ssh settings on a role

2026-02-27 23:36:39 +00:00 · 2026-02-19 17:53:11 -08:00
parent 874794c996
commit 7a01a4e090
16 changed files with 982 additions and 484 deletions
--- a/server/routers/role/createRole.ts
+++ b/server/routers/role/createRole.ts
@@ -18,10 +18,17 @@ const createRoleParamsSchema = z.strictObject({
    orgId: z.string()
 });

+const sshSudoModeSchema = z.enum(["none", "full", "commands"]);
+
 const createRoleSchema = z.strictObject({
    name: z.string().min(1).max(255),
    description: z.string().optional(),
-    requireDeviceApproval: z.boolean().optional()
+    requireDeviceApproval: z.boolean().optional(),
+    allowSsh: z.boolean().optional(),
+    sshSudoMode: sshSudoModeSchema.optional(),
+    sshSudoCommands: z.array(z.string()).optional(),
+    sshCreateHomeDir: z.boolean().optional(),
+    sshUnixGroups: z.array(z.string()).optional()
 });

 export const defaultRoleAllowedActions: ActionsEnum[] = [
@@ -101,24 +108,40 @@ export async function createRole(
            );
        }

-        const isLicensed = await isLicensedOrSubscribed(orgId, tierMatrix.deviceApprovals);
-        if (!isLicensed) {
+        const isLicensedDeviceApprovals = await isLicensedOrSubscribed(orgId, tierMatrix.deviceApprovals);
+        if (!isLicensedDeviceApprovals) {
            roleData.requireDeviceApproval = undefined;
        }

+        const isLicensedSshPam = await isLicensedOrSubscribed(orgId, tierMatrix.sshPam);
+        const roleInsertValues: Record<string, unknown> = {
+            name: roleData.name,
+            orgId
+        };
+        if (roleData.description !== undefined) roleInsertValues.description = roleData.description;
+        if (roleData.requireDeviceApproval !== undefined) roleInsertValues.requireDeviceApproval = roleData.requireDeviceApproval;
+        if (isLicensedSshPam) {
+            if (roleData.sshSudoMode !== undefined) roleInsertValues.sshSudoMode = roleData.sshSudoMode;
+            if (roleData.sshSudoCommands !== undefined) roleInsertValues.sshSudoCommands = JSON.stringify(roleData.sshSudoCommands);
+            if (roleData.sshCreateHomeDir !== undefined) roleInsertValues.sshCreateHomeDir = roleData.sshCreateHomeDir;
+            if (roleData.sshUnixGroups !== undefined) roleInsertValues.sshUnixGroups = JSON.stringify(roleData.sshUnixGroups);
+        }
+
        await db.transaction(async (trx) => {
            const newRole = await trx
                .insert(roles)
-                .values({
-                    ...roleData,
-                    orgId
-                })
+                .values(roleInsertValues as typeof roles.$inferInsert)
                .returning();

+            const actionsToInsert = [...defaultRoleAllowedActions];
+            if (roleData.allowSsh) {
+                actionsToInsert.push(ActionsEnum.signSshKey);
+            }
+
            await trx
                .insert(roleActions)
                .values(
-                    defaultRoleAllowedActions.map((action) => ({
+                    actionsToInsert.map((action) => ({
                        roleId: newRole[0].roleId,
                        actionId: action,
                        orgId