Merge branch 'main' into migrate-cedar-policy-groups-to-signals

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: gugu

backend/src/common/data-injection.tokens.ts

@@ -43,6 +43,7 @@ export enum UseCaseType {
 	REFRESH_CONNECTION_AGENT_TOKEN = 'REFRESH_CONNECTION_AGENT_TOKEN',
 	VALIDATE_CONNECTION_MASTER_PASSWORD = 'VALIDATE_CONNECTION_MASTER_PASSWORD',
 	UNFREEZE_CONNECTION = 'UNFREEZE_CONNECTION',
+	UPDATE_CONNECTION_TITLE = 'UPDATE_CONNECTION_TITLE',
 
 	FIND_ALL_USER_GROUPS = 'FIND_ALL_USER_GROUPS',
 	INVITE_USER_IN_GROUP = 'INVITE_USER_IN_GROUP',
@@ -117,6 +118,7 @@ export enum UseCaseType {
 	SAAS_CREATE_CONNECTION_FOR_HOSTED_DB = 'SAAS_CREATE_CONNECTION_FOR_HOSTED_DB',
 	SAAS_DELETE_CONNECTION_FOR_HOSTED_DB = 'SAAS_DELETE_CONNECTION_FOR_HOSTED_DB',
 	SAAS_UPDATE_HOSTED_CONNECTION_PASSWORD = 'SAAS_UPDATE_HOSTED_CONNECTION_PASSWORD',
+	SAAS_GET_CONNECTIONS_INFO_BY_IDS = 'SAAS_GET_CONNECTIONS_INFO_BY_IDS',
 
 	INVITE_USER_IN_COMPANY_AND_CONNECTION_GROUP = 'INVITE_USER_IN_COMPANY_AND_CONNECTION_GROUP',
 	VERIFY_INVITE_USER_IN_COMPANY_AND_CONNECTION_GROUP = 'VERIFY_INVITE_USER_IN_COMPANY_AND_CONNECTION_GROUP',

backend/src/entities/cedar-authorization/cedar-permissions.service.ts

@@ -1,16 +1,16 @@
+import * as cedarWasm from '@cedar-policy/cedar-wasm/nodejs';
 import { HttpException, HttpStatus, Inject, Injectable } from '@nestjs/common';
+import { IGlobalDatabaseContext } from '../../common/application/global-database-context.interface.js';
+import { BaseType } from '../../common/data-injection.tokens.js';
 import { AccessLevelEnum } from '../../enums/index.js';
 import { Messages } from '../../exceptions/text/messages.js';
 import { Cacher } from '../../helpers/cache/cacher.js';
-import { IGlobalDatabaseContext } from '../../common/application/global-database-context.interface.js';
-import { BaseType } from '../../common/data-injection.tokens.js';
 import { GroupEntity } from '../group/group.entity.js';
 import { ITablePermissionData } from '../permission/permission.interface.js';
-import { CedarAction, CedarResourceType, CEDAR_ACTION_TYPE, CEDAR_USER_TYPE } from './cedar-action-map.js';
+import { IUserAccessRepository } from '../user-access/repository/user-access.repository.interface.js';
+import { CEDAR_ACTION_TYPE, CEDAR_USER_TYPE, CedarAction, CedarResourceType } from './cedar-action-map.js';
 import { buildCedarEntities } from './cedar-entity-builder.js';
 import { CEDAR_SCHEMA } from './cedar-schema.js';
-import * as cedarWasm from '@cedar-policy/cedar-wasm/nodejs';
-import { IUserAccessRepository } from '../user-access/repository/user-access.repository.interface.js';
 
 interface EvalContext {
 	userGroups: Array<GroupEntity>;
@@ -58,6 +58,69 @@ export class CedarPermissionsService implements IUserAccessRepository {
 		return AccessLevelEnum.none;
 	}
 
