mirror of
https://github.com/fosrl/pangolin.git
Get user resources from the right table
@@ -47,6 +47,7 @@ export type ResourceWithAuth = {
|
|||||||
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
|
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
|
||||||
applyRules: boolean;
|
applyRules: boolean;
|
||||||
sso: boolean;
|
sso: boolean;
|
||||||
|
emailWhitelistEnabled: boolean;
|
||||||
org: Org;
|
org: Org;
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -222,12 +223,16 @@ export async function getResourceByDomain(
|
|||||||
const effectiveApplyRules =
|
const effectiveApplyRules =
|
||||||
selectedPolicy?.applyRules ?? result.resources.applyRules;
|
selectedPolicy?.applyRules ?? result.resources.applyRules;
|
||||||
const effectiveSSO = selectedPolicy?.sso ?? result.resources.sso;
|
const effectiveSSO = selectedPolicy?.sso ?? result.resources.sso;
|
||||||
|
const effectiveEmailWhitelistEnabled =
|
||||||
|
selectedPolicy?.emailWhitelistEnabled ??
|
||||||
|
result.resources.emailWhitelistEnabled;
|
||||||
|
|
||||||
return {
|
return {
|
||||||
resource: {
|
resource: {
|
||||||
...result.resources,
|
...result.resources,
|
||||||
applyRules: effectiveApplyRules,
|
applyRules: effectiveApplyRules,
|
||||||
sso: effectiveSSO
|
sso: effectiveSSO,
|
||||||
|
emailWhitelistEnabled: effectiveEmailWhitelistEnabled
|
||||||
}, // doing this for backward compatability so the remote nodes get the value as part of the resource struct
|
}, // doing this for backward compatability so the remote nodes get the value as part of the resource struct
|
||||||
pincode: effectivePolicyPincode ?? result.resourcePincode,
|
pincode: effectivePolicyPincode ?? result.resourcePincode,
|
||||||
password: effectivePolicyPassword ?? result.resourcePassword,
|
password: effectivePolicyPassword ?? result.resourcePassword,
|
||||||
@@ -242,6 +247,7 @@ export async function getResourceByDomain(
|
|||||||
: result.resourceHeaderAuthExtendedCompatibility,
|
: result.resourceHeaderAuthExtendedCompatibility,
|
||||||
applyRules: effectiveApplyRules,
|
applyRules: effectiveApplyRules,
|
||||||
sso: effectiveSSO,
|
sso: effectiveSSO,
|
||||||
|
emailWhitelistEnabled: effectiveEmailWhitelistEnabled,
|
||||||
org: result.orgs
|
org: result.orgs
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
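Review bot: The `??` fallback in `effectiveEmailWhitelistEnabled` means a selected policy that carries an explicit `false` switches off a whitelist that is enabled on the resource itself, and nothing near the computation says this precedence is intended. If the policy column is non-nullable (not visible here), the resource's own flag is ignored whenever a policy is selected. Since this value feeds the access decision, I would document it above the assignment: `// Policy value wins whenever it is set, including false; the resource flag applies only when the policy has no value.` The same computation appears in the `hybridRouter.get` section and wants the same comment. The body of `getResourceByDomain` starts outside these hunks.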
|
|||||||
@@ -216,6 +216,9 @@ export type ResourceWithAuth = {
|
|||||||
password: ResourcePassword | ResourcePolicyPassword | null;
|
password: ResourcePassword | ResourcePolicyPassword | null;
|
||||||
headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
|
headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
|
||||||
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
|
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
|
||||||
|
applyRules: boolean;
|
||||||
|
sso: boolean;
|
||||||
|
emailWhitelistEnabled: boolean;
|
||||||
org: Org;
|
org: Org;
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -687,12 +690,16 @@ hybridRouter.get(
|
|||||||
const effectiveApplyRules =
|
const effectiveApplyRules =
|
||||||
selectedPolicy?.applyRules ?? result.resources.applyRules;
|
selectedPolicy?.applyRules ?? result.resources.applyRules;
|
||||||
const effectiveSSO = selectedPolicy?.sso ?? result.resources.sso;
|
const effectiveSSO = selectedPolicy?.sso ?? result.resources.sso;
|
||||||
|
const effectiveEmailWhitelistEnabled =
|
||||||
|
selectedPolicy?.emailWhitelistEnabled ??
|
||||||
|
result.resources.emailWhitelistEnabled;
|
||||||
|
|
||||||
const resourceWithAuth: ResourceWithAuth = {
|
const resourceWithAuth: ResourceWithAuth = {
|
||||||
resource: {
|
resource: {
|
||||||
...result.resources,
|
...result.resources,
|
||||||
applyRules: effectiveApplyRules,
|
applyRules: effectiveApplyRules,
|
||||||
sso: effectiveSSO
|
sso: effectiveSSO,
|
||||||
|
emailWhitelistEnabled: effectiveEmailWhitelistEnabled
|
||||||
},
|
},
|
||||||
pincode: effectivePolicyPincode ?? result.resourcePincode,
|
pincode: effectivePolicyPincode ?? result.resourcePincode,
|
||||||
password: effectivePolicyPassword ?? result.resourcePassword,
|
password: effectivePolicyPassword ?? result.resourcePassword,
|
||||||
@@ -706,6 +713,9 @@ hybridRouter.get(
|
|||||||
effectivePolicyHeaderAuth.extendedCompatibility
|
effectivePolicyHeaderAuth.extendedCompatibility
|
||||||
} as ResourceHeaderAuthExtendedCompatibility)
|
} as ResourceHeaderAuthExtendedCompatibility)
|
||||||
: result.resourceHeaderAuthExtendedCompatibility,
|
: result.resourceHeaderAuthExtendedCompatibility,
|
||||||
|
applyRules: effectiveApplyRules,
|
||||||
|
sso: effectiveSSO,
|
||||||
|
emailWhitelistEnabled: effectiveEmailWhitelistEnabled,
|
||||||
org: result.orgs
|
org: result.orgs
|
||||||
};
|
};
|
||||||
|
|
||||||
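Review bot: This section keeps a second copy of the `ResourceWithAuth` type and of the effective-value computation, and the copy had already drifted: the top-level `applyRules` and `sso` fields are only being added here now, alongside `emailWhitelistEnabled`. A consumer that reads those top-level fields would have received `undefined` from this route before this commit. I would import the type from the module that exports it for `getResourceByDomain` instead of redeclaring it, e.g. `import type { ResourceWithAuth } from "<path-to-query-module>";` (placeholder path), so the next auth field cannot be added in one place only. The handler body starts and ends outside the hunks.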
|
|||||||
@@ -146,6 +146,7 @@ export async function verifyResourceSession(
|
|||||||
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
|
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
|
||||||
applyRules: boolean;
|
applyRules: boolean;
|
||||||
sso: boolean;
|
sso: boolean;
|
||||||
|
emailWhitelistEnabled: boolean;
|
||||||
org: Org;
|
org: Org;
|
||||||
}
|
}
|
||||||
| undefined = localCache.get(resourceCacheKey);
|
| undefined = localCache.get(resourceCacheKey);
|
||||||
@@ -182,6 +183,7 @@ export async function verifyResourceSession(
|
|||||||
pincode,
|
pincode,
|
||||||
password,
|
password,
|
||||||
headerAuth,
|
headerAuth,
|
||||||
|
emailWhitelistEnabled,
|
||||||
headerAuthExtendedCompatibility
|
headerAuthExtendedCompatibility
|
||||||
} = resourceData;
|
} = resourceData;
|
||||||
|
|
||||||
@@ -279,7 +281,7 @@ export async function verifyResourceSession(
|
|||||||
!sso &&
|
!sso &&
|
||||||
!pincode &&
|
!pincode &&
|
||||||
!password &&
|
!password &&
|
||||||
!resource.emailWhitelistEnabled &&
|
!emailWhitelistEnabled &&
|
||||||
!headerAuth
|
!headerAuth
|
||||||
) {
|
) {
|
||||||
logger.debug("Resource allowed because no auth");
|
logger.debug("Resource allowed because no auth");
|
||||||
@@ -464,7 +466,7 @@ export async function verifyResourceSession(
|
|||||||
!sso &&
|
!sso &&
|
||||||
!pincode &&
|
!pincode &&
|
||||||
!password &&
|
!password &&
|
||||||
!resource.emailWhitelistEnabled &&
|
!emailWhitelistEnabled &&
|
||||||
!headerAuthExtendedCompatibility?.extendedCompatibilityIsActivated
|
!headerAuthExtendedCompatibility?.extendedCompatibilityIsActivated
|
||||||
) {
|
) {
|
||||||
logRequestAudit(
|
logRequestAudit(
|
||||||
@@ -486,7 +488,7 @@ export async function verifyResourceSession(
|
|||||||
!sso &&
|
!sso &&
|
||||||
!pincode &&
|
!pincode &&
|
||||||
!password &&
|
!password &&
|
||||||
!resource.emailWhitelistEnabled &&
|
!emailWhitelistEnabled &&
|
||||||
!headerAuthExtendedCompatibility?.extendedCompatibilityIsActivated
|
!headerAuthExtendedCompatibility?.extendedCompatibilityIsActivated
|
||||||
) {
|
) {
|
||||||
logRequestAudit(
|
logRequestAudit(
|
||||||
@@ -634,7 +636,7 @@ export async function verifyResourceSession(
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (
|
if (
|
||||||
resource.emailWhitelistEnabled &&
|
emailWhitelistEnabled &&
|
||||||
(resourceSession.whitelistId ||
|
(resourceSession.whitelistId ||
|
||||||
resourceSession.policyWhitelistId)
|
resourceSession.policyWhitelistId)
|
||||||
) {
|
) {
|
||||||
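Review bot: The destructured `emailWhitelistEnabled` is `undefined` when `resourceData` was produced by code that predates this field, and every `!emailWhitelistEnabled` check in this section then evaluates to true, including the one in front of `"Resource allowed because no auth"`. That could happen with a cache entry written before the upgrade or a response from a server still on the older version; neither is visible here, so this is inferred. The old expression read the flag from `resource`, which older producers did populate, so a fallback keeps the check closed: drop the name from the destructure and use `const emailWhitelistEnabled = resourceData.emailWhitelistEnabled ?? resource.emailWhitelistEnabled;`. `verifyResourceSession` starts and ends outside these hunks.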
|
|||||||
@@ -80,14 +80,32 @@ export async function getUserResources(
|
|||||||
const directResourcesQuery = db
|
const directResourcesQuery = db
|
||||||
.select({ resourceId: userResources.resourceId })
|
.select({ resourceId: userResources.resourceId })
|
||||||
.from(userResources)
|
.from(userResources)
|
||||||
.where(eq(userResources.userId, userId));
|
.innerJoin(
|
||||||
|
resources,
|
||||||
|
eq(userResources.resourceId, resources.resourceId)
|
||||||
|
)
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(userResources.userId, userId),
|
||||||
|
eq(resources.orgId, orgId)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
const roleResourcesQuery =
|
const roleResourcesQuery =
|
||||||
userRoleIds.length > 0
|
userRoleIds.length > 0
|
||||||
? db
|
? db
|
||||||
.select({ resourceId: roleResources.resourceId })
|
.select({ resourceId: roleResources.resourceId })
|
||||||
.from(roleResources)
|
.from(roleResources)
|
||||||
.where(inArray(roleResources.roleId, userRoleIds))
|
.innerJoin(
|
||||||
|
resources,
|
||||||
|
eq(roleResources.resourceId, resources.resourceId)
|
||||||
|
)
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
inArray(roleResources.roleId, userRoleIds),
|
||||||
|
eq(resources.orgId, orgId)
|
||||||
|
)
|
||||||
|
)
|
||||||
: Promise.resolve([]);
|
: Promise.resolve([]);
|
||||||
|
|
||||||
const directPolicyResourcesQuery = db
|
const directPolicyResourcesQuery = db
|
||||||
@@ -97,7 +115,9 @@ export async function getUserResources(
|
|||||||
userPolicies,
|
userPolicies,
|
||||||
eq(effectiveResourcePolicyId, userPolicies.resourcePolicyId)
|
eq(effectiveResourcePolicyId, userPolicies.resourcePolicyId)
|
||||||
)
|
)
|
||||||
.where(eq(userPolicies.userId, userId));
|
.where(
|
||||||
|
and(eq(userPolicies.userId, userId), eq(resources.orgId, orgId))
|
||||||
|
);
|
||||||
|
|
||||||
const rolePolicyResourcesQuery =
|
const rolePolicyResourcesQuery =
|
||||||
userRoleIds.length > 0
|
userRoleIds.length > 0
|
||||||
@@ -111,7 +131,12 @@ export async function getUserResources(
|
|||||||
rolePolicies.resourcePolicyId
|
rolePolicies.resourcePolicyId
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
.where(inArray(rolePolicies.roleId, userRoleIds))
|
.where(
|
||||||
|
and(
|
||||||
|
inArray(rolePolicies.roleId, userRoleIds),
|
||||||
|
eq(resources.orgId, orgId)
|
||||||
|
)
|
||||||
|
)
|
||||||
: Promise.resolve([]);
|
: Promise.resolve([]);
|
||||||
|
|
||||||
const directSiteResourcesQuery = db
|
const directSiteResourcesQuery = db
|
||||||
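Review bot: The `eq(resources.orgId, orgId)` condition is added to four queries, but `directSiteResourcesQuery` begins on the last line of the hunk and the rest of `getUserResources` is outside it, so it is not visible whether the site-resource lookups are scoped to the org in the same way. If they are not, grants from another organisation would still be returned through that path. I would state the invariant once above the first query, `// Every grant lookup below must filter on orgId; a user's grants in other orgs must not be returned here.`, and add a regression test with a user who holds grants in two orgs.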
|
|||||||