pangolin_mirror/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-02-07 21:46:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dev' into feat/device-approvals

Browse Source
This commit is contained in:
Fred KISSIE
2026-01-14 23:08:12 +01:00
parent ce123a7f1a 5f184e9e5e
commit cbf184342b
78 changed files with 2815 additions and 421 deletions
Download Patch File Download Diff File Expand all files Collapse all files

149
.github/workflows/cicd.yml vendored
View File

@@ -329,20 +329,89 @@ jobs:
skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}" skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
shell: bash shell: bash
- name: Copy tag from Docker Hub to GHCR - name: Copy tags from Docker Hub to GHCR
# Mirror the already-built image (all architectures) to GHCR so we can sign it # Mirror the already-built images (all architectures) to GHCR so we can sign them
# Wait a bit for both architectures to be available in Docker Hub manifest # Wait a bit for both architectures to be available in Docker Hub manifest
env: env:
REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
run: | run: |
set -euo pipefail set -euo pipefail
TAG=${{ env.TAG }} TAG=${{ env.TAG }}
echo "Waiting for multi-arch manifest to be ready..." MAJOR_TAG=$(echo $TAG | cut -d. -f1)
MINOR_TAG=$(echo $TAG | cut -d. -f1,2)
echo "Waiting for multi-arch manifests to be ready..."
sleep 30 sleep 30
echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
skopeo copy --all --retry-times 3 \ # Determine if this is an RC release
docker://$DOCKERHUB_IMAGE:$TAG \ IS_RC="false"
docker://$GHCR_IMAGE:$TAG if echo "$TAG" | grep -qE "rc[0-9]+$"; then
IS_RC="true"
fi
if [ "$IS_RC" = "true" ]; then
echo "RC release detected - copying version-specific tags only"
# SQLite OSS
echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
skopeo copy --all --retry-times 3 \
docker://$DOCKERHUB_IMAGE:$TAG \
docker://$GHCR_IMAGE:$TAG
# PostgreSQL OSS
echo "Copying ${{ env.DOCKERHUB_IMAGE }}:postgresql-${TAG} -> ${{ env.GHCR_IMAGE }}:postgresql-${TAG}"
skopeo copy --all --retry-times 3 \
docker://$DOCKERHUB_IMAGE:postgresql-$TAG \
docker://$GHCR_IMAGE:postgresql-$TAG
# SQLite Enterprise
echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-${TAG} -> ${{ env.GHCR_IMAGE }}:ee-${TAG}"
skopeo copy --all --retry-times 3 \
docker://$DOCKERHUB_IMAGE:ee-$TAG \
docker://$GHCR_IMAGE:ee-$TAG
# PostgreSQL Enterprise
echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-postgresql-${TAG} -> ${{ env.GHCR_IMAGE }}:ee-postgresql-${TAG}"
skopeo copy --all --retry-times 3 \
docker://$DOCKERHUB_IMAGE:ee-postgresql-$TAG \
docker://$GHCR_IMAGE:ee-postgresql-$TAG
else
echo "Regular release detected - copying all tags (latest, major, minor, full version)"
# SQLite OSS - all tags
for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:${TAG_SUFFIX}"
skopeo copy --all --retry-times 3 \
docker://$DOCKERHUB_IMAGE:$TAG_SUFFIX \
docker://$GHCR_IMAGE:$TAG_SUFFIX
done
# PostgreSQL OSS - all tags
for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
echo "Copying ${{ env.DOCKERHUB_IMAGE }}:postgresql-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:postgresql-${TAG_SUFFIX}"
skopeo copy --all --retry-times 3 \
docker://$DOCKERHUB_IMAGE:postgresql-$TAG_SUFFIX \
docker://$GHCR_IMAGE:postgresql-$TAG_SUFFIX
done
# SQLite Enterprise - all tags
for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:ee-${TAG_SUFFIX}"
skopeo copy --all --retry-times 3 \
docker://$DOCKERHUB_IMAGE:ee-$TAG_SUFFIX \
docker://$GHCR_IMAGE:ee-$TAG_SUFFIX
done
# PostgreSQL Enterprise - all tags
for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-postgresql-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:ee-postgresql-${TAG_SUFFIX}"
skopeo copy --all --retry-times 3 \
docker://$DOCKERHUB_IMAGE:ee-postgresql-$TAG_SUFFIX \
docker://$GHCR_IMAGE:ee-postgresql-$TAG_SUFFIX
done
fi
echo "All images copied successfully to GHCR!"
shell: bash shell: bash
- name: Login to GitHub Container Registry (for cosign) - name: Login to GitHub Container Registry (for cosign)
@@ -371,28 +440,62 @@ jobs:
issuer="https://token.actions.githubusercontent.com" issuer="https://token.actions.githubusercontent.com"
id_regex="^https://github.com/${{ github.repository }}/.+" # accept this repo (all workflows/refs) id_regex="^https://github.com/${{ github.repository }}/.+" # accept this repo (all workflows/refs)
for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do # Determine if this is an RC release
echo "Processing ${IMAGE}:${TAG}" IS_RC="false"
if echo "$TAG" | grep -qE "rc[0-9]+$"; then
IS_RC="true"
fi
DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')" # Define image variants to sign
REF="${IMAGE}@${DIGEST}" if [ "$IS_RC" = "true" ]; then
echo "Resolved digest: ${REF}" echo "RC release - signing version-specific tags only"
IMAGE_TAGS=(
"${TAG}"
"postgresql-${TAG}"
"ee-${TAG}"
"ee-postgresql-${TAG}"
)
else
echo "Regular release - signing all tags"
MAJOR_TAG=$(echo $TAG | cut -d. -f1)
MINOR_TAG=$(echo $TAG | cut -d. -f1,2)
IMAGE_TAGS=(
"latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"
"postgresql-latest" "postgresql-$MAJOR_TAG" "postgresql-$MINOR_TAG" "postgresql-$TAG"
"ee-latest" "ee-$MAJOR_TAG" "ee-$MINOR_TAG" "ee-$TAG"
"ee-postgresql-latest" "ee-postgresql-$MAJOR_TAG" "ee-postgresql-$MINOR_TAG" "ee-postgresql-$TAG"
)
fi
echo "==> cosign sign (keyless) --recursive ${REF}" # Sign each image variant for both registries
cosign sign --recursive "${REF}" for BASE_IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
for IMAGE_TAG in "${IMAGE_TAGS[@]}"; do
echo "Processing ${BASE_IMAGE}:${IMAGE_TAG}"
echo "==> cosign sign (key) --recursive ${REF}" DIGEST="$(skopeo inspect --retry-times 3 docker://${BASE_IMAGE}:${IMAGE_TAG} | jq -r '.Digest')"
cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}" REF="${BASE_IMAGE}@${DIGEST}"
echo "Resolved digest: ${REF}"
echo "==> cosign verify (public key) ${REF}" echo "==> cosign sign (keyless) --recursive ${REF}"
cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text cosign sign --recursive "${REF}"
echo "==> cosign verify (keyless policy) ${REF}" echo "==> cosign sign (key) --recursive ${REF}"
cosign verify \ cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
--certificate-oidc-issuer "${issuer}" \
--certificate-identity-regexp "${id_regex}" \ echo "==> cosign verify (public key) ${REF}"
"${REF}" -o text cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
echo "==> cosign verify (keyless policy) ${REF}"
cosign verify \
--certificate-oidc-issuer "${issuer}" \
--certificate-identity-regexp "${id_regex}" \
"${REF}" -o text
echo "✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}"
done
done done
echo "All images signed and verified successfully!"
shell: bash shell: bash
post-run: post-run:

426
.github/workflows/cicd.yml.backup vendored Normal file
View File

@@ -0,0 +1,426 @@
name: CI/CD Pipeline
# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
permissions:
contents: read
packages: write # for GHCR push
id-token: write # for Cosign Keyless (OIDC) Signing
# Required secrets:
# - DOCKER_HUB_USERNAME / DOCKER_HUB_ACCESS_TOKEN: push to Docker Hub
# - GITHUB_TOKEN: used for GHCR login and OIDC keyless signing
# - COSIGN_PRIVATE_KEY / COSIGN_PASSWORD / COSIGN_PUBLIC_KEY: for key-based signing
on:
push:
tags:
- "[0-9]+.[0-9]+.[0-9]+"
- "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
concurrency:
group: ${{ github.ref }}
cancel-in-progress: true
jobs:
pre-run:
runs-on: ubuntu-latest
permissions: write-all
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
role-duration-seconds: 3600
aws-region: ${{ secrets.AWS_REGION }}
- name: Verify AWS identity
run: aws sts get-caller-identity
- name: Start EC2 instances
run: |
aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
echo "EC2 instances started"
release-arm:
name: Build and Release (ARM64)
runs-on: [self-hosted, linux, arm64, us-east-1]
needs: [pre-run]
if: >-
${{
needs.pre-run.result == 'success'
}}
# Job-level timeout to avoid runaway or stuck runs
timeout-minutes: 120
env:
# Target images
DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
steps:
- name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Monitor storage space
run: |
THRESHOLD=75
USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
echo "Used space: $USED_SPACE%"
if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
echo "Used space is below the threshold of 75% free. Running Docker system prune."
echo y | docker system prune -a
else
echo "Storage space is above the threshold. No action needed."
fi
- name: Log in to Docker Hub
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: docker.io
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
- name: Extract tag name
id: get-tag
run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
shell: bash
- name: Update version in package.json
run: |
TAG=${{ env.TAG }}
sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
cat server/lib/consts.ts
shell: bash
- name: Check if release candidate
id: check-rc
run: |
TAG=${{ env.TAG }}
if [[ "$TAG" == *"-rc."* ]]; then
echo "IS_RC=true" >> $GITHUB_ENV
else
echo "IS_RC=false" >> $GITHUB_ENV
fi
shell: bash
- name: Build and push Docker images (Docker Hub - ARM64)
run: |
TAG=${{ env.TAG }}
if [ "$IS_RC" = "true" ]; then
make build-rc-arm tag=$TAG
else
make build-release-arm tag=$TAG
fi
echo "Built & pushed ARM64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
shell: bash
release-amd:
name: Build and Release (AMD64)
runs-on: [self-hosted, linux, x64, us-east-1]
needs: [pre-run]
if: >-
${{
needs.pre-run.result == 'success'
}}
# Job-level timeout to avoid runaway or stuck runs
timeout-minutes: 120
env:
# Target images
DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
steps:
- name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Monitor storage space
run: |
THRESHOLD=75
USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
echo "Used space: $USED_SPACE%"
if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
echo "Used space is below the threshold of 75% free. Running Docker system prune."
echo y | docker system prune -a
else
echo "Storage space is above the threshold. No action needed."
fi
- name: Log in to Docker Hub
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: docker.io
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
- name: Extract tag name
id: get-tag
run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
shell: bash
- name: Update version in package.json
run: |
TAG=${{ env.TAG }}
sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
cat server/lib/consts.ts
shell: bash
- name: Check if release candidate
id: check-rc
run: |
TAG=${{ env.TAG }}
if [[ "$TAG" == *"-rc."* ]]; then
echo "IS_RC=true" >> $GITHUB_ENV
else
echo "IS_RC=false" >> $GITHUB_ENV
fi
shell: bash
- name: Build and push Docker images (Docker Hub - AMD64)
run: |
TAG=${{ env.TAG }}
if [ "$IS_RC" = "true" ]; then
make build-rc-amd tag=$TAG
else
make build-release-amd tag=$TAG
fi
echo "Built & pushed AMD64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
shell: bash
create-manifest:
name: Create Multi-Arch Manifests
runs-on: [self-hosted, linux, x64, us-east-1]
needs: [release-arm, release-amd]
if: >-
${{
needs.release-arm.result == 'success' &&
needs.release-amd.result == 'success'
}}
timeout-minutes: 30
steps:
- name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Log in to Docker Hub
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: docker.io
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
- name: Extract tag name
id: get-tag
run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
shell: bash
- name: Check if release candidate
id: check-rc
run: |
TAG=${{ env.TAG }}
if [[ "$TAG" == *"-rc."* ]]; then
echo "IS_RC=true" >> $GITHUB_ENV
else
echo "IS_RC=false" >> $GITHUB_ENV
fi
shell: bash
- name: Create multi-arch manifests
run: |
TAG=${{ env.TAG }}
if [ "$IS_RC" = "true" ]; then
make create-manifests-rc tag=$TAG
else
make create-manifests tag=$TAG
fi
echo "Created multi-arch manifests for tag: ${TAG}"
shell: bash
sign-and-package:
name: Sign and Package
runs-on: [self-hosted, linux, x64, us-east-1]
needs: [release-arm, release-amd, create-manifest]
if: >-
${{
needs.release-arm.result == 'success' &&
needs.release-amd.result == 'success' &&
needs.create-manifest.result == 'success'
}}
# Job-level timeout to avoid runaway or stuck runs
timeout-minutes: 120
env:
# Target images
DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
steps:
- name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Extract tag name
id: get-tag
run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
shell: bash
- name: Install Go
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
go-version: 1.24
- name: Update version in package.json
run: |
TAG=${{ env.TAG }}
sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
cat server/lib/consts.ts
shell: bash
- name: Pull latest Gerbil version
id: get-gerbil-tag
run: |
LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name')
echo "LATEST_GERBIL_TAG=$LATEST_TAG" >> $GITHUB_ENV
shell: bash
- name: Pull latest Badger version
id: get-badger-tag
run: |
LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name')
echo "LATEST_BADGER_TAG=$LATEST_TAG" >> $GITHUB_ENV
shell: bash
- name: Update install/main.go
run: |
PANGOLIN_VERSION=${{ env.TAG }}
GERBIL_VERSION=${{ env.LATEST_GERBIL_TAG }}
BADGER_VERSION=${{ env.LATEST_BADGER_TAG }}
sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"$PANGOLIN_VERSION\"/" install/main.go
sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"$GERBIL_VERSION\"/" install/main.go
sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$BADGER_VERSION\"/" install/main.go
echo "Updated install/main.go with Pangolin version $PANGOLIN_VERSION, Gerbil version $GERBIL_VERSION, and Badger version $BADGER_VERSION"
cat install/main.go
shell: bash
- name: Build installer
working-directory: install
run: |
make go-build-release
- name: Upload artifacts from /install/bin
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: install-bin
path: install/bin/
- name: Install skopeo + jq
# skopeo: copy/inspect images between registries
# jq: JSON parsing tool used to extract digest values
run: |
sudo apt-get update -y
sudo apt-get install -y skopeo jq
skopeo --version
shell: bash
- name: Login to GHCR
env:
REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
run: |
mkdir -p "$(dirname "$REGISTRY_AUTH_FILE")"
skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
shell: bash
- name: Copy tag from Docker Hub to GHCR
# Mirror the already-built image (all architectures) to GHCR so we can sign it
# Wait a bit for both architectures to be available in Docker Hub manifest
env:
REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
run: |
set -euo pipefail
TAG=${{ env.TAG }}
echo "Waiting for multi-arch manifest to be ready..."
sleep 30
echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
skopeo copy --all --retry-times 3 \
docker://$DOCKERHUB_IMAGE:$TAG \
docker://$GHCR_IMAGE:$TAG
shell: bash
- name: Login to GitHub Container Registry (for cosign)
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install cosign
# cosign is used to sign and verify container images (key and keyless)
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
- name: Dual-sign and verify (GHCR & Docker Hub)
# Sign each image by digest using keyless (OIDC) and key-based signing,
# then verify both the public key signature and the keyless OIDC signature.
env:
TAG: ${{ env.TAG }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
COSIGN_YES: "true"
run: |
set -euo pipefail
issuer="https://token.actions.githubusercontent.com"
id_regex="^https://github.com/${{ github.repository }}/.+" # accept this repo (all workflows/refs)
for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
echo "Processing ${IMAGE}:${TAG}"
DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')"
REF="${IMAGE}@${DIGEST}"
echo "Resolved digest: ${REF}"
echo "==> cosign sign (keyless) --recursive ${REF}"
cosign sign --recursive "${REF}"
echo "==> cosign sign (key) --recursive ${REF}"
cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
echo "==> cosign verify (public key) ${REF}"
cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
echo "==> cosign verify (keyless policy) ${REF}"
cosign verify \
--certificate-oidc-issuer "${issuer}" \
--certificate-identity-regexp "${id_regex}" \
"${REF}" -o text
done
shell: bash
post-run:
needs: [pre-run, release-arm, release-amd, create-manifest, sign-and-package]
if: >-
${{
always() &&
needs.pre-run.result == 'success' &&
(needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure') &&
(needs.release-amd.result == 'success' || needs.release-amd.result == 'skipped' || needs.release-amd.result == 'failure') &&
(needs.create-manifest.result == 'success' || needs.create-manifest.result == 'skipped' || needs.create-manifest.result == 'failure') &&
(needs.sign-and-package.result == 'success' || needs.sign-and-package.result == 'skipped' || needs.sign-and-package.result == 'failure')
}}
runs-on: ubuntu-latest
permissions: write-all
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
role-duration-seconds: 3600
aws-region: ${{ secrets.AWS_REGION }}
- name: Verify AWS identity
run: aws sts get-caller-identity
- name: Stop EC2 instances
run: |
aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
echo "EC2 instances stopped"