+	async getUserConnectionAccessLevelsForMultipleConnections(
+		userId: string,
+		connectionIds: Array<string>,
+	): Promise<Map<string, AccessLevelEnum>> {
+		const result = new Map<string, AccessLevelEnum>();
+		if (connectionIds.length === 0) return result;
+
+		const allGroups = await this.globalDbContext.groupRepository.findAllUserGroupsInConnections(connectionIds, userId);
+
+		const groupsByConnection = new Map<string, Array<GroupEntity>>();
+		for (const group of allGroups) {
+			const connId = group.connection?.id;
+			if (!connId) continue;
+			if (!groupsByConnection.has(connId)) {
+				groupsByConnection.set(connId, []);
+			}
+			groupsByConnection.get(connId).push(group);
+		}
+
+		for (const connectionId of connectionIds) {
+			const userGroups = groupsByConnection.get(connectionId);
+			if (!userGroups || userGroups.length === 0) {
+				result.set(connectionId, AccessLevelEnum.none);
+				continue;
+			}
+
+			const policies = userGroups.map((g) => g.cedarPolicy).filter(Boolean);
+			if (policies.length === 0) {
+				result.set(connectionId, AccessLevelEnum.none);
+				continue;
+			}
+
+			const entities = buildCedarEntities(userId, userGroups, connectionId);
+			if (
+				this.evaluatePolicies(
+					userId,
+					CedarAction.ConnectionEdit,
+					CedarResourceType.Connection,
+					connectionId,
+					policies,
+					entities,
+				)
+			) {
+				result.set(connectionId, AccessLevelEnum.edit);
+			} else if (
+				this.evaluatePolicies(
+					userId,
+					CedarAction.ConnectionRead,
+					CedarResourceType.Connection,
+					connectionId,
+					policies,
+					entities,
+				)
+			) {
+				result.set(connectionId, AccessLevelEnum.readonly);
+			} else {
+				result.set(connectionId, AccessLevelEnum.none);
+			}
+		}
+
+		return result;
+	}
+
 	async checkUserConnectionRead(cognitoUserName: string, connectionId: string): Promise<boolean> {
 		const ctx = await this.loadContext(connectionId, cognitoUserName);
 		if (!ctx) return false;
@@ -372,5 +435,4 @@ export class CedarPermissionsService implements IUserAccessRepository {
 
 		return { userGroups, policies };
 	}
-
 }

backend/src/entities/company-info/repository/company-info-custom-repository.extension.ts

@@ -1,5 +1,6 @@
 import { Constants } from '../../../helpers/constants/constants.js';
 import { ConnectionEntity } from '../../connection/connection.entity.js';
+import { decryptConnectionsCredentialsAsync } from '../../connection/utils/decrypt-connection-credentials-async.js';
 import { CompanyInfoEntity } from '../company-info.entity.js';
 import { ICompanyInfoRepository } from './company-info-repository.interface.js';
 
@@ -19,11 +20,15 @@ export const companyInfoRepositoryExtension: ICompanyInfoRepository = {
 	},
 
 	async findOneCompanyInfoByUserIdWithConnections(userId: string): Promise<CompanyInfoEntity> {
-		return await this.createQueryBuilder('company_info')
+		const result = await this.createQueryBuilder('company_info')
 			.leftJoinAndSelect('company_info.users', 'users')
 			.leftJoinAndSelect('company_info.connections', 'connections')
 			.where('users.id = :userId', { userId })
 			.getOne();
+		if (result?.connections?.length) {
+			await decryptConnectionsCredentialsAsync(result.connections);
+		}
+		return result;
 	},
 
 	async findCompanyInfoByUserId(userId: string): Promise<CompanyInfoEntity> {
@@ -55,7 +60,7 @@ export const companyInfoRepositoryExtension: ICompanyInfoRepository = {
 
