Skip to content

Commit 6134e6a

Browse files
MarceloRGoncMarceloRGonc
authored
Add security policy to Engine-Only endpoints (#2082)
Fixes OPS-3866.
1 parent 776dc0f commit 6134e6a

7 files changed

Lines changed: 57 additions & 6 deletions

File tree

packages/server/api/src/app/app-connection/app-connection-worker-controller.ts

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,8 +5,10 @@ import {
55
import {
66
AppConnection,
77
ApplicationError,
8+
ENGINE_ROUTE_POLICY,
89
ErrorCode,
910
isNil,
11+
PrincipalType,
1012
} from '@openops/shared';
1113
import { allowWorkersOnly } from '../authentication/authorization';
1214
import { appConnectionService } from './app-connection-service/app-connection-service';
@@ -45,6 +47,10 @@ export const appConnectionWorkerController: FastifyPluginCallbackTypebox = (
4547
};
4648

4749
const GetAppConnectionRequest = {
50+
config: {
51+
allowedPrincipals: [PrincipalType.ENGINE],
52+
security: ENGINE_ROUTE_POLICY,
53+
},
4854
schema: {
4955
params: Type.Object({
5056
connectionName: Type.String(),

packages/server/api/src/app/core/security/route-policies/route-security-policy.ts

Lines changed: 1 addition & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@ import {
44
PrincipalType,
55
PublicRoutePolicy,
66
RouteAccessType,
7+
UnscopedAuthorizationPolicy,
78
} from '@openops/shared';
89
import { PropertySource } from './property-source';
910

@@ -31,9 +32,4 @@ export type ProjectAuthorizationPolicy = {
3132
permission?: Permission;
3233
};
3334

34-
export type UnscopedAuthorizationPolicy = {
35-
authorizationScope: AuthorizationScope.UNSCOPED;
36-
allowedPrincipals: readonly PrincipalType[];
37-
};
38-
3935
export type RouteSecurityPolicy = AuthenticatedRoutePolicy | PublicRoutePolicy;

packages/server/api/src/app/flags/flag.module.ts

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
import { FastifyPluginAsyncTypebox } from '@fastify/type-provider-typebox';
22
import {
33
ALL_PRINCIPAL_TYPES,
4+
ENGINE_ROUTE_POLICY,
45
FlagId,
56
PrincipalType,
67
PUBLIC_ROUTE_POLICY,
@@ -46,6 +47,7 @@ export const flagController: FastifyPluginAsyncTypebox = async (app) => {
4647
{
4748
config: {
4849
allowedPrincipals: [PrincipalType.ENGINE],
50+
security: ENGINE_ROUTE_POLICY,
4951
},
5052
schema: {
5153
description:

packages/server/api/src/app/project/project-worker-controller.ts

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
import { FastifyPluginAsyncTypebox } from '@fastify/type-provider-typebox';
2-
import { PrincipalType } from '@openops/shared';
2+
import { ENGINE_ROUTE_POLICY, PrincipalType } from '@openops/shared';
33
import { projectService } from './project-service';
44

55
export const projectWorkerController: FastifyPluginAsyncTypebox = async (
@@ -14,5 +14,6 @@ export const projectWorkerController: FastifyPluginAsyncTypebox = async (
1414
const GetWorkerProjectRequest = {
1515
config: {
1616
allowedPrincipals: [PrincipalType.ENGINE],
17+
security: ENGINE_ROUTE_POLICY,
1718
},
1819
};

packages/server/api/src/app/store-entry/store-entry.controller.ts

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@ import {
55
import { MAX_REQUEST_BODY_BYTES } from '@openops/server-shared';
66
import {
77
DeleteStoreEntryRequest,
8+
ENGINE_ROUTE_POLICY,
89
GetStoreEntryRequest,
910
PrincipalType,
1011
PutStoreEntryRequest,
@@ -65,6 +66,10 @@ export const storeEntryController: FastifyPluginAsyncTypebox = async (
6566
};
6667

6768
const CreateRequest = {
69+
config: {
70+
allowedPrincipals: [PrincipalType.ENGINE],
71+
security: ENGINE_ROUTE_POLICY,
72+
},
6873
schema: {
6974
body: PutStoreEntryRequest,
7075
description:
@@ -73,6 +78,10 @@ const CreateRequest = {
7378
};
7479

7580
const GetRequest = {
81+
config: {
82+
allowedPrincipals: [PrincipalType.ENGINE],
83+
security: ENGINE_ROUTE_POLICY,
84+
},
7685
schema: {
7786
querystring: GetStoreEntryRequest,
7887
description:
@@ -81,6 +90,10 @@ const GetRequest = {
8190
};
8291

