From debcfc037f87c8d18e4a1649e6ba2ed5acab2869 Mon Sep 17 00:00:00 2001
From: Artem Niehrieiev <r.tem@tuta.io>
Date: Mon, 9 Mar 2026 13:50:31 +0000
Subject: [PATCH] migrate permissions to Cedar during application bootstrap

---
 .../scripts/migrate-permissions-to-cedar.ts                  | 3 ++-
 backend/src/main.ts                                          | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/backend/src/entities/cedar-authorization/scripts/migrate-permissions-to-cedar.ts b/backend/src/entities/cedar-authorization/scripts/migrate-permissions-to-cedar.ts
index 77a6bfe44..f9cf0044b 100644
--- a/backend/src/entities/cedar-authorization/scripts/migrate-permissions-to-cedar.ts
+++ b/backend/src/entities/cedar-authorization/scripts/migrate-permissions-to-cedar.ts
@@ -20,6 +20,7 @@ export async function migratePermissionsToCedar(dataSource: DataSource): Promise
 			.leftJoinAndSelect('group.connection', 'connection')
 			.leftJoinAndSelect('group.permissions', 'permission')
 			.where('connection.id = :connectionId', { connectionId: connection.id })
+			.andWhere('(group.cedarPolicy IS NULL OR group.cedarPolicy = :empty)', { empty: '' })
 			.getMany();
 
 		for (const group of groups) {
@@ -61,5 +62,5 @@ export async function migratePermissionsToCedar(dataSource: DataSource): Promise
 		}
 	}
 
-	console.log(`Migrated Cedar policies for ${migratedCount} groups`);
+	console.log(`Migrated Cedar policies for ${migratedCount} groups (skipped groups with existing policies)`);
 }
diff --git a/backend/src/main.ts b/backend/src/main.ts
index 72fc56809..0c7c29980 100644
--- a/backend/src/main.ts
+++ b/backend/src/main.ts
@@ -7,7 +7,9 @@ import bodyParser from 'body-parser';
 import { ValidationError } from 'class-validator';
 import cookieParser from 'cookie-parser';
 import helmet from 'helmet';
+import { DataSource } from 'typeorm';
 import { ApplicationModule } from './app.module.js';
+import { migratePermissionsToCedar } from './entities/cedar-authorization/scripts/migrate-permissions-to-cedar.js';
 import { WinstonLogger } from './entities/logging/winston-logger.js';
 import { AllExceptionsFilter } from './exceptions/all-exceptions.filter.js';
 import { ValidationException } from './exceptions/custom-exceptions/validation-exception.js';
@@ -82,6 +84,9 @@ async function bootstrap() {
 			}),
 		);
 
+		const dataSource = app.get(DataSource);
+		await migratePermissionsToCedar(dataSource);
+
 		await app.listen(3000);
 	} catch (e) {
 		console.error(`Failed to initialize, due to ${e}`);