Add pass rule

2026-02-10 20:02:26 +00:00 · 2025-08-24 22:20:09 -07:00
parent 72f19274cd
commit 78d3861382
7 changed files with 19 additions and 9 deletions
--- a/server/db/pg/schema.ts
+++ b/server/db/pg/schema.ts
@@ -430,7 +430,7 @@ export const resourceRules = pgTable("resourceRules", {
        .references(() => resources.resourceId, { onDelete: "cascade" }),
    enabled: boolean("enabled").notNull().default(true),
    priority: integer("priority").notNull(),
-    action: varchar("action").notNull(), // ACCEPT, DROP
+    action: varchar("action").notNull(), // ACCEPT, DROP, PASS
    match: varchar("match").notNull(), // CIDR, PATH, IP
    value: varchar("value").notNull()
 });
--- a/server/db/sqlite/schema.ts
+++ b/server/db/sqlite/schema.ts
@@ -570,7 +570,7 @@ export const resourceRules = sqliteTable("resourceRules", {
        .references(() => resources.resourceId, { onDelete: "cascade" }),
    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
    priority: integer("priority").notNull(),
-    action: text("action").notNull(), // ACCEPT, DROP
+    action: text("action").notNull(), // ACCEPT, DROP, PASS
    match: text("match").notNull(), // CIDR, PATH, IP
    value: text("value").notNull()
 });
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -178,6 +178,9 @@ export async function verifyResourceSession(
            } else if (action == "DROP") {
                logger.debug("Resource denied by rule");
                return notAllowed(res);
+            } else if (action == "PASS") {
+                logger.debug("Resource passed by rule, continuing to auth checks");
+                // Continue to authentication checks below
            }

            // otherwise its undefined and we pass
@@ -581,7 +584,7 @@ async function checkRules(
    resourceId: number,
    clientIp: string | undefined,
    path: string | undefined
-): Promise<"ACCEPT" | "DROP" | undefined> {
+): Promise<"ACCEPT" | "DROP" | "PASS" | undefined> {
    const ruleCacheKey = `rules:${resourceId}`;

    let rules: ResourceRule[] | undefined = cache.get(ruleCacheKey);
--- a/server/routers/resource/createResourceRule.ts
+++ b/server/routers/resource/createResourceRule.ts
@@ -17,7 +17,7 @@ import { OpenAPITags, registry } from "@server/openApi";

 const createResourceRuleSchema = z
    .object({
-        action: z.enum(["ACCEPT", "DROP"]),
+        action: z.enum(["ACCEPT", "DROP", "PASS"]),
        match: z.enum(["CIDR", "IP", "PATH"]),
        value: z.string().min(1),
        priority: z.number().int(),
--- a/server/routers/resource/updateResourceRule.ts
+++ b/server/routers/resource/updateResourceRule.ts
@@ -29,7 +29,7 @@ const updateResourceRuleParamsSchema = z
 // Define Zod schema for request body validation
 const updateResourceRuleSchema = z
    .object({
-        action: z.enum(["ACCEPT", "DROP"]).optional(),
+        action: z.enum(["ACCEPT", "DROP", "PASS"]).optional(),
        match: z.enum(["CIDR", "IP", "PATH"]).optional(),
        value: z.string().min(1).optional(),
        priority: z.number().int(),