Merge branch 'main' into dependabot/update-package-lock

Author: MarceloRGonc

packages/blocks/aws-athena/src/lib/actions/query-athena-action.ts

@@ -3,7 +3,7 @@ import {
   amazonAuth,
   dryRunCheckBox,
   getAwsAccountsSingleSelectDropdown,
-  getCredentialsListFromAuth,
+  getCredentialsForAccount,
   getRegionsDropdownState,
   listAthenaDatabases,
   runAndWaitForQueryResult,
@@ -33,10 +33,9 @@ export const runAthenaQueryAction = createAction({
     database: Property.Dropdown<string>({
       displayName: 'Database',
       description: 'Database that contains the table to query on',
-
-      refreshers: ['auth', 'accounts', 'region'],
+      refreshers: ['auth', 'accounts', 'accounts.accounts', 'region'],
       required: true,
-      options: async ({ auth, accounts, region }) => {
+      options: async ({ auth, accounts, region }: any) => {
         if (!auth) {
           return {
             disabled: true,
@@ -46,24 +45,14 @@ export const runAthenaQueryAction = createAction({
         }
 
         try {
-          const authProp = auth as {
-            accessKeyId: string;
-            secretAccessKey: string;
-            defaultRegion: string;
-          };
-          const selectedAccounts = (
-            accounts as unknown as {
-              accounts?: string[];
-            }
-          )?.accounts;
-          const credentialsList = await getCredentialsListFromAuth(
-            authProp,
-            selectedAccounts,
+          const credentials = await getCredentialsForAccount(
+            auth,
+            accounts?.['accounts'],
           );
 
           const databases = await listAthenaDatabases(
-            credentialsList[0],
-            (region as string | undefined) ?? authProp.defaultRegion,
+            credentials,
+            (region as string | undefined) ?? auth.defaultRegion,
           );
 
           return {
@@ -119,14 +108,13 @@ export const runAthenaQueryAction = createAction({
     }
 
     try {
-      const selectedAccounts = context.propsValue.accounts?.['accounts'];
-      const credentialsList = await getCredentialsListFromAuth(
+      const credentials = await getCredentialsForAccount(
         context.auth,
-        selectedAccounts,
+        context.propsValue.accounts?.['accounts'],
       );
 
       return await runAndWaitForQueryResult(
-        credentialsList[0],
+        credentials,
         context.propsValue.region ?? context.auth.defaultRegion,
         query,
         database,

packages/blocks/aws-athena/test/athena-query-action.test.ts

@@ -1,6 +1,6 @@
 const openopsCommonMock = {
   ...jest.requireActual('@openops/common'),
-  getCredentialsListFromAuth: jest.fn(),
+  getCredentialsForAccount: jest.fn(),
   runAndWaitForQueryResult: jest.fn(),
 };
 
@@ -12,9 +12,9 @@ describe('runAthenaQueryAction tests', () => {
   beforeEach(() => {
     jest.clearAllMocks();
 
-    openopsCommonMock.getCredentialsListFromAuth.mockResolvedValue([
-      { someCreds: 'some creds' },
-    ]);
+    openopsCommonMock.getCredentialsForAccount.mockResolvedValue({
+      someCreds: 'some creds',
+    });
   });
 
   const auth = {
@@ -76,7 +76,7 @@ describe('runAthenaQueryAction tests', () => {
       ...jest.requireActual('@openops/blocks-framework'),
       auth: auth,
       propsValue: {
-        accounts: { accounts: ['some-account-id'] },
+        accounts: { accounts: 'some-account-id' },
         query: 'some query',
         database: 'some database',
         outputBucket: 'some outputBucket',
@@ -87,12 +87,10 @@ describe('runAthenaQueryAction tests', () => {
     const result = (await runAthenaQueryAction.run(context)) as any;
 
     expect(result).toEqual('mockResult');
-    expect(openopsCommonMock.getCredentialsListFromAuth).toHaveBeenCalledTimes(
-      1,
-    );
-    expect(openopsCommonMock.getCredentialsListFromAuth).toHaveBeenCalledWith(
+    expect(openopsCommonMock.getCredentialsForAccount).toHaveBeenCalledTimes(1);
+    expect(openopsCommonMock.getCredentialsForAccount).toHaveBeenCalledWith(
       auth,
-      ['some-account-id'],
+      'some-account-id',
     );
   });
 
