chore: import upstream snapshot with attribution
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Has been cancelled
Publish Python SDK / publish-pypi (push) Has been cancelled
Publish TypeScript SDK / publish-npm (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,160 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { toError } from '@sim/utils/errors'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { vantaDownloadContract } from '@/lib/api/contracts/tools/vanta'
|
||||
import { parseRequest } from '@/lib/api/server'
|
||||
import { checkInternalAuth } from '@/lib/auth/hybrid'
|
||||
import { generateRequestId } from '@/lib/core/utils/request'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import {
|
||||
buildVantaUrl,
|
||||
extractVantaError,
|
||||
fetchVantaWithAuth,
|
||||
getVantaBaseUrl,
|
||||
VANTA_READ_SCOPE,
|
||||
} from '@/tools/vanta/utils'
|
||||
|
||||
export const dynamic = 'force-dynamic'
|
||||
|
||||
const logger = createLogger('VantaDownloadAPI')
|
||||
|
||||
const MAX_DOWNLOAD_SIZE_BYTES = 100 * 1024 * 1024
|
||||
|
||||
function downloadSizeError(bytes: number): NextResponse {
|
||||
const sizeMB = (bytes / (1024 * 1024)).toFixed(2)
|
||||
return NextResponse.json(
|
||||
{ success: false, error: `File size (${sizeMB}MB) exceeds download limit of 100MB` },
|
||||
{ status: 400 }
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Reads a response body incrementally, aborting as soon as the accumulated
|
||||
* size exceeds the limit so oversized files are never fully buffered.
|
||||
* Returns null when the limit is exceeded.
|
||||
*/
|
||||
async function readBodyWithLimit(response: Response, maxBytes: number): Promise<Buffer | null> {
|
||||
const reader = response.body?.getReader()
|
||||
if (!reader) {
|
||||
const buffer = Buffer.from(await response.arrayBuffer())
|
||||
return buffer.length > maxBytes ? null : buffer
|
||||
}
|
||||
|
||||
const chunks: Uint8Array[] = []
|
||||
let total = 0
|
||||
while (true) {
|
||||
const { done, value } = await reader.read()
|
||||
if (done) break
|
||||
total += value.byteLength
|
||||
if (total > maxBytes) {
|
||||
await reader.cancel()
|
||||
return null
|
||||
}
|
||||
chunks.push(value)
|
||||
}
|
||||
return Buffer.concat(chunks)
|
||||
}
|
||||
|
||||
/**
|
||||
* Extracts the filename from a Content-Disposition header, if present.
|
||||
*/
|
||||
function getFileNameFromContentDisposition(header: string | null): string | null {
|
||||
if (!header) return null
|
||||
const utf8Match = header.match(/filename\*=UTF-8''([^;]+)/i)
|
||||
if (utf8Match) {
|
||||
try {
|
||||
return decodeURIComponent(utf8Match[1])
|
||||
} catch {
|
||||
return null
|
||||
}
|
||||
}
|
||||
const plainMatch = header.match(/filename="?([^";]+)"?/i)
|
||||
return plainMatch ? plainMatch[1] : null
|
||||
}
|
||||
|
||||
export const POST = withRouteHandler(async (request: NextRequest) => {
|
||||
const requestId = generateRequestId()
|
||||
|
||||
try {
|
||||
const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
|
||||
if (!authResult.success) {
|
||||
logger.warn(`[${requestId}] Unauthorized Vanta download attempt`, {
|
||||
error: authResult.error || 'Unauthorized',
|
||||
})
|
||||
return NextResponse.json(
|
||||
{ success: false, error: authResult.error || 'Unauthorized' },
|
||||
{ status: 401 }
|
||||
)
|
||||
}
|
||||
|
||||
const parsed = await parseRequest(vantaDownloadContract, request, {})
|
||||
if (!parsed.success) return parsed.response
|
||||
const params = parsed.data.body
|
||||
|
||||
const mediaUrl = buildVantaUrl(
|
||||
getVantaBaseUrl(params.region),
|
||||
`/documents/${encodeURIComponent(params.documentId)}/uploads/${encodeURIComponent(params.uploadedFileId)}/media`
|
||||
)
|
||||
|
||||
