@oneuptime/common 10.5.9 → 10.5.18

package/Server/Types/AnalyticsDatabase/ModelPermission.ts

@@ -807,6 +807,23 @@ export default class ModelPermission {
       }
     }
 
+    /*
+     * Telemetry with no owning resource (the unattributed "Unknown"
+     * bucket) is tagged with the projectId in place of a resource id. It
+     * belongs to the project, not any owner, so an Owned-scoped user
+     * (project-level catch-all access) sees it. Gated on hasOwnedGrant:
+     * a purely Labels-scoped user asked for label-matching telemetry, and
+     * the unattributed bucket carries no labels, so it stays excluded for
+     * them.
+     */
+    if (
+      hasOwnedGrant &&
+      model.ownedThrough.includeProjectScope &&
+      props.tenantId
+    ) {
+      allowedResourceIds.add(props.tenantId.toString());
+    }
+
     const fkColumn: string = model.ownedThrough.fkColumn;
     const idList: Array<string> =
       allowedResourceIds.size > 0
@@ -841,64 +858,73 @@ export default class ModelPermission {
 
     const ownerTableRegistry: Map<
       string,
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      { ownerUserService: any; ownerTeamService: any; fkColumn: string }
+      {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        ownerUserService: any;
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        ownerTeamService: any;
+        fkColumn: string;
+        canOwnTelemetry?: boolean;
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        modelService?: any;
+      }
     > =
       // eslint-disable-next-line @typescript-eslint/no-require-imports, @typescript-eslint/no-var-requires
       require("../Database/Permissions/OwnerTableRegistry").default;
 
-    const serviceEntry:
-      | {
-          // eslint-disable-next-line @typescript-eslint/no-explicit-any
-          ownerUserService: any;
-          // eslint-disable-next-line @typescript-eslint/no-explicit-any
-          ownerTeamService: any;
-          fkColumn: string;
-        }
-      | undefined = ownerTableRegistry.get("Service");
-    if (!serviceEntry) {
-      cache.ownedIds = result;
-      return result;
-    }
+    /*
+     * Telemetry serviceId is polymorphic — it can reference any resource
+     * type flagged `canOwnTelemetry` in the registry (Service, Monitor,
+     * Host, DockerHost, KubernetesCluster). Resolve ownership across all of
+     * them so a user who owns any such resource sees its telemetry, not
+     * just owned Services. The polymorphic set lives only in the registry
+     * (single source of truth); the resolved union is the same for every
+     * telemetry analytics model, so the single per-request `ownedIds`
+     * cache slot still holds it.
+     */
+    for (const entry of ownerTableRegistry.values()) {
+      if (!entry.canOwnTelemetry) {
+        continue;
+      }
+      const fkColumn: string = entry.fkColumn;
 
-    if (props.userId) {
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const userOwnedRows: Array<any> =
-        await serviceEntry.ownerUserService.findBy({
+      if (props.userId) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const userOwnedRows: Array<any> = await entry.ownerUserService.findBy({
           query: {
             userId: props.userId,
             ...(props.tenantId ? { projectId: props.tenantId } : {}),
           },
-          select: { serviceId: true },
+          select: { [fkColumn]: true },
           props: { isRoot: true },
           skip: 0,
           limit: LIMIT_MAX,
         });
-      for (const row of userOwnedRows) {
-        const id: ObjectID | undefined = row.serviceId;
-        if (id) {
-          result.add(id.toString());
+        for (const row of userOwnedRows) {
+          const id: ObjectID | undefined = row[fkColumn];
+          if (id) {
+            result.add(id.toString());
+          }
         }
       }
-    }
 
