Compare commits
1458 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 1f9f1ce610 | |||
| e5398d441e | |||
| d38f9ac2bb | |||
| dc7eb630c3 | |||
| d4138e2141 | |||
| bbcd352817 | |||
| 21d9199978 | |||
| 3e7b9d7bff | |||
| 54acdbe282 | |||
| 11bbd028fc | |||
| 7ae99731f4 | |||
| 17b4fd9a44 | |||
| caa398ae54 | |||
| 035e324e5a | |||
| 272a5737b0 | |||
| be50fd4586 | |||
| 8301511efe | |||
| c527ce6562 | |||
| 80bee900aa | |||
| 54209c2390 | |||
| 3b0ee8d9d4 | |||
| 7a0a877dc0 | |||
| b6ed762724 | |||
| d1d58cf455 | |||
| e22f30c694 | |||
| d71c112959 | |||
| 199e960f6d | |||
| 843b9a0b16 | |||
| b9aedc65fe | |||
| 11f5cfd4f8 | |||
| 2ff2e32e9c | |||
| facb1e4cdf | |||
| 6d129c0738 | |||
| 67a3d226f5 | |||
| 19a3773880 | |||
| 09d5d9082e | |||
| 8eab3b1ee2 | |||
| 30b46ebb6e | |||
| 91d5f89ab9 | |||
| 703050f949 | |||
| 97af17a993 | |||
| 09a8c457ac | |||
| 80317aca83 | |||
| bd10519598 | |||
| 15c7c47b3c | |||
| 0a7e8c3cc2 | |||
| fc2668fca8 | |||
| 8f2c20a2bc | |||
| 462ae7ee8c | |||
| 808abd2038 | |||
| 3de25e51ff | |||
| ef25a9dbe0 | |||
| e21c3afb13 | |||
| cb7962c25d | |||
| f667ee4feb | |||
| 810119e4ee | |||
| d082de3d88 | |||
| 1e7863ce4f | |||
| a942871f3d | |||
| da1205d38e | |||
| 92775a51ca | |||
| ea60aa701e | |||
| b1f7ee02b0 | |||
| affa3bbb6a | |||
| dbb1e7b274 | |||
| b2d1a66279 | |||
| 202466792c | |||
| 4dcf684868 | |||
| 2b8f50af6f | |||
| a8c255ef71 | |||
| d9608bd408 | |||
| be193731c1 | |||
| 0c3edc7560 | |||
| 813a3f07dc | |||
| 417438c209 | |||
| beaa5735ce | |||
| 5cb316f4e9 | |||
| 83de8576bf | |||
| 6b6c9cf4d8 | |||
| e9d424eb80 | |||
| 05617c63c0 | |||
| 8cceed91cf | |||
| 633159fb77 | |||
| 4c8bd4db0a | |||
| d742300e82 | |||
| a521db91a2 | |||
| d4549f1c33 | |||
| 71da22328c | |||
| 0b5b732a48 | |||
| a82bae8f93 | |||
| e59176149b | |||
| 2c3151da9b | |||
| f60b8795ad | |||
| 4054976388 | |||
| 11c30b8b27 | |||
| d4c52bbf2f | |||
| 390c822bb4 | |||
| 2bfc1901a6 | |||
| 5da186b528 | |||
| 600a96c13b | |||
| e4e0da3723 | |||
| 4087d7fb6b | |||
| 9edb86fd73 | |||
| 87f50bf0cc | |||
| 440ebfe08e | |||
| b399d2a291 | |||
| 2c66da1b19 | |||
| 811119a9a6 | |||
| b53f80d317 | |||
| 1b1fba60f1 | |||
| ab19955502 | |||
| 1db9dcec81 | |||
| a89509c8bd | |||
| f0546eb622 | |||
| 12f9ac94fd | |||
| 1717a99cee | |||
| b93d26f09f | |||
| fc54ad49b5 | |||
| f87e136f6b | |||
| 1bf3d2cdd6 | |||
| 5fc5a3ebca | |||
| 49c2d3163e | |||
| e40f325703 | |||
| 8f377a4fb2 | |||
| 45b9e13a13 | |||
| 3699f8f9cb | |||
| 5a2388a1e6 | |||
| 86e6ebc8af | |||
| 005f050a81 | |||
| c82678852e | |||
| 2e3ab10f5e | |||
| 4985ed02d3 | |||
| a2fea7f714 | |||
| ddba2aff21 | |||
| da9e668fb8 | |||
| 9c2d14d8c6 | |||
| c383e74df4 | |||
| 40101f8bb0 | |||
| b20ed9efa9 | |||
| 56266e3b62 | |||
| 47eff8c948 | |||
| 15f36096ef | |||
| 064252586d | |||
| 6181d46a1e | |||
| 9747731668 | |||
| 2a478eef6f | |||
| 4ab101f8a9 | |||
| e35878ee55 | |||
| 807613f28c | |||
| 663244fa3a | |||
| bcc128aeb6 | |||
| ba33cb9895 | |||
| 69e7fedcfc | |||
| 023110b341 | |||
| 7fb95e1726 | |||
| db0a7cc1ce | |||
| 61fc2e5ea7 | |||
| 0871a211ec | |||
| 5a1d5cb66e | |||
| 5a7ca5b542 | |||
| 87e1a509ce | |||
| 75f481bc3d | |||
| 97cdb2eb5a | |||
| 297fd2caf3 | |||
| 22dd4220fe | |||
| 108cb6216c | |||
| e3ef592778 | |||
| 3c37e10638 | |||
| 561f75b6b1 | |||
| e98bcb83ac | |||
| 80284863bb | |||
| bc759c5c9e | |||
| f4854a3a74 | |||
| 376dd465b3 | |||
| 296439fd67 | |||
| 31f675f38c | |||
| 9f68be2a9b | |||
| fed4ec42c4 | |||
| f0efa4203b | |||
| cfbbdedaf5 | |||
| 686789ee4c | |||
| 3fda190ff6 | |||
| 0033f40f4d | |||
| af95052706 | |||
| 9bb2d6cdc8 | |||
| 29563a13a4 | |||
| b41c1f5b27 | |||
| e5652cdb8a | |||
| 7c2ea153c5 | |||
| ccabddc225 | |||
| 42d98fa83b | |||
| 2f2b7f43c1 | |||
| 528bbeca26 | |||
| d60c15b0ae | |||
| ff89a64453 | |||
| 4718c489d3 | |||
| d5d99a4804 | |||
| 8d29602929 | |||
| 9c18936be7 | |||
| cf07cceb5d | |||
| faee9e6330 | |||
| 31725eb3cc | |||
| 04d4e298e8 | |||
| c9cc9581b1 | |||
| 6c2a8bf6de | |||
| 697be01411 | |||
| eac7c67dcc | |||
| 633d9031af | |||
| 05dc558c4a | |||
| 1bd6f240cc | |||
| 7506c0420d | |||
| 5572822c4a | |||
| ea3f1c341b | |||
| 35dffe71cb | |||
| 5428bf4ed0 | |||
| 9a89579e08 | |||
| 784588cebc | |||
| 2e628fe0e4 | |||
| 7590e8d8a1 | |||
| 053ff1e799 | |||
| 278375f7be | |||
| c5ffca499e | |||
| 65c383520b | |||
| 9ae54f445d | |||
| 8183d19400 | |||
| 7425daad3f | |||
| 39d61a35eb | |||
| f3fe11c136 | |||
| 66b1b385a3 | |||
| 822a07d48e | |||
| 3c13b1ea15 | |||
| fee635b861 | |||
| 7e4dea918a | |||
| 56187d61d5 | |||
| 36460d4cc0 | |||
| 88a9b92dc3 | |||
| dd26518d6f | |||
| 60339706bb | |||
| 4b1b3d3d5b | |||
| cf21bacd9c | |||
| e54bd25516 | |||
| 80d257b94b | |||
| e0d0c5dcbf | |||
| 0f02d1bc02 | |||
| f8591f27c5 | |||
| 877985deb3 | |||
| be3877a3ce | |||
| 79de64dc07 | |||
| d0defa380a | |||
| 4eba51de72 | |||
| a48032adb3 | |||
| 6fe4eee336 | |||
| 242123b875 | |||
| 2b38658ea6 | |||
| b18a41e4aa | |||
| d303fa05cb | |||
| 75b87ffba7 | |||
| 62fc2edae9 | |||
| 80b66cf9b9 | |||
| 034bcbd271 | |||
| bc63747efe | |||
| bb7729df00 | |||
| 2a8ceeec1b | |||
| 91ef0d0153 | |||
| e104489257 | |||
| b8101402cd | |||
| 7731849a2f | |||
| c11d24e10a | |||
| a9b7cce49b | |||
| d78223b94f | |||
| 963e9da7dd | |||
| 2cbc88fa05 | |||
| 65bad456cb | |||
| f48a4f7bc0 | |||
| ce3c2f7583 | |||
| 51c357e6c7 | |||
| 7ae29612d4 | |||
| da794adb7d | |||
| 8004ae6870 | |||
| 1bff7bbc2f | |||
| 50db5695fc | |||
| babd90ae71 | |||
| f7050ef989 | |||
| b2778a2c49 | |||
| 096940a152 | |||
| 73eb07de71 | |||
| 74ef844e27 | |||
| c58968536d | |||
| 228efacfe0 | |||
| 1262030abb | |||
| b07fe6d18b | |||
| 63c3ee623b | |||
| 18ec6c8d92 | |||
| d8acccbde4 | |||
| 37eaf34e4d | |||
| cfb63f9742 | |||
| c76b4555e1 | |||
| c25bfbad27 | |||
| 44782f8963 | |||
| e6f7cd6da9 | |||
| 19faa3a29c | |||
| c284dc2e83 | |||
| 1b634955d8 | |||
| be888c3fc1 | |||
| 3f2bb42221 | |||
| 5dc3ae4c7f | |||
| ffb6c64de0 | |||
| 2cbc6fb128 | |||
| 75084028d7 | |||
| f44a7c55dd | |||
| 72fa1d6a14 | |||
| c3820a4e70 | |||
| 6b56c00782 | |||
| 8f0e17774f | |||
| 60c1b572ba | |||
| 604dee9aa5 | |||
| ee42846c90 | |||
| 22ac711dc6 | |||
| d09668b20b | |||
| 16abe98fd9 | |||
| d240201361 | |||
| b7081aff11 | |||
| a55fb21e53 | |||
| e5e7b79712 | |||
| de48a0529e | |||
| 3f37408dae | |||
| a2882857ff | |||
| 476d92b3ac | |||
| bf604f25e9 | |||
| 34a0d2a68b | |||
| 62c7e0a13e | |||
| 753358a17d | |||
| c859393418 | |||
| d747b45f0b | |||
| a24091257a | |||
| 1c60041390 | |||
| 2ab5540085 | |||
| 95c3f74a33 | |||
| 4e7328a1cc | |||
| 6380079239 | |||
| b6aba13d3a | |||
| c0a9db92ef | |||
| 16c0f4eef4 | |||
| a08c6d70fe | |||
| a6568692b7 | |||
| a1196d3da6 | |||
| 70bc4c0b30 | |||
| a0fef89031 | |||
| ea1badf4e0 | |||
| f15654ed11 | |||
| 4435a669a6 | |||
| 0b41fe3d49 | |||
| 90eceb457a | |||
| f39cbc9bf4 | |||
| 50da863bb7 | |||
| c6ddd5c402 | |||
| 0fb5ace9c7 | |||
| cedccd8cdb | |||
| 3bc5ab2136 | |||
| ce77268c82 | |||
| abc0a41d9e | |||
| b9db0a4490 | |||
| 39f40e5160 | |||
| a68b57067c | |||
| 3fd5c98def | |||
| 5a8a48f9bf | |||
| 471ae98204 | |||
| d985bfd3a6 | |||
| aab51a999c | |||
| ae4f5aa58d | |||
| 70d5f55437 | |||
| 08df4b93aa | |||
| 61f0bc95c7 | |||
| 5b0f79a8bc | |||
| 86ff272095 | |||
| ef0575cc36 | |||
| 30a6889ba8 | |||
| ce43e717d5 | |||
| 1f0361e687 | |||
| 07ae57ea72 | |||
| fc982232d6 | |||
| afaf5f976e | |||
| a8ca28acb2 | |||
| b136bd2246 | |||
| d9952b0762 | |||
| 935593885a | |||
| 3fcfd3304f | |||
| 6e271028f3 | |||
| 820f66e58f | |||
| b0fdc10e06 | |||
| b82b41ed26 | |||
| 444d293a29 | |||
| 3e977ba00d | |||
| a724b07846 | |||
| 5f0bc71bcd | |||
| aea7827c1a | |||
| 7a275c86c2 | |||
| 4b703b5c11 | |||
| d865c4c55b | |||
| 5baf0c3c09 | |||
| 1b6e9e8cfe | |||
| cfe33eb974 | |||
| 71273e1b1c | |||
| 02f6e2a8c3 | |||
| 3cc244a1d3 | |||
| 1d9c4dd9e2 | |||
| b9dd0c8e43 | |||
| cd052976eb | |||
| cc498f0e33 | |||
| 1a942937e6 | |||
| d81d1a6b7f | |||
| f64d04e827 | |||
| 540aee3fe2 | |||
| 10542d7282 | |||
| b1d52ad1a3 | |||
| ce2fbef805 | |||
| e312b31e02 | |||
| bc156c715d | |||
| 9a4c1f23c6 | |||
| fe55956079 | |||
| 4cd0b9a0bb | |||
| ab4d567af9 | |||
| 6921447fab | |||
| d47449b082 | |||
| 665806dfe8 | |||
| e248571268 | |||
| fcf03854ff | |||
| dd1fba4e45 | |||
| a1ab8d8f35 | |||
| c789e967db | |||
| d870b9ff49 | |||
| 9c09019ddb | |||
| 9d88683fc5 | |||
| dd2c9f2a02 | |||
| bdb38db5bc | |||
| 96a54fc9cc | |||
| 3a485f74f1 | |||
| 92b0340324 | |||
| 9257ac01c7 | |||
| 4d1d0d9fcb | |||
| f186e7e99e | |||
| 1aa6e3511f | |||
| fb6f5b3953 | |||
| c85a7f6ac5 | |||
| dd54be523f | |||
| d57f064d4c | |||
| 34799b7de2 | |||
| 20a66bba6f | |||
| cdb43d9658 | |||
| 6581ccafa3 | |||
| a3a45b4239 | |||
| d6634b6e8a | |||
| 1089cfbacc | |||
| 1907a3c93b | |||
| 38203e522b | |||
| 407ba567a0 | |||
| f28571629f | |||
| 5a575c916b | |||
| 9a7e534b10 | |||
| 42974d1739 | |||
| 780e8babe4 | |||
| 2c7b8006cf | |||
| 35066c1388 | |||
| 135a5d38af | |||
| 1b7c1ffa70 | |||
| 641f643d2d | |||
| b4ecfceb5e | |||
| 08a84d4bb1 | |||
| 4dbad7ab24 | |||
| 859c0c9477 | |||
| d294bf8534 | |||
| 3c8fea382f | |||
| b81bfcfcee | |||
| 56c415ca05 | |||
| 74fdcceace | |||
| 7dec8ba998 | |||
| c9dc6affe7 | |||
| 8fe45ba78c | |||
| 934886caea | |||
| fae258b145 | |||
| 9f224f655f | |||
| aea7df7dc2 | |||
| 3b675f7de1 | |||
| 8daf7c2872 | |||
| c394490473 | |||
| 92d611df9a | |||
| 3b6b78b3e1 | |||
| aa47f522ef | |||
| 8658198a93 | |||
| 4b770d1385 | |||
| cd4d7372a0 | |||
| dc8243cb51 | |||
| 7b1f8d98f3 | |||
| dd8bcbb3e3 | |||
| d1af7a153f | |||
| 13efa47db7 | |||
| 69bd61c308 | |||
| 7b7ff51289 | |||
| 772ac8af73 | |||
| 8ee520dbb5 | |||
| 8e5d9e94a9 | |||
| c9cb28af45 | |||
| a994f8ff07 | |||
| ea8eaf9736 | |||
| b78db3daef | |||
| 7cf3f8df92 | |||
| f2b5cff3f9 | |||
| 6de9ab8f05 | |||
| ad0e800d8d | |||
| 13b691fd7d | |||
| 65470fb64b | |||
| f23142336b | |||
| 2da4987cd3 | |||
| 253ba554a2 | |||
| 95ce91d94b | |||
| a4548fd874 | |||
| eb03fb7060 | |||
| add9b8dfb0 | |||
| 2adb7b64cb | |||
| 84fef5f1d6 | |||
| def1e9c851 | |||
| 67b08ca61e | |||
| 614df75880 | |||
| 676cf37ee2 | |||
| 6b96e3dce6 | |||
| b67037e2ea | |||
| 5a5b77cf62 | |||
| d2793dfad7 | |||
| ff507f1275 | |||
| 6b04bcb383 | |||
| b2f1115ef8 | |||
| 567ef23ac4 | |||
| 6affebc666 | |||
| 889f78ddb8 | |||
| 9d3f96cf83 | |||
| e5d0673bbf | |||
| 0907c0346f | |||
| 6420a90d08 | |||
| 7fa1180d10 | |||
| 769d36e289 | |||
| a7a41b820e | |||
| 33fdc9a94f | |||
| 8b50f1fb65 | |||
| 2d78a4b628 | |||
| c86026c941 | |||
| db014e3446 | |||
| feb8045643 | |||
| d485a09318 | |||
| 9cff5f66b1 | |||
| 527d4cc777 | |||
| 01361884eb | |||
| 6c4cbcab5d | |||
| aac25f0a53 | |||
| 89f3f3c8cd | |||
| 4a3c201741 | |||
| f5ab837cce | |||
| 00ec7a5c66 | |||
| 03df4d03ed | |||
| 8488edd707 | |||
| 920dbba2a3 | |||
| 71e065a8bc | |||
| e125c762b2 | |||
| 4f01f7c072 | |||
| 9a5ee9d489 | |||
| 665da931f1 | |||
| 7595cf7ac7 | |||
| aa6232d0fc | |||
| beaf5dc843 | |||
| 7158855052 | |||
| 765b2d795f | |||
| 66f00fcf94 | |||
| e408e735be | |||
| e826d0dea6 | |||
| bc6fd0b399 | |||
| d00b737412 | |||
| 1f43713986 | |||
| cc5bec1d83 | |||
| 40125c717c | |||
| 2b402f8fec | |||
| 8e9071a336 | |||
| 18bcf40174 | |||
| 42e9b913f1 | |||
| fcb73f78ea | |||
| a21569bd00 | |||
| 565727ad36 | |||
| 00dce19997 | |||
| 29717e19db | |||
| 97aeee541a | |||
| 44c16d69af | |||
| b70a2bee58 | |||
| f2f56dc6c2 | |||
| 128db20755 | |||
| 12cbd40596 | |||
| ffd0d17b58 | |||
| 33fad57bf7 | |||
| 8bcc130947 | |||
| 19feaf4bf2 | |||
| 88ea4391e0 | |||
| fba37b7ad0 | |||
| 6c1798a8c5 | |||
| b6d688f15e | |||
| 8a57d8dd9c | |||
| 8e0e32c2be | |||
| 6b3a0a2113 | |||
| 4d6ed7eec5 | |||
| 1625dd1add | |||
| 605dd2f3c9 | |||
| 51bb149fd5 | |||
| 2ae4c29418 | |||
| ba71016f87 | |||
| 85c2bd807e | |||
| 517e1d15c8 | |||
| 3d6d5f176a | |||
| 5dd19edb56 | |||
| c6a52ffc75 | |||
| 09b2671759 | |||
| d11a244caa | |||
| 35d16ac683 | |||
| bf79768e05 | |||
| 08a2923cfc | |||
| b99e9a6468 | |||
| cb2ee9c489 | |||
| c1d933259a | |||
| 3cf6abdf27 | |||
| 0f2132e565 | |||
| 5cc88dc73f | |||
| ebe1c7a297 | |||
| 0943cf5d4c | |||
| 3b82ac568f | |||
| b695f34dc8 | |||
| 6df4bba3b6 | |||
| 9f83c0a0e8 | |||
| f617f93a94 | |||
| 51629247a5 | |||
| 0ab1854125 | |||
| b071fa2c9f | |||
| 8e2a79a0f5 | |||
| 71756812b6 | |||
| 76cd716caa | |||
| b0d1291cff | |||
| 9617eb2bd7 | |||
| c1ef5b4fbe | |||
| 8e14bdec95 | |||
| b26dfaf57f | |||
| 1a1c19b24e | |||
| 9d214b18af | |||
| e67b50b356 | |||
| 616caf76cb | |||
| 9a1db4948b | |||
| 1215aa8122 | |||
| d318a756a8 | |||
| b3c1e49c0c | |||
| dc12b00502 | |||
| 5b814e37c4 | |||
| 8483616b04 | |||
| ffe198839a | |||
| db5d1d4a16 | |||
| ad7dcddf24 | |||
| 94408aad21 | |||
| b84a7996a9 | |||
| a9b0bd8b47 | |||
| a32acf7c69 | |||
| 1e27acbf88 | |||
| 4012cc658d | |||
| 84d7a87609 | |||
| 9a92be532a | |||
| 18ac542e30 | |||
| 322475fb5c | |||
| 2f124bffc4 | |||
| 86367383e7 | |||
| d22ba3566d | |||
| c74b423bae | |||
| f8a757c55f | |||
| 6aea3f1643 | |||
| 073dc34522 | |||
| 3f5970a1f9 | |||
| e2f2608358 | |||
| 6d17bb04c4 | |||
| 957e7ba127 | |||
| def710cba8 | |||
| 44da854575 | |||
| d3d2474855 | |||
| d7d37c6f6e | |||
| 3c80b9a229 | |||
| a998a35482 | |||
| 20e0e5ebd0 | |||
| 4d831effe1 | |||
| 80f4dd0e60 | |||
| eafa3076d8 | |||
| fef3cd8354 | |||
| 36ada0705e | |||
| 8ae3c06df7 | |||
| ba127a8536 | |||
| 5c024f3a3a | |||
| 4fdb8583f6 | |||
| 2946df3b8e | |||
| c3b0c4e5e9 | |||
| a79d0f1677 | |||
| bfd7a7f561 | |||
| a5332bb0cc | |||
| b3963cc34b | |||
| ddb132f9fa | |||
| 64c901d91f | |||
| cd9e56fdb7 | |||
| 1b6b112e92 | |||
| 0ff0e83c9f | |||
| 6d491b7bb9 | |||
| cdc50ed47a | |||
| 06cc13c637 | |||
| 464d4990df | |||
| e2441ce284 | |||
| 0b6a3234a5 | |||
| ae8599c723 | |||
| 938e9b0d49 | |||
| 05e4ad3200 | |||
| cb90672573 | |||
| 9eb55ba68c | |||
| e19b6ebc82 | |||
| 5a6de12f74 | |||
| 6e6c91a27c | |||
| cf12ab1ac3 | |||
| aa7004b2ff | |||
| eca87b66f0 | |||
| cc8c89eeae | |||
| 6d14a4df49 | |||
| 6ea4aa1920 | |||
| f12451b8f9 | |||
| 0d4bb65a92 | |||
| d47ad9ac40 | |||
| 94949aa3fd | |||
| df098f55ba | |||
| f81ae24ba7 | |||
| facbb8f0a4 | |||
| 36fbd8818c | |||
| df1e28aabd | |||
| 91883397e6 | |||
| fd1813f3a7 | |||
| ddabfb5ca1 | |||
| ec0666a612 | |||
| bbf42c5802 | |||
| 6aa1d3b094 | |||
| 0d820df797 | |||
| f1ec1a2fb1 | |||
| 32fcf90467 | |||
| 5a53f88fd6 | |||
| 51971c7ef2 | |||
| 491096109a | |||
| 802a41b1bd | |||
| f59fbabede | |||
| 5a7d54058e | |||
| 5ef4490692 | |||
| 817e848d08 | |||
| 166c8326c5 | |||
| 673f1e93f4 | |||
| 4c1e1daf07 | |||
| 7c54df7ed1 | |||
| 9d77fcc457 | |||
| 454449ec8a | |||
| fe67e8e384 | |||
| 715b957660 | |||
| f1e4bf8d36 | |||
| 76aea311a4 | |||
| 3539b9ddb4 | |||
| 1a3cf2094b | |||
| 4530aac4f3 | |||
| 09cb20a084 | |||
| 6d4afd0953 | |||
| d1fb2e19d3 | |||
| dee0ca6864 | |||
| 2934bbdd20 | |||
| 2b46e8eaba | |||
| ed73d089d0 | |||
| 3b89104a59 | |||
| 5bf8b336c5 | |||
| 21a144753d | |||
| c1b8dfc863 | |||
| 5efcd4479a | |||
| e4e8b33e9f | |||
| 35ad235f49 | |||
| 834672c846 | |||
| af13790c93 | |||
| b8180d848a | |||
| fef7563e14 | |||
| 6337cf4359 | |||
| 87bcd8ec1b | |||
| b3cfe82dff | |||
| d65128671c | |||
| 41fdd5de74 | |||
| 2704202ba9 | |||
| 72ef0ae020 | |||
| 1442faa740 | |||
| 6aa589e612 | |||
| 4b1a8e14c4 | |||
| 1a0db10b1a | |||
| b7634086db | |||
| 73e9e830c3 | |||
| a6469e67a8 | |||
| 23ca3efbf4 | |||
| 0f9100fd3a | |||
| c47c411161 | |||
| e88e262abe | |||
| 832d45e32b | |||
| 69e3ac3cd4 | |||
| 50865f4265 | |||
| 0d1a8d9695 | |||
| 5d8486dd7f | |||
| 3c25932787 | |||
| 1d0e1eb126 | |||
| 57c0dc8618 | |||
| 526a147570 | |||
| 0938997548 | |||
| 0876b482f8 | |||
| d558c31f88 | |||
| 6010515da0 | |||
| 868bcd8e34 | |||
| 20c4904965 | |||
| 5a5536b38c | |||
| 53e2296de8 | |||
| d2423919e9 | |||
| 2250fcd177 | |||
| 2a33256d17 | |||
| 117aa750f8 | |||
| 15f161274f | |||
| 09779aca3e | |||
| 1d1f7cecf4 | |||
| dc00668cbe | |||
| 57701e13eb | |||
| 46545cb003 | |||
| a163cc3678 | |||
| 1dfb3408e8 | |||
| 67fb2beba1 | |||
| 6cacc9b83f | |||
| 1f1791feb7 | |||
| 1ba75092f9 | |||
| 08a08e73b3 | |||
| c500979099 | |||
| 2d9c082607 | |||
| 7968c4357b | |||
| 25c08e7279 | |||
| 81ed391efb | |||
| f3bee70c23 | |||
| 15a9eb28d9 | |||
| a0a093ed0b | |||
| 9cec711427 | |||
| 82745c701a | |||
| 68e775659b | |||
| 1c5e3000b6 | |||
| 3b93fd99a1 | |||
| e4fd2b656d | |||
| 159e91a07c | |||
| 530b5082bd | |||
| 3322f1ccb4 | |||
| 1b17fba19f | |||
| 987b5d580e | |||
| cb75ffc3b7 | |||
| 540f0a754d | |||
| 0f9a6fd968 | |||
| 82112abc34 | |||
| 75b5afd544 | |||
| 00e1675f7b | |||
| 2ddbdf977b | |||
| 4c8f0cc9ec | |||
| 18d380ce30 | |||
| e822b681cd | |||
| dd1f7ba544 | |||
| 8c2e6965f1 | |||
| b414f04cce | |||
| 9c71922dda | |||
| 6e4a28f227 | |||
| 64d8f035a2 | |||
| 0a5780a3b3 | |||
| d58b96f4b1 | |||
| f778f5c941 | |||
| 6422208f69 | |||
| c3ebc423b5 | |||
| 68d7b0a416 | |||
| 43546c84eb | |||
| eac36ee442 | |||
| 92f992728f | |||
| 78ad2d17c7 | |||
| 9a88394efe | |||
| 173562654b | |||
| b29bb7384d | |||
| 5a8de8210b | |||
| d5181454f4 | |||
| 0e0666cacf | |||
| e1583a58aa | |||
| 02ba2393b9 | |||
| 8f7e5ab1ed | |||
| 4334480675 | |||
| 6aa406927a | |||
| 5b50024712 | |||
| 7d922ac95f | |||
| 795a3d351e | |||
| 4b4c86b4b7 | |||
| 013af49137 | |||
| a6ae9290f2 | |||
| de70d72e0d | |||
| daf260cf61 | |||
| 92a06e0ea3 | |||
| c16d2ff2ed | |||
| 73a4d7d351 | |||
| 4e07e9c52c | |||
| 743621eb25 | |||
| e9df995e76 | |||
| 943923ff4b | |||
| 3f17f1a468 | |||
| 436996a43d | |||
| d42b6076d2 | |||
| 89cc99f915 | |||
| 1860b4b862 | |||
| efb1d69ac9 | |||
| 0601b55f22 | |||
| 107986d848 | |||
| b6c8fbe43b | |||
| 4208a9f372 | |||
| 3c82a228fb | |||
| a4aa29e48a | |||
| 0f82ba6627 | |||
| 1df5d9fac8 | |||
| 5189583d73 | |||
| b794d2aa40 | |||
| c69059b227 | |||
| b27b62d4c8 | |||
| ee8290d68c | |||
| 82e8e79b16 | |||
| 2d428d2fa0 | |||
| 0005c11a0a | |||
| 559cbeb7d5 | |||
| f91d914ec6 | |||
| e975f56445 | |||
| ce746a2a21 | |||
| 7120ab4b22 | |||
| 12e777b32e | |||
| 9378103ddd | |||
| ec794d5de2 | |||
| 12b18a3e8c | |||
| 91e8a13e59 | |||
| 931ba0f540 | |||
| b6caeda0a5 | |||
| 77d17af15b | |||
| 264c6bf4e8 | |||
| d321d7275c | |||
| 4aa72eb1a3 | |||
| a066a68e1a | |||
| 3855486a00 | |||
| ab494521b1 | |||
| 549e1ead1d | |||
| a0759a79a1 | |||
| 14e1a119d3 | |||
| 6e066d38b0 | |||
| 21f72639b6 | |||
| 8a0c2031d4 | |||
| 56d3a466e5 | |||
| 563e505cc1 | |||
| c44c02b8ba | |||
| b9ab35a05b | |||
| 9fb677e952 | |||
| e253195fdd | |||
| 88d8414eb8 | |||
| 5f3fafb1b0 | |||
| de1338a8cd | |||
| 0800aa2a61 | |||
| 4959d66ac1 | |||
| 9320df8be6 | |||
| 13ec6b6620 | |||
| 2ca3ef019c | |||
| 724e41a54f | |||
| ce5e62d216 | |||
| 874dc2b33e | |||
| 3b2622d590 | |||
| c81d855741 | |||
| 3bce8d3596 | |||
| ee2a1e2bc3 | |||
| a0f3ee74f9 | |||
| 82a36fd632 | |||
| c5084137ab | |||
| 65ec8da100 | |||
| e76e7581a5 | |||
| a97a4b6ec1 | |||
| e38bbde348 | |||
| 026260ddfb | |||
| 97be5eb7d5 | |||
| d7b96ba3f5 | |||
| b42672530f | |||
| b6b2dbd8ab | |||
| 975f3a01f5 | |||
| 4de2dfff85 | |||
| 27d230647f | |||
| 114486608e | |||
| 10fa9274d0 | |||
| 2fd519e102 | |||
| a63c1ec364 | |||
| e61ef2ca2a | |||
| 39b09b7f3f | |||
| 840cc214e3 | |||
| cbdc74768f | |||
| 10f95896aa | |||
| 5b8994d143 | |||
| c46ef2fe9c | |||
| 72524db52d | |||
| ab8fc11ab3 | |||
| 4cd025dd91 | |||
| ce04ea9720 | |||
| a3ce382725 | |||
| 4eb49e3e60 | |||
| 1831ca4e75 | |||
| 2a9481023a | |||
| 8ed01372b8 | |||
| 0611ceb5c3 | |||
| 6a7d4fd385 | |||
| 7bc08c0425 | |||
| 451f3d24a8 | |||
| 36a47c4cfb | |||
| 7dce4500ec | |||
| 72e48a56df | |||
| 293d9865b4 | |||
| 45a2a07747 | |||
| 181bcffe7d | |||
| ed35d25598 | |||
| 05e738e0f4 | |||
| c95e66d531 | |||
| cc2a416a92 | |||
| 70bb42f1fc | |||
| 10d2bc1e9e | |||
| 385f57ec93 | |||
| 9c8ffdb661 | |||
| 5a5feccc76 | |||
| 36e7054386 | |||
| 19de12b12e | |||
| d96e930679 | |||
| 5e51b8ad74 | |||
| 885b9e638d | |||
| 56ef3a934a | |||
| 98bc199c8e | |||
| 0444d3490b | |||
| 54820d1db0 | |||
| 961cbfcacc | |||
| a784cd307e | |||
| b46c948522 | |||
| 7eab2cc0bb | |||
| 5ff2569ece | |||
| c59505be8d | |||
| 2b0e6649fa | |||
| 428e9b546e | |||
| 5089660381 | |||
| 998364b09d | |||
| ac0d88d9b7 | |||
| 401f04b53e | |||
| b046ab7513 | |||
| 65ee9b9544 | |||
| 49c7319342 | |||
| ce7df5ddaa | |||
| af1739fbcb | |||
| f01c9ee41c | |||
| 19f8956218 | |||
| a8c50b8618 | |||
| e86a381ed5 | |||
| dd18375f23 | |||
| 46b72b9e8c | |||
| 7bb2a5a0a5 | |||
| 4b777b1488 | |||
| 428f91b5fa | |||
| caaae77f74 | |||
| 4df27b316c | |||
| 8f52a48937 | |||
| a53da85fb4 | |||
| 08a5785cc5 | |||
| ff928b846d | |||
| 47b3d26d0e | |||
| 6270dce86a | |||
| 864d1d5cc4 | |||
| b63eda64f4 | |||
| b8e942478d | |||
| 6d9bfbf08f | |||
| 35ce947e19 | |||
| b17ba96235 | |||
| f1bdb25497 | |||
| e11527b430 | |||
| 31d3b314e9 | |||
| 3bce57c65c | |||
| d649a83535 | |||
| 3c6b1781bc | |||
| 7dd50f65fc | |||
| 342b4aeddf | |||
| 65908fa00f | |||
| 223e0d0706 | |||
| 5426031cd4 | |||
| adf4a1ffda | |||
| 780feba19c | |||
| c4b3656fad | |||
| 3ac315b52e | |||
| 1b183d32c0 | |||
| 0c643e91a6 | |||
| 54c1dd3bae | |||
| a8f4d2b7d1 | |||
| fab53ba26a | |||
| 62e19a2f4e | |||
| 7d67fb9984 | |||
| 9f67134ce2 | |||
| 51f1693dbd | |||
| 7436aebca7 | |||
| 66fda553e4 | |||
| 432dc81875 | |||
| 2ecf076c0f | |||
| 0d04cc365f | |||
| 9b71c426c7 | |||
| e06dda27cb | |||
| 09baf2f32e | |||
| 3253d60900 | |||
| 18f6e0f75d | |||
| 3b232bcc58 | |||
| c575bb76e7 | |||
| 87e6c7ba36 | |||
| b33a6e6fac | |||
| fc2c13a686 | |||
| f4602a120e | |||
| c8e7e0ee1e | |||
| 7ccceeea0d | |||
| f81f78f294 | |||
| 6cab223f12 | |||
| 0e7aafd364 | |||
| 7b05c02508 | |||
| 5922bfb1a0 | |||
| 43f2e32231 | |||
| 20ebdc6289 | |||
| a80ae49a33 | |||
| 91f1bae3e9 | |||
| 660197eef1 | |||
| 53c138ce3e | |||
| 969db14a3c | |||
| 1ca1059673 | |||
| 9410a18404 | |||
| c1c387bdd8 | |||
| 6e83d77a87 | |||
| ba9a1efa4c | |||
| 9e046b9608 | |||
| 37794eb299 | |||
| 4e66b0e74b | |||
| 44fa873977 | |||
| 505461a533 | |||
| a88c5b1428 | |||
| 97ef1d605c | |||
| 3fc1c9d948 | |||
| 68bd37ab6c | |||
| 5c317c535b | |||
| 37c6b11899 | |||
| 45c567ffa0 | |||
| 49d22498fc | |||
| 23f4302186 | |||
| 775ea64b55 | |||
| 64ad7641af | |||
| 81274960f6 | |||
| d724f5bb5d | |||
| 30e627cca8 | |||
| 53c1e2e742 | |||
| fb4bda077b | |||
| d4f7c4a9c4 | |||
| 1cc0e9b689 | |||
| 584be4dbd2 | |||
| c33e295ce7 | |||
| 1a926a7127 | |||
| eb515a8f7f | |||
| 81b8a8a9e3 | |||
| bcd164219f | |||
| c90e405105 | |||
| 4786fc3a31 | |||
| b2c8311b26 | |||
| 2154811ffb | |||
| 1772ac220f | |||
| 9bd33072f4 | |||
| cf596d980f | |||
| 70f619b726 | |||
| 7743e3890b | |||
| d8df250555 | |||
| 45c9f217c6 | |||
| 8371692cc5 | |||
| 5377dc7a1c | |||
| 02649468e0 | |||
| c5ef00fb0e | |||
| 6f4325e9a0 | |||
| a2a031dfe7 | |||
| e34a4c82eb | |||
| 52fd7df727 | |||
| d5f08437d7 | |||
| 9ee07ba343 | |||
| 4baaa5fc14 | |||
| 61de100630 | |||
