Add custom authorization guards (#2125)

Fixes OPS-3906.

Author: MarceloRGonc

packages/server/api/src/app/core/security/authorization-guards/authorization-guards-factory.ts

@@ -0,0 +1,6 @@
+import { AuthorizationGuards } from './authorization-guards';
+import { noopAuthorizationGuards } from './noop-authorization-guards';
+
+export function getAuthorizationGuards(): AuthorizationGuards {
+  return noopAuthorizationGuards;
+}

packages/server/api/src/app/core/security/authorization-guards/authorization-guards.ts

@@ -0,0 +1,24 @@
+import {
+  CreateStepRunRequestBody,
+  Principal,
+  TestFlowRunRequestBody,
+} from '@openops/shared';
+import { FastifyRequest } from 'fastify';
+
+export type AuthorizationGuards = {
+  enforceTestStepAuthorizationFromRequest(
+    request: FastifyRequest,
+  ): Promise<void>;
+
+  enforceTestStepAuthorization(
+    data: CreateStepRunRequestBody,
+    principal: Principal,
+  ): Promise<void>;
+
+  enforceTestRunAuthorization(
+    data: TestFlowRunRequestBody,
+    principal: Principal,
+  ): Promise<void>;
+
+  enforceWorkflowStatusAuthorization(request: FastifyRequest): Promise<void>;
+};

packages/server/api/src/app/core/security/authorization-guards/noop-authorization-guards.ts

@@ -0,0 +1,33 @@
+import {
+  CreateStepRunRequestBody,
+  Principal,
+  TestFlowRunRequestBody,
+} from '@openops/shared';
+import { FastifyRequest } from 'fastify';
+import { AuthorizationGuards } from './authorization-guards';
+
+export const noopAuthorizationGuards: AuthorizationGuards = {
+  enforceTestRunAuthorization(
+    _data: TestFlowRunRequestBody,
+    _principal: Principal,
+  ): Promise<void> {
+    return Promise.resolve();
+  },
+
+  enforceTestStepAuthorization(
+    _data: CreateStepRunRequestBody,
+    _principal: Principal,
+  ): Promise<void> {
+    return Promise.resolve();
+  },
+
+  enforceTestStepAuthorizationFromRequest(
+    _request: FastifyRequest,
+  ): Promise<void> {
+    return Promise.resolve();
+  },
+
+  enforceWorkflowStatusAuthorization(_request: FastifyRequest): Promise<void> {
+    return Promise.resolve();
+  },
+};

packages/server/api/src/app/flows/flow.module.ts

@@ -1,14 +1,18 @@
 import { FastifyPluginAsyncTypebox } from '@fastify/type-provider-typebox';
 import { logger } from '@openops/server-shared';
 import {
+  ApplicationError,
   CreateStepRunRequestBody,
+  ErrorCode,
   FlowRunStatus,
   StepRunResponse,
   TestFlowRunRequestBody,
   WebsocketClientEvent,
   WebsocketServerEvent,
   flowHelper,
 } from '@openops/shared';
+import { Socket } from 'socket.io';
+import { getAuthorizationGuards } from '../core/security/authorization-guards/authorization-guards-factory';
 import { sendStepFailureEvent } from '../telemetry/event-models/step';
 import {
   sendWorkflowTestFailureEvent,
@@ -39,6 +43,11 @@ export const flowModule: FastifyPluginAsyncTypebox = async (app) => {
       try {
         principal = await getPrincipalFromWebsocket(socket);
 
+        await getAuthorizationGuards().enforceTestRunAuthorization(
+          data,
+          principal,
+        );
+
         flowRun = await flowRunService.test({
           projectId: principal.projectId,
           flowVersionId: data.flowVersionId,
@@ -63,6 +72,11 @@ export const flowModule: FastifyPluginAsyncTypebox = async (app) => {
         );
         socket.emit(WebsocketClientEvent.TEST_FLOW_RUN_STARTED, flowRun);
       } catch (err) {
+        if (isAuthorizationError(err)) {
+          sendAuthorizationError(socket, err);
+          return;
+        }
+
         sendWorkflowTestFailureEvent({
           userId: principal?.id ?? '',
           projectId: principal?.projectId ?? '',
@@ -90,6 +104,11 @@ export const flowModule: FastifyPluginAsyncTypebox = async (app) => {
       try {
         principal = await getPrincipalFromWebsocket(socket);
 