-    if (props.userTeamIds && props.userTeamIds.length > 0) {
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const teamOwnedRows: Array<any> =
-        await serviceEntry.ownerTeamService.findBy({
+      if (props.userTeamIds && props.userTeamIds.length > 0) {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const teamOwnedRows: Array<any> = await entry.ownerTeamService.findBy({
           query: {
             teamId: QueryHelper.any(props.userTeamIds),
             ...(props.tenantId ? { projectId: props.tenantId } : {}),
           },
-          select: { serviceId: true },
+          select: { [fkColumn]: true },
           props: { isRoot: true },
           skip: 0,
           limit: LIMIT_MAX,
         });
-      for (const row of teamOwnedRows) {
-        const id: ObjectID | undefined = row.serviceId;
-        if (id) {
-          result.add(id.toString());
+        for (const row of teamOwnedRows) {
+          const id: ObjectID | undefined = row[fkColumn];
+          if (id) {
+            result.add(id.toString());
+          }
         }
       }
     }
@@ -942,50 +968,54 @@ export default class ModelPermission {
       return cached;
     }
 
-    const ServiceService: any =
-      // eslint-disable-next-line @typescript-eslint/no-require-imports, @typescript-eslint/no-var-requires
-      require("../../Services/ServiceService").default;
-    const MonitorService: any =
-      // eslint-disable-next-line @typescript-eslint/no-require-imports, @typescript-eslint/no-var-requires
-      require("../../Services/MonitorService").default;
-
     const tenantFilter: Record<string, ObjectID> = props.tenantId
       ? { projectId: props.tenantId }
       : {};
 
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    const serviceRows: Array<any> = await ServiceService.findBy({
-      query: {
-        labels: labelIds,
-        ...tenantFilter,
-      },
-      select: { _id: true },
-      props: { isRoot: true },
-      skip: 0,
-      limit: LIMIT_MAX,
-    });
-    for (const row of serviceRows) {
-      const id: ObjectID | string | undefined = row._id;
-      if (id) {
-        result.add(id.toString());
+    const ownerTableRegistry: Map<
+      string,
+      {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        ownerUserService: any;
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        ownerTeamService: any;
+        fkColumn: string;
+        canOwnTelemetry?: boolean;
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        modelService?: any;
       }
-    }
+    > =
+      // eslint-disable-next-line @typescript-eslint/no-require-imports, @typescript-eslint/no-var-requires
+      require("../Database/Permissions/OwnerTableRegistry").default;
 
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    const monitorRows: Array<any> = await MonitorService.findBy({
-      query: {
-        labels: labelIds,
-        ...tenantFilter,
-      },
-      select: { _id: true },
-      props: { isRoot: true },
-      skip: 0,
-      limit: LIMIT_MAX,
-    });
-    for (const row of monitorRows) {
-      const id: ObjectID | string | undefined = row._id;
-      if (id) {
-        result.add(id.toString());
+    /*
+     * Telemetry serviceId is polymorphic across every resource type
+     * flagged `canOwnTelemetry` in the registry (Service, Monitor, Host,
+     * DockerHost, KubernetesCluster), each of which carries labels. Find
+     * rows of each whose labels intersect the user's. Keeping this set in
+     * the registry (single source of truth) means a new telemetry-owning
+     * resource is picked up here automatically — no edits needed.
+     */
+    for (const entry of ownerTableRegistry.values()) {
+      if (!entry.canOwnTelemetry || !entry.modelService) {
+        continue;
+      }
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const rows: Array<any> = await entry.modelService.findBy({
+        query: {
+          labels: labelIds,
+          ...tenantFilter,
+        },
+        select: { _id: true },
+        props: { isRoot: true },
+        skip: 0,
+        limit: LIMIT_MAX,
+      });
+      for (const row of rows) {
+        const id: ObjectID | string | undefined = row._id;
+        if (id) {
+          result.add(id.toString());
+        }
       }
     }
 

package/Server/Types/Database/Permissions/OwnedScopePermission.ts

@@ -208,15 +208,23 @@ export default class OwnedScopePermission {
   ): Promise<Array<ObjectID>> {
     const model: BaseModel = new modelType();
 
