chore: simplify policy rule update/delete lookups

refactor: dedupe resource rule value validation
fix: update resource rule routes to use shared policy rules
2026-06-17 04:47:11 +00:00 · 2026-06-16 23:52:22 +00:00 · 2026-06-16 23:50:38 +00:00 · 2026-06-16 23:48:46 +00:00 · 2026-06-16 23:43:34 +00:00
7 changed files with 115 additions and 71 deletions
--- a/install/go.mod
+++ b/install/go.mod
@@ -5,7 +5,7 @@ go 1.25.0
 require (
 	github.com/charmbracelet/huh v1.0.0
 	github.com/charmbracelet/lipgloss v1.1.0
-	golang.org/x/term v0.44.0
+	golang.org/x/term v0.43.0
 	gopkg.in/yaml.v3 v3.0.1
 )

@@ -33,6 +33,6 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.46.0 // indirect
+	golang.org/x/sys v0.44.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 )
--- a/install/go.sum
+++ b/install/go.sum
@@ -69,10 +69,10 @@ golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
-golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.44.0 h1:0rLvDRCtNj0gZkyIXhCyOb2OAzEhLVqc4B+hrsBhrmc=
-golang.org/x/term v0.44.0/go.mod h1:7ze4MdzUzLXpSAoFP1H0bOI9aXDqveSvatT5vKcFh2Y=
+golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
+golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
--- a/server/routers/resource/createResourceRule.ts
+++ b/server/routers/resource/createResourceRule.ts
@@ -154,12 +154,8 @@ export async function createResourceRule(
        }

        // Create the new resource rule
-        const isInlinePolicy =
-            resource.resourcePolicyId === null &&
-            resource.defaultResourcePolicyId !== null;
-
-        if (isInlinePolicy) {
-            const policyId = resource.defaultResourcePolicyId!;
+        if (resource.resourcePolicyId !== null) {
+            const policyId = resource.resourcePolicyId;
            const [newRule] = await db
                .insert(resourcePolicyRules)
                .values({
--- a/server/routers/resource/deleteResourceRule.ts
+++ b/server/routers/resource/deleteResourceRule.ts
@@ -2,7 +2,7 @@ import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
 import { resourceRules, resourcePolicyRules, resources } from "@server/db";
-import { eq } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -73,14 +73,18 @@ export async function deleteResourceRule(
            );
        }

-        const isInlinePolicy =
-            resource.resourcePolicyId === null &&
-            resource.defaultResourcePolicyId !== null;
-
-        if (isInlinePolicy) {
+        if (resource.resourcePolicyId !== null) {
            const [deletedRule] = await db
                .delete(resourcePolicyRules)
-                .where(eq(resourcePolicyRules.ruleId, ruleId))
+                .where(
+                    and(
+                        eq(resourcePolicyRules.ruleId, ruleId),
+                        eq(
+                            resourcePolicyRules.resourcePolicyId,
+                            resource.resourcePolicyId
+                        )
+                    )
+                )
                .returning();

            if (!deletedRule) {
--- a/server/routers/resource/getResource.ts
+++ b/server/routers/resource/getResource.ts
@@ -141,16 +141,10 @@ export async function getResource(
            );
        }

-        const isInlinePolicy =
-            resource.resourcePolicyId === null &&
-            resource.defaultResourcePolicyId !== null;
-
        let returnData = resource;
-        if (isInlinePolicy) {
+        if (resource.resourcePolicyId !== null) {
            // get the policy
-            const policy = await queryInlinePolicy(
-                resource.defaultResourcePolicyId!
-            );
+            const policy = await queryInlinePolicy(resource.resourcePolicyId);
            returnData = {
                ...returnData,
                sso: policy?.sso || null,
--- a/server/routers/resource/listResourceRules.ts
+++ b/server/routers/resource/listResourceRules.ts
@@ -140,15 +140,11 @@ export async function listResourceRules(
            );
        }

-        const isInlinePolicy =
-            resource.resourcePolicyId === null &&
-            resource.defaultResourcePolicyId !== null;
-
        let rulesList: Awaited<ReturnType<typeof queryResourceRules>>;
        let totalCount: number;

-        if (isInlinePolicy) {
-            const policyId = resource.defaultResourcePolicyId!;
+        if (resource.resourcePolicyId !== null) {
+            const policyId = resource.resourcePolicyId;
            const policyRules = await queryPolicyRules(policyId)
                .limit(limit)
                .offset(offset);
--- a/server/routers/resource/updateResourceRule.ts
+++ b/server/routers/resource/updateResourceRule.ts
@@ -1,8 +1,8 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { resourceRules, resources } from "@server/db";
-import { eq } from "drizzle-orm";
+import { resourcePolicyRules, resourceRules, resources } from "@server/db";
+import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -37,6 +37,29 @@ const updateResourceRuleSchema = z
        error: "At least one field must be provided for update"
    });

