feat(cli): aggregate step authorization into top-level config field

lerna.json

@@ -4,5 +4,5 @@
     "packages/integration-sdk-*",
     "packages/cli"
   ],
-  "version": "17.3.0"
+  "version": "17.4.0"
 }

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jupiterone/cli",
-  "version": "17.3.0",
+  "version": "17.4.0",
   "description": "The JupiterOne cli",
   "main": "dist/src/index.js",
   "types": "dist/src/index.d.ts",
@@ -24,8 +24,8 @@
     "test": "jest"
   },
   "dependencies": {
-    "@jupiterone/integration-sdk-core": "^17.3.0",
-    "@jupiterone/integration-sdk-runtime": "^17.3.0",
+    "@jupiterone/integration-sdk-core": "^17.4.0",
+    "@jupiterone/integration-sdk-runtime": "^17.4.0",
     "@lifeomic/attempt": "^3.0.3",
     "commander": "^5.0.0",
     "globby": "^11.0.1",

packages/integration-sdk-benchmark/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jupiterone/integration-sdk-benchmark",
-  "version": "17.3.0",
+  "version": "17.4.0",
   "private": true,
   "description": "SDK benchmarking scripts",
   "main": "./src/index.js",
@@ -15,8 +15,8 @@
     "benchmark": "for file in ./src/benchmarks/*; do npm run prebenchmark && node $file; done"
   },
   "dependencies": {
-    "@jupiterone/integration-sdk-core": "^17.3.0",
-    "@jupiterone/integration-sdk-runtime": "^17.3.0",
+    "@jupiterone/integration-sdk-core": "^17.4.0",
+    "@jupiterone/integration-sdk-runtime": "^17.4.0",
     "benchmark": "^2.1.4"
   }
 }

packages/integration-sdk-cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jupiterone/integration-sdk-cli",
-  "version": "17.3.0",
+  "version": "17.4.0",
   "description": "The SDK for developing JupiterOne integrations",
   "main": "dist/src/index.js",
   "types": "dist/src/index.d.ts",
@@ -25,8 +25,8 @@
     "plop": "plop --plopfile dist/src/generator/newIntegration.js"
   },
   "dependencies": {
-    "@jupiterone/integration-sdk-core": "^17.3.0",
-    "@jupiterone/integration-sdk-runtime": "^17.3.0",
+    "@jupiterone/integration-sdk-core": "^17.4.0",
+    "@jupiterone/integration-sdk-runtime": "^17.4.0",
     "chalk": "^4",
     "commander": "^9.4.0",
     "ejs": "^3.1.9",
@@ -44,7 +44,7 @@
   },
   "devDependencies": {
     "@jupiterone/data-model": "^0.62.0",
-    "@jupiterone/integration-sdk-private-test-utils": "^17.3.0",
+    "@jupiterone/integration-sdk-private-test-utils": "^17.4.0",
     "@pollyjs/adapter-node-http": "^6.0.5",
     "@pollyjs/core": "^6.0.5",
     "@pollyjs/persister-fs": "^6.0.5",

packages/integration-sdk-cli/src/commands/generate-ingestion-sources-config.test.ts

