mirror of
https://github.com/fosrl/pangolin.git
synced 2026-01-28 22:00:51 +00:00
Add name and lock client to specific olm
This commit is contained in:
Owen
@@ -85,6 +85,7 @@ export enum ActionsEnum {
|
|||||||
updateOrgDomain = "updateOrgDomain",
|
updateOrgDomain = "updateOrgDomain",
|
||||||
getDNSRecords = "getDNSRecords",
|
getDNSRecords = "getDNSRecords",
|
||||||
createNewt = "createNewt",
|
createNewt = "createNewt",
|
||||||
|
createOlm = "createOlm",
|
||||||
createIdp = "createIdp",
|
createIdp = "createIdp",
|
||||||
updateIdp = "updateIdp",
|
updateIdp = "updateIdp",
|
||||||
deleteIdp = "deleteIdp",
|
deleteIdp = "deleteIdp",
|
||||||
|
|||||||
@@ -611,6 +611,7 @@ export const clients = pgTable("clients", {
|
|||||||
// optionally tied to a user and in this case delete when the user deletes
|
// optionally tied to a user and in this case delete when the user deletes
|
||||||
onDelete: "cascade"
|
onDelete: "cascade"
|
||||||
}),
|
}),
|
||||||
|
olmId: text("olmId"), // to lock it to a specific olm optionally
|
||||||
name: varchar("name").notNull(),
|
name: varchar("name").notNull(),
|
||||||
pubKey: varchar("pubKey"),
|
pubKey: varchar("pubKey"),
|
||||||
subnet: varchar("subnet").notNull(),
|
subnet: varchar("subnet").notNull(),
|
||||||
@@ -641,6 +642,7 @@ export const olms = pgTable("olms", {
|
|||||||
secretHash: varchar("secretHash").notNull(),
|
secretHash: varchar("secretHash").notNull(),
|
||||||
dateCreated: varchar("dateCreated").notNull(),
|
dateCreated: varchar("dateCreated").notNull(),
|
||||||
version: text("version"),
|
version: text("version"),
|
||||||
|
name: varchar("name"),
|
||||||
clientId: integer("clientId").references(() => clients.clientId, {
|
clientId: integer("clientId").references(() => clients.clientId, {
|
||||||
// we will switch this depending on the current org it wants to connect to
|
// we will switch this depending on the current org it wants to connect to
|
||||||
onDelete: "set null"
|
onDelete: "set null"
|
||||||
|
|||||||
@@ -319,8 +319,10 @@ export const clients = sqliteTable("clients", {
|
|||||||
// optionally tied to a user and in this case delete when the user deletes
|
// optionally tied to a user and in this case delete when the user deletes
|
||||||
onDelete: "cascade"
|
onDelete: "cascade"
|
||||||
}),
|
}),
|
||||||
|
|
||||||
name: text("name").notNull(),
|
name: text("name").notNull(),
|
||||||
pubKey: text("pubKey"),
|
pubKey: text("pubKey"),
|
||||||
|
olmId: text("olmId"), // to lock it to a specific olm optionally
|
||||||
subnet: text("subnet").notNull(),
|
subnet: text("subnet").notNull(),
|
||||||
megabytesIn: integer("bytesIn"),
|
megabytesIn: integer("bytesIn"),
|
||||||
megabytesOut: integer("bytesOut"),
|
megabytesOut: integer("bytesOut"),
|
||||||
@@ -350,6 +352,7 @@ export const olms = sqliteTable("olms", {
|
|||||||
secretHash: text("secretHash").notNull(),
|
secretHash: text("secretHash").notNull(),
|
||||||
dateCreated: text("dateCreated").notNull(),
|
dateCreated: text("dateCreated").notNull(),
|
||||||
version: text("version"),
|
version: text("version"),
|
||||||
|
name: text("name"),
|
||||||
clientId: integer("clientId").references(() => clients.clientId, {
|
clientId: integer("clientId").references(() => clients.clientId, {
|
||||||
// we will switch this depending on the current org it wants to connect to
|
// we will switch this depending on the current org it wants to connect to
|
||||||
onDelete: "set null"
|
onDelete: "set null"
|
||||||
|
|||||||
@@ -201,7 +201,8 @@ export async function createClient(
|
|||||||
orgId,
|
orgId,
|
||||||
name,
|
name,
|
||||||
subnet: updatedSubnet,
|
subnet: updatedSubnet,
|
||||||
type
|
type,
|
||||||
|
olmId // this is to lock it to a specific olm even if the olm moves across clients
|
||||||
})
|
})
|
||||||
.returning();
|
.returning();
|
||||||
|
|
||||||
@@ -228,15 +229,6 @@ export async function createClient(
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
const secretHash = await hashPassword(secret);
