Skip to content

Commit fd01e8f

Browse files
MarceloRGoncMarceloRGonc
authored
Apply security policy to flow endpoints (#2098)
Fixes OPS-3884.
1 parent 7095368 commit fd01e8f

3 files changed

Lines changed: 59 additions & 7 deletions

File tree

packages/server/api/src/app/flows/flow.module.ts

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,7 @@ export const flowModule: FastifyPluginAsyncTypebox = async (app) => {
3131
await app.register(flowVersionController, { prefix: '/v1/flow-versions' });
3232
await app.register(flowController, { prefix: '/v1/flows' });
3333
await app.register(testController, { prefix: '/v1/test' });
34+
3435
websocketService.addListener(WebsocketServerEvent.TEST_FLOW_RUN, (socket) => {
3536
return async (data: TestFlowRunRequestBody) => {
3637
let principal;
@@ -82,6 +83,7 @@ export const flowModule: FastifyPluginAsyncTypebox = async (app) => {
8283
}
8384
};
8485
});
86+
8587
websocketService.addListener(WebsocketServerEvent.TEST_STEP_RUN, (socket) => {
8688
return async (data: CreateStepRunRequestBody) => {
8789
let principal;

packages/server/api/src/app/flows/flow/flow-version.controller.ts

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ import {
1515
UpdateFlowVersionRequest,
1616
} from '@openops/shared';
1717
import { StatusCodes } from 'http-status-codes';
18+
import { getProjectScopedRoutePolicy } from '../../core/security/route-policies/route-security-policy-factory';
1819
import { validateFlowVersionBelongsToProject } from '../common/flow-version-validation';
1920
import { flowVersionService } from '../flow-version/flow-version.service';
2021
import { flowStepTestOutputService } from '../step-test-output/flow-step-test-output.service';
@@ -25,6 +26,12 @@ export const flowVersionController: FastifyPluginAsyncTypebox = async (
2526
fastify.post(
2627
'/:flowVersionId/trigger',
2728
{
29+
config: {
30+
security: getProjectScopedRoutePolicy({
31+
allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
32+
permission: Permission.WRITE_FLOW,
33+
}),
34+
},
2835
schema: {
2936
description:
3037
'Updates the trigger configuration for a specific flow version',
@@ -243,7 +250,10 @@ export const flowVersionController: FastifyPluginAsyncTypebox = async (
243250
const GetLatestVersionsByConnectionRequestOptions = {
244251
config: {
245252
allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
246-
permission: Permission.READ_FLOW,
253+
security: getProjectScopedRoutePolicy({
254+
allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
255+
permission: Permission.READ_FLOW,
256+
}),
247257
},
248258
schema: {
249259
operationId: 'List Flows By Connection',

packages/server/api/src/app/flows/flow/flow.controller.ts

Lines changed: 46 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,7 @@ import {
3232
} from '@openops/shared';
3333
import { StatusCodes } from 'http-status-codes';
3434
import { entitiesMustBeOwnedByCurrentProject } from '../../authentication/authorization';
35+
import { getProjectScopedRoutePolicy } from '../../core/security/route-policies/route-security-policy-factory';
3536
import { projectService } from '../../project/project-service';
3637
import { sendWorkflowCreatedFromTemplateEvent } from '../../telemetry/event-models';
3738
import { flowRunService } from '../flow-run/flow-run-service';
@@ -266,7 +267,10 @@ async function extractUserIdFromPrincipal(
266267
const CreateFlowRequestOptions = {
267268
config: {
268269
allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
269-
permission: Permission.WRITE_FLOW,
270+
security: getProjectScopedRoutePolicy({
271+
allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
272+
permission: Permission.WRITE_FLOW,
273+
}),
270274
},
271275
schema: {
272276
tags: ['flows'],
@@ -282,7 +286,10 @@ const CreateFlowRequestOptions = {
282286

283287
const UpdateFlowRequestOptions = {
284288
config: {
285-
permission: Permission.UPDATE_FLOW_STATUS,
289+
security: getProjectScopedRoutePolicy({
290+
allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
291+
permission: Permission.UPDATE_FLOW_STATUS,
292+
}),
286293
},
287294
schema: {
288295
tags: ['flows'],
@@ -303,7 +310,14 @@ const ListFlowsRequestOptions = {
303310
PrincipalType.SERVICE,
304311
PrincipalType.WORKER,
305312
],
306-
permission: Permission.READ_FLOW,
313+
security: getProjectScopedRoutePolicy({
314+
allowedPrincipals: [
315+
PrincipalType.USER,
316+
PrincipalType.SERVICE,
317+
PrincipalType.WORKER,
318+
],
319+
permission: Permission.READ_FLOW,
320+
}),
307321
},
308322
schema: {
309323
operationId: 'List Workflows',
@@ -321,6 +335,10 @@ const ListFlowsRequestOptions = {
321335
const CountFlowsRequestOptions = {
322336
config: {
323337
allowedPrincipals: [PrincipalType.SERVICE, PrincipalType.USER],
338+
security: getProjectScopedRoutePolicy({
339+
allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
340+
permission: Permission.READ_FLOW,
341+
}),
324342
},
325343
schema: {
326344
operationId: 'Get Flow Count',
@@ -331,6 +349,13 @@ const CountFlowsRequestOptions = {
331349
};
332350

333351
const GetFlowVersionRequestOptions = {
352+
config: {
353+
allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
354+
security: getProjectScopedRoutePolicy({
355+
allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
356+
permission: Permission.READ_FLOW,
357+
}),
358+
},
334359
schema: {
335360
tags: ['flows'],
336361
description:
@@ -347,6 +372,12 @@ const GetFlowVersionRequestOptions = {
347372
};
348373

349374
const GetFlowTemplateRequestOptions = {
375+
config: {
376+
security: getProjectScopedRoutePolicy({
377+
allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
378+
permission: Permission.READ_FLOW,
379+
}),
380+
},
350381
schema: {
351382
params: Type.Object({
352383
id: OpenOpsId,
@@ -361,7 +392,10 @@ const GetFlowTemplateRequestOptions = {
361392
const GetFlowRequestOptions = {
362393
config: {
363394
allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
364-
permission: Permission.READ_FLOW,
395+
security: getProjectScopedRoutePolicy({
396+
allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
397+
permission: Permission.READ_FLOW,
398+
}),
365399
},
366400
schema: {
367401
operationId: 'Get Flow Details',
@@ -382,7 +416,10 @@ const GetFlowRequestOptions = {
382416
const DeleteFlowRequestOptions = {
383417
config: {
384418
allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
385-
permission: Permission.WRITE_FLOW,
419+
security: getProjectScopedRoutePolicy({
420+
allowedPrincipals: [PrincipalType.USER, PrincipalType.SERVICE],
421+
permission: Permission.WRITE_FLOW,
422+
}),
386423
},
387424
schema: {
388425
tags: ['flows'],
@@ -401,7 +438,10 @@ const DeleteFlowRequestOptions = {
401438
const RunFlowRequestOptions = {
402439
config: {
403440
allowedPrincipals: [PrincipalType.USER],
404-
permission: Permission.WRITE_FLOW,
441+
security: getProjectScopedRoutePolicy({
442+
allowedPrincipals: [PrincipalType.USER],
443+
permission: Permission.TEST_RUN_FLOW,
444+
}),
405445
preSerializationHook: entitiesMustBeOwnedByCurrentProject,
406446
},
407447
schema: {

0 commit comments

Comments
 (0)