From 19feaf4bf28e256a3df0a47b9ab3d17b12bf8671 Mon Sep 17 00:00:00 2001
From: Owen
Date: Tue, 2 Jun 2026 15:47:55 -0700
Subject: [PATCH] Add the policy information into missing places
---
 server/db/queries/verifySessionQueries.ts | 57 ++++++++++++++++----
 server/db/sqlite/schema/schema.ts | 9 ++++
 server/private/routers/hybrid.ts | 63 +++++++++++++++++++----
 server/private/routers/ssh/signSshKey.ts | 35 +------------
 4 files changed, 113 insertions(+), 51 deletions(-)
diff --git a/server/db/queries/verifySessionQueries.ts b/server/db/queries/verifySessionQueries.ts
index 17844e13c..d1f933979 100644
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -26,15 +26,22 @@ import {
 userPolicies,
 users,
 ResourceHeaderAuthExtendedCompatibility,
- resourceHeaderAuthExtendedCompatibility
+ resourceHeaderAuthExtendedCompatibility,
+ resourcePolicies,
+ resourcePolicyPincode,
+ ResourcePolicyPincode,
+ resourcePolicyPassword,
+ ResourcePolicyPassword,
+ resourcePolicyHeaderAuth,
+ ResourcePolicyHeaderAuth
 } from "@server/db";
 import { and, eq, inArray, or, sql } from "drizzle-orm";
 export type ResourceWithAuth = {
 resource: Resource | null;
- pincode: ResourcePincode | null;
- password: ResourcePassword | null;
- headerAuth: ResourceHeaderAuth | null;
+ pincode: ResourcePincode | ResourcePolicyPincode | null;
+ password: ResourcePassword | ResourcePolicyPassword | null;
+ headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
 headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
 org: Org;
 };
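Review bot: `ResourceWithAuth` is now declared twice with an identical shape, here and in `server/private/routers/hybrid.ts` (its `@@ -204,9 +211,9 @@` hunk), and this commit had to widen both copies in lockstep; exporting the type from one module and importing it in the other (`import type { ResourceWithAuth } ...`) removes that drift risk. Widening `pincode`/`password`/`headerAuth` to a union of the resource-level and policy-level row types also means any consumer that reads a column present on only one of the two rows now needs a narrowing check, which the compiler will only enforce if the columns really differ between the tables — the table definitions are not visible here. If they do differ, a small discriminant on the returned value (`source: "policy" | "resource"`) would make the precedence visible to callers instead of leaving it implicit in the union.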
@@ -82,6 +89,31 @@ export async function getResourceByDomain(
 resources.resourceId
 )
 )
+ .leftJoin(
+ resourcePolicies,
+ eq(resourcePolicies.resourcePolicyId, resources.resourcePolicyId)
+ )
+ .leftJoin(
+ resourcePolicyPincode,
+ eq(
+ resourcePolicyPincode.resourcePolicyId,
+ resourcePolicies.resourcePolicyId
+ )
+ )
+ .leftJoin(
+ resourcePolicyPassword,
+ eq(
+ resourcePolicyPassword.resourcePolicyId,
+ resourcePolicies.resourcePolicyId
+ )
+ )
+ .leftJoin(
+ resourcePolicyHeaderAuth,
+ eq(
+ resourcePolicyHeaderAuth.resourcePolicyId,
+ resourcePolicies.resourcePolicyId
+ )
+ )
 .innerJoin(orgs, eq(orgs.orgId, resources.orgId))
 .where(
 or(
@@ -113,11 +145,18 @@ export async function getResourceByDomain(
 return {
 resource: result.resources,
- pincode: result.resourcePincode,
- password: result.resourcePassword,
- headerAuth: result.resourceHeaderAuth,
- headerAuthExtendedCompatibility:
- result.resourceHeaderAuthExtendedCompatibility,
+ pincode: result.resourcePolicyPincode ?? result.resourcePincode,
+ password: result.resourcePolicyPassword ?? result.resourcePassword,
+ headerAuth:
+ result.resourcePolicyHeaderAuth ?? result.resourceHeaderAuth,
+ headerAuthExtendedCompatibility: result.resourcePolicyHeaderAuth
+ ? ({
+ headerAuthExtendedCompatibilityId: 0,
+ resourceId: result.resources.resourceId,
+ extendedCompatibilityIsActivated:
+ result.resourcePolicyHeaderAuth.extendedCompatibility
+ } as ResourceHeaderAuthExtendedCompatibility)
+ : result.resourceHeaderAuthExtendedCompatibility,
 org: result.orgs
 };
 }
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index aff55b74e..4291df6b0 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
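Review bot: The `??` fallbacks in the returned object layer the two auth sources rather than choosing one: when a resource has a policy attached but the policy has no pincode row, `result.resourcePolicyPincode ?? result.resourcePincode` still applies the resource's own pincode, so a policy can add a check but never switch a resource-level check off, and the same holds for `password` and `headerAuth`. If a policy is meant to replace resource-level auth, gate the fallback on whether a policy row was joined at all — `resourcePolicies` is joined in the previous hunk but, within the hunks shown, never read — e.g. `const policy = result.resourcePolicies;` and `pincode: policy ? result.resourcePolicyPincode : result.resourcePincode,`; if layering is the intent, a one-line comment above the object saying so would stop the next reader from "fixing" it. The synthesized `headerAuthExtendedCompatibility` is built with `as ResourceHeaderAuthExtendedCompatibility`, which silences the compiler if `extendedCompatibility` on the policy row is nullable or of a different type than `extendedCompatibilityIsActivated`; a typed local (`const compat: ResourceHeaderAuthExtendedCompatibility = { ... }`) keeps that check, and the `0` id deserves `// placeholder id: this row is synthesized from the policy row and does not correspond to a stored row`. Both the join block and this precedence block reappear verbatim in `server/private/routers/hybrid.ts` (hunks `@@ -529,6 +536,34 @@` and `@@ -581,11 +616,21 @@`), so a shared `resolveResourceAuth(result)` helper next to `getResourceByDomain` would keep the rule in one place; `getResourceByDomain` itself starts before and continues past these hunks.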
@@ -1545,5 +1545,14 @@ export type RoundTripMessageTracker = InferSelectModel<
 export type StatusHistory = InferSelectModel;
 export type Label = InferSelectModel;
 export type ResourcePolicy = InferSelectModel;
+export type ResourcePolicyPincode = InferSelectModel<
+ typeof resourcePolicyPincode
+>;
+export type ResourcePolicyPassword = InferSelectModel<
+ typeof resourcePolicyPassword
+>;
+export type ResourcePolicyHeaderAuth = InferSelectModel<
+ typeof resourcePolicyHeaderAuth
+>;
 export type RolePolicy = InferSelectModel;
 export type UserPolicy = InferSelectModel;
diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts
index 11f46e68d..27100c3eb 100644
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -35,7 +35,14 @@ import {
 ResourceHeaderAuthExtendedCompatibility,
 orgs,
 requestAuditLog,
- Org
+ Org,
+ resourcePolicies,
+ resourcePolicyPincode,
+ ResourcePolicyPincode,
+ resourcePolicyPassword,
+ ResourcePolicyPassword,
+ resourcePolicyHeaderAuth,
+ ResourcePolicyHeaderAuth
 } from "@server/db";
 import {
 resources,
@@ -204,9 +211,9 @@ export type ValidateResourceSessionTokenBody = z.infer<
 // Type definitions for API responses
 export type ResourceWithAuth = {
 resource: Resource | null;
- pincode: ResourcePincode | null;
- password: ResourcePassword | null;
- headerAuth: ResourceHeaderAuth | null;
+ pincode: ResourcePincode | ResourcePolicyPincode | null;
+ password: ResourcePassword | ResourcePolicyPassword | null;
+ headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
 headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
 org: Org;
 };
@@ -529,6 +536,34 @@ hybridRouter.get(
 resources.resourceId
 )
 )
+ .leftJoin(
+ resourcePolicies,
+ eq(
+ resourcePolicies.resourcePolicyId,
+ resources.resourcePolicyId
+ )
+ )
+ .leftJoin(
+ resourcePolicyPincode,
+ eq(
+ resourcePolicyPincode.resourcePolicyId,
+ resourcePolicies.resourcePolicyId
+ )
+ )
+ .leftJoin(
+ resourcePolicyPassword,
+ eq(
+ resourcePolicyPassword.resourcePolicyId,
+ resourcePolicies.resourcePolicyId
+ )
+ )
+ .leftJoin(
+ resourcePolicyHeaderAuth,
+ eq(
+ resourcePolicyHeaderAuth.resourcePolicyId,
+ resourcePolicies.resourcePolicyId
+ )
+ )
 .innerJoin(orgs, eq(orgs.orgId, resources.orgId))
 .where(
 or(
@@ -581,11 +616,21 @@ hybridRouter.get(
 const resourceWithAuth: ResourceWithAuth = {
 resource: result.resources,
- pincode: result.resourcePincode,
- password: result.resourcePassword,
- headerAuth: result.resourceHeaderAuth,
- headerAuthExtendedCompatibility:
- result.resourceHeaderAuthExtendedCompatibility,
+ pincode: result.resourcePolicyPincode ?? result.resourcePincode,
+ password:
+ result.resourcePolicyPassword ?? result.resourcePassword,
+ headerAuth:
+ result.resourcePolicyHeaderAuth ??
+ result.resourceHeaderAuth,
+ headerAuthExtendedCompatibility: result.resourcePolicyHeaderAuth
+ ? ({
+ headerAuthExtendedCompatibilityId: 0,
+ resourceId: result.resources.resourceId,
+ extendedCompatibilityIsActivated:
+ result.resourcePolicyHeaderAuth
+ .extendedCompatibility
+ } as ResourceHeaderAuthExtendedCompatibility)
+ : result.resourceHeaderAuthExtendedCompatibility,
 org: result.orgs
 };
diff --git a/server/private/routers/ssh/signSshKey.ts b/server/private/routers/ssh/signSshKey.ts
index 3919306cf..efddfc0d9 100644
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -78,41 +78,9 @@ export type SignSshKeyResponse = {
 validAfter?: string;
 validBefore?: string;
 expiresIn?: number;
+ authDaemonMode: "site" | "remote" | "native" | null;
 };
-// registry.registerPath({
-// method: "post",
-// path: "/org/{orgId}/ssh/sign-key",
-// description: "Sign an SSH public key for access to a resource.",
-// tags: [OpenAPITags.Org, OpenAPITags.Ssh],
-// request: {
-// params: paramsSchema,
-// body: {
-// content: {
-// "application/json": {
-// schema: bodySchema
-// }
-// }
-// }
-// },
-// responses: {
-// 200: {
-// description: "Successful response",
-// content: {
-// "application/json": {
-// schema: z.object({
-// data: z.unknown().nullable(),
-// success: z.boolean(),
-// error: z.boolean(),
-// message: z.string(),
-// status: z.number()
-// })
-// }
-// }
-// }
-// }
-// });
-
 export async function signSshKey(
 req: Request,
 res: Response,
@@ -654,6 +622,7 @@ export async function signSshKey(
 siteIds: siteIds,
 siteId: siteIds[0], // just pick the first one for backward compatibility with older olms
 keyId: cert?.keyId,
+ authDaemonMode: resource.authDaemonMode,
 validPrincipals: cert?.validPrincipals,
 validAfter: cert?.validAfter.toISOString(),
 validBefore: cert?.validBefore.toISOString(),
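Review bot: The `authDaemonMode` member added to `SignSshKeyResponse` hand-writes the literal union `"site" | "remote" | "native" | null`, while the `@@ -654,6 +622,7 @@` hunk fills it directly from `resource.authDaemonMode`; nothing ties the two together, so if the column's type in the schema is wider (or a plain `string`) the response type becomes an unchecked claim at the API boundary, and if it narrows the two drift silently. Deriving it from the select type keeps them in sync, e.g. `authDaemonMode: Resource["authDaemonMode"];`, assuming the `Resource` type is in scope in this file. It is also the only required member among optional siblings (`validAfter?`, `validBefore?`, `expiresIn?`), which is presumably intended since the second hunk always sets it; a short TSDoc line on the member describing what each mode and `null` mean would help clients consuming the response. `signSshKey` starts inside the first hunk and its body runs well past both.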