feat(portal): Allow connection-time conditions for internet resources (#6899)

Closes #6848
2026-01-27 10:18:54 +00:00 · 2024-10-01 16:10:17 -06:00
parent 759e944729
commit 14544b27cc
4 changed files with 81 additions and 11 deletions
--- a/elixir/apps/web/lib/web/live/policies/components.ex
+++ b/elixir/apps/web/lib/web/live/policies/components.ex
@@ -13,6 +13,24 @@ defmodule Web.Policies.Components do
    {"U", "Sunday"}
  ]

+  @all_conditions [
+    :remote_ip_location_region,
+    :remote_ip,
+    :provider_id,
+    :client_verified,
+    :current_utc_datetime
+  ]
+
+  # current_utc_datetime is a condition evaluated at the time of the request,
+  # so we don't need to include it in the list of conditions that can be set
+  # for internet resources, otherwise it would be blocking all the requests.
+  @conditions_by_resource_type %{
+    internet: @all_conditions -- [:current_utc_datetime],
+    dns: @all_conditions,
+    ip: @all_conditions,
+    cidr: @all_conditions
+  }
+
  attr(:policy, :map, required: true)

  def policy_name(assigns) do
@@ -256,9 +274,13 @@ defmodule Web.Policies.Components do

  def conditions_form(assigns) do
    assigns =
-      assign_new(assigns, :policy_conditions_enabled?, fn ->
+      assigns
+      |> assign_new(:policy_conditions_enabled?, fn ->
        Domain.Accounts.policy_conditions_enabled?(assigns.account)
      end)
+      |> assign_new(:enabled_conditions, fn ->
+        Map.fetch!(@conditions_by_resource_type, assigns.selected_resource.type)
+      end)

    ~H"""
    <fieldset class="flex flex-col gap-2 mt-4">
@@ -280,17 +302,28 @@ defmodule Web.Policies.Components do

      <div class={@policy_conditions_enabled? == false && "opacity-50"}>
        <.remote_ip_location_region_condition_form
+          :if={:remote_ip_location_region in @enabled_conditions}
+          form={@form}
+          disabled={@policy_conditions_enabled? == false}
+        />
+        <.remote_ip_condition_form
+          :if={:remote_ip in @enabled_conditions}
          form={@form}
          disabled={@policy_conditions_enabled? == false}
        />
-        <.remote_ip_condition_form form={@form} disabled={@policy_conditions_enabled? == false} />
        <.provider_id_condition_form
+          :if={:provider_id in @enabled_conditions}
          form={@form}
          providers={@providers}
          disabled={@policy_conditions_enabled? == false}
        />
-        <.client_verified_condition_form form={@form} disabled={@policy_conditions_enabled? == false} />
+        <.client_verified_condition_form
+          :if={:client_verified in @enabled_conditions}
+          form={@form}
+          disabled={@policy_conditions_enabled? == false}
+        />
        <.current_utc_datetime_condition_form
+          :if={:current_utc_datetime in @enabled_conditions}
          form={@form}
          timezone={@timezone}
          disabled={@policy_conditions_enabled? == false}
--- a/elixir/apps/web/lib/web/live/policies/edit.ex
+++ b/elixir/apps/web/lib/web/live/policies/edit.ex
@@ -163,19 +163,19 @@ defmodule Web.Policies.Edit do
              </fieldset>

              <.conditions_form
-                :if={@selected_resource.type != :internet}
+                :if={not is_nil(@selected_resource)}
                form={@form}
                account={@account}
                timezone={@timezone}
                providers={@providers}
+                selected_resource={@selected_resource}
              />

              <.options_form
-                :if={@selected_resource.type == :internet}
+                :if={not is_nil(@selected_resource)}
                form={@form}
                account={@account}
-                timezone={@timezone}
-                providers={@providers}
+                selected_resource={@selected_resource}
              />
            </div>

--- a/elixir/apps/web/lib/web/live/policies/new.ex
+++ b/elixir/apps/web/lib/web/live/policies/new.ex
@@ -152,19 +152,19 @@ defmodule Web.Policies.New do
              </fieldset>

              <.conditions_form
-                :if={not is_nil(@selected_resource) and @selected_resource.type != :internet}
+                :if={not is_nil(@selected_resource)}
                form={@form}
                account={@account}
                timezone={@timezone}
                providers={@providers}
+                selected_resource={@selected_resource}
              />

              <.options_form
-                :if={not is_nil(@selected_resource) and @selected_resource.type == :internet}
+                :if={not is_nil(@selected_resource)}
                form={@form}
                account={@account}
-                timezone={@timezone}
-                providers={@providers}
+                selected_resource={@selected_resource}
              />
            </div>

--- a/elixir/apps/web/test/web/live/policies/new_test.exs
+++ b/elixir/apps/web/test/web/live/policies/new_test.exs
@@ -158,6 +158,43 @@ defmodule Web.Live.Policies.NewTest do
    assert Floki.attribute(value_input, "value") == [resource.id]
  end

+  test "form changes depending on resource type", %{
+    account: account,
+    identity: identity,
+    conn: conn
+  } do
+    resource = Fixtures.Resources.create_resource(account: account, type: :internet)
+
+    {:ok, lv, _html} =
+      conn
+      |> authorize_conn(identity)
+      |> live(~p"/#{account}/policies/new?resource_id=#{resource.id}")
+
+    form = form(lv, "form")
+
+    assert find_inputs(form) == [
+             "policy[actor_group_id]",
+             "policy[actor_group_id]_name",
+             "policy[conditions][client_verified][operator]",
+             "policy[conditions][client_verified][property]",
+             "policy[conditions][client_verified][values][]",
+             "policy[conditions][provider_id][operator]",
+             "policy[conditions][provider_id][property]",
+             "policy[conditions][provider_id][values][]",
+             "policy[conditions][remote_ip][operator]",
+             "policy[conditions][remote_ip][property]",
+             "policy[conditions][remote_ip][values][]",
+             "policy[conditions][remote_ip_location_region][operator]",
+             "policy[conditions][remote_ip_location_region][property]",
+             "policy[conditions][remote_ip_location_region][values][]",
+             "policy[description]",
+             "policy[resource_id]",
+             "policy[resource_id]_name",
+             "search_query-policy_actor_group_id",
+             "search_query-policy_resource_id"
+           ]
+  end
+
  test "renders changeset errors on input change", %{
    account: account,
    identity: identity,