Merge branch 'main' into mg/OPS-3194

MarceloRGonc · web-flow · commit 81df4de01397 · 2025-12-04T14:44:25.000Z
diff --git a/packages/react-ui/src/app/features/templates/components/public-flow-template-filter-sidebar-wrapper.tsx b/packages/react-ui/src/app/features/templates/components/public-flow-template-filter-sidebar-wrapper.tsx
@@ -20,6 +20,7 @@ export type FlowTemplateFilterSidebarProps = {
   setSelectedServices: (services: string[]) => void;
   selectedCategories: string[];
   setSelectedCategories: (categories: string[]) => void;
+  newDomains?: string[];
 };
 
 export const FlowTemplateFilterSidebarSkeletonLoader: React.FC<{
@@ -53,6 +54,7 @@ const PublicFlowTemplateFilterSidebarWrapper = ({
   setSelectedCategories,
   setSelectedBlocks,
   showDomains = true,
+  newDomains = [],
 }: FlowTemplateFilterSidebarProps & { showDomains?: boolean }) => {
   const useCloudTemplates = flagsHooks.useShouldFetchCloudTemplates();
 
@@ -175,6 +177,7 @@ const PublicFlowTemplateFilterSidebarWrapper = ({
       selectedCategories={selectedCategories}
       categoryLogos={categoryLogos}
       showDomains={showDomains}
+      newDomains={newDomains}
     />
   );
 };
diff --git a/packages/react-ui/src/app/features/templates/components/select-flow-template-dialog-content.tsx b/packages/react-ui/src/app/features/templates/components/select-flow-template-dialog-content.tsx
@@ -150,6 +150,7 @@ const SelectFlowTemplateDialogContent = ({
             selectedCategories={selectedCategories}
             setSelectedCategories={setSelectedCategories}
             showDomains={isFullCatalog}
+            newDomains={['Policy & Governance']}
           />
         ) : (
           <PrivateFlowTemplateFilterSidebarWrapper />
diff --git a/packages/server/api/src/app/ai/mcp/openops-tools.ts b/packages/server/api/src/app/ai/mcp/openops-tools.ts
@@ -11,6 +11,7 @@ import fs from 'fs/promises';
 import { OpenAPI } from 'openapi-types';
 import os from 'os';
 import path from 'path';
+import { accessTokenManager } from '../../authentication/context/access-token-manager';
 import { MCPTool } from './types';
 
 const INCLUDED_PATHS: Record<string, string[]> = {
@@ -68,7 +69,7 @@ async function getOpenApiSchemaPath(app: FastifyInstance): Promise<string> {
 
 export async function getOpenOpsTools(
   app: FastifyInstance,
-  authToken: string,
+  userAuthToken: string,
 ): Promise<MCPTool> {
   const basePath = system.getOrThrow<string>(
     AppSystemProp.OPENOPS_MCP_SERVER_PATH,
@@ -79,13 +80,17 @@ export async function getOpenOpsTools(
 
   const tempSchemaPath = await getOpenApiSchemaPath(app);
 
+  const serviceToken = await accessTokenManager.generateServiceToken(
+    userAuthToken,
+  );
+
   const openopsClient = await experimental_createMCPClient({
     transport: new Experimental_StdioMCPTransport({
       command: pythonPath,
       args: [serverPath],
       env: {
         OPENAPI_SCHEMA_PATH: tempSchemaPath,
-        AUTH_TOKEN: authToken,
+        AUTH_TOKEN: serviceToken,
         API_BASE_URL: networkUtls.getInternalApiUrl(),
         OPENOPS_MCP_SERVER_PATH: basePath,
         LOGZIO_TOKEN: system.get<string>(SharedSystemProp.LOGZIO_TOKEN) ?? '',
diff --git a/packages/server/api/src/app/app-connection/app-connection.controller.ts b/packages/server/api/src/app/app-connection/app-connection.controller.ts
@@ -171,7 +171,7 @@ const UpsertAppConnectionRequest = {
 
 const PatchAppConnectionRequest = {
   config: {
-    allowedPrincipals: [PrincipalType.USER],
+    allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
     permission: Permission.WRITE_APP_CONNECTION,
   },
   schema: {
@@ -226,7 +226,7 @@ const DeleteAppConnectionRequest = {
 
 const GetAppConnectionRequest = {
   config: {
-    allowedPrincipals: [PrincipalType.USER],
+    allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
     permission: Permission.READ_APP_CONNECTION,
   },
   schema: {
@@ -253,7 +253,7 @@ const GetAppConnectionRequest = {
 
 const GetConnectionMetadataRequest = {
   config: {
-    allowedPrincipals: [PrincipalType.USER],
+    allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
     permission: Permission.READ_APP_CONNECTION,
   },
   schema: {
diff --git a/packages/server/api/src/app/authentication/context/access-token-manager.ts b/packages/server/api/src/app/authentication/context/access-token-manager.ts
@@ -81,6 +81,32 @@ export const accessTokenManager = {
     });
   },
 