logger.info(`[${requestId}] Downloading Vanta document file`, {
|
||||
documentId: params.documentId,
|
||||
uploadedFileId: params.uploadedFileId,
|
||||
})
|
||||
|
||||
const response = await fetchVantaWithAuth(
|
||||
{
|
||||
clientId: params.clientId,
|
||||
clientSecret: params.clientSecret,
|
||||
region: params.region,
|
||||
scope: VANTA_READ_SCOPE,
|
||||
},
|
||||
(accessToken) =>
|
||||
fetch(mediaUrl, {
|
||||
method: 'GET',
|
||||
headers: { Authorization: `Bearer ${accessToken}` },
|
||||
cache: 'no-store',
|
||||
})
|
||||
)
|
||||
|
||||
if (!response.ok) {
|
||||
const errorData: unknown = await response.json().catch(() => null)
|
||||
const message = extractVantaError(errorData, 'Failed to download Vanta document file')
|
||||
logger.error(`[${requestId}] Vanta download failed`, { status: response.status, message })
|
||||
return NextResponse.json({ success: false, error: message }, { status: response.status })
|
||||
}
|
||||
|
||||
const contentLength = Number(response.headers.get('content-length'))
|
||||
if (Number.isFinite(contentLength) && contentLength > MAX_DOWNLOAD_SIZE_BYTES) {
|
||||
return downloadSizeError(contentLength)
|
||||
}
|
||||
|
||||
const buffer = await readBodyWithLimit(response, MAX_DOWNLOAD_SIZE_BYTES)
|
||||
if (buffer === null) {
|
||||
return NextResponse.json(
|
||||
{ success: false, error: 'File exceeds download limit of 100MB' },
|
||||
{ status: 400 }
|
||||
)
|
||||
}
|
||||
|
||||
const mimeType = response.headers.get('content-type') || 'application/octet-stream'
|
||||
const name =
|
||||
getFileNameFromContentDisposition(response.headers.get('content-disposition')) ||
|
||||
`vanta-document-file-${params.uploadedFileId}`
|
||||
|
||||
logger.info(`[${requestId}] Vanta download successful`, { name, size: buffer.length })
|
||||
|
||||
return NextResponse.json({
|
||||
success: true,
|
||||
output: {
|
||||
file: { name, mimeType, data: buffer.toString('base64'), size: buffer.length },
|
||||
name,
|
||||
mimeType,
|
||||
size: buffer.length,
|
||||
},
|
||||
})
|
||||
} catch (error) {
|
||||
const message = toError(error).message
|
||||
logger.error(`[${requestId}] Vanta download failed`, { error: message })
|
||||
return NextResponse.json({ success: false, error: message }, { status: 500 })
|
||||
}
|
||||
})
|
||||
@@ -0,0 +1,423 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { toError } from '@sim/utils/errors'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import type { VantaQueryBody } from '@/lib/api/contracts/tools/vanta'
|
||||
import { vantaQueryContract } from '@/lib/api/contracts/tools/vanta'
|
||||
import { parseRequest } from '@/lib/api/server'
|
||||
import { checkInternalAuth } from '@/lib/auth/hybrid'
|
||||
import { generateRequestId } from '@/lib/core/utils/request'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import {
|
||||
asVantaRecord,
|
||||
buildVantaUrl,
|
||||
extractVantaError,
|
||||
fetchVantaWithAuth,
|
||||
getVantaBaseUrl,
|
||||
getVantaListResults,
|
||||
normalizeVantaControl,
|
||||
normalizeVantaControlDetail,
|
||||
normalizeVantaDocument,
|
||||
normalizeVantaDocumentDetail,
|
||||
normalizeVantaFramework,
|
||||
normalizeVantaFrameworkDetail,
|
||||
normalizeVantaMonitoredComputer,
|
||||
normalizeVantaPerson,
|
||||
normalizeVantaPolicy,
|
||||
normalizeVantaRiskScenario,
|
||||
normalizeVantaTest,
|
||||
normalizeVantaTestEntity,
|
||||
normalizeVantaUploadedFile,
|
||||
normalizeVantaVendor,
|
||||
normalizeVantaVulnerability,
|
||||
normalizeVantaVulnerabilityRemediation,
|
||||
normalizeVantaVulnerableAsset,
|
||||
splitVantaCommaList,
|
||||
VANTA_READ_SCOPE,
|
||||
VANTA_WRITE_SCOPE,
|
||||
} from '@/tools/vanta/utils'
|
||||
|
||||
export const dynamic = 'force-dynamic'
|
||||
|
||||
const logger = createLogger('VantaQueryAPI')