-    // Determine which model's owner tables to consult.
-    let resolverName: string;
-    if (model.ownedThrough) {
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      resolverName = (model.ownedThrough.parentModel as any).name;
-    } else {
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      resolverName = (modelType as any).name;
-    }
+    /*
+     * Which model(s) owner tables to consult. A nested model can inherit
+     * ownership from several parent resource types when its FK is
+     * polymorphic (e.g. a telemetry serviceId that may point at a Service,
+     * Host, DockerHost or KubernetesCluster) — resolve and union the owned
+     * ids across all of them. Top-level operational resources consult
+     * their own owner tables.
+     */
+    const resolverNames: Array<string> = model.ownedThrough
+      ? model.ownedThrough.parentModels.map(
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          (parentModel: any) => {
+            return parentModel.name;
+          },
+        )
+      : // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        [(modelType as any).name];
 
     /*
      * Lazy require to avoid the circular dep cycle: this file is reachable
@@ -227,66 +235,79 @@ export default class OwnedScopePermission {
       // eslint-disable-next-line @typescript-eslint/no-require-imports, @typescript-eslint/no-var-requires
       require("./OwnerTableRegistry").default;
 
-    const registryEntry: OwnerTablePair | undefined =
-      ownerTableRegistry.get(resolverName);
-    if (!registryEntry) {
-      /*
-       * No registered owner tables for this model — Owned scope can't
-       * resolve, so nothing is accessible.
-       */
-      return [];
-    }
-
     const seen: Set<string> = new Set<string>();
-    const fkColumn: string = registryEntry.fkColumn;
 
-    /*
-     * User-ownership lookup. Skipped for non-user callers (API keys, Probes
-     * with no userId); those evaluate `Owned` as `All` elsewhere.
-     */
-    if (props.userId) {
-      const userOwnedRows: Array<BaseModel> =
-        await registryEntry.ownerUserService.findBy({
-          query: {
-            userId: props.userId,
-            ...(props.tenantId ? { projectId: props.tenantId } : {}),
-          },
-          select: { [fkColumn]: true },
-          props: { isRoot: true },
-          skip: 0,
-          limit: LIMIT_MAX,
-        });
-      for (const row of userOwnedRows) {
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        const value: ObjectID | undefined = (row as any)[fkColumn];
-        if (value) {
-          seen.add(value.toString());
+    for (const resolverName of resolverNames) {
+      const registryEntry: OwnerTablePair | undefined =
+        ownerTableRegistry.get(resolverName);
+      if (!registryEntry) {
+        /*
+         * No registered owner tables for this parent — skip it. Other
+         * parents (or includeProjectScope below) may still resolve.
+         */
+        continue;
+      }
+
+      const fkColumn: string = registryEntry.fkColumn;
+
+      /*
+       * User-ownership lookup. Skipped for non-user callers (API keys,
+       * Probes with no userId); those evaluate `Owned` as `All` elsewhere.
+       */
+      if (props.userId) {
+        const userOwnedRows: Array<BaseModel> =
+          await registryEntry.ownerUserService.findBy({
+            query: {
+              userId: props.userId,
+              ...(props.tenantId ? { projectId: props.tenantId } : {}),
+            },
+            select: { [fkColumn]: true },
+            props: { isRoot: true },
+            skip: 0,
+            limit: LIMIT_MAX,
+          });
+        for (const row of userOwnedRows) {
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          const value: ObjectID | undefined = (row as any)[fkColumn];
+          if (value) {
+            seen.add(value.toString());
+          }
         }
       }
-    }
 