125
.github/workflows/saas.yml vendored Normal file
View File

@@ -0,0 +1,125 @@
name: CI/CD Pipeline
# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
permissions:
contents: read
packages: write # for GHCR push
id-token: write # for Cosign Keyless (OIDC) Signing
on:
push:
tags:
- "[0-9]+.[0-9]+.[0-9]+-s.[0-9]+"
concurrency:
group: ${{ github.ref }}
cancel-in-progress: true
jobs:
pre-run:
runs-on: ubuntu-latest
permissions: write-all
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
role-duration-seconds: 3600
aws-region: ${{ secrets.AWS_REGION }}
- name: Verify AWS identity
run: aws sts get-caller-identity
- name: Start EC2 instances
run: |
aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
echo "EC2 instances started"
release-arm:
name: Build and Release (ARM64)
runs-on: [self-hosted, linux, arm64, us-east-1]
needs: [pre-run]
if: >-
${{
needs.pre-run.result == 'success'
}}
# Job-level timeout to avoid runaway or stuck runs
timeout-minutes: 120
env:
# Target images
AWS_IMAGE: ${{ secrets.aws_account_id }}.dkr.ecr.us-east-1.amazonaws.com/${{ github.event.repository.name }}
steps:
- name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Monitor storage space
run: |
THRESHOLD=75
USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
echo "Used space: $USED_SPACE%"
if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
echo "Used space is below the threshold of 75% free. Running Docker system prune."
echo y | docker system prune -a
else
echo "Storage space is above the threshold. No action needed."
fi
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::${{ secrets.aws_account_id }}:role/${{ secrets.AWS_ROLE_NAME }}
role-duration-seconds: 3600
aws-region: ${{ secrets.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
- name: Extract tag name
id: get-tag
run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
shell: bash
- name: Update version in package.json
run: |
TAG=${{ env.TAG }}
sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
cat server/lib/consts.ts
shell: bash
- name: Build and push Docker images (Docker Hub - ARM64)
run: |
TAG=${{ env.TAG }}
make build-saas tag=$TAG
echo "Built & pushed ARM64 images to: ${{ env.AWS_IMAGE }}:${TAG}"
shell: bash
post-run:
needs: [pre-run, release-arm]
if: >-
${{
always() &&
needs.pre-run.result == 'success' &&
(needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure')
}}
runs-on: ubuntu-latest
permissions: write-all
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
role-duration-seconds: 3600
aws-region: ${{ secrets.AWS_REGION }}
- name: Verify AWS identity
run: aws sts get-caller-identity
- name: Stop EC2 instances
run: |
aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
echo "EC2 instances stopped"

12
Makefile
View File

@@ -90,6 +90,18 @@ build-ee-postgresql:
--tag fosrl/pangolin:ee-postgresql-$(tag) \ --tag fosrl/pangolin:ee-postgresql-$(tag) \
--push . --push .
build-saas:
@if [ -z "$(tag)" ]; then \
echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
exit 1; \
fi
docker buildx build \
--build-arg BUILD=saas \
--build-arg DATABASE=pg \
--platform linux/arm64 \
--tag $(AWS_IMAGE):$(tag) \
--push .
build-release-arm: build-release-arm:
@if [ -z "$(tag)" ]; then \ @if [ -z "$(tag)" ]; then \
echo "Error: tag is required. Usage: make build-release-arm tag=<tag>"; \ echo "Error: tag is required. Usage: make build-release-arm tag=<tag>"; \

2
install/main.go
View File

@@ -340,7 +340,7 @@ func collectUserInput(reader *bufio.Reader) Config {
// Basic configuration // Basic configuration
fmt.Println("\n=== Basic Configuration ===") fmt.Println("\n=== Basic Configuration ===")
config.IsEnterprise = readBoolNoDefault(reader, "Do you want to install the Enterprise version of Pangolin? The EE is free for persoal use or for businesses making less than 100k USD annually.") config.IsEnterprise = readBoolNoDefault(reader, "Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "") config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")

40
messages/en-US.json
View File

@@ -1143,6 +1143,10 @@
"actionUpdateIdpOrg": "Update IDP Org", "actionUpdateIdpOrg": "Update IDP Org",
"actionCreateClient": "Create Client", "actionCreateClient": "Create Client",
"actionDeleteClient": "Delete Client", "actionDeleteClient": "Delete Client",
"actionArchiveClient": "Archive Client",
"actionUnarchiveClient": "Unarchive Client",
"actionBlockClient": "Block Client",
"actionUnblockClient": "Unblock Client",
"actionUpdateClient": "Update Client", "actionUpdateClient": "Update Client",
"actionListClients": "List Clients", "actionListClients": "List Clients",
"actionGetClient": "Get Client", "actionGetClient": "Get Client",
@@ -1160,7 +1164,7 @@
"create": "Create", "create": "Create",
"orgs": "Organizations", "orgs": "Organizations",
"loginError": "An error occurred while logging in", "loginError": "An error occurred while logging in",
"loginRequiredForDevice": "Login is required to authenticate your device.", "loginRequiredForDevice": "Login is required for your device.",
"passwordForgot": "Forgot your password?", "passwordForgot": "Forgot your password?",
"otpAuth": "Two-Factor Authentication", "otpAuth": "Two-Factor Authentication",
"otpAuthDescription": "Enter the code from your authenticator app or one of your single-use backup codes.", "otpAuthDescription": "Enter the code from your authenticator app or one of your single-use backup codes.",
@@ -1231,7 +1235,7 @@
"sidebarIdentityProviders": "Identity Providers", "sidebarIdentityProviders": "Identity Providers",
"sidebarLicense": "License", "sidebarLicense": "License",
"sidebarClients": "Clients", "sidebarClients": "Clients",
"sidebarUserDevices": "Users", "sidebarUserDevices": "User Devices",
"sidebarMachineClients": "Machines", "sidebarMachineClients": "Machines",
"sidebarDomains": "Domains", "sidebarDomains": "Domains",
"sidebarGeneral": "Manage", "sidebarGeneral": "Manage",
@@ -1904,7 +1908,7 @@
"orgAuthChooseIdpDescription": "Choose your identity provider to continue", "orgAuthChooseIdpDescription": "Choose your identity provider to continue",
"orgAuthNoIdpConfigured": "This organization doesn't have any identity providers configured. You can log in with your Pangolin identity instead.", "orgAuthNoIdpConfigured": "This organization doesn't have any identity providers configured. You can log in with your Pangolin identity instead.",
"orgAuthSignInWithPangolin": "Sign in with Pangolin", "orgAuthSignInWithPangolin": "Sign in with Pangolin",
"orgAuthSignInToOrg": "Sign in to an organization", "orgAuthSignInToOrg": "Use organization's identity provider",
"orgAuthSelectOrgTitle": "Organization Sign In", "orgAuthSelectOrgTitle": "Organization Sign In",
"orgAuthSelectOrgDescription": "Enter your organization ID to continue", "orgAuthSelectOrgDescription": "Enter your organization ID to continue",
"orgAuthOrgIdPlaceholder": "your-organization", "orgAuthOrgIdPlaceholder": "your-organization",
@@ -2272,7 +2276,7 @@
"deviceOrganizationsAccess": "Access to all organizations your account has access to", "deviceOrganizationsAccess": "Access to all organizations your account has access to",
"deviceAuthorize": "Authorize {applicationName}", "deviceAuthorize": "Authorize {applicationName}",
"deviceConnected": "Device Connected!", "deviceConnected": "Device Connected!",
"deviceAuthorizedMessage": "Device is authorized to access your account.", "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
"pangolinCloud": "Pangolin Cloud", "pangolinCloud": "Pangolin Cloud",
"viewDevices": "View Devices", "viewDevices": "View Devices",
"viewDevicesDescription": "Manage your connected devices", "viewDevicesDescription": "Manage your connected devices",
@@ -2422,5 +2426,31 @@
"maintenanceScreenTitle": "Service Temporarily Unavailable", "maintenanceScreenTitle": "Service Temporarily Unavailable",
"maintenanceScreenMessage": "We are currently experiencing technical difficulties. Please check back soon.", "maintenanceScreenMessage": "We are currently experiencing technical difficulties. Please check back soon.",
"maintenanceScreenEstimatedCompletion": "Estimated Completion:", "maintenanceScreenEstimatedCompletion": "Estimated Completion:",
"createInternalResourceDialogDestinationRequired": "Destination is required" "createInternalResourceDialogDestinationRequired": "Destination is required",
"available": "Available",
"archived": "Archived",
"noArchivedDevices": "No archived devices found",
"deviceArchived": "Device archived",
"deviceArchivedDescription": "The device has been successfully archived.",
"errorArchivingDevice": "Error archiving device",
"failedToArchiveDevice": "Failed to archive device",
"deviceQuestionArchive": "Are you sure you want to archive this device?",
"deviceMessageArchive": "The device will be archived and removed from your active devices list.",
"deviceArchiveConfirm": "Archive Device",
"archiveDevice": "Archive Device",
"archive": "Archive",
"deviceUnarchived": "Device unarchived",
"deviceUnarchivedDescription": "The device has been successfully unarchived.",
"errorUnarchivingDevice": "Error unarchiving device",
"failedToUnarchiveDevice": "Failed to unarchive device",
"unarchive": "Unarchive",
"archiveClient": "Archive Client",
"archiveClientQuestion": "Are you sure you want to archive this client?",
"archiveClientMessage": "The client will be archived and removed from your active clients list.",
"archiveClientConfirm": "Archive Client",
"blockClient": "Block Client",
"blockClientQuestion": "Are you sure you want to block this client?",
"blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
"blockClientConfirm": "Block Client",
"active": "Active"
} }

4
server/auth/actions.ts
View File

@@ -78,6 +78,10 @@ export enum ActionsEnum {
updateSiteResource = "updateSiteResource", updateSiteResource = "updateSiteResource",
createClient = "createClient", createClient = "createClient",
deleteClient = "deleteClient", deleteClient = "deleteClient",
archiveClient = "archiveClient",
unarchiveClient = "unarchiveClient",
blockClient = "blockClient",
unblockClient = "unblockClient",
updateClient = "updateClient", updateClient = "updateClient",
listClients = "listClients", listClients = "listClients",
getClient = "getClient", getClient = "getClient",

8
server/db/pg/schema/schema.ts
View File

@@ -592,7 +592,8 @@ export const idp = pgTable("idp", {
type: varchar("type").notNull(), type: varchar("type").notNull(),
defaultRoleMapping: varchar("defaultRoleMapping"), defaultRoleMapping: varchar("defaultRoleMapping"),
defaultOrgMapping: varchar("defaultOrgMapping"), defaultOrgMapping: varchar("defaultOrgMapping"),
autoProvision: boolean("autoProvision").notNull().default(false) autoProvision: boolean("autoProvision").notNull().default(false),
tags: text("tags")
}); });
export const idpOidcConfig = pgTable("idpOidcConfig", { export const idpOidcConfig = pgTable("idpOidcConfig", {
@@ -690,6 +691,8 @@ export const clients = pgTable("clients", {
// endpoint: varchar("endpoint"), // endpoint: varchar("endpoint"),
lastHolePunch: integer("lastHolePunch"), lastHolePunch: integer("lastHolePunch"),
maxConnections: integer("maxConnections"), maxConnections: integer("maxConnections"),
archived: boolean("archived").notNull().default(false),
blocked: boolean("blocked").notNull().default(false),
approvalState: varchar("approvalState") approvalState: varchar("approvalState")
.$type<"pending" | "approved" | "denied">() .$type<"pending" | "approved" | "denied">()
.default("approved") .default("approved")
@@ -730,7 +733,8 @@ export const olms = pgTable("olms", {
userId: text("userId").references(() => users.userId, { userId: text("userId").references(() => users.userId, {
// optionally tied to a user and in this case delete when the user deletes // optionally tied to a user and in this case delete when the user deletes
onDelete: "cascade" onDelete: "cascade"
}) }),
archived: boolean("archived").notNull().default(false)
}); });
export const olmSessions = pgTable("clientSession", { export const olmSessions = pgTable("clientSession", {

12
server/db/queries/verifySessionQueries.ts
View File

@@ -1,4 +1,4 @@
import { db, loginPage, LoginPage, loginPageOrg, Org, orgs } from "@server/db"; import { db, loginPage, LoginPage, loginPageOrg, Org, orgs, roles } from "@server/db";
import { import {
Resource, Resource,
ResourcePassword, ResourcePassword,
@@ -108,9 +108,17 @@ export async function getUserSessionWithUser(
*/ */
export async function getUserOrgRole(userId: string, orgId: string) { export async function getUserOrgRole(userId: string, orgId: string) {
const userOrgRole = await db const userOrgRole = await db
.select() .select({
userId: userOrgs.userId,
orgId: userOrgs.orgId,
roleId: userOrgs.roleId,
isOwner: userOrgs.isOwner,
autoProvisioned: userOrgs.autoProvisioned,
roleName: roles.name
})
.from(userOrgs) .from(userOrgs)
.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId))) .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
.leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
.limit(1); .limit(1);
return userOrgRole.length > 0 ? userOrgRole[0] : null; return userOrgRole.length > 0 ? userOrgRole[0] : null;

10
server/db/sqlite/schema/schema.ts
View File

@@ -385,7 +385,9 @@ export const clients = sqliteTable("clients", {
type: text("type").notNull(), // "olm" type: text("type").notNull(), // "olm"
online: integer("online", { mode: "boolean" }).notNull().default(false), online: integer("online", { mode: "boolean" }).notNull().default(false),
// endpoint: text("endpoint"), // endpoint: text("endpoint"),
lastHolePunch: integer("lastHolePunch") lastHolePunch: integer("lastHolePunch"),
archived: integer("archived", { mode: "boolean" }).notNull().default(false),
blocked: integer("blocked", { mode: "boolean" }).notNull().default(false)
}); });
export const clientSitesAssociationsCache = sqliteTable( export const clientSitesAssociationsCache = sqliteTable(
@@ -425,7 +427,8 @@ export const olms = sqliteTable("olms", {
userId: text("userId").references(() => users.userId, { userId: text("userId").references(() => users.userId, {
// optionally tied to a user and in this case delete when the user deletes // optionally tied to a user and in this case delete when the user deletes
onDelete: "cascade" onDelete: "cascade"
}) }),
archived: integer("archived", { mode: "boolean" }).notNull().default(false)
}); });
export const twoFactorBackupCodes = sqliteTable("twoFactorBackupCodes", { export const twoFactorBackupCodes = sqliteTable("twoFactorBackupCodes", {
@@ -779,7 +782,8 @@ export const idp = sqliteTable("idp", {
mode: "boolean" mode: "boolean"
}) })
.notNull() .notNull()
.default(false) .default(false),
tags: text("tags")
}); });
// Identity Provider OAuth Configuration // Identity Provider OAuth Configuration

4
server/lib/blueprints/types.ts
View File

@@ -290,8 +290,8 @@ export const ClientResourceSchema = z
alias: z alias: z
.string() .string()
.regex( .regex(
/^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/, /^(?:[a-zA-Z0-9*?](?:[a-zA-Z0-9*?-]{0,61}[a-zA-Z0-9*?])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/,
"Alias must be a fully qualified domain name (e.g., example.com)" "Alias must be a fully qualified domain name with optional wildcards (e.g., example.com, *.example.com, host-0?.example.internal)"
) )
.optional(), .optional(),
roles: z roles: z

1
server/middlewares/integration/index.ts
View File

@@ -13,3 +13,4 @@ export * from "./verifyApiKeyIsRoot";
export * from "./verifyApiKeyApiKeyAccess"; export * from "./verifyApiKeyApiKeyAccess";
export * from "./verifyApiKeyClientAccess"; export * from "./verifyApiKeyClientAccess";
export * from "./verifyApiKeySiteResourceAccess"; export * from "./verifyApiKeySiteResourceAccess";
export * from "./verifyApiKeyIdpAccess";

88
server/middlewares/integration/verifyApiKeyIdpAccess.ts Normal file
View File

@@ -0,0 +1,88 @@
import { Request, Response, NextFunction } from "express";
import { db } from "@server/db";
import { idp, idpOrg, apiKeyOrg } from "@server/db";
import { and, eq } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
export async function verifyApiKeyIdpAccess(
req: Request,
res: Response,
next: NextFunction
) {
try {
const apiKey = req.apiKey;
const idpId = req.params.idpId || req.body.idpId || req.query.idpId;
const orgId = req.params.orgId;
if (!apiKey) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "Key not authenticated")
);
}
if (!orgId) {
return next(
createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
);
}
if (!idpId) {
return next(
createHttpError(HttpCode.BAD_REQUEST, "Invalid IDP ID")
);
}
if (apiKey.isRoot) {
// Root keys can access any IDP in any org
return next();
}
const [idpRes] = await db
.select()
.from(idp)
.innerJoin(idpOrg, eq(idp.idpId, idpOrg.idpId))
.where(and(eq(idp.idpId, idpId), eq(idpOrg.orgId, orgId)))
.limit(1);
if (!idpRes || !idpRes.idp || !idpRes.idpOrg) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
`IdP with ID ${idpId} not found for organization ${orgId}`
)
);
}
if (!req.apiKeyOrg) {
const apiKeyOrgRes = await db
.select()
.from(apiKeyOrg)
.where(
and(
eq(apiKeyOrg.apiKeyId, apiKey.apiKeyId),
eq(apiKeyOrg.orgId, idpRes.idpOrg.orgId)
)
);
req.apiKeyOrg = apiKeyOrgRes[0];
}
if (!req.apiKeyOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"Key does not have access to this organization"
)
);
}
return next();
} catch (error) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Error verifying IDP access"
)
);
}
}

4
server/private/lib/config.ts
View File

@@ -139,6 +139,10 @@ export class PrivateConfig {
process.env.USE_PANGOLIN_DNS = process.env.USE_PANGOLIN_DNS =
this.rawPrivateConfig.flags.use_pangolin_dns.toString(); this.rawPrivateConfig.flags.use_pangolin_dns.toString();
} }
if (this.rawPrivateConfig.flags.use_org_only_idp) {
process.env.USE_ORG_ONLY_IDP =
this.rawPrivateConfig.flags.use_org_only_idp.toString();
}
} }
public getRawPrivateConfig() { public getRawPrivateConfig() {

2
server/private/lib/exitNodes/exitNodes.ts
View File

@@ -288,7 +288,7 @@ export function selectBestExitNode(
const validNodes = pingResults.filter((n) => !n.error && n.weight > 0); const validNodes = pingResults.filter((n) => !n.error && n.weight > 0);
if (validNodes.length === 0) { if (validNodes.length === 0) {
logger.error("No valid exit nodes available"); logger.debug("No valid exit nodes available");
return null; return null;
} }

