iec-builder 0.1.0

package/src/routes/db-whitelist.ts

@@ -0,0 +1,204 @@
+import { Router } from 'express'
+import { z } from 'zod'
+import { apiResponse, apiError } from '../utils/response.js'
+import { getServicesCollection } from '../services/database.js'
+import { requireOrgAccess, requireOrgRole, type ServiceScopedRequest } from '../middleware/org-access.js'
+import { deriveOrgRole, type AuthenticatedRequest } from '../middleware/auth.js'
+import { logger } from '../utils/logger.js'
+import {
+  validatePublicIp,
+  detectCallerIp,
+  createWhitelistEntry,
+  revokeWhitelistEntry,
+  listWhitelistEntries,
+  listAllWhitelistEntries,
+} from '../services/db-whitelist.js'
+
+export const dbWhitelistRouter = Router()
+
+const WhitelistRequestSchema = z.object({
+  environment: z.enum(['prod', 'sandbox', 'uat']).default('sandbox'),
+  ttlHours: z.number().int().min(1).max(24).default(8),
+  ip: z.string().optional(),
+})
+
+/**
+ * POST /services/:serviceName/databases/whitelist
+ * Whitelist caller's IP for database access. Requires member role.
+ */
+dbWhitelistRouter.post(
+  '/:serviceName/databases/whitelist',
+  requireOrgAccess(),
+  requireOrgRole('member'),
+  async (req, res, next) => {
+    try {
+      const scopedReq = req as ServiceScopedRequest
+      let service = scopedReq.service
+
+      if (!service) {
+        const services = getServicesCollection()
+        const found = await services.findOne({
+          $or: [{ id: req.params.serviceName }, { name: req.params.serviceName }],
+        })
+        if (!found) {
+          res.status(404).json(apiError('NOT_FOUND', 'Service not found'))
+          return
+        }
+        service = found
+      }
+
+      const result = WhitelistRequestSchema.safeParse(req.body)
+      if (!result.success) {
+        res.status(400).json(apiError('VALIDATION_ERROR', 'Invalid request', result.error.flatten()))
+        return
+      }
+
+      const { environment, ttlHours, ip: explicitIp } = result.data
+
+      // Detect IP: explicit override > headers > req.ip
+      const ip = explicitIp || detectCallerIp(req.headers as Record<string, string | string[] | undefined>, req.ip)
+      if (!ip) {
+        res.status(400).json(apiError('IP_DETECTION_FAILED', 'Could not detect your IP address. Provide it explicitly in the request body.'))
+        return
+      }
+
+      // Validate IP is public
+      const ipCheck = validatePublicIp(ip)
+      if (!ipCheck.valid) {
+        res.status(400).json(apiError('INVALID_IP', `IP address ${ip} is not allowed: ${ipCheck.reason}`))
+        return
+      }
+
+      // Determine access level from org role
+      const userRoles = scopedReq.user?.roles || []
+      const orgRole = deriveOrgRole(userRoles)
+      const accessLevel = orgRole === 'admin' ? 'readWrite' : 'read'
+
+      const whitelistResult = await createWhitelistEntry(
+        service,
+        ip,
+        environment,
+        accessLevel,
+        ttlHours,
+        scopedReq.user?.id || 'unknown',
+        scopedReq.user?.email || 'unknown'
+      )
+
+      res.json(apiResponse({
+        ...whitelistResult,
+        warning: 'This connection string contains credentials. Do not share or commit to version control.',
+      }))
+    } catch (err) {
+      next(err)
+    }
+  }
+)
+
+/**
+ * GET /services/:serviceName/databases/whitelist
+ * List active whitelist entries for a service. Requires viewer role.
+ */
+dbWhitelistRouter.get(
+  '/:serviceName/databases/whitelist',
+  requireOrgAccess(),
+  async (req, res, next) => {
+    try {
+      const { serviceName } = req.params
+      const environment = req.query.environment as string | undefined
+      const validEnvironments = ['prod', 'sandbox', 'uat']
+
+      if (environment && !validEnvironments.includes(environment)) {
+        res.status(400).json(apiError('VALIDATION_ERROR', `Invalid environment: ${environment}`))
+        return
+      }
+
+      const entries = await listWhitelistEntries(serviceName, environment)
+
+      // Strip connection strings from list response
+      const sanitized = entries.map(e => ({
+        id: e.id,
+        serviceName: e.serviceName,
+        ip: e.ip,
+        environment: e.environment,
+        accessLevel: e.accessLevel,
+        requestedBy: e.requestedBy,
+        requestedByEmail: e.requestedByEmail,
+        createdAt: e.createdAt,
+        expiresAt: e.expiresAt,
+        status: e.status,
+      }))
+
+      res.json(apiResponse({ entries: sanitized }))
+    } catch (err) {
+      next(err)
+    }
+  }
+)
+
+/**
+ * DELETE /services/:serviceName/databases/whitelist/:entryId
+ * Revoke a whitelist entry. Requires admin role.
+ */
+dbWhitelistRouter.delete(
+  '/:serviceName/databases/whitelist/:entryId',
+  requireOrgAccess(),
+  requireOrgRole('admin'),
+  async (req, res, next) => {
+    try {
+      const scopedReq = req as ServiceScopedRequest
+      const { entryId } = req.params
+
+      const revoked = await revokeWhitelistEntry(
+        entryId,
+        scopedReq.user?.email || scopedReq.user?.id || 'unknown',
+        scopedReq.service?.org
+      )
+
+      if (!revoked) {
+        res.status(404).json(apiError('NOT_FOUND', 'Whitelist entry not found or already revoked'))
+        return
+      }
+
+      res.json(apiResponse({ revoked: true, id: entryId }))
+    } catch (err) {
+      next(err)
+    }
+  }
+)
+
+/**
+ * GET /databases/whitelist
+ * List all active whitelist entries across all orgs. Platform admin only.
+ */
+dbWhitelistRouter.get(
+  '/whitelist',
+  async (req, res, next) => {
+    try {
+      const authReq = req as AuthenticatedRequest
+      const roles = authReq.user?.roles || []
+      if (!roles.includes('super_admin') && !roles.includes('admin') && !roles.includes('service')) {
+        res.status(403).json(apiError('FORBIDDEN', 'Platform admin access required'))
+        return
+      }
+
+      const entries = await listAllWhitelistEntries()
+
+      const sanitized = entries.map(e => ({
+        id: e.id,
+        serviceName: e.serviceName,
+        orgId: e.orgId,
+        ip: e.ip,
+        environment: e.environment,
+        accessLevel: e.accessLevel,
+        requestedByEmail: e.requestedByEmail,
+        createdAt: e.createdAt,
+        expiresAt: e.expiresAt,
+        status: e.status,
+      }))
+
+      res.json(apiResponse({ entries: sanitized }))
+    } catch (err) {
+      next(err)
+    }
+  }
+)