@@ -190,4 +190,71 @@ describe('#generateIngestionSourcesConfig', () => {
       ingestionSourcesConfig[INGESTION_SOURCE_IDS.TEST_SOURCE],
     ).toBeUndefined();
   });
+
+  it('should aggregate authorization from all steps into a top-level field', () => {
+    const integrationSteps: IntegrationStep<IntegrationInstanceConfig>[] = [
+      {
+        id: 'fetch-account',
+        name: 'Fetch Account',
+        entities: [],
+        relationships: [],
+        dependsOn: [],
+        executionHandler: jest.fn(),
+        authorization: {
+          permissions: ['account:read'],
+          apis: ['accounts.googleapis.com'],
+        },
+      },
+      {
+        id: 'fetch-repos',
+        name: 'Fetch Repos',
+        entities: [],
+        relationships: [],
+        dependsOn: ['fetch-account'],
+        ingestionSourceId: INGESTION_SOURCE_IDS.FETCH_REPOS,
+        executionHandler: jest.fn(),
+        authorization: {
+          permissions: ['repo:read', 'account:read'],
+          apis: ['repos.googleapis.com'],
+          oauthScopes: ['repo:read'],
+        },
+      },
+      {
+        id: 'fetch-teams',
+        name: 'Fetch Teams',
+        entities: [],
+        relationships: [],
+        dependsOn: ['fetch-account'],
+        executionHandler: jest.fn(),
+      },
+    ];
+    const ingestionSourcesConfig = generateIngestionSourcesConfig(
+      ingestionConfig,
+      integrationSteps,
+    );
+    expect(ingestionSourcesConfig.authorization).toEqual({
+      permissions: ['account:read', 'repo:read'],
+      apis: ['accounts.googleapis.com', 'repos.googleapis.com'],
+      oauthScopes: ['repo:read'],
+    });
+  });
+
+  it('should not include authorization when no steps have it', () => {
+    const integrationSteps: IntegrationStep<IntegrationInstanceConfig>[] = [
+      {
+        id: 'fetch-repos',
+        name: 'Fetch Repos',
+        entities: [],
+        relationships: [],
+        dependsOn: [],
+        ingestionSourceId: INGESTION_SOURCE_IDS.FETCH_REPOS,
+        executionHandler: jest.fn(),
+      },
+    ];
+    const ingestionSourcesConfig = generateIngestionSourcesConfig(
+      ingestionConfig,
+      integrationSteps,
+    );
+    expect(ingestionSourcesConfig.authorization).toBeUndefined();
+  });
 });

packages/integration-sdk-cli/src/commands/generate-ingestion-sources-config.ts

@@ -3,6 +3,7 @@ import {
   IntegrationIngestionConfigFieldMap,
   IntegrationSourceId,
   Step,
+  StepAuthorization,
   StepExecutionContext,
   StepMetadata,
 } from '@jupiterone/integration-sdk-core';
@@ -70,7 +71,9 @@ export function generateIngestionSourcesConfigCommand() {
 export type EnhancedIntegrationIngestionConfigFieldMap = Record<
   IntegrationSourceId,
   IntegrationIngestionConfigField & { childIngestionSources?: StepMetadata[] }
->;
+> & {
+  authorization?: StepAuthorization;
+};
 
 /**
  * Generates an ingestionConfig with childIngestionSources taking into account
@@ -119,5 +122,47 @@ export function generateIngestionSourcesConfig<
       log.warn(`The key ${key} does not exist in the ingestionConfig`);
     }
   });
+
+  const aggregatedAuth = aggregateAuthorization(integrationSteps);
+  if (aggregatedAuth) {
+    newIngestionConfig.authorization = aggregatedAuth;
+  }
+
   return newIngestionConfig;
 }
+
+function aggregateAuthorization<
+  TStepExecutionContext extends StepExecutionContext,
+>(steps: Step<TStepExecutionContext>[]): StepAuthorization | undefined {
+  const collected: Record<keyof StepAuthorization, Set<string>> = {
+    permissions: new Set(),
+    roles: new Set(),
+    oauthScopes: new Set(),
+    apis: new Set(),
+    endpoints: new Set(),
+    licenses: new Set(),
+    documentationLinks: new Set(),
+  };
+
+  for (const step of steps) {
+    if (!step.authorization) continue;
+    for (const [key, values] of Object.entries(step.authorization)) {
+      if (Array.isArray(values)) {
+        for (const v of values) {
+          if (v) collected[key as keyof StepAuthorization].add(v);
+        }
+      }
+    }
+  }
+
+  const auth: StepAuthorization = {};
+  let hasAny = false;
+  for (const [key, set] of Object.entries(collected)) {
+    if (set.size > 0) {
+      auth[key as keyof StepAuthorization] = [...set].sort();
+      hasAny = true;
+    }
+  }
+
+  return hasAny ? auth : undefined;
+}