pangolin_mirror/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-02-27 07:16:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

add clients to resource

Browse Source
This commit is contained in:
miloschwartz
2025-11-07 16:30:24 -08:00
parent c813202f92
commit e51fca1f61
19 changed files with 1212 additions and 189 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
server/db/pg/schema/schema.ts
View File

@@ -213,6 +213,15 @@ export const siteResources = pgTable("siteResources", {
alias: varchar("alias")
});
export const clientSiteResources = pgTable("clientSiteResources", {
clientId: integer("clientId")
.notNull()
.references(() => clients.clientId, { onDelete: "cascade" }),
siteResourceId: integer("siteResourceId")
.notNull()
.references(() => siteResources.siteResourceId, { onDelete: "cascade" })
});
export const roleSiteResources = pgTable("roleSiteResources", {
roleId: integer("roleId")
.notNull()

13
server/db/sqlite/schema/schema.ts
View File

@@ -228,12 +228,21 @@ export const siteResources = sqliteTable("siteResources", {
mode: text("mode").notNull(), // "host" | "cidr" | "port"
protocol: text("protocol"), // only for port mode
proxyPort: integer("proxyPort"), // only for port mode
destinationPort: integer("destinationPort"), // only for port mode
destinationPort: integer("destinationPort"), // only for port mode
destination: text("destination").notNull(), // ip, cidr, hostname
enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
alias: text("alias")
});
export const clientSiteResources = sqliteTable("clientSiteResources", {
clientId: integer("clientId")
.notNull()
.references(() => clients.clientId, { onDelete: "cascade" }),
siteResourceId: integer("siteResourceId")
.notNull()
.references(() => siteResources.siteResourceId, { onDelete: "cascade" })
});
export const roleSiteResources = sqliteTable("roleSiteResources", {
roleId: integer("roleId")
.notNull()
@@ -350,7 +359,7 @@ export const clients = sqliteTable("clients", {
type: text("type").notNull(), // "olm"
online: integer("online", { mode: "boolean" }).notNull().default(false),
// endpoint: text("endpoint"),
lastHolePunch: integer("lastHolePunch")
lastHolePunch: integer("lastHolePunch"),
});
export const clientSites = sqliteTable("clientSites", {

1
server/middlewares/index.ts
View File

@@ -11,6 +11,7 @@ export * from "./verifyRoleAccess";
export * from "./verifyUserAccess";
export * from "./verifyAdmin";
export * from "./verifySetResourceUsers";
export * from "./verifySetResourceClients";
export * from "./verifyUserInRole";
export * from "./verifyAccessTokenAccess";
export * from "./requestTimeout";

1
server/middlewares/integration/index.ts
View File

@@ -7,6 +7,7 @@ export * from "./verifyApiKeyTargetAccess";
export * from "./verifyApiKeyRoleAccess";
export * from "./verifyApiKeyUserAccess";
export * from "./verifyApiKeySetResourceUsers";
export * from "./verifyApiKeySetResourceClients";
export * from "./verifyAccessTokenAccess";
export * from "./verifyApiKeyIsRoot";
export * from "./verifyApiKeyApiKeyAccess";

73
server/middlewares/integration/verifyApiKeySetResourceClients.ts Normal file
View File

@@ -0,0 +1,73 @@
import { Request, Response, NextFunction } from "express";
import { db } from "@server/db";
import { clients } from "@server/db";
import { and, eq, inArray } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
export async function verifyApiKeySetResourceClients(
req: Request,
res: Response,
next: NextFunction
) {
const apiKey = req.apiKey;
const singleClientId = req.params.clientId || req.body.clientId || req.query.clientId;
const { clientIds } = req.body;
const allClientIds = clientIds || (singleClientId ? [parseInt(singleClientId as string)] : []);
if (!apiKey) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "Key not authenticated")
);
}
if (apiKey.isRoot) {
// Root keys can access any client in any org
return next();
}
if (!req.apiKeyOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"Key does not have access to this organization"
)
);
}
if (allClientIds.length === 0) {
return next();
}
try {
const orgId = req.apiKeyOrg.orgId;
const clientsData = await db
.select()
.from(clients)
.where(
and(
inArray(clients.clientId, allClientIds),
eq(clients.orgId, orgId)
)
);
if (clientsData.length !== allClientIds.length) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"Key does not have access to one or more specified clients"
)
);
}
return next();
} catch (error) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Error checking if key has access to the specified clients"
)
);
}
}

