Skip to content

feat(access-control): add ALLOWED_INTEGRATIONS env var for self-hosted block restrictions #3238

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
waleedlatif1 merged 12 commits into from
Feb 18, 2026
Merged

feat(access-control): add ALLOWED_INTEGRATIONS env var for self-hosted block restrictions #3238

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
03aa64b
feat(access-control): add ALLOWED_INTEGRATIONS env var for self-hoste…
waleedlatif1 Feb 17, 2026
b82b524
fix(tests): add getAllowedIntegrationsFromEnv mock to agent-handler t…
waleedlatif1 Feb 18, 2026
5817ec5
fix(access-control): add auth to allowlist endpoint, fix loading stat…
waleedlatif1 Feb 18, 2026
5854ca4
fix(access-control): remove auth from allowed-integrations endpoint t…
waleedlatif1 Feb 18, 2026
d0a3cd3
fix(access-control): normalize blockType to lowercase before env allo…
waleedlatif1 Feb 18, 2026
9c22c63
fix(access-control): expose merged allowedIntegrations on config to p…
waleedlatif1 Feb 18, 2026
bb513e6
consolidate merging of allowed blocks so all callers have it by default
waleedlatif1 Feb 18, 2026
628a313
normalize to lower case
waleedlatif1 Feb 18, 2026
5ec4e63
added tests
waleedlatif1 Feb 18, 2026
2d863f9
added tests, normalize to lower case
waleedlatif1 Feb 18, 2026
4eaad05
added safety incase userId is missing
waleedlatif1 Feb 18, 2026
0a08bd2
fix failing tests
waleedlatif1 Feb 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
fix failing tests
  • Loading branch information
@waleedlatif1
waleedlatif1 committed Feb 18, 2026
commit 0a08bd20eb5426f32a0a4889d966712eb3a79dc5
71 changes: 37 additions & 34 deletions apps/sim/ee/access-control/utils/permission-check.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,30 +4,36 @@
import { databaseMock, drizzleOrmMock, loggerMock } from '@sim/testing'
import { beforeEach, describe, expect, it, vi } from 'vitest'

const DEFAULT_PERMISSION_GROUP_CONFIG = {
allowedIntegrations: null,
allowedModelProviders: null,
hideTraceSpans: false,
hideKnowledgeBaseTab: false,
hideCopilot: false,
hideApiKeysTab: false,
hideEnvironmentTab: false,
hideFilesTab: false,
disableMcpTools: false,
disableCustomTools: false,
disableSkills: false,
hideTemplates: false,
disableInvitations: false,
hideDeployApi: false,
hideDeployMcp: false,
hideDeployA2a: false,
hideDeployChatbot: false,
hideDeployTemplate: false,
}

const mockGetAllowedIntegrationsFromEnv = vi.fn<() => string[] | null>()
const mockIsOrganizationOnEnterprisePlan = vi.fn<() => Promise<boolean>>()
const mockGetProviderFromModel = vi.fn<(model: string) => string>()
const {
DEFAULT_PERMISSION_GROUP_CONFIG,
mockGetAllowedIntegrationsFromEnv,
mockIsOrganizationOnEnterprisePlan,
mockGetProviderFromModel,
} = vi.hoisted(() => ({
DEFAULT_PERMISSION_GROUP_CONFIG: {
allowedIntegrations: null,
allowedModelProviders: null,
hideTraceSpans: false,
hideKnowledgeBaseTab: false,
hideCopilot: false,
hideApiKeysTab: false,
hideEnvironmentTab: false,
hideFilesTab: false,
disableMcpTools: false,
disableCustomTools: false,
disableSkills: false,
hideTemplates: false,
disableInvitations: false,
hideDeployApi: false,
hideDeployMcp: false,
hideDeployA2a: false,
hideDeployChatbot: false,
hideDeployTemplate: false,
},
mockGetAllowedIntegrationsFromEnv: vi.fn<() => string[] | null>(),
mockIsOrganizationOnEnterprisePlan: vi.fn<() => Promise<boolean>>(),
mockGetProviderFromModel: vi.fn<(model: string) => string>(),
}))