| 3694f43ae8 | |||
| 279211142d | |||
| b8822b4d25 | |||
| 0655ba9423 | |||
| e1afbc226c | |||
| 96c450fd08 | |||
| 587e4d104b | |||
| 368c5c374f | |||
| 7675b6409c | |||
| d31da1a41e | |||
| 49e259e259 | |||
| f4684c1858 | |||
| 6e223bb363 | |||
| 22e7038b2c | |||
| 76ba4c1fdf | |||
| 7f25d94a83 | |||
| 769ba27e3a | |||
| a188552ba0 | |||
| 208132082e | |||
| fcd5789221 | |||
| 2c85bcd06b | |||
| c6a8b09cff | |||
| 380ff381fc | |||
| 5eb3951f00 | |||
| c30e94da98 | |||
| 6ca24d51a1 | |||
| 13f512aed6 | |||
| 2bdbc9d688 | |||
| 8e2f30d8de | |||
| a84e1cc9e0 | |||
| 6b28f0c81e | |||
| d28d3ba6ea | |||
| 6efaf9f40d | |||
| 5379b32959 | |||
| 9bb936a40d | |||
| 960fe760f1 | |||
| 2f2105a085 | |||
| de92a28435 | |||
| d8c3484ed5 | |||
| 726e000154 | |||
| d6abe83fdc | |||
| 9df46f7014 | |||
| 908f0d54e2 | |||
| f0010ea12a | |||
| cab8be1a9a | |||
| 0a9dab7cca | |||
| 889ab1f8a8 | |||
| a9019cfb23 | |||
| 441d4bce6e | |||
| dd1e681a9c | |||
| a882619eaf | |||
| f43baaaf1f | |||
| c3dc0bd015 | |||
| 1fd2a0fae2 | |||
| 8ba5b43569 | |||
| 6deefcd003 | |||
| 4d6cea5fcd | |||
| f175ac774f | |||
| 0fe2b24f6b | |||
| 6ad06e6faf | |||
| d47faeced1 | |||
| 498f586eeb | |||
| e94fc6bc65 | |||
| 0a1fe1b725 | |||
| eb40b04b43 | |||
| 6685afdcf9 | |||
| 49232e32bf | |||
| aec0aed211 | |||
| d43b3176f5 | |||
| 190074ea0c | |||
| c5a7719239 | |||
| 5eac131d2e | |||
| 0bc3276ee2 | |||
| 5073507b90 | |||
| 805e6f856a | |||
| 412a9b5294 | |||
| fbf95c5363 | |||
| b907850344 | |||
| 22116373e3 | |||
| 9757c3d8b6 | |||
| f8b85d4b4e | |||
| 4651f19c53 | |||
| 4524bdc094 | |||
| 741850880e | |||
| 53e096f7cb | |||
| 3dfd7e8a43 | |||
| db6e60d0a3 | |||
| 54d2d689c1 | |||
| bb5853827b | |||
| 68f5512732 | |||
| 657072dd17 | |||
| 443a19165f | |||
| b4906ec9ba | |||
| 416e124c02 | |||
| d3e4d8cda8 | |||
| 81972dbb73 | |||
| 39bf64bc35 | |||
| b715786a1e | |||
| ae24eb2d2c | |||
| 20fc59dcda | |||
| 93b09de425 | |||
| bacc130453 | |||
| 79541ec7b8 | |||
| 81197f8a86 | |||
| dcfc7822f4 | |||
| 269bd9aa0f | |||
| 0a0817b860 | |||
| b7a903ab32 | |||
| ab60438aa7 | |||
| b9f3f90de6 | |||
| b53cc397be | |||
| 994fb456c2 | |||
| b36927c7a0 | |||
| 1c57473b6d | |||
| c02c3eaa4a | |||
| 3c265ee577 | |||
| 98dfd05f06 | |||
| faa2e97530 | |||
| 175f10a51d | |||
| 6284930fce | |||
| 6c93aca444 | |||
| d83318cbfc | |||
| 143f362a48 | |||
| 698cd868a8 | |||
| a55842ffff | |||
| 2ffe254879 | |||
| e173f59d89 | |||
| d3870f4920 | |||
| 227501d8f8 | |||
| a16f805709 | |||
| a029b107ae | |||
| f03389a9a0 | |||
| 78fff6bfde | |||
| bc585c24fc | |||
| 0f6c66dc67 | |||
| 6be150bafe | |||
| 1eac7741a5 | |||
| b8ca0499af | |||
| b39a2bcfb1 | |||
| d45b727dca | |||
| 5c31d35e28 | |||
| 8c645315f3 | |||
| ab6377e086 | |||
| 8685cf4208 | |||
| a3f30eff02 | |||
| 081940dff8 | |||
| 26fe1259da | |||
| 3bcbeb24f3 | |||
| 1d0a92c83e | |||
| a44100c2bd | |||
| c4cf4cdec4 | |||
| 2203ebf723 | |||
| 70958185bd | |||
| 7e374baee9 | |||
| 4cf6ca1d55 | |||
| 85f2165a1e | |||
| 1bc7175dd4 | |||
| 8ed9adbfae | |||
| ddaa9c32a7 | |||
| f286d66cbc | |||
| 27b2ec309d | |||
| 91ce8bea4b | |||
| 2ea9d27237 | |||
| 95cbaaae21 | |||
| 955aa41f53 | |||
| cb3fa028c3 | |||
| c746e1bc8d | |||
| da4dd88fdd | |||
| b9bee2836b | |||
| 53c48e6f04 | |||
| 9db5ff9ff7 | |||
| 8e1905a695 | |||
| f3eb823bc3 | |||
| 61c13db090 | |||
| ccbd793f52 | |||
| d13e6896a8 | |||
| 83a36ead10 | |||
| b61b74b0b5 | |||
| 01b068c50f | |||
| fee44ce960 | |||
| 1906504a86 | |||
| 36bcba332c | |||
| 304ab1964c | |||
| b286096c7b | |||
| a22a4b6e74 | |||
| 9a680d2374 | |||
| f80e212b07 | |||
| 8a39b3fd45 | |||
| 61ec938b00 | |||
| 6686de6788 | |||
| 79636cbb30 | |||
| 90d6178a0b | |||
| 2fa1bc6cdc | |||
| c5f6d822ca | |||
| 4de4bf9625 | |||
| 5d956080f2 | |||
| f8e18de2fc | |||
| 884482ec35 | |||
| 9b43948fa4 | |||
| bcd6cd99cc | |||
| 37ceba6b81 | |||
| dfe42e9016 | |||
| 38aa2dace8 | |||
| 136c3eff0c | |||
| 642999c8b1 | |||
| c5fc49b4fa | |||
| cd5a38b1eb | |||
| 595842c2c9 | |||
| 82d5276ade | |||
| 51eb782831 | |||
| de2980e1bc | |||
| 8a3c0d9a08 | |||
| 1a5e9f1005 | |||
| f42c013f33 | |||
| 42c9bda939 | |||
| cbce9fae3a | |||
| e44b15ecd5 | |||
| 7f6ca31757 | |||
| a1eb248474 | |||
| be2b1fd1ce | |||
| 20b65f549e | |||
| 1dc8be373c | |||
| 22b2e6b3d4 | |||
| 89e7107a47 | |||
| 0a69131c38 | |||
| 590f2c29b3 | |||
| 0ddcce6fe1 | |||
| 8a54fb7f23 | |||
| 5c280b024e | |||
| 033cc62ce7 | |||
| 4c69b7a64e | |||
| e7ab9b3f37 | |||
| 3143662f82 | |||
| 18964ba2a3 | |||
| f862404c5c | |||
| c292578f80 | |||
| 7b02d4104d | |||
| 2ef5d90e13 | |||
| d6a8021613 | |||
| c5231d37f6 | |||
| 4d803a40c9 | |||
| 1d709b551a | |||
| 335411de4c | |||
| 0e4abdf4b6 | |||
| 267b40b73c | |||
| ba9a0c5e3c | |||
| 9e0b7ff0d7 | |||
| 003bf7fdf3 | |||
| c3fdda026b | |||
| a53363d064 | |||
| ee21e1faa7 | |||
| e409a34a09 | |||
| 7177ab7f77 | |||
| 801f6fb661 | |||
| 805d82b8d9 | |||
| bd6d790495 | |||
| 2305163474 | |||
| dda53dcb16 | |||
| 2c3e768867 | |||
| 8d682ed9ad | |||
| 47fe497ca1 | |||
| 4d5f364663 | |||
| c3db8b972f | |||
| cfced63ba1 | |||
| 51aa55f963 | |||
| e7df24841e | |||
| e6fd4c32c4 | |||
| f6590aedbd | |||
| 3cb9e02533 | |||
| 4d792350ef |
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
alwaysApply: true
|
||||||
|
---
|
||||||
|
|
||||||
|
When adding submit buttons, don't change the text of the button during the loading state. Text should stay static and you should use the loading prop on the button.
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
alwaysApply: true
|
||||||
|
---
|
||||||
|
|
||||||
|
When creating UI for popup dialogs or modals, use the Credenza componennt. This component is mobile responsive and works on desktop and wraps the dialog component and sheet into one.
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
alwaysApply: true
|
||||||
|
---
|
||||||
|
|
||||||
|
Don't write or edit migrations in `server/setup` unless specificall instructed to do so.
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
alwaysApply: true
|
||||||
|
---
|
||||||
|
|
||||||
|
When writing TypeScript:
|
||||||
|
|
||||||
|
Prefer to use types instead of interfaces.
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
alwaysApply: true
|
||||||
|
---
|
||||||
|
|
||||||
|
When creating forms, use React form for validation and use Zod schemas.
|
||||||
@@ -34,3 +34,5 @@ build.ts
|
|||||||
tsconfig.json
|
tsconfig.json
|
||||||
Dockerfile*
|
Dockerfile*
|
||||||
drizzle.config.ts
|
drizzle.config.ts
|
||||||
|
allowedDevOrigins.json
|
||||||
|
scratch/
|
||||||
|
|||||||
@@ -1,3 +0,0 @@
|
|||||||
# These are supported funding model platforms
|
|
||||||
|
|
||||||
github: [fosrl]
|
|
||||||
@@ -14,12 +14,13 @@ body:
|
|||||||
label: Environment
|
label: Environment
|
||||||
description: Please fill out the relevant details below for your environment.
|
description: Please fill out the relevant details below for your environment.
|
||||||
value: |
|
value: |
|
||||||
- OS Type & Version: (e.g., Ubuntu 22.04)
|
- OS Type & Version:
|
||||||
- Pangolin Version:
|
- Pangolin Version:
|
||||||
|
- Edition (Community or Enterprise):
|
||||||
- Gerbil Version:
|
- Gerbil Version:
|
||||||
- Traefik Version:
|
- Traefik Version:
|
||||||
- Newt Version:
|
- Newt Version:
|
||||||
- Olm Version: (if applicable)
|
- Client Version:
|
||||||
validations:
|
validations:
|
||||||
required: true
|
required: true
|
||||||
|
|
||||||
|
|||||||
@@ -1,52 +1,42 @@
|
|||||||
version: 2
|
version: 2
|
||||||
|
|
||||||
updates:
|
updates:
|
||||||
- package-ecosystem: "npm"
|
- package-ecosystem: "npm"
|
||||||
directory: "/"
|
directory: "/"
|
||||||
schedule:
|
schedule:
|
||||||
interval: "daily"
|
interval: "daily"
|
||||||
|
open-pull-requests-limit: 1
|
||||||
groups:
|
groups:
|
||||||
dev-patch-updates:
|
npm-dependencies:
|
||||||
dependency-type: "development"
|
patterns:
|
||||||
update-types:
|
- "*"
|
||||||
- "patch"
|
|
||||||
dev-minor-updates:
|
|
||||||
dependency-type: "development"
|
|
||||||
update-types:
|
|
||||||
- "minor"
|
|
||||||
prod-patch-updates:
|
|
||||||
dependency-type: "production"
|
|
||||||
update-types:
|
|
||||||
- "patch"
|
|
||||||
prod-minor-updates:
|
|
||||||
dependency-type: "production"
|
|
||||||
update-types:
|
|
||||||
- "minor"
|
|
||||||
|
|
||||||
- package-ecosystem: "docker"
|
- package-ecosystem: "docker"
|
||||||
directory: "/"
|
directory: "/"
|
||||||
schedule:
|
schedule:
|
||||||
interval: "daily"
|
interval: "daily"
|
||||||
|
open-pull-requests-limit: 1
|
||||||
groups:
|
groups:
|
||||||
patch-updates:
|
docker-dependencies:
|
||||||
update-types:
|
patterns:
|
||||||
- "patch"
|
- "*"
|
||||||
minor-updates:
|
|
||||||
update-types:
|
|
||||||
- "minor"
|
|
||||||
|
|
||||||
- package-ecosystem: "github-actions"
|
- package-ecosystem: "github-actions"
|
||||||
directory: "/"
|
directory: "/"
|
||||||
schedule:
|
schedule:
|
||||||
interval: "weekly"
|
interval: "weekly"
|
||||||
|
open-pull-requests-limit: 1
|
||||||
|
groups:
|
||||||
|
github-actions-dependencies:
|
||||||
|
patterns:
|
||||||
|
- "*"
|
||||||
|
|
||||||
- package-ecosystem: "gomod"
|
- package-ecosystem: "gomod"
|
||||||
directory: "/install"
|
directory: "/install"
|
||||||
schedule:
|
schedule:
|
||||||
interval: "daily"
|
interval: "daily"
|
||||||
|
open-pull-requests-limit: 1
|
||||||
groups:
|
groups:
|
||||||
patch-updates:
|
go-install-dependencies:
|
||||||
update-types:
|
patterns:
|
||||||
- "patch"
|
- "*"
|
||||||
minor-updates:
|
|
||||||
update-types:
|
|
||||||
- "minor"
|
|
||||||
|
|||||||
@@ -62,7 +62,7 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||||
|
|
||||||
- name: Monitor storage space
|
- name: Monitor storage space
|
||||||
run: |
|
run: |
|
||||||
@@ -77,7 +77,7 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
- name: Log in to Docker Hub
|
- name: Log in to Docker Hub
|
||||||
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
|
||||||
with:
|
with:
|
||||||
registry: docker.io
|
registry: docker.io
|
||||||
username: ${{ secrets.DOCKER_HUB_USERNAME }}
|
username: ${{ secrets.DOCKER_HUB_USERNAME }}
|
||||||
@@ -134,7 +134,7 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||||
|
|
||||||
- name: Monitor storage space
|
- name: Monitor storage space
|
||||||
run: |
|
run: |
|
||||||
@@ -149,7 +149,7 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
- name: Log in to Docker Hub
|
- name: Log in to Docker Hub
|
||||||
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
|
||||||
with:
|
with:
|
||||||
registry: docker.io
|
registry: docker.io
|
||||||
username: ${{ secrets.DOCKER_HUB_USERNAME }}
|
username: ${{ secrets.DOCKER_HUB_USERNAME }}
|
||||||
@@ -201,10 +201,10 @@ jobs:
|
|||||||
timeout-minutes: 30
|
timeout-minutes: 30
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||||
|
|
||||||
- name: Log in to Docker Hub
|
- name: Log in to Docker Hub
|
||||||
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
|
||||||
with:
|
with:
|
||||||
registry: docker.io
|
registry: docker.io
|
||||||
username: ${{ secrets.DOCKER_HUB_USERNAME }}
|
username: ${{ secrets.DOCKER_HUB_USERNAME }}
|
||||||
@@ -256,7 +256,7 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||||
|
|
||||||
- name: Extract tag name
|
- name: Extract tag name
|
||||||
id: get-tag
|
id: get-tag
|
||||||
@@ -264,7 +264,7 @@ jobs:
|
|||||||
shell: bash
|
shell: bash
|
||||||
|
|
||||||
- name: Install Go
|
- name: Install Go
|
||||||
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
|
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
|
||||||
with:
|
with:
|
||||||
go-version: 1.25
|
go-version: 1.25
|
||||||
|
|
||||||
@@ -407,35 +407,27 @@ jobs:
|
|||||||
shell: bash
|
shell: bash
|
||||||
|
|
||||||
- name: Login to GitHub Container Registry (for cosign)
|
- name: Login to GitHub Container Registry (for cosign)
|
||||||
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
|
||||||
with:
|
with:
|
||||||
registry: ghcr.io
|
registry: ghcr.io
|
||||||
username: ${{ github.actor }}
|
username: ${{ github.actor }}
|
||||||
password: ${{ secrets.GITHUB_TOKEN }}
|
password: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
- name: Install cosign
|
- name: Install cosign
|
||||||
# cosign is used to sign and verify container images (key and keyless)
|
# cosign is used to sign container images using keyless (OIDC) signing
|
||||||
uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
|
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
|
||||||
|
with:
|
||||||
|
cosign-release: v3.0.6
|
||||||
|
|
||||||
- name: Dual-sign and verify (GHCR & Docker Hub)
|
- name: Sign (GHCR, keyless)
|
||||||
# Sign each image by digest using keyless (OIDC) and key-based signing,
|
# Sign each GHCR image by digest using keyless (OIDC) signing via Sigstore/Rekor.
|
||||||
# then verify both the public key signature and the keyless OIDC signature.
|
# Signatures are stored in the registry alongside the image.
|
||||||
env:
|
env:
|
||||||
TAG: ${{ env.TAG }}
|
TAG: ${{ env.TAG }}
|
||||||
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
|
|
||||||
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
|
||||||
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
|
|
||||||
COSIGN_YES: "true"
|
COSIGN_YES: "true"
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
issuer="https://token.actions.githubusercontent.com"
|
|
||||||
id_regex="^https://github.com/${{ github.repository }}/.+" # accept this repo (all workflows/refs)
|
|
||||||
|
|
||||||
# Track failures
|
|
||||||
FAILED_TAGS=()
|
|
||||||
SUCCESSFUL_TAGS=()
|
|
||||||
|
|
||||||
# Determine if this is an RC release
|
# Determine if this is an RC release
|
||||||
IS_RC="false"
|
IS_RC="false"
|
||||||
if [[ "$TAG" == *"-rc."* ]]; then
|
if [[ "$TAG" == *"-rc."* ]]; then
|
||||||
@@ -463,95 +455,47 @@ jobs:
|
|||||||
)
|
)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Sign each image variant for both registries
|
FAILED_TAGS=()
|
||||||
for BASE_IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
|
SUCCESSFUL_TAGS=()
|
||||||
|
|
||||||
for IMAGE_TAG in "${IMAGE_TAGS[@]}"; do
|
for IMAGE_TAG in "${IMAGE_TAGS[@]}"; do
|
||||||
echo "Processing ${BASE_IMAGE}:${IMAGE_TAG}"
|
echo "Processing ${GHCR_IMAGE}:${IMAGE_TAG}"
|
||||||
TAG_FAILED=false
|
TAG_FAILED=false
|
||||||
|
|
||||||
# Wrap the entire tag processing in error handling
|
|
||||||
(
|
(
|
||||||
set -e
|
set -e
|
||||||
DIGEST="$(skopeo inspect --retry-times 3 docker://${BASE_IMAGE}:${IMAGE_TAG} | jq -r '.Digest')"
|
DIGEST="$(skopeo inspect --retry-times 3 docker://${GHCR_IMAGE}:${IMAGE_TAG} | jq -r '.Digest')"
|
||||||
REF="${BASE_IMAGE}@${DIGEST}"
|
REF="${GHCR_IMAGE}@${DIGEST}"
|
||||||
echo "Resolved digest: ${REF}"
|
echo "Resolved digest: ${REF}"
|
||||||
|
|
||||||
echo "==> cosign sign (keyless) --recursive ${REF}"
|
echo "==> cosign sign (keyless) --recursive ${REF}"
|
||||||
cosign sign --recursive "${REF}"
|
cosign sign --recursive "${REF}"
|
||||||
|
|
||||||
echo "==> cosign sign (key) --recursive ${REF}"
|
|
||||||
cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
|
|
||||||
|
|
||||||
# Retry wrapper for verification to handle registry propagation delays
|
|
||||||
retry_verify() {
|
|
||||||
local cmd="$1"
|
|
||||||
local attempts=6
|
|
||||||
local delay=5
|
|
||||||
local i=1
|
|
||||||
until eval "$cmd"; do
|
|
||||||
if [ $i -ge $attempts ]; then
|
|
||||||
echo "Verification failed after $attempts attempts"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
echo "Verification not yet available. Retry $i/$attempts after ${delay}s..."
|
|
||||||
sleep $delay
|
|
||||||
i=$((i+1))
|
|
||||||
delay=$((delay*2))
|
|
||||||
# Cap the delay to avoid very long waits
|
|
||||||
if [ $delay -gt 60 ]; then delay=60; fi
|
|
||||||
done
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
echo "==> cosign verify (public key) ${REF}"
|
|
||||||
if retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${REF}' -o text"; then
|
|
||||||
VERIFIED_INDEX=true
|
|
||||||
else
|
|
||||||
VERIFIED_INDEX=false
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "==> cosign verify (keyless policy) ${REF}"
|
|
||||||
if retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${REF}' -o text"; then
|
|
||||||
VERIFIED_INDEX_KEYLESS=true
|
|
||||||
else
|
|
||||||
VERIFIED_INDEX_KEYLESS=false
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Check if verification succeeded
|
|
||||||
if [ "${VERIFIED_INDEX}" != "true" ] && [ "${VERIFIED_INDEX_KEYLESS}" != "true" ]; then
|
|
||||||
echo "⚠️ WARNING: Verification not available for ${BASE_IMAGE}:${IMAGE_TAG}"
|
|
||||||
echo "This may be due to registry propagation delays. Continuing anyway."
|
|
||||||
fi
|
|
||||||
) || TAG_FAILED=true
|
) || TAG_FAILED=true
|
||||||
|
|
||||||
if [ "$TAG_FAILED" = "true" ]; then
|
if [ "$TAG_FAILED" = "true" ]; then
|
||||||
echo "⚠️ WARNING: Failed to sign/verify ${BASE_IMAGE}:${IMAGE_TAG}"
|
echo "⚠️ WARNING: Failed to sign ${GHCR_IMAGE}:${IMAGE_TAG}"
|
||||||
FAILED_TAGS+=("${BASE_IMAGE}:${IMAGE_TAG}")
|
FAILED_TAGS+=("${GHCR_IMAGE}:${IMAGE_TAG}")
|
||||||
else
|
else
|
||||||
echo "✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}"
|
echo "✓ Successfully signed ${GHCR_IMAGE}:${IMAGE_TAG}"
|
||||||
SUCCESSFUL_TAGS+=("${BASE_IMAGE}:${IMAGE_TAG}")
|
SUCCESSFUL_TAGS+=("${GHCR_IMAGE}:${IMAGE_TAG}")
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# Report summary
|
|
||||||
echo ""
|
echo ""
|
||||||
echo "=========================================="
|
echo "=========================================="
|
||||||
echo "Sign and Verify Summary"
|
echo "Sign Summary"
|
||||||
echo "=========================================="
|
echo "=========================================="
|
||||||
echo "Successful: ${#SUCCESSFUL_TAGS[@]}"
|
echo "Successful: ${#SUCCESSFUL_TAGS[@]}"
|
||||||
echo "Failed: ${#FAILED_TAGS[@]}"
|
echo "Failed: ${#FAILED_TAGS[@]}"
|
||||||
echo ""
|
|
||||||
|
|
||||||
if [ ${#FAILED_TAGS[@]} -gt 0 ]; then
|
if [ ${#FAILED_TAGS[@]} -gt 0 ]; then
|
||||||
echo "Failed tags:"
|
echo "Failed tags:"
|
||||||
for tag in "${FAILED_TAGS[@]}"; do
|
for tag in "${FAILED_TAGS[@]}"; do
|
||||||
echo " - $tag"
|
echo " - $tag"
|
||||||
done
|
done
|
||||||
echo ""
|
echo "⚠️ WARNING: Some tags failed to sign, but continuing anyway"
|
||||||
echo "⚠️ WARNING: Some tags failed to sign/verify, but continuing anyway"
|
|
||||||
else
|
else
|
||||||
echo "✓ All images signed and verified successfully!"
|
echo "✓ All images signed successfully!"
|
||||||
fi
|
fi
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|
||||||
|
|||||||
@@ -21,10 +21,10 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||||
|
|
||||||
- name: Set up Node.js
|
- name: Set up Node.js
|
||||||
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
|
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
||||||
with:
|
with:
|
||||||
node-version: '24'
|
node-version: '24'
|
||||||
|
|
||||||
|
|||||||
@@ -23,7 +23,7 @@ jobs:
|
|||||||
skopeo --version
|
skopeo --version
|
||||||
|
|
||||||
- name: Install cosign
|
- name: Install cosign
|
||||||
uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
|
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
|
||||||
|
|
||||||
- name: Input check
|
- name: Input check
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
@@ -1,39 +0,0 @@
|
|||||||
name: Restart Runners
|
|
||||||
|
|
||||||
on:
|
|
||||||
schedule:
|
|
||||||
- cron: '0 0 */7 * *'
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
id-token: write
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
ec2-maintenance-prod:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
permissions: write-all
|
|
||||||
steps:
|
|
||||||
- name: Configure AWS credentials
|
|
||||||
uses: aws-actions/configure-aws-credentials@v6
|
|
||||||
with:
|
|
||||||
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
|
|
||||||
role-duration-seconds: 3600
|
|
||||||
aws-region: ${{ secrets.AWS_REGION }}
|
|
||||||
|
|
||||||
- name: Verify AWS identity
|
|
||||||
run: aws sts get-caller-identity
|
|
||||||
|
|
||||||
- name: Start EC2 instance
|
|
||||||
run: |
|
|
||||||
aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
|
|
||||||
aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
|
|
||||||
echo "EC2 instances started"
|
|
||||||
|
|
||||||
- name: Wait
|
|
||||||
run: sleep 600
|
|
||||||
|
|
||||||
- name: Stop EC2 instance
|
|
||||||
run: |
|
|
||||||
aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
|
|
||||||
aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
|
|
||||||
echo "EC2 instances stopped"
|
|
||||||
@@ -1,160 +0,0 @@
|
|||||||
name: SAAS Pipeline
|
|
||||||
|
|
||||||
# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
|
|
||||||
# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
packages: write # for GHCR push
|
|
||||||
id-token: write # for Cosign Keyless (OIDC) Signing
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
tags:
|
|
||||||
- "[0-9]+.[0-9]+.[0-9]+-s.[0-9]+"
|
|
||||||
|
|
||||||
concurrency:
|
|
||||||
group: ${{ github.ref }}
|
|
||||||
cancel-in-progress: true
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
pre-run:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
permissions: write-all
|
|
||||||
steps:
|
|
||||||
- name: Configure AWS credentials
|
|
||||||
uses: aws-actions/configure-aws-credentials@v6
|
|
||||||
with:
|
|
||||||
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
|
|
||||||
role-duration-seconds: 3600
|
|
||||||
aws-region: ${{ secrets.AWS_REGION }}
|
|
||||||
|
|
||||||
- name: Verify AWS identity
|
|
||||||
run: aws sts get-caller-identity
|
|
||||||
|
|
||||||
- name: Start EC2 instances
|
|
||||||
run: |
|
|
||||||
aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
|
|
||||||
echo "EC2 instances started"
|
|
||||||
|
|
||||||
|
|
||||||
release-arm:
|
|
||||||
name: Build and Release (ARM64)
|
|
||||||
runs-on: [self-hosted, linux, arm64, us-east-1]
|
|
||||||
needs: [pre-run]
|
|
||||||
if: >-
|
|
||||||
${{
|
|
||||||
needs.pre-run.result == 'success'
|
|
||||||
}}
|
|
||||||
# Job-level timeout to avoid runaway or stuck runs
|
|
||||||
timeout-minutes: 120
|
|
||||||
env:
|
|
||||||
# Target images
|
|
||||||
AWS_IMAGE: ${{ secrets.aws_account_id }}.dkr.ecr.us-east-1.amazonaws.com/${{ github.event.repository.name }}
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Checkout code
|
|
||||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
||||||
|
|
||||||
- name: Download MaxMind GeoLite2 databases
|
|
||||||
env:
|
|
||||||
MAXMIND_LICENSE_KEY: ${{ secrets.MAXMIND_LICENSE_KEY }}
|
|
||||||
run: |
|
|
||||||
echo "Downloading MaxMind GeoLite2 databases..."
