Merge pull request #3154 from RitwijParmar/codex/pangolin-refresh-live-log-window

fix(logs): refresh default end time

install/config/config.yml

@@ -22,7 +22,8 @@ server:
         methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
         allowed_headers: ["X-CSRF-Token", "Content-Type"]
         credentials: false
-    {{if .EnableGeoblocking}}maxmind_db_path: "./config/GeoLite2-Country.mmdb"{{end}}
+    {{if .EnableMaxMind}}maxmind_db_path: "./config/GeoLite2-Country.mmdb"{{end}}
+    {{if .EnableMaxMind}}maxmind_asn_path: "./config/GeoLite2-ASN.mmdb"{{end}}
 {{if .EnableEmail}}
 email:
     smtp_host: "{{.EmailSMTPHost}}"

install/main.go

@@ -54,8 +54,8 @@ type Config struct {
 	InstallGerbil             bool
 	TraefikBouncerKey         string
 	DoCrowdsecInstall         bool
-	EnableGeoblocking         bool
-	Secret                    string
+	EnableMaxMind             bool
+    Secret                    string
 	IsEnterprise              bool
 }
 
@@ -123,15 +123,15 @@ func main() {
 
 		fmt.Println("\nConfiguration files created successfully!")
 
-		// Download MaxMind database if requested
-		if config.EnableGeoblocking {
-			fmt.Println("\n=== Downloading MaxMind Database ===")
+		// Download MaxMind Country / ASN database if requested
+		if config.EnableMaxMind {
+			fmt.Println("\n=== Downloading MaxMind Country and ASN Databases ===")
 			if err := downloadMaxMindDatabase(); err != nil {
-				fmt.Printf("Error downloading MaxMind database: %v\n", err)
+				fmt.Printf("Error downloading MaxMind databases: %v\n", err)
 				fmt.Println("You can download it manually later if needed.")
 			}
 		}
-
+        
 		fmt.Println("\n=== Starting installation ===")
 
 		if readBool("Would you like to install and start the containers?", true) {
@@ -188,15 +188,15 @@ func main() {
 		fmt.Println("\n=== MaxMind Database Update ===")
 		if _, err := os.Stat("config/GeoLite2-Country.mmdb"); err == nil {
 			fmt.Println("MaxMind GeoLite2 Country database found.")
-			if readBool("Would you like to update the MaxMind database to the latest version?", false) {
+			if readBool("Would you like to update the MaxMind databases (Country and ASN) to the latest version?", false) {
 				if err := downloadMaxMindDatabase(); err != nil {
 					fmt.Printf("Error updating MaxMind database: %v\n", err)
 					fmt.Println("You can try updating it manually later if needed.")
 				}
 			}
 		} else {
-			fmt.Println("MaxMind GeoLite2 Country database not found.")
-			if readBool("Would you like to download the MaxMind GeoLite2 database for geoblocking functionality?", false) {
+			fmt.Println("MaxMind GeoLite2 Country and ASN databases not found.")
+			if readBool("Would you like to download the MaxMind GeoLite2 databases for blocking functionality?", false) {
 				if err := downloadMaxMindDatabase(); err != nil {
 					fmt.Printf("Error downloading MaxMind database: %v\n", err)
 					fmt.Println("You can try downloading it manually later if needed.")
@@ -204,9 +204,11 @@ func main() {
 				// Now you need to update your config file accordingly to enable geoblocking
 				fmt.Print("Please remember to update your config/config.yml file to enable geoblocking! \n\n")
 				// add   maxmind_db_path: "./config/GeoLite2-Country.mmdb" under server
-				fmt.Println("Add the following line under the 'server' section:")
+				// add   maxmind_asn_path: "./config/GeoLite2-ASN.mmdb" under server
+                fmt.Println("Add the following lines under the 'server' section:")
 				fmt.Println("  maxmind_db_path: \"./config/GeoLite2-Country.mmdb\"")
-			}
+				fmt.Println("  maxmind_asn_path: \"./config/GeoLite2-ASN.mmdb\"")
+            }
 		}
 	}
 
@@ -527,8 +529,8 @@ func collectUserInput() Config {
 	fmt.Println("\n=== Advanced Configuration ===")
 
 	config.EnableIPv6 = readBool("Is your server IPv6 capable?", true)
-	config.EnableGeoblocking = readBool("Do you want to download the MaxMind GeoLite2 database for geoblocking functionality?", true)
-
+	config.EnableMaxMind = readBool("Do you want to download the MaxMind GeoLite2 Country and ADN databases for blocking functionality?", true)
+    
 	if config.DashboardDomain == "" {
 		fmt.Println("Error: Dashboard Domain name is required")
 		os.Exit(1)
@@ -780,29 +782,42 @@ func checkPortsAvailable(port int) error {
 }
 
 func downloadMaxMindDatabase() error {
-	fmt.Println("Downloading MaxMind GeoLite2 Country database...")
+	fmt.Println("Downloading MaxMind GeoLite2 Country and ASN databases...")
 