+  async generateServiceToken(
+    userToken: string,
+    expiresInSeconds: number = openOpsRefreshTokenLifetimeSeconds,
+  ): Promise<string> {
+    const principal = await this.extractPrincipal(userToken);
+    if (principal.type !== PrincipalType.USER) {
+      throw new ApplicationError({
+        code: ErrorCode.INVALID_BEARER_TOKEN,
+        params: {
+          message: 'Service token can only be generated from a user token',
+        },
+      });
+    }
+
+    const secret = await jwtUtils.getJwtSecret();
+
+    return jwtUtils.sign({
+      payload: {
+        ...principal,
+        type: PrincipalType.SERVICE,
+      },
+      key: secret,
+      expiresInSeconds,
+    });
+  },
+
   async extractPrincipal(token: string): Promise<Principal> {
     const secret = await jwtUtils.getJwtSecret();
 
diff --git a/packages/server/api/src/app/blocks/base-block-module.ts b/packages/server/api/src/app/blocks/base-block-module.ts
@@ -230,6 +230,9 @@ const ListCategoriesRequest = {
 };
 
 const OptionsBlockRequest = {
+  config: {
+    allowedPrincipals: ALL_PRINCIPAL_TYPES,
+  },
   schema: {
     operationId: 'Execute Block Properties',
     description:
diff --git a/packages/server/api/src/app/file/file.controller.ts b/packages/server/api/src/app/file/file.controller.ts
@@ -19,7 +19,7 @@ export const fileController: FastifyPluginAsyncTypebox = async (app) => {
 
 const GetFileRequest = {
   config: {
-    allowedPrincipals: [PrincipalType.USER],
+    allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
   },
   schema: {
     operationId: 'Get File',
diff --git a/packages/server/api/src/app/flows/flow-run/flow-run-controller.ts b/packages/server/api/src/app/flows/flow-run/flow-run-controller.ts
@@ -190,6 +190,7 @@ const ResumeFlowRunRequest = {
 
 const RetryFlowRequest = {
   config: {
+    allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
     permission: Permission.RETRY_RUN,
   },
   schema: {
diff --git a/packages/server/api/src/app/flows/flow/flow.controller.ts b/packages/server/api/src/app/flows/flow/flow.controller.ts
@@ -381,6 +381,9 @@ const ListFlowsRequestOptions = {
 };
 
 const CountFlowsRequestOptions = {
+  config: {
+    allowedPrincipals: [PrincipalType.SERVICE, PrincipalType.USER],
+  },
   schema: {
     operationId: 'Get Flow Count',
     description:
diff --git a/packages/server/api/src/app/helper/allow-all-origins-hook-handler.ts b/packages/server/api/src/app/helper/allow-all-origins-hook-handler.ts
@@ -15,7 +15,7 @@ export const allowAllOriginsHookHandler: onRequestHookHandler = (
 
   void reply.header(
     'Access-Control-Allow-Headers',
-    'Content-Type,Ops-Origin,Authorization',
+    'Content-Type,Ops-Origin,Authorization,Ops-Cloud-Token',
   );
 
   void reply.header('Access-Control-Allow-Credentials', 'true');
diff --git a/packages/server/api/src/app/user-info/cloud-auth.ts b/packages/server/api/src/app/user-info/cloud-auth.ts
@@ -4,11 +4,19 @@ import jwt, { JwtPayload } from 'jsonwebtoken';
 const CLOUD_TOKEN_COOKIE_NAME = 'cloud-token';
 
 const getCloudToken = (request: FastifyRequest): string | undefined => {
-  let token = request.headers.authorization?.replace('Bearer ', '');
-  if (!token) {
-    token = request.cookies[CLOUD_TOKEN_COOKIE_NAME];
+  const authorizationHeader = request.headers.authorization;
+  const cookieToken = request.cookies[CLOUD_TOKEN_COOKIE_NAME];
+  const headerToken = request.headers['ops-cloud-token'] as string | undefined;
+
+  if (authorizationHeader) {
+    return authorizationHeader.replace('Bearer ', '');
   }
-  return token;
+
+  if (cookieToken) {
+    return cookieToken;
+  }
+
+  return headerToken;
 };
 
 export function getVerifiedUser(
diff --git a/packages/server/api/test/integration/cloud/cloud/cloud-auth.test.ts b/packages/server/api/test/integration/cloud/cloud/cloud-auth.test.ts
@@ -85,6 +85,22 @@ describe('getVerifiedUser', () => {
     expect(result).toEqual(payload);
   });
 