100
server/private/lib/lock.ts
View File

@@ -24,7 +24,9 @@ export class LockManager {
*/ */
async acquireLock( async acquireLock(
lockKey: string, lockKey: string,
ttlMs: number = 30000 ttlMs: number = 30000,
maxRetries: number = 3,
retryDelayMs: number = 100
): Promise<boolean> { ): Promise<boolean> {
if (!redis || !redis.status || redis.status !== "ready") { if (!redis || !redis.status || redis.status !== "ready") {
return true; return true;
@@ -35,49 +37,67 @@ export class LockManager {
}:${Date.now()}`; }:${Date.now()}`;
const redisKey = `lock:${lockKey}`; const redisKey = `lock:${lockKey}`;
try { for (let attempt = 0; attempt < maxRetries; attempt++) {
// Use SET with NX (only set if not exists) and PX (expire in milliseconds) try {
// This is atomic and handles both setting and expiration // Use SET with NX (only set if not exists) and PX (expire in milliseconds)
const result = await redis.set( // This is atomic and handles both setting and expiration
redisKey, const result = await redis.set(
lockValue, redisKey,
"PX", lockValue,
ttlMs, "PX",
"NX" ttlMs,
); "NX"
if (result === "OK") {
logger.debug(
`Lock acquired: ${lockKey} by ${
config.getRawConfig().gerbil.exit_node_name
}`
); );
return true;
}
// Check if the existing lock is from this worker (reentrant behavior) if (result === "OK") {
const existingValue = await redis.get(redisKey); logger.debug(
if ( `Lock acquired: ${lockKey} by ${
existingValue && config.getRawConfig().gerbil.exit_node_name
existingValue.startsWith( }`
`${config.getRawConfig().gerbil.exit_node_name}:` );
) return true;
) { }
// Extend the lock TTL since it's the same worker
await redis.pexpire(redisKey, ttlMs);
logger.debug(
`Lock extended: ${lockKey} by ${
config.getRawConfig().gerbil.exit_node_name
}`
);
return true;
}
return false; // Check if the existing lock is from this worker (reentrant behavior)
} catch (error) { const existingValue = await redis.get(redisKey);
logger.error(`Failed to acquire lock ${lockKey}:`, error); if (
return false; existingValue &&
existingValue.startsWith(
`${config.getRawConfig().gerbil.exit_node_name}:`
)
) {
// Extend the lock TTL since it's the same worker
await redis.pexpire(redisKey, ttlMs);
logger.debug(
`Lock extended: ${lockKey} by ${
config.getRawConfig().gerbil.exit_node_name
}`
);
return true;
}
// If this isn't our last attempt, wait before retrying with exponential backoff
if (attempt < maxRetries - 1) {
const delay = retryDelayMs * Math.pow(2, attempt);
logger.debug(
`Lock ${lockKey} not available, retrying in ${delay}ms (attempt ${attempt + 1}/${maxRetries})`
);
await new Promise((resolve) => setTimeout(resolve, delay));
}
} catch (error) {
logger.error(`Failed to acquire lock ${lockKey} (attempt ${attempt + 1}/${maxRetries}):`, error);
// On error, still retry if we have attempts left
if (attempt < maxRetries - 1) {
const delay = retryDelayMs * Math.pow(2, attempt);
await new Promise((resolve) => setTimeout(resolve, delay));
}
}
} }
logger.debug(
`Failed to acquire lock ${lockKey} after ${maxRetries} attempts`
);
return false;
} }
/** /**

3
server/private/lib/readConfigFile.ts
View File

@@ -83,7 +83,8 @@ export const privateConfigSchema = z.object({
flags: z flags: z
.object({ .object({
enable_redis: z.boolean().optional().default(false), enable_redis: z.boolean().optional().default(false),
use_pangolin_dns: z.boolean().optional().default(false) use_pangolin_dns: z.boolean().optional().default(false),
use_org_only_idp: z.boolean().optional().default(false)
}) })
.optional() .optional()
.prefault({}), .prefault({}),

10
server/private/lib/traefik/getTraefikConfig.ts
View File

@@ -456,11 +456,11 @@ export async function getTraefikConfig(
// ); // );
} else if (resource.maintenanceModeType === "automatic") { } else if (resource.maintenanceModeType === "automatic") {
showMaintenancePage = !hasHealthyServers; showMaintenancePage = !hasHealthyServers;
if (showMaintenancePage) { // if (showMaintenancePage) {
logger.warn( // logger.warn(
`Resource ${resource.name} (${fullDomain}) has no healthy servers - showing maintenance page (AUTOMATIC mode)` // `Resource ${resource.name} (${fullDomain}) has no healthy servers - showing maintenance page (AUTOMATIC mode)`
); // );
} // }
} }
} }

13
server/private/middlewares/verifySubscription.ts
View File

@@ -27,7 +27,18 @@ export async function verifyValidSubscription(
return next(); return next();
} }
const tier = await getOrgTierData(req.params.orgId); const orgId = req.params.orgId || req.body.orgId || req.query.orgId || req.userOrgId;
if (!orgId) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Organization ID is required to verify subscription"
)
);
}
const tier = await getOrgTierData(orgId);
if (!tier.active) { if (!tier.active) {
return next( return next(

4
server/private/routers/external.ts
View File

@@ -455,18 +455,18 @@ authenticated.get(
authenticated.post( authenticated.post(
"/re-key/:clientId/regenerate-client-secret", "/re-key/:clientId/regenerate-client-secret",
verifyClientAccess, // this is first to set the org id
verifyValidLicense, verifyValidLicense,
verifyValidSubscription, verifyValidSubscription,
verifyClientAccess,
verifyUserHasAction(ActionsEnum.reGenerateSecret), verifyUserHasAction(ActionsEnum.reGenerateSecret),
reKey.reGenerateClientSecret reKey.reGenerateClientSecret
); );
authenticated.post( authenticated.post(
"/re-key/:siteId/regenerate-site-secret", "/re-key/:siteId/regenerate-site-secret",
verifySiteAccess, // this is first to set the org id
verifyValidLicense, verifyValidLicense,
verifyValidSubscription, verifyValidSubscription,
verifySiteAccess,
verifyUserHasAction(ActionsEnum.reGenerateSecret), verifyUserHasAction(ActionsEnum.reGenerateSecret),
reKey.reGenerateSiteSecret reKey.reGenerateSiteSecret
); );

51
server/private/routers/integration.ts
View File

@@ -18,7 +18,8 @@ import * as logs from "#private/routers/auditLogs";
import { import {
verifyApiKeyHasAction, verifyApiKeyHasAction,
verifyApiKeyIsRoot, verifyApiKeyIsRoot,
verifyApiKeyOrgAccess verifyApiKeyOrgAccess,
verifyApiKeyIdpAccess
} from "@server/middlewares"; } from "@server/middlewares";
import { import {
verifyValidSubscription, verifyValidSubscription,
@@ -31,6 +32,8 @@ import {
authenticated as a authenticated as a
} from "@server/routers/integration"; } from "@server/routers/integration";
import { logActionAudit } from "#private/middlewares"; import { logActionAudit } from "#private/middlewares";
import config from "#private/lib/config";
import { build } from "@server/build";
export const unauthenticated = ua; export const unauthenticated = ua;
export const authenticated = a; export const authenticated = a;
@@ -88,3 +91,49 @@ authenticated.get(
logActionAudit(ActionsEnum.exportLogs), logActionAudit(ActionsEnum.exportLogs),
logs.exportAccessAuditLogs logs.exportAccessAuditLogs
); );
authenticated.put(
"/org/:orgId/idp/oidc",
verifyValidLicense,
verifyApiKeyOrgAccess,
verifyApiKeyHasAction(ActionsEnum.createIdp),
logActionAudit(ActionsEnum.createIdp),
orgIdp.createOrgOidcIdp
);
authenticated.post(
"/org/:orgId/idp/:idpId/oidc",
verifyValidLicense,
verifyApiKeyOrgAccess,
verifyApiKeyIdpAccess,
verifyApiKeyHasAction(ActionsEnum.updateIdp),
logActionAudit(ActionsEnum.updateIdp),
orgIdp.updateOrgOidcIdp
);
authenticated.delete(
"/org/:orgId/idp/:idpId",
verifyValidLicense,
verifyApiKeyOrgAccess,
verifyApiKeyIdpAccess,
verifyApiKeyHasAction(ActionsEnum.deleteIdp),
logActionAudit(ActionsEnum.deleteIdp),
orgIdp.deleteOrgIdp
);
authenticated.get(
"/org/:orgId/idp/:idpId",
verifyValidLicense,
verifyApiKeyOrgAccess,
verifyApiKeyIdpAccess,
verifyApiKeyHasAction(ActionsEnum.getIdp),
orgIdp.getOrgIdp
);
authenticated.get(
"/org/:orgId/idp",
verifyValidLicense,
verifyApiKeyOrgAccess,
verifyApiKeyHasAction(ActionsEnum.listIdps),
orgIdp.listOrgIdps
);

7
server/private/routers/loginPage/upsertLoginPageBranding.ts
View File

@@ -28,6 +28,7 @@ import { eq, InferInsertModel } from "drizzle-orm";
import { getOrgTierData } from "#private/lib/billing"; import { getOrgTierData } from "#private/lib/billing";
import { TierId } from "@server/lib/billing/tiers"; import { TierId } from "@server/lib/billing/tiers";
import { build } from "@server/build"; import { build } from "@server/build";
import config from "@server/private/lib/config";
const paramsSchema = z.strictObject({ const paramsSchema = z.strictObject({
orgId: z.string() orgId: z.string()
@@ -94,8 +95,10 @@ export async function upsertLoginPageBranding(
typeof loginPageBranding typeof loginPageBranding
>; >;
if (build !== "saas") { if (
// org branding settings are only considered in the saas build build !== "saas" &&
!config.getRawPrivateConfig().flags.use_org_only_idp
) {
const { orgTitle, orgSubtitle, ...rest } = updateData; const { orgTitle, orgSubtitle, ...rest } = updateData;
updateData = rest; updateData = rest;
} }

42
server/private/routers/orgIdp/createOrgOidcIdp.ts
View File

@@ -43,25 +43,27 @@ const bodySchema = z.strictObject({
scopes: z.string().nonempty(), scopes: z.string().nonempty(),
autoProvision: z.boolean().optional(), autoProvision: z.boolean().optional(),
variant: z.enum(["oidc", "google", "azure"]).optional().default("oidc"), variant: z.enum(["oidc", "google", "azure"]).optional().default("oidc"),
roleMapping: z.string().optional() roleMapping: z.string().optional(),
tags: z.string().optional()
}); });
// registry.registerPath({ registry.registerPath({
// method: "put", method: "put",
// path: "/idp/oidc", path: "/org/{orgId}/idp/oidc",
// description: "Create an OIDC IdP.", description: "Create an OIDC IdP for a specific organization.",
// tags: [OpenAPITags.Idp], tags: [OpenAPITags.Idp, OpenAPITags.Org],
// request: { request: {
// body: { params: paramsSchema,
// content: { body: {
// "application/json": { content: {
// schema: bodySchema "application/json": {
// } schema: bodySchema
// } }
// } }
// }, }
// responses: {} },
// }); responses: {}
});
export async function createOrgOidcIdp( export async function createOrgOidcIdp(
req: Request, req: Request,
@@ -103,7 +105,8 @@ export async function createOrgOidcIdp(
name, name,
autoProvision, autoProvision,
variant, variant,
roleMapping roleMapping,
tags
} = parsedBody.data; } = parsedBody.data;
if (build === "saas") { if (build === "saas") {
@@ -131,7 +134,8 @@ export async function createOrgOidcIdp(
.values({ .values({
name, name,
autoProvision, autoProvision,
type: "oidc" type: "oidc",
tags
}) })
.returning(); .returning();

6
server/private/routers/orgIdp/deleteOrgIdp.ts
View File

@@ -32,9 +32,9 @@ const paramsSchema = z
registry.registerPath({ registry.registerPath({
method: "delete", method: "delete",
path: "/idp/{idpId}", path: "/org/{orgId}/idp/{idpId}",
description: "Delete IDP.", description: "Delete IDP for a specific organization.",
tags: [OpenAPITags.Idp], tags: [OpenAPITags.Idp, OpenAPITags.Org],
request: { request: {
params: paramsSchema params: paramsSchema
}, },

20
server/private/routers/orgIdp/getOrgIdp.ts
View File

@@ -48,16 +48,16 @@ async function query(idpId: number, orgId: string) {
return res; return res;
} }
// registry.registerPath({ registry.registerPath({
// method: "get", method: "get",
// path: "/idp/{idpId}", path: "/org/:orgId/idp/:idpId",
// description: "Get an IDP by its IDP ID.", description: "Get an IDP by its IDP ID for a specific organization.",
// tags: [OpenAPITags.Idp], tags: [OpenAPITags.Idp, OpenAPITags.Org],
// request: { request: {
// params: paramsSchema params: paramsSchema
// }, },
// responses: {} responses: {}
// }); });
export async function getOrgIdp( export async function getOrgIdp(
req: Request, req: Request,

24
server/private/routers/orgIdp/listOrgIdps.ts
View File

@@ -50,7 +50,8 @@ async function query(orgId: string, limit: number, offset: number) {
orgId: idpOrg.orgId, orgId: idpOrg.orgId,
name: idp.name, name: idp.name,
type: idp.type, type: idp.type,
variant: idpOidcConfig.variant variant: idpOidcConfig.variant,
tags: idp.tags
}) })
.from(idpOrg) .from(idpOrg)
.where(eq(idpOrg.orgId, orgId)) .where(eq(idpOrg.orgId, orgId))
@@ -62,16 +63,17 @@ async function query(orgId: string, limit: number, offset: number) {
return res; return res;
} }
// registry.registerPath({ registry.registerPath({
// method: "get", method: "get",
// path: "/idp", path: "/org/{orgId}/idp",
// description: "List all IDP in the system.", description: "List all IDP for a specific organization.",
// tags: [OpenAPITags.Idp], tags: [OpenAPITags.Idp, OpenAPITags.Org],
// request: { request: {
// query: querySchema query: querySchema,
// }, params: paramsSchema
// responses: {} },
// }); responses: {}
});
export async function listOrgIdps( export async function listOrgIdps(
req: Request, req: Request,

43
server/private/routers/orgIdp/updateOrgOidcIdp.ts
View File

@@ -46,30 +46,31 @@ const bodySchema = z.strictObject({
namePath: z.string().optional(), namePath: z.string().optional(),
scopes: z.string().optional(), scopes: z.string().optional(),
autoProvision: z.boolean().optional(), autoProvision: z.boolean().optional(),
roleMapping: z.string().optional() roleMapping: z.string().optional(),
tags: z.string().optional()
}); });
export type UpdateOrgIdpResponse = { export type UpdateOrgIdpResponse = {
idpId: number; idpId: number;
}; };
// registry.registerPath({ registry.registerPath({
// method: "post", method: "post",
// path: "/idp/{idpId}/oidc", path: "/org/{orgId}/idp/{idpId}/oidc",
// description: "Update an OIDC IdP.", description: "Update an OIDC IdP for a specific organization.",
// tags: [OpenAPITags.Idp], tags: [OpenAPITags.Idp, OpenAPITags.Org],
// request: { request: {
// params: paramsSchema, params: paramsSchema,
// body: { body: {
// content: { content: {
// "application/json": { "application/json": {
// schema: bodySchema schema: bodySchema
// } }
// } }
// } }
// }, },
// responses: {} responses: {}
// }); });
export async function updateOrgOidcIdp( export async function updateOrgOidcIdp(
req: Request, req: Request,
@@ -109,7 +110,8 @@ export async function updateOrgOidcIdp(
namePath, namePath,
name, name,
autoProvision, autoProvision,
roleMapping roleMapping,
tags
} = parsedBody.data; } = parsedBody.data;
if (build === "saas") { if (build === "saas") {
@@ -167,7 +169,8 @@ export async function updateOrgOidcIdp(
await db.transaction(async (trx) => { await db.transaction(async (trx) => {
const idpData = { const idpData = {
name, name,
autoProvision autoProvision,
tags
}; };
// only update if at least one key is not undefined // only update if at least one key is not undefined

2
server/routers/auth/index.ts
View File

@@ -16,4 +16,4 @@ export * from "./checkResourceSession";
export * from "./securityKey"; export * from "./securityKey";
export * from "./startDeviceWebAuth"; export * from "./startDeviceWebAuth";
export * from "./verifyDeviceWebAuth"; export * from "./verifyDeviceWebAuth";
export * from "./pollDeviceWebAuth"; export * from "./pollDeviceWebAuth";

4
server/routers/badger/verifySession.ts
View File

@@ -942,7 +942,7 @@ async function isUserAllowedToAccessResource(
username: user.username, username: user.username,
email: user.email, email: user.email,
name: user.name, name: user.name,
role: user.role role: userOrgRole.roleName
}; };
} }
@@ -956,7 +956,7 @@ async function isUserAllowedToAccessResource(
username: user.username, username: user.username,
email: user.email, email: user.email,
name: user.name, name: user.name,
role: user.role role: userOrgRole.roleName
}; };
} }

105
server/routers/client/archiveClient.ts Normal file
View File

@@ -0,0 +1,105 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db } from "@server/db";
import { clients } from "@server/db";
import { eq } from "drizzle-orm";
import response from "@server/lib/response";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import logger from "@server/logger";
import { fromError } from "zod-validation-error";
import { OpenAPITags, registry } from "@server/openApi";
import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
import { sendTerminateClient } from "./terminate";
const archiveClientSchema = z.strictObject({
clientId: z.string().transform(Number).pipe(z.int().positive())
});
registry.registerPath({
method: "post",
path: "/client/{clientId}/archive",
description: "Archive a client by its client ID.",
tags: [OpenAPITags.Client],
request: {
params: archiveClientSchema
},
responses: {}
});
export async function archiveClient(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedParams = archiveClientSchema.safeParse(req.params);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const { clientId } = parsedParams.data;
// Check if client exists
const [client] = await db
.select()
.from(clients)
.where(eq(clients.clientId, clientId))
.limit(1);
if (!client) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
`Client with ID ${clientId} not found`
)
);
}
if (client.archived) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
`Client with ID ${clientId} is already archived`
)
);
}
await db.transaction(async (trx) => {
// Archive the client
await trx
.update(clients)
.set({ archived: true })
.where(eq(clients.clientId, clientId));
// Rebuild associations to clean up related data
await rebuildClientAssociationsFromClient(client, trx);
// Send terminate signal if there's an associated OLM
if (client.olmId) {
await sendTerminateClient(client.clientId, client.olmId);
}
});
return response(res, {
data: null,
success: true,
error: false,
message: "Client archived successfully",
status: HttpCode.OK
});
} catch (error) {
logger.error(error);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to archive client"
)
);
}
}

