From ecf743205cfae91dfa886450ce60ed6e04ce9d22 Mon Sep 17 00:00:00 2001
From: Artem Niehrieiev
Date: Wed, 18 Mar 2026 15:40:30 +0000
Subject: [PATCH] refactor: simplify policy reference validation and enable feature flag
---
 .../cedar-authorization.service.ts | 37 ++++++++----------- 
 1 file changed, 16 insertions(+), 21 deletions(-)
diff --git a/backend/src/entities/cedar-authorization/cedar-authorization.service.ts b/backend/src/entities/cedar-authorization/cedar-authorization.service.ts
index b9545e8b5..d357574c3 100644
--- a/backend/src/entities/cedar-authorization/cedar-authorization.service.ts
+++ b/backend/src/entities/cedar-authorization/cedar-authorization.service.ts
@@ -37,7 +37,8 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 }
 isFeatureEnabled(): boolean {
- return process.env.CEDAR_AUTHORIZATION_ENABLED === 'true';
+ // return process.env.CEDAR_AUTHORIZATION_ENABLED === 'true';
+ return true;
 }
 async validate(request: CedarValidationRequest): Promise {
@@ -265,13 +266,10 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 }
 }
- private async validatePolicyReferences(
- cedarPolicy: string,
- connectionId: string,
- ): Promise {
- const connectionIds = [
- ...cedarPolicy.matchAll(/resource\s*==\s*RocketAdmin::Connection::"([^"]+)"/g),
- ].map((m) => m[1]);
+ private async validatePolicyReferences(cedarPolicy: string, connectionId: string): Promise {
+ const connectionIds = [...cedarPolicy.matchAll(/resource\s*==\s*RocketAdmin::Connection::"([^"]+)"/g)].map(
+ (m) => m[1],
+ );
 for (const refConnectionId of connectionIds) {
 if (refConnectionId !== connectionId) {
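Review bot: `isFeatureEnabled()` now returns `true` unconditionally, so `CEDAR_AUTHORIZATION_ENABLED` no longer has any effect and the authorization path can no longer be switched per deployment or rolled back through configuration. That is a behaviour change shipped under a `refactor:` subject, with the old check left behind as a commented-out line. If default-on is the intent, `return process.env.CEDAR_AUTHORIZATION_ENABLED !== 'false';` keeps an operator off-switch, and the commented line can be deleted. If the flag is being retired instead, a one-line comment saying so would be clearer than dead code.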
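Review bot: The reference checks in `validatePolicyReferences` (the Connection check in this hunk, and the Group, Table and Dashboard checks in the later hunks) scan the policy text with regexes that match only the `resource == RocketAdmin::<Type>::"id"` form, so a reference written another way, for example with `resource in ...` or with an escaped quote inside the id, would presumably never be compared with `connectionId`. Because these checks are what keep a policy from naming another connection's resources, the limit deserves at least a comment above the method, such as `// Only 'resource == Type::"id"' references are checked here; other reference forms are not validated.` A stricter option is to run the ownership checks over the parsed policy rather than its text and reject any entity reference the check does not recognise. The method body continues past this hunk.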
@@ -282,9 +280,9 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 }
 }
- const groupResourceIds = [
- ...cedarPolicy.matchAll(/resource\s*==\s*RocketAdmin::Group::"([^"]+)"/g),
- ].map((m) => m[1]);
+ const groupResourceIds = [...cedarPolicy.matchAll(/resource\s*==\s*RocketAdmin::Group::"([^"]+)"/g)].map(
+ (m) => m[1],
+ );
 if (groupResourceIds.length > 0) {
 const connectionGroups = await this.globalDbContext.groupRepository.findAllGroupsInConnection(connectionId);
@@ -292,17 +290,14 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 for (const refGroupId of groupResourceIds) {
 if (!connectionGroupIds.has(refGroupId)) {
- throw new HttpException(
- { message: Messages.CEDAR_POLICY_REFERENCES_FOREIGN_GROUP },
- HttpStatus.BAD_REQUEST,
- );
+ throw new HttpException({ message: Messages.CEDAR_POLICY_REFERENCES_FOREIGN_GROUP }, HttpStatus.BAD_REQUEST);
 }
 }
 }
- const tableResourceIds = [
- ...cedarPolicy.matchAll(/resource\s*==\s*RocketAdmin::Table::"([^"]+)"/g),
- ].map((m) => m[1]);
+ const tableResourceIds = [...cedarPolicy.matchAll(/resource\s*==\s*RocketAdmin::Table::"([^"]+)"/g)].map(
+ (m) => m[1],
+ );
 for (const tableRef of tableResourceIds) {
 if (!tableRef.startsWith(`${connectionId}/`)) {
@@ -313,9 +308,9 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 }
 }
- const dashboardResourceIds = [
- ...cedarPolicy.matchAll(/resource\s*==\s*RocketAdmin::Dashboard::"([^"]+)"/g),
- ].map((m) => m[1]);
+ const dashboardResourceIds = [...cedarPolicy.matchAll(/resource\s*==\s*RocketAdmin::Dashboard::"([^"]+)"/g)].map(
+ (m) => m[1],
+ );
 for (const dashboardRef of dashboardResourceIds) {
 if (!dashboardRef.startsWith(`${connectionId}/`)) {