|
||||
|
||||
interface VantaApiRequest {
|
||||
method: 'GET' | 'POST'
|
||||
url: string
|
||||
}
|
||||
|
||||
/**
|
||||
* Maps a validated query operation to the Vanta API request it performs.
|
||||
*/
|
||||
function buildVantaApiRequest(baseUrl: string, params: VantaQueryBody): VantaApiRequest {
|
||||
const id = encodeURIComponent
|
||||
|
||||
switch (params.operation) {
|
||||
case 'vanta_list_frameworks':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, '/frameworks', {
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_get_framework':
|
||||
return { method: 'GET', url: buildVantaUrl(baseUrl, `/frameworks/${id(params.frameworkId)}`) }
|
||||
case 'vanta_list_framework_controls':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, `/frameworks/${id(params.frameworkId)}/controls`, {
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_list_controls':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, '/controls', {
|
||||
frameworkMatchesAny: splitVantaCommaList(params.frameworkMatchesAny),
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_get_control':
|
||||
return { method: 'GET', url: buildVantaUrl(baseUrl, `/controls/${id(params.controlId)}`) }
|
||||
case 'vanta_list_control_tests':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, `/controls/${id(params.controlId)}/tests`, {
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_list_control_documents':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, `/controls/${id(params.controlId)}/documents`, {
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_list_tests':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, '/tests', {
|
||||
statusFilter: params.statusFilter,
|
||||
frameworkFilter: params.frameworkFilter,
|
||||
integrationFilter: params.integrationFilter,
|
||||
controlFilter: params.controlFilter,
|
||||
ownerFilter: params.ownerFilter,
|
||||
categoryFilter: params.categoryFilter,
|
||||
isInRollout: params.isInRollout,
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_get_test':
|
||||
return { method: 'GET', url: buildVantaUrl(baseUrl, `/tests/${id(params.testId)}`) }
|
||||
case 'vanta_list_test_entities':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, `/tests/${id(params.testId)}/entities`, {
|
||||
entityStatus: params.entityStatus,
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_list_documents':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, '/documents', {
|
||||
frameworkMatchesAny: splitVantaCommaList(params.frameworkMatchesAny),
|
||||
statusMatchesAny: splitVantaCommaList(params.statusMatchesAny),
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_get_document':
|
||||
return { method: 'GET', url: buildVantaUrl(baseUrl, `/documents/${id(params.documentId)}`) }
|
||||
case 'vanta_list_document_uploads':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, `/documents/${id(params.documentId)}/uploads`, {
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_submit_document':
|
||||
return {
|
||||
method: 'POST',
|
||||
url: buildVantaUrl(baseUrl, `/documents/${id(params.documentId)}/submit`),
|
||||
}
|
||||
case 'vanta_list_people':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, '/people', {
|
||||
emailAndNameFilter: params.emailAndNameFilter,
|
||||
employmentStatus: params.employmentStatus,
|
||||
groupIdsMatchesAny: splitVantaCommaList(params.groupIdsMatchesAny),
|
||||
tasksSummaryStatusMatchesAny: splitVantaCommaList(params.tasksSummaryStatusMatchesAny),
|
||||
taskTypeMatchesAny: splitVantaCommaList(params.taskTypeMatchesAny),
|
||||
taskStatusMatchesAny: splitVantaCommaList(params.taskStatusMatchesAny),
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_get_person':
|
||||
return { method: 'GET', url: buildVantaUrl(baseUrl, `/people/${id(params.personId)}`) }
