Add security policy for general endpoints (#2100)

Fixes OPS-3886.

Author: MarceloRGonc

packages/server/api/src/app/flows/flow/flow-version.controller.ts

@@ -129,6 +129,10 @@ export const flowVersionController: FastifyPluginAsyncTypebox = async (
     {
       config: {
         allowedPrincipals: [PrincipalType.USER],
+        security: getProjectScopedRoutePolicy({
+          allowedPrincipals: [PrincipalType.USER],
+          permission: Permission.TEST_STEP_FLOW,
+        }),
       },
       schema: {
         description:
@@ -172,6 +176,10 @@ export const flowVersionController: FastifyPluginAsyncTypebox = async (
     {
       config: {
         allowedPrincipals: [PrincipalType.USER],
+        security: getProjectScopedRoutePolicy({
+          allowedPrincipals: [PrincipalType.USER],
+          permission: Permission.TEST_STEP_FLOW,
+        }),
       },
       schema: {
         description:

packages/server/api/src/app/flows/flow/form/form.controller.ts

@@ -5,8 +5,10 @@ import {
 import {
   ALL_PRINCIPAL_TYPES,
   OpenOpsId,
+  Permission,
   USE_DRAFT_QUERY_PARAM_NAME,
 } from '@openops/shared';
+import { getProjectScopedRoutePolicy } from '../../../core/security/route-policies/route-security-policy-factory';
 import { formService } from './form.service';
 
 export const formController: FastifyPluginAsyncTypebox = async (app) => {
@@ -21,6 +23,10 @@ export const formController: FastifyPluginAsyncTypebox = async (app) => {
 const GetFormRequest = {
   config: {
     allowedPrincipals: ALL_PRINCIPAL_TYPES,
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: ALL_PRINCIPAL_TYPES,
+      permission: Permission.READ_FLOW,
+    }),
   },
   schema: {
     description:

packages/server/api/src/app/flows/folder/folder.module.ts

@@ -11,6 +11,7 @@ import {
 import { Type } from '@sinclair/typebox';
 import { StatusCodes } from 'http-status-codes';
 import { entitiesMustBeOwnedByCurrentProject } from '../../authentication/authorization';
+import { getProjectScopedRoutePolicy } from '../../core/security/route-policies/route-security-policy-factory';
 import { flowFolderService as folderService } from './folder.service';
 
 export const folderModule: FastifyPluginAsyncTypebox = async (app) => {
@@ -19,6 +20,7 @@ export const folderModule: FastifyPluginAsyncTypebox = async (app) => {
 
 const folderController: FastifyPluginAsyncTypebox = async (fastify) => {
   fastify.addHook('preSerialization', entitiesMustBeOwnedByCurrentProject);
+
   fastify.post('/', CreateFolderParams, async (request) => {
     const createdFolder = await folderService.create({
       projectId: request.principal.projectId,
@@ -67,7 +69,10 @@ const folderController: FastifyPluginAsyncTypebox = async (fastify) => {
 const CreateFolderParams = {
   config: {
     allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
-    permission: Permission.WRITE_FLOW,
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+      permission: Permission.WRITE_FOLDER,
+    }),
   },
   schema: {
     tags: ['folders'],
@@ -81,7 +86,10 @@ const CreateFolderParams = {
 const UpdateFolderParams = {
   config: {
     allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
-    permission: Permission.WRITE_FLOW,
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+      permission: Permission.WRITE_FOLDER,
+    }),
   },
   schema: {
     tags: ['folders'],
@@ -98,7 +106,10 @@ const UpdateFolderParams = {
 const GetFolderParams = {
   config: {
     allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
-    permission: Permission.READ_FLOW,
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+      permission: Permission.READ_FOLDER,
+    }),
   },
   schema: {
     tags: ['folders'],
@@ -114,7 +125,10 @@ const GetFolderParams = {
 const ListFoldersFlowsParams = {
   config: {
     allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
-    permission: Permission.READ_FLOW,
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+      permission: Permission.READ_FLOW,
+    }),
   },
   schema: {
     tags: ['folders'],
@@ -128,7 +142,10 @@ const ListFoldersFlowsParams = {
 const DeleteFolderParams = {
   config: {
     allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
-    permission: Permission.WRITE_FLOW,
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
+      permission: Permission.DELETE_FOLDER,
+    }),
   },
   schema: {
     params: DeleteFolderRequest,