vi.mock('@sim/db', () => databaseMock)
vi.mock('@sim/db/schema', () => ({}))
Expand All @@ -52,7 +58,6 @@ vi.mock('@/providers/utils', () => ({
getProviderFromModel: mockGetProviderFromModel,
}))

import { getAllowedIntegrationsFromEnv } from '@/lib/core/config/feature-flags'
import {
getUserPermissionConfig,
IntegrationNotAllowedError,
Expand Down Expand Up @@ -112,13 +117,13 @@ describe('env allowlist fallback when userId is absent', () => {
vi.clearAllMocks()
})

it('returns null config when no userId and no env allowlist', async () => {
it('returns null allowlist when no userId and no env allowlist', async () => {
mockGetAllowedIntegrationsFromEnv.mockReturnValue(null)

const userId: string | undefined = undefined
const permissionConfig = userId ? await getUserPermissionConfig(userId) : null
const allowedIntegrations =
permissionConfig?.allowedIntegrations ?? getAllowedIntegrationsFromEnv()
permissionConfig?.allowedIntegrations ?? mockGetAllowedIntegrationsFromEnv()

expect(allowedIntegrations).toBeNull()
})
Expand All @@ -129,7 +134,7 @@ describe('env allowlist fallback when userId is absent', () => {
const userId: string | undefined = undefined
const permissionConfig = userId ? await getUserPermissionConfig(userId) : null
const allowedIntegrations =
permissionConfig?.allowedIntegrations ?? getAllowedIntegrationsFromEnv()
permissionConfig?.allowedIntegrations ?? mockGetAllowedIntegrationsFromEnv()

expect(allowedIntegrations).toEqual(['slack', 'gmail'])
})
Expand All @@ -140,7 +145,7 @@ describe('env allowlist fallback when userId is absent', () => {
const userId: string | undefined = undefined
const permissionConfig = userId ? await getUserPermissionConfig(userId) : null
const allowedIntegrations =
permissionConfig?.allowedIntegrations ?? getAllowedIntegrationsFromEnv()
permissionConfig?.allowedIntegrations ?? mockGetAllowedIntegrationsFromEnv()

expect(allowedIntegrations).not.toBeNull()
expect(allowedIntegrations!.includes('slack')).toBe(true)
Expand Down Expand Up @@ -210,14 +215,12 @@ describe('validateBlockType', () => {
await validateBlockType(undefined, 'GOOGLE_DRIVE')
})

it('includes reason in error for env-only enforcement', async () => {
it('includes env reason in error when env allowlist is the source', async () => {
await expect(validateBlockType(undefined, 'discord')).rejects.toThrow(/ALLOWED_INTEGRATIONS/)
})

it('does not include env reason when userId is provided', async () => {
await expect(validateBlockType('user-123', 'discord')).rejects.toThrow(
/permission group settings/
)
it('includes env reason even when userId is present if env is the source', async () => {
await expect(validateBlockType('user-123', 'discord')).rejects.toThrow(/ALLOWED_INTEGRATIONS/)
})
})
})
Expand Down
9 changes: 5 additions & 4 deletions apps/sim/ee/access-control/utils/permission-check.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -195,16 +195,17 @@ export async function validateBlockType(
}

if (!config.allowedIntegrations.includes(blockType.toLowerCase())) {
const isEnvOnly = !userId
const envAllowlist = getAllowedIntegrationsFromEnv()
const blockedByEnv = envAllowlist !== null && !envAllowlist.includes(blockType.toLowerCase())
logger.warn(
isEnvOnly
blockedByEnv
? 'Integration blocked by env allowlist'
: 'Integration blocked by permission config',
: 'Integration blocked by permission group',
{ userId, blockType }
)
throw new IntegrationNotAllowedError(
blockType,
isEnvOnly ? 'blocked by server ALLOWED_INTEGRATIONS policy' : undefined
blockedByEnv ? 'blocked by server ALLOWED_INTEGRATIONS policy' : undefined
)
}
}
Expand Down