trycompai
diff --git a/‎apps/api/src/cloud-security/cloud-security-query.service.ts‎
Lines changed: 18 additions & 0 deletions b/‎apps/api/src/cloud-security/cloud-security-query.service.ts‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎apps/api/src/evidence-forms/evidence-forms.controller.ts‎
Lines changed: 15 additions & 1 deletion b/‎apps/api/src/evidence-forms/evidence-forms.controller.ts‎
Lines changed: 15 additions & 1 deletion
diff --git a/‎apps/app/src/app/(app)/[orgId]/cloud-tests/actions/run-tests.ts‎
Lines changed: 108 additions & 0 deletions b/‎apps/app/src/app/(app)/[orgId]/cloud-tests/actions/run-tests.ts‎
Lines changed: 108 additions & 0 deletions
diff --git a/‎apps/app/src/app/(app)/[orgId]/cloud-tests/actions/validate-aws-credentials.ts‎
Lines changed: 98 additions & 0 deletions b/‎apps/app/src/app/(app)/[orgId]/cloud-tests/actions/validate-aws-credentials.ts‎
Lines changed: 98 additions & 0 deletions
@@ -22,6 +22,8 @@ export interface CloudProvider {
   requiredVariables: string[];
   accountId?: string;
   regions?: string[];
+  tenantId?: string;
+  subscriptionId?: string;
   supportsMultipleConnections?: boolean;
 }
 
@@ -116,6 +118,14 @@ export class CloudSecurityQueryService {
               (r): r is string => typeof r === 'string',
             )
           : undefined,
+        tenantId:
+          typeof metadata.tenantId === 'string'
+            ? metadata.tenantId
+            : undefined,
+        subscriptionId:
+          typeof metadata.subscriptionId === 'string'
+            ? metadata.subscriptionId
+            : undefined,
         supportsMultipleConnections:
           manifest?.supportsMultipleConnections ?? false,
       };
@@ -150,6 +160,14 @@ export class CloudSecurityQueryService {
               (r): r is string => typeof r === 'string',
             )
           : undefined,
+        tenantId:
+          typeof settings.tenantId === 'string'
+            ? settings.tenantId
+            : undefined,
+        subscriptionId:
+          typeof settings.subscriptionId === 'string'
+            ? settings.subscriptionId
+            : undefined,
         supportsMultipleConnections:
           manifest?.supportsMultipleConnections ?? false,
       };
 
@@ -1,6 +1,9 @@
 import { AuthContext, OrganizationId } from '@/auth/auth-context.decorator';
 import { HybridAuthGuard } from '@/auth/hybrid-auth.guard';
+import { PermissionGuard } from '@/auth/permission.guard';
+import { RequirePermission } from '@/auth/require-permission.decorator';
 import type { AuthContext as AuthContextType } from '@/auth/types';
+import { AuditRead } from '@/audit/skip-audit-log.decorator';
 import {
   Body,
   Controller,
@@ -19,7 +22,7 @@ import { EvidenceFormsService } from './evidence-forms.service';
 
 @ApiTags('Evidence Forms')
 @Controller({ path: 'evidence-forms', version: '1' })
-@UseGuards(HybridAuthGuard)
+@UseGuards(HybridAuthGuard, PermissionGuard)
 @ApiSecurity('apikey')
 @ApiHeader({
   name: 'X-Organization-Id',
@@ -31,6 +34,7 @@ export class EvidenceFormsController {
   constructor(private readonly evidenceFormsService: EvidenceFormsService) {}
 
   @Get()
+  @RequirePermission('evidence', 'read')
   @ApiOperation({
     summary: 'List evidence forms',
     description: 'List all available pre-built evidence forms',
@@ -40,6 +44,7 @@ export class EvidenceFormsController {
   }
 
   @Get('statuses')
+  @RequirePermission('evidence', 'read')
   @ApiOperation({
     summary: 'Get submission statuses for all forms',
     description:
@@ -50,6 +55,7 @@ export class EvidenceFormsController {
   }
 
   @Get('my-submissions')
+  @RequirePermission('evidence', 'read')
   @ApiOperation({
     summary: 'Get current user submissions',
     description:
@@ -68,6 +74,7 @@ export class EvidenceFormsController {
   }
 
