Add the policy information into missing places

2026-06-05 07:16:24 +00:00 · 2026-06-02 15:47:55 -07:00
parent 88ea4391e0
commit 19feaf4bf2
4 changed files with 113 additions and 51 deletions
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -26,15 +26,22 @@ import {
    userPolicies,
    users,
    ResourceHeaderAuthExtendedCompatibility,
-    resourceHeaderAuthExtendedCompatibility
+    resourceHeaderAuthExtendedCompatibility,
+    resourcePolicies,
+    resourcePolicyPincode,
+    ResourcePolicyPincode,
+    resourcePolicyPassword,
+    ResourcePolicyPassword,
+    resourcePolicyHeaderAuth,
+    ResourcePolicyHeaderAuth
 } from "@server/db";
 import { and, eq, inArray, or, sql } from "drizzle-orm";

 export type ResourceWithAuth = {
    resource: Resource | null;
-    pincode: ResourcePincode | null;
-    password: ResourcePassword | null;
-    headerAuth: ResourceHeaderAuth | null;
+    pincode: ResourcePincode | ResourcePolicyPincode | null;
+    password: ResourcePassword | ResourcePolicyPassword | null;
+    headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
    org: Org;
 };
@@ -82,6 +89,31 @@ export async function getResourceByDomain(
                resources.resourceId
            )
        )
+        .leftJoin(
+            resourcePolicies,
+            eq(resourcePolicies.resourcePolicyId, resources.resourcePolicyId)
+        )
+        .leftJoin(
+            resourcePolicyPincode,
+            eq(
+                resourcePolicyPincode.resourcePolicyId,
+                resourcePolicies.resourcePolicyId
+            )
+        )
+        .leftJoin(
+            resourcePolicyPassword,
+            eq(
+                resourcePolicyPassword.resourcePolicyId,
+                resourcePolicies.resourcePolicyId
+            )
+        )
+        .leftJoin(
+            resourcePolicyHeaderAuth,
+            eq(
+                resourcePolicyHeaderAuth.resourcePolicyId,
+                resourcePolicies.resourcePolicyId
+            )
+        )
        .innerJoin(orgs, eq(orgs.orgId, resources.orgId))
        .where(
            or(
@@ -113,11 +145,18 @@ export async function getResourceByDomain(

    return {
        resource: result.resources,
-        pincode: result.resourcePincode,
-        password: result.resourcePassword,
-        headerAuth: result.resourceHeaderAuth,
-        headerAuthExtendedCompatibility:
-            result.resourceHeaderAuthExtendedCompatibility,
+        pincode: result.resourcePolicyPincode ?? result.resourcePincode,
+        password: result.resourcePolicyPassword ?? result.resourcePassword,
+        headerAuth:
+            result.resourcePolicyHeaderAuth ?? result.resourceHeaderAuth,
+        headerAuthExtendedCompatibility: result.resourcePolicyHeaderAuth
+            ? ({
+                  headerAuthExtendedCompatibilityId: 0,
+                  resourceId: result.resources.resourceId,
+                  extendedCompatibilityIsActivated:
+                      result.resourcePolicyHeaderAuth.extendedCompatibility
+              } as ResourceHeaderAuthExtendedCompatibility)
+            : result.resourceHeaderAuthExtendedCompatibility,
        org: result.orgs
    };
 }
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -1545,5 +1545,14 @@ export type RoundTripMessageTracker = InferSelectModel<
 export type StatusHistory = InferSelectModel<typeof statusHistory>;
 export type Label = InferSelectModel<typeof labels>;
 export type ResourcePolicy = InferSelectModel<typeof resourcePolicies>;
+export type ResourcePolicyPincode = InferSelectModel<
+    typeof resourcePolicyPincode
+>;
+export type ResourcePolicyPassword = InferSelectModel<
+    typeof resourcePolicyPassword
+>;
+export type ResourcePolicyHeaderAuth = InferSelectModel<
+    typeof resourcePolicyHeaderAuth
+>;
 export type RolePolicy = InferSelectModel<typeof rolePolicies>;
 export type UserPolicy = InferSelectModel<typeof userPolicies>;
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -35,7 +35,14 @@ import {
    ResourceHeaderAuthExtendedCompatibility,
    orgs,
    requestAuditLog,
-    Org
+    Org,
+    resourcePolicies,
+    resourcePolicyPincode,
+    ResourcePolicyPincode,
+    resourcePolicyPassword,
+    ResourcePolicyPassword,
+    resourcePolicyHeaderAuth,
+    ResourcePolicyHeaderAuth
 } from "@server/db";
 import {
    resources,
@@ -204,9 +211,9 @@ export type ValidateResourceSessionTokenBody = z.infer<
 // Type definitions for API responses
 export type ResourceWithAuth = {
    resource: Resource | null;
-    pincode: ResourcePincode | null;
-    password: ResourcePassword | null;
-    headerAuth: ResourceHeaderAuth | null;
+    pincode: ResourcePincode | ResourcePolicyPincode | null;
+    password: ResourcePassword | ResourcePolicyPassword | null;
+    headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
    org: Org;
 };
@@ -529,6 +536,34 @@ hybridRouter.get(
                        resources.resourceId
                    )
                )
+                .leftJoin(
+                    resourcePolicies,
+                    eq(
+                        resourcePolicies.resourcePolicyId,
+                        resources.resourcePolicyId
+                    )
+                )
+                .leftJoin(
+                    resourcePolicyPincode,
+                    eq(
+                        resourcePolicyPincode.resourcePolicyId,
+                        resourcePolicies.resourcePolicyId
+                    )
+                )
+                .leftJoin(
+                    resourcePolicyPassword,
+                    eq(
+                        resourcePolicyPassword.resourcePolicyId,
+                        resourcePolicies.resourcePolicyId
+                    )
+                )
+                .leftJoin(
+                    resourcePolicyHeaderAuth,
+                    eq(
+                        resourcePolicyHeaderAuth.resourcePolicyId,
+                        resourcePolicies.resourcePolicyId
+                    )
+                )
                .innerJoin(orgs, eq(orgs.orgId, resources.orgId))
                .where(
                    or(
@@ -581,11 +616,21 @@ hybridRouter.get(