|
|
||||||
|
|
||||||
await trx.insert(olms).values({
|
|
||||||
olmId,
|
|
||||||
secretHash,
|
|
||||||
clientId: newClient.clientId,
|
|
||||||
dateCreated: moment().toISOString()
|
|
||||||
});
|
|
||||||
|
|
||||||
return response<CreateClientResponse>(res, {
|
return response<CreateClientResponse>(res, {
|
||||||
data: newClient,
|
data: newClient,
|
||||||
success: true,
|
success: true,
|
||||||
|
|||||||
@@ -16,6 +16,8 @@ import * as idp from "./idp";
|
|||||||
import * as blueprints from "./blueprints";
|
import * as blueprints from "./blueprints";
|
||||||
import * as apiKeys from "./apiKeys";
|
import * as apiKeys from "./apiKeys";
|
||||||
import * as logs from "./auditLogs";
|
import * as logs from "./auditLogs";
|
||||||
|
import * as newt from "./newt";
|
||||||
|
import * as olm from "./olm";
|
||||||
import HttpCode from "@server/types/HttpCode";
|
import HttpCode from "@server/types/HttpCode";
|
||||||
import {
|
import {
|
||||||
verifyAccessTokenAccess,
|
verifyAccessTokenAccess,
|
||||||
@@ -40,8 +42,6 @@ import {
|
|||||||
verifySiteResourceAccess
|
verifySiteResourceAccess
|
||||||
} from "@server/middlewares";
|
} from "@server/middlewares";
|
||||||
import { ActionsEnum } from "@server/auth/actions";
|
import { ActionsEnum } from "@server/auth/actions";
|
||||||
import { createNewt, getNewtToken } from "./newt";
|
|
||||||
import { getOlmToken } from "./olm";
|
|
||||||
import rateLimit, { ipKeyGenerator } from "express-rate-limit";
|
import rateLimit, { ipKeyGenerator } from "express-rate-limit";
|
||||||
import createHttpError from "http-errors";
|
import createHttpError from "http-errors";
|
||||||
import { build } from "@server/build";
|
import { build } from "@server/build";
|
||||||
@@ -726,6 +726,12 @@ authenticated.delete(
|
|||||||
// createNewt
|
// createNewt
|
||||||
// );
|
// );
|
||||||
|
|
||||||
|
authenticated.put(
|
||||||
|
"/olm",
|
||||||
|
verifyUserHasAction(ActionsEnum.createOlm),
|
||||||
|
olm.createOlm
|
||||||
|
);
|
||||||
|
|
||||||
authenticated.put(
|
authenticated.put(
|
||||||
"/idp/oidc",
|
"/idp/oidc",
|
||||||
verifyUserIsServerAdmin,
|
verifyUserIsServerAdmin,
|
||||||
@@ -978,7 +984,7 @@ authRouter.post(
|
|||||||
},
|
},
|
||||||
store: createStore()
|
store: createStore()
|
||||||
}),
|
}),
|
||||||
getNewtToken
|
newt.getNewtToken
|
||||||
);
|
);
|
||||||
authRouter.post(
|
authRouter.post(
|
||||||
"/olm/get-token",
|
"/olm/get-token",
|
||||||
@@ -993,7 +999,7 @@ authRouter.post(
|
|||||||
},
|
},
|
||||||
store: createStore()
|
store: createStore()
|
||||||
}),
|
}),
|
||||||
getOlmToken
|
olm.getOlmToken
|
||||||
);
|
);
|
||||||
|
|
||||||
authRouter.post(
|
authRouter.post(
|
||||||
|
|||||||
@@ -11,6 +11,7 @@ import * as accessToken from "./accessToken";
|
|||||||
import * as apiKeys from "./apiKeys";
|
import * as apiKeys from "./apiKeys";
|
||||||
import * as idp from "./idp";
|
import * as idp from "./idp";
|
||||||
import * as siteResource from "./siteResource";
|
import * as siteResource from "./siteResource";
|
||||||
|
import * as olm from "./olm";
|
||||||
import {
|
import {
|
||||||
verifyApiKey,
|
verifyApiKey,
|
||||||
verifyApiKeyOrgAccess,
|
verifyApiKeyOrgAccess,
|
||||||
@@ -556,6 +557,12 @@ authenticated.delete(
|
|||||||
// newt.createNewt
|
// newt.createNewt
|
||||||
// );
|
// );
|
||||||
|
|
||||||
|
authenticated.put(
|
||||||
|
"/olm",
|
||||||
|
verifyApiKeyHasAction(ActionsEnum.createOlm),
|
||||||
|
olm.createOlm
|
||||||
|
);
|
||||||
|
|
||||||
authenticated.get(
|
authenticated.get(
|
||||||
`/org/:orgId/api-keys`,
|
`/org/:orgId/api-keys`,
|
||||||
verifyApiKeyIsRoot,
|
verifyApiKeyIsRoot,
|
||||||
|
|||||||
@@ -3,41 +3,40 @@ import { db } from "@server/db";
|
|||||||
import { hash } from "@node-rs/argon2";
|
import { hash } from "@node-rs/argon2";
|
||||||
import HttpCode from "@server/types/HttpCode";
|
import HttpCode from "@server/types/HttpCode";
|
||||||
import { z } from "zod";
|
import { z } from "zod";
|
||||||
