Merge pull request #2121 from Fredkiss3/feat/device-approvals

feat: device approvals
2026-03-06 18:56:39 +00:00 · 2026-01-15 21:33:31 -08:00
parent ff5e12655f 6d90d734f4
commit 06aaa7c680
39 changed files with 1549 additions and 286 deletions
--- a/server/routers/client/blockClient.ts
+++ b/server/routers/client/blockClient.ts
@@ -73,7 +73,7 @@ export async function blockClient(
            // Block the client
            await trx
                .update(clients)
-                .set({ blocked: true })
+                .set({ blocked: true, approvalState: "denied" })
                .where(eq(clients.clientId, clientId));

            // Send terminate signal if there's an associated OLM and it's connected
--- a/server/routers/client/listClients.ts
+++ b/server/routers/client/listClients.ts
@@ -139,6 +139,7 @@ function queryClients(
            userEmail: users.email,
            niceId: clients.niceId,
            agent: olms.agent,
+            approvalState: clients.approvalState,
            olmArchived: olms.archived,
            archived: clients.archived,
            blocked: clients.blocked,
--- a/server/routers/client/unblockClient.ts
+++ b/server/routers/client/unblockClient.ts
@@ -71,7 +71,7 @@ export async function unblockClient(
        // Unblock the client
        await db
            .update(clients)
-            .set({ blocked: false })
+            .set({ blocked: false, approvalState: null })
            .where(eq(clients.clientId, clientId));

        return response(res, {
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -586,6 +586,14 @@ authenticated.get(
    verifyUserHasAction(ActionsEnum.listRoles),
    role.listRoles
 );
+
+authenticated.post(
+    "/org/:orgId/role/:roleId",
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.updateRole),
+    logActionAudit(ActionsEnum.updateRole),
+    role.updateRole
+);
 // authenticated.get(
 //     "/role/:roleId",
 //     verifyRoleAccess,
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -467,6 +467,14 @@ authenticated.put(
    role.createRole
 );

+authenticated.post(
+    "/org/:orgId/role/:roleId",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.updateRole),
+    logActionAudit(ActionsEnum.updateRole),
+    role.updateRole
+);
+
 authenticated.get(
    "/org/:orgId/roles",
    verifyApiKeyOrgAccess,
--- a/server/routers/role/createRole.ts
+++ b/server/routers/role/createRole.ts
@@ -10,6 +10,8 @@ import { fromError } from "zod-validation-error";
 import { ActionsEnum } from "@server/auth/actions";
 import { eq, and } from "drizzle-orm";
 import { OpenAPITags, registry } from "@server/openApi";
+import { build } from "@server/build";
+import { isLicensedOrSubscribed } from "@server/lib/isLicencedOrSubscribed";

 const createRoleParamsSchema = z.strictObject({
    orgId: z.string()
@@ -17,7 +19,8 @@ const createRoleParamsSchema = z.strictObject({

 const createRoleSchema = z.strictObject({
    name: z.string().min(1).max(255),
-    description: z.string().optional()
+    description: z.string().optional(),
+    requireDeviceApproval: z.boolean().optional()
 });

 export const defaultRoleAllowedActions: ActionsEnum[] = [
@@ -97,6 +100,11 @@ export async function createRole(
            );
        }

+        const isLicensed = await isLicensedOrSubscribed(orgId);
+        if (build === "oss" || !isLicensed) {
+            roleData.requireDeviceApproval = undefined;
+        }
+
        await db.transaction(async (trx) => {
            const newRole = await trx
                .insert(roles)
--- a/server/routers/role/listRoles.ts
+++ b/server/routers/role/listRoles.ts
@@ -1,15 +1,13 @@
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
-import { db } from "@server/db";
-import { roles, orgs } from "@server/db";
+import { db, orgs, roles } from "@server/db";
 import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import { sql, eq } from "drizzle-orm";
 import logger from "@server/logger";
-import { fromError } from "zod-validation-error";
-import stoi from "@server/lib/stoi";
 import { OpenAPITags, registry } from "@server/openApi";
+import HttpCode from "@server/types/HttpCode";
+import { eq, sql } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";

 const listRolesParamsSchema = z.strictObject({
    orgId: z.string()
@@ -38,7 +36,8 @@ async function queryRoles(orgId: string, limit: number, offset: number) {
            isAdmin: roles.isAdmin,
            name: roles.name,
            description: roles.description,
-            orgName: orgs.name
+            orgName: orgs.name,
+            requireDeviceApproval: roles.requireDeviceApproval
        })
        .from(roles)
        .leftJoin(orgs, eq(roles.orgId, orgs.orgId))
--- a/server/routers/role/updateRole.ts
+++ b/server/routers/role/updateRole.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db } from "@server/db";
+import { db, orgs, type Role } from "@server/db";
 import { roles } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -8,20 +8,28 @@ import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
+import { build } from "@server/build";
+import { isLicensedOrSubscribed } from "@server/lib/isLicencedOrSubscribed";

 const updateRoleParamsSchema = z.strictObject({
+    orgId: z.string(),
    roleId: z.string().transform(Number).pipe(z.int().positive())
 });

 const updateRoleBodySchema = z
    .strictObject({
        name: z.string().min(1).max(255).optional(),
-        description: z.string().optional()
+        description: z.string().optional(),
+        requireDeviceApproval: z.boolean().optional()
    })
    .refine((data) => Object.keys(data).length > 0, {
        error: "At least one field must be provided for update"
    });

+export type UpdateRoleBody = z.infer<typeof updateRoleBodySchema>;
+
+export type UpdateRoleResponse = Role;
+
 export async function updateRole(
    req: Request,
    res: Response,
@@ -48,13 +56,14 @@ export async function updateRole(
            );
        }

-        const { roleId } = parsedParams.data;
+        const { roleId, orgId } = parsedParams.data;
        const updateData = parsedBody.data;

        const role = await db
            .select()
            .from(roles)
            .where(eq(roles.roleId, roleId))
+            .innerJoin(orgs, eq(roles.orgId, orgs.orgId))
            .limit(1);

        if (role.length === 0) {
@@ -66,7 +75,7 @@ export async function updateRole(
            );
        }

-        if (role[0].isAdmin) {
+        if (role[0].roles.isAdmin) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
@@ -75,6 +84,11 @@ export async function updateRole(
            );
        }

+        const isLicensed = await isLicensedOrSubscribed(orgId);
+        if (build === "oss" || !isLicensed) {
+            updateData.requireDeviceApproval = undefined;
+        }
+
        const updatedRole = await db
            .update(roles)
            .set(updateData)