From 0d960181a2abdb4abaedb94ea974ef7f38e80eff Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 16 Jun 2026 23:48:46 +0000
Subject: [PATCH] fix: update resource rule routes to use shared policy rules
---
 server/routers/resource/createResourceRule.ts | 8 +-
 server/routers/resource/deleteResourceRule.ts | 16 ++--
 server/routers/resource/getResource.ts | 10 +--
 server/routers/resource/listResourceRules.ts | 8 +-
 server/routers/resource/updateResourceRule.ts | 90 ++++++++++++++++++-
 5 files changed, 103 insertions(+), 29 deletions(-)
diff --git a/server/routers/resource/createResourceRule.ts b/server/routers/resource/createResourceRule.ts
index 9d2261338..5ab7dcf43 100644
--- a/server/routers/resource/createResourceRule.ts
+++ b/server/routers/resource/createResourceRule.ts
@@ -154,12 +154,8 @@ export async function createResourceRule(
 }
 // Create the new resource rule
- const isInlinePolicy =
- resource.resourcePolicyId === null &&
- resource.defaultResourcePolicyId !== null;
-
- if (isInlinePolicy) {
- const policyId = resource.defaultResourcePolicyId!;
+ if (resource.resourcePolicyId !== null) {
+ const policyId = resource.resourcePolicyId;
 const [newRule] = await db
 .insert(resourcePolicyRules)
 .values({
diff --git a/server/routers/resource/deleteResourceRule.ts b/server/routers/resource/deleteResourceRule.ts
index c619a693e..7c21e30ea 100644
--- a/server/routers/resource/deleteResourceRule.ts
+++ b/server/routers/resource/deleteResourceRule.ts
@@ -2,7 +2,7 @@ import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
 import { resourceRules, resourcePolicyRules, resources } from "@server/db";
-import { eq } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
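Review bot: In createResourceRule.ts, the insert under `if (resource.resourcePolicyId !== null)` now writes into a policy that other resources may also be attached to, and nothing visible in the hunk checks that the caller may edit that policy rather than only this resource. If the route's authorization (outside the hunk) is resource-scoped, a user with rights on one resource could change the access rules of every resource sharing the policy; the same branch condition is used in the delete, list, get and update handlers of this commit. I would verify the caller's permission on `policyId` before the insert and add a comment such as `// shared policy: this rule applies to every resource attached to policyId`. Resources that only have `defaultResourcePolicyId` set now skip this branch, so it is worth confirming their existing policy rules stay reachable. The function body starts and continues outside the hunk.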
@@ -73,14 +73,16 @@ export async function deleteResourceRule(
 );
 }
- const isInlinePolicy =
- resource.resourcePolicyId === null &&
- resource.defaultResourcePolicyId !== null;
-
- if (isInlinePolicy) {
+ if (resource.resourcePolicyId !== null) {
+ const policyId = resource.resourcePolicyId;
 const [deletedRule] = await db
 .delete(resourcePolicyRules)
- .where(eq(resourcePolicyRules.ruleId, ruleId))
+ .where(
+ and(
+ eq(resourcePolicyRules.ruleId, ruleId),
+ eq(resourcePolicyRules.resourcePolicyId, policyId)
+ )
+ )
 .returning();
 if (!deletedRule) {
diff --git a/server/routers/resource/getResource.ts b/server/routers/resource/getResource.ts
index 708351db1..161464a45 100644
--- a/server/routers/resource/getResource.ts
+++ b/server/routers/resource/getResource.ts
@@ -141,16 +141,10 @@ export async function getResource(
 );
 }
- const isInlinePolicy =
- resource.resourcePolicyId === null &&
- resource.defaultResourcePolicyId !== null;
-
 let returnData = resource;
- if (isInlinePolicy) {
+ if (resource.resourcePolicyId !== null) {
 // get the policy
- const policy = await queryInlinePolicy(
- resource.defaultResourcePolicyId!
- );
+ const policy = await queryInlinePolicy(resource.resourcePolicyId);
 returnData = {
 ...returnData,
 sso: policy?.sso || null,
diff --git a/server/routers/resource/listResourceRules.ts b/server/routers/resource/listResourceRules.ts
index 6b9df688a..efb315ac5 100644
--- a/server/routers/resource/listResourceRules.ts
+++ b/server/routers/resource/listResourceRules.ts
@@ -140,15 +140,11 @@ export async function listResourceRules(
 );
 }
- const isInlinePolicy =
- resource.resourcePolicyId === null &&
- resource.defaultResourcePolicyId !== null;
-
 let rulesList: Awaited>;
 let totalCount: number;
- if (isInlinePolicy) {
- const policyId = resource.defaultResourcePolicyId!;
+ if (resource.resourcePolicyId !== null) {
+ const policyId = resource.resourcePolicyId;
 const policyRules = await queryPolicyRules(policyId)
 .limit(limit)
 .offset(offset);
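Review bot: In deleteResourceRule.ts, the new `and(...)` predicate is what stops a `ruleId` that belongs to another policy from being deleted through this resource, but the code does not say so. I would add `// Scope by policyId so a ruleId from another policy cannot be deleted via this resource` above the `.where(` call, because a later simplification back to a `ruleId`-only filter would silently reintroduce cross-policy deletion. The branch body continues outside the hunk.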
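Review bot: In getResource.ts, `queryInlinePolicy(resource.resourcePolicyId)` may return nothing for an id that no longer resolves, and the following `policy?.sso || null` line then reports the setting as null instead of signalling that the attached policy is missing. A client reading this response cannot tell "SSO disabled" from "policy not found", so I would handle the missing case explicitly before building `returnData`, for example `if (!policy) return next(createHttpError(HttpCode.NOT_FOUND, "Resource policy not found"));` if those helpers are in scope in this file as they are in the sibling handlers. The helper name also no longer fits, since it is now called with a shared policy id rather than an inline one; a rename or a one-line comment would help. The object literal continues outside the hunk.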
diff --git a/server/routers/resource/updateResourceRule.ts b/server/routers/resource/updateResourceRule.ts
index cc2a6fc03..8e4297ce1 100644
--- a/server/routers/resource/updateResourceRule.ts
+++ b/server/routers/resource/updateResourceRule.ts
@@ -1,8 +1,8 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { resourceRules, resources } from "@server/db";
-import { eq } from "drizzle-orm";
+import { resourcePolicyRules, resourceRules, resources } from "@server/db";
+import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -128,6 +128,92 @@ export async function updateResourceRule(
 );
 }
+ const policyId = resource.resourcePolicyId;
+
+ if (policyId !== null) {
+ const [existingRule] = await db
+ .select()
+ .from(resourcePolicyRules)
+ .where(
+ and(
+ eq(resourcePolicyRules.ruleId, ruleId),
+ eq(resourcePolicyRules.resourcePolicyId, policyId)
+ )
+ )
+ .limit(1);
+
+ if (!existingRule) {
+ return next(
+ createHttpError(
+ HttpCode.NOT_FOUND,
+ `Resource rule with ID ${ruleId} not found`
+ )
+ );
+ }
+
+ const match = updateData.match || existingRule.match;
+ const { value } = updateData;
+
+ if (value !== undefined) {
+ if (match === "CIDR") {
+ if (!isValidCIDR(value)) {
+ return next(
+ createHttpError(
+ HttpCode.BAD_REQUEST,
+ "Invalid CIDR provided"
+ )
+ );
+ }
+ } else if (match === "IP") {
+ if (!isValidIP(value)) {
+ return next(
+ createHttpError(
+ HttpCode.BAD_REQUEST,
+ "Invalid IP provided"
+ )
+ );
+ }
+ } else if (match === "PATH") {
+ if (!isValidUrlGlobPattern(value)) {
+ return next(
+ createHttpError(
+ HttpCode.BAD_REQUEST,
+ "Invalid URL glob pattern provided"
+ )
+ );
+ }
+ } else if (match === "REGION") {
+ if (!isValidRegionId(value)) {
+ return next(
+ createHttpError(
+ HttpCode.BAD_REQUEST,
+ "Invalid region ID provided"
+ )
+ );
+ }
+ }
+ }
+
+ const [updatedRule] = await db
+ .update(resourcePolicyRules)
+ .set(updateData)
+ .where(
+ and(
+ eq(resourcePolicyRules.ruleId, ruleId),
+ eq(resourcePolicyRules.resourcePolicyId, policyId)
+ )
+ )
+ .returning();
+
+ return response(res, {
+ data: updatedRule,
+ success: true,
+ error: false,
+ message: "Resource rule updated successfully",
+ status: HttpCode.OK
+ });
+ }
+
 // Verify that the rule exists and belongs to the specified resource
 const [existingRule] = await db
 .select()
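Review bot: In updateResourceRule.ts, the validation in the new shared-policy branch runs only when `value` is supplied, so a request that changes `match` alone (say from IP to CIDR) leaves the stored value unchecked against the new match type and can produce an access rule that never matches as intended. The check should run on the effective value whenever either field changes, assuming the stored row carries a `value` column as the update payload does. Separately, `updatedRule` is returned without a check, so if the row disappears between the select and the update the handler answers 200 with no data. The validation chain also looks like a copy of the legacy branch that follows the hunk and could move into one shared helper; the function starts and ends outside the hunk.

```typescript
        const match = updateData.match || existingRule.match;
        // Re-validate the stored value when only `match` changes.
        const value = updateData.value ?? existingRule.value;

        if (updateData.match !== undefined || updateData.value !== undefined) {
            // … unchanged: per-match isValidCIDR / isValidIP / isValidUrlGlobPattern / isValidRegionId checks on `value` …
        }

        // … unchanged: update of resourcePolicyRules scoped by ruleId and policyId …

        if (!updatedRule) {
            return next(
                createHttpError(
                    HttpCode.NOT_FOUND,
                    `Resource rule with ID ${ruleId} not found`
                )
            );
        }
```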