import { newts } from "@server/db";
|
import { olms } from "@server/db";
|
||||||
import createHttpError from "http-errors";
|
import createHttpError from "http-errors";
|
||||||
import response from "@server/lib/response";
|
import response from "@server/lib/response";
|
||||||
import { SqliteError } from "better-sqlite3";
|
import { SqliteError } from "better-sqlite3";
|
||||||
import moment from "moment";
|
import moment from "moment";
|
||||||
import { generateSessionToken } from "@server/auth/sessions/app";
|
import { generateId, generateSessionToken } from "@server/auth/sessions/app";
|
||||||
import { createNewtSession } from "@server/auth/sessions/newt";
|
import { createOlmSession } from "@server/auth/sessions/olm";
|
||||||
import { fromError } from "zod-validation-error";
|
import { fromError } from "zod-validation-error";
|
||||||
import { hashPassword } from "@server/auth/password";
|
import { hashPassword } from "@server/auth/password";
|
||||||
|
|
||||||
export const createNewtBodySchema = z.object({});
|
export const createOlmBodySchema = z.object({});
|
||||||
|
|
||||||
export type CreateNewtBody = z.infer<typeof createNewtBodySchema>;
|
export type CreateOlmBody = z.infer<typeof createOlmBodySchema>;
|
||||||
|
|
||||||
export type CreateNewtResponse = {
|
export type CreateOlmResponse = {
|
||||||
token: string;
|
// token: string;
|
||||||
newtId: string;
|
olmId: string;
|
||||||
secret: string;
|
secret: string;
|
||||||
};
|
};
|
||||||
|
|
||||||
const createNewtSchema = z
|
const createOlmSchema = z
|
||||||
.object({
|
.object({
|
||||||
newtId: z.string(),
|
userId: z.string().optional(),
|
||||||
secret: z.string()
|
name: z.string().min(1).max(255)
|
||||||
})
|
})
|
||||||
.strict();
|
.strict();
|
||||||
|
|
||||||
export async function createNewt(
|
export async function createOlm(
|
||||||
req: Request,
|
req: Request,
|
||||||
res: Response,
|
res: Response,
|
||||||
next: NextFunction
|
next: NextFunction
|
||||||
): Promise<any> {
|
): Promise<any> {
|
||||||
try {
|
try {
|
||||||
|
const parsedBody = createOlmSchema.safeParse(req.body);
|
||||||
const parsedBody = createNewtSchema.safeParse(req.body);
|
|
||||||
if (!parsedBody.success) {
|
if (!parsedBody.success) {
|
||||||
return next(
|
return next(
|
||||||
createHttpError(
|
createHttpError(
|
||||||
@@ -47,60 +46,55 @@ export async function createNewt(
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
const { newtId, secret } = parsedBody.data;
|
const { userId, name } = parsedBody.data;
|
||||||
|
let userIdFinal = userId;
|
||||||
|
|
||||||
if (req.user && !req.userOrgRoleId) {
|
if (req.user) { // overwrite the user with the one calling because we want to assign the olm to the user creating it
|
||||||
return next(
|
userIdFinal = req.user.userId;
|
||||||
createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
|
} else if (!userIdFinal) {
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
const secretHash = await hashPassword(secret);
|
|
||||||
|
|
||||||
await db.insert(newts).values({
|
|
||||||
newtId: newtId,
|
|
||||||
secretHash,
|
|
||||||
dateCreated: moment().toISOString(),
|
|
||||||
});
|
|
||||||
|
|
||||||
// give the newt their default permissions:
|
|
||||||
// await db.insert(newtActions).values({
|
|
||||||
// newtId: newtId,
|
|
||||||
// actionId: ActionsEnum.createOrg,
|
|
||||||
// orgId: null,
|
|
||||||
// });
|
|
||||||
|
|
||||||
const token = generateSessionToken();
|
|
||||||
await createNewtSession(token, newtId);
|
|
||||||
|
|
||||||
return response<CreateNewtResponse>(res, {
|
|
||||||
data: {
|
|
||||||
newtId,
|
|
||||||
secret,
|
|
||||||
token,
|
|
||||||
},
|
|
||||||
success: true,
|
|
||||||
error: false,
|
|
||||||
message: "Newt created successfully",
|
|
||||||
status: HttpCode.OK,
|
|
||||||
});
|
|
||||||
} catch (e) {
|
|
||||||
if (e instanceof SqliteError && e.code === "SQLITE_CONSTRAINT_UNIQUE") {
|
|
||||||
return next(
|
return next(
|
||||||
createHttpError(
|
createHttpError(
