Support organization source and unscoped requests (#2079)

Part of OPS-3862.

Author: MarceloRGonc

packages/server/api/src/app/core/security/route-policies/project-id-source-factory.ts

@@ -0,0 +1,39 @@
+import { PropertyLocation, PropertySource } from './property-source';
+
+const DEFAULT_PROJECT_KEY = 'projectId';
+const DEFAULT_ORGANIZATION_KEY = 'organizationId';
+
+type PropertyHelpers = {
+  fromParams: (key?: string) => PropertySource;
+  fromQuery: (key?: string) => PropertySource;
+  fromBody: (key?: string) => PropertySource;
+};
+
+function createPropertySource(
+  location: PropertyLocation,
+  defaultKey: string,
+  key?: string,
+): PropertySource {
+  return {
+    location,
+    key: key ?? defaultKey,
+  };
+}
+
+function createPropertyHelpers(defaultKey: string): PropertyHelpers {
+  return {
+    fromParams: (key?: string): PropertySource =>
+      createPropertySource(PropertyLocation.PARAMS, defaultKey, key),
+
+    fromQuery: (key?: string): PropertySource =>
+      createPropertySource(PropertyLocation.QUERY, defaultKey, key),
+
+    fromBody: (key?: string): PropertySource =>
+      createPropertySource(PropertyLocation.BODY, defaultKey, key),
+  };
+}
+
+export const projectIdResolver = createPropertyHelpers(DEFAULT_PROJECT_KEY);
+export const organizationIdResolver = createPropertyHelpers(
+  DEFAULT_ORGANIZATION_KEY,
+);

packages/server/api/src/app/core/security/route-policies/project-id-source.ts

@@ -0,0 +1,32 @@
+export enum PropertyLocation {
+  PARAMS = 'PARAMS',
+  TOKEN = 'TOKEN',
+  QUERY = 'QUERY',
+  BODY = 'BODY',
+}
+
+type BasePropertySource = {
+  key: string;
+};
+
+export type ParamsPropertySource = BasePropertySource & {
+  location: PropertyLocation.PARAMS;
+};
+
+export type TokenPropertySource = {
+  location: PropertyLocation.TOKEN;
+};
+
+export type QueryPropertySource = BasePropertySource & {
+  location: PropertyLocation.QUERY;
+};
+
+export type BodyPropertySource = BasePropertySource & {
+  location: PropertyLocation.BODY;
+};
+
+export type PropertySource =
+  | TokenPropertySource
+  | QueryPropertySource
+  | BodyPropertySource
+  | ParamsPropertySource;

packages/server/api/src/app/core/security/route-policies/property-source-factory.ts

@@ -4,32 +4,40 @@ import {
   PrincipalType,
   RouteAccessType,
 } from '@openops/shared';
-import { ProjectIdLocation, ProjectIdSource } from './project-id-source';
+import { PropertyLocation, PropertySource } from './property-source';
 import { AuthenticatedRoutePolicy } from './route-security-policy';
 
-const defaultProjectIdSource: ProjectIdSource = {
-  location: ProjectIdLocation.TOKEN,
+const defaultSource: PropertySource = {
+  location: PropertyLocation.TOKEN,
 };
 
-export function getOrganizationScopedRoutePolicy(
-  allowedPrincipals: readonly PrincipalType[],
-): AuthenticatedRoutePolicy {
+export function getOrganizationScopedRoutePolicy({
+  organizationIdSource = defaultSource,
+  allowedPrincipals,
+  permission,
+}: {
+  allowedPrincipals: readonly PrincipalType[];
+  organizationIdSource?: PropertySource;
+  permission?: Permission;
+}): AuthenticatedRoutePolicy {
   return {
     routeAccessType: RouteAccessType.AUTHENTICATED,
     authorization: {
       authorizationScope: AuthorizationScope.ORGANIZATION,
+      organizationIdSource,
       allowedPrincipals,
+      permission,
     },
   };
 }
 
 export function getProjectScopedRoutePolicy({
-  projectIdSource = defaultProjectIdSource,
+  projectIdSource = defaultSource,
   allowedPrincipals,
   permission,
 }: {
   allowedPrincipals: readonly PrincipalType[];
-  projectIdSource?: ProjectIdSource;
+  projectIdSource?: PropertySource;
   permission?: Permission;
 }): AuthenticatedRoutePolicy {
   return {
@@ -42,3 +50,15 @@ export function getProjectScopedRoutePolicy({
     },
   };
 }
+
+export function getUnscopedRoutePolicy(
+  allowedPrincipals: PrincipalType[],
+): AuthenticatedRoutePolicy {
+  return {
+    routeAccessType: RouteAccessType.AUTHENTICATED,
+    authorization: {
+      authorizationScope: AuthorizationScope.UNSCOPED,
+      allowedPrincipals,
+    },
+  };
+}

packages/server/api/src/app/core/security/route-policies/property-source.ts

@@ -5,11 +5,12 @@ import {
   PublicRoutePolicy,
   RouteAccessType,
 } from '@openops/shared';
-import { ProjectIdSource } from './project-id-source';
+import { PropertySource } from './property-source';
 
 type AuthorizationPolicy =
   | OrganizationAuthorizationPolicy
-  | ProjectAuthorizationPolicy;
+  | ProjectAuthorizationPolicy
+  | UnscopedAuthorizationPolicy;
 
 export type AuthenticatedRoutePolicy = {
   routeAccessType: RouteAccessType.AUTHENTICATED;
@@ -19,14 +20,20 @@ export type AuthenticatedRoutePolicy = {
 export type OrganizationAuthorizationPolicy = {
   authorizationScope: AuthorizationScope.ORGANIZATION;
   allowedPrincipals: readonly PrincipalType[];
+  organizationIdSource: PropertySource;
   permission?: Permission;
 };
 
 export type ProjectAuthorizationPolicy = {
   authorizationScope: AuthorizationScope.PROJECT;
   allowedPrincipals: readonly PrincipalType[];
-  projectIdSource: ProjectIdSource;
+  projectIdSource: PropertySource;
   permission?: Permission;
 };
 
+export type UnscopedAuthorizationPolicy = {
+  authorizationScope: AuthorizationScope.UNSCOPED;
+  allowedPrincipals: readonly PrincipalType[];
+};
+
 export type RouteSecurityPolicy = AuthenticatedRoutePolicy | PublicRoutePolicy;

packages/server/api/src/app/core/security/route-policies/route-security-policy-factory.ts

@@ -17,6 +17,7 @@ export const SERVICE_KEY_SECURITY_OPENAPI = {
 export enum AuthorizationScope {
   ORGANIZATION = 'ORGANIZATION',
   PROJECT = 'PROJECT',
+  UNSCOPED = 'UNSCOPED',
 }
 
 export enum RouteAccessType {