101
server/routers/client/blockClient.ts Normal file
View File

@@ -0,0 +1,101 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db } from "@server/db";
import { clients } from "@server/db";
import { eq } from "drizzle-orm";
import response from "@server/lib/response";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import logger from "@server/logger";
import { fromError } from "zod-validation-error";
import { OpenAPITags, registry } from "@server/openApi";
import { sendTerminateClient } from "./terminate";
const blockClientSchema = z.strictObject({
clientId: z.string().transform(Number).pipe(z.int().positive())
});
registry.registerPath({
method: "post",
path: "/client/{clientId}/block",
description: "Block a client by its client ID.",
tags: [OpenAPITags.Client],
request: {
params: blockClientSchema
},
responses: {}
});
export async function blockClient(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedParams = blockClientSchema.safeParse(req.params);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const { clientId } = parsedParams.data;
// Check if client exists
const [client] = await db
.select()
.from(clients)
.where(eq(clients.clientId, clientId))
.limit(1);
if (!client) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
`Client with ID ${clientId} not found`
)
);
}
if (client.blocked) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
`Client with ID ${clientId} is already blocked`
)
);
}
await db.transaction(async (trx) => {
// Block the client
await trx
.update(clients)
.set({ blocked: true })
.where(eq(clients.clientId, clientId));
// Send terminate signal if there's an associated OLM and it's connected
if (client.olmId && client.online) {
await sendTerminateClient(client.clientId, client.olmId);
}
});
return response(res, {
data: null,
success: true,
error: false,
message: "Client blocked successfully",
status: HttpCode.OK
});
} catch (error) {
logger.error(error);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to block client"
)
);
}
}

3
server/routers/client/deleteClient.ts
View File

@@ -60,11 +60,12 @@ export async function deleteClient(
); );
} }
// Only allow deletion of machine clients (clients without userId)
if (client.userId) { if (client.userId) {
return next( return next(
createHttpError( createHttpError(
HttpCode.BAD_REQUEST, HttpCode.BAD_REQUEST,
`Cannot delete a user client with this endpoint` `Cannot delete a user client. User clients must be archived instead.`
) )
); );
} }

4
server/routers/client/index.ts
View File

@@ -1,6 +1,10 @@
export * from "./pickClientDefaults"; export * from "./pickClientDefaults";
export * from "./createClient"; export * from "./createClient";
export * from "./deleteClient"; export * from "./deleteClient";
export * from "./archiveClient";
export * from "./unarchiveClient";
export * from "./blockClient";
export * from "./unblockClient";
export * from "./listClients"; export * from "./listClients";
export * from "./updateClient"; export * from "./updateClient";
export * from "./getClient"; export * from "./getClient";

5
server/routers/client/listClients.ts
View File

@@ -137,7 +137,10 @@ function queryClients(
userEmail: users.email, userEmail: users.email,
niceId: clients.niceId, niceId: clients.niceId,
agent: olms.agent, agent: olms.agent,
approvalState: clients.approvalState approvalState: clients.approvalState,
olmArchived: olms.archived,
archived: clients.archived,
blocked: clients.blocked
}) })
.from(clients) .from(clients)
.leftJoin(orgs, eq(clients.orgId, orgs.orgId)) .leftJoin(orgs, eq(clients.orgId, orgs.orgId))

93
server/routers/client/unarchiveClient.ts Normal file
View File

@@ -0,0 +1,93 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db } from "@server/db";
import { clients } from "@server/db";
import { eq } from "drizzle-orm";
import response from "@server/lib/response";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import logger from "@server/logger";
import { fromError } from "zod-validation-error";
import { OpenAPITags, registry } from "@server/openApi";
const unarchiveClientSchema = z.strictObject({
clientId: z.string().transform(Number).pipe(z.int().positive())
});
registry.registerPath({
method: "post",
path: "/client/{clientId}/unarchive",
description: "Unarchive a client by its client ID.",
tags: [OpenAPITags.Client],
request: {
params: unarchiveClientSchema
},
responses: {}
});
export async function unarchiveClient(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedParams = unarchiveClientSchema.safeParse(req.params);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const { clientId } = parsedParams.data;
// Check if client exists
const [client] = await db
.select()
.from(clients)
.where(eq(clients.clientId, clientId))
.limit(1);
if (!client) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
`Client with ID ${clientId} not found`
)
);
}
if (!client.archived) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
`Client with ID ${clientId} is not archived`
)
);
}
// Unarchive the client
await db
.update(clients)
.set({ archived: false })
.where(eq(clients.clientId, clientId));
return response(res, {
data: null,
success: true,
error: false,
message: "Client unarchived successfully",
status: HttpCode.OK
});
} catch (error) {
logger.error(error);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to unarchive client"
)
);
}
}

93
server/routers/client/unblockClient.ts Normal file
View File

@@ -0,0 +1,93 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db } from "@server/db";
import { clients } from "@server/db";
import { eq } from "drizzle-orm";
import response from "@server/lib/response";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import logger from "@server/logger";
import { fromError } from "zod-validation-error";
import { OpenAPITags, registry } from "@server/openApi";
const unblockClientSchema = z.strictObject({
clientId: z.string().transform(Number).pipe(z.int().positive())
});
registry.registerPath({
method: "post",
path: "/client/{clientId}/unblock",
description: "Unblock a client by its client ID.",
tags: [OpenAPITags.Client],
request: {
params: unblockClientSchema
},
responses: {}
});
export async function unblockClient(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedParams = unblockClientSchema.safeParse(req.params);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const { clientId } = parsedParams.data;
// Check if client exists
const [client] = await db
.select()
.from(clients)
.where(eq(clients.clientId, clientId))
.limit(1);
if (!client) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
`Client with ID ${clientId} not found`
)
);
}
if (!client.blocked) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
`Client with ID ${clientId} is not blocked`
)
);
}
// Unblock the client
await db
.update(clients)
.set({ blocked: false })
.where(eq(clients.clientId, clientId));
return response(res, {
data: null,
success: true,
error: false,
message: "Client unblocked successfully",
status: HttpCode.OK
});
} catch (error) {
logger.error(error);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to unblock client"
)
);
}
}

45
server/routers/external.ts
View File

@@ -174,6 +174,38 @@ authenticated.delete(
client.deleteClient client.deleteClient
); );
authenticated.post(
"/client/:clientId/archive",
verifyClientAccess,
verifyUserHasAction(ActionsEnum.archiveClient),
logActionAudit(ActionsEnum.archiveClient),
client.archiveClient
);
authenticated.post(
"/client/:clientId/unarchive",
verifyClientAccess,
verifyUserHasAction(ActionsEnum.unarchiveClient),
logActionAudit(ActionsEnum.unarchiveClient),
client.unarchiveClient
);
authenticated.post(
"/client/:clientId/block",
verifyClientAccess,
verifyUserHasAction(ActionsEnum.blockClient),
logActionAudit(ActionsEnum.blockClient),
client.blockClient
);
authenticated.post(
"/client/:clientId/unblock",
verifyClientAccess,
verifyUserHasAction(ActionsEnum.unblockClient),
logActionAudit(ActionsEnum.unblockClient),
client.unblockClient
);
authenticated.post( authenticated.post(
"/client/:clientId", "/client/:clientId",
verifyClientAccess, // this will check if the user has access to the client verifyClientAccess, // this will check if the user has access to the client
@@ -816,11 +848,18 @@ authenticated.put("/user/:userId/olm", verifyIsLoggedInUser, olm.createUserOlm);
authenticated.get("/user/:userId/olms", verifyIsLoggedInUser, olm.listUserOlms); authenticated.get("/user/:userId/olms", verifyIsLoggedInUser, olm.listUserOlms);
authenticated.delete( authenticated.post(
"/user/:userId/olm/:olmId", "/user/:userId/olm/:olmId/archive",
verifyIsLoggedInUser, verifyIsLoggedInUser,
verifyOlmAccess, verifyOlmAccess,
olm.deleteUserOlm olm.archiveUserOlm
);
authenticated.post(
"/user/:userId/olm/:olmId/unarchive",
verifyIsLoggedInUser,
verifyOlmAccess,
olm.unarchiveUserOlm
); );
authenticated.get( authenticated.get(

9
server/routers/idp/createOidcIdp.ts
View File

@@ -24,7 +24,8 @@ const bodySchema = z.strictObject({
emailPath: z.string().optional(), emailPath: z.string().optional(),
namePath: z.string().optional(), namePath: z.string().optional(),
scopes: z.string().nonempty(), scopes: z.string().nonempty(),
autoProvision: z.boolean().optional() autoProvision: z.boolean().optional(),
tags: z.string().optional()
}); });
export type CreateIdpResponse = { export type CreateIdpResponse = {
@@ -75,7 +76,8 @@ export async function createOidcIdp(
emailPath, emailPath,
namePath, namePath,
name, name,
autoProvision autoProvision,
tags
} = parsedBody.data; } = parsedBody.data;
const key = config.getRawConfig().server.secret!; const key = config.getRawConfig().server.secret!;
@@ -90,7 +92,8 @@ export async function createOidcIdp(
.values({ .values({
name, name,
autoProvision, autoProvision,
type: "oidc" type: "oidc",
tags
}) })
.returning(); .returning();

3
server/routers/idp/listIdps.ts
View File

@@ -33,7 +33,8 @@ async function query(limit: number, offset: number) {
type: idp.type, type: idp.type,
variant: idpOidcConfig.variant, variant: idpOidcConfig.variant,
orgCount: sql<number>`count(${idpOrg.orgId})`, orgCount: sql<number>`count(${idpOrg.orgId})`,
autoProvision: idp.autoProvision autoProvision: idp.autoProvision,
tags: idp.tags
}) })
.from(idp) .from(idp)
.leftJoin(idpOrg, sql`${idp.idpId} = ${idpOrg.idpId}`) .leftJoin(idpOrg, sql`${idp.idpId} = ${idpOrg.idpId}`)

9
server/routers/idp/updateOidcIdp.ts
View File

@@ -30,7 +30,8 @@ const bodySchema = z.strictObject({
scopes: z.string().optional(), scopes: z.string().optional(),
autoProvision: z.boolean().optional(), autoProvision: z.boolean().optional(),
defaultRoleMapping: z.string().optional(), defaultRoleMapping: z.string().optional(),
defaultOrgMapping: z.string().optional() defaultOrgMapping: z.string().optional(),
tags: z.string().optional()
}); });
export type UpdateIdpResponse = { export type UpdateIdpResponse = {
@@ -94,7 +95,8 @@ export async function updateOidcIdp(
name, name,
autoProvision, autoProvision,
defaultRoleMapping, defaultRoleMapping,
defaultOrgMapping defaultOrgMapping,
tags
} = parsedBody.data; } = parsedBody.data;
// Check if IDP exists and is of type OIDC // Check if IDP exists and is of type OIDC
@@ -127,7 +129,8 @@ export async function updateOidcIdp(
name, name,
autoProvision, autoProvision,
defaultRoleMapping, defaultRoleMapping,
defaultOrgMapping defaultOrgMapping,
tags
}; };
// only update if at least one key is not undefined // only update if at least one key is not undefined

39
server/routers/integration.ts
View File

@@ -759,9 +759,10 @@ authenticated.post(
); );
authenticated.get( authenticated.get(
"/idp", "/idp", // no guards on this because anyone can list idps for login purposes
verifyApiKeyIsRoot, // we do the same for the external api
verifyApiKeyHasAction(ActionsEnum.listIdps), // verifyApiKeyIsRoot,
// verifyApiKeyHasAction(ActionsEnum.listIdps),
idp.listIdps idp.listIdps
); );
@@ -850,6 +851,38 @@ authenticated.delete(
client.deleteClient client.deleteClient
); );
authenticated.post(
"/client/:clientId/archive",
verifyApiKeyClientAccess,
verifyApiKeyHasAction(ActionsEnum.archiveClient),
logActionAudit(ActionsEnum.archiveClient),
client.archiveClient
);
authenticated.post(
"/client/:clientId/unarchive",
verifyApiKeyClientAccess,
verifyApiKeyHasAction(ActionsEnum.unarchiveClient),
logActionAudit(ActionsEnum.unarchiveClient),
client.unarchiveClient
);
authenticated.post(
"/client/:clientId/block",
verifyApiKeyClientAccess,
verifyApiKeyHasAction(ActionsEnum.blockClient),
logActionAudit(ActionsEnum.blockClient),
client.blockClient
);
authenticated.post(
"/client/:clientId/unblock",
verifyApiKeyClientAccess,
verifyApiKeyHasAction(ActionsEnum.unblockClient),
logActionAudit(ActionsEnum.unblockClient),
client.unblockClient
);
authenticated.post( authenticated.post(
"/client/:clientId", "/client/:clientId",
verifyApiKeyClientAccess, verifyApiKeyClientAccess,

81
server/routers/olm/archiveUserOlm.ts Normal file
View File

@@ -0,0 +1,81 @@
import { NextFunction, Request, Response } from "express";
import { db } from "@server/db";
import { olms, clients } from "@server/db";
import { eq } from "drizzle-orm";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import response from "@server/lib/response";
import { z } from "zod";
import { fromError } from "zod-validation-error";
import logger from "@server/logger";
import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
import { sendTerminateClient } from "../client/terminate";
const paramsSchema = z
.object({
userId: z.string(),
olmId: z.string()
})
.strict();
export async function archiveUserOlm(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedParams = paramsSchema.safeParse(req.params);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const { olmId } = parsedParams.data;
// Archive the OLM and disconnect associated clients in a transaction
await db.transaction(async (trx) => {
// Find all clients associated with this OLM
const associatedClients = await trx
.select()
.from(clients)
.where(eq(clients.olmId, olmId));
// Disconnect clients from the OLM (set olmId to null)
for (const client of associatedClients) {
await trx
.update(clients)
.set({ olmId: null })
.where(eq(clients.clientId, client.clientId));
await rebuildClientAssociationsFromClient(client, trx);
await sendTerminateClient(client.clientId, olmId);
}
// Archive the OLM (set archived to true)
await trx
.update(olms)
.set({ archived: true })
.where(eq(olms.olmId, olmId));
});
return response(res, {
data: null,
success: true,
error: false,
message: "Device archived successfully",
status: HttpCode.OK
});
} catch (error) {
logger.error(error);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to archive device"
)
);
}
}

49
server/routers/olm/getUserOlm.ts
View File

@@ -1,6 +1,6 @@
import { NextFunction, Request, Response } from "express"; import { NextFunction, Request, Response } from "express";
import { db } from "@server/db"; import { db } from "@server/db";
import { olms } from "@server/db"; import { olms, clients } from "@server/db";
import { eq, and } from "drizzle-orm"; import { eq, and } from "drizzle-orm";
import HttpCode from "@server/types/HttpCode"; import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors"; import createHttpError from "http-errors";
@@ -17,6 +17,10 @@ const paramsSchema = z
}) })
.strict(); .strict();
const querySchema = z.object({
orgId: z.string().optional()
});
// registry.registerPath({ // registry.registerPath({
// method: "get", // method: "get",
// path: "/user/{userId}/olm/{olmId}", // path: "/user/{userId}/olm/{olmId}",
@@ -44,15 +48,56 @@ export async function getUserOlm(
); );
} }
const parsedQuery = querySchema.safeParse(req.query);
if (!parsedQuery.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedQuery.error).toString()
)
);
}
const { olmId, userId } = parsedParams.data; const { olmId, userId } = parsedParams.data;
const { orgId } = parsedQuery.data;
const [olm] = await db const [olm] = await db
.select() .select()
.from(olms) .from(olms)
.where(and(eq(olms.userId, userId), eq(olms.olmId, olmId))); .where(and(eq(olms.userId, userId), eq(olms.olmId, olmId)));
if (!olm) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
"Olm not found"
)
);
}
// If orgId is provided and olm has a clientId, fetch the client to check blocked status
let blocked: boolean | undefined;
if (orgId && olm.clientId) {
const [client] = await db
.select({ blocked: clients.blocked })
.from(clients)
.where(
and(
eq(clients.clientId, olm.clientId),
eq(clients.orgId, orgId)
)
)
.limit(1);
blocked = client?.blocked ?? false;
}
const responseData = blocked !== undefined
? { ...olm, blocked }
: olm;
return response(res, { return response(res, {
data: olm, data: responseData,
success: true, success: true,
error: false, error: false,
message: "Successfully retrieved olm", message: "Successfully retrieved olm",

94
server/routers/olm/handleOlmPingMessage.ts
View File

@@ -1,7 +1,7 @@
import { db } from "@server/db"; import { db } from "@server/db";
import { disconnectClient } from "#dynamic/routers/ws"; import { disconnectClient } from "#dynamic/routers/ws";
import { MessageHandler } from "@server/routers/ws"; import { MessageHandler } from "@server/routers/ws";
import { clients, Olm } from "@server/db"; import { clients, olms, Olm } from "@server/db";
import { eq, lt, isNull, and, or } from "drizzle-orm"; import { eq, lt, isNull, and, or } from "drizzle-orm";
import logger from "@server/logger"; import logger from "@server/logger";
import { validateSessionToken } from "@server/auth/sessions/app"; import { validateSessionToken } from "@server/auth/sessions/app";
@@ -108,29 +108,17 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
return; return;
} }
if (olm.userId) { if (!olm.clientId) {
// we need to check a user token to make sure its still valid logger.warn("Olm has no client ID!");
const { session: userSession, user } = return;
await validateSessionToken(userToken); }
if (!userSession || !user) {
logger.warn("Invalid user session for olm ping");
return; // by returning here we just ignore the ping and the setInterval will force it to disconnect
}
if (user.userId !== olm.userId) {
logger.warn("User ID mismatch for olm ping");
return;
}
try {
// get the client // get the client
const [client] = await db const [client] = await db
.select() .select()
.from(clients) .from(clients)
.where( .where(eq(clients.clientId, olm.clientId))
and(
eq(clients.olmId, olm.olmId),
eq(clients.userId, olm.userId)
)
)
.limit(1); .limit(1);
if (!client) { if (!client) {
@@ -138,38 +126,62 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
return; return;
} }
const sessionId = encodeHexLowerCase( if (client.blocked) {
sha256(new TextEncoder().encode(userToken)) // NOTE: by returning we dont update the lastPing, so the offline checker will eventually disconnect them
); logger.debug(`Blocked client ${client.clientId} attempted olm ping`);
const policyCheck = await checkOrgAccessPolicy({
orgId: client.orgId,
userId: olm.userId,
sessionId // this is the user token passed in the message
});
if (!policyCheck.allowed) {
logger.warn(
`Olm user ${olm.userId} does not pass access policies for org ${client.orgId}: ${policyCheck.error}`
);
return; return;
} }
}
if (!olm.clientId) { if (olm.userId) {
logger.warn("Olm has no client ID!"); // we need to check a user token to make sure its still valid
return; const { session: userSession, user } =
} await validateSessionToken(userToken);
if (!userSession || !user) {
logger.warn("Invalid user session for olm ping");
return; // by returning here we just ignore the ping and the setInterval will force it to disconnect
}
if (user.userId !== olm.userId) {
logger.warn("User ID mismatch for olm ping");
return;
}
if (user.userId !== client.userId) {
logger.warn("Client user ID mismatch for olm ping");
return;
}
const sessionId = encodeHexLowerCase(
sha256(new TextEncoder().encode(userToken))
);
const policyCheck = await checkOrgAccessPolicy({
orgId: client.orgId,
userId: olm.userId,
sessionId // this is the user token passed in the message
});
if (!policyCheck.allowed) {
logger.warn(
`Olm user ${olm.userId} does not pass access policies for org ${client.orgId}: ${policyCheck.error}`
);
return;
}
}
try {
// Update the client's last ping timestamp
await db await db
.update(clients) .update(clients)
.set({ .set({
lastPing: Math.floor(Date.now() / 1000), lastPing: Math.floor(Date.now() / 1000),
online: true online: true,
archived: false
}) })
.where(eq(clients.clientId, olm.clientId)); .where(eq(clients.clientId, olm.clientId));
if (olm.archived) {
await db
.update(olms)
.set({ archived: false })
.where(eq(olms.olmId, olm.olmId));
}
} catch (error) { } catch (error) {
logger.error("Error handling ping message", { error }); logger.error("Error handling ping message", { error });
} }

