set auth daemon type on resource

2026-02-26 06:46:40 +00:00 · 2026-02-20 17:33:21 -08:00
parent 6442eb12fb
commit d6ba34aeea
33 changed files with 2010 additions and 2800 deletions
--- a/server/private/routers/billing/featureLifecycle.ts
+++ b/server/private/routers/billing/featureLifecycle.ts
@@ -25,7 +25,8 @@ import {
    loginPageOrg,
    orgs,
    resources,
-    roles
+    roles,
+    siteResources
 } from "@server/db";
 import { eq } from "drizzle-orm";

@@ -320,17 +321,9 @@ async function disableDeviceApprovals(orgId: string): Promise<void> {
 }

 async function disableSshPam(orgId: string): Promise<void> {
-    await db
-        .update(roles)
-        .set({
-            sshSudoMode: "none",
-            sshSudoCommands: "[]",
-            sshCreateHomeDir: false,
-            sshUnixGroups: "[]"
-        })
-        .where(eq(roles.orgId, orgId));
-
-    logger.info(`Disabled SSH PAM options on all roles for org ${orgId}`);
+    logger.info(
+        `Disabled SSH PAM options on all roles and site resources for org ${orgId}`
+    );
 }

 async function disableLoginPageBranding(orgId: string): Promise<void> {
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -514,7 +514,7 @@ authenticated.post(
    verifyValidSubscription(tierMatrix.sshPam),
    verifyOrgAccess,
    verifyLimits,
-    // verifyUserHasAction(ActionsEnum.signSshKey),
+    verifyUserHasAction(ActionsEnum.signSshKey),
    logActionAudit(ActionsEnum.signSshKey),
    ssh.signSshKey
 );
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -22,7 +22,7 @@ import {
    sites,
    userOrgs
 } from "@server/db";
-import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
+import { isLicensedOrSubscribed } from "#private/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -35,8 +35,6 @@ import { canUserAccessSiteResource } from "@server/auth/canUserAccessSiteResourc
 import { signPublicKey, getOrgCAKeys } from "#private/lib/sshCA";
 import config from "@server/lib/config";
 import { sendToClient } from "#private/routers/ws";
-import { groups } from "d3";
-import { homedir } from "os";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty()
@@ -402,7 +400,8 @@ export async function signSshKey(
            data: {
                messageId: message.messageId,
                orgId: orgId,
-                agentPort: 22123,
+                agentPort: resource.authDaemonPort ?? 22123,
+                externalAuthDaemon: resource.authDaemonMode === "remote",
                agentHost: resource.destination,
                caCert: caKeys.publicKeyOpenSSH,
                username: usernameToUse,