
Commit b3ee0d1

authored
Add security policy to Worker-Only endpoints (#2083)
Fixes OPS-3867.
1 parent 6134e6a commit b3ee0d1

3 files changed

Lines changed: 20 additions & 0 deletions


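--- a/packages/server/api/src/app/workers/machine/machine-controller.ts
+++ b/packages/server/api/src/app/workers/machine/machine-controller.ts
@@ -6,6 +6,7 @@ import { system } from '@openops/server-shared';
 import {
   OpsEdition,
   PrincipalType,
+  WORKER_ROUTE_POLICY,
   WorkerMachineHealthcheckRequest,
   WorkerMachineType,
   WorkerPrincipal,
@@ -69,6 +70,7 @@ const GenerateWorkerTokenParams = {
 const HeartbeatParams = {
   config: {
     allowedPrincipals: [PrincipalType.WORKER],
+    security: WORKER_ROUTE_POLICY,
   },
   schema: {
     description: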
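Review bot: HeartbeatParams.config now declares the worker principal twice — in the legacy `allowedPrincipals: [PrincipalType.WORKER]` and again inside `WORKER_ROUTE_POLICY.authorization.allowedPrincipals` — and nothing in the hunk says which of the two the route guard enforces. If the `security` policy is the authoritative one, either drop the legacy field or mark it, e.g. `// allowedPrincipals kept for the legacy principal check; WORKER_ROUTE_POLICY is the enforced policy`, so the two cannot drift apart unnoticed. The hunk header also shows `GenerateWorkerTokenParams` directly above HeartbeatParams; if that route is worker-only as well it does not appear to receive the policy in this commit, though its config is outside the hunk. HeartbeatParams continues past the end of the hunk.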

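--- a/packages/server/api/src/app/workers/worker-controller.ts
+++ b/packages/server/api/src/app/workers/worker-controller.ts
@@ -21,6 +21,7 @@ import {
   PrincipalType,
   ProgressUpdateType,
   RunEnvironment,
+  WORKER_ROUTE_POLICY,
 } from '@openops/shared';
 import { accessTokenManager } from '../authentication/context/access-token-manager';
 import { flowRunService } from '../flows/flow-run/flow-run-service';
@@ -37,6 +38,7 @@ export const flowWorkerController: FastifyPluginAsyncTypebox = async (app) => {
     {
       config: {
         allowedPrincipals: [PrincipalType.WORKER],
+        security: WORKER_ROUTE_POLICY,
       },
       logLevel: 'silent',
       schema: {
@@ -63,6 +65,7 @@ export const flowWorkerController: FastifyPluginAsyncTypebox = async (app) => {
     {
       config: {
         allowedPrincipals: [PrincipalType.WORKER],
+        security: WORKER_ROUTE_POLICY,
       },
       schema: {
         description:
@@ -81,6 +84,7 @@ export const flowWorkerController: FastifyPluginAsyncTypebox = async (app) => {
     {
       config: {
         allowedPrincipals: [PrincipalType.WORKER],
+        security: WORKER_ROUTE_POLICY,
       },
       schema: {
         description:
@@ -104,6 +108,7 @@ export const flowWorkerController: FastifyPluginAsyncTypebox = async (app) => {
     {
       config: {
         allowedPrincipals: [PrincipalType.WORKER],
+        security: WORKER_ROUTE_POLICY,
       },
       schema: {
         description:
@@ -133,6 +138,7 @@ export const flowWorkerController: FastifyPluginAsyncTypebox = async (app) => {
     {
       config: {
         allowedPrincipals: [PrincipalType.WORKER],
+        security: WORKER_ROUTE_POLICY,
       },
       schema: {
         description:
@@ -169,6 +175,7 @@ export const flowWorkerController: FastifyPluginAsyncTypebox = async (app) => {
     {
       config: {
         allowedPrincipals: [PrincipalType.WORKER],
+        security: WORKER_ROUTE_POLICY,
       },
       schema: {
         description:
@@ -213,6 +220,7 @@ export const flowWorkerController: FastifyPluginAsyncTypebox = async (app) => {
     {
       config: {
         allowedPrincipals: [PrincipalType.WORKER],
+        security: WORKER_ROUTE_POLICY,
       },
       schema: {
         description: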
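Review bot: The same two-line config block `allowedPrincipals: [PrincipalType.WORKER], security: WORKER_ROUTE_POLICY` is pasted into seven route registrations of flowWorkerController (the hunks landing at new-file lines 38, 65, 84, 108, 138, 175 and 220), which is exactly the shape that lets the next worker route omit `security` without anyone noticing. A single module-level `const WORKER_ROUTE_CONFIG = { allowedPrincipals: [PrincipalType.WORKER], security: WORKER_ROUTE_POLICY };` used as `config: WORKER_ROUTE_CONFIG,` in each registration keeps one source of truth for what "worker-only" means in this file. As in machine-controller.ts, the principal is now stated both in the legacy field and inside the policy, and which one the guard actually enforces is not visible from these hunks. All hunks lie inside the body of flowWorkerController, which starts and ends outside them.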

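--- a/packages/shared/src/lib/authentication/model/principal-type.ts
+++ b/packages/shared/src/lib/authentication/model/principal-type.ts
@@ -52,3 +52,13 @@ export const ENGINE_ROUTE_POLICY: Readonly<UnscopedRoutePolicy> = Object.freeze(
     } as UnscopedAuthorizationPolicy,
   },
 );
+
+export const WORKER_ROUTE_POLICY: Readonly<UnscopedRoutePolicy> = Object.freeze(
+  {
+    routeAccessType: RouteAccessType.AUTHENTICATED,
+    authorization: {
+      authorizationScope: AuthorizationScope.UNSCOPED,
+      allowedPrincipals: [PrincipalType.WORKER],
+    } as UnscopedAuthorizationPolicy,
+  },
+);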
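Review bot: `Object.freeze` on the new line 56 freezes only the outer object, so `WORKER_ROUTE_POLICY.authorization.allowedPrincipals` is a plain mutable array shared by every route that imports the constant, and `Readonly<UnscopedRoutePolicy>` is erased at compile time, so an accidental `push` anywhere at runtime would widen the principals accepted on every worker-only route at once; the existing ENGINE_ROUTE_POLICY this mirrors has the same gap. Freezing the nested parts too, e.g. `allowedPrincipals: Object.freeze([PrincipalType.WORKER]),` and wrapping the authorization object in `Object.freeze(...)`, closes it, provided UnscopedAuthorizationPolicy accepts a readonly array — the `as UnscopedAuthorizationPolicy` assertion would silently hide a mismatch, so `satisfies UnscopedAuthorizationPolicy` is the safer form there. The exported constant also has no TSDoc; a line such as `/** Route policy for endpoints that only WORKER principals may call; used as the `security` entry of a route's config. */` would tell readers when to choose it over ENGINE_ROUTE_POLICY.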