-	// Download the GeoLite2 Country database
+	// Download the GeoLite2 Country databases
 	if err := run("curl", "-L", "-o", "GeoLite2-Country.tar.gz",
 		"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-Country.tar.gz"); err != nil {
-		return fmt.Errorf("failed to download GeoLite2 database: %v", err)
+		return fmt.Errorf("failed to download GeoLite2 Country database: %v", err)
 	}
-
-	// Extract the database
+	if err := run("curl", "-L", "-o", "GeoLite2-ASN.tar.gz",
+		"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-ASN.tar.gz"); err != nil {
+		return fmt.Errorf("failed to download GeoLite2 ASN database: %v", err)
+	}
+    
+	// Extract the Country database
 	if err := run("tar", "-xzf", "GeoLite2-Country.tar.gz"); err != nil {
-		return fmt.Errorf("failed to extract GeoLite2 database: %v", err)
+		return fmt.Errorf("failed to extract GeoLite2 Country database: %v", err)
 	}
-
+	if err := run("tar", "-xzf", "GeoLite2-ASN.tar.gz"); err != nil {
+		return fmt.Errorf("failed to extract GeoLite2 ASN database: %v", err)
+	}
+    
 	// Find the .mmdb file and move it to the config directory
 	if err := run("bash", "-c", "mv GeoLite2-Country_*/GeoLite2-Country.mmdb config/"); err != nil {
-		return fmt.Errorf("failed to move GeoLite2 database to config directory: %v", err)
+		return fmt.Errorf("failed to move GeoLite2 Country database to config directory: %v", err)
 	}
-
+	if err := run("bash", "-c", "mv GeoLite2-ASN_*/GeoLite2-ASN.mmdb config/"); err != nil {
+		return fmt.Errorf("failed to move GeoLite2 ASN database to config directory: %v", err)
+	}
+    
 	// Clean up the downloaded files
-	if err := run("rm", "-rf", "GeoLite2-Country.tar.gz", "GeoLite2-Country_*"); err != nil {
-		fmt.Printf("Warning: failed to clean up temporary files: %v\n", err)
+	if err := run("sh", "-c", "rm -rf GeoLite2-Country.tar.gz GeoLite2-Country_*"); err != nil {
+		fmt.Printf("Warning: failed to clean up temporary country files: %v\n", err)
 	}
-
-	fmt.Println("MaxMind GeoLite2 Country database downloaded successfully!")
+	if err := run("sh", "-c", "rm -rf GeoLite2-ASN.tar.gz GeoLite2-ASN_*"); err != nil {
+		fmt.Printf("Warning: failed to clean up temporary ASN files: %v\n", err)
+	}
+    
+	fmt.Println("MaxMind GeoLite2 Country and ASN database downloaded successfully!")
 	return nil
 }

messages/en-US.json

@@ -1957,7 +1957,7 @@
     "sshSudoModeCommandsDescription": "User can run only the specified commands with sudo.",
     "sshSudo": "Allow sudo",
     "sshSudoCommands": "Sudo Commands",
-    "sshSudoCommandsDescription": "Comma separated list of commands the user is allowed to run with sudo.",
+    "sshSudoCommandsDescription": "Comma separated list of commands the user is allowed to run with sudo. Absolute paths must be used.",
     "sshCreateHomeDir": "Create Home Directory",
     "sshUnixGroups": "Unix Groups",
     "sshUnixGroupsDescription": "Comma separated Unix groups to add the user to on the target host.",

server/lib/alerts/events/healthCheckEvents.ts

@@ -221,10 +221,18 @@ async function handleResource(
         )
         .where(eq(targets.resourceId, resource.resourceId));
 
