Merge branch 'logging-provision' into dev

2026-03-31 06:56:39 +00:00 · 2026-03-29 13:59:14 -07:00
parent 9808a48da0 a3b088f8d2
commit 9dc9b6a2c3
43 changed files with 4458 additions and 36 deletions
--- a/server/routers/auditLogs/types.ts
+++ b/server/routers/auditLogs/types.ts
@@ -91,3 +91,50 @@ export type QueryAccessAuditLogResponse = {
        locations: string[];
    };
 };
+
+export type QueryConnectionAuditLogResponse = {
+    log: {
+        sessionId: string;
+        siteResourceId: number | null;
+        orgId: string | null;
+        siteId: number | null;
+        clientId: number | null;
+        userId: string | null;
+        sourceAddr: string;
+        destAddr: string;
+        protocol: string;
+        startedAt: number;
+        endedAt: number | null;
+        bytesTx: number | null;
+        bytesRx: number | null;
+        resourceName: string | null;
+        resourceNiceId: string | null;
+        siteName: string | null;
+        siteNiceId: string | null;
+        clientName: string | null;
+        clientNiceId: string | null;
+        clientType: string | null;
+        userEmail: string | null;
+    }[];
+    pagination: {
+        total: number;
+        limit: number;
+        offset: number;
+    };
+    filterAttributes: {
+        protocols: string[];
+        destAddrs: string[];
+        clients: {
+            id: number;
+            name: string;
+        }[];
+        resources: {
+            id: number;
+            name: string | null;
+        }[];
+        users: {
+            id: string;
+            email: string | null;
+        }[];
+    };
+};
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -102,6 +102,8 @@ authenticated.put(
    logActionAudit(ActionsEnum.createSite),
    site.createSite
 );
+
+
 authenticated.get(
    "/org/:orgId/sites",
    verifyOrgAccess,
@@ -1203,6 +1205,22 @@ authRouter.post(
    }),
    newt.getNewtToken
 );
+
+authRouter.post(
+    "/newt/register",
+    rateLimit({
+        windowMs: 15 * 60 * 1000,
+        max: 30,
+        keyGenerator: (req) =>
+            `newtRegister:${req.body.provisioningKey?.split(".")[0] || ipKeyGenerator(req.ip || "")}`,
+        handler: (req, res, next) => {
+            const message = `You can only register a newt ${30} times every ${15} minutes. Please try again later.`;
+            return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
+        },
+        store: createStore()
+    }),
+    newt.registerNewt
+);
 authRouter.post(
    "/olm/get-token",
    rateLimit({
--- a/server/routers/newt/handleConnectionLogMessage.ts
+++ b/server/routers/newt/handleConnectionLogMessage.ts
@@ -0,0 +1,13 @@
+import { MessageHandler } from "@server/routers/ws";
+
+export async function flushConnectionLogToDb(): Promise<void> {
+   return;
+}
+
+export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
+    return;
+}
+
+export const handleConnectionLogMessage: MessageHandler = async (context) => {
+    return;
+};
--- a/server/routers/newt/index.ts
+++ b/server/routers/newt/index.ts
@@ -8,3 +8,5 @@ export * from "./handleNewtPingRequestMessage";
 export * from "./handleApplyBlueprintMessage";
 export * from "./handleNewtPingMessage";
 export * from "./handleNewtDisconnectingMessage";
+export * from "./handleConnectionLogMessage";
+export * from "./registerNewt";
--- a/server/routers/newt/registerNewt.ts
+++ b/server/routers/newt/registerNewt.ts
@@ -0,0 +1,266 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import {
+    siteProvisioningKeys,
+    siteProvisioningKeyOrg,
+    newts,
+    orgs,
+    roles,
+    roleSites,
+    sites
+} from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { eq, and, sql } from "drizzle-orm";
+import { fromError } from "zod-validation-error";
+import { verifyPassword, hashPassword } from "@server/auth/password";
+import {
+    generateId,
+    generateIdFromEntropySize
+} from "@server/auth/sessions/app";
+import { getUniqueSiteName } from "@server/db/names";
+import moment from "moment";
+import { build } from "@server/build";
+import { usageService } from "@server/lib/billing/usageService";
+import { FeatureId } from "@server/lib/billing";
+import { INSPECT_MAX_BYTES } from "buffer";
+import { v } from "@faker-js/faker/dist/airline-Dz1uGqgJ";
+
+const bodySchema = z.object({
+    provisioningKey: z.string().nonempty()
+});
+
+export type RegisterNewtBody = z.infer<typeof bodySchema>;
+
+export type RegisterNewtResponse = {
+    newtId: string;
+    secret: string;
+};
+
+export async function registerNewt(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { provisioningKey } = parsedBody.data;
+
+        // Keys are in the format "siteProvisioningKeyId.secret"
+        const dotIndex = provisioningKey.indexOf(".");
+        if (dotIndex === -1) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Invalid provisioning key format"
+                )
+            );
+        }
+
+        const provisioningKeyId = provisioningKey.substring(0, dotIndex);
+        const provisioningKeySecret = provisioningKey.substring(dotIndex + 1);
+
+        // Look up the provisioning key by ID, joining to get the orgId
+        const [keyRecord] = await db
+            .select({
+                siteProvisioningKeyId:
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                siteProvisioningKeyHash:
+                    siteProvisioningKeys.siteProvisioningKeyHash,
+                orgId: siteProvisioningKeyOrg.orgId,
+                maxBatchSize: siteProvisioningKeys.maxBatchSize,
+                numUsed: siteProvisioningKeys.numUsed,
+                validUntil: siteProvisioningKeys.validUntil
+            })
+            .from(siteProvisioningKeys)
+            .innerJoin(
+                siteProvisioningKeyOrg,
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    siteProvisioningKeyOrg.siteProvisioningKeyId
+                )
+            )
+            .where(
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    provisioningKeyId
+                )
+            )
+            .limit(1);
+
+        if (!keyRecord) {
+            return next(
+                createHttpError(