|
||||
case 'vanta_list_policies':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, '/policies', {
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_get_policy':
|
||||
return { method: 'GET', url: buildVantaUrl(baseUrl, `/policies/${id(params.policyId)}`) }
|
||||
case 'vanta_list_vendors':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, '/vendors', {
|
||||
name: params.name,
|
||||
statusMatchesAny: splitVantaCommaList(params.statusMatchesAny),
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_get_vendor':
|
||||
return { method: 'GET', url: buildVantaUrl(baseUrl, `/vendors/${id(params.vendorId)}`) }
|
||||
case 'vanta_list_monitored_computers':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, '/monitored-computers', {
|
||||
complianceStatusFilterMatchesAny: splitVantaCommaList(
|
||||
params.complianceStatusFilterMatchesAny
|
||||
),
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_list_vulnerabilities':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, '/vulnerabilities', {
|
||||
q: params.q,
|
||||
severity: params.severity,
|
||||
isFixAvailable: params.isFixAvailable,
|
||||
isDeactivated: params.isDeactivated,
|
||||
includeVulnerabilitiesWithoutSlas: params.includeVulnerabilitiesWithoutSlas,
|
||||
packageIdentifier: params.packageIdentifier,
|
||||
externalVulnerabilityId: params.externalVulnerabilityId,
|
||||
integrationId: params.integrationId,
|
||||
vulnerableAssetId: params.vulnerableAssetId,
|
||||
slaDeadlineAfterDate: params.slaDeadlineAfterDate,
|
||||
slaDeadlineBeforeDate: params.slaDeadlineBeforeDate,
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_list_vulnerability_remediations':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, '/vulnerability-remediations', {
|
||||
integrationId: params.integrationId,
|
||||
severity: params.severity,
|
||||
isRemediatedOnTime: params.isRemediatedOnTime,
|
||||
remediatedAfterDate: params.remediatedAfterDate,
|
||||
remediatedBeforeDate: params.remediatedBeforeDate,
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_list_vulnerable_assets':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, '/vulnerable-assets', {
|
||||
q: params.q,
|
||||
integrationId: params.integrationId,
|
||||
assetType: params.assetType,
|
||||
assetExternalAccountId: params.assetExternalAccountId,
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_get_vulnerable_asset':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, `/vulnerable-assets/${id(params.vulnerableAssetId)}`),
|
||||
}
|
||||
case 'vanta_list_risk_scenarios':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, '/risk-scenarios', {
|
||||
searchString: params.searchString,
|
||||
includeIgnored: params.includeIgnored,
|
||||
type: params.type,
|
||||
ownerMatchesAny: splitVantaCommaList(params.ownerMatchesAny),
|
||||
categoryMatchesAny: splitVantaCommaList(params.categoryMatchesAny),
|
||||
ciaCategoryMatchesAny: splitVantaCommaList(params.ciaCategoryMatchesAny),
|
||||
treatmentTypeMatchesAny: splitVantaCommaList(params.treatmentTypeMatchesAny),
|
||||
inherentScoreGroupMatchesAny: splitVantaCommaList(params.inherentScoreGroupMatchesAny),
|
||||
residualScoreGroupMatchesAny: splitVantaCommaList(params.residualScoreGroupMatchesAny),
|
||||
reviewStatusMatchesAny: splitVantaCommaList(params.reviewStatusMatchesAny),
|
||||
orderBy: params.orderBy,
|
||||
pageSize: params.pageSize,
|
||||
pageCursor: params.pageCursor,
|
||||
}),
|
||||
}
|
||||
case 'vanta_get_risk_scenario':
|
||||
return {
|
||||
method: 'GET',
|
||||
url: buildVantaUrl(baseUrl, `/risk-scenarios/${id(params.riskScenarioId)}`),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Normalizes a successful Vanta API response body into the operation's
|
||||
* documented output shape.