|
|
||||||
|
|
||||||
# Download GeoLite2-Country
|
|
||||||
curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
|
|
||||||
-o GeoLite2-Country.tar.gz
|
|
||||||
|
|
||||||
# Download GeoLite2-ASN
|
|
||||||
curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
|
|
||||||
-o GeoLite2-ASN.tar.gz
|
|
||||||
|
|
||||||
# Extract the .mmdb files
|
|
||||||
tar -xzf GeoLite2-Country.tar.gz --strip-components=1 --wildcards '*.mmdb'
|
|
||||||
tar -xzf GeoLite2-ASN.tar.gz --strip-components=1 --wildcards '*.mmdb'
|
|
||||||
|
|
||||||
# Verify files exist
|
|
||||||
if [ ! -f "GeoLite2-Country.mmdb" ]; then
|
|
||||||
echo "ERROR: Failed to download GeoLite2-Country.mmdb"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -f "GeoLite2-ASN.mmdb" ]; then
|
|
||||||
echo "ERROR: Failed to download GeoLite2-ASN.mmdb"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Clean up tar files
|
|
||||||
rm -f GeoLite2-Country.tar.gz GeoLite2-ASN.tar.gz
|
|
||||||
|
|
||||||
echo "MaxMind databases downloaded successfully"
|
|
||||||
ls -lh GeoLite2-*.mmdb
|
|
||||||
|
|
||||||
- name: Monitor storage space
|
|
||||||
run: |
|
|
||||||
THRESHOLD=75
|
|
||||||
USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
|
|
||||||
echo "Used space: $USED_SPACE%"
|
|
||||||
if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
|
|
||||||
echo "Used space is below the threshold of 75% free. Running Docker system prune."
|
|
||||||
echo y | docker system prune -a
|
|
||||||
else
|
|
||||||
echo "Storage space is above the threshold. No action needed."
|
|
||||||
fi
|
|
||||||
|
|
||||||
- name: Configure AWS credentials
|
|
||||||
uses: aws-actions/configure-aws-credentials@v6
|
|
||||||
with:
|
|
||||||
role-to-assume: arn:aws:iam::${{ secrets.aws_account_id }}:role/${{ secrets.AWS_ROLE_NAME }}
|
|
||||||
role-duration-seconds: 3600
|
|
||||||
aws-region: ${{ secrets.AWS_REGION }}
|
|
||||||
|
|
||||||
- name: Login to Amazon ECR
|
|
||||||
id: login-ecr
|
|
||||||
uses: aws-actions/amazon-ecr-login@v2
|
|
||||||
|
|
||||||
- name: Extract tag name
|
|
||||||
id: get-tag
|
|
||||||
run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
|
|
||||||
shell: bash
|
|
||||||
|
|
||||||
- name: Update version in package.json
|
|
||||||
run: |
|
|
||||||
TAG=${{ env.TAG }}
|
|
||||||
sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
|
|
||||||
cat server/lib/consts.ts
|
|
||||||
shell: bash
|
|
||||||
|
|
||||||
- name: Build and push Docker images (Docker Hub - ARM64)
|
|
||||||
run: |
|
|
||||||
TAG=${{ env.TAG }}
|
|
||||||
make build-saas tag=$TAG
|
|
||||||
echo "Built & pushed ARM64 images to: ${{ env.AWS_IMAGE }}:${TAG}"
|
|
||||||
shell: bash
|
|
||||||
|
|
||||||
post-run:
|
|
||||||
needs: [pre-run, release-arm]
|
|
||||||
if: >-
|
|
||||||
${{
|
|
||||||
always() &&
|
|
||||||
needs.pre-run.result == 'success' &&
|
|
||||||
(needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure')
|
|
||||||
}}
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
permissions: write-all
|
|
||||||
steps:
|
|
||||||
- name: Configure AWS credentials
|
|
||||||
uses: aws-actions/configure-aws-credentials@v6
|
|
||||||
with:
|
|
||||||
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
|
|
||||||
role-duration-seconds: 3600
|
|
||||||
aws-region: ${{ secrets.AWS_REGION }}
|
|
||||||
|
|
||||||
- name: Verify AWS identity
|
|
||||||
run: aws sts get-caller-identity
|
|
||||||
|
|
||||||
- name: Stop EC2 instances
|
|
||||||
run: |
|
|
||||||
aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
|
|
||||||
echo "EC2 instances stopped"
|
|
||||||
@@ -14,7 +14,7 @@ jobs:
|
|||||||
stale:
|
stale:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
|
- uses: actions/stale@1e223db275d687790206a7acac4d1a11bd6fe629 # v10.4.0
|
||||||
with:
|
with:
|
||||||
days-before-stale: 14
|
days-before-stale: 14
|
||||||
days-before-close: 14
|
days-before-close: 14
|
||||||
|
|||||||
@@ -14,10 +14,10 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||||
|
|
||||||
- name: Install Node
|
- name: Install Node
|
||||||
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
|
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
||||||
with:
|
with:
|
||||||
node-version: '24'
|
node-version: '24'
|
||||||
|
|
||||||
@@ -62,7 +62,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||||
|
|
||||||
- name: Build Docker image sqlite
|
- name: Build Docker image sqlite
|
||||||
run: make dev-build-sqlite
|
run: make dev-build-sqlite
|
||||||
@@ -71,7 +71,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||||
|
|
||||||
- name: Build Docker image pg
|
- name: Build Docker image pg
|
||||||
run: make dev-build-pg
|
run: make dev-build-pg
|
||||||
|
|||||||
@@ -17,9 +17,9 @@ yarn-error.log*
|
|||||||
*.tsbuildinfo
|
*.tsbuildinfo
|
||||||
next-env.d.ts
|
next-env.d.ts
|
||||||
*.db
|
*.db
|
||||||
*.sqlite
|
*.sqlite*
|
||||||
!Dockerfile.sqlite
|
!Dockerfile.sqlite
|
||||||
*.sqlite3
|
*.sqlite3*
|
||||||
*.log
|
*.log
|
||||||
.machinelogs*.json
|
.machinelogs*.json
|
||||||
*-audit.json
|
*-audit.json
|
||||||
@@ -54,3 +54,5 @@ hydrateSaas.ts
|
|||||||
CLAUDE.md
|
CLAUDE.md
|
||||||
drizzle.config.ts
|
drizzle.config.ts
|
||||||
server/setup/migrations.ts
|
server/setup/migrations.ts
|
||||||
|
solo.yml
|
||||||
|
allowedDevOrigins.json
|
||||||
@@ -18,5 +18,8 @@
|
|||||||
"[json]": {
|
"[json]": {
|
||||||
"editor.defaultFormatter": "esbenp.prettier-vscode"
|
"editor.defaultFormatter": "esbenp.prettier-vscode"
|
||||||
},
|
},
|
||||||
"editor.formatOnSave": true
|
"editor.formatOnSave": true,
|
||||||
|
"cSpell.words": [
|
||||||
|
"nessicary"
|
||||||
|
]
|
||||||
}
|
}
|
||||||
@@ -41,7 +41,7 @@
|
|||||||
</strong>
|
</strong>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
Pangolin is an open-source, identity-based remote access platform built on WireGuard that enables secure, seamless connectivity to private and public resources. Pangolin combines reverse proxy and VPN capabilities into one platform, providing browser-based access to web applications and client-based access to any private resources with NAT traversal, all with granular access controls.
|
Pangolin is an open-source, identity-based remote access platform built on WireGuard® that enables secure connectivity to infrastructure anywhere. It combines reverse-proxy and VPN capabilities into one platform, providing browser-based access to web applications and client-based access to private resources with NAT traversal, all with granular access control.
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
@@ -63,11 +63,26 @@ Pangolin is an open-source, identity-based remote access platform built on WireG
|
|||||||
|
|
||||||
Pangolin's site connectors provide gateways into networks so you can access any networked resources. Sites use outbound tunnels and intelligent NAT traversal to make networks behind restrictive firewalls available for authorized access without public IPs or open ports. Easily deploy a site as a binary or container on any platform.
|
Pangolin's site connectors provide gateways into networks so you can access any networked resources. Sites use outbound tunnels and intelligent NAT traversal to make networks behind restrictive firewalls available for authorized access without public IPs or open ports. Easily deploy a site as a binary or container on any platform.
|
||||||
|
|
||||||
|
* Lightweight user-space connector runs anywhere
|
||||||
|
* Punches through any firewall
|
||||||
|
* Doesn't require open ports or a public IP
|
||||||
|
* Strict network segmentation
|
||||||
|
* WireGuard-based
|
||||||
|
* Get alerts when a device or network resource goes down
|
||||||
|
|
||||||
<img src="public/screenshots/sites.png" alt="Sites" width="100%" />
|
<img src="public/screenshots/sites.png" alt="Sites" width="100%" />
|
||||||
|
|
||||||
### Browser-based reverse proxy access
|
### Browser-based reverse proxy access
|
||||||
|
|
||||||
Expose web applications through identity and context-aware tunneled reverse proxies. Users access applications through any web browser with authentication and granular access control without installing a client. Pangolin handles routing, load balancing, health checking, and automatic SSL certificates without exposing your network directly to the internet.
|
Expose HTTPS web applications and connect to VNC, RDP, and SSH entirely in the browser through identity and context-aware tunneled reverse proxies. Users access resources with authentication and granular access control without installing a client. Pangolin handles routing, load balancing, health checking, and automatic SSL certificates without exposing your network directly to the internet.
|
||||||
|
|
||||||
|
* Expose a web panel anywhere
|
||||||
|
* Access via any web browser
|
||||||
|
* Single sign-on across all resources
|
||||||
|
* HTTPS resources
|
||||||
|
* Remote desktop in the browser with VNC and RDP
|
||||||
|
* In-browser SSH terminal with privileged access management (PAM)
|
||||||
|
* PIN codes, passcodes, email OTP, geoblocking, allow-lists, and more
|
||||||
|
|
||||||
<img src="public/clip.gif" alt="Reverse proxy access" width="100%" />
|
<img src="public/clip.gif" alt="Reverse proxy access" width="100%" />
|
||||||
|
|
||||||
@@ -75,14 +90,35 @@ Expose web applications through identity and context-aware tunneled reverse prox
|
|||||||
|
|
||||||
Access private resources like SSH servers, databases, RDP, and entire network ranges through Pangolin clients. Intelligent NAT traversal enables connections even through restrictive firewalls, while DNS aliases provide friendly names and fast connections to resources across all your sites. Add redundancy by routing traffic through multiple connectors in your network.
|
Access private resources like SSH servers, databases, RDP, and entire network ranges through Pangolin clients. Intelligent NAT traversal enables connections even through restrictive firewalls, while DNS aliases provide friendly names and fast connections to resources across all your sites. Add redundancy by routing traffic through multiple connectors in your network.
|
||||||
|
|
||||||
|
* Peer-to-peer with intelligent NAT traversal
|
||||||
|
* Hosts/IPs and port ranges
|
||||||
|
* Network ranges/CIDRs
|
||||||
|
* Friendly DNS aliases for network addresses
|
||||||
|
* Privileged access management (PAM) with SSH resources
|
||||||
|
* Private HTTPS resources only accessible on the private network
|
||||||
|
|
||||||
<img src="public/screenshots/private-resources.png" alt="Private resources" width="100%" />
|
<img src="public/screenshots/private-resources.png" alt="Private resources" width="100%" />
|
||||||
|
|
||||||
### Give users and roles access to resources
|
### Give users and roles access to resources
|
||||||
|
|
||||||
Use Pangolin's built in users or bring your own identity provider and set up role based access control (RBAC). Grant users access to specific resources, not entire networks. Unlike traditional VPNs that expose full network access, Pangolin's zero-trust model ensures users can only reach the applications, services, and routes you explicitly define.
|
Use Pangolin's built-in users or bring your own identity provider and set up role-based access control (RBAC). Grant users access to specific resources, not entire networks. Unlike traditional VPNs that expose full network access, Pangolin's zero-trust model ensures users can only reach the applications, services, and routes you explicitly define.
|
||||||
|
|
||||||
|
* Bring your existing identity provider (IdP) or use Pangolin identities
|
||||||
|
* Sync users and roles from your IdP
|
||||||
|
* User- and role-based access control
|
||||||
|
* Full network audit and access logs
|
||||||
|
|
||||||
<img src="public/screenshots/users.png" alt="Users from identity provider with roles" width="100%" />
|
<img src="public/screenshots/users.png" alt="Users from identity provider with roles" width="100%" />
|
||||||
|
|
||||||
|
### Find and launch resources from a personalized home page
|
||||||
|
|
||||||
|
Give users a landing page to quickly find and open the resources they can access. Resources are grouped by site or label, searchable, and filterable, with grid or list views. Saved views capture filters, grouping, and layout as personal or organization-wide defaults.
|
||||||
|
|
||||||
|
* Single place for admins and non-admins to see accessible resources
|
||||||
|
* Create reusable views for common access patterns
|
||||||
|
|
||||||
|
<img src="public/screenshots/resource-launcher.png" alt="Resource Launcher" width="100%" />
|
||||||
|
|
||||||
## Download Clients
|
## Download Clients
|
||||||
|
|
||||||
Download the Pangolin client for your platform:
|
Download the Pangolin client for your platform:
|
||||||
@@ -107,7 +143,7 @@ the docs to illustrate some basic ideas.
|
|||||||
|
|
||||||
## Licensing
|
## Licensing
|
||||||
|
|
||||||
Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License](https://pangolin.net/fcl.html). For inquiries about commercial licensing, please contact us at [contact@pangolin.net](mailto:contact@pangolin.net).
|
Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License](https://pangolin.net/fcl). For inquiries about commercial licensing, please contact us at [contact@pangolin.net](mailto:contact@pangolin.net).
|
||||||
|
|
||||||
## Contributions
|
## Contributions
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,28 @@
|
|||||||
|
import { CommandModule } from "yargs";
|
||||||
|
import { db, certificates } from "@server/db";
|
||||||
|
|
||||||
|
type ClearCertificatesArgs = {};
|
||||||
|
|
||||||
|
export const clearCertificates: CommandModule<{}, ClearCertificatesArgs> = {
|
||||||
|
command: "clear-certificates",
|
||||||
|
describe: "Delete all entries from the certificates table",
|
||||||
|
builder: (yargs) => {
|
||||||
|
return yargs;
|
||||||
|
},
|
||||||
|
handler: async (argv: {}) => {
|
||||||
|
try {
|
||||||
|
console.log("Clearing all certificates from the database...");
|
||||||
|
|
||||||
|
const deleted = await db.delete(certificates).returning();
|
||||||
|
|
||||||
|
console.log(
|
||||||
|
`Deleted ${deleted.length} certificate(s) from the database`
|
||||||
|
);
|
||||||
|
|
||||||
|
process.exit(0);
|
||||||
|
} catch (error) {
|
||||||
|
console.error("Error:", error);
|
||||||
|
process.exit(1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
};
|
||||||
@@ -0,0 +1,60 @@
|
|||||||
|
import { CommandModule } from "yargs";
|
||||||
|
import { db, users } from "@server/db";
|
||||||
|
import { eq } from "drizzle-orm";
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Disable 2FA for a user by email address.
|
||||||
|
*/
|
||||||
|
type DisableUser2faArgs = {
|
||||||
|
email: string;
|
||||||
|
};
|
||||||
|
|
||||||
|
export const disableUser2fa: CommandModule<{}, DisableUser2faArgs> = {
|
||||||
|
command: "disable-user-2fa",
|
||||||
|
describe: "Disable 2FA for a user (sets twoFactorEnabled=false, clears secret)",
|
||||||
|
builder: (yargs) => {
|
||||||
|
return yargs.option("email", {
|
||||||
|
type: "string",
|
||||||
|
demandOption: true,
|
||||||
|
describe: "User email address"
|
||||||
|
});
|
||||||
|
},
|
||||||
|
handler: async (argv: { email: string }) => {
|
||||||
|
try {
|
||||||
|
const { email } = argv;
|
||||||
|
console.log(`Looking for user with email: ${email}`);
|
||||||
|
|
||||||
|
// Find the user by email
|
||||||
|
const [user] = await db
|
||||||
|
.select()
|
||||||
|
.from(users)
|
||||||
|
.where(eq(users.email, email))
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
if (!user) {
|
||||||
|
console.error(`User with email '${email}' not found`);
|
||||||
|
process.exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!user.twoFactorEnabled) {
|
||||||
|
console.log(`2FA is already disabled for user '${email}'.`);
|
||||||
|
process.exit(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Update user: disable 2FA and clear secret
|
||||||
|
await db.update(users)
|
||||||
|
.set({
|
||||||
|
twoFactorEnabled: false,
|
||||||
|
twoFactorSecret: null,
|
||||||
|
twoFactorSetupRequested: false
|
||||||
|
})
|
||||||
|
.where(eq(users.userId, user.userId));
|
||||||
|
|
||||||
|
console.log(`2FA disabled for user '${email}'.`);
|
||||||
|
process.exit(0);
|
||||||
|
} catch (error) {
|
||||||
|
console.error("Error disabling 2FA:", error);
|
||||||
|
process.exit(1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
};
|
||||||
@@ -1,5 +1,5 @@
|
|||||||
import { CommandModule } from "yargs";
|
import { CommandModule } from "yargs";
|
||||||
import { db, idpOidcConfig, licenseKey } from "@server/db";
|
import { db, idpOidcConfig, licenseKey, certificates, eventStreamingDestinations, alertWebhookActions } from "@server/db";
|
||||||
import { encrypt, decrypt } from "@server/lib/crypto";
|
import { encrypt, decrypt } from "@server/lib/crypto";
|
||||||
import { configFilePath1, configFilePath2 } from "@server/lib/consts";
|
import { configFilePath1, configFilePath2 } from "@server/lib/consts";
|
||||||
import { eq } from "drizzle-orm";
|
import { eq } from "drizzle-orm";
|
||||||
@@ -129,9 +129,15 @@ export const rotateServerSecret: CommandModule<
|
|||||||
console.log("\nReading encrypted data from database...");
|
console.log("\nReading encrypted data from database...");
|
||||||
const idpConfigs = await db.select().from(idpOidcConfig);
|
const idpConfigs = await db.select().from(idpOidcConfig);
|
||||||
const licenseKeys = await db.select().from(licenseKey);
|
const licenseKeys = await db.select().from(licenseKey);
|
||||||
|
const certs = await db.select().from(certificates);
|
||||||
|
const streamingDestinations = await db.select().from(eventStreamingDestinations);
|
||||||
|
const webhookActions = await db.select().from(alertWebhookActions);
|
||||||
|
|
||||||
console.log(`Found ${idpConfigs.length} OIDC IdP configuration(s)`);
|
console.log(`Found ${idpConfigs.length} OIDC IdP configuration(s)`);
|
||||||
console.log(`Found ${licenseKeys.length} license key(s)`);
|
console.log(`Found ${licenseKeys.length} license key(s)`);
|
||||||
|
console.log(`Found ${certs.length} certificate(s)`);
|
||||||
|
console.log(`Found ${streamingDestinations.length} event streaming destination(s)`);
|
||||||
|
console.log(`Found ${webhookActions.length} alert webhook action(s)`);
|
||||||
|
|
||||||
// Prepare all decrypted and re-encrypted values
|
// Prepare all decrypted and re-encrypted values
|
||||||
console.log("\nDecrypting and re-encrypting values...");
|
console.log("\nDecrypting and re-encrypting values...");
|
||||||
@@ -149,8 +155,27 @@ export const rotateServerSecret: CommandModule<
|
|||||||
encryptedInstanceId: string;
|
encryptedInstanceId: string;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
type CertUpdate = {
|
||||||
|
certId: number;
|
||||||
|
encryptedCertFile: string | null;
|
||||||
|
encryptedKeyFile: string | null;
|
||||||
|
};
|
||||||
|
|
||||||
|
type StreamingDestinationUpdate = {
|
||||||
|
destinationId: number;
|
||||||
|
encryptedConfig: string;
|
||||||
|
};
|
||||||
|
|
||||||
|
type WebhookActionUpdate = {
|
||||||
|
webhookActionId: number;
|
||||||
|
encryptedConfig: string;
|
||||||
|
};
|
||||||
|
|
||||||
const idpUpdates: IdpUpdate[] = [];
|
const idpUpdates: IdpUpdate[] = [];
|
||||||
const licenseKeyUpdates: LicenseKeyUpdate[] = [];
|
const licenseKeyUpdates: LicenseKeyUpdate[] = [];
|
||||||
|
const certUpdates: CertUpdate[] = [];
|
||||||
|
const streamingDestinationUpdates: StreamingDestinationUpdate[] = [];
|
||||||
|
const webhookActionUpdates: WebhookActionUpdate[] = [];
|
||||||
|
|
||||||
// Process idpOidcConfig entries
|
// Process idpOidcConfig entries
|
||||||
for (const idpConfig of idpConfigs) {
|
for (const idpConfig of idpConfigs) {
|
||||||
@@ -217,6 +242,70 @@ export const rotateServerSecret: CommandModule<
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Process certificate entries
|
||||||
|
for (const cert of certs) {
|
||||||
|
try {
|
||||||
|
const encryptedCertFile = cert.certFile
|
||||||
|
? encrypt(decrypt(cert.certFile, oldSecret), newSecret)
|
||||||
|
: null;
|
||||||
|
const encryptedKeyFile = cert.keyFile
|
||||||
|
? encrypt(decrypt(cert.keyFile, oldSecret), newSecret)
|
||||||
|
: null;
|
||||||
|
|
||||||
|
certUpdates.push({
|
||||||
|
certId: cert.certId,
|
||||||
|
encryptedCertFile,
|
||||||
|
encryptedKeyFile
|
||||||
|
});
|
||||||
|
} catch (error) {
|
||||||
|
console.error(
|
||||||
|
`Error processing certificate ${cert.certId} (${cert.domain}):`,
|
||||||
|
error
|
||||||
|
);
|
||||||
|
throw error;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Process eventStreamingDestinations entries
|
||||||
|
for (const dest of streamingDestinations) {
|
||||||
|
try {
|
||||||
|
const decryptedConfig = decrypt(dest.config, oldSecret);
|
||||||
|
const encryptedConfig = encrypt(decryptedConfig, newSecret);
|
||||||
|
|
||||||
|
streamingDestinationUpdates.push({
|
||||||
|
destinationId: dest.destinationId,
|
||||||
|
encryptedConfig
|
||||||
|
});
|
||||||
|
} catch (error) {
|
||||||
|
console.error(
|
||||||
|
`Error processing event streaming destination ${dest.destinationId}:`,
|
||||||
|
error
|
||||||
|
);
|
||||||
|
throw error;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Process alertWebhookActions entries
|
||||||
|
for (const webhook of webhookActions) {
|
||||||
|
try {
|
||||||
|
if (webhook.config == null) continue;
|
||||||
|
|
||||||
|
const decryptedConfig = decrypt(webhook.config, oldSecret);
|
||||||
|
const encryptedConfig = encrypt(decryptedConfig, newSecret);
|
||||||
|
|
||||||
|
webhookActionUpdates.push({
|
||||||
|
webhookActionId: webhook.webhookActionId,
|
||||||
|
encryptedConfig
|
||||||
|
});
|
||||||
|
} catch (error) {
|
||||||
|
console.error(
|
||||||
|
`Error processing alert webhook action ${webhook.webhookActionId}:`,
|
||||||
|
error
|
||||||
|
);
|
||||||
|
throw error;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Perform all database updates in a single transaction
|
// Perform all database updates in a single transaction
|
||||||
console.log("\nUpdating database in transaction...");
|
console.log("\nUpdating database in transaction...");
|
||||||
await db.transaction(async (trx) => {
|
await db.transaction(async (trx) => {
|
||||||
@@ -250,10 +339,50 @@ export const rotateServerSecret: CommandModule<
|
|||||||
instanceId: update.encryptedInstanceId
|
instanceId: update.encryptedInstanceId
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Update certificate entries
|
||||||
|
for (const update of certUpdates) {
|
||||||
|
await trx
|
||||||
|
.update(certificates)
|
||||||
|
.set({
|
||||||
|
certFile: update.encryptedCertFile,
|
||||||
|
keyFile: update.encryptedKeyFile
|
||||||
|
})
|
||||||
|
.where(eq(certificates.certId, update.certId));
|
||||||
|
}
|
||||||
|
|
||||||
|
// Update event streaming destination entries
|
||||||
|
for (const update of streamingDestinationUpdates) {
|
||||||
|
await trx
|
||||||
|
.update(eventStreamingDestinations)
|
||||||
|
.set({ config: update.encryptedConfig })
|
||||||
|
.where(
|
||||||
|
eq(
|
||||||
|
eventStreamingDestinations.destinationId,
|
||||||
|
update.destinationId
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Update alert webhook action entries
|
||||||
|
for (const update of webhookActionUpdates) {
|
||||||
|
await trx
|
||||||
|
.update(alertWebhookActions)
|
||||||
|
.set({ config: update.encryptedConfig })
|
||||||
|
.where(
|
||||||
|
eq(
|
||||||
|
alertWebhookActions.webhookActionId,
|
||||||
|
update.webhookActionId
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
console.log(`Rotated ${idpUpdates.length} OIDC IdP configuration(s)`);
|
console.log(`Rotated ${idpUpdates.length} OIDC IdP configuration(s)`);
|
||||||
console.log(`Rotated ${licenseKeyUpdates.length} license key(s)`);
|
console.log(`Rotated ${licenseKeyUpdates.length} license key(s)`);
|
||||||
|
console.log(`Rotated ${certUpdates.length} certificate(s)`);
|
||||||
|
console.log(`Rotated ${streamingDestinationUpdates.length} event streaming destination(s)`);
|
||||||
|
console.log(`Rotated ${webhookActionUpdates.length} alert webhook action(s)`);
|
||||||
|
|
||||||
// Update config file with new secret
|
// Update config file with new secret
|
||||||
console.log("\nUpdating config file...");
|
console.log("\nUpdating config file...");
|
||||||
@@ -270,6 +399,9 @@ export const rotateServerSecret: CommandModule<
|
|||||||
console.log(`\nSummary:`);
|
console.log(`\nSummary:`);
|
||||||
console.log(` - OIDC IdP configurations: ${idpUpdates.length}`);
|
console.log(` - OIDC IdP configurations: ${idpUpdates.length}`);
|
||||||
console.log(` - License keys: ${licenseKeyUpdates.length}`);
|
console.log(` - License keys: ${licenseKeyUpdates.length}`);
|
||||||
|
console.log(` - Certificates: ${certUpdates.length}`);
|
||||||
|
console.log(` - Event streaming destinations: ${streamingDestinationUpdates.length}`);
|
||||||
|
console.log(` - Alert webhook actions: ${webhookActionUpdates.length}`);
|
||||||
console.log(
|
console.log(
|
||||||
`\n IMPORTANT: Restart the server for the new secret to take effect.`
|
`\n IMPORTANT: Restart the server for the new secret to take effect.`
|
||||||
);
|
);
|
||||||
|
|||||||
@@ -0,0 +1,85 @@
|
|||||||
|
import { CommandModule } from "yargs";
|
||||||
|
import { db, users } from "@server/db";
|
||||||
|
import { eq } from "drizzle-orm";
|
||||||
|
|
||||||
|
type SetServerAdminArgs = {
|
||||||
|
email: string;
|
||||||
|
remove: boolean;
|
||||||
|
};
|
||||||
|
|
||||||
|
export const setServerAdmin: CommandModule<{}, SetServerAdminArgs> = {
|
||||||
|
command: "set-server-admin",
|
||||||
|
describe: "Add or remove server admin by email address",
|
||||||
|
builder: (yargs) => {
|
||||||
|
return yargs
|
||||||
|
.option("email", {
|
||||||
|
type: "string",
|
||||||
|
demandOption: true,
|
||||||
|
describe: "User email address"
|
||||||
|
})
|
||||||
|
.option("remove", {
|
||||||
|
type: "boolean",
|
||||||
|
default: false,
|
||||||
|
describe: "Remove server admin status from the user"
|
||||||
|
});
|
||||||
|
},
|
||||||
|
handler: async (argv: SetServerAdminArgs) => {
|
||||||
|
try {
|
||||||
|
const email = argv.email.trim().toLowerCase();
|
||||||
|
|
||||||
|
const [user] = await db
|
||||||
|
.select()
|
||||||
|
.from(users)
|
||||||
|
.where(eq(users.email, email))
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
if (!user) {
|
||||||
|
console.error(`User with email '${email}' not found`);
|
||||||
|
process.exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (argv.remove) {
|
||||||
|
if (!user.serverAdmin) {
|
||||||
|
console.log(`User '${email}' is not a server admin`);
|
||||||
|
process.exit(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
const serverAdmins = await db
|
||||||
|
.select()
|
||||||
|
.from(users)
|
||||||
|
.where(eq(users.serverAdmin, true));
|
||||||
|
|
||||||
|
if (serverAdmins.length <= 1) {
|
||||||
|
console.error(
|
||||||
|
"Cannot remove server admin: at least one server admin must exist"
|
||||||
|
);
|
||||||
|
process.exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
await db
|
||||||
|
.update(users)
|
||||||
|
.set({ serverAdmin: false })
|
||||||
|
.where(eq(users.userId, user.userId));
|
||||||
|
|
||||||
|
console.log(`Server admin status removed from user '${email}'`);
|
||||||
|
process.exit(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (user.serverAdmin) {
|
||||||
|
console.log(`User '${email}' is already a server admin`);
|
||||||
|
process.exit(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
await db
|
||||||
|
.update(users)
|
||||||
|
.set({ serverAdmin: true })
|
||||||
|
.where(eq(users.userId, user.userId));
|
||||||
|
|
||||||
|
console.log(`User '${email}' has been marked as a server admin`);
|
||||||
|
process.exit(0);
|
||||||
|
} catch (error) {
|
||||||
|
console.error("Error:", error);
|
||||||
|
process.exit(1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
};
|
||||||
@@ -9,6 +9,9 @@ import { rotateServerSecret } from "./commands/rotateServerSecret";
|
|||||||
import { clearLicenseKeys } from "./commands/clearLicenseKeys";
|
import { clearLicenseKeys } from "./commands/clearLicenseKeys";
|
||||||
import { deleteClient } from "./commands/deleteClient";
|
import { deleteClient } from "./commands/deleteClient";
|
||||||
import { generateOrgCaKeys } from "./commands/generateOrgCaKeys";
|
import { generateOrgCaKeys } from "./commands/generateOrgCaKeys";
|
||||||
|
import { clearCertificates } from "./commands/clearCertificates";
|
||||||
|
import { disableUser2fa } from "./commands/disableUser2fa";
|
||||||
|
import { setServerAdmin } from "./commands/setServerAdmin";
|
||||||
|
|
||||||
yargs(hideBin(process.argv))
|
yargs(hideBin(process.argv))
|
||||||
.scriptName("pangctl")
|
.scriptName("pangctl")
|
||||||
@@ -19,5 +22,8 @@ yargs(hideBin(process.argv))
|
|||||||
.command(clearLicenseKeys)
|
.command(clearLicenseKeys)
|
||||||
.command(deleteClient)
|
.command(deleteClient)
|
||||||
.command(generateOrgCaKeys)
|
.command(generateOrgCaKeys)
|
||||||
|
.command(clearCertificates)
|
||||||
|
.command(disableUser2fa)
|
||||||
|
.command(setServerAdmin)
|
||||||
.demandCommand()
|
.demandCommand()
|
||||||
.help().argv;
|
.help().argv;
|
||||||
|
|||||||
@@ -41,7 +41,7 @@ services:
|
|||||||
- 80:80 # Port for traefik because of the network_mode
|
- 80:80 # Port for traefik because of the network_mode
|
||||||
|
|
||||||
traefik:
|
traefik:
|
||||||
image: traefik:v3.6
|
image: traefik:v3.7
|
||||||
container_name: traefik
|
container_name: traefik
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
network_mode: service:gerbil # Ports appear on the gerbil service
|
network_mode: service:gerbil # Ports appear on the gerbil service
|
||||||
@@ -0,0 +1,12 @@
|
|||||||
|
services:
|
||||||
|
mailer:
|
||||||
|
image: axllent/mailpit
|
||||||
|
ports:
|
||||||
|
- 8025:8025
|
||||||
|
- 1025:1025
|
||||||
|
volumes:
|
||||||
|
- mailpit-storage:/data
|
||||||
|
environment:
|
||||||
|
- MP_DATABASE=/data/mailpit.db
|
||||||
|
volumes:
|
||||||
|
mailpit-storage:
|
||||||
@@ -1,54 +1,47 @@
|
|||||||
api:
|
api:
|
||||||
insecure: true
|
insecure: true
|
||||||
dashboard: true
|
dashboard: true
|
||||||
|
|
||||||
providers:
|
providers:
|
||||||
http:
|
http:
|
||||||
endpoint: "http://pangolin:3001/api/v1/traefik-config"
|
endpoint: http://pangolin:3001/api/v1/traefik-config
|
||||||
pollInterval: "5s"
|
pollInterval: 5s
|
||||||
file:
|
file:
|
||||||
filename: "/etc/traefik/dynamic_config.yml"
|
filename: /etc/traefik/dynamic_config.yml
|
||||||
|
|
||||||
experimental:
|
experimental:
|
||||||
plugins:
|
plugins:
|
||||||
badger:
|
badger:
|
||||||
moduleName: "github.com/fosrl/badger"
|
moduleName: github.com/fosrl/badger
|
||||||
version: "{{.BadgerVersion}}"
|
version: v1.4.1
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: "INFO"
|
level: INFO
|
||||||
format: "common"
|
format: common
|
||||||
maxSize: 100
|
maxSize: 100
|
||||||
maxBackups: 3
|
maxBackups: 3
|
||||||
maxAge: 3
|
maxAge: 3
|
||||||
compress: true
|
compress: true
|
||||||
|
|
||||||
certificatesResolvers:
|
certificatesResolvers:
|
||||||
letsencrypt:
|
letsencrypt:
|
||||||
acme:
|
acme:
|
||||||
httpChallenge:
|
httpChallenge:
|
||||||
entryPoint: web
|
entryPoint: web
|
||||||
email: "{{.LetsEncryptEmail}}"
|
email: '{{.LetsEncryptEmail}}'
|
||||||
storage: "/letsencrypt/acme.json"
|
storage: /letsencrypt/acme.json
|
||||||
caServer: "https://acme-v02.api.letsencrypt.org/directory"
|
caServer: https://acme-v02.api.letsencrypt.org/directory
|
||||||
|
|
||||||
entryPoints:
|
entryPoints:
|
||||||
web:
|
web:
|
||||||
address: ":80"
|
address: ':80'
|
||||||
websecure:
|
websecure:
|
||||||
address: ":443"
|
address: ':443'
|
||||||
transport:
|
transport:
|
||||||
respondingTimeouts:
|
respondingTimeouts:
|
||||||
readTimeout: "30m"
|
readTimeout: 30m
|
||||||
http:
|
http:
|
||||||
tls:
|
tls:
|
||||||
certResolver: "letsencrypt"
|
certResolver: letsencrypt
|
||||||
encodedCharacters:
|
encodedCharacters:
|
||||||
allowEncodedSlash: true
|
allowEncodedSlash: true
|
||||||
allowEncodedQuestionMark: true
|
allowEncodedQuestionMark: true
|
||||||
|
|
||||||
serversTransport:
|
serversTransport:
|
||||||
insecureSkipVerify: true
|
insecureSkipVerify: true
|
||||||
|
|
||||||
ping:
|
ping:
|
||||||
entryPoint: "web"
|
entryPoint: web
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
import { APP_PATH } from "@server/lib/consts";
|
import { APP_PATH } from "./server/lib/consts";
|
||||||
import { defineConfig } from "drizzle-kit";
|
import { defineConfig } from "drizzle-kit";
|
||||||
import path from "path";
|
import path from "path";
|
||||||
|
|
||||||
|
|||||||
@@ -22,7 +22,8 @@ server:
|
|||||||
methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
|
methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
|
||||||
allowed_headers: ["X-CSRF-Token", "Content-Type"]
|
allowed_headers: ["X-CSRF-Token", "Content-Type"]
|
||||||
credentials: false
|
credentials: false
|
||||||
{{if .EnableGeoblocking}}maxmind_db_path: "./config/GeoLite2-Country.mmdb"{{end}}
|
{{if .EnableMaxMind}}maxmind_db_path: "./config/GeoLite2-Country.mmdb"{{end}}
|
||||||
|
{{if .EnableMaxMind}}maxmind_asn_path: "./config/GeoLite2-ASN.mmdb"{{end}}
|
||||||
{{if .EnableEmail}}
|
{{if .EnableEmail}}
|
||||||
email:
|
email:
|
||||||
smtp_host: "{{.EmailSMTPHost}}"
|
smtp_host: "{{.EmailSMTPHost}}"
|
||||||
@@ -36,3 +37,6 @@ flags:
|
|||||||
disable_signup_without_invite: true
|
disable_signup_without_invite: true
|
||||||
disable_user_create_org: false
|
disable_user_create_org: false
|
||||||
allow_raw_resources: true
|
allow_raw_resources: true
|
||||||
|
|
||||||
|
{{if .IsPostgreSQL}}postgres:
|
||||||
|
connection_string: postgresql://pangolin:{{.IsPostgreSQLPass}}@postgres:5432/pangolin{{end}}
|
||||||
|
|||||||
@@ -1,15 +1,23 @@
|
|||||||
name: pangolin
|
name: pangolin
|
||||||
services:
|
services:
|
||||||
pangolin:
|
pangolin:
|
||||||
image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{.PangolinVersion}}
|
image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{if .IsPostgreSQL}}postgresql-{{end}}{{.PangolinVersion}}
|
||||||
container_name: pangolin
|
container_name: pangolin
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
deploy:
|
deploy:
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
memory: 1g
|
memory: 2g
|
||||||
reservations:
|
reservations:
|
||||||
memory: 256m
|
memory: 512m
|
||||||
|
{{if or .IsPostgreSQL .IsRedis}}depends_on:
|
||||||
|
{{if .IsPostgreSQL}}postgres:
|
||||||
|
condition: service_healthy{{end}}
|
||||||
|
{{if .IsRedis}}redis:
|
||||||
|
condition: service_healthy{{end}}
|
||||||
|
networks:
|
||||||
|
- default
|
||||||
|
- backend{{end}}
|
||||||
volumes:
|
volumes:
|
||||||
- ./config:/app/config
|
- ./config:/app/config
|
||||||
healthcheck:
|
healthcheck:
|
||||||
@@ -17,8 +25,8 @@ services:
|
|||||||
interval: "10s"
|
interval: "10s"
|
||||||
timeout: "10s"
|
timeout: "10s"
|
||||||
retries: 15
|
retries: 15
|
||||||
{{if .InstallGerbil}}
|
|
||||||
gerbil:
|
{{if .InstallGerbil}}gerbil:
|
||||||
image: docker.io/fosrl/gerbil:{{.GerbilVersion}}
|
image: docker.io/fosrl/gerbil:{{.GerbilVersion}}
|
||||||
container_name: gerbil
|
container_name: gerbil
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
@@ -39,17 +47,16 @@ services:
|
|||||||
- 21820:21820/udp
|
- 21820:21820/udp
|
||||||
- 443:443
|
- 443:443
|
||||||
- 443:443/udp # For http3 QUIC if desired
|
- 443:443/udp # For http3 QUIC if desired
|
||||||
- 80:80
|
- 80:80{{end}}
|
||||||
{{end}}
|
|
||||||
traefik:
|
traefik:
|
||||||
image: docker.io/traefik:v3.6
|
image: docker.io/traefik:v3.7
|
||||||
container_name: traefik
|
container_name: traefik
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
{{if .InstallGerbil}} network_mode: service:gerbil # Ports appear on the gerbil service{{end}}{{if not .InstallGerbil}}
|
{{if .InstallGerbil}}network_mode: service:gerbil # Ports appear on the gerbil service{{end}}{{if not .InstallGerbil}}
|
||||||
ports:
|
ports:
|
||||||
- 443:443
|
- 443:443
|
||||||
- 80:80
|
- 80:80{{end}}
|
||||||
{{end}}
|
|
||||||
depends_on:
|
depends_on:
|
||||||
pangolin:
|
pangolin:
|
||||||
condition: service_healthy
|
condition: service_healthy
|
||||||
@@ -60,8 +67,50 @@ services:
|
|||||||
- ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
|
- ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
|
||||||
- ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
|
- ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
|
||||||
|
|
||||||
|
{{if .IsPostgreSQL}}postgres:
|
||||||
|
image: postgres:18
|
||||||
|
container_name: postgres
|
||||||
|
restart: unless-stopped
|
||||||
|
environment:
|
||||||
|
POSTGRES_USER: pangolin
|
||||||
|
POSTGRES_PASSWORD: {{.IsPostgreSQLPass}}
|
||||||
|
POSTGRES_DB: pangolin
|
||||||
|
volumes:
|
||||||
|
- ./postgres18:/var/lib/postgresql
|
||||||
|
healthcheck:
|
||||||
|
test: ["CMD-SHELL", "pg_isready -U pangolin"]
|
||||||
|
interval: 10s
|
||||||
|
timeout: 5s
|
||||||
|
retries: 5
|
||||||
|
networks:
|
||||||
|
- backend{{end}}
|
||||||
|
|
||||||
|
{{if .IsRedis}}redis:
|
||||||
|
image: redis:8-trixie
|
||||||
|
container_name: redis
|
||||||
|
restart: unless-stopped
|
||||||
|
command: >
|
||||||
|
redis-server
|
||||||
|
--save 3600 1000
|
||||||
|
--appendonly yes
|
||||||
|
--requirepass {{.IsRedisPass}}
|
||||||
|
volumes:
|
||||||
|
- ./redis8:/data
|
||||||
|
healthcheck:
|
||||||
|
test: ["CMD", "redis-cli", "-a", "{{.IsRedisPass}}", "ping"]
|
||||||
|
interval: 10s
|
||||||
|
timeout: 3s
|
||||||
|
retries: 3
|
||||||
|
start_period: 10s
|
||||||
|
networks:
|
||||||
|
- backend{{end}}
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
default:
|
default:
|
||||||
driver: bridge
|
driver: bridge
|
||||||
name: pangolin
|
name: pangolin_frontend
|
||||||
{{if .EnableIPv6}} enable_ipv6: true{{end}}
|
{{if .EnableIPv6}} enable_ipv6: true{{end}}
|
||||||
|
{{if or .IsPostgreSQL .IsRedis}} backend:
|
||||||
|
driver: bridge
|
||||||
|
name: pangolin_backend
|
||||||
|
internal: true{{end}}
|
||||||
|
|||||||
@@ -0,0 +1,4 @@
|
|||||||
|
{{if .IsRedis}}redis:
|
||||||
|
host: "redis"
|
||||||
|
port: 6379
|
||||||
|
password: "{{.IsRedisPass}}"{{end}}
|
||||||
@@ -5,7 +5,7 @@ go 1.25.0
|
|||||||
require (
|
require (
|
||||||
github.com/charmbracelet/huh v1.0.0
|
github.com/charmbracelet/huh v1.0.0
|
||||||
github.com/charmbracelet/lipgloss v1.1.0
|
github.com/charmbracelet/lipgloss v1.1.0
|
||||||
golang.org/x/term v0.42.0
|
golang.org/x/term v0.44.0
|
||||||
gopkg.in/yaml.v3 v3.0.1
|
gopkg.in/yaml.v3 v3.0.1
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -33,6 +33,6 @@ require (
|
|||||||
github.com/rivo/uniseg v0.4.7 // indirect
|
github.com/rivo/uniseg v0.4.7 // indirect
|
||||||
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
|
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
|
||||||
golang.org/x/sync v0.15.0 // indirect
|
golang.org/x/sync v0.15.0 // indirect
|
||||||
golang.org/x/sys v0.43.0 // indirect
|
golang.org/x/sys v0.46.0 // indirect
|
||||||
golang.org/x/text v0.23.0 // indirect
|
golang.org/x/text v0.23.0 // indirect
|
||||||
)
|
)
|
||||||
|
|||||||
@@ -69,10 +69,10 @@ golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
|
|||||||
golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
|
golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
|
||||||
golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||||
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||||
golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
|
golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
|
||||||
golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
|
golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
|
||||||
golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
|
golang.org/x/term v0.44.0 h1:0rLvDRCtNj0gZkyIXhCyOb2OAzEhLVqc4B+hrsBhrmc=
|
||||||
golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
|
golang.org/x/term v0.44.0/go.mod h1:7ze4MdzUzLXpSAoFP1H0bOI9aXDqveSvatT5vKcFh2Y=
|
||||||
golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
|
golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
|
||||||
golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
|
golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
|
||||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
|
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
|
||||||
|
|||||||
@@ -4,6 +4,7 @@ import (
|
|||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"embed"
|
"embed"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
|
"flag"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"io/fs"
|
"io/fs"
|
||||||
@@ -53,9 +54,13 @@ type Config struct {
|
|||||||
InstallGerbil bool
|
InstallGerbil bool
|
||||||
TraefikBouncerKey string
|
TraefikBouncerKey string
|
||||||
DoCrowdsecInstall bool
|
DoCrowdsecInstall bool
|
||||||
EnableGeoblocking bool
|
EnableMaxMind bool
|
||||||
Secret string
|
Secret string
|
||||||
IsEnterprise bool
|
IsEnterprise bool
|
||||||
|
IsPostgreSQL bool
|
||||||
|
IsPostgreSQLPass string
|
||||||
|
IsRedis bool
|
||||||
|
IsRedisPass string
|
||||||
}
|
}
|
||||||
|
|
||||||
type SupportedContainer string
|
type SupportedContainer string
|
||||||
@@ -66,8 +71,14 @@ const (
|
|||||||
Undefined SupportedContainer = "undefined"
|
Undefined SupportedContainer = "undefined"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
var redisFlag *bool
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
|
|
||||||
|
crowdsecFlag := flag.Bool("crowdsec", false, "Enable the CrowdSec installation prompt")
|
||||||
|
redisFlag = flag.Bool("redis", false, "Install Redis as cacheing solution. Required for HA. Not required for the Enterprise version.")
|
||||||
|
flag.Parse()
|
||||||
|
|
||||||
// print a banner about prerequisites - opening port 80, 443, 51820, and 21820 on the VPS and firewall and pointing your domain to the VPS IP with a records. Docs are at http://localhost:3000/Getting%20Started/dns-networking
|
// print a banner about prerequisites - opening port 80, 443, 51820, and 21820 on the VPS and firewall and pointing your domain to the VPS IP with a records. Docs are at http://localhost:3000/Getting%20Started/dns-networking
|
||||||
|
|
||||||
fmt.Println("Welcome to the Pangolin installer!")
|
fmt.Println("Welcome to the Pangolin installer!")
|
||||||
@@ -119,11 +130,11 @@ func main() {
|
|||||||
|
|
||||||
fmt.Println("\nConfiguration files created successfully!")
|
fmt.Println("\nConfiguration files created successfully!")
|
||||||
|
|
||||||
// Download MaxMind database if requested
|
// Download MaxMind Country / ASN database if requested
|
||||||
if config.EnableGeoblocking {
|
if config.EnableMaxMind {
|
||||||
fmt.Println("\n=== Downloading MaxMind Database ===")
|
fmt.Println("\n=== Downloading MaxMind Country and ASN Databases ===")
|
||||||
if err := downloadMaxMindDatabase(); err != nil {
|
if err := downloadMaxMindDatabase(); err != nil {
|
||||||
fmt.Printf("Error downloading MaxMind database: %v\n", err)
|
fmt.Printf("Error downloading MaxMind databases: %v\n", err)
|
||||||
fmt.Println("You can download it manually later if needed.")
|
fmt.Println("You can download it manually later if needed.")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -184,15 +195,15 @@ func main() {
|
|||||||
fmt.Println("\n=== MaxMind Database Update ===")
|
fmt.Println("\n=== MaxMind Database Update ===")
|
||||||
if _, err := os.Stat("config/GeoLite2-Country.mmdb"); err == nil {
|
if _, err := os.Stat("config/GeoLite2-Country.mmdb"); err == nil {
|
||||||
fmt.Println("MaxMind GeoLite2 Country database found.")
|
fmt.Println("MaxMind GeoLite2 Country database found.")
|
||||||
if readBool("Would you like to update the MaxMind database to the latest version?", false) {
|
if readBool("Would you like to update the MaxMind databases (Country and ASN) to the latest version?", false) {
|
||||||
if err := downloadMaxMindDatabase(); err != nil {
|
if err := downloadMaxMindDatabase(); err != nil {
|
||||||
fmt.Printf("Error updating MaxMind database: %v\n", err)
|
fmt.Printf("Error updating MaxMind database: %v\n", err)
|
||||||
fmt.Println("You can try updating it manually later if needed.")
|
fmt.Println("You can try updating it manually later if needed.")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
fmt.Println("MaxMind GeoLite2 Country database not found.")
|
fmt.Println("MaxMind GeoLite2 Country and ASN databases not found.")
|
||||||
if readBool("Would you like to download the MaxMind GeoLite2 database for geoblocking functionality?", false) {
|
if readBool("Would you like to download the MaxMind GeoLite2 databases for blocking functionality?", false) {
|
||||||
if err := downloadMaxMindDatabase(); err != nil {
|
if err := downloadMaxMindDatabase(); err != nil {
|
||||||
fmt.Printf("Error downloading MaxMind database: %v\n", err)
|
fmt.Printf("Error downloading MaxMind database: %v\n", err)
|
||||||
fmt.Println("You can try downloading it manually later if needed.")
|
fmt.Println("You can try downloading it manually later if needed.")
|
||||||
@@ -200,13 +211,15 @@ func main() {
|
|||||||
// Now you need to update your config file accordingly to enable geoblocking
|
// Now you need to update your config file accordingly to enable geoblocking
|
||||||
fmt.Print("Please remember to update your config/config.yml file to enable geoblocking! \n\n")
|
fmt.Print("Please remember to update your config/config.yml file to enable geoblocking! \n\n")
|
||||||
// add maxmind_db_path: "./config/GeoLite2-Country.mmdb" under server
|
// add maxmind_db_path: "./config/GeoLite2-Country.mmdb" under server
|
||||||
fmt.Println("Add the following line under the 'server' section:")
|
// add maxmind_asn_path: "./config/GeoLite2-ASN.mmdb" under server
|
||||||
|
fmt.Println("Add the following lines under the 'server' section:")
|
||||||
fmt.Println(" maxmind_db_path: \"./config/GeoLite2-Country.mmdb\"")
|
fmt.Println(" maxmind_db_path: \"./config/GeoLite2-Country.mmdb\"")
|
||||||
|
fmt.Println(" maxmind_asn_path: \"./config/GeoLite2-ASN.mmdb\"")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if !checkIsCrowdsecInstalledInCompose() {
|
if *crowdsecFlag && !checkIsCrowdsecInstalledInCompose() {
|
||||||
fmt.Println("\n=== CrowdSec Install ===")
|
fmt.Println("\n=== CrowdSec Install ===")
|
||||||
// check if crowdsec is installed
|
// check if crowdsec is installed
|
||||||
if readBool("Would you like to install CrowdSec?", false) {
|
if readBool("Would you like to install CrowdSec?", false) {
|
||||||
@@ -480,6 +493,17 @@ func collectUserInput() Config {
|
|||||||
fmt.Println("\n=== Basic Configuration ===")
|
fmt.Println("\n=== Basic Configuration ===")
|
||||||
|
|
||||||
config.IsEnterprise = readBoolNoDefault("Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
|
config.IsEnterprise = readBoolNoDefault("Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
|
||||||
|
if config.IsEnterprise {
|
||||||
|
if *redisFlag {
|
||||||
|
config.IsRedis = true
|
||||||
|
config.IsRedisPass = readPassword("Enter a unique password for the Redis service.")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
config.IsPostgreSQL = readBool("Do you want to use PostgreSQL (not recommended for most users)?", false)
|
||||||
|
if config.IsPostgreSQL {
|
||||||
|
config.IsPostgreSQLPass = readPassword("Enter a unique password for the PostgreSQL pangolin user.")
|
||||||
|
}
|
||||||
|
|
||||||
config.BaseDomain = readString("Enter your base domain (no subdomain e.g. example.com)", "")
|
config.BaseDomain = readString("Enter your base domain (no subdomain e.g. example.com)", "")
|
||||||
|
|
||||||
@@ -523,7 +547,7 @@ func collectUserInput() Config {
|
|||||||
fmt.Println("\n=== Advanced Configuration ===")
|
fmt.Println("\n=== Advanced Configuration ===")
|
||||||
|
|
||||||
config.EnableIPv6 = readBool("Is your server IPv6 capable?", true)
|
config.EnableIPv6 = readBool("Is your server IPv6 capable?", true)
|
||||||
config.EnableGeoblocking = readBool("Do you want to download the MaxMind GeoLite2 database for geoblocking functionality?", true)
|
config.EnableMaxMind = readBool("Do you want to download the MaxMind GeoLite2 Country and ASN databases for blocking functionality?", true)
|
||||||
|
|
||||||
if config.DashboardDomain == "" {
|
if config.DashboardDomain == "" {
|
||||||
fmt.Println("Error: Dashboard Domain name is required")
|
fmt.Println("Error: Dashboard Domain name is required")
|
||||||
@@ -776,29 +800,42 @@ func checkPortsAvailable(port int) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func downloadMaxMindDatabase() error {
|
func downloadMaxMindDatabase() error {
|
||||||
fmt.Println("Downloading MaxMind GeoLite2 Country database...")
|
fmt.Println("Downloading MaxMind GeoLite2 Country and ASN databases...")
|
||||||
|
|
||||||
// Download the GeoLite2 Country database
|
// Download the GeoLite2 Country databases
|
||||||
if err := run("curl", "-L", "-o", "GeoLite2-Country.tar.gz",
|
if err := run("curl", "-L", "-o", "GeoLite2-Country.tar.gz",
|
||||||
"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-Country.tar.gz"); err != nil {
|
"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-Country.tar.gz"); err != nil {
|
||||||
return fmt.Errorf("failed to download GeoLite2 database: %v", err)
|
return fmt.Errorf("failed to download GeoLite2 Country database: %v", err)
|
||||||
|
}
|
||||||
|
if err := run("curl", "-L", "-o", "GeoLite2-ASN.tar.gz",
|
||||||
|
"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-ASN.tar.gz"); err != nil {
|
||||||
|
return fmt.Errorf("failed to download GeoLite2 ASN database: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Extract the database
|
// Extract the Country database
|
||||||
if err := run("tar", "-xzf", "GeoLite2-Country.tar.gz"); err != nil {
|
if err := run("tar", "-xzf", "GeoLite2-Country.tar.gz"); err != nil {
|
||||||
return fmt.Errorf("failed to extract GeoLite2 database: %v", err)
|
return fmt.Errorf("failed to extract GeoLite2 Country database: %v", err)
|
||||||
|
}
|
||||||
|
if err := run("tar", "-xzf", "GeoLite2-ASN.tar.gz"); err != nil {
|
||||||
|
return fmt.Errorf("failed to extract GeoLite2 ASN database: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Find the .mmdb file and move it to the config directory
|
// Find the .mmdb file and move it to the config directory
|
||||||
if err := run("bash", "-c", "mv GeoLite2-Country_*/GeoLite2-Country.mmdb config/"); err != nil {
|
if err := run("bash", "-c", "mv GeoLite2-Country_*/GeoLite2-Country.mmdb config/"); err != nil {
|
||||||
return fmt.Errorf("failed to move GeoLite2 database to config directory: %v", err)
|
return fmt.Errorf("failed to move GeoLite2 Country database to config directory: %v", err)
|
||||||
|
}
|
||||||
|
if err := run("bash", "-c", "mv GeoLite2-ASN_*/GeoLite2-ASN.mmdb config/"); err != nil {
|
||||||
|
return fmt.Errorf("failed to move GeoLite2 ASN database to config directory: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Clean up the downloaded files
|
// Clean up the downloaded files
|
||||||
if err := run("rm", "-rf", "GeoLite2-Country.tar.gz", "GeoLite2-Country_*"); err != nil {
|
if err := run("sh", "-c", "rm -rf GeoLite2-Country.tar.gz GeoLite2-Country_*"); err != nil {
|
||||||
fmt.Printf("Warning: failed to clean up temporary files: %v\n", err)
|
fmt.Printf("Warning: failed to clean up temporary country files: %v\n", err)
|
||||||
|
}
|
||||||
|
if err := run("sh", "-c", "rm -rf GeoLite2-ASN.tar.gz GeoLite2-ASN_*"); err != nil {
|
||||||
|
fmt.Printf("Warning: failed to clean up temporary ASN files: %v\n", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
fmt.Println("MaxMind GeoLite2 Country database downloaded successfully!")
|
fmt.Println("MaxMind GeoLite2 Country and ASN database downloaded successfully!")
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -152,8 +152,8 @@
|
|||||||
"shareErrorSelectResource": "請選擇一個資源",
|
"shareErrorSelectResource": "請選擇一個資源",
|
||||||
"proxyResourceTitle": "管理公開資源",
|
"proxyResourceTitle": "管理公開資源",
|
||||||
"proxyResourceDescription": "建立和管理可透過網頁瀏覽器公開存取的資源",
|
"proxyResourceDescription": "建立和管理可透過網頁瀏覽器公開存取的資源",
|
||||||
"proxyResourcesBannerTitle": "基於網頁的公開存取",
|
"publicResourcesBannerTitle": "基於網頁的公開存取",
|
||||||
"proxyResourcesBannerDescription": "公開資源是任何人都可以透過網頁瀏覽器存取的 HTTPS 或 TCP/UDP 代理。與私有資源不同,它們不需要客戶端軟體,並且可以包含基於身份和情境感知的存取策略。",
|
"publicResourcesBannerDescription": "公開資源是任何人都可以透過網頁瀏覽器存取的 HTTPS 或 TCP/UDP 代理。與私有資源不同,它們不需要客戶端軟體,並且可以包含基於身份和情境感知的存取策略。",
|
||||||
"clientResourceTitle": "管理私有資源",
|
"clientResourceTitle": "管理私有資源",
|
||||||
"clientResourceDescription": "建立和管理只能透過已連接的客戶端存取的資源",
|
"clientResourceDescription": "建立和管理只能透過已連接的客戶端存取的資源",
|
||||||
"privateResourcesBannerTitle": "零信任私有存取",
|
"privateResourcesBannerTitle": "零信任私有存取",
|
||||||
@@ -489,7 +489,7 @@
|
|||||||
"createdAt": "創建於",
|
"createdAt": "創建於",
|
||||||
"proxyErrorInvalidHeader": "無效的自訂主機 Header。使用域名格式,或將空保存為取消自訂 Header。",
|
"proxyErrorInvalidHeader": "無效的自訂主機 Header。使用域名格式,或將空保存為取消自訂 Header。",
|
||||||
"proxyErrorTls": "無效的 TLS 伺服器名稱。使用域名格式,或保存空以刪除 TLS 伺服器名稱。",
|
"proxyErrorTls": "無效的 TLS 伺服器名稱。使用域名格式,或保存空以刪除 TLS 伺服器名稱。",
|
||||||
"proxyEnableSSL": "啟用 SSL",
|
"proxyEnableSSL": "啟用 TLS",
|
||||||
"proxyEnableSSLDescription": "啟用 SSL/TLS 加密以確保您目標的 HTTPS 連接。",
|
"proxyEnableSSLDescription": "啟用 SSL/TLS 加密以確保您目標的 HTTPS 連接。",
|
||||||
"target": "目標",
|
"target": "目標",
|
||||||
"configureTarget": "配置目標",
|
"configureTarget": "配置目標",
|
||||||
@@ -1099,6 +1099,7 @@
|
|||||||
"actionGenerateAccessToken": "生成訪問令牌",
|
"actionGenerateAccessToken": "生成訪問令牌",
|
||||||
"actionDeleteAccessToken": "刪除訪問令牌",
|
"actionDeleteAccessToken": "刪除訪問令牌",
|
||||||
"actionListAccessTokens": "訪問令牌",
|
"actionListAccessTokens": "訪問令牌",
|
||||||
|
"actionCreateResourceSessionToken": "建立資源工作階段權杖",
|
||||||
"actionCreateResourceRule": "創建資源規則",
|
"actionCreateResourceRule": "創建資源規則",
|
||||||
"actionDeleteResourceRule": "刪除資源規則",
|
"actionDeleteResourceRule": "刪除資源規則",
|
||||||
"actionListResourceRules": "列出資源規則",
|
"actionListResourceRules": "列出資源規則",
|
||||||
@@ -1763,7 +1764,7 @@
|
|||||||
"description": "更可靠、維護成本更低的自架 Pangolin 伺服器,並附帶額外的附加功能",
|
"description": "更可靠、維護成本更低的自架 Pangolin 伺服器,並附帶額外的附加功能",
|
||||||
"introTitle": "託管式自架 Pangolin",
|
"introTitle": "託管式自架 Pangolin",
|
||||||
"introDescription": "這是一種部署選擇,為那些希望簡潔和額外可靠的人設計,同時仍然保持他們的數據的私密性和自我託管性。",
|
"introDescription": "這是一種部署選擇,為那些希望簡潔和額外可靠的人設計,同時仍然保持他們的數據的私密性和自我託管性。",
|
||||||
"introDetail": "通過此選項,您仍然運行您自己的 Pangolin 節點 - - 您的隧道、SSL 終止,並且流量在您的伺服器上保持所有狀態。 不同之處在於,管理和監測是通過我們的雲層儀錶板進行的,該儀錶板開啟了一些好處:",
|
"introDetail": "通過此選項,您仍然運行您自己的 Pangolin 節點 - - 您的隧道、TLS 終止,並且流量在您的伺服器上保持所有狀態。 不同之處在於,管理和監測是通過我們的雲層儀錶板進行的,該儀錶板開啟了一些好處:",
|
||||||
"benefitSimplerOperations": {
|
"benefitSimplerOperations": {
|
||||||
"title": "簡單的操作",
|
"title": "簡單的操作",
|
||||||
"description": "無需運行您自己的郵件伺服器或設置複雜的警報。您將從方框中獲得健康檢查和下限提醒。"
|
"description": "無需運行您自己的郵件伺服器或設置複雜的警報。您將從方框中獲得健康檢查和下限提醒。"
|
||||||
|
|||||||
@@ -1,17 +1,42 @@
|
|||||||
import type { NextConfig } from "next";
|
import type { NextConfig } from "next";
|
||||||
import createNextIntlPlugin from "next-intl/plugin";
|
import createNextIntlPlugin from "next-intl/plugin";
|
||||||
|
import fs from "fs";
|
||||||
|
import path from "path";
|
||||||
|
|
||||||
const withNextIntl = createNextIntlPlugin();
|
const withNextIntl = createNextIntlPlugin();
|
||||||
|
// read allowedDevOrigins.json if it exists
|
||||||
|
let allowedDevOrigins: string[] = [];
|
||||||
|
const allowedDevOriginsPath = path.join(
|
||||||
|
process.cwd(),
|
||||||
|
"allowedDevOrigins.json"
|
||||||
|
);
|
||||||
|
if (fs.existsSync(allowedDevOriginsPath)) {
|
||||||
|
try {
|
||||||
|
const data = fs.readFileSync(allowedDevOriginsPath, "utf-8");
|
||||||
|
allowedDevOrigins = JSON.parse(data);
|
||||||
|
} catch {}
|
||||||
|
}
|
||||||
|
|
||||||
const nextConfig: NextConfig = {
|
const nextConfig: NextConfig = {
|
||||||
reactStrictMode: false,
|
reactStrictMode: false,
|
||||||
eslint: {
|
reactCompiler: true,
|
||||||
ignoreDuringBuilds: true
|
transpilePackages: ["@novnc/novnc"],
|
||||||
|
output: "standalone",
|
||||||
|
allowedDevOrigins,
|
||||||
|
async redirects() {
|
||||||
|
return [
|
||||||
|
{
|
||||||
|
source: "/:orgId/settings/resources/proxy/:path*",
|
||||||
|
destination: "/:orgId/settings/resources/public/:path*",
|
||||||
|
permanent: true
|
||||||
},
|
},
|
||||||
experimental: {
|
{
|
||||||
reactCompiler: true
|
source: "/:orgId/settings/resources/client/:path*",
|
||||||
},
|
destination: "/:orgId/settings/resources/private/:path*",
|
||||||
output: "standalone"
|
permanent: true
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
export default withNextIntl(nextConfig);
|
export default withNextIntl(nextConfig);
|
||||||
|
|||||||
@@ -32,13 +32,15 @@
|
|||||||
"format": "prettier --write ."
|
"format": "prettier --write ."
|
||||||
},
|
},
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@asteasolutions/zod-to-openapi": "8.4.1",
|
"@asteasolutions/zod-to-openapi": "8.5.0",
|
||||||
"@aws-sdk/client-s3": "3.1011.0",
|
"@devolutions/iron-remote-desktop": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-0.0.0.tgz",
|
||||||
"@faker-js/faker": "10.3.0",
|
"@devolutions/iron-remote-desktop-rdp": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-rdp-0.0.1.tgz",
|
||||||
"@headlessui/react": "2.2.9",
|
"@aws-sdk/client-s3": "3.1056.0",
|
||||||
"@hookform/resolvers": "5.2.2",
|
"@headlessui/react": "2.2.10",
|
||||||
|
"@hookform/resolvers": "5.4.0",
|
||||||
"@monaco-editor/react": "4.7.0",
|
"@monaco-editor/react": "4.7.0",
|
||||||
"@node-rs/argon2": "2.0.2",
|
"@node-rs/argon2": "2.0.2",
|
||||||
|
"@novnc/novnc": "^1.7.0",
|
||||||
"@oslojs/crypto": "1.0.1",
|
"@oslojs/crypto": "1.0.1",
|
||||||
"@oslojs/encoding": "1.1.0",
|
"@oslojs/encoding": "1.1.0",
|
||||||
"@radix-ui/react-avatar": "1.1.11",
|
"@radix-ui/react-avatar": "1.1.11",
|
||||||
@@ -59,16 +61,20 @@
|
|||||||
"@radix-ui/react-tabs": "1.1.13",
|
"@radix-ui/react-tabs": "1.1.13",
|
||||||
"@radix-ui/react-toast": "1.2.15",
|
"@radix-ui/react-toast": "1.2.15",
|
||||||
"@radix-ui/react-tooltip": "1.2.8",
|
"@radix-ui/react-tooltip": "1.2.8",
|
||||||
"@react-email/components": "1.0.8",
|
"@react-email/body": "0.3.0",
|
||||||
"@react-email/render": "2.0.4",
|
"@react-email/components": "1.0.12",
|
||||||
"@react-email/tailwind": "2.0.5",
|
"@react-email/render": "2.0.8",
|
||||||
|
"@react-email/tailwind": "2.0.7",
|
||||||
"@simplewebauthn/browser": "13.3.0",
|
"@simplewebauthn/browser": "13.3.0",
|
||||||
"@simplewebauthn/server": "13.3.0",
|
"@simplewebauthn/server": "13.3.1",
|
||||||
"@tailwindcss/forms": "0.5.11",
|
"@tailwindcss/forms": "0.5.11",
|
||||||
"@tanstack/react-query": "5.90.21",
|
"@tanstack/react-query": "5.100.14",
|
||||||
"@tanstack/react-table": "8.21.3",
|
"@tanstack/react-table": "8.21.3",
|
||||||
|
"@xterm/addon-fit": "^0.11.0",
|
||||||
|
"@xterm/addon-web-links": "^0.12.0",
|
||||||
|
"@xterm/xterm": "^6.0.0",
|
||||||
"arctic": "3.7.0",
|
"arctic": "3.7.0",
|
||||||
"axios": "1.15.0",
|
"axios": "1.16.1",
|
||||||
"better-sqlite3": "11.9.1",
|
"better-sqlite3": "11.9.1",
|
||||||
"canvas-confetti": "1.9.4",
|
"canvas-confetti": "1.9.4",
|
||||||
"class-variance-authority": "0.7.1",
|
"class-variance-authority": "0.7.1",
|
||||||
@@ -80,77 +86,76 @@
|
|||||||
"d3": "7.9.0",
|
"d3": "7.9.0",
|
||||||
"drizzle-orm": "0.45.2",
|
"drizzle-orm": "0.45.2",
|
||||||
"express": "5.2.1",
|
"express": "5.2.1",
|
||||||
"express-rate-limit": "8.3.0",
|
"express-rate-limit": "8.5.2",
|
||||||
"glob": "13.0.6",
|
"glob": "13.0.6",
|
||||||
"helmet": "8.1.0",
|
"helmet": "8.2.0",
|
||||||
"http-errors": "2.0.1",
|
"http-errors": "2.0.1",
|
||||||
"input-otp": "1.4.2",
|
"input-otp": "1.4.2",
|
||||||
"ioredis": "5.10.0",
|
"ioredis": "5.11.0",
|
||||||
"jmespath": "0.16.0",
|
"jmespath": "0.16.0",
|
||||||
"js-yaml": "4.1.1",
|
"js-yaml": "4.2.0",
|
||||||
"jsonwebtoken": "9.0.3",
|
"jsonwebtoken": "9.0.3",
|
||||||
"lucide-react": "0.577.0",
|
"lucide-react": "1.17.0",
|
||||||
"maxmind": "5.0.5",
|
"maxmind": "5.0.6",
|
||||||
"moment": "2.30.1",
|
"moment": "2.30.1",
|
||||||
"next": "15.5.15",
|
"next": "16.2.6",
|
||||||
"next-intl": "4.8.3",
|
"next-intl": "4.13.0",
|
||||||
"next-themes": "0.4.6",
|
"next-themes": "0.4.6",
|
||||||
"nextjs-toploader": "3.9.17",
|
"nextjs-toploader": "3.9.17",
|
||||||
"node-cache": "5.1.2",
|
"node-cache": "5.1.2",
|
||||||
"nodemailer": "8.0.5",
|
"nodemailer": "9.0.1",
|
||||||
"oslo": "1.2.1",
|
"oslo": "1.2.1",
|
||||||
"pg": "8.20.0",
|
"pg": "8.21.0",
|
||||||
"posthog-node": "5.28.0",
|
"posthog-node": "5.35.6",
|
||||||
"qrcode.react": "4.2.0",
|
"qrcode.react": "4.2.0",
|
||||||
"react": "19.2.4",
|
"react": "19.2.6",
|
||||||
"react-day-picker": "9.14.0",
|
"react-day-picker": "9.14.0",
|
||||||
"react-dom": "19.2.4",
|
"react-dom": "19.2.6",
|
||||||
"react-easy-sort": "1.8.0",
|
"react-easy-sort": "1.8.0",
|
||||||
"react-hook-form": "7.71.2",
|
"react-hook-form": "7.76.1",
|
||||||
"react-icons": "5.6.0",
|
"react-icons": "5.6.0",
|
||||||
"recharts": "2.15.4",
|
"recharts": "3.8.1",
|
||||||
"reodotdev": "1.1.0",
|
"reodotdev": "1.1.0",
|
||||||
"resend": "6.9.2",
|
"semver": "7.8.1",
|
||||||
"semver": "7.7.4",
|
|
||||||
"sshpk": "1.18.0",
|
"sshpk": "1.18.0",
|
||||||
"stripe": "20.4.1",
|
"stripe": "22.2.0",
|
||||||
"swagger-ui-express": "5.0.1",
|
"swagger-ui-express": "5.0.1",
|
||||||
"tailwind-merge": "3.5.0",
|
"tailwind-merge": "3.6.0",
|
||||||
"topojson-client": "3.1.0",
|
"topojson-client": "3.1.0",
|
||||||
"tw-animate-css": "1.4.0",
|
"tw-animate-css": "1.4.0",
|
||||||
"use-debounce": "10.1.0",
|
"use-debounce": "10.1.1",
|
||||||
"uuid": "13.0.0",
|
"uuid": "14.0.0",
|
||||||
"vaul": "1.1.2",
|
"vaul": "1.1.2",
|
||||||
"visionscarto-world-atlas": "1.0.0",
|
"visionscarto-world-atlas": "1.0.0",
|
||||||
"winston": "3.19.0",
|
"winston": "3.19.0",
|
||||||
"winston-daily-rotate-file": "5.0.0",
|
"winston-daily-rotate-file": "5.0.0",
|
||||||
"ws": "8.19.0",
|
"ws": "8.21.0",
|
||||||
"yaml": "2.8.3",
|
"yaml": "2.9.0",
|
||||||
"yargs": "18.0.0",
|
"yargs": "18.0.0",
|
||||||
"zod": "4.3.6",
|
"zod": "4.4.3",
|
||||||
"zod-validation-error": "5.0.0"
|
"zod-validation-error": "5.0.0"
|
||||||
},
|
},
|
||||||
"devDependencies": {
|
"devDependencies": {
|
||||||
"@dotenvx/dotenvx": "1.54.1",
|
"@dotenvx/dotenvx": "1.69.1",
|
||||||
"@esbuild-plugins/tsconfig-paths": "0.1.2",
|
"@esbuild-plugins/tsconfig-paths": "0.1.2",
|
||||||
"@react-email/preview-server": "5.2.10",
|
"@react-email/ui": "^6.5.0",
|
||||||
"@tailwindcss/postcss": "4.2.2",
|
"@tailwindcss/postcss": "4.3.0",
|
||||||
"@tanstack/react-query-devtools": "5.91.3",
|
"@tanstack/react-query-devtools": "5.100.14",
|
||||||
"@types/better-sqlite3": "7.6.13",
|
"@types/better-sqlite3": "7.6.13",
|
||||||
"@types/cookie-parser": "1.4.10",
|
"@types/cookie-parser": "1.4.10",
|
||||||
"@types/cors": "2.8.19",
|
"@types/cors": "2.8.19",
|
||||||
"@types/crypto-js": "4.2.2",
|
"@types/crypto-js": "4.2.2",
|
||||||
"@types/d3": "7.4.3",
|
"@types/d3": "7.4.3",
|
||||||
"@types/express": "5.0.6",
|
"@types/express": "5.0.6",
|
||||||
"@types/express-session": "1.18.2",
|
"@types/express-session": "1.19.0",
|
||||||
"@types/jmespath": "0.15.2",
|
"@types/jmespath": "0.15.2",
|
||||||
"@types/js-yaml": "4.0.9",
|
"@types/js-yaml": "4.0.9",
|
||||||
"@types/jsonwebtoken": "9.0.10",
|
"@types/jsonwebtoken": "9.0.10",
|
||||||
"@types/node": "25.3.5",
|
"@types/node": "25.9.1",
|
||||||
"@types/nodemailer": "7.0.11",
|
"@types/nodemailer": "8.0.0",
|
||||||
"@types/nprogress": "0.2.3",
|
"@types/nprogress": "0.2.3",
|
||||||
"@types/pg": "8.18.0",
|
"@types/pg": "8.20.0",
|
||||||
"@types/react": "19.2.14",
|
"@types/react": "19.2.15",
|
||||||
"@types/react-dom": "19.2.3",
|
"@types/react-dom": "19.2.3",
|
||||||
"@types/semver": "7.7.1",
|
"@types/semver": "7.7.1",
|
||||||
"@types/sshpk": "1.17.4",
|
"@types/sshpk": "1.17.4",
|
||||||
@@ -160,21 +165,22 @@
|
|||||||
"@types/yargs": "17.0.35",
|
"@types/yargs": "17.0.35",
|
||||||
"babel-plugin-react-compiler": "1.0.0",
|
"babel-plugin-react-compiler": "1.0.0",
|
||||||
"drizzle-kit": "0.31.10",
|
"drizzle-kit": "0.31.10",
|
||||||
"esbuild": "0.27.4",
|
"esbuild": "0.28.1",
|
||||||
"esbuild-node-externals": "1.20.1",
|
"esbuild-node-externals": "1.22.0",
|
||||||
"eslint": "10.0.3",
|
"eslint": "10.4.0",
|
||||||
"eslint-config-next": "16.1.7",
|
"eslint-config-next": "16.2.6",
|
||||||
"postcss": "8.5.8",
|
"postcss": "8.5.15",
|
||||||
"prettier": "3.8.1",
|
"prettier": "3.8.3",
|
||||||
"react-email": "5.2.10",
|
"react-email": "6.5.0",
|
||||||
"tailwindcss": "4.2.2",
|
"tailwindcss": "4.3.0",
|
||||||
"tsc-alias": "1.8.16",
|
"tsc-alias": "1.8.17",
|
||||||
"tsx": "4.21.0",
|
"tsx": "4.22.3",
|
||||||
"typescript": "5.9.3",
|
"typescript": "6.0.3",
|
||||||
"typescript-eslint": "8.56.1"
|
"typescript-eslint": "8.60.0"
|
||||||
},
|
},
|
||||||
"overrides": {
|
"overrides": {
|
||||||
"esbuild": "0.27.4",
|
"esbuild": "0.28.1",
|
||||||
"dompurify": "3.3.2"
|
"dompurify": "3.4.0",
|
||||||
|
"postcss": "8.5.15"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
|
Before Width: | Height: | Size: 588 KiB After Width: | Height: | Size: 621 KiB |
|
Before Width: | Height: | Size: 569 KiB After Width: | Height: | Size: 532 KiB |
|
Before Width: | Height: | Size: 588 KiB After Width: | Height: | Size: 621 KiB |
|
After Width: | Height: | Size: 556 KiB |
|
Before Width: | Height: | Size: 2.4 MiB After Width: | Height: | Size: 574 KiB |
|
Before Width: | Height: | Size: 434 KiB After Width: | Height: | Size: 410 KiB |
|
Before Width: | Height: | Size: 274 KiB After Width: | Height: | Size: 516 KiB |
@@ -5,6 +5,7 @@ import { and, eq, inArray } from "drizzle-orm";
|
|||||||
import createHttpError from "http-errors";
|
import createHttpError from "http-errors";
|
||||||
import HttpCode from "@server/types/HttpCode";
|
import HttpCode from "@server/types/HttpCode";
|
||||||
import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
|
import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
|
||||||
|
import logger from "@server/logger";
|
||||||
|
|
||||||
export enum ActionsEnum {
|
export enum ActionsEnum {
|
||||||
createOrgUser = "createOrgUser",
|
createOrgUser = "createOrgUser",
|
||||||
@@ -20,6 +21,7 @@ export enum ActionsEnum {
|
|||||||
getSite = "getSite",
|
getSite = "getSite",
|
||||||
listSites = "listSites",
|
listSites = "listSites",
|
||||||
updateSite = "updateSite",
|
updateSite = "updateSite",
|
||||||
|
restartSite = "restartSite",
|
||||||
resetSiteBandwidth = "resetSiteBandwidth",
|
resetSiteBandwidth = "resetSiteBandwidth",
|
||||||
reGenerateSecret = "reGenerateSecret",
|
reGenerateSecret = "reGenerateSecret",
|
||||||
createResource = "createResource",
|
createResource = "createResource",
|
||||||
@@ -69,6 +71,7 @@ export enum ActionsEnum {
|
|||||||
setResourceWhitelist = "setResourceWhitelist",
|
setResourceWhitelist = "setResourceWhitelist",
|
||||||
getResourceWhitelist = "getResourceWhitelist",
|
getResourceWhitelist = "getResourceWhitelist",
|
||||||
generateAccessToken = "generateAccessToken",
|
generateAccessToken = "generateAccessToken",
|
||||||
|
createResourceSessionToken = "createResourceSessionToken",
|
||||||
deleteAcessToken = "deleteAcessToken",
|
deleteAcessToken = "deleteAcessToken",
|
||||||
listAccessTokens = "listAccessTokens",
|
listAccessTokens = "listAccessTokens",
|
||||||
createResourceRule = "createResourceRule",
|
createResourceRule = "createResourceRule",
|
||||||
@@ -122,8 +125,6 @@ export enum ActionsEnum {
|
|||||||
createOrgDomain = "createOrgDomain",
|
createOrgDomain = "createOrgDomain",
|
||||||
deleteOrgDomain = "deleteOrgDomain",
|
deleteOrgDomain = "deleteOrgDomain",
|
||||||
restartOrgDomain = "restartOrgDomain",
|
restartOrgDomain = "restartOrgDomain",
|
||||||
sendUsageNotification = "sendUsageNotification",
|
|
||||||
sendTrialNotification = "sendTrialNotification",
|
|
||||||
createRemoteExitNode = "createRemoteExitNode",
|
createRemoteExitNode = "createRemoteExitNode",
|
||||||
updateRemoteExitNode = "updateRemoteExitNode",
|
updateRemoteExitNode = "updateRemoteExitNode",
|
||||||
getRemoteExitNode = "getRemoteExitNode",
|
getRemoteExitNode = "getRemoteExitNode",
|
||||||
@@ -150,11 +151,37 @@ export enum ActionsEnum {
|
|||||||
updateAlertRule = "updateAlertRule",
|
updateAlertRule = "updateAlertRule",
|
||||||
deleteAlertRule = "deleteAlertRule",
|
deleteAlertRule = "deleteAlertRule",
|
||||||
listAlertRules = "listAlertRules",
|
listAlertRules = "listAlertRules",
|
||||||
|
listOrgLabels = "listOrgLabels",
|
||||||
|
createOrgLabel = "createOrgLabel",
|
||||||
|
updateOrgLabel = "updateOrgLabel",
|
||||||
|
deleteOrgLabel = "deleteOrgLabel",
|
||||||
|
attachLabelToItem = "attachLabelToItem",
|
||||||
|
detachLabelFromItem = "detachLabelFromItem",
|
||||||
getAlertRule = "getAlertRule",
|
getAlertRule = "getAlertRule",
|
||||||
createHealthCheck = "createHealthCheck",
|
createHealthCheck = "createHealthCheck",
|
||||||
updateHealthCheck = "updateHealthCheck",
|
updateHealthCheck = "updateHealthCheck",
|
||||||
deleteHealthCheck = "deleteHealthCheck",
|
deleteHealthCheck = "deleteHealthCheck",
|
||||||
listHealthChecks = "listHealthChecks"
|
listHealthChecks = "listHealthChecks",
|
||||||
|
createBrowserGatewayTarget = "createBrowserGatewayTarget",
|
||||||
|
updateBrowserGatewayTarget = "updateBrowserGatewayTarget",
|
||||||
|
deleteBrowserGatewayTarget = "deleteBrowserGatewayTarget",
|
||||||
|
getBrowserGatewayTarget = "getBrowserGatewayTarget",
|
||||||
|
listBrowserGatewayTargets = "listBrowserGatewayTargets",
|
||||||
|
listResourcePolicies = "listResourcePolicies",
|
||||||
|
getResourcePolicy = "getResourcePolicy",
|
||||||
|
createResourcePolicy = "createResourcePolicy",
|
||||||
|
updateResourcePolicy = "updateResourcePolicy",
|
||||||
|
deleteResourcePolicy = "deleteResourcePolicy",
|
||||||
|
listResourcePolicyRoles = "listResourcePolicyRoles",
|
||||||
|
setResourcePolicyRoles = "setResourcePolicyRoles",
|
||||||
|
listResourcePolicyUsers = "listResourcePolicyUsers",
|
||||||
|
setResourcePolicyUsers = "setResourcePolicyUsers",
|
||||||
|
setResourcePolicyPassword = "setResourcePolicyPassword",
|
||||||
|
setResourcePolicyPincode = "setResourcePolicyPincode",
|
||||||
|
setResourcePolicyHeaderAuth = "setResourcePolicyHeaderAuth",
|
||||||
|
setResourcePolicyWhitelist = "setResourcePolicyWhitelist",
|
||||||
|
setResourcePolicyRules = "setResourcePolicyRules",
|
||||||
|
createOrgWideLauncherView = "createOrgWideLauncherView"
|
||||||
}
|
}
|
||||||
|
|
||||||
export async function checkUserActionPermission(
|
export async function checkUserActionPermission(
|
||||||
@@ -187,6 +214,23 @@ export async function checkUserActionPermission(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If no direct permission, check role-based permission (any of user's roles)
|
||||||
|
const roleActionPermission = await db
|
||||||
|
.select()
|
||||||
|
.from(roleActions)
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(roleActions.actionId, actionId),
|
||||||
|
inArray(roleActions.roleId, userOrgRoleIds),
|
||||||
|
eq(roleActions.orgId, req.userOrgId!)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
if (roleActionPermission.length > 0) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
// Check if the user has direct permission for the action in the current org
|
// Check if the user has direct permission for the action in the current org
|
||||||
const userActionPermission = await db
|
const userActionPermission = await db
|
||||||
.select()
|
.select()
|
||||||
@@ -204,20 +248,7 @@ export async function checkUserActionPermission(
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
// If no direct permission, check role-based permission (any of user's roles)
|
return false;
|
||||||
const roleActionPermission = await db
|
|
||||||
.select()
|
|
||||||
.from(roleActions)
|
|
||||||
.where(
|
|
||||||
and(
|
|
||||||
eq(roleActions.actionId, actionId),
|
|
||||||
inArray(roleActions.roleId, userOrgRoleIds),
|
|
||||||
eq(roleActions.orgId, req.userOrgId!)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
.limit(1);
|
|
||||||
|
|
||||||
return roleActionPermission.length > 0;
|
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
console.error("Error checking user action permission:", error);
|
console.error("Error checking user action permission:", error);
|
||||||
throw createHttpError(
|
throw createHttpError(
|
||||||
|
|||||||
@@ -1,6 +1,12 @@
|
|||||||
import { db } from "@server/db";
|
import { db } from "@server/db";
|
||||||
import { and, eq, inArray } from "drizzle-orm";
|
import { and, eq, inArray, isNull, or } from "drizzle-orm";
|
||||||
import { roleResources, userResources } from "@server/db";
|
import {
|
||||||
|
rolePolicies,
|
||||||
|
roleResources,
|
||||||
|
resources,
|
||||||
|
userPolicies,
|
||||||
|
userResources
|
||||||
|
} from "@server/db";
|
||||||
|
|
||||||
export async function canUserAccessResource({
|
export async function canUserAccessResource({
|
||||||
userId,
|
userId,
|
||||||
@@ -11,9 +17,14 @@ export async function canUserAccessResource({
|
|||||||
resourceId: number;
|
resourceId: number;
|
||||||
roleIds: number[];
|
roleIds: number[];
|
||||||
}): Promise<boolean> {
|
}): Promise<boolean> {
|
||||||
const roleResourceAccess =
|
const [
|
||||||
|
roleResourceAccess,
|
||||||
|
rolePolicyAccess,
|
||||||
|
userResourceAccess,
|
||||||
|
userPolicyAccess
|
||||||
|
] = await Promise.all([
|
||||||
roleIds.length > 0
|
roleIds.length > 0
|
||||||
? await db
|
? db
|
||||||
.select()
|
.select()
|
||||||
.from(roleResources)
|
.from(roleResources)
|
||||||
.where(
|
.where(
|
||||||
@@ -23,13 +34,41 @@ export async function canUserAccessResource({
|
|||||||
)
|
)
|
||||||
)
|
)
|
||||||
.limit(1)
|
.limit(1)
|
||||||
: [];
|
: [],
|
||||||
|
roleIds.length > 0
|
||||||
if (roleResourceAccess.length > 0) {
|
? db
|
||||||
return true;
|
.select({
|
||||||
}
|
roleId: rolePolicies.roleId,
|
||||||
|
resourcePolicyId: rolePolicies.resourcePolicyId
|
||||||
const userResourceAccess = await db
|
})
|
||||||
|
.from(rolePolicies)
|
||||||
|
.innerJoin(
|
||||||
|
resources,
|
||||||
|
// Shared policy wins; only use default policy when no shared
|
||||||
|
// policy is assigned to the resource.
|
||||||
|
or(
|
||||||
|
eq(
|
||||||
|
resources.resourcePolicyId,
|
||||||
|
rolePolicies.resourcePolicyId
|
||||||
|
),
|
||||||
|
and(
|
||||||
|
isNull(resources.resourcePolicyId),
|
||||||
|
eq(
|
||||||
|
resources.defaultResourcePolicyId,
|
||||||
|
rolePolicies.resourcePolicyId
|
||||||
|
)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(resources.resourceId, resourceId),
|
||||||
|
inArray(rolePolicies.roleId, roleIds)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.limit(1)
|
||||||
|
: [],
|
||||||
|
db
|
||||||
.select()
|
.select()
|
||||||
.from(userResources)
|
.from(userResources)
|
||||||
.where(
|
.where(
|
||||||
@@ -38,11 +77,44 @@ export async function canUserAccessResource({
|
|||||||
eq(userResources.resourceId, resourceId)
|
eq(userResources.resourceId, resourceId)
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
.limit(1);
|
.limit(1),
|
||||||
|
db
|
||||||
|
.select({
|
||||||
|
userId: userPolicies.userId,
|
||||||
|
resourcePolicyId: userPolicies.resourcePolicyId
|
||||||
|
})
|
||||||
|
.from(userPolicies)
|
||||||
|
.innerJoin(
|
||||||
|
resources,
|
||||||
|
// Shared policy wins; only use default policy when no shared
|
||||||
|
// policy is assigned to the resource.
|
||||||
|
or(
|
||||||
|
eq(
|
||||||
|
resources.resourcePolicyId,
|
||||||
|
userPolicies.resourcePolicyId
|
||||||
|
),
|
||||||
|
and(
|
||||||
|
isNull(resources.resourcePolicyId),
|
||||||
|
eq(
|
||||||
|
resources.defaultResourcePolicyId,
|
||||||
|
userPolicies.resourcePolicyId
|
||||||
|
)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(resources.resourceId, resourceId),
|
||||||
|
eq(userPolicies.userId, userId)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.limit(1)
|
||||||
|
]);
|
||||||
|
|
||||||
if (userResourceAccess.length > 0) {
|
return (
|
||||||
return true;
|
roleResourceAccess.length > 0 ||
|
||||||
}
|
rolePolicyAccess.length > 0 ||
|
||||||
|
userResourceAccess.length > 0 ||
|
||||||
return false;
|
userPolicyAccess.length > 0
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -12,7 +12,7 @@ import {
|
|||||||
users
|
users
|
||||||
} from "@server/db";
|
} from "@server/db";
|
||||||
import { db } from "@server/db";
|
import { db } from "@server/db";
|
||||||
import { eq, inArray } from "drizzle-orm";
|
import { and, eq, inArray, ne } from "drizzle-orm";
|
||||||
import config from "@server/lib/config";
|
import config from "@server/lib/config";
|
||||||
import type { RandomReader } from "@oslojs/crypto/random";
|
import type { RandomReader } from "@oslojs/crypto/random";
|
||||||
import { generateRandomString } from "@oslojs/crypto/random";
|
import { generateRandomString } from "@oslojs/crypto/random";
|
||||||
@@ -136,6 +136,45 @@ export async function invalidateAllSessions(userId: string): Promise<void> {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
export async function invalidateAllSessionsExceptCurrent(
|
||||||
|
userId: string,
|
||||||
|
currentSessionId: string
|
||||||
|
): Promise<void> {
|
||||||
|
try {
|
||||||
|
await db.transaction(async (trx) => {
|
||||||
|
const userSessions = await trx
|
||||||
|
.select()
|
||||||
|
.from(sessions)
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(sessions.userId, userId),
|
||||||
|
ne(sessions.sessionId, currentSessionId)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
if (userSessions.length > 0) {
|
||||||
|
await trx.delete(resourceSessions).where(
|
||||||
|
inArray(
|
||||||
|
resourceSessions.userSessionId,
|
||||||
|
userSessions.map((s) => s.sessionId)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
await trx
|
||||||
|
.delete(sessions)
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(sessions.userId, userId),
|
||||||
|
ne(sessions.sessionId, currentSessionId)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
});
|
||||||
|
} catch (e) {
|
||||||
|
logger.error("Failed to invalidate user sessions except current", e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
export function serializeSessionCookie(
|
export function serializeSessionCookie(
|
||||||
token: string,
|
token: string,
|
||||||
isSecure: boolean,
|
isSecure: boolean,
|
||||||
|
|||||||
@@ -19,6 +19,9 @@ export async function createResourceSession(opts: {
|
|||||||
userSessionId?: string | null;
|
userSessionId?: string | null;
|
||||||
whitelistId?: number | null;
|
whitelistId?: number | null;
|
||||||
accessTokenId?: string | null;
|
accessTokenId?: string | null;
|
||||||
|
policyPasswordId?: number | null;
|
||||||
|
policyPincodeId?: number | null;
|
||||||
|
policyWhitelistId?: number | null;
|
||||||
doNotExtend?: boolean;
|
doNotExtend?: boolean;
|
||||||
expiresAt?: number | null;
|
expiresAt?: number | null;
|
||||||
sessionLength?: number | null;
|
sessionLength?: number | null;
|
||||||
@@ -28,7 +31,10 @@ export async function createResourceSession(opts: {
|
|||||||
!opts.pincodeId &&
|
!opts.pincodeId &&
|
||||||
!opts.whitelistId &&
|
!opts.whitelistId &&
|
||||||
!opts.accessTokenId &&
|
!opts.accessTokenId &&
|
||||||
!opts.userSessionId
|
!opts.userSessionId &&
|
||||||
|
!opts.policyPasswordId &&
|
||||||
|
!opts.policyPincodeId &&
|
||||||
|
!opts.policyWhitelistId
|
||||||
) {
|
) {
|
||||||
throw new Error("Auth method must be provided");
|
throw new Error("Auth method must be provided");
|
||||||
}
|
}
|
||||||
@@ -49,6 +55,9 @@ export async function createResourceSession(opts: {
|
|||||||
whitelistId: opts.whitelistId || null,
|
whitelistId: opts.whitelistId || null,
|
||||||
doNotExtend: opts.doNotExtend || false,
|
doNotExtend: opts.doNotExtend || false,
|
||||||
accessTokenId: opts.accessTokenId || null,
|
accessTokenId: opts.accessTokenId || null,
|
||||||
|
policyPasswordId: opts.policyPasswordId || null,
|
||||||
|
policyPincodeId: opts.policyPincodeId || null,
|
||||||
|
policyWhitelistId: opts.policyWhitelistId || null,
|
||||||
isRequestToken: opts.isRequestToken || false,
|
isRequestToken: opts.isRequestToken || false,
|
||||||
userSessionId: opts.userSessionId || null,
|
userSessionId: opts.userSessionId || null,
|
||||||
issuedAt: new Date().getTime()
|
issuedAt: new Date().getTime()
|
||||||
|
|||||||
@@ -795,10 +795,13 @@ export const COUNTRIES = [
|
|||||||
name: "Serbia",
|
name: "Serbia",
|
||||||
code: "RS"
|
code: "RS"
|
||||||
},
|
},
|
||||||
{
|
// Removed as this is a deprecated ISO country code, not supported anymore
|
||||||
name: "Serbia and Montenegro",
|
// Also the individual flags for Serbia & Montenegro are already included in the list
|
||||||
code: "CS"
|
// more details: https://en.wikipedia.org/wiki/ISO_3166-2:CS
|
||||||
},
|
// {
|
||||||
|
// name: "Serbia and Montenegro",
|
||||||
|
// code: "CS"
|
||||||
|
// },
|
||||||
{
|
{
|
||||||
name: "Seychelles",
|
name: "Seychelles",
|
||||||
code: "SC"
|
code: "SC"
|
||||||
|
|||||||
@@ -1,94 +1,53 @@
|
|||||||
{
|
{
|
||||||
"PowerMac4,4": "eMac",
|
|
||||||
"PowerMac6,4": "eMac",
|
|
||||||
"PowerBook2,1": "iBook",
|
|
||||||
"PowerBook2,2": "iBook",
|
|
||||||
"PowerBook4,1": "iBook",
|
|
||||||
"PowerBook4,2": "iBook",
|
|
||||||
"PowerBook4,3": "iBook",
|
|
||||||
"PowerBook6,3": "iBook",
|
|
||||||
"PowerBook6,5": "iBook",
|
|
||||||
"PowerBook6,7": "iBook",
|
|
||||||
"iMac,1": "iMac",
|
|
||||||
"PowerMac2,1": "iMac",
|
|
||||||
"PowerMac2,2": "iMac",
|
|
||||||
"PowerMac4,1": "iMac",
|
|
||||||
"PowerMac4,2": "iMac",
|
|
||||||
"PowerMac4,5": "iMac",
|
|
||||||
"PowerMac6,1": "iMac",
|
|
||||||
"PowerMac6,3*": "iMac",
|
|
||||||
"PowerMac6,3": "iMac",
|
|
||||||
"PowerMac8,1": "iMac",
|
|
||||||
"PowerMac8,2": "iMac",
|
|
||||||
"PowerMac12,1": "iMac",
|
|
||||||
"iMac4,1": "iMac",
|
|
||||||
"iMac4,2": "iMac",
|
|
||||||
"iMac5,2": "iMac",
|
|
||||||
"iMac5,1": "iMac",
|
|
||||||
"iMac6,1": "iMac",
|
|
||||||
"iMac7,1": "iMac",
|
|
||||||
"iMac8,1": "iMac",
|
|
||||||
"iMac9,1": "iMac",
|
|
||||||
"iMac10,1": "iMac",
|
|
||||||
"iMac11,1": "iMac",
|
|
||||||
"iMac11,2": "iMac",
|
|
||||||
"iMac11,3": "iMac",
|
|
||||||
"iMac12,1": "iMac",
|
|
||||||
"iMac12,2": "iMac",
|
|
||||||
"iMac13,1": "iMac",
|
|
||||||
"iMac13,2": "iMac",
|
|
||||||
"iMac14,1": "iMac",
|
|
||||||
"iMac14,3": "iMac",
|
|
||||||
"iMac14,2": "iMac",
|
|
||||||
"iMac14,4": "iMac",
|
|
||||||
"iMac15,1": "iMac",
|
|
||||||
"iMac16,1": "iMac",
|
|
||||||
"iMac16,2": "iMac",
|
|
||||||
"iMac17,1": "iMac",
|
|
||||||
"iMac18,1": "iMac",
|
|
||||||
"iMac18,2": "iMac",
|
|
||||||
"iMac18,3": "iMac",
|
|
||||||
"iMac19,2": "iMac",
|
|
||||||
"iMac19,1": "iMac",
|
|
||||||
"iMac20,1": "iMac",
|
|
||||||
"iMac20,2": "iMac",
|
|
||||||
"iMac21,2": "iMac",
|
|
||||||
"iMac21,1": "iMac",
|
|
||||||
"iMacPro1,1": "iMac Pro",
|
|
||||||
"PowerMac10,1": "Mac mini",
|
|
||||||
"PowerMac10,2": "Mac mini",
|
|
||||||
"Macmini1,1": "Mac mini",
|
|
||||||
"Macmini2,1": "Mac mini",
|
|
||||||
"Macmini3,1": "Mac mini",
|
|
||||||
"Macmini4,1": "Mac mini",
|
|
||||||
"Macmini5,1": "Mac mini",
|
|
||||||
"Macmini5,2": "Mac mini",
|
|
||||||
"Macmini5,3": "Mac mini",
|
|
||||||
"Macmini6,1": "Mac mini",
|
|
||||||
"Macmini6,2": "Mac mini",
|
|
||||||
"Macmini7,1": "Mac mini",
|
|
||||||
"Macmini8,1": "Mac mini",
|
|
||||||
"ADP3,2": "Mac mini",
|
"ADP3,2": "Mac mini",
|
||||||
"Macmini9,1": "Mac mini",
|
|
||||||
"Mac14,3": "Mac mini",
|
|
||||||
"Mac14,12": "Mac mini",
|
|
||||||
"MacPro1,1*": "Mac Pro",
|
|
||||||
"MacPro2,1": "Mac Pro",
|
|
||||||
"MacPro3,1": "Mac Pro",
|
|
||||||
"MacPro4,1": "Mac Pro",
|
|
||||||
"MacPro5,1": "Mac Pro",
|
|
||||||
"MacPro6,1": "Mac Pro",
|
|
||||||
"MacPro7,1": "Mac Pro",
|
|
||||||
"N/A*": "Power Macintosh",
|
|
||||||
"PowerMac1,1": "Power Macintosh",
|
|
||||||
"PowerMac3,1": "Power Macintosh",
|
|
||||||
"PowerMac3,3": "Power Macintosh",
|
|
||||||
"PowerMac3,4": "Power Macintosh",
|
|
||||||
"PowerMac3,5": "Power Macintosh",
|
|
||||||
"PowerMac3,6": "Power Macintosh",
|
|
||||||
"Mac13,1": "Mac Studio",
|
"Mac13,1": "Mac Studio",
|
||||||
"Mac13,2": "Mac Studio",
|
"Mac13,2": "Mac Studio",
|
||||||
|
"Mac14,10": "MacBook Pro",
|
||||||
|
"Mac14,12": "Mac mini",
|
||||||
|
"Mac14,13": "Mac Studio",
|
||||||
|
"Mac14,14": "Mac Studio",
|
||||||
|
"Mac14,15": "MacBook Air",
|
||||||
|
"Mac14,2": "MacBook Air",
|
||||||
|
"Mac14,3": "Mac mini",
|
||||||
|
"Mac14,5": "MacBook Pro",
|
||||||
|
"Mac14,6": "MacBook Pro",
|
||||||
|
"Mac14,7": "MacBook Pro",
|
||||||
|
"Mac14,8": "Mac Pro",
|
||||||
|
"Mac14,9": "MacBook Pro",
|
||||||
|
"Mac15,10": "MacBook Pro",
|
||||||
|
"Mac15,11": "MacBook Pro",
|
||||||
|
"Mac15,12": "MacBook Air",
|
||||||
|
"Mac15,13": "MacBook Air",
|
||||||
|
"Mac15,14": "Mac Studio",
|
||||||
|
"Mac15,3": "MacBook Pro",
|
||||||
|
"Mac15,4": "iMac",
|
||||||
|
"Mac15,5": "iMac",
|
||||||
|
"Mac15,6": "MacBook Pro",
|
||||||
|
"Mac15,7": "MacBook Pro",
|
||||||
|
"Mac15,8": "MacBook Pro",
|
||||||
|
"Mac15,9": "MacBook Pro",
|
||||||
|
"Mac16,1": "MacBook Pro",
|
||||||
|
"Mac16,10": "Mac mini",
|
||||||
|
"Mac16,11": "Mac mini",
|
||||||
|
"Mac16,12": "MacBook Air",
|
||||||
|
"Mac16,13": "MacBook Air",
|
||||||
|
"Mac16,2": "iMac",
|
||||||
|
"Mac16,3": "iMac",
|
||||||
|
"Mac16,5": "MacBook Pro",
|
||||||
|
"Mac16,6": "MacBook Pro",
|
||||||
|
"Mac16,7": "MacBook Pro",
|
||||||
|
"Mac16,8": "MacBook Pro",
|
||||||
|
"Mac16,9": "Mac Studio",
|
||||||
|
"Mac17,2": "MacBook Pro",
|
||||||
|
"Mac17,3": "MacBook Air",
|
||||||
|
"Mac17,4": "MacBook Air",
|
||||||
|
"Mac17,5": "MacBook Neo",
|
||||||
|
"Mac17,6": "MacBook Pro",
|
||||||
|
"Mac17,7": "MacBook Pro",
|
||||||
|
"Mac17,8": "MacBook Pro",
|
||||||
|
"Mac17,9": "MacBook Pro",
|
||||||
"MacBook1,1": "MacBook",
|
"MacBook1,1": "MacBook",
|
||||||
|
"MacBook10,1": "MacBook",
|
||||||
"MacBook2,1": "MacBook",
|
"MacBook2,1": "MacBook",
|
||||||
"MacBook3,1": "MacBook",
|
"MacBook3,1": "MacBook",
|
||||||
"MacBook4,1": "MacBook",
|
"MacBook4,1": "MacBook",
|
||||||
@@ -98,8 +57,8 @@
|
|||||||
"MacBook7,1": "MacBook",
|
"MacBook7,1": "MacBook",
|
||||||
"MacBook8,1": "MacBook",
|
"MacBook8,1": "MacBook",
|
||||||
"MacBook9,1": "MacBook",
|
"MacBook9,1": "MacBook",
|
||||||
"MacBook10,1": "MacBook",
|
|
||||||
"MacBookAir1,1": "MacBook Air",
|
"MacBookAir1,1": "MacBook Air",
|
||||||
|
"MacBookAir10,1": "MacBook Air",
|
||||||
"MacBookAir2,1": "MacBook Air",
|
"MacBookAir2,1": "MacBook Air",
|
||||||
"MacBookAir3,1": "MacBook Air",
|
"MacBookAir3,1": "MacBook Air",
|
||||||
"MacBookAir3,2": "MacBook Air",
|
"MacBookAir3,2": "MacBook Air",
|
||||||
@@ -114,88 +73,163 @@
|
|||||||
"MacBookAir8,1": "MacBook Air",
|
"MacBookAir8,1": "MacBook Air",
|
||||||
"MacBookAir8,2": "MacBook Air",
|
"MacBookAir8,2": "MacBook Air",
|
||||||
"MacBookAir9,1": "MacBook Air",
|
"MacBookAir9,1": "MacBook Air",
|
||||||
"MacBookAir10,1": "MacBook Air",
|
|
||||||
"Mac14,2": "MacBook Air",
|
|
||||||
"MacBookPro1,1": "MacBook Pro",
|
"MacBookPro1,1": "MacBook Pro",
|
||||||
"MacBookPro1,2": "MacBook Pro",
|
"MacBookPro1,2": "MacBook Pro",
|
||||||
"MacBookPro2,2": "MacBook Pro",
|
|
||||||
"MacBookPro2,1": "MacBook Pro",
|
|
||||||
"MacBookPro3,1": "MacBook Pro",
|
|
||||||
"MacBookPro4,1": "MacBook Pro",
|
|
||||||
"MacBookPro5,1": "MacBook Pro",
|
|
||||||
"MacBookPro5,2": "MacBook Pro",
|
|
||||||
"MacBookPro5,5": "MacBook Pro",
|
|
||||||
"MacBookPro5,4": "MacBook Pro",
|
|
||||||
"MacBookPro5,3": "MacBook Pro",
|
|
||||||
"MacBookPro7,1": "MacBook Pro",
|
|
||||||
"MacBookPro6,2": "MacBook Pro",
|
|
||||||
"MacBookPro6,1": "MacBook Pro",
|
|
||||||
"MacBookPro8,1": "MacBook Pro",
|
|
||||||
"MacBookPro8,2": "MacBook Pro",
|
|
||||||
"MacBookPro8,3": "MacBook Pro",
|
|
||||||
"MacBookPro9,2": "MacBook Pro",
|
|
||||||
"MacBookPro9,1": "MacBook Pro",
|
|
||||||
"MacBookPro10,1": "MacBook Pro",
|
"MacBookPro10,1": "MacBook Pro",
|
||||||
"MacBookPro10,2": "MacBook Pro",
|
"MacBookPro10,2": "MacBook Pro",
|
||||||
"MacBookPro11,1": "MacBook Pro",
|
"MacBookPro11,1": "MacBook Pro",
|
||||||
"MacBookPro11,2": "MacBook Pro",
|
"MacBookPro11,2": "MacBook Pro",
|
||||||
"MacBookPro11,3": "MacBook Pro",
|
"MacBookPro11,3": "MacBook Pro",
|
||||||
"MacBookPro12,1": "MacBook Pro",
|
|
||||||
"MacBookPro11,4": "MacBook Pro",
|
"MacBookPro11,4": "MacBook Pro",
|
||||||
"MacBookPro11,5": "MacBook Pro",
|
"MacBookPro11,5": "MacBook Pro",
|
||||||
|
"MacBookPro12,1": "MacBook Pro",
|
||||||
"MacBookPro13,1": "MacBook Pro",
|
"MacBookPro13,1": "MacBook Pro",
|
||||||
"MacBookPro13,2": "MacBook Pro",
|
"MacBookPro13,2": "MacBook Pro",
|
||||||
"MacBookPro13,3": "MacBook Pro",
|
"MacBookPro13,3": "MacBook Pro",
|
||||||
"MacBookPro14,1": "MacBook Pro",
|
"MacBookPro14,1": "MacBook Pro",
|
||||||
"MacBookPro14,2": "MacBook Pro",
|
"MacBookPro14,2": "MacBook Pro",
|
||||||
"MacBookPro14,3": "MacBook Pro",
|
"MacBookPro14,3": "MacBook Pro",
|
||||||
"MacBookPro15,2": "MacBook Pro",
|
|
||||||
"MacBookPro15,1": "MacBook Pro",
|
"MacBookPro15,1": "MacBook Pro",
|
||||||
|
"MacBookPro15,2": "MacBook Pro",
|
||||||
"MacBookPro15,3": "MacBook Pro",
|
"MacBookPro15,3": "MacBook Pro",
|
||||||
"MacBookPro15,4": "MacBook Pro",
|
"MacBookPro15,4": "MacBook Pro",
|
||||||
"MacBookPro16,1": "MacBook Pro",
|
"MacBookPro16,1": "MacBook Pro",
|
||||||
"MacBookPro16,3": "MacBook Pro",
|
|
||||||
"MacBookPro16,2": "MacBook Pro",
|
"MacBookPro16,2": "MacBook Pro",
|
||||||
|
"MacBookPro16,3": "MacBook Pro",
|
||||||
"MacBookPro16,4": "MacBook Pro",
|
"MacBookPro16,4": "MacBook Pro",
|
||||||
"MacBookPro17,1": "MacBook Pro",
|
"MacBookPro17,1": "MacBook Pro",
|
||||||
"MacBookPro18,3": "MacBook Pro",
|
|
||||||
"MacBookPro18,4": "MacBook Pro",
|
|
||||||
"MacBookPro18,1": "MacBook Pro",
|
"MacBookPro18,1": "MacBook Pro",
|
||||||
"MacBookPro18,2": "MacBook Pro",
|
"MacBookPro18,2": "MacBook Pro",
|
||||||
"Mac14,7": "MacBook Pro",
|
"MacBookPro18,3": "MacBook Pro",
|
||||||
"Mac14,9": "MacBook Pro",
|
"MacBookPro18,4": "MacBook Pro",
|
||||||
"Mac14,5": "MacBook Pro",
|
"MacBookPro2,1": "MacBook Pro",
|
||||||
"Mac14,10": "MacBook Pro",
|
"MacBookPro2,2": "MacBook Pro",
|
||||||
"Mac14,6": "MacBook Pro",
|
"MacBookPro3,1": "MacBook Pro",
|
||||||
"PowerMac1,2": "Power Macintosh",
|
"MacBookPro4,1": "MacBook Pro",
|
||||||
"PowerMac5,1": "Power Macintosh",
|
"MacBookPro5,1": "MacBook Pro",
|
||||||
"PowerMac7,2": "Power Macintosh",
|
"MacBookPro5,2": "MacBook Pro",
|
||||||
"PowerMac7,3": "Power Macintosh",
|
"MacBookPro5,3": "MacBook Pro",
|
||||||
"PowerMac9,1": "Power Macintosh",
|
"MacBookPro5,4": "MacBook Pro",
|
||||||
"PowerMac11,2": "Power Macintosh",
|
"MacBookPro5,5": "MacBook Pro",
|
||||||
|
"MacBookPro6,1": "MacBook Pro",
|
||||||
|
"MacBookPro6,2": "MacBook Pro",
|
||||||
|
"MacBookPro7,1": "MacBook Pro",
|
||||||
|
"MacBookPro8,1": "MacBook Pro",
|
||||||
|
"MacBookPro8,2": "MacBook Pro",
|
||||||
|
"MacBookPro8,3": "MacBook Pro",
|
||||||
|
"MacBookPro9,1": "MacBook Pro",
|
||||||
|
"MacBookPro9,2": "MacBook Pro",
|
||||||
|
"MacPro1,1": "Mac Pro",
|
||||||
|
"MacPro2,1": "Mac Pro",
|
||||||
|
"MacPro3,1": "Mac Pro",
|
||||||
|
"MacPro4,1": "Mac Pro",
|
||||||
|
"MacPro5,1": "Mac Pro",
|
||||||
|
"MacPro6,1": "Mac Pro",
|
||||||
|
"MacPro7,1": "Mac Pro",
|
||||||
|
"Macmini1,1": "Mac mini",
|
||||||
|
"Macmini2,1": "Mac mini",
|
||||||
|
"Macmini3,1": "Mac mini",
|
||||||
|
"Macmini4,1": "Mac mini",
|
||||||
|
"Macmini5,1": "Mac mini",
|
||||||
|
"Macmini5,2": "Mac mini",
|
||||||
|
"Macmini5,3": "Mac mini",
|
||||||
|
"Macmini6,1": "Mac mini",
|
||||||
|
"Macmini6,2": "Mac mini",
|
||||||
|
"Macmini7,1": "Mac mini",
|
||||||
|
"Macmini8,1": "Mac mini",
|
||||||
|
"Macmini9,1": "Mac mini",
|
||||||
"PowerBook1,1": "PowerBook",
|
"PowerBook1,1": "PowerBook",
|
||||||
|
"PowerBook2,1": "iBook",
|
||||||
|
"PowerBook2,2": "iBook",
|
||||||
"PowerBook3,1": "PowerBook",
|
"PowerBook3,1": "PowerBook",
|
||||||
"PowerBook3,2": "PowerBook",
|
"PowerBook3,2": "PowerBook",
|
||||||
"PowerBook3,3": "PowerBook",
|
"PowerBook3,3": "PowerBook",
|
||||||
"PowerBook3,4": "PowerBook",
|
"PowerBook3,4": "PowerBook",
|
||||||
"PowerBook3,5": "PowerBook",
|
"PowerBook3,5": "PowerBook",
|
||||||
"PowerBook6,1": "PowerBook",
|
"PowerBook4,1": "iBook",
|
||||||
|
"PowerBook4,2": "iBook",
|
||||||
|
"PowerBook4,3": "iBook",
|
||||||
"PowerBook5,1": "PowerBook",
|
"PowerBook5,1": "PowerBook",
|
||||||
"PowerBook6,2": "PowerBook",
|
|
||||||
"PowerBook5,2": "PowerBook",
|
"PowerBook5,2": "PowerBook",
|
||||||
"PowerBook5,3": "PowerBook",
|
"PowerBook5,3": "PowerBook",
|
||||||
"PowerBook6,4": "PowerBook",
|
|
||||||
"PowerBook5,4": "PowerBook",
|
"PowerBook5,4": "PowerBook",
|
||||||
"PowerBook5,5": "PowerBook",
|
"PowerBook5,5": "PowerBook",
|
||||||
"PowerBook6,8": "PowerBook",
|
|
||||||
"PowerBook5,6": "PowerBook",
|
"PowerBook5,6": "PowerBook",
|
||||||
"PowerBook5,7": "PowerBook",
|
"PowerBook5,7": "PowerBook",
|
||||||
"PowerBook5,8": "PowerBook",
|
"PowerBook5,8": "PowerBook",
|
||||||
"PowerBook5,9": "PowerBook",
|
"PowerBook5,9": "PowerBook",
|
||||||
|
"PowerBook6,1": "PowerBook",
|
||||||
|
"PowerBook6,2": "PowerBook",
|
||||||
|
"PowerBook6,3": "iBook",
|
||||||
|
"PowerBook6,4": "PowerBook",
|
||||||
|
"PowerBook6,5": "iBook",
|
||||||
|
"PowerBook6,7": "iBook",
|
||||||
|
"PowerBook6,8": "PowerBook",
|
||||||
|
"PowerMac1,1": "Power Macintosh",
|
||||||
|
"PowerMac1,2": "Power Macintosh",
|
||||||
|
"PowerMac10,1": "Mac mini",
|
||||||
|
"PowerMac10,2": "Mac mini",
|
||||||
|
"PowerMac11,2": "Power Macintosh",
|
||||||
|
"PowerMac12,1": "iMac",
|
||||||
|
"PowerMac2,1": "iMac",
|
||||||
|
"PowerMac2,2": "iMac",
|
||||||
|
"PowerMac3,1": "Mac Server",
|
||||||
|
"PowerMac3,3": "Power Macintosh",
|
||||||
|
"PowerMac3,4": "Power Macintosh",
|
||||||
|
"PowerMac3,5": "Power Macintosh",
|
||||||
|
"PowerMac3,6": "Power Macintosh",
|
||||||
|
"PowerMac4,1": "iMac",
|
||||||
|
"PowerMac4,2": "iMac",
|
||||||
|
"PowerMac4,4": "eMac",
|
||||||
|
"PowerMac4,5": "iMac",
|
||||||
|
"PowerMac5,1": "Power Macintosh",
|
||||||
|
"PowerMac6,1": "iMac",
|
||||||
|
"PowerMac6,3": "iMac",
|
||||||
|
"PowerMac6,4": "eMac",
|
||||||
|
"PowerMac7,2": "Power Macintosh",
|
||||||
|
"PowerMac7,3": "Power Macintosh",
|
||||||
|
"PowerMac8,1": "iMac",
|
||||||
|
"PowerMac8,2": "iMac",
|
||||||
|
"PowerMac9,1": "Power Macintosh",
|
||||||
"RackMac1,1": "Xserve",
|
"RackMac1,1": "Xserve",
|
||||||
"RackMac1,2": "Xserve",
|
"RackMac1,2": "Xserve",
|
||||||
"RackMac3,1": "Xserve",
|
"RackMac3,1": "Xserve",
|
||||||
"Xserve1,1": "Xserve",
|
"Xserve1,1": "Xserve",
|
||||||
"Xserve2,1": "Xserve",
|
"Xserve2,1": "Xserve",
|
||||||
"Xserve3,1": "Xserve"
|
"Xserve3,1": "Xserve",
|
||||||
|
"iMac,1": "iMac",
|
||||||
|
"iMac10,1": "iMac",
|
||||||
|
"iMac11,1": "iMac",
|
||||||
|
"iMac11,2": "iMac",
|
||||||
|
"iMac11,3": "iMac",
|
||||||
|
"iMac12,1": "iMac",
|
||||||
|
"iMac12,2": "iMac",
|
||||||
|
"iMac13,1": "iMac",
|
||||||
|
"iMac13,2": "iMac",
|
||||||
|
"iMac14,1": "iMac",
|
||||||
|
"iMac14,2": "iMac",
|
||||||
|
"iMac14,3": "iMac",
|
||||||
|
"iMac14,4": "iMac",
|
||||||
|
"iMac15,1": "iMac",
|
||||||
|
"iMac16,1": "iMac",
|
||||||
|
"iMac16,2": "iMac",
|
||||||
|
"iMac17,1": "iMac",
|
||||||
|
"iMac18,1": "iMac",
|
||||||
|
"iMac18,2": "iMac",
|
||||||
|
"iMac18,3": "iMac",
|
||||||
|
"iMac19,1": "iMac",
|
||||||
|
"iMac19,2": "iMac",
|
||||||
|
"iMac20,1": "iMac",
|
||||||
|
"iMac20,2": "iMac",
|
||||||
|
"iMac21,1": "iMac",
|
||||||
|
"iMac21,2": "iMac",
|
||||||
|
"iMac4,1": "iMac",
|
||||||
|
"iMac4,2": "iMac",
|
||||||
|
"iMac5,1": "iMac",
|
||||||
|
"iMac5,2": "iMac",
|
||||||
|
"iMac6,1": "iMac",
|
||||||
|
"iMac7,1": "iMac",
|
||||||
|
"iMac8,1": "iMac",
|
||||||
|
"iMac9,1": "iMac",
|
||||||
|
"iMacPro1,1": "iMac Pro"
|
||||||
}
|
}
|
||||||
@@ -1,6 +1,12 @@
|
|||||||
import { join } from "path";
|
import { join } from "path";
|
||||||
import { readFileSync } from "fs";
|
import { readFileSync } from "fs";
|
||||||
import { clients, db, resources, siteResources } from "@server/db";
|
import {
|
||||||
|
clients,
|
||||||
|
db,
|
||||||
|
resourcePolicies,
|
||||||
|
resources,
|
||||||
|
siteResources
|
||||||
|
} from "@server/db";
|
||||||
import { randomInt } from "crypto";
|
import { randomInt } from "crypto";
|
||||||
import { exitNodes, sites } from "@server/db";
|
import { exitNodes, sites } from "@server/db";
|
||||||
import { eq, and } from "drizzle-orm";
|
import { eq, and } from "drizzle-orm";
|
||||||
@@ -107,6 +113,35 @@ export async function getUniqueResourceName(orgId: string): Promise<string> {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
export async function getUniqueResourcePolicyName(
|
||||||
|
orgId: string
|
||||||
|
): Promise<string> {
|
||||||
|
let loops = 0;
|
||||||
|
while (true) {
|
||||||
|
if (loops > 100) {
|
||||||
|
throw new Error("Could not generate a unique name");
|
||||||
|
}
|
||||||
|
|
||||||
|
const name = generateName();
|
||||||
|
const policyCount = await db
|
||||||
|
.select({
|
||||||
|
niceId: resourcePolicies.niceId,
|
||||||
|
orgId: resourcePolicies.orgId
|
||||||
|
})
|
||||||
|
.from(resourcePolicies)
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(resourcePolicies.niceId, name),
|
||||||
|
eq(resourcePolicies.orgId, orgId)
|
||||||
|
)
|
||||||
|
);
|
||||||
|
if (policyCount.length === 0) {
|
||||||
|
return name;
|
||||||
|
}
|
||||||
|
loops++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
export async function getUniqueSiteResourceName(
|
export async function getUniqueSiteResourceName(
|
||||||
orgId: string
|
orgId: string
|
||||||
): Promise<string> {
|
): Promise<string> {
|
||||||
|
|||||||
@@ -87,7 +87,7 @@ function createDb() {
|
|||||||
|
|
||||||
export const db = createDb();
|
export const db = createDb();
|
||||||
export default db;
|
export default db;
|
||||||
export const primaryDb = db.$primary;
|
export const primaryDb = db.$primary as typeof db; // is this typeof a problem - technically they are different types
|
||||||
export type Transaction = Parameters<
|
export type Transaction = Parameters<
|
||||||
Parameters<(typeof db)["transaction"]>[0]
|
Parameters<(typeof db)["transaction"]>[0]
|
||||||
>[0];
|
>[0];
|
||||||
|
|||||||
@@ -4,3 +4,4 @@ export * from "./safeRead";
|
|||||||
export * from "./schema/schema";
|
export * from "./schema/schema";
|
||||||
export * from "./schema/privateSchema";
|
export * from "./schema/privateSchema";
|
||||||
export * from "./migrate";
|
export * from "./migrate";
|
||||||
|
export { alias } from "drizzle-orm/pg-core";
|
||||||
|
|||||||
@@ -2,7 +2,7 @@ import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
|
|||||||
import { readConfigFile } from "@server/lib/readConfigFile";
|
import { readConfigFile } from "@server/lib/readConfigFile";
|
||||||
import { withReplicas } from "drizzle-orm/pg-core";
|
import { withReplicas } from "drizzle-orm/pg-core";
|
||||||
import { build } from "@server/build";
|
import { build } from "@server/build";
|
||||||
import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
|
import { db as mainDb } from "./driver";
|
||||||
import { createPool } from "./poolConfig";
|
import { createPool } from "./poolConfig";
|
||||||
|
|
||||||
function createLogsDb() {
|
function createLogsDb() {
|
||||||
@@ -63,8 +63,7 @@ function createLogsDb() {
|
|||||||
})
|
})
|
||||||
);
|
);
|
||||||
} else {
|
} else {
|
||||||
const maxReplicaConnections =
|
const maxReplicaConnections = poolConfig?.max_replica_connections || 20;
|
||||||
poolConfig?.max_replica_connections || 20;
|
|
||||||
for (const conn of replicaConnections) {
|
for (const conn of replicaConnections) {
|
||||||
const replicaPool = createPool(
|
const replicaPool = createPool(
|
||||||
conn.connection_string,
|
conn.connection_string,
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
|
import config from "@server/lib/config";
|
||||||
import { Pool, PoolConfig } from "pg";
|
import { Pool, PoolConfig } from "pg";
|
||||||
import logger from "@server/logger";
|
|
||||||
|
|
||||||
export function createPoolConfig(
|
export function createPoolConfig(
|
||||||
connectionString: string,
|
connectionString: string,
|
||||||
@@ -27,7 +27,7 @@ export function attachPoolErrorHandlers(pool: Pool, label: string): void {
|
|||||||
pool.on("error", (err) => {
|
pool.on("error", (err) => {
|
||||||
// This catches errors on idle clients in the pool. Without this
|
// This catches errors on idle clients in the pool. Without this
|
||||||
// handler an unexpected disconnect would crash the process.
|
// handler an unexpected disconnect would crash the process.
|
||||||
logger.error(
|
console.error(
|
||||||
`Unexpected error on idle ${label} database client: ${err.message}`
|
`Unexpected error on idle ${label} database client: ${err.message}`
|
||||||
);
|
);
|
||||||
});
|
});
|
||||||
@@ -36,10 +36,32 @@ export function attachPoolErrorHandlers(pool: Pool, label: string): void {
|
|||||||
// Set a statement timeout on every new connection so a single slow
|
// Set a statement timeout on every new connection so a single slow
|
||||||
// query can't block the pool forever
|
// query can't block the pool forever
|
||||||
client.query("SET statement_timeout = '30s'").catch((err: Error) => {
|
client.query("SET statement_timeout = '30s'").catch((err: Error) => {
|
||||||
logger.warn(
|
console.warn(
|
||||||
`Failed to set statement_timeout on ${label} client: ${err.message}`
|
`Failed to set statement_timeout on ${label} client: ${err.message}`
|
||||||
);
|
);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
// Disable JIT compilation for this connection. Our hot-path queries
|
||||||
|
// (e.g. resource-by-domain lookups) join many tables but only ever
|
||||||
|
// return a handful of rows. When planner row estimates drift (e.g.
|
||||||
|
// due to autovacuum lag under write-heavy load), Postgres decides
|
||||||
|
// these plans are expensive enough to JIT-compile, which can add
|
||||||
|
// multiple seconds of pure compilation overhead per query and
|
||||||
|
// saturate the connection pool. JIT never pays off for these
|
||||||
|
// short-lived OLTP queries, so it's disabled outright rather than
|
||||||
|
// relying on statistics staying fresh.
|
||||||
|
//
|
||||||
|
// Set via a runtime SET command rather than the `options: "-c
|
||||||
|
// jit=off"` startup parameter: connections in SaaS mode go through
|
||||||
|
// a pooler (e.g. PgBouncer) that rejects arbitrary startup packet
|
||||||
|
// options with a protocol_violation (08P01) error.