+        await getAuthorizationGuards().enforceTestStepAuthorization(
+          data,
+          principal,
+        );
+
         logger.debug({ data }, '[Socket#testStepRun]');
         const stepRun = await stepRunService.create({
           userId: principal.id,
@@ -105,6 +124,11 @@ export const flowModule: FastifyPluginAsyncTypebox = async (app) => {
         };
         socket.emit(WebsocketClientEvent.TEST_STEP_FINISHED, response);
       } catch (err) {
+        if (isAuthorizationError(err)) {
+          sendAuthorizationError(socket, err);
+          return;
+        }
+
         let step;
         try {
           const flowVersion = await flowVersionService.getOneOrThrow(
@@ -139,3 +163,20 @@ export const flowModule: FastifyPluginAsyncTypebox = async (app) => {
     };
   });
 };
+
+function isAuthorizationError(error: unknown): boolean {
+  logger.debug('isAuthorizationError', error);
+  return (
+    error instanceof ApplicationError &&
+    error.error.code === ErrorCode.AUTHORIZATION
+  );
+}
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function sendAuthorizationError(socket: Socket, error: any): void {
+  socket.emit('error', {
+    success: false,
+    code: error.error.code,
+    output: error.error.params.message,
+  });
+}

packages/server/api/src/app/flows/flow/flow.controller.ts

@@ -32,6 +32,7 @@ import {
 } from '@openops/shared';
 import { StatusCodes } from 'http-status-codes';
 import { entitiesMustBeOwnedByCurrentProject } from '../../authentication/authorization';
+import { getAuthorizationGuards } from '../../core/security/authorization-guards/authorization-guards-factory';
 import { getProjectScopedRoutePolicy } from '../../core/security/route-policies/route-security-policy-factory';
 import { projectService } from '../../project/project-service';
 import { sendWorkflowCreatedFromTemplateEvent } from '../../telemetry/event-models';
@@ -291,6 +292,7 @@ const UpdateFlowRequestOptions = {
       permission: Permission.WRITE_FLOW,
     }),
   },
+  preHandler: getAuthorizationGuards().enforceWorkflowStatusAuthorization,
   schema: {
     tags: ['flows'],
     description:

packages/server/api/src/app/flows/trigger-events/trigger-event.module.ts

@@ -5,6 +5,7 @@ import {
   PrincipalType,
   TestPollingTriggerRequest,
 } from '@openops/shared';
+import { getAuthorizationGuards } from '../../core/security/authorization-guards/authorization-guards-factory';
 import { getProjectScopedRoutePolicy } from '../../core/security/route-policies/route-security-policy-factory';
 import { systemJobsSchedule } from '../../helper/system-jobs';
 import { SystemJobName } from '../../helper/system-jobs/common';
@@ -44,6 +45,8 @@ const triggerEventController: FastifyPluginAsyncTypebox = async (fastify) => {
           permission: Permission.READ_FLOW,
         }),
       },
+      preHandler:
+        getAuthorizationGuards().enforceTestStepAuthorizationFromRequest,
       schema: {
         querystring: TestPollingTriggerRequest,
       },

packages/server/api/src/app/webhooks/webhook-simulation/webhook-simulation-controller.ts

@@ -3,6 +3,7 @@ import {
   Type,
 } from '@fastify/type-provider-typebox';
 import { Permission, PrincipalType } from '@openops/shared';
+import { getAuthorizationGuards } from '../../core/security/authorization-guards/authorization-guards-factory';
 import { getProjectScopedRoutePolicy } from '../../core/security/route-policies/route-security-policy-factory';
 import { webhookSimulationService } from './webhook-simulation-service';
 
@@ -52,6 +53,7 @@ const CreateWebhookSimulationRequest = {
       permission: Permission.TEST_STEP_FLOW,
     }),
   },
+  preHandler: getAuthorizationGuards().enforceTestStepAuthorizationFromRequest,
   schema: {
     body: Type.Object({
       flowId: Type.String(),