chore: simplify policy rule update/delete lookups

refactor: dedupe resource rule value validation
fix: update resource rule routes to use shared policy rules
2026-06-22 07:12:04 +00:00 · 2026-06-16 23:52:22 +00:00 · 2026-06-16 23:50:38 +00:00 · 2026-06-16 23:48:46 +00:00 · 2026-06-16 23:43:34 +00:00
8 changed files with 117 additions and 73 deletions
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -62,7 +62,7 @@ jobs:

        steps:
            - name: Checkout code
-              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: Monitor storage space
              run: |
@@ -134,7 +134,7 @@ jobs:

        steps:
            - name: Checkout code
-              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: Monitor storage space
              run: |
@@ -201,7 +201,7 @@ jobs:
        timeout-minutes: 30
        steps:
            - name: Checkout code
-              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: Log in to Docker Hub
              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
@@ -256,7 +256,7 @@ jobs:

        steps:
            - name: Checkout code
-              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: Extract tag name
              id: get-tag
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -21,7 +21,7 @@ jobs:
        runs-on: ubuntu-latest
        steps:
            - name: Checkout code
-              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: Set up Node.js
              uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Node
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -62,7 +62,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Build Docker image sqlite
        run: make dev-build-sqlite
@@ -71,7 +71,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Build Docker image pg
        run: make dev-build-pg
--- a/server/routers/resource/createResourceRule.ts
+++ b/server/routers/resource/createResourceRule.ts
@@ -154,12 +154,8 @@ export async function createResourceRule(
        }

        // Create the new resource rule
-        const isInlinePolicy =
-            resource.resourcePolicyId === null &&
-            resource.defaultResourcePolicyId !== null;
-
-        if (isInlinePolicy) {
-            const policyId = resource.defaultResourcePolicyId!;
+        if (resource.resourcePolicyId !== null) {
+            const policyId = resource.resourcePolicyId;
            const [newRule] = await db
                .insert(resourcePolicyRules)
                .values({
--- a/server/routers/resource/deleteResourceRule.ts
+++ b/server/routers/resource/deleteResourceRule.ts
@@ -2,7 +2,7 @@ import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
 import { resourceRules, resourcePolicyRules, resources } from "@server/db";
-import { eq } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -73,14 +73,18 @@ export async function deleteResourceRule(
            );
        }

-        const isInlinePolicy =
-            resource.resourcePolicyId === null &&
-            resource.defaultResourcePolicyId !== null;
-
-        if (isInlinePolicy) {
+        if (resource.resourcePolicyId !== null) {
            const [deletedRule] = await db
                .delete(resourcePolicyRules)
-                .where(eq(resourcePolicyRules.ruleId, ruleId))
+                .where(
+                    and(
+                        eq(resourcePolicyRules.ruleId, ruleId),
+                        eq(
+                            resourcePolicyRules.resourcePolicyId,
+                            resource.resourcePolicyId
+                        )
+                    )
+                )
                .returning();

            if (!deletedRule) {
--- a/server/routers/resource/getResource.ts
+++ b/server/routers/resource/getResource.ts
@@ -141,16 +141,10 @@ export async function getResource(
            );
        }

-        const isInlinePolicy =
-            resource.resourcePolicyId === null &&
-            resource.defaultResourcePolicyId !== null;
-
        let returnData = resource;
-        if (isInlinePolicy) {
+        if (resource.resourcePolicyId !== null) {
            // get the policy
-            const policy = await queryInlinePolicy(
-                resource.defaultResourcePolicyId!
-            );
+            const policy = await queryInlinePolicy(resource.resourcePolicyId);
            returnData = {
                ...returnData,
                sso: policy?.sso || null,
--- a/server/routers/resource/listResourceRules.ts
+++ b/server/routers/resource/listResourceRules.ts
@@ -140,15 +140,11 @@ export async function listResourceRules(
            );
        }

-        const isInlinePolicy =
-            resource.resourcePolicyId === null &&
-            resource.defaultResourcePolicyId !== null;
-
        let rulesList: Awaited<ReturnType<typeof queryResourceRules>>;
        let totalCount: number;

-        if (isInlinePolicy) {
-            const policyId = resource.defaultResourcePolicyId!;
+        if (resource.resourcePolicyId !== null) {
+            const policyId = resource.resourcePolicyId;
            const policyRules = await queryPolicyRules(policyId)
                .limit(limit)
                .offset(offset);
--- a/server/routers/resource/updateResourceRule.ts
+++ b/server/routers/resource/updateResourceRule.ts
@@ -1,8 +1,8 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { resourceRules, resources } from "@server/db";
-import { eq } from "drizzle-orm";
+import { resourcePolicyRules, resourceRules, resources } from "@server/db";
+import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -37,6 +37,29 @@ const updateResourceRuleSchema = z
        error: "At least one field must be provided for update"
    });

