mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-05 19:59:43 +00:00
Compare commits
150 Commits
dabaff3d13
...
1.19.1
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
d9952b0762 | ||
|
|
935593885a | ||
|
|
3fcfd3304f | ||
|
|
6e271028f3 | ||
|
|
820f66e58f | ||
|
|
b0fdc10e06 | ||
|
|
b82b41ed26 | ||
|
|
3e977ba00d | ||
|
|
a724b07846 | ||
|
|
5f0bc71bcd | ||
|
|
aea7827c1a | ||
|
|
d865c4c55b | ||
|
|
5baf0c3c09 | ||
|
|
cfe33eb974 | ||
|
|
71273e1b1c | ||
|
|
02f6e2a8c3 | ||
|
|
3cc244a1d3 | ||
|
|
1d9c4dd9e2 | ||
|
|
b9dd0c8e43 | ||
|
|
cd052976eb | ||
|
|
cc498f0e33 | ||
|
|
1a942937e6 | ||
|
|
d81d1a6b7f | ||
|
|
f64d04e827 | ||
|
|
540aee3fe2 | ||
|
|
10542d7282 | ||
|
|
b1d52ad1a3 | ||
|
|
ce2fbef805 | ||
|
|
e312b31e02 | ||
|
|
bc156c715d | ||
|
|
9a4c1f23c6 | ||
|
|
6921447fab | ||
|
|
d47449b082 | ||
|
|
665806dfe8 | ||
|
|
e248571268 | ||
|
|
fcf03854ff | ||
|
|
dd1fba4e45 | ||
|
|
a1ab8d8f35 | ||
|
|
c789e967db | ||
|
|
d870b9ff49 | ||
|
|
9c09019ddb | ||
|
|
9d88683fc5 | ||
|
|
dd2c9f2a02 | ||
|
|
bdb38db5bc | ||
|
|
96a54fc9cc | ||
|
|
3a485f74f1 | ||
|
|
92b0340324 | ||
|
|
9257ac01c7 | ||
|
|
4d1d0d9fcb | ||
|
|
f186e7e99e | ||
|
|
1aa6e3511f | ||
|
|
fb6f5b3953 | ||
|
|
c85a7f6ac5 | ||
|
|
dd54be523f | ||
|
|
d57f064d4c | ||
|
|
34799b7de2 | ||
|
|
20a66bba6f | ||
|
|
cdb43d9658 | ||
|
|
6581ccafa3 | ||
|
|
a3a45b4239 | ||
|
|
d6634b6e8a | ||
|
|
1089cfbacc | ||
|
|
1907a3c93b | ||
|
|
407ba567a0 | ||
|
|
f28571629f | ||
|
|
5a575c916b | ||
|
|
9a7e534b10 | ||
|
|
42974d1739 | ||
|
|
780e8babe4 | ||
|
|
2c7b8006cf | ||
|
|
35066c1388 | ||
|
|
135a5d38af | ||
|
|
1b7c1ffa70 | ||
|
|
641f643d2d | ||
|
|
b4ecfceb5e | ||
|
|
08a84d4bb1 | ||
|
|
4dbad7ab24 | ||
|
|
859c0c9477 | ||
|
|
d294bf8534 | ||
|
|
3c8fea382f | ||
|
|
b81bfcfcee | ||
|
|
56c415ca05 | ||
|
|
74fdcceace | ||
|
|
7dec8ba998 | ||
|
|
c9dc6affe7 | ||
|
|
8fe45ba78c | ||
|
|
934886caea | ||
|
|
fae258b145 | ||
|
|
9f224f655f | ||
|
|
aea7df7dc2 | ||
|
|
3b675f7de1 | ||
|
|
8daf7c2872 | ||
|
|
c394490473 | ||
|
|
3b6b78b3e1 | ||
|
|
aa47f522ef | ||
|
|
8658198a93 | ||
|
|
4b770d1385 | ||
|
|
cd4d7372a0 | ||
|
|
dc8243cb51 | ||
|
|
7b1f8d98f3 | ||
|
|
dd8bcbb3e3 | ||
|
|
d1af7a153f | ||
|
|
13efa47db7 | ||
|
|
69bd61c308 | ||
|
|
7b7ff51289 | ||
|
|
772ac8af73 | ||
|
|
8ee520dbb5 | ||
|
|
8e5d9e94a9 | ||
|
|
c9cb28af45 | ||
|
|
a994f8ff07 | ||
|
|
ea8eaf9736 | ||
|
|
b78db3daef | ||
|
|
7cf3f8df92 | ||
|
|
f2b5cff3f9 | ||
|
|
6de9ab8f05 | ||
|
|
ad0e800d8d | ||
|
|
65470fb64b | ||
|
|
f23142336b | ||
|
|
2da4987cd3 | ||
|
|
253ba554a2 | ||
|
|
95ce91d94b | ||
|
|
a4548fd874 | ||
|
|
eb03fb7060 | ||
|
|
add9b8dfb0 | ||
|
|
2adb7b64cb | ||
|
|
84fef5f1d6 | ||
|
|
def1e9c851 | ||
|
|
67b08ca61e | ||
|
|
614df75880 | ||
|
|
676cf37ee2 | ||
|
|
6b96e3dce6 | ||
|
|
b67037e2ea | ||
|
|
5a5b77cf62 | ||
|
|
d2793dfad7 | ||
|
|
ff507f1275 | ||
|
|
6b04bcb383 | ||
|
|
b2f1115ef8 | ||
|
|
567ef23ac4 | ||
|
|
6affebc666 | ||
|
|
889f78ddb8 | ||
|
|
9d3f96cf83 | ||
|
|
e5d0673bbf | ||
|
|
0907c0346f | ||
|
|
6420a90d08 | ||
|
|
33fdc9a94f | ||
|
|
c86026c941 | ||
|
|
db014e3446 | ||
|
|
feb8045643 | ||
|
|
d485a09318 | ||
|
|
9cff5f66b1 |
5
.cursor/rules/Button-loading-state.mdc
Normal file
5
.cursor/rules/Button-loading-state.mdc
Normal file
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
alwaysApply: true
|
||||||
|
---
|
||||||
|
|
||||||
|
When adding submit buttons, don't change the text of the button during the loading state. Text should stay static and you should use the loading prop on the button.
|
||||||
5
.cursor/rules/Components.mdc
Normal file
5
.cursor/rules/Components.mdc
Normal file
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
alwaysApply: true
|
||||||
|
---
|
||||||
|
|
||||||
|
When creating UI for popup dialogs or modals, use the Credenza componennt. This component is mobile responsive and works on desktop and wraps the dialog component and sheet into one.
|
||||||
7
.cursor/rules/TypeScript-rules.mdc
Normal file
7
.cursor/rules/TypeScript-rules.mdc
Normal file
@@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
alwaysApply: true
|
||||||
|
---
|
||||||
|
|
||||||
|
When writing TypeScript:
|
||||||
|
|
||||||
|
Prefer to use types instead of interfaces.
|
||||||
5
.cursor/rules/Use-React-form-and-Zod-schemas.mdc
Normal file
5
.cursor/rules/Use-React-form-and-Zod-schemas.mdc
Normal file
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
alwaysApply: true
|
||||||
|
---
|
||||||
|
|
||||||
|
When creating forms, use React form for validation and use Zod schemas.
|
||||||
@@ -34,4 +34,5 @@ build.ts
|
|||||||
tsconfig.json
|
tsconfig.json
|
||||||
Dockerfile*
|
Dockerfile*
|
||||||
drizzle.config.ts
|
drizzle.config.ts
|
||||||
allowedDevOrigins.json
|
allowedDevOrigins.json
|
||||||
|
scratch/
|
||||||
|
|||||||
@@ -4,19 +4,26 @@ import { eq } from "drizzle-orm";
|
|||||||
|
|
||||||
type SetServerAdminArgs = {
|
type SetServerAdminArgs = {
|
||||||
email: string;
|
email: string;
|
||||||
|
remove: boolean;
|
||||||
};
|
};
|
||||||
|
|
||||||
export const setServerAdmin: CommandModule<{}, SetServerAdminArgs> = {
|
export const setServerAdmin: CommandModule<{}, SetServerAdminArgs> = {
|
||||||
command: "set-server-admin",
|
command: "set-server-admin",
|
||||||
describe: "Mark any user as a server admin by email address",
|
describe: "Add or remove server admin by email address",
|
||||||
builder: (yargs) => {
|
builder: (yargs) => {
|
||||||
return yargs.option("email", {
|
return yargs
|
||||||
type: "string",
|
.option("email", {
|
||||||
demandOption: true,
|
type: "string",
|
||||||
describe: "User email address"
|
demandOption: true,
|
||||||
});
|
describe: "User email address"
|
||||||
|
})
|
||||||
|
.option("remove", {
|
||||||
|
type: "boolean",
|
||||||
|
default: false,
|
||||||
|
describe: "Remove server admin status from the user"
|
||||||
|
});
|
||||||
},
|
},
|
||||||
handler: async (argv: { email: string }) => {
|
handler: async (argv: SetServerAdminArgs) => {
|
||||||
try {
|
try {
|
||||||
const email = argv.email.trim().toLowerCase();
|
const email = argv.email.trim().toLowerCase();
|
||||||
|
|
||||||
@@ -31,6 +38,33 @@ export const setServerAdmin: CommandModule<{}, SetServerAdminArgs> = {
|
|||||||
process.exit(1);
|
process.exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (argv.remove) {
|
||||||
|
if (!user.serverAdmin) {
|
||||||
|
console.log(`User '${email}' is not a server admin`);
|
||||||
|
process.exit(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
const serverAdmins = await db
|
||||||
|
.select()
|
||||||
|
.from(users)
|
||||||
|
.where(eq(users.serverAdmin, true));
|
||||||
|
|
||||||
|
if (serverAdmins.length <= 1) {
|
||||||
|
console.error(
|
||||||
|
"Cannot remove server admin: at least one server admin must exist"
|
||||||
|
);
|
||||||
|
process.exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
await db
|
||||||
|
.update(users)
|
||||||
|
.set({ serverAdmin: false })
|
||||||
|
.where(eq(users.userId, user.userId));
|
||||||
|
|
||||||
|
console.log(`Server admin status removed from user '${email}'`);
|
||||||
|
process.exit(0);
|
||||||
|
}
|
||||||
|
|
||||||
if (user.serverAdmin) {
|
if (user.serverAdmin) {
|
||||||
console.log(`User '${email}' is already a server admin`);
|
console.log(`User '${email}' is already a server admin`);
|
||||||
process.exit(0);
|
process.exit(0);
|
||||||
|
|||||||
@@ -200,8 +200,8 @@
|
|||||||
"shareErrorSelectResource": "Моля, изберете ресурс",
|
"shareErrorSelectResource": "Моля, изберете ресурс",
|
||||||
"proxyResourceTitle": "Управление на обществени ресурси",
|
"proxyResourceTitle": "Управление на обществени ресурси",
|
||||||
"proxyResourceDescription": "Създайте и управлявайте ресурси, които са общодостъпни чрез уеб браузър.",
|
"proxyResourceDescription": "Създайте и управлявайте ресурси, които са общодостъпни чрез уеб браузър.",
|
||||||
"proxyResourcesBannerTitle": "Публичен достъп чрез уеб.",
|
"publicResourcesBannerTitle": "Публичен достъп чрез уеб.",
|
||||||
"proxyResourcesBannerDescription": "Публичните ресурси са HTTPS или TCP/UDP проксита, достъпни за всеки в интернет чрез уеб браузър. За разлика от частните ресурси, те не изискват софтуер от страна на клиента и могат да включват издентити и контексто-осъзнати политики за достъп.",
|
"publicResourcesBannerDescription": "Публичните ресурси са HTTPS или TCP/UDP проксита, достъпни за всеки в интернет чрез уеб браузър. За разлика от частните ресурси, те не изискват софтуер от страна на клиента и могат да включват издентити и контексто-осъзнати политики за достъп.",
|
||||||
"clientResourceTitle": "Управление на частни ресурси",
|
"clientResourceTitle": "Управление на частни ресурси",
|
||||||
"clientResourceDescription": "Създайте и управлявайте ресурси, които са достъпни само чрез свързан клиент.",
|
"clientResourceDescription": "Създайте и управлявайте ресурси, които са достъпни само чрез свързан клиент.",
|
||||||
"privateResourcesBannerTitle": "Достъп до частни ресурси с нулево доверие.",
|
"privateResourcesBannerTitle": "Достъп до частни ресурси с нулево доверие.",
|
||||||
|
|||||||
@@ -200,8 +200,8 @@
|
|||||||
"shareErrorSelectResource": "Zvolte prosím zdroj",
|
"shareErrorSelectResource": "Zvolte prosím zdroj",
|
||||||
"proxyResourceTitle": "Spravovat veřejné zdroje",
|
"proxyResourceTitle": "Spravovat veřejné zdroje",
|
||||||
"proxyResourceDescription": "Vytváření a správa zdrojů, které jsou veřejně přístupné prostřednictvím webového prohlížeče",
|
"proxyResourceDescription": "Vytváření a správa zdrojů, které jsou veřejně přístupné prostřednictvím webového prohlížeče",
|
||||||
"proxyResourcesBannerTitle": "Veřejný přístup založený na webu",
|
"publicResourcesBannerTitle": "Veřejný přístup založený na webu",
|
||||||
"proxyResourcesBannerDescription": "Veřejné prostředky jsou HTTPS nebo TCP/UDP proxy, které jsou přístupné každému na internetu prostřednictvím webového prohlížeče. Na rozdíl od soukromých prostředků nevyžadují software na straně klienta a mohou zahrnovat politiky přístupu orientované na identitu a kontext.",
|
"publicResourcesBannerDescription": "Veřejné prostředky jsou HTTPS nebo TCP/UDP proxy, které jsou přístupné každému na internetu prostřednictvím webového prohlížeče. Na rozdíl od soukromých prostředků nevyžadují software na straně klienta a mohou zahrnovat politiky přístupu orientované na identitu a kontext.",
|
||||||
"clientResourceTitle": "Spravovat soukromé zdroje",
|
"clientResourceTitle": "Spravovat soukromé zdroje",
|
||||||
"clientResourceDescription": "Vytváření a správa zdrojů, které jsou přístupné pouze prostřednictvím připojeného klienta",
|
"clientResourceDescription": "Vytváření a správa zdrojů, které jsou přístupné pouze prostřednictvím připojeného klienta",
|
||||||
"privateResourcesBannerTitle": "Zero-Trust soukromý přístup",
|
"privateResourcesBannerTitle": "Zero-Trust soukromý přístup",
|
||||||
|
|||||||
@@ -200,8 +200,8 @@
|
|||||||
"shareErrorSelectResource": "Bitte wählen Sie eine Ressource",
|
"shareErrorSelectResource": "Bitte wählen Sie eine Ressource",
|
||||||
"proxyResourceTitle": "Öffentliche Ressourcen verwalten",
|
"proxyResourceTitle": "Öffentliche Ressourcen verwalten",
|
||||||
"proxyResourceDescription": "Erstelle und verwalte Ressourcen, die über einen Webbrowser öffentlich zugänglich sind",
|
"proxyResourceDescription": "Erstelle und verwalte Ressourcen, die über einen Webbrowser öffentlich zugänglich sind",
|
||||||
"proxyResourcesBannerTitle": "Web-basierter öffentlicher Zugang",
|
"publicResourcesBannerTitle": "Web-basierter öffentlicher Zugang",
|
||||||
"proxyResourcesBannerDescription": "Öffentliche Ressourcen sind HTTPS oder TCP/UDP-Proxys, die über einen Webbrowser für jeden zugänglich sind. Im Gegensatz zu privaten Ressourcen benötigen sie keine Client-seitige Software und können Identitäts- und kontextbezogene Zugriffsrichtlinien beinhalten.",
|
"publicResourcesBannerDescription": "Öffentliche Ressourcen sind HTTPS oder TCP/UDP-Proxys, die über einen Webbrowser für jeden zugänglich sind. Im Gegensatz zu privaten Ressourcen benötigen sie keine Client-seitige Software und können Identitäts- und kontextbezogene Zugriffsrichtlinien beinhalten.",
|
||||||
"clientResourceTitle": "Private Ressourcen verwalten",
|
"clientResourceTitle": "Private Ressourcen verwalten",
|
||||||
"clientResourceDescription": "Erstelle und verwalte Ressourcen, die nur über einen verbundenen Client zugänglich sind",
|
"clientResourceDescription": "Erstelle und verwalte Ressourcen, die nur über einen verbundenen Client zugänglich sind",
|
||||||
"privateResourcesBannerTitle": "Zero-Trust-Zugriff auf private Ressourcen",
|
"privateResourcesBannerTitle": "Zero-Trust-Zugriff auf private Ressourcen",
|
||||||
|
|||||||
@@ -101,6 +101,8 @@
|
|||||||
"sitesTableViewPrivateResources": "View Private Resources",
|
"sitesTableViewPrivateResources": "View Private Resources",
|
||||||
"siteInstallNewt": "Install Site",
|
"siteInstallNewt": "Install Site",
|
||||||
"siteInstallNewtDescription": "Install the site connector for your system",
|
"siteInstallNewtDescription": "Install the site connector for your system",
|
||||||
|
"siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
|
||||||
|
"siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
|
||||||
"WgConfiguration": "WireGuard Configuration",
|
"WgConfiguration": "WireGuard Configuration",
|
||||||
"WgConfigurationDescription": "Use the following configuration to connect to the network",
|
"WgConfigurationDescription": "Use the following configuration to connect to the network",
|
||||||
"operatingSystem": "Operating System",
|
"operatingSystem": "Operating System",
|
||||||
@@ -148,16 +150,16 @@
|
|||||||
"siteCredentialsSaveDescription": "You will only be able to see this once. Make sure to copy it to a secure place.",
|
"siteCredentialsSaveDescription": "You will only be able to see this once. Make sure to copy it to a secure place.",
|
||||||
"siteInfo": "Site Information",
|
"siteInfo": "Site Information",
|
||||||
"status": "Status",
|
"status": "Status",
|
||||||
"shareTitle": "Manage Share Links",
|
"shareTitle": "Manage Shareable Links",
|
||||||
"shareDescription": "Create shareable links to grant temporary or permanent access to proxy resources",
|
"shareDescription": "Create shareable links to grant temporary or permanent access to proxy resources",
|
||||||
"shareSearch": "Search share links...",
|
"shareSearch": "Search shareable links...",
|
||||||
"shareCreate": "Create Share Link",
|
"shareCreate": "Create Shareable Link",
|
||||||
"shareErrorDelete": "Failed to delete link",
|
"shareErrorDelete": "Failed to delete link",
|
||||||
"shareErrorDeleteMessage": "An error occurred deleting link",
|
"shareErrorDeleteMessage": "An error occurred deleting link",
|
||||||
"shareDeleted": "Link deleted",
|
"shareDeleted": "Link deleted",
|
||||||
"shareDeletedDescription": "The link has been deleted",
|
"shareDeletedDescription": "The link has been deleted",
|
||||||
"shareDelete": "Delete Share Link",
|
"shareDelete": "Delete Shareable Link",
|
||||||
"shareDeleteConfirm": "Confirm Delete Share Link",
|
"shareDeleteConfirm": "Confirm Delete Shareable Link",
|
||||||
"shareQuestionRemove": "Are you sure you want to delete this share link?",
|
"shareQuestionRemove": "Are you sure you want to delete this share link?",
|
||||||
"shareMessageRemove": "Once deleted, the link will no longer work and anyone using it will lose access to the resource.",
|
"shareMessageRemove": "Once deleted, the link will no longer work and anyone using it will lose access to the resource.",
|
||||||
"shareTokenDescription": "The access token can be passed in two ways: as a query parameter or in the request headers. These must be passed from the client on every request for authenticated access.",
|
"shareTokenDescription": "The access token can be passed in two ways: as a query parameter or in the request headers. These must be passed from the client on every request for authenticated access.",
|
||||||
@@ -177,6 +179,7 @@
|
|||||||
"shareCreateDescription": "Anyone with this link can access the resource",
|
"shareCreateDescription": "Anyone with this link can access the resource",
|
||||||
"shareTitleOptional": "Title (optional)",
|
"shareTitleOptional": "Title (optional)",
|
||||||
"sharePathOptional": "Path (optional)",
|
"sharePathOptional": "Path (optional)",
|
||||||
|
"sharePathDescription": "The link will redirect users to this path after authentication.",
|
||||||
"expireIn": "Expire In",
|
"expireIn": "Expire In",
|
||||||
"neverExpire": "Never expire",
|
"neverExpire": "Never expire",
|
||||||
"shareExpireDescription": "Expiration time is how long the link will be usable and provide access to the resource. After this time, the link will no longer work, and users who used this link will lose access to the resource.",
|
"shareExpireDescription": "Expiration time is how long the link will be usable and provide access to the resource. After this time, the link will no longer work, and users who used this link will lose access to the resource.",
|
||||||
@@ -200,8 +203,8 @@
|
|||||||
"shareErrorSelectResource": "Please select a resource",
|
"shareErrorSelectResource": "Please select a resource",
|
||||||
"proxyResourceTitle": "Manage Public Resources",
|
"proxyResourceTitle": "Manage Public Resources",
|
||||||
"proxyResourceDescription": "Create and manage resources that are publicly accessible through a web browser",
|
"proxyResourceDescription": "Create and manage resources that are publicly accessible through a web browser",
|
||||||
"proxyResourcesBannerTitle": "Web-based Public Access",
|
"publicResourcesBannerTitle": "Web-based Public Access",
|
||||||
"proxyResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
|
"publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
|
||||||
"clientResourceTitle": "Manage Private Resources",
|
"clientResourceTitle": "Manage Private Resources",
|
||||||
"clientResourceDescription": "Create and manage resources that are only accessible through a connected client",
|
"clientResourceDescription": "Create and manage resources that are only accessible through a connected client",
|
||||||
"privateResourcesBannerTitle": "Zero-Trust Private Access",
|
"privateResourcesBannerTitle": "Zero-Trust Private Access",
|
||||||
@@ -209,15 +212,19 @@
|
|||||||
"resourcesSearch": "Search resources...",
|
"resourcesSearch": "Search resources...",
|
||||||
"resourceAdd": "Add Resource",
|
"resourceAdd": "Add Resource",
|
||||||
"resourceErrorDelte": "Error deleting resource",
|
"resourceErrorDelte": "Error deleting resource",
|
||||||
"resourcePoliciesTitle": "Manage Resource Policies",
|
"resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
|
||||||
"resourcePoliciesAttachedResourcesColumnTitle": "Attached resources",
|
"resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
|
||||||
|
"resourcePoliciesBannerButtonText": "Learn More",
|
||||||
|
"resourcePoliciesTitle": "Manage Public Resource Policies",
|
||||||
|
"resourcePoliciesAttachedResourcesColumnTitle": "Resources",
|
||||||
"resourcePoliciesAttachedResources": "{count} resource(s)",
|
"resourcePoliciesAttachedResources": "{count} resource(s)",
|
||||||
|
"resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
|
||||||
"resourcePoliciesAttachedResourcesEmpty": "no resources",
|
"resourcePoliciesAttachedResourcesEmpty": "no resources",
|
||||||
"resourcePoliciesDescription": "Create and manage authentication policies to control access to your resources",
|
"resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
|
||||||
"resourcePoliciesSearch": "Search policies...",
|
"resourcePoliciesSearch": "Search policies...",
|
||||||
"resourcePoliciesAdd": "Add Policy",
|
"resourcePoliciesAdd": "Add Policy",
|
||||||
"resourcePoliciesDefaultBadgeText": "Default policy",
|
"resourcePoliciesDefaultBadgeText": "Default policy",
|
||||||
"resourcePoliciesCreate": "Create Resource Policy",
|
"resourcePoliciesCreate": "Create Public Resource Policy",
|
||||||
"resourcePoliciesCreateDescription": "Follow the steps below to create a new policy",
|
"resourcePoliciesCreateDescription": "Follow the steps below to create a new policy",
|
||||||
"resourcePolicyName": "Policy Name",
|
"resourcePolicyName": "Policy Name",
|
||||||
"resourcePolicyNameDescription": "Give this policy a name to identify it across your resources",
|
"resourcePolicyNameDescription": "Give this policy a name to identify it across your resources",
|
||||||
@@ -274,7 +281,7 @@
|
|||||||
"back": "Back",
|
"back": "Back",
|
||||||
"cancel": "Cancel",
|
"cancel": "Cancel",
|
||||||
"resourceConfig": "Configuration Snippets",
|
"resourceConfig": "Configuration Snippets",
|
||||||
"resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource",
|
"resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
|
||||||
"resourceAddEntrypoints": "Traefik: Add Entrypoints",
|
"resourceAddEntrypoints": "Traefik: Add Entrypoints",
|
||||||
"resourceExposePorts": "Gerbil: Expose Ports in Docker Compose",
|
"resourceExposePorts": "Gerbil: Expose Ports in Docker Compose",
|
||||||
"resourceLearnRaw": "Learn how to configure TCP/UDP resources",
|
"resourceLearnRaw": "Learn how to configure TCP/UDP resources",
|
||||||
@@ -287,6 +294,8 @@
|
|||||||
"labelDelete": "Delete Label",
|
"labelDelete": "Delete Label",
|
||||||
"labelAdd": "Add Label",
|
"labelAdd": "Add Label",
|
||||||
"labelCreateSuccessMessage": "Label Created Successfully",
|
"labelCreateSuccessMessage": "Label Created Successfully",
|
||||||
|
"labelDuplicateError": "Duplicate Label",
|
||||||
|
"labelDuplicateErrorDescription": "A label with this name already exists.",
|
||||||
"labelEditSuccessMessage": "Label Modified Successfully",
|
"labelEditSuccessMessage": "Label Modified Successfully",
|
||||||
"labelNameField": "Label Name",
|
"labelNameField": "Label Name",
|
||||||
"labelColorField": "Label Color",
|
"labelColorField": "Label Color",
|
||||||
@@ -311,7 +320,7 @@
|
|||||||
"rules": "Rules",
|
"rules": "Rules",
|
||||||
"resourceSettingDescription": "Configure the settings on the resource",
|
"resourceSettingDescription": "Configure the settings on the resource",
|
||||||
"resourceSetting": "{resourceName} Settings",
|
"resourceSetting": "{resourceName} Settings",
|
||||||
"resourcePolicySettingDescription": "Configure the settings on the resource policy",
|
"resourcePolicySettingDescription": "Configure the settings on this public resource policy",
|
||||||
"resourcePolicySetting": "{policyName} Settings",
|
"resourcePolicySetting": "{policyName} Settings",
|
||||||
"alwaysAllow": "Bypass Auth",
|
"alwaysAllow": "Bypass Auth",
|
||||||
"alwaysDeny": "Block Access",
|
"alwaysDeny": "Block Access",
|
||||||
@@ -719,7 +728,7 @@
|
|||||||
"targetSubmit": "Add Target",
|
"targetSubmit": "Add Target",
|
||||||
"targetNoOne": "This resource doesn't have any targets. Add a target to configure where to send requests to the backend.",
|
"targetNoOne": "This resource doesn't have any targets. Add a target to configure where to send requests to the backend.",
|
||||||
"targetNoOneDescription": "Adding more than one target above will enable load balancing.",
|
"targetNoOneDescription": "Adding more than one target above will enable load balancing.",
|
||||||
"targetsSubmit": "Save Targets",
|
"targetsSubmit": "Save Settings",
|
||||||
"addTarget": "Add Target",
|
"addTarget": "Add Target",
|
||||||
"proxyMultiSiteRoundRobinNodeHelp": "Round robin routing will not work between sites that are not connected to the same node, but failover will work.",
|
"proxyMultiSiteRoundRobinNodeHelp": "Round robin routing will not work between sites that are not connected to the same node, but failover will work.",
|
||||||
"targetErrorInvalidIp": "Invalid IP address",
|
"targetErrorInvalidIp": "Invalid IP address",
|
||||||
@@ -753,11 +762,11 @@
|
|||||||
"rulesErrorDuplicate": "Duplicate rule",
|
"rulesErrorDuplicate": "Duplicate rule",
|
||||||
"rulesErrorDuplicateDescription": "A rule with these settings already exists",
|
"rulesErrorDuplicateDescription": "A rule with these settings already exists",
|
||||||
"rulesErrorInvalidIpAddressRange": "Invalid CIDR",
|
"rulesErrorInvalidIpAddressRange": "Invalid CIDR",
|
||||||
"rulesErrorInvalidIpAddressRangeDescription": "Please enter a valid CIDR value",
|
"rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
|
||||||
"rulesErrorInvalidUrl": "Invalid URL path",
|
"rulesErrorInvalidUrl": "Invalid path",
|
||||||
"rulesErrorInvalidUrlDescription": "Please enter a valid URL path value",
|
"rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
|
||||||
"rulesErrorInvalidIpAddress": "Invalid IP",
|
"rulesErrorInvalidIpAddress": "Invalid IP address",
|
||||||
"rulesErrorInvalidIpAddressDescription": "Please enter a valid IP address",
|
"rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
|
||||||
"rulesErrorUpdate": "Failed to update rules",
|
"rulesErrorUpdate": "Failed to update rules",
|
||||||
"rulesErrorUpdateDescription": "An error occurred while updating rules",
|
"rulesErrorUpdateDescription": "An error occurred while updating rules",
|
||||||
"rulesUpdated": "Enable Rules",
|
"rulesUpdated": "Enable Rules",
|
||||||
@@ -765,15 +774,24 @@
|
|||||||
"rulesMatchIpAddressRangeDescription": "Enter an address in CIDR format (e.g., 103.21.244.0/22)",
|
"rulesMatchIpAddressRangeDescription": "Enter an address in CIDR format (e.g., 103.21.244.0/22)",
|
||||||
"rulesMatchIpAddress": "Enter an IP address (e.g., 103.21.244.12)",
|
"rulesMatchIpAddress": "Enter an IP address (e.g., 103.21.244.12)",
|
||||||
"rulesMatchUrl": "Enter a URL path or pattern (e.g., /api/v1/todos or /api/v1/*)",
|
"rulesMatchUrl": "Enter a URL path or pattern (e.g., /api/v1/todos or /api/v1/*)",
|
||||||
"rulesErrorInvalidPriority": "Invalid Priority",
|
"rulesErrorInvalidPriority": "Invalid priority",
|
||||||
"rulesErrorInvalidPriorityDescription": "Please enter a valid priority",
|
"rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
|
||||||
"rulesErrorDuplicatePriority": "Duplicate Priorities",
|
"rulesErrorDuplicatePriority": "Duplicate priorities",
|
||||||
"rulesErrorDuplicatePriorityDescription": "Please enter unique priorities",
|
"rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
|
||||||
|
"rulesErrorValidation": "Invalid rules",
|
||||||
|
"rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
|
||||||
|
"rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
|
||||||
|
"rulesErrorValueRequired": "Enter a value for this rule.",
|
||||||
|
"rulesErrorInvalidCountry": "Invalid country",
|
||||||
|
"rulesErrorInvalidCountryDescription": "Select a valid country.",
|
||||||
|
"rulesErrorInvalidAsn": "Invalid ASN",
|
||||||
|
"rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
|
||||||
"ruleUpdated": "Rules updated",
|
"ruleUpdated": "Rules updated",
|
||||||
"ruleUpdatedDescription": "Rules updated successfully",
|
"ruleUpdatedDescription": "Rules updated successfully",
|
||||||
"ruleErrorUpdate": "Operation failed",
|
"ruleErrorUpdate": "Operation failed",
|
||||||
"ruleErrorUpdateDescription": "An error occurred during the save operation",
|
"ruleErrorUpdateDescription": "An error occurred during the save operation",
|
||||||
"rulesPriority": "Priority",
|
"rulesPriority": "Priority",
|
||||||
|
"rulesReorderDragHandle": "Drag to reorder rule priority",
|
||||||
"rulesAction": "Action",
|
"rulesAction": "Action",
|
||||||
"rulesMatchType": "Match Type",
|
"rulesMatchType": "Match Type",
|
||||||
"value": "Value",
|
"value": "Value",
|
||||||
@@ -792,7 +810,7 @@
|
|||||||
"rulesResource": "Resource Rules Configuration",
|
"rulesResource": "Resource Rules Configuration",
|
||||||
"rulesResourceDescription": "Configure rules to control access to the resource",
|
"rulesResourceDescription": "Configure rules to control access to the resource",
|
||||||
"ruleSubmit": "Add Rule",
|
"ruleSubmit": "Add Rule",
|
||||||
"rulesNoOne": "No rules. Add a rule using the form.",
|
"rulesNoOne": "No rules yet.",
|
||||||
"rulesOrder": "Rules are evaluated by priority in ascending order.",
|
"rulesOrder": "Rules are evaluated by priority in ascending order.",
|
||||||
"rulesSubmit": "Save Rules",
|
"rulesSubmit": "Save Rules",
|
||||||
"policyErrorCreate": "Error creating policy",
|
"policyErrorCreate": "Error creating policy",
|
||||||
@@ -803,7 +821,48 @@
|
|||||||
"policyErrorUpdateMessageDescription": "An unexpected error occurred",
|
"policyErrorUpdateMessageDescription": "An unexpected error occurred",
|
||||||
"policyCreatedSuccess": "Resource policy succesfully created",
|
"policyCreatedSuccess": "Resource policy succesfully created",
|
||||||
"policyUpdatedSuccess": "Resource policy succesfully updated",
|
"policyUpdatedSuccess": "Resource policy succesfully updated",
|
||||||
"authMethodsSave": "Save auth methods",
|
"authMethodsSave": "Save Settings",
|
||||||
|
"policyAuthStackTitle": "Authentication",
|
||||||
|
"policyAuthStackDescription": "Control which authentication methods are required to access this resource",
|
||||||
|
"policyAuthOrLogicTitle": "Multiple authentication methods active",
|
||||||
|
"policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
|
||||||
|
"policyAuthMethodActive": "Active",
|
||||||
|
"policyAuthMethodOff": "Off",
|
||||||
|
"policyAuthSsoTitle": "Platform SSO",
|
||||||
|
"policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
|
||||||
|
"policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
|
||||||
|
"policyAuthSsoDefaultIdp": "Default provider",
|
||||||
|
"policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
|
||||||
|
"policyAuthOtherMethodsTitle": "Other Methods",
|
||||||
|
"policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
|
||||||
|
"policyAuthPasscodeTitle": "Passcode",
|
||||||
|
"policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
|
||||||
|
"policyAuthPasscodeSummary": "Passcode set",
|
||||||
|
"policyAuthPincodeTitle": "PIN Code",
|
||||||
|
"policyAuthPincodeDescription": "A short numeric code required to access the resource",
|
||||||
|
"policyAuthPincodeSummary": "6-digit PIN set",
|
||||||
|
"policyAuthEmailTitle": "Email Whitelist",
|
||||||
|
"policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
|
||||||
|
"policyAuthEmailSummary": "{count} addresses allowed",
|
||||||
|
"policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
|
||||||
|
"policyAuthHeaderAuthTitle": "Basic Header Auth",
|
||||||
|
"policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
|
||||||
|
"policyAuthHeaderAuthSummary": "Header configured",
|
||||||
|
"policyAuthHeaderName": "Header name",
|
||||||
|
"policyAuthHeaderValue": "Expected value",
|
||||||
|
"policyAuthSetPasscode": "Set Passcode",
|
||||||
|
"policyAuthSetPincode": "Set PIN Code",
|
||||||
|
"policyAuthSetEmailWhitelist": "Set Email Whitelist",
|
||||||
|
"policyAuthSetHeaderAuth": "Set Basic Header Auth",
|
||||||
|
"policyAccessRulesTitle": "Access Rules",
|
||||||
|
"policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
|
||||||
|
"policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
|
||||||
|
"policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
|
||||||
|
"policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
|
||||||
|
"policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
|
||||||
|
"rulesPlaceholderCidr": "10.0.0.0/8",
|
||||||
|
"rulesPlaceholderPath": "/admin/*",
|
||||||
|
"rulesPlaceholderGeo": "RU, KP",
|
||||||
"rulesSave": "Save Rules",
|
"rulesSave": "Save Rules",
|
||||||
"resourceErrorCreate": "Error creating resource",
|
"resourceErrorCreate": "Error creating resource",
|
||||||
"resourceErrorCreateDescription": "An error occurred when creating the resource",
|
"resourceErrorCreateDescription": "An error occurred when creating the resource",
|
||||||
@@ -824,9 +883,9 @@
|
|||||||
"resourcesErrorUpdateDescription": "An error occurred while updating the resource",
|
"resourcesErrorUpdateDescription": "An error occurred while updating the resource",
|
||||||
"access": "Access",
|
"access": "Access",
|
||||||
"accessControl": "Access Control",
|
"accessControl": "Access Control",
|
||||||
"shareLink": "{resource} Share Link",
|
"shareLink": "{resource} Shareable Link",
|
||||||
"resourceSelect": "Select resource",
|
"resourceSelect": "Select resource",
|
||||||
"shareLinks": "Share Links",
|
"shareLinks": "Shareable Links",
|
||||||
"share": "Shareable Links",
|
"share": "Shareable Links",
|
||||||
"shareDescription2": "Create shareable links to resources. Links provide temporary or unlimited access to your resource. You can configure the expiration duration of the link when you create one.",
