🚧 wip

2026-05-08 09:19:53 +00:00 · 2026-02-26 19:20:15 +01:00
parent 4d803a40c9
commit c5231d37f6
19 changed files with 4177 additions and 116 deletions
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -133,6 +133,7 @@ export enum ActionsEnum {
    listApprovals = "listApprovals",
    updateApprovals = "updateApprovals",
    listResourcePolicies = "listResourcePolicies",
+    getResourcePolicy = "getResourcePolicy",
    createResourcePolicy = "createResourcePolicy",
    updateResourcePolicy = "updateResourcePolicy",
    deleteResourcePolicy = "deleteResourcePolicy",
--- a/server/middlewares/integration/index.ts
+++ b/server/middlewares/integration/index.ts
@@ -14,3 +14,4 @@ export * from "./verifyApiKeyApiKeyAccess";
 export * from "./verifyApiKeyClientAccess";
 export * from "./verifyApiKeySiteResourceAccess";
 export * from "./verifyApiKeyIdpAccess";
+export * from "./verifyApiKeyResourcePolicyAccess";
--- a/server/middlewares/integration/verifyApiKeyResourcePolicyAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyResourcePolicyAccess.ts
@@ -0,0 +1,92 @@
+import { Request, Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { resourcePolicies, apiKeyOrg } from "@server/db";
+import { eq, and } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+
+export async function verifyApiKeyResourcePolicyAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    const apiKey = req.apiKey;
+    const resourcePolicyId =
+        req.params.resourcePolicyId ||
+        req.body.resourcePolicyId ||
+        req.query.resourcePolicyId;
+
+    if (!apiKey) {
+        return next(
+            createHttpError(HttpCode.UNAUTHORIZED, "Key not authenticated")
+        );
+    }
+
+    try {
+        // Retrieve the resource policy
+        const [policy] = await db
+            .select()
+            .from(resourcePolicies)
+            .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId))
+            .limit(1);
+
+        if (!policy) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource policy with ID ${resourcePolicyId} not found`
+                )
+            );
+        }
+
+        if (apiKey.isRoot) {
+            // Root keys can access any resource policy in any org
+            return next();
+        }
+
+        if (!policy.orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    `Resource policy with ID ${resourcePolicyId} does not have an organization ID`
+                )
+            );
+        }
+
+        // Verify that the API key is linked to the resource policy's organization
+        if (!req.apiKeyOrg) {
+            const apiKeyOrgResult = await db
+                .select()
+                .from(apiKeyOrg)
+                .where(
+                    and(
+                        eq(apiKeyOrg.apiKeyId, apiKey.apiKeyId),
+                        eq(apiKeyOrg.orgId, policy.orgId)
+                    )
+                )
+                .limit(1);
+
+            if (apiKeyOrgResult.length > 0) {
+                req.apiKeyOrg = apiKeyOrgResult[0];
+            }
+        }
+
+        if (!req.apiKeyOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Key does not have access to this organization"
+                )
+            );
+        }
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying resource policy access"
+            )
+        );
+    }
+}
--- a/server/private/routers/policy/updateResourcePolicy.ts
+++ b/server/private/routers/policy/updateResourcePolicy.ts
@@ -10,7 +10,6 @@ import {
    resourcePolicies,
    rolePolicies,
    userPolicies,
-    type ResourcePolicy,
    type ResourcePolicy
 } from "@server/db";
 import { and, eq } from "drizzle-orm";
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -3,6 +3,7 @@ import config from "@server/lib/config";
 import * as site from "./site";
 import * as org from "./org";
 import * as resource from "./resource";
+import * as policy from "./policy";
 import * as domain from "./domain";
 import * as target from "./target";
 import * as user from "./user";
@@ -521,6 +522,7 @@ authenticated.get(
    verifyUserHasAction(ActionsEnum.getResource),
    resource.getResource
 );
+
 authenticated.post(
    "/resource/:resourceId",
    verifyResourceAccess,
@@ -627,6 +629,15 @@ authenticated.post(
    logActionAudit(ActionsEnum.updateRole),
    role.updateRole
 );
+
+authenticated.get(
+    "/org/:orgId/resource-policy/:niceId",
+    verifyOrgAccess,
+    verifyResourcePolicyAccess,
+    verifyUserHasAction(ActionsEnum.getResourcePolicy),