-    // Team-ownership lookup.
-    if (props.userTeamIds && props.userTeamIds.length > 0) {
-      const teamOwnedRows: Array<BaseModel> =
-        await registryEntry.ownerTeamService.findBy({
-          query: {
-            teamId: QueryHelper.any(props.userTeamIds),
-            ...(props.tenantId ? { projectId: props.tenantId } : {}),
-          },
-          select: { [fkColumn]: true },
-          props: { isRoot: true },
-          skip: 0,
-          limit: LIMIT_MAX,
-        });
-      for (const row of teamOwnedRows) {
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        const value: ObjectID | undefined = (row as any)[fkColumn];
-        if (value) {
-          seen.add(value.toString());
+      // Team-ownership lookup.
+      if (props.userTeamIds && props.userTeamIds.length > 0) {
+        const teamOwnedRows: Array<BaseModel> =
+          await registryEntry.ownerTeamService.findBy({
+            query: {
+              teamId: QueryHelper.any(props.userTeamIds),
+              ...(props.tenantId ? { projectId: props.tenantId } : {}),
+            },
+            select: { [fkColumn]: true },
+            props: { isRoot: true },
+            skip: 0,
+            limit: LIMIT_MAX,
+          });
+        for (const row of teamOwnedRows) {
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          const value: ObjectID | undefined = (row as any)[fkColumn];
+          if (value) {
+            seen.add(value.toString());
+          }
         }
       }
     }
 
+    /*
+     * Polymorphic FK rows with no owning resource (the unattributed
+     * "Unknown" telemetry bucket) carry the projectId in the FK column.
+     * They belong to the project, not any single owner, so include the
+     * tenant id when the model opts in via includeProjectScope.
+     */
+    if (model.ownedThrough?.includeProjectScope && props.tenantId) {
+      seen.add(props.tenantId.toString());
+    }
+
     const result: Array<ObjectID> = [];
     for (const id of seen) {
       result.push(new ObjectID(id));

package/Server/Types/Database/Permissions/OwnerTableRegistry.ts

@@ -14,10 +14,27 @@ import ScheduledMaintenanceOwnerTeamService from "../../../Services/ScheduledMai
 import ScheduledMaintenanceOwnerUserService from "../../../Services/ScheduledMaintenanceOwnerUserService";
 import ServiceOwnerTeamService from "../../../Services/ServiceOwnerTeamService";
 import ServiceOwnerUserService from "../../../Services/ServiceOwnerUserService";
+import HostOwnerTeamService from "../../../Services/HostOwnerTeamService";
+import HostOwnerUserService from "../../../Services/HostOwnerUserService";
+import DockerHostOwnerTeamService from "../../../Services/DockerHostOwnerTeamService";
+import DockerHostOwnerUserService from "../../../Services/DockerHostOwnerUserService";
+import KubernetesClusterOwnerTeamService from "../../../Services/KubernetesClusterOwnerTeamService";
+import KubernetesClusterOwnerUserService from "../../../Services/KubernetesClusterOwnerUserService";
 import StatusPageOwnerTeamService from "../../../Services/StatusPageOwnerTeamService";
 import StatusPageOwnerUserService from "../../../Services/StatusPageOwnerUserService";
 import WorkflowOwnerTeamService from "../../../Services/WorkflowOwnerTeamService";
 import WorkflowOwnerUserService from "../../../Services/WorkflowOwnerUserService";
+/*
+ * The resources whose ids can appear in a telemetry row's polymorphic
+ * serviceId also expose their own service (for label-scope resolution).
+ * Imported here so the registry is the single source of truth for the
+ * telemetry serviceId polymorphism — see canOwnTelemetry / modelService.
+ */
+import ServiceService from "../../../Services/ServiceService";
+import MonitorService from "../../../Services/MonitorService";
+import HostService from "../../../Services/HostService";
+import DockerHostService from "../../../Services/DockerHostService";
+import KubernetesClusterService from "../../../Services/KubernetesClusterService";
 
