Initial sign endpoint working

2026-02-25 22:36:38 +00:00 · 2026-02-16 15:19:29 -08:00
parent bfd5aa30a7
commit 9cf59c409e
14 changed files with 985 additions and 14 deletions
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -14,7 +14,8 @@ export enum TierFeature {
    TwoFactorEnforcement = "twoFactorEnforcement", // handle downgrade by setting to optional
    SessionDurationPolicies = "sessionDurationPolicies", // handle downgrade by setting to default duration
    PasswordExpirationPolicies = "passwordExpirationPolicies", // handle downgrade by setting to default duration
-    AutoProvisioning = "autoProvisioning" // handle downgrade by disabling auto provisioning
+    AutoProvisioning = "autoProvisioning", // handle downgrade by disabling auto provisioning
+    SshPam = "sshPam"
 }

 export const tierMatrix: Record<TierFeature, Tier[]> = {
@@ -46,5 +47,6 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
        "tier3",
        "enterprise"
    ],
-    [TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"]
+    [TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"],
+    [TierFeature.SshPam]: ["enterprise"]
 };
--- a/server/lib/createUserAccountOrg.ts
+++ b/server/lib/createUserAccountOrg.ts
@@ -19,6 +19,8 @@ import { FeatureId, limitsService, sandboxLimitSet } from "@server/lib/billing";
 import { createCustomer } from "#dynamic/lib/billing";
 import { usageService } from "@server/lib/billing/usageService";
 import config from "@server/lib/config";
+import { generateCA } from "@server/private/lib/sshCA";
+import { encrypt } from "@server/lib/crypto";

 export async function createUserAccountOrg(
    userId: string,
@@ -79,6 +81,11 @@ export async function createUserAccountOrg(

        const utilitySubnet = config.getRawConfig().orgs.utility_subnet_group;

+        // Generate SSH CA keys for the org
+        const ca = generateCA(`${orgId}-ca`);
+        const encryptionKey = config.getRawConfig().server.secret!;
+        const encryptedCaPrivateKey = encrypt(ca.privateKeyPem, encryptionKey);
+
        const newOrg = await trx
            .insert(orgs)
            .values({
@@ -87,7 +94,9 @@ export async function createUserAccountOrg(
                // subnet
                subnet: "100.90.128.0/24", // TODO: this should not be hardcoded - or can it be the same in all orgs?
                utilitySubnet: utilitySubnet,
-                createdAt: new Date().toISOString()
+                createdAt: new Date().toISOString(),
+                sshCaPrivateKey: encryptedCaPrivateKey,
+                sshCaPublicKey: ca.publicKeyOpenSSH
            })
            .returning();