pangolin_mirror/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-04-14 22:06:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dev' into private-http-ha

Browse Source
This commit is contained in:
Owen
2026-04-13 20:52:47 -07:00
parent 1b9a395432 03d95874e6
commit 646e440dec
46 changed files with 3017 additions and 2559 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
server/lib/ip.ts
View File

@@ -602,7 +602,7 @@ export async function generateSubnetProxyTargetV2(
pubKey: string | null;
subnet: string | null;
}[]
): Promise<SubnetProxyTargetV2 | undefined> {
): Promise<SubnetProxyTargetV2[] | undefined> {
if (clients.length === 0) {
logger.debug(
`No clients have access to site resource ${siteResource.siteResourceId}, skipping target generation.`
@@ -610,7 +610,7 @@ export async function generateSubnetProxyTargetV2(
return;
}
let target: SubnetProxyTargetV2 | null = null;
let targets: SubnetProxyTargetV2[] = [];
const portRange = [
...parsePortRangeString(siteResource.tcpPortRangeString, "tcp"),
@@ -625,34 +625,34 @@ export async function generateSubnetProxyTargetV2(
if (ipSchema.safeParse(destination).success) {
destination = `${destination}/32`;
target = {
targets.push({
sourcePrefixes: [],
destPrefix: destination,
portRange,
disableIcmp,
resourceId: siteResource.siteResourceId
};
});
}
if (siteResource.alias && siteResource.aliasAddress) {
// also push a match for the alias address
target = {
targets.push({
sourcePrefixes: [],
destPrefix: `${siteResource.aliasAddress}/32`,
rewriteTo: destination,
portRange,
disableIcmp,
resourceId: siteResource.siteResourceId
};
});
}
} else if (siteResource.mode == "cidr") {
target = {
targets.push({
sourcePrefixes: [],
destPrefix: siteResource.destination,
portRange,
disableIcmp,
resourceId: siteResource.siteResourceId
};
});
} else if (siteResource.mode == "http") {
let destination = siteResource.destination;
// check if this is a valid ip
@@ -697,7 +697,7 @@ export async function generateSubnetProxyTargetV2(
}
}
target = {
targets.push({
sourcePrefixes: [],
destPrefix: `${siteResource.aliasAddress}/32`,
rewriteTo: destination,
@@ -713,25 +713,27 @@ export async function generateSubnetProxyTargetV2(
}
],
...(tlsCert && tlsKey ? { tlsCert, tlsKey } : {})
};
});
}
if (!target) {
if (targets.length == 0) {
return;
}
for (const clientSite of clients) {
if (!clientSite.subnet) {
logger.debug(
`Client ${clientSite.clientId} has no subnet, skipping for site resource ${siteResource.siteResourceId}.`
);
continue;
for (const target of targets) {
for (const clientSite of clients) {
if (!clientSite.subnet) {
logger.debug(
`Client ${clientSite.clientId} has no subnet, skipping for site resource ${siteResource.siteResourceId}.`
);
continue;
}
const clientPrefix = `${clientSite.subnet.split("/")[0]}/32`;
// add client prefix to source prefixes
target.sourcePrefixes.push(clientPrefix);
}
const clientPrefix = `${clientSite.subnet.split("/")[0]}/32`;
// add client prefix to source prefixes
target.sourcePrefixes.push(clientPrefix);
}
// print a nice representation of the targets
@@ -739,7 +741,7 @@ export async function generateSubnetProxyTargetV2(
// `Generated subnet proxy targets for: ${JSON.stringify(targets, null, 2)}`
// );
return target;
return targets;
}
/**