+    const monitoredTargets = otherTargets.filter(
+        (t) => t.hcHealth !== "unknown"
+    );
+
     let health = "healthy";
-    const allUnknown = otherTargets.every((t) => t.hcHealth === "unknown");
-    const allHealthy = otherTargets.every((t) => t.hcHealth === "healthy");
-    const allUnhealthy = otherTargets.every((t) => t.hcHealth === "unhealthy");
+    const allUnknown = monitoredTargets.length === 0;
+    const allHealthy = monitoredTargets.every(
+        (t) => t.hcHealth === "healthy"
+    );
+    const allUnhealthy = monitoredTargets.every(
+        (t) => t.hcHealth === "unhealthy"
+    );
 
     if (allUnknown) {
         logger.debug(

server/lib/blueprints/types.ts

@@ -82,7 +82,7 @@ export const RuleSchema = z
     .object({
         action: z.enum(["allow", "deny", "pass"]),
         match: z.enum(["cidr", "path", "ip", "country", "asn", "region"]),
-        value: z.string(),
+        value: z.coerce.string(),
         priority: z.int().optional()
     })
     .refine(
@@ -340,7 +340,8 @@ export const ResourceSchema = z
             if (parts.includes("*", 1)) return false; // no further wildcards
             if (parts.length < 3) return false; // need at least *.label.tld
 
-            const labelRegex = /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$|^[a-zA-Z0-9]$/;
+            const labelRegex =
+                /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$|^[a-zA-Z0-9]$/;
             return parts.slice(1).every((label) => labelRegex.test(label));
         },
         {

server/lib/rebuildClientAssociations.ts

@@ -1826,3 +1826,77 @@ export async function verifyClientAssociationsCache(
         extraSiteIds: extraSiteIds.sort((a, b) => a - b)
     };
 }
+
+// cleanupSiteAssociations efficiently removes all client associations for a
+// site that is being deleted. Instead of calling
+// rebuildClientAssociationsFromSiteResource once per site resource (which is
+// O(resources) in DB round-trips and message fan-out), this function performs
+// a single bulk lookup of affected clients and site resources, deletes all
+// cache rows at once, and fires all peer/proxy removal messages in parallel.
+//
+// The caller is responsible for deleting the site row itself (and for sending
+// the newt/wg/terminate signal to the newt process).
+export async function cleanupSiteAssociations(
+    site: Site,
+    trx: Transaction | typeof db = db
+): Promise<void> {
+    const siteId = site.siteId;
+
+    logger.debug(`cleanupSiteAssociations: START siteId=${siteId}`);
+
+    // 1. Find every client currently cached against this site.
+    const cachedSiteClientRows = await trx
+        .select({ clientId: clientSitesAssociationsCache.clientId })
+        .from(clientSitesAssociationsCache)
+        .where(eq(clientSitesAssociationsCache.siteId, siteId));
+
+    const cachedClientIds = cachedSiteClientRows.map((r) => r.clientId);
+
+    // 2. Load full client details (needed for WireGuard public-key references).
+    const allClients =
+        cachedClientIds.length > 0
+            ? await trx
+                  .select({
+                      clientId: clients.clientId,
+                      pubKey: clients.pubKey,
+                      subnet: clients.subnet
+                  })
+                  .from(clients)
+                  .where(inArray(clients.clientId, cachedClientIds))
+            : [];
+
+    // 6. Bulk-delete all cache entries for this site.  Do this before sending
+    //    destination-update messages so updateClientSiteDestinations computes
+    //    the correct (post-deletion) set of destinations.
+    await trx
+        .delete(clientSitesAssociationsCache)
+        .where(eq(clientSitesAssociationsCache.siteId, siteId));
+
+    logger.debug(
+        `cleanupSiteAssociations: siteId=${siteId} cache cleared. clients=${allClients.length}`
+    );
+
+    // 7. Fire all removal messages in parallel.
+    const jobs: Promise<any>[] = [];
+
+    for (const client of allClients) {
+        // Tell each olm to drop the site's WireGuard peer.
+        if (site.publicKey) {
+            jobs.push(olmDeletePeer(client.clientId, siteId, site.publicKey));
+        }
+
+        // Recompute and push updated relay destinations (now excluding this site).
+        if (client.pubKey && client.subnet) {
+            jobs.push(updateClientSiteDestinations(client, trx));
+        }
+    }
+
+    await Promise.all(jobs).catch((error) => {
+        logger.error(
+            `cleanupSiteAssociations: error sending cleanup messages for siteId=${siteId}:`,
+            error
+        );
+    });
+
+    logger.debug(`cleanupSiteAssociations: DONE siteId=${siteId}`);
+}

server/routers/auditLogs/queryRequestAnalytics.ts

@@ -1,4 +1,4 @@
-import { logsDb, requestAuditLog, driver, primaryLogsDb } from "@server/db";
+import { logsDb, requestAuditLog, driver } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
@@ -74,12 +74,12 @@ async function query(query: Q) {
         );
     }
 
