calvin.erfmann/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-06-17 12:57:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dev' into refactor/standardize-dropdowns

Browse Source
This commit is contained in:
Fred KISSIE
2026-06-03 19:34:22 +02:00
parent 29717e19db f2f56dc6c2
commit 00dce19997
30 changed files with 808 additions and 271 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
cli/commands/setServerAdmin.ts Normal file
View File

@@ -0,0 +1,51 @@
import { CommandModule } from "yargs";
import { db, users } from "@server/db";
import { eq } from "drizzle-orm";
type SetServerAdminArgs = {
email: string;
};
export const setServerAdmin: CommandModule<{}, SetServerAdminArgs> = {
command: "set-server-admin",
describe: "Mark any user as a server admin by email address",
builder: (yargs) => {
return yargs.option("email", {
type: "string",
demandOption: true,
describe: "User email address"
});
},
handler: async (argv: { email: string }) => {
try {
const email = argv.email.trim().toLowerCase();
const [user] = await db
.select()
.from(users)
.where(eq(users.email, email))
.limit(1);
if (!user) {
console.error(`User with email '${email}' not found`);
process.exit(1);
}
if (user.serverAdmin) {
console.log(`User '${email}' is already a server admin`);
process.exit(0);
}
await db
.update(users)
.set({ serverAdmin: true })
.where(eq(users.userId, user.userId));
console.log(`User '${email}' has been marked as a server admin`);
process.exit(0);
} catch (error) {
console.error("Error:", error);
process.exit(1);
}
}
};

2
cli/index.ts
View File

@@ -11,6 +11,7 @@ import { deleteClient } from "./commands/deleteClient";
import { generateOrgCaKeys } from "./commands/generateOrgCaKeys";
import { clearCertificates } from "./commands/clearCertificates";
import { disableUser2fa } from "./commands/disableUser2fa";
import { setServerAdmin } from "./commands/setServerAdmin";
yargs(hideBin(process.argv))
.scriptName("pangctl")
@@ -23,5 +24,6 @@ yargs(hideBin(process.argv))
.command(generateOrgCaKeys)
.command(clearCertificates)
.command(disableUser2fa)
.command(setServerAdmin)
.demandCommand()
.help().argv;

57
server/db/queries/verifySessionQueries.ts
View File

@@ -26,15 +26,22 @@ import {
userPolicies,
users,
ResourceHeaderAuthExtendedCompatibility,
resourceHeaderAuthExtendedCompatibility
resourceHeaderAuthExtendedCompatibility,
resourcePolicies,
resourcePolicyPincode,
ResourcePolicyPincode,
resourcePolicyPassword,
ResourcePolicyPassword,
resourcePolicyHeaderAuth,
ResourcePolicyHeaderAuth
} from "@server/db";
import { and, eq, inArray, or, sql } from "drizzle-orm";
export type ResourceWithAuth = {
resource: Resource | null;
pincode: ResourcePincode | null;
password: ResourcePassword | null;
headerAuth: ResourceHeaderAuth | null;
pincode: ResourcePincode | ResourcePolicyPincode | null;
password: ResourcePassword | ResourcePolicyPassword | null;
headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
org: Org;
};
@@ -82,6 +89,31 @@ export async function getResourceByDomain(
resources.resourceId
)
)
.leftJoin(
resourcePolicies,
eq(resourcePolicies.resourcePolicyId, resources.resourcePolicyId)
)
.leftJoin(
resourcePolicyPincode,
eq(
resourcePolicyPincode.resourcePolicyId,
resourcePolicies.resourcePolicyId
)
)
.leftJoin(
resourcePolicyPassword,
eq(
resourcePolicyPassword.resourcePolicyId,
resourcePolicies.resourcePolicyId
)
)
.leftJoin(
resourcePolicyHeaderAuth,
eq(
resourcePolicyHeaderAuth.resourcePolicyId,
resourcePolicies.resourcePolicyId
)
)
.innerJoin(orgs, eq(orgs.orgId, resources.orgId))
.where(
or(
@@ -113,11 +145,18 @@ export async function getResourceByDomain(
return {
resource: result.resources,
pincode: result.resourcePincode,
password: result.resourcePassword,
headerAuth: result.resourceHeaderAuth,
headerAuthExtendedCompatibility:
result.resourceHeaderAuthExtendedCompatibility,
pincode: result.resourcePolicyPincode ?? result.resourcePincode,
password: result.resourcePolicyPassword ?? result.resourcePassword,
headerAuth:
result.resourcePolicyHeaderAuth ?? result.resourceHeaderAuth,
headerAuthExtendedCompatibility: result.resourcePolicyHeaderAuth
? ({
headerAuthExtendedCompatibilityId: 0,
resourceId: result.resources.resourceId,
extendedCompatibilityIsActivated:
result.resourcePolicyHeaderAuth.extendedCompatibility
} as ResourceHeaderAuthExtendedCompatibility)
: result.resourceHeaderAuthExtendedCompatibility,
org: result.orgs
};
}

9
server/db/sqlite/schema/schema.ts
View File

@@ -1545,5 +1545,14 @@ export type RoundTripMessageTracker = InferSelectModel<
export type StatusHistory = InferSelectModel<typeof statusHistory>;
export type Label = InferSelectModel<typeof labels>;
export type ResourcePolicy = InferSelectModel<typeof resourcePolicies>;
export type ResourcePolicyPincode = InferSelectModel<
typeof resourcePolicyPincode
>;
export type ResourcePolicyPassword = InferSelectModel<
typeof resourcePolicyPassword
>;
export type ResourcePolicyHeaderAuth = InferSelectModel<
typeof resourcePolicyHeaderAuth
>;
export type RolePolicy = InferSelectModel<typeof rolePolicies>;
export type UserPolicy = InferSelectModel<typeof userPolicies>;

22
server/lib/billing/tierMatrix.ts
View File

@@ -16,18 +16,18 @@ export enum TierFeature {
SessionDurationPolicies = "sessionDurationPolicies", // handle downgrade by setting to default duration
PasswordExpirationPolicies = "passwordExpirationPolicies", // handle downgrade by setting to default duration
AutoProvisioning = "autoProvisioning", // handle downgrade by disabling auto provisioning
SshPam = "sshPam",
FullRbac = "fullRbac",
SiteProvisioningKeys = "siteProvisioningKeys", // handle downgrade by revoking keys if needed
SIEM = "siem", // handle downgrade by disabling SIEM integrations
HTTPPrivateResources = "httpPrivateResources", // handle downgrade by disabling HTTP private resources
DomainNamespaces = "domainNamespaces", // handle downgrade by removing custom domain namespaces
StandaloneHealthChecks = "standaloneHealthChecks",
AlertingRules = "alertingRules",
WildcardSubdomain = "wildcardSubdomain",
Labels = "labels",
NewtAutoUpdate = "newtAutoUpdate",
ResourcePolicies = "resourcePolicies"
ResourcePolicies = "resourcePolicies",
AdvancedPublicResources = "advancedPublicResources",
AdvancedPrivateResources = "advancedPrivateResources"
}
export const tierMatrix: Record<TierFeature, Tier[]> = {
@@ -62,15 +62,25 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
"enterprise"
],
[TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"],
[TierFeature.SshPam]: ["tier1", "tier3", "enterprise"],
[TierFeature.FullRbac]: ["tier1", "tier2", "tier3", "enterprise"],
[TierFeature.SiteProvisioningKeys]: ["tier3", "enterprise"],
[TierFeature.SIEM]: ["enterprise"],
[TierFeature.HTTPPrivateResources]: ["tier3", "enterprise"],
[TierFeature.DomainNamespaces]: ["tier1", "tier2", "tier3", "enterprise"],
[TierFeature.StandaloneHealthChecks]: ["tier3", "enterprise"],
[TierFeature.AlertingRules]: ["tier3", "enterprise"],
[TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"],
[TierFeature.NewtAutoUpdate]: ["tier1", "tier2", "tier3", "enterprise"],
[TierFeature.ResourcePolicies]: ["tier3", "enterprise"]
[TierFeature.ResourcePolicies]: ["tier3", "enterprise"],
[TierFeature.AdvancedPublicResources]: [
"tier1",
"tier2",
"tier3",
"enterprise"
],
[TierFeature.AdvancedPrivateResources]: [
"tier1",
"tier2",
"tier3",
"enterprise"
]
};

