Working on k8s

Clean email
Resolve potential issues with processing roleIds
2026-02-22 04:46:40 +00:00 · 2026-02-19 17:55:49 -08:00 · 2026-02-18 14:07:50 -08:00 · 2026-02-18 13:55:04 -08:00 · 2026-02-18 11:56:01 -08:00
10 changed files with 129 additions and 55 deletions
--- a/.github/workflows/saas.yml
+++ b/.github/workflows/saas.yml
@@ -56,6 +56,41 @@ jobs:
            - name: Checkout code
              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

+            - name: Download MaxMind GeoLite2 databases
+              env:
+                MAXMIND_LICENSE_KEY: ${{ secrets.MAXMIND_LICENSE_KEY }}
+              run: |
+                echo "Downloading MaxMind GeoLite2 databases..."
+
+                # Download GeoLite2-Country
+                curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
+                  -o GeoLite2-Country.tar.gz
+
+                # Download GeoLite2-ASN
+                curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
+                  -o GeoLite2-ASN.tar.gz
+
+                # Extract the .mmdb files
+                tar -xzf GeoLite2-Country.tar.gz --strip-components=1 --wildcards '*.mmdb'
+                tar -xzf GeoLite2-ASN.tar.gz --strip-components=1 --wildcards '*.mmdb'
+
+                # Verify files exist
+                if [ ! -f "GeoLite2-Country.mmdb" ]; then
+                  echo "ERROR: Failed to download GeoLite2-Country.mmdb"
+                  exit 1
+                fi
+
+                if [ ! -f "GeoLite2-ASN.mmdb" ]; then
+                  echo "ERROR: Failed to download GeoLite2-ASN.mmdb"
+                  exit 1
+                fi
+
+                # Clean up tar files
+                rm -f GeoLite2-Country.tar.gz GeoLite2-ASN.tar.gz
+
+                echo "MaxMind databases downloaded successfully"
+                ls -lh GeoLite2-*.mmdb
+
            - name: Monitor storage space
              run: |
                  THRESHOLD=75
--- a/8
+++ b/8
@@ -49,6 +49,14 @@ COPY server/db/ios_models.json ./dist/ios_models.json
 COPY server/db/mac_models.json ./dist/mac_models.json
 COPY public ./public

+# Copy MaxMind databases for SaaS builds
+ARG BUILD=oss
+RUN mkdir -p ./maxmind
+
+# This is only for saas
+COPY --from=builder-dev /app/GeoLite2-Country.mmdb ./maxmind/GeoLite2-Country.mmdb
+COPY --from=builder-dev /app/GeoLite2-ASN.mmdb ./maxmind/GeoLite2-ASN.mmdb
+
 # OCI Image Labels - Build Args for dynamic values
 ARG VERSION="dev"
 ARG REVISION=""
--- a/server/middlewares/integration/verifyApiKeyRoleAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyRoleAccess.ts
@@ -23,9 +23,14 @@ export async function verifyApiKeyRoleAccess(
            );
        }

-        const { roleIds } = req.body;
-        const allRoleIds =
-            roleIds || (isNaN(singleRoleId) ? [] : [singleRoleId]);
+        let allRoleIds: number[] = [];
+        if (!isNaN(singleRoleId)) {
+            // If roleId is provided in URL params, query params, or body (single), use it exclusively
+            allRoleIds = [singleRoleId];
+        } else if (req.body?.roleIds) {
+            // Only use body.roleIds if no single roleId was provided
+            allRoleIds = req.body.roleIds;
+        }

        if (allRoleIds.length === 0) {
            return next();
--- a/server/middlewares/verifyRoleAccess.ts
+++ b/server/middlewares/verifyRoleAccess.ts
@@ -23,8 +23,14 @@ export async function verifyRoleAccess(
        );
    }