24
server/lib/rebuildClientAssociations.ts
View File

@@ -769,16 +769,16 @@ async function handleSubnetProxyTargetUpdates(
);
if (addedClients.length > 0) {
const targetToAdd = await generateSubnetProxyTargetV2(
const targetsToAdd = await generateSubnetProxyTargetV2(
siteResource,
addedClients
);
if (targetToAdd) {
if (targetsToAdd) {
proxyJobs.push(
addSubnetProxyTargets(
newt.newtId,
[targetToAdd],
targetsToAdd,
newt.version
)
);
@@ -806,16 +806,16 @@ async function handleSubnetProxyTargetUpdates(
);
if (removedClients.length > 0) {
const targetToRemove = await generateSubnetProxyTargetV2(
const targetsToRemove = await generateSubnetProxyTargetV2(
siteResource,
removedClients
);
if (targetToRemove) {
if (targetsToRemove) {
proxyJobs.push(
removeSubnetProxyTargets(
newt.newtId,
[targetToRemove],
targetsToRemove,
newt.version
)
);
@@ -1328,7 +1328,7 @@ async function handleMessagesForClientResources(
}
for (const resource of resources) {
const target = await generateSubnetProxyTargetV2(resource, [
const targets = await generateSubnetProxyTargetV2(resource, [
{
clientId: client.clientId,
pubKey: client.pubKey,
@@ -1336,11 +1336,11 @@ async function handleMessagesForClientResources(
}
]);
if (target) {
if (targets) {
proxyJobs.push(
addSubnetProxyTargets(
newt.newtId,
[target],
targets,
newt.version
)
);
@@ -1437,7 +1437,7 @@ async function handleMessagesForClientResources(
}
for (const resource of resources) {
const target = await generateSubnetProxyTargetV2(resource, [
const targets = await generateSubnetProxyTargetV2(resource, [
{
clientId: client.clientId,
pubKey: client.pubKey,
@@ -1445,11 +1445,11 @@ async function handleMessagesForClientResources(
}
]);
if (target) {
if (targets) {
proxyJobs.push(
removeSubnetProxyTargets(
newt.newtId,
[target],
targets,
newt.version
)
);

49
server/private/lib/acmeCertSync.ts
View File

@@ -29,7 +29,10 @@ import { encrypt, decrypt } from "@server/lib/crypto";
import logger from "@server/logger";
import privateConfig from "#private/lib/config";
import config from "@server/lib/config";
import { generateSubnetProxyTargetV2, SubnetProxyTargetV2 } from "@server/lib/ip";
import {
generateSubnetProxyTargetV2,
SubnetProxyTargetV2
} from "@server/lib/ip";
import { updateTargets } from "@server/routers/client/targets";
import cache from "#private/lib/cache";
import { build } from "@server/build";
@@ -142,26 +145,26 @@ async function pushCertUpdateToAffectedNewts(
}
// Generate target once — same cert applies to all sites for this resource
const newTarget = await generateSubnetProxyTargetV2(
const newTargets = await generateSubnetProxyTargetV2(
resource,
resourceClients
);
if (!newTarget) {
if (!newTargets) {
logger.debug(
`acmeCertSync: could not generate target for resource ${resource.siteResourceId}, skipping`
);
continue;
}
// Construct the old target — same routing shape but with the previous cert/key.
// Construct the old targets — same routing shape but with the previous cert/key.
// The newt only uses destPrefix/sourcePrefixes for removal, but we keep the
// semantics correct so the update message accurately reflects what changed.
const oldTarget: SubnetProxyTargetV2 = {
...newTarget,
const oldTargets: SubnetProxyTargetV2[] = newTargets.map((t) => ({
...t,
tlsCert: oldCertPem ?? undefined,
tlsKey: oldKeyPem ?? undefined
};
}));
// Push update to each site's newt
for (const { siteId } of resourceSiteRows) {
@@ -180,7 +183,7 @@ async function pushCertUpdateToAffectedNewts(
await updateTargets(
newt.newtId,
{ oldTargets: [oldTarget], newTargets: [newTarget] },
{ oldTargets: oldTargets, newTargets: newTargets },
newt.version
);
@@ -275,8 +278,6 @@ async function syncAcmeCerts(
return;
}
for (const cert of resolverData.Certificates) {
const domain = cert.domain?.main;
@@ -364,8 +365,14 @@ async function syncAcmeCerts(
}
const wildcard = domain.startsWith("*.");
const encryptedCert = encrypt(certPem, config.getRawConfig().server.secret!);
const encryptedKey = encrypt(keyPem, config.getRawConfig().server.secret!);
const encryptedCert = encrypt(
certPem,
config.getRawConfig().server.secret!
);
const encryptedKey = encrypt(
keyPem,
config.getRawConfig().server.secret!
);
const now = Math.floor(Date.now() / 1000);
const domainId = await findDomainId(domain);
@@ -397,7 +404,12 @@ async function syncAcmeCerts(
`acmeCertSync: updated certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
);
await pushCertUpdateToAffectedNewts(domain, domainId, oldCertPem, oldKeyPem);
await pushCertUpdateToAffectedNewts(
domain,
domainId,
oldCertPem,
oldKeyPem
);
} else {
await db.insert(certificates).values({
domain,
@@ -430,17 +442,22 @@ export function initAcmeCertSync(): void {
const privateConfigData = privateConfig.getRawPrivateConfig();
if (!privateConfigData.flags?.enable_acme_cert_sync) {
logger.debug(`acmeCertSync: ACME cert sync is disabled by config flag, skipping`);
logger.debug(
`acmeCertSync: ACME cert sync is disabled by config flag, skipping`
);
return;
}
if (privateConfigData.flags.use_pangolin_dns) {
logger.debug(`acmeCertSync: ACME cert sync requires use_pangolin_dns flag to be disabled, skipping`);
logger.debug(
`acmeCertSync: ACME cert sync requires use_pangolin_dns flag to be disabled, skipping`
);
return;
}
const acmeJsonPath =
privateConfigData.acme?.acme_json_path ?? "config/letsencrypt/acme.json";
privateConfigData.acme?.acme_json_path ??
"config/letsencrypt/acme.json";
const resolver = privateConfigData.acme?.resolver ?? "letsencrypt";
const intervalMs = privateConfigData.acme?.sync_interval_ms ?? 5000;