16
server/routers/olm/handleOlmRegisterMessage.ts
View File

@@ -55,6 +55,11 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
return; return;
} }
if (client.blocked) {
logger.debug(`Client ${client.clientId} is blocked. Ignoring register.`);
return;
}
const [org] = await db const [org] = await db
.select() .select()
.from(orgs) .from(orgs)
@@ -112,18 +117,20 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
if ( if (
(olmVersion && olm.version !== olmVersion) || (olmVersion && olm.version !== olmVersion) ||
(olmAgent && olm.agent !== olmAgent) (olmAgent && olm.agent !== olmAgent) ||
olm.archived
) { ) {
await db await db
.update(olms) .update(olms)
.set({ .set({
version: olmVersion, version: olmVersion,
agent: olmAgent agent: olmAgent,
archived: false
}) })
.where(eq(olms.olmId, olm.olmId)); .where(eq(olms.olmId, olm.olmId));
} }
if (client.pubKey !== publicKey) { if (client.pubKey !== publicKey || client.archived) {
logger.info( logger.info(
"Public key mismatch. Updating public key and clearing session info..." "Public key mismatch. Updating public key and clearing session info..."
); );
@@ -131,7 +138,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
await db await db
.update(clients) .update(clients)
.set({ .set({
pubKey: publicKey pubKey: publicKey,
archived: false,
}) })
.where(eq(clients.clientId, client.clientId)); .where(eq(clients.clientId, client.clientId));

4
server/routers/olm/index.ts
View File

@@ -3,9 +3,9 @@ export * from "./getOlmToken";
export * from "./createUserOlm"; export * from "./createUserOlm";
export * from "./handleOlmRelayMessage"; export * from "./handleOlmRelayMessage";
export * from "./handleOlmPingMessage"; export * from "./handleOlmPingMessage";
export * from "./deleteUserOlm"; export * from "./archiveUserOlm";
export * from "./unarchiveUserOlm";
export * from "./listUserOlms"; export * from "./listUserOlms";
export * from "./deleteUserOlm";
export * from "./getUserOlm"; export * from "./getUserOlm";
export * from "./handleOlmServerPeerAddMessage"; export * from "./handleOlmServerPeerAddMessage";
export * from "./handleOlmUnRelayMessage"; export * from "./handleOlmUnRelayMessage";

8
server/routers/olm/listUserOlms.ts
View File

@@ -51,6 +51,7 @@ export type ListUserOlmsResponse = {
name: string | null; name: string | null;
clientId: number | null; clientId: number | null;
userId: string | null; userId: string | null;
archived: boolean;
}>; }>;
pagination: { pagination: {
total: number; total: number;
@@ -89,7 +90,7 @@ export async function listUserOlms(
const { userId } = parsedParams.data; const { userId } = parsedParams.data;
// Get total count // Get total count (including archived OLMs)
const [totalCountResult] = await db const [totalCountResult] = await db
.select({ count: count() }) .select({ count: count() })
.from(olms) .from(olms)
@@ -97,7 +98,7 @@ export async function listUserOlms(
const total = totalCountResult?.count || 0; const total = totalCountResult?.count || 0;
// Get OLMs for the current user // Get OLMs for the current user (including archived OLMs)
const userOlms = await db const userOlms = await db
.select({ .select({
olmId: olms.olmId, olmId: olms.olmId,
@@ -105,7 +106,8 @@ export async function listUserOlms(
version: olms.version, version: olms.version,
name: olms.name, name: olms.name,
clientId: olms.clientId, clientId: olms.clientId,
userId: olms.userId userId: olms.userId,
archived: olms.archived
}) })
.from(olms) .from(olms)
.where(eq(olms.userId, userId)) .where(eq(olms.userId, userId))

84
server/routers/olm/unarchiveUserOlm.ts Normal file
View File

@@ -0,0 +1,84 @@
import { NextFunction, Request, Response } from "express";
import { db } from "@server/db";
import { olms } from "@server/db";
import { eq } from "drizzle-orm";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import response from "@server/lib/response";
import { z } from "zod";
import { fromError } from "zod-validation-error";
import logger from "@server/logger";
const paramsSchema = z
.object({
userId: z.string(),
olmId: z.string()
})
.strict();
export async function unarchiveUserOlm(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedParams = paramsSchema.safeParse(req.params);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const { olmId } = parsedParams.data;
// Check if OLM exists and is archived
const [olm] = await db
.select()
.from(olms)
.where(eq(olms.olmId, olmId))
.limit(1);
if (!olm) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
`OLM with ID ${olmId} not found`
)
);
}
if (!olm.archived) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
`OLM with ID ${olmId} is not archived`
)
);
}
// Unarchive the OLM (set archived to false)
await db
.update(olms)
.set({ archived: false })
.where(eq(olms.olmId, olmId));
return response(res, {
data: null,
success: true,
error: false,
message: "Device unarchived successfully",
status: HttpCode.OK
});
} catch (error) {
logger.error(error);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to unarchive device"
)
);
}
}

18
src/app/[orgId]/settings/(private)/idp/layout.tsx Normal file
View File

@@ -0,0 +1,18 @@
import { pullEnv } from "@app/lib/pullEnv";
import { build } from "@server/build";
import { redirect } from "next/navigation";
interface LayoutProps {
children: React.ReactNode;
params: Promise<{}>;
}
export default async function Layout(props: LayoutProps) {
const env = pullEnv();
if (build !== "saas" && !env.flags.useOrgOnlyIdp) {
redirect("/");
}
return props.children;
}

4
src/app/[orgId]/settings/clients/machine/page.tsx
View File

@@ -59,7 +59,9 @@ export default async function ClientsPage(props: ClientsPageProps) {
username: client.username, username: client.username,
userEmail: client.userEmail, userEmail: client.userEmail,
niceId: client.niceId, niceId: client.niceId,
agent: client.agent agent: client.agent,
archived: client.archived || false,
blocked: client.blocked || false
}; };
}; };

2
src/app/[orgId]/settings/clients/user/page.tsx
View File

@@ -56,6 +56,8 @@ export default async function ClientsPage(props: ClientsPageProps) {
userEmail: client.userEmail, userEmail: client.userEmail,
niceId: client.niceId, niceId: client.niceId,
agent: client.agent, agent: client.agent,
archived: client.archived || false,
blocked: client.blocked || false,
approvalState: client.approvalState ?? "approved" approvalState: client.approvalState ?? "approved"
}; };
}; };

2
src/app/[orgId]/settings/layout.tsx
View File

@@ -82,7 +82,7 @@ export default async function SettingsLayout(props: SettingsLayoutProps) {
<Layout <Layout
orgId={params.orgId} orgId={params.orgId}
orgs={orgs} orgs={orgs}
navItems={orgNavSections()} navItems={orgNavSections(env)}
> >
{children} {children}
</Layout> </Layout>

9
src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx
View File

@@ -36,8 +36,8 @@ import {
import type { ResourceContextType } from "@app/contexts/resourceContext"; import type { ResourceContextType } from "@app/contexts/resourceContext";
import { useEnvContext } from "@app/hooks/useEnvContext"; import { useEnvContext } from "@app/hooks/useEnvContext";
import { useOrgContext } from "@app/hooks/useOrgContext"; import { useOrgContext } from "@app/hooks/useOrgContext";
import { usePaidStatus } from "@app/hooks/usePaidStatus";
import { useResourceContext } from "@app/hooks/useResourceContext"; import { useResourceContext } from "@app/hooks/useResourceContext";
import { useSubscriptionStatusContext } from "@app/hooks/useSubscriptionStatusContext";
import { toast } from "@app/hooks/useToast"; import { toast } from "@app/hooks/useToast";
import { createApiClient, formatAxiosError } from "@app/lib/api"; import { createApiClient, formatAxiosError } from "@app/lib/api";
import { orgQueries, resourceQueries } from "@app/lib/queries"; import { orgQueries, resourceQueries } from "@app/lib/queries";
@@ -95,7 +95,7 @@ export default function ResourceAuthenticationPage() {
const router = useRouter(); const router = useRouter();
const t = useTranslations(); const t = useTranslations();
const subscription = useSubscriptionStatusContext(); const { isPaidUser } = usePaidStatus();
const queryClient = useQueryClient(); const queryClient = useQueryClient();
const { data: resourceRoles = [], isLoading: isLoadingResourceRoles } = const { data: resourceRoles = [], isLoading: isLoadingResourceRoles } =
@@ -129,7 +129,8 @@ export default function ResourceAuthenticationPage() {
); );
const { data: orgIdps = [], isLoading: isLoadingOrgIdps } = useQuery( const { data: orgIdps = [], isLoading: isLoadingOrgIdps } = useQuery(
orgQueries.identityProviders({ orgQueries.identityProviders({
orgId: org.org.orgId orgId: org.org.orgId,
useOrgOnlyIdp: env.flags.useOrgOnlyIdp
}) })
); );
@@ -159,7 +160,7 @@ export default function ResourceAuthenticationPage() {
const allIdps = useMemo(() => { const allIdps = useMemo(() => {
if (build === "saas") { if (build === "saas") {
if (subscription?.subscribed) { if (isPaidUser) {
return orgIdps.map((idp) => ({ return orgIdps.map((idp) => ({
id: idp.idpId, id: idp.idpId,
text: idp.name text: idp.name

5
src/app/admin/layout.tsx
View File

@@ -11,6 +11,7 @@ import { AxiosResponse } from "axios";
import { authCookieHeader } from "@app/lib/api/cookies"; import { authCookieHeader } from "@app/lib/api/cookies";
import { Layout } from "@app/components/Layout"; import { Layout } from "@app/components/Layout";
import { adminNavSections } from "../navigation"; import { adminNavSections } from "../navigation";
import { pullEnv } from "@app/lib/pullEnv";
export const dynamic = "force-dynamic"; export const dynamic = "force-dynamic";
@@ -27,6 +28,8 @@ export default async function AdminLayout(props: LayoutProps) {
const getUser = cache(verifySession); const getUser = cache(verifySession);
const user = await getUser(); const user = await getUser();
const env = pullEnv();
if (!user || !user.serverAdmin) { if (!user || !user.serverAdmin) {
redirect(`/`); redirect(`/`);
} }
@@ -48,7 +51,7 @@ export default async function AdminLayout(props: LayoutProps) {
return ( return (
<UserProvider user={user}> <UserProvider user={user}>
<Layout orgs={orgs} navItems={adminNavSections}> <Layout orgs={orgs} navItems={adminNavSections(env)}>
{props.children} {props.children}
</Layout> </Layout>
</UserProvider> </UserProvider>

22
src/app/auth/layout.tsx
View File

@@ -44,7 +44,7 @@ export default async function AuthLayout({ children }: AuthLayoutProps) {
return ( return (
<div className="h-full flex flex-col"> <div className="h-full flex flex-col">
<div className="flex justify-end items-center p-3 space-x-2"> <div className="hidden md:flex justify-end items-center p-3 space-x-2">
<ThemeSwitcher /> <ThemeSwitcher />
</div> </div>
@@ -127,26 +127,6 @@ export default async function AuthLayout({ children }: AuthLayoutProps) {
</a> </a>
</> </>
)} )}
<Separator orientation="vertical" />
<a
href="https://docs.pangolin.net"
target="_blank"
rel="noopener noreferrer"
aria-label="Built by Fossorial"
className="flex items-center space-x-2 whitespace-nowrap"
>
<span>{t("docs")}</span>
</a>
<Separator orientation="vertical" />
<a
href="https://github.com/fosrl/pangolin"
target="_blank"
rel="noopener noreferrer"
aria-label="GitHub"
className="flex items-center space-x-2 whitespace-nowrap"
>
<span>{t("github")}</span>
</a>
</div> </div>
</footer> </footer>
)} )}

29
src/app/auth/login/device/success/page.tsx
View File

@@ -7,6 +7,7 @@ import { useLicenseStatusContext } from "@app/hooks/useLicenseStatusContext";
import { CheckCircle2 } from "lucide-react"; import { CheckCircle2 } from "lucide-react";
import { useTranslations } from "next-intl"; import { useTranslations } from "next-intl";
import Link from "next/link"; import Link from "next/link";
import { useEffect } from "react";
export default function DeviceAuthSuccessPage() { export default function DeviceAuthSuccessPage() {
const { env } = useEnvContext(); const { env } = useEnvContext();
@@ -20,6 +21,32 @@ export default function DeviceAuthSuccessPage() {
? env.branding.logo?.authPage?.height || 58 ? env.branding.logo?.authPage?.height || 58
: 58; : 58;
useEffect(() => {
// Detect if we're on iOS or Android
const userAgent = navigator.userAgent || navigator.vendor || (window as any).opera;
const isIOS = /iPad|iPhone|iPod/.test(userAgent) && !(window as any).MSStream;
const isAndroid = /android/i.test(userAgent);
if (isAndroid) {
// For Android Chrome Custom Tabs, use intent:// scheme which works more reliably
// This explicitly tells Chrome to send an intent to the app, which will bring
// SignInCodeActivity back to the foreground (it has launchMode="singleTop")
setTimeout(() => {
window.location.href = "intent://auth-success#Intent;scheme=pangolin;package=net.pangolin.Pangolin;end";
}, 500);
} else if (isIOS) {
// Wait 500ms then attempt to open the app
setTimeout(() => {
// Try to open the app using deep link
window.location.href = "pangolin://";
setTimeout(() => {
window.location.href = "https://apps.apple.com/app/pangolin/net.pangolin.Pangolin.PangoliniOS";
}, 2000);
}, 500);
}
}, []);
return ( return (
<> <>
<Card> <Card>
@@ -55,4 +82,4 @@ export default function DeviceAuthSuccessPage() {
</p> </p>
</> </>
); );
} }

35
src/app/auth/login/page.tsx
View File

@@ -70,7 +70,7 @@ export default async function Page(props: {
} }
let loginIdps: LoginFormIDP[] = []; let loginIdps: LoginFormIDP[] = [];
if (build !== "saas") { if (build === "oss" || !env.flags.useOrgOnlyIdp) {
const idpsRes = await cache( const idpsRes = await cache(
async () => await priv.get<AxiosResponse<ListIdpsResponse>>("/idp") async () => await priv.get<AxiosResponse<ListIdpsResponse>>("/idp")
)(); )();
@@ -103,6 +103,10 @@ export default async function Page(props: {
redirect={redirectUrl} redirect={redirectUrl}
idps={loginIdps} idps={loginIdps}
forceLogin={forceLogin} forceLogin={forceLogin}
showOrgLogin={
!isInvite && (build === "saas" || env.flags.useOrgOnlyIdp)
}
searchParams={searchParams}
/> />
{(!signUpDisabled || isInvite) && ( {(!signUpDisabled || isInvite) && (
@@ -120,35 +124,6 @@ export default async function Page(props: {
</Link> </Link>
</p> </p>
)} )}
{!isInvite && build === "saas" ? (
<div className="text-center text-muted-foreground mt-12 flex flex-col items-center">
<span>{t("needToSignInToOrg")}</span>
<Link
href={`/auth/org${buildQueryString(searchParams)}`}
className="underline"
>
{t("orgAuthSignInToOrg")}
</Link>
</div>
) : null}
</> </>
); );
} }
function buildQueryString(searchParams: {
[key: string]: string | string[] | undefined;
}): string {
const params = new URLSearchParams();
const redirect = searchParams.redirect;
const forceLogin = searchParams.forceLogin;
if (redirect && typeof redirect === "string") {
params.set("redirect", redirect);
}
if (forceLogin && typeof forceLogin === "string") {
params.set("forceLogin", forceLogin);
}
const queryString = params.toString();
return queryString ? `?${queryString}` : "";
}

41
src/app/auth/org/[orgId]/page.tsx
View File

@@ -11,6 +11,7 @@ import {
} from "@server/routers/loginPage/types"; } from "@server/routers/loginPage/types";
import { redirect } from "next/navigation"; import { redirect } from "next/navigation";
import OrgLoginPage from "@app/components/OrgLoginPage"; import OrgLoginPage from "@app/components/OrgLoginPage";
import { pullEnv } from "@app/lib/pullEnv";
export const dynamic = "force-dynamic"; export const dynamic = "force-dynamic";
@@ -21,7 +22,9 @@ export default async function OrgAuthPage(props: {
const searchParams = await props.searchParams; const searchParams = await props.searchParams;
const params = await props.params; const params = await props.params;
if (build !== "saas") { const env = pullEnv();
if (build !== "saas" && !env.flags.useOrgOnlyIdp) {
const queryString = new URLSearchParams(searchParams as any).toString(); const queryString = new URLSearchParams(searchParams as any).toString();
redirect(`/auth/login${queryString ? `?${queryString}` : ""}`); redirect(`/auth/login${queryString ? `?${queryString}` : ""}`);
} }
@@ -50,29 +53,25 @@ export default async function OrgAuthPage(props: {
} catch (e) {} } catch (e) {}
let loginIdps: LoginFormIDP[] = []; let loginIdps: LoginFormIDP[] = [];
if (build === "saas") { const idpsRes = await priv.get<AxiosResponse<ListOrgIdpsResponse>>(
const idpsRes = await priv.get<AxiosResponse<ListOrgIdpsResponse>>( `/org/${orgId}/idp`
`/org/${orgId}/idp` );
);
loginIdps = idpsRes.data.data.idps.map((idp) => ({ loginIdps = idpsRes.data.data.idps.map((idp) => ({
idpId: idp.idpId, idpId: idp.idpId,
name: idp.name, name: idp.name,
variant: idp.variant variant: idp.variant
})) as LoginFormIDP[]; })) as LoginFormIDP[];
}
let branding: LoadLoginPageBrandingResponse | null = null; let branding: LoadLoginPageBrandingResponse | null = null;
if (build === "saas") { try {
try { const res = await priv.get<
const res = await priv.get< AxiosResponse<LoadLoginPageBrandingResponse>
AxiosResponse<LoadLoginPageBrandingResponse> >(`/login-page-branding?orgId=${orgId}`);
>(`/login-page-branding?orgId=${orgId}`); if (res.status === 200) {
if (res.status === 200) { branding = res.data.data;
branding = res.data.data; }
} } catch (error) {}
} catch (error) {}
}
return ( return (
<OrgLoginPage <OrgLoginPage