@@ -138,7 +136,6 @@ describe('runAthenaQueryAction tests', () => {
       ...jest.requireActual('@openops/blocks-framework'),
       auth: auth,
       propsValue: {
-        accounts: { accounts: ['some-account-id'] },
         region: 'some region',
         query: 'some query',
         database: 'some database',
@@ -158,12 +155,10 @@ describe('runAthenaQueryAction tests', () => {
       'some database',
       'some outputBucket',
     );
-    expect(openopsCommonMock.getCredentialsListFromAuth).toHaveBeenCalledTimes(
-      1,
-    );
-    expect(openopsCommonMock.getCredentialsListFromAuth).toHaveBeenCalledWith(
+    expect(openopsCommonMock.getCredentialsForAccount).toHaveBeenCalledTimes(1);
+    expect(openopsCommonMock.getCredentialsForAccount).toHaveBeenCalledWith(
       auth,
-      ['some-account-id'],
+      undefined,
     );
   });
 

packages/blocks/slack/src/lib/common/utils.ts

@@ -269,7 +269,8 @@ export function dynamicBlockKitProperties(): any {
         const result: any = {
           blocks: Property.Json({
             displayName: 'Block Kit blocks',
-            description: 'See https://api.slack.com/block-kit for specs',
+            description:
+              'See https://api.slack.com/block-kit for specs. Visual preview available at https://app.slack.com/block-kit-builder',
             required: true,
             defaultValue: [
               {

packages/server/api/src/app/app.ts

@@ -114,7 +114,9 @@ export const setupApp = async (
   const openapiRoutePrefix = '/v1/openapi';
   app.addHook('onRoute', (route) => {
     if (route.url.startsWith(openapiRoutePrefix)) {
-      route.config ??= {};
+      route.config ??= {
+        security: PUBLIC_ROUTE_POLICY,
+      };
       route.config.skipAuth = true;
       route.config.security = PUBLIC_ROUTE_POLICY;
     }

packages/server/api/src/app/core/security/authorization-guards/authorization-guards-factory.ts

@@ -0,0 +1,6 @@
+import { AuthorizationGuards } from './authorization-guards';
+import { noopAuthorizationGuards } from './noop-authorization-guards';
+
+export function getAuthorizationGuards(): AuthorizationGuards {
+  return noopAuthorizationGuards;
+}

packages/server/api/src/app/core/security/authorization-guards/authorization-guards.ts

@@ -0,0 +1,24 @@
+import {
+  CreateStepRunRequestBody,
+  Principal,
+  TestFlowRunRequestBody,
+} from '@openops/shared';
+import { FastifyRequest } from 'fastify';
+
+export type AuthorizationGuards = {
+  enforceTestStepAuthorizationFromRequest(
+    request: FastifyRequest,
+  ): Promise<void>;
+
+  enforceTestStepAuthorization(
+    data: CreateStepRunRequestBody,
+    principal: Principal,
+  ): Promise<void>;
+
+  enforceTestRunAuthorization(
+    data: TestFlowRunRequestBody,
+    principal: Principal,
+  ): Promise<void>;
+
+  enforceWorkflowStatusAuthorization(request: FastifyRequest): Promise<void>;
+};

packages/server/api/src/app/core/security/authorization-guards/noop-authorization-guards.ts

@@ -0,0 +1,33 @@
+import {
+  CreateStepRunRequestBody,
+  Principal,
+  TestFlowRunRequestBody,
+} from '@openops/shared';
+import { FastifyRequest } from 'fastify';
+import { AuthorizationGuards } from './authorization-guards';
+
+export const noopAuthorizationGuards: AuthorizationGuards = {
+  enforceTestRunAuthorization(
+    _data: TestFlowRunRequestBody,
+    _principal: Principal,
+  ): Promise<void> {
+    return Promise.resolve();
+  },
+
+  enforceTestStepAuthorization(
+    _data: CreateStepRunRequestBody,
+    _principal: Principal,
+  ): Promise<void> {
+    return Promise.resolve();
+  },
+
+  enforceTestStepAuthorizationFromRequest(
+    _request: FastifyRequest,
+  ): Promise<void> {
+    return Promise.resolve();
+  },
+
+  enforceWorkflowStatusAuthorization(_request: FastifyRequest): Promise<void> {
+    return Promise.resolve();
+  },
+};

packages/server/api/src/app/flows/flow.module.ts

@@ -1,14 +1,18 @@
 import { FastifyPluginAsyncTypebox } from '@fastify/type-provider-typebox';
 import { logger } from '@openops/server-shared';
 import {
+  ApplicationError,
   CreateStepRunRequestBody,
+  ErrorCode,
   FlowRunStatus,
   StepRunResponse,
   TestFlowRunRequestBody,
   WebsocketClientEvent,
   WebsocketServerEvent,
   flowHelper,
 } from '@openops/shared';
+import { Socket } from 'socket.io';
+import { getAuthorizationGuards } from '../core/security/authorization-guards/authorization-guards-factory';
 import { sendStepFailureEvent } from '../telemetry/event-models/step';
 import {
   sendWorkflowTestFailureEvent,
@@ -39,6 +43,11 @@ export const flowModule: FastifyPluginAsyncTypebox = async (app) => {
       try {
         principal = await getPrincipalFromWebsocket(socket);
 