6
server/routers/external.ts
View File

@@ -440,6 +440,12 @@ authenticated.get(
resource.getUserResources
);
authenticated.get(
"/org/:orgId/user-resource-aliases",
verifyOrgAccess,
resource.listUserResourceAliases
);
authenticated.get(
"/org/:orgId/domains",
verifyOrgAccess,

6
server/routers/newt/buildConfiguration.ts
View File

@@ -173,13 +173,13 @@ export async function buildClientConfigurationForNewtClient(
)
);
const resourceTarget = await generateSubnetProxyTargetV2(
const resourceTargets = await generateSubnetProxyTargetV2(
resource,
resourceClients
);
if (resourceTarget) {
targetsToSend.push(resourceTarget);
if (resourceTargets) {
targetsToSend.push(...resourceTargets);
}
}

2
server/routers/resource/createResource.ts
View File

@@ -200,7 +200,7 @@ async function createHttpResource(
if (build == "saas" && !isSubscribed(orgId!, tierMatrix.domainNamespaces)) {
// grandfather in existing users
const lastAllowedDate = new Date("2026-04-12");
const lastAllowedDate = new Date("2026-04-13");
const userCreatedDate = new Date(req.user?.dateCreated || new Date());
if (userCreatedDate > lastAllowedDate) {
// check if this domain id is a namespace domain and if so, reject

4
server/routers/resource/getUserResources.ts
View File

@@ -142,6 +142,7 @@ export async function getUserResources(
let siteResourcesData: Array<{
siteResourceId: number;
name: string;
niceId: string;
destination: string;
mode: string;
scheme: string | null;
@@ -154,6 +155,7 @@ export async function getUserResources(
.select({
siteResourceId: siteResources.siteResourceId,
name: siteResources.name,
niceId: siteResources.niceId,
destination: siteResources.destination,
mode: siteResources.mode,
scheme: siteResources.scheme,
@@ -249,7 +251,7 @@ export async function getUserResources(
});
return response(res, {
data: {
data: {
resources: resourcesWithAuth,
siteResources: siteResourcesFormatted
},

1
server/routers/resource/index.ts
View File

@@ -22,6 +22,7 @@ export * from "./deleteResourceRule";
export * from "./listResourceRules";
export * from "./updateResourceRule";
export * from "./getUserResources";
export * from "./listUserResourceAliases";
export * from "./setResourceHeaderAuth";
export * from "./addEmailToResourceWhitelist";
export * from "./removeEmailFromResourceWhitelist";