-    const [all] = await primaryLogsDb
+    const [all] = await logsDb
         .select({ total: count() })
         .from(requestAuditLog)
         .where(baseConditions);
 
-    const [blocked] = await primaryLogsDb
+    const [blocked] = await logsDb
         .select({ total: count() })
         .from(requestAuditLog)
         .where(and(baseConditions, eq(requestAuditLog.action, false)));
@@ -90,7 +90,7 @@ async function query(query: Q) {
 
     const DISTINCT_LIMIT = 500;
 
-    const requestsPerCountry = await primaryLogsDb
+    const requestsPerCountry = await logsDb
         .selectDistinct({
             code: requestAuditLog.location,
             count: totalQ
@@ -118,7 +118,7 @@ async function query(query: Q) {
     const booleanTrue = driver === "pg" ? sql`true` : sql`1`;
     const booleanFalse = driver === "pg" ? sql`false` : sql`0`;
 
-    const requestsPerDay = await primaryLogsDb
+    const requestsPerDay = await logsDb
         .select({
             day: groupByDayFunction.as("day"),
             allowedCount:

server/routers/auditLogs/queryRequestAuditLog.ts

@@ -1,4 +1,4 @@
-import { logsDb, primaryLogsDb, requestAuditLog, resources, siteResources, db, primaryDb } from "@server/db";
+import { logsDb, requestAuditLog, resources, siteResources, db, primaryDb } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
@@ -110,7 +110,7 @@ function getWhere(data: Q) {
 }
 
 export function queryRequest(data: Q) {
-    return primaryLogsDb
+    return logsDb
         .select({
             id: requestAuditLog.id,
                 timestamp: requestAuditLog.timestamp,
@@ -211,7 +211,7 @@ async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryRe
 }
 
 export function countRequestQuery(data: Q) {
-    const countQuery = primaryLogsDb
+    const countQuery = logsDb
         .select({ count: count() })
         .from(requestAuditLog)
         .where(getWhere(data));
@@ -254,34 +254,34 @@ async function queryUniqueFilterAttributes(
         uniqueResources,
         uniqueSiteResources
     ] = await Promise.all([
-        primaryLogsDb
+        logsDb
             .selectDistinct({ actor: requestAuditLog.actor })
             .from(requestAuditLog)
             .where(baseConditions)
             .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        logsDb
             .selectDistinct({ locations: requestAuditLog.location })
             .from(requestAuditLog)
             .where(baseConditions)
             .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        logsDb
             .selectDistinct({ hosts: requestAuditLog.host })
             .from(requestAuditLog)
             .where(baseConditions)
             .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        logsDb
             .selectDistinct({ paths: requestAuditLog.path })
             .from(requestAuditLog)
             .where(baseConditions)
             .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        logsDb
             .selectDistinct({
                 id: requestAuditLog.resourceId
             })
             .from(requestAuditLog)
             .where(baseConditions)
             .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        logsDb
             .selectDistinct({
                 id: requestAuditLog.siteResourceId
             })

server/routers/site/deleteSite.ts

@@ -1,8 +1,8 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, Site, siteNetworks, siteResources } from "@server/db";
-import { newts, newtSessions, sites } from "@server/db";
-import { eq, inArray } from "drizzle-orm";
+import { db } from "@server/db";
+import { newts, sites } from "@server/db";
+import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -11,7 +11,7 @@ import { deletePeer } from "../gerbil/peers";
 import { fromError } from "zod-validation-error";
 import { sendToClient } from "#dynamic/routers/ws";
 import { OpenAPITags, registry } from "@server/openApi";
-import { rebuildClientAssociationsFromSiteResource } from "@server/lib/rebuildClientAssociations";
+import { cleanupSiteAssociations } from "@server/lib/rebuildClientAssociations";
 import { usageService } from "@server/lib/billing/usageService";
 import { FeatureId } from "@server/lib/billing";
 
@@ -63,7 +63,11 @@ export async function deleteSite(
             );
         }
 
-        let deletedNewtId: string | null = null;
+        const [deletedNewt] = await db
+            .select()
+            .from(newts)
+            .where(eq(newts.siteId, siteId))
+            .limit(1);
 
         await db.transaction(async (trx) => {
             if (site.type == "wireguard") {
@@ -71,56 +75,24 @@ export async function deleteSite(
                     await deletePeer(site.exitNodeId!, site.pubKey);
                 }
             } else if (site.type == "newt") {
-                const networks = await trx
-                    .select({ networkId: siteNetworks.networkId })
-                    .from(siteNetworks)
-                    .where(eq(siteNetworks.siteId, siteId));
+                // Clean up all client associations and send peer/proxy removal
+                // messages in a single efficient pass before deleting the row.
+                await cleanupSiteAssociations(site, trx);
 