30
server/lib/blueprints/proxyResources.ts
View File

@@ -337,6 +337,15 @@ export async function updateProxyResources(
resourceData.maintenance?.message,
maintenanceEstimatedTime:
resourceData.maintenance?.["estimated-time"],
proxyProtocol:
resourceData.mode === "tcp"
? (resourceData["proxy-protocol"] ?? false)
: false,
proxyProtocolVersion:
resourceData.mode === "tcp"
? (resourceData["proxy-protocol-version"] ??
1)
: 1,
resourcePolicyId: sharedPolicy.resourcePolicyId
})
.where(
@@ -504,6 +513,15 @@ export async function updateProxyResources(
resourceData.maintenance?.message,
maintenanceEstimatedTime:
resourceData.maintenance?.["estimated-time"],
proxyProtocol:
resourceData.mode === "tcp"
? (resourceData["proxy-protocol"] ?? false)
: false,
proxyProtocolVersion:
resourceData.mode === "tcp"
? (resourceData["proxy-protocol-version"] ??
1)
: 1,
resourcePolicyId: null,
defaultResourcePolicyId: inlinePolicyId
})
@@ -994,6 +1012,14 @@ export async function updateProxyResources(
maintenanceMessage: resourceData.maintenance?.message,
maintenanceEstimatedTime:
resourceData.maintenance?.["estimated-time"],
proxyProtocol:
resourceData.mode === "tcp"
? (resourceData["proxy-protocol"] ?? false)
: false,
proxyProtocolVersion:
resourceData.mode === "tcp"
? (resourceData["proxy-protocol-version"] ?? 1)
: 1,
defaultResourcePolicyId: inlinePolicy.resourcePolicyId,
resourcePolicyId: sharedPolicyId,
// Only set these resource-level fields when using a shared policy
@@ -1231,7 +1257,9 @@ async function syncRoleResources(
}))
);
role = created;
logger.info(`Auto-created role "${roleName}" in org ${orgId} from blueprint`);
logger.info(
`Auto-created role "${roleName}" in org ${orgId} from blueprint`
);
}
if (role.isAdmin) {

21
server/lib/blueprints/types.ts
View File

@@ -201,7 +201,9 @@ export const PublicResourceSchema = z
headers: z.array(HeaderSchema).optional(),
rules: z.array(RuleSchema).optional(),
maintenance: MaintenanceSchema.optional(),
"auth-daemon": AuthDaemonSchema.optional()
"auth-daemon": AuthDaemonSchema.optional(),
"proxy-protocol": z.boolean().optional(),
"proxy-protocol-version": z.int().min(1).optional()
})
.refine(
(resource) => {
@@ -378,6 +380,23 @@ export const PublicResourceSchema = z
'Wildcard full-domain must have "*" as the leftmost label only, followed by at least two valid hostname labels (e.g. "*.example.com" or "*.level1.example.com"). Patterns like "*example.com" or "level2.*.example.com" are not supported.'
}
)
.refine(
(resource) => {
const effectiveMode = resource.mode ?? resource.protocol;
if (effectiveMode !== "tcp") {
return (
resource["proxy-protocol"] === undefined &&
resource["proxy-protocol-version"] === undefined
);
}
return true;
},
{
path: ["proxy-protocol"],
message:
"'proxy-protocol' and 'proxy-protocol-version' can only be set when mode is 'tcp'"
}
)
.transform((resource) => {
// Normalize: prefer mode, fall back to protocol for backwards compatibility
if (resource.mode === undefined && resource.protocol !== undefined) {

13
server/private/routers/billing/featureLifecycle.ts
View File

@@ -308,8 +308,8 @@ async function disableFeature(
await disableAutoProvisioning(orgId);
break;
case TierFeature.SshPam:
await disableSshPam(orgId);
case TierFeature.AdvancedPrivateResources:
await disableAdvancedPrivateResources(orgId);
break;
case TierFeature.FullRbac:
@@ -357,10 +357,11 @@ async function disableDeviceApprovals(orgId: string): Promise<void> {
logger.info(`Disabled device approvals on all roles for org ${orgId}`);
}
async function disableSshPam(orgId: string): Promise<void> {
logger.info(
`Disabled SSH PAM options on all roles and site resources for org ${orgId}`
);
async function disableAdvancedPrivateResources(orgId: string): Promise<void> {
// TODO: implement logic to disable advanced private resourcs like ssh and ssh pam
// logger.info(
// `Disabled advanced private resources on all roles and site resources for org ${orgId}`
// );
}
async function disableFullRbac(orgId: string): Promise<void> {

2
server/private/routers/external.ts
View File

@@ -610,7 +610,7 @@ authenticated.put(
authenticated.post(
"/org/:orgId/ssh/sign-key",
verifyValidLicense,
verifyValidSubscription(tierMatrix.sshPam),
verifyValidSubscription(tierMatrix.advancedPrivateResources),
verifyOrgAccess,
verifyLimits,
verifyUserHasAction(ActionsEnum.signSshKey),

63
server/private/routers/hybrid.ts
View File

@@ -35,7 +35,14 @@ import {
ResourceHeaderAuthExtendedCompatibility,
orgs,
requestAuditLog,
Org
Org,
resourcePolicies,
resourcePolicyPincode,
ResourcePolicyPincode,
resourcePolicyPassword,
ResourcePolicyPassword,
resourcePolicyHeaderAuth,
ResourcePolicyHeaderAuth
} from "@server/db";
import {
resources,
@@ -204,9 +211,9 @@ export type ValidateResourceSessionTokenBody = z.infer<
// Type definitions for API responses
export type ResourceWithAuth = {
resource: Resource | null;
pincode: ResourcePincode | null;
password: ResourcePassword | null;
headerAuth: ResourceHeaderAuth | null;
pincode: ResourcePincode | ResourcePolicyPincode | null;
password: ResourcePassword | ResourcePolicyPassword | null;
headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
org: Org;
};
@@ -529,6 +536,34 @@ hybridRouter.get(
resources.resourceId
)
)
.leftJoin(
resourcePolicies,
eq(
resourcePolicies.resourcePolicyId,
resources.resourcePolicyId
)
)
.leftJoin(
resourcePolicyPincode,
eq(
resourcePolicyPincode.resourcePolicyId,
resourcePolicies.resourcePolicyId
)
)
.leftJoin(
resourcePolicyPassword,
eq(
resourcePolicyPassword.resourcePolicyId,
resourcePolicies.resourcePolicyId
)
)
.leftJoin(
resourcePolicyHeaderAuth,
eq(
resourcePolicyHeaderAuth.resourcePolicyId,
resourcePolicies.resourcePolicyId
)
)
.innerJoin(orgs, eq(orgs.orgId, resources.orgId))
.where(
or(
@@ -581,11 +616,21 @@ hybridRouter.get(
const resourceWithAuth: ResourceWithAuth = {
resource: result.resources,
pincode: result.resourcePincode,
password: result.resourcePassword,
headerAuth: result.resourceHeaderAuth,
headerAuthExtendedCompatibility:
result.resourceHeaderAuthExtendedCompatibility,
pincode: result.resourcePolicyPincode ?? result.resourcePincode,
password:
result.resourcePolicyPassword ?? result.resourcePassword,
headerAuth:
result.resourcePolicyHeaderAuth ??
result.resourceHeaderAuth,
headerAuthExtendedCompatibility: result.resourcePolicyHeaderAuth
? ({
headerAuthExtendedCompatibilityId: 0,
resourceId: result.resources.resourceId,
extendedCompatibilityIsActivated:
result.resourcePolicyHeaderAuth
.extendedCompatibility
} as ResourceHeaderAuthExtendedCompatibility)
: result.resourceHeaderAuthExtendedCompatibility,
org: result.orgs
};