+function getRuleValueValidationError(
+    match: "CIDR" | "IP" | "PATH" | "COUNTRY" | "ASN" | "REGION",
+    value: string
+): string | null {
+    if (match === "CIDR" && !isValidCIDR(value)) {
+        return "Invalid CIDR provided";
+    }
+
+    if (match === "IP" && !isValidIP(value)) {
+        return "Invalid IP provided";
+    }
+
+    if (match === "PATH" && !isValidUrlGlobPattern(value)) {
+        return "Invalid URL glob pattern provided";
+    }
+
+    if (match === "REGION" && !isValidRegionId(value)) {
+        return "Invalid region ID provided";
+    }
+
+    return null;
+}
+
 registry.registerPath({
    method: "post",
    path: "/resource/{resourceId}/rule/{ruleId}",
@@ -128,6 +151,68 @@ export async function updateResourceRule(
            );
        }

+        if (resource.resourcePolicyId !== null) {
+            const [existingRule] = await db
+                .select()
+                .from(resourcePolicyRules)
+                .where(
+                    and(
+                        eq(resourcePolicyRules.ruleId, ruleId),
+                        eq(
+                            resourcePolicyRules.resourcePolicyId,
+                            resource.resourcePolicyId
+                        )
+                    )
+                )
+                .limit(1);
+
+            if (!existingRule) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        `Resource rule with ID ${ruleId} not found`
+                    )
+                );
+            }
+
+            const match = updateData.match || existingRule.match;
+            const { value } = updateData;
+
+            if (value !== undefined) {
+                const validationError = getRuleValueValidationError(
+                    match,
+                    value
+                );
+                if (validationError) {
+                    return next(
+                        createHttpError(HttpCode.BAD_REQUEST, validationError)
+                    );
+                }
+            }
+
+            const [updatedRule] = await db
+                .update(resourcePolicyRules)
+                .set(updateData)
+                .where(
+                    and(
+                        eq(resourcePolicyRules.ruleId, ruleId),
+                        eq(
+                            resourcePolicyRules.resourcePolicyId,
+                            resource.resourcePolicyId
+                        )
+                    )
+                )
+                .returning();
+
+            return response(res, {
+                data: updatedRule,
+                success: true,
+                error: false,
+                message: "Resource rule updated successfully",
+                status: HttpCode.OK
+            });
+        }
+
        // Verify that the rule exists and belongs to the specified resource
        const [existingRule] = await db
            .select()
@@ -157,42 +242,11 @@ export async function updateResourceRule(
        const { value } = updateData;

        if (value !== undefined) {
-            if (match === "CIDR") {
-                if (!isValidCIDR(value)) {
-                    return next(
-                        createHttpError(
-                            HttpCode.BAD_REQUEST,
-                            "Invalid CIDR provided"
-                        )
-                    );
-                }
-            } else if (match === "IP") {
-                if (!isValidIP(value)) {
-                    return next(
-                        createHttpError(
-                            HttpCode.BAD_REQUEST,
-                            "Invalid IP provided"
-                        )
-                    );
-                }
-            } else if (match === "PATH") {
-                if (!isValidUrlGlobPattern(value)) {
-                    return next(
-                        createHttpError(
-                            HttpCode.BAD_REQUEST,
-                            "Invalid URL glob pattern provided"
-                        )
-                    );
-                }
-            } else if (match === "REGION") {
-                if (!isValidRegionId(value)) {
-                    return next(
-                        createHttpError(
-                            HttpCode.BAD_REQUEST,
-                            "Invalid region ID provided"
-                        )
-                    );
-                }
+            const validationError = getRuleValueValidationError(match, value);
+            if (validationError) {
+                return next(
+                    createHttpError(HttpCode.BAD_REQUEST, validationError)
+                );
            }
        }
Author	SHA1	Message	Date
copilot-swe-agent[bot]	0bde633c5f	chore: simplify policy rule update/delete lookups	2026-06-16 23:52:22 +00:00
copilot-swe-agent[bot]	a7c99f336f	refactor: dedupe resource rule value validation	2026-06-16 23:50:38 +00:00
copilot-swe-agent[bot]	0d960181a2	fix: update resource rule routes to use shared policy rules	2026-06-16 23:48:46 +00:00
copilot-swe-agent[bot]	b6862093d1	Initial plan	2026-06-16 23:43:34 +00:00