-                // loop through them
-                const updatedSiteResources = await trx
-                    .select()
-                    .from(siteResources)
-                    .where(
-                        inArray(
-                            siteResources.networkId,
-                            networks.map((n) => n.networkId)
-                        )
-                    );
-                for (const siteResource of updatedSiteResources) {
-                    await rebuildClientAssociationsFromSiteResource(
-                        siteResource,
-                        trx
-                    );
-                }
-
-                // get the newt on the site by querying the newt table for siteId
-                const [deletedNewt] = await trx
-                    .delete(newts)
-                    .where(eq(newts.siteId, siteId))
-                    .returning();
-                if (deletedNewt) {
-                    deletedNewtId = deletedNewt.newtId;
-
-                    // delete all of the sessions for the newt
-                    await trx
-                        .delete(newtSessions)
-                        .where(eq(newtSessions.newtId, deletedNewt.newtId));
-                }
+                await trx.delete(sites).where(eq(sites.siteId, siteId));
             }
 
-            await trx.delete(sites).where(eq(sites.siteId, siteId));
-
             await usageService.add(site.orgId, FeatureId.SITES, -1, trx);
         });
 
         // Send termination message outside of transaction to prevent blocking
-        if (deletedNewtId) {
+        if (deletedNewt) {
             const payload = {
                 type: `newt/wg/terminate`,
                 data: {}
             };
             // Don't await this to prevent blocking the response
-            sendToClient(deletedNewtId, payload).catch((error) => {
+            sendToClient(deletedNewt.newtId, payload).catch((error) => {
                 logger.error(
                     "Failed to send termination message to newt:",
                     error

server/routers/siteResource/batchAddClientToSiteResources.ts

@@ -15,10 +15,7 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { eq, and, inArray } from "drizzle-orm";
 import { OpenAPITags, registry } from "@server/openApi";
-import {
-    rebuildClientAssociationsFromClient,
-    rebuildClientAssociationsFromSiteResource
-} from "@server/lib/rebuildClientAssociations";
+import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
 
 const batchAddClientToSiteResourcesParamsSchema = z
     .object({

src/app/[orgId]/settings/logs/access/page.tsx

@@ -280,10 +280,14 @@ export default function GeneralPage() {
         console.log("Data refreshed");
         setIsRefreshing(true);
         try {
+            const endDate = searchParams.get("end")
+                ? dateRange.endDate
+                : { date: new Date() };
+            setDateRange((current) => ({ ...current, endDate }));
             // Refresh data with current date range and pagination
             await queryDateTime(
                 dateRange.startDate,
-                dateRange.endDate,
+                endDate,
                 currentPage,
                 pageSize
             );

src/app/[orgId]/settings/logs/action/page.tsx

@@ -266,10 +266,14 @@ export default function GeneralPage() {
         console.log("Data refreshed");
         setIsRefreshing(true);
         try {
+            const endDate = searchParams.get("end")
+                ? dateRange.endDate
+                : { date: new Date() };
+            setDateRange((current) => ({ ...current, endDate }));
             // Refresh data with current date range and pagination
             await queryDateTime(
                 dateRange.startDate,
-                dateRange.endDate,
+                endDate,
                 currentPage,
                 pageSize
             );

src/app/[orgId]/settings/logs/connection/page.tsx

@@ -306,10 +306,14 @@ export default function ConnectionLogsPage() {
         console.log("Data refreshed");
         setIsRefreshing(true);
         try {
+            const endDate = searchParams.get("end")
+                ? dateRange.endDate
+                : { date: new Date() };
+            setDateRange((current) => ({ ...current, endDate }));
             // Refresh data with current date range and pagination
             await queryDateTime(
                 dateRange.startDate,
-                dateRange.endDate,
+                endDate,
                 currentPage,
                 pageSize
             );

src/app/[orgId]/settings/logs/request/page.tsx

@@ -281,10 +281,14 @@ export default function GeneralPage() {
         console.log("Data refreshed");
         setIsRefreshing(true);
         try {
+            const endDate = searchParams.get("end")
+                ? dateRange.endDate
+                : { date: new Date() };
+            setDateRange((current) => ({ ...current, endDate }));
             // Refresh data with current date range and pagination
             await queryDateTime(
                 dateRange.startDate,
-                dateRange.endDate,
+                endDate,
                 currentPage,
                 pageSize
             );