69
server/middlewares/verifySetResourceClients.ts Normal file
View File

@@ -0,0 +1,69 @@
import { Request, Response, NextFunction } from "express";
import { db } from "@server/db";
import { clients } from "@server/db";
import { and, eq, inArray } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
export async function verifySetResourceClients(
req: Request,
res: Response,
next: NextFunction
) {
const userId = req.user!.userId;
const singleClientId = req.params.clientId || req.body.clientId || req.query.clientId;
const { clientIds } = req.body;
const allClientIds = clientIds || (singleClientId ? [parseInt(singleClientId as string)] : []);
if (!userId) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
);
}
if (!req.userOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have access to this organization"
)
);
}
if (allClientIds.length === 0) {
return next();
}
try {
const orgId = req.userOrg.orgId;
// get all clients for the clientIds
const clientsData = await db
.select()
.from(clients)
.where(
and(
inArray(clients.clientId, allClientIds),
eq(clients.orgId, orgId)
)
);
if (clientsData.length !== allClientIds.length) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have access to one or more specified clients"
)
);
}
return next();
} catch (error) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Error checking if user has access to the specified clients"
)
);
}
}

9
server/routers/client/createUserClient.ts
View File

@@ -182,6 +182,15 @@ export async function createUserClient(
);
}
if (existingOlm.userId !== userId) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
`OLM with ID ${olmId} does not belong to user with ID ${userId}`
)
);
}
await db.transaction(async (trx) => {
// TODO: more intelligent way to pick the exit node
const exitNodesList = await listExitNodes(orgId);

9
server/routers/client/deleteClient.ts
View File

@@ -60,6 +60,15 @@ export async function deleteClient(
);
}
if (client.userId) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
`Cannot delete a user client with this endpoint`
)
);
}
await db.transaction(async (trx) => {
// Delete the client-site associations first
await trx

35
server/routers/external.ts
View File

@@ -29,6 +29,7 @@ import {
verifyTargetAccess,
verifyRoleAccess,
verifySetResourceUsers,
verifySetResourceClients,
verifyUserAccess,
getUserOrgs,
verifyUserIsServerAdmin,
@@ -301,6 +302,13 @@ authenticated.get(
siteResource.listSiteResourceUsers
);
authenticated.get(
"/site-resource/:siteResourceId/clients",
verifySiteResourceAccess,
verifyUserHasAction(ActionsEnum.listResourceUsers),
siteResource.listSiteResourceClients
);
authenticated.post(
"/site-resource/:siteResourceId/roles",
verifySiteResourceAccess,
@@ -319,6 +327,33 @@ authenticated.post(
siteResource.setSiteResourceUsers,
);
authenticated.post(
"/site-resource/:siteResourceId/clients",
verifySiteResourceAccess,
verifySetResourceClients,
verifyUserHasAction(ActionsEnum.setResourceUsers),
logActionAudit(ActionsEnum.setResourceUsers),
siteResource.setSiteResourceClients,
);
authenticated.post(
"/site-resource/:siteResourceId/clients/add",
verifySiteResourceAccess,
verifySetResourceClients,
verifyUserHasAction(ActionsEnum.setResourceUsers),
logActionAudit(ActionsEnum.setResourceUsers),
siteResource.addClientToSiteResource,
);
authenticated.post(
"/site-resource/:siteResourceId/clients/remove",
verifySiteResourceAccess,
verifySetResourceClients,
verifyUserHasAction(ActionsEnum.setResourceUsers),
logActionAudit(ActionsEnum.setResourceUsers),
siteResource.removeClientFromSiteResource,
);
authenticated.put(
"/org/:orgId/resource",
verifyOrgAccess,