37
server/private/routers/ssh/signSshKey.ts
View File

@@ -78,41 +78,9 @@ export type SignSshKeyResponse = {
validAfter?: string;
validBefore?: string;
expiresIn?: number;
authDaemonMode: "site" | "remote" | "native" | null;
};
// registry.registerPath({
// method: "post",
// path: "/org/{orgId}/ssh/sign-key",
// description: "Sign an SSH public key for access to a resource.",
// tags: [OpenAPITags.Org, OpenAPITags.Ssh],
// request: {
// params: paramsSchema,
// body: {
// content: {
// "application/json": {
// schema: bodySchema
// }
// }
// }
// },
// responses: {
// 200: {
// description: "Successful response",
// content: {
// "application/json": {
// schema: z.object({
// data: z.unknown().nullable(),
// success: z.boolean(),
// error: z.boolean(),
// message: z.string(),
// status: z.number()
// })
// }
// }
// }
// }
// });
export async function signSshKey(
req: Request,
res: Response,
@@ -181,7 +149,7 @@ export async function signSshKey(
const isLicensed = await isLicensedOrSubscribed(
orgId,
tierMatrix.sshPam
tierMatrix.advancedPrivateResources
);
if (!isLicensed) {
return next(
@@ -654,6 +622,7 @@ export async function signSshKey(
siteIds: siteIds,
siteId: siteIds[0], // just pick the first one for backward compatibility with older olms
keyId: cert?.keyId,
authDaemonMode: resource.authDaemonMode,
validPrincipals: cert?.validPrincipals,
validAfter: cert?.validAfter.toISOString(),
validBefore: cert?.validBefore.toISOString(),

27
server/routers/badger/verifySession.ts
View File

@@ -17,6 +17,9 @@ import {
ResourceHeaderAuthExtendedCompatibility,
ResourcePassword,
ResourcePincode,
ResourcePolicyPincode,
ResourcePolicyPassword,
ResourcePolicyHeaderAuth,
ResourceRule
} from "@server/db";
import config from "@server/lib/config";
@@ -134,9 +137,12 @@ export async function verifyResourceSession(
let resourceData:
| {
resource: Resource | null;
pincode: ResourcePincode | null;
password: ResourcePassword | null;
headerAuth: ResourceHeaderAuth | null;
pincode: ResourcePincode | ResourcePolicyPincode | null;
password: ResourcePassword | ResourcePolicyPassword | null;
headerAuth:
| ResourceHeaderAuth
| ResourcePolicyHeaderAuth
| null;
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
org: Org;
}
@@ -577,7 +583,11 @@ export async function verifyResourceSession(
return notAllowed(res, redirectPath, resource.orgId);
}
if (pincode && resourceSession.pincodeId) {
if (
pincode &&
(resourceSession.pincodeId ||
resourceSession.policyPincodeId)
) {
logger.debug(
"Resource allowed because pincode session is valid"
);
@@ -596,7 +606,11 @@ export async function verifyResourceSession(
return allowed(res, undefined, dontStripSession);
}
if (password && resourceSession.passwordId) {
if (
password &&
(resourceSession.passwordId ||
resourceSession.policyPasswordId)
) {
logger.debug(
"Resource allowed because password session is valid"
);
@@ -617,7 +631,8 @@ export async function verifyResourceSession(
if (
resource.emailWhitelistEnabled &&
resourceSession.whitelistId
(resourceSession.whitelistId ||
resourceSession.policyWhitelistId)
) {
logger.debug(
"Resource allowed because whitelist session is valid"

17
server/routers/resource/createResource.ts
View File

@@ -31,7 +31,7 @@ import {
} from "@server/lib/domainUtils";
import { isSubscribed } from "#dynamic/lib/isSubscribed";
import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
import { tierMatrix } from "@server/lib/billing/tierMatrix";
import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
import {
getUniqueResourceName,
getUniqueResourcePolicyName
@@ -342,6 +342,21 @@ async function createHttpResource(
}
}
if (
["ssh", "rdp", "vnc"].includes(mode!) &&
!isLicensedOrSubscribed(
orgId!,
tierMatrix[TierFeature.AdvancedPublicResources]
)
) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Your current subscription does not support browser gateway resources. Please upgrade to access this feature."
)
);
}
// Validate domain and construct full domain
const domainResult = await validateAndConstructDomain(
domainId,

2
server/routers/resource/getUserResources.ts
View File

@@ -438,6 +438,7 @@ export async function getUserResources(
return {
siteResourceId: siteResource.siteResourceId,
name: siteResource.name,
niceId: siteResource.niceId,
destination: siteResource.destination,
mode: siteResource.mode,
ssl: siteResource.ssl,
@@ -492,6 +493,7 @@ export type GetUserResourcesResponse = {
siteResources: Array<{
siteResourceId: number;
name: string;
niceId: string;
destination: string;
mode: string;
tcpPortRangeString: string | null;

33
server/routers/role/createRole.ts
View File

@@ -123,23 +123,40 @@ export async function createRole(
);
}
const isLicensedDeviceApprovals = await isLicensedOrSubscribed(orgId, tierMatrix.deviceApprovals);
const isLicensedDeviceApprovals = await isLicensedOrSubscribed(
orgId,
tierMatrix.deviceApprovals
);
if (!isLicensedDeviceApprovals) {
roleData.requireDeviceApproval = undefined;
}
const isLicensedSshPam = await isLicensedOrSubscribed(orgId, tierMatrix.sshPam);
const isLicensedSshPam = await isLicensedOrSubscribed(
orgId,
tierMatrix.advancedPrivateResources
);
const roleInsertValues: Record<string, unknown> = {
name: roleData.name,
orgId
};
if (roleData.description !== undefined) roleInsertValues.description = roleData.description;
if (roleData.requireDeviceApproval !== undefined) roleInsertValues.requireDeviceApproval = roleData.requireDeviceApproval;
if (roleData.description !== undefined)
roleInsertValues.description = roleData.description;
if (roleData.requireDeviceApproval !== undefined)
roleInsertValues.requireDeviceApproval =
roleData.requireDeviceApproval;
if (isLicensedSshPam) {
if (roleData.sshSudoMode !== undefined) roleInsertValues.sshSudoMode = roleData.sshSudoMode;
if (roleData.sshSudoCommands !== undefined) roleInsertValues.sshSudoCommands = JSON.stringify(roleData.sshSudoCommands);
if (roleData.sshCreateHomeDir !== undefined) roleInsertValues.sshCreateHomeDir = roleData.sshCreateHomeDir;
if (roleData.sshUnixGroups !== undefined) roleInsertValues.sshUnixGroups = JSON.stringify(roleData.sshUnixGroups);
if (roleData.sshSudoMode !== undefined)
roleInsertValues.sshSudoMode = roleData.sshSudoMode;
if (roleData.sshSudoCommands !== undefined)
roleInsertValues.sshSudoCommands = JSON.stringify(
roleData.sshSudoCommands
);
if (roleData.sshCreateHomeDir !== undefined)
roleInsertValues.sshCreateHomeDir = roleData.sshCreateHomeDir;
if (roleData.sshUnixGroups !== undefined)
roleInsertValues.sshUnixGroups = JSON.stringify(
roleData.sshUnixGroups
);
}
await db.transaction(async (trx) => {