6
src/app/auth/org/page.tsx
View File

@@ -33,12 +33,12 @@ export default async function OrgAuthPage(props: {
const forceLoginParam = searchParams.forceLogin; const forceLoginParam = searchParams.forceLogin;
const forceLogin = forceLoginParam === "true"; const forceLogin = forceLoginParam === "true";
if (build !== "saas") { const env = pullEnv();
if (build !== "saas" && !env.flags.useOrgOnlyIdp) {
redirect("/"); redirect("/");
} }
const env = pullEnv();
const authHeader = await authCookieHeader(); const authHeader = await authCookieHeader();
if (searchParams.token) { if (searchParams.token) {

2
src/app/auth/resource/[resourceGuid]/page.tsx
View File

@@ -204,7 +204,7 @@ export default async function ResourceAuthPage(props: {
} }
let loginIdps: LoginFormIDP[] = []; let loginIdps: LoginFormIDP[] = [];
if (build === "saas") { if (build === "saas" || env.flags.useOrgOnlyIdp) {
if (subscribed) { if (subscribed) {
const idpsRes = await cache( const idpsRes = await cache(
async () => async () =>

2
src/app/globals.css
View File

@@ -21,6 +21,7 @@
--accent: oklch(0.967 0.001 286.375); --accent: oklch(0.967 0.001 286.375);
--accent-foreground: oklch(0.21 0.006 285.885); --accent-foreground: oklch(0.21 0.006 285.885);
--destructive: oklch(0.577 0.245 27.325); --destructive: oklch(0.577 0.245 27.325);
--destructive-foreground: oklch(0.985 0 0);
--border: oklch(0.91 0.004 286.32); --border: oklch(0.91 0.004 286.32);
--input: oklch(0.92 0.004 286.32); --input: oklch(0.92 0.004 286.32);
--ring: oklch(0.705 0.213 47.604); --ring: oklch(0.705 0.213 47.604);
@@ -55,6 +56,7 @@
--accent: oklch(0.274 0.006 286.033); --accent: oklch(0.274 0.006 286.033);
--accent-foreground: oklch(0.985 0 0); --accent-foreground: oklch(0.985 0 0);
--destructive: oklch(0.5382 0.1949 22.216); --destructive: oklch(0.5382 0.1949 22.216);
--destructive-foreground: oklch(0.985 0 0);
--border: oklch(1 0 0 / 13%); --border: oklch(1 0 0 / 13%);
--input: oklch(1 0 0 / 18%); --input: oklch(1 0 0 / 18%);
--ring: oklch(0.646 0.222 41.116); --ring: oklch(0.646 0.222 41.116);

36
src/app/navigation.tsx
View File

@@ -1,4 +1,5 @@
import { SidebarNavItem } from "@app/components/SidebarNav"; import { SidebarNavItem } from "@app/components/SidebarNav";
import { Env } from "@app/lib/types/env";
import { build } from "@server/build"; import { build } from "@server/build";
import { import {
ChartLine, ChartLine,
@@ -39,7 +40,7 @@ export const orgLangingNavItems: SidebarNavItem[] = [
} }
]; ];
export const orgNavSections = (): SidebarNavSection[] => [ export const orgNavSections = (env?: Env): SidebarNavSection[] => [
{ {
heading: "sidebarGeneral", heading: "sidebarGeneral",
items: [ items: [
@@ -92,8 +93,7 @@ export const orgNavSections = (): SidebarNavSection[] => [
{ {
title: "sidebarRemoteExitNodes", title: "sidebarRemoteExitNodes",
href: "/{orgId}/settings/remote-exit-nodes", href: "/{orgId}/settings/remote-exit-nodes",
icon: <Server className="size-4 flex-none" />, icon: <Server className="size-4 flex-none" />
showEE: true
} }
] ]
: []) : [])
@@ -123,13 +123,21 @@ export const orgNavSections = (): SidebarNavSection[] => [
href: "/{orgId}/settings/access/roles", href: "/{orgId}/settings/access/roles",
icon: <Users className="size-4 flex-none" /> icon: <Users className="size-4 flex-none" />
}, },
...(build === "saas" ...(build === "saas" || env?.flags.useOrgOnlyIdp
? [ ? [
{ {
title: "sidebarIdentityProviders", title: "sidebarIdentityProviders",
href: "/{orgId}/settings/idp", href: "/{orgId}/settings/idp",
icon: <Fingerprint className="size-4 flex-none" />, icon: <Fingerprint className="size-4 flex-none" />
showEE: true }
]
: []),
...(build !== "oss"
? [
{
title: "sidebarApprovals",
href: "/{orgId}/settings/access/approvals",
icon: <UserCog className="size-4 flex-none" />
} }
] ]
: []), : []),
@@ -237,7 +245,7 @@ export const orgNavSections = (): SidebarNavSection[] => [
} }
]; ];
export const adminNavSections: SidebarNavSection[] = [ export const adminNavSections = (env?: Env): SidebarNavSection[] => [
{ {
heading: "sidebarAdmin", heading: "sidebarAdmin",
items: [ items: [
@@ -251,11 +259,15 @@ export const adminNavSections: SidebarNavSection[] = [
href: "/admin/api-keys", href: "/admin/api-keys",
icon: <KeyRound className="size-4 flex-none" /> icon: <KeyRound className="size-4 flex-none" />
}, },
{ ...(build === "oss" || !env?.flags.useOrgOnlyIdp
title: "sidebarIdentityProviders", ? [
href: "/admin/idp", {
icon: <Fingerprint className="size-4 flex-none" /> title: "sidebarIdentityProviders",
}, href: "/admin/idp",
icon: <Fingerprint className="size-4 flex-none" />
}
]
: []),
...(build == "enterprise" ...(build == "enterprise"
? [ ? [
{ {

6
src/components/AuthPageBrandingForm.tsx
View File

@@ -118,6 +118,7 @@ export default function AuthPageBrandingForm({
const brandingData = form.getValues(); const brandingData = form.getValues();
if (!isValid || !isPaidUser) return; if (!isValid || !isPaidUser) return;
try { try {
const updateRes = await api.put( const updateRes = await api.put(
`/org/${orgId}/login-page-branding`, `/org/${orgId}/login-page-branding`,
@@ -289,7 +290,8 @@ export default function AuthPageBrandingForm({
</div> </div>
</div> </div>
{build === "saas" && ( {build === "saas" ||
env.env.flags.useOrgOnlyIdp ? (
<> <>
<div className="mt-3 mb-6"> <div className="mt-3 mb-6">
<SettingsSectionTitle> <SettingsSectionTitle>
@@ -343,7 +345,7 @@ export default function AuthPageBrandingForm({
/> />
</div> </div>
</> </>
)} ) : null}
<div className="mt-3 mb-6"> <div className="mt-3 mb-6">
<SettingsSectionTitle> <SettingsSectionTitle>

5
src/components/ConfirmDeleteDialog.tsx
View File

@@ -63,6 +63,8 @@ export default function ConfirmDeleteDialog({
} }
}); });
const isConfirmed = form.watch("string") === string;
async function onSubmit() { async function onSubmit() {
try { try {
await onConfirm(); await onConfirm();
@@ -139,7 +141,8 @@ export default function ConfirmDeleteDialog({
type="submit" type="submit"
form="confirm-delete-form" form="confirm-delete-form"
loading={loading} loading={loading}
disabled={loading} disabled={loading || !isConfirmed}
className={!isConfirmed && !loading ? "opacity-50" : ""}
> >
{buttonText} {buttonText}
</Button> </Button>

47
src/components/DashboardLoginForm.tsx
View File

@@ -17,17 +17,26 @@ import { cleanRedirect } from "@app/lib/cleanRedirect";
import BrandingLogo from "@app/components/BrandingLogo"; import BrandingLogo from "@app/components/BrandingLogo";
import { useTranslations } from "next-intl"; import { useTranslations } from "next-intl";
import { useLicenseStatusContext } from "@app/hooks/useLicenseStatusContext"; import { useLicenseStatusContext } from "@app/hooks/useLicenseStatusContext";
import Link from "next/link";
import { Button } from "./ui/button";
import { ArrowRight } from "lucide-react";
type DashboardLoginFormProps = { type DashboardLoginFormProps = {
redirect?: string; redirect?: string;
idps?: LoginFormIDP[]; idps?: LoginFormIDP[];
forceLogin?: boolean; forceLogin?: boolean;
showOrgLogin?: boolean;
searchParams?: {
[key: string]: string | string[] | undefined;
};
}; };
export default function DashboardLoginForm({ export default function DashboardLoginForm({
redirect, redirect,
idps, idps,
forceLogin forceLogin,
showOrgLogin,
searchParams
}: DashboardLoginFormProps) { }: DashboardLoginFormProps) {
const router = useRouter(); const router = useRouter();
const { env } = useEnvContext(); const { env } = useEnvContext();
@@ -35,6 +44,9 @@ export default function DashboardLoginForm({
const { isUnlocked } = useLicenseStatusContext(); const { isUnlocked } = useLicenseStatusContext();
function getSubtitle() { function getSubtitle() {
if (forceLogin) {
return t("loginRequiredForDevice");
}
if (isUnlocked() && env.branding?.loginPage?.subtitleText) { if (isUnlocked() && env.branding?.loginPage?.subtitleText) {
return env.branding.loginPage.subtitleText; return env.branding.loginPage.subtitleText;
} }
@@ -57,6 +69,22 @@ export default function DashboardLoginForm({
<div className="text-center space-y-1 pt-3"> <div className="text-center space-y-1 pt-3">
<p className="text-muted-foreground">{getSubtitle()}</p> <p className="text-muted-foreground">{getSubtitle()}</p>
</div> </div>
{showOrgLogin && (
<div className="space-y-2 mt-4">
<Link
href={`/auth/org${buildQueryString(searchParams || {})}`}
className="underline"
>
<Button
variant="secondary"
className="w-full gap-2"
>
{t("orgAuthSignInToOrg")}
<ArrowRight className="h-4 w-4" />
</Button>
</Link>
</div>
)}
</CardHeader> </CardHeader>
<CardContent className="pt-6"> <CardContent className="pt-6">
<LoginForm <LoginForm
@@ -76,3 +104,20 @@ export default function DashboardLoginForm({
</Card> </Card>
); );
} }
function buildQueryString(searchParams: {
[key: string]: string | string[] | undefined;
}): string {
const params = new URLSearchParams();
const redirect = searchParams.redirect;
const forceLogin = searchParams.forceLogin;
if (redirect && typeof redirect === "string") {
params.set("redirect", redirect);
}
if (forceLogin && typeof forceLogin === "string") {
params.set("forceLogin", forceLogin);
}
const queryString = params.toString();
return queryString ? `?${queryString}` : "";
}

4
src/components/DeviceLoginForm.tsx
View File

@@ -85,8 +85,6 @@ export default function DeviceLoginForm({
data.code = data.code.slice(0, 4) + "-" + data.code.slice(4); data.code = data.code.slice(0, 4) + "-" + data.code.slice(4);
} }
await new Promise((resolve) => setTimeout(resolve, 300));
// First check - get metadata // First check - get metadata
const res = await api.post( const res = await api.post(
"/device-web-auth/verify?forceLogin=true", "/device-web-auth/verify?forceLogin=true",
@@ -117,8 +115,6 @@ export default function DeviceLoginForm({
setLoading(true); setLoading(true);
try { try {
await new Promise((resolve) => setTimeout(resolve, 300));
// Final verify // Final verify
await api.post("/device-web-auth/verify", { await api.post("/device-web-auth/verify", {
code: code, code: code,

9
src/components/LoginForm.tsx
View File

@@ -409,15 +409,6 @@ export default function LoginForm({
return ( return (
<div className="space-y-4"> <div className="space-y-4">
{forceLogin && (
<Alert variant="neutral">
<AlertDescription className="flex items-center gap-2">
<LockIcon className="w-4 h-4" />
{t("loginRequiredForDevice")}
</AlertDescription>
</Alert>
)}
{showSecurityKeyPrompt && ( {showSecurityKeyPrompt && (
<Alert> <Alert>
<FingerprintIcon className="w-5 h-5 mr-2" /> <FingerprintIcon className="w-5 h-5 mr-2" />

211
src/components/MachineClientsTable.tsx
View File

@@ -12,7 +12,12 @@ import {
import { useEnvContext } from "@app/hooks/useEnvContext"; import { useEnvContext } from "@app/hooks/useEnvContext";
import { toast } from "@app/hooks/useToast"; import { toast } from "@app/hooks/useToast";
import { createApiClient, formatAxiosError } from "@app/lib/api"; import { createApiClient, formatAxiosError } from "@app/lib/api";
import { ArrowRight, ArrowUpDown, MoreHorizontal } from "lucide-react"; import {
ArrowRight,
ArrowUpDown,
MoreHorizontal,
CircleSlash
} from "lucide-react";
import { useTranslations } from "next-intl"; import { useTranslations } from "next-intl";
import Link from "next/link"; import Link from "next/link";
import { useRouter } from "next/navigation"; import { useRouter } from "next/navigation";
@@ -35,6 +40,8 @@ export type ClientRow = {
userEmail: string | null; userEmail: string | null;
niceId: string; niceId: string;
agent: string | null; agent: string | null;
archived?: boolean;
blocked?: boolean;
approvalState: "approved" | "pending" | "denied"; approvalState: "approved" | "pending" | "denied";
}; };
@@ -52,6 +59,7 @@ export default function MachineClientsTable({
const t = useTranslations(); const t = useTranslations();
const [isDeleteModalOpen, setIsDeleteModalOpen] = useState(false); const [isDeleteModalOpen, setIsDeleteModalOpen] = useState(false);
const [isBlockModalOpen, setIsBlockModalOpen] = useState(false);
const [selectedClient, setSelectedClient] = useState<ClientRow | null>( const [selectedClient, setSelectedClient] = useState<ClientRow | null>(
null null
); );
@@ -97,6 +105,76 @@ export default function MachineClientsTable({
}); });
}; };
const archiveClient = (clientId: number) => {
api.post(`/client/${clientId}/archive`)
.catch((e) => {
console.error("Error archiving client", e);
toast({
variant: "destructive",
title: "Error archiving client",
description: formatAxiosError(e, "Error archiving client")
});
})
.then(() => {
startTransition(() => {
router.refresh();
});
});
};
const unarchiveClient = (clientId: number) => {
api.post(`/client/${clientId}/unarchive`)
.catch((e) => {
console.error("Error unarchiving client", e);
toast({
variant: "destructive",
title: "Error unarchiving client",
description: formatAxiosError(e, "Error unarchiving client")
});
})
.then(() => {
startTransition(() => {
router.refresh();
});
});
};
const blockClient = (clientId: number) => {
api.post(`/client/${clientId}/block`)
.catch((e) => {
console.error("Error blocking client", e);
toast({
variant: "destructive",
title: "Error blocking client",
description: formatAxiosError(e, "Error blocking client")
});
})
.then(() => {
startTransition(() => {
router.refresh();
setIsBlockModalOpen(false);
setSelectedClient(null);
});
});
};
const unblockClient = (clientId: number) => {
api.post(`/client/${clientId}/unblock`)
.catch((e) => {
console.error("Error unblocking client", e);
toast({
variant: "destructive",
title: "Error unblocking client",
description: formatAxiosError(e, "Error unblocking client")
});
})
.then(() => {
startTransition(() => {
router.refresh();
});
});
};
// Check if there are any rows without userIds in the current view's data // Check if there are any rows without userIds in the current view's data
const hasRowsWithoutUserId = useMemo(() => { const hasRowsWithoutUserId = useMemo(() => {
return machineClients.some((client) => !client.userId) ?? false; return machineClients.some((client) => !client.userId) ?? false;
@@ -122,6 +200,28 @@ export default function MachineClientsTable({
<ArrowUpDown className="ml-2 h-4 w-4" /> <ArrowUpDown className="ml-2 h-4 w-4" />
</Button> </Button>
); );
},
cell: ({ row }) => {
const r = row.original;
return (
<div className="flex items-center gap-2">
<span>{r.name}</span>
{r.archived && (
<Badge variant="secondary">
{t("archived")}
</Badge>
)}
{r.blocked && (
<Badge
variant="destructive"
className="flex items-center gap-1"
>
<CircleSlash className="h-3 w-3" />
{t("blocked")}
</Badge>
)}
</div>
);
} }
}, },
{ {
@@ -301,14 +401,37 @@ export default function MachineClientsTable({
</Button> </Button>
</DropdownMenuTrigger> </DropdownMenuTrigger>
<DropdownMenuContent align="end"> <DropdownMenuContent align="end">
{/* <Link */} <DropdownMenuItem
{/* className="block w-full" */} onClick={() => {
{/* href={`/${clientRow.orgId}/settings/sites/${clientRow.nice}`} */} if (clientRow.archived) {
{/* > */} unarchiveClient(clientRow.id);
{/* <DropdownMenuItem> */} } else {
{/* View settings */} archiveClient(clientRow.id);
{/* </DropdownMenuItem> */} }
{/* </Link> */} }}
>
<span>
{clientRow.archived
? "Unarchive"
: "Archive"}
</span>
</DropdownMenuItem>
<DropdownMenuItem
onClick={() => {
if (clientRow.blocked) {
unblockClient(clientRow.id);
} else {
setSelectedClient(clientRow);
setIsBlockModalOpen(true);
}
}}
>
<span>
{clientRow.blocked
? "Unblock"
: "Block"}
</span>
</DropdownMenuItem>
<DropdownMenuItem <DropdownMenuItem
onClick={() => { onClick={() => {
setSelectedClient(clientRow); setSelectedClient(clientRow);
@@ -359,6 +482,27 @@ export default function MachineClientsTable({
title="Delete Client" title="Delete Client"
/> />
)} )}
{selectedClient && (
<ConfirmDeleteDialog
open={isBlockModalOpen}
setOpen={(val) => {
setIsBlockModalOpen(val);
if (!val) {
setSelectedClient(null);
}
}}
dialog={
<div className="space-y-2">
<p>{t("blockClientQuestion")}</p>
<p>{t("blockClientMessage")}</p>
</div>
}
buttonText={t("blockClientConfirm")}
onConfirm={async () => blockClient(selectedClient!.id)}
string={selectedClient.name}
title={t("blockClient")}
/>
)}
<DataTable <DataTable
columns={columns} columns={columns}
@@ -377,6 +521,55 @@ export default function MachineClientsTable({
columnVisibility={defaultMachineColumnVisibility} columnVisibility={defaultMachineColumnVisibility}
stickyLeftColumn="name" stickyLeftColumn="name"
stickyRightColumn="actions" stickyRightColumn="actions"
filters={[
{
id: "status",
label: t("status") || "Status",
multiSelect: true,
displayMode: "calculated",
options: [
{
id: "active",
label: t("active") || "Active",
value: "active"
},
{
id: "archived",
label: t("archived") || "Archived",
value: "archived"
},
{
id: "blocked",
label: t("blocked") || "Blocked",
value: "blocked"
}
],
filterFn: (
row: ClientRow,
selectedValues: (string | number | boolean)[]
) => {
if (selectedValues.length === 0) return true;
const rowArchived = row.archived || false;
const rowBlocked = row.blocked || false;
const isActive = !rowArchived && !rowBlocked;
if (selectedValues.includes("active") && isActive)
return true;
if (
selectedValues.includes("archived") &&
rowArchived
)
return true;
if (
selectedValues.includes("blocked") &&
rowBlocked
)
return true;
return false;
},
defaultValues: ["active"] // Default to showing active clients
}
]}
/> />
</> </>
); );