-    const roleIds = req.body?.roleIds;
-    const allRoleIds = roleIds || (isNaN(singleRoleId) ? [] : [singleRoleId]);
+    let allRoleIds: number[] = [];
+    if (!isNaN(singleRoleId)) {
+        // If roleId is provided in URL params, query params, or body (single), use it exclusively
+        allRoleIds = [singleRoleId];
+    } else if (req.body?.roleIds) {
+        // Only use body.roleIds if no single roleId was provided
+        allRoleIds = req.body.roleIds;
+    }

    if (allRoleIds.length === 0) {
        return next();
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -72,15 +72,15 @@ export const privateConfigSchema = z.object({
                        db: z.int().nonnegative().optional().default(0)
                    })
                )
+                .optional(),
+            tls: z
+                .object({
+                    rejectUnauthorized: z
+                        .boolean()
+                        .optional()
+                        .default(true)
+                })
                .optional()
-            // tls: z
-            //     .object({
-            //         reject_unauthorized: z
-            //             .boolean()
-            //             .optional()
-            //             .default(true)
-            //     })
-            //     .optional()
        })
        .optional(),
    gerbil: z
--- a/server/private/lib/redis.ts
+++ b/server/private/lib/redis.ts
@@ -108,11 +108,15 @@ class RedisManager {
            port: redisConfig.port!,
            password: redisConfig.password,
            db: redisConfig.db
-            // tls: {
-            //     rejectUnauthorized:
-            //         redisConfig.tls?.reject_unauthorized || false
-            // }
        };
+        
+        // Enable TLS if configured (required for AWS ElastiCache in-transit encryption)
+        if (redisConfig.tls) {
+            opts.tls = {
+                rejectUnauthorized: redisConfig.tls.rejectUnauthorized ?? true
+            };
+        }
+        
        return opts;
    }

@@ -130,11 +134,15 @@ class RedisManager {
            port: replica.port!,
            password: replica.password,
            db: replica.db || redisConfig.db
-            // tls: {
-            //     rejectUnauthorized:
-            //         replica.tls?.reject_unauthorized || false
-            // }
        };
+        
+        // Enable TLS if configured (required for AWS ElastiCache in-transit encryption)
+        if (redisConfig.tls) {
+            opts.tls = {
+                rejectUnauthorized: redisConfig.tls.rejectUnauthorized ?? true
+            };
+        }
+        
        return opts;
    }

--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -139,7 +139,7 @@ export async function signSshKey(
        if (!userOrg.pamUsername) {
            if (req.user?.email) {
                // Extract username from email (first part before @)
-                usernameToUse = req.user?.email.split("@")[0];
+                usernameToUse = req.user?.email.split("@")[0].replace(/[^a-zA-Z0-9_-]/g, "");
                if (!usernameToUse) {
                    return next(
                        createHttpError(
--- a/server/routers/client/updateClient.ts
+++ b/server/routers/client/updateClient.ts
@@ -6,7 +6,7 @@ import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
-import { eq, and } from "drizzle-orm";
+import { eq, and, ne } from "drizzle-orm";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";

@@ -93,7 +93,8 @@ export async function updateClient(
                .where(
                    and(
                        eq(clients.niceId, niceId),
-                        eq(clients.orgId, clients.orgId)
+                        eq(clients.orgId, clients.orgId),
+                        ne(clients.clientId, clientId)
                    )
                )
                .limit(1);
--- a/server/routers/resource/updateResource.ts
+++ b/server/routers/resource/updateResource.ts
@@ -9,7 +9,7 @@ import {
    Resource,
    resources
 } from "@server/db";
-import { eq, and } from "drizzle-orm";
+import { eq, and, ne } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -33,7 +33,15 @@ const updateResourceParamsSchema = z.strictObject({
 const updateHttpResourceBodySchema = z
    .strictObject({
        name: z.string().min(1).max(255).optional(),
-        niceId: z.string().min(1).max(255).regex(/^[a-zA-Z0-9-]+$/, "niceId can only contain letters, numbers, and dashes").optional(),
+        niceId: z
+            .string()
+            .min(1)
+            .max(255)
+            .regex(
+                /^[a-zA-Z0-9-]+$/,
+                "niceId can only contain letters, numbers, and dashes"
+            )
+            .optional(),
        subdomain: subdomainSchema.nullable().optional(),
        ssl: z.boolean().optional(),
        sso: z.boolean().optional(),
@@ -248,14 +256,13 @@ async function updateHttpResource(
            .where(
                and(
                    eq(resources.niceId, updateData.niceId),
-                    eq(resources.orgId, resource.orgId)
+                    eq(resources.orgId, resource.orgId),
+                    ne(resources.resourceId, resource.resourceId) // exclude the current resource from the search
                )
-            );
+            )
+            .limit(1);