8
server/routers/resource/listResources.ts
View File

@@ -6,6 +6,7 @@ import {
resourcePincode,
resources,
roleResources,
sites,
targetHealthCheck,
targets,
userResources
@@ -138,6 +139,7 @@ export type ResourceWithTargets = {
port: number;
enabled: boolean;
healthStatus: "healthy" | "unhealthy" | "unknown" | null;
siteName: string | null;
}>;
};
@@ -446,14 +448,16 @@ export async function listResources(
port: targets.port,
enabled: targets.enabled,
healthStatus: targetHealthCheck.hcHealth,
hcEnabled: targetHealthCheck.hcEnabled
hcEnabled: targetHealthCheck.hcEnabled,
siteName: sites.name
})
.from(targets)
.where(inArray(targets.resourceId, resourceIdList))
.leftJoin(
targetHealthCheck,
eq(targetHealthCheck.targetId, targets.targetId)
);
)
.leftJoin(sites, eq(targets.siteId, sites.siteId));
// avoids TS issues with reduce/never[]
const map = new Map<number, ResourceWithTargets>();

262
server/routers/resource/listUserResourceAliases.ts Normal file
View File

@@ -0,0 +1,262 @@
import { Request, Response, NextFunction } from "express";
import {
db,
siteResources,
userSiteResources,
roleSiteResources,
userOrgRoles,
userOrgs
} from "@server/db";
import { and, eq, inArray, asc, isNotNull, ne } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
import response from "@server/lib/response";
import logger from "@server/logger";
import { z } from "zod";
import { fromZodError } from "zod-validation-error";
import type { PaginatedResponse } from "@server/types/Pagination";
import { OpenAPITags, registry } from "@server/openApi";
import { localCache } from "#dynamic/lib/cache";
const USER_RESOURCE_ALIASES_CACHE_TTL_SEC = 60;
function userResourceAliasesCacheKey(
orgId: string,
userId: string,
page: number,
pageSize: number
) {
return `userResourceAliases:${orgId}:${userId}:${page}:${pageSize}`;
}
const listUserResourceAliasesParamsSchema = z.strictObject({
orgId: z.string()
});
const listUserResourceAliasesQuerySchema = z.object({
pageSize: z.coerce
.number<string>()
.int()
.positive()
.optional()
.catch(20)
.default(20)
.openapi({
type: "integer",
default: 20,
description: "Number of items per page"
}),
page: z.coerce
.number<string>()
.int()
.min(0)
.optional()
.catch(1)
.default(1)
.openapi({
type: "integer",
default: 1,
description: "Page number to retrieve"
})
});
export type ListUserResourceAliasesResponse = PaginatedResponse<{
aliases: string[];
}>;
// registry.registerPath({
// method: "get",
// path: "/org/{orgId}/user-resource-aliases",
// description:
// "List private (host-mode) site resource aliases the authenticated user can access in the organization, paginated.",
// tags: [OpenAPITags.PrivateResource],
// request: {
// params: z.object({
// orgId: z.string()
// }),
// query: listUserResourceAliasesQuerySchema
// },
// responses: {}
// });
export async function listUserResourceAliases(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedQuery = listUserResourceAliasesQuerySchema.safeParse(
req.query
);
if (!parsedQuery.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromZodError(parsedQuery.error)
)
);
}
const { page, pageSize } = parsedQuery.data;
const parsedParams = listUserResourceAliasesParamsSchema.safeParse(
req.params
);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromZodError(parsedParams.error)
)
);
}
const { orgId } = parsedParams.data;
const userId = req.user?.userId;
if (!userId) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
);
}
const [userOrg] = await db
.select()
.from(userOrgs)
.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
.limit(1);
if (!userOrg) {
return next(
createHttpError(HttpCode.FORBIDDEN, "User not in organization")
);
}
const cacheKey = userResourceAliasesCacheKey(
orgId,
userId,
page,
pageSize
);
const cachedData: ListUserResourceAliasesResponse | undefined =
localCache.get(cacheKey);
if (cachedData) {
return response<ListUserResourceAliasesResponse>(res, {
data: cachedData,
success: true,
error: false,
message: "User resource aliases retrieved successfully",
status: HttpCode.OK
});
}
const userRoleIds = await db
.select({ roleId: userOrgRoles.roleId })
.from(userOrgRoles)
.where(
and(
eq(userOrgRoles.userId, userId),
eq(userOrgRoles.orgId, orgId)
)
)
.then((rows) => rows.map((r) => r.roleId));
const directSiteResourcesQuery = db
.select({ siteResourceId: userSiteResources.siteResourceId })
.from(userSiteResources)
.where(eq(userSiteResources.userId, userId));
const roleSiteResourcesQuery =
userRoleIds.length > 0
? db
.select({
siteResourceId: roleSiteResources.siteResourceId
})
.from(roleSiteResources)
.where(inArray(roleSiteResources.roleId, userRoleIds))
: Promise.resolve([]);
const [directSiteResourceResults, roleSiteResourceResults] =
await Promise.all([
directSiteResourcesQuery,
roleSiteResourcesQuery
]);
const accessibleSiteResourceIds = [
...directSiteResourceResults.map((r) => r.siteResourceId),
...roleSiteResourceResults.map((r) => r.siteResourceId)
];
if (accessibleSiteResourceIds.length === 0) {
const data: ListUserResourceAliasesResponse = {
aliases: [],
pagination: {
total: 0,
pageSize,
page
}
};
localCache.set(cacheKey, data, USER_RESOURCE_ALIASES_CACHE_TTL_SEC);
return response<ListUserResourceAliasesResponse>(res, {
data,
success: true,
error: false,
message: "User resource aliases retrieved successfully",
status: HttpCode.OK
});
}
const whereClause = and(
eq(siteResources.orgId, orgId),
eq(siteResources.enabled, true),
eq(siteResources.mode, "host"),
isNotNull(siteResources.alias),
ne(siteResources.alias, ""),
inArray(siteResources.siteResourceId, accessibleSiteResourceIds)
);
const baseSelect = () =>
db
.select({ alias: siteResources.alias })
.from(siteResources)
.where(whereClause);
const countQuery = db.$count(baseSelect().as("filtered_aliases"));
const [rows, totalCount] = await Promise.all([
baseSelect()
.orderBy(asc(siteResources.alias))
.limit(pageSize)
.offset(pageSize * (page - 1)),
countQuery
]);
const aliases = rows.map((r) => r.alias as string);
const data: ListUserResourceAliasesResponse = {
aliases,
pagination: {
total: totalCount,
pageSize,
page
}
};
localCache.set(cacheKey, data, USER_RESOURCE_ALIASES_CACHE_TTL_SEC);
return response<ListUserResourceAliasesResponse>(res, {
data,
success: true,
error: false,
message: "User resource aliases retrieved successfully",
status: HttpCode.OK
});
} catch (error) {
logger.error(error);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Internal server error"
)
);
}
}