18
server/routers/role/updateRole.ts
View File

@@ -134,12 +134,18 @@ export async function updateRole(
);
}
const isLicensedDeviceApprovals = await isLicensedOrSubscribed(orgId, tierMatrix.deviceApprovals);
const isLicensedDeviceApprovals = await isLicensedOrSubscribed(
orgId,
tierMatrix.deviceApprovals
);
if (!isLicensedDeviceApprovals) {
updateData.requireDeviceApproval = undefined;
}
const isLicensedSshPam = await isLicensedOrSubscribed(orgId, tierMatrix.sshPam);
const isLicensedSshPam = await isLicensedOrSubscribed(
orgId,
tierMatrix.advancedPrivateResources
);
if (!isLicensedSshPam) {
delete updateData.sshSudoMode;
delete updateData.sshSudoCommands;
@@ -147,10 +153,14 @@ export async function updateRole(
delete updateData.sshUnixGroups;
} else {
if (Array.isArray(updateData.sshSudoCommands)) {
updateData.sshSudoCommands = JSON.stringify(updateData.sshSudoCommands);
updateData.sshSudoCommands = JSON.stringify(
updateData.sshSudoCommands
);
}
if (Array.isArray(updateData.sshUnixGroups)) {
updateData.sshUnixGroups = JSON.stringify(updateData.sshUnixGroups);
updateData.sshUnixGroups = JSON.stringify(
updateData.sshUnixGroups
);
}
}

34
server/routers/siteResource/createSiteResource.ts
View File

@@ -49,7 +49,6 @@ const createSiteResourceSchema = z
scheme: z.enum(["http", "https"]).optional(),
siteIds: z.array(z.int()).optional(),
siteId: z.number().int().positive().optional(), // DEPRECATED: for backward compatibility, we will convert this to siteIds array if provided
// proxyPort: z.int().positive().optional(),
destinationPort: z.int().positive().optional(),
destination: z.string().min(1).optional(),
enabled: z.boolean().default(true),
@@ -174,6 +173,25 @@ const createSiteResourceSchema = z
{
message: "At least one of siteIds or siteId must be provided"
}
)
.refine(
(data) => {
if (data.mode !== "ssh") return true;
const isSingleSiteMode =
data.authDaemonMode === "native" ||
(data.pamMode === "push" && data.authDaemonMode === "site") ||
(data.pamMode === "push" && data.authDaemonMode === undefined);
if (!isSingleSiteMode) return true;
const effectiveSiteIds = [
...(data.siteIds ?? []),
...(data.siteId !== undefined ? [data.siteId] : [])
];
const uniqueSiteIds = new Set(effectiveSiteIds);
return uniqueSiteIds.size <= 1;
},
{
message: "Only one site is allowed for this SSH daemon mode"
}
);
export type CreateSiteResourceBody = z.infer<typeof createSiteResourceSchema>;
@@ -248,7 +266,6 @@ export async function createSiteResource(
siteId,
mode,
scheme,
// proxyPort,
destinationPort,
destination,
enabled,
@@ -276,7 +293,7 @@ export async function createSiteResource(
if (mode == "http") {
const hasHttpFeature = await isLicensedOrSubscribed(
orgId,
tierMatrix[TierFeature.HTTPPrivateResources]
tierMatrix[TierFeature.AdvancedPrivateResources]
);
if (!hasHttpFeature) {
return next(
@@ -408,9 +425,18 @@ export async function createSiteResource(
const isLicensedSshPam = await isLicensedOrSubscribed(
orgId,
tierMatrix.sshPam
tierMatrix.advancedPrivateResources
);
if (mode == "ssh" && !isLicensedSshPam) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"SSH private resources are not included in your current plan. Please upgrade."
)
);
}
let updatedNiceId = niceId;
if (!niceId) {
updatedNiceId = await getUniqueSiteResourceName(orgId);

44
server/routers/siteResource/updateSiteResource.ts
View File

@@ -59,7 +59,6 @@ const updateSiteResourceSchema = z
mode: z.enum(["host", "cidr", "http", "ssh"]).optional(),
ssl: z.boolean().optional(),
scheme: z.enum(["http", "https"]).nullish(),
// proxyPort: z.int().positive().nullish(),
destinationPort: z.int().positive().nullish(),
destination: z.string().min(1).optional(),
enabled: z.boolean().optional(),
@@ -182,6 +181,25 @@ const updateSiteResourceSchema = z
{
message: "At least one of siteIds or siteId must be provided"
}
)
.refine(
(data) => {
if (data.mode !== "ssh") return true;
const isSingleSiteMode =
data.authDaemonMode === "native" ||
(data.pamMode === "push" && data.authDaemonMode === "site") ||
(data.pamMode === "push" && data.authDaemonMode === undefined);
if (!isSingleSiteMode) return true;
const effectiveSiteIds = [
...(data.siteIds ?? []),
...(data.siteId !== undefined ? [data.siteId] : [])
];
const uniqueSiteIds = new Set(effectiveSiteIds);
return uniqueSiteIds.size <= 1;
},
{
message: "Only one site is allowed for this SSH daemon mode"
}
);
export type UpdateSiteResourceBody = z.infer<typeof updateSiteResourceSchema>;
@@ -296,7 +314,7 @@ export async function updateSiteResource(
if (mode == "http") {
const hasHttpFeature = await isLicensedOrSubscribed(
existingSiteResource.orgId,
tierMatrix[TierFeature.HTTPPrivateResources]
tierMatrix[TierFeature.AdvancedPrivateResources]
);
if (!hasHttpFeature) {
return next(
@@ -310,7 +328,7 @@ export async function updateSiteResource(
const isLicensedSshPam = await isLicensedOrSubscribed(
existingSiteResource.orgId,
tierMatrix.sshPam
tierMatrix.advancedPrivateResources
);
const [org] = await db
@@ -632,6 +650,15 @@ export async function updateSiteResource(
})
}
: {};
let tcpPortRangeStringAdjusted = tcpPortRangeString;
if (mode === "http") {
tcpPortRangeStringAdjusted = "443,80";
} else if (mode === "ssh") {
tcpPortRangeStringAdjusted = destinationPort
? destinationPort.toString()
: "22";
}
[updatedSiteResource] = await trx
.update(siteResources)
.set({
@@ -644,9 +671,14 @@ export async function updateSiteResource(
destinationPort: destinationPort,
enabled: enabled,
alias: alias ? alias.trim() : null,
tcpPortRangeString: tcpPortRangeString,
udpPortRangeString: udpPortRangeString,
disableIcmp: disableIcmp,
tcpPortRangeString: tcpPortRangeStringAdjusted,
udpPortRangeString:
mode == "http" || mode == "ssh"
? ""
: udpPortRangeString,
disableIcmp:
disableIcmp ||
(mode == "http" || mode == "ssh" ? true : false),
domainId,
subdomain: finalSubdomain,
fullDomain,

2
server/setup/scriptsSqlite/1.19.0.ts
View File

@@ -32,8 +32,6 @@ export function generateName(): string {
return name.replace(/[^a-z0-9-]/g, "");
}
await migration();
export default async function migration() {
console.log(`Running setup script ${version}...`);

