Fix #3252

2026-06-13 19:07:18 +00:00 · 2026-06-12 14:44:45 -07:00
parent 5a8a48f9bf
commit 3fd5c98def
3 changed files with 50 additions and 5 deletions
--- a/server/lib/blueprints/applyNewtDockerBlueprint.ts
+++ b/server/lib/blueprints/applyNewtDockerBlueprint.ts
@@ -71,7 +71,10 @@ export async function applyNewtDockerBlueprint(
    let skippedKeys: string[] = [];

    try {
-        const blueprint = processContainerLabels(containers);
+        // Some Newt clients can report null/undefined containers when Docker
+        // labels are unavailable. Treat that as an empty blueprint payload.
+        const safeContainers = Array.isArray(containers) ? containers : [];
+        const blueprint = processContainerLabels(safeContainers);

        logger.debug(
            `Received Docker blueprint with ${Object.keys(blueprint["proxy-resources"]).length} proxy, ${Object.keys(blueprint["client-resources"]).length} client resource(s)`
--- a/server/lib/blueprints/publicResources.ts
+++ b/server/lib/blueprints/publicResources.ts
@@ -945,7 +945,45 @@ export async function updatePublicResources(
                }
            } else {
                // INLINE POLICY MODE: sync rules into policy-level table
-                const inlinePolicyId = resource!.defaultResourcePolicyId!;
+                let inlinePolicyId = resource!.defaultResourcePolicyId;
+
+                // Targets-only updates skip the auth/policy update branch above,
+                // so pre-1.19 resources can still have no inline policy linked.
+                if (!inlinePolicyId) {
+                    const [adminRole] = await trx
+                        .select()
+                        .from(roles)
+                        .where(
+                            and(eq(roles.isAdmin, true), eq(roles.orgId, orgId))
+                        )
+                        .limit(1);
+
+                    if (!adminRole) {
+                        throw new Error(`Admin role not found`);
+                    }
+
+                    inlinePolicyId = await ensureInlinePolicy(
+                        existingResource.defaultResourcePolicyId,
+                        orgId,
+                        resourceNiceId,
+                        adminRole.roleId,
+                        trx
+                    );
+
+                    [resource] = await trx
+                        .update(resources)
+                        .set({
+                            resourcePolicyId: null,
+                            defaultResourcePolicyId: inlinePolicyId
+                        })
+                        .where(
+                            eq(
+                                resources.resourceId,
+                                existingResource.resourceId
+                            )
+                        )
+                        .returning();
+                }

                // Clear the old resource-level rules table
                await trx