+  it('should verify token from header when Authorization header and cookie are missing', () => {
+    const payload = { sub: 'abc' };
+    (jwt.verify as jest.Mock).mockReturnValue(payload);
+    const mockRequest = createMockRequest({
+      headers: { 'ops-cloud-token': 'cookie-header-token' },
+      cookies: {},
+    });
+
+    const result = getVerifiedUser(mockRequest, publicKey);
+
+    expect(jwt.verify).toHaveBeenCalledWith('cookie-header-token', publicKey, {
+      algorithms: ['RS256'],
+    });
+    expect(result).toEqual(payload);
+  });
+
   it('should return undefined when verification fails (throws)', () => {
     (jwt.verify as jest.Mock).mockImplementation(() => {
       throw new Error('invalid');
diff --git a/packages/server/api/test/unit/ai/openops-tools.test.ts b/packages/server/api/test/unit/ai/openops-tools.test.ts
@@ -16,6 +16,7 @@ const mockTools = {
 const systemMock = {
   get: jest.fn(),
   getOrThrow: jest.fn(),
+  getNumber: jest.fn(),
 };
 
 const loggerMock = {
@@ -27,8 +28,17 @@ const networkUtlsMock = {
   getInternalApiUrl: jest.fn(),
 };
 
-const createMcpClientMock = jest.fn();
+const generateServiceTokenMock = jest.fn();
+jest.mock(
+  '../../../src/app/authentication/context/access-token-manager',
+  () => ({
+    accessTokenManager: {
+      generateServiceToken: generateServiceTokenMock,
+    },
+  }),
+);
 
+const createMcpClientMock = jest.fn();
 jest.mock('ai', () => ({
   experimental_createMCPClient: createMcpClientMock,
 }));
@@ -214,6 +224,7 @@ describe('getOpenOpsTools', () => {
       tools: jest.fn().mockResolvedValue(mockTools),
     };
     createMcpClientMock.mockResolvedValue(mockClient);
+    generateServiceTokenMock.mockResolvedValue('auth-service-token');
 
     const result = await getOpenOpsTools(mockApp, 'test-auth-token');
 
@@ -229,7 +240,7 @@ describe('getOpenOpsTools', () => {
           args: [`${mockBasePath}/main.py`],
           env: expect.objectContaining({
             OPENAPI_SCHEMA_PATH: expect.any(String),
-            AUTH_TOKEN: 'test-auth-token',
+            AUTH_TOKEN: 'auth-service-token',
             API_BASE_URL: mockApiBaseUrl,
             OPENOPS_MCP_SERVER_PATH: mockBasePath,
             LOGZIO_TOKEN: 'test-logzio-token',
diff --git a/packages/ui-components/src/components/flow-template/flow-template-filter-sidebar.tsx b/packages/ui-components/src/components/flow-template/flow-template-filter-sidebar.tsx
@@ -2,6 +2,7 @@ import { BlockMetadataModelSummary } from '@openops/blocks-framework';
 import { t } from 'i18next';
 import { ChevronRight, Layers, LucideIcon } from 'lucide-react';
 import { cn } from '../../lib/cn';
+import { Badge } from '../../ui/badge';
 import {
   Collapsible,
   CollapsibleContent,
@@ -21,6 +22,7 @@ type FlowTemplateFilterItemProps = {
   isActive: boolean;
   logoUrl?: string;
   Icon?: LucideIcon;
+  isNew?: boolean;
 };
 
 const FlowTemplateFilterItem = ({
@@ -30,12 +32,13 @@ const FlowTemplateFilterItem = ({
   onClick,
   logoUrl,
   Icon,
+  isNew = false,
 }: FlowTemplateFilterItemProps) => (
   <div
     aria-selected={isActive}
     role="option"
     className={cn(
-      'w-full px-3 py-[10px] justify-start gap-2.5 inline-flex items-center overflow-hidden cursor-pointer hover:bg-muted',
+      'w-full px-3 py-[10px] justify-start gap-2.5 inline-flex items-center overflow-hidden cursor-pointer hover:bg-muted relative',
       {
         'bg-muted': isActive,
       },
@@ -52,6 +55,14 @@ const FlowTemplateFilterItem = ({
         text={displayName}
         className="w-full font-normal text-slate-600 dark:text-primary text-base leading-snug truncate select-none"
       />
+      {isNew && (
+        <Badge
+          variant="secondary"
+          className="-mx-2.5 text-[10px] font-medium px-0.5"
+        >
+          {t('New')}
+        </Badge>
+      )}
     </TooltipProvider>
   </div>
 );
@@ -94,6 +105,7 @@ type FlowTemplateFilterSidebarProps = {
   onCategoryFilterClick: (category: string) => void;
   clearFilters: () => void;
   categoryLogos?: Record<string, string>;
+  newDomains?: string[];
 };
 
 const FlowTemplateFilterSidebar = ({
@@ -111,6 +123,7 @@ const FlowTemplateFilterSidebar = ({
   onCategoryFilterClick,
   clearFilters,
   categoryLogos,
+  newDomains = [],
 }: FlowTemplateFilterSidebarProps & { showDomains?: boolean }) => {
   return (
     <div className="rounded-2xl flex-col justify-start items-start inline-flex h-full w-full px-4 pt-[25px] pb-8 bg-background">
@@ -183,6 +196,7 @@ const FlowTemplateFilterSidebar = ({
                   onClick={onDomainFilterClick}
                   isActive={selectedDomains.includes(domain)}
                   Icon={DOMAIN_ICON_SUGGESTIONS[domain] ?? Layers}
+                  isNew={newDomains.includes(domain)}
                 />
               ))}
             </div>