70
src/app/[orgId]/settings/resources/public/[niceId]/rdp/page.tsx
View File

@@ -10,11 +10,14 @@ import {
SettingsSectionTitle
} from "@app/components/Settings";
import { BrowserGatewayTargetForm } from "@app/components/BrowserGatewayTargetForm";
import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
import { type Selectedsite } from "@app/components/site-selector";
import { Button } from "@app/components/ui/button";
import { toast } from "@app/hooks/useToast";
import { useResourceContext } from "@app/hooks/useResourceContext";
import { useEnvContext } from "@app/hooks/useEnvContext";
import { usePaidStatus } from "@app/hooks/usePaidStatus";
import { tierMatrix, TierFeature } from "@server/lib/billing/tierMatrix";
import { createApiClient } from "@app/lib/api";
import { formatAxiosError } from "@app/lib/api/formatAxiosError";
import { useQuery } from "@tanstack/react-query";
@@ -48,13 +51,21 @@ export default function SshSettingsPage(props: {
}) {
const params = use(props.params);
const { resource, updateResource } = useResourceContext();
const { isPaidUser } = usePaidStatus();
const disabled = !isPaidUser(
tierMatrix[TierFeature.AdvancedPublicResources]
);
return (
<SettingsContainer>
<PaidFeaturesAlert
tiers={tierMatrix[TierFeature.AdvancedPublicResources]}
/>
<SshServerForm
orgId={params.orgId}
resource={resource}
updateResource={updateResource}
disabled={disabled}
/>
</SettingsContainer>
);
@@ -63,11 +74,13 @@ export default function SshSettingsPage(props: {
function SshServerForm({
orgId,
resource,
updateResource
updateResource,
disabled
}: {
orgId: string;
resource: GetResourceResponse;
updateResource: ResourceContextType["updateResource"];
disabled: boolean;
}) {
const t = useTranslations();
const api = createApiClient(useEnvContext());
@@ -220,31 +233,36 @@ function SshServerForm({
{t("rdpServerDescription")}
</SettingsSectionDescription>
</SettingsSectionHeader>
<SettingsSectionBody>
<SettingsSectionForm variant="half">
<BrowserGatewayTargetForm
orgId={orgId}
multiSite={true}
selectedSites={selectedSites}
onSitesChange={setSelectedSites}
destination={bgDestination}
destinationPort={bgDestinationPort}
onDestinationChange={setBgDestination}
onDestinationPortChange={setBgDestinationPort}
learnMoreHref="https://docs.pangolin.net/manage/resources/public/rdp"
defaultPort={3389}
/>
</SettingsSectionForm>
</SettingsSectionBody>
<form action={formAction} className="flex justify-end mt-4">
<Button
disabled={isSubmitting}
loading={isSubmitting}
type="submit"
>
{t("saveSettings")}
</Button>
</form>
<fieldset
disabled={disabled}
className={disabled ? "opacity-50 pointer-events-none" : ""}
>
<SettingsSectionBody>
<SettingsSectionForm variant="half">
<BrowserGatewayTargetForm
orgId={orgId}
multiSite={true}
selectedSites={selectedSites}
onSitesChange={setSelectedSites}
destination={bgDestination}
destinationPort={bgDestinationPort}
onDestinationChange={setBgDestination}
onDestinationPortChange={setBgDestinationPort}
learnMoreHref="https://docs.pangolin.net/manage/resources/public/rdp"
defaultPort={3389}
/>
</SettingsSectionForm>
</SettingsSectionBody>
<form action={formAction} className="flex justify-end mt-4">
<Button
disabled={isSubmitting}
loading={isSubmitting}
type="submit"
>
{t("saveSettings")}
</Button>
</form>
</fieldset>
</SettingsSection>
);
}

23
src/app/[orgId]/settings/resources/public/[niceId]/ssh/page.tsx
View File

@@ -11,10 +11,13 @@ import {
} from "@app/components/Settings";
import { StrategySelect, StrategyOption } from "@app/components/StrategySelect";
import { BrowserGatewayTargetForm } from "@app/components/BrowserGatewayTargetForm";
import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
import {
SitesSelector,
type Selectedsite
} from "@app/components/site-selector";
import { usePaidStatus } from "@app/hooks/usePaidStatus";
import { tierMatrix, TierFeature } from "@server/lib/billing/tierMatrix";
import { Button } from "@app/components/ui/button";
import { Input } from "@app/components/ui/input";
import {
@@ -68,13 +71,21 @@ export default function SshSettingsPage(props: {
}) {
const params = use(props.params);
const { resource, updateResource } = useResourceContext();
const { isPaidUser } = usePaidStatus();
const disabled = !isPaidUser(
tierMatrix[TierFeature.AdvancedPublicResources]
);
return (
<SettingsContainer>
<PaidFeaturesAlert
tiers={tierMatrix[TierFeature.AdvancedPublicResources]}
/>
<SshServerForm
orgId={params.orgId}
resource={resource}
updateResource={updateResource}
disabled={disabled}
/>
</SettingsContainer>
);
@@ -83,11 +94,13 @@ export default function SshSettingsPage(props: {
function SshServerForm({
orgId,
resource,
updateResource
updateResource,
disabled
}: {
orgId: string;
resource: GetResourceResponse;
updateResource: ResourceContextType["updateResource"];
disabled: boolean;
}) {
const t = useTranslations();
const api = createApiClient(useEnvContext());
@@ -366,6 +379,10 @@ function SshServerForm({
{t("sshServerDescription")}
</SettingsSectionDescription>
</SettingsSectionHeader>
<fieldset
disabled={disabled}
className={disabled ? "opacity-50 pointer-events-none" : ""}
>
<SettingsSectionBody>
<SettingsSectionForm variant="half">
<div className="space-y-3">
@@ -480,7 +497,8 @@ function SshServerForm({
/>
</PopoverContent>
</Popover>
) : standardDaemonLocation !== "site" ? (
) : standardDaemonLocation !== "site" ||
pamMode === "passthrough" ? (
<BrowserGatewayTargetForm
orgId={orgId}
multiSite={true}
@@ -519,6 +537,7 @@ function SshServerForm({
{t("saveSettings")}
</Button>
</form>
</fieldset>
</SettingsSection>
);
}

70
src/app/[orgId]/settings/resources/public/[niceId]/vnc/page.tsx
View File

@@ -10,11 +10,14 @@ import {
SettingsSectionTitle
} from "@app/components/Settings";
import { BrowserGatewayTargetForm } from "@app/components/BrowserGatewayTargetForm";
import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
import { type Selectedsite } from "@app/components/site-selector";
import { Button } from "@app/components/ui/button";
import { toast } from "@app/hooks/useToast";
import { useResourceContext } from "@app/hooks/useResourceContext";
import { useEnvContext } from "@app/hooks/useEnvContext";
import { usePaidStatus } from "@app/hooks/usePaidStatus";
import { tierMatrix, TierFeature } from "@server/lib/billing/tierMatrix";
import { createApiClient } from "@app/lib/api";
import { formatAxiosError } from "@app/lib/api/formatAxiosError";
import { useQuery } from "@tanstack/react-query";
@@ -46,13 +49,21 @@ export default function SshSettingsPage(props: {
}) {
const params = use(props.params);
const { resource, updateResource } = useResourceContext();
const { isPaidUser } = usePaidStatus();
const disabled = !isPaidUser(
tierMatrix[TierFeature.AdvancedPublicResources]
);
return (
<SettingsContainer>
<PaidFeaturesAlert
tiers={tierMatrix[TierFeature.AdvancedPublicResources]}
/>
<SshServerForm
orgId={params.orgId}
resource={resource}
updateResource={updateResource}
disabled={disabled}
/>
</SettingsContainer>
);
@@ -61,11 +72,13 @@ export default function SshSettingsPage(props: {
function SshServerForm({
orgId,
resource,
updateResource
updateResource,
disabled
}: {
orgId: string;
resource: GetResourceResponse;
updateResource: ResourceContextType["updateResource"];
disabled: boolean;
}) {
const t = useTranslations();
const api = createApiClient(useEnvContext());
@@ -218,31 +231,36 @@ function SshServerForm({
{t("vncServerDescription")}
</SettingsSectionDescription>
</SettingsSectionHeader>
<SettingsSectionBody>
<SettingsSectionForm variant="half">
<BrowserGatewayTargetForm
orgId={orgId}
multiSite={true}
selectedSites={selectedSites}
onSitesChange={setSelectedSites}
destination={bgDestination}
destinationPort={bgDestinationPort}
onDestinationChange={setBgDestination}
onDestinationPortChange={setBgDestinationPort}
learnMoreHref="https://docs.pangolin.net/manage/resources/public/vnc"
defaultPort={5900}
/>
</SettingsSectionForm>
</SettingsSectionBody>
<form action={formAction} className="flex justify-end mt-4">
<Button
disabled={isSubmitting}
loading={isSubmitting}
type="submit"
>
{t("saveSettings")}
</Button>
</form>
<fieldset
disabled={disabled}
className={disabled ? "opacity-50 pointer-events-none" : ""}
>
<SettingsSectionBody>
<SettingsSectionForm variant="half">
<BrowserGatewayTargetForm
orgId={orgId}
multiSite={true}
selectedSites={selectedSites}
onSitesChange={setSelectedSites}
destination={bgDestination}
destinationPort={bgDestinationPort}
onDestinationChange={setBgDestination}
onDestinationPortChange={setBgDestinationPort}
learnMoreHref="https://docs.pangolin.net/manage/resources/public/vnc"
defaultPort={5900}
/>
</SettingsSectionForm>
</SettingsSectionBody>
<form action={formAction} className="flex justify-end mt-4">
<Button
disabled={isSubmitting}
loading={isSubmitting}
type="submit"
>
{t("saveSettings")}
</Button>
</form>
</fieldset>
</SettingsSection>
);
}

