calvin.erfmann/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-04-12 22:26:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

Crud working

Browse Source
This commit is contained in:
Owen
2026-04-11 21:09:12 -07:00
parent fc4633db91
commit 5803da4893
13 changed files with 258 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

113
server/lib/blueprints/clientResources.ts
View File

@@ -1,6 +1,8 @@
import {
clients,
clientSiteResources,
domains,
orgDomains,
roles,
roleSiteResources,
SiteResource,
@@ -11,10 +13,83 @@ import {
userSiteResources
} from "@server/db";
import { sites } from "@server/db";
import { eq, and, ne, inArray, or } from "drizzle-orm";
import { eq, and, ne, inArray, or, isNotNull } from "drizzle-orm";
import { Config } from "./types";
import logger from "@server/logger";
import { getNextAvailableAliasAddress } from "../ip";
import { createCertificate } from "#dynamic/routers/certificates/createCertificate";
async function getDomainForSiteResource(
siteResourceId: number | undefined,
fullDomain: string,
orgId: string,
trx: Transaction
): Promise<{ subdomain: string | null; domainId: string }> {
const [fullDomainExists] = await trx
.select({ siteResourceId: siteResources.siteResourceId })
.from(siteResources)
.where(
and(
eq(siteResources.fullDomain, fullDomain),
eq(siteResources.orgId, orgId),
siteResourceId
? ne(siteResources.siteResourceId, siteResourceId)
: isNotNull(siteResources.siteResourceId)
)
)
.limit(1);
if (fullDomainExists) {
throw new Error(
`Site resource already exists with domain: ${fullDomain} in org ${orgId}`
);
}
const possibleDomains = await trx
.select()
.from(domains)
.innerJoin(orgDomains, eq(domains.domainId, orgDomains.domainId))
.where(and(eq(orgDomains.orgId, orgId), eq(domains.verified, true)))
.execute();
if (possibleDomains.length === 0) {
throw new Error(
`Domain not found for full-domain: ${fullDomain} in org ${orgId}`
);
}
const validDomains = possibleDomains.filter((domain) => {
if (domain.domains.type == "ns" || domain.domains.type == "wildcard") {
return (
fullDomain === domain.domains.baseDomain ||
fullDomain.endsWith(`.${domain.domains.baseDomain}`)
);
} else if (domain.domains.type == "cname") {
return fullDomain === domain.domains.baseDomain;
}
});
if (validDomains.length === 0) {
throw new Error(
`Domain not found for full-domain: ${fullDomain} in org ${orgId}`
);
}
const domainSelection = validDomains[0].domains;
const baseDomain = domainSelection.baseDomain;
let subdomain: string | null = null;
if (fullDomain !== baseDomain) {
subdomain = fullDomain.replace(`.${baseDomain}`, "");
}
await createCertificate(domainSelection.domainId, fullDomain, trx);
return {
subdomain,
domainId: domainSelection.domainId
};
}
function siteResourceModeForDb(mode: "host" | "cidr" | "http" | "https"): {
mode: "host" | "cidr" | "http";
@@ -91,6 +166,19 @@ export async function updateClientResources(
if (existingResource) {
const mappedMode = siteResourceModeForDb(resourceData.mode);
let domainInfo:
| { subdomain: string | null; domainId: string }
| undefined;
if (resourceData["full-domain"] && mappedMode.mode === "http") {
domainInfo = await getDomainForSiteResource(
existingResource.siteResourceId,
resourceData["full-domain"],
orgId,
trx
);
}
// Update existing resource
const [updatedResource] = await trx
.update(siteResources)
@@ -107,7 +195,10 @@ export async function updateClientResources(
alias: resourceData.alias || null,
disableIcmp: resourceData["disable-icmp"],
tcpPortRangeString: resourceData["tcp-ports"],
udpPortRangeString: resourceData["udp-ports"]
udpPortRangeString: resourceData["udp-ports"],
fullDomain: resourceData["full-domain"] || null,
subdomain: domainInfo ? domainInfo.subdomain : null,
domainId: domainInfo ? domainInfo.domainId : null
})
.where(
eq(
@@ -118,7 +209,6 @@ export async function updateClientResources(
.returning();
const siteResourceId = existingResource.siteResourceId;
const orgId = existingResource.orgId;
await trx
.delete(clientSiteResources)
@@ -231,6 +321,18 @@ export async function updateClientResources(
aliasAddress = await getNextAvailableAliasAddress(orgId);
}
let domainInfo:
| { subdomain: string | null; domainId: string }
| undefined;
if (resourceData["full-domain"] && mappedMode.mode === "http") {
domainInfo = await getDomainForSiteResource(
undefined,
resourceData["full-domain"],
orgId,
trx
);
}
// Create new resource
const [newResource] = await trx
.insert(siteResources)
@@ -250,7 +352,10 @@ export async function updateClientResources(
aliasAddress: aliasAddress,
disableIcmp: resourceData["disable-icmp"],
tcpPortRangeString: resourceData["tcp-ports"],
udpPortRangeString: resourceData["udp-ports"]
udpPortRangeString: resourceData["udp-ports"],
fullDomain: resourceData["full-domain"] || null,
subdomain: domainInfo ? domainInfo.subdomain : null,
domainId: domainInfo ? domainInfo.domainId : null
})
.returning();