|
||||
*/
|
||||
function buildVantaOutput(params: VantaQueryBody, data: unknown): Record<string, unknown> {
|
||||
switch (params.operation) {
|
||||
case 'vanta_list_frameworks': {
|
||||
const { data: items, pageInfo } = getVantaListResults(data)
|
||||
return { frameworks: items.map(normalizeVantaFramework), pageInfo }
|
||||
}
|
||||
case 'vanta_get_framework':
|
||||
return { framework: normalizeVantaFrameworkDetail(asVantaRecord(data)) }
|
||||
case 'vanta_list_framework_controls':
|
||||
case 'vanta_list_controls': {
|
||||
const { data: items, pageInfo } = getVantaListResults(data)
|
||||
return { controls: items.map(normalizeVantaControl), pageInfo }
|
||||
}
|
||||
case 'vanta_get_control':
|
||||
return { control: normalizeVantaControlDetail(asVantaRecord(data)) }
|
||||
case 'vanta_list_control_tests':
|
||||
case 'vanta_list_tests': {
|
||||
const { data: items, pageInfo } = getVantaListResults(data)
|
||||
return { tests: items.map(normalizeVantaTest), pageInfo }
|
||||
}
|
||||
case 'vanta_get_test':
|
||||
return { test: normalizeVantaTest(asVantaRecord(data)) }
|
||||
case 'vanta_list_test_entities': {
|
||||
const { data: items, pageInfo } = getVantaListResults(data)
|
||||
return { entities: items.map(normalizeVantaTestEntity), pageInfo }
|
||||
}
|
||||
case 'vanta_list_control_documents':
|
||||
case 'vanta_list_documents': {
|
||||
const { data: items, pageInfo } = getVantaListResults(data)
|
||||
return { documents: items.map(normalizeVantaDocument), pageInfo }
|
||||
}
|
||||
case 'vanta_get_document':
|
||||
return { document: normalizeVantaDocumentDetail(asVantaRecord(data)) }
|
||||
case 'vanta_list_document_uploads': {
|
||||
const { data: items, pageInfo } = getVantaListResults(data)
|
||||
return { uploads: items.map(normalizeVantaUploadedFile), pageInfo }
|
||||
}
|
||||
case 'vanta_submit_document':
|
||||
return { documentId: params.documentId, submitted: true }
|
||||
case 'vanta_list_people': {
|
||||
const { data: items, pageInfo } = getVantaListResults(data)
|
||||
return { people: items.map(normalizeVantaPerson), pageInfo }
|
||||
}
|
||||
case 'vanta_get_person':
|
||||
return { person: normalizeVantaPerson(asVantaRecord(data)) }
|
||||
case 'vanta_list_policies': {
|
||||
const { data: items, pageInfo } = getVantaListResults(data)
|
||||
return { policies: items.map(normalizeVantaPolicy), pageInfo }
|
||||
}
|
||||
case 'vanta_get_policy':
|
||||
return { policy: normalizeVantaPolicy(asVantaRecord(data)) }
|
||||
case 'vanta_list_vendors': {
|
||||
const { data: items, pageInfo } = getVantaListResults(data)
|
||||
return { vendors: items.map(normalizeVantaVendor), pageInfo }
|
||||
}
|
||||
case 'vanta_get_vendor':
|
||||
return { vendor: normalizeVantaVendor(asVantaRecord(data)) }
|
||||
case 'vanta_list_monitored_computers': {
|
||||
const { data: items, pageInfo } = getVantaListResults(data)
|
||||
return { computers: items.map(normalizeVantaMonitoredComputer), pageInfo }
|
||||
}
|
||||
case 'vanta_list_vulnerabilities': {
|
||||
const { data: items, pageInfo } = getVantaListResults(data)
|
||||