108
src/app/[orgId]/settings/resources/public/create/page.tsx
View File

@@ -27,7 +27,6 @@ import {
StrategySelect,
type StrategyOption
} from "@app/components/StrategySelect";
import { ResourceTargetAddressItem } from "@app/components/resource-target-address-item";
import { BrowserGatewayTargetForm } from "@app/components/BrowserGatewayTargetForm";
import {
SitesSelector,
@@ -73,7 +72,10 @@ import {
} from "@app/components/ui/tooltip";
import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
import { useEnvContext } from "@app/hooks/useEnvContext";
import { usePaidStatus } from "@app/hooks/usePaidStatus";
import { toast } from "@app/hooks/useToast";
import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
import { tierMatrix, TierFeature } from "@server/lib/billing/tierMatrix";
import { createApiClient, formatAxiosError } from "@app/lib/api";
import { DockerManager, DockerState } from "@app/lib/docker";
import { orgQueries } from "@app/lib/queries";
@@ -227,6 +229,8 @@ export default function Page() {
orgQueries.sites({ orgId: orgId as string })
);
const { isPaidUser } = usePaidStatus();
const [remoteExitNodes, setRemoteExitNodes] = useState<
ListRemoteExitNodesResponse["remoteExitNodes"]
>([]);
@@ -239,6 +243,14 @@ export default function Page() {
// Resource type state
const [resourceType, setResourceType] = useState<NewResourceType>("http");
const isBrowserGatewayType =
resourceType === "ssh" ||
resourceType === "rdp" ||
resourceType === "vnc";
const browserGatewayDisabled =
isBrowserGatewayType &&
!isPaidUser(tierMatrix[TierFeature.AdvancedPublicResources]);
// Target management state (managed by ProxyResourceTargetsForm; mirrored here for onSubmit)
const [targets, setTargets] = useState<LocalTarget[]>([]);
@@ -871,6 +883,14 @@ export default function Page() {
{/* SSH Server Section */}
{resourceType === "ssh" && (
<SettingsSection>
<PaidFeaturesAlert
tiers={
tierMatrix[
TierFeature
.AdvancedPublicResources
]
}
/>
<SettingsSectionHeader>
<SettingsSectionTitle>
{t("sshServer")}
@@ -879,6 +899,14 @@ export default function Page() {
{t("sshServerDescription")}
</SettingsSectionDescription>
</SettingsSectionHeader>
<fieldset
disabled={browserGatewayDisabled}
className={
browserGatewayDisabled
? "opacity-50 pointer-events-none"
: ""
}
>
<SettingsSectionBody>
<SettingsSectionForm variant="half">
{/* Mode */}
@@ -896,26 +924,23 @@ export default function Page() {
/>
</div>
{/* Auth Method (standard only) */}
{!isNative && (
<div className="space-y-3">
<p className="text-sm font-semibold">
{t(
"sshAuthenticationMethod"
)}
</p>
<StrategySelect<
"passthrough" | "push"
>
value={pamMode}
options={
authMethodOptions
}
onChange={setPamMode}
cols={2}
/>
</div>
)}
<div className="space-y-3">
<p className="text-sm font-semibold">
{t(
"sshAuthenticationMethod"
)}
</p>
<StrategySelect<
"passthrough" | "push"
>
value={pamMode}
options={
authMethodOptions
}
onChange={setPamMode}
cols={2}
/>
</div>
{/* Daemon Location (standard + push) */}
{showDaemonLocation && (
@@ -1046,7 +1071,9 @@ export default function Page() {
</PopoverContent>
</Popover>
) : standardDaemonLocation !==
"site" ? (
"site" ||
pamMode ===
"passthrough" ? (
<BrowserGatewayTargetForm
orgId={orgId as string}
multiSite={true}
@@ -1100,12 +1127,21 @@ export default function Page() {
</div>
</SettingsSectionForm>
</SettingsSectionBody>
</fieldset>
</SettingsSection>
)}
{/* RDP Server Section */}
{resourceType === "rdp" && (
<SettingsSection>
<PaidFeaturesAlert
tiers={
tierMatrix[
TierFeature
.AdvancedPublicResources
]
}
/>
<SettingsSectionHeader>
<SettingsSectionTitle>
{t("rdpServer")}
@@ -1114,6 +1150,14 @@ export default function Page() {
{t("rdpServerDescription")}
</SettingsSectionDescription>
</SettingsSectionHeader>
<fieldset
disabled={browserGatewayDisabled}
className={
browserGatewayDisabled
? "opacity-50 pointer-events-none"
: ""
}
>
<SettingsSectionBody>
<SettingsSectionForm variant="half">
<BrowserGatewayTargetForm
@@ -1138,12 +1182,21 @@ export default function Page() {
/>
</SettingsSectionForm>
</SettingsSectionBody>
</fieldset>
</SettingsSection>
)}
{/* VNC Server Section */}
{resourceType === "vnc" && (
<SettingsSection>
<PaidFeaturesAlert
tiers={
tierMatrix[
TierFeature
.AdvancedPublicResources
]
}
/>
<SettingsSectionHeader>
<SettingsSectionTitle>
{t("vncServer")}
@@ -1152,6 +1205,14 @@ export default function Page() {
{t("vncServerDescription")}
</SettingsSectionDescription>
</SettingsSectionHeader>
<fieldset
disabled={browserGatewayDisabled}
className={
browserGatewayDisabled
? "opacity-50 pointer-events-none"
: ""
}
>
<SettingsSectionBody>
<SettingsSectionForm variant="half">
<BrowserGatewayTargetForm
@@ -1176,6 +1237,7 @@ export default function Page() {
/>
</SettingsSectionForm>
</SettingsSectionBody>
</fieldset>
</SettingsSection>
)}
@@ -1227,7 +1289,7 @@ export default function Page() {
}
}}
loading={createLoading}
disabled={!areAllTargetsValid()}
disabled={!areAllTargetsValid() || browserGatewayDisabled}
>
{t("resourceCreate")}
</Button>

8
src/components/CreatePrivateResourceDialog.tsx
View File

@@ -103,6 +103,7 @@ export default function CreatePrivateResourceDialog({
data.alias.trim()
? data.alias
: undefined,
destinationPort: data.destinationPort ?? undefined,
pamMode: data.pamMode ?? undefined,
...(data.authDaemonMode != null && {
authDaemonMode: data.authDaemonMode
@@ -112,13 +113,14 @@ export default function CreatePrivateResourceDialog({
authDaemonPort: data.authDaemonPort
})
}),
...((data.mode === "host" ||
data.mode === "ssh" ||
data.mode === "cidr") && {
...((data.mode === "host" || data.mode === "cidr") && {
tcpPortRangeString: data.tcpPortRangeString,
udpPortRangeString: data.udpPortRangeString,
disableIcmp: data.disableIcmp ?? false
}),
...(data.mode === "ssh" && {
disableIcmp: data.disableIcmp ?? false
}),
roleIds: data.roles
? data.roles.map((r) => parseInt(r.id))
: [],

