first pass

server/private/routers/ssh/signSshKey.ts

@@ -30,7 +30,7 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { eq, or, and } from "drizzle-orm";
+import { and, eq, inArray, or } from "drizzle-orm";
 import { canUserAccessSiteResource } from "@server/auth/canUserAccessSiteResource";
 import { signPublicKey, getOrgCAKeys } from "#private/lib/sshCA";
 import config from "@server/lib/config";
@@ -122,7 +122,7 @@ export async function signSshKey(
             resource: resourceQueryString
         } = parsedBody.data;
         const userId = req.user?.userId;
-        const roleId = req.userOrgRoleId!;
+        const roleIds = req.userOrgRoleIds ?? [];
 
         if (!userId) {
             return next(
@@ -130,6 +130,15 @@ export async function signSshKey(
             );
         }
 
+        if (roleIds.length === 0) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User has no role in organization"
+                )
+            );
+        }
+
         const [userOrg] = await db
             .select()
             .from(userOrgs)
@@ -310,11 +319,11 @@ export async function signSshKey(
             );
         }
 
-        // Check if the user has access to the resource
+        // Check if the user has access to the resource (any of their roles)
         const hasAccess = await canUserAccessSiteResource({
             userId: userId,
             resourceId: resource.siteResourceId,
-            roleId: roleId
+            roleIds
         });
 
         if (!hasAccess) {
@@ -326,28 +335,39 @@ export async function signSshKey(
             );
         }
 
-        const [roleRow] = await db
+        const roleRows = await db
             .select()
             .from(roles)
-            .where(eq(roles.roleId, roleId))
-            .limit(1);
+            .where(inArray(roles.roleId, roleIds));
 
-        let parsedSudoCommands: string[] = [];
-        let parsedGroups: string[] = [];
-        try {
-            parsedSudoCommands = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
-            if (!Array.isArray(parsedSudoCommands)) parsedSudoCommands = [];
-        } catch {
-            parsedSudoCommands = [];
+        const parsedSudoCommands: string[] = [];
+        const parsedGroupsSet = new Set<string>();
+        let homedir: boolean | null = null;
+        const sudoModeOrder = { none: 0, commands: 1, all: 2 };
+        let sudoMode: "none" | "commands" | "all" = "none";
+        for (const roleRow of roleRows) {
+            try {
+                const cmds = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
+                if (Array.isArray(cmds)) parsedSudoCommands.push(...cmds);
+            } catch {
+                // skip
+            }
+            try {
+                const grps = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
+                if (Array.isArray(grps)) grps.forEach((g: string) => parsedGroupsSet.add(g));
+            } catch {
+                // skip
+            }
+            if (roleRow?.sshCreateHomeDir === true) homedir = true;
+            const m = roleRow?.sshSudoMode ?? "none";
+            if (sudoModeOrder[m as keyof typeof sudoModeOrder] > sudoModeOrder[sudoMode]) {
+                sudoMode = m as "none" | "commands" | "all";
+            }
         }
-        try {
-            parsedGroups = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
-            if (!Array.isArray(parsedGroups)) parsedGroups = [];
-        } catch {
-            parsedGroups = [];
+        const parsedGroups = Array.from(parsedGroupsSet);
+        if (homedir === null && roleRows.length > 0) {
+            homedir = roleRows[0].sshCreateHomeDir ?? null;
         }
-        const homedir = roleRow?.sshCreateHomeDir ?? null;
-        const sudoMode = roleRow?.sshSudoMode ?? "none";
 
         // get the site
         const [newt] = await db