|
"shareDescription2": "Create shareable links to resources. Links provide temporary or unlimited access to your resource. You can configure the expiration duration of the link when you create one.",
|
||||||
"shareEasyCreate": "Easy to create and share",
|
"shareEasyCreate": "Easy to create and share",
|
||||||
@@ -916,10 +975,18 @@
|
|||||||
"resourceRoleDescription": "Admins can always access this resource.",
|
"resourceRoleDescription": "Admins can always access this resource.",
|
||||||
"resourcePolicySelectTitle": "Resource Access Policy",
|
"resourcePolicySelectTitle": "Resource Access Policy",
|
||||||
"resourcePolicySelectDescription": "Select the resource policy type for authentication",
|
"resourcePolicySelectDescription": "Select the resource policy type for authentication",
|
||||||
|
"resourcePolicyTypeLabel": "Policy type",
|
||||||
|
"resourcePolicyLabel": "Resource policy",
|
||||||
"resourcePolicyInline": "Inline Resource Policy",
|
"resourcePolicyInline": "Inline Resource Policy",
|
||||||
"resourcePolicyInlineDescription": "Access Policy scoped to only this resource",
|
"resourcePolicyInlineDescription": "Access Policy scoped to only this resource",
|
||||||
"resourcePolicyShared": "Shared Resource Policy",
|
"resourcePolicyShared": "Shared Resource Policy",
|
||||||
"resourcePolicySharedDescription": "This resource uses a shared policy. Policy-level settings (auth methods, email whitelist) are locked. You can add resource-specific rules, roles, and users below.",
|
"resourcePolicySharedDescription": "This resource uses a shared policy.",
|
||||||
|
"sharedPolicy": "Shared Policy",
|
||||||
|
"sharedPolicyNoneDescription": "This resource has its own policy.",
|
||||||
|
"resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
|
||||||
|
"resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
|
||||||
|
"resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
|
||||||
|
"resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
|
||||||
"resourceUsersRoles": "Access Controls",
|
"resourceUsersRoles": "Access Controls",
|
||||||
"resourceUsersRolesDescription": "Configure which users and roles can visit this resource",
|
"resourceUsersRolesDescription": "Configure which users and roles can visit this resource",
|
||||||
"resourceUsersRolesSubmit": "Save Access Controls",
|
"resourceUsersRolesSubmit": "Save Access Controls",
|
||||||
@@ -944,7 +1011,14 @@
|
|||||||
"resourceVisibilityTitle": "Visibility",
|
"resourceVisibilityTitle": "Visibility",
|
||||||
"resourceVisibilityTitleDescription": "Completely enable or disable resource visibility",
|
"resourceVisibilityTitleDescription": "Completely enable or disable resource visibility",
|
||||||
"resourceGeneral": "General Settings",
|
"resourceGeneral": "General Settings",
|
||||||
"resourceGeneralDescription": "Configure the general settings for this resource",
|
"resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
|
||||||
|
"resourceGeneralDetailsSubsection": "Resource Details",
|
||||||
|
"resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
|
||||||
|
"resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
|
||||||
|
"resourceGeneralPublicAddressSubsection": "Public Address",
|
||||||
|
"resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
|
||||||
|
"resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
|
||||||
|
"resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
|
||||||
"resourceEnable": "Enable Resource",
|
"resourceEnable": "Enable Resource",
|
||||||
"resourceTransfer": "Transfer Resource",
|
"resourceTransfer": "Transfer Resource",
|
||||||
"resourceTransferDescription": "Transfer this resource to a different site",
|
"resourceTransferDescription": "Transfer this resource to a different site",
|
||||||
@@ -1220,11 +1294,14 @@
|
|||||||
"addLabels": "Add labels",
|
"addLabels": "Add labels",
|
||||||
"siteLabelsTab": "Labels",
|
"siteLabelsTab": "Labels",
|
||||||
"siteLabelsDescription": "Manage labels associated with this site.",
|
"siteLabelsDescription": "Manage labels associated with this site.",
|
||||||
"labelsNotFound": "Labels not found",
|
"labelsNotFound": "No labels found.",
|
||||||
|
"labelsEmptyCreateHint": "Start typing above to create a label.",
|
||||||
"labelSearch": "Search labels",
|
"labelSearch": "Search labels",
|
||||||
|
"labelSearchOrCreate": "Search or create a label",
|
||||||
"accessLabelFilterCount": "{count, plural, one {# label} other {# labels}}",
|
"accessLabelFilterCount": "{count, plural, one {# label} other {# labels}}",
|
||||||
"labelOverflowCount": "+{count, plural, one {# label} other {# labels}}",
|
"labelOverflowCount": "+{count, plural, one {# label} other {# labels}}",
|
||||||
"accessLabelFilterClear": "Clear label filters",
|
"accessLabelFilterClear": "Clear label filters",
|
||||||
|
"accessFilterClear": "Clear filters",
|
||||||
"selectColor": "Select color",
|
"selectColor": "Select color",
|
||||||
"createNewLabel": "Create new org label \"{label}\"",
|
"createNewLabel": "Create new org label \"{label}\"",
|
||||||
"inviteInvalidDescription": "The invite link is invalid.",
|
"inviteInvalidDescription": "The invite link is invalid.",
|
||||||
@@ -1461,8 +1538,8 @@
|
|||||||
"sidebarResources": "Resources",
|
"sidebarResources": "Resources",
|
||||||
"sidebarProxyResources": "Public",
|
"sidebarProxyResources": "Public",
|
||||||
"sidebarClientResources": "Private",
|
"sidebarClientResources": "Private",
|
||||||
"sidebarPolicies": "Policies",
|
"sidebarPolicies": "Shared Policies",
|
||||||
"sidebarResourcePolicies": "Resources",
|
"sidebarResourcePolicies": "Public Resources",
|
||||||
"sidebarAccessControl": "Access Control",
|
"sidebarAccessControl": "Access Control",
|
||||||
"sidebarLogsAndAnalytics": "Logs & Analytics",
|
"sidebarLogsAndAnalytics": "Logs & Analytics",
|
||||||
"sidebarTeam": "Team",
|
"sidebarTeam": "Team",
|
||||||
@@ -1470,7 +1547,7 @@
|
|||||||
"sidebarAdmin": "Admin",
|
"sidebarAdmin": "Admin",
|
||||||
"sidebarInvitations": "Invitations",
|
"sidebarInvitations": "Invitations",
|
||||||
"sidebarRoles": "Roles",
|
"sidebarRoles": "Roles",
|
||||||
"sidebarShareableLinks": "Links",
|
"sidebarShareableLinks": "Shareable Links",
|
||||||
"sidebarApiKeys": "API Keys",
|
"sidebarApiKeys": "API Keys",
|
||||||
"sidebarProvisioning": "Provisioning",
|
"sidebarProvisioning": "Provisioning",
|
||||||
"sidebarSettings": "Settings",
|
"sidebarSettings": "Settings",
|
||||||
@@ -1647,7 +1724,7 @@
|
|||||||
"standaloneHcFilterResourceIdFallback": "Resource {id}",
|
"standaloneHcFilterResourceIdFallback": "Resource {id}",
|
||||||
"blueprints": "Blueprints",
|
"blueprints": "Blueprints",
|
||||||
"blueprintsLog": "Blueprints Log",
|
"blueprintsLog": "Blueprints Log",
|
||||||
"blueprintsDescription": "View past blueprint applications and their results",
|
"blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
|
||||||
"blueprintAdd": "Add Blueprint",
|
"blueprintAdd": "Add Blueprint",
|
||||||
"blueprintGoBack": "See all Blueprints",
|
"blueprintGoBack": "See all Blueprints",
|
||||||
"blueprintCreate": "Create Blueprint",
|
"blueprintCreate": "Create Blueprint",
|
||||||
@@ -1667,10 +1744,10 @@
|
|||||||
"enableDockerSocket": "Enable Docker Blueprint",
|
"enableDockerSocket": "Enable Docker Blueprint",
|
||||||
"enableDockerSocketDescription": "Enable Docker Socket label scraping for blueprint labels. Socket path must be provided to the site connector. Read about how this works in <docsLink>the documentation</docsLink>.",
|
"enableDockerSocketDescription": "Enable Docker Socket label scraping for blueprint labels. Socket path must be provided to the site connector. Read about how this works in <docsLink>the documentation</docsLink>.",
|
||||||
"newtAutoUpdate": "Enable Site Auto-Update",
|
"newtAutoUpdate": "Enable Site Auto-Update",
|
||||||
"newtAutoUpdateDescription": "When enabled, site connectors will automatically update to the latest version when a new release is available.",
|
"newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
|
||||||
"siteAutoUpdate": "Site Auto-Update",
|
"siteAutoUpdate": "Site Auto-Update",
|
||||||
"siteAutoUpdateLabel": "Enable Auto-Update",
|
"siteAutoUpdateLabel": "Enable Auto-Update",
|
||||||
"siteAutoUpdateDescription": "Control whether this site's connector automatically downloads the latest version.",
|
"siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
|
||||||
"siteAutoUpdateOrgDefault": "Organization default: {state}",
|
"siteAutoUpdateOrgDefault": "Organization default: {state}",
|
||||||
"siteAutoUpdateOverriding": "Overriding organization setting",
|
"siteAutoUpdateOverriding": "Overriding organization setting",
|
||||||
"siteAutoUpdateResetToOrg": "Reset to Organization Default",
|
"siteAutoUpdateResetToOrg": "Reset to Organization Default",
|
||||||
@@ -1768,9 +1845,9 @@
|
|||||||
"accountSetupSuccess": "Account setup completed! Welcome to Pangolin!",
|
"accountSetupSuccess": "Account setup completed! Welcome to Pangolin!",
|
||||||
"documentation": "Documentation",
|
"documentation": "Documentation",
|
||||||
"saveAllSettings": "Save All Settings",
|
"saveAllSettings": "Save All Settings",
|
||||||
"saveResourceTargets": "Save Targets",
|
"saveResourceTargets": "Save Settings",
|
||||||
"saveResourceHttp": "Save Proxy Settings",
|
"saveResourceHttp": "Save Settings",
|
||||||
"saveProxyProtocol": "Save Proxy protocol settings",
|
"saveProxyProtocol": "Save Settings",
|
||||||
"settingsUpdated": "Settings updated",
|
"settingsUpdated": "Settings updated",
|
||||||
"settingsUpdatedDescription": "Settings updated successfully",
|
"settingsUpdatedDescription": "Settings updated successfully",
|
||||||
"settingsErrorUpdate": "Failed to update settings",
|
"settingsErrorUpdate": "Failed to update settings",
|
||||||
@@ -2027,13 +2104,13 @@
|
|||||||
"healthCheckUnknown": "Unknown",
|
"healthCheckUnknown": "Unknown",
|
||||||
"healthCheck": "Health Check",
|
"healthCheck": "Health Check",
|
||||||
"configureHealthCheck": "Configure Health Check",
|
"configureHealthCheck": "Configure Health Check",
|
||||||
"configureHealthCheckDescription": "Set up health monitoring for {target}",
|
"configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
|
||||||
"enableHealthChecks": "Enable Health Checks",
|
"enableHealthChecks": "Enable Health Checks",
|
||||||
"healthCheckDisabledStateDescription": "When disabled, the site will not perform health checks and the state will be considered unknown.",
|
"healthCheckDisabledStateDescription": "When disabled, the site will not perform health checks and the state will be considered unknown.",
|
||||||
"enableHealthChecksDescription": "Monitor the health of this target. You can monitor a different endpoint than the target if required.",
|
"enableHealthChecksDescription": "Monitor the health of this target. You can monitor a different endpoint than the target if required.",
|
||||||
"healthScheme": "Method",
|
"healthScheme": "Method",
|
||||||
"healthSelectScheme": "Select Method",
|
"healthSelectScheme": "Select Method",
|
||||||
"healthCheckPortInvalid": "Health check port must be between 1 and 65535",
|
"healthCheckPortInvalid": "Port must be between 1 and 65535",
|
||||||
"healthCheckPath": "Path",
|
"healthCheckPath": "Path",
|
||||||
"healthHostname": "IP / Host",
|
"healthHostname": "IP / Host",
|
||||||
"healthPort": "Port",
|
"healthPort": "Port",
|
||||||
@@ -2073,8 +2150,13 @@
|
|||||||
"sshDaemonDisclaimer": "Ensure your target host is properly configured to run the auth daemon before completing this setup, or provisioning will fail.",
|
"sshDaemonDisclaimer": "Ensure your target host is properly configured to run the auth daemon before completing this setup, or provisioning will fail.",
|
||||||
"sshDaemonPort": "Daemon Port",
|
"sshDaemonPort": "Daemon Port",
|
||||||
"sshServerDestination": "Server Destination",
|
"sshServerDestination": "Server Destination",
|
||||||
"sshServerDestinationDescription": "Configure the destination and port of the SSH server",
|
"sshServerDestinationDescription": "Configure the destination of the SSH server",
|
||||||
"destination": "Destination",
|
"destination": "Destination",
|
||||||
|
"destinationRequired": "Destination is required.",
|
||||||
|
"domainRequired": "Domain is required.",
|
||||||
|
"proxyPortRequired": "Port is required.",
|
||||||
|
"invalidPathConfiguration": "Invalid path configuration.",
|
||||||
|
"invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
|
||||||
"bgTargetMultiSiteDisclaimer": "Selecting multiple sites enables resilient routing and failover for high availability.",
|
"bgTargetMultiSiteDisclaimer": "Selecting multiple sites enables resilient routing and failover for high availability.",
|
||||||
"roleAllowSsh": "Allow SSH",
|
"roleAllowSsh": "Allow SSH",
|
||||||
"roleAllowSshAllow": "Allow",
|
"roleAllowSshAllow": "Allow",
|
||||||
@@ -2089,10 +2171,25 @@
|
|||||||
"sshSudoModeCommandsDescription": "User can run only the specified commands with sudo.",
|
"sshSudoModeCommandsDescription": "User can run only the specified commands with sudo.",
|
||||||
"sshSudo": "Allow sudo",
|
"sshSudo": "Allow sudo",
|
||||||
"sshSudoCommands": "Sudo Commands",
|
"sshSudoCommands": "Sudo Commands",
|
||||||
"sshSudoCommandsDescription": "Comma separated list of commands the user is allowed to run with sudo. Absolute paths must be used.",
|
"sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
|
||||||
"sshCreateHomeDir": "Create Home Directory",
|
"sshCreateHomeDir": "Create Home Directory",
|
||||||
"sshUnixGroups": "Unix Groups",
|
"sshUnixGroups": "Unix Groups",
|
||||||
"sshUnixGroupsDescription": "Comma separated Unix groups to add the user to on the target host.",
|
"sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
|
||||||
|
"roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
|
||||||
|
"roleTextImportTitle": "Import from File",
|
||||||
|
"roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
|
||||||
|
"roleTextImportSkipHeader": "Skip First Row (Header)",
|
||||||
|
"roleTextImportOverride": "Replace Existing",
|
||||||
|
"roleTextImportAppend": "Append to Existing",
|
||||||
|
"roleTextImportMode": "Import Mode",
|
||||||
|
"roleTextImportPreview": "Preview",
|
||||||
|
"roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
|
||||||
|
"roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
|
||||||
|
"roleTextImportConfirm": "Import",
|
||||||
|
"roleTextImportInvalidFile": "Unsupported file type",
|
||||||
|
"roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
|
||||||
|
"roleTextImportEmpty": "No items found in file",
|
||||||
|
"roleTextImportEmptyDescription": "The file does not contain any importable items.",
|
||||||
"retryAttempts": "Retry Attempts",
|
"retryAttempts": "Retry Attempts",
|
||||||
"expectedResponseCodes": "Expected Response Codes",
|
"expectedResponseCodes": "Expected Response Codes",
|
||||||
"expectedResponseCodesDescription": "HTTP status code that indicates healthy status. If left blank, 200-300 is considered healthy.",
|
"expectedResponseCodesDescription": "HTTP status code that indicates healthy status. If left blank, 200-300 is considered healthy.",
|
||||||
@@ -2876,9 +2973,10 @@
|
|||||||
"enableProxyProtocol": "Enable Proxy Protocol",
|
"enableProxyProtocol": "Enable Proxy Protocol",
|
||||||
"proxyProtocolInfo": "Preserve client IP addresses for TCP backends",
|
"proxyProtocolInfo": "Preserve client IP addresses for TCP backends",
|
||||||
"proxyProtocolVersion": "Proxy Protocol Version",
|
"proxyProtocolVersion": "Proxy Protocol Version",
|
||||||
"version1": " Version 1 (Recommended)",
|
"version1": "Version 1 (Recommended)",
|
||||||
"version2": "Version 2",
|
"version2": "Version 2",
|
||||||
"versionDescription": "Version 1 is text-based and widely supported. Version 2 is binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
|
"version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
|
||||||
|
"version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
|
||||||
"warning": "Warning",
|
"warning": "Warning",
|
||||||
"proxyProtocolWarning": "The backend application must be configured to accept Proxy Protocol connections. If your backend doesn't support Proxy Protocol, enabling this will break all connections so only enable this if you know what you're doing. Make sure to configure your backend to trust Proxy Protocol headers from Traefik.",
|
"proxyProtocolWarning": "The backend application must be configured to accept Proxy Protocol connections. If your backend doesn't support Proxy Protocol, enabling this will break all connections so only enable this if you know what you're doing. Make sure to configure your backend to trust Proxy Protocol headers from Traefik.",
|
||||||
"restarting": "Restarting...",
|
"restarting": "Restarting...",
|
||||||
@@ -3035,7 +3133,7 @@
|
|||||||
"enterConfirmation": "Enter confirmation",
|
"enterConfirmation": "Enter confirmation",
|
||||||
"blueprintViewDetails": "Details",
|
"blueprintViewDetails": "Details",
|
||||||
"defaultIdentityProvider": "Default Identity Provider",
|
"defaultIdentityProvider": "Default Identity Provider",
|
||||||
"defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
|
"defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
|
||||||
"editInternalResourceDialogNetworkSettings": "Network Settings",
|
"editInternalResourceDialogNetworkSettings": "Network Settings",
|
||||||
"editInternalResourceDialogAccessPolicy": "Access Policy",
|
"editInternalResourceDialogAccessPolicy": "Access Policy",
|
||||||
"editInternalResourceDialogAddRoles": "Add Roles",
|
"editInternalResourceDialogAddRoles": "Add Roles",
|
||||||
@@ -3076,6 +3174,7 @@
|
|||||||
"maintenanceModeType": "Maintenance Mode Type",
|
"maintenanceModeType": "Maintenance Mode Type",
|
||||||
"showMaintenancePage": "Show a maintenance page to visitors",
|
"showMaintenancePage": "Show a maintenance page to visitors",
|
||||||
"enableMaintenanceMode": "Enable Maintenance Mode",
|
"enableMaintenanceMode": "Enable Maintenance Mode",
|
||||||
|
"enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
|
||||||
"automatic": "Automatic",
|
"automatic": "Automatic",
|
||||||
"automaticModeDescription": " Show maintenance page only when all backend targets are down or unhealthy. Your resource continues working normally as long as at least one target is healthy.",
|
"automaticModeDescription": " Show maintenance page only when all backend targets are down or unhealthy. Your resource continues working normally as long as at least one target is healthy.",
|
||||||
"forced": "Forced",
|
"forced": "Forced",
|
||||||
@@ -3083,6 +3182,8 @@
|
|||||||
"warning:": "Warning:",
|
"warning:": "Warning:",
|
||||||
"forcedeModeWarning": "All traffic will be directed to the maintenance page. Your backend resources will not receive any requests.",
|
"forcedeModeWarning": "All traffic will be directed to the maintenance page. Your backend resources will not receive any requests.",
|
||||||
"pageTitle": "Page Title",
|
"pageTitle": "Page Title",
|
||||||
|
"maintenancePageContentSubsection": "Page Content",
|
||||||
|
"maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
|
||||||
"pageTitleDescription": "The main heading displayed on the maintenance page",
|
"pageTitleDescription": "The main heading displayed on the maintenance page",
|
||||||
"maintenancePageMessage": "Maintenance Message",
|
"maintenancePageMessage": "Maintenance Message",
|
||||||
"maintenancePageMessagePlaceholder": "We'll be back soon! Our site is currently undergoing scheduled maintenance.",
|
"maintenancePageMessagePlaceholder": "We'll be back soon! Our site is currently undergoing scheduled maintenance.",
|
||||||
@@ -3442,18 +3543,58 @@
|
|||||||
"sshConnecting": "Connecting…",
|
"sshConnecting": "Connecting…",
|
||||||
"sshInitializing": "Initializing…",
|
"sshInitializing": "Initializing…",
|
||||||
"sshSignInTitle": "Sign in to SSH",
|
"sshSignInTitle": "Sign in to SSH",
|
||||||
"sshSignInDescription": "Enter your SSH credentials",
|
"sshSignInDescription": "Enter your SSH credentials to connect",
|
||||||
"sshPasswordTab": "Password",
|
"sshPasswordTab": "Password",
|
||||||
"sshPrivateKeyTab": "Private Key",
|
"sshPrivateKeyTab": "Private Key",
|
||||||
"sshPrivateKeyField": "Private Key",
|
"sshPrivateKeyField": "Private Key",
|
||||||
"sshPrivateKeyDisclaimer": "Your private key is not stored or visible to Pangolin. Alternatively, you can use short-lived certificates for seamless authentication using your existing Pangolin identity.",
|
"sshPrivateKeyDisclaimer": "Your private key is not stored or visible to Pangolin. Alternatively, you can use short-lived certificates for seamless authentication using your existing Pangolin identity.",
|
||||||
"sshLearnMore": "Learn more",
|
"sshLearnMore": "Learn more",
|
||||||
"sshPrivateKeyFile": "Private Key File",
|
"sshPrivateKeyFile": "Private Key File",
|
||||||
"sshAuthenticate": "Authenticate",
|
"sshAuthenticate": "Connect",
|
||||||
"sshTerminate": "Terminate",
|
"sshTerminate": "Terminate",
|
||||||
"sshPoweredBy": "Powered by",
|
"sshPoweredBy": "Powered by",
|
||||||
"sshErrorNoTarget": "No target specified",
|
"sshErrorNoTarget": "No target specified",
|
||||||
"sshErrorWebSocket": "WebSocket connection failed",
|
"sshErrorWebSocket": "WebSocket connection failed",
|
||||||
"sshErrorAuthFailed": "Authentication failed",
|
"sshErrorAuthFailed": "Authentication failed",
|
||||||
"sshErrorConnectionClosed": "Connection closed before authentication completed"
|
"sshErrorConnectionClosed": "Connection closed before authentication completed",
|
||||||
|
"sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
|
||||||
|
"browserGatewayNoResourceForDomain": "No resource found for this domain",
|
||||||
|
"browserGatewayNoTarget": "No target",
|
||||||
|
"browserGatewayConnect": "Connect",
|
||||||
|
"browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
|
||||||
|
"sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
|
||||||
|
"sshTerminalError": "Error: {error}",
|
||||||
|
"sshConnectionClosedCode": "Connection closed (code {code})",
|
||||||
|
"sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
|
||||||
|
"sshPrivateKeyRequired": "Private key is required",
|
||||||
|
"vncTitle": "VNC",
|
||||||
|
"vncSignInDescription": "Enter your VNC password to connect",
|
||||||
|
"vncPasswordOptional": "Password (optional)",
|
||||||
|
"vncNoResourceTarget": "No resource target is available",
|
||||||
|
"vncFailedToLoadNovnc": "Failed to load noVNC",
|
||||||
|
"vncAuthFailedStatus": "Status {status}",
|
||||||
|
"vncPasteClipboard": "Paste clipboard",
|
||||||
|
"rdpTitle": "RDP",
|
||||||
|
"rdpSignInTitle": "Sign in to Remote Desktop",
|
||||||
|
"rdpSignInDescription": "Enter Windows credentials to connect",
|
||||||
|
"rdpLoadingModule": "Loading module...",
|
||||||
|
"rdpFailedToLoadModule": "Failed to load RDP module",
|
||||||
|
"rdpNotReady": "Not ready",
|
||||||
|
"rdpModuleInitializing": "RDP module is still initializing",
|
||||||
|
"rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
|
||||||
|
"rdpDownloadFailed": "Download failed: {fileName}",
|
||||||
|
"rdpUploaded": "Uploaded: {fileName}",
|
||||||
|
"rdpNoConnectionTarget": "No connection target available",
|
||||||
|
"rdpConnectionFailed": "Connection failed",
|
||||||
|
"rdpFit": "Fit",
|
||||||
|
"rdpFull": "Full",
|
||||||
|
"rdpReal": "Real",
|
||||||
|
"rdpMeta": "Meta",
|
||||||
|
"rdpUploadFiles": "Upload files",
|
||||||
|
"rdpFilesReadyToPaste": "Files ready to paste",
|
||||||
|
"rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
|
||||||
|
"rdpUploadFailed": "Upload failed",
|
||||||
|
"rdpUnicodeKeyboardMode": "Unicode keyboard mode",
|
||||||
|
"sessionToolbarShow": "Show toolbar",
|
||||||
|
"sessionToolbarHide": "Hide toolbar"
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -200,8 +200,8 @@
|
|||||||
"shareErrorSelectResource": "Por favor, seleccione un recurso",
|
"shareErrorSelectResource": "Por favor, seleccione un recurso",
|
||||||
"proxyResourceTitle": "Administrar recursos públicos",
|
"proxyResourceTitle": "Administrar recursos públicos",
|
||||||
"proxyResourceDescription": "Crear y administrar recursos que sean accesibles públicamente a través de un navegador web",
|
"proxyResourceDescription": "Crear y administrar recursos que sean accesibles públicamente a través de un navegador web",
|
||||||
"proxyResourcesBannerTitle": "Acceso público basado en web",
|
"publicResourcesBannerTitle": "Acceso público basado en web",
|
||||||
"proxyResourcesBannerDescription": "Los recursos públicos son proxies HTTPS o TCP/UDP accesibles a cualquiera en Internet a través de un navegador web. A diferencia de los recursos privados, no requieren software del lado del cliente e incluye políticas de acceso basadas en identidad y contexto.",
|
"publicResourcesBannerDescription": "Los recursos públicos son proxies HTTPS o TCP/UDP accesibles a cualquiera en Internet a través de un navegador web. A diferencia de los recursos privados, no requieren software del lado del cliente e incluye políticas de acceso basadas en identidad y contexto.",
|
||||||
"clientResourceTitle": "Administrar recursos privados",
|
"clientResourceTitle": "Administrar recursos privados",
|
||||||
"clientResourceDescription": "Crear y administrar recursos que sólo son accesibles a través de un cliente conectado",
|
"clientResourceDescription": "Crear y administrar recursos que sólo son accesibles a través de un cliente conectado",
|
||||||
"privateResourcesBannerTitle": "Acceso privado de confianza cero",
|
"privateResourcesBannerTitle": "Acceso privado de confianza cero",
|
||||||
|
|||||||
@@ -200,8 +200,8 @@
|
|||||||
"shareErrorSelectResource": "Veuillez sélectionner une ressource",
|
"shareErrorSelectResource": "Veuillez sélectionner une ressource",
|
||||||
"proxyResourceTitle": "Gérer les ressources publiques",
|
"proxyResourceTitle": "Gérer les ressources publiques",
|
||||||
"proxyResourceDescription": "Créer et gérer des ressources accessibles au public via un navigateur web",
|
"proxyResourceDescription": "Créer et gérer des ressources accessibles au public via un navigateur web",
|
||||||
"proxyResourcesBannerTitle": "Accès public basé sur le Web",
|
"publicResourcesBannerTitle": "Accès public basé sur le Web",
|
||||||
"proxyResourcesBannerDescription": "Les ressources publiques sont des proxys HTTPS ou TCP/UDP accessibles par tout le monde sur Internet via un navigateur Web. Contrairement aux ressources privées, elles n'exigent pas de logiciel côté client et peuvent inclure des politiques d'accès basées sur l'identité et le contexte.",
|
"publicResourcesBannerDescription": "Les ressources publiques sont des proxys HTTPS ou TCP/UDP accessibles par tout le monde sur Internet via un navigateur Web. Contrairement aux ressources privées, elles n'exigent pas de logiciel côté client et peuvent inclure des politiques d'accès basées sur l'identité et le contexte.",
|
||||||
"clientResourceTitle": "Gérer les ressources privées",
|
"clientResourceTitle": "Gérer les ressources privées",
|
||||||
"clientResourceDescription": "Créer et gérer des ressources qui ne sont accessibles que via un client connecté",
|
"clientResourceDescription": "Créer et gérer des ressources qui ne sont accessibles que via un client connecté",
|
||||||
"privateResourcesBannerTitle": "Accès privé sans confiance",
|
"privateResourcesBannerTitle": "Accès privé sans confiance",
|
||||||
|
|||||||
@@ -200,8 +200,8 @@
|
|||||||
"shareErrorSelectResource": "Seleziona una risorsa",
|
"shareErrorSelectResource": "Seleziona una risorsa",
|
||||||
"proxyResourceTitle": "Gestisci Risorse Pubbliche",
|
"proxyResourceTitle": "Gestisci Risorse Pubbliche",
|
||||||
"proxyResourceDescription": "Creare e gestire risorse pubbliche accessibili tramite un browser web",
|
"proxyResourceDescription": "Creare e gestire risorse pubbliche accessibili tramite un browser web",
|
||||||
"proxyResourcesBannerTitle": "Accesso Pubblico Basato sul Web",
|
"publicResourcesBannerTitle": "Accesso Pubblico Basato sul Web",
|
||||||
"proxyResourcesBannerDescription": "Le risorse pubbliche sono proxy HTTPS o TCP/UDP accessibili da chiunque tramite Internet da un browser web. A differenza delle risorse private non richiedono software lato client e possono includere politiche di accesso basate su identità e contesto.",
|
"publicResourcesBannerDescription": "Le risorse pubbliche sono proxy HTTPS o TCP/UDP accessibili da chiunque tramite Internet da un browser web. A differenza delle risorse private non richiedono software lato client e possono includere politiche di accesso basate su identità e contesto.",
|
||||||
"clientResourceTitle": "Gestisci Risorse Private",
|
"clientResourceTitle": "Gestisci Risorse Private",
|
||||||
"clientResourceDescription": "Crea e gestisci risorse accessibili solo tramite un client connesso",
|
"clientResourceDescription": "Crea e gestisci risorse accessibili solo tramite un client connesso",
|
||||||
"privateResourcesBannerTitle": "Accesso Privato Zero-Trust",
|
"privateResourcesBannerTitle": "Accesso Privato Zero-Trust",
|
||||||
|
|||||||
@@ -200,8 +200,8 @@
|
|||||||
"shareErrorSelectResource": "리소스를 선택하세요",
|
"shareErrorSelectResource": "리소스를 선택하세요",
|
||||||
"proxyResourceTitle": "공개 리소스 관리",
|
"proxyResourceTitle": "공개 리소스 관리",
|
||||||
"proxyResourceDescription": "웹 브라우저를 통해 공용으로 접근할 수 있는 리소스를 생성하고 관리하세요.",
|
"proxyResourceDescription": "웹 브라우저를 통해 공용으로 접근할 수 있는 리소스를 생성하고 관리하세요.",
|
||||||
"proxyResourcesBannerTitle": "웹 기반 공공 접근",
|
"publicResourcesBannerTitle": "웹 기반 공공 접근",
|
||||||
"proxyResourcesBannerDescription": "공공 자원은 누구나 웹 브라우저를 통해 접근 가능한 HTTPS 또는 TCP/UDP 프록시입니다. 개인 자원과 달리 클라이언트 측 소프트웨어가 필요하지 않으며, 아이덴티티 및 컨텍스트 인지 접근 정책을 포함할 수 있습니다.",
|
"publicResourcesBannerDescription": "공공 자원은 누구나 웹 브라우저를 통해 접근 가능한 HTTPS 또는 TCP/UDP 프록시입니다. 개인 자원과 달리 클라이언트 측 소프트웨어가 필요하지 않으며, 아이덴티티 및 컨텍스트 인지 접근 정책을 포함할 수 있습니다.",
|
||||||
"clientResourceTitle": "개인 리소스 관리",
|
"clientResourceTitle": "개인 리소스 관리",
|
||||||
"clientResourceDescription": "연결된 클라이언트를 통해서만 접근할 수 있는 리소스를 생성하고 관리하세요.",
|
"clientResourceDescription": "연결된 클라이언트를 통해서만 접근할 수 있는 리소스를 생성하고 관리하세요.",
|
||||||
"privateResourcesBannerTitle": "제로 트러스트 개인 접근",
|
"privateResourcesBannerTitle": "제로 트러스트 개인 접근",
|
||||||
|
|||||||
@@ -200,8 +200,8 @@
|
|||||||
"shareErrorSelectResource": "Vennligst velg en ressurs",
|
"shareErrorSelectResource": "Vennligst velg en ressurs",
|
||||||
"proxyResourceTitle": "Administrere offentlige ressurser",
|
"proxyResourceTitle": "Administrere offentlige ressurser",
|
||||||
"proxyResourceDescription": "Opprett og administrer ressurser som er offentlig tilgjengelige via en nettleser",
|
"proxyResourceDescription": "Opprett og administrer ressurser som er offentlig tilgjengelige via en nettleser",
|
||||||
"proxyResourcesBannerTitle": "Nettbasert offentlig tilgang",
|
"publicResourcesBannerTitle": "Nettbasert offentlig tilgang",
|
||||||
"proxyResourcesBannerDescription": "Offentlige ressurser er HTTPS- eller TCP/UDP-proxyer tilgjengelige for alle på internett via en nettleser. I motsetning til private ressurser, krever de ikke klient-basert programvare og kan inkludere identitets- og kontekstbevisste tilgangspolicyer.",
|
"publicResourcesBannerDescription": "Offentlige ressurser er HTTPS- eller TCP/UDP-proxyer tilgjengelige for alle på internett via en nettleser. I motsetning til private ressurser, krever de ikke klient-basert programvare og kan inkludere identitets- og kontekstbevisste tilgangspolicyer.",
|
||||||
"clientResourceTitle": "Administrer private ressurser",
|
"clientResourceTitle": "Administrer private ressurser",
|
||||||
"clientResourceDescription": "Opprette og administrere ressurser som bare er tilgjengelige via en tilkoblet klient",
|
"clientResourceDescription": "Opprette og administrere ressurser som bare er tilgjengelige via en tilkoblet klient",
|
||||||
"privateResourcesBannerTitle": "Zero-Trust privat tilgang",
|
"privateResourcesBannerTitle": "Zero-Trust privat tilgang",
|
||||||
|
|||||||
@@ -200,8 +200,8 @@
|
|||||||
"shareErrorSelectResource": "Selecteer een bron",
|
"shareErrorSelectResource": "Selecteer een bron",
|
||||||
"proxyResourceTitle": "Openbare bronnen beheren",
|
"proxyResourceTitle": "Openbare bronnen beheren",
|
||||||
"proxyResourceDescription": "Creëer en beheer bronnen die openbaar toegankelijk zijn via een webbrowser",
|
"proxyResourceDescription": "Creëer en beheer bronnen die openbaar toegankelijk zijn via een webbrowser",
|
||||||
"proxyResourcesBannerTitle": "Webgebaseerde openbare toegang",
|
"publicResourcesBannerTitle": "Webgebaseerde openbare toegang",
|
||||||
"proxyResourcesBannerDescription": "Openbare bronnen zijn HTTPS of TCP/UDP-proxies die toegankelijk zijn voor iedereen op het internet via een webbrowser. In tegenstelling tot priv<69><76>bronnen vereisen ze geen client-side software maar kunnen ze identiteits- en context-bewuste toegangsrichtlijnen bevatten.",
|
"publicResourcesBannerDescription": "Openbare bronnen zijn HTTPS of TCP/UDP-proxies die toegankelijk zijn voor iedereen op het internet via een webbrowser. In tegenstelling tot priv<69><76>bronnen vereisen ze geen client-side software maar kunnen ze identiteits- en context-bewuste toegangsrichtlijnen bevatten.",
|
||||||
"clientResourceTitle": "Privébronnen beheren",
|
"clientResourceTitle": "Privébronnen beheren",
|
||||||
"clientResourceDescription": "Creëer en beheer bronnen die alleen toegankelijk zijn via een verbonden client",
|
"clientResourceDescription": "Creëer en beheer bronnen die alleen toegankelijk zijn via een verbonden client",
|
||||||
"privateResourcesBannerTitle": "Zero-Trust Private Access",
|
"privateResourcesBannerTitle": "Zero-Trust Private Access",
|
||||||
|
|||||||
@@ -200,8 +200,8 @@
|
|||||||
"shareErrorSelectResource": "Wybierz zasób",
|
"shareErrorSelectResource": "Wybierz zasób",
|
||||||
"proxyResourceTitle": "Zarządzaj zasobami publicznymi",
|
"proxyResourceTitle": "Zarządzaj zasobami publicznymi",
|
||||||
"proxyResourceDescription": "Twórz i zarządzaj zasobami, które są publicznie dostępne w przeglądarce internetowej",
|
"proxyResourceDescription": "Twórz i zarządzaj zasobami, które są publicznie dostępne w przeglądarce internetowej",
|
||||||
"proxyResourcesBannerTitle": "Publiczny dostęp za pośrednictwem sieci Web",
|
"publicResourcesBannerTitle": "Publiczny dostęp za pośrednictwem sieci Web",
|
||||||
"proxyResourcesBannerDescription": "Zasoby publiczne to proxy HTTPS lub TCP/UDP dostępne dla każdego w internecie za pośrednictwem przeglądarki internetowej. W przeciwieństwie do zasobów prywatnych, nie wymagają oprogramowania po stronie klienta i mogą obejmować polityki dostępu świadome tożsamości i kontekstu.",
|
"publicResourcesBannerDescription": "Zasoby publiczne to proxy HTTPS lub TCP/UDP dostępne dla każdego w internecie za pośrednictwem przeglądarki internetowej. W przeciwieństwie do zasobów prywatnych, nie wymagają oprogramowania po stronie klienta i mogą obejmować polityki dostępu świadome tożsamości i kontekstu.",
|
||||||
"clientResourceTitle": "Zarządzaj zasobami prywatnymi",
|
"clientResourceTitle": "Zarządzaj zasobami prywatnymi",
|
||||||
"clientResourceDescription": "Twórz i zarządzaj zasobami, które są dostępne tylko za pośrednictwem połączonego klienta",
|
"clientResourceDescription": "Twórz i zarządzaj zasobami, które są dostępne tylko za pośrednictwem połączonego klienta",
|
||||||
"privateResourcesBannerTitle": "Zero zaufania do prywatnego dostępu",
|
"privateResourcesBannerTitle": "Zero zaufania do prywatnego dostępu",
|
||||||
|
|||||||
@@ -200,8 +200,8 @@
|
|||||||
"shareErrorSelectResource": "Por favor, selecione um recurso",
|
"shareErrorSelectResource": "Por favor, selecione um recurso",
|
||||||
"proxyResourceTitle": "Gerenciar Recursos Públicos",
|
"proxyResourceTitle": "Gerenciar Recursos Públicos",
|
||||||
"proxyResourceDescription": "Criar e gerenciar recursos que são acessíveis publicamente por meio de um navegador da web",
|
"proxyResourceDescription": "Criar e gerenciar recursos que são acessíveis publicamente por meio de um navegador da web",
|
||||||
"proxyResourcesBannerTitle": "Acesso Público via Web",
|
"publicResourcesBannerTitle": "Acesso Público via Web",
|
||||||
"proxyResourcesBannerDescription": "Os recursos públicos são proxies HTTPS ou TCP/UDP acessíveis a qualquer pessoa na internet por meio de um navegador web. Ao contrário dos recursos privados, eles não requerem software do lado do cliente e podem incluir políticas de acesso conscientes de identidade e contexto.",
|
"publicResourcesBannerDescription": "Os recursos públicos são proxies HTTPS ou TCP/UDP acessíveis a qualquer pessoa na internet por meio de um navegador web. Ao contrário dos recursos privados, eles não requerem software do lado do cliente e podem incluir políticas de acesso conscientes de identidade e contexto.",
|
||||||
"clientResourceTitle": "Gerenciar recursos privados",
|
"clientResourceTitle": "Gerenciar recursos privados",
|
||||||
"clientResourceDescription": "Criar e gerenciar recursos que só são acessíveis por meio de um cliente conectado",
|
"clientResourceDescription": "Criar e gerenciar recursos que só são acessíveis por meio de um cliente conectado",
|
||||||
"privateResourcesBannerTitle": "Acesso Privado com Confiança Zero",
|
"privateResourcesBannerTitle": "Acesso Privado com Confiança Zero",
|
||||||
|
|||||||
@@ -200,8 +200,8 @@
|
|||||||
"shareErrorSelectResource": "Пожалуйста, выберите ресурс",
|
"shareErrorSelectResource": "Пожалуйста, выберите ресурс",
|
||||||
"proxyResourceTitle": "Управление публичными ресурсами",
|
"proxyResourceTitle": "Управление публичными ресурсами",
|
||||||
"proxyResourceDescription": "Создание и управление ресурсами, которые доступны через веб-браузер",
|
"proxyResourceDescription": "Создание и управление ресурсами, которые доступны через веб-браузер",
|
||||||
"proxyResourcesBannerTitle": "Общедоступный доступ через веб",
|
"publicResourcesBannerTitle": "Общедоступный доступ через веб",
|
||||||
"proxyResourcesBannerDescription": "Общедоступные ресурсы - это прокси-по HTTPS или TCP/UDP, доступные любому пользователю в Интернете через веб-браузер. В отличие от частных ресурсов, они не требуют программного обеспечения на стороне клиента и могут включать политики доступа на основе идентификации и контекста.",
|
"publicResourcesBannerDescription": "Общедоступные ресурсы - это прокси-по HTTPS или TCP/UDP, доступные любому пользователю в Интернете через веб-браузер. В отличие от частных ресурсов, они не требуют программного обеспечения на стороне клиента и могут включать политики доступа на основе идентификации и контекста.",
|
||||||
"clientResourceTitle": "Управление приватными ресурсами",
|
"clientResourceTitle": "Управление приватными ресурсами",
|
||||||
"clientResourceDescription": "Создание и управление ресурсами, которые доступны только через подключенный клиент",
|
"clientResourceDescription": "Создание и управление ресурсами, которые доступны только через подключенный клиент",
|
||||||
"privateResourcesBannerTitle": "Частный доступ с нулевым доверием",
|
"privateResourcesBannerTitle": "Частный доступ с нулевым доверием",
|
||||||
|
|||||||
@@ -200,8 +200,8 @@
|
|||||||
"shareErrorSelectResource": "Lütfen bir kaynak seçin",
|
"shareErrorSelectResource": "Lütfen bir kaynak seçin",
|
||||||
"proxyResourceTitle": "Herkese Açık Kaynakları Yönet",
|
"proxyResourceTitle": "Herkese Açık Kaynakları Yönet",
|
||||||
"proxyResourceDescription": "Bir web tarayıcısı aracılığıyla kamuya açık kaynaklar oluşturun ve yönetin",
|
"proxyResourceDescription": "Bir web tarayıcısı aracılığıyla kamuya açık kaynaklar oluşturun ve yönetin",
|
||||||
"proxyResourcesBannerTitle": "Web Tabanlı Genel Erişim",
|
"publicResourcesBannerTitle": "Web Tabanlı Genel Erişim",
|
||||||
"proxyResourcesBannerDescription": "Genel kaynaklar, web tarayıcısı aracılığıyla herkesin internette erişebileceği HTTPS veya TCP/UDP proxy'leridir. Özel kaynakların aksine, istemci tarafı yazılıma ihtiyaç duymazlar ve kimlik ve bağlam farkındalığı erişim politikalarını içerebilirler.",
|
"publicResourcesBannerDescription": "Genel kaynaklar, web tarayıcısı aracılığıyla herkesin internette erişebileceği HTTPS veya TCP/UDP proxy'leridir. Özel kaynakların aksine, istemci tarafı yazılıma ihtiyaç duymazlar ve kimlik ve bağlam farkındalığı erişim politikalarını içerebilirler.",
|
||||||
"clientResourceTitle": "Özel Kaynakları Yönet",
|
"clientResourceTitle": "Özel Kaynakları Yönet",
|
||||||
"clientResourceDescription": "Sadece bağlı bir istemci aracılığıyla erişilebilen kaynakları oluşturun ve yönetin",
|
"clientResourceDescription": "Sadece bağlı bir istemci aracılığıyla erişilebilen kaynakları oluşturun ve yönetin",
|
||||||
"privateResourcesBannerTitle": "Sıfır Güven Özel Erişim",
|
"privateResourcesBannerTitle": "Sıfır Güven Özel Erişim",
|
||||||
|
|||||||
@@ -200,8 +200,8 @@
|
|||||||
"shareErrorSelectResource": "请选择一个资源",
|
"shareErrorSelectResource": "请选择一个资源",
|
||||||
"proxyResourceTitle": "管理公共资源",
|
"proxyResourceTitle": "管理公共资源",
|
||||||
"proxyResourceDescription": "创建和管理可通过 Web 浏览器公开访问的资源",
|
"proxyResourceDescription": "创建和管理可通过 Web 浏览器公开访问的资源",
|
||||||
"proxyResourcesBannerTitle": "基于Web的公共访问",
|
"publicResourcesBannerTitle": "基于Web的公共访问",
|
||||||
"proxyResourcesBannerDescription": "公共资源是可以通过网络浏览器在互联网上任何人访问的HTTPS或TCP/UDP代理。与私人资源不同,它们不需要客户端软件,并且可以包含身份和上下文感知访问策略。",
|
"publicResourcesBannerDescription": "公共资源是可以通过网络浏览器在互联网上任何人访问的HTTPS或TCP/UDP代理。与私人资源不同,它们不需要客户端软件,并且可以包含身份和上下文感知访问策略。",
|
||||||
"clientResourceTitle": "管理私有资源",
|
"clientResourceTitle": "管理私有资源",
|
||||||
"clientResourceDescription": "创建和管理只能通过连接客户端访问的资源",
|
"clientResourceDescription": "创建和管理只能通过连接客户端访问的资源",
|
||||||
"privateResourcesBannerTitle": "零信任的私人访问",
|
"privateResourcesBannerTitle": "零信任的私人访问",
|
||||||
|
|||||||
@@ -152,8 +152,8 @@
|
|||||||
"shareErrorSelectResource": "請選擇一個資源",
|
"shareErrorSelectResource": "請選擇一個資源",
|
||||||
"proxyResourceTitle": "管理公開資源",
|
"proxyResourceTitle": "管理公開資源",
|
||||||
"proxyResourceDescription": "建立和管理可透過網頁瀏覽器公開存取的資源",
|
"proxyResourceDescription": "建立和管理可透過網頁瀏覽器公開存取的資源",
|
||||||
"proxyResourcesBannerTitle": "基於網頁的公開存取",
|
"publicResourcesBannerTitle": "基於網頁的公開存取",
|
||||||
"proxyResourcesBannerDescription": "公開資源是任何人都可以透過網頁瀏覽器存取的 HTTPS 或 TCP/UDP 代理。與私有資源不同,它們不需要客戶端軟體,並且可以包含基於身份和情境感知的存取策略。",
|
"publicResourcesBannerDescription": "公開資源是任何人都可以透過網頁瀏覽器存取的 HTTPS 或 TCP/UDP 代理。與私有資源不同,它們不需要客戶端軟體,並且可以包含基於身份和情境感知的存取策略。",
|
||||||
"clientResourceTitle": "管理私有資源",
|
"clientResourceTitle": "管理私有資源",
|
||||||
"clientResourceDescription": "建立和管理只能透過已連接的客戶端存取的資源",
|
"clientResourceDescription": "建立和管理只能透過已連接的客戶端存取的資源",
|
||||||
"privateResourcesBannerTitle": "零信任私有存取",
|
"privateResourcesBannerTitle": "零信任私有存取",
|
||||||
|
|||||||
@@ -87,7 +87,7 @@ function createDb() {
|
|||||||
|
|
||||||
export const db = createDb();
|
export const db = createDb();
|
||||||
export default db;
|
export default db;
|
||||||
export const primaryDb = db.$primary as typeof db; // is this typeof a problem - techincally they are different types
|
export const primaryDb = db.$primary as typeof db; // is this typeof a problem - technically they are different types
|
||||||
export type Transaction = Parameters<
|
export type Transaction = Parameters<
|
||||||
Parameters<(typeof db)["transaction"]>[0]
|
Parameters<(typeof db)["transaction"]>[0]
|
||||||
>[0];
|
>[0];
|
||||||
|
|||||||
@@ -2,7 +2,7 @@ import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
|
|||||||
import { readConfigFile } from "@server/lib/readConfigFile";
|
import { readConfigFile } from "@server/lib/readConfigFile";
|
||||||
import { withReplicas } from "drizzle-orm/pg-core";
|
import { withReplicas } from "drizzle-orm/pg-core";
|
||||||
import { build } from "@server/build";
|
import { build } from "@server/build";
|
||||||
import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
|
import { db as mainDb } from "./driver";
|
||||||
import { createPool } from "./poolConfig";
|
import { createPool } from "./poolConfig";
|
||||||
|
|
||||||
function createLogsDb() {
|
function createLogsDb() {
|
||||||
@@ -63,8 +63,7 @@ function createLogsDb() {
|
|||||||
})
|
})
|
||||||
);
|
);
|
||||||
} else {
|
} else {
|
||||||
const maxReplicaConnections =
|
const maxReplicaConnections = poolConfig?.max_replica_connections || 20;
|
||||||
poolConfig?.max_replica_connections || 20;
|
|
||||||
for (const conn of replicaConnections) {
|
for (const conn of replicaConnections) {
|
||||||
const replicaPool = createPool(
|
const replicaPool = createPool(
|
||||||
conn.connection_string,
|
conn.connection_string,
|
||||||
@@ -91,4 +90,4 @@ function createLogsDb() {
|
|||||||
|
|
||||||
export const logsDb = createLogsDb();
|
export const logsDb = createLogsDb();
|
||||||
export default logsDb;
|
export default logsDb;
|
||||||
export const primaryLogsDb = logsDb.$primary;
|
export const primaryLogsDb = logsDb.$primary;
|
||||||
|
|||||||
@@ -1,5 +1,4 @@
|
|||||||
import { Pool, PoolConfig } from "pg";
|
import { Pool, PoolConfig } from "pg";
|
||||||
import logger from "@server/logger";
|
|
||||||
|
|
||||||
export function createPoolConfig(
|
export function createPoolConfig(
|
||||||
connectionString: string,
|
connectionString: string,
|
||||||
@@ -27,7 +26,7 @@ export function attachPoolErrorHandlers(pool: Pool, label: string): void {
|
|||||||
pool.on("error", (err) => {
|
pool.on("error", (err) => {
|
||||||
// This catches errors on idle clients in the pool. Without this
|
// This catches errors on idle clients in the pool. Without this
|
||||||
// handler an unexpected disconnect would crash the process.
|
// handler an unexpected disconnect would crash the process.
|
||||||
logger.error(
|
console.error(
|
||||||
`Unexpected error on idle ${label} database client: ${err.message}`
|
`Unexpected error on idle ${label} database client: ${err.message}`
|
||||||
);
|
);
|
||||||
});
|
});
|
||||||
@@ -36,7 +35,7 @@ export function attachPoolErrorHandlers(pool: Pool, label: string): void {
|
|||||||
// Set a statement timeout on every new connection so a single slow
|
// Set a statement timeout on every new connection so a single slow
|
||||||
// query can't block the pool forever
|
// query can't block the pool forever
|
||||||
client.query("SET statement_timeout = '30s'").catch((err: Error) => {
|
client.query("SET statement_timeout = '30s'").catch((err: Error) => {
|
||||||
logger.warn(
|
console.warn(
|
||||||
`Failed to set statement_timeout on ${label} client: ${err.message}`
|
`Failed to set statement_timeout on ${label} client: ${err.message}`
|
||||||
);
|
);
|
||||||
});
|
});
|
||||||
@@ -60,4 +59,4 @@ export function createPool(
|
|||||||
);
|
);
|
||||||
attachPoolErrorHandlers(pool, label);
|
attachPoolErrorHandlers(pool, label);
|
||||||
return pool;
|
return pool;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -580,24 +580,6 @@ export const trialNotifications = pgTable("trialNotifications", {
|
|||||||
sentAt: bigint("sentAt", { mode: "number" }).notNull()
|
sentAt: bigint("sentAt", { mode: "number" }).notNull()
|
||||||
});
|
});
|
||||||
|
|
||||||
export const browserGatewayTarget = pgTable("browserGatewayTarget", {
|
|
||||||
browserGatewayTargetId: serial("browserGatewayTargetId").primaryKey(),
|
|
||||||
resourceId: integer("resourceId")
|
|
||||||
.references(() => resources.resourceId, {
|
|
||||||
onDelete: "cascade"
|
|
||||||
})
|
|
||||||
.notNull(),
|
|
||||||
siteId: integer("siteId")
|
|
||||||
.references(() => sites.siteId, {
|
|
||||||
onDelete: "cascade"
|
|
||||||
})
|
|
||||||
.notNull(),
|
|
||||||
authToken: varchar("authToken").notNull(),
|
|
||||||
type: varchar("type").notNull(), // "ssh", "rdp", "vnc"
|
|
||||||
destination: varchar("destination").notNull(),
|
|
||||||
destinationPort: integer("destinationPort").notNull()
|
|
||||||
});
|
|
||||||
|
|
||||||
export type Approval = InferSelectModel<typeof approvals>;
|
export type Approval = InferSelectModel<typeof approvals>;
|
||||||
export type Limit = InferSelectModel<typeof limits>;
|
export type Limit = InferSelectModel<typeof limits>;
|
||||||
export type Account = InferSelectModel<typeof account>;
|
export type Account = InferSelectModel<typeof account>;
|
||||||
@@ -645,6 +627,3 @@ export type AlertEmailRecipients = InferSelectModel<
|
|||||||
>;
|
>;
|
||||||
export type AlertWebhookActions = InferSelectModel<typeof alertWebhookActions>;
|
export type AlertWebhookActions = InferSelectModel<typeof alertWebhookActions>;
|
||||||
export type TrialNotification = InferSelectModel<typeof trialNotifications>;
|
export type TrialNotification = InferSelectModel<typeof trialNotifications>;
|
||||||
export type BrowserGatewayTarget = InferSelectModel<
|
|
||||||
typeof browserGatewayTarget
|
|
||||||
>;
|
|
||||||
|
|||||||
@@ -147,12 +147,10 @@ export const resources = pgTable("resources", {
|
|||||||
}),
|
}),
|
||||||
ssl: boolean("ssl").notNull().default(false),
|
ssl: boolean("ssl").notNull().default(false),
|
||||||
blockAccess: boolean("blockAccess").notNull().default(false),
|
blockAccess: boolean("blockAccess").notNull().default(false),
|
||||||
sso: boolean("sso").notNull().default(true),
|
|
||||||
proxyPort: integer("proxyPort"),
|
proxyPort: integer("proxyPort"),
|
||||||
emailWhitelistEnabled: boolean("emailWhitelistEnabled")
|
sso: boolean("sso"),
|
||||||
.notNull()
|
emailWhitelistEnabled: boolean("emailWhitelistEnabled"),
|
||||||
.default(false),
|
applyRules: boolean("applyRules"),
|
||||||
applyRules: boolean("applyRules").notNull().default(false),
|
|
||||||
enabled: boolean("enabled").notNull().default(true),
|
enabled: boolean("enabled").notNull().default(true),
|
||||||
stickySession: boolean("stickySession").notNull().default(false),
|
stickySession: boolean("stickySession").notNull().default(false),
|
||||||
tlsServerName: varchar("tlsServerName"),
|
tlsServerName: varchar("tlsServerName"),
|
||||||
@@ -290,7 +288,12 @@ export const targets = pgTable("targets", {
|
|||||||
pathMatchType: text("pathMatchType"), // exact, prefix, regex
|
pathMatchType: text("pathMatchType"), // exact, prefix, regex
|
||||||
rewritePath: text("rewritePath"), // if set, rewrites the path to this value before sending to the target
|
rewritePath: text("rewritePath"), // if set, rewrites the path to this value before sending to the target
|
||||||
rewritePathType: text("rewritePathType"), // exact, prefix, regex, stripPrefix
|
rewritePathType: text("rewritePathType"), // exact, prefix, regex, stripPrefix
|
||||||
priority: integer("priority").notNull().default(100)
|
priority: integer("priority").notNull().default(100),
|
||||||
|
mode: varchar("mode")
|
||||||
|
.$type<"http" | "tcp" | "udp" | "ssh" | "rdp" | "vnc">()
|
||||||
|
.notNull()
|
||||||
|
.default("http"),
|
||||||
|
authToken: varchar("authToken")
|
||||||
});
|
});
|
||||||
|
|
||||||
export const targetHealthCheck = pgTable("targetHealthCheck", {
|
export const targetHealthCheck = pgTable("targetHealthCheck", {
|
||||||
@@ -886,7 +889,9 @@ export const resourcePolicyRules = pgTable("resourcePolicyRules", {
|
|||||||
enabled: boolean("enabled").notNull().default(true),
|
enabled: boolean("enabled").notNull().default(true),
|
||||||
priority: integer("priority").notNull(),
|
priority: integer("priority").notNull(),
|
||||||
action: varchar("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
|
action: varchar("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
|
||||||
match: varchar("match").$type<"CIDR" | "PATH" | "IP">().notNull(),
|
match: varchar("match")
|
||||||
|
.$type<"CIDR" | "PATH" | "IP" | "COUNTRY" | "ASN" | "REGION">()
|
||||||
|
.notNull(),
|
||||||
value: varchar("value").notNull()
|
value: varchar("value").notNull()
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|||||||
@@ -45,9 +45,9 @@ export type ResourceWithAuth = {
|
|||||||
password: ResourcePassword | ResourcePolicyPassword | null;
|
password: ResourcePassword | ResourcePolicyPassword | null;
|
||||||
headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
|
headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
|
||||||
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
|
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
|
||||||
applyRules: boolean;
|
applyRules: boolean | null;
|
||||||
sso: boolean;
|
sso: boolean | null;
|
||||||
emailWhitelistEnabled: boolean;
|
emailWhitelistEnabled: boolean | null;
|
||||||
org: Org;
|
org: Org;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -588,26 +588,6 @@ export const trialNotifications = sqliteTable("trialNotifications", {
|
|||||||
sentAt: integer("sentAt").notNull()
|
sentAt: integer("sentAt").notNull()
|
||||||
});
|
});
|
||||||
|
|
||||||
export const browserGatewayTarget = sqliteTable("browserGatewayTarget", {
|
|
||||||
browserGatewayTargetId: integer("browserGatewayTargetId").primaryKey({
|
|
||||||
autoIncrement: true
|
|
||||||
}),
|
|
||||||
resourceId: integer("resourceId")
|
|
||||||
.references(() => resources.resourceId, {
|
|
||||||
onDelete: "cascade"
|
|
||||||
})
|
|
||||||
.notNull(),
|
|
||||||
siteId: integer("siteId")
|
|
||||||
.references(() => sites.siteId, {
|
|
||||||
onDelete: "cascade"
|
|
||||||
})
|
|
||||||
.notNull(),
|
|
||||||
authToken: text("authToken").notNull(),
|
|
||||||
type: text("type").notNull(), // "ssh", "rdp", "vnc"
|
|
||||||
destination: text("destination").notNull(),
|
|
||||||
destinationPort: integer("destinationPort").notNull()
|
|
||||||
});
|
|
||||||
|
|
||||||
export type Approval = InferSelectModel<typeof approvals>;
|
export type Approval = InferSelectModel<typeof approvals>;
|
||||||
export type Limit = InferSelectModel<typeof limits>;
|
export type Limit = InferSelectModel<typeof limits>;
|
||||||
export type Account = InferSelectModel<typeof account>;
|
export type Account = InferSelectModel<typeof account>;
|
||||||
@@ -647,6 +627,3 @@ export type AlertEmailAction = InferSelectModel<typeof alertEmailActions>;
|
|||||||
export type AlertEmailRecipient = InferSelectModel<typeof alertEmailRecipients>;
|
export type AlertEmailRecipient = InferSelectModel<typeof alertEmailRecipients>;
|
||||||
export type AlertWebhookAction = InferSelectModel<typeof alertWebhookActions>;
|
export type AlertWebhookAction = InferSelectModel<typeof alertWebhookActions>;
|
||||||
export type TrialNotification = InferSelectModel<typeof trialNotifications>;
|
export type TrialNotification = InferSelectModel<typeof trialNotifications>;
|
||||||
export type BrowserGatewayTarget = InferSelectModel<
|
|
||||||
typeof browserGatewayTarget
|
|
||||||
>;
|
|
||||||
|
|||||||
@@ -165,14 +165,12 @@ export const resources = sqliteTable("resources", {
|
|||||||
blockAccess: integer("blockAccess", { mode: "boolean" })
|
blockAccess: integer("blockAccess", { mode: "boolean" })
|
||||||
.notNull()
|
.notNull()
|
||||||
.default(false),
|
.default(false),
|
||||||
sso: integer("sso", { mode: "boolean" }).notNull().default(true),
|
|
||||||
proxyPort: integer("proxyPort"),
|
proxyPort: integer("proxyPort"),
|
||||||
emailWhitelistEnabled: integer("emailWhitelistEnabled", { mode: "boolean" })
|
sso: integer("sso", { mode: "boolean" }),
|
||||||
.notNull()
|
emailWhitelistEnabled: integer("emailWhitelistEnabled", {
|
||||||
.default(false),
|
mode: "boolean"
|
||||||
applyRules: integer("applyRules", { mode: "boolean" })
|
}),
|
||||||
.notNull()
|
applyRules: integer("applyRules", { mode: "boolean" }),
|
||||||
.default(false),
|
|
||||||
enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
|
enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
|
||||||
stickySession: integer("stickySession", { mode: "boolean" })
|
stickySession: integer("stickySession", { mode: "boolean" })
|
||||||
.notNull()
|
.notNull()
|
||||||
@@ -322,7 +320,12 @@ export const targets = sqliteTable("targets", {
|
|||||||
pathMatchType: text("pathMatchType"), // exact, prefix, regex
|
pathMatchType: text("pathMatchType"), // exact, prefix, regex
|
||||||
rewritePath: text("rewritePath"), // if set, rewrites the path to this value before sending to the target
|
rewritePath: text("rewritePath"), // if set, rewrites the path to this value before sending to the target
|
||||||
rewritePathType: text("rewritePathType"), // exact, prefix, regex, stripPrefix
|
rewritePathType: text("rewritePathType"), // exact, prefix, regex, stripPrefix
|
||||||
priority: integer("priority").notNull().default(100)
|
priority: integer("priority").notNull().default(100),
|
||||||
|
mode: text("mode")
|
||||||
|
.$type<"http" | "tcp" | "udp" | "ssh" | "rdp" | "vnc">()
|
||||||
|
.notNull()
|
||||||
|
.default("http"),
|
||||||
|
authToken: text("authToken")
|
||||||
});
|
});
|
||||||
|
|
||||||
export const targetHealthCheck = sqliteTable("targetHealthCheck", {
|
export const targetHealthCheck = sqliteTable("targetHealthCheck", {
|
||||||
@@ -1248,7 +1251,9 @@ export const resourcePolicyRules = sqliteTable("resourcePolicyRules", {
|
|||||||
enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
|
enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
|
||||||
priority: integer("priority").notNull(),
|
priority: integer("priority").notNull(),
|
||||||
action: text("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
|
action: text("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
|
||||||
match: text("match").$type<"CIDR" | "PATH" | "IP">().notNull(),
|
match: text("match")
|
||||||
|
.$type<"CIDR" | "PATH" | "IP" | "COUNTRY" | "ASN" | "REGION">()
|
||||||
|
.notNull(),
|
||||||
value: text("value").notNull()
|
value: text("value").notNull()
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|||||||
@@ -157,7 +157,9 @@ function getOpenApiDocumentation() {
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z
|
||||||
|
.record(z.string(), z.any())
|
||||||
|
.nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -31,7 +31,7 @@ export enum TierFeature {
|
|||||||
}
|
}
|
||||||
|
|
||||||
export const tierMatrix: Record<TierFeature, Tier[]> = {
|
export const tierMatrix: Record<TierFeature, Tier[]> = {
|
||||||
[TierFeature.Labels]: ["tier2", "tier3", "enterprise"],
|
[TierFeature.Labels]: ["tier1", "tier2", "tier3", "enterprise"],
|
||||||
[TierFeature.OrgOidc]: ["tier1", "tier2", "tier3", "enterprise"],
|
[TierFeature.OrgOidc]: ["tier1", "tier2", "tier3", "enterprise"],
|
||||||
[TierFeature.LoginPageDomain]: ["tier1", "tier2", "tier3", "enterprise"],
|
[TierFeature.LoginPageDomain]: ["tier1", "tier2", "tier3", "enterprise"],
|
||||||
[TierFeature.DeviceApprovals]: ["tier1", "tier3", "enterprise"],
|
[TierFeature.DeviceApprovals]: ["tier1", "tier3", "enterprise"],
|
||||||
@@ -71,16 +71,6 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
|
|||||||
[TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"],
|
[TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"],
|
||||||
[TierFeature.NewtAutoUpdate]: ["tier1", "tier2", "tier3", "enterprise"],
|
[TierFeature.NewtAutoUpdate]: ["tier1", "tier2", "tier3", "enterprise"],
|
||||||
[TierFeature.ResourcePolicies]: ["tier3", "enterprise"],
|
[TierFeature.ResourcePolicies]: ["tier3", "enterprise"],
|
||||||
[TierFeature.AdvancedPublicResources]: [
|
[TierFeature.AdvancedPublicResources]: ["tier3", "enterprise"],
|
||||||
"tier1",
|
[TierFeature.AdvancedPrivateResources]: ["tier3", "enterprise"]
|
||||||
"tier2",
|
|
||||||
"tier3",
|
|
||||||
"enterprise"
|
|
||||||
],
|
|
||||||
[TierFeature.AdvancedPrivateResources]: [
|
|
||||||
"tier1",
|
|
||||||
"tier2",
|
|
||||||
"tier3",
|
|
||||||
"enterprise"
|
|
||||||
]
|
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -10,16 +10,23 @@ import {
|
|||||||
clientSiteResources
|
clientSiteResources
|
||||||
} from "@server/db";
|
} from "@server/db";
|
||||||
import { Config, ConfigSchema } from "./types";
|
import { Config, ConfigSchema } from "./types";
|
||||||
import { ProxyResourcesResults, updateProxyResources } from "./proxyResources";
|
import {
|
||||||
|
PublicResourcesResults,
|
||||||
|
updatePublicResources
|
||||||
|
} from "./publicResources";
|
||||||
import { fromError } from "zod-validation-error";
|
import { fromError } from "zod-validation-error";
|
||||||
import logger from "@server/logger";
|
import logger from "@server/logger";
|
||||||
import { sites } from "@server/db";
|
import { sites } from "@server/db";
|
||||||
import { eq, and, isNotNull } from "drizzle-orm";
|
import { eq, and, isNotNull } from "drizzle-orm";
|
||||||
import { addTargets as addProxyTargets } from "@server/routers/newt/targets";
|
import {
|
||||||
|
addTargets as addProxyTargets,
|
||||||
|
sendBrowserGatewayTargets
|
||||||
|
} from "@server/routers/newt/targets";
|
||||||
import {
|
import {
|
||||||
ClientResourcesResults,
|
ClientResourcesResults,
|
||||||
updateClientResources
|
updatePrivateResources
|
||||||
} from "./clientResources";
|
} from "./privateResources";
|
||||||
|
import { updateResourcePolicies } from "./resourcePolicies";
|
||||||
import { BlueprintSource } from "@server/routers/blueprints/types";
|
import { BlueprintSource } from "@server/routers/blueprints/types";
|
||||||
import { stringify as stringifyYaml } from "yaml";
|
import { stringify as stringifyYaml } from "yaml";
|
||||||
import { generateName } from "@server/db/names";
|
import { generateName } from "@server/db/names";
|
||||||
@@ -53,16 +60,18 @@ export async function applyBlueprint({
|
|||||||
let error: any | null = null;
|
let error: any | null = null;
|
||||||
|
|
||||||
try {
|
try {
|
||||||
let proxyResourcesResults: ProxyResourcesResults = [];
|
let proxyResourcesResults: PublicResourcesResults = [];
|
||||||
let clientResourcesResults: ClientResourcesResults = [];
|
let clientResourcesResults: ClientResourcesResults = [];
|
||||||
await db.transaction(async (trx) => {
|
await db.transaction(async (trx) => {
|
||||||
proxyResourcesResults = await updateProxyResources(
|
await updateResourcePolicies(orgId, config, trx);
|
||||||
|
|
||||||
|
proxyResourcesResults = await updatePublicResources(
|
||||||
orgId,
|
orgId,
|
||||||
config,
|
config,
|
||||||
trx,
|
trx,
|
||||||
siteId
|
siteId
|
||||||
);
|
);
|
||||||
clientResourcesResults = await updateClientResources(
|
clientResourcesResults = await updatePrivateResources(
|
||||||
orgId,
|
orgId,
|
||||||
config,
|
config,
|
||||||
trx,
|
trx,
|
||||||
@@ -101,13 +110,27 @@ export async function applyBlueprint({
|
|||||||
(hc) => hc.targetId === target.targetId
|
(hc) => hc.targetId === target.targetId
|
||||||
);
|
);
|
||||||
|
|
||||||
await addProxyTargets(
|
if (["http", "tcp", "udp"].includes(target.mode)) {
|
||||||
site.newt.newtId,
|
await addProxyTargets(
|
||||||
[target],
|
site.newt.newtId,
|
||||||
matchingHealthcheck ? [matchingHealthcheck] : [],
|
[target],
|
||||||
result.proxyResource.mode === "udp" ? "udp" : "tcp",
|
matchingHealthcheck
|
||||||
site.newt.version
|
? [matchingHealthcheck]
|
||||||
);
|
: [],
|
||||||
|
result.proxyResource.mode === "udp"
|
||||||
|
? "udp"
|
||||||
|
: "tcp",
|
||||||
|
site.newt.version
|
||||||
|
);
|
||||||
|
} else if (
|
||||||
|
["ssh", "rdp", "vnc"].includes(target.mode)
|
||||||
|
) {
|
||||||
|
await sendBrowserGatewayTargets(
|
||||||
|
site.newt.newtId,
|
||||||
|
[target],
|
||||||
|
site.newt.version
|
||||||
|
);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -23,6 +23,8 @@ import logger from "@server/logger";
|
|||||||
import { defaultRoleAllowedActions } from "@server/routers/role/createRole";
|
import { defaultRoleAllowedActions } from "@server/routers/role/createRole";
|
||||||
import { getNextAvailableAliasAddress } from "../ip";
|
import { getNextAvailableAliasAddress } from "../ip";
|
||||||
import { createCertificate } from "#dynamic/routers/certificates/createCertificate";
|
import { createCertificate } from "#dynamic/routers/certificates/createCertificate";
|
||||||
|
import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
|
||||||
|
import { tierMatrix } from "../billing/tierMatrix";
|
||||||
|
|
||||||
async function getDomainForSiteResource(
|
async function getDomainForSiteResource(
|
||||||
siteResourceId: number | undefined,
|
siteResourceId: number | undefined,
|
||||||
@@ -103,7 +105,7 @@ export type ClientResourcesResults = {
|
|||||||
oldSites: { siteId: number }[];
|
oldSites: { siteId: number }[];
|
||||||
}[];
|
}[];
|
||||||
|
|
||||||
export async function updateClientResources(
|
export async function updatePrivateResources(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
config: Config,
|
config: Config,
|
||||||
trx: Transaction,
|
trx: Transaction,
|
||||||
@@ -114,6 +116,30 @@ export async function updateClientResources(
|
|||||||
for (const [resourceNiceId, resourceData] of Object.entries(
|
for (const [resourceNiceId, resourceData] of Object.entries(
|
||||||
config["client-resources"]
|
config["client-resources"]
|
||||||
)) {
|
)) {
|
||||||
|
if (resourceData.mode === "http") {
|
||||||
|
const hasHttpFeature = await isLicensedOrSubscribed(
|
||||||
|
orgId,
|
||||||
|
tierMatrix.advancedPrivateResources
|
||||||
|
);
|
||||||
|
if (!hasHttpFeature) {
|
||||||
|
throw new Error(
|
||||||
|
"HTTP private resources are not included in your current plan. Please upgrade."
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (resourceData.mode === "ssh") {
|
||||||
|
const hasSshFeature = await isLicensedOrSubscribed(
|
||||||
|
orgId,
|
||||||
|
tierMatrix.advancedPrivateResources
|
||||||
|
);
|
||||||
|
if (!hasSshFeature) {
|
||||||
|
throw new Error(
|
||||||
|
"SSH private resources are not included in your current plan. Please upgrade."
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
const [existingResource] = await trx
|
const [existingResource] = await trx
|
||||||
.select()
|
.select()
|
||||||
.from(siteResources)
|
.from(siteResources)
|
||||||
@@ -366,7 +392,9 @@ export async function updateClientResources(
|
|||||||
}))
|
}))
|
||||||
);
|
);
|
||||||
existingRoles.push(created);
|
existingRoles.push(created);
|
||||||
logger.info(`Auto-created role "${name}" in org ${orgId} from blueprint`);
|
logger.info(
|
||||||
|
`Auto-created role "${name}" in org ${orgId} from blueprint`
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
const roleIds = existingRoles.map((role) => role.roleId);
|
const roleIds = existingRoles.map((role) => role.roleId);
|
||||||
@@ -387,7 +415,11 @@ export async function updateClientResources(
|
|||||||
} else {
|
} else {
|
||||||
let aliasAddress: string | null = null;
|
let aliasAddress: string | null = null;
|
||||||
let releaseAliasLock: (() => Promise<void>) | null = null;
|
let releaseAliasLock: (() => Promise<void>) | null = null;
|
||||||
if (resourceData.mode === "host" || resourceData.mode === "http") {
|
if (
|
||||||
|
resourceData.mode === "host" ||
|
||||||
|
resourceData.mode === "http" ||
|
||||||
|
resourceData.mode === "ssh"
|
||||||
|
) {
|
||||||
const { value, release } = await getNextAvailableAliasAddress(
|
const { value, release } = await getNextAvailableAliasAddress(
|
||||||
orgId,
|
orgId,
|
||||||
trx
|
trx
|
||||||
@@ -510,7 +542,9 @@ export async function updateClientResources(
|
|||||||
}))
|
}))
|
||||||
);
|
);
|
||||||
existingRoles.push(created);
|
existingRoles.push(created);
|
||||||
logger.info(`Auto-created role "${name}" in org ${orgId} from blueprint`);
|
logger.info(
|
||||||
|
`Auto-created role "${name}" in org ${orgId} from blueprint`
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
const roleIds = existingRoles.map((role) => role.roleId);
|
const roleIds = existingRoles.map((role) => role.roleId);
|
||||||
@@ -47,20 +47,24 @@ import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
|
|||||||
import { fireHealthCheckUnknownAlert } from "@server/lib/alerts";
|
import { fireHealthCheckUnknownAlert } from "@server/lib/alerts";
|
||||||
import { tierMatrix } from "../billing/tierMatrix";
|
import { tierMatrix } from "../billing/tierMatrix";
|
||||||
import { defaultRoleAllowedActions } from "@server/routers/role/createRole";
|
import { defaultRoleAllowedActions } from "@server/routers/role/createRole";
|
||||||
|
import { build } from "@server/build";
|
||||||
|
import { encrypt } from "@server/lib/crypto";
|
||||||
|
import { generateId } from "@server/auth/sessions/app";
|
||||||
|
import serverConfig from "@server/lib/config";
|
||||||
|
|
||||||
export type ProxyResourcesResults = {
|
export type PublicResourcesResults = {
|
||||||
proxyResource: Resource;
|
proxyResource: Resource;
|
||||||
targetsToUpdate: Target[];
|
targetsToUpdate: Target[];
|
||||||
healthchecksToUpdate: TargetHealthCheck[];
|
healthchecksToUpdate: TargetHealthCheck[];
|
||||||
}[];
|
}[];
|
||||||
|
|
||||||
export async function updateProxyResources(
|
export async function updatePublicResources(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
config: Config,
|
config: Config,
|
||||||
trx: Transaction,
|
trx: Transaction,
|
||||||
siteId?: number
|
siteId?: number
|
||||||
): Promise<ProxyResourcesResults> {
|
): Promise<PublicResourcesResults> {
|
||||||
const results: ProxyResourcesResults = [];
|
const results: PublicResourcesResults = [];
|
||||||
|
|
||||||
for (const [resourceNiceId, resourceData] of Object.entries(
|
for (const [resourceNiceId, resourceData] of Object.entries(
|
||||||
config["proxy-resources"]
|
config["proxy-resources"]
|
||||||
@@ -79,7 +83,7 @@ export async function updateProxyResources(
|
|||||||
if (targetSiteId) {
|
if (targetSiteId) {
|
||||||
// Look up site by niceId
|
// Look up site by niceId
|
||||||
[site] = await trx
|
[site] = await trx
|
||||||
.select({ siteId: sites.siteId })
|
.select({ siteId: sites.siteId, type: sites.type })
|
||||||
.from(sites)
|
.from(sites)
|
||||||
.where(
|
.where(
|
||||||
and(
|
and(
|
||||||
@@ -91,7 +95,7 @@ export async function updateProxyResources(
|
|||||||
} else if (siteId) {
|
} else if (siteId) {
|
||||||
// Use the provided siteId directly, but verify it belongs to the org
|
// Use the provided siteId directly, but verify it belongs to the org
|
||||||
[site] = await trx
|
[site] = await trx
|
||||||
.select({ siteId: sites.siteId })
|
.select({ siteId: sites.siteId, type: sites.type })
|
||||||
.from(sites)
|
.from(sites)
|
||||||
.where(
|
.where(
|
||||||
and(eq(sites.siteId, siteId), eq(sites.orgId, orgId))
|
and(eq(sites.siteId, siteId), eq(sites.orgId, orgId))
|
||||||
@@ -118,6 +122,15 @@ export async function updateProxyResources(
|
|||||||
internalPortToCreate = targetData["internal-port"];
|
internalPortToCreate = targetData["internal-port"];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
let authToken: string | undefined;
|
||||||
|
if (site.type !== "local") {
|
||||||
|
const plainToken = generateId(48);
|
||||||
|
authToken = encrypt(
|
||||||
|
plainToken,
|
||||||
|
serverConfig.getRawConfig().server.secret!
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
// Create target
|
// Create target
|
||||||
const [newTarget] = await trx
|
const [newTarget] = await trx
|
||||||
.insert(targets)
|
.insert(targets)
|
||||||
@@ -125,10 +138,12 @@ export async function updateProxyResources(
|
|||||||
resourceId: resourceId,
|
resourceId: resourceId,
|
||||||
siteId: site.siteId,
|
siteId: site.siteId,
|
||||||
ip: targetData.hostname,
|
ip: targetData.hostname,
|
||||||
|
mode: resourceData.mode as Target["mode"],
|
||||||
method: targetData.method,
|
method: targetData.method,
|
||||||
port: targetData.port,
|
port: targetData.port,
|
||||||
enabled: targetData.enabled,
|
enabled: targetData.enabled,
|
||||||
internalPort: internalPortToCreate,
|
internalPort: internalPortToCreate,
|
||||||
|
authToken: authToken,
|
||||||
path: targetData.path,
|
path: targetData.path,
|
||||||
pathMatchType: targetData["path-match"],
|
pathMatchType: targetData["path-match"],
|
||||||
rewritePath:
|
rewritePath:
|
||||||
@@ -222,17 +237,59 @@ export async function updateProxyResources(
|
|||||||
headers = JSON.stringify(resourceData.headers);
|
headers = JSON.stringify(resourceData.headers);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (["ssh", "rdp", "vnc"].includes(resourceData.mode || "")) {
|
||||||
|
const isLicensed = await isLicensedOrSubscribed(
|
||||||
|
orgId,
|
||||||
|
tierMatrix.advancedPublicResources
|
||||||
|
);
|
||||||
|
if (!isLicensed) {
|
||||||
|
throw new Error(
|
||||||
|
"Your current subscription does not support browser gateway resources. Please upgrade to access this feature."
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (resourceData.policy) {
|
||||||
|
const isLicensed = await isLicensedOrSubscribed(
|
||||||
|
orgId,
|
||||||
|
tierMatrix.resourcePolicies
|
||||||
|
);
|
||||||
|
if (!isLicensed) {
|
||||||
|
throw new Error(
|
||||||
|
"Your current subscription does not support shared resource policies. Please upgrade to access this feature."
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (existingResource) {
|
if (existingResource) {
|
||||||
let domain;
|
let domain;
|
||||||
if (
|
if (
|
||||||
["http", "ssh", "rdp", "vnc"].includes(resourceData.mode || "")
|
["http", "ssh", "rdp", "vnc"].includes(resourceData.mode || "")
|
||||||
) {
|
) {
|
||||||
|
if (resourceData["full-domain"]?.startsWith("*.")) {
|
||||||
|
const isLicensed = await isLicensedOrSubscribed(
|
||||||
|
orgId,
|
||||||
|
tierMatrix.wildcardSubdomain
|
||||||
|
);
|
||||||
|
if (!isLicensed) {
|
||||||
|
throw new Error(
|
||||||
|
"Wildcard subdomains are not supported on your current plan. Please upgrade to access this feature."
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
domain = await getDomain(
|
domain = await getDomain(
|
||||||
existingResource.resourceId,
|
existingResource.resourceId,
|
||||||
resourceData["full-domain"]!,
|
resourceData["full-domain"]!,
|
||||||
orgId,
|
orgId,
|
||||||
trx
|
trx
|
||||||
);
|
);
|
||||||
|
|
||||||
|
await enforceDomainNamespacePaywall(
|
||||||
|
orgId,
|
||||||
|
domain.domainId,
|
||||||
|
trx
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
// check if the only key in the resource is targets, if so, skip the update
|
// check if the only key in the resource is targets, if so, skip the update
|
||||||
@@ -522,6 +579,13 @@ export async function updateProxyResources(
|
|||||||
? (resourceData["proxy-protocol-version"] ??
|
? (resourceData["proxy-protocol-version"] ??
|
||||||
1)
|
1)
|
||||||
: 1,
|
: 1,
|
||||||
|
pamMode:
|
||||||
|
resourceData["auth-daemon"]?.pam ||
|
||||||
|
"passthrough",
|
||||||
|
authDaemonMode:
|
||||||
|
resourceData["auth-daemon"]?.mode || "native",
|
||||||
|
authDaemonPort:
|
||||||
|
resourceData["auth-daemon"]?.port || 22123,
|
||||||
resourcePolicyId: null,
|
resourcePolicyId: null,
|
||||||
defaultResourcePolicyId: inlinePolicyId
|
defaultResourcePolicyId: inlinePolicyId
|
||||||
})
|
})
|
||||||
@@ -664,7 +728,8 @@ export async function updateProxyResources(
|
|||||||
? "/"
|
? "/"
|
||||||
: undefined),
|
: undefined),
|
||||||
rewritePathType: targetData["rewrite-match"],
|
rewritePathType: targetData["rewrite-match"],
|
||||||
priority: targetData.priority
|
priority: targetData.priority,
|
||||||
|
mode: resourceData.mode
|
||||||
})
|
})
|
||||||
.where(eq(targets.targetId, existingTarget.targetId))
|
.where(eq(targets.targetId, existingTarget.targetId))
|
||||||
.returning();
|
.returning();
|
||||||
@@ -906,12 +971,30 @@ export async function updateProxyResources(
|
|||||||
if (
|
if (
|
||||||
["http", "ssh", "rdp", "vnc"].includes(resourceData.mode || "")
|
["http", "ssh", "rdp", "vnc"].includes(resourceData.mode || "")
|
||||||
) {
|
) {
|
||||||
|
if (resourceData["full-domain"]?.startsWith("*.")) {
|
||||||
|
const isLicensed = await isLicensedOrSubscribed(
|
||||||
|
orgId,
|
||||||
|
tierMatrix.wildcardSubdomain
|
||||||
|
);
|
||||||
|
if (!isLicensed) {
|
||||||
|
throw new Error(
|
||||||
|
"Wildcard subdomains are not supported on your current plan. Please upgrade to access this feature."
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
domain = await getDomain(
|
domain = await getDomain(
|
||||||
undefined,
|
undefined,
|
||||||
resourceData["full-domain"]!,
|
resourceData["full-domain"]!,
|
||||||
orgId,
|
orgId,
|
||||||
trx
|
trx
|
||||||
);
|
);
|
||||||
|
|
||||||
|
await enforceDomainNamespacePaywall(
|
||||||
|
orgId,
|
||||||
|
domain.domainId,
|
||||||
|
trx
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
const isLicensed = await isLicensedOrSubscribed(
|
const isLicensed = await isLicensedOrSubscribed(
|
||||||
@@ -1384,17 +1467,6 @@ async function syncWhitelistUsers(
|
|||||||
.where(eq(resourceWhitelist.resourceId, resourceId));
|
.where(eq(resourceWhitelist.resourceId, resourceId));
|
||||||
|
|
||||||
for (const email of whitelistUsers) {
|
for (const email of whitelistUsers) {
|
||||||
const [user] = await trx
|
|
||||||
.select()
|
|
||||||
.from(users)
|
|
||||||
.innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
|
|
||||||
.where(and(eq(users.email, email), eq(userOrgs.orgId, orgId)))
|
|
||||||
.limit(1);
|
|
||||||
|
|
||||||
if (!user) {
|
|
||||||
throw new Error(`User not found: ${email} in org ${orgId}`);
|
|
||||||
}
|
|
||||||
|
|
||||||
const existingWhitelistEntry = existingWhitelist.find(
|
const existingWhitelistEntry = existingWhitelist.find(
|
||||||
(w) => w.email === email
|
(w) => w.email === email
|
||||||
);
|
);
|
||||||
@@ -1866,6 +1938,37 @@ function checkIfTargetChanged(
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
async function enforceDomainNamespacePaywall(
|
||||||
|
orgId: string,
|
||||||
|
domainId: string,
|
||||||
|
trx: Transaction
|
||||||
|
) {
|
||||||
|
if (build !== "saas") {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
const hasDomainNamespaceAccess = await isLicensedOrSubscribed(
|
||||||
|
orgId,
|
||||||
|
tierMatrix.domainNamespaces
|
||||||
|
);
|
||||||
|
|
||||||
|
if (hasDomainNamespaceAccess) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
const [namespaceDomain] = await trx
|
||||||
|
.select()
|
||||||
|
.from(domainNamespaces)
|
||||||
|
.where(eq(domainNamespaces.domainId, domainId))
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
if (namespaceDomain) {
|
||||||
|
throw new Error(
|
||||||
|
"Your current subscription does not support custom domain namespaces. Please upgrade to access this feature."
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
export async function getDomain(
|
export async function getDomain(
|
||||||
resourceId: number | undefined,
|
resourceId: number | undefined,
|
||||||
fullDomain: string,
|
fullDomain: string,
|
||||||
653
server/lib/blueprints/resourcePolicies.ts
Normal file
653
server/lib/blueprints/resourcePolicies.ts
Normal file
@@ -0,0 +1,653 @@
|
|||||||
|
import {
|
||||||
|
db,
|
||||||
|
idp,
|
||||||
|
idpOrg,
|
||||||
|
resourcePolicies,
|
||||||
|
resourcePolicyHeaderAuth,
|
||||||
|
resourcePolicyPassword,
|
||||||
|
resourcePolicyPincode,
|
||||||
|
resourcePolicyRules,
|
||||||
|
resourcePolicyWhiteList,
|
||||||
|
rolePolicies,
|
||||||
|
roles,
|
||||||
|
Transaction,
|
||||||
|
userOrgs,
|
||||||
|
userPolicies,
|
||||||
|
users
|
||||||
|
} from "@server/db";
|
||||||
|
import { eq, and, or } from "drizzle-orm";
|
||||||
|
import { Config, ResourcePolicyData } from "./types";
|
||||||
|
import logger from "@server/logger";
|
||||||
|
import { getUniqueResourcePolicyName } from "@server/db/names";
|
||||||
|
import { hashPassword } from "@server/auth/password";
|
||||||
|
import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
|
||||||
|
import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
|
||||||
|
import { tierMatrix } from "../billing/tierMatrix";
|
||||||
|
|
||||||
|
export type ResourcePoliciesResults = {
|
||||||
|
resourcePolicyId: number;
|
||||||
|
niceId: string;
|
||||||
|
}[];
|
||||||
|
|
||||||
|
export async function updateResourcePolicies(
|
||||||
|
orgId: string,
|
||||||
|
config: Config,
|
||||||
|
trx: Transaction
|
||||||
|
): Promise<ResourcePoliciesResults> {
|
||||||
|
const results: ResourcePoliciesResults = [];
|
||||||
|
|
||||||
|
for (const [policyNiceId, policyData] of Object.entries(
|
||||||
|
config["public-policies"]
|
||||||
|
)) {
|
||||||
|
const isLicensed = await isLicensedOrSubscribed(
|
||||||
|
orgId,
|
||||||
|
tierMatrix.resourcePolicies
|
||||||
|
);
|
||||||
|
if (!isLicensed) {
|
||||||
|
throw new Error(
|
||||||
|
"Your current subscription does not support shared resource policies. Please upgrade to access this feature."
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Validate rules
|
||||||
|
for (const rule of policyData.rules) {
|
||||||
|
if (rule.match === "cidr" && !isValidCIDR(rule.value)) {
|
||||||
|
throw new Error(
|
||||||
|
`Invalid CIDR provided in resource policy '${policyNiceId}': ${rule.value}`
|
||||||
|
);
|
||||||
|
} else if (rule.match === "ip" && !isValidIP(rule.value)) {
|
||||||
|
throw new Error(
|
||||||
|
`Invalid IP provided in resource policy '${policyNiceId}': ${rule.value}`
|
||||||
|
);
|
||||||
|
} else if (
|
||||||
|
rule.match === "path" &&
|
||||||
|
!isValidUrlGlobPattern(rule.value)
|
||||||
|
) {
|
||||||
|
throw new Error(
|
||||||
|
`Invalid URL glob pattern provided in resource policy '${policyNiceId}': ${rule.value}`
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Validate auto-login-idp if provided
|
||||||
|
if (policyData["auto-login-idp"]) {
|
||||||
|
const [provider] = await trx
|
||||||
|
.select()
|
||||||
|
.from(idp)
|
||||||
|
.innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(idp.idpId, policyData["auto-login-idp"]),
|
||||||
|
eq(idpOrg.orgId, orgId)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
if (!provider) {
|
||||||
|
throw new Error(
|
||||||
|
`Identity provider not found for policy '${policyNiceId}' in this organization`
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Look up the admin role
|
||||||
|
const [adminRole] = await trx
|
||||||
|
.select()
|
||||||
|
.from(roles)
|
||||||
|
.where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
if (!adminRole) {
|
||||||
|
throw new Error("Admin role not found");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Find existing policy by niceId and orgId
|
||||||
|
const [existingPolicy] = await trx
|
||||||
|
.select()
|
||||||
|
.from(resourcePolicies)
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(resourcePolicies.niceId, policyNiceId),
|
||||||
|
eq(resourcePolicies.orgId, orgId)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
let resourcePolicyId: number;
|
||||||
|
|
||||||
|
if (existingPolicy) {
|
||||||
|
// Update the existing policy
|
||||||
|
await trx
|
||||||
|
.update(resourcePolicies)
|
||||||
|
.set({
|
||||||
|
name: policyData.name,
|
||||||
|
sso: policyData.sso ?? true,
|
||||||
|
idpId: policyData["auto-login-idp"] ?? null,
|
||||||
|
emailWhitelistEnabled:
|
||||||
|
policyData["email-whitelist-enabled"] ??
|
||||||
|
policyData["whitelist-users"].length > 0,
|
||||||
|
applyRules:
|
||||||
|
policyData["apply-rules"] || policyData.rules.length > 0
|
||||||
|
})
|
||||||
|
.where(
|
||||||
|
eq(
|
||||||
|
resourcePolicies.resourcePolicyId,
|
||||||
|
existingPolicy.resourcePolicyId
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
resourcePolicyId = existingPolicy.resourcePolicyId;
|
||||||
|
|
||||||
|
// Sync password
|
||||||
|
await trx
|
||||||
|
.delete(resourcePolicyPassword)
|
||||||
|
.where(
|
||||||
|
eq(
|
||||||
|
resourcePolicyPassword.resourcePolicyId,
|
||||||
|
resourcePolicyId
|
||||||
|
)
|
||||||
|
);
|
||||||
|
if (policyData.password) {
|
||||||
|
const passwordHash = await hashPassword(policyData.password);
|
||||||
|
await trx.insert(resourcePolicyPassword).values({
|
||||||
|
resourcePolicyId,
|
||||||
|
passwordHash
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sync pincode
|
||||||
|
await trx
|
||||||
|
.delete(resourcePolicyPincode)
|
||||||
|
.where(
|
||||||
|
eq(resourcePolicyPincode.resourcePolicyId, resourcePolicyId)
|
||||||
|
);
|
||||||
|
if (policyData.pincode) {
|
||||||
|
const pincodeHash = await hashPassword(policyData.pincode);
|
||||||
|
await trx.insert(resourcePolicyPincode).values({
|
||||||
|
resourcePolicyId,
|
||||||
|
pincodeHash,
|
||||||
|
digitLength: 6
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sync header auth
|
||||||
|
await trx
|
||||||
|
.delete(resourcePolicyHeaderAuth)
|
||||||
|
.where(
|
||||||
|
eq(
|
||||||
|
resourcePolicyHeaderAuth.resourcePolicyId,
|
||||||
|
resourcePolicyId
|
||||||
|
)
|
||||||
|
);
|
||||||
|
if (policyData["basic-auth"]) {
|
||||||
|
const basicAuth = policyData["basic-auth"];
|
||||||
|
const headerAuthHash = await hashPassword(
|
||||||
|
Buffer.from(
|
||||||
|
`${basicAuth.user}:${basicAuth.password}`
|
||||||
|
).toString("base64")
|
||||||
|
);
|
||||||
|
await trx.insert(resourcePolicyHeaderAuth).values({
|
||||||
|
resourcePolicyId,
|
||||||
|
headerAuthHash,
|
||||||
|
extendedCompatibility:
|
||||||
|
basicAuth["extended-compatibility"] ?? true
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sync SSO roles
|
||||||
|
await syncRolePolicies(
|
||||||
|
resourcePolicyId,
|
||||||
|
policyData["sso-roles"],
|
||||||
|
orgId,
|
||||||
|
adminRole.roleId,
|
||||||
|
trx
|
||||||
|
);
|
||||||
|
|
||||||
|
// Sync SSO users
|
||||||
|
await syncUserPolicies(
|
||||||
|
resourcePolicyId,
|
||||||
|
policyData["sso-users"],
|
||||||
|
orgId,
|
||||||
|
trx
|
||||||
|
);
|
||||||
|
|
||||||
|
// Sync whitelist users
|
||||||
|
await syncWhitelistPolicyUsers(
|
||||||
|
resourcePolicyId,
|
||||||
|
policyData["whitelist-users"],
|
||||||
|
trx
|
||||||
|
);
|
||||||
|
|
||||||
|
// Sync rules
|
||||||
|
await syncPolicyRules(resourcePolicyId, policyData.rules, trx);
|
||||||
|
|
||||||
|
logger.debug(
|
||||||
|
`Updated resource policy ${resourcePolicyId} (${policyNiceId})`
|
||||||
|
);
|
||||||
|
} else {
|
||||||
|
// Create a new policy
|
||||||
|
const [newPolicy] = await trx
|
||||||
|
.insert(resourcePolicies)
|
||||||
|
.values({
|
||||||
|
niceId: policyNiceId,
|
||||||
|
orgId,
|
||||||
|
name: policyData.name,
|
||||||
|
sso: policyData.sso ?? true,
|
||||||
|
idpId: policyData["auto-login-idp"] ?? null,
|
||||||
|
emailWhitelistEnabled:
|
||||||
|
policyData["email-whitelist-enabled"] ??
|
||||||
|
policyData["whitelist-users"].length > 0,
|
||||||
|
applyRules:
|
||||||
|
policyData["apply-rules"] ||
|
||||||
|
policyData.rules.length > 0,
|
||||||
|
scope: "global"
|
||||||
|
})
|
||||||
|
.returning();
|
||||||
|
|
||||||
|
resourcePolicyId = newPolicy.resourcePolicyId;
|
||||||
|
|
||||||
|
// Always add admin role
|
||||||
|
await trx.insert(rolePolicies).values({
|
||||||
|
roleId: adminRole.roleId,
|
||||||
|
resourcePolicyId
|
||||||
|
});
|
||||||
|
|
||||||
|
// Add SSO roles
|
||||||
|
await addRolePolicies(
|
||||||
|
resourcePolicyId,
|
||||||
|
policyData["sso-roles"],
|
||||||
|
orgId,
|
||||||
|
adminRole.roleId,
|
||||||
|
trx
|
||||||
|
);
|
||||||
|
|
||||||
|
// Add SSO users
|
||||||
|
await addUserPolicies(
|
||||||
|
resourcePolicyId,
|
||||||
|
policyData["sso-users"],
|
||||||
|
orgId,
|
||||||
|
trx
|
||||||
|
);
|
||||||
|
|
||||||
|
// Add password
|
||||||
|
if (policyData.password) {
|
||||||
|
const passwordHash = await hashPassword(policyData.password);
|
||||||
|
await trx.insert(resourcePolicyPassword).values({
|
||||||
|
resourcePolicyId,
|
||||||
|
passwordHash
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
// Add pincode
|
||||||
|
if (policyData.pincode) {
|
||||||
|
const pincodeHash = await hashPassword(policyData.pincode);
|
||||||
|
await trx.insert(resourcePolicyPincode).values({
|
||||||
|
resourcePolicyId,
|
||||||
|
pincodeHash,
|
||||||
|
digitLength: 6
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
// Add header auth
|
||||||
|
if (policyData["basic-auth"]) {
|
||||||
|
const basicAuth = policyData["basic-auth"];
|
||||||
|
const headerAuthHash = await hashPassword(
|
||||||
|
Buffer.from(
|
||||||
|
`${basicAuth.user}:${basicAuth.password}`
|
||||||
|
).toString("base64")
|
||||||
|
);
|
||||||
|
await trx.insert(resourcePolicyHeaderAuth).values({
|
||||||
|
resourcePolicyId,
|
||||||
|
headerAuthHash,
|
||||||
|
extendedCompatibility:
|
||||||
|
basicAuth["extended-compatibility"] ?? true
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
// Add whitelist users
|
||||||
|
if (policyData["whitelist-users"].length > 0) {
|
||||||
|
await trx.insert(resourcePolicyWhiteList).values(
|
||||||
|
policyData["whitelist-users"].map((email) => ({
|
||||||
|
email,
|
||||||
|
resourcePolicyId
|
||||||
|
}))
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Add rules
|
||||||
|
if (policyData.rules.length > 0) {
|
||||||
|
await trx.insert(resourcePolicyRules).values(
|
||||||
|
policyData.rules.map((rule, index) => ({
|
||||||
|
resourcePolicyId,
|
||||||
|
action: getRuleAction(rule.action),
|
||||||
|
match: getRuleMatch(rule.match),
|
||||||
|
value: rule.value,
|
||||||
|
priority: rule.priority ?? index + 1,
|
||||||
|
enabled: rule.enabled ?? true
|
||||||
|
}))
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
logger.debug(
|
||||||
|
`Created resource policy ${resourcePolicyId} (${policyNiceId})`
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
results.push({ resourcePolicyId, niceId: policyNiceId });
|
||||||
|
}
|
||||||
|
|
||||||
|
return results;
|
||||||
|
}
|
||||||
|
|
||||||
|
function getRuleAction(input: string): "ACCEPT" | "DROP" | "PASS" {
|
||||||
|
if (input === "allow") return "ACCEPT";
|
||||||
|
if (input === "deny") return "DROP";
|
||||||
|
return "PASS";
|
||||||
|
}
|
||||||
|
|
||||||
|
function getRuleMatch(
|
||||||
|
input: string
|
||||||
|
): "CIDR" | "IP" | "PATH" | "COUNTRY" | "ASN" | "REGION" {
|
||||||
|
return input.toUpperCase() as
|
||||||
|
| "CIDR"
|
||||||
|
| "IP"
|
||||||
|
| "PATH"
|
||||||
|
| "COUNTRY"
|
||||||
|
| "ASN"
|
||||||
|
| "REGION";
|
||||||
|
}
|
||||||
|
|
||||||
|
async function syncRolePolicies(
|
||||||
|
policyId: number,
|
||||||
|
ssoRoles: string[],
|
||||||
|
orgId: string,
|
||||||
|
adminRoleId: number,
|
||||||
|
trx: Transaction
|
||||||
|
) {
|
||||||
|
const existingRolePolicies = await trx
|
||||||
|
.select()
|
||||||
|
.from(rolePolicies)
|
||||||
|
.where(eq(rolePolicies.resourcePolicyId, policyId));
|
||||||
|
|
||||||
|
for (const roleName of ssoRoles) {
|
||||||
|
const [role] = await trx
|
||||||
|
.select()
|
||||||
|
.from(roles)
|
||||||
|
.where(and(eq(roles.name, roleName), eq(roles.orgId, orgId)))
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
if (!role) {
|
||||||
|
logger.warn(
|
||||||
|
`Role '${roleName}' not found in org '${orgId}', skipping`
|
||||||
|
);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (role.isAdmin) {
|
||||||
|
continue; // admin role is always included, skip
|
||||||
|
}
|
||||||
|
|
||||||
|
const alreadyExists = existingRolePolicies.some(
|
||||||
|
(rp) => rp.roleId === role.roleId
|
||||||
|
);
|
||||||
|
|
||||||
|
if (!alreadyExists) {
|
||||||
|
await trx.insert(rolePolicies).values({
|
||||||
|
roleId: role.roleId,
|
||||||
|
resourcePolicyId: policyId
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Remove roles no longer in the list (except admin)
|
||||||
|
for (const existingRolePolicy of existingRolePolicies) {
|
||||||
|
if (existingRolePolicy.roleId === adminRoleId) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
const [role] = await trx
|
||||||
|
.select()
|
||||||
|
.from(roles)
|
||||||
|
.where(eq(roles.roleId, existingRolePolicy.roleId))
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
if (role?.isAdmin) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (role && !ssoRoles.includes(role.name)) {
|
||||||
|
await trx
|
||||||
|
.delete(rolePolicies)
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(rolePolicies.resourcePolicyId, policyId),
|
||||||
|
eq(rolePolicies.roleId, existingRolePolicy.roleId)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
async function addRolePolicies(
|
||||||
|
policyId: number,
|
||||||
|
ssoRoles: string[],
|
||||||
|
orgId: string,
|
||||||
|
adminRoleId: number,
|
||||||
|
trx: Transaction
|
||||||
|
) {
|
||||||
|
for (const roleName of ssoRoles) {
|
||||||
|
const [role] = await trx
|
||||||
|
.select()
|
||||||
|
.from(roles)
|
||||||
|
.where(and(eq(roles.name, roleName), eq(roles.orgId, orgId)))
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
if (!role) {
|
||||||
|
logger.warn(
|
||||||
|
`Role '${roleName}' not found in org '${orgId}', skipping`
|
||||||
|
);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (role.isAdmin) {
|
||||||
|
continue; // admin already added
|
||||||
|
}
|
||||||
|
|
||||||
|
await trx.insert(rolePolicies).values({
|
||||||
|
roleId: role.roleId,
|
||||||
|
resourcePolicyId: policyId
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
async function syncUserPolicies(
|
||||||
|
policyId: number,
|
||||||
|
ssoUsers: string[],
|
||||||
|
orgId: string,
|
||||||
|
trx: Transaction
|
||||||
|
) {
|
||||||
|
const existingUserPolicies = await trx
|
||||||
|
.select()
|
||||||
|
.from(userPolicies)
|
||||||
|
.where(eq(userPolicies.resourcePolicyId, policyId));
|
||||||
|
|
||||||
|
for (const username of ssoUsers) {
|
||||||
|
const [user] = await trx
|
||||||
|
.select()
|
||||||
|
.from(users)
|
||||||
|
.innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
or(eq(users.username, username), eq(users.email, username)),
|
||||||
|
eq(userOrgs.orgId, orgId)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
if (!user) {
|
||||||
|
logger.warn(
|
||||||
|
`User '${username}' not found in org '${orgId}', skipping`
|
||||||
|
);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
const alreadyExists = existingUserPolicies.some(
|
||||||
|
(up) => up.userId === user.user.userId
|
||||||
|
);
|
||||||
|
|
||||||
|
if (!alreadyExists) {
|
||||||
|
await trx.insert(userPolicies).values({
|
||||||
|
userId: user.user.userId,
|
||||||
|
resourcePolicyId: policyId
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Remove users no longer in the list
|
||||||
|
for (const existingUserPolicy of existingUserPolicies) {
|
||||||
|
const [user] = await trx
|
||||||
|
.select()
|
||||||
|
.from(users)
|
||||||
|
.innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(users.userId, existingUserPolicy.userId),
|
||||||
|
eq(userOrgs.orgId, orgId)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
if (
|
||||||
|
user &&
|
||||||
|
user.user.username &&
|
||||||
|
!ssoUsers.includes(user.user.username) &&
|
||||||
|
!ssoUsers.includes(user.user.email ?? "")
|
||||||
|
) {
|
||||||
|
await trx
|
||||||
|
.delete(userPolicies)
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(userPolicies.resourcePolicyId, policyId),
|
||||||
|
eq(userPolicies.userId, existingUserPolicy.userId)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
async function addUserPolicies(
|
||||||
|
policyId: number,
|
||||||
|
ssoUsers: string[],
|
||||||
|
orgId: string,
|
||||||
|
trx: Transaction
|
||||||
|
) {
|
||||||
|
for (const username of ssoUsers) {
|
||||||
|
const [user] = await trx
|
||||||
|
.select()
|
||||||
|
.from(users)
|
||||||
|
.innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
or(eq(users.username, username), eq(users.email, username)),
|
||||||
|
eq(userOrgs.orgId, orgId)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
if (!user) {
|
||||||
|
logger.warn(
|
||||||
|
`User '${username}' not found in org '${orgId}', skipping`
|
||||||
|
);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
await trx.insert(userPolicies).values({
|
||||||
|
userId: user.user.userId,
|
||||||
|
resourcePolicyId: policyId
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
async function syncWhitelistPolicyUsers(
|
||||||
|
policyId: number,
|
||||||
|
whitelistUsers: string[],
|
||||||
|
trx: Transaction
|
||||||
|
) {
|
||||||
|
const existingWhitelist = await trx
|
||||||
|
.select()
|
||||||
|
.from(resourcePolicyWhiteList)
|
||||||
|
.where(eq(resourcePolicyWhiteList.resourcePolicyId, policyId));
|
||||||
|
|
||||||
|
for (const email of whitelistUsers) {
|
||||||
|
const alreadyExists = existingWhitelist.some((w) => w.email === email);
|
||||||
|
|
||||||
|
if (!alreadyExists) {
|
||||||
|
await trx.insert(resourcePolicyWhiteList).values({
|
||||||
|
email,
|
||||||
|
resourcePolicyId: policyId
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
for (const existingEntry of existingWhitelist) {
|
||||||
|
if (!whitelistUsers.includes(existingEntry.email)) {
|
||||||
|
await trx
|
||||||
|
.delete(resourcePolicyWhiteList)
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(resourcePolicyWhiteList.resourcePolicyId, policyId),
|
||||||
|
eq(resourcePolicyWhiteList.email, existingEntry.email)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
async function syncPolicyRules(
|
||||||
|
policyId: number,
|
||||||
|
rules: ResourcePolicyData["rules"],
|
||||||
|
trx: Transaction
|
||||||
|
) {
|
||||||
|
const existingRules = await trx
|
||||||
|
.select()
|
||||||
|
.from(resourcePolicyRules)
|
||||||
|
.where(eq(resourcePolicyRules.resourcePolicyId, policyId))
|
||||||
|
.orderBy(resourcePolicyRules.priority);
|
||||||
|
|
||||||
|
for (const [index, rule] of rules.entries()) {
|
||||||
|
const intendedPriority = rule.priority ?? index + 1;
|
||||||
|
const existingRule = existingRules[index];
|
||||||
|
|
||||||
|
if (existingRule) {
|
||||||
|
await trx
|
||||||
|
.update(resourcePolicyRules)
|
||||||
|
.set({
|
||||||
|
action: getRuleAction(rule.action),
|
||||||
|
match: getRuleMatch(rule.match),
|
||||||
|
value: rule.value,
|
||||||
|
priority: intendedPriority,
|
||||||
|
enabled: rule.enabled ?? true
|
||||||
|
})
|
||||||
|
.where(eq(resourcePolicyRules.ruleId, existingRule.ruleId));
|
||||||
|
} else {
|
||||||
|
await trx.insert(resourcePolicyRules).values({
|
||||||
|
resourcePolicyId: policyId,
|
||||||
|
action: getRuleAction(rule.action),
|
||||||
|
match: getRuleMatch(rule.match),
|
||||||
|
value: rule.value,
|
||||||
|
priority: intendedPriority,
|
||||||
|
enabled: rule.enabled ?? true
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Remove extra rules
|
||||||
|
if (existingRules.length > rules.length) {
|
||||||
|
const rulesToDelete = existingRules.slice(rules.length);
|
||||||
|
for (const rule of rulesToDelete) {
|
||||||
|
await trx
|
||||||
|
.delete(resourcePolicyRules)
|
||||||
|
.where(eq(resourcePolicyRules.ruleId, rule.ruleId));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -1,8 +1,23 @@
|
|||||||
import { z } from "zod";
|
import { z } from "zod";
|
||||||
|
import { existsSync } from "node:fs";
|
||||||
import { portRangeStringSchema } from "@server/lib/ip";
|
import { portRangeStringSchema } from "@server/lib/ip";
|
||||||
import { MaintenanceSchema } from "#dynamic/lib/blueprints/MaintenanceSchema";
|
import { MaintenanceSchema } from "#dynamic/lib/blueprints/MaintenanceSchema";
|
||||||
import { isValidRegionId } from "@server/db/regions";
|
import { isValidRegionId } from "@server/db/regions";
|
||||||
import { wildcardSubdomainSchema } from "@server/lib/schemas";
|
import { wildcardSubdomainSchema } from "@server/lib/schemas";
|
||||||
|
import config from "@server/lib/config";
|
||||||
|
|
||||||
|
const maxmindDbPath = config.getRawConfig().server.maxmind_db_path;
|
||||||
|
const maxmindAsnPath = config.getRawConfig().server.maxmind_asn_path;
|
||||||
|
|
||||||
|
const hasMaxmindCountryDb =
|
||||||
|
typeof maxmindDbPath === "string" &&
|
||||||
|
maxmindDbPath.length > 0 &&
|
||||||
|
existsSync(maxmindDbPath);
|
||||||
|
|
||||||
|
const hasMaxmindAsnDb =
|
||||||
|
typeof maxmindAsnPath === "string" &&
|
||||||
|
maxmindAsnPath.length > 0 &&
|
||||||
|
existsSync(maxmindAsnPath);
|
||||||
|
|
||||||
export const SiteSchema = z.object({
|
export const SiteSchema = z.object({
|
||||||
name: z.string().min(1).max(100),
|
name: z.string().min(1).max(100),
|
||||||
@@ -83,7 +98,8 @@ export const RuleSchema = z
|
|||||||
action: z.enum(["allow", "deny", "pass"]),
|
action: z.enum(["allow", "deny", "pass"]),
|
||||||
match: z.enum(["cidr", "path", "ip", "country", "asn", "region"]),
|
match: z.enum(["cidr", "path", "ip", "country", "asn", "region"]),
|
||||||
value: z.coerce.string(),
|
value: z.coerce.string(),
|
||||||
priority: z.int().optional()
|
priority: z.int().optional(),
|
||||||
|
enabled: z.boolean().optional().default(true)
|
||||||
})
|
})
|
||||||
.refine(
|
.refine(
|
||||||
(rule) => {
|
(rule) => {
|
||||||
@@ -116,6 +132,9 @@ export const RuleSchema = z
|
|||||||
.refine(
|
.refine(
|
||||||
(rule) => {
|
(rule) => {
|
||||||
if (rule.match === "country") {
|
if (rule.match === "country") {
|
||||||
|
if (!hasMaxmindCountryDb) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
// Check if it's a valid 2-letter country code or "ALL"
|
// Check if it's a valid 2-letter country code or "ALL"
|
||||||
return /^[A-Z]{2}$/.test(rule.value) || rule.value === "ALL";
|
return /^[A-Z]{2}$/.test(rule.value) || rule.value === "ALL";
|
||||||
}
|
}
|
||||||
@@ -124,12 +143,15 @@ export const RuleSchema = z
|
|||||||
{
|
{
|
||||||
path: ["value"],
|
path: ["value"],
|
||||||
message:
|
message:
|
||||||
"Value must be a 2-letter country code or 'ALL' when match is 'country'"
|
"Country rules require a valid existing server.maxmind_db_path and value must be a 2-letter country code or 'ALL'"
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
.refine(
|
.refine(
|
||||||
(rule) => {
|
(rule) => {
|
||||||
if (rule.match === "asn") {
|
if (rule.match === "asn") {
|
||||||
|
if (!hasMaxmindCountryDb || !hasMaxmindAsnDb) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
// Check if it's either AS<number> format or "ALL"
|
// Check if it's either AS<number> format or "ALL"
|
||||||
const asNumberPattern = /^AS\d+$/i;
|
const asNumberPattern = /^AS\d+$/i;
|
||||||
return asNumberPattern.test(rule.value) || rule.value === "ALL";
|
return asNumberPattern.test(rule.value) || rule.value === "ALL";
|
||||||
@@ -139,7 +161,7 @@ export const RuleSchema = z
|
|||||||
{
|
{
|
||||||
path: ["value"],
|
path: ["value"],
|
||||||
message:
|
message:
|
||||||
"Value must be 'AS<number>' format or 'ALL' when match is 'asn'"
|
"ASN rules require valid existing server.maxmind_db_path and server.maxmind_asn_path, and value must be 'AS<number>' format or 'ALL'"
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
.refine(
|
.refine(
|
||||||
@@ -267,8 +289,37 @@ export const PublicResourceSchema = z
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
// If protocol/mode is http, it must have a full-domain
|
const effectiveProtocol = resource.mode ?? resource.protocol;
|
||||||
if ((resource.mode ?? resource.protocol) === "http") {
|
if (effectiveProtocol !== "ssh") {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
const authDaemonMode = resource["auth-daemon"]?.mode;
|
||||||
|
if (authDaemonMode !== "native" && authDaemonMode !== "site") {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return (
|
||||||
|
resource.targets.filter((target) => target != null).length <= 1
|
||||||
|
);
|
||||||
|
},
|
||||||
|
{
|
||||||
|
path: ["targets"],
|
||||||
|
error: "When protocol is 'ssh' and auth-daemon mode is 'native' or 'site', only one target/site is allowed"
|
||||||
|
}
|
||||||
|
)
|
||||||
|
.refine(
|
||||||
|
(resource) => {
|
||||||
|
if (isTargetsOnlyResource(resource)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
// If protocol/mode is http, ssh, rdp, or vnc, it must have a full-domain
|
||||||
|
const effectiveProtocol = resource.mode ?? resource.protocol;
|
||||||
|
if (
|
||||||
|
effectiveProtocol !== undefined &&
|
||||||
|
["http", "ssh", "rdp", "vnc"].includes(effectiveProtocol)
|
||||||
|
) {
|
||||||
return (
|
return (
|
||||||
resource["full-domain"] !== undefined &&
|
resource["full-domain"] !== undefined &&
|
||||||
resource["full-domain"].length > 0
|
resource["full-domain"].length > 0
|
||||||
@@ -278,7 +329,7 @@ export const PublicResourceSchema = z
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
path: ["full-domain"],
|
path: ["full-domain"],
|
||||||
error: "When protocol is 'http', a 'full-domain' must be provided"
|
error: "When protocol is 'http', 'ssh', 'rdp', or 'vnc', a 'full-domain' must be provided"
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
.refine(
|
.refine(
|
||||||
@@ -505,7 +556,90 @@ export const PrivateResourceSchema = z
|
|||||||
{
|
{
|
||||||
message: "Destination must be a valid CIDR notation for cidr mode"
|
message: "Destination must be a valid CIDR notation for cidr mode"
|
||||||
}
|
}
|
||||||
);
|
)
|
||||||
|
.refine(
|
||||||
|
(data) => {
|
||||||
|
if (data.mode !== "ssh") {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
const authDaemonMode = data["auth-daemon"]?.mode;
|
||||||
|
if (authDaemonMode !== "native" && authDaemonMode !== "site") {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
const uniqueSites = new Set<string>();
|
||||||
|
if (data.site) {
|
||||||
|
uniqueSites.add(data.site);
|
||||||
|
}
|
||||||
|
for (const site of data.sites) {
|
||||||
|
uniqueSites.add(site);
|
||||||
|
}
|
||||||
|
|
||||||
|
return uniqueSites.size <= 1;
|
||||||
|
},
|
||||||
|
{
|
||||||
|
path: ["sites"],
|
||||||
|
message:
|
||||||
|
"When mode is 'ssh' and auth-daemon mode is 'native' or 'site', only one site/target is allowed"
|
||||||
|
}
|
||||||
|
)
|
||||||
|
.transform((data) => {
|
||||||
|
if (
|
||||||
|
data.mode === "ssh" &&
|
||||||
|
data.destination !== undefined &&
|
||||||
|
data["destination-port"] === undefined
|
||||||
|
) {
|
||||||
|
data["destination-port"] = 22;
|
||||||
|
}
|
||||||
|
return data;
|
||||||
|
});
|
||||||
|
|
||||||
|
export const ResourcePolicyRuleSchema = RuleSchema;
|
||||||
|
|
||||||
|
export const ResourcePolicySchema = z.object({
|
||||||
|
name: z.string().min(1).max(255),
|
||||||
|
sso: z.boolean().optional().default(true),
|
||||||
|
"auto-login-idp": z.int().positive().optional().nullable(),
|
||||||
|
"sso-roles": z
|
||||||
|
.array(z.string())
|
||||||
|
.optional()
|
||||||
|
.default([])
|
||||||
|
.refine((roles) => !roles.includes("Admin"), {
|
||||||
|
error: "Admin role cannot be included in sso-roles"
|
||||||
|
}),
|
||||||
|
"sso-users": z.array(z.string()).optional().default([]),
|
||||||
|
password: z.string().min(4).max(100).optional().nullable(),
|
||||||
|
pincode: z
|
||||||
|
.string()
|
||||||
|
.regex(/^\d{6}$/)
|
||||||
|
.optional()
|
||||||
|
.nullable(),
|
||||||
|
"basic-auth": z
|
||||||
|
.object({
|
||||||
|
user: z.string().min(4).max(100),
|
||||||
|
password: z.string().min(4).max(100),
|
||||||
|
"extended-compatibility": z.boolean().default(true)
|
||||||
|
})
|
||||||
|
.optional()
|
||||||
|
.nullable(),
|
||||||
|
"email-whitelist-enabled": z.boolean().optional().default(false),
|
||||||
|
"whitelist-users": z
|
||||||
|
.array(
|
||||||
|
z.email().or(
|
||||||
|
z.string().regex(/^\*@[\w.-]+\.[a-zA-Z]{2,}$/, {
|
||||||
|
error: "Invalid email address. Wildcard (*) must be the entire local part."
|
||||||
|
})
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.max(50)
|
||||||
|
.transform((v) => v.map((e) => e.toLowerCase()))
|
||||||
|
.optional()
|
||||||
|
.default([]),
|
||||||
|
"apply-rules": z.boolean().optional().default(false),
|
||||||
|
rules: z.array(ResourcePolicyRuleSchema).optional().default([])
|
||||||
|
});
|
||||||
|
export type ResourcePolicyData = z.infer<typeof ResourcePolicySchema>;
|
||||||
|
|
||||||
// Schema for the entire configuration object
|
// Schema for the entire configuration object
|
||||||
export const ConfigSchema = z
|
export const ConfigSchema = z
|
||||||
@@ -526,6 +660,10 @@ export const ConfigSchema = z
|
|||||||
.record(z.string(), PrivateResourceSchema)
|
.record(z.string(), PrivateResourceSchema)
|
||||||
.optional()
|
.optional()
|
||||||
.prefault({}),
|
.prefault({}),
|
||||||
|
"public-policies": z
|
||||||
|
.record(z.string(), ResourcePolicySchema)
|
||||||
|
.optional()
|
||||||
|
.prefault({}),
|
||||||
sites: z.record(z.string(), SiteSchema).optional().prefault({})
|
sites: z.record(z.string(), SiteSchema).optional().prefault({})
|
||||||
})
|
})
|
||||||
.transform((data) => {
|
.transform((data) => {
|
||||||
@@ -556,6 +694,10 @@ export const ConfigSchema = z
|
|||||||
string,
|
string,
|
||||||
z.infer<typeof PrivateResourceSchema>
|
z.infer<typeof PrivateResourceSchema>
|
||||||
>;
|
>;
|
||||||
|
"public-policies": Record<
|
||||||
|
string,
|
||||||
|
z.infer<typeof ResourcePolicySchema>
|
||||||
|
>;
|
||||||
sites: Record<string, z.infer<typeof SiteSchema>>;
|
sites: Record<string, z.infer<typeof SiteSchema>>;
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
@@ -695,3 +837,4 @@ export type Site = z.infer<typeof SiteSchema>;
|
|||||||
export type Target = z.infer<typeof TargetSchema>;
|
export type Target = z.infer<typeof TargetSchema>;
|
||||||
export type Resource = z.infer<typeof PublicResourceSchema>;
|
export type Resource = z.infer<typeof PublicResourceSchema>;
|
||||||
export type Config = z.infer<typeof ConfigSchema>;
|
export type Config = z.infer<typeof ConfigSchema>;
|
||||||
|
export type BlueprintResourcePolicy = z.infer<typeof ResourcePolicySchema>;
|
||||||
|
|||||||
@@ -504,7 +504,7 @@ export function generateRemoteSubnets(
|
|||||||
const parseResult = cidrSchema.safeParse(sr.destination);
|
const parseResult = cidrSchema.safeParse(sr.destination);
|
||||||
return parseResult.success;
|
return parseResult.success;
|
||||||
}
|
}
|
||||||
if (sr.mode === "host") {
|
if (sr.mode === "host" || sr.mode === "ssh") {
|
||||||
// check if its a valid IP using zod
|
// check if its a valid IP using zod
|
||||||
const ipSchema = z.union([z.ipv4(), z.ipv6()]);
|
const ipSchema = z.union([z.ipv4(), z.ipv6()]);
|
||||||
const parseResult = ipSchema.safeParse(sr.destination);
|
const parseResult = ipSchema.safeParse(sr.destination);
|
||||||
@@ -514,7 +514,7 @@ export function generateRemoteSubnets(
|
|||||||
})
|
})
|
||||||
.map((sr) => {
|
.map((sr) => {
|
||||||
if (sr.mode === "cidr") return sr.destination;
|
if (sr.mode === "cidr") return sr.destination;
|
||||||
if (sr.mode === "host") {
|
if (sr.mode === "host" || sr.mode === "ssh") {
|
||||||
return `${sr.destination}/32`;
|
return `${sr.destination}/32`;
|
||||||
}
|
}
|
||||||
return ""; // This should never be reached due to filtering, but satisfies TypeScript
|
return ""; // This should never be reached due to filtering, but satisfies TypeScript
|
||||||
@@ -531,7 +531,7 @@ export function generateAliasConfig(allSiteResources: SiteResource[]): Alias[] {
|
|||||||
.filter(
|
.filter(
|
||||||
(sr) =>
|
(sr) =>
|
||||||
sr.aliasAddress &&
|
sr.aliasAddress &&
|
||||||
((sr.alias && sr.mode == "host") ||
|
((sr.alias && (sr.mode == "host" || sr.mode == "ssh")) ||
|
||||||
(sr.fullDomain && sr.mode == "http"))
|
(sr.fullDomain && sr.mode == "http"))
|
||||||
)
|
)
|
||||||
.map((sr) => ({
|
.map((sr) => ({
|
||||||
@@ -577,6 +577,10 @@ export function generateSubnetProxyTargets(
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!siteResource.destination) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
const clientPrefix = `${clientSite.subnet.split("/")[0]}/32`;
|
const clientPrefix = `${clientSite.subnet.split("/")[0]}/32`;
|
||||||
const portRange = [
|
const portRange = [
|
||||||
...parsePortRangeString(siteResource.tcpPortRangeString, "tcp"),
|
...parsePortRangeString(siteResource.tcpPortRangeString, "tcp"),
|
||||||
@@ -584,7 +588,7 @@ export function generateSubnetProxyTargets(
|
|||||||
];
|
];
|
||||||
const disableIcmp = siteResource.disableIcmp ?? false;
|
const disableIcmp = siteResource.disableIcmp ?? false;
|
||||||
|
|
||||||
if (siteResource.mode == "host") {
|
if (siteResource.mode == "host" || siteResource.mode == "ssh") {
|
||||||
let destination = siteResource.destination;
|
let destination = siteResource.destination;
|
||||||
// check if this is a valid ip
|
// check if this is a valid ip
|
||||||
const ipSchema = z.union([z.ipv4(), z.ipv6()]);
|
const ipSchema = z.union([z.ipv4(), z.ipv6()]);
|
||||||
@@ -665,6 +669,11 @@ export async function generateSubnetProxyTargetV2(
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!siteResource.destination) {
|
||||||
|
// ssh can have no destination
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
const targets: SubnetProxyTargetV2[] = [];
|
const targets: SubnetProxyTargetV2[] = [];
|
||||||
|
|
||||||
const portRange = [
|
const portRange = [
|
||||||
@@ -673,7 +682,7 @@ export async function generateSubnetProxyTargetV2(
|
|||||||
];
|
];
|
||||||
const disableIcmp = siteResource.disableIcmp ?? false;
|
const disableIcmp = siteResource.disableIcmp ?? false;
|
||||||
|
|
||||||
if (siteResource.mode == "host") {
|
if (siteResource.mode == "host" || siteResource.mode == "ssh") {
|
||||||
let destination = siteResource.destination;
|
let destination = siteResource.destination;
|
||||||
// check if this is a valid ip
|
// check if this is a valid ip
|
||||||
const ipSchema = z.union([z.ipv4(), z.ipv6()]);
|
const ipSchema = z.union([z.ipv4(), z.ipv6()]);
|
||||||
|
|||||||
@@ -181,6 +181,7 @@ class TelemetryClient {
|
|||||||
let numPrivResourceHosts = 0;
|
let numPrivResourceHosts = 0;
|
||||||
let numPrivResourceCidr = 0;
|
let numPrivResourceCidr = 0;
|
||||||
let numPrivResourceHttp = 0;
|
let numPrivResourceHttp = 0;
|
||||||
|
let numPrivResourceSsh = 0;
|
||||||
for (const res of allPrivateResources) {
|
for (const res of allPrivateResources) {
|
||||||
if (res.mode === "host") {
|
if (res.mode === "host") {
|
||||||
numPrivResourceHosts += 1;
|
numPrivResourceHosts += 1;
|
||||||
@@ -188,6 +189,8 @@ class TelemetryClient {
|
|||||||
numPrivResourceCidr += 1;
|
numPrivResourceCidr += 1;
|
||||||
} else if (res.mode === "http") {
|
} else if (res.mode === "http") {
|
||||||
numPrivResourceHttp += 1;
|
numPrivResourceHttp += 1;
|
||||||
|
} else if (res.mode === "ssh") {
|
||||||
|
numPrivResourceSsh += 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (res.alias) {
|
if (res.alias) {
|
||||||
@@ -207,6 +210,7 @@ class TelemetryClient {
|
|||||||
numPrivateResourceHosts: numPrivResourceHosts,
|
numPrivateResourceHosts: numPrivResourceHosts,
|
||||||
numPrivateResourceCidr: numPrivResourceCidr,
|
numPrivateResourceCidr: numPrivResourceCidr,
|
||||||
numPrivateResourceHttp: numPrivResourceHttp,
|
numPrivateResourceHttp: numPrivResourceHttp,
|
||||||
|
numPrivateResourceSsh: numPrivResourceSsh,
|
||||||
numAlertRules: numAlertRules.count,
|
numAlertRules: numAlertRules.count,
|
||||||
numUserDevices: userDevicesCount.count,
|
numUserDevices: userDevicesCount.count,
|
||||||
numMachineClients: machineClients.count,
|
numMachineClients: machineClients.count,
|
||||||
|
|||||||
@@ -1,5 +1,7 @@
|
|||||||
import z from "zod";
|
import z from "zod";
|
||||||
import ipaddr from "ipaddr.js";
|
import ipaddr from "ipaddr.js";
|
||||||
|
import { COUNTRIES } from "@server/db/countries";
|
||||||
|
import { isValidRegionId } from "@server/db/regions";
|
||||||
|
|
||||||
export function isValidCIDR(cidr: string): boolean {
|
export function isValidCIDR(cidr: string): boolean {
|
||||||
return (
|
return (
|
||||||
@@ -67,6 +69,45 @@ export function isValidUrlGlobPattern(pattern: string): boolean {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
export const RESOURCE_RULE_MATCH_TYPES = [
|
||||||
|
"CIDR",
|
||||||
|
"IP",
|
||||||
|
"PATH",
|
||||||
|
"COUNTRY",
|
||||||
|
"ASN",
|
||||||
|
"REGION"
|
||||||
|
] as const;
|
||||||
|
|
||||||
|
export type ResourceRuleMatchType = (typeof RESOURCE_RULE_MATCH_TYPES)[number];
|
||||||
|
|
||||||
|
export function getResourceRuleValueValidationError(
|
||||||
|
match: ResourceRuleMatchType,
|
||||||
|
value: string
|
||||||
|
): string | null {
|
||||||
|
switch (match) {
|
||||||
|
case "CIDR":
|
||||||
|
return isValidCIDR(value) ? null : "Invalid CIDR provided";
|
||||||
|
case "IP":
|
||||||
|
return isValidIP(value) ? null : "Invalid IP provided";
|
||||||
|
case "PATH":
|
||||||
|
return isValidUrlGlobPattern(value)
|
||||||
|
? null
|
||||||
|
: "Invalid URL glob pattern provided";
|
||||||
|
case "REGION":
|
||||||
|
return isValidRegionId(value) ? null : "Invalid region ID provided";
|
||||||
|
case "COUNTRY":
|
||||||
|
return COUNTRIES.some((country) => country.code === value)
|
||||||
|
? null
|
||||||
|
: "Invalid country code provided";
|
||||||
|
case "ASN":
|
||||||
|
return /^AS\d+$/i.test(value.trim())
|
||||||
|
? null
|
||||||
|
: "Invalid ASN provided";
|
||||||
|
default:
|
||||||
|
return "Invalid rule match type provided";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
export function isUrlValid(url: string | undefined) {
|
export function isUrlValid(url: string | undefined) {
|
||||||
if (!url) return true; // the link is optional in the schema so if it's empty it's valid
|
if (!url) return true; // the link is optional in the schema so if it's empty it's valid
|
||||||
var pattern = new RegExp(
|
var pattern = new RegExp(
|
||||||
|
|||||||
@@ -1,11 +1,15 @@
|
|||||||
import { Request, Response, NextFunction } from "express";
|
import { Request, Response, NextFunction } from "express";
|
||||||
import { db, Resource } from "@server/db";
|
import { db, Resource } from "@server/db";
|
||||||
import { resources, userOrgs, userResources, roleResources } from "@server/db";
|
import { resources, userOrgs } from "@server/db";
|
||||||
import { and, eq, inArray } from "drizzle-orm";
|
import { and, eq } from "drizzle-orm";
|
||||||
import createHttpError from "http-errors";
|
import createHttpError from "http-errors";
|
||||||
import HttpCode from "@server/types/HttpCode";
|
import HttpCode from "@server/types/HttpCode";
|
||||||
import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
|
import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
|
||||||
import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
|
import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
|
||||||
|
import {
|
||||||
|
getRoleResourceAccess,
|
||||||
|
getUserResourceAccess
|
||||||
|
} from "@server/db/queries/verifySessionQueries";
|
||||||
|
|
||||||
export async function verifyResourceAccess(
|
export async function verifyResourceAccess(
|
||||||
req: Request,
|
req: Request,
|
||||||
@@ -116,37 +120,22 @@ export async function verifyResourceAccess(
|
|||||||
|
|
||||||
const roleResourceAccess =
|
const roleResourceAccess =
|
||||||
(req.userOrgRoleIds?.length ?? 0) > 0
|
(req.userOrgRoleIds?.length ?? 0) > 0
|
||||||
? await db
|
? await getRoleResourceAccess(
|
||||||
.select()
|
resource.resourceId,
|
||||||
.from(roleResources)
|
req.userOrgRoleIds!
|
||||||
.where(
|
)
|
||||||
and(
|
: null;
|
||||||
eq(roleResources.resourceId, resource.resourceId),
|
|
||||||
inArray(
|
|
||||||
roleResources.roleId,
|
|
||||||
req.userOrgRoleIds!
|
|
||||||
)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
.limit(1)
|
|
||||||
: [];
|
|
||||||
|
|
||||||
if (roleResourceAccess.length > 0) {
|
if (roleResourceAccess) {
|
||||||
return next();
|
return next();
|
||||||
}
|
}
|
||||||
|
|
||||||
const userResourceAccess = await db
|
const userResourceAccess = await getUserResourceAccess(
|
||||||
.select()
|
userId,
|
||||||
.from(userResources)
|
resource.resourceId
|
||||||
.where(
|
);
|
||||||
and(
|
|
||||||
eq(userResources.userId, userId),
|
|
||||||
eq(userResources.resourceId, resource.resourceId)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
.limit(1);
|
|
||||||
|
|
||||||
if (userResourceAccess.length > 0) {
|
if (userResourceAccess) {
|
||||||
return next();
|
return next();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -109,7 +109,11 @@ export const privateConfigSchema = z
|
|||||||
enable_redis: z.boolean().optional().default(false),
|
enable_redis: z.boolean().optional().default(false),
|
||||||
use_pangolin_dns: z.boolean().optional().default(false),
|
use_pangolin_dns: z.boolean().optional().default(false),
|
||||||
use_org_only_idp: z.boolean().optional(),
|
use_org_only_idp: z.boolean().optional(),
|
||||||
enable_acme_cert_sync: z.boolean().optional().default(true)
|
enable_acme_cert_sync: z.boolean().optional().default(true),
|
||||||
|
disable_private_http_placeholder: z
|
||||||
|
.boolean()
|
||||||
|
.optional()
|
||||||
|
.default(false)
|
||||||
})
|
})
|
||||||
.optional()
|
.optional()
|
||||||
.prefault({}),
|
.prefault({}),
|
||||||
|
|||||||
@@ -12,7 +12,6 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
import {
|
import {
|
||||||
browserGatewayTarget,
|
|
||||||
certificates,
|
certificates,
|
||||||
db,
|
db,
|
||||||
domainNamespaces,
|
domainNamespaces,
|
||||||
@@ -172,8 +171,15 @@ export async function getTraefikConfig(
|
|||||||
),
|
),
|
||||||
inArray(sites.type, siteTypes),
|
inArray(sites.type, siteTypes),
|
||||||
allowRawResources
|
allowRawResources
|
||||||
? inArray(resources.mode, ["http", "udp", "tcp"]) // allow all three
|
? inArray(resources.mode, [
|
||||||
: eq(resources.mode, "http")
|
"http",
|
||||||
|
"udp",
|
||||||
|
"tcp",
|
||||||
|
"vnc",
|
||||||
|
"ssh",
|
||||||
|
"rdp"
|
||||||
|
]) // allow all three
|
||||||
|
: inArray(resources.mode, ["http", "vnc", "ssh", "rdp"])
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
.orderBy(desc(targets.priority), targets.targetId); // stable ordering
|
.orderBy(desc(targets.priority), targets.targetId); // stable ordering
|
||||||
@@ -181,7 +187,10 @@ export async function getTraefikConfig(
|
|||||||
// Group by resource and include targets with their unique site data
|
// Group by resource and include targets with their unique site data
|
||||||
const resourcesMap = new Map();
|
const resourcesMap = new Map();
|
||||||
|
|
||||||
resourcesWithTargetsAndSites.forEach((row) => {
|
for (const row of resourcesWithTargetsAndSites) {
|
||||||
|
if (!["http", "tcp", "udp"].includes(row.mode)) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
const resourceId = row.resourceId;
|
const resourceId = row.resourceId;
|
||||||
const resourceName = sanitize(row.resourceName) || "";
|
const resourceName = sanitize(row.resourceName) || "";
|
||||||
const targetPath = encodePath(row.path); // Use encodePath to avoid collisions (e.g. "/a/b" vs "/a-b")
|
const targetPath = encodePath(row.path); // Use encodePath to avoid collisions (e.g. "/a/b" vs "/a-b")
|
||||||
@@ -191,7 +200,7 @@ export async function getTraefikConfig(
|
|||||||
const priority = row.priority ?? 100;
|
const priority = row.priority ?? 100;
|
||||||
|
|
||||||
if (filterOutNamespaceDomains && row.domainNamespaceId) {
|
if (filterOutNamespaceDomains && row.domainNamespaceId) {
|
||||||
return;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Create a unique key combining resourceId, path config, and rewrite config
|
// Create a unique key combining resourceId, path config, and rewrite config
|
||||||
@@ -218,7 +227,7 @@ export async function getTraefikConfig(
|
|||||||
logger.debug(
|
logger.debug(
|
||||||
`Invalid path rewrite configuration for resource ${resourceId}: ${validation.error}`
|
`Invalid path rewrite configuration for resource ${resourceId}: ${validation.error}`
|
||||||
);
|
);
|
||||||
return;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
resourcesMap.set(mapKey, {
|
resourcesMap.set(mapKey, {
|
||||||
@@ -275,7 +284,7 @@ export async function getTraefikConfig(
|
|||||||
online: row.siteOnline
|
online: row.siteOnline
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
});
|
}
|
||||||
|
|
||||||
// Group browser gateway targets by resource
|
// Group browser gateway targets by resource
|
||||||
type BrowserGatewayResourceEntry = {
|
type BrowserGatewayResourceEntry = {
|
||||||
@@ -295,13 +304,12 @@ export async function getTraefikConfig(
|
|||||||
maintenanceMessage: string | null;
|
maintenanceMessage: string | null;
|
||||||
maintenanceEstimatedTime: string | null;
|
maintenanceEstimatedTime: string | null;
|
||||||
targets: {
|
targets: {
|
||||||
browserGatewayTargetId: number;
|
targetId: number;
|
||||||
bgType: string;
|
bgType: string;
|
||||||
siteId: number;
|
siteId: number;
|
||||||
siteType: string;
|
siteType: string;
|
||||||
siteOnline: boolean | null;
|
siteOnline: boolean | null;
|
||||||
subnet: string | null;
|
subnet: string | null;
|
||||||
siteExitNodeId: number | null;
|
|
||||||
}[];
|
}[];
|
||||||
};
|
};
|
||||||
const browserGatewayResourcesMap = new Map<
|
const browserGatewayResourcesMap = new Map<
|
||||||
@@ -310,66 +318,10 @@ export async function getTraefikConfig(
|
|||||||
>();
|
>();
|
||||||
|
|
||||||
if (allowBrowserGatewayResources) {
|
if (allowBrowserGatewayResources) {
|
||||||
// Query browser gateway targets for this exit node
|
for (const row of resourcesWithTargetsAndSites) {
|
||||||
const browserGatewayRows = await db
|
if (!["ssh", "vnc", "rdp"].includes(row.mode)) {
|
||||||
.select({
|
continue;
|
||||||
// Resource fields
|
}
|
||||||
resourceId: resources.resourceId,
|
|
||||||
resourceName: resources.name,
|
|
||||||
fullDomain: resources.fullDomain,
|
|
||||||
ssl: resources.ssl,
|
|
||||||
subdomain: resources.subdomain,
|
|
||||||
domainId: resources.domainId,
|
|
||||||
enabled: resources.enabled,
|
|
||||||
wildcard: resources.wildcard,
|
|
||||||
domainCertResolver: domains.certResolver,
|
|
||||||
preferWildcardCert: domains.preferWildcardCert,
|
|
||||||
domainNamespaceId: domainNamespaces.domainNamespaceId,
|
|
||||||
// Maintenance fields
|
|
||||||
maintenanceModeEnabled: resources.maintenanceModeEnabled,
|
|
||||||
maintenanceModeType: resources.maintenanceModeType,
|
|
||||||
maintenanceTitle: resources.maintenanceTitle,
|
|
||||||
maintenanceMessage: resources.maintenanceMessage,
|
|
||||||
maintenanceEstimatedTime: resources.maintenanceEstimatedTime,
|
|
||||||
// Browser gateway target fields
|
|
||||||
browserGatewayTargetId:
|
|
||||||
browserGatewayTarget.browserGatewayTargetId,
|
|
||||||
bgType: browserGatewayTarget.type,
|
|
||||||
// Site fields
|
|
||||||
siteId: sites.siteId,
|
|
||||||
siteType: sites.type,
|
|
||||||
siteOnline: sites.online,
|
|
||||||
subnet: sites.subnet,
|
|
||||||
siteExitNodeId: sites.exitNodeId
|
|
||||||
})
|
|
||||||
.from(browserGatewayTarget)
|
|
||||||
.innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
|
|
||||||
.innerJoin(
|
|
||||||
resources,
|
|
||||||
eq(resources.resourceId, browserGatewayTarget.resourceId)
|
|
||||||
)
|
|
||||||
.leftJoin(domains, eq(domains.domainId, resources.domainId))
|
|
||||||
.leftJoin(
|
|
||||||
domainNamespaces,
|
|
||||||
eq(domainNamespaces.domainId, resources.domainId)
|
|
||||||
)
|
|
||||||
.where(
|
|
||||||
and(
|
|
||||||
eq(resources.enabled, true),
|
|
||||||
or(
|
|
||||||
eq(sites.exitNodeId, exitNodeId),
|
|
||||||
and(
|
|
||||||
isNull(sites.exitNodeId),
|
|
||||||
sql`(${siteTypes.includes("local") ? 1 : 0} = 1)`,
|
|
||||||
eq(sites.type, "local"),
|
|
||||||
sql`(${build != "saas" ? 1 : 0} = 1)`
|
|
||||||
)
|
|
||||||
),
|
|
||||||
inArray(sites.type, siteTypes)
|
|
||||||
)
|
|
||||||
);
|
|
||||||
|
|
||||||
for (const row of browserGatewayRows) {
|
|
||||||
if (filterOutNamespaceDomains && row.domainNamespaceId) {
|
if (filterOutNamespaceDomains && row.domainNamespaceId) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
@@ -394,13 +346,12 @@ export async function getTraefikConfig(
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
browserGatewayResourcesMap.get(row.resourceId)!.targets.push({
|
browserGatewayResourcesMap.get(row.resourceId)!.targets.push({
|
||||||
browserGatewayTargetId: row.browserGatewayTargetId,
|
targetId: row.targetId,
|
||||||
bgType: row.bgType,
|
bgType: row.mode,
|
||||||
siteId: row.siteId,
|
siteId: row.siteId,
|
||||||
siteType: row.siteType,
|
siteType: row.siteType,
|
||||||
siteOnline: row.siteOnline,
|
siteOnline: row.siteOnline,
|
||||||
subnet: row.subnet,
|
subnet: row.subnet
|
||||||
siteExitNodeId: row.siteExitNodeId
|
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -410,7 +361,11 @@ export async function getTraefikConfig(
|
|||||||
fullDomain: string | null;
|
fullDomain: string | null;
|
||||||
mode: "http" | "host" | "cidr" | "ssh";
|
mode: "http" | "host" | "cidr" | "ssh";
|
||||||
}[] = [];
|
}[] = [];
|
||||||
if (build == "enterprise") {
|
if (
|
||||||
|
build == "enterprise" &&
|
||||||
|
!privateConfig.getRawPrivateConfig().flags
|
||||||
|
.disable_private_http_placeholder
|
||||||
|
) {
|
||||||
// we dont want to do this on the cloud
|
// we dont want to do this on the cloud
|
||||||
// Query siteResources in HTTP mode with SSL enabled and aliases - cert generation / HTTPS edge
|
// Query siteResources in HTTP mode with SSL enabled and aliases - cert generation / HTTPS edge
|
||||||
siteResourcesWithFullDomain = await db
|
siteResourcesWithFullDomain = await db
|
||||||
|
|||||||
@@ -208,7 +208,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -44,7 +44,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
@@ -112,4 +112,4 @@ export async function deleteAlertRule(
|
|||||||
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -32,7 +32,10 @@ import { OpenAPITags, registry } from "@server/openApi";
|
|||||||
import { and, eq } from "drizzle-orm";
|
import { and, eq } from "drizzle-orm";
|
||||||
import { decrypt } from "@server/lib/crypto";
|
import { decrypt } from "@server/lib/crypto";
|
||||||
import config from "@server/lib/config";
|
import config from "@server/lib/config";
|
||||||
import { GetAlertRuleResponse, WebhookAlertConfig } from "@server/routers/alertRule/types";
|
import {
|
||||||
|
GetAlertRuleResponse,
|
||||||
|
WebhookAlertConfig
|
||||||
|
} from "@server/routers/alertRule/types";
|
||||||
|
|
||||||
const paramsSchema = z
|
const paramsSchema = z
|
||||||
.object({
|
.object({
|
||||||
@@ -55,7 +58,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -101,7 +101,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -44,7 +44,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -44,7 +44,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -44,7 +44,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
@@ -72,7 +72,9 @@ export async function exportConnectionAuditLogs(
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
const parsedParams = queryConnectionAuditLogsParams.safeParse(req.params);
|
const parsedParams = queryConnectionAuditLogsParams.safeParse(
|
||||||
|
req.params
|
||||||
|
);
|
||||||
if (!parsedParams.success) {
|
if (!parsedParams.success) {
|
||||||
return next(
|
return next(
|
||||||
createHttpError(
|
createHttpError(
|
||||||
@@ -112,4 +114,4 @@ export async function exportConnectionAuditLogs(
|
|||||||
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -11,7 +11,14 @@
|
|||||||
* This file is not licensed under the AGPLv3.
|
* This file is not licensed under the AGPLv3.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import { accessAuditLog, logsDb, resources, siteResources, db, primaryDb } from "@server/db";
|
import {
|
||||||
|
accessAuditLog,
|
||||||
|
logsDb,
|
||||||
|
resources,
|
||||||
|
siteResources,
|
||||||
|
db,
|
||||||
|
primaryDb
|
||||||
|
} from "@server/db";
|
||||||
import { registry } from "@server/openApi";
|
import { registry } from "@server/openApi";
|
||||||
import { NextFunction } from "express";
|
import { NextFunction } from "express";
|
||||||
import { Request, Response } from "express";
|
import { Request, Response } from "express";
|
||||||
@@ -150,21 +157,30 @@ export function queryAccess(data: Q) {
|
|||||||
.orderBy(desc(accessAuditLog.timestamp), desc(accessAuditLog.id));
|
.orderBy(desc(accessAuditLog.timestamp), desc(accessAuditLog.id));
|
||||||
}
|
}
|
||||||
|
|
||||||
async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryAccess>>) {
|
async function enrichWithResourceDetails(
|
||||||
|
logs: Awaited<ReturnType<typeof queryAccess>>
|
||||||
|
) {
|
||||||
const resourceIds = logs
|
const resourceIds = logs
|
||||||
.map(log => log.resourceId)
|
.map((log) => log.resourceId)
|
||||||
.filter((id): id is number => id !== null && id !== undefined);
|
.filter((id): id is number => id !== null && id !== undefined);
|
||||||
|
|
||||||
const siteResourceIds = logs
|
const siteResourceIds = logs
|
||||||
.filter(log => log.resourceId == null && log.siteResourceId != null)
|
.filter((log) => log.resourceId == null && log.siteResourceId != null)
|
||||||
.map(log => log.siteResourceId)
|
.map((log) => log.siteResourceId)
|
||||||
.filter((id): id is number => id !== null && id !== undefined);
|
.filter((id): id is number => id !== null && id !== undefined);
|
||||||
|
|
||||||
if (resourceIds.length === 0 && siteResourceIds.length === 0) {
|
if (resourceIds.length === 0 && siteResourceIds.length === 0) {
|
||||||
return logs.map(log => ({ ...log, resourceName: null, resourceNiceId: null }));
|
return logs.map((log) => ({
|
||||||
|
...log,
|
||||||
|
resourceName: null,
|
||||||
|
resourceNiceId: null
|
||||||
|
}));
|
||||||
}
|
}
|
||||||
|
|
||||||
const resourceMap = new Map<number, { name: string | null; niceId: string | null }>();
|
const resourceMap = new Map<
|
||||||
|
number,
|
||||||
|
{ name: string | null; niceId: string | null }
|
||||||
|
>();
|
||||||
|
|
||||||
if (resourceIds.length > 0) {
|
if (resourceIds.length > 0) {
|
||||||
const resourceDetails = await primaryDb
|
const resourceDetails = await primaryDb
|
||||||
@@ -181,7 +197,10 @@ async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryAc
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
const siteResourceMap = new Map<number, { name: string | null; niceId: string | null }>();
|
const siteResourceMap = new Map<
|
||||||
|
number,
|
||||||
|
{ name: string | null; niceId: string | null }
|
||||||
|
>();
|
||||||
|
|
||||||
if (siteResourceIds.length > 0) {
|
if (siteResourceIds.length > 0) {
|
||||||
const siteResourceDetails = await primaryDb
|
const siteResourceDetails = await primaryDb
|
||||||
@@ -194,12 +213,15 @@ async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryAc
|
|||||||
.where(inArray(siteResources.siteResourceId, siteResourceIds));
|
.where(inArray(siteResources.siteResourceId, siteResourceIds));
|
||||||
|
|
||||||
for (const r of siteResourceDetails) {
|
for (const r of siteResourceDetails) {
|
||||||
siteResourceMap.set(r.siteResourceId, { name: r.name, niceId: r.niceId });
|
siteResourceMap.set(r.siteResourceId, {
|
||||||
|
name: r.name,
|
||||||
|
niceId: r.niceId
|
||||||
|
});
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Enrich logs with resource details
|
// Enrich logs with resource details
|
||||||
return logs.map(log => {
|
return logs.map((log) => {
|
||||||
if (log.resourceId != null) {
|
if (log.resourceId != null) {
|
||||||
const details = resourceMap.get(log.resourceId);
|
const details = resourceMap.get(log.resourceId);
|
||||||
return {
|
return {
|
||||||
@@ -273,11 +295,11 @@ async function queryUniqueFilterAttributes(
|
|||||||
|
|
||||||
// Fetch resource names from main database for the unique resource IDs
|
// Fetch resource names from main database for the unique resource IDs
|
||||||
const resourceIds = uniqueResources
|
const resourceIds = uniqueResources
|
||||||
.map(row => row.id)
|
.map((row) => row.id)
|
||||||
.filter((id): id is number => id !== null);
|
.filter((id): id is number => id !== null);
|
||||||
|
|
||||||
const siteResourceIds = uniqueSiteResources
|
const siteResourceIds = uniqueSiteResources
|
||||||
.map(row => row.id)
|
.map((row) => row.id)
|
||||||
.filter((id): id is number => id !== null);
|
.filter((id): id is number => id !== null);
|
||||||
|
|
||||||
let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
|
let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
|
||||||
@@ -293,7 +315,7 @@ async function queryUniqueFilterAttributes(
|
|||||||
|
|
||||||
resourcesWithNames = [
|
resourcesWithNames = [
|
||||||
...resourcesWithNames,
|
...resourcesWithNames,
|
||||||
...resourceDetails.map(r => ({
|
...resourceDetails.map((r) => ({
|
||||||
id: r.resourceId,
|
id: r.resourceId,
|
||||||
name: r.name
|
name: r.name
|
||||||
}))
|
}))
|
||||||
@@ -311,7 +333,7 @@ async function queryUniqueFilterAttributes(
|
|||||||
|
|
||||||
resourcesWithNames = [
|
resourcesWithNames = [
|
||||||
...resourcesWithNames,
|
...resourcesWithNames,
|
||||||
...siteResourceDetails.map(r => ({
|
...siteResourceDetails.map((r) => ({
|
||||||
id: r.siteResourceId,
|
id: r.siteResourceId,
|
||||||
name: r.name
|
name: r.name
|
||||||
}))
|
}))
|
||||||
@@ -344,7 +366,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -171,7 +171,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -459,7 +459,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -17,8 +17,7 @@ import createHttpError from "http-errors";
|
|||||||
import { z } from "zod";
|
import { z } from "zod";
|
||||||
import { fromError } from "zod-validation-error";
|
import { fromError } from "zod-validation-error";
|
||||||
import logger from "@server/logger";
|
import logger from "@server/logger";
|
||||||
import { sessions, sessionTransferToken } from "@server/db";
|
import { db, safeRead, sessions, sessionTransferToken } from "@server/db";
|
||||||
import { db } from "@server/db";
|
|
||||||
import { eq } from "drizzle-orm";
|
import { eq } from "drizzle-orm";
|
||||||
import { response } from "@server/lib/response";
|
import { response } from "@server/lib/response";
|
||||||
import { encodeHexLowerCase } from "@oslojs/encoding";
|
import { encodeHexLowerCase } from "@oslojs/encoding";
|
||||||
@@ -57,15 +56,19 @@ export async function transferSession(
|
|||||||
sha256(new TextEncoder().encode(token))
|
sha256(new TextEncoder().encode(token))
|
||||||
);
|
);
|
||||||
|
|
||||||
const [existing] = await db
|
const result = await safeRead((db) =>
|
||||||
.select()
|
db
|
||||||
.from(sessionTransferToken)
|
.select()
|
||||||
.where(eq(sessionTransferToken.token, tokenRaw))
|
.from(sessionTransferToken)
|
||||||
.innerJoin(
|
.where(eq(sessionTransferToken.token, tokenRaw))
|
||||||
sessions,
|
.innerJoin(
|
||||||
eq(sessions.sessionId, sessionTransferToken.sessionId)
|
sessions,
|
||||||
)
|
eq(sessions.sessionId, sessionTransferToken.sessionId)
|
||||||
.limit(1);
|
)
|
||||||
|
.limit(1)
|
||||||
|
);
|
||||||
|
|
||||||
|
const [existing] = result;
|
||||||
|
|
||||||
if (!existing) {
|
if (!existing) {
|
||||||
return next(
|
return next(
|
||||||
|
|||||||
@@ -45,7 +45,7 @@ const getOrgSchema = z.strictObject({
|
|||||||
// content: {
|
// content: {
|
||||||
// "application/json": {
|
// "application/json": {
|
||||||
// schema: z.object({
|
// schema: z.object({
|
||||||
// data: z.unknown().nullable(),
|
// data: z.record(z.string(), z.any()).nullable(),
|
||||||
// success: z.boolean(),
|
// success: z.boolean(),
|
||||||
// error: z.boolean(),
|
// error: z.boolean(),
|
||||||
// message: z.string(),
|
// message: z.string(),
|
||||||
|
|||||||
@@ -1,187 +0,0 @@
|
|||||||
/*
|
|
||||||
* This file is part of a proprietary work.
|
|
||||||
*
|
|
||||||
* Copyright (c) 2025-2026 Fossorial, Inc.
|
|
||||||
* All rights reserved.
|
|
||||||
*
|
|
||||||
* This file is licensed under the Fossorial Commercial License.
|
|
||||||
* You may not use this file except in compliance with the License.
|
|
||||||
* Unauthorized use, copying, modification, or distribution is strictly prohibited.
|
|
||||||
*
|
|
||||||
* This file is not licensed under the AGPLv3.
|
|
||||||
*/
|
|
||||||
|
|
||||||
import { Request, Response, NextFunction } from "express";
|
|
||||||
import { z } from "zod";
|
|
||||||
import {
|
|
||||||
browserGatewayTarget,
|
|
||||||
BrowserGatewayTarget,
|
|
||||||
db,
|
|
||||||
newts,
|
|
||||||
resources,
|
|
||||||
sites
|
|
||||||
} from "@server/db";
|
|
||||||
import { eq, and } from "drizzle-orm";
|
|
||||||
import response from "@server/lib/response";
|
|
||||||
import HttpCode from "@server/types/HttpCode";
|
|
||||||
import createHttpError from "http-errors";
|
|
||||||
import logger from "@server/logger";
|
|
||||||
import { fromError } from "zod-validation-error";
|
|
||||||
import { OpenAPITags, registry } from "@server/openApi";
|
|
||||||
import { encrypt } from "@server/lib/crypto";
|
|
||||||
import config from "@server/lib/config";
|
|
||||||
import { sendBrowserGatewayTargets } from "@server/routers/newt/targets";
|
|
||||||
import { generateId } from "@server/auth/sessions/app";
|
|
||||||
|
|
||||||
const paramsSchema = z.strictObject({
|
|
||||||
orgId: z.string().nonempty(),
|
|
||||||
resourceId: z.string().transform(Number).pipe(z.number().int().positive())
|
|
||||||
});
|
|
||||||
|
|
||||||
const bodySchema = z.strictObject({
|
|
||||||
siteId: z.number().int().positive(),
|
|
||||||
type: z.enum(["ssh", "rdp", "vnc"]),
|
|
||||||
destination: z.string().nonempty(),
|
|
||||||
destinationPort: z.number().int().min(1).max(65535)
|
|
||||||
});
|
|
||||||
|
|
||||||
export type CreateBrowserGatewayTargetResponse = BrowserGatewayTarget;
|
|
||||||
|
|
||||||
registry.registerPath({
|
|
||||||
method: "put",
|
|
||||||
path: "/org/{orgId}/resource/{resourceId}/browser-gateway-target",
|
|
||||||
description: "Create a browser gateway target for a resource.",
|
|
||||||
tags: [OpenAPITags.Org],
|
|
||||||
request: {
|
|
||||||
params: paramsSchema,
|
|
||||||
body: {
|
|
||||||
content: {
|
|
||||||
"application/json": {
|
|
||||||
schema: bodySchema
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
},
|
|
||||||
responses: {}
|
|
||||||
});
|
|
||||||
|
|
||||||
export async function createBrowserGatewayTarget(
|
|
||||||
req: Request,
|
|
||||||
res: Response,
|
|
||||||
next: NextFunction
|
|
||||||
): Promise<any> {
|
|
||||||
try {
|
|
||||||
const parsedParams = paramsSchema.safeParse(req.params);
|
|
||||||
if (!parsedParams.success) {
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.BAD_REQUEST,
|
|
||||||
fromError(parsedParams.error).toString()
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
const { orgId, resourceId } = parsedParams.data;
|
|
||||||
|
|
||||||
const parsedBody = bodySchema.safeParse(req.body);
|
|
||||||
if (!parsedBody.success) {
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.BAD_REQUEST,
|
|
||||||
fromError(parsedBody.error).toString()
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
const { siteId, type, destination, destinationPort } = parsedBody.data;
|
|
||||||
|
|
||||||
const [resource] = await db
|
|
||||||
.select()
|
|
||||||
.from(resources)
|
|
||||||
.where(
|
|
||||||
and(
|
|
||||||
eq(resources.resourceId, resourceId),
|
|
||||||
eq(resources.orgId, orgId)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
.limit(1);
|
|
||||||
|
|
||||||
if (!resource) {
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.NOT_FOUND,
|
|
||||||
`Resource with ID ${resourceId} not found in organization ${orgId}`
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
const [site] = await db
|
|
||||||
.select()
|
|
||||||
.from(sites)
|
|
||||||
.where(and(eq(sites.siteId, siteId), eq(sites.orgId, orgId)))
|
|
||||||
.limit(1);
|
|
||||||
|
|
||||||
if (!site) {
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.NOT_FOUND,
|
|
||||||
`Site with ID ${siteId} not found in organization ${orgId}`
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
const plainToken = generateId(48);
|
|
||||||
const encryptedToken = encrypt(
|
|
||||||
plainToken,
|
|
||||||
config.getRawConfig().server.secret!
|
|
||||||
);
|
|
||||||
|
|
||||||
const [record] = await db
|
|
||||||
.insert(browserGatewayTarget)
|
|
||||||
.values({
|
|
||||||
resourceId,
|
|
||||||
siteId,
|
|
||||||
type,
|
|
||||||
destination,
|
|
||||||
destinationPort,
|
|
||||||
authToken: encryptedToken
|
|
||||||
})
|
|
||||||
.returning();
|
|
||||||
|
|
||||||
if (site.type === "newt") {
|
|
||||||
const [newt] = await db
|
|
||||||
.select()
|
|
||||||
.from(newts)
|
|
||||||
.where(eq(newts.siteId, siteId))
|
|
||||||
.limit(1);
|
|
||||||
|
|
||||||
if (newt) {
|
|
||||||
await sendBrowserGatewayTargets(
|
|
||||||
newt.newtId,
|
|
||||||
[record],
|
|
||||||
newt.version
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.info(
|
|
||||||
`Created browser gateway target ${record.browserGatewayTargetId} for resource ${resourceId}`
|
|
||||||
);
|
|
||||||
|
|
||||||
return response<CreateBrowserGatewayTargetResponse>(res, {
|
|
||||||
data: record,
|
|
||||||
success: true,
|
|
||||||
error: false,
|
|
||||||
message: "Browser gateway target created successfully",
|
|
||||||
status: HttpCode.CREATED
|
|
||||||
});
|
|
||||||
} catch (error) {
|
|
||||||
logger.error(error);
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.INTERNAL_SERVER_ERROR,
|
|
||||||
"Failed to create browser gateway target"
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,130 +0,0 @@
|
|||||||
/*
|
|
||||||
* This file is part of a proprietary work.
|
|
||||||
*
|
|
||||||
* Copyright (c) 2025-2026 Fossorial, Inc.
|
|
||||||
* All rights reserved.
|
|
||||||
*
|
|
||||||
* This file is licensed under the Fossorial Commercial License.
|
|
||||||
* You may not use this file except in compliance with the License.
|
|
||||||
* Unauthorized use, copying, modification, or distribution is strictly prohibited.
|
|
||||||
*
|
|
||||||
* This file is not licensed under the AGPLv3.
|
|
||||||
*/
|
|
||||||
|
|
||||||
import { Request, Response, NextFunction } from "express";
|
|
||||||
import { z } from "zod";
|
|
||||||
import { browserGatewayTarget, db, newts, sites } from "@server/db";
|
|
||||||
import { eq, and } from "drizzle-orm";
|
|
||||||
import response from "@server/lib/response";
|
|
||||||
import HttpCode from "@server/types/HttpCode";
|
|
||||||
import createHttpError from "http-errors";
|
|
||||||
import logger from "@server/logger";
|
|
||||||
import { fromError } from "zod-validation-error";
|
|
||||||
import { OpenAPITags, registry } from "@server/openApi";
|
|
||||||
import { removeBrowserGatewayTarget } from "@server/routers/newt/targets";
|
|
||||||
|
|
||||||
const paramsSchema = z.strictObject({
|
|
||||||
orgId: z.string().nonempty(),
|
|
||||||
browserGatewayTargetId: z
|
|
||||||
.string()
|
|
||||||
.transform(Number)
|
|
||||||
.pipe(z.number().int().positive())
|
|
||||||
});
|
|
||||||
|
|
||||||
registry.registerPath({
|
|
||||||
method: "delete",
|
|
||||||
path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
|
|
||||||
description: "Delete a browser gateway target.",
|
|
||||||
tags: [OpenAPITags.Org],
|
|
||||||
request: {
|
|
||||||
params: paramsSchema
|
|
||||||
},
|
|
||||||
responses: {}
|
|
||||||
});
|
|
||||||
|
|
||||||
export async function deleteBrowserGatewayTarget(
|
|
||||||
req: Request,
|
|
||||||
res: Response,
|
|
||||||
next: NextFunction
|
|
||||||
): Promise<any> {
|
|
||||||
try {
|
|
||||||
const parsedParams = paramsSchema.safeParse(req.params);
|
|
||||||
if (!parsedParams.success) {
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.BAD_REQUEST,
|
|
||||||
fromError(parsedParams.error).toString()
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
const { orgId, browserGatewayTargetId } = parsedParams.data;
|
|
||||||
|
|
||||||
const [existing] = await db
|
|
||||||
.select({ bgt: browserGatewayTarget, site: sites })
|
|
||||||
.from(browserGatewayTarget)
|
|
||||||
.innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
|
|
||||||
.where(
|
|
||||||
and(
|
|
||||||
eq(
|
|
||||||
browserGatewayTarget.browserGatewayTargetId,
|
|
||||||
browserGatewayTargetId
|
|
||||||
),
|
|
||||||
eq(sites.orgId, orgId)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
.limit(1);
|
|
||||||
|
|
||||||
if (!existing) {
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.NOT_FOUND,
|
|
||||||
`Browser gateway target with ID ${browserGatewayTargetId} not found`
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
await db
|
|
||||||
.delete(browserGatewayTarget)
|
|
||||||
.where(
|
|
||||||
eq(
|
|
||||||
browserGatewayTarget.browserGatewayTargetId,
|
|
||||||
browserGatewayTargetId
|
|
||||||
)
|
|
||||||
);
|
|
||||||
|
|
||||||
if (existing.site.type === "newt") {
|
|
||||||
const [newt] = await db
|
|
||||||
.select()
|
|
||||||
.from(newts)
|
|
||||||
.where(eq(newts.siteId, existing.bgt.siteId))
|
|
||||||
.limit(1);
|
|
||||||
|
|
||||||
if (newt) {
|
|
||||||
await removeBrowserGatewayTarget(
|
|
||||||
newt.newtId,
|
|
||||||
browserGatewayTargetId,
|
|
||||||
newt.version
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.info(`Deleted browser gateway target ${browserGatewayTargetId}`);
|
|
||||||
|
|
||||||
return response(res, {
|
|
||||||
data: null,
|
|
||||||
success: true,
|
|
||||||
error: false,
|
|
||||||
message: "Browser gateway target deleted successfully",
|
|
||||||
status: HttpCode.OK
|
|
||||||
});
|
|
||||||
} catch (error) {
|
|
||||||
logger.error(error);
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.INTERNAL_SERVER_ERROR,
|
|
||||||
"Failed to delete browser gateway target"
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,109 +0,0 @@
|
|||||||
/*
|
|
||||||
* This file is part of a proprietary work.
|
|
||||||
*
|
|
||||||
* Copyright (c) 2025-2026 Fossorial, Inc.
|
|
||||||
* All rights reserved.
|
|
||||||
*
|
|
||||||
* This file is licensed under the Fossorial Commercial License.
|
|
||||||
* You may not use this file except in compliance with the License.
|
|
||||||
* Unauthorized use, copying, modification, or distribution is strictly prohibited.
|
|
||||||
*
|
|
||||||
* This file is not licensed under the AGPLv3.
|
|
||||||
*/
|
|
||||||
|
|
||||||
import { Request, Response, NextFunction } from "express";
|
|
||||||
import { z } from "zod";
|
|
||||||
import {
|
|
||||||
browserGatewayTarget,
|
|
||||||
BrowserGatewayTarget,
|
|
||||||
db,
|
|
||||||
sites
|
|
||||||
} from "@server/db";
|
|
||||||
import { eq, and } from "drizzle-orm";
|
|
||||||
import response from "@server/lib/response";
|
|
||||||
import HttpCode from "@server/types/HttpCode";
|
|
||||||
import createHttpError from "http-errors";
|
|
||||||
import logger from "@server/logger";
|
|
||||||
import { fromError } from "zod-validation-error";
|
|
||||||
import { OpenAPITags, registry } from "@server/openApi";
|
|
||||||
|
|
||||||
const paramsSchema = z.strictObject({
|
|
||||||
orgId: z.string().nonempty(),
|
|
||||||
browserGatewayTargetId: z
|
|
||||||
.string()
|
|
||||||
.transform(Number)
|
|
||||||
.pipe(z.number().int().positive())
|
|
||||||
});
|
|
||||||
|
|
||||||
export type GetBrowserGatewayTargetResponse = BrowserGatewayTarget;
|
|
||||||
|
|
||||||
registry.registerPath({
|
|
||||||
method: "get",
|
|
||||||
path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
|
|
||||||
description: "Get a browser gateway target.",
|
|
||||||
tags: [OpenAPITags.Org],
|
|
||||||
request: {
|
|
||||||
params: paramsSchema
|
|
||||||
},
|
|
||||||
responses: {}
|
|
||||||
});
|
|
||||||
|
|
||||||
export async function getBrowserGatewayTarget(
|
|
||||||
req: Request,
|
|
||||||
res: Response,
|
|
||||||
next: NextFunction
|
|
||||||
): Promise<any> {
|
|
||||||
try {
|
|
||||||
const parsedParams = paramsSchema.safeParse(req.params);
|
|
||||||
if (!parsedParams.success) {
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.BAD_REQUEST,
|
|
||||||
fromError(parsedParams.error).toString()
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
const { orgId, browserGatewayTargetId } = parsedParams.data;
|
|
||||||
|
|
||||||
const [result] = await db
|
|
||||||
.select({ bgt: browserGatewayTarget })
|
|
||||||
.from(browserGatewayTarget)
|
|
||||||
.innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
|
|
||||||
.where(
|
|
||||||
and(
|
|
||||||
eq(
|
|
||||||
browserGatewayTarget.browserGatewayTargetId,
|
|
||||||
browserGatewayTargetId
|
|
||||||
),
|
|
||||||
eq(sites.orgId, orgId)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
.limit(1);
|
|
||||||
|
|
||||||
if (!result) {
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.NOT_FOUND,
|
|
||||||
`Browser gateway target with ID ${browserGatewayTargetId} not found`
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
return response<GetBrowserGatewayTargetResponse>(res, {
|
|
||||||
data: result.bgt,
|
|
||||||
success: true,
|
|
||||||
error: false,
|
|
||||||
message: "Browser gateway target retrieved successfully",
|
|
||||||
status: HttpCode.OK
|
|
||||||
});
|
|
||||||
} catch (error) {
|
|
||||||
logger.error(error);
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.INTERNAL_SERVER_ERROR,
|
|
||||||
"Failed to retrieve browser gateway target"
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -13,9 +13,8 @@
|
|||||||
|
|
||||||
import { Request, Response, NextFunction } from "express";
|
import { Request, Response, NextFunction } from "express";
|
||||||
import { z } from "zod";
|
import { z } from "zod";
|
||||||
import { browserGatewayTarget, db } from "@server/db";
|
import { db, resources, targets } from "@server/db";
|
||||||
import { resources, targets } from "@server/db";
|
import { eq, and, inArray } from "drizzle-orm";
|
||||||
import { eq } from "drizzle-orm";
|
|
||||||
import response from "@server/lib/response";
|
import response from "@server/lib/response";
|
||||||
import HttpCode from "@server/types/HttpCode";
|
import HttpCode from "@server/types/HttpCode";
|
||||||
import createHttpError from "http-errors";
|
import createHttpError from "http-errors";
|
||||||
@@ -51,31 +50,30 @@ export async function getBrowserTarget(
|
|||||||
|
|
||||||
logger.info(`Retrieving browser target for domain: ${fullDomain}`);
|
logger.info(`Retrieving browser target for domain: ${fullDomain}`);
|
||||||
|
|
||||||
const [browserTarget] = await db
|
const [row] = await db
|
||||||
.select({
|
.select({
|
||||||
destination: browserGatewayTarget.destination,
|
ip: targets.ip,
|
||||||
destinationPort: browserGatewayTarget.destinationPort,
|
port: targets.port,
|
||||||
authToken: browserGatewayTarget.authToken,
|
authToken: targets.authToken,
|
||||||
resourceId: resources.resourceId,
|
resourceId: resources.resourceId,
|
||||||
niceId: resources.niceId,
|
niceId: resources.niceId,
|
||||||
|
name: resources.name,
|
||||||
orgId: resources.orgId,
|
orgId: resources.orgId,
|
||||||
pamMode: resources.pamMode,
|
pamMode: resources.pamMode,
|
||||||
authDaemonMode: resources.authDaemonMode
|
authDaemonMode: resources.authDaemonMode
|
||||||
})
|
})
|
||||||
.from(browserGatewayTarget)
|
.from(targets)
|
||||||
.innerJoin(
|
.innerJoin(resources, eq(targets.resourceId, resources.resourceId))
|
||||||
resources,
|
.where(
|
||||||
eq(browserGatewayTarget.resourceId, resources.resourceId)
|
and(
|
||||||
|
eq(resources.fullDomain, fullDomain),
|
||||||
|
eq(targets.enabled, true),
|
||||||
|
inArray(targets.mode, ["ssh", "rdp", "vnc"])
|
||||||
|
)
|
||||||
)
|
)
|
||||||
.where(eq(resources.fullDomain, fullDomain))
|
|
||||||
.limit(1);
|
.limit(1);
|
||||||
|
|
||||||
const decryptedAuthToken = decrypt(
|
if (!row) {
|
||||||
browserTarget.authToken,
|
|
||||||
config.getRawConfig().server.secret!
|
|
||||||
);
|
|
||||||
|
|
||||||
if (!browserTarget) {
|
|
||||||
return next(
|
return next(
|
||||||
createHttpError(
|
createHttpError(
|
||||||
HttpCode.NOT_FOUND,
|
HttpCode.NOT_FOUND,
|
||||||
@@ -84,16 +82,21 @@ export async function getBrowserTarget(
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const decryptedAuthToken = row.authToken
|
||||||
|
? decrypt(row.authToken, config.getRawConfig().server.secret!)
|
||||||
|
: "";
|
||||||
|
|
||||||
return response<GetBrowserTargetResponse>(res, {
|
return response<GetBrowserTargetResponse>(res, {
|
||||||
data: {
|
data: {
|
||||||
ip: browserTarget.destination,
|
ip: row.ip,
|
||||||
port: browserTarget.destinationPort,
|
port: row.port,
|
||||||
authToken: decryptedAuthToken,
|
authToken: decryptedAuthToken,
|
||||||
pamMode: browserTarget.pamMode,
|
pamMode: row.pamMode,
|
||||||
authDaemonMode: browserTarget.authDaemonMode,
|
authDaemonMode: row.authDaemonMode,
|
||||||
orgId: browserTarget.orgId,
|
orgId: row.orgId,
|
||||||
resourceId: browserTarget.resourceId,
|
resourceId: row.resourceId,
|
||||||
niceId: browserTarget.niceId
|
niceId: row.niceId,
|
||||||
|
name: row.name ?? ""
|
||||||
},
|
},
|
||||||
success: true,
|
success: true,
|
||||||
error: false,
|
error: false,
|
||||||
|
|||||||
@@ -11,9 +11,4 @@
|
|||||||
* This file is not licensed under the AGPLv3.
|
* This file is not licensed under the AGPLv3.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
export * from "./createBrowserGatewayTarget";
|
|
||||||
export * from "./updateBrowserGatewayTarget";
|
|
||||||
export * from "./deleteBrowserGatewayTarget";
|
|
||||||
export * from "./getBrowserGatewayTarget";
|
|
||||||
export * from "./listBrowserGatewayTargets";
|
|
||||||
export * from "./getBrowserTarget";
|
export * from "./getBrowserTarget";
|
||||||
|
|||||||
@@ -1,159 +0,0 @@
|
|||||||
/*
|
|
||||||
* This file is part of a proprietary work.
|
|
||||||
*
|
|
||||||
* Copyright (c) 2025-2026 Fossorial, Inc.
|
|
||||||
* All rights reserved.
|
|
||||||
*
|
|
||||||
* This file is licensed under the Fossorial Commercial License.
|
|
||||||
* You may not use this file except in compliance with the License.
|
|
||||||
* Unauthorized use, copying, modification, or distribution is strictly prohibited.
|
|
||||||
*
|
|
||||||
* This file is not licensed under the AGPLv3.
|
|
||||||
*/
|
|
||||||
|
|
||||||
import { Request, Response, NextFunction } from "express";
|
|
||||||
import { z } from "zod";
|
|
||||||
import {
|
|
||||||
browserGatewayTarget,
|
|
||||||
BrowserGatewayTarget,
|
|
||||||
db,
|
|
||||||
resources,
|
|
||||||
sites
|
|
||||||
} from "@server/db";
|
|
||||||
import { eq, and } from "drizzle-orm";
|
|
||||||
import response from "@server/lib/response";
|
|
||||||
import HttpCode from "@server/types/HttpCode";
|
|
||||||
import createHttpError from "http-errors";
|
|
||||||
import logger from "@server/logger";
|
|
||||||
import { fromError } from "zod-validation-error";
|
|
||||||
import { OpenAPITags, registry } from "@server/openApi";
|
|
||||||
|
|
||||||
const paramsSchema = z.strictObject({
|
|
||||||
orgId: z.string().nonempty(),
|
|
||||||
resourceId: z.string().transform(Number).pipe(z.number().int().positive())
|
|
||||||
});
|
|
||||||
|
|
||||||
const querySchema = z.object({
|
|
||||||
limit: z
|
|
||||||
.string()
|
|
||||||
.optional()
|
|
||||||
.default("1000")
|
|
||||||
.transform(Number)
|
|
||||||
.pipe(z.number().int().positive()),
|
|
||||||
offset: z
|
|
||||||
.string()
|
|
||||||
.optional()
|
|
||||||
.default("0")
|
|
||||||
.transform(Number)
|
|
||||||
.pipe(z.number().int().nonnegative())
|
|
||||||
});
|
|
||||||
|
|
||||||
export type ListBrowserGatewayTargetsResponse = {
|
|
||||||
targets: BrowserGatewayTarget[];
|
|
||||||
total: number;
|
|
||||||
limit: number;
|
|
||||||
offset: number;
|
|
||||||
};
|
|
||||||
|
|
||||||
registry.registerPath({
|
|
||||||
method: "get",
|
|
||||||
path: "/org/{orgId}/resource/{resourceId}/browser-gateway-targets",
|
|
||||||
description: "List browser gateway targets for a resource.",
|
|
||||||
tags: [OpenAPITags.Org],
|
|
||||||
request: {
|
|
||||||
params: paramsSchema,
|
|
||||||
query: querySchema
|
|
||||||
},
|
|
||||||
responses: {}
|
|
||||||
});
|
|
||||||
|
|
||||||
export async function listBrowserGatewayTargets(
|
|
||||||
req: Request,
|
|
||||||
res: Response,
|
|
||||||
next: NextFunction
|
|
||||||
): Promise<any> {
|
|
||||||
try {
|
|
||||||
const parsedParams = paramsSchema.safeParse(req.params);
|
|
||||||
if (!parsedParams.success) {
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.BAD_REQUEST,
|
|
||||||
fromError(parsedParams.error).toString()
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
const { orgId, resourceId } = parsedParams.data;
|
|
||||||
|
|
||||||
const parsedQuery = querySchema.safeParse(req.query);
|
|
||||||
if (!parsedQuery.success) {
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.BAD_REQUEST,
|
|
||||||
fromError(parsedQuery.error).toString()
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
const { limit, offset } = parsedQuery.data;
|
|
||||||
|
|
||||||
const [resource] = await db
|
|
||||||
.select()
|
|
||||||
.from(resources)
|
|
||||||
.where(
|
|
||||||
and(
|
|
||||||
eq(resources.resourceId, resourceId),
|
|
||||||
eq(resources.orgId, orgId)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
.limit(1);
|
|
||||||
|
|
||||||
if (!resource) {
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.NOT_FOUND,
|
|
||||||
`Resource with ID ${resourceId} not found in organization ${orgId}`
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
const rows = await db
|
|
||||||
.select({
|
|
||||||
browserGatewayTargetId:
|
|
||||||
browserGatewayTarget.browserGatewayTargetId,
|
|
||||||
resourceId: browserGatewayTarget.resourceId,
|
|
||||||
siteId: browserGatewayTarget.siteId,
|
|
||||||
authToken: browserGatewayTarget.authToken,
|
|
||||||
type: browserGatewayTarget.type,
|
|
||||||
destination: browserGatewayTarget.destination,
|
|
||||||
destinationPort: browserGatewayTarget.destinationPort,
|
|
||||||
siteName: sites.name
|
|
||||||
})
|
|
||||||
.from(browserGatewayTarget)
|
|
||||||
.leftJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
|
|
||||||
.where(eq(browserGatewayTarget.resourceId, resourceId))
|
|
||||||
.limit(limit)
|
|
||||||
.offset(offset);
|
|
||||||
|
|
||||||
return response<ListBrowserGatewayTargetsResponse>(res, {
|
|
||||||
data: {
|
|
||||||
targets: rows as any,
|
|
||||||
total: rows.length,
|
|
||||||
limit,
|
|
||||||
offset
|
|
||||||
},
|
|
||||||
success: true,
|
|
||||||
error: false,
|
|
||||||
message: "Browser gateway targets retrieved successfully",
|
|
||||||
status: HttpCode.OK
|
|
||||||
});
|
|
||||||
} catch (error) {
|
|
||||||
logger.error(error);
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.INTERNAL_SERVER_ERROR,
|
|
||||||
"Failed to list browser gateway targets"
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,180 +0,0 @@
|
|||||||
/*
|
|
||||||
* This file is part of a proprietary work.
|
|
||||||
*
|
|
||||||
* Copyright (c) 2025-2026 Fossorial, Inc.
|
|
||||||
* All rights reserved.
|
|
||||||
*
|
|
||||||
* This file is licensed under the Fossorial Commercial License.
|
|
||||||
* You may not use this file except in compliance with the License.
|
|
||||||
* Unauthorized use, copying, modification, or distribution is strictly prohibited.
|
|
||||||
*
|
|
||||||
* This file is not licensed under the AGPLv3.
|
|
||||||
*/
|
|
||||||
|
|
||||||
import { Request, Response, NextFunction } from "express";
|
|
||||||
import { z } from "zod";
|
|
||||||
import {
|
|
||||||
browserGatewayTarget,
|
|
||||||
BrowserGatewayTarget,
|
|
||||||
db,
|
|
||||||
newts,
|
|
||||||
sites
|
|
||||||
} from "@server/db";
|
|
||||||
import { eq, and } from "drizzle-orm";
|
|
||||||
import response from "@server/lib/response";
|
|
||||||
import HttpCode from "@server/types/HttpCode";
|
|
||||||
import createHttpError from "http-errors";
|
|
||||||
import logger from "@server/logger";
|
|
||||||
import { fromError } from "zod-validation-error";
|
|
||||||
import { OpenAPITags, registry } from "@server/openApi";
|
|
||||||
import { sendBrowserGatewayTargets } from "@server/routers/newt/targets";
|
|
||||||
|
|
||||||
const paramsSchema = z.strictObject({
|
|
||||||
orgId: z.string().nonempty(),
|
|
||||||
browserGatewayTargetId: z
|
|
||||||
.string()
|
|
||||||
.transform(Number)
|
|
||||||
.pipe(z.number().int().positive())
|
|
||||||
});
|
|
||||||
|
|
||||||
const bodySchema = z.strictObject({
|
|
||||||
siteId: z.number().int().positive().optional(),
|
|
||||||
type: z.enum(["ssh", "rdp", "vnc"]).optional(),
|
|
||||||
destination: z.string().nonempty().optional(),
|
|
||||||
destinationPort: z.number().int().min(1).max(65535).optional()
|
|
||||||
});
|
|
||||||
|
|
||||||
export type UpdateBrowserGatewayTargetResponse = BrowserGatewayTarget;
|
|
||||||
|
|
||||||
registry.registerPath({
|
|
||||||
method: "post",
|
|
||||||
path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
|
|
||||||
description: "Update a browser gateway target.",
|
|
||||||
tags: [OpenAPITags.Org],
|
|
||||||
request: {
|
|
||||||
params: paramsSchema,
|
|
||||||
body: {
|
|
||||||
content: {
|
|
||||||
"application/json": {
|
|
||||||
schema: bodySchema
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
},
|
|
||||||
responses: {}
|
|
||||||
});
|
|
||||||
|
|
||||||
export async function updateBrowserGatewayTarget(
|
|
||||||
req: Request,
|
|
||||||
res: Response,
|
|
||||||
next: NextFunction
|
|
||||||
): Promise<any> {
|
|
||||||
try {
|
|
||||||
const parsedParams = paramsSchema.safeParse(req.params);
|
|
||||||
if (!parsedParams.success) {
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.BAD_REQUEST,
|
|
||||||
fromError(parsedParams.error).toString()
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
const { orgId, browserGatewayTargetId } = parsedParams.data;
|
|
||||||
|
|
||||||
const parsedBody = bodySchema.safeParse(req.body);
|
|
||||||
if (!parsedBody.success) {
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.BAD_REQUEST,
|
|
||||||
fromError(parsedBody.error).toString()
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
const { siteId, type, destination, destinationPort } = parsedBody.data;
|
|
||||||
|
|
||||||
const [existing] = await db
|
|
||||||
.select({ bgt: browserGatewayTarget, site: sites })
|
|
||||||
.from(browserGatewayTarget)
|
|
||||||
.innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
|
|
||||||
.where(
|
|
||||||
and(
|
|
||||||
eq(
|
|
||||||
browserGatewayTarget.browserGatewayTargetId,
|
|
||||||
browserGatewayTargetId
|
|
||||||
),
|
|
||||||
eq(sites.orgId, orgId)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
.limit(1);
|
|
||||||
|
|
||||||
if (!existing) {
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.NOT_FOUND,
|
|
||||||
`Browser gateway target with ID ${browserGatewayTargetId} not found`
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
const updateValues: Partial<BrowserGatewayTarget> = {};
|
|
||||||
if (siteId !== undefined) updateValues.siteId = siteId;
|
|
||||||
if (type !== undefined) updateValues.type = type;
|
|
||||||
if (destination !== undefined) updateValues.destination = destination;
|
|
||||||
if (destinationPort !== undefined)
|
|
||||||
updateValues.destinationPort = destinationPort;
|
|
||||||
|
|
||||||
const [updated] = await db
|
|
||||||
.update(browserGatewayTarget)
|
|
||||||
.set(updateValues)
|
|
||||||
.where(
|
|
||||||
eq(
|
|
||||||
browserGatewayTarget.browserGatewayTargetId,
|
|
||||||
browserGatewayTargetId
|
|
||||||
)
|
|
||||||
)
|
|
||||||
.returning();
|
|
||||||
|
|
||||||
const targetSiteId = siteId ?? existing.bgt.siteId;
|
|
||||||
const [site] = await db
|
|
||||||
.select()
|
|
||||||
.from(sites)
|
|
||||||
.where(eq(sites.siteId, targetSiteId))
|
|
||||||
.limit(1);
|
|
||||||
|
|
||||||
if (site && site.type === "newt") {
|
|
||||||
const [newt] = await db
|
|
||||||
.select()
|
|
||||||
.from(newts)
|
|
||||||
.where(eq(newts.siteId, targetSiteId))
|
|
||||||
.limit(1);
|
|
||||||
|
|
||||||
if (newt) {
|
|
||||||
await sendBrowserGatewayTargets(
|
|
||||||
newt.newtId,
|
|
||||||
[updated],
|
|
||||||
newt.version
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.info(`Updated browser gateway target ${browserGatewayTargetId}`);
|
|
||||||
|
|
||||||
return response<UpdateBrowserGatewayTargetResponse>(res, {
|
|
||||||
data: updated,
|
|
||||||
success: true,
|
|
||||||
error: false,
|
|
||||||
message: "Browser gateway target updated successfully",
|
|
||||||
status: HttpCode.OK
|
|
||||||
});
|
|
||||||
} catch (error) {
|
|
||||||
logger.error(error);
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.INTERNAL_SERVER_ERROR,
|
|
||||||
"Failed to update browser gateway target"
|
|
||||||
)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -121,7 +121,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -46,7 +46,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -29,7 +29,7 @@ import { tierMatrix } from "@server/lib/billing/tierMatrix";
|
|||||||
const paramsSchema = z.strictObject({});
|
const paramsSchema = z.strictObject({});
|
||||||
|
|
||||||
const querySchema = z.strictObject({
|
const querySchema = z.strictObject({
|
||||||
subdomain: z.string(),
|
subdomain: z.string()
|
||||||
// orgId: build === "saas" ? z.string() : z.string().optional() // Required for saas, optional otherwise
|
// orgId: build === "saas" ? z.string() : z.string().optional() // Required for saas, optional otherwise
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -48,7 +48,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -33,7 +33,8 @@ const paramsSchema = z
|
|||||||
registry.registerPath({
|
registry.registerPath({
|
||||||
method: "delete",
|
method: "delete",
|
||||||
path: "/org/{orgId}/event-streaming-destination/{destinationId}",
|
path: "/org/{orgId}/event-streaming-destination/{destinationId}",
|
||||||
description: "Delete an event streaming destination for a specific organization.",
|
description:
|
||||||
|
"Delete an event streaming destination for a specific organization.",
|
||||||
tags: [OpenAPITags.Org],
|
tags: [OpenAPITags.Org],
|
||||||
request: {
|
request: {
|
||||||
params: paramsSchema
|
params: paramsSchema
|
||||||
@@ -44,7 +45,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
@@ -115,4 +116,4 @@ export async function deleteEventStreamingDestination(
|
|||||||
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -31,7 +31,6 @@ import * as siteProvisioning from "#private/routers/siteProvisioning";
|
|||||||
import * as eventStreamingDestination from "#private/routers/eventStreamingDestination";
|
import * as eventStreamingDestination from "#private/routers/eventStreamingDestination";
|
||||||
import * as alertRule from "#private/routers/alertRule";
|
import * as alertRule from "#private/routers/alertRule";
|
||||||
import * as healthChecks from "#private/routers/healthChecks";
|
import * as healthChecks from "#private/routers/healthChecks";
|
||||||
import * as browserGatewayTarget from "#private/routers/browserGatewayTarget";
|
|
||||||
import * as labels from "#private/routers/labels";
|
import * as labels from "#private/routers/labels";
|
||||||
import * as client from "@server/routers/client";
|
import * as client from "@server/routers/client";
|
||||||
import * as resource from "#private/routers/resource";
|
import * as resource from "#private/routers/resource";
|
||||||
@@ -879,48 +878,3 @@ authenticated.post(
|
|||||||
verifyClientAccess,
|
verifyClientAccess,
|
||||||
client.rebuildClientAssociationsCacheRoute
|
client.rebuildClientAssociationsCacheRoute
|
||||||
);
|
);
|
||||||
|
|
||||||
authenticated.put(
|
|
||||||
"/org/:orgId/resource/:resourceId/browser-gateway-target",
|
|
||||||
verifyValidLicense,
|
|
||||||
verifyOrgAccess,
|
|
||||||
verifyLimits,
|
|
||||||
verifyUserHasAction(ActionsEnum.createBrowserGatewayTarget),
|
|
||||||
logActionAudit(ActionsEnum.createBrowserGatewayTarget),
|
|
||||||
browserGatewayTarget.createBrowserGatewayTarget
|
|
||||||
);
|
|
||||||
|
|
||||||
authenticated.get(
|
|
||||||
"/org/:orgId/resource/:resourceId/browser-gateway-targets",
|
|
||||||
verifyValidLicense,
|
|
||||||
verifyOrgAccess,
|
|
||||||
verifyUserHasAction(ActionsEnum.listBrowserGatewayTargets),
|
|
||||||
browserGatewayTarget.listBrowserGatewayTargets
|
|
||||||
);
|
|
||||||
|
|
||||||
authenticated.get(
|
|
||||||
"/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
|
|
||||||
verifyValidLicense,
|
|
||||||
verifyOrgAccess,
|
|
||||||
verifyUserHasAction(ActionsEnum.getBrowserGatewayTarget),
|
|
||||||
browserGatewayTarget.getBrowserGatewayTarget
|
|
||||||
);
|
|
||||||
|
|
||||||
authenticated.post(
|
|
||||||
"/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
|
|
||||||
verifyValidLicense,
|
|
||||||
verifyOrgAccess,
|
|
||||||
verifyLimits,
|
|
||||||
verifyUserHasAction(ActionsEnum.updateBrowserGatewayTarget),
|
|
||||||
logActionAudit(ActionsEnum.updateBrowserGatewayTarget),
|
|
||||||
browserGatewayTarget.updateBrowserGatewayTarget
|
|
||||||
);
|
|
||||||
|
|
||||||
authenticated.delete(
|
|
||||||
"/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
|
|
||||||
verifyValidLicense,
|
|
||||||
verifyOrgAccess,
|
|
||||||
verifyUserHasAction(ActionsEnum.deleteBrowserGatewayTarget),
|
|
||||||
logActionAudit(ActionsEnum.deleteBrowserGatewayTarget),
|
|
||||||
browserGatewayTarget.deleteBrowserGatewayTarget
|
|
||||||
);
|
|
||||||
|
|||||||
@@ -47,7 +47,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -74,7 +74,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -79,7 +79,10 @@ import logger from "@server/logger";
|
|||||||
import { decrypt } from "@server/lib/crypto";
|
import { decrypt } from "@server/lib/crypto";
|
||||||
import config from "@server/lib/config";
|
import config from "@server/lib/config";
|
||||||
import { exchangeSession } from "@server/routers/badger";
|
import { exchangeSession } from "@server/routers/badger";
|
||||||
import { validateResourceSessionToken } from "@server/auth/sessions/resource";
|
import {
|
||||||
|
ResourceSessionValidationResult,
|
||||||
|
validateResourceSessionToken
|
||||||
|
} from "@server/auth/sessions/resource";
|
||||||
import { checkExitNodeOrg, resolveExitNodes } from "#private/lib/exitNodes";
|
import { checkExitNodeOrg, resolveExitNodes } from "#private/lib/exitNodes";
|
||||||
import { maxmindLookup } from "@server/db/maxmind";
|
import { maxmindLookup } from "@server/db/maxmind";
|
||||||
import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToken";
|
import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToken";
|
||||||
@@ -216,9 +219,9 @@ export type ResourceWithAuth = {
|
|||||||
password: ResourcePassword | ResourcePolicyPassword | null;
|
password: ResourcePassword | ResourcePolicyPassword | null;
|
||||||
headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
|
headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
|
||||||
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
|
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
|
||||||
applyRules: boolean;
|
applyRules: boolean | null;
|
||||||
sso: boolean;
|
sso: boolean | null;
|
||||||
emailWhitelistEnabled: boolean;
|
emailWhitelistEnabled: boolean | null;
|
||||||
org: Org;
|
org: Org;
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -1754,11 +1757,34 @@ hybridRouter.post(
|
|||||||
resourceId
|
resourceId
|
||||||
);
|
);
|
||||||
|
|
||||||
|
// this is for backward compatibility with nodes that did not have the policy id checking
|
||||||
|
const modifiedResult: ResourceSessionValidationResult = {
|
||||||
|
...result,
|
||||||
|
resourceSession: result.resourceSession
|
||||||
|
? {
|
||||||
|
...result.resourceSession,
|
||||||
|
// Prefer policy IDs, but keep legacy IDs populated for older nodes.
|
||||||
|
pincodeId:
|
||||||
|
result.resourceSession.policyPincodeId ??
|
||||||
|
result.resourceSession.pincodeId ??
|
||||||
|
null,
|
||||||
|
passwordId:
|
||||||
|
result.resourceSession.policyPasswordId ??
|
||||||
|
result.resourceSession.passwordId ??
|
||||||
|
null,
|
||||||
|
whitelistId:
|
||||||
|
result.resourceSession.policyWhitelistId ??
|
||||||
|
result.resourceSession.whitelistId ??
|
||||||
|
null
|
||||||
|
}
|
||||||
|
: null
|
||||||
|
};
|
||||||
|
|
||||||
return response(res, {
|
return response(res, {
|
||||||
data: result,
|
data: modifiedResult,
|
||||||
success: true,
|
success: true,
|
||||||
error: false,
|
error: false,
|
||||||
message: result.resourceSession
|
message: modifiedResult.resourceSession
|
||||||
? "Resource session token is valid"
|
? "Resource session token is valid"
|
||||||
: "Resource session token is invalid or expired",
|
: "Resource session token is invalid or expired",
|
||||||
status: HttpCode.OK
|
status: HttpCode.OK
|
||||||
|
|||||||
@@ -16,7 +16,6 @@ import * as org from "#private/routers/org";
|
|||||||
import * as logs from "#private/routers/auditLogs";
|
import * as logs from "#private/routers/auditLogs";
|
||||||
import * as alertEvents from "#private/routers/alertEvents";
|
import * as alertEvents from "#private/routers/alertEvents";
|
||||||
import * as certificates from "#private/routers/certificates";
|
import * as certificates from "#private/routers/certificates";
|
||||||
import * as browserGatewayTarget from "#private/routers/browserGatewayTarget";
|
|
||||||
|
|
||||||
import {
|
import {
|
||||||
verifyApiKeyHasAction,
|
verifyApiKeyHasAction,
|
||||||
@@ -216,43 +215,3 @@ authenticated.delete(
|
|||||||
logActionAudit(ActionsEnum.removeUserRole),
|
logActionAudit(ActionsEnum.removeUserRole),
|
||||||
user.removeUserRole
|
user.removeUserRole
|
||||||
);
|
);
|
||||||
|
|
||||||
authenticated.put(
|
|
||||||
"/org/:orgId/resource/:resourceId/browser-gateway-target",
|
|
||||||
verifyApiKeyOrgAccess,
|
|
||||||
verifyLimits,
|
|
||||||
verifyApiKeyHasAction(ActionsEnum.createBrowserGatewayTarget),
|
|
||||||
logActionAudit(ActionsEnum.createBrowserGatewayTarget),
|
|
||||||
browserGatewayTarget.createBrowserGatewayTarget
|
|
||||||
);
|
|
||||||
|
|
||||||
authenticated.get(
|
|
||||||
"/org/:orgId/resource/:resourceId/browser-gateway-targets",
|
|
||||||
verifyApiKeyOrgAccess,
|
|
||||||
verifyApiKeyHasAction(ActionsEnum.listBrowserGatewayTargets),
|
|
||||||
browserGatewayTarget.listBrowserGatewayTargets
|
|
||||||
);
|
|
||||||
|
|
||||||
authenticated.get(
|
|
||||||
"/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
|
|
||||||
verifyApiKeyOrgAccess,
|
|
||||||
verifyApiKeyHasAction(ActionsEnum.getBrowserGatewayTarget),
|
|
||||||
browserGatewayTarget.getBrowserGatewayTarget
|
|
||||||
);
|
|
||||||
|
|
||||||
authenticated.post(
|
|
||||||
"/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
|
|
||||||
verifyApiKeyOrgAccess,
|
|
||||||
verifyLimits,
|
|
||||||
verifyApiKeyHasAction(ActionsEnum.updateBrowserGatewayTarget),
|
|
||||||
logActionAudit(ActionsEnum.updateBrowserGatewayTarget),
|
|
||||||
browserGatewayTarget.updateBrowserGatewayTarget
|
|
||||||
);
|
|
||||||
|
|
||||||
authenticated.delete(
|
|
||||||
"/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
|
|
||||||
verifyApiKeyOrgAccess,
|
|
||||||
verifyApiKeyHasAction(ActionsEnum.deleteBrowserGatewayTarget),
|
|
||||||
logActionAudit(ActionsEnum.deleteBrowserGatewayTarget),
|
|
||||||
browserGatewayTarget.deleteBrowserGatewayTarget
|
|
||||||
);
|
|
||||||
|
|||||||
@@ -17,9 +17,9 @@ import * as orgIdp from "#private/routers/orgIdp";
|
|||||||
import * as billing from "#private/routers/billing";
|
import * as billing from "#private/routers/billing";
|
||||||
import * as license from "#private/routers/license";
|
import * as license from "#private/routers/license";
|
||||||
import * as resource from "#private/routers/resource";
|
import * as resource from "#private/routers/resource";
|
||||||
import * as browserTarget from "#private/routers/browserGatewayTarget";
|
|
||||||
import * as ssh from "#private/routers/ssh";
|
import * as ssh from "#private/routers/ssh";
|
||||||
import * as ws from "@server/routers/ws";
|
import * as ws from "@server/routers/ws";
|
||||||
|
import * as browserTarget from "#private/routers/browserGatewayTarget";
|
||||||
|
|
||||||
import {
|
import {
|
||||||
verifySessionUserMiddleware,
|
verifySessionUserMiddleware,
|
||||||
|
|||||||
@@ -22,7 +22,7 @@ import response from "@server/lib/response";
|
|||||||
import logger from "@server/logger";
|
import logger from "@server/logger";
|
||||||
import type { CreateOrEditLabelResponse } from "@server/routers/labels/types";
|
import type { CreateOrEditLabelResponse } from "@server/routers/labels/types";
|
||||||
import HttpCode from "@server/types/HttpCode";
|
import HttpCode from "@server/types/HttpCode";
|
||||||
import { and, eq } from "drizzle-orm";
|
import { and, eq, sql } from "drizzle-orm";
|
||||||
import { NextFunction, Request, Response } from "express";
|
import { NextFunction, Request, Response } from "express";
|
||||||
import createHttpError from "http-errors";
|
import createHttpError from "http-errors";
|
||||||
import { z } from "zod";
|
import { z } from "zod";
|
||||||
@@ -107,6 +107,26 @@ export async function createOrgLabel(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const [existingLabel] = await db
|
||||||
|
.select({ labelId: labels.labelId })
|
||||||
|
.from(labels)
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(labels.orgId, orgId),
|
||||||
|
sql`LOWER(${labels.name}) = ${name.toLowerCase()}`
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
if (existingLabel) {
|
||||||
|
return next(
|
||||||
|
createHttpError(
|
||||||
|
HttpCode.CONFLICT,
|
||||||
|
"A label with this name already exists"
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
const label = await db.transaction(async (tx) => {
|
const label = await db.transaction(async (tx) => {
|
||||||
const [label] = await tx
|
const [label] = await tx
|
||||||
.insert(labels)
|
.insert(labels)
|
||||||
|
|||||||
@@ -16,7 +16,7 @@ import response from "@server/lib/response";
|
|||||||
import logger from "@server/logger";
|
import logger from "@server/logger";
|
||||||
import type { CreateOrEditLabelResponse } from "@server/routers/labels/types";
|
import type { CreateOrEditLabelResponse } from "@server/routers/labels/types";
|
||||||
import HttpCode from "@server/types/HttpCode";
|
import HttpCode from "@server/types/HttpCode";
|
||||||
import { and, eq } from "drizzle-orm";
|
import { and, eq, ne, sql } from "drizzle-orm";
|
||||||
import { NextFunction, Request, Response } from "express";
|
import { NextFunction, Request, Response } from "express";
|
||||||
import createHttpError from "http-errors";
|
import createHttpError from "http-errors";
|
||||||
import { z } from "zod";
|
import { z } from "zod";
|
||||||
@@ -74,6 +74,29 @@ export async function updateOrgLabel(
|
|||||||
|
|
||||||
const { name, color } = parsedBody.data;
|
const { name, color } = parsedBody.data;
|
||||||
|
|
||||||
|
if (name && name.toLowerCase() !== existing.name.toLowerCase()) {
|
||||||
|
const [duplicateLabel] = await db
|
||||||
|
.select({ labelId: labels.labelId })
|
||||||
|
.from(labels)
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(labels.orgId, orgId),
|
||||||
|
ne(labels.labelId, labelId),
|
||||||
|
sql`LOWER(${labels.name}) = ${name.toLowerCase()}`
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
if (duplicateLabel) {
|
||||||
|
return next(
|
||||||
|
createHttpError(
|
||||||
|
HttpCode.CONFLICT,
|
||||||
|
"A label with this name already exists"
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
const [label] = await db
|
const [label] = await db
|
||||||
.update(labels)
|
.update(labels)
|
||||||
.set({
|
.set({
|
||||||
|
|||||||
@@ -69,7 +69,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
@@ -127,7 +127,8 @@ export async function createOrgOidcIdp(
|
|||||||
|
|
||||||
let { autoProvision } = parsedBody.data;
|
let { autoProvision } = parsedBody.data;
|
||||||
|
|
||||||
if (build == "saas") { // this is not paywalled with a ee license because this whole endpoint is restricted
|
if (build == "saas") {
|
||||||
|
// this is not paywalled with a ee license because this whole endpoint is restricted
|
||||||
const subscribed = await isSubscribed(
|
const subscribed = await isSubscribed(
|
||||||
orgId,
|
orgId,
|
||||||
tierMatrix.deviceApprovals
|
tierMatrix.deviceApprovals
|
||||||
|
|||||||
@@ -44,7 +44,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -62,7 +62,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -78,7 +78,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -33,9 +33,8 @@ import {
|
|||||||
import { getUniqueResourcePolicyName } from "@server/db/names";
|
import { getUniqueResourcePolicyName } from "@server/db/names";
|
||||||
import response from "@server/lib/response";
|
import response from "@server/lib/response";
|
||||||
import {
|
import {
|
||||||
isValidCIDR,
|
getResourceRuleValueValidationError,
|
||||||
isValidIP,
|
RESOURCE_RULE_MATCH_TYPES
|
||||||
isValidUrlGlobPattern
|
|
||||||
} from "@server/lib/validators";
|
} from "@server/lib/validators";
|
||||||
import logger from "@server/logger";
|
import logger from "@server/logger";
|
||||||
import { OpenAPITags, registry } from "@server/openApi";
|
import { OpenAPITags, registry } from "@server/openApi";
|
||||||
@@ -56,9 +55,9 @@ const ruleSchema = z.strictObject({
|
|||||||
enum: ["ACCEPT", "DROP", "PASS"],
|
enum: ["ACCEPT", "DROP", "PASS"],
|
||||||
description: "rule action"
|
description: "rule action"
|
||||||
}),
|
}),
|
||||||
match: z.enum(["CIDR", "IP", "PATH"]).openapi({
|
match: z.enum(RESOURCE_RULE_MATCH_TYPES).openapi({
|
||||||
type: "string",
|
type: "string",
|
||||||
enum: ["CIDR", "IP", "PATH"],
|
enum: [...RESOURCE_RULE_MATCH_TYPES],
|
||||||
description: "rule match"
|
description: "rule match"
|
||||||
}),
|
}),
|
||||||
value: z.string().min(1),
|
value: z.string().min(1),
|
||||||
@@ -261,26 +260,13 @@ export async function createResourcePolicy(
|
|||||||
const niceId = await getUniqueResourcePolicyName(orgId);
|
const niceId = await getUniqueResourcePolicyName(orgId);
|
||||||
|
|
||||||
for (const rule of rules) {
|
for (const rule of rules) {
|
||||||
if (rule.match === "CIDR" && !isValidCIDR(rule.value)) {
|
const validationError = getResourceRuleValueValidationError(
|
||||||
|
rule.match,
|
||||||
|
rule.value
|
||||||
|
);
|
||||||
|
if (validationError) {
|
||||||
return next(
|
return next(
|
||||||
createHttpError(
|
createHttpError(HttpCode.BAD_REQUEST, validationError)
|
||||||
HttpCode.BAD_REQUEST,
|
|
||||||
"Invalid CIDR provided"
|
|
||||||
)
|
|
||||||
);
|
|
||||||
} else if (rule.match === "IP" && !isValidIP(rule.value)) {
|
|
||||||
return next(
|
|
||||||
createHttpError(HttpCode.BAD_REQUEST, "Invalid IP provided")
|
|
||||||
);
|
|
||||||
} else if (
|
|
||||||
rule.match === "PATH" &&
|
|
||||||
!isValidUrlGlobPattern(rule.value)
|
|
||||||
) {
|
|
||||||
return next(
|
|
||||||
createHttpError(
|
|
||||||
HttpCode.BAD_REQUEST,
|
|
||||||
"Invalid URL glob pattern provided"
|
|
||||||
)
|
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -216,6 +216,7 @@ export async function listResourcePolicies(
|
|||||||
: await db
|
: await db
|
||||||
.select({
|
.select({
|
||||||
resourceId: resources.resourceId,
|
resourceId: resources.resourceId,
|
||||||
|
niceId: resources.niceId,
|
||||||
name: resources.name,
|
name: resources.name,
|
||||||
fullDomain: resources.fullDomain,
|
fullDomain: resources.fullDomain,
|
||||||
resourcePolicyId: resources.resourcePolicyId
|
resourcePolicyId: resources.resourcePolicyId
|
||||||
|
|||||||
@@ -0,0 +1,202 @@
|
|||||||
|
/*
|
||||||
|
* This file is part of a proprietary work.