35
src/components/PermissionsSelectBox.tsx
View File

@@ -103,6 +103,10 @@ function getActionsCategories(root: boolean) {
Client: { Client: {
[t("actionCreateClient")]: "createClient", [t("actionCreateClient")]: "createClient",
[t("actionDeleteClient")]: "deleteClient", [t("actionDeleteClient")]: "deleteClient",
[t("actionArchiveClient")]: "archiveClient",
[t("actionUnarchiveClient")]: "unarchiveClient",
[t("actionBlockClient")]: "blockClient",
[t("actionUnblockClient")]: "unblockClient",
[t("actionUpdateClient")]: "updateClient", [t("actionUpdateClient")]: "updateClient",
[t("actionListClients")]: "listClients", [t("actionListClients")]: "listClients",
[t("actionGetClient")]: "getClient" [t("actionGetClient")]: "getClient"
@@ -114,6 +118,16 @@ function getActionsCategories(root: boolean) {
} }
}; };
if (root || build === "saas" || env.flags.useOrgOnlyIdp) {
actionsByCategory["Identity Provider (IDP)"] = {
[t("actionCreateIdp")]: "createIdp",
[t("actionUpdateIdp")]: "updateIdp",
[t("actionDeleteIdp")]: "deleteIdp",
[t("actionListIdps")]: "listIdps",
[t("actionGetIdp")]: "getIdp"
};
}
if (root) { if (root) {
actionsByCategory["Organization"] = { actionsByCategory["Organization"] = {
[t("actionListOrgs")]: "listOrgs", [t("actionListOrgs")]: "listOrgs",
@@ -128,24 +142,21 @@ function getActionsCategories(root: boolean) {
...actionsByCategory["Organization"] ...actionsByCategory["Organization"]
}; };
actionsByCategory["Identity Provider (IDP)"] = { actionsByCategory["Identity Provider (IDP)"][t("actionCreateIdpOrg")] =
[t("actionCreateIdp")]: "createIdp", "createIdpOrg";
[t("actionUpdateIdp")]: "updateIdp", actionsByCategory["Identity Provider (IDP)"][t("actionDeleteIdpOrg")] =
[t("actionDeleteIdp")]: "deleteIdp", "deleteIdpOrg";
[t("actionListIdps")]: "listIdps", actionsByCategory["Identity Provider (IDP)"][t("actionListIdpOrgs")] =
[t("actionGetIdp")]: "getIdp", "listIdpOrgs";
[t("actionCreateIdpOrg")]: "createIdpOrg", actionsByCategory["Identity Provider (IDP)"][t("actionUpdateIdpOrg")] =
[t("actionDeleteIdpOrg")]: "deleteIdpOrg", "updateIdpOrg";
[t("actionListIdpOrgs")]: "listIdpOrgs",
[t("actionUpdateIdpOrg")]: "updateIdpOrg"
};
actionsByCategory["User"] = { actionsByCategory["User"] = {
[t("actionUpdateUser")]: "updateUser", [t("actionUpdateUser")]: "updateUser",
[t("actionGetUser")]: "getUser" [t("actionGetUser")]: "getUser"
}; };
if (build == "saas") { if (build === "saas") {
actionsByCategory["SAAS"] = { actionsByCategory["SAAS"] = {
["Send Usage Notification Email"]: "sendUsageNotification" ["Send Usage Notification Email"]: "sendUsageNotification"
}; };

226
src/components/UserDevicesTable.tsx
View File

@@ -16,7 +16,8 @@ import {
ArrowRight, ArrowRight,
ArrowUpDown, ArrowUpDown,
ArrowUpRight, ArrowUpRight,
MoreHorizontal MoreHorizontal,
CircleSlash
} from "lucide-react"; } from "lucide-react";
import { useTranslations } from "next-intl"; import { useTranslations } from "next-intl";
import Link from "next/link"; import Link from "next/link";
@@ -45,6 +46,8 @@ export type ClientRow = {
niceId: string; niceId: string;
agent: string | null; agent: string | null;
approvalState: "approved" | "pending" | "denied"; approvalState: "approved" | "pending" | "denied";
archived?: boolean;
blocked?: boolean;
}; };
type ClientTableProps = { type ClientTableProps = {
@@ -57,6 +60,7 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
const t = useTranslations(); const t = useTranslations();
const [isDeleteModalOpen, setIsDeleteModalOpen] = useState(false); const [isDeleteModalOpen, setIsDeleteModalOpen] = useState(false);
const [isBlockModalOpen, setIsBlockModalOpen] = useState(false);
const [selectedClient, setSelectedClient] = useState<ClientRow | null>( const [selectedClient, setSelectedClient] = useState<ClientRow | null>(
null null
); );
@@ -103,6 +107,76 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
}); });
}; };
const archiveClient = (clientId: number) => {
api.post(`/client/${clientId}/archive`)
.catch((e) => {
console.error("Error archiving client", e);
toast({
variant: "destructive",
title: "Error archiving client",
description: formatAxiosError(e, "Error archiving client")
});
})
.then(() => {
startTransition(() => {
router.refresh();
});
});
};
const unarchiveClient = (clientId: number) => {
api.post(`/client/${clientId}/unarchive`)
.catch((e) => {
console.error("Error unarchiving client", e);
toast({
variant: "destructive",
title: "Error unarchiving client",
description: formatAxiosError(e, "Error unarchiving client")
});
})
.then(() => {
startTransition(() => {
router.refresh();
});
});
};
const blockClient = (clientId: number) => {
api.post(`/client/${clientId}/block`)
.catch((e) => {
console.error("Error blocking client", e);
toast({
variant: "destructive",
title: "Error blocking client",
description: formatAxiosError(e, "Error blocking client")
});
})
.then(() => {
startTransition(() => {
router.refresh();
setIsBlockModalOpen(false);
setSelectedClient(null);
});
});
};
const unblockClient = (clientId: number) => {
api.post(`/client/${clientId}/unblock`)
.catch((e) => {
console.error("Error unblocking client", e);
toast({
variant: "destructive",
title: "Error unblocking client",
description: formatAxiosError(e, "Error unblocking client")
});
})
.then(() => {
startTransition(() => {
router.refresh();
});
});
};
// Check if there are any rows without userIds in the current view's data // Check if there are any rows without userIds in the current view's data
const hasRowsWithoutUserId = useMemo(() => { const hasRowsWithoutUserId = useMemo(() => {
return userClients.some((client) => !client.userId); return userClients.some((client) => !client.userId);
@@ -128,6 +202,28 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
<ArrowUpDown className="ml-2 h-4 w-4" /> <ArrowUpDown className="ml-2 h-4 w-4" />
</Button> </Button>
); );
},
cell: ({ row }) => {
const r = row.original;
return (
<div className="flex items-center gap-2">
<span>{r.name}</span>
{r.archived && (
<Badge variant="secondary">
{t("archived")}
</Badge>
)}
{r.blocked && (
<Badge
variant="destructive"
className="flex items-center gap-1"
>
<CircleSlash className="h-3 w-3" />
{t("blocked")}
</Badge>
)}
</div>
);
} }
}, },
{ {
@@ -351,7 +447,7 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
header: () => <span className="p-3"></span>, header: () => <span className="p-3"></span>,
cell: ({ row }) => { cell: ({ row }) => {
const clientRow = row.original; const clientRow = row.original;
return !clientRow.userId ? ( return (
<div className="flex items-center gap-2 justify-end"> <div className="flex items-center gap-2 justify-end">
<DropdownMenu> <DropdownMenu>
<DropdownMenuTrigger asChild> <DropdownMenuTrigger asChild>
@@ -361,34 +457,62 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
</Button> </Button>
</DropdownMenuTrigger> </DropdownMenuTrigger>
<DropdownMenuContent align="end"> <DropdownMenuContent align="end">
{/* <Link */}
{/* className="block w-full" */}
{/* href={`/${clientRow.orgId}/settings/sites/${clientRow.nice}`} */}
{/* > */}
{/* <DropdownMenuItem> */}
{/* View settings */}
{/* </DropdownMenuItem> */}
{/* </Link> */}
<DropdownMenuItem <DropdownMenuItem
onClick={() => { onClick={() => {
setSelectedClient(clientRow); if (clientRow.archived) {
setIsDeleteModalOpen(true); unarchiveClient(clientRow.id);
} else {
archiveClient(clientRow.id);
}
}} }}
> >
<span className="text-red-500">Delete</span> <span>
{clientRow.archived
? "Unarchive"
: "Archive"}
</span>
</DropdownMenuItem> </DropdownMenuItem>
<DropdownMenuItem
onClick={() => {
if (clientRow.blocked) {
unblockClient(clientRow.id);
} else {
setSelectedClient(clientRow);
setIsBlockModalOpen(true);
}
}}
>
<span>
{clientRow.blocked
? "Unblock"
: "Block"}
</span>
</DropdownMenuItem>
{!clientRow.userId && (
// Machine client - also show delete option
<DropdownMenuItem
onClick={() => {
setSelectedClient(clientRow);
setIsDeleteModalOpen(true);
}}
>
<span className="text-red-500">
Delete
</span>
</DropdownMenuItem>
)}
</DropdownMenuContent> </DropdownMenuContent>
</DropdownMenu> </DropdownMenu>
<Link <Link
href={`/${clientRow.orgId}/settings/clients/${clientRow.id}`} href={`/${clientRow.orgId}/settings/clients/${clientRow.id}`}
> >
<Button variant={"outline"}> <Button variant={"outline"}>
Edit View
<ArrowRight className="ml-2 w-4 h-4" /> <ArrowRight className="ml-2 w-4 h-4" />
</Button> </Button>
</Link> </Link>
</div> </div>
) : null; );
} }
}); });
@@ -397,7 +521,7 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
return ( return (
<> <>
{selectedClient && ( {selectedClient && !selectedClient.userId && (
<ConfirmDeleteDialog <ConfirmDeleteDialog
open={isDeleteModalOpen} open={isDeleteModalOpen}
setOpen={(val) => { setOpen={(val) => {
@@ -416,6 +540,27 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
title="Delete Client" title="Delete Client"
/> />
)} )}
{selectedClient && (
<ConfirmDeleteDialog
open={isBlockModalOpen}
setOpen={(val) => {
setIsBlockModalOpen(val);
if (!val) {
setSelectedClient(null);
}
}}
dialog={
<div className="space-y-2">
<p>{t("blockClientQuestion")}</p>
<p>{t("blockClientMessage")}</p>
</div>
}
buttonText={t("blockClientConfirm")}
onConfirm={async () => blockClient(selectedClient!.id)}
string={selectedClient.name}
title={t("blockClient")}
/>
)}
<ClientDownloadBanner /> <ClientDownloadBanner />
@@ -432,6 +577,55 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
columnVisibility={defaultUserColumnVisibility} columnVisibility={defaultUserColumnVisibility}
stickyLeftColumn="name" stickyLeftColumn="name"
stickyRightColumn="actions" stickyRightColumn="actions"
filters={[
{
id: "status",
label: t("status") || "Status",
multiSelect: true,
displayMode: "calculated",
options: [
{
id: "active",
label: t("active") || "Active",
value: "active"
},
{
id: "archived",
label: t("archived") || "Archived",
value: "archived"
},
{
id: "blocked",
label: t("blocked") || "Blocked",
value: "blocked"
}
],
filterFn: (
row: ClientRow,
selectedValues: (string | number | boolean)[]
) => {
if (selectedValues.length === 0) return true;
const rowArchived = row.archived || false;
const rowBlocked = row.blocked || false;
const isActive = !rowArchived && !rowBlocked;
if (selectedValues.includes("active") && isActive)
return true;
if (
selectedValues.includes("archived") &&
rowArchived
)
return true;
if (
selectedValues.includes("blocked") &&
rowBlocked
)
return true;
return false;
},
defaultValues: ["active"] // Default to showing active clients
}
]}
/> />
</> </>
); );