packages/server/api/src/app/flows/trigger-events/trigger-event.module.ts

@@ -1,8 +1,11 @@
 import { FastifyPluginAsyncTypebox } from '@fastify/type-provider-typebox';
 import {
   ListTriggerEventsRequest,
+  Permission,
+  PrincipalType,
   TestPollingTriggerRequest,
 } from '@openops/shared';
+import { getProjectScopedRoutePolicy } from '../../core/security/route-policies/route-security-policy-factory';
 import { systemJobsSchedule } from '../../helper/system-jobs';
 import { SystemJobName } from '../../helper/system-jobs/common';
 import { systemJobHandlers } from '../../helper/system-jobs/job-handlers';
@@ -35,6 +38,12 @@ const triggerEventController: FastifyPluginAsyncTypebox = async (fastify) => {
   fastify.get(
     '/poll',
     {
+      config: {
+        security: getProjectScopedRoutePolicy({
+          allowedPrincipals: [PrincipalType.USER],
+          permission: Permission.READ_FLOW,
+        }),
+      },
       schema: {
         querystring: TestPollingTriggerRequest,
       },
@@ -55,6 +64,12 @@ const triggerEventController: FastifyPluginAsyncTypebox = async (fastify) => {
   fastify.post(
     '/',
     {
+      config: {
+        security: getProjectScopedRoutePolicy({
+          allowedPrincipals: [PrincipalType.USER],
+          permission: Permission.WRITE_FLOW,
+        }),
+      },
       schema: {
         querystring: TestPollingTriggerRequest,
       },
@@ -72,6 +87,12 @@ const triggerEventController: FastifyPluginAsyncTypebox = async (fastify) => {
   fastify.get(
     '/',
     {
+      config: {
+        security: getProjectScopedRoutePolicy({
+          allowedPrincipals: [PrincipalType.USER],
+          permission: Permission.READ_FLOW,
+        }),
+      },
       schema: {
         querystring: ListTriggerEventsRequest,
       },

packages/server/api/src/app/user-settings/user-settings.module.ts

@@ -10,6 +10,7 @@ import {
 } from '@openops/shared';
 import { FastifyRequest } from 'fastify';
 import { StatusCodes } from 'http-status-codes';
+import { getProjectScopedRoutePolicy } from '../core/security/route-policies/route-security-policy-factory';
 import { userSettingsService } from './user-settings-service';
 
 export const userSettingsModule: FastifyPluginAsyncTypebox = async (app) => {
@@ -19,7 +20,7 @@ export const userSettingsModule: FastifyPluginAsyncTypebox = async (app) => {
 };
 
 const usersSettingsController: FastifyPluginAsyncTypebox = async (app) => {
-  app.get('/', async (request, response) => {
+  app.get('/', GetUserSettingsRequestOptions, async (request, response) => {
     const userSettings = await userSettingsService.get({
       userId: request.principal.id,
       projectId: request.principal.projectId,
@@ -57,9 +58,29 @@ const usersSettingsController: FastifyPluginAsyncTypebox = async (app) => {
   );
 };
 
+const GetUserSettingsRequestOptions = {
+  config: {
+    allowedPrincipals: [PrincipalType.USER],
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER],
+    }),
+  },
+  schema: {
+    tags: ['user'],
+    description: 'Get user settings',
+    security: [SERVICE_KEY_SECURITY_OPENAPI],
+    response: {
+      [StatusCodes.OK]: UserSettingsDefinition,
+    },
+  },
+};
+
 const UpsertUserSettingsRequestOptions = {
   config: {
     allowedPrincipals: [PrincipalType.USER],
+    security: getProjectScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER],
+    }),
   },
   schema: {
     tags: ['user'],

packages/server/api/src/app/workers/machine/machine-controller.ts

@@ -12,6 +12,8 @@ import {
   WorkerPrincipal,
 } from '@openops/shared';
 import { accessTokenManager } from '../../authentication/context/access-token-manager';
+import { organizationIdResolver } from '../../core/security/route-policies/property-source-factory';
+import { getOrganizationScopedRoutePolicy } from '../../core/security/route-policies/route-security-policy-factory';
 import { organizationService } from '../../organization/organization.service';
 import { machineService } from './machine-service';
 
@@ -57,6 +59,10 @@ export const workerMachineController: FastifyPluginAsyncTypebox = async (
 const GenerateWorkerTokenParams = {
   config: {
     allowedPrincipals: [PrincipalType.USER],
+    security: getOrganizationScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER],
+      organizationIdSource: organizationIdResolver.fromBody(),
+    }),
   },
   schema: {
     description:
@@ -82,6 +88,9 @@ const HeartbeatParams = {
 const ListWorkersParams = {
   config: {
     allowedPrincipals: [PrincipalType.USER],
+    security: getOrganizationScopedRoutePolicy({
+      allowedPrincipals: [PrincipalType.USER],
+    }),
   },
   schema: {
     description: