Merge branch 'dev' into feat/resource-policies

server/db/pg/index.ts

@@ -1,4 +1,6 @@
 export * from "./driver";
+export * from "./logsDriver";
+export * from "./safeRead";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";
 export * from "./migrate";

server/db/pg/logsDriver.ts

@@ -0,0 +1,87 @@
+import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
+import { Pool } from "pg";
+import { readConfigFile } from "@server/lib/readConfigFile";
+import { withReplicas } from "drizzle-orm/pg-core";
+import { build } from "@server/build";
+import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
+
+function createLogsDb() {
+    // Only use separate logs database in SaaS builds
+    if (build !== "saas") {
+        return mainDb;
+    }
+
+    const config = readConfigFile();
+
+    // Merge configs, prioritizing private config
+    const logsConfig = config.postgres_logs;
+
+    // Check environment variable first
+    let connectionString = process.env.POSTGRES_LOGS_CONNECTION_STRING;
+    let replicaConnections: Array<{ connection_string: string }> = [];
+
+    if (!connectionString && logsConfig) {
+        connectionString = logsConfig.connection_string;
+        replicaConnections = logsConfig.replicas || [];
+    }
+
+    // If POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS is set, use it
+    if (process.env.POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS) {
+        replicaConnections =
+            process.env.POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS.split(",").map(
+                (conn) => ({
+                    connection_string: conn.trim()
+                })
+            );
+    }
+
+    // If no logs database is configured, fall back to main database
+    if (!connectionString) {
+        return mainDb;
+    }
+
+    // Create separate connection pool for logs database
+    const poolConfig = logsConfig?.pool || config.postgres?.pool;
+    const primaryPool = new Pool({
+        connectionString,
+        max: poolConfig?.max_connections || 20,
+        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
+        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
+    });
+
+    const replicas = [];
+
+    if (!replicaConnections.length) {
+        replicas.push(
+            DrizzlePostgres(primaryPool, {
+                logger: process.env.QUERY_LOGGING == "true"
+            })
+        );
+    } else {
+        for (const conn of replicaConnections) {
+            const replicaPool = new Pool({
+                connectionString: conn.connection_string,
+                max: poolConfig?.max_replica_connections || 20,
+                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
+                connectionTimeoutMillis:
+                    poolConfig?.connection_timeout_ms || 5000
+            });
+            replicas.push(
+                DrizzlePostgres(replicaPool, {
+                    logger: process.env.QUERY_LOGGING == "true"
+                })
+            );
+        }
+    }
+
+    return withReplicas(
+        DrizzlePostgres(primaryPool, {
+            logger: process.env.QUERY_LOGGING == "true"
+        }),
+        replicas as any
+    );
+}
+
+export const logsDb = createLogsDb();
+export default logsDb;
+export const primaryLogsDb = logsDb.$primary;

server/db/pg/safeRead.ts

@@ -0,0 +1,24 @@
+import { db, primaryDb } from "./driver";
+
+/**
+ * Runs a read query with replica fallback for Postgres.
+ * Executes the query against the replica first (when replicas exist).
+ * If the query throws or returns no data (null, undefined, or empty array),
+ * runs the same query against the primary.
+ */
+export async function safeRead<T>(
+    query: (d: typeof db | typeof primaryDb) => Promise<T>
+): Promise<T> {
+    try {
+        const result = await query(db);
+        if (result === undefined || result === null) {
+            return query(primaryDb);
+        }
+        if (Array.isArray(result) && result.length === 0) {
+            return query(primaryDb);
+        }
+        return result;
+    } catch {
+        return query(primaryDb);
+    }
+}

server/db/pg/schema/schema.ts

@@ -53,7 +53,11 @@ export const orgs = pgTable("orgs", {
         .default(0),
     settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
         .notNull()
-        .default(0)
+        .default(0),
+    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
+    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
+    isBillingOrg: boolean("isBillingOrg"),
+    billingOrgId: varchar("billingOrgId")
 });
 
 export const orgDomains = pgTable("orgDomains", {
@@ -232,7 +236,11 @@ export const siteResources = pgTable("siteResources", {
     aliasAddress: varchar("aliasAddress"),
     tcpPortRangeString: varchar("tcpPortRangeString").notNull().default("*"),
     udpPortRangeString: varchar("udpPortRangeString").notNull().default("*"),
-    disableIcmp: boolean("disableIcmp").notNull().default(false)
+    disableIcmp: boolean("disableIcmp").notNull().default(false),
+    authDaemonPort: integer("authDaemonPort").default(22123),
+    authDaemonMode: varchar("authDaemonMode", { length: 32 })
+        .$type<"site" | "remote">()
+        .default("site")
 });
 
 export const clientSiteResources = pgTable("clientSiteResources", {
@@ -332,7 +340,8 @@ export const userOrgs = pgTable("userOrgs", {
         .notNull()
         .references(() => roles.roleId),
     isOwner: boolean("isOwner").notNull().default(false),
-    autoProvisioned: boolean("autoProvisioned").default(false)
+    autoProvisioned: boolean("autoProvisioned").default(false),
+    pamUsername: varchar("pamUsername") // cleaned username for ssh and such
 });
 
 export const emailVerificationCodes = pgTable("emailVerificationCodes", {
@@ -371,7 +380,11 @@ export const roles = pgTable("roles", {
     isAdmin: boolean("isAdmin"),
     name: varchar("name").notNull(),
     description: varchar("description"),
-    requireDeviceApproval: boolean("requireDeviceApproval").default(false)
+    requireDeviceApproval: boolean("requireDeviceApproval").default(false),
+    sshSudoMode: varchar("sshSudoMode", { length: 32 }).default("none"), // "none" | "full" | "commands"
+    sshSudoCommands: text("sshSudoCommands").default("[]"),
+    sshCreateHomeDir: boolean("sshCreateHomeDir").default(true),
+    sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 
 export const roleActions = pgTable("roleActions", {
@@ -1081,6 +1094,16 @@ export const deviceWebAuthCodes = pgTable("deviceWebAuthCodes", {
     })
 });
 