return { vulnerabilities: items.map(normalizeVantaVulnerability), pageInfo }
|
||||
}
|
||||
case 'vanta_list_vulnerability_remediations': {
|
||||
const { data: items, pageInfo } = getVantaListResults(data)
|
||||
return { remediations: items.map(normalizeVantaVulnerabilityRemediation), pageInfo }
|
||||
}
|
||||
case 'vanta_list_vulnerable_assets': {
|
||||
const { data: items, pageInfo } = getVantaListResults(data)
|
||||
return { assets: items.map(normalizeVantaVulnerableAsset), pageInfo }
|
||||
}
|
||||
case 'vanta_get_vulnerable_asset':
|
||||
return { asset: normalizeVantaVulnerableAsset(asVantaRecord(data)) }
|
||||
case 'vanta_list_risk_scenarios': {
|
||||
const { data: items, pageInfo } = getVantaListResults(data)
|
||||
return { riskScenarios: items.map(normalizeVantaRiskScenario), pageInfo }
|
||||
}
|
||||
case 'vanta_get_risk_scenario':
|
||||
return { riskScenario: normalizeVantaRiskScenario(asVantaRecord(data)) }
|
||||
}
|
||||
}
|
||||
|
||||
export const POST = withRouteHandler(async (request: NextRequest) => {
|
||||
const requestId = generateRequestId()
|
||||
|
||||
try {
|
||||
const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
|
||||
if (!authResult.success) {
|
||||
logger.warn(`[${requestId}] Unauthorized Vanta query attempt`, {
|
||||
error: authResult.error || 'Unauthorized',
|
||||
})
|
||||
return NextResponse.json(
|
||||
{ success: false, error: authResult.error || 'Unauthorized' },
|
||||
{ status: 401 }
|
||||
)
|
||||
}
|
||||
|
||||
const parsed = await parseRequest(vantaQueryContract, request, {})
|
||||
if (!parsed.success) return parsed.response
|
||||
const params = parsed.data.body
|
||||
|
||||
const baseUrl = getVantaBaseUrl(params.region)
|
||||
const scope =
|
||||
params.operation === 'vanta_submit_document' ? VANTA_WRITE_SCOPE : VANTA_READ_SCOPE
|
||||
|
||||
logger.info(`[${requestId}] Vanta query request`, { operation: params.operation })
|
||||
|
||||
const apiRequest = buildVantaApiRequest(baseUrl, params)
|
||||
const response = await fetchVantaWithAuth(
|
||||
{
|
||||
clientId: params.clientId,
|
||||
clientSecret: params.clientSecret,
|
||||
region: params.region,
|
||||
scope,
|
||||
},
|
||||
(accessToken) =>
|
||||
fetch(apiRequest.url, {
|
||||
method: apiRequest.method,
|
||||
headers: {
|
||||
Accept: 'application/json',
|
||||
Authorization: `Bearer ${accessToken}`,
|
||||
},
|
||||
cache: 'no-store',
|
||||
})
|
||||
)
|
||||
|
||||
if (!response.ok) {
|
||||
const errorData: unknown = await response.json().catch(() => null)
|
||||
return NextResponse.json(
|
||||
{ success: false, error: extractVantaError(errorData, 'Vanta request failed') },
|
||||
{ status: response.status }
|
||||
)
|
||||
}
|
||||
|
||||
const data: unknown = response.status === 204 ? null : await response.json().catch(() => null)
|
||||
return NextResponse.json({ success: true, output: buildVantaOutput(params, data) })
|
||||
} catch (error) {
|
||||
const message = toError(error).message
|
||||
logger.error(`[${requestId}] Vanta query failed`, { error: message })
|
||||
return NextResponse.json({ success: false, error: message }, { status: 500 })