8392
const DeleteStoreRequest = {
93+
config: {
94+
allowedPrincipals: [PrincipalType.ENGINE],
95+
security: ENGINE_ROUTE_POLICY,
96+
},
8497
schema: {
8598
querystring: DeleteStoreEntryRequest,
8699
description:
@@ -89,6 +102,10 @@ const DeleteStoreRequest = {
89102
};
90103

91104
const ListRequest = {
105+
config: {
106+
allowedPrincipals: [PrincipalType.ENGINE],
107+
security: ENGINE_ROUTE_POLICY,
108+
},
92109
schema: {
93110
querystring: Type.Object({
94111
prefix: Type.String(),

packages/server/api/src/app/workers/engine-controller.ts

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@ import {
1414
import {
1515
ApplicationError,
1616
assertNotNullOrUndefined,
17+
ENGINE_ROUTE_POLICY,
1718
EngineHttpResponse,
1819
EnginePrincipal,
1920
ErrorCode,
@@ -55,6 +56,7 @@ export const flowEngineWorker: FastifyPluginAsyncTypebox = async (app) => {
5556
{
5657
config: {
5758
allowedPrincipals: [PrincipalType.ENGINE],
59+
security: ENGINE_ROUTE_POLICY,
5860
},
5961
schema: {
6062
description:
@@ -76,6 +78,7 @@ export const flowEngineWorker: FastifyPluginAsyncTypebox = async (app) => {
7678
{
7779
config: {
7880
allowedPrincipals: [PrincipalType.ENGINE],
81+
security: ENGINE_ROUTE_POLICY,
7982
},
8083
schema: {
8184
description:
@@ -397,6 +400,7 @@ async function trackExecution(
397400
const GetFileRequestParams = {
398401
config: {
399402
allowedPrincipals: [PrincipalType.ENGINE],
403+
security: ENGINE_ROUTE_POLICY,
400404
},
401405
schema: {
402406
params: Type.Object({
@@ -408,6 +412,7 @@ const GetFileRequestParams = {
408412
const UpdateStepProgress = {
409413
config: {
410414
allowedPrincipals: [PrincipalType.ENGINE],
415+
security: ENGINE_ROUTE_POLICY,
411416
},
412417
schema: {
413418
body: UpdateRunProgressRequest,
@@ -417,6 +422,7 @@ const UpdateStepProgress = {
417422
const SendWebhookResponse = {
418423
config: {
419424
allowedPrincipals: [PrincipalType.ENGINE],
425+
security: ENGINE_ROUTE_POLICY,
420426
},
421427
schema: {
422428
description:
@@ -428,6 +434,7 @@ const SendWebhookResponse = {
428434
const UpdateFailureCount = {
429435
config: {
430436
allowedPrincipals: [PrincipalType.ENGINE],
437+
security: ENGINE_ROUTE_POLICY,
431438
},
432439
schema: {
433440
description:
@@ -439,6 +446,7 @@ const UpdateFailureCount = {
439446
const GetLockedVersionRequest = {
440447
config: {
441448
allowedPrincipals: [PrincipalType.ENGINE],
449+
security: ENGINE_ROUTE_POLICY,
442450
},
443451
schema: {
444452
description:
@@ -453,6 +461,7 @@ const GetLockedVersionRequest = {
453461
const RemoveFlowRequest = {
454462
config: {
455463
allowedPrincipals: [PrincipalType.ENGINE],
464+
security: ENGINE_ROUTE_POLICY,
456465
},
457466
schema: {
458467
description:

packages/shared/src/lib/authentication/model/principal-type.ts

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,10 +25,30 @@ export enum RouteAccessType {
2525
PUBLIC = 'PUBLIC',
2626
}
2727

28+
export type UnscopedAuthorizationPolicy = {
29+
authorizationScope: AuthorizationScope.UNSCOPED;
30+
allowedPrincipals: readonly PrincipalType[];
31+
};
32+
33+
export type UnscopedRoutePolicy = {
34+
routeAccessType: RouteAccessType.AUTHENTICATED;
35+
authorization: UnscopedAuthorizationPolicy;
36+
};
37+
2838
export type PublicRoutePolicy = {
2939
routeAccessType: RouteAccessType.PUBLIC;
3040
};
3141

3242
export const PUBLIC_ROUTE_POLICY: Readonly<PublicRoutePolicy> = Object.freeze({
3343
routeAccessType: RouteAccessType.PUBLIC,
3444
});
45+
46+
export const ENGINE_ROUTE_POLICY: Readonly<UnscopedRoutePolicy> = Object.freeze(
47+
{
48+
routeAccessType: RouteAccessType.AUTHENTICATED,
49+
authorization: {
50+
authorizationScope: AuthorizationScope.UNSCOPED,
51+
allowedPrincipals: [PrincipalType.ENGINE],
52+
} as UnscopedAuthorizationPolicy,
53+
},
54+
);

0 commit comments

Comments
 (0)