+export const roundTripMessageTracker = pgTable("roundTripMessageTracker", {
+    messageId: serial("messageId").primaryKey(),
+    wsClientId: varchar("clientId"),
+    messageType: varchar("messageType"),
+    sentAt: bigint("sentAt", { mode: "number" }).notNull(),
+    receivedAt: bigint("receivedAt", { mode: "number" }),
+    error: text("error"),
+    complete: boolean("complete").notNull().default(false)
+});
+
 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
 export type Site = InferSelectModel<typeof sites>;
@@ -1141,6 +1164,9 @@ export type SecurityKey = InferSelectModel<typeof securityKeys>;
 export type WebauthnChallenge = InferSelectModel<typeof webauthnChallenge>;
 export type DeviceWebAuthCode = InferSelectModel<typeof deviceWebAuthCodes>;
 export type RequestAuditLog = InferSelectModel<typeof requestAuditLog>;
+export type RoundTripMessageTracker = InferSelectModel<
+    typeof roundTripMessageTracker
+>;
 export type ResourcePolicy = InferSelectModel<typeof resourcePolicies>;
 export type RolePolicy = InferSelectModel<typeof rolePolicies>;
 export type UserPolicy = InferSelectModel<typeof userPolicies>;

server/db/sqlite/index.ts

@@ -1,4 +1,6 @@
 export * from "./driver";
+export * from "./logsDriver";
+export * from "./safeRead";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";
 export * from "./migrate";

server/db/sqlite/logsDriver.ts

@@ -0,0 +1,7 @@
+import { db as mainDb } from "./driver";
+
+// SQLite doesn't support separate databases for logs in the same way as Postgres
+// Always use the main database connection for SQLite
+export const logsDb = mainDb;
+export default logsDb;
+export const primaryLogsDb = logsDb;

server/db/sqlite/safeRead.ts

@@ -0,0 +1,11 @@
+import { db } from "./driver";
+
+/**
+ * Runs a read query. For SQLite there is no replica/primary distinction,
+ * so the query is executed once against the database.
+ */
+export async function safeRead<T>(
+    query: (d: typeof db) => Promise<T>
+): Promise<T> {
+    return query(db);
+}

server/db/sqlite/schema/schema.ts

@@ -45,7 +45,11 @@ export const orgs = sqliteTable("orgs", {
         .default(0),
     settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
         .notNull()
-        .default(0)
+        .default(0),
+    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
+    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
+    isBillingOrg: integer("isBillingOrg", { mode: "boolean" }),
+    billingOrgId: text("billingOrgId")
 });
 
 export const userDomains = sqliteTable("userDomains", {
@@ -255,7 +259,11 @@ export const siteResources = sqliteTable("siteResources", {
     udpPortRangeString: text("udpPortRangeString").notNull().default("*"),
     disableIcmp: integer("disableIcmp", { mode: "boolean" })
         .notNull()
-        .default(false)
+        .default(false),
+    authDaemonPort: integer("authDaemonPort").default(22123),
+    authDaemonMode: text("authDaemonMode")
+        .$type<"site" | "remote">()
+        .default("site")
 });
 
 export const clientSiteResources = sqliteTable("clientSiteResources", {
@@ -635,7 +643,8 @@ export const userOrgs = sqliteTable("userOrgs", {
     isOwner: integer("isOwner", { mode: "boolean" }).notNull().default(false),
     autoProvisioned: integer("autoProvisioned", {
         mode: "boolean"
-    }).default(false)
+    }).default(false),
+    pamUsername: text("pamUsername") // cleaned username for ssh and such
 });
 
 export const emailVerificationCodes = sqliteTable("emailVerificationCodes", {
@@ -676,7 +685,13 @@ export const roles = sqliteTable("roles", {
     description: text("description"),
     requireDeviceApproval: integer("requireDeviceApproval", {
         mode: "boolean"
-    }).default(false)
+    }).default(false),
+    sshSudoMode: text("sshSudoMode").default("none"), // "none" | "full" | "commands"
+    sshSudoCommands: text("sshSudoCommands").default("[]"),
+    sshCreateHomeDir: integer("sshCreateHomeDir", { mode: "boolean" }).default(
+        true
+    ),
+    sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 
 export const roleActions = sqliteTable("roleActions", {
@@ -1122,6 +1137,16 @@ export const deviceWebAuthCodes = sqliteTable("deviceWebAuthCodes", {
     })
 });
 
+export const roundTripMessageTracker = sqliteTable("roundTripMessageTracker", {
+    messageId: integer("messageId").primaryKey({ autoIncrement: true }),
+    wsClientId: text("clientId"),
+    messageType: text("messageType"),
+    sentAt: integer("sentAt").notNull(),
+    receivedAt: integer("receivedAt"),
+    error: text("error"),
+    complete: integer("complete", { mode: "boolean" }).notNull().default(false)
+});
+
 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
 export type Site = InferSelectModel<typeof sites>;
@@ -1183,3 +1208,6 @@ export type SecurityKey = InferSelectModel<typeof securityKeys>;
 export type WebauthnChallenge = InferSelectModel<typeof webauthnChallenge>;
 export type RequestAuditLog = InferSelectModel<typeof requestAuditLog>;
 export type DeviceWebAuthCode = InferSelectModel<typeof deviceWebAuthCodes>;
+export type RoundTripMessageTracker = InferSelectModel<
+    typeof roundTripMessageTracker
+>;