14
src/components/CreateRoleForm.tsx
View File

@@ -16,10 +16,7 @@ import { useOrgContext } from "@app/hooks/useOrgContext";
import { usePaidStatus } from "@app/hooks/usePaidStatus";
import { toast } from "@app/hooks/useToast";
import { createApiClient, formatAxiosError } from "@app/lib/api";
import type {
CreateRoleBody,
CreateRoleResponse
} from "@server/routers/role";
import type { CreateRoleBody, CreateRoleResponse } from "@server/routers/role";
import { AxiosResponse } from "axios";
import { useTranslations } from "next-intl";
import { useTransition } from "react";
@@ -50,7 +47,7 @@ export default function CreateRoleForm({
requireDeviceApproval: values.requireDeviceApproval,
allowSsh: values.allowSsh
};
if (isPaidUser(tierMatrix.sshPam)) {
if (isPaidUser(tierMatrix.advancedPrivateResources)) {
payload.sshSudoMode = values.sshSudoMode;
payload.sshCreateHomeDir = values.sshCreateHomeDir;
payload.sshSudoCommands =
@@ -69,10 +66,9 @@ export default function CreateRoleForm({
}
}
const res = await api
.put<AxiosResponse<CreateRoleResponse>>(
`/org/${org?.org.orgId}/role`,
payload
)
.put<
AxiosResponse<CreateRoleResponse>
>(`/org/${org?.org.orgId}/role`, payload)
.catch((e) => {
toast({
variant: "destructive",

8
src/components/EditPrivateResourceDialog.tsx
View File

@@ -104,6 +104,7 @@ export default function EditPrivateResourceDialog({
data.alias.trim()
? data.alias
: null,
destinationPort: data.destinationPort ?? null,
pamMode: data.pamMode ?? undefined,
...(data.authDaemonMode != null && {
authDaemonMode: data.authDaemonMode
@@ -112,13 +113,14 @@ export default function EditPrivateResourceDialog({
authDaemonPort: data.authDaemonPort || null
})
}),
...((data.mode === "host" ||
data.mode === "ssh" ||
data.mode === "cidr") && {
...((data.mode === "host" || data.mode === "cidr") && {
tcpPortRangeString: data.tcpPortRangeString,
udpPortRangeString: data.udpPortRangeString,
disableIcmp: data.disableIcmp ?? false
}),
...(data.mode === "ssh" && {
disableIcmp: data.disableIcmp ?? false
}),
roleIds: (data.roles || []).map((r) => parseInt(r.id)),
userIds: (data.users || []).map((u) => u.id),
clientIds: (data.clients || []).map((c) => parseInt(c.id))

14
src/components/EditRoleForm.tsx
View File

@@ -16,10 +16,7 @@ import { usePaidStatus } from "@app/hooks/usePaidStatus";
import { toast } from "@app/hooks/useToast";
import { createApiClient, formatAxiosError } from "@app/lib/api";
import type { Role } from "@server/db";
import type {
UpdateRoleBody,
UpdateRoleResponse
} from "@server/routers/role";
import type { UpdateRoleBody, UpdateRoleResponse } from "@server/routers/role";
import { AxiosResponse } from "axios";
import { useTranslations } from "next-intl";
import { useTransition } from "react";
@@ -53,7 +50,7 @@ export default function EditRoleForm({
payload.name = values.name;
payload.description = values.description || undefined;
}
if (isPaidUser(tierMatrix.sshPam)) {
if (isPaidUser(tierMatrix.advancedPrivateResources)) {
payload.sshSudoMode = values.sshSudoMode;
payload.sshCreateHomeDir = values.sshCreateHomeDir;
payload.sshSudoCommands =
@@ -72,10 +69,9 @@ export default function EditRoleForm({
}
}
const res = await api
.post<AxiosResponse<UpdateRoleResponse>>(
`/role/${role.roleId}`,
payload
)
.post<
AxiosResponse<UpdateRoleResponse>
>(`/role/${role.roleId}`, payload)
.catch((e) => {
toast({
variant: "destructive",

149
src/components/MemberResourcesPortal.tsx
View File

@@ -41,6 +41,7 @@ import {
TooltipTrigger
} from "@/components/ui/tooltip";
import CopyToClipboard from "@app/components/CopyToClipboard";
import { Badge } from "@/components/ui/badge";
// Update Resource type to include site information
type Resource = {
@@ -49,7 +50,7 @@ type Resource = {
domain: string;
enabled: boolean;
protected: boolean;
// mode: string; // "http", "tcp", "udp", "rdp", "vnc", "ssh"
mode: string; // "http", "tcp", "udp", "rdp", "vnc", "ssh"
// Auth method fields
sso?: boolean;
password?: boolean;
@@ -62,6 +63,7 @@ type Resource = {
type SiteResource = {
siteResourceId: number;
name: string;
niceId: string;
destination: string;
mode: string;
ssl: boolean;
@@ -754,7 +756,13 @@ export default function MemberResourcesPortal({
</TooltipProvider>
</div>
<div className="flex-shrink-0">
<div className="flex-shrink-0 flex items-center gap-2">
<Badge
variant="secondary"
className="text-xs"
>
{resource.mode.toUpperCase()}
</Badge>
<ResourceInfo
resource={resource}
/>
@@ -860,7 +868,13 @@ export default function MemberResourcesPortal({
</TooltipProvider>
</div>
<div className="flex-shrink-0">
<div className="flex-shrink-0 flex items-center gap-2">
<Badge
variant="secondary"
className="text-xs"
>
{siteResource.mode.toUpperCase()}
</Badge>
<InfoPopup>
<div className="space-y-2 text-sm">
<div className="text-xs font-medium mb-1.5">
@@ -876,24 +890,24 @@ export default function MemberResourcesPortal({
:
</span>
<span className="ml-2 text-muted-foreground capitalize">
{
siteResource.mode
}
</span>
</div>
<div>
<span className="font-medium">
{t(
"memberPortalDestination"
)}
:
</span>
<span className="ml-2 text-muted-foreground">
{
siteResource.destination
}
{siteResource.mode.toUpperCase()}
</span>
</div>
{siteResource.destination && (
<div>
<span className="font-medium">
{t(
"memberPortalDestination"
)}
:
</span>
<span className="ml-2 text-muted-foreground">
{
siteResource.destination
}
</span>
</div>
)}
{siteResource.alias && (
<div>
<span className="font-medium">
@@ -942,45 +956,35 @@ export default function MemberResourcesPortal({
isLink={true}
/>
) : siteResource.alias ? (
<>
{/* Alias as primary */}
<div className="flex items-center gap-2 mb-1">
<div className="text-base font-semibold text-foreground text-left truncate flex-1">
{
siteResource.alias
}
</div>
<Button
variant="ghost"
size="icon"
className="h-8 w-8 text-muted-foreground"
onClick={() => {
navigator.clipboard.writeText(
siteResource.alias!
);
toast({
title: t(
"memberPortalCopiedToClipboard"
/* Alias as primary */
<div className="flex items-center gap-2">
<div className="text-sm text-muted-foreground font-medium text-left truncate flex-1">
{siteResource.alias}
</div>
<Button
variant="ghost"
size="icon"
className="h-8 w-8 text-muted-foreground"
onClick={() => {
navigator.clipboard.writeText(
siteResource.alias!
);
toast({
title: t(
"memberPortalCopiedToClipboard"
),
description:
t(
"memberPortalCopiedAliasDescription"
),
description:
t(
"memberPortalCopiedAliasDescription"
),
duration: 2000
});
}}
>
<Copy className="h-4 w-4" />
</Button>
</div>
{/* Destination as secondary */}
<div className="text-xs text-muted-foreground truncate">
{
siteResource.destination
}
</div>
</>
) : (
duration: 2000
});
}}
>
<Copy className="h-4 w-4" />
</Button>
</div>
) : siteResource.destination ? (
/* Destination as primary when no alias */
<div className="flex items-center gap-2">
<div className="text-sm text-muted-foreground font-medium text-left truncate flex-1">
@@ -1011,6 +1015,37 @@ export default function MemberResourcesPortal({
<Copy className="h-4 w-4" />
</Button>
</div>
) : (
/* niceId fallback when no alias and no destination */
<div className="flex items-center gap-2">
<div className="text-sm text-muted-foreground font-medium text-left truncate flex-1">
{
siteResource.niceId
}
</div>
<Button
variant="ghost"
size="icon"
className="h-8 w-8 text-muted-foreground"
onClick={() => {
navigator.clipboard.writeText(
siteResource.niceId
);
toast({
title: t(
"memberPortalCopiedToClipboard"
),
description:
t(
"memberPortalCopiedDestinationDescription"
),
duration: 2000
});
}}
>
<Copy className="h-4 w-4" />
</Button>
</div>
)}
</div>
</div>