210
src/components/ViewDevicesDialog.tsx
View File

@@ -27,6 +27,7 @@ import {
TableHeader, TableHeader,
TableRow TableRow
} from "@app/components/ui/table"; } from "@app/components/ui/table";
import { Tabs, TabsList, TabsTrigger, TabsContent } from "@app/components/ui/tabs";
import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog"; import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
import { Loader2, RefreshCw } from "lucide-react"; import { Loader2, RefreshCw } from "lucide-react";
import moment from "moment"; import moment from "moment";
@@ -44,6 +45,7 @@ type Device = {
name: string | null; name: string | null;
clientId: number | null; clientId: number | null;
userId: string | null; userId: string | null;
archived: boolean;
}; };
export default function ViewDevicesDialog({ export default function ViewDevicesDialog({
@@ -57,8 +59,9 @@ export default function ViewDevicesDialog({
const [devices, setDevices] = useState<Device[]>([]); const [devices, setDevices] = useState<Device[]>([]);
const [loading, setLoading] = useState(false); const [loading, setLoading] = useState(false);
const [isDeleteModalOpen, setIsDeleteModalOpen] = useState(false); const [isArchiveModalOpen, setIsArchiveModalOpen] = useState(false);
const [selectedDevice, setSelectedDevice] = useState<Device | null>(null); const [selectedDevice, setSelectedDevice] = useState<Device | null>(null);
const [activeTab, setActiveTab] = useState<"available" | "archived">("available");
const fetchDevices = async () => { const fetchDevices = async () => {
setLoading(true); setLoading(true);
@@ -90,26 +93,59 @@ export default function ViewDevicesDialog({
} }
}, [open]); }, [open]);
const deleteDevice = async (olmId: string) => { const archiveDevice = async (olmId: string) => {
try { try {
await api.delete(`/user/${user?.userId}/olm/${olmId}`); await api.post(`/user/${user?.userId}/olm/${olmId}/archive`);
toast({ toast({
title: t("deviceDeleted") || "Device deleted", title: t("deviceArchived") || "Device archived",
description: description:
t("deviceDeletedDescription") || t("deviceArchivedDescription") ||
"The device has been successfully deleted." "The device has been successfully archived."
}); });
setDevices(devices.filter((d) => d.olmId !== olmId)); // Update the device's archived status in the local state
setIsDeleteModalOpen(false); setDevices(
devices.map((d) =>
d.olmId === olmId ? { ...d, archived: true } : d
)
);
setIsArchiveModalOpen(false);
setSelectedDevice(null); setSelectedDevice(null);
} catch (error: any) { } catch (error: any) {
console.error("Error deleting device:", error); console.error("Error archiving device:", error);
toast({ toast({
variant: "destructive", variant: "destructive",
title: t("errorDeletingDevice") || "Error deleting device", title: t("errorArchivingDevice"),
description: formatAxiosError( description: formatAxiosError(
error, error,
t("failedToDeleteDevice") || "Failed to delete device" t("failedToArchiveDevice")
)
});
}
};
const unarchiveDevice = async (olmId: string) => {
try {
await api.post(`/user/${user?.userId}/olm/${olmId}/unarchive`);
toast({
title: t("deviceUnarchived") || "Device unarchived",
description:
t("deviceUnarchivedDescription") ||
"The device has been successfully unarchived."
});
// Update the device's archived status in the local state
setDevices(
devices.map((d) =>
d.olmId === olmId ? { ...d, archived: false } : d
)
);
} catch (error: any) {
console.error("Error unarchiving device:", error);
toast({
variant: "destructive",
title: t("errorUnarchivingDevice") || "Error unarchiving device",
description: formatAxiosError(
error,
t("failedToUnarchiveDevice") || "Failed to unarchive device"
) )
}); });
} }
@@ -118,7 +154,7 @@ export default function ViewDevicesDialog({
function reset() { function reset() {
setDevices([]); setDevices([]);
setSelectedDevice(null); setSelectedDevice(null);
setIsDeleteModalOpen(false); setIsArchiveModalOpen(false);
} }
return ( return (
@@ -147,9 +183,40 @@ export default function ViewDevicesDialog({
<div className="flex items-center justify-center py-8"> <div className="flex items-center justify-center py-8">
<Loader2 className="h-6 w-6 animate-spin" /> <Loader2 className="h-6 w-6 animate-spin" />
</div> </div>
) : devices.length === 0 ? ( ) : (
<Tabs
value={activeTab}
onValueChange={(value) =>
setActiveTab(value as "available" | "archived")
}
className="w-full"
>
<TabsList className="grid w-full grid-cols-2">
<TabsTrigger value="available">
{t("available") || "Available"} (
{
devices.filter(
(d) => !d.archived
).length
}
)
</TabsTrigger>
<TabsTrigger value="archived">
{t("archived") || "Archived"} (
{
devices.filter(
(d) => d.archived
).length
}
)
</TabsTrigger>
</TabsList>
<TabsContent value="available" className="mt-4">
{devices.filter((d) => !d.archived)
.length === 0 ? (
<div className="text-center py-8 text-muted-foreground"> <div className="text-center py-8 text-muted-foreground">
{t("noDevices") || "No devices found"} {t("noDevices") ||
"No devices found"}
</div> </div>
) : ( ) : (
<div className="rounded-md border"> <div className="rounded-md border">
@@ -164,22 +231,33 @@ export default function ViewDevicesDialog({
"Date Created"} "Date Created"}
</TableHead> </TableHead>
<TableHead> <TableHead>
{t("actions") || "Actions"} {t("actions") ||
"Actions"}
</TableHead> </TableHead>
</TableRow> </TableRow>
</TableHeader> </TableHeader>
<TableBody> <TableBody>
{devices.map((device) => ( {devices
<TableRow key={device.olmId}> .filter(
(d) => !d.archived
)
.map((device) => (
<TableRow
key={device.olmId}
>
<TableCell className="font-medium"> <TableCell className="font-medium">
{device.name || {device.name ||
t("unnamedDevice") || t(
"unnamedDevice"
) ||
"Unnamed Device"} "Unnamed Device"}
</TableCell> </TableCell>
<TableCell> <TableCell>
{moment( {moment(
device.dateCreated device.dateCreated
).format("lll")} ).format(
"lll"
)}
</TableCell> </TableCell>
<TableCell> <TableCell>
<Button <Button
@@ -188,13 +266,15 @@ export default function ViewDevicesDialog({
setSelectedDevice( setSelectedDevice(
device device
); );
setIsDeleteModalOpen( setIsArchiveModalOpen(
true true
); );
}} }}
> >
{t("delete") || {t(
"Delete"} "archive"
) ||
"Archive"}
</Button> </Button>
</TableCell> </TableCell>
</TableRow> </TableRow>
@@ -202,6 +282,74 @@ export default function ViewDevicesDialog({
</TableBody> </TableBody>
</Table> </Table>
</div> </div>
)}
</TabsContent>
<TabsContent value="archived" className="mt-4">
{devices.filter((d) => d.archived)
.length === 0 ? (
<div className="text-center py-8 text-muted-foreground">
{t("noArchivedDevices") ||
"No archived devices found"}
</div>
) : (
<div className="rounded-md border">
<Table>
<TableHeader>
<TableRow>
<TableHead className="pl-3">
{t("name") || "Name"}
</TableHead>
<TableHead>
{t("dateCreated") ||
"Date Created"}
</TableHead>
<TableHead>
{t("actions") ||
"Actions"}
</TableHead>
</TableRow>
</TableHeader>
<TableBody>
{devices
.filter(
(d) => d.archived
)
.map((device) => (
<TableRow
key={device.olmId}
>
<TableCell className="font-medium">
{device.name ||
t(
"unnamedDevice"
) ||
"Unnamed Device"}
</TableCell>
<TableCell>
{moment(
device.dateCreated
).format(
"lll"
)}
</TableCell>
<TableCell>
<Button
variant="outline"
onClick={() => {
unarchiveDevice(device.olmId);
}}
>
{t("unarchive") || "Unarchive"}
</Button>
</TableCell>
</TableRow>
))}
</TableBody>
</Table>
</div>
)}
</TabsContent>
</Tabs>
)} )}
</CredenzaBody> </CredenzaBody>
<CredenzaFooter> <CredenzaFooter>
@@ -216,9 +364,9 @@ export default function ViewDevicesDialog({
{selectedDevice && ( {selectedDevice && (
<ConfirmDeleteDialog <ConfirmDeleteDialog
open={isDeleteModalOpen} open={isArchiveModalOpen}
setOpen={(val) => { setOpen={(val) => {
setIsDeleteModalOpen(val); setIsArchiveModalOpen(val);
if (!val) { if (!val) {
setSelectedDevice(null); setSelectedDevice(null);
} }
@@ -226,19 +374,19 @@ export default function ViewDevicesDialog({
dialog={ dialog={
<div className="space-y-2"> <div className="space-y-2">
<p> <p>
{t("deviceQuestionRemove") || {t("deviceQuestionArchive") ||
"Are you sure you want to delete this device?"} "Are you sure you want to archive this device?"}
</p> </p>
<p> <p>
{t("deviceMessageRemove") || {t("deviceMessageArchive") ||
"This action cannot be undone."} "The device will be archived and removed from your active devices list."}
</p> </p>
</div> </div>
} }
buttonText={t("deviceDeleteConfirm") || "Delete Device"} buttonText={t("deviceArchiveConfirm") || "Archive Device"}
onConfirm={async () => deleteDevice(selectedDevice.olmId)} onConfirm={async () => archiveDevice(selectedDevice.olmId)}
string={selectedDevice.name || selectedDevice.olmId} string={selectedDevice.name || selectedDevice.olmId}
title={t("deleteDevice") || "Delete Device"} title={t("archiveDevice") || "Archive Device"}
/> />
)} )}
</> </>

2
src/components/private/SplashImage.tsx
View File

@@ -21,7 +21,7 @@ export default function SplashImage({ children }: SplashImageProps) {
if (!env.branding.background_image_path) { if (!env.branding.background_image_path) {
return false; return false;
} }
const pathsPrefixes = ["/auth/login", "/auth/signup", "/auth/resource"]; const pathsPrefixes = ["/auth/login", "/auth/signup", "/auth/resource", "/auth/org"];
for (const prefix of pathsPrefixes) { for (const prefix of pathsPrefixes) {
if (pathname.startsWith(prefix)) { if (pathname.startsWith(prefix)) {
return true; return true;

10
src/components/private/ValidateSessionTransferToken.tsx
View File

@@ -50,9 +50,13 @@ export default function ValidateSessionTransferToken(
} }
if (doRedirect) { if (doRedirect) {
// add redirect param to dashboardUrl if provided if (props.redirect && props.redirect.startsWith("http")) {
const fullUrl = `${env.app.dashboardUrl}${props.redirect || ""}`; router.push(props.redirect);
router.push(fullUrl); } else {
// add redirect param to dashboardUrl if provided
const fullUrl = `${env.app.dashboardUrl}${props.redirect || ""}`;
router.push(fullUrl);
}
} }
} }

175
src/components/ui/data-table.tsx
View File

@@ -33,7 +33,7 @@ import { Button } from "@app/components/ui/button";
import { useEffect, useMemo, useRef, useState } from "react"; import { useEffect, useMemo, useRef, useState } from "react";
import { Input } from "@app/components/ui/input"; import { Input } from "@app/components/ui/input";
import { DataTablePagination } from "@app/components/DataTablePagination"; import { DataTablePagination } from "@app/components/DataTablePagination";
import { Plus, Search, RefreshCw, Columns } from "lucide-react"; import { Plus, Search, RefreshCw, Columns, Filter } from "lucide-react";
import { import {
Card, Card,
CardContent, CardContent,
@@ -140,6 +140,22 @@ type TabFilter = {
filterFn: (row: any) => boolean; filterFn: (row: any) => boolean;
}; };
type FilterOption = {
id: string;
label: string;
value: string | number | boolean;
};
type DataTableFilter = {
id: string;
label: string;
options: FilterOption[];
multiSelect?: boolean;
filterFn: (row: any, selectedValues: (string | number | boolean)[]) => boolean;
defaultValues?: (string | number | boolean)[];
displayMode?: "label" | "calculated"; // How to display the filter button text
};
type DataTableProps<TData, TValue> = { type DataTableProps<TData, TValue> = {
columns: ExtendedColumnDef<TData, TValue>[]; columns: ExtendedColumnDef<TData, TValue>[];
data: TData[]; data: TData[];
@@ -156,6 +172,8 @@ type DataTableProps<TData, TValue> = {
}; };
tabs?: TabFilter[]; tabs?: TabFilter[];
defaultTab?: string; defaultTab?: string;
filters?: DataTableFilter[];
filterDisplayMode?: "label" | "calculated"; // Global filter display mode (can be overridden per filter)
persistPageSize?: boolean | string; persistPageSize?: boolean | string;
defaultPageSize?: number; defaultPageSize?: number;
columnVisibility?: Record<string, boolean>; columnVisibility?: Record<string, boolean>;
@@ -178,6 +196,8 @@ export function DataTable<TData, TValue>({
defaultSort, defaultSort,
tabs, tabs,
defaultTab, defaultTab,
filters,
filterDisplayMode = "label",
persistPageSize = false, persistPageSize = false,
defaultPageSize = 20, defaultPageSize = 20,
columnVisibility: defaultColumnVisibility, columnVisibility: defaultColumnVisibility,
@@ -235,6 +255,15 @@ export function DataTable<TData, TValue>({
const [activeTab, setActiveTab] = useState<string>( const [activeTab, setActiveTab] = useState<string>(
defaultTab || tabs?.[0]?.id || "" defaultTab || tabs?.[0]?.id || ""
); );
const [activeFilters, setActiveFilters] = useState<Record<string, (string | number | boolean)[]>>(
() => {
const initial: Record<string, (string | number | boolean)[]> = {};
filters?.forEach((filter) => {
initial[filter.id] = filter.defaultValues || [];
});
return initial;
}
);
// Track initial values to avoid storing defaults on first render // Track initial values to avoid storing defaults on first render
const initialPageSize = useRef(pageSize); const initialPageSize = useRef(pageSize);
@@ -242,19 +271,32 @@ export function DataTable<TData, TValue>({
const hasUserChangedPageSize = useRef(false); const hasUserChangedPageSize = useRef(false);
const hasUserChangedColumnVisibility = useRef(false); const hasUserChangedColumnVisibility = useRef(false);
// Apply tab filter to data // Apply tab and custom filters to data
const filteredData = useMemo(() => { const filteredData = useMemo(() => {
if (!tabs || activeTab === "") { let result = data;
return data;
// Apply tab filter
if (tabs && activeTab !== "") {
const activeTabFilter = tabs.find((tab) => tab.id === activeTab);
if (activeTabFilter) {
result = result.filter(activeTabFilter.filterFn);
}
} }
const activeTabFilter = tabs.find((tab) => tab.id === activeTab); // Apply custom filters
if (!activeTabFilter) { if (filters && filters.length > 0) {
return data; filters.forEach((filter) => {
const selectedValues = activeFilters[filter.id] || [];
if (selectedValues.length > 0) {
result = result.filter((row) =>
filter.filterFn(row, selectedValues)
);
}
});
} }
return data.filter(activeTabFilter.filterFn); return result;
}, [data, tabs, activeTab]); }, [data, tabs, activeTab, filters, activeFilters]);
const table = useReactTable({ const table = useReactTable({
data: filteredData, data: filteredData,
@@ -318,6 +360,64 @@ export function DataTable<TData, TValue>({
setPagination((prev) => ({ ...prev, pageIndex: 0 })); setPagination((prev) => ({ ...prev, pageIndex: 0 }));
}; };
const handleFilterChange = (
filterId: string,
optionValue: string | number | boolean,
checked: boolean
) => {
setActiveFilters((prev) => {
const currentValues = prev[filterId] || [];
const filter = filters?.find((f) => f.id === filterId);
if (!filter) return prev;
let newValues: (string | number | boolean)[];
if (filter.multiSelect) {
// Multi-select: add or remove the value
if (checked) {
newValues = [...currentValues, optionValue];
} else {
newValues = currentValues.filter((v) => v !== optionValue);
}
} else {
// Single-select: replace the value
newValues = checked ? [optionValue] : [];
}
return {
...prev,
[filterId]: newValues
};
});
// Reset to first page when changing filters
setPagination((prev) => ({ ...prev, pageIndex: 0 }));
};
// Calculate display text for a filter based on selected values
const getFilterDisplayText = (filter: DataTableFilter): string => {
const selectedValues = activeFilters[filter.id] || [];
if (selectedValues.length === 0) {
return filter.label;
}
const selectedOptions = filter.options.filter((option) =>
selectedValues.includes(option.value)
);
if (selectedOptions.length === 0) {
return filter.label;
}
if (selectedOptions.length === 1) {
return selectedOptions[0].label;
}
// Multiple selections: always join with "and"
return selectedOptions.map((opt) => opt.label).join(" and ");
};
// Enhanced pagination component that updates our local state // Enhanced pagination component that updates our local state
const handlePageSizeChange = (newPageSize: number) => { const handlePageSizeChange = (newPageSize: number) => {
hasUserChangedPageSize.current = true; hasUserChangedPageSize.current = true;
@@ -387,6 +487,63 @@ export function DataTable<TData, TValue>({
/> />
<Search className="h-4 w-4 absolute left-2 top-1/2 transform -translate-y-1/2 text-muted-foreground" /> <Search className="h-4 w-4 absolute left-2 top-1/2 transform -translate-y-1/2 text-muted-foreground" />
</div> </div>
{filters && filters.length > 0 && (
<div className="flex gap-2">
{filters.map((filter) => {
const selectedValues = activeFilters[filter.id] || [];
const hasActiveFilters = selectedValues.length > 0;
const displayMode = filter.displayMode || filterDisplayMode;
const displayText = displayMode === "calculated"
? getFilterDisplayText(filter)
: filter.label;
return (
<DropdownMenu key={filter.id}>
<DropdownMenuTrigger asChild>
<Button
variant={"outline"}
size="sm"
className="h-9"
>
<Filter className="h-4 w-4 mr-2" />
{displayText}
{displayMode === "label" && hasActiveFilters && (
<span className="ml-2 bg-muted text-foreground rounded-full px-2 py-0.5 text-xs">
{selectedValues.length}
</span>
)}
</Button>
</DropdownMenuTrigger>
<DropdownMenuContent align="start" className="w-48">
<DropdownMenuLabel>
{filter.label}
</DropdownMenuLabel>
<DropdownMenuSeparator />
{filter.options.map((option) => {
const isChecked = selectedValues.includes(option.value);
return (
<DropdownMenuCheckboxItem
key={option.id}
checked={isChecked}
onCheckedChange={(checked) =>
handleFilterChange(
filter.id,
option.value,
checked
)
}
onSelect={(e) => e.preventDefault()}
>
{option.label}
</DropdownMenuCheckboxItem>
);
})}
</DropdownMenuContent>
</DropdownMenu>
);
})}
</div>
)}
{tabs && tabs.length > 0 && ( {tabs && tabs.length > 0 && (
<Tabs <Tabs
value={activeTab} value={activeTab}

4
src/lib/pullEnv.ts
View File

@@ -63,7 +63,9 @@ export function pullEnv(): Env {
disableProductHelpBanners: disableProductHelpBanners:
process.env.FLAGS_DISABLE_PRODUCT_HELP_BANNERS === "true" process.env.FLAGS_DISABLE_PRODUCT_HELP_BANNERS === "true"
? true ? true
: false : false,
useOrgOnlyIdp:
process.env.USE_ORG_ONLY_IDP === "true" ? true : false
}, },
branding: { branding: {

15
src/lib/queries.ts
View File

@@ -158,7 +158,13 @@ export const orgQueries = {
return res.data.data.domains; return res.data.data.domains;
} }
}), }),
identityProviders: ({ orgId }: { orgId: string }) => identityProviders: ({
orgId,
useOrgOnlyIdp
}: {
orgId: string;
useOrgOnlyIdp?: boolean;
}) =>
queryOptions({ queryOptions({
queryKey: ["ORG", orgId, "IDPS"] as const, queryKey: ["ORG", orgId, "IDPS"] as const,
queryFn: async ({ signal, meta }) => { queryFn: async ({ signal, meta }) => {
@@ -166,7 +172,12 @@ export const orgQueries = {
AxiosResponse<{ AxiosResponse<{
idps: { idpId: number; name: string }[]; idps: { idpId: number; name: string }[];
}> }>
>(build === "saas" ? `/org/${orgId}/idp` : "/idp", { signal }); >(
build === "saas" || useOrgOnlyIdp
? `/org/${orgId}/idp`
: "/idp",
{ signal }
);
return res.data.data.idps; return res.data.data.idps;
} }
}) })

2
src/lib/themeColors.ts
View File

@@ -15,6 +15,7 @@ const defaultTheme = {
accent: "oklch(0.967 0.001 286.375)", accent: "oklch(0.967 0.001 286.375)",
"accent-foreground": "oklch(0.21 0.006 285.885)", "accent-foreground": "oklch(0.21 0.006 285.885)",
destructive: "oklch(0.577 0.245 27.325)", destructive: "oklch(0.577 0.245 27.325)",
"destructive-foreground": "oklch(0.985 0 0)",
border: "oklch(0.92 0.004 286.32)", border: "oklch(0.92 0.004 286.32)",
input: "oklch(0.92 0.004 286.32)", input: "oklch(0.92 0.004 286.32)",
ring: "oklch(0.705 0.213 47.604)", ring: "oklch(0.705 0.213 47.604)",
@@ -41,6 +42,7 @@ const defaultTheme = {
accent: "oklch(0.274 0.006 286.033)", accent: "oklch(0.274 0.006 286.033)",
"accent-foreground": "oklch(0.985 0 0)", "accent-foreground": "oklch(0.985 0 0)",
destructive: "oklch(0.704 0.191 22.216)", destructive: "oklch(0.704 0.191 22.216)",
"destructive-foreground": "oklch(0.985 0 0)",
border: "oklch(1 0 0 / 10%)", border: "oklch(1 0 0 / 10%)",
input: "oklch(1 0 0 / 15%)", input: "oklch(1 0 0 / 15%)",
ring: "oklch(0.646 0.222 41.116)", ring: "oklch(0.646 0.222 41.116)",

1
src/lib/types/env.ts
View File

@@ -34,6 +34,7 @@ export type Env = {
hideSupporterKey: boolean; hideSupporterKey: boolean;
usePangolinDns: boolean; usePangolinDns: boolean;
disableProductHelpBanners: boolean; disableProductHelpBanners: boolean;
useOrgOnlyIdp: boolean;
}; };
branding: { branding: {
appName?: string; appName?: string;