCreatedActivityLogEntry_teamSlug, - func(ctx context.Context) (any, error) { - return obj.TeamSlug, nil - }, - nil, - ec.marshalNSlug2ᚖgithubᚗcomᚋnaisᚋapiᚋinternalᚋslugᚐSlug, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_ElevationCreatedActivityLogEntry_teamSlug(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "ElevationCreatedActivityLogEntry", - Field: field, - IsMethod: false, - IsResolver: false, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type Slug does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _ElevationCreatedActivityLogEntry_environmentName(ctx context.Context, field graphql.CollectedField, obj *elevation.ElevationCreatedActivityLogEntry) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_ElevationCreatedActivityLogEntry_environmentName, - func(ctx context.Context) (any, error) { - return obj.EnvironmentName, nil - }, - nil, - ec.marshalOString2ᚖstring, - true, - false, - ) -} - -func (ec *executionContext) fieldContext_ElevationCreatedActivityLogEntry_environmentName(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "ElevationCreatedActivityLogEntry", - Field: field, - IsMethod: false, - IsResolver: false, - Child: 
func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type String does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _ElevationCreatedActivityLogEntry_data(ctx context.Context, field graphql.CollectedField, obj *elevation.ElevationCreatedActivityLogEntry) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_ElevationCreatedActivityLogEntry_data, - func(ctx context.Context) (any, error) { - return obj.Data, nil - }, - nil, - ec.marshalNElevationCreatedActivityLogEntryData2ᚖgithubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐElevationCreatedActivityLogEntryData, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_ElevationCreatedActivityLogEntry_data(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "ElevationCreatedActivityLogEntry", - Field: field, - IsMethod: false, - IsResolver: false, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - switch field.Name { - case "elevationType": - return ec.fieldContext_ElevationCreatedActivityLogEntryData_elevationType(ctx, field) - case "targetResourceName": - return ec.fieldContext_ElevationCreatedActivityLogEntryData_targetResourceName(ctx, field) - case "reason": - return ec.fieldContext_ElevationCreatedActivityLogEntryData_reason(ctx, field) - case "expiresAt": - return ec.fieldContext_ElevationCreatedActivityLogEntryData_expiresAt(ctx, field) - } - return nil, fmt.Errorf("no field named %q was found under type ElevationCreatedActivityLogEntryData", field.Name) - }, - } - return fc, nil -} - -func (ec *executionContext) _ElevationCreatedActivityLogEntryData_elevationType(ctx context.Context, field graphql.CollectedField, obj *elevation.ElevationCreatedActivityLogEntryData) (ret graphql.Marshaler) { - return graphql.ResolveField( - 
ctx, - ec.OperationContext, - field, - ec.fieldContext_ElevationCreatedActivityLogEntryData_elevationType, - func(ctx context.Context) (any, error) { - return obj.ElevationType, nil - }, - nil, - ec.marshalNElevationType2githubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐElevationType, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_ElevationCreatedActivityLogEntryData_elevationType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "ElevationCreatedActivityLogEntryData", - Field: field, - IsMethod: false, - IsResolver: false, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type ElevationType does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _ElevationCreatedActivityLogEntryData_targetResourceName(ctx context.Context, field graphql.CollectedField, obj *elevation.ElevationCreatedActivityLogEntryData) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_ElevationCreatedActivityLogEntryData_targetResourceName, - func(ctx context.Context) (any, error) { - return obj.TargetResourceName, nil - }, - nil, - ec.marshalNString2string, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_ElevationCreatedActivityLogEntryData_targetResourceName(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "ElevationCreatedActivityLogEntryData", - Field: field, - IsMethod: false, - IsResolver: false, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type String does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _ElevationCreatedActivityLogEntryData_reason(ctx context.Context, field graphql.CollectedField, obj 
*elevation.ElevationCreatedActivityLogEntryData) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_ElevationCreatedActivityLogEntryData_reason, - func(ctx context.Context) (any, error) { - return obj.Reason, nil - }, - nil, - ec.marshalNString2string, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_ElevationCreatedActivityLogEntryData_reason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "ElevationCreatedActivityLogEntryData", - Field: field, - IsMethod: false, - IsResolver: false, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type String does not have child fields") - }, - } - return fc, nil -} - -func (ec *executionContext) _ElevationCreatedActivityLogEntryData_expiresAt(ctx context.Context, field graphql.CollectedField, obj *elevation.ElevationCreatedActivityLogEntryData) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_ElevationCreatedActivityLogEntryData_expiresAt, - func(ctx context.Context) (any, error) { - return obj.ExpiresAt, nil - }, - nil, - ec.marshalNTime2timeᚐTime, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_ElevationCreatedActivityLogEntryData_expiresAt(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "ElevationCreatedActivityLogEntryData", - Field: field, - IsMethod: false, - IsResolver: false, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type Time does not have child fields") - }, - } - return fc, nil -} - -// endregion **************************** field.gotpl ***************************** - -// region **************************** input.gotpl 
***************************** - -func (ec *executionContext) unmarshalInputCreateElevationInput(ctx context.Context, obj any) (elevation.CreateElevationInput, error) { - var it elevation.CreateElevationInput - asMap := map[string]any{} - for k, v := range obj.(map[string]any) { - asMap[k] = v - } - - if _, present := asMap["durationMinutes"]; !present { - asMap["durationMinutes"] = 60 - } - - fieldsInOrder := [...]string{"type", "team", "environmentName", "resourceName", "reason", "durationMinutes"} - for _, k := range fieldsInOrder { - v, ok := asMap[k] - if !ok { - continue - } - switch k { - case "type": - ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("type")) - data, err := ec.unmarshalNElevationType2githubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐElevationType(ctx, v) - if err != nil { - return it, err - } - it.Type = data - case "team": - ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("team")) - data, err := ec.unmarshalNSlug2githubᚗcomᚋnaisᚋapiᚋinternalᚋslugᚐSlug(ctx, v) - if err != nil { - return it, err - } - it.Team = data - case "environmentName": - ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("environmentName")) - data, err := ec.unmarshalNString2string(ctx, v) - if err != nil { - return it, err - } - it.EnvironmentName = data - case "resourceName": - ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("resourceName")) - data, err := ec.unmarshalNString2string(ctx, v) - if err != nil { - return it, err - } - it.ResourceName = data - case "reason": - ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("reason")) - data, err := ec.unmarshalNString2string(ctx, v) - if err != nil { - return it, err - } - it.Reason = data - case "durationMinutes": - ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("durationMinutes")) - data, err := ec.unmarshalNInt2int(ctx, v) - if err != nil { - return it, err - } - it.DurationMinutes = data - } - } - - return it, nil -} - -func (ec *executionContext) 
unmarshalInputElevationInput(ctx context.Context, obj any) (elevation.ElevationInput, error) { - var it elevation.ElevationInput - asMap := map[string]any{} - for k, v := range obj.(map[string]any) { - asMap[k] = v - } - - fieldsInOrder := [...]string{"type", "team", "environmentName", "resourceName"} - for _, k := range fieldsInOrder { - v, ok := asMap[k] - if !ok { - continue - } - switch k { - case "type": - ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("type")) - data, err := ec.unmarshalNElevationType2githubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐElevationType(ctx, v) - if err != nil { - return it, err - } - it.Type = data - case "team": - ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("team")) - data, err := ec.unmarshalNSlug2githubᚗcomᚋnaisᚋapiᚋinternalᚋslugᚐSlug(ctx, v) - if err != nil { - return it, err - } - it.Team = data - case "environmentName": - ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("environmentName")) - data, err := ec.unmarshalNString2string(ctx, v) - if err != nil { - return it, err - } - it.EnvironmentName = data - case "resourceName": - ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("resourceName")) - data, err := ec.unmarshalNString2string(ctx, v) - if err != nil { - return it, err - } - it.ResourceName = data - } - } - - return it, nil -} - -// endregion **************************** input.gotpl ***************************** - -// region ************************** interface.gotpl *************************** - -// endregion ************************** interface.gotpl *************************** - -// region **************************** object.gotpl **************************** - -var createElevationPayloadImplementors = []string{"CreateElevationPayload"} - -func (ec *executionContext) _CreateElevationPayload(ctx context.Context, sel ast.SelectionSet, obj *elevation.CreateElevationPayload) graphql.Marshaler { - fields := graphql.CollectFields(ec.OperationContext, sel, 
createElevationPayloadImplementors) - - out := graphql.NewFieldSet(fields) - deferred := make(map[string]*graphql.FieldSet) - for i, field := range fields { - switch field.Name { - case "__typename": - out.Values[i] = graphql.MarshalString("CreateElevationPayload") - case "elevation": - out.Values[i] = ec._CreateElevationPayload_elevation(ctx, field, obj) - if out.Values[i] == graphql.Null { - out.Invalids++ - } - default: - panic("unknown field " + strconv.Quote(field.Name)) - } - } - out.Dispatch(ctx) - if out.Invalids > 0 { - return graphql.Null - } - - atomic.AddInt32(&ec.deferred, int32(len(deferred))) - - for label, dfs := range deferred { - ec.processDeferredGroup(graphql.DeferredGroup{ - Label: label, - Path: graphql.GetPath(ctx), - FieldSet: dfs, - Context: ctx, - }) - } - - return out -} - -var elevationImplementors = []string{"Elevation", "Node"} - -func (ec *executionContext) _Elevation(ctx context.Context, sel ast.SelectionSet, obj *elevation.Elevation) graphql.Marshaler { - fields := graphql.CollectFields(ec.OperationContext, sel, elevationImplementors) - - out := graphql.NewFieldSet(fields) - deferred := make(map[string]*graphql.FieldSet) - for i, field := range fields { - switch field.Name { - case "__typename": - out.Values[i] = graphql.MarshalString("Elevation") - case "id": - out.Values[i] = ec._Elevation_id(ctx, field, obj) - if out.Values[i] == graphql.Null { - atomic.AddUint32(&out.Invalids, 1) - } - case "type": - out.Values[i] = ec._Elevation_type(ctx, field, obj) - if out.Values[i] == graphql.Null { - atomic.AddUint32(&out.Invalids, 1) - } - case "team": - field := field - - innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) { - defer func() { - if r := recover(); r != nil { - ec.Error(ctx, ec.Recover(ctx, r)) - } - }() - res = ec._Elevation_team(ctx, field, obj) - if res == graphql.Null { - atomic.AddUint32(&fs.Invalids, 1) - } - return res - } - - if field.Deferrable != nil { - dfs, ok := 
deferred[field.Deferrable.Label] - di := 0 - if ok { - dfs.AddField(field) - di = len(dfs.Values) - 1 - } else { - dfs = graphql.NewFieldSet([]graphql.CollectedField{field}) - deferred[field.Deferrable.Label] = dfs - } - dfs.Concurrently(di, func(ctx context.Context) graphql.Marshaler { - return innerFunc(ctx, dfs) - }) - - // don't run the out.Concurrently() call below - out.Values[i] = graphql.Null - continue - } - - out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) }) - case "teamEnvironment": - field := field - - innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) { - defer func() { - if r := recover(); r != nil { - ec.Error(ctx, ec.Recover(ctx, r)) - } - }() - res = ec._Elevation_teamEnvironment(ctx, field, obj) - if res == graphql.Null { - atomic.AddUint32(&fs.Invalids, 1) - } - return res - } - - if field.Deferrable != nil { - dfs, ok := deferred[field.Deferrable.Label] - di := 0 - if ok { - dfs.AddField(field) - di = len(dfs.Values) - 1 - } else { - dfs = graphql.NewFieldSet([]graphql.CollectedField{field}) - deferred[field.Deferrable.Label] = dfs - } - dfs.Concurrently(di, func(ctx context.Context) graphql.Marshaler { - return innerFunc(ctx, dfs) - }) - - // don't run the out.Concurrently() call below - out.Values[i] = graphql.Null - continue - } - - out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) }) - case "resourceName": - out.Values[i] = ec._Elevation_resourceName(ctx, field, obj) - if out.Values[i] == graphql.Null { - atomic.AddUint32(&out.Invalids, 1) - } - case "user": - field := field - - innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) { - defer func() { - if r := recover(); r != nil { - ec.Error(ctx, ec.Recover(ctx, r)) - } - }() - res = ec._Elevation_user(ctx, field, obj) - if res == graphql.Null { - atomic.AddUint32(&fs.Invalids, 1) - } - return res - } - - if field.Deferrable != nil { - 
dfs, ok := deferred[field.Deferrable.Label] - di := 0 - if ok { - dfs.AddField(field) - di = len(dfs.Values) - 1 - } else { - dfs = graphql.NewFieldSet([]graphql.CollectedField{field}) - deferred[field.Deferrable.Label] = dfs - } - dfs.Concurrently(di, func(ctx context.Context) graphql.Marshaler { - return innerFunc(ctx, dfs) - }) - - // don't run the out.Concurrently() call below - out.Values[i] = graphql.Null - continue - } - - out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) }) - case "reason": - out.Values[i] = ec._Elevation_reason(ctx, field, obj) - if out.Values[i] == graphql.Null { - atomic.AddUint32(&out.Invalids, 1) - } - case "createdAt": - out.Values[i] = ec._Elevation_createdAt(ctx, field, obj) - if out.Values[i] == graphql.Null { - atomic.AddUint32(&out.Invalids, 1) - } - case "expiresAt": - out.Values[i] = ec._Elevation_expiresAt(ctx, field, obj) - if out.Values[i] == graphql.Null { - atomic.AddUint32(&out.Invalids, 1) - } - default: - panic("unknown field " + strconv.Quote(field.Name)) - } - } - out.Dispatch(ctx) - if out.Invalids > 0 { - return graphql.Null - } - - atomic.AddInt32(&ec.deferred, int32(len(deferred))) - - for label, dfs := range deferred { - ec.processDeferredGroup(graphql.DeferredGroup{ - Label: label, - Path: graphql.GetPath(ctx), - FieldSet: dfs, - Context: ctx, - }) - } - - return out -} - -var elevationCreatedActivityLogEntryImplementors = []string{"ElevationCreatedActivityLogEntry", "ActivityLogEntry", "Node"} - -func (ec *executionContext) _ElevationCreatedActivityLogEntry(ctx context.Context, sel ast.SelectionSet, obj *elevation.ElevationCreatedActivityLogEntry) graphql.Marshaler { - fields := graphql.CollectFields(ec.OperationContext, sel, elevationCreatedActivityLogEntryImplementors) - - out := graphql.NewFieldSet(fields) - deferred := make(map[string]*graphql.FieldSet) - for i, field := range fields { - switch field.Name { - case "__typename": - out.Values[i] = 
graphql.MarshalString("ElevationCreatedActivityLogEntry") - case "id": - out.Values[i] = ec._ElevationCreatedActivityLogEntry_id(ctx, field, obj) - if out.Values[i] == graphql.Null { - out.Invalids++ - } - case "actor": - out.Values[i] = ec._ElevationCreatedActivityLogEntry_actor(ctx, field, obj) - if out.Values[i] == graphql.Null { - out.Invalids++ - } - case "createdAt": - out.Values[i] = ec._ElevationCreatedActivityLogEntry_createdAt(ctx, field, obj) - if out.Values[i] == graphql.Null { - out.Invalids++ - } - case "message": - out.Values[i] = ec._ElevationCreatedActivityLogEntry_message(ctx, field, obj) - if out.Values[i] == graphql.Null { - out.Invalids++ - } - case "resourceType": - out.Values[i] = ec._ElevationCreatedActivityLogEntry_resourceType(ctx, field, obj) - if out.Values[i] == graphql.Null { - out.Invalids++ - } - case "resourceName": - out.Values[i] = ec._ElevationCreatedActivityLogEntry_resourceName(ctx, field, obj) - if out.Values[i] == graphql.Null { - out.Invalids++ - } - case "teamSlug": - out.Values[i] = ec._ElevationCreatedActivityLogEntry_teamSlug(ctx, field, obj) - if out.Values[i] == graphql.Null { - out.Invalids++ - } - case "environmentName": - out.Values[i] = ec._ElevationCreatedActivityLogEntry_environmentName(ctx, field, obj) - case "data": - out.Values[i] = ec._ElevationCreatedActivityLogEntry_data(ctx, field, obj) - if out.Values[i] == graphql.Null { - out.Invalids++ - } - default: - panic("unknown field " + strconv.Quote(field.Name)) - } - } - out.Dispatch(ctx) - if out.Invalids > 0 { - return graphql.Null - } - - atomic.AddInt32(&ec.deferred, int32(len(deferred))) - - for label, dfs := range deferred { - ec.processDeferredGroup(graphql.DeferredGroup{ - Label: label, - Path: graphql.GetPath(ctx), - FieldSet: dfs, - Context: ctx, - }) - } - - return out -} - -var elevationCreatedActivityLogEntryDataImplementors = []string{"ElevationCreatedActivityLogEntryData"} - -func (ec *executionContext) _ElevationCreatedActivityLogEntryData(ctx 
context.Context, sel ast.SelectionSet, obj *elevation.ElevationCreatedActivityLogEntryData) graphql.Marshaler { - fields := graphql.CollectFields(ec.OperationContext, sel, elevationCreatedActivityLogEntryDataImplementors) - - out := graphql.NewFieldSet(fields) - deferred := make(map[string]*graphql.FieldSet) - for i, field := range fields { - switch field.Name { - case "__typename": - out.Values[i] = graphql.MarshalString("ElevationCreatedActivityLogEntryData") - case "elevationType": - out.Values[i] = ec._ElevationCreatedActivityLogEntryData_elevationType(ctx, field, obj) - if out.Values[i] == graphql.Null { - out.Invalids++ - } - case "targetResourceName": - out.Values[i] = ec._ElevationCreatedActivityLogEntryData_targetResourceName(ctx, field, obj) - if out.Values[i] == graphql.Null { - out.Invalids++ - } - case "reason": - out.Values[i] = ec._ElevationCreatedActivityLogEntryData_reason(ctx, field, obj) - if out.Values[i] == graphql.Null { - out.Invalids++ - } - case "expiresAt": - out.Values[i] = ec._ElevationCreatedActivityLogEntryData_expiresAt(ctx, field, obj) - if out.Values[i] == graphql.Null { - out.Invalids++ - } - default: - panic("unknown field " + strconv.Quote(field.Name)) - } - } - out.Dispatch(ctx) - if out.Invalids > 0 { - return graphql.Null - } - - atomic.AddInt32(&ec.deferred, int32(len(deferred))) - - for label, dfs := range deferred { - ec.processDeferredGroup(graphql.DeferredGroup{ - Label: label, - Path: graphql.GetPath(ctx), - FieldSet: dfs, - Context: ctx, - }) - } - - return out -} - -// endregion **************************** object.gotpl **************************** - -// region ***************************** type.gotpl ***************************** - -func (ec *executionContext) unmarshalNCreateElevationInput2githubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐCreateElevationInput(ctx context.Context, v any) (elevation.CreateElevationInput, error) { - res, err := ec.unmarshalInputCreateElevationInput(ctx, v) - return res, graphql.ErrorOnPath(ctx, 
err) -} - -func (ec *executionContext) marshalNCreateElevationPayload2githubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐCreateElevationPayload(ctx context.Context, sel ast.SelectionSet, v elevation.CreateElevationPayload) graphql.Marshaler { - return ec._CreateElevationPayload(ctx, sel, &v) -} - -func (ec *executionContext) marshalNCreateElevationPayload2ᚖgithubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐCreateElevationPayload(ctx context.Context, sel ast.SelectionSet, v *elevation.CreateElevationPayload) graphql.Marshaler { - if v == nil { - if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) { - graphql.AddErrorf(ctx, "the requested element is null which the schema does not allow") - } - return graphql.Null - } - return ec._CreateElevationPayload(ctx, sel, v) -} - -func (ec *executionContext) marshalNElevation2ᚕᚖgithubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐElevationᚄ(ctx context.Context, sel ast.SelectionSet, v []*elevation.Elevation) graphql.Marshaler { - ret := make(graphql.Array, len(v)) - var wg sync.WaitGroup - isLen1 := len(v) == 1 - if !isLen1 { - wg.Add(len(v)) - } - for i := range v { - i := i - fc := &graphql.FieldContext{ - Index: &i, - Result: &v[i], - } - ctx := graphql.WithFieldContext(ctx, fc) - f := func(i int) { - defer func() { - if r := recover(); r != nil { - ec.Error(ctx, ec.Recover(ctx, r)) - ret = nil - } - }() - if !isLen1 { - defer wg.Done() - } - ret[i] = ec.marshalNElevation2ᚖgithubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐElevation(ctx, sel, v[i]) - } - if isLen1 { - f(i) - } else { - go f(i) - } - - } - wg.Wait() - - for _, e := range ret { - if e == graphql.Null { - return graphql.Null - } - } - - return ret -} - -func (ec *executionContext) marshalNElevation2ᚖgithubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐElevation(ctx context.Context, sel ast.SelectionSet, v *elevation.Elevation) graphql.Marshaler { - if v == nil { - if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) { - graphql.AddErrorf(ctx, "the requested element is null which the schema does not allow") 
- } - return graphql.Null - } - return ec._Elevation(ctx, sel, v) -} - -func (ec *executionContext) marshalNElevationCreatedActivityLogEntryData2ᚖgithubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐElevationCreatedActivityLogEntryData(ctx context.Context, sel ast.SelectionSet, v *elevation.ElevationCreatedActivityLogEntryData) graphql.Marshaler { - if v == nil { - if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) { - graphql.AddErrorf(ctx, "the requested element is null which the schema does not allow") - } - return graphql.Null - } - return ec._ElevationCreatedActivityLogEntryData(ctx, sel, v) -} - -func (ec *executionContext) unmarshalNElevationInput2githubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐElevationInput(ctx context.Context, v any) (elevation.ElevationInput, error) { - res, err := ec.unmarshalInputElevationInput(ctx, v) - return res, graphql.ErrorOnPath(ctx, err) -} - -func (ec *executionContext) unmarshalNElevationType2githubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐElevationType(ctx context.Context, v any) (elevation.ElevationType, error) { - var res elevation.ElevationType - err := res.UnmarshalGQL(v) - return res, graphql.ErrorOnPath(ctx, err) -} - -func (ec *executionContext) marshalNElevationType2githubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐElevationType(ctx context.Context, sel ast.SelectionSet, v elevation.ElevationType) graphql.Marshaler { - return v -} - -// endregion ***************************** type.gotpl ***************************** diff --git a/internal/graph/gengql/jobs.generated.go b/internal/graph/gengql/jobs.generated.go index 4ff6f65ef..10c6d5d07 100644 --- a/internal/graph/gengql/jobs.generated.go +++ b/internal/graph/gengql/jobs.generated.go 
@@ -379,8 +379,6 @@ func (ec *executionContext) fieldContext_DeleteJobPayload_team(_ context.Context return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": @@ -577,8 +575,6 @@ func (ec *executionContext) fieldContext_Job_team(_ context.Context, field graph return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": diff --git a/internal/graph/gengql/kafka.generated.go b/internal/graph/gengql/kafka.generated.go index 7890d6f64..db18423fb 100644 --- a/internal/graph/gengql/kafka.generated.go +++ b/internal/graph/gengql/kafka.generated.go @@ -184,8 +184,6 @@ func (ec *executionContext) fieldContext_KafkaTopic_team(_ context.Context, fiel return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": @@ -641,8 +639,6 @@ func (ec *executionContext) fieldContext_KafkaTopicAcl_team(_ context.Context, f return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": 
diff --git a/internal/graph/gengql/netpol.generated.go b/internal/graph/gengql/netpol.generated.go index 1e0b35e99..91838a211 100644 --- a/internal/graph/gengql/netpol.generated.go +++ b/internal/graph/gengql/netpol.generated.go @@ -396,8 +396,6 @@ func (ec *executionContext) fieldContext_NetworkPolicyRule_targetTeam(_ context. return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": diff --git a/internal/graph/gengql/opensearch.generated.go b/internal/graph/gengql/opensearch.generated.go index be1b9d998..e4bc1edd3 100644 --- a/internal/graph/gengql/opensearch.generated.go +++ b/internal/graph/gengql/opensearch.generated.go @@ -351,8 +351,6 @@ func (ec *executionContext) fieldContext_OpenSearch_team(_ context.Context, fiel return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": diff --git a/internal/graph/gengql/reconcilers.generated.go b/internal/graph/gengql/reconcilers.generated.go index 366cfe2fb..ace650f3b 100644 --- a/internal/graph/gengql/reconcilers.generated.go +++ b/internal/graph/gengql/reconcilers.generated.go @@ -1715,8 +1715,6 @@ func (ec *executionContext) fieldContext_ReconcilerError_team(_ context.Context, return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": 
diff --git a/internal/graph/gengql/repository.generated.go b/internal/graph/gengql/repository.generated.go index bc154b9f8..cb7b22bdc 100644 --- a/internal/graph/gengql/repository.generated.go +++ b/internal/graph/gengql/repository.generated.go @@ -205,8 +205,6 @@ func (ec *executionContext) fieldContext_Repository_team(_ context.Context, fiel return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": diff --git a/internal/graph/gengql/root_.generated.go b/internal/graph/gengql/root_.generated.go index a9a61bec8..bd08300a0 100644 --- a/internal/graph/gengql/root_.generated.go +++ b/internal/graph/gengql/root_.generated.go @@ -14,7 +14,6 @@ import ( "github.com/nais/api/internal/alerts" "github.com/nais/api/internal/cost" "github.com/nais/api/internal/deployment" - "github.com/nais/api/internal/elevation" "github.com/nais/api/internal/environment" "github.com/nais/api/internal/github/repository" "github.com/nais/api/internal/graph/ident" @@ -79,7 +78,6 @@ type ResolverRoot interface { Deployment() DeploymentResolver DeprecatedIngressIssue() DeprecatedIngressIssueResolver DeprecatedRegistryIssue() DeprecatedRegistryIssueResolver - Elevation() ElevationResolver Environment() EnvironmentResolver FailedSynchronizationIssue() FailedSynchronizationIssueResolver Ingress() IngressResolver @@ -474,10 +472,6 @@ type ComplexityRoot struct { Series func(childComplexity int) int } - CreateElevationPayload struct { - Elevation func(childComplexity int) int - } - CreateOpenSearchPayload struct { OpenSearch func(childComplexity int) int } 
@@ -647,37 +641,6 @@ type ComplexityRoot struct { Workload func(childComplexity int) int } - Elevation struct { - CreatedAt func(childComplexity int) int - ExpiresAt func(childComplexity int) int - ID func(childComplexity int) int - Reason func(childComplexity int) int - ResourceName func(childComplexity int) int - Team func(childComplexity int) int - TeamEnvironment func(childComplexity int) int - Type func(childComplexity int) int - User func(childComplexity int) int - } - - ElevationCreatedActivityLogEntry struct { - Actor func(childComplexity int) int - CreatedAt func(childComplexity int) int - Data func(childComplexity int) int - EnvironmentName func(childComplexity int) int - ID func(childComplexity int) int - Message func(childComplexity int) int - ResourceName func(childComplexity int) int - ResourceType func(childComplexity int) int - TeamSlug func(childComplexity int) int - } - - ElevationCreatedActivityLogEntryData struct { - ElevationType func(childComplexity int) int - ExpiresAt func(childComplexity int) int - Reason func(childComplexity int) int - TargetResourceName func(childComplexity int) int - } - EntraIDAuthIntegration struct { Name func(childComplexity int) int } @@ -1107,7 +1070,6 @@ type ComplexityRoot struct { ChangeDeploymentKey func(childComplexity int, input deployment.ChangeDeploymentKeyInput) int ConfigureReconciler func(childComplexity int, input reconciler.ConfigureReconcilerInput) int ConfirmTeamDeletion func(childComplexity int, input team.ConfirmTeamDeletionInput) int - CreateElevation func(childComplexity int, input elevation.CreateElevationInput) int CreateOpenSearch func(childComplexity int, input opensearch.CreateOpenSearchInput) int CreateSecret func(childComplexity int, input secret.CreateSecretInput) int CreateServiceAccount func(childComplexity int, input serviceaccount.CreateServiceAccountInput) int 
@@ -1644,7 +1606,6 @@ type ComplexityRoot struct { Name func(childComplexity int) int Team func(childComplexity int) int TeamEnvironment func(childComplexity int) int - Values func(childComplexity int) int Workloads func(childComplexity int, first *int, after *pagination.Cursor, last *int, before *pagination.Cursor) int } @@ -2109,7 +2070,6 @@ type ComplexityRoot struct { Slug func(childComplexity int) int Unleash func(childComplexity int) int Valkeys func(childComplexity int, first *int, after *pagination.Cursor, last *int, before *pagination.Cursor, orderBy *valkey.ValkeyOrder) int - ViewerCanElevate func(childComplexity int) int ViewerIsMember func(childComplexity int) int ViewerIsOwner func(childComplexity int) int VulnerabilityFixHistory func(childComplexity int, from scalar.Date) int @@ -2595,7 +2555,6 @@ type ComplexityRoot struct { } User struct { - Elevations func(childComplexity int, input elevation.ElevationInput) int Email func(childComplexity int) int ExternalID func(childComplexity int) int ID func(childComplexity int) int @@ -4313,13 +4272,6 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin return e.complexity.CostMonthlySummary.Series(childComplexity), true - case "CreateElevationPayload.elevation": - if e.complexity.CreateElevationPayload.Elevation == nil { - break - } - - return e.complexity.CreateElevationPayload.Elevation(childComplexity), true - case "CreateOpenSearchPayload.openSearch": if e.complexity.CreateOpenSearchPayload.OpenSearch == nil { break 
@@ -4883,160 +4835,6 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin return e.complexity.DeprecatedRegistryIssue.Workload(childComplexity), true - case "Elevation.createdAt": - if e.complexity.Elevation.CreatedAt == nil { - break - } - - return e.complexity.Elevation.CreatedAt(childComplexity), true - - case "Elevation.expiresAt": - if e.complexity.Elevation.ExpiresAt == nil { - break - } - - return e.complexity.Elevation.ExpiresAt(childComplexity), true - - case "Elevation.id": - if e.complexity.Elevation.ID == nil { - break - } - - return e.complexity.Elevation.ID(childComplexity), true - - case "Elevation.reason": - if e.complexity.Elevation.Reason == nil { - break - } - - return e.complexity.Elevation.Reason(childComplexity), true - - case "Elevation.resourceName": - if e.complexity.Elevation.ResourceName == nil { - break - } - - return e.complexity.Elevation.ResourceName(childComplexity), true - - case "Elevation.team": - if e.complexity.Elevation.Team == nil { - break - } - - return e.complexity.Elevation.Team(childComplexity), true - - case "Elevation.teamEnvironment": - if e.complexity.Elevation.TeamEnvironment == nil { - break - } - - return e.complexity.Elevation.TeamEnvironment(childComplexity), true - - case "Elevation.type": - if e.complexity.Elevation.Type == nil { - break - } - - return e.complexity.Elevation.Type(childComplexity), true - - case "Elevation.user": - if e.complexity.Elevation.User == nil { - break - } - - return e.complexity.Elevation.User(childComplexity), true - - case "ElevationCreatedActivityLogEntry.actor": - if e.complexity.ElevationCreatedActivityLogEntry.Actor == nil { - break - } - - return e.complexity.ElevationCreatedActivityLogEntry.Actor(childComplexity), true - - case "ElevationCreatedActivityLogEntry.createdAt": - if e.complexity.ElevationCreatedActivityLogEntry.CreatedAt == nil { - break - } - - return e.complexity.ElevationCreatedActivityLogEntry.CreatedAt(childComplexity), true - - 
case "ElevationCreatedActivityLogEntry.data": - if e.complexity.ElevationCreatedActivityLogEntry.Data == nil { - break - } - - return e.complexity.ElevationCreatedActivityLogEntry.Data(childComplexity), true - - case "ElevationCreatedActivityLogEntry.environmentName": - if e.complexity.ElevationCreatedActivityLogEntry.EnvironmentName == nil { - break - } - - return e.complexity.ElevationCreatedActivityLogEntry.EnvironmentName(childComplexity), true - - case "ElevationCreatedActivityLogEntry.id": - if e.complexity.ElevationCreatedActivityLogEntry.ID == nil { - break - } - - return e.complexity.ElevationCreatedActivityLogEntry.ID(childComplexity), true - - case "ElevationCreatedActivityLogEntry.message": - if e.complexity.ElevationCreatedActivityLogEntry.Message == nil { - break - } - - return e.complexity.ElevationCreatedActivityLogEntry.Message(childComplexity), true - - case "ElevationCreatedActivityLogEntry.resourceName": - if e.complexity.ElevationCreatedActivityLogEntry.ResourceName == nil { - break - } - - return e.complexity.ElevationCreatedActivityLogEntry.ResourceName(childComplexity), true - - case "ElevationCreatedActivityLogEntry.resourceType": - if e.complexity.ElevationCreatedActivityLogEntry.ResourceType == nil { - break - } - - return e.complexity.ElevationCreatedActivityLogEntry.ResourceType(childComplexity), true - - case "ElevationCreatedActivityLogEntry.teamSlug": - if e.complexity.ElevationCreatedActivityLogEntry.TeamSlug == nil { - break - } - - return e.complexity.ElevationCreatedActivityLogEntry.TeamSlug(childComplexity), true - - case "ElevationCreatedActivityLogEntryData.elevationType": - if e.complexity.ElevationCreatedActivityLogEntryData.ElevationType == nil { - break - } - - return e.complexity.ElevationCreatedActivityLogEntryData.ElevationType(childComplexity), true - - case "ElevationCreatedActivityLogEntryData.expiresAt": - if e.complexity.ElevationCreatedActivityLogEntryData.ExpiresAt == nil { - break - } - - return 
e.complexity.ElevationCreatedActivityLogEntryData.ExpiresAt(childComplexity), true - - case "ElevationCreatedActivityLogEntryData.reason": - if e.complexity.ElevationCreatedActivityLogEntryData.Reason == nil { - break - } - - return e.complexity.ElevationCreatedActivityLogEntryData.Reason(childComplexity), true - - case "ElevationCreatedActivityLogEntryData.targetResourceName": - if e.complexity.ElevationCreatedActivityLogEntryData.TargetResourceName == nil { - break - } - - return e.complexity.ElevationCreatedActivityLogEntryData.TargetResourceName(childComplexity), true - case "EntraIDAuthIntegration.name": if e.complexity.EntraIDAuthIntegration.Name == nil { break @@ -6793,18 +6591,6 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin return e.complexity.Mutation.ConfirmTeamDeletion(childComplexity, args["input"].(team.ConfirmTeamDeletionInput)), true - case "Mutation.createElevation": - if e.complexity.Mutation.CreateElevation == nil { - break - } - - args, err := ec.field_Mutation_createElevation_args(ctx, rawArgs) - if err != nil { - return 0, false - } - - return e.complexity.Mutation.CreateElevation(childComplexity, args["input"].(elevation.CreateElevationInput)), true - case "Mutation.createOpenSearch": if e.complexity.Mutation.CreateOpenSearch == nil { break @@ -9532,13 +9318,6 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin return e.complexity.Secret.TeamEnvironment(childComplexity), true - case "Secret.values": - if e.complexity.Secret.Values == nil { - break - } - - return e.complexity.Secret.Values(childComplexity), true - case "Secret.workloads": if e.complexity.Secret.Workloads == nil { break 
@@ -11683,13 +11462,6 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin return e.complexity.Team.Valkeys(childComplexity, args["first"].(*int), args["after"].(*pagination.Cursor), args["last"].(*int), args["before"].(*pagination.Cursor), args["orderBy"].(*valkey.ValkeyOrder)), true - case "Team.viewerCanElevate": - if e.complexity.Team.ViewerCanElevate == nil { - break - } - - return e.complexity.Team.ViewerCanElevate(childComplexity), true - case "Team.viewerIsMember": if e.complexity.Team.ViewerIsMember == nil { break @@ -13689,18 +13461,6 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin return e.complexity.UpdateValkeyPayload.Valkey(childComplexity), true - case "User.elevations": - if e.complexity.User.Elevations == nil { - break - } - - args, err := ec.field_User_elevations_args(ctx, rawArgs) - if err != nil { - return 0, false - } - - return e.complexity.User.Elevations(childComplexity, args["input"].(elevation.ElevationInput)), true - case "User.email": if e.complexity.User.Email == nil { break @@ -15142,7 +14902,6 @@ func (e *executableSchema) Exec(ctx context.Context) graphql.ResponseHandler { ec.unmarshalInputChangeDeploymentKeyInput, ec.unmarshalInputConfigureReconcilerInput, ec.unmarshalInputConfirmTeamDeletionInput, - ec.unmarshalInputCreateElevationInput, ec.unmarshalInputCreateOpenSearchInput, ec.unmarshalInputCreateSecretInput, ec.unmarshalInputCreateServiceAccountInput, @@ -15160,7 +14919,6 @@ func (e *executableSchema) Exec(ctx context.Context) graphql.ResponseHandler { ec.unmarshalInputDeleteValkeyInput, ec.unmarshalInputDeploymentFilter, ec.unmarshalInputDisableReconcilerInput, - ec.unmarshalInputElevationInput, ec.unmarshalInputEnableReconcilerInput, ec.unmarshalInputEnvironmentOrder, ec.unmarshalInputEnvironmentWorkloadOrder, 
@@ -17607,256 +17365,6 @@ input DeploymentFilter { "Filter deployments by environments." environments: [String!] } -`, BuiltIn: false}, - {Name: "../schema/elevation.graphqls", Input: `""" -Type of elevation that can be requested. -""" -enum ElevationType { - """ - Access to read secrets in plain text. - """ - SECRET - - """ - Access to execute commands in an instance. - """ - INSTANCE_EXEC - - """ - Access to port-forward to an instance. - """ - INSTANCE_PORT_FORWARD - - """ - Access to debug an instance with ephemeral containers. - """ - INSTANCE_DEBUG -} - -""" -An active elevation grants temporary elevated privileges to a specific resource. -""" -type Elevation implements Node { - """ - Unique ID of the elevation. - """ - id: ID! - - """ - Type of elevation. - """ - type: ElevationType! - - """ - Team that owns the resource. - """ - team: Team! - - """ - Environment where the resource is located. - """ - teamEnvironment: TeamEnvironment! - - """ - Name of the resource being elevated to. - """ - resourceName: String! - - """ - User who requested the elevation. - """ - user: User! - - """ - Reason provided for the elevation. - """ - reason: String! - - """ - When the elevation was created. - """ - createdAt: Time! - - """ - When the elevation will expire. - """ - expiresAt: Time! -} - -""" -Input for looking up an existing elevation. -""" -input ElevationInput { - """ - Type of elevation. - """ - type: ElevationType! - - """ - Team slug. - """ - team: Slug! - - """ - Environment name. - """ - environmentName: String! - - """ - Name of the resource. - """ - resourceName: String! -} - -""" -Input for creating an elevation. -""" -input CreateElevationInput { - """ - Type of elevation to create. - """ - type: ElevationType! - - """ - Team slug. - """ - team: Slug! - - """ - Environment name. - """ - environmentName: String! - - """ - Name of the resource to elevate access to. - """ - resourceName: String! - - """ - Reason for requesting the elevation. 
Must be at least 10 characters. - """ - reason: String! - - """ - Duration of the elevation in minutes. Maximum 60 minutes. - """ - durationMinutes: Int! = 60 -} - -""" -Payload returned when creating an elevation. -""" -type CreateElevationPayload { - """ - The created elevation. - """ - elevation: Elevation! -} - -extend enum ActivityLogEntryResourceType { - """ - All activity log entries related to elevations will use this resource type. - """ - ELEVATION -} - -extend enum ActivityLogActivityType { - """ - Elevation was created. - """ - ELEVATION_CREATED -} - -""" -Data associated with an elevation creation activity log entry. -""" -type ElevationCreatedActivityLogEntryData { - """ - Type of elevation that was created. - """ - elevationType: ElevationType! - - """ - Target resource name that was elevated to. - """ - targetResourceName: String! - - """ - Reason provided for the elevation. - """ - reason: String! - - """ - When the elevation will expire. - """ - expiresAt: Time! -} - -""" -Activity log entry for elevation creation. -""" -type ElevationCreatedActivityLogEntry implements ActivityLogEntry & Node { - """ - ID of the entry. - """ - id: ID! - - """ - The identity of the actor who created the elevation. - """ - actor: String! - - """ - Creation time of the entry. - """ - createdAt: Time! - - """ - Message that summarizes the entry. - """ - message: String! - - """ - Resource type (ELEVATION). - """ - resourceType: ActivityLogEntryResourceType! - - """ - Name of the elevation resource. - """ - resourceName: String! - - """ - The team slug. - """ - teamSlug: Slug! - - """ - The environment name. - """ - environmentName: String - - """ - Data associated with the entry. - """ - data: ElevationCreatedActivityLogEntryData! -} - -extend type User { - """ - Get active elevations for this user matching the given parameters. - Returns an empty list if no active elevations match. - """ - elevations(input: ElevationInput!): [Elevation!]! 
-} - -extend type Mutation { - """ - Create a temporary elevation of privileges for a specific resource. - The elevation expires automatically after the specified duration. - """ - createElevation(input: CreateElevationInput!): CreateElevationPayload! -} `, BuiltIn: false}, {Name: "../schema/environments.graphqls", Input: `extend type Query { """ @@ -20539,9 +20047,6 @@ type Secret implements Node & ActivityLogger { "The names of the keys in the secret. This does not require elevation to access." keys: [String!]! - "The secret values contained within the secret. Requires elevation to access the values. Returns null if not authorized." - values: [SecretValue!] - "Applications that use the secret." applications( "Get the first n items in the connection. This can be used in combination with the after parameter." @@ -22646,9 +22151,6 @@ type Team implements Node { "Whether or not the viewer is a member of the team." viewerIsMember: Boolean! - "Whether or not the viewer can create elevations for the team." - viewerCanElevate: Boolean! - "Environments for the team." environments: [TeamEnvironment!]! diff --git a/internal/graph/gengql/schema.generated.go b/internal/graph/gengql/schema.generated.go index 9a5c432fe..e5987a457 100644 --- a/internal/graph/gengql/schema.generated.go +++ b/internal/graph/gengql/schema.generated.go @@ -16,7 +16,6 @@ import ( "github.com/nais/api/internal/cost" "github.com/nais/api/internal/deployment" "github.com/nais/api/internal/deployment/deploymentactivity" - "github.com/nais/api/internal/elevation" "github.com/nais/api/internal/environment" "github.com/nais/api/internal/feature" "github.com/nais/api/internal/github/repository" 
@@ -62,7 +61,6 @@ type MutationResolver interface { DeleteApplication(ctx context.Context, input application.DeleteApplicationInput) (*application.DeleteApplicationPayload, error) RestartApplication(ctx context.Context, input application.RestartApplicationInput) (*application.RestartApplicationPayload, error) ChangeDeploymentKey(ctx context.Context, input deployment.ChangeDeploymentKeyInput) (*deployment.ChangeDeploymentKeyPayload, error) - CreateElevation(ctx context.Context, input elevation.CreateElevationInput) (*elevation.CreateElevationPayload, error) DeleteJob(ctx context.Context, input job.DeleteJobInput) (*job.DeleteJobPayload, error) TriggerJob(ctx context.Context, input job.TriggerJobInput) (*job.TriggerJobPayload, error) CreateOpenSearch(ctx context.Context, input opensearch.CreateOpenSearchInput) (*opensearch.CreateOpenSearchPayload, error) @@ -232,17 +230,6 @@ func (ec *executionContext) field_Mutation_confirmTeamDeletion_args(ctx context. return args, nil } -func (ec *executionContext) field_Mutation_createElevation_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) { - var err error - args := map[string]any{} - arg0, err := graphql.ProcessArgField(ctx, rawArgs, "input", ec.unmarshalNCreateElevationInput2githubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐCreateElevationInput) - if err != nil { - return nil, err - } - args["input"] = arg0 - return args, nil -} - func (ec *executionContext) field_Mutation_createOpenSearch_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) { var err error args := map[string]any{} 
@@ -1240,51 +1227,6 @@ func (ec *executionContext) fieldContext_Mutation_changeDeploymentKey(ctx contex return fc, nil } -func (ec *executionContext) _Mutation_createElevation(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_Mutation_createElevation, - func(ctx context.Context) (any, error) { - fc := graphql.GetFieldContext(ctx) - return ec.resolvers.Mutation().CreateElevation(ctx, fc.Args["input"].(elevation.CreateElevationInput)) - }, - nil, - ec.marshalNCreateElevationPayload2ᚖgithubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐCreateElevationPayload, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_Mutation_createElevation(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "Mutation", - Field: field, - IsMethod: true, - IsResolver: true, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - switch field.Name { - case "elevation": - return ec.fieldContext_CreateElevationPayload_elevation(ctx, field) - } - return nil, fmt.Errorf("no field named %q was found under type CreateElevationPayload", field.Name) - }, - } - defer func() { - if r := recover(); r != nil { - err = ec.Recover(ctx, r) - ec.Error(ctx, err) - } - }() - ctx = graphql.WithFieldContext(ctx, fc) - if fc.Args, err = ec.field_Mutation_createElevation_args(ctx, field.ArgumentMap(ec.Variables)); err != nil { - ec.Error(ctx, err) - return fc, err - } - return fc, nil -} - func (ec *executionContext) _Mutation_deleteJob(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) { return graphql.ResolveField( ctx, 
@@ -4196,8 +4138,6 @@ func (ec *executionContext) fieldContext_Query_team(ctx context.Context, field g return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": @@ -4397,8 +4337,6 @@ func (ec *executionContext) fieldContext_Query_user(ctx context.Context, field g return ec.fieldContext_User_teams(ctx, field) case "isAdmin": return ec.fieldContext_User_isAdmin(ctx, field) - case "elevations": - return ec.fieldContext_User_elevations(ctx, field) } return nil, fmt.Errorf("no field named %q was found under type User", field.Name) }, @@ -5522,13 +5460,6 @@ func (ec *executionContext) _Node(ctx context.Context, sel ast.SelectionSet, obj return graphql.Null } return ec._FailedSynchronizationIssue(ctx, sel, obj) - case elevation.ElevationCreatedActivityLogEntry: - return ec._ElevationCreatedActivityLogEntry(ctx, sel, &obj) - case *elevation.ElevationCreatedActivityLogEntry: - if obj == nil { - return graphql.Null - } - return ec._ElevationCreatedActivityLogEntry(ctx, sel, obj) case issue.DeprecatedRegistryIssue: return ec._DeprecatedRegistryIssue(ctx, sel, &obj) case *issue.DeprecatedRegistryIssue: @@ -5743,13 +5674,6 @@ func (ec *executionContext) _Node(ctx context.Context, sel ast.SelectionSet, obj return graphql.Null } return ec._Environment(ctx, sel, obj) - case elevation.Elevation: - return ec._Elevation(ctx, sel, &obj) - case *elevation.Elevation: - if obj == nil { - return graphql.Null - } - return ec._Elevation(ctx, sel, obj) case deployment.DeploymentStatus: return ec._DeploymentStatus(ctx, sel, &obj) case *deployment.DeploymentStatus: 
@@ -5851,13 +5775,6 @@ func (ec *executionContext) _Mutation(ctx context.Context, sel ast.SelectionSet) if out.Values[i] == graphql.Null { out.Invalids++ } - case "createElevation": - out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) { - return ec._Mutation_createElevation(ctx, field) - }) - if out.Values[i] == graphql.Null { - out.Invalids++ - } case "deleteJob": out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) { return ec._Mutation_deleteJob(ctx, field) diff --git a/internal/graph/gengql/secret.generated.go b/internal/graph/gengql/secret.generated.go index f37392f2d..6aed49b68 100644 --- a/internal/graph/gengql/secret.generated.go +++ b/internal/graph/gengql/secret.generated.go @@ -29,7 +29,6 @@ type SecretResolver interface { TeamEnvironment(ctx context.Context, obj *secret.Secret) (*team.TeamEnvironment, error) Team(ctx context.Context, obj *secret.Secret) (*team.Team, error) - Values(ctx context.Context, obj *secret.Secret) ([]*secret.SecretValue, error) Applications(ctx context.Context, obj *secret.Secret, first *int, after *pagination.Cursor, last *int, before *pagination.Cursor) (*pagination.Connection[*application.Application], error) Jobs(ctx context.Context, obj *secret.Secret, first *int, after *pagination.Cursor, last *int, before *pagination.Cursor) (*pagination.Connection[*job.Job], error) Workloads(ctx context.Context, obj *secret.Secret, first *int, after *pagination.Cursor, last *int, before *pagination.Cursor) (*pagination.Connection[workload.Workload], error) 
@@ -195,8 +194,6 @@ func (ec *executionContext) fieldContext_AddSecretValuePayload_secret(_ context. return ec.fieldContext_Secret_team(ctx, field) case "keys": return ec.fieldContext_Secret_keys(ctx, field) - case "values": - return ec.fieldContext_Secret_values(ctx, field) case "applications": return ec.fieldContext_Secret_applications(ctx, field) case "jobs": @@ -252,8 +249,6 @@ func (ec *executionContext) fieldContext_CreateSecretPayload_secret(_ context.Co return ec.fieldContext_Secret_team(ctx, field) case "keys": return ec.fieldContext_Secret_keys(ctx, field) - case "values": - return ec.fieldContext_Secret_values(ctx, field) case "applications": return ec.fieldContext_Secret_applications(ctx, field) case "jobs": @@ -338,8 +333,6 @@ func (ec *executionContext) fieldContext_RemoveSecretValuePayload_secret(_ conte return ec.fieldContext_Secret_team(ctx, field) case "keys": return ec.fieldContext_Secret_keys(ctx, field) - case "values": - return ec.fieldContext_Secret_values(ctx, field) case "applications": return ec.fieldContext_Secret_applications(ctx, field) case "jobs": @@ -597,8 +590,6 @@ func (ec *executionContext) fieldContext_Secret_team(_ context.Context, field gr return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": 
@@ -691,41 +682,6 @@ func (ec *executionContext) fieldContext_Secret_keys(_ context.Context, field gr return fc, nil } -func (ec *executionContext) _Secret_values(ctx context.Context, field graphql.CollectedField, obj *secret.Secret) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_Secret_values, - func(ctx context.Context) (any, error) { - return ec.resolvers.Secret().Values(ctx, obj) - }, - nil, - ec.marshalOSecretValue2ᚕᚖgithubᚗcomᚋnaisᚋapiᚋinternalᚋworkloadᚋsecretᚐSecretValueᚄ, - true, - false, - ) -} - -func (ec *executionContext) fieldContext_Secret_values(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "Secret", - Field: field, - IsMethod: true, - IsResolver: true, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - switch field.Name { - case "name": - return ec.fieldContext_SecretValue_name(ctx, field) - case "value": - return ec.fieldContext_SecretValue_value(ctx, field) - } - return nil, fmt.Errorf("no field named %q was found under type SecretValue", field.Name) - }, - } - return fc, nil -} - func (ec *executionContext) _Secret_applications(ctx context.Context, field graphql.CollectedField, obj *secret.Secret) (ret graphql.Marshaler) { return graphql.ResolveField( ctx, @@ -938,8 +894,6 @@ func (ec *executionContext) fieldContext_Secret_lastModifiedBy(_ context.Context return ec.fieldContext_User_teams(ctx, field) case "isAdmin": return ec.fieldContext_User_isAdmin(ctx, field) - case "elevations": - return ec.fieldContext_User_elevations(ctx, field) } return nil, fmt.Errorf("no field named %q was found under type User", field.Name) }, 
@@ -1077,8 +1031,6 @@ func (ec *executionContext) fieldContext_SecretConnection_nodes(_ context.Contex return ec.fieldContext_Secret_team(ctx, field) case "keys": return ec.fieldContext_Secret_keys(ctx, field) - case "values": - return ec.fieldContext_Secret_values(ctx, field) case "applications": return ec.fieldContext_Secret_applications(ctx, field) case "jobs": @@ -1662,8 +1614,6 @@ func (ec *executionContext) fieldContext_SecretEdge_node(_ context.Context, fiel return ec.fieldContext_Secret_team(ctx, field) case "keys": return ec.fieldContext_Secret_keys(ctx, field) - case "values": - return ec.fieldContext_Secret_values(ctx, field) case "applications": return ec.fieldContext_Secret_applications(ctx, field) case "jobs": @@ -2953,8 +2903,6 @@ func (ec *executionContext) fieldContext_UpdateSecretValuePayload_secret(_ conte return ec.fieldContext_Secret_team(ctx, field) case "keys": return ec.fieldContext_Secret_keys(ctx, field) - case "values": - return ec.fieldContext_Secret_values(ctx, field) case "applications": return ec.fieldContext_Secret_applications(ctx, field) case "jobs": 
@@ -3675,39 +3623,6 @@ func (ec *executionContext) _Secret(ctx context.Context, sel ast.SelectionSet, o if out.Values[i] == graphql.Null { atomic.AddUint32(&out.Invalids, 1) } - case "values": - field := field - - innerFunc := func(ctx context.Context, _ *graphql.FieldSet) (res graphql.Marshaler) { - defer func() { - if r := recover(); r != nil { - ec.Error(ctx, ec.Recover(ctx, r)) - } - }() - res = ec._Secret_values(ctx, field, obj) - return res - } - - if field.Deferrable != nil { - dfs, ok := deferred[field.Deferrable.Label] - di := 0 - if ok { - dfs.AddField(field) - di = len(dfs.Values) - 1 - } else { - dfs = graphql.NewFieldSet([]graphql.CollectedField{field}) - deferred[field.Deferrable.Label] = dfs - } - dfs.Concurrently(di, func(ctx context.Context) graphql.Marshaler { - return innerFunc(ctx, dfs) - }) - - // don't run the out.Concurrently() call below - out.Values[i] = graphql.Null - continue - } - - out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) }) case "applications": field := field 
@@ -5094,51 +5009,4 @@ func (ec *executionContext) unmarshalOSecretOrder2ᚖgithubᚗcomᚋnaisᚋapi return &res, graphql.ErrorOnPath(ctx, err) } -func (ec *executionContext) marshalOSecretValue2ᚕᚖgithubᚗcomᚋnaisᚋapiᚋinternalᚋworkloadᚋsecretᚐSecretValueᚄ(ctx context.Context, sel ast.SelectionSet, v []*secret.SecretValue) graphql.Marshaler { - if v == nil { - return graphql.Null - } - ret := make(graphql.Array, len(v)) - var wg sync.WaitGroup - isLen1 := len(v) == 1 - if !isLen1 { - wg.Add(len(v)) - } - for i := range v { - i := i - fc := &graphql.FieldContext{ - Index: &i, - Result: &v[i], - } - ctx := graphql.WithFieldContext(ctx, fc) - f := func(i int) { - defer func() { - if r := recover(); r != nil { - ec.Error(ctx, ec.Recover(ctx, r)) - ret = nil - } - }() - if !isLen1 { - defer wg.Done() - } - ret[i] = ec.marshalNSecretValue2ᚖgithubᚗcomᚋnaisᚋapiᚋinternalᚋworkloadᚋsecretᚐSecretValue(ctx, sel, v[i]) - } - if isLen1 { - f(i) - } else { - go f(i) - } - - } - wg.Wait() - - for _, e := range ret { - if e == graphql.Null { - return graphql.Null - } - } - - return ret -} - // endregion ***************************** type.gotpl ***************************** diff --git a/internal/graph/gengql/serviceaccounts.generated.go b/internal/graph/gengql/serviceaccounts.generated.go index bf477c825..0f9153232 100644 --- a/internal/graph/gengql/serviceaccounts.generated.go +++ b/internal/graph/gengql/serviceaccounts.generated.go @@ -1277,8 +1277,6 @@ func (ec *executionContext) fieldContext_ServiceAccount_team(_ context.Context, return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": diff --git a/internal/graph/gengql/sqlinstance.generated.go b/internal/graph/gengql/sqlinstance.generated.go index 8e75f12cc..0921d97a8 100644 
--- a/internal/graph/gengql/sqlinstance.generated.go +++ b/internal/graph/gengql/sqlinstance.generated.go @@ -325,8 +325,6 @@ func (ec *executionContext) fieldContext_Postgres_team(_ context.Context, field return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": @@ -953,8 +951,6 @@ func (ec *executionContext) fieldContext_SqlDatabase_team(_ context.Context, fie return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": @@ -1372,8 +1368,6 @@ func (ec *executionContext) fieldContext_SqlInstance_team(_ context.Context, fie return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": diff --git a/internal/graph/gengql/teams.generated.go b/internal/graph/gengql/teams.generated.go index f06c384bc..ba0971184 100644 --- a/internal/graph/gengql/teams.generated.go +++ b/internal/graph/gengql/teams.generated.go 
@@ -50,7 +50,6 @@ type TeamResolver interface { ViewerIsOwner(ctx context.Context, obj *team.Team) (bool, error) ViewerIsMember(ctx context.Context, obj *team.Team) (bool, error) - ViewerCanElevate(ctx context.Context, obj *team.Team) (bool, error) Environments(ctx context.Context, obj *team.Team) ([]*team.TeamEnvironment, error) Environment(ctx context.Context, obj *team.Team, name string) (*team.TeamEnvironment, error) DeleteKey(ctx context.Context, obj *team.Team, key string) (*team.TeamDeleteKey, error) @@ -1027,8 +1026,6 @@ func (ec *executionContext) fieldContext_CreateTeamPayload_team(_ context.Contex return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": @@ -1128,8 +1125,6 @@ func (ec *executionContext) fieldContext_RemoveTeamMemberPayload_user(_ context. return ec.fieldContext_User_teams(ctx, field) case "isAdmin": return ec.fieldContext_User_isAdmin(ctx, field) - case "elevations": - return ec.fieldContext_User_elevations(ctx, field) } return nil, fmt.Errorf("no field named %q was found under type User", field.Name) }, @@ -1183,8 +1178,6 @@ func (ec *executionContext) fieldContext_RemoveTeamMemberPayload_team(_ context. return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": 
@@ -1697,35 +1690,6 @@ func (ec *executionContext) fieldContext_Team_viewerIsMember(_ context.Context, return fc, nil } -func (ec *executionContext) _Team_viewerCanElevate(ctx context.Context, field graphql.CollectedField, obj *team.Team) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_Team_viewerCanElevate, - func(ctx context.Context) (any, error) { - return ec.resolvers.Team().ViewerCanElevate(ctx, obj) - }, - nil, - ec.marshalNBoolean2bool, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_Team_viewerCanElevate(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "Team", - Field: field, - IsMethod: true, - IsResolver: true, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - return nil, errors.New("field of type Boolean does not have child fields") - }, - } - return fc, nil -} - func (ec *executionContext) _Team_environments(ctx context.Context, field graphql.CollectedField, obj *team.Team) (ret graphql.Marshaler) { return graphql.ResolveField( ctx, @@ -3468,8 +3432,6 @@ func (ec *executionContext) fieldContext_TeamConnection_nodes(_ context.Context, return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": @@ -4155,8 +4117,6 @@ func (ec *executionContext) fieldContext_TeamDeleteKey_createdBy(_ context.Conte return ec.fieldContext_User_teams(ctx, field) case "isAdmin": return ec.fieldContext_User_isAdmin(ctx, field) - case "elevations": - return ec.fieldContext_User_elevations(ctx, field) } return nil, fmt.Errorf("no field named %q was found under type User", field.Name) }, 
@@ -4210,8 +4170,6 @@ func (ec *executionContext) fieldContext_TeamDeleteKey_team(_ context.Context, f return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": @@ -4350,8 +4308,6 @@ func (ec *executionContext) fieldContext_TeamEdge_node(_ context.Context, field return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": @@ -4606,8 +4562,6 @@ func (ec *executionContext) fieldContext_TeamEnvironment_team(_ context.Context, return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": @@ -5291,8 +5245,6 @@ func (ec *executionContext) fieldContext_TeamEnvironment_secret(ctx context.Cont return ec.fieldContext_Secret_team(ctx, field) case "keys": return ec.fieldContext_Secret_keys(ctx, field) - case "values": - return ec.fieldContext_Secret_values(ctx, field) case "applications": return ec.fieldContext_Secret_applications(ctx, field) case "jobs": 
@@ -6489,8 +6441,6 @@ func (ec *executionContext) fieldContext_TeamMember_team(_ context.Context, fiel return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": @@ -6590,8 +6540,6 @@ func (ec *executionContext) fieldContext_TeamMember_user(_ context.Context, fiel return ec.fieldContext_User_teams(ctx, field) case "isAdmin": return ec.fieldContext_User_isAdmin(ctx, field) - case "elevations": - return ec.fieldContext_User_elevations(ctx, field) } return nil, fmt.Errorf("no field named %q was found under type User", field.Name) }, @@ -8417,8 +8365,6 @@ func (ec *executionContext) fieldContext_UpdateTeamPayload_team(_ context.Contex return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": 
@@ -9355,42 +9301,6 @@ func (ec *executionContext) _Team(ctx context.Context, sel ast.SelectionSet, obj continue } - out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) }) - case "viewerCanElevate": - field := field - - innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) { - defer func() { - if r := recover(); r != nil { - ec.Error(ctx, ec.Recover(ctx, r)) - } - }() - res = ec._Team_viewerCanElevate(ctx, field, obj) - if res == graphql.Null { - atomic.AddUint32(&fs.Invalids, 1) - } - return res - } - - if field.Deferrable != nil { - dfs, ok := deferred[field.Deferrable.Label] - di := 0 - if ok { - dfs.AddField(field) - di = len(dfs.Values) - 1 - } else { - dfs = graphql.NewFieldSet([]graphql.CollectedField{field}) - deferred[field.Deferrable.Label] = dfs - } - dfs.Concurrently(di, func(ctx context.Context) graphql.Marshaler { - return innerFunc(ctx, dfs) - }) - - // don't run the out.Concurrently() call below - out.Values[i] = graphql.Null - continue - } - out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) }) case "environments": field := field diff --git a/internal/graph/gengql/users.generated.go b/internal/graph/gengql/users.generated.go index afff9834c..c05a2c7e7 100644 --- a/internal/graph/gengql/users.generated.go +++ b/internal/graph/gengql/users.generated.go @@ -12,7 +12,6 @@ import ( "github.com/99designs/gqlgen/graphql" "github.com/nais/api/internal/auth/authz" - "github.com/nais/api/internal/elevation" "github.com/nais/api/internal/graph/pagination" "github.com/nais/api/internal/serviceaccount" "github.com/nais/api/internal/team" 
@@ -24,25 +23,12 @@ import ( type UserResolver interface { Teams(ctx context.Context, obj *user.User, first *int, after *pagination.Cursor, last *int, before *pagination.Cursor, orderBy *team.UserTeamOrder) (*pagination.Connection[*team.TeamMember], error) - - Elevations(ctx context.Context, obj *user.User, input elevation.ElevationInput) ([]*elevation.Elevation, error) } // endregion ************************** generated!.gotpl ************************** // region ***************************** args.gotpl ***************************** -func (ec *executionContext) field_User_elevations_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) { - var err error - args := map[string]any{} - arg0, err := graphql.ProcessArgField(ctx, rawArgs, "input", ec.unmarshalNElevationInput2githubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐElevationInput) - if err != nil { - return nil, err - } - args["input"] = arg0 - return args, nil -} - func (ec *executionContext) field_User_teams_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) { var err error args := map[string]any{} 
@@ -276,67 +262,6 @@ func (ec *executionContext) fieldContext_User_isAdmin(_ context.Context, field g return fc, nil } -func (ec *executionContext) _User_elevations(ctx context.Context, field graphql.CollectedField, obj *user.User) (ret graphql.Marshaler) { - return graphql.ResolveField( - ctx, - ec.OperationContext, - field, - ec.fieldContext_User_elevations, - func(ctx context.Context) (any, error) { - fc := graphql.GetFieldContext(ctx) - return ec.resolvers.User().Elevations(ctx, obj, fc.Args["input"].(elevation.ElevationInput)) - }, - nil, - ec.marshalNElevation2ᚕᚖgithubᚗcomᚋnaisᚋapiᚋinternalᚋelevationᚐElevationᚄ, - true, - true, - ) -} - -func (ec *executionContext) fieldContext_User_elevations(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) { - fc = &graphql.FieldContext{ - Object: "User", - Field: field, - IsMethod: true, - IsResolver: true, - Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) { - switch field.Name { - case "id": - return ec.fieldContext_Elevation_id(ctx, field) - case "type": - return ec.fieldContext_Elevation_type(ctx, field) - case "team": - return ec.fieldContext_Elevation_team(ctx, field) - case "teamEnvironment": - return ec.fieldContext_Elevation_teamEnvironment(ctx, field) - case "resourceName": - return ec.fieldContext_Elevation_resourceName(ctx, field) - case "user": - return ec.fieldContext_Elevation_user(ctx, field) - case "reason": - return ec.fieldContext_Elevation_reason(ctx, field) - case "createdAt": - return ec.fieldContext_Elevation_createdAt(ctx, field) - case "expiresAt": - return ec.fieldContext_Elevation_expiresAt(ctx, field) - } - return nil, fmt.Errorf("no field named %q was found under type Elevation", field.Name) - }, - } - defer func() { - if r := recover(); r != nil { - err = ec.Recover(ctx, r) - ec.Error(ctx, err) - } - }() - ctx = graphql.WithFieldContext(ctx, fc) - if fc.Args, err = ec.field_User_elevations_args(ctx, 
field.ArgumentMap(ec.Variables)); err != nil { - ec.Error(ctx, err) - return fc, err - } - return fc, nil -} - func (ec *executionContext) _UserConnection_pageInfo(ctx context.Context, field graphql.CollectedField, obj *pagination.Connection[*user.User]) (ret graphql.Marshaler) { return graphql.ResolveField( ctx, @@ -418,8 +343,6 @@ func (ec *executionContext) fieldContext_UserConnection_nodes(_ context.Context, return ec.fieldContext_User_teams(ctx, field) case "isAdmin": return ec.fieldContext_User_isAdmin(ctx, field) - case "elevations": - return ec.fieldContext_User_elevations(ctx, field) } return nil, fmt.Errorf("no field named %q was found under type User", field.Name) }, @@ -527,8 +450,6 @@ func (ec *executionContext) fieldContext_UserEdge_node(_ context.Context, field return ec.fieldContext_User_teams(ctx, field) case "isAdmin": return ec.fieldContext_User_isAdmin(ctx, field) - case "elevations": - return ec.fieldContext_User_elevations(ctx, field) } return nil, fmt.Errorf("no field named %q was found under type User", field.Name) }, 
@@ -707,42 +628,6 @@ func (ec *executionContext) _User(ctx context.Context, sel ast.SelectionSet, obj if out.Values[i] == graphql.Null { atomic.AddUint32(&out.Invalids, 1) } - case "elevations": - field := field - - innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) { - defer func() { - if r := recover(); r != nil { - ec.Error(ctx, ec.Recover(ctx, r)) - } - }() - res = ec._User_elevations(ctx, field, obj) - if res == graphql.Null { - atomic.AddUint32(&fs.Invalids, 1) - } - return res - } - - if field.Deferrable != nil { - dfs, ok := deferred[field.Deferrable.Label] - di := 0 - if ok { - dfs.AddField(field) - di = len(dfs.Values) - 1 - } else { - dfs = graphql.NewFieldSet([]graphql.CollectedField{field}) - deferred[field.Deferrable.Label] = dfs - } - dfs.Concurrently(di, func(ctx context.Context) graphql.Marshaler { - return innerFunc(ctx, dfs) - }) - - // don't run the out.Concurrently() call below - out.Values[i] = graphql.Null - continue - } - - out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) }) default: panic("unknown field " + strconv.Quote(field.Name)) } diff --git a/internal/graph/gengql/utilization.generated.go b/internal/graph/gengql/utilization.generated.go index 29f9c6198..437f79b14 100644 --- a/internal/graph/gengql/utilization.generated.go +++ b/internal/graph/gengql/utilization.generated.go @@ -232,8 +232,6 @@ func (ec *executionContext) fieldContext_TeamUtilizationData_team(_ context.Cont return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": diff --git a/internal/graph/gengql/valkey.generated.go b/internal/graph/gengql/valkey.generated.go index c67e8e866..0c9dffebd 100644 --- a/internal/graph/gengql/valkey.generated.go 
+++ b/internal/graph/gengql/valkey.generated.go @@ -472,8 +472,6 @@ func (ec *executionContext) fieldContext_Valkey_team(_ context.Context, field gr return ec.fieldContext_Team_viewerIsOwner(ctx, field) case "viewerIsMember": return ec.fieldContext_Team_viewerIsMember(ctx, field) - case "viewerCanElevate": - return ec.fieldContext_Team_viewerCanElevate(ctx, field) case "environments": return ec.fieldContext_Team_environments(ctx, field) case "environment": diff --git a/internal/graph/schema/elevation.graphqls b/internal/graph/schema/elevation.graphqls deleted file mode 100644 index a092c141f..000000000 --- a/internal/graph/schema/elevation.graphqls +++ /dev/null 
@@ -1,249 +0,0 @@
-"""
-Type of elevation that can be requested.
-"""
-enum ElevationType {
- """
- Access to read secrets in plain text.
- """
- SECRET
-
- """
- Access to execute commands in an instance.
- """
- INSTANCE_EXEC
-
- """
- Access to port-forward to an instance.
- """
- INSTANCE_PORT_FORWARD
-
- """
- Access to debug an instance with ephemeral containers.
- """
- INSTANCE_DEBUG
-}
-
-"""
-An active elevation grants temporary elevated privileges to a specific resource.
-"""
-type Elevation implements Node {
- """
- Unique ID of the elevation.
- """
- id: ID!
-
- """
- Type of elevation.
- """
- type: ElevationType!
-
- """
- Team that owns the resource.
- """
- team: Team!
-
- """
- Environment where the resource is located.
- """
- teamEnvironment: TeamEnvironment!
-
- """
- Name of the resource being elevated to.
- """
- resourceName: String!
-
- """
- User who requested the elevation.
- """
- user: User!
-
- """
- Reason provided for the elevation.
- """
- reason: String!
-
- """
- When the elevation was created.
- """
- createdAt: Time!
-
- """
- When the elevation will expire.
- """
- expiresAt: Time!
-}
-
-"""
-Input for looking up an existing elevation.
-"""
-input ElevationInput {
- """
- Type of elevation.
- """
- type: ElevationType!
-
- """
- Team slug.
- """
- team: Slug!
-
- """
- Environment name.
- """
- environmentName: String!
-
- """
- Name of the resource.
- """
- resourceName: String!
-}
-
-"""
-Input for creating an elevation.
-"""
-input CreateElevationInput {
- """
- Type of elevation to create.
- """
- type: ElevationType!
-
- """
- Team slug.
- """
- team: Slug!
-
- """
- Environment name.
- """
- environmentName: String!
-
- """
- Name of the resource to elevate access to.
- """
- resourceName: String!
-
- """
- Reason for requesting the elevation. Must be at least 10 characters.
- """
- reason: String!
-
- """
- Duration of the elevation in minutes. Maximum 60 minutes.
- """
- durationMinutes: Int! = 60
-}
-
-"""
-Payload returned when creating an elevation.
-"""
-type CreateElevationPayload {
- """
- The created elevation.
- """
- elevation: Elevation!
-}
-
-extend enum ActivityLogEntryResourceType {
- """
- All activity log entries related to elevations will use this resource type.
- """
- ELEVATION
-}
-
-extend enum ActivityLogActivityType {
- """
- Elevation was created.
- """
- ELEVATION_CREATED
-}
-
-"""
-Data associated with an elevation creation activity log entry.
-"""
-type ElevationCreatedActivityLogEntryData {
- """
- Type of elevation that was created.
- """
- elevationType: ElevationType!
-
- """
- Target resource name that was elevated to.
- """
- targetResourceName: String!
-
- """
- Reason provided for the elevation.
- """
- reason: String!
-
- """
- When the elevation will expire.
- """
- expiresAt: Time!
-}
-
-"""
-Activity log entry for elevation creation.
-"""
-type ElevationCreatedActivityLogEntry implements ActivityLogEntry & Node {
- """
- ID of the entry.
- """
- id: ID!
-
- """
- The identity of the actor who created the elevation.
- """
- actor: String!
-
- """
- Creation time of the entry.
- """
- createdAt: Time!
-
- """
- Message that summarizes the entry.
- """
- message: String!
-
- """
- Resource type (ELEVATION).
- """
- resourceType: ActivityLogEntryResourceType!
-
- """
- Name of the elevation resource.
- """
- resourceName: String!
-
- """
- The team slug.
- """
- teamSlug: Slug!
-
- """
- The environment name.
- """
- environmentName: String
-
- """
- Data associated with the entry.
- """
- data: ElevationCreatedActivityLogEntryData!
-}
-
-extend type User {
- """
- Get active elevations for this user matching the given parameters.
- Returns an empty list if no active elevations match.
- """
- elevations(input: ElevationInput!): [Elevation!]!
-}
-
-extend type Mutation {
- """
- Create a temporary elevation of privileges for a specific resource.
- The elevation expires automatically after the specified duration.
- """
- createElevation(input: CreateElevationInput!): CreateElevationPayload!
-}
diff --git a/internal/graph/schema/secret.graphqls b/internal/graph/schema/secret.graphqls
index 78ee0ea54..c96444d1e 100644
--- a/internal/graph/schema/secret.graphqls
+++ b/internal/graph/schema/secret.graphqls
@@ -135,9 +135,6 @@ type Secret implements Node & ActivityLogger {
 "The names of the keys in the secret. This does not require elevation to access."
 keys: [String!]!
- "The secret values contained within the secret. Requires elevation to access the values. Returns null if not authorized."
- values: [SecretValue!]
-
 "Applications that use the secret."
 applications(
 "Get the first n items in the connection. This can be used in combination with the after parameter."
diff --git a/internal/graph/schema/teams.graphqls b/internal/graph/schema/teams.graphqls
index 15f21aba7..d57795bee 100644
--- a/internal/graph/schema/teams.graphqls
+++ b/internal/graph/schema/teams.graphqls
@@ -154,9 +154,6 @@ type Team implements Node {
 "Whether or not the viewer is a member of the team."
 viewerIsMember: Boolean!
- "Whether or not the viewer can create elevations for the team."
- viewerCanElevate: Boolean!
-
 "Environments for the team."
 environments: [TeamEnvironment!]!
diff --git a/internal/graph/secret.resolvers.go b/internal/graph/secret.resolvers.go
index 5fd7fe909..9ba4fba61 100644
--- a/internal/graph/secret.resolvers.go
+++ b/internal/graph/secret.resolvers.go
@@ -6,7 +6,6 @@ import (
 "github.com/nais/api/internal/activitylog"
 "github.com/nais/api/internal/auth/authz"
- "github.com/nais/api/internal/elevation"
 "github.com/nais/api/internal/environmentmapper"
 "github.com/nais/api/internal/graph/gengql"
 "github.com/nais/api/internal/graph/model"
@@ -127,32 +126,6 @@ func (r *secretResolver) Team(ctx context.Context, obj *secret.Secret) (*team.Te
 return team.Get(ctx, obj.TeamSlug)
 }
-func (r *secretResolver) Values(ctx context.Context, obj *secret.Secret) ([]*secret.SecretValue, error) {
- // First check if user is a team member (strict check without admin bypass)
- if err := authz.CanReadSecretValues(ctx, obj.TeamSlug); err != nil {
- return nil, err
- }
-
- // Then check if user has an active elevation for this specific secret
- actor := authz.ActorFromContext(ctx)
- elevations, err := elevation.List(ctx, &elevation.ElevationInput{
- Type: elevation.ElevationTypeSecret,
- Team: obj.TeamSlug,
- EnvironmentName: environmentmapper.EnvironmentName(obj.EnvironmentName),
- ResourceName: obj.Name,
- }, actor.User.Identity())
- if err != nil {
- return nil, err
- }
-
- if len(elevations) == 0 {
- // No active elevation found - user must request elevation to view secret values
- return nil, authz.ErrUnauthorized
- }
-
- return secret.GetSecretValues(ctx, obj.TeamSlug, environmentmapper.ClusterName(obj.EnvironmentName), obj.Name)
-}
-
 func (r *secretResolver) Applications(ctx context.Context, obj *secret.Secret, first *int, after *pagination.Cursor, last *int, before *pagination.Cursor) (*pagination.Connection[*application.Application], error) {
 page, err := pagination.ParsePage(first, after, last, before)
 if err != nil {
@@ -247,7 +220,7 @@ func (r *secretResolver) ActivityLog(ctx context.Context, obj *secret.Secret, fi
 // Secrets returns all secrets for a team.
 // Secret metadata (names, keys) is visible to all authenticated users.
-// Secret values require team membership and elevation.
+// Secret values require team membership (use viewSecretValues mutation).
 func (r *teamResolver) Secrets(ctx context.Context, obj *team.Team, first *int, after *pagination.Cursor, last *int, before *pagination.Cursor, orderBy *secret.SecretOrder, filter *secret.SecretFilter) (*pagination.Connection[*secret.Secret], error) {
 page, err := pagination.ParsePage(first, after, last, before)
 if err != nil {
@@ -259,7 +232,7 @@ func (r *teamResolver) Secrets(ctx context.Context, obj *team.Team, first *int,
 // Secret returns a single secret by name.
 // Secret metadata (name, keys) is visible to all authenticated users.
-// Secret values require team membership and elevation.
+// Secret values require team membership (use viewSecretValues mutation).
 func (r *teamEnvironmentResolver) Secret(ctx context.Context, obj *team.TeamEnvironment, name string) (*secret.Secret, error) {
 return secret.Get(ctx, obj.TeamSlug, obj.EnvironmentName, name)
 }
diff --git a/internal/graph/teams.resolvers.go b/internal/graph/teams.resolvers.go
index 93f3a0852..4cba6ec4d 100644
--- a/internal/graph/teams.resolvers.go
+++ b/internal/graph/teams.resolvers.go
@@ -293,11 +293,6 @@ func (r *teamResolver) ViewerIsMember(ctx context.Context, obj *team.Team) (bool
 return team.UserIsMember(ctx, obj.Slug, authz.ActorFromContext(ctx).User.GetID())
 }
-func (r *teamResolver) ViewerCanElevate(ctx context.Context, obj *team.Team) (bool, error) {
- err := authz.CanCreateElevation(ctx, obj.Slug)
- return err == nil, nil
-}
-
 func (r *teamResolver) Environments(ctx context.Context, obj *team.Team) ([]*team.TeamEnvironment, error) {
 return team.ListTeamEnvironments(ctx, obj.Slug)
 }
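Review bot: The replaced comment above `Secrets` (and the identical one above `teamEnvironmentResolver.Secret` in the next hunk) drops the "no admin bypass" property that the removed `Values` resolver enforced through `authz.CanReadSecretValues` and that the package comment in queries.go still states, so a reader of these resolvers now sees only "team membership" as the requirement. The `viewSecretValues` mutation the comment points to is not part of this diff, so I could not confirm its name or that it applies the same strict check; the comment should not be the only place that property is recorded. Suggest `// Secret values require team membership with no admin bypass; they are read through the viewSecretValues mutation, not through this resolver.` in both places. Both enclosing functions continue outside their hunks.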
diff --git a/internal/workload/secret/queries.go b/internal/workload/secret/queries.go
index 87ebcf592..09f1a5a0b 100644
--- a/internal/workload/secret/queries.go
+++ b/internal/workload/secret/queries.go
@@ -10,10 +10,10 @@
 // - Allows admin bypass - admins can manage secrets in any team
 //
 // ImpersonatedClient (user's RBAC):
-// - Read secret values
-// - Requires user to be team member AND have active elevation
-// - NO admin bypass - even admins must be team members and request elevation
-// - This ensures all secret value access is audited via elevation system
+// - Read secret values via viewSecretValues mutation
+// - Requires user to be team member (no admin bypass)
+// - Creates temporary RBAC, uses impersonation for defense in depth
+// - All access is audited via activity log
 package secret
 import (
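Review bot: The new package comment asserts `Creates temporary RBAC` and `All access is audited via activity log`, but nothing in this diff shows where that activity-log entry is written or what bounds the lifetime and removal of the temporary RBAC, whereas the removed elevation path visibly carried a per-grant reason and expiry that a reviewer could point to. A maintainer reading this header cannot tell where the audit record is produced or what happens if the temporary binding is not revoked, which is exactly the property the old comment tied to the elevation system. Suggest naming the implementing code in the comment, e.g. `// - Temporary RBAC is created by <creating function> and removed by <cleanup path>; each read records an activity log entry from <logging function>`, with the placeholders filled in from the mutation's implementation. The comment is the file's package doc; the `import (` block continues outside the hunk.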