2
server/lib/blueprints/proxyResources.ts
View File

@@ -1100,7 +1100,7 @@ function checkIfTargetChanged(
return false;
}
async function getDomain(
export async function getDomain(
resourceId: number | undefined,
fullDomain: string,
orgId: string,

37
server/lib/blueprints/types.ts
View File

@@ -325,7 +325,7 @@ export function isTargetsOnlyResource(resource: any): boolean {
export const ClientResourceSchema = z
.object({
name: z.string().min(1).max(255),
mode: z.enum(["host", "cidr", "http", "https"]),
mode: z.enum(["host", "cidr", "http"]),
site: z.string(),
// protocol: z.enum(["tcp", "udp"]).optional(),
// proxyPort: z.int().positive().optional(),
@@ -335,6 +335,8 @@ export const ClientResourceSchema = z
"tcp-ports": portRangeStringSchema.optional().default("*"),
"udp-ports": portRangeStringSchema.optional().default("*"),
"disable-icmp": z.boolean().optional().default(false),
"full-domain": z.string().optional(),
ssl: z.boolean().optional(),
alias: z
.string()
.regex(
@@ -477,6 +479,39 @@ export const ConfigSchema = z
});
}
// Enforce the full-domain uniqueness across client-resources in the same stack
const clientFullDomainMap = new Map<string, string[]>();
Object.entries(config["client-resources"]).forEach(
([resourceKey, resource]) => {
const fullDomain = resource["full-domain"];
if (fullDomain) {
if (!clientFullDomainMap.has(fullDomain)) {
clientFullDomainMap.set(fullDomain, []);
}
clientFullDomainMap.get(fullDomain)!.push(resourceKey);
}
}
);
const clientFullDomainDuplicates = Array.from(
clientFullDomainMap.entries()
)
.filter(([_, resourceKeys]) => resourceKeys.length > 1)
.map(
([fullDomain, resourceKeys]) =>
`'${fullDomain}' used by resources: ${resourceKeys.join(", ")}`
)
.join("; ");
if (clientFullDomainDuplicates.length !== 0) {
ctx.addIssue({
code: z.ZodIssueCode.custom,
path: ["client-resources"],
message: `Duplicate 'full-domain' values found: ${clientFullDomainDuplicates}`
});
}
// Enforce proxy-port uniqueness within proxy-resources per protocol
const protocolPortMap = new Map<string, string[]>();

5
server/lib/ip.ts
View File

@@ -478,9 +478,9 @@ export type Alias = { alias: string | null; aliasAddress: string | null };
export function generateAliasConfig(allSiteResources: SiteResource[]): Alias[] {
return allSiteResources
.filter((sr) => sr.alias && sr.aliasAddress && sr.mode == "host")
.filter((sr) => sr.aliasAddress && ((sr.alias && sr.mode == "host") || (sr.fullDomain && sr.mode == "http")))
.map((sr) => ({
alias: sr.alias,
alias: sr.alias || sr.fullDomain,
aliasAddress: sr.aliasAddress
}));
}
@@ -672,7 +672,6 @@ export async function generateSubnetProxyTargetV2(
);
return;
}
const publicProtocol = siteResource.ssl ? "https" : "http";
// also push a match for the alias address
let tlsCert: string | undefined;
let tlsKey: string | undefined;

1
server/routers/olm/handleOlmRegisterMessage.ts
View File

@@ -17,7 +17,6 @@ import { getUserDeviceName } from "@server/db/names";
import { buildSiteConfigurationForOlmClient } from "./buildConfiguration";
import { OlmErrorCodes, sendOlmError } from "./error";
import { handleFingerprintInsertion } from "./fingerprintingUtils";
import { Alias } from "@server/lib/ip";
import { build } from "@server/build";
import { canCompress } from "@server/lib/clientVersionChecks";
import config from "@server/lib/config";