|
||||||
|
if (config.getRawConfig().postgres?.pool.jit_mode == false) {
|
||||||
|
client.query("SET jit = off").catch((err: Error) => {
|
||||||
|
console.warn(
|
||||||
|
`Failed to set jit=off on ${label} client: ${err.message}`
|
||||||
|
);
|
||||||
|
});
|
||||||
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -2,6 +2,7 @@ import {
|
|||||||
pgTable,
|
pgTable,
|
||||||
serial,
|
serial,
|
||||||
varchar,
|
varchar,
|
||||||
|
unique,
|
||||||
boolean,
|
boolean,
|
||||||
integer,
|
integer,
|
||||||
bigint,
|
bigint,
|
||||||
@@ -11,7 +12,7 @@ import {
|
|||||||
primaryKey,
|
primaryKey,
|
||||||
uniqueIndex
|
uniqueIndex
|
||||||
} from "drizzle-orm/pg-core";
|
} from "drizzle-orm/pg-core";
|
||||||
import { InferSelectModel } from "drizzle-orm";
|
import { InferSelectModel, sql } from "drizzle-orm";
|
||||||
import {
|
import {
|
||||||
domains,
|
domains,
|
||||||
orgs,
|
orgs,
|
||||||
@@ -19,12 +20,13 @@ import {
|
|||||||
roles,
|
roles,
|
||||||
users,
|
users,
|
||||||
exitNodes,
|
exitNodes,
|
||||||
sessions,
|
|
||||||
clients,
|
|
||||||
resources,
|
resources,
|
||||||
siteResources,
|
siteResources,
|
||||||
targetHealthCheck,
|
targetHealthCheck,
|
||||||
sites
|
sites,
|
||||||
|
clients,
|
||||||
|
sessions,
|
||||||
|
labels
|
||||||
} from "./schema";
|
} from "./schema";
|
||||||
|
|
||||||
export const certificates = pgTable("certificates", {
|
export const certificates = pgTable("certificates", {
|
||||||
@@ -197,6 +199,42 @@ export const remoteExitNodes = pgTable("remoteExitNode", {
|
|||||||
})
|
})
|
||||||
});
|
});
|
||||||
|
|
||||||
|
export const remoteExitNodeResources = pgTable("remoteExitNodeResources", {
|
||||||
|
remoteExitNodeResourceId: serial("remoteExitNodeResourceId").primaryKey(),
|
||||||
|
remoteExitNodeId: varchar("remoteExitNodeId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => remoteExitNodes.remoteExitNodeId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
}),
|
||||||
|
destination: varchar("destination").notNull() // a cidr range
|
||||||
|
});
|
||||||
|
|
||||||
|
export const remoteExitNodePreferenceLabels = pgTable(
|
||||||
|
// this controls what sites are enforced to connect to this node
|
||||||
|
"remoteExitNodePreferenceLabels",
|
||||||
|
{
|
||||||
|
remoteExitNodePreferenceLabelId: serial(
|
||||||
|
"remoteExitNodePreferenceLabelId"
|
||||||
|
).primaryKey(),
|
||||||
|
remoteExitNodeId: varchar("remoteExitNodeId")
|
||||||
|
.references(() => remoteExitNodes.remoteExitNodeId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull(),
|
||||||
|
labelId: integer("labelId")
|
||||||
|
.references(() => labels.labelId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull()
|
||||||
|
},
|
||||||
|
(t) => [
|
||||||
|
unique("remote_exit_node_preference_label_uniq").on(
|
||||||
|
t.remoteExitNodeId,
|
||||||
|
t.labelId
|
||||||
|
)
|
||||||
|
]
|
||||||
|
);
|
||||||
|
|
||||||
export const remoteExitNodeSessions = pgTable("remoteExitNodeSession", {
|
export const remoteExitNodeSessions = pgTable("remoteExitNodeSession", {
|
||||||
sessionId: varchar("id").primaryKey(),
|
sessionId: varchar("id").primaryKey(),
|
||||||
remoteExitNodeId: varchar("remoteExitNodeId")
|
remoteExitNodeId: varchar("remoteExitNodeId")
|
||||||
@@ -207,17 +245,28 @@ export const remoteExitNodeSessions = pgTable("remoteExitNodeSession", {
|
|||||||
expiresAt: bigint("expiresAt", { mode: "number" }).notNull()
|
expiresAt: bigint("expiresAt", { mode: "number" }).notNull()
|
||||||
});
|
});
|
||||||
|
|
||||||
export const loginPage = pgTable("loginPage", {
|
export const loginPage = pgTable(
|
||||||
|
"loginPage",
|
||||||
|
{
|
||||||
loginPageId: serial("loginPageId").primaryKey(),
|
loginPageId: serial("loginPageId").primaryKey(),
|
||||||
subdomain: varchar("subdomain"),
|
subdomain: varchar("subdomain"),
|
||||||
fullDomain: varchar("fullDomain"),
|
fullDomain: varchar("fullDomain"),
|
||||||
exitNodeId: integer("exitNodeId").references(() => exitNodes.exitNodeId, {
|
exitNodeId: integer("exitNodeId").references(
|
||||||
|
() => exitNodes.exitNodeId,
|
||||||
|
{
|
||||||
onDelete: "set null"
|
onDelete: "set null"
|
||||||
}),
|
}
|
||||||
|
),
|
||||||
domainId: varchar("domainId").references(() => domains.domainId, {
|
domainId: varchar("domainId").references(() => domains.domainId, {
|
||||||
onDelete: "set null"
|
onDelete: "set null"
|
||||||
})
|
})
|
||||||
});
|
},
|
||||||
|
(t) => [
|
||||||
|
index("idx_loginpage_fulldomain")
|
||||||
|
.on(t.fullDomain)
|
||||||
|
.where(sql`${t.fullDomain} IS NOT NULL`)
|
||||||
|
]
|
||||||
|
);
|
||||||
|
|
||||||
export const loginPageOrg = pgTable("loginPageOrg", {
|
export const loginPageOrg = pgTable("loginPageOrg", {
|
||||||
loginPageId: integer("loginPageId")
|
loginPageId: integer("loginPageId")
|
||||||
@@ -332,6 +381,7 @@ export const connectionAuditLog = pgTable(
|
|||||||
clientId: integer("clientId").references(() => clients.clientId, {
|
clientId: integer("clientId").references(() => clients.clientId, {
|
||||||
onDelete: "cascade"
|
onDelete: "cascade"
|
||||||
}),
|
}),
|
||||||
|
clientEndpoint: text("clientEndpoint"),
|
||||||
userId: text("userId").references(() => users.userId, {
|
userId: text("userId").references(() => users.userId, {
|
||||||
onDelete: "cascade"
|
onDelete: "cascade"
|
||||||
}),
|
}),
|
||||||
@@ -439,6 +489,8 @@ export const eventStreamingDestinations = pgTable(
|
|||||||
type: varchar("type", { length: 50 }).notNull(), // e.g. "http", "kafka", etc.
|
type: varchar("type", { length: 50 }).notNull(), // e.g. "http", "kafka", etc.
|
||||||
config: text("config").notNull(), // JSON string with the configuration for the destination
|
config: text("config").notNull(), // JSON string with the configuration for the destination
|
||||||
enabled: boolean("enabled").notNull().default(true),
|
enabled: boolean("enabled").notNull().default(true),
|
||||||
|
lastError: text("lastError"), // last send error message, null if healthy
|
||||||
|
lastErrorAt: bigint("lastErrorAt", { mode: "number" }), // epoch ms of last error, null if healthy
|
||||||
createdAt: bigint("createdAt", { mode: "number" }).notNull(),
|
createdAt: bigint("createdAt", { mode: "number" }).notNull(),
|
||||||
updatedAt: bigint("updatedAt", { mode: "number" }).notNull()
|
updatedAt: bigint("updatedAt", { mode: "number" }).notNull()
|
||||||
}
|
}
|
||||||
@@ -566,6 +618,17 @@ export const alertWebhookActions = pgTable("alertWebhookActions", {
|
|||||||
lastSentAt: bigint("lastSentAt", { mode: "number" }) // nullable
|
lastSentAt: bigint("lastSentAt", { mode: "number" }) // nullable
|
||||||
});
|
});
|
||||||
|
|
||||||
|
export const trialNotifications = pgTable("trialNotifications", {
|
||||||
|
notificationId: serial("notificationId").primaryKey(),
|
||||||
|
subscriptionId: varchar("subscriptionId", { length: 255 })
|
||||||
|
.notNull()
|
||||||
|
.references(() => subscriptions.subscriptionId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
}),
|
||||||
|
notificationType: varchar("notificationType", { length: 50 }).notNull(), // trial_ending_5d, trial_ending_24h, trial_ended
|
||||||
|
sentAt: bigint("sentAt", { mode: "number" }).notNull()
|
||||||
|
});
|
||||||
|
|
||||||
export type Approval = InferSelectModel<typeof approvals>;
|
export type Approval = InferSelectModel<typeof approvals>;
|
||||||
export type Limit = InferSelectModel<typeof limits>;
|
export type Limit = InferSelectModel<typeof limits>;
|
||||||
export type Account = InferSelectModel<typeof account>;
|
export type Account = InferSelectModel<typeof account>;
|
||||||
@@ -604,3 +667,12 @@ export type EventStreamingCursor = InferSelectModel<
|
|||||||
typeof eventStreamingCursors
|
typeof eventStreamingCursors
|
||||||
>;
|
>;
|
||||||
export type AlertResources = InferSelectModel<typeof alertResources>;
|
export type AlertResources = InferSelectModel<typeof alertResources>;
|
||||||
|
export type AlertHealthChecks = InferSelectModel<typeof alertHealthChecks>;
|
||||||
|
export type AlertSites = InferSelectModel<typeof alertSites>;
|
||||||
|
export type AlertRules = InferSelectModel<typeof alertRules>;
|
||||||
|
export type AlertEmailActions = InferSelectModel<typeof alertEmailActions>;
|
||||||
|
export type AlertEmailRecipients = InferSelectModel<
|
||||||
|
typeof alertEmailRecipients
|
||||||
|
>;
|
||||||
|
export type AlertWebhookActions = InferSelectModel<typeof alertWebhookActions>;
|
||||||
|
export type TrialNotification = InferSelectModel<typeof trialNotifications>;
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
import { randomUUID } from "crypto";
|
import { randomUUID } from "crypto";
|
||||||
import { InferSelectModel } from "drizzle-orm";
|
import { InferSelectModel, sql } from "drizzle-orm";
|
||||||
import {
|
import {
|
||||||
bigint,
|
bigint,
|
||||||
boolean,
|
boolean,
|
||||||
@@ -25,7 +25,8 @@ export const domains = pgTable("domains", {
|
|||||||
certResolver: varchar("certResolver"),
|
certResolver: varchar("certResolver"),
|
||||||
customCertResolver: varchar("customCertResolver"),
|
customCertResolver: varchar("customCertResolver"),
|
||||||
preferWildcardCert: boolean("preferWildcardCert"),
|
preferWildcardCert: boolean("preferWildcardCert"),
|
||||||
errorMessage: text("errorMessage")
|
errorMessage: text("errorMessage"),
|
||||||
|
lastCheckedAt: integer("lastCheckedAt")
|
||||||
});
|
});
|
||||||
|
|
||||||
export const dnsRecords = pgTable("dnsRecords", {
|
export const dnsRecords = pgTable("dnsRecords", {
|
||||||
@@ -65,7 +66,12 @@ export const orgs = pgTable("orgs", {
|
|||||||
sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
|
sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
|
||||||
sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
|
sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
|
||||||
isBillingOrg: boolean("isBillingOrg"),
|
isBillingOrg: boolean("isBillingOrg"),
|
||||||
billingOrgId: varchar("billingOrgId")
|
billingOrgId: varchar("billingOrgId"),
|
||||||
|
settingsEnableGlobalNewtAutoUpdate: boolean(
|
||||||
|
"settingsEnableGlobalNewtAutoUpdate"
|
||||||
|
)
|
||||||
|
.notNull()
|
||||||
|
.default(false)
|
||||||
});
|
});
|
||||||
|
|
||||||
export const orgDomains = pgTable("orgDomains", {
|
export const orgDomains = pgTable("orgDomains", {
|
||||||
@@ -77,7 +83,9 @@ export const orgDomains = pgTable("orgDomains", {
|
|||||||
.references(() => domains.domainId, { onDelete: "cascade" })
|
.references(() => domains.domainId, { onDelete: "cascade" })
|
||||||
});
|
});
|
||||||
|
|
||||||
export const sites = pgTable("sites", {
|
export const sites = pgTable(
|
||||||
|
"sites",
|
||||||
|
{
|
||||||
siteId: serial("siteId").primaryKey(),
|
siteId: serial("siteId").primaryKey(),
|
||||||
orgId: varchar("orgId")
|
orgId: varchar("orgId")
|
||||||
.references(() => orgs.orgId, {
|
.references(() => orgs.orgId, {
|
||||||
@@ -102,14 +110,44 @@ export const sites = pgTable("sites", {
|
|||||||
publicKey: varchar("publicKey"),
|
publicKey: varchar("publicKey"),
|
||||||
lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
|
lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
|
||||||
listenPort: integer("listenPort"),
|
listenPort: integer("listenPort"),
|
||||||
dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
|
dockerSocketEnabled: boolean("dockerSocketEnabled")
|
||||||
|
.notNull()
|
||||||
|
.default(true),
|
||||||
|
autoUpdateEnabled: boolean("autoUpdateEnabled")
|
||||||
|
.notNull()
|
||||||
|
.default(false),
|
||||||
|
autoUpdateOverrideOrg: boolean("autoUpdateOverrideOrg")
|
||||||
|
.notNull()
|
||||||
|
.default(false),
|
||||||
status: varchar("status")
|
status: varchar("status")
|
||||||
.$type<"pending" | "approved">()
|
.$type<"pending" | "approved">()
|
||||||
.default("approved")
|
.default("approved")
|
||||||
});
|
},
|
||||||
|
(t) => [
|
||||||
|
index("idx_sites_exitnodeid").on(t.exitNodeId),
|
||||||
|
index("idx_sites_exitnode_type_siteid").on(
|
||||||
|
t.exitNodeId,
|
||||||
|
t.type,
|
||||||
|
t.siteId
|
||||||
|
),
|
||||||
|
index("idx_sites_orgid_niceid").on(t.orgId, t.niceId)
|
||||||
|
]
|
||||||
|
);
|
||||||
|
|
||||||
export const resources = pgTable("resources", {
|
export const resources = pgTable(
|
||||||
|
"resources",
|
||||||
|
{
|
||||||
resourceId: serial("resourceId").primaryKey(),
|
resourceId: serial("resourceId").primaryKey(),
|
||||||
|
resourcePolicyId: integer("resourcePolicyId").references(
|
||||||
|
() => resourcePolicies.resourcePolicyId,
|
||||||
|
{ onDelete: "set null" }
|
||||||
|
),
|
||||||
|
defaultResourcePolicyId: integer("defaultResourcePolicyId").references(
|
||||||
|
() => resourcePolicies.resourcePolicyId,
|
||||||
|
{
|
||||||
|
onDelete: "restrict"
|
||||||
|
}
|
||||||
|
),
|
||||||
resourceGuid: varchar("resourceGuid", { length: 36 })
|
resourceGuid: varchar("resourceGuid", { length: 36 })
|
||||||
.unique()
|
.unique()
|
||||||
.notNull()
|
.notNull()
|
||||||
@@ -128,14 +166,10 @@ export const resources = pgTable("resources", {
|
|||||||
}),
|
}),
|
||||||
ssl: boolean("ssl").notNull().default(false),
|
ssl: boolean("ssl").notNull().default(false),
|
||||||
blockAccess: boolean("blockAccess").notNull().default(false),
|
blockAccess: boolean("blockAccess").notNull().default(false),
|
||||||
sso: boolean("sso").notNull().default(true),
|
|
||||||
http: boolean("http").notNull().default(true),
|
|
||||||
protocol: varchar("protocol").notNull(),
|
|
||||||
proxyPort: integer("proxyPort"),
|
proxyPort: integer("proxyPort"),
|
||||||
emailWhitelistEnabled: boolean("emailWhitelistEnabled")
|
sso: boolean("sso"),
|
||||||
.notNull()
|
emailWhitelistEnabled: boolean("emailWhitelistEnabled"),
|
||||||
.default(false),
|
applyRules: boolean("applyRules"),
|
||||||
applyRules: boolean("applyRules").notNull().default(false),
|
|
||||||
enabled: boolean("enabled").notNull().default(true),
|
enabled: boolean("enabled").notNull().default(true),
|
||||||
stickySession: boolean("stickySession").notNull().default(false),
|
stickySession: boolean("stickySession").notNull().default(false),
|
||||||
tlsServerName: varchar("tlsServerName"),
|
tlsServerName: varchar("tlsServerName"),
|
||||||
@@ -147,7 +181,6 @@ export const resources = pgTable("resources", {
|
|||||||
headers: text("headers"), // comma-separated list of headers to add to the request
|
headers: text("headers"), // comma-separated list of headers to add to the request
|
||||||
proxyProtocol: boolean("proxyProtocol").notNull().default(false),
|
proxyProtocol: boolean("proxyProtocol").notNull().default(false),
|
||||||
proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
|
proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
|
||||||
|
|
||||||
maintenanceModeEnabled: boolean("maintenanceModeEnabled")
|
maintenanceModeEnabled: boolean("maintenanceModeEnabled")
|
||||||
.notNull()
|
.notNull()
|
||||||
.default(false),
|
.default(false),
|
||||||
@@ -159,10 +192,126 @@ export const resources = pgTable("resources", {
|
|||||||
maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
|
maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
|
||||||
postAuthPath: text("postAuthPath"),
|
postAuthPath: text("postAuthPath"),
|
||||||
health: varchar("health").default("unknown"), // "healthy", "unhealthy", "unknown"
|
health: varchar("health").default("unknown"), // "healthy", "unhealthy", "unknown"
|
||||||
wildcard: boolean("wildcard").notNull().default(false)
|
wildcard: boolean("wildcard").notNull().default(false),
|
||||||
|
mode: text("mode").default("http").notNull(), // rdp, ssh, http, vnc
|
||||||
|
pamMode: varchar("pamMode", { length: 32 })
|
||||||
|
.$type<"passthrough" | "push">()
|
||||||
|
.default("passthrough"),
|
||||||
|
authDaemonMode: varchar("authDaemonMode", { length: 32 })
|
||||||
|
.$type<"site" | "remote" | "native">()
|
||||||
|
.default("site"),
|
||||||
|
authDaemonPort: integer("authDaemonPort").default(22123)
|
||||||
|
},
|
||||||
|
(t) => [
|
||||||
|
index("idx_resources_fulldomain")
|
||||||
|
.on(t.fullDomain)
|
||||||
|
.where(sql`${t.fullDomain} IS NOT NULL`),
|
||||||
|
index("idx_resources_niceid").on(t.niceId),
|
||||||
|
index("idx_resources_orgid_niceid").on(t.orgId, t.niceId)
|
||||||
|
]
|
||||||
|
);
|
||||||
|
|
||||||
|
export const labels = pgTable("labels", {
|
||||||
|
labelId: serial("labelId").primaryKey(),
|
||||||
|
name: varchar("name").notNull(),
|
||||||
|
color: varchar("color").notNull(),
|
||||||
|
orgId: varchar("orgId")
|
||||||
|
.references(() => orgs.orgId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull()
|
||||||
});
|
});
|
||||||
|
|
||||||
export const targets = pgTable("targets", {
|
export const launcherViews = pgTable("launcherViews", {
|
||||||
|
viewId: serial("viewId").primaryKey(),
|
||||||
|
orgId: varchar("orgId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => orgs.orgId, { onDelete: "cascade" }),
|
||||||
|
userId: varchar("userId").references(() => users.userId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
}),
|
||||||
|
name: varchar("name").notNull(),
|
||||||
|
config: text("config").notNull(),
|
||||||
|
isDefault: boolean("isDefault").notNull().default(false),
|
||||||
|
createdAt: varchar("createdAt").notNull(),
|
||||||
|
updatedAt: varchar("updatedAt").notNull()
|
||||||
|
});
|
||||||
|
|
||||||
|
export const siteLabels = pgTable(
|
||||||
|
"siteLabels",
|
||||||
|
{
|
||||||
|
siteLabelId: serial("siteLabelId").primaryKey(),
|
||||||
|
siteId: integer("siteId")
|
||||||
|
.references(() => sites.siteId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull(),
|
||||||
|
labelId: integer("labelId")
|
||||||
|
.references(() => labels.labelId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull()
|
||||||
|
},
|
||||||
|
(t) => [unique("site_label_uniq").on(t.siteId, t.labelId)]
|
||||||
|
);
|
||||||
|
|
||||||
|
export const resourceLabels = pgTable(
|
||||||
|
"resourceLabels",
|
||||||
|
{
|
||||||
|
resourceLabelId: serial("resourceLabelId").primaryKey(),
|
||||||
|
resourceId: integer("resourceId")
|
||||||
|
.references(() => resources.resourceId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull(),
|
||||||
|
labelId: integer("labelId")
|
||||||
|
.references(() => labels.labelId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull()
|
||||||
|
},
|
||||||
|
(t) => [unique("resource_label_uniq").on(t.resourceId, t.labelId)]
|
||||||
|
);
|
||||||
|
|
||||||
|
export const siteResourceLabels = pgTable(
|
||||||
|
"siteResourceLabels",
|
||||||
|
{
|
||||||
|
siteResourceLabelId: serial("siteResourceLabelId").primaryKey(),
|
||||||
|
siteResourceId: integer("siteResourceId")
|
||||||
|
.references(() => siteResources.siteResourceId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull(),
|
||||||
|
labelId: integer("labelId")
|
||||||
|
.references(() => labels.labelId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull()
|
||||||
|
},
|
||||||
|
(t) => [unique("site_resource_label_uniq").on(t.siteResourceId, t.labelId)]
|
||||||
|
);
|
||||||
|
|
||||||
|
export const clientLabels = pgTable(
|
||||||
|
"clientLabels",
|
||||||
|
{
|
||||||
|
clientLabelId: serial("clientLabelId").primaryKey(),
|
||||||
|
clientId: integer("clientId")
|
||||||
|
.references(() => clients.clientId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull(),
|
||||||
|
labelId: integer("labelId")
|
||||||
|
.references(() => labels.labelId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull()
|
||||||
|
},
|
||||||
|
(t) => [unique("client_label_uniq").on(t.clientId, t.labelId)]
|
||||||
|
);
|
||||||
|
|
||||||
|
export const targets = pgTable(
|
||||||
|
"targets",
|
||||||
|
{
|
||||||
targetId: serial("targetId").primaryKey(),
|
targetId: serial("targetId").primaryKey(),
|
||||||
resourceId: integer("resourceId")
|
resourceId: integer("resourceId")
|
||||||
.references(() => resources.resourceId, {
|
.references(() => resources.resourceId, {
|
||||||
@@ -183,10 +332,24 @@ export const targets = pgTable("targets", {
|
|||||||
pathMatchType: text("pathMatchType"), // exact, prefix, regex
|
pathMatchType: text("pathMatchType"), // exact, prefix, regex
|
||||||
rewritePath: text("rewritePath"), // if set, rewrites the path to this value before sending to the target
|
rewritePath: text("rewritePath"), // if set, rewrites the path to this value before sending to the target
|
||||||
rewritePathType: text("rewritePathType"), // exact, prefix, regex, stripPrefix
|
rewritePathType: text("rewritePathType"), // exact, prefix, regex, stripPrefix
|
||||||
priority: integer("priority").notNull().default(100)
|
priority: integer("priority").notNull().default(100),
|
||||||
});
|
mode: varchar("mode")
|
||||||
|
.$type<"http" | "tcp" | "udp" | "ssh" | "rdp" | "vnc">()
|
||||||
|
.notNull()
|
||||||
|
.default("http"),
|
||||||
|
authToken: varchar("authToken")
|
||||||
|
},
|
||||||
|
(t) => [
|
||||||
|
index("idx_targets_resourceid_siteid").on(t.resourceId, t.siteId),
|
||||||
|
index("idx_targets_site_enabled_priority_target_resource")
|
||||||
|
.on(t.siteId, t.priority.desc(), t.targetId, t.resourceId)
|
||||||
|
.where(sql`${t.enabled} = true`)
|
||||||
|
]
|
||||||
|
);
|
||||||
|
|
||||||
export const targetHealthCheck = pgTable("targetHealthCheck", {
|
export const targetHealthCheck = pgTable(
|
||||||
|
"targetHealthCheck",
|
||||||
|
{
|
||||||
targetHealthCheckId: serial("targetHealthCheckId").primaryKey(),
|
targetHealthCheckId: serial("targetHealthCheckId").primaryKey(),
|
||||||
targetId: integer("targetId").references(() => targets.targetId, {
|
targetId: integer("targetId").references(() => targets.targetId, {
|
||||||
onDelete: "cascade"
|
onDelete: "cascade"
|
||||||
@@ -196,9 +359,11 @@ export const targetHealthCheck = pgTable("targetHealthCheck", {
|
|||||||
onDelete: "cascade"
|
onDelete: "cascade"
|
||||||
})
|
})
|
||||||
.notNull(),
|
.notNull(),
|
||||||
siteId: integer("siteId").references(() => sites.siteId, {
|
siteId: integer("siteId")
|
||||||
|
.references(() => sites.siteId, {
|
||||||
onDelete: "cascade"
|
onDelete: "cascade"
|
||||||
}).notNull(),
|
})
|
||||||
|
.notNull(),
|
||||||
name: varchar("name"),
|
name: varchar("name"),
|
||||||
hcEnabled: boolean("hcEnabled").notNull().default(false),
|
hcEnabled: boolean("hcEnabled").notNull().default(false),
|
||||||
hcPath: varchar("hcPath"),
|
hcPath: varchar("hcPath"),
|
||||||
@@ -219,7 +384,9 @@ export const targetHealthCheck = pgTable("targetHealthCheck", {
|
|||||||
hcTlsServerName: text("hcTlsServerName"),
|
hcTlsServerName: text("hcTlsServerName"),
|
||||||
hcHealthyThreshold: integer("hcHealthyThreshold").default(1),
|
hcHealthyThreshold: integer("hcHealthyThreshold").default(1),
|
||||||
hcUnhealthyThreshold: integer("hcUnhealthyThreshold").default(1)
|
hcUnhealthyThreshold: integer("hcUnhealthyThreshold").default(1)
|
||||||
});
|
},
|
||||||
|
(t) => [index("idx_targethealthcheck_targetid").on(t.targetId)]
|
||||||
|
);
|
||||||
|
|
||||||
export const exitNodes = pgTable("exitNodes", {
|
export const exitNodes = pgTable("exitNodes", {
|
||||||
exitNodeId: serial("exitNodeId").primaryKey(),
|
exitNodeId: serial("exitNodeId").primaryKey(),
|
||||||
@@ -236,7 +403,9 @@ export const exitNodes = pgTable("exitNodes", {
|
|||||||
region: varchar("region")
|
region: varchar("region")
|
||||||
});
|
});
|
||||||
|
|
||||||
export const siteResources = pgTable("siteResources", {
|
export const siteResources = pgTable(
|
||||||
|
"siteResources",
|
||||||
|
{
|
||||||
// this is for the clients
|
// this is for the clients
|
||||||
siteResourceId: serial("siteResourceId").primaryKey(),
|
siteResourceId: serial("siteResourceId").primaryKey(),
|
||||||
orgId: varchar("orgId")
|
orgId: varchar("orgId")
|
||||||
@@ -254,29 +423,42 @@ export const siteResources = pgTable("siteResources", {
|
|||||||
niceId: varchar("niceId").notNull(),
|
niceId: varchar("niceId").notNull(),
|
||||||
name: varchar("name").notNull(),
|
name: varchar("name").notNull(),
|
||||||
ssl: boolean("ssl").notNull().default(false),
|
ssl: boolean("ssl").notNull().default(false),
|
||||||
mode: varchar("mode").$type<"host" | "cidr" | "http">().notNull(), // "host" | "cidr" | "http"
|
mode: varchar("mode")
|
||||||
|
.$type<"host" | "cidr" | "http" | "ssh">()
|
||||||
|
.notNull(), // "host" | "cidr" | "http"
|
||||||
scheme: varchar("scheme").$type<"http" | "https">(), // only for when we are doing https or http mode
|
scheme: varchar("scheme").$type<"http" | "https">(), // only for when we are doing https or http mode
|
||||||
proxyPort: integer("proxyPort"), // only for port mode
|
proxyPort: integer("proxyPort"), // only for port mode
|
||||||
destinationPort: integer("destinationPort"), // only for port mode
|
destinationPort: integer("destinationPort"), // only for port mode
|
||||||
destination: varchar("destination").notNull(), // ip, cidr, hostname; validate against the mode
|
destination: varchar("destination"), // ip, cidr, hostname; validate against the mode
|
||||||
enabled: boolean("enabled").notNull().default(true),
|
enabled: boolean("enabled").notNull().default(true),
|
||||||
alias: varchar("alias"),
|
alias: varchar("alias"),
|
||||||
aliasAddress: varchar("aliasAddress"),
|
aliasAddress: varchar("aliasAddress"),
|
||||||
tcpPortRangeString: varchar("tcpPortRangeString").notNull().default("*"),
|
tcpPortRangeString: varchar("tcpPortRangeString")
|
||||||
udpPortRangeString: varchar("udpPortRangeString").notNull().default("*"),
|
.notNull()
|
||||||
|
.default("*"),
|
||||||
|
udpPortRangeString: varchar("udpPortRangeString")
|
||||||
|
.notNull()
|
||||||
|
.default("*"),
|
||||||
disableIcmp: boolean("disableIcmp").notNull().default(false),
|
disableIcmp: boolean("disableIcmp").notNull().default(false),
|
||||||
authDaemonPort: integer("authDaemonPort").default(22123),
|
authDaemonPort: integer("authDaemonPort").default(22123),
|
||||||
|
pamMode: varchar("pamMode", { length: 32 })
|
||||||
|
.$type<"passthrough" | "push">()
|
||||||
|
.default("passthrough"),
|
||||||
authDaemonMode: varchar("authDaemonMode", { length: 32 })
|
authDaemonMode: varchar("authDaemonMode", { length: 32 })
|
||||||
.$type<"site" | "remote">()
|
.$type<"site" | "remote" | "native">()
|
||||||
.default("site"),
|
.default("site"),
|
||||||
domainId: varchar("domainId").references(() => domains.domainId, {
|
domainId: varchar("domainId").references(() => domains.domainId, {
|
||||||
onDelete: "set null"
|
onDelete: "set null"
|
||||||
}),
|
}),
|
||||||
subdomain: varchar("subdomain"),
|
subdomain: varchar("subdomain"),
|
||||||
fullDomain: varchar("fullDomain")
|
fullDomain: varchar("fullDomain")
|
||||||
});
|
},
|
||||||
|
(t) => [index("idx_siteresources_orgid_niceid").on(t.orgId, t.niceId)]
|
||||||
|
);
|
||||||
|
|
||||||
export const networks = pgTable("networks", {
|
export const networks = pgTable(
|
||||||
|
"networks",
|
||||||
|
{
|
||||||
networkId: serial("networkId").primaryKey(),
|
networkId: serial("networkId").primaryKey(),
|
||||||
niceId: text("niceId"),
|
niceId: text("niceId"),
|
||||||
name: text("name"),
|
name: text("name"),
|
||||||
@@ -289,9 +471,13 @@ export const networks = pgTable("networks", {
|
|||||||
onDelete: "cascade"
|
onDelete: "cascade"
|
||||||
})
|
})
|
||||||
.notNull()
|
.notNull()
|
||||||
});
|
},
|
||||||
|
(t) => [index("idx_networks_orgid").on(t.orgId)]
|
||||||
|
);
|
||||||
|
|
||||||
export const siteNetworks = pgTable("siteNetworks", {
|
export const siteNetworks = pgTable(
|
||||||
|
"siteNetworks",
|
||||||
|
{
|
||||||
siteId: integer("siteId")
|
siteId: integer("siteId")
|
||||||
.notNull()
|
.notNull()
|
||||||
.references(() => sites.siteId, {
|
.references(() => sites.siteId, {
|
||||||
@@ -300,34 +486,63 @@ export const siteNetworks = pgTable("siteNetworks", {
|
|||||||