+    policy.getResourcePolicy
+);
+
 // authenticated.get(
 //     "/role/:roleId",
 //     verifyRoleAccess,
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -2,6 +2,7 @@ import * as site from "./site";
 import * as org from "./org";
 import * as blueprints from "./blueprints";
 import * as resource from "./resource";
+import * as policy from "./policy";
 import * as domain from "./domain";
 import * as target from "./target";
 import * as user from "./user";
@@ -27,7 +28,8 @@ import {
    verifyApiKeyClientAccess,
    verifyApiKeySiteResourceAccess,
    verifyApiKeySetResourceClients,
-    verifyLimits
+    verifyLimits,
+    verifyApiKeyResourcePolicyAccess
 } from "@server/middlewares";
 import HttpCode from "@server/types/HttpCode";
 import { Router } from "express";
@@ -392,6 +394,13 @@ authenticated.get(
    resource.getResource
 );

+authenticated.get(
+    "/resource-policy/:resourcePolicyId",
+    verifyApiKeyResourcePolicyAccess,
+    verifyApiKeyHasAction(ActionsEnum.getResourcePolicy),
+    policy.getResourcePolicy
+);
+
 authenticated.post(
    "/resource/:resourceId",
    verifyApiKeyResourceAccess,
--- a/server/routers/policy/getResourcePolicy.ts
+++ b/server/routers/policy/getResourcePolicy.ts
@@ -0,0 +1,123 @@
+import { db, resourcePolicies, rolePolicies, userPolicies } from "@server/db";
+import response from "@server/lib/response";
+import logger from "@server/logger";
+import { OpenAPITags, registry } from "@server/openApi";
+import HttpCode from "@server/types/HttpCode";
+import { and, eq, type SQL } from "drizzle-orm";
+import type { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import z from "zod";
+import { fromError } from "zod-validation-error";
+
+const getResourcePolicySchema = z
+    .strictObject({
+        niceId: z.string(),
+        orgId: z.string()
+    })
+    .or(
+        z.strictObject({
+            resourcePolicyId: z.coerce.number<string>().int().positive()
+        })
+    );
+
+async function query(params: z.infer<typeof getResourcePolicySchema>) {
+    const conditions: SQL<unknown>[] = [];
+    if ("resourcePolicyId" in params) {
+        conditions.push(
+            eq(resourcePolicies.resourcePolicyId, params.resourcePolicyId)
+        );
+    } else {
+        conditions.push(
+            eq(resourcePolicies.niceId, params.niceId),
+            eq(resourcePolicies.orgId, params.orgId)
+        );
+    }
+
+    const [res] = await db
+        .select({
+            policy: resourcePolicies,
+            userPolicies,
+            rolePolicies
+        })
+        .from(resourcePolicies)
+        .leftJoin(
+            userPolicies,
+            eq(userPolicies.resourcePolicyId, resourcePolicies.resourcePolicyId)
+        )
+        .leftJoin(
+            rolePolicies,
+            eq(rolePolicies.resourcePolicyId, resourcePolicies.resourcePolicyId)
+        )
+        .where(and(...conditions))
+        .limit(1);
+    return res;
+}
+
+export type GetResourcePolicyResponse = Awaited<ReturnType<typeof query>>;
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/resource-policy/{niceId}",
+    description:
+        "Get a resource policy by orgId and niceId. NiceId is a readable ID for the resource and unique on a per org basis.",
+    tags: [OpenAPITags.Org, OpenAPITags.Policy],
+    request: {
+        params: z.object({
+            orgId: z.string(),
+            niceId: z.string()
+        })
+    },
+    responses: {}
+});
+
+registry.registerPath({
+    method: "get",
+    path: "/resource-policy/{resourcePolicyId}",
+    description: "Get a resource policy by its resourcePolicyId.",
+    tags: [OpenAPITags.Policy],
+    request: {
+        params: z.object({
+            resourcePolicyId: z.number()
+        })
+    },
+    responses: {}
+});
+
+export async function getResourcePolicy(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = getResourcePolicySchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const policy = await query(parsedParams.data);
+
+        if (!policy) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Resource policy not found")
+            );
+        }
+
+        return response<GetResourcePolicyResponse>(res, {
+            data: policy,
+            success: true,
+            error: false,
+            message: "Resource Policy retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
--- a/server/routers/policy/index.ts
+++ b/server/routers/policy/index.ts
@@ -0,0 +1 @@
+export * from "./getResourcePolicy";