|
||||||
|
*
|
||||||
|
* Copyright (c) 2025-2026 Fossorial, Inc.
|
||||||
|
* All rights reserved.
|
||||||
|
*
|
||||||
|
* This file is licensed under the Fossorial Commercial License.
|
||||||
|
* You may not use this file except in compliance with the License.
|
||||||
|
* Unauthorized use, copying, modification, or distribution is strictly prohibited.
|
||||||
|
*
|
||||||
|
* This file is not licensed under the AGPLv3.
|
||||||
|
*/
|
||||||
|
|
||||||
|
import axios from "axios";
|
||||||
|
import { db, exitNodes, newts, sites } from "@server/db";
|
||||||
|
import { eq } from "drizzle-orm";
|
||||||
|
import logger from "@server/logger";
|
||||||
|
import redisManager from "#private/lib/redis";
|
||||||
|
import { sendToClient } from "#private/routers/ws";
|
||||||
|
|
||||||
|
const INITIAL_DELAY_MS = 15 * 1000; // 15 seconds before first check
|
||||||
|
const CHECK_INTERVAL_MS = 10 * 1000; // Check every 10 seconds
|
||||||
|
const MAX_DURATION_MS = 5 * 60 * 1000; // Give up after 5 minutes
|
||||||
|
const REDIS_PENDING_SET = "exit-node-reconnect-pending";
|
||||||
|
const REDIS_HASH_PREFIX = "exit-node-reconnect:";
|
||||||
|
|
||||||
|
interface PendingReconnect {
|
||||||
|
startTime: number;
|
||||||
|
reachableAt: string;
|
||||||
|
}
|
||||||
|
|
||||||
|
// In-memory tracking for this node
|
||||||
|
const pendingReconnects = new Map<number, PendingReconnect>();
|
||||||
|
|
||||||
|
let schedulerInterval: NodeJS.Timeout | null = null;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Schedules a reconnect check for newts connected to the given exit node.
|
||||||
|
* Called when an exit node transitions from offline to online.
|
||||||
|
*/
|
||||||
|
export async function scheduleExitNodeReconnect(
|
||||||
|
exitNodeId: number,
|
||||||
|
reachableAt: string
|
||||||
|
): Promise<void> {
|
||||||
|
logger.info(
|
||||||
|
`Scheduling newt reconnect for exit node ${exitNodeId} (reachableAt: ${reachableAt})`
|
||||||
|
);
|
||||||
|
|
||||||
|
const entry: PendingReconnect = {
|
||||||
|
startTime: Date.now(),
|
||||||
|
reachableAt
|
||||||
|
};
|
||||||
|
|
||||||
|
pendingReconnects.set(exitNodeId, entry);
|
||||||
|
|
||||||
|
// Store in Redis if available for cross-node coordination
|
||||||
|
if (redisManager.isRedisEnabled()) {
|
||||||
|
await redisManager.sadd(REDIS_PENDING_SET, exitNodeId.toString());
|
||||||
|
await redisManager.hset(
|
||||||
|
`${REDIS_HASH_PREFIX}${exitNodeId}`,
|
||||||
|
"startTime",
|
||||||
|
entry.startTime.toString()
|
||||||
|
);
|
||||||
|
await redisManager.hset(
|
||||||
|
`${REDIS_HASH_PREFIX}${exitNodeId}`,
|
||||||
|
"reachableAt",
|
||||||
|
reachableAt
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Starts the background interval that checks pending exit node reconnects.
|
||||||
|
*/
|
||||||
|
export function startExitNodeReconnectScheduler(): void {
|
||||||
|
if (schedulerInterval) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
schedulerInterval = setInterval(async () => {
|
||||||
|
try {
|
||||||
|
await processPendingReconnects();
|
||||||
|
} catch (error) {
|
||||||
|
logger.error("Error in exit node reconnect scheduler", { error });
|
||||||
|
}
|
||||||
|
}, CHECK_INTERVAL_MS);
|
||||||
|
|
||||||
|
logger.debug("Started exit node reconnect scheduler");
|
||||||
|
}
|
||||||
|
|
||||||
|
async function processPendingReconnects(): Promise<void> {
|
||||||
|
// Merge in-memory and Redis-tracked pending reconnects
|
||||||
|
const toProcess = new Map(pendingReconnects);
|
||||||
|
|
||||||
|
if (redisManager.isRedisEnabled()) {
|
||||||
|
const redisIds = await redisManager.smembers(REDIS_PENDING_SET);
|
||||||
|
for (const idStr of redisIds) {
|
||||||
|
const id = parseInt(idStr, 10);
|
||||||
|
if (!toProcess.has(id)) {
|
||||||
|
const startTimeStr = await redisManager.hget(
|
||||||
|
`${REDIS_HASH_PREFIX}${id}`,
|
||||||
|
"startTime"
|
||||||
|
);
|
||||||
|
const reachableAt = await redisManager.hget(
|
||||||
|
`${REDIS_HASH_PREFIX}${id}`,
|
||||||
|
"reachableAt"
|
||||||
|
);
|
||||||
|
if (startTimeStr && reachableAt) {
|
||||||
|
toProcess.set(id, {
|
||||||
|
startTime: parseInt(startTimeStr, 10),
|
||||||
|
reachableAt
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
const now = Date.now();
|
||||||
|
|
||||||
|
for (const [exitNodeId, entry] of toProcess) {
|
||||||
|
const elapsed = now - entry.startTime;
|
||||||
|
|
||||||
|
// Give up after max duration
|
||||||
|
if (elapsed >= MAX_DURATION_MS) {
|
||||||
|
logger.warn(
|
||||||
|
`Exit node reconnect check timed out for exit node ${exitNodeId} after 5 minutes`
|
||||||
|
);
|
||||||
|
await removePending(exitNodeId);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Respect initial delay
|
||||||
|
if (elapsed < INITIAL_DELAY_MS) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check if the exit node HTTP endpoint is reachable
|
||||||
|
const pingUrl = `${entry.reachableAt}/ping`;
|
||||||
|
try {
|
||||||
|
await axios.get(pingUrl, { timeout: 5000 });
|
||||||
|
} catch {
|
||||||
|
logger.debug(
|
||||||
|
`Exit node ${exitNodeId} not yet reachable at ${pingUrl}`
|
||||||
|
);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Node is reachable — send reconnect to all connected newts
|
||||||
|
logger.info(
|
||||||
|
`Exit node ${exitNodeId} is reachable. Sending newt/wg/reconnect to connected newts.`
|
||||||
|
);
|
||||||
|
|
||||||
|
await sendReconnectToNewts(exitNodeId);
|
||||||
|
await removePending(exitNodeId);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
async function sendReconnectToNewts(exitNodeId: number): Promise<void> {
|
||||||
|
try {
|
||||||
|
const connectedNewts = await db
|
||||||
|
.select({ newtId: newts.newtId })
|
||||||
|
.from(newts)
|
||||||
|
.innerJoin(sites, eq(newts.siteId, sites.siteId))
|
||||||
|
.where(eq(sites.exitNodeId, exitNodeId));
|
||||||
|
|
||||||
|
if (connectedNewts.length === 0) {
|
||||||
|
logger.debug(
|
||||||
|
`No newts found for exit node ${exitNodeId}, nothing to reconnect`
|
||||||
|
);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
logger.info(
|
||||||
|
`Sending newt/wg/reconnect to ${connectedNewts.length} newt(s) for exit node ${exitNodeId}`
|
||||||
|
);
|
||||||
|
|
||||||
|
const reconnectMessage = {
|
||||||
|
type: "newt/wg/reconnect",
|
||||||
|
data: {}
|
||||||
|
};
|
||||||
|
|
||||||
|
await Promise.allSettled(
|
||||||
|
connectedNewts.map(({ newtId }) =>
|
||||||
|
sendToClient(newtId, reconnectMessage)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
} catch (error) {
|
||||||
|
logger.error(
|
||||||
|
`Failed to send reconnect messages for exit node ${exitNodeId}`,
|
||||||
|
{ error }
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
async function removePending(exitNodeId: number): Promise<void> {
|
||||||
|
pendingReconnects.delete(exitNodeId);
|
||||||
|
|
||||||
|
if (redisManager.isRedisEnabled()) {
|
||||||
|
await redisManager.srem(REDIS_PENDING_SET, exitNodeId.toString());
|
||||||
|
await redisManager.del(`${REDIS_HASH_PREFIX}${exitNodeId}`);
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -16,6 +16,7 @@ import { MessageHandler } from "@server/routers/ws";
|
|||||||
import { RemoteExitNode } from "@server/db";
|
import { RemoteExitNode } from "@server/db";
|
||||||
import { eq } from "drizzle-orm";
|
import { eq } from "drizzle-orm";
|
||||||
import logger from "@server/logger";
|
import logger from "@server/logger";
|
||||||
|
import { scheduleExitNodeReconnect } from "./exitNodeReconnectScheduler";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Handles ping messages from clients and responds with pong
|
* Handles ping messages from clients and responds with pong
|
||||||
@@ -37,6 +38,13 @@ export const handleRemoteExitNodePingMessage: MessageHandler = async (
|
|||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
// Fetch the current state before updating so we can detect the offline→online transition
|
||||||
|
const [currentExitNode] = await db
|
||||||
|
.select({ online: exitNodes.online, reachableAt: exitNodes.reachableAt })
|
||||||
|
.from(exitNodes)
|
||||||
|
.where(eq(exitNodes.exitNodeId, remoteExitNode.exitNodeId))
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
// Update the exit node's last ping timestamp
|
// Update the exit node's last ping timestamp
|
||||||
await db
|
await db
|
||||||
.update(exitNodes)
|
.update(exitNodes)
|
||||||
@@ -45,6 +53,16 @@ export const handleRemoteExitNodePingMessage: MessageHandler = async (
|
|||||||
online: true
|
online: true
|
||||||
})
|
})
|
||||||
.where(eq(exitNodes.exitNodeId, remoteExitNode.exitNodeId));
|
.where(eq(exitNodes.exitNodeId, remoteExitNode.exitNodeId));
|
||||||
|
|
||||||
|
// If the exit node was offline and is now coming online, schedule newt reconnects
|
||||||
|
if (currentExitNode && !currentExitNode.online && currentExitNode.reachableAt) {
|
||||||
|
scheduleExitNodeReconnect(
|
||||||
|
remoteExitNode.exitNodeId,
|
||||||
|
currentExitNode.reachableAt
|
||||||
|
).catch((error) => {
|
||||||
|
logger.error("Failed to schedule exit node reconnect", { error });
|
||||||
|
});
|
||||||
|
}
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
logger.error("Error handling ping message", { error });
|
logger.error("Error handling ping message", { error });
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -22,3 +22,4 @@ export * from "./listRemoteExitNodes";
|
|||||||
export * from "./pickRemoteExitNodeDefaults";
|
export * from "./pickRemoteExitNodeDefaults";
|
||||||
export * from "./quickStartRemoteExitNode";
|
export * from "./quickStartRemoteExitNode";
|
||||||
export * from "./offlineChecker";
|
export * from "./offlineChecker";
|
||||||
|
export * from "./exitNodeReconnectScheduler";
|
||||||
|
|||||||
@@ -30,8 +30,7 @@ import {
|
|||||||
userOrgs,
|
userOrgs,
|
||||||
sites,
|
sites,
|
||||||
Resource,
|
Resource,
|
||||||
SiteResource,
|
SiteResource
|
||||||
browserGatewayTarget
|
|
||||||
} from "@server/db";
|
} from "@server/db";
|
||||||
import { logAccessAudit } from "#private/lib/logAccessAudit";
|
import { logAccessAudit } from "#private/lib/logAccessAudit";
|
||||||
import { isLicensedOrSubscribed } from "#private/lib/isLicencedOrSubscribed";
|
import { isLicensedOrSubscribed } from "#private/lib/isLicencedOrSubscribed";
|
||||||
@@ -291,16 +290,15 @@ export async function signSshKey(
|
|||||||
const publicResource = resource as Resource;
|
const publicResource = resource as Resource;
|
||||||
const targetRows = await db
|
const targetRows = await db
|
||||||
.select({
|
.select({
|
||||||
siteId: browserGatewayTarget.siteId,
|
siteId: targets.siteId,
|
||||||
ip: browserGatewayTarget.destination
|
ip: targets.ip
|
||||||
})
|
})
|
||||||
.from(browserGatewayTarget)
|
.from(targets)
|
||||||
.where(
|
.where(
|
||||||
and(
|
and(
|
||||||
eq(
|
eq(targets.resourceId, publicResource.resourceId),
|
||||||
browserGatewayTarget.resourceId,
|
eq(targets.enabled, true),
|
||||||
publicResource.resourceId
|
eq(targets.mode, "ssh")
|
||||||
)
|
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
|
|||||||
@@ -44,7 +44,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -45,7 +45,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -14,7 +14,8 @@
|
|||||||
import {
|
import {
|
||||||
handleRemoteExitNodeRegisterMessage,
|
handleRemoteExitNodeRegisterMessage,
|
||||||
handleRemoteExitNodePingMessage,
|
handleRemoteExitNodePingMessage,
|
||||||
startRemoteExitNodeOfflineChecker
|
startRemoteExitNodeOfflineChecker,
|
||||||
|
startExitNodeReconnectScheduler
|
||||||
} from "#private/routers/remoteExitNode";
|
} from "#private/routers/remoteExitNode";
|
||||||
import { MessageHandler } from "@server/routers/ws";
|
import { MessageHandler } from "@server/routers/ws";
|
||||||
import { build } from "@server/build";
|
import { build } from "@server/build";
|
||||||
@@ -29,4 +30,5 @@ export const messageHandlers: Record<string, MessageHandler> = {
|
|||||||
|
|
||||||
if (build != "saas") {
|
if (build != "saas") {
|
||||||
startRemoteExitNodeOfflineChecker(); // this is to handle the offline check for remote exit nodes
|
startRemoteExitNodeOfflineChecker(); // this is to handle the offline check for remote exit nodes
|
||||||
|
startExitNodeReconnectScheduler(); // check pending exit node reconnects and notify newts
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -28,7 +28,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -61,7 +61,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -135,7 +135,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
@@ -164,7 +164,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -28,7 +28,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -42,7 +42,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -35,7 +35,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -162,7 +162,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -1,4 +1,11 @@
|
|||||||
import { logsDb, requestAuditLog, resources, siteResources, db, primaryDb } from "@server/db";
|
import {
|
||||||
|
logsDb,
|
||||||
|
requestAuditLog,
|
||||||
|
resources,
|
||||||
|
siteResources,
|
||||||
|
db,
|
||||||
|
primaryDb
|
||||||
|
} from "@server/db";
|
||||||
import { registry } from "@server/openApi";
|
import { registry } from "@server/openApi";
|
||||||
import { NextFunction } from "express";
|
import { NextFunction } from "express";
|
||||||
import { Request, Response } from "express";
|
import { Request, Response } from "express";
|
||||||
@@ -127,16 +134,16 @@ export function queryRequest(data: Q) {
|
|||||||
return logsDb
|
return logsDb
|
||||||
.select({
|
.select({
|
||||||
id: requestAuditLog.id,
|
id: requestAuditLog.id,
|
||||||
timestamp: requestAuditLog.timestamp,
|
timestamp: requestAuditLog.timestamp,
|
||||||
orgId: requestAuditLog.orgId,
|
orgId: requestAuditLog.orgId,
|
||||||
action: requestAuditLog.action,
|
action: requestAuditLog.action,
|
||||||
reason: requestAuditLog.reason,
|
reason: requestAuditLog.reason,
|
||||||
actorType: requestAuditLog.actorType,
|
actorType: requestAuditLog.actorType,
|
||||||
actor: requestAuditLog.actor,
|
actor: requestAuditLog.actor,
|
||||||
actorId: requestAuditLog.actorId,
|
actorId: requestAuditLog.actorId,
|
||||||
resourceId: requestAuditLog.resourceId,
|
resourceId: requestAuditLog.resourceId,
|
||||||
siteResourceId: requestAuditLog.siteResourceId,
|
siteResourceId: requestAuditLog.siteResourceId,
|
||||||
ip: requestAuditLog.ip,
|
ip: requestAuditLog.ip,
|
||||||
location: requestAuditLog.location,
|
location: requestAuditLog.location,
|
||||||
userAgent: requestAuditLog.userAgent,
|
userAgent: requestAuditLog.userAgent,
|
||||||
metadata: requestAuditLog.metadata,
|
metadata: requestAuditLog.metadata,
|
||||||
@@ -154,21 +161,30 @@ export function queryRequest(data: Q) {
|
|||||||
.orderBy(desc(requestAuditLog.timestamp));
|
.orderBy(desc(requestAuditLog.timestamp));
|
||||||
}
|
}
|
||||||
|
|
||||||
async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryRequest>>) {
|
async function enrichWithResourceDetails(
|
||||||
|
logs: Awaited<ReturnType<typeof queryRequest>>
|
||||||
|
) {
|
||||||
const resourceIds = logs
|
const resourceIds = logs
|
||||||
.map(log => log.resourceId)
|
.map((log) => log.resourceId)
|
||||||
.filter((id): id is number => id !== null && id !== undefined);
|
.filter((id): id is number => id !== null && id !== undefined);
|
||||||
|
|
||||||
const siteResourceIds = logs
|
const siteResourceIds = logs
|
||||||
.filter(log => log.resourceId == null && log.siteResourceId != null)
|
.filter((log) => log.resourceId == null && log.siteResourceId != null)
|
||||||
.map(log => log.siteResourceId)
|
.map((log) => log.siteResourceId)
|
||||||
.filter((id): id is number => id !== null && id !== undefined);
|
.filter((id): id is number => id !== null && id !== undefined);
|
||||||
|
|
||||||
if (resourceIds.length === 0 && siteResourceIds.length === 0) {
|
if (resourceIds.length === 0 && siteResourceIds.length === 0) {
|
||||||
return logs.map(log => ({ ...log, resourceName: null, resourceNiceId: null }));
|
return logs.map((log) => ({
|
||||||
|
...log,
|
||||||
|
resourceName: null,
|
||||||
|
resourceNiceId: null
|
||||||
|
}));
|
||||||
}
|
}
|
||||||
|
|
||||||
const resourceMap = new Map<number, { name: string | null; niceId: string | null }>();
|
const resourceMap = new Map<
|
||||||
|
number,
|
||||||
|
{ name: string | null; niceId: string | null }
|
||||||
|
>();
|
||||||
|
|
||||||
if (resourceIds.length > 0) {
|
if (resourceIds.length > 0) {
|
||||||
const resourceDetails = await primaryDb
|
const resourceDetails = await primaryDb
|
||||||
@@ -185,7 +201,10 @@ async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryRe
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
const siteResourceMap = new Map<number, { name: string | null; niceId: string | null }>();
|
const siteResourceMap = new Map<
|
||||||
|
number,
|
||||||
|
{ name: string | null; niceId: string | null }
|
||||||
|
>();
|
||||||
|
|
||||||
if (siteResourceIds.length > 0) {
|
if (siteResourceIds.length > 0) {
|
||||||
const siteResourceDetails = await primaryDb
|
const siteResourceDetails = await primaryDb
|
||||||
@@ -198,12 +217,15 @@ async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryRe
|
|||||||
.where(inArray(siteResources.siteResourceId, siteResourceIds));
|
.where(inArray(siteResources.siteResourceId, siteResourceIds));
|
||||||
|
|
||||||
for (const r of siteResourceDetails) {
|
for (const r of siteResourceDetails) {
|
||||||
siteResourceMap.set(r.siteResourceId, { name: r.name, niceId: r.niceId });
|
siteResourceMap.set(r.siteResourceId, {
|
||||||
|
name: r.name,
|
||||||
|
niceId: r.niceId
|
||||||
|
});
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Enrich logs with resource details
|
// Enrich logs with resource details
|
||||||
return logs.map(log => {
|
return logs.map((log) => {
|
||||||
if (log.resourceId != null) {
|
if (log.resourceId != null) {
|
||||||
const details = resourceMap.get(log.resourceId);
|
const details = resourceMap.get(log.resourceId);
|
||||||
return {
|
return {
|
||||||
@@ -247,7 +269,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
@@ -333,11 +355,11 @@ async function queryUniqueFilterAttributes(
|
|||||||
|
|
||||||
// Fetch resource names from main database for the unique resource IDs
|
// Fetch resource names from main database for the unique resource IDs
|
||||||
const resourceIds = uniqueResources
|
const resourceIds = uniqueResources
|
||||||
.map(row => row.id)
|
.map((row) => row.id)
|
||||||
.filter((id): id is number => id !== null);
|
.filter((id): id is number => id !== null);
|
||||||
|
|
||||||
const siteResourceIds = uniqueSiteResources
|
const siteResourceIds = uniqueSiteResources
|
||||||
.map(row => row.id)
|
.map((row) => row.id)
|
||||||
.filter((id): id is number => id !== null);
|
.filter((id): id is number => id !== null);
|
||||||
|
|
||||||
let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
|
let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
|
||||||
@@ -353,7 +375,7 @@ async function queryUniqueFilterAttributes(
|
|||||||
|
|
||||||
resourcesWithNames = [
|
resourcesWithNames = [
|
||||||
...resourcesWithNames,
|
...resourcesWithNames,
|
||||||
...resourceDetails.map(r => ({
|
...resourceDetails.map((r) => ({
|
||||||
id: r.resourceId,
|
id: r.resourceId,
|
||||||
name: r.name
|
name: r.name
|
||||||
}))
|
}))
|
||||||
@@ -371,7 +393,7 @@ async function queryUniqueFilterAttributes(
|
|||||||
|
|
||||||
resourcesWithNames = [
|
resourcesWithNames = [
|
||||||
...resourcesWithNames,
|
...resourcesWithNames,
|
||||||
...siteResourceDetails.map(r => ({
|
...siteResourceDetails.map((r) => ({
|
||||||
id: r.siteResourceId,
|
id: r.siteResourceId,
|
||||||
name: r.name
|
name: r.name
|
||||||
}))
|
}))
|
||||||
|
|||||||
@@ -1,14 +1,7 @@
|
|||||||
import { Request, Response, NextFunction } from "express";
|
import { Request, Response, NextFunction } from "express";
|
||||||
import { z } from "zod";
|
import { z } from "zod";
|
||||||
import { db } from "@server/db";
|
import { db } from "@server/db";
|
||||||
import {
|
import { users, userOrgs, orgs, idpOrg, idp, idpOidcConfig } from "@server/db";
|
||||||
users,
|
|
||||||
userOrgs,
|
|
||||||
orgs,
|
|
||||||
idpOrg,
|
|
||||||
idp,
|
|
||||||
idpOidcConfig
|
|
||||||
} from "@server/db";
|
|
||||||
import { eq, or, sql, and, isNotNull, inArray } from "drizzle-orm";
|
import { eq, or, sql, and, isNotNull, inArray } from "drizzle-orm";
|
||||||
import response from "@server/lib/response";
|
import response from "@server/lib/response";
|
||||||
import HttpCode from "@server/types/HttpCode";
|
import HttpCode from "@server/types/HttpCode";
|
||||||
@@ -57,7 +50,7 @@ export type LookupUserResponse = {
|
|||||||
// content: {
|
// content: {
|
||||||
// "application/json": {
|
// "application/json": {
|
||||||
// schema: z.object({
|
// schema: z.object({
|
||||||
// data: z.unknown().nullable(),
|
// data: z.record(z.string(), z.any()).nullable(),
|
||||||
// success: z.boolean(),
|
// success: z.boolean(),
|
||||||
// error: z.boolean(),
|
// error: z.boolean(),
|
||||||
// message: z.string(),
|
// message: z.string(),
|
||||||
@@ -169,46 +162,54 @@ export async function lookupUser(
|
|||||||
);
|
);
|
||||||
|
|
||||||
// Deduplicate orgs (user might have multiple memberships in same org)
|
// Deduplicate orgs (user might have multiple memberships in same org)
|
||||||
const uniqueOrgs = new Map<string, typeof userOrgMemberships[0]>();
|
const uniqueOrgs = new Map<
|
||||||
|
string,
|
||||||
|
(typeof userOrgMemberships)[0]
|
||||||
|
>();
|
||||||
for (const membership of userOrgMemberships) {
|
for (const membership of userOrgMemberships) {
|
||||||
if (!uniqueOrgs.has(membership.orgId)) {
|
if (!uniqueOrgs.has(membership.orgId)) {
|
||||||
uniqueOrgs.set(membership.orgId, membership);
|
uniqueOrgs.set(membership.orgId, membership);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
const orgsData = Array.from(uniqueOrgs.values()).map((membership) => {
|
const orgsData = Array.from(uniqueOrgs.values()).map(
|
||||||
// Get IdPs for this org where the user (with the exact identifier) is authenticated via that IdP
|
(membership) => {
|
||||||
// Only show IdPs where the user's idpId matches
|
// Get IdPs for this org where the user (with the exact identifier) is authenticated via that IdP
|
||||||
// Internal users don't have an idpId, so they won't see any IdPs
|
// Only show IdPs where the user's idpId matches
|
||||||
const orgIdpsList = orgIdps
|
// Internal users don't have an idpId, so they won't see any IdPs
|
||||||
.filter((idp) => {
|
const orgIdpsList = orgIdps
|
||||||
if (idp.orgId !== membership.orgId) {
|
.filter((idp) => {
|
||||||
|
if (idp.orgId !== membership.orgId) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
// Only show IdPs where the user (with exact identifier) is authenticated via that IdP
|
||||||
|
// This means user.idpId must match idp.idpId
|
||||||
|
if (
|
||||||
|
user.idpId !== null &&
|
||||||
|
user.idpId === idp.idpId
|
||||||
|
) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
})
|
||||||
// Only show IdPs where the user (with exact identifier) is authenticated via that IdP
|
.map((idp) => ({
|
||||||
// This means user.idpId must match idp.idpId
|
idpId: idp.idpId,
|
||||||
if (user.idpId !== null && user.idpId === idp.idpId) {
|
name: idp.idpName,
|
||||||
return true;
|
variant: idp.variant
|
||||||
}
|
}));
|
||||||
return false;
|
|
||||||
})
|
|
||||||
.map((idp) => ({
|
|
||||||
idpId: idp.idpId,
|
|
||||||
name: idp.idpName,
|
|
||||||
variant: idp.variant
|
|
||||||
}));
|
|
||||||
|
|
||||||
// Check if user has internal auth for this org
|
// Check if user has internal auth for this org
|
||||||
// User has internal auth if they have an internal account type
|
// User has internal auth if they have an internal account type
|
||||||
const orgHasInternalAuth = hasInternalAuth;
|
const orgHasInternalAuth = hasInternalAuth;
|
||||||
|
|
||||||
return {
|
return {
|
||||||
orgId: membership.orgId,
|
orgId: membership.orgId,
|
||||||
orgName: membership.orgName,
|
orgName: membership.orgName,
|
||||||
idps: orgIdpsList,
|
idps: orgIdpsList,
|
||||||
hasInternalAuth: orgHasInternalAuth
|
hasInternalAuth: orgHasInternalAuth
|
||||||
};
|
};
|
||||||
});
|
}
|
||||||
|
);
|
||||||
|
|
||||||
accounts.push({
|
accounts.push({
|
||||||
userId: user.userId,
|
userId: user.userId,
|
||||||
|
|||||||
@@ -20,7 +20,8 @@ import {
|
|||||||
ResourcePolicyPincode,
|
ResourcePolicyPincode,
|
||||||
ResourcePolicyPassword,
|
ResourcePolicyPassword,
|
||||||
ResourcePolicyHeaderAuth,
|
ResourcePolicyHeaderAuth,
|
||||||
ResourceRule
|
ResourceRule,
|
||||||
|
ResourceSession
|
||||||
} from "@server/db";
|
} from "@server/db";
|
||||||
import config from "@server/lib/config";
|
import config from "@server/lib/config";
|
||||||
import { isIpInCidr, stripPortFromHost } from "@server/lib/ip";
|
import { isIpInCidr, stripPortFromHost } from "@server/lib/ip";
|
||||||
@@ -144,9 +145,9 @@ export async function verifyResourceSession(
|
|||||||
| ResourcePolicyHeaderAuth
|
| ResourcePolicyHeaderAuth
|
||||||
| null;
|
| null;
|
||||||
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
|
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
|
||||||
applyRules: boolean;
|
applyRules: boolean | null;
|
||||||
sso: boolean;
|
sso: boolean | null;
|
||||||
emailWhitelistEnabled: boolean;
|
emailWhitelistEnabled: boolean | null;
|
||||||
org: Org;
|
org: Org;
|
||||||
}
|
}
|
||||||
| undefined = localCache.get(resourceCacheKey);
|
| undefined = localCache.get(resourceCacheKey);
|
||||||
@@ -536,7 +537,8 @@ export async function verifyResourceSession(
|
|||||||
|
|
||||||
if (resourceSessionToken) {
|
if (resourceSessionToken) {
|
||||||
const sessionCacheKey = `session:${resourceSessionToken}`;
|
const sessionCacheKey = `session:${resourceSessionToken}`;
|
||||||
let resourceSession: any = localCache.get(sessionCacheKey);
|
let resourceSession: ResourceSession | null | undefined =
|
||||||
|
localCache.get(sessionCacheKey);
|
||||||
|
|
||||||
if (!resourceSession) {
|
if (!resourceSession) {
|
||||||
const result = await validateResourceSessionToken(
|
const result = await validateResourceSessionToken(
|
||||||
@@ -671,7 +673,7 @@ export async function verifyResourceSession(
|
|||||||
orgId: resource.orgId,
|
orgId: resource.orgId,
|
||||||
location: ipCC,
|
location: ipCC,
|
||||||
apiKey: {
|
apiKey: {
|
||||||
name: resourceSession.accessTokenTitle,
|
name: null,
|
||||||
apiKeyId: resourceSession.accessTokenId
|
apiKeyId: resourceSession.accessTokenId
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
@@ -717,7 +719,7 @@ export async function verifyResourceSession(
|
|||||||
location: ipCC,
|
location: ipCC,
|
||||||
user: {
|
user: {
|
||||||
username: allowedUserData.username,
|
username: allowedUserData.username,
|
||||||
userId: resourceSession.userId
|
userId: allowedUserData.userId
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
parsedBody.data
|
parsedBody.data
|
||||||
|
|||||||
@@ -37,7 +37,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -60,7 +60,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
@@ -62,7 +62,7 @@ registry.registerPath({
|
|||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({
|
schema: z.object({
|
||||||
data: z.unknown().nullable(),
|
data: z.record(z.string(), z.any()).nullable(),
|
||||||
success: z.boolean(),
|
success: z.boolean(),
|
||||||
error: z.boolean(),
|
error: z.boolean(),
|
||||||
message: z.string(),
|
message: z.string(),
|
||||||
|
|||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user