 	// returns groups and connections where user is invited
 	async findFullCompanyInfoByUserId(userId: string): Promise<CompanyInfoEntity> {
-		return await this.createQueryBuilder('company_info')
+		const result = await this.createQueryBuilder('company_info')
 			.leftJoinAndSelect('company_info.logo', 'logo')
 			.leftJoinAndSelect('company_info.favicon', 'favicon')
 			.leftJoinAndSelect('company_info.tab_title', 'tab_title')
@@ -68,6 +73,10 @@ export const companyInfoRepositoryExtension: ICompanyInfoRepository = {
 			.leftJoinAndSelect('groups.users', 'groups_users')
 			.where('current_user.id = :userId', { userId })
 			.getOne();
+		if (result?.connections?.length) {
+			await decryptConnectionsCredentialsAsync(result.connections);
+		}
+		return result;
 	},
 
 	async findCompanyInfosByUserEmail(userEmail: string): Promise<CompanyInfoEntity[]> {
@@ -87,10 +96,12 @@ export const companyInfoRepositoryExtension: ICompanyInfoRepository = {
 			.andWhere('connections.isTestConnection IS FALSE')
 			.andWhere('connections.is_frozen IS FALSE')
 			.getMany();
-		return foundCompaniesWithPaidConnections
+		const connections = foundCompaniesWithPaidConnections
 			.map((companyInfo: CompanyInfoEntity) => companyInfo.connections)
 			.filter(Boolean)
 			.flat();
+		await decryptConnectionsCredentialsAsync(connections);
+		return connections;
 	},
 
 	async findCompanyFrozenPaidConnections(companyIds: Array<string>): Promise<Array<ConnectionEntity>> {
@@ -102,10 +113,12 @@ export const companyInfoRepositoryExtension: ICompanyInfoRepository = {
 			.andWhere('connections.isTestConnection IS FALSE')
 			.andWhere('connections.is_frozen IS TRUE')
 			.getMany();
-		return foundCompaniesWithPaidConnections
+		const connections = foundCompaniesWithPaidConnections
 			.map((companyInfo: CompanyInfoEntity) => companyInfo.connections)
 			.filter(Boolean)
 			.flat();
+		await decryptConnectionsCredentialsAsync(connections);
+		return connections;
 	},
 
 	async findCompanyWithLogo(companyId: string): Promise<CompanyInfoEntity> {

backend/src/entities/connection/application/data-structures/update-connection-title.ds.ts

@@ -0,0 +1,5 @@
+export class UpdateConnectionTitleDs {
+	connectionId: string;
+	userId: string;
+	title: string;
+}

backend/src/entities/connection/application/dto/update-connection-title.dto.ts

@@ -0,0 +1,9 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsNotEmpty, IsString } from 'class-validator';
+
+export class UpdateConnectionTitleDto {
+	@ApiProperty()
+	@IsString()
+	@IsNotEmpty()
+	title: string;
+}