37
server/routers/integration.ts
View File

@@ -25,7 +25,8 @@ import {
verifyApiKeyIsRoot,
verifyApiKeyClientAccess,
verifyClientsEnabled,
verifyApiKeySiteResourceAccess
verifyApiKeySiteResourceAccess,
verifyApiKeySetResourceClients
} from "@server/middlewares";
import HttpCode from "@server/types/HttpCode";
import { Router } from "express";
@@ -211,6 +212,13 @@ authenticated.get(
siteResource.listSiteResourceUsers
);
authenticated.get(
"/site-resource/:siteResourceId/clients",
verifyApiKeySiteResourceAccess,
verifyApiKeyHasAction(ActionsEnum.listResourceUsers),
siteResource.listSiteResourceClients
);
authenticated.post(
"/site-resource/:siteResourceId/roles",
verifyApiKeySiteResourceAccess,
@@ -265,6 +273,33 @@ authenticated.post(
siteResource.removeUserFromSiteResource
);
authenticated.post(
"/site-resource/:siteResourceId/clients",
verifyApiKeySiteResourceAccess,
verifyApiKeySetResourceClients,
verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
logActionAudit(ActionsEnum.setResourceUsers),
siteResource.setSiteResourceClients
);
authenticated.post(
"/site-resource/:siteResourceId/clients/add",
verifyApiKeySiteResourceAccess,
verifyApiKeySetResourceClients,
verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
logActionAudit(ActionsEnum.setResourceUsers),
siteResource.addClientToSiteResource
);
authenticated.post(
"/site-resource/:siteResourceId/clients/remove",
verifyApiKeySiteResourceAccess,
verifyApiKeySetResourceClients,
verifyApiKeyHasAction(ActionsEnum.setResourceUsers),
logActionAudit(ActionsEnum.setResourceUsers),
siteResource.removeClientFromSiteResource
);
authenticated.put(
"/org/:orgId/resource",
verifyApiKeyOrgAccess,

156
server/routers/siteResource/addClientToSiteResource.ts Normal file
View File

@@ -0,0 +1,156 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db, siteResources, clients, clientSiteResources } from "@server/db";
import response from "@server/lib/response";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import logger from "@server/logger";
import { fromError } from "zod-validation-error";
import { eq, and } from "drizzle-orm";
import { OpenAPITags, registry } from "@server/openApi";
import { rebuildSiteClientAssociations } from "@server/lib/rebuildSiteClientAssociations";
const addClientToSiteResourceBodySchema = z
.object({
clientId: z.number().int().positive()
})
.strict();
const addClientToSiteResourceParamsSchema = z
.object({
siteResourceId: z
.string()
.transform(Number)
.pipe(z.number().int().positive())
})
.strict();
registry.registerPath({
method: "post",
path: "/site-resource/{siteResourceId}/clients/add",
description: "Add a single client to a site resource. Clients with a userId cannot be added.",
tags: [OpenAPITags.Resource, OpenAPITags.Client],
request: {
params: addClientToSiteResourceParamsSchema,
body: {
content: {
"application/json": {
schema: addClientToSiteResourceBodySchema
}
}
}
},
responses: {}
});
export async function addClientToSiteResource(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedBody = addClientToSiteResourceBodySchema.safeParse(req.body);
if (!parsedBody.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedBody.error).toString()
)
);
}
const { clientId } = parsedBody.data;
const parsedParams = addClientToSiteResourceParamsSchema.safeParse(
req.params
);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const { siteResourceId } = parsedParams.data;
// get the site resource
const [siteResource] = await db
.select()
.from(siteResources)
.where(eq(siteResources.siteResourceId, siteResourceId))
.limit(1);
if (!siteResource) {
return next(
createHttpError(HttpCode.NOT_FOUND, "Site resource not found")
);
}
// Check if client exists and has a userId
const [client] = await db
.select()
.from(clients)
.where(eq(clients.clientId, clientId))
.limit(1);
if (!client) {
return next(
createHttpError(HttpCode.NOT_FOUND, "Client not found")
);
}
if (client.userId !== null) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Cannot add clients that are associated with a user"
)
);
}
// Check if client already exists in site resource
const existingEntry = await db
.select()
.from(clientSiteResources)
.where(
and(
eq(clientSiteResources.siteResourceId, siteResourceId),
eq(clientSiteResources.clientId, clientId)
)
);
if (existingEntry.length > 0) {
return next(
createHttpError(
HttpCode.CONFLICT,
"Client already assigned to site resource"
)
);
}
await db.transaction(async (trx) => {
await trx.insert(clientSiteResources).values({
clientId,
siteResourceId
});
await rebuildSiteClientAssociations(siteResource, trx);
});
return response(res, {
data: {},
success: true,
error: false,
message: "Client added to site resource successfully",
status: HttpCode.CREATED
});
} catch (error) {
logger.error(error);
return next(
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
);
}
}

