From 4c8bd4db0a781606a50f5e190c466a1691d6f225 Mon Sep 17 00:00:00 2001 From: miloschwartz Date: Mon, 6 Jul 2026 22:00:35 -0400 Subject: [PATCH] includen on sso resources in launcher --- .../launcher/launcherResourceAccess.ts | 55 +++++++++++++++++-- 1 file changed, 51 insertions(+), 4 deletions(-) diff --git a/server/routers/launcher/launcherResourceAccess.ts b/server/routers/launcher/launcherResourceAccess.ts index 246f86688..0784dff70 100644 --- a/server/routers/launcher/launcherResourceAccess.ts +++ b/server/routers/launcher/launcherResourceAccess.ts @@ -1,10 +1,11 @@ import { createHash } from "node:crypto"; -import { db } from "@server/db"; +import { alias, db } from "@server/db"; import { exitNodes, labels, launcherViews, resourceLabels, + resourcePolicies, resources, rolePolicies, roleResources, @@ -31,6 +32,7 @@ import { inArray, isNull, like, + not, or, sql, type SQL @@ -134,6 +136,48 @@ function launcherAccessibleIdsCacheKey( return `launcherAccessibleIds:${orgId}:${userId}:${rolesKey}`; } +async function fetchOrgNonSsoPublicResourceIds( + orgId: string +): Promise { + const sharedPolicy = alias(resourcePolicies, "sharedPolicy"); + const defaultPolicy = alias(resourcePolicies, "defaultPolicy"); + + const effectiveSso = sql` + COALESCE( + CASE + WHEN ${sharedPolicy.resourcePolicyId} IS NOT NULL THEN ${sharedPolicy.sso} + ELSE ${defaultPolicy.sso} + END, + false + ) + `; + + const rows = await db + .select({ resourceId: resources.resourceId }) + .from(resources) + .leftJoin( + sharedPolicy, + eq(sharedPolicy.resourcePolicyId, resources.resourcePolicyId) + ) + .leftJoin( + defaultPolicy, + eq( + defaultPolicy.resourcePolicyId, + resources.defaultResourcePolicyId + ) + ) + .where( + and( + eq(resources.orgId, orgId), + eq(resources.enabled, true), + eq(resources.blockAccess, false), + not(effectiveSso) + ) + ); + + return rows.map((row) => row.resourceId); +} + async function resolveAccessibleIdsUncached( orgId: string, userId: string, @@ -145,7 +189,8 @@ async function resolveAccessibleIdsUncached( directPolicyResourceResults, rolePolicyResourceResults, directSiteResourceResults, - roleSiteResourceResults + roleSiteResourceResults, + orgNonSsoPublicResources ] = await Promise.all([ db .select({ resourceId: userResources.resourceId }) @@ -214,7 +259,8 @@ async function resolveAccessibleIdsUncached( }) .from(roleSiteResources) .where(inArray(roleSiteResources.roleId, userRoleIds)) - : Promise.resolve([]) + : Promise.resolve([]), + fetchOrgNonSsoPublicResourceIds(orgId) ]); return { @@ -223,7 +269,8 @@ async function resolveAccessibleIdsUncached( ...directResources.map((r) => r.resourceId), ...roleResourceResults.map((r) => r.resourceId), ...directPolicyResourceResults.map((r) => r.resourceId), - ...rolePolicyResourceResults.map((r) => r.resourceId) + ...rolePolicyResourceResults.map((r) => r.resourceId), + ...orgNonSsoPublicResources ]) ), siteResourceIds: Array.from(