backend/src/entities/connection/connection.controller.ts

@@ -41,6 +41,7 @@ import { GetGroupsInConnectionDs } from './application/data-structures/get-group
 import { GetPermissionsInConnectionDs } from './application/data-structures/get-permissions-in-connection.ds.js';
 import { RestoredConnectionDs } from './application/data-structures/restored-connection.ds.js';
 import { UpdateConnectionDs } from './application/data-structures/update-connection.ds.js';
+import { UpdateConnectionTitleDs } from './application/data-structures/update-connection-title.ds.js';
 import { UpdateMasterPasswordDs } from './application/data-structures/update-master-password.ds.js';
 import { ValidateConnectionMasterPasswordDs } from './application/data-structures/validate-connection-master-password.ds.js';
 import { CreateConnectionDto } from './application/dto/create-connection.dto.js';
@@ -51,6 +52,7 @@ import { DeleteGroupFromConnectionDTO } from './application/dto/delete-group-fro
 import { FoundUserGroupsInConnectionDTO } from './application/dto/found-user-groups-in-connection.dto.js';
 import { ConnectionTokenResponseDTO } from './application/dto/new-connection-token-response.dto.js';
 import { TestConnectionResponseDTO } from './application/dto/test-connection-response.dto.js';
+import { UpdateConnectionTitleDto } from './application/dto/update-connection-title.dto.js';
 import { UpdateMasterPasswordRequestBodyDto } from './application/dto/update-master-password-request-body.dto.js';
 import { UpdatedConnectionResponseDTO } from './application/dto/updated-connection-response.dto.js';
 import { ValidationResultRo } from './application/dto/validation-result.ro.js';
@@ -69,6 +71,7 @@ import {
 	ITestConnection,
 	IUnfreezeConnection,
 	IUpdateConnection,
+	IUpdateConnectionTitle,
 	IUpdateMasterPassword,
 	IValidateConnectionMasterPassword,
 	IValidateConnectionToken,
@@ -120,6 +123,8 @@ export class ConnectionController {
 		private readonly validateConnectionMasterPasswordUseCase: IValidateConnectionMasterPassword,
 		@Inject(UseCaseType.UNFREEZE_CONNECTION)
 		private readonly unfreezeConnectionUseCase: IUnfreezeConnection,
+		@Inject(UseCaseType.UPDATE_CONNECTION_TITLE)
+		private readonly updateConnectionTitleUseCase: IUpdateConnectionTitle,
 		@Inject(BaseType.GLOBAL_DB_CONTEXT)
 		protected _dbContext: IGlobalDatabaseContext,
 		private readonly amplitudeService: AmplitudeService,
@@ -685,4 +690,29 @@ export class ConnectionController {
 		}
 		return await this.unfreezeConnectionUseCase.execute({ connectionId, userId }, InTransactionEnum.ON);
 	}
+
+	@ApiOperation({ summary: 'Update connection title' })
+	@ApiBody({ type: UpdateConnectionTitleDto })
+	@ApiResponse({
+		status: 200,
+		type: SuccessResponse,
+		description: 'Connection title was updated.',
+	})
+	@UseGuards(ConnectionEditGuard)
+	@Put('/connection/title/:connectionId')
+	async updateConnectionTitle(
+		@Body() titleData: UpdateConnectionTitleDto,
+		@SlugUuid('connectionId') connectionId: string,
+		@UserId() userId: string,
+	): Promise<SuccessResponse> {
+		if (!connectionId) {
+			throw new BadRequestException(Messages.CONNECTION_ID_MISSING);
+		}
+		const inputData: UpdateConnectionTitleDs = {
+			connectionId,
+			userId,
+			title: titleData.title,
+		};
+		return await this.updateConnectionTitleUseCase.execute(inputData, InTransactionEnum.ON);
+	}
 }

backend/src/entities/connection/connection.entity.ts

@@ -1,7 +1,7 @@
+import { ConnectionTypesEnum } from '@rocketadmin/shared-code/dist/src/shared/enums/connection-types-enum.js';
 import { Expose } from 'class-transformer';
 import { nanoid } from 'nanoid';
 import {
-	AfterLoad,
 	BeforeInsert,
 	BeforeUpdate,
 	Column,
@@ -13,8 +13,6 @@ import {
 	PrimaryColumn,
 	Relation,
 } from 'typeorm';
-import { ConnectionTypesEnum } from '@rocketadmin/shared-code/dist/src/shared/enums/connection-types-enum.js';
-import { Constants } from '../../helpers/constants/constants.js';
 import { Encryptor } from '../../helpers/encryption/encryptor.js';
 import { isConnectionTypeAgent } from '../../helpers/index.js';
 import { AgentEntity } from '../agent/agent.entity.js';
@@ -118,9 +116,18 @@ export class ConnectionEntity {
 	@Column({ default: null })
 	master_hash?: string | null;
 
+	/**
+	 * Non-persisted flag indicating whether credentials are currently in decrypted state.
+	 * Used by @BeforeUpdate to decide whether encryption is needed.
+	 */
+	credentialsDecrypted = false;
+
 	@BeforeUpdate()
 	updateTimestampEncryptCredentials(): void {
 		this.updatedAt = new Date();
+		if (!this.credentialsDecrypted) {
+			return;
+		}
 		if (!isConnectionTypeAgent(this.type)) {
 			this.host = Encryptor.encryptData(this.host);
 			this.database = Encryptor.encryptData(this.database);
@@ -138,6 +145,7 @@ export class ConnectionEntity {
 				this.cert = Encryptor.encryptData(this.cert);
 			}
 		}
+		this.credentialsDecrypted = false;
 	}
 
