Merge branch 'main' into cs-241-framework-dropdown

Author: tofikwest

apps/api/src/cloud-security/cloud-security.controller.ts

@@ -25,7 +25,11 @@ import { CloudSecurityQueryService } from './cloud-security-query.service';
 import { CloudSecurityLegacyService } from './cloud-security-legacy.service';
 import { logCloudSecurityActivity } from './cloud-security-audit';
 import { CloudSecurityActivityService } from './cloud-security-activity.service';
-import { GCPSecurityService } from './providers/gcp-security.service';
+import {
+  GCPSecurityService,
+  type GcpSetupStep,
+  type GcpSetupStepId,
+} from './providers/gcp-security.service';
 import { AzureSecurityService } from './providers/azure-security.service';
 
 @Controller({ path: 'cloud-security', version: '1' })
@@ -226,55 +230,119 @@ export class CloudSecurityController {
     @OrganizationId() organizationId: string,
   ) {
     try {
-      const connection = await this.cloudSecurityService.getConnectionForDetect(
-        connectionId,
-        organizationId,
-      );
+      const context = await this.resolveGcpSetupContext(connectionId, organizationId);
 
-      const credentials = connection.credentials as Record<string, unknown>;
-      const accessToken = credentials?.access_token as string;
-      if (!accessToken) {
-        throw new Error('No access token found. Reconnect the GCP integration.');
-      }
+      const result = await this.gcpSecurityService.autoSetup({
+        accessToken: context.accessToken,
+        organizationId: context.organizationId ?? '',
+        projectId: context.projectId,
+      });
 
-      const variables = (connection.variables ?? {}) as Record<string, unknown>;
-      const gcpOrgId = variables.organization_id as string | undefined;
-
-      // Auto-detect org if not set
-      let orgId = gcpOrgId;
-      if (!orgId) {
-        const orgs = await this.gcpSecurityService.detectOrganizations(accessToken);
-        if (orgs.length > 0) {
-          orgId = orgs[0].id;
-          await this.cloudSecurityService.saveConnectionVariable(connectionId, 'organization_id', orgId, organizationId);
-        }
-      }
+      return {
+        ...result,
+        steps: this.withGcpResolveActions(result.steps, connectionId),
+        organizationId: context.organizationId,
+        projectId: context.projectId,
+      };
+    } catch (error) {
+      const message =
+        error instanceof Error ? error.message : 'GCP setup failed';
+      throw new HttpException(message, HttpStatus.BAD_REQUEST);
+    }
+  }
 
-      // Auto-detect project if not known
-      const projects = await this.gcpSecurityService.detectProjects(accessToken);
-      const projectId = projects[0]?.id;
-      if (!projectId) {
-        throw new Error('No GCP projects found. Ensure your account has access to at least one project.');
+  @Post('setup-gcp/:connectionId/resolve-step')
+  @UseGuards(HybridAuthGuard, PermissionGuard)
+  @RequirePermission('integration', 'update')
+  async resolveGcpSetupStep(
+    @Param('connectionId') connectionId: string,
+    @Body() body: { stepId: GcpSetupStepId },
+    @OrganizationId() organizationId: string,
+  ) {
+    try {
+      if (!body?.stepId) {
+        throw new Error('stepId is required');
       }
 
-      const result = await this.gcpSecurityService.autoSetup({
-        accessToken,
-        organizationId: orgId ?? '',
-        projectId,
+      const context = await this.resolveGcpSetupContext(connectionId, organizationId);
+      const result = await this.gcpSecurityService.resolveSetupStep({
+        stepId: body.stepId,
+        accessToken: context.accessToken,
+        organizationId: context.organizationId ?? '',
+        projectId: context.projectId,
       });
 
       return {
-        ...result,
-        organizationId: orgId,
-        projectId,
+        email: result.email,
+        step: this.withGcpResolveActions([result.step], connectionId)[0],
+        organizationId: context.organizationId,
+        projectId: context.projectId,
       };
     } catch (error) {
       const message =
-        error instanceof Error ? error.message : 'GCP setup failed';
+        error instanceof Error ? error.message : 'Failed to resolve setup step';
       throw new HttpException(message, HttpStatus.BAD_REQUEST);
     }
   }
 