+function getRuleValueValidationError(
+    match: "CIDR" | "IP" | "PATH" | "COUNTRY" | "ASN" | "REGION",
+    value: string
+): string | null {
+    if (match === "CIDR" && !isValidCIDR(value)) {
+        return "Invalid CIDR provided";
+    }
+
+    if (match === "IP" && !isValidIP(value)) {
+        return "Invalid IP provided";
+    }
+
+    if (match === "PATH" && !isValidUrlGlobPattern(value)) {
+        return "Invalid URL glob pattern provided";
+    }
+
+    if (match === "REGION" && !isValidRegionId(value)) {
+        return "Invalid region ID provided";
+    }
+
+    return null;
+}
+
 registry.registerPath({
    method: "post",
    path: "/resource/{resourceId}/rule/{ruleId}",
@@ -128,6 +151,68 @@ export async function updateResourceRule(
            );
        }

+        if (resource.resourcePolicyId !== null) {
+            const [existingRule] = await db
+                .select()
+                .from(resourcePolicyRules)
+                .where(
+                    and(
+                        eq(resourcePolicyRules.ruleId, ruleId),
+                        eq(
+                            resourcePolicyRules.resourcePolicyId,
+                            resource.resourcePolicyId
+                        )
+                    )
+                )
+                .limit(1);
+
+            if (!existingRule) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        `Resource rule with ID ${ruleId} not found`
+                    )
+                );
+            }
+
+            const match = updateData.match || existingRule.match;
+            const { value } = updateData;
+
+            if (value !== undefined) {
+                const validationError = getRuleValueValidationError(
+                    match,
+                    value
+                );
+                if (validationError) {
+                    return next(
+                        createHttpError(HttpCode.BAD_REQUEST, validationError)
+                    );
+                }
+            }
+
+            const [updatedRule] = await db
+                .update(resourcePolicyRules)
+                .set(updateData)
+                .where(
+                    and(
+                        eq(resourcePolicyRules.ruleId, ruleId),
+                        eq(
+                            resourcePolicyRules.resourcePolicyId,
+                            resource.resourcePolicyId
+                        )
+                    )
+                )
+                .returning();
+
+            return response(res, {
+                data: updatedRule,
+                success: true,
+                error: false,
+                message: "Resource rule updated successfully",
+                status: HttpCode.OK
+            });
+        }
+
        // Verify that the rule exists and belongs to the specified resource
        const [existingRule] = await db
            .select()
@@ -157,42 +242,11 @@ export async function updateResourceRule(
        const { value } = updateData;

        if (value !== undefined) {
-            if (match === "CIDR") {
-                if (!isValidCIDR(value)) {
-                    return next(
-                        createHttpError(
-                            HttpCode.BAD_REQUEST,
-                            "Invalid CIDR provided"
-                        )
-                    );
-                }
-            } else if (match === "IP") {
-                if (!isValidIP(value)) {
-                    return next(
-                        createHttpError(
-                            HttpCode.BAD_REQUEST,
-                            "Invalid IP provided"
-                        )
-                    );
-                }
-            } else if (match === "PATH") {
-                if (!isValidUrlGlobPattern(value)) {
-                    return next(
-                        createHttpError(
-                            HttpCode.BAD_REQUEST,
-                            "Invalid URL glob pattern provided"
-                        )
-                    );
-                }
-            } else if (match === "REGION") {
-                if (!isValidRegionId(value)) {
-                    return next(
-                        createHttpError(
-                            HttpCode.BAD_REQUEST,
-                            "Invalid region ID provided"
-                        )
-                    );
-                }
+            const validationError = getRuleValueValidationError(match, value);
+            if (validationError) {
+                return next(
+                    createHttpError(HttpCode.BAD_REQUEST, validationError)
+                );
            }
        }
Author	SHA1	Message	Date
copilot-swe-agent[bot]	0bde633c5f	chore: simplify policy rule update/delete lookups	2026-06-16 23:52:22 +00:00
copilot-swe-agent[bot]	a7c99f336f	refactor: dedupe resource rule value validation	2026-06-16 23:50:38 +00:00
copilot-swe-agent[bot]	0d960181a2	fix: update resource rule routes to use shared policy rules	2026-06-16 23:48:46 +00:00
copilot-swe-agent[bot]	b6862093d1	Initial plan	2026-06-16 23:43:34 +00:00