+                    HttpCode.UNAUTHORIZED,
+                    "Invalid provisioning key"
+                )
+            );
+        }
+
+        // Verify the secret portion against the stored hash
+        const validSecret = await verifyPassword(
+            provisioningKeySecret,
+            keyRecord.siteProvisioningKeyHash
+        );
+        if (!validSecret) {
+            return next(
+                createHttpError(
+                    HttpCode.UNAUTHORIZED,
+                    "Invalid provisioning key"
+                )
+            );
+        }
+
+        if (keyRecord.maxBatchSize && keyRecord.numUsed >= keyRecord.maxBatchSize) {
+            return next(
+                createHttpError(
+                    HttpCode.UNAUTHORIZED,
+                    "Provisioning key has reached its maximum usage"
+                )
+            );
+        }
+
+        if (keyRecord.validUntil && new Date(keyRecord.validUntil) < new Date()) {
+            return next(
+                createHttpError(
+                    HttpCode.UNAUTHORIZED,
+                    "Provisioning key has expired"
+                )
+            );
+        }
+
+        const { orgId } = keyRecord;
+
+        // Verify the org exists
+        const [org] = await db.select().from(orgs).where(eq(orgs.orgId, orgId));
+        if (!org) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Organization not found")
+            );
+        }
+
+        // SaaS billing check
+        if (build == "saas") {
+            const usage = await usageService.getUsage(orgId, FeatureId.SITES);
+            if (!usage) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        "No usage data found for this organization"
+                    )
+                );
+            }
+            const rejectSites = await usageService.checkLimitSet(
+                orgId,
+                FeatureId.SITES,
+                {
+                    ...usage,
+                    instantaneousValue: (usage.instantaneousValue || 0) + 1
+                }
+            );
+            if (rejectSites) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Site limit exceeded. Please upgrade your plan."
+                    )
+                );
+            }
+        }
+
+        const niceId = await getUniqueSiteName(orgId);
+        const newtId = generateId(15);
+        const newtSecret = generateIdFromEntropySize(25);
+        const secretHash = await hashPassword(newtSecret);
+
+        let newSiteId: number | undefined;
+
+        await db.transaction(async (trx) => {
+            // Create the site (type "newt", name = niceId)
+            const [newSite] = await trx
+                .insert(sites)
+                .values({
+                    orgId,
+                    name: niceId,
+                    niceId,
+                    type: "newt",
+                    dockerSocketEnabled: true
+                })
+                .returning();
+
+            newSiteId = newSite.siteId;
+
+            // Grant admin role access to the new site
+            const [adminRole] = await trx
+                .select()
+                .from(roles)
+                .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
+                .limit(1);
+
+            if (!adminRole) {
+                throw new Error(`Admin role not found for org ${orgId}`);
+            }
+
+            await trx.insert(roleSites).values({
+                roleId: adminRole.roleId,
+                siteId: newSite.siteId
+            });
+
+            // Create the newt for this site
+            await trx.insert(newts).values({
+                newtId,
+                secretHash,
+                siteId: newSite.siteId,
+                dateCreated: moment().toISOString()
+            });
+
+            // Consume the provisioning key — cascade removes siteProvisioningKeyOrg
+            await trx
+                .update(siteProvisioningKeys)
+                .set({
+                    lastUsed: moment().toISOString(),
+                    numUsed: sql`${siteProvisioningKeys.numUsed} + 1`
+                })
+                .where(
+                    eq(
+                        siteProvisioningKeys.siteProvisioningKeyId,
+                        provisioningKeyId
+                    )
+                );
+
+            await usageService.add(orgId, FeatureId.SITES, 1, trx);
+        });
+
+        logger.info(
+            `Provisioned new site (ID: ${newSiteId}) and newt (ID: ${newtId}) for org ${orgId} via provisioning key ${provisioningKeyId}`
+        );
+
+        return response<RegisterNewtResponse>(res, {
+            data: {
+                newtId,
+                secret: newtSecret
+            },
+            success: true,
+            error: false,
+            message: "Newt registered successfully",
+            status: HttpCode.CREATED
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
--- a/server/routers/siteProvisioning/types.ts
+++ b/server/routers/siteProvisioning/types.ts
@@ -0,0 +1,41 @@
+export type SiteProvisioningKeyListItem = {
+    siteProvisioningKeyId: string;
+    orgId: string;
+    lastChars: string;
+    createdAt: string;
+    name: string;
+    lastUsed: string | null;
+    maxBatchSize: number | null;
+    numUsed: number;
+    validUntil: string | null;
+};
+
+export type ListSiteProvisioningKeysResponse = {
+    siteProvisioningKeys: SiteProvisioningKeyListItem[];
+    pagination: { total: number; limit: number; offset: number };
+};
+
+export type CreateSiteProvisioningKeyResponse = {
+    siteProvisioningKeyId: string;
+    orgId: string;
+    name: string;
+    siteProvisioningKey: string;
+    lastChars: string;
+    createdAt: string;
+    lastUsed: string | null;
+    maxBatchSize: number | null;
+    numUsed: number;
+    validUntil: string | null;
+};
+
+export type UpdateSiteProvisioningKeyResponse = {
+    siteProvisioningKeyId: string;
+    orgId: string;
+    name: string;
+    lastChars: string;
+    createdAt: string;
+    lastUsed: string | null;
+    maxBatchSize: number | null;
+    numUsed: number;
+    validUntil: string | null;
+};