generate pam access grant as part of post approval flow

2026-01-09 15:38:03 -05:00 · 2025-12-06 19:44:57 -05:00
parent 89c1c5ffc4
commit 6c7d708c98
5 changed files with 26 additions and 11 deletions
--- a/backend/src/ee/services/pam-account/pam-account-service.ts
+++ b/backend/src/ee/services/pam-account/pam-account-service.ts
@@ -554,7 +554,7 @@ export const pamAccountServiceFactory = ({
      accountPath: `${folderPath}/${account.name}`
    };

-    const canAccess = await fac.canAccess(approvalRequestGrantsDAL, actor.id, resource.projectId, inputs);
+    const canAccess = await fac.canAccess(approvalRequestGrantsDAL, resource.projectId, actor.id, inputs);

    if (canAccess) {
      // Grant exists, allow access without checking permission
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -2485,7 +2485,8 @@ export const registerRoutes = async (
    approvalRequestStepEligibleApproversDAL,
    approvalRequestApprovalsDAL,
    userGroupMembershipDAL,
-    notificationService
+    notificationService,
+    approvalRequestGrantsDAL
  });

  // setup the communication with license key server
--- a/backend/src/services/approval-policy/approval-policy-service.ts
+++ b/backend/src/services/approval-policy/approval-policy-service.ts
@@ -14,6 +14,7 @@ import {
  TApprovalPolicyStepsDALFactory,
  TApprovalRequestApprovalsDALFactory,
  TApprovalRequestDALFactory,
+  TApprovalRequestGrantsDALFactory,
  TApprovalRequestStepEligibleApproversDALFactory,
  TApprovalRequestStepsDALFactory
 } from "./approval-policy-dal";
@@ -41,6 +42,7 @@ type TApprovalPolicyServiceFactoryDep = {
  approvalRequestDAL: TApprovalRequestDALFactory;
  approvalRequestStepsDAL: TApprovalRequestStepsDALFactory;
  approvalRequestStepEligibleApproversDAL: TApprovalRequestStepEligibleApproversDALFactory;
+  approvalRequestGrantsDAL: TApprovalRequestGrantsDALFactory;
  userGroupMembershipDAL: TUserGroupMembershipDALFactory;
  notificationService: TNotificationServiceFactory;
  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getOrgPermission">;
@@ -56,6 +58,7 @@ export const approvalPolicyServiceFactory = ({
  approvalRequestDAL,
  approvalRequestStepsDAL,
  approvalRequestStepEligibleApproversDAL,
+  approvalRequestGrantsDAL,
  userGroupMembershipDAL,
  notificationService,
  permissionService,
@@ -598,7 +601,7 @@ export const approvalPolicyServiceFactory = ({
      const fac = APPROVAL_POLICY_FACTORY_MAP[updatedRequest.type as ApprovalPolicyType](
        updatedRequest.type as ApprovalPolicyType
      );
-      await fac.postApprovalRoutine(newRequest as TApprovalRequest);
+      await fac.postApprovalRoutine(approvalRequestGrantsDAL, newRequest as TApprovalRequest);
    }

    return { request: newRequest };
--- a/backend/src/services/approval-policy/approval-policy-types.ts
+++ b/backend/src/services/approval-policy/approval-policy-types.ts
@@ -73,7 +73,10 @@ export type TApprovalRequestFactoryValidateConstraints<P extends TApprovalPolicy
  policy: P,
  inputs: R
 ) => boolean;
-export type TApprovalRequestFactoryPostApprovalRoutine = (request: TApprovalRequest) => Promise<void>;
+export type TApprovalRequestFactoryPostApprovalRoutine = (
+  approvalRequestGrantsDAL: TApprovalRequestGrantsDALFactory,
+  request: TApprovalRequest
+) => Promise<void>;

 export type TApprovalResourceFactory<
  I extends TApprovalPolicyInputs,
--- a/backend/src/services/approval-policy/pam-access/pam-access-policy-factory.ts
+++ b/backend/src/services/approval-policy/pam-access/pam-access-policy-factory.ts
@@ -74,11 +74,7 @@ export const pamAccessPolicyFactory: TApprovalResourceFactory<
    return grants.some((grant) => {
      const grantAttributes = grant.attributes as TPamAccessPolicyInputs;
      const isMatch = picomatch(grantAttributes.accountPath);
-      return (
-        grantAttributes.resourceId === inputs.resourceId &&
-        isMatch(inputs.accountPath) &&
-        (!grant.expiresAt || grant.expiresAt > new Date())
-      );
+      return isMatch(inputs.accountPath) && (!grant.expiresAt || grant.expiresAt > new Date());
    });
  };

@@ -92,8 +88,20 @@ export const pamAccessPolicyFactory: TApprovalResourceFactory<
    return reqDuration >= ms(durationConstraint.min) && reqDuration <= ms(durationConstraint.max);
  };

-  const postApprovalRoutine: TApprovalRequestFactoryPostApprovalRoutine = async (_request) => {
-    // Placeholder
+  const postApprovalRoutine: TApprovalRequestFactoryPostApprovalRoutine = async (approvalRequestGrantsDAL, request) => {
+    const inputs = request.requestData.requestData;
+    const durationMs = ms(inputs.accessDuration);
+    const expiresAt = new Date(Date.now() + durationMs);
+
+    await approvalRequestGrantsDAL.create({
+      projectId: request.projectId,
+      requestId: request.id,
+      granteeUserId: request.requesterId,
+      status: ApprovalRequestGrantStatus.Active,
+      type: request.type,
+      attributes: inputs,
+      expiresAt
+    });
  };

  return {