2
server/routers/resource/updateResource.ts
View File

@@ -326,7 +326,7 @@ async function updateHttpResource(
!isSubscribed(resource.orgId, tierMatrix.domainNamespaces)
) {
// grandfather in existing users
const lastAllowedDate = new Date("2026-04-12");
const lastAllowedDate = new Date("2026-04-13");
const userCreatedDate = new Date(
req.user?.dateCreated || new Date()
);

8
server/routers/siteResource/updateSiteResource.ts
View File

@@ -768,11 +768,11 @@ export async function handleMessagingForUpdatedSiteResource(
portRangesChanged ||
destinationPortChanged
) {
const oldTarget = await generateSubnetProxyTargetV2(
const oldTargets = await generateSubnetProxyTargetV2(
existingSiteResource,
mergedAllClients
);
const newTarget = await generateSubnetProxyTargetV2(
const newTargets = await generateSubnetProxyTargetV2(
updatedSiteResource,
mergedAllClients
);
@@ -780,8 +780,8 @@ export async function handleMessagingForUpdatedSiteResource(
await updateTargets(
newt.newtId,
{
oldTargets: oldTarget ? [oldTarget] : [],
newTargets: newTarget ? [newTarget] : []
oldTargets: oldTargets ? oldTargets : [],
newTargets: newTargets ? newTargets : []
},
newt.version
);

3
server/routers/user/getUser.ts
View File

@@ -21,7 +21,8 @@ async function queryUser(userId: string) {
serverAdmin: users.serverAdmin,
idpName: idp.name,
idpId: users.idpId,
locale: users.locale
locale: users.locale,
dateCreated: users.dateCreated
})
.from(users)
.leftJoin(idp, eq(users.idpId, idp.idpId))

3
server/routers/user/myDevice.ts
View File

@@ -64,7 +64,8 @@ export async function myDevice(
serverAdmin: users.serverAdmin,
idpName: idp.name,
idpId: users.idpId,
locale: users.locale
locale: users.locale,
dateCreated: users.dateCreated
})
.from(users)
.leftJoin(idp, eq(users.idpId, idp.idpId))