28
server/routers/siteResource/createSiteResource.ts
View File

@@ -66,7 +66,7 @@ const createSiteResourceSchema = z
.strict()
.refine(
(data) => {
if (data.mode === "host" || data.mode == "http") {
if (data.mode === "host") {
if (data.mode == "host") {
// Check if it's a valid IP address using zod (v4 or v6)
const isValidIP = z
@@ -262,7 +262,6 @@ export async function createSiteResource(
let fullDomain: string | null = null;
let finalSubdomain: string | null = null;
let finalAlias = alias ? alias.trim() : null;
if (domainId && subdomain) {
// Validate domain and construct full domain
const domainResult = await validateAndConstructDomain(
@@ -279,18 +278,32 @@ export async function createSiteResource(
fullDomain = domainResult.fullDomain;
finalSubdomain = domainResult.subdomain;
finalAlias = fullDomain; // we will use the full domain as the alias for uniqueness checks and routing
// make sure the full domain is unique
const existingResource = await db
.select()
.from(siteResources)
.where(eq(siteResources.fullDomain, fullDomain));
if (existingResource.length > 0) {
return next(
createHttpError(
HttpCode.CONFLICT,
"Resource with that domain already exists"
)
);
}
}
// make sure the alias is unique within the org if provided
if (finalAlias) {
if (alias) {
const [conflict] = await db
.select()
.from(siteResources)
.where(
and(
eq(siteResources.orgId, orgId),
eq(siteResources.alias, finalAlias.trim())
eq(siteResources.alias, alias.trim())
)
)
.limit(1);
@@ -330,13 +343,14 @@ export async function createSiteResource(
scheme,
destinationPort,
enabled,
alias: finalAlias,
alias: alias ? alias.trim() : null,
aliasAddress,
tcpPortRangeString,
udpPortRangeString,
disableIcmp,
domainId,
subdomain: finalSubdomain
subdomain: finalSubdomain,
fullDomain
};
if (isLicensedSshPam) {
if (authDaemonPort !== undefined)

3
server/routers/siteResource/listAllSiteResourcesByOrg.ts
View File

@@ -101,6 +101,9 @@ function querySiteResourcesBase() {
disableIcmp: siteResources.disableIcmp,
authDaemonMode: siteResources.authDaemonMode,
authDaemonPort: siteResources.authDaemonPort,
subdomain: siteResources.subdomain,
domainId: siteResources.domainId,
fullDomain: siteResources.fullDomain,
siteName: sites.name,
siteNiceId: sites.niceId,
siteAddress: sites.address

33
server/routers/siteResource/updateSiteResource.ts
View File

@@ -81,11 +81,9 @@ const updateSiteResourceSchema = z
.refine(
(data) => {
if (
(data.mode === "host" ||
data.mode == "http") &&
data.mode === "host" &&
data.destination
) {
if (data.mode == "host") {
const isValidIP = z
// .union([z.ipv4(), z.ipv6()])
.union([z.ipv4()]) // for now lets just do ipv4 until we verify ipv6 works everywhere
@@ -94,7 +92,6 @@ const updateSiteResourceSchema = z
if (isValidIP) {
return true;
}
}
// Check if it's a valid domain (hostname pattern, TLD not required)
const domainRegex =
@@ -309,7 +306,6 @@ export async function updateSiteResource(
let fullDomain: string | null = null;
let finalSubdomain: string | null = null;
let finalAlias = alias ? alias.trim() : null;
if (domainId && subdomain) {
// Validate domain and construct full domain
const domainResult = await validateAndConstructDomain(
@@ -326,18 +322,32 @@ export async function updateSiteResource(
fullDomain = domainResult.fullDomain;
finalSubdomain = domainResult.subdomain;
finalAlias = fullDomain; // we will use the full domain as the alias for uniqueness checks and routing
// make sure the full domain is unique
const existingResource = await db
.select()
.from(siteResources)
.where(eq(siteResources.fullDomain, fullDomain));
if (existingResource.length > 0) {
return next(
createHttpError(
HttpCode.CONFLICT,
"Resource with that domain already exists"
)
);
}
}
// make sure the alias is unique within the org if provided
if (finalAlias) {
if (alias) {
const [conflict] = await db
.select()
.from(siteResources)
.where(
and(
eq(siteResources.orgId, existingSiteResource.orgId),
eq(siteResources.alias, finalAlias.trim()),
eq(siteResources.alias, alias.trim()),
ne(siteResources.siteResourceId, siteResourceId) // exclude self
)
)
@@ -405,12 +415,13 @@ export async function updateSiteResource(
destination,
destinationPort,
enabled,
alias: finalAlias,
alias: alias ? alias.trim() : null,
tcpPortRangeString,
udpPortRangeString,
disableIcmp,
domainId,
subdomain: finalSubdomain,
fullDomain,
...sshPamSet
})
.where(
@@ -507,18 +518,20 @@ export async function updateSiteResource(
.set({
name: name,
siteId: siteId,
niceId: niceId,
mode: mode,
scheme,
ssl,
destination: destination,
destinationPort: destinationPort,
enabled: enabled,
alias: finalAlias,
alias: alias ? alias.trim() : null,
tcpPortRangeString: tcpPortRangeString,
udpPortRangeString: udpPortRangeString,
disableIcmp: disableIcmp,
domainId,
subdomain: finalSubdomain,
fullDomain,
...sshPamSet
})
.where(