Fix resource protection status showing wrong

Owen
2026-06-05 12:12:01 -07:00
parent 6de9ab8f05
commit f2b5cff3f9


@@ -1,9 +1,9 @@
import { import {
alias,
browserGatewayTarget, browserGatewayTarget,
db, db,
labels, labels,
resourceHeaderAuth, resourceHeaderAuth,
resourceHeaderAuthExtendedCompatibility,
resourceLabels, resourceLabels,
resourcePassword, resourcePassword,
resourcePincode, resourcePincode,
@@ -187,16 +187,98 @@ export type ResourceWithTargets = {
}; };
function queryResourcesBase() { function queryResourcesBase() {
const sharedPolicy = alias(resourcePolicies, "sharedPolicy");
const defaultPolicy = alias(resourcePolicies, "defaultPolicy");
const sharedPolicyPincode = alias(
resourcePolicyPincode,
"sharedPolicyPincode"
);
const defaultPolicyPincode = alias(
resourcePolicyPincode,
"defaultPolicyPincode"
);
const sharedPolicyPassword = alias(
resourcePolicyPassword,
"sharedPolicyPassword"
);
const defaultPolicyPassword = alias(
resourcePolicyPassword,
"defaultPolicyPassword"
);
const sharedPolicyHeaderAuth = alias(
resourcePolicyHeaderAuth,
"sharedPolicyHeaderAuth"
);
const defaultPolicyHeaderAuth = alias(
resourcePolicyHeaderAuth,
"defaultPolicyHeaderAuth"
);
const effectivePasswordId = sql<number | null>`
COALESCE(
CASE
WHEN ${sharedPolicy.resourcePolicyId} IS NOT NULL THEN ${sharedPolicyPassword.passwordId}
ELSE ${defaultPolicyPassword.passwordId}
END,
${resourcePassword.passwordId}
)
`;
const effectivePincodeId = sql<number | null>`
COALESCE(
CASE
WHEN ${sharedPolicy.resourcePolicyId} IS NOT NULL THEN ${sharedPolicyPincode.pincodeId}
ELSE ${defaultPolicyPincode.pincodeId}
END,
${resourcePincode.pincodeId}
)
`;
const effectiveHeaderAuthId = sql<number | null>`
COALESCE(
CASE
WHEN ${sharedPolicy.resourcePolicyId} IS NOT NULL THEN ${sharedPolicyHeaderAuth.headerAuthId}
ELSE ${defaultPolicyHeaderAuth.headerAuthId}
END,
${resourceHeaderAuth.headerAuthId}
)
`;
const effectiveSso = sql<boolean>`
COALESCE(
CASE
WHEN ${sharedPolicy.resourcePolicyId} IS NOT NULL THEN ${sharedPolicy.sso}
ELSE ${defaultPolicy.sso}
END,
false
)
`;
const effectiveWhitelist = sql<boolean>`
COALESCE(
CASE
WHEN ${sharedPolicy.resourcePolicyId} IS NOT NULL THEN ${sharedPolicy.emailWhitelistEnabled}
ELSE ${defaultPolicy.emailWhitelistEnabled}
END,
false
)
`;
const effectiveHeaderAuthExtendedCompatibility = sql<boolean>`
COALESCE(
CASE
WHEN ${sharedPolicy.resourcePolicyId} IS NOT NULL THEN ${sharedPolicyHeaderAuth.extendedCompatibility}
ELSE ${defaultPolicyHeaderAuth.extendedCompatibility}
END,
false
)
`;
return db return db
.select({ .select({
resourceId: resources.resourceId, resourceId: resources.resourceId,
name: resources.name, name: resources.name,
ssl: resources.ssl, ssl: resources.ssl,
fullDomain: resources.fullDomain, fullDomain: resources.fullDomain,
passwordId: resourcePolicyPassword.passwordId, passwordId: effectivePasswordId,
sso: resourcePolicies.sso, sso: effectiveSso,
pincodeId: resourcePolicyPincode.pincodeId, pincodeId: effectivePincodeId,
whitelist: resourcePolicies.emailWhitelistEnabled, whitelist: effectiveWhitelist,
proxyPort: resources.proxyPort, proxyPort: resources.proxyPort,
enabled: resources.enabled, enabled: resources.enabled,
domainId: resources.domainId, domainId: resources.domainId,
@@ -204,44 +286,74 @@ function queryResourcesBase() {
wildcard: resources.wildcard, wildcard: resources.wildcard,
mode: resources.mode, mode: resources.mode,
health: resources.health, health: resources.health,
headerAuthId: resourcePolicyHeaderAuth.headerAuthId, headerAuthId: effectiveHeaderAuthId,
headerAuthExtendedCompatibility: headerAuthExtendedCompatibility:
resourcePolicyHeaderAuth.extendedCompatibility effectiveHeaderAuthExtendedCompatibility
}) })
.from(resources) .from(resources)
.leftJoin( .leftJoin(
resourcePolicies, resourcePincode,
or( eq(resourcePincode.resourceId, resources.resourceId)
eq(
resourcePolicies.resourcePolicyId,
resources.resourcePolicyId
),
eq(
resourcePolicies.resourcePolicyId,
resources.defaultResourcePolicyId
)
)
) )
.leftJoin( .leftJoin(
resourcePolicyPassword, resourcePassword,
eq(resourcePassword.resourceId, resources.resourceId)
)
.leftJoin(
resourceHeaderAuth,
eq(resourceHeaderAuth.resourceId, resources.resourceId)
)
.leftJoin(
sharedPolicy,
eq(sharedPolicy.resourcePolicyId, resources.resourcePolicyId)
)
.leftJoin(
sharedPolicyPincode,
eq( eq(
resourcePolicyPassword.resourcePolicyId, sharedPolicyPincode.resourcePolicyId,
resourcePolicies.resourcePolicyId sharedPolicy.resourcePolicyId
) )
) )
.leftJoin( .leftJoin(
resourcePolicyPincode, sharedPolicyPassword,
eq( eq(
resourcePolicyPincode.resourcePolicyId, sharedPolicyPassword.resourcePolicyId,
resourcePolicies.resourcePolicyId sharedPolicy.resourcePolicyId
) )
) )
.leftJoin( .leftJoin(
resourcePolicyHeaderAuth, sharedPolicyHeaderAuth,
eq( eq(
resourcePolicyHeaderAuth.resourcePolicyId, sharedPolicyHeaderAuth.resourcePolicyId,
resourcePolicies.resourcePolicyId sharedPolicy.resourcePolicyId
)
)
.leftJoin(
defaultPolicy,
eq(
defaultPolicy.resourcePolicyId,
resources.defaultResourcePolicyId
)
)
.leftJoin(
defaultPolicyPincode,
eq(
defaultPolicyPincode.resourcePolicyId,
defaultPolicy.resourcePolicyId
)
)
.leftJoin(
defaultPolicyPassword,
eq(
defaultPolicyPassword.resourcePolicyId,
defaultPolicy.resourcePolicyId
)
)
.leftJoin(
defaultPolicyHeaderAuth,
eq(
defaultPolicyHeaderAuth.resourcePolicyId,
defaultPolicy.resourcePolicyId
) )
) )
.leftJoin(targets, eq(targets.resourceId, resources.resourceId)) .leftJoin(targets, eq(targets.resourceId, resources.resourceId))
@@ -251,10 +363,23 @@ function queryResourcesBase() {
) )
.groupBy( .groupBy(
resources.resourceId, resources.resourceId,
resourcePolicies.resourcePolicyId, resourcePincode.pincodeId,
resourcePolicyPassword.passwordId, resourcePassword.passwordId,
resourcePolicyPincode.pincodeId, resourceHeaderAuth.headerAuthId,
resourcePolicyHeaderAuth.headerAuthId sharedPolicy.resourcePolicyId,
sharedPolicy.sso,
sharedPolicy.emailWhitelistEnabled,
sharedPolicyPincode.pincodeId,
sharedPolicyPassword.passwordId,
sharedPolicyHeaderAuth.headerAuthId,
sharedPolicyHeaderAuth.extendedCompatibility,
defaultPolicy.resourcePolicyId,
defaultPolicy.sso,
defaultPolicy.emailWhitelistEnabled,
defaultPolicyPincode.pincodeId,
defaultPolicyPassword.passwordId,
defaultPolicyHeaderAuth.headerAuthId,
defaultPolicyHeaderAuth.extendedCompatibility
); );
} }
@@ -396,6 +521,80 @@ export async function listResources(
} }
if (typeof authState !== "undefined") { if (typeof authState !== "undefined") {
const sharedPolicy = alias(resourcePolicies, "sharedPolicy");
const defaultPolicy = alias(resourcePolicies, "defaultPolicy");
const sharedPolicyPincode = alias(
resourcePolicyPincode,
"sharedPolicyPincode"
);
const defaultPolicyPincode = alias(
resourcePolicyPincode,
"defaultPolicyPincode"
);
const sharedPolicyPassword = alias(
resourcePolicyPassword,
"sharedPolicyPassword"
);
const defaultPolicyPassword = alias(
resourcePolicyPassword,
"defaultPolicyPassword"
);
const sharedPolicyHeaderAuth = alias(
resourcePolicyHeaderAuth,
"sharedPolicyHeaderAuth"
);
const defaultPolicyHeaderAuth = alias(
resourcePolicyHeaderAuth,
"defaultPolicyHeaderAuth"
);
const effectiveSso = sql<boolean>`
COALESCE(
CASE
WHEN ${sharedPolicy.resourcePolicyId} IS NOT NULL THEN ${sharedPolicy.sso}
ELSE ${defaultPolicy.sso}
END,
false
)
`;
const effectiveWhitelist = sql<boolean>`
COALESCE(
CASE
WHEN ${sharedPolicy.resourcePolicyId} IS NOT NULL THEN ${sharedPolicy.emailWhitelistEnabled}
ELSE ${defaultPolicy.emailWhitelistEnabled}
END,
false
)
`;
const effectiveHeaderAuthId = sql<number | null>`
COALESCE(
CASE
WHEN ${sharedPolicy.resourcePolicyId} IS NOT NULL THEN ${sharedPolicyHeaderAuth.headerAuthId}
ELSE ${defaultPolicyHeaderAuth.headerAuthId}
END,
${resourceHeaderAuth.headerAuthId}
)
`;
const effectivePincodeId = sql<number | null>`
COALESCE(
CASE
WHEN ${sharedPolicy.resourcePolicyId} IS NOT NULL THEN ${sharedPolicyPincode.pincodeId}
ELSE ${defaultPolicyPincode.pincodeId}
END,
${resourcePincode.pincodeId}
)
`;
const effectivePasswordId = sql<number | null>`
COALESCE(
CASE
WHEN ${sharedPolicy.resourcePolicyId} IS NOT NULL THEN ${sharedPolicyPassword.passwordId}
ELSE ${defaultPolicyPassword.passwordId}
END,
${resourcePassword.passwordId}
)
`;
const browserGatewayModes = ["http", "ssh", "rdp", "vnc"];
switch (authState) { switch (authState) {
case "none": case "none":
conditions.push( conditions.push(
@@ -404,22 +603,28 @@ export async function listResources(
break; break;
case "protected": case "protected":
conditions.push( conditions.push(
or( and(
eq(resourcePolicies.sso, true), inArray(resources.mode, browserGatewayModes),
eq(resourcePolicies.emailWhitelistEnabled, true), or(
not(isNull(resourcePolicyHeaderAuth.headerAuthId)), eq(effectiveSso, true),
not(isNull(resourcePolicyPincode.pincodeId)), eq(effectiveWhitelist, true),
not(isNull(resourcePolicyPassword.passwordId)) not(isNull(effectiveHeaderAuthId)),
not(isNull(effectivePincodeId)),
not(isNull(effectivePasswordId))
)
) )
); );
break; break;
case "not_protected": case "not_protected":
conditions.push( conditions.push(
not(eq(resourcePolicies.sso, true)), and(
not(eq(resourcePolicies.emailWhitelistEnabled, true)), inArray(resources.mode, browserGatewayModes),
isNull(resourcePolicyHeaderAuth.headerAuthId), not(eq(effectiveSso, true)),
isNull(resourcePolicyPincode.pincodeId), not(eq(effectiveWhitelist, true)),
isNull(resourcePolicyPassword.passwordId) isNull(effectiveHeaderAuthId),
isNull(effectivePincodeId),
isNull(effectivePasswordId)
)
); );
break; break;
} }
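Review bot: The rule that decides a resource's effective auth settings (shared policy, else default policy, else the per-resource row) is now written out twice as raw SQL, once in `queryResourcesBase` and again inside the `authState` branch of `listResources`, and the filter only resolves because alias strings such as `"sharedPolicy"` happen to match the joins built in the other function. Moving the aliases and the `effective*` expressions into one module-level helper that both functions call would keep the displayed status and the `protected` / `not_protected` filter from drifting apart again. Separately, the `COALESCE` for `passwordId`, `pincodeId` and `headerAuthId` still falls back to the per-resource table when a shared policy is attached but carries no such method, so a leftover row in `resourcePassword`, `resourcePincode` or `resourceHeaderAuth` would list the resource as protected. That is only correct if the request-time auth check resolves the same way, which is not visible in this diff, so it is worth confirming and recording with a comment such as `// precedence must match the request-time auth check: shared policy > default policy > per-resource row`. `effectiveHeaderAuthExtendedCompatibility` falls back to `false` rather than to a per-resource value, unlike `effectiveHeaderAuthId`, which looks inconsistent for resources that only have a `resourceHeaderAuth` row.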