            const resourceWithAuth: ResourceWithAuth = {
                resource: result.resources,
-                pincode: result.resourcePincode,
-                password: result.resourcePassword,
-                headerAuth: result.resourceHeaderAuth,
-                headerAuthExtendedCompatibility:
-                    result.resourceHeaderAuthExtendedCompatibility,
+                pincode: result.resourcePolicyPincode ?? result.resourcePincode,
+                password:
+                    result.resourcePolicyPassword ?? result.resourcePassword,
+                headerAuth:
+                    result.resourcePolicyHeaderAuth ??
+                    result.resourceHeaderAuth,
+                headerAuthExtendedCompatibility: result.resourcePolicyHeaderAuth
+                    ? ({
+                          headerAuthExtendedCompatibilityId: 0,
+                          resourceId: result.resources.resourceId,
+                          extendedCompatibilityIsActivated:
+                              result.resourcePolicyHeaderAuth
+                                  .extendedCompatibility
+                      } as ResourceHeaderAuthExtendedCompatibility)
+                    : result.resourceHeaderAuthExtendedCompatibility,
                org: result.orgs
            };

--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -78,41 +78,9 @@ export type SignSshKeyResponse = {
    validAfter?: string;
    validBefore?: string;
    expiresIn?: number;
+    authDaemonMode: "site" | "remote" | "native" | null;
 };

-// registry.registerPath({
-//     method: "post",
-//     path: "/org/{orgId}/ssh/sign-key",
-//     description: "Sign an SSH public key for access to a resource.",
-//     tags: [OpenAPITags.Org, OpenAPITags.Ssh],
-//     request: {
-//         params: paramsSchema,
-//         body: {
-//             content: {
-//                 "application/json": {
-//                     schema: bodySchema
-//                 }
-//             }
-//         }
-//     },
-// responses: {
-// 200: {
-// description: "Successful response",
-// content: {
-// "application/json": {
-// schema: z.object({
-// data: z.unknown().nullable(),
-// success: z.boolean(),
-// error: z.boolean(),
-// message: z.string(),
-// status: z.number()
-// })
-// }
-// }
-// }
-// }
-// });
-
 export async function signSshKey(
    req: Request,
    res: Response,
@@ -654,6 +622,7 @@ export async function signSshKey(
                siteIds: siteIds,
                siteId: siteIds[0], // just pick the first one for backward compatibility with older olms
                keyId: cert?.keyId,
+                authDaemonMode: resource.authDaemonMode,
                validPrincipals: cert?.validPrincipals,
                validAfter: cert?.validAfter.toISOString(),
                validBefore: cert?.validBefore.toISOString(),