   @Get('my-submissions/pending-count')
+  @RequirePermission('evidence', 'read')
   @ApiOperation({
     summary: 'Get pending submission count for current user',
     description:
@@ -84,6 +91,7 @@ export class EvidenceFormsController {
   }
 
   @Get(':formType')
+  @RequirePermission('evidence', 'read')
   @ApiOperation({
     summary: 'Get form definition and submissions',
     description:
@@ -108,6 +116,7 @@ export class EvidenceFormsController {
   }
 
   @Get(':formType/submissions/:submissionId')
+  @RequirePermission('evidence', 'read')
   @ApiOperation({
     summary: 'Get a single submission',
     description:
@@ -128,6 +137,7 @@ export class EvidenceFormsController {
   }
 
   @Post(':formType/submissions')
+  @RequirePermission('evidence', 'create')
   @ApiOperation({
     summary: 'Submit evidence form entry',
     description:
@@ -148,6 +158,7 @@ export class EvidenceFormsController {
   }
 
   @Patch(':formType/submissions/:submissionId/review')
+  @RequirePermission('evidence', 'update')
   @ApiOperation({
     summary: 'Review a submission',
     description:
@@ -170,6 +181,7 @@ export class EvidenceFormsController {
   }
 
   @Post('uploads')
+  @RequirePermission('evidence', 'create')
   @ApiOperation({
     summary: 'Upload evidence form file',
     description:
@@ -188,6 +200,8 @@ export class EvidenceFormsController {
   }
 
   @Get(':formType/export.csv')
+  @RequirePermission('evidence', 'read')
+  @AuditRead()
   @ApiOperation({
     summary: 'Export form submissions to CSV',
     description: 'Export all form submissions for an organization as CSV',
 