+  private withGcpResolveActions(steps: GcpSetupStep[], connectionId: string): GcpSetupStep[] {
+    return steps.map((step) => {
+      if (step.success) return step;
+      return {
+        ...step,
+        resolveAction: {
+          label: 'Resolve this',
+          method: 'POST',
+          endpoint: `/v1/cloud-security/setup-gcp/${connectionId}/resolve-step`,
+          body: { stepId: step.id },
+        },
+      };
+    });
+  }
+
+  private async resolveGcpSetupContext(connectionId: string, organizationId: string) {
+    const connection = await this.cloudSecurityService.getConnectionForDetect(
+      connectionId,
+      organizationId,
+    );
+
+    const credentials = connection.credentials as Record<string, unknown>;
+    const accessToken = credentials?.access_token as string;
+    if (!accessToken) {
+      throw new Error('No access token found. Reconnect the GCP integration.');
+    }
+
+    const variables = (connection.variables ?? {}) as Record<string, unknown>;
+    let gcpOrgId = variables.organization_id as string | undefined;
+
+    if (!gcpOrgId) {
+      const orgs = await this.gcpSecurityService.detectOrganizations(accessToken);
+      if (orgs.length > 0) {
+        gcpOrgId = orgs[0].id;
+        await this.cloudSecurityService.saveConnectionVariable(
+          connectionId,
+          'organization_id',
+          gcpOrgId,
+          organizationId,
+        );
+      }
+    }
+
+    const projects = await this.gcpSecurityService.detectProjects(accessToken);
+    const projectId = projects[0]?.id;
+    if (!projectId) {
+      throw new Error(
+        'No GCP projects found. Ensure your account has access to at least one project.',
+      );
+    }
+
+    return {
+      accessToken,
+      organizationId: gcpOrgId,
+      projectId,
+    };
+  }
+
   @Post('setup-azure/:connectionId')
   @UseGuards(HybridAuthGuard, PermissionGuard)
   @RequirePermission('integration', 'update')

apps/api/src/cloud-security/cloud-security.service.ts

@@ -162,11 +162,13 @@ export class CloudSecurityService {
     // Get variables for the scan
     const variables = (connection.variables as Record<string, unknown>) || {};
 
-    // Security baseline: always scanned regardless of toggles.
-    // Every AWS account should have these configured.
-    const BASELINE_SERVICES = [
-      'cloudtrail', 'config', 'guardduty', 'iam-analyzer', 'cloudwatch', 'kms',
-    ];
+    // Provider baselines are always scanned regardless of toggles.
+    const BASELINE_SERVICES_BY_PROVIDER: Record<string, string[]> = {
+      aws: ['cloudtrail', 'config', 'guardduty', 'iam-analyzer', 'cloudwatch', 'kms'],
+      gcp: ['security-command-center'],
+      azure: [],
+    };
+    const baselineServices = BASELINE_SERVICES_BY_PROVIDER[providerSlug] ?? [];
 
     // Smart service filtering: auto-detect is additive, user can only exclude.
     // Scan = (detectedServices MINUS disabledServices) UNION baselineServices.
@@ -178,11 +180,11 @@ export class CloudSecurityService {
     if (Array.isArray(variables.enabledServices) && (variables.enabledServices as string[]).length > 0) {
       // Legacy format: explicit enabled list (backward compat) + baseline
       const userEnabled = (variables.enabledServices as string[]).filter((s) => !disabledServices.has(s));
-      enabledServices = [...new Set([...userEnabled, ...BASELINE_SERVICES])];
+      enabledServices = [...new Set([...userEnabled, ...baselineServices])];
     } else if (Array.isArray(variables.detectedServices) && (variables.detectedServices as string[]).length > 0) {
       // New smart format: detected minus disabled + baseline always included
       const filtered = (variables.detectedServices as string[]).filter((s) => !disabledServices.has(s));
-      enabledServices = [...new Set([...filtered, ...BASELINE_SERVICES])];
+      enabledServices = [...new Set([...filtered, ...baselineServices])];
     }
     // else: undefined = scan all adapters (no detection data at all)
 
@@ -219,6 +221,7 @@ export class CloudSecurityService {
           findings = await this.gcpService.scanSecurityFindings(
             credentials,
             variables,
+            enabledServices,
           );
           break;
         case 'aws':
@@ -358,19 +361,32 @@ export class CloudSecurityService {
       return [];
     }
 
-    // Save detected services and auto-enable them (remove from disabledServices)
-    const currentDisabled = Array.isArray(variables.disabledServices)
-      ? (variables.disabledServices as string[])
-      : [];
-    const updatedDisabled = currentDisabled.filter((s) => !detected.includes(s));
+    // Merge with existing detected services and only auto-enable genuinely NEW detections.
+    // This preserves explicit user toggles (both enabled and disabled).
+    const existingDetected = new Set<string>(
+      Array.isArray(variables.detectedServices)
+        ? (variables.detectedServices as string[])
+        : [],
+    );
+    const updatedDisabled = new Set<string>(
+      Array.isArray(variables.disabledServices)
+        ? (variables.disabledServices as string[])
+        : [],
+    );
+    for (const id of detected) {
+      if (!existingDetected.has(id)) {
+        updatedDisabled.delete(id);
+      }
+      existingDetected.add(id);
+    }
 
     await db.integrationConnection.update({
       where: { id: connectionId },
       data: {
         variables: {
           ...variables,
-          detectedServices: detected,
-          disabledServices: updatedDisabled,
+          detectedServices: [...existingDetected],
+          disabledServices: [...updatedDisabled],
         },
       },
     });