125
src/components/PrivateResourceForm.tsx
View File

@@ -224,8 +224,10 @@ export function PrivateResourceForm({
const { env } = useEnvContext();
const { isPaidUser } = usePaidStatus();
const disableEnterpriseFeatures = env.flags.disableEnterpriseFeatures;
const sshSectionDisabled = !isPaidUser(tierMatrix.sshPam);
const httpSectionDisabled = !isPaidUser(tierMatrix.httpPrivateResources);
const sshSectionDisabled = !isPaidUser(tierMatrix.advancedPrivateResources);
const httpSectionDisabled = !isPaidUser(
tierMatrix.advancedPrivateResources
);
const nameRequiredKey =
variant === "create"
@@ -365,6 +367,19 @@ export function PrivateResourceForm({
path: ["destination"]
});
}
if (data.mode === "ssh" && !isNativeSsh) {
if (
data.destinationPort == null ||
!Number.isFinite(data.destinationPort) ||
data.destinationPort < 1
) {
ctx.addIssue({
code: z.ZodIssueCode.custom,
message: t("internalResourceHttpPortRequired"),
path: ["destinationPort"]
});
}
}
if (data.mode !== "http") return;
if (!data.scheme) {
ctx.addIssue({
@@ -548,7 +563,7 @@ export function PrivateResourceForm({
mode: "host",
destination: "",
alias: null,
destinationPort: null,
destinationPort: 22,
scheme: "http",
ssl: true,
httpConfigSubdomain: null,
@@ -581,6 +596,7 @@ export function PrivateResourceForm({
const httpConfigDomainId = form.watch("httpConfigDomainId");
const httpConfigFullDomain = form.watch("httpConfigFullDomain");
const isHttpMode = mode === "http";
const isSshMode = mode === "ssh";
const authDaemonMode = form.watch("authDaemonMode") ?? "site";
const pamMode = form.watch("pamMode") ?? "passthrough";
const isNative = sshServerMode === "native";
@@ -726,8 +742,17 @@ export function PrivateResourceForm({
]);
useEffect(() => {
onSubmitDisabledChange?.(isHttpMode && httpSectionDisabled);
}, [isHttpMode, httpSectionDisabled, onSubmitDisabledChange]);
onSubmitDisabledChange?.(
(isHttpMode && httpSectionDisabled) ||
(isSshMode && sshSectionDisabled)
);
}, [
isHttpMode,
httpSectionDisabled,
isSshMode,
sshSectionDisabled,
onSubmitDisabledChange
]);
return (
<Form {...form}>
@@ -735,6 +760,7 @@ export function PrivateResourceForm({
onSubmit={form.handleSubmit((values) => {
const siteIds = values.siteIds;
const trimmedDestination = values.destination?.trim();
const isSshMode = values.mode === "ssh";
onSubmit({
...values,
siteIds,
@@ -742,6 +768,12 @@ export function PrivateResourceForm({
trimmedDestination && trimmedDestination.length > 0
? trimmedDestination
: null,
tcpPortRangeString: isSshMode
? undefined
: values.tcpPortRangeString,
udpPortRangeString: isSshMode
? undefined
: values.udpPortRangeString,
clients: (values.clients ?? []).map((c) => ({
id: c.clientId.toString(),
text: c.name
@@ -826,8 +858,11 @@ export function PrivateResourceForm({
{t("sites")}
</FormLabel>
{mode === "ssh" &&
sshServerMode ===
"native" ? (
(sshServerMode ===
"native" ||
(pamMode === "push" &&
authDaemonMode ===
"site")) ? (
<Popover>
<PopoverTrigger
asChild
@@ -1106,8 +1141,10 @@ export function PrivateResourceForm({
""
}
disabled={
isHttpMode &&
httpSectionDisabled
(isHttpMode &&
httpSectionDisabled) ||
(isSshMode &&
sshSectionDisabled)
}
onChange={(e) =>
field.onChange(
@@ -1146,6 +1183,10 @@ export function PrivateResourceForm({
field.value ??
""
}
disabled={
isSshMode &&
sshSectionDisabled
}
/>
</FormControl>
<FormMessage />
@@ -1179,7 +1220,10 @@ export function PrivateResourceForm({
""
}
disabled={
httpSectionDisabled
(isHttpMode &&
httpSectionDisabled) ||
(isSshMode &&
sshSectionDisabled)
}
onChange={(e) => {
const raw =
@@ -1214,9 +1258,9 @@ export function PrivateResourceForm({
</div>
</div>
{isHttpMode && (
{(isHttpMode || isSshMode) && (
<PaidFeaturesAlert
tiers={tierMatrix.httpPrivateResources}
tiers={tierMatrix.advancedPrivateResources}
/>
)}
@@ -1750,7 +1794,9 @@ export function PrivateResourceForm({
{/* SSH Access tab (ssh mode only) */}
{!disableEnterpriseFeatures && mode === "ssh" && (
<div className="space-y-4 mt-4 p-1">
<PaidFeaturesAlert tiers={tierMatrix.sshPam} />
<PaidFeaturesAlert
tiers={tierMatrix.advancedPrivateResources}
/>
{/* Mode */}
<div className="space-y-3">
@@ -1862,6 +1908,36 @@ export function PrivateResourceForm({
"authDaemonPort",
null
);
} else if (
v === "push"
) {
// push + site (default) = single site
const curAuthMode =
form.getValues(
"authDaemonMode"
);
if (
curAuthMode !==
"remote" &&
selectedSites.length >
1
) {
const first =
selectedSites.slice(
0,
1
);
setSelectedSites(
first
);
form.setValue(
"siteIds",
first.map(
(s) =>
s.siteId
)
);
}
}
}}
cols={2}
@@ -1929,6 +2005,29 @@ export function PrivateResourceForm({
"authDaemonPort",
null
);
// site daemon = single site
if (
selectedSites.length >
1
) {
const first =
selectedSites.slice(
0,
1
);
setSelectedSites(
first
);
form.setValue(
"siteIds",
first.map(
(
s
) =>
s.siteId
)
);
}
}
}}
cols={2}

6
src/components/RoleForm.tsx
View File

@@ -164,7 +164,7 @@ export function RoleForm({
}
}, [variant, role, form]);
const sshDisabled = !isPaidUser(tierMatrix.sshPam);
const sshDisabled = !isPaidUser(tierMatrix.advancedPrivateResources);
const sshSudoMode = form.watch("sshSudoMode");
const isAdminRole = variant === "edit" && role?.isAdmin === true;
@@ -319,7 +319,9 @@ export function RoleForm({
{/* SSH tab - hidden when enterprise features are disabled */}
{!env.flags.disableEnterpriseFeatures && (
<div className="space-y-4 mt-4">
<PaidFeaturesAlert tiers={tierMatrix.sshPam} />
<PaidFeaturesAlert
tiers={tierMatrix.advancedPrivateResources}
/>
<FormField
control={form.control}
name="allowSsh"