4
server/routers/siteResource/index.ts
View File

@@ -6,9 +6,13 @@ export * from "./listSiteResources";
export * from "./listAllSiteResourcesByOrg";
export * from "./listSiteResourceRoles";
export * from "./listSiteResourceUsers";
export * from "./listSiteResourceClients";
export * from "./setSiteResourceRoles";
export * from "./setSiteResourceUsers";
export * from "./addRoleToSiteResource";
export * from "./removeRoleFromSiteResource";
export * from "./addUserToSiteResource";
export * from "./removeUserFromSiteResource";
export * from "./setSiteResourceClients";
export * from "./addClientToSiteResource";
export * from "./removeClientFromSiteResource";

85
server/routers/siteResource/listSiteResourceClients.ts Normal file
View File

@@ -0,0 +1,85 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db } from "@server/db";
import { clientSiteResources, clients } from "@server/db";
import { eq } from "drizzle-orm";
import response from "@server/lib/response";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import logger from "@server/logger";
import { fromError } from "zod-validation-error";
import { OpenAPITags, registry } from "@server/openApi";
const listSiteResourceClientsSchema = z
.object({
siteResourceId: z
.string()
.transform(Number)
.pipe(z.number().int().positive())
})
.strict();
async function queryClients(siteResourceId: number) {
return await db
.select({
clientId: clientSiteResources.clientId,
name: clients.name,
subnet: clients.subnet
})
.from(clientSiteResources)
.innerJoin(clients, eq(clientSiteResources.clientId, clients.clientId))
.where(eq(clientSiteResources.siteResourceId, siteResourceId));
}
export type ListSiteResourceClientsResponse = {
clients: NonNullable<Awaited<ReturnType<typeof queryClients>>>;
};
registry.registerPath({
method: "get",
path: "/site-resource/{siteResourceId}/clients",
description: "List all clients for a site resource.",
tags: [OpenAPITags.Resource, OpenAPITags.Client],
request: {
params: listSiteResourceClientsSchema
},
responses: {}
});
export async function listSiteResourceClients(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedParams = listSiteResourceClientsSchema.safeParse(req.params);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const { siteResourceId } = parsedParams.data;
const siteResourceClientsList = await queryClients(siteResourceId);
return response<ListSiteResourceClientsResponse>(res, {
data: {
clients: siteResourceClientsList
},
success: true,
error: false,
message: "Site resource clients retrieved successfully",
status: HttpCode.OK
});
} catch (error) {
logger.error(error);
return next(
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
);
}
}

162
server/routers/siteResource/removeClientFromSiteResource.ts Normal file
View File

@@ -0,0 +1,162 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db, siteResources, clients, clientSiteResources } from "@server/db";
import response from "@server/lib/response";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import logger from "@server/logger";
import { fromError } from "zod-validation-error";
import { eq, and } from "drizzle-orm";
import { OpenAPITags, registry } from "@server/openApi";
import { rebuildSiteClientAssociations } from "@server/lib/rebuildSiteClientAssociations";
const removeClientFromSiteResourceBodySchema = z
.object({
clientId: z.number().int().positive()
})
.strict();
const removeClientFromSiteResourceParamsSchema = z
.object({
siteResourceId: z
.string()
.transform(Number)
.pipe(z.number().int().positive())
})
.strict();
registry.registerPath({
method: "post",
path: "/site-resource/{siteResourceId}/clients/remove",
description: "Remove a single client from a site resource. Clients with a userId cannot be removed.",
tags: [OpenAPITags.Resource, OpenAPITags.Client],
request: {
params: removeClientFromSiteResourceParamsSchema,
body: {
content: {
"application/json": {
schema: removeClientFromSiteResourceBodySchema
}
}
}
},
responses: {}
});
export async function removeClientFromSiteResource(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedBody = removeClientFromSiteResourceBodySchema.safeParse(
req.body
);
if (!parsedBody.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedBody.error).toString()
)
);
}
const { clientId } = parsedBody.data;
const parsedParams = removeClientFromSiteResourceParamsSchema.safeParse(
req.params
);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const { siteResourceId } = parsedParams.data;
// get the site resource
const [siteResource] = await db
.select()
.from(siteResources)
.where(eq(siteResources.siteResourceId, siteResourceId))
.limit(1);
if (!siteResource) {
return next(
createHttpError(HttpCode.NOT_FOUND, "Site resource not found")
);
}
// Check if client exists and has a userId
const [client] = await db
.select()
.from(clients)
.where(eq(clients.clientId, clientId))
.limit(1);
if (!client) {
return next(
createHttpError(HttpCode.NOT_FOUND, "Client not found")
);
}
if (client.userId !== null) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Cannot remove clients that are associated with a user"
)
);
}
// Check if client exists in site resource
const existingEntry = await db
.select()
.from(clientSiteResources)
.where(
and(
eq(clientSiteResources.siteResourceId, siteResourceId),
eq(clientSiteResources.clientId, clientId)
)
);
if (existingEntry.length === 0) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
"Client not found in site resource"
)
);
}
await db.transaction(async (trx) => {
await trx
.delete(clientSiteResources)
.where(
and(
eq(clientSiteResources.siteResourceId, siteResourceId),
eq(clientSiteResources.clientId, clientId)
)
);
await rebuildSiteClientAssociations(siteResource, trx);
});
return response(res, {
data: {},
success: true,
error: false,
message: "Client removed from site resource successfully",
status: HttpCode.OK
});
} catch (error) {
logger.error(error);
return next(
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
);
}
}