|
||||
}
|
||||
})
|
||||
@@ -0,0 +1,160 @@
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { getErrorMessage, toError } from '@sim/utils/errors'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { vantaUploadContract } from '@/lib/api/contracts/tools/vanta'
|
||||
import { parseRequest } from '@/lib/api/server'
|
||||
import { checkInternalAuth } from '@/lib/auth/hybrid'
|
||||
import { generateRequestId } from '@/lib/core/utils/request'
|
||||
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
||||
import { processFilesToUserFiles, type RawFileInput } from '@/lib/uploads/utils/file-utils'
|
||||
import { downloadServableFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
|
||||
import { docNotReadyResponse } from '@/lib/uploads/utils/servable-file-response'
|
||||
import { assertToolFileAccess } from '@/app/api/files/authorization'
|
||||
import {
|
||||
asVantaRecord,
|
||||
buildVantaUrl,
|
||||
extractVantaError,
|
||||
fetchVantaWithAuth,
|
||||
getVantaBaseUrl,
|
||||
normalizeVantaUploadedFile,
|
||||
VANTA_DOCUMENT_UPLOAD_SCOPE,
|
||||
} from '@/tools/vanta/utils'
|
||||
|
||||
export const dynamic = 'force-dynamic'
|
||||
|
||||
const logger = createLogger('VantaUploadAPI')
|
||||
|
||||
const MAX_UPLOAD_SIZE_BYTES = 100 * 1024 * 1024
|
||||
|
||||
function uploadSizeError(bytes: number): NextResponse {
|
||||
const sizeMB = (bytes / (1024 * 1024)).toFixed(2)
|
||||
return NextResponse.json(
|
||||
{ success: false, error: `File size (${sizeMB}MB) exceeds upload limit of 100MB` },
|
||||
{ status: 400 }
|
||||
)
|
||||
}
|
||||
|
||||
export const POST = withRouteHandler(async (request: NextRequest) => {
|
||||
const requestId = generateRequestId()
|
||||
|
||||
try {
|
||||
const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
|
||||
if (!authResult.success || !authResult.userId) {
|
||||
logger.warn(`[${requestId}] Unauthorized Vanta upload attempt`, {
|
||||
error: authResult.error || 'Missing userId',
|
||||
})
|
||||
return NextResponse.json(
|
||||
{ success: false, error: authResult.error || 'Unauthorized' },
|
||||
{ status: 401 }
|
||||
)
|
||||
}
|
||||
|
||||
const parsed = await parseRequest(vantaUploadContract, request, {})
|
||||
if (!parsed.success) return parsed.response
|
||||
const params = parsed.data.body
|
||||
|
||||
let fileBuffer: Buffer
|
||||
let fileName: string
|
||||
let mimeType: string
|
||||
|
||||
if (params.file) {
|
||||
const userFiles = processFilesToUserFiles([params.file as RawFileInput], requestId, logger)
|
||||
if (userFiles.length === 0) {
|
||||
return NextResponse.json({ success: false, error: 'Invalid file input' }, { status: 400 })
|
||||
}
|
||||
|
||||
const userFile = userFiles[0]
|
||||
const denied = await assertToolFileAccess(userFile.key, authResult.userId, requestId, logger)
|
||||
if (denied) return denied
|
||||
|
||||
if (userFile.size > MAX_UPLOAD_SIZE_BYTES) {
|
||||
return uploadSizeError(userFile.size)
|
||||
}
|
||||
|
||||
try {
|
||||
const resolved = await downloadServableFileFromStorage(userFile, requestId, logger)
|
||||
fileBuffer = resolved.buffer