@@ -0,0 +1,108 @@
+'use server';
+
+import { runIntegrationTests } from '@/trigger/tasks/integration/run-integration-tests';
+import { auth } from '@/utils/auth';
+import { runs, tasks } from '@trigger.dev/sdk';
+import { revalidatePath } from 'next/cache';
+import { headers } from 'next/headers';
+
+const MAX_POLL_ATTEMPTS = 60; // Max 2 minutes (60 * 2 seconds)
+const POLL_INTERVAL_MS = 2000;
+
+/**
+ * Run integration tests and wait for completion.
+ * @param integrationId - Optional. If provided, only run tests for this specific connection.
+ *                        If not provided, run tests for all connections in the organization.
+ */
+export const runTests = async (integrationId?: string) => {
+  const session = await auth.api.getSession({
+    headers: await headers(),
+  });
+
+  if (!session) {
+    return {
+      success: false,
+      errors: ['Unauthorized'],
+    };
+  }
+
+  const orgId = session.session?.activeOrganizationId;
+  if (!orgId) {
+    return {
+      success: false,
+      errors: ['No active organization'],
+    };
+  }
+
+  try {
+    // Trigger the task
+    const handle = await tasks.trigger<typeof runIntegrationTests>('run-integration-tests', {
+      organizationId: orgId,
+      ...(integrationId ? { integrationId } : {}),
+    });
+
+    // Poll for completion
+    let attempts = 0;
+    while (attempts < MAX_POLL_ATTEMPTS) {
+      const run = await runs.retrieve(handle.id);
+
+      // Check if the run is in a terminal state
+      if (run.isCompleted) {
+        const headersList = await headers();
+        let path = headersList.get('x-pathname') || headersList.get('referer') || '';
+        path = path.replace(/\/[a-z]{2}\//, '/');
+        revalidatePath(path);
+
+        if (run.isSuccess) {
+          const output = run.output as {
+            success?: boolean;
+            errors?: string[];
+            failedIntegrations?: Array<{ name: string; error: string }>;
+          } | null;
+
+          if (output?.success === false) {
+            return {
+              success: false,
+              errors: output.errors || ['Scan completed with errors'],
+              taskId: run.id,
+            };
+          }
+
+          return {
+            success: true,
+            errors: null,
+            taskId: run.id,
+          };
+        }
+
+        // Handle all other terminal states (failed, cancelled, or unexpected)
+        // This ensures we don't continue polling after the run has completed
+        return {
+          success: false,
+          errors: run.isFailed || run.isCancelled 
+            ? ['Task failed or was canceled'] 
+            : ['Task completed with unexpected status'],
+          taskId: run.id,
+        };
+      }
+
+      // Wait before polling again
+      await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+      attempts++;
+    }
+
+    // Timeout - task is taking too long
+    return {
+      success: false,
+      errors: ['Scan is taking longer than expected. Check the status in Trigger.dev dashboard.'],
+      taskId: handle.id,
+    };
+  } catch (error) {
+    console.error('Error running integration tests:', error);
+
+    return {
+      success: false,
+      errors: [error instanceof Error ? error.message : 'Failed to run integration tests'],
+    };
+  }
+};
@@ -0,0 +1,98 @@
+'use server';
+
+import { DescribeRegionsCommand, EC2Client } from '@aws-sdk/client-ec2';
+import { GetCallerIdentityCommand, STSClient } from '@aws-sdk/client-sts';
+import { z } from 'zod';
+import { authActionClient } from '../../../../../actions/safe-action';
+
+const validateAwsCredentialsSchema = z.object({
+  accessKeyId: z.string(),
+  secretAccessKey: z.string(),
+});
+
+export const validateAwsCredentialsAction = authActionClient
+  .inputSchema(validateAwsCredentialsSchema)
+  .metadata({
+    name: 'validate-aws-credentials',
+    track: {
+      event: 'validate-aws-credentials',
+      channel: 'cloud-tests',
+    },
+  })
+  .action(async ({ parsedInput: { accessKeyId, secretAccessKey } }) => {
+    try {
+      // First, validate credentials using STS
+      const stsClient = new STSClient({
+        region: 'us-east-1', // Default region for validation
+        credentials: {
+          accessKeyId,
+          secretAccessKey,
+        },
+      });
+
+      const identity = await stsClient.send(new GetCallerIdentityCommand({}));
+
+      // Get available regions
+      const ec2Client = new EC2Client({
+        region: 'us-east-1',
+        credentials: {
+          accessKeyId,
+          secretAccessKey,
+        },
+      });
+
+      const regionsResponse = await ec2Client.send(new DescribeRegionsCommand({}));
+
+      // Map of common region codes to friendly names
+      const regionNames: Record<string, string> = {
+        'us-east-1': 'US East (N. Virginia)',
+        'us-east-2': 'US East (Ohio)',
+        'us-west-1': 'US West (N. California)',
+        'us-west-2': 'US West (Oregon)',
+        'eu-west-1': 'Europe (Ireland)',
+        'eu-west-2': 'Europe (London)',
+        'eu-west-3': 'Europe (Paris)',
+        'eu-central-1': 'Europe (Frankfurt)',
+        'eu-north-1': 'Europe (Stockholm)',
+        'eu-south-1': 'Europe (Milan)',
+        'ap-southeast-1': 'Asia Pacific (Singapore)',
+        'ap-southeast-2': 'Asia Pacific (Sydney)',
+        'ap-northeast-1': 'Asia Pacific (Tokyo)',
+        'ap-northeast-2': 'Asia Pacific (Seoul)',
+        'ap-northeast-3': 'Asia Pacific (Osaka)',
+        'ap-south-1': 'Asia Pacific (Mumbai)',
+        'ap-east-1': 'Asia Pacific (Hong Kong)',
+        'ca-central-1': 'Canada (Central)',
+        'sa-east-1': 'South America (São Paulo)',
+        'me-south-1': 'Middle East (Bahrain)',
+        'af-south-1': 'Africa (Cape Town)',
+      };
+
+      const regions = (regionsResponse.Regions || [])
+        .filter((region) => region.RegionName)
+        .map((region) => {
+          const code = region.RegionName!;
+          const friendlyName = regionNames[code] || code;
+          return {
+            value: code,
+            label: `${friendlyName} (${code})`,
+          };
+        })
+        .sort((a, b) => a.value.localeCompare(b.value));
+
+      return {
+        success: true,
+        accountId: identity.Account,
+        regions,
+      };
+    } catch (error) {
+      console.error('AWS credential validation failed:', error);
+      return {
+        success: false,
+        error:
+          error instanceof Error
+            ? error.message
+            : 'Failed to validate AWS credentials. Please check your access key and secret.',
+      };
+    }
+  });