+        await getAuthorizationGuards().enforceTestRunAuthorization(
+          data,
+          principal,
+        );
+
         flowRun = await flowRunService.test({
           projectId: principal.projectId,
           flowVersionId: data.flowVersionId,
@@ -63,6 +72,11 @@ export const flowModule: FastifyPluginAsyncTypebox = async (app) => {
         );
         socket.emit(WebsocketClientEvent.TEST_FLOW_RUN_STARTED, flowRun);
       } catch (err) {
+        if (isAuthorizationError(err)) {
+          sendAuthorizationError(socket, err);
+          return;
+        }
+
         sendWorkflowTestFailureEvent({
           userId: principal?.id ?? '',
           projectId: principal?.projectId ?? '',
@@ -90,6 +104,11 @@ export const flowModule: FastifyPluginAsyncTypebox = async (app) => {
       try {
         principal = await getPrincipalFromWebsocket(socket);
 
+        await getAuthorizationGuards().enforceTestStepAuthorization(
+          data,
+          principal,
+        );
+
         logger.debug({ data }, '[Socket#testStepRun]');
         const stepRun = await stepRunService.create({
           userId: principal.id,
@@ -105,6 +124,11 @@ export const flowModule: FastifyPluginAsyncTypebox = async (app) => {
         };
         socket.emit(WebsocketClientEvent.TEST_STEP_FINISHED, response);
       } catch (err) {
+        if (isAuthorizationError(err)) {
+          sendAuthorizationError(socket, err);
+          return;
+        }
+
         let step;
         try {
           const flowVersion = await flowVersionService.getOneOrThrow(
@@ -139,3 +163,20 @@ export const flowModule: FastifyPluginAsyncTypebox = async (app) => {
     };
   });
 };
+
+function isAuthorizationError(error: unknown): boolean {
+  logger.debug('isAuthorizationError', error);
+  return (
+    error instanceof ApplicationError &&
+    error.error.code === ErrorCode.AUTHORIZATION
+  );
+}
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function sendAuthorizationError(socket: Socket, error: any): void {
+  socket.emit('error', {
+    success: false,
+    code: error.error.code,
+    output: error.error.params.message,
+  });
+}

packages/server/api/src/app/flows/flow/flow.controller.ts

@@ -32,6 +32,7 @@ import {
 } from '@openops/shared';
 import { StatusCodes } from 'http-status-codes';
 import { entitiesMustBeOwnedByCurrentProject } from '../../authentication/authorization';
+import { getAuthorizationGuards } from '../../core/security/authorization-guards/authorization-guards-factory';
 import { getProjectScopedRoutePolicy } from '../../core/security/route-policies/route-security-policy-factory';
 import { projectService } from '../../project/project-service';
 import { sendWorkflowCreatedFromTemplateEvent } from '../../telemetry/event-models';
@@ -288,9 +289,10 @@ const UpdateFlowRequestOptions = {
   config: {
     security: getProjectScopedRoutePolicy({
       allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
-      permission: Permission.UPDATE_FLOW_STATUS,
+      permission: Permission.WRITE_FLOW,
     }),
   },
+  preHandler: getAuthorizationGuards().enforceWorkflowStatusAuthorization,
   schema: {
     tags: ['flows'],
     description:

packages/server/api/src/app/flows/trigger-events/trigger-event.module.ts

@@ -5,6 +5,7 @@ import {
   PrincipalType,
   TestPollingTriggerRequest,
 } from '@openops/shared';
+import { getAuthorizationGuards } from '../../core/security/authorization-guards/authorization-guards-factory';
 import { getProjectScopedRoutePolicy } from '../../core/security/route-policies/route-security-policy-factory';
 import { systemJobsSchedule } from '../../helper/system-jobs';
 import { SystemJobName } from '../../helper/system-jobs/common';
@@ -44,6 +45,8 @@ const triggerEventController: FastifyPluginAsyncTypebox = async (fastify) => {
           permission: Permission.READ_FLOW,
         }),
       },
+      preHandler:
+        getAuthorizationGuards().enforceTestStepAuthorizationFromRequest,
       schema: {
         querystring: TestPollingTriggerRequest,
       },