 /*
  * Maps an operational model name (e.g. "Monitor") to the two services that
@@ -35,6 +52,22 @@ export interface OwnerTablePair {
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   ownerTeamService: any;
   fkColumn: string;
+  /*
+   * True when a telemetry row's serviceId (polymorphic, discriminated by
+   * serviceType) can reference this resource type. The analytics
+   * owned/labels scope resolution iterates the entries flagged here, so
+   * the telemetry serviceId polymorphism lives only in this registry —
+   * adding a new telemetry-owning resource needs just an entry here, with
+   * no edits in ModelPermission.
+   */
+  canOwnTelemetry?: boolean;
+  /*
+   * The resource's own service, used by labels-scope resolution to find
+   * resources whose labels match the user's. Set for canOwnTelemetry
+   * types (they all carry labels).
+   */
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  modelService?: any;
 }
 
 const ownerTableRegistry: Map<string, OwnerTablePair> = new Map<
@@ -47,6 +80,8 @@ const ownerTableRegistry: Map<string, OwnerTablePair> = new Map<
       ownerUserService: MonitorOwnerUserService,
       ownerTeamService: MonitorOwnerTeamService,
       fkColumn: "monitorId",
+      canOwnTelemetry: true,
+      modelService: MonitorService,
     },
   ],
   [
@@ -111,6 +146,38 @@ const ownerTableRegistry: Map<string, OwnerTablePair> = new Map<
       ownerUserService: ServiceOwnerUserService,
       ownerTeamService: ServiceOwnerTeamService,
       fkColumn: "serviceId",
+      canOwnTelemetry: true,
+      modelService: ServiceService,
+    },
+  ],
+  [
+    "Host",
+    {
+      ownerUserService: HostOwnerUserService,
+      ownerTeamService: HostOwnerTeamService,
+      fkColumn: "hostId",
+      canOwnTelemetry: true,
+      modelService: HostService,
+    },
+  ],
+  [
+    "DockerHost",
+    {
+      ownerUserService: DockerHostOwnerUserService,
+      ownerTeamService: DockerHostOwnerTeamService,
+      fkColumn: "dockerHostId",
+      canOwnTelemetry: true,
+      modelService: DockerHostService,
+    },
+  ],
+  [
+    "KubernetesCluster",
+    {
+      ownerUserService: KubernetesClusterOwnerUserService,
+      ownerTeamService: KubernetesClusterOwnerTeamService,
+      fkColumn: "kubernetesClusterId",
+      canOwnTelemetry: true,
+      modelService: KubernetesClusterService,
     },
   ],
   [

package/Server/Utils/Express.ts

@@ -1,4 +1,5 @@
 import logger from "./Logger";
+import GracefulShutdown, { ShutdownPriority } from "./GracefulShutdown";
 import Dictionary from "../../Types/Dictionary";
 import GenericFunction from "../../Types/GenericFunction";
 import { JSONObject, JSONObjectOrArray } from "../../Types/JSON";
@@ -104,6 +105,37 @@ class Express {
       this.httpServer = createServer(this.app);
     }
 
+    /*
+     * On shutdown, stop accepting new connections first (before datastores are
+     * drained) so in-flight requests can finish but new ones don't acquire
+     * resources we're about to tear down. closeIdleConnections() drops idle
+     * keep-alive sockets so server.close() doesn't block waiting on them; the
+     * GracefulShutdown per-handler timeout bounds anything still in flight.
+     */
+    GracefulShutdown.registerHandler(
+      "HttpServer",
+      ShutdownPriority.HttpServer,
+      () => {
+        return new Promise<void>((resolve: () => void) => {
+          if (!this.httpServer || !this.httpServer.listening) {
+            resolve();
+            return;
+          }
+
+          const server: Server & { closeIdleConnections?: () => void } =
+            this.httpServer;
+
+          if (typeof server.closeIdleConnections === "function") {
+            server.closeIdleConnections();
+          }
+
+          server.close(() => {
+            resolve();
+          });
+        });
+      },
+    );
+
     type ResolveFunction = (app: express.Application) => void;
 
     return new Promise<express.Application>((resolve: ResolveFunction) => {