|
||||||
HttpCode.BAD_REQUEST,
|
HttpCode.BAD_REQUEST,
|
||||||
"A newt with that email address already exists"
|
"Either userId must be provided or request must be authenticated"
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
} else {
|
}
|
||||||
|
|
||||||
|
const olmId = generateId(15);
|
||||||
|
const secret = generateId(48);
|
||||||
|
|
||||||
|
const secretHash = await hashPassword(secret);
|
||||||
|
|
||||||
|
await db.insert(olms).values({
|
||||||
|
olmId: olmId,
|
||||||
|
userId: userId,
|
||||||
|
name,
|
||||||
|
secretHash,
|
||||||
|
dateCreated: moment().toISOString()
|
||||||
|
});
|
||||||
|
|
||||||
|
// const token = generateSessionToken();
|
||||||
|
// await createOlmSession(token, olmId);
|
||||||
|
|
||||||
|
return response<CreateOlmResponse>(res, {
|
||||||
|
data: {
|
||||||
|
olmId,
|
||||||
|
secret
|
||||||
|
// token,
|
||||||
|
},
|
||||||
|
success: true,
|
||||||
|
error: false,
|
||||||
|
message: "Olm created successfully",
|
||||||
|
status: HttpCode.OK
|
||||||
|
});
|
||||||
|
} catch (e) {
|
||||||
console.error(e);
|
console.error(e);
|
||||||
|
|
||||||
return next(
|
return next(
|
||||||
createHttpError(
|
createHttpError(
|
||||||
HttpCode.INTERNAL_SERVER_ERROR,
|
HttpCode.INTERNAL_SERVER_ERROR,
|
||||||
"Failed to create newt"
|
"Failed to create olm"
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|||||||
@@ -30,7 +30,7 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
const { publicKey, relay, olmVersion, orgId, deviceName } = message.data;
|
const { publicKey, relay, olmVersion, orgId } = message.data;
|
||||||
let client: Client;
|
let client: Client;
|
||||||
|
|
||||||
if (orgId) {
|
if (orgId) {
|
||||||
@@ -40,7 +40,7 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
|
|||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
client = await getOrCreateOrgClient(orgId, olm.userId, deviceName);
|
client = await getOrCreateOrgClient(orgId, olm.userId, olm.olmId, olm.name || "User Device");
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
logger.error(
|
logger.error(
|
||||||
`Error switching olm client ${olm.olmId} to org ${orgId}: ${err}`
|
`Error switching olm client ${olm.olmId} to org ${orgId}: ${err}`
|
||||||
@@ -293,7 +293,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
|
|||||||
async function getOrCreateOrgClient(
|
async function getOrCreateOrgClient(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
userId: string,
|
userId: string,
|
||||||
deviceName?: string,
|
olmId: string,
|
||||||
|
name: string,
|
||||||
trx: Transaction | typeof db = db
|
trx: Transaction | typeof db = db
|
||||||
): Promise<Client> {
|
): Promise<Client> {
|
||||||
let client: Client;
|
let client: Client;
|
||||||
@@ -328,7 +329,13 @@ async function getOrCreateOrgClient(
|
|||||||
const [existingClient] = await trx
|
const [existingClient] = await trx
|
||||||
.select()
|
.select()
|
||||||
.from(clients)
|
.from(clients)
|
||||||
.where(and(eq(clients.orgId, orgId), eq(clients.userId, userId)))
|
.where(
|
||||||
|
and(
|
||||||
|
eq(clients.orgId, orgId),
|
||||||
|
eq(clients.userId, userId),
|
||||||
|
eq(clients.olmId, olmId)
|
||||||
|
)
|
||||||
|
) // checking the olmid here because we want to create a new client PER OLM PER ORG
|
||||||
.limit(1);
|
.limit(1);
|
||||||
|
|
||||||
if (!existingClient) {
|
if (!existingClient) {
|
||||||
@@ -364,10 +371,11 @@ async function getOrCreateOrgClient(
|
|||||||
.values({
|
.values({
|
||||||
exitNodeId: randomExitNode.exitNodeId,
|
exitNodeId: randomExitNode.exitNodeId,
|
||||||
orgId,
|
orgId,
|
||||||
name: deviceName || "User Device",
|
name,
|
||||||
subnet: updatedSubnet,
|
subnet: updatedSubnet,
|
||||||
type: "olm",
|
type: "olm",
|
||||||
userId: userId
|
userId: userId,
|
||||||
|
olmId: olmId // to lock this client to the olm even as the olm moves between clients in different orgs
|
||||||
})
|
})
|
||||||
.returning();
|
.returning();
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user