-        if (
-            existingResource &&
-            existingResource.resourceId !== resource.resourceId
-        ) {
+        if (existingResource) {
            return next(
                createHttpError(
                    HttpCode.CONFLICT,
@@ -343,7 +350,10 @@ async function updateHttpResource(
        headers = null;
    }

-    const isLicensed = await isLicensedOrSubscribed(resource.orgId, tierMatrix.maintencePage);
+    const isLicensed = await isLicensedOrSubscribed(
+        resource.orgId,
+        tierMatrix.maintencePage
+    );
    if (!isLicensed) {
        updateData.maintenanceModeEnabled = undefined;
        updateData.maintenanceModeType = undefined;
--- a/server/routers/site/updateSite.ts
+++ b/server/routers/site/updateSite.ts
@@ -2,7 +2,7 @@ import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
 import { sites } from "@server/db";
-import { eq, and } from "drizzle-orm";
+import { eq, and, ne } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -19,8 +19,8 @@ const updateSiteBodySchema = z
    .strictObject({
        name: z.string().min(1).max(255).optional(),
        niceId: z.string().min(1).max(255).optional(),
-        dockerSocketEnabled: z.boolean().optional(),
-        remoteSubnets: z.string().optional()
+        dockerSocketEnabled: z.boolean().optional()
+        // remoteSubnets: z.string().optional()
        // subdomain: z
        //     .string()
        //     .min(1)
@@ -86,18 +86,19 @@ export async function updateSite(

        // if niceId is provided, check if it's already in use by another site
        if (updateData.niceId) {
-            const existingSite = await db
+            const [existingSite] = await db
                .select()
                .from(sites)
                .where(
                    and(
                        eq(sites.niceId, updateData.niceId),
-                        eq(sites.orgId, sites.orgId)
+                        eq(sites.orgId, sites.orgId),
+                        ne(sites.siteId, siteId)
                    )
                )
                .limit(1);

-            if (existingSite.length > 0 && existingSite[0].siteId !== siteId) {
+            if (existingSite) {
                return next(
                    createHttpError(
                        HttpCode.CONFLICT,
@@ -107,22 +108,22 @@ export async function updateSite(
            }
        }

-        // if remoteSubnets is provided, ensure it's a valid comma-separated list of cidrs
-        if (updateData.remoteSubnets) {
-            const subnets = updateData.remoteSubnets
-                .split(",")
-                .map((s) => s.trim());
-            for (const subnet of subnets) {
-                if (!isValidCIDR(subnet)) {
-                    return next(
-                        createHttpError(
-                            HttpCode.BAD_REQUEST,
-                            `Invalid CIDR format: ${subnet}`
-                        )
-                    );
-                }
-            }
-        }
+        // // if remoteSubnets is provided, ensure it's a valid comma-separated list of cidrs
+        // if (updateData.remoteSubnets) {
+        //     const subnets = updateData.remoteSubnets
+        //         .split(",")
+        //         .map((s) => s.trim());
+        //     for (const subnet of subnets) {
+        //         if (!isValidCIDR(subnet)) {
+        //             return next(
+        //                 createHttpError(
+        //                     HttpCode.BAD_REQUEST,
+        //                     `Invalid CIDR format: ${subnet}`
+        //                 )
+        //             );
+        //         }
+        //     }
+        // }

        const updatedSite = await db
            .update(sites)
Author	SHA1	Message	Date
Owen	b786497299	Working on k8s	2026-02-19 17:55:49 -08:00
Owen	874794c996	Clean email	2026-02-18 14:07:50 -08:00
Owen	5e37c4e85f	Resolve potential issues with processing roleIds	2026-02-18 13:55:04 -08:00
Owen	4e7eac368f	Uniform ne check on niceId and dont reject clients	2026-02-18 11:56:01 -08:00