|
||||
fileName = params.fileName || userFile.name
|
||||
mimeType =
|
||||
resolved.contentType || userFile.type || params.mimeType || 'application/octet-stream'
|
||||
} catch (error) {
|
||||
const notReady = docNotReadyResponse(error)
|
||||
if (notReady) return notReady
|
||||
logger.error(`[${requestId}] Failed to download Vanta upload file`, {
|
||||
error: getErrorMessage(error),
|
||||
})
|
||||
return NextResponse.json(
|
||||
{ success: false, error: getErrorMessage(error, 'Failed to download file') },
|
||||
{ status: 500 }
|
||||
)
|
||||
}
|
||||
} else if (params.fileContent) {
|
||||
fileBuffer = Buffer.from(params.fileContent, 'base64')
|
||||
fileName = params.fileName || 'file'
|
||||
mimeType = params.mimeType || 'application/octet-stream'
|
||||
} else {
|
||||
return NextResponse.json({ success: false, error: 'File is required' }, { status: 400 })
|
||||
}
|
||||
|
||||
if (fileBuffer.length > MAX_UPLOAD_SIZE_BYTES) {
|
||||
return uploadSizeError(fileBuffer.length)
|
||||
}
|
||||
|
||||
logger.info(`[${requestId}] Uploading file to Vanta document`, {
|
||||
documentId: params.documentId,
|
||||
fileName,
|
||||
size: fileBuffer.length,
|
||||
})
|
||||
|
||||
const uploadUrl = buildVantaUrl(
|
||||
getVantaBaseUrl(params.region),
|
||||
`/documents/${encodeURIComponent(params.documentId)}/uploads`
|
||||
)
|
||||
const response = await fetchVantaWithAuth(
|
||||
{
|
||||
clientId: params.clientId,
|
||||
clientSecret: params.clientSecret,
|
||||
region: params.region,
|
||||
scope: VANTA_DOCUMENT_UPLOAD_SCOPE,
|
||||
},
|
||||
(accessToken) => {
|
||||
const formData = new FormData()
|
||||
formData.append(
|
||||
'file',
|
||||
new Blob([new Uint8Array(fileBuffer)], { type: mimeType }),
|
||||
fileName
|
||||
)
|
||||
if (params.description) {
|
||||
formData.append('description', params.description)
|
||||
}
|
||||
if (params.effectiveAtDate) {
|
||||
formData.append('effectiveAtDate', params.effectiveAtDate)
|
||||
}
|
||||
return fetch(uploadUrl, {
|
||||
method: 'POST',
|
||||
headers: { Authorization: `Bearer ${accessToken}` },
|
||||
body: formData,
|
||||
cache: 'no-store',
|
||||
})
|
||||
}
|
||||
)
|
||||
|
||||
const data: unknown = await response.json().catch(() => null)
|
||||
if (!response.ok) {
|
||||
const message = extractVantaError(data, 'Failed to upload file to Vanta document')
|
||||
logger.error(`[${requestId}] Vanta upload failed`, { status: response.status, message })
|
||||
return NextResponse.json({ success: false, error: message }, { status: response.status })
|
||||
}
|
||||
|
||||
logger.info(`[${requestId}] Vanta upload successful`, { documentId: params.documentId })
|
||||
|
||||
return NextResponse.json({
|
||||
success: true,
|
||||
output: { upload: normalizeVantaUploadedFile(asVantaRecord(data)) },
|
||||
})
|
||||
} catch (error) {
|
||||
const message = toError(error).message
|
||||
logger.error(`[${requestId}] Vanta upload failed`, { error: message })
|
||||
return NextResponse.json({ success: false, error: message }, { status: 500 })
|
||||
}
|
||||
})
|
||||
Reference in New Issue
Block a user