149
server/routers/siteResource/setSiteResourceClients.ts Normal file
View File

@@ -0,0 +1,149 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db, siteResources, clients, clientSiteResources } from "@server/db";
import response from "@server/lib/response";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import logger from "@server/logger";
import { fromError } from "zod-validation-error";
import { eq, inArray } from "drizzle-orm";
import { OpenAPITags, registry } from "@server/openApi";
import { rebuildSiteClientAssociations } from "@server/lib/rebuildSiteClientAssociations";
const setSiteResourceClientsBodySchema = z
.object({
clientIds: z.array(z.number().int().positive())
})
.strict();
const setSiteResourceClientsParamsSchema = z
.object({
siteResourceId: z
.string()
.transform(Number)
.pipe(z.number().int().positive())
})
.strict();
registry.registerPath({
method: "post",
path: "/site-resource/{siteResourceId}/clients",
description:
"Set clients for a site resource. This will replace all existing clients. Clients with a userId cannot be added.",
tags: [OpenAPITags.Resource, OpenAPITags.Client],
request: {
params: setSiteResourceClientsParamsSchema,
body: {
content: {
"application/json": {
schema: setSiteResourceClientsBodySchema
}
}
}
},
responses: {}
});
export async function setSiteResourceClients(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedBody = setSiteResourceClientsBodySchema.safeParse(req.body);
if (!parsedBody.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedBody.error).toString()
)
);
}
const { clientIds } = parsedBody.data;
const parsedParams = setSiteResourceClientsParamsSchema.safeParse(req.params);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const { siteResourceId } = parsedParams.data;
// get the site resource
const [siteResource] = await db
.select()
.from(siteResources)
.where(eq(siteResources.siteResourceId, siteResourceId))
.limit(1);
if (!siteResource) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Site resource not found"
)
);
}
// Check if any clients have a userId (associated with a user)
if (clientIds.length > 0) {
const clientsWithUsers = await db
.select()
.from(clients)
.where(
inArray(clients.clientId, clientIds)
);
const clientsWithUserId = clientsWithUsers.filter(
(client) => client.userId !== null
);
if (clientsWithUserId.length > 0) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Cannot add clients that are associated with a user"
)
);
}
}
await db.transaction(async (trx) => {
await trx
.delete(clientSiteResources)
.where(eq(clientSiteResources.siteResourceId, siteResourceId));
if (clientIds.length > 0) {
await Promise.all(
clientIds.map((clientId) =>
trx
.insert(clientSiteResources)
.values({ clientId, siteResourceId })
.returning()
)
);
}
await rebuildSiteClientAssociations(siteResource, trx);
});
return response(res, {
data: {},
success: true,
error: false,
message: "Clients set for site resource successfully",
status: HttpCode.CREATED
});
} catch (error) {
logger.error(error);
return next(
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
);
}
}