 	@BeforeInsert()
@@ -168,51 +176,8 @@ export class ConnectionEntity {
 		}
 	}
 
-	@AfterLoad()
-	decryptCredentials(): void {
-		if (this.isTestConnection) {
-			const testConnectionsArray = Constants.getTestConnectionsArr();
-			const foundTestConnectionByType = testConnectionsArray.find(
-				(testConnection) => testConnection.type === this.type,
-			);
-			if (foundTestConnectionByType) {
-				this.host = foundTestConnectionByType.host;
-				this.database = foundTestConnectionByType.database;
-				this.username = foundTestConnectionByType.username;
-				this.password = foundTestConnectionByType.password;
-				this.port = foundTestConnectionByType.port;
-				this.ssh = foundTestConnectionByType.ssh;
-				this.privateSSHKey = foundTestConnectionByType.privateSSHKey;
-				this.sshHost = foundTestConnectionByType.sshHost;
-				this.sshPort = foundTestConnectionByType.sshPort;
-				this.sshUsername = foundTestConnectionByType.sshUsername;
-				this.ssl = foundTestConnectionByType.ssl;
-				this.cert = foundTestConnectionByType.cert;
-				this.authSource = foundTestConnectionByType.authSource;
-				this.sid = foundTestConnectionByType.sid;
-				this.schema = foundTestConnectionByType.schema;
-				this.azure_encryption = foundTestConnectionByType.azure_encryption;
-			}
-		} else {
-			if (!isConnectionTypeAgent(this.type)) {
-				this.host = Encryptor.decryptData(this.host);
-				this.database = Encryptor.decryptData(this.database);
-				this.password = Encryptor.decryptData(this.password);
-				this.username = Encryptor.decryptData(this.username);
-				if (this.authSource) {
-					this.authSource = Encryptor.decryptData(this.authSource);
-				}
-				if (this.ssh) {
-					this.privateSSHKey = Encryptor.decryptData(this.privateSSHKey);
-					this.sshHost = Encryptor.decryptData(this.sshHost);
-					this.sshUsername = Encryptor.decryptData(this.sshUsername);
-				}
-				if (this.ssl && this.cert) {
-					this.cert = Encryptor.decryptData(this.cert);
-				}
-			}
-		}
-	}
+	// Decryption moved to async utility: decrypt-connection-credentials-async.ts
+	// All repository methods must call decryptConnectionCredentialsAsync() after loading.
 
 	@ManyToOne(
 		(_) => UserEntity,

backend/src/entities/connection/connection.module.ts

@@ -33,6 +33,7 @@ import { TestConnectionUseCase } from './use-cases/test-connection.use.case.js';
 import { UnfreezeConnectionUseCase } from './use-cases/unfreeze-connection.use.case.js';
 import { UpdateConnectionUseCase } from './use-cases/update-connection.use.case.js';
 import { UpdateConnectionMasterPasswordUseCase } from './use-cases/update-connection-master-password.use.case.js';
+import { UpdateConnectionTitleUseCase } from './use-cases/update-connection-title.use.case.js';
 import { ValidateConnectionMasterPasswordUseCase } from './use-cases/validate-connection-master-password.use.case.js';
 import { ValidateConnectionTokenUseCase } from './use-cases/validate-connection-token.use.case.js';
 
@@ -130,6 +131,10 @@ import { ValidateConnectionTokenUseCase } from './use-cases/validate-connection-
 			provide: UseCaseType.UNFREEZE_CONNECTION,
 			useClass: UnfreezeConnectionUseCase,
 		},
+		{
+			provide: UseCaseType.UPDATE_CONNECTION_TITLE,
+			useClass: UpdateConnectionTitleUseCase,
+		},
 	],
 	controllers: [ConnectionController],
 })
@@ -156,6 +161,7 @@ export class ConnectionModule implements NestModule {
 				{ path: '/connection/token/refresh/:connectionId', method: RequestMethod.GET },
 				{ path: '/connection/masterpwd/verify/:connectionId', method: RequestMethod.GET },
 				{ path: '/connection/unfreeze/:connectionId', method: RequestMethod.PUT },
+				{ path: '/connection/title/:connectionId', method: RequestMethod.PUT },
 			)
 			.apply(AuthWithApiMiddleware)
 			.forRoutes({ path: 'connections', method: RequestMethod.GET });