networkId: integer("networkId")
|
networkId: integer("networkId")
|
||||||
.notNull()
|
.notNull()
|
||||||
.references(() => networks.networkId, { onDelete: "cascade" })
|
.references(() => networks.networkId, { onDelete: "cascade" })
|
||||||
});
|
},
|
||||||
|
(t) => [
|
||||||
|
index("idx_sitenetworks_siteid").on(t.siteId),
|
||||||
|
index("idx_sitenetworks_networkid").on(t.networkId)
|
||||||
|
]
|
||||||
|
);
|
||||||
|
|
||||||
export const clientSiteResources = pgTable("clientSiteResources", {
|
export const clientSiteResources = pgTable(
|
||||||
|
"clientSiteResources",
|
||||||
|
{
|
||||||
clientId: integer("clientId")
|
clientId: integer("clientId")
|
||||||
.notNull()
|
.notNull()
|
||||||
.references(() => clients.clientId, { onDelete: "cascade" }),
|
.references(() => clients.clientId, { onDelete: "cascade" }),
|
||||||
siteResourceId: integer("siteResourceId")
|
siteResourceId: integer("siteResourceId")
|
||||||
.notNull()
|
.notNull()
|
||||||
.references(() => siteResources.siteResourceId, { onDelete: "cascade" })
|
.references(() => siteResources.siteResourceId, {
|
||||||
});
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
},
|
||||||
|
(t) => [
|
||||||
|
index("idx_clientsiteresources_clientid").on(t.clientId),
|
||||||
|
index("idx_clientsiteresources_siteresourceid").on(t.siteResourceId)
|
||||||
|
]
|
||||||
|
);
|
||||||
|
|
||||||
export const roleSiteResources = pgTable("roleSiteResources", {
|
export const roleSiteResources = pgTable(
|
||||||
|
"roleSiteResources",
|
||||||
|
{
|
||||||
roleId: integer("roleId")
|
roleId: integer("roleId")
|
||||||
.notNull()
|
.notNull()
|
||||||
.references(() => roles.roleId, { onDelete: "cascade" }),
|
.references(() => roles.roleId, { onDelete: "cascade" }),
|
||||||
siteResourceId: integer("siteResourceId")
|
siteResourceId: integer("siteResourceId")
|
||||||
.notNull()
|
.notNull()
|
||||||
.references(() => siteResources.siteResourceId, { onDelete: "cascade" })
|
.references(() => siteResources.siteResourceId, {
|
||||||
});
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
},
|
||||||
|
(t) => [index("idx_rolesiteresources_siteresourceid").on(t.siteResourceId)]
|
||||||
|
);
|
||||||
|
|
||||||
export const userSiteResources = pgTable("userSiteResources", {
|
export const userSiteResources = pgTable(
|
||||||
|
"userSiteResources",
|
||||||
|
{
|
||||||
userId: varchar("userId")
|
userId: varchar("userId")
|
||||||
.notNull()
|
.notNull()
|
||||||
.references(() => users.userId, { onDelete: "cascade" }),
|
.references(() => users.userId, { onDelete: "cascade" }),
|
||||||
siteResourceId: integer("siteResourceId")
|
siteResourceId: integer("siteResourceId")
|
||||||
.notNull()
|
.notNull()
|
||||||
.references(() => siteResources.siteResourceId, { onDelete: "cascade" })
|
.references(() => siteResources.siteResourceId, {
|
||||||
});
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
},
|
||||||
|
(t) => [
|
||||||
|
index("idx_usersiteresources_userid").on(t.userId),
|
||||||
|
index("idx_usersiteresources_siteresourceid").on(t.siteResourceId)
|
||||||
|
]
|
||||||
|
);
|
||||||
|
|
||||||
export const users = pgTable("user", {
|
export const users = pgTable("user", {
|
||||||
userId: varchar("id").primaryKey(),
|
userId: varchar("id").primaryKey(),
|
||||||
@@ -352,7 +567,9 @@ export const users = pgTable("user", {
|
|||||||
locale: varchar("locale")
|
locale: varchar("locale")
|
||||||
});
|
});
|
||||||
|
|
||||||
export const newts = pgTable("newt", {
|
export const newts = pgTable(
|
||||||
|
"newt",
|
||||||
|
{
|
||||||
newtId: varchar("id").primaryKey(),
|
newtId: varchar("id").primaryKey(),
|
||||||
secretHash: varchar("secretHash").notNull(),
|
secretHash: varchar("secretHash").notNull(),
|
||||||
dateCreated: varchar("dateCreated").notNull(),
|
dateCreated: varchar("dateCreated").notNull(),
|
||||||
@@ -360,7 +577,9 @@ export const newts = pgTable("newt", {
|
|||||||
siteId: integer("siteId").references(() => sites.siteId, {
|
siteId: integer("siteId").references(() => sites.siteId, {
|
||||||
onDelete: "cascade"
|
onDelete: "cascade"
|
||||||
})
|
})
|
||||||
});
|
},
|
||||||
|
(t) => [index("idx_newt_siteid").on(t.siteId)]
|
||||||
|
);
|
||||||
|
|
||||||
export const twoFactorBackupCodes = pgTable("twoFactorBackupCodes", {
|
export const twoFactorBackupCodes = pgTable("twoFactorBackupCodes", {
|
||||||
codeId: serial("id").primaryKey(),
|
codeId: serial("id").primaryKey(),
|
||||||
@@ -461,7 +680,9 @@ export const userOrgRoles = pgTable(
|
|||||||
(t) => [unique().on(t.userId, t.orgId, t.roleId)]
|
(t) => [unique().on(t.userId, t.orgId, t.roleId)]
|
||||||
);
|
);
|
||||||
|
|
||||||
export const roleActions = pgTable("roleActions", {
|
export const roleActions = pgTable(
|
||||||
|
"roleActions",
|
||||||
|
{
|
||||||
roleId: integer("roleId")
|
roleId: integer("roleId")
|
||||||
.notNull()
|
.notNull()
|
||||||
.references(() => roles.roleId, { onDelete: "cascade" }),
|
.references(() => roles.roleId, { onDelete: "cascade" }),
|
||||||
@@ -471,9 +692,19 @@ export const roleActions = pgTable("roleActions", {
|
|||||||
orgId: varchar("orgId")
|
orgId: varchar("orgId")
|
||||||
.notNull()
|
.notNull()
|
||||||
.references(() => orgs.orgId, { onDelete: "cascade" })
|
.references(() => orgs.orgId, { onDelete: "cascade" })
|
||||||
});
|
},
|
||||||
|
(t) => [
|
||||||
|
index("idx_roleActions_roleId_orgId_actionId").on(
|
||||||
|
t.roleId,
|
||||||
|
t.orgId,
|
||||||
|
t.actionId
|
||||||
|
)
|
||||||
|
]
|
||||||
|
);
|
||||||
|
|
||||||
export const userActions = pgTable("userActions", {
|
export const userActions = pgTable(
|
||||||
|
"userActions",
|
||||||
|
{
|
||||||
userId: varchar("userId")
|
userId: varchar("userId")
|
||||||
.notNull()
|
.notNull()
|
||||||
.references(() => users.userId, { onDelete: "cascade" }),
|
.references(() => users.userId, { onDelete: "cascade" }),
|
||||||
@@ -483,7 +714,15 @@ export const userActions = pgTable("userActions", {
|
|||||||
orgId: varchar("orgId")
|
orgId: varchar("orgId")
|
||||||
.notNull()
|
.notNull()
|
||||||
.references(() => orgs.orgId, { onDelete: "cascade" })
|
.references(() => orgs.orgId, { onDelete: "cascade" })
|
||||||
});
|
},
|
||||||
|
(t) => [
|
||||||
|
index("idx_userActions_userId_orgId_actionId").on(
|
||||||
|
t.userId,
|
||||||
|
t.orgId,
|
||||||
|
t.actionId
|
||||||
|
)
|
||||||
|
]
|
||||||
|
);
|
||||||
|
|
||||||
export const roleSites = pgTable("roleSites", {
|
export const roleSites = pgTable("roleSites", {
|
||||||
roleId: integer("roleId")
|
roleId: integer("roleId")
|
||||||
@@ -521,6 +760,38 @@ export const userResources = pgTable("userResources", {
|
|||||||
.references(() => resources.resourceId, { onDelete: "cascade" })
|
.references(() => resources.resourceId, { onDelete: "cascade" })
|
||||||
});
|
});
|
||||||
|
|
||||||
|
export const rolePolicies = pgTable("rolePolicies", {
|
||||||
|
roleId: integer("roleId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => roles.roleId, { onDelete: "cascade" }),
|
||||||
|
resourcePolicyId: integer("resourcePolicyId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => resourcePolicies.resourcePolicyId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
});
|
||||||
|
|
||||||
|
export const userPolicies = pgTable("userPolicies", {
|
||||||
|
userId: varchar("userId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => users.userId, { onDelete: "cascade" }),
|
||||||
|
resourcePolicyId: integer("resourcePolicyId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => resourcePolicies.resourcePolicyId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
});
|
||||||
|
|
||||||
|
export const resourcePolicyWhiteList = pgTable("resourcePolicyWhitelist", {
|
||||||
|
whitelistId: serial("id").primaryKey(),
|
||||||
|
email: varchar("email").notNull(),
|
||||||
|
resourcePolicyId: integer("resourcePolicyId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => resourcePolicies.resourcePolicyId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
});
|
||||||
|
|
||||||
export const userInvites = pgTable("userInvites", {
|
export const userInvites = pgTable("userInvites", {
|
||||||
inviteId: varchar("inviteId").primaryKey(),
|
inviteId: varchar("inviteId").primaryKey(),
|
||||||
orgId: varchar("orgId")
|
orgId: varchar("orgId")
|
||||||
@@ -586,6 +857,40 @@ export const resourceHeaderAuthExtendedCompatibility = pgTable(
|
|||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
||||||
|
export const resourcePolicyPincode = pgTable("resourcePolicyPincode", {
|
||||||
|
pincodeId: serial("pincodeId").primaryKey(),
|
||||||
|
pincodeHash: varchar("pincodeHash").notNull(),
|
||||||
|
digitLength: integer("digitLength").notNull(),
|
||||||
|
resourcePolicyId: integer("resourcePolicyId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => resourcePolicies.resourcePolicyId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
});
|
||||||
|
|
||||||
|
export const resourcePolicyPassword = pgTable("resourcePolicyPassword", {
|
||||||
|
passwordId: serial("passwordId").primaryKey(),
|
||||||
|
passwordHash: varchar("passwordHash").notNull(),
|
||||||
|
resourcePolicyId: integer("resourcePolicyId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => resourcePolicies.resourcePolicyId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
});
|
||||||
|
|
||||||
|
export const resourcePolicyHeaderAuth = pgTable("resourcePolicyHeaderAuth", {
|
||||||
|
headerAuthId: serial("headerAuthId").primaryKey(),
|
||||||
|
headerAuthHash: varchar("headerAuthHash").notNull(),
|
||||||
|
extendedCompatibility: boolean("extendedCompatibility")
|
||||||
|
.notNull()
|
||||||
|
.default(true),
|
||||||
|
resourcePolicyId: integer("resourcePolicyId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => resourcePolicies.resourcePolicyId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
});
|
||||||
|
|
||||||
export const resourceAccessToken = pgTable("resourceAccessToken", {
|
export const resourceAccessToken = pgTable("resourceAccessToken", {
|
||||||
accessTokenId: varchar("accessTokenId").primaryKey(),
|
accessTokenId: varchar("accessTokenId").primaryKey(),
|
||||||
orgId: varchar("orgId")
|
orgId: varchar("orgId")
|
||||||
@@ -594,6 +899,7 @@ export const resourceAccessToken = pgTable("resourceAccessToken", {
|
|||||||
resourceId: integer("resourceId")
|
resourceId: integer("resourceId")
|
||||||
.notNull()
|
.notNull()
|
||||||
.references(() => resources.resourceId, { onDelete: "cascade" }),
|
.references(() => resources.resourceId, { onDelete: "cascade" }),
|
||||||
|
path: varchar("path"),
|
||||||
tokenHash: varchar("tokenHash").notNull(),
|
tokenHash: varchar("tokenHash").notNull(),
|
||||||
sessionLength: bigint("sessionLength", { mode: "number" }).notNull(),
|
sessionLength: bigint("sessionLength", { mode: "number" }).notNull(),
|
||||||
expiresAt: bigint("expiresAt", { mode: "number" }),
|
expiresAt: bigint("expiresAt", { mode: "number" }),
|
||||||
@@ -641,6 +947,24 @@ export const resourceSessions = pgTable("resourceSessions", {
|
|||||||
onDelete: "cascade"
|
onDelete: "cascade"
|
||||||
}
|
}
|
||||||
),
|
),
|
||||||
|
policyPasswordId: integer("policyPasswordId").references(
|
||||||
|
() => resourcePolicyPassword.passwordId,
|
||||||
|
{
|
||||||
|
onDelete: "cascade"
|
||||||
|
}
|
||||||
|
),
|
||||||
|
policyPincodeId: integer("policyPincodeId").references(
|
||||||
|
() => resourcePolicyPincode.pincodeId,
|
||||||
|
{
|
||||||
|
onDelete: "cascade"
|
||||||
|
}
|
||||||
|
),
|
||||||
|
policyWhitelistId: integer("policyWhitelistId").references(
|
||||||
|
() => resourcePolicyWhiteList.whitelistId,
|
||||||
|
{
|
||||||
|
onDelete: "cascade"
|
||||||
|
}
|
||||||
|
),
|
||||||
issuedAt: bigint("issuedAt", { mode: "number" })
|
issuedAt: bigint("issuedAt", { mode: "number" })
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -675,10 +999,71 @@ export const resourceRules = pgTable("resourceRules", {
|
|||||||
enabled: boolean("enabled").notNull().default(true),
|
enabled: boolean("enabled").notNull().default(true),
|
||||||
priority: integer("priority").notNull(),
|
priority: integer("priority").notNull(),
|
||||||
action: varchar("action").notNull(), // ACCEPT, DROP, PASS
|
action: varchar("action").notNull(), // ACCEPT, DROP, PASS
|
||||||
match: varchar("match").notNull(), // CIDR, PATH, IP
|
match: varchar("match")
|
||||||
|
.$type<
|
||||||
|
| "CIDR"
|
||||||
|
| "PATH"
|
||||||
|
| "IP"
|
||||||
|
| "COUNTRY"
|
||||||
|
| "COUNTRY_IS_NOT"
|
||||||
|
| "ASN"
|
||||||
|
| "REGION"
|
||||||
|
>()
|
||||||
|
.notNull(), // CIDR, PATH, IP
|
||||||
value: varchar("value").notNull()
|
value: varchar("value").notNull()
|
||||||
});
|
});
|
||||||
|
|
||||||
|
export const resourcePolicyRules = pgTable("resourcePolicyRules", {
|
||||||
|
ruleId: serial("ruleId").primaryKey(),
|
||||||
|
resourcePolicyId: integer("resourcePolicyId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => resourcePolicies.resourcePolicyId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
}),
|
||||||
|
enabled: boolean("enabled").notNull().default(true),
|
||||||
|
priority: integer("priority").notNull(),
|
||||||
|
action: varchar("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
|
||||||
|
match: varchar("match")
|
||||||
|
.$type<
|
||||||
|
| "CIDR"
|
||||||
|
| "PATH"
|
||||||
|
| "IP"
|
||||||
|
| "COUNTRY"
|
||||||
|
| "COUNTRY_IS_NOT"
|
||||||
|
| "ASN"
|
||||||
|
| "REGION"
|
||||||
|
>()
|
||||||
|
.notNull(),
|
||||||
|
value: varchar("value").notNull()
|
||||||
|
});
|
||||||
|
|
||||||
|
export const resourcePolicies = pgTable(
|
||||||
|
"resourcePolicies",
|
||||||
|
{
|
||||||
|
resourcePolicyId: serial("resourcePolicyId").primaryKey(),
|
||||||
|
sso: boolean("sso").notNull().default(true),
|
||||||
|
applyRules: boolean("applyRules").notNull().default(false),
|
||||||
|
scope: varchar("scope")
|
||||||
|
.$type<"global" | "resource">()
|
||||||
|
.notNull()
|
||||||
|
.default("global"),
|
||||||
|
emailWhitelistEnabled: boolean("emailWhitelistEnabled")
|
||||||
|
.notNull()
|
||||||
|
.default(false),
|
||||||
|
idpId: integer("idpId").references(() => idp.idpId, {
|
||||||
|
onDelete: "set null"
|
||||||
|
}),
|
||||||
|
niceId: text("niceId").notNull(),
|
||||||
|
name: varchar("name").notNull(),
|
||||||
|
orgId: varchar("orgId")
|
||||||
|
.references(() => orgs.orgId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull()
|
||||||
|
},
|
||||||
|
(t) => [index("idx_resourcepolicies_orgid_niceid").on(t.orgId, t.niceId)]
|
||||||
|
);
|
||||||
|
|
||||||
export const supporterKey = pgTable("supporterKey", {
|
export const supporterKey = pgTable("supporterKey", {
|
||||||
keyId: serial("keyId").primaryKey(),
|
keyId: serial("keyId").primaryKey(),
|
||||||
key: varchar("key").notNull(),
|
key: varchar("key").notNull(),
|
||||||
@@ -765,7 +1150,9 @@ export const idpOrg = pgTable("idpOrg", {
|
|||||||
orgMapping: varchar("orgMapping")
|
orgMapping: varchar("orgMapping")
|
||||||
});
|
});
|
||||||
|
|
||||||
export const clients = pgTable("clients", {
|
export const clients = pgTable(
|
||||||
|
"clients",
|
||||||
|
{
|
||||||
clientId: serial("clientId").primaryKey(),
|
clientId: serial("clientId").primaryKey(),
|
||||||
orgId: varchar("orgId")
|
orgId: varchar("orgId")
|
||||||
.references(() => orgs.orgId, {
|
.references(() => orgs.orgId, {
|
||||||
@@ -798,7 +1185,12 @@ export const clients = pgTable("clients", {
|
|||||||
approvalState: varchar("approvalState").$type<
|
approvalState: varchar("approvalState").$type<
|
||||||
"pending" | "approved" | "denied"
|
"pending" | "approved" | "denied"
|
||||||
>()
|
>()
|
||||||
});
|
},
|
||||||
|
(t) => [
|
||||||
|
index("idx_clients_userid").on(t.userId),
|
||||||
|
index("idx_clients_orgid_niceid").on(t.orgId, t.niceId)
|
||||||
|
]
|
||||||
|
);
|
||||||
|
|
||||||
export const clientSitesAssociationsCache = pgTable(
|
export const clientSitesAssociationsCache = pgTable(
|
||||||
"clientSitesAssociationsCache",
|
"clientSitesAssociationsCache",
|
||||||
@@ -810,7 +1202,11 @@ export const clientSitesAssociationsCache = pgTable(
|
|||||||
isJitMode: boolean("isJitMode").notNull().default(false),
|
isJitMode: boolean("isJitMode").notNull().default(false),
|
||||||
endpoint: varchar("endpoint"),
|
endpoint: varchar("endpoint"),
|
||||||
publicKey: varchar("publicKey") // this will act as the session's public key for hole punching so we can track when it changes
|
publicKey: varchar("publicKey") // this will act as the session's public key for hole punching so we can track when it changes
|
||||||
}
|
},
|
||||||
|
(t) => [
|
||||||
|
primaryKey({ columns: [t.clientId, t.siteId] }),
|
||||||
|
index("idx_clientsitesassociationscache_siteid").on(t.siteId)
|
||||||
|
]
|
||||||
);
|
);
|
||||||
|
|
||||||
export const clientSiteResourcesAssociationsCache = pgTable(
|
export const clientSiteResourcesAssociationsCache = pgTable(
|
||||||
@@ -819,7 +1215,14 @@ export const clientSiteResourcesAssociationsCache = pgTable(
|
|||||||
clientId: integer("clientId") // not a foreign key here so after its deleted the rebuild function can delete it and send the message
|
clientId: integer("clientId") // not a foreign key here so after its deleted the rebuild function can delete it and send the message
|
||||||
.notNull(),
|
.notNull(),
|
||||||
siteResourceId: integer("siteResourceId").notNull()
|
siteResourceId: integer("siteResourceId").notNull()
|
||||||
}
|
},
|
||||||
|
(t) => [
|
||||||
|
primaryKey({ columns: [t.clientId, t.siteResourceId] }),
|
||||||
|
index("idx_clientSiteResourcesAssociationsCache_siteResourceId").on(
|
||||||
|
t.siteResourceId,
|
||||||
|
t.clientId
|
||||||
|
)
|
||||||
|
]
|
||||||
);
|
);
|
||||||
|
|
||||||
export const clientPostureSnapshots = pgTable("clientPostureSnapshots", {
|
export const clientPostureSnapshots = pgTable("clientPostureSnapshots", {
|
||||||
@@ -832,7 +1235,9 @@ export const clientPostureSnapshots = pgTable("clientPostureSnapshots", {
|
|||||||
collectedAt: integer("collectedAt").notNull()
|
collectedAt: integer("collectedAt").notNull()
|
||||||
});
|
});
|
||||||
|
|
||||||
export const olms = pgTable("olms", {
|
export const olms = pgTable(
|
||||||
|
"olms",
|
||||||
|
{
|
||||||
olmId: varchar("id").primaryKey(),
|
olmId: varchar("id").primaryKey(),
|
||||||
secretHash: varchar("secretHash").notNull(),
|
secretHash: varchar("secretHash").notNull(),
|
||||||
dateCreated: varchar("dateCreated").notNull(),
|
dateCreated: varchar("dateCreated").notNull(),
|
||||||
@@ -848,7 +1253,9 @@ export const olms = pgTable("olms", {
|
|||||||
onDelete: "cascade"
|
onDelete: "cascade"
|
||||||
}),
|
}),
|
||||||
archived: boolean("archived").notNull().default(false)
|
archived: boolean("archived").notNull().default(false)
|
||||||
});
|
},
|
||||||
|
(t) => [index("idx_olms_clientid").on(t.clientId)]
|
||||||
|
);
|
||||||
|
|
||||||
export const currentFingerprint = pgTable("currentFingerprint", {
|
export const currentFingerprint = pgTable("currentFingerprint", {
|
||||||
fingerprintId: serial("id").primaryKey(),
|
fingerprintId: serial("id").primaryKey(),
|
||||||
@@ -1097,7 +1504,9 @@ export const roundTripMessageTracker = pgTable("roundTripMessageTracker", {
|
|||||||
complete: boolean("complete").notNull().default(false)
|
complete: boolean("complete").notNull().default(false)
|
||||||
});
|
});
|
||||||
|
|
||||||
export const statusHistory = pgTable("statusHistory", {
|
export const statusHistory = pgTable(
|
||||||
|
"statusHistory",
|
||||||
|
{
|
||||||
id: serial("id").primaryKey(),
|
id: serial("id").primaryKey(),
|
||||||
entityType: varchar("entityType").notNull(),
|
entityType: varchar("entityType").notNull(),
|
||||||
entityId: integer("entityId").notNull(),
|
entityId: integer("entityId").notNull(),
|
||||||
@@ -1105,11 +1514,20 @@ export const statusHistory = pgTable("statusHistory", {
|
|||||||
.notNull()
|
.notNull()
|
||||||
.references(() => orgs.orgId, { onDelete: "cascade" }),
|
.references(() => orgs.orgId, { onDelete: "cascade" }),
|
||||||
status: varchar("status").notNull(),
|
status: varchar("status").notNull(),
|
||||||
timestamp: integer("timestamp").notNull(),
|
timestamp: integer("timestamp").notNull()
|
||||||
}, (table) => [
|
},
|
||||||
index("idx_statusHistory_entity").on(table.entityType, table.entityId, table.timestamp),
|
(table) => [
|
||||||
index("idx_statusHistory_org_timestamp").on(table.orgId, table.timestamp),
|
index("idx_statusHistory_entity").on(
|
||||||
]);
|
table.entityType,
|
||||||
|
table.entityId,
|
||||||
|
table.timestamp
|
||||||
|
),
|
||||||
|
index("idx_statusHistory_org_timestamp").on(
|
||||||
|
table.orgId,
|
||||||
|
table.timestamp
|
||||||
|
)
|
||||||
|
]
|
||||||
|
);
|
||||||
|
|
||||||
export type Org = InferSelectModel<typeof orgs>;
|
export type Org = InferSelectModel<typeof orgs>;
|
||||||
export type User = InferSelectModel<typeof users>;
|
export type User = InferSelectModel<typeof users>;
|
||||||
@@ -1147,6 +1565,16 @@ export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<
|
|||||||
export type ResourceOtp = InferSelectModel<typeof resourceOtp>;
|
export type ResourceOtp = InferSelectModel<typeof resourceOtp>;
|
||||||
export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>;
|
export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>;
|
||||||
export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;
|
export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;
|
||||||
|
export type ResourcePolicyPincode = InferSelectModel<
|
||||||
|
typeof resourcePolicyPincode
|
||||||
|
>;
|
||||||
|
export type ResourcePolicyPassword = InferSelectModel<
|
||||||
|
typeof resourcePolicyPassword
|
||||||
|
>;
|
||||||
|
export type ResourcePolicyHeaderAuth = InferSelectModel<
|
||||||
|
typeof resourcePolicyHeaderAuth
|
||||||
|
>;
|
||||||
|
|
||||||
export type VersionMigration = InferSelectModel<typeof versionMigrations>;
|
export type VersionMigration = InferSelectModel<typeof versionMigrations>;
|
||||||
export type ResourceRule = InferSelectModel<typeof resourceRules>;
|
export type ResourceRule = InferSelectModel<typeof resourceRules>;
|
||||||
export type Domain = InferSelectModel<typeof domains>;
|
export type Domain = InferSelectModel<typeof domains>;
|
||||||
@@ -1179,3 +1607,9 @@ export type RoundTripMessageTracker = InferSelectModel<
|
|||||||
>;
|
>;
|
||||||
export type Network = InferSelectModel<typeof networks>;
|
export type Network = InferSelectModel<typeof networks>;
|
||||||
export type StatusHistory = InferSelectModel<typeof statusHistory>;
|
export type StatusHistory = InferSelectModel<typeof statusHistory>;
|
||||||
|
export type Label = InferSelectModel<typeof labels>;
|
||||||
|
export type LauncherView = InferSelectModel<typeof launcherViews>;
|
||||||
|
export type ResourcePolicy = InferSelectModel<typeof resourcePolicies>;
|
||||||
|
export type RolePolicy = InferSelectModel<typeof rolePolicies>;
|
||||||
|
export type UserPolicy = InferSelectModel<typeof userPolicies>;
|
||||||
|
export type ResourcePolicyRule = InferSelectModel<typeof resourcePolicyRules>;
|
||||||
|
|||||||
@@ -17,22 +17,37 @@ import {
|
|||||||
resourceHeaderAuth,
|
resourceHeaderAuth,
|
||||||
ResourceHeaderAuth,
|
ResourceHeaderAuth,
|
||||||
resourceRules,
|
resourceRules,
|
||||||
|
resourcePolicyRules,
|
||||||
resources,
|
resources,
|
||||||
roleResources,
|
roleResources,
|
||||||
|
rolePolicies,
|
||||||
sessions,
|
sessions,
|
||||||
userResources,
|
userResources,
|
||||||
|
userPolicies,
|
||||||
users,
|
users,
|
||||||
ResourceHeaderAuthExtendedCompatibility,
|
ResourceHeaderAuthExtendedCompatibility,
|
||||||
resourceHeaderAuthExtendedCompatibility
|
resourceHeaderAuthExtendedCompatibility,
|
||||||
|
resourcePolicies,
|
||||||
|
resourcePolicyPincode,
|
||||||
|
ResourcePolicyPincode,
|
||||||
|
resourcePolicyPassword,
|
||||||
|
ResourcePolicyPassword,
|
||||||
|
resourcePolicyHeaderAuth,
|
||||||
|
ResourcePolicyHeaderAuth
|
||||||
} from "@server/db";
|
} from "@server/db";
|
||||||
import { and, eq, inArray, or, sql } from "drizzle-orm";
|
import { alias } from "@server/db";
|
||||||
|
import { and, eq, inArray, isNull, or, sql } from "drizzle-orm";
|
||||||
|
import logger from "@server/logger";
|
||||||
|
|
||||||
export type ResourceWithAuth = {
|
export type ResourceWithAuth = {
|
||||||
resource: Resource | null;
|
resource: Resource | null;
|
||||||
pincode: ResourcePincode | null;
|
pincode: ResourcePincode | ResourcePolicyPincode | null;
|
||||||
password: ResourcePassword | null;
|
password: ResourcePassword | ResourcePolicyPassword | null;
|
||||||
headerAuth: ResourceHeaderAuth | null;
|
headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
|
||||||
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
|
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
|
||||||
|
applyRules: boolean | null;
|
||||||
|
sso: boolean | null;
|
||||||
|
emailWhitelistEnabled: boolean | null;
|
||||||
org: Org;
|
org: Org;
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -57,6 +72,33 @@ export async function getResourceByDomain(
|
|||||||
wildcardCandidates.push(`*.${parts.slice(i).join(".")}`);
|
wildcardCandidates.push(`*.${parts.slice(i).join(".")}`);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const sharedPolicy = alias(resourcePolicies, "sharedPolicy");
|
||||||
|
const defaultPolicy = alias(resourcePolicies, "defaultPolicy");
|
||||||
|
const sharedPolicyPincode = alias(
|
||||||
|
resourcePolicyPincode,
|
||||||
|
"sharedPolicyPincode"
|
||||||
|
);
|
||||||
|
const defaultPolicyPincode = alias(
|
||||||
|
resourcePolicyPincode,
|
||||||
|
"defaultPolicyPincode"
|
||||||
|
);
|
||||||
|
const sharedPolicyPassword = alias(
|
||||||
|
resourcePolicyPassword,
|
||||||
|
"sharedPolicyPassword"
|
||||||
|
);
|
||||||
|
const defaultPolicyPassword = alias(
|
||||||
|
resourcePolicyPassword,
|
||||||
|
"defaultPolicyPassword"
|
||||||
|
);
|
||||||
|
const sharedPolicyHeaderAuth = alias(
|
||||||
|
resourcePolicyHeaderAuth,
|
||||||
|
"sharedPolicyHeaderAuth"
|
||||||
|
);
|
||||||
|
const defaultPolicyHeaderAuth = alias(
|
||||||
|
resourcePolicyHeaderAuth,
|
||||||
|
"defaultPolicyHeaderAuth"
|
||||||
|
);
|
||||||
|
|
||||||
const potentialResults = await db
|
const potentialResults = await db
|
||||||
.select()
|
.select()
|
||||||
.from(resources)
|
.from(resources)
|
||||||
@@ -79,6 +121,59 @@ export async function getResourceByDomain(
|
|||||||
resources.resourceId
|
resources.resourceId
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
.leftJoin(
|
||||||
|
sharedPolicy,
|
||||||
|
eq(sharedPolicy.resourcePolicyId, resources.resourcePolicyId)
|
||||||
|
)
|
||||||
|
.leftJoin(
|
||||||
|
sharedPolicyPincode,
|
||||||
|
eq(
|
||||||
|
sharedPolicyPincode.resourcePolicyId,
|
||||||
|
sharedPolicy.resourcePolicyId
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.leftJoin(
|
||||||
|
sharedPolicyPassword,
|
||||||
|
eq(
|
||||||
|
sharedPolicyPassword.resourcePolicyId,
|
||||||
|
sharedPolicy.resourcePolicyId
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.leftJoin(
|
||||||
|
sharedPolicyHeaderAuth,
|
||||||
|
eq(
|
||||||
|
sharedPolicyHeaderAuth.resourcePolicyId,
|
||||||
|
sharedPolicy.resourcePolicyId
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.leftJoin(
|
||||||
|
defaultPolicy,
|
||||||
|
eq(
|
||||||
|
defaultPolicy.resourcePolicyId,
|
||||||
|
resources.defaultResourcePolicyId
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.leftJoin(
|
||||||
|
defaultPolicyPincode,
|
||||||
|
eq(
|
||||||
|
defaultPolicyPincode.resourcePolicyId,
|
||||||
|
defaultPolicy.resourcePolicyId
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.leftJoin(
|
||||||
|
defaultPolicyPassword,
|
||||||
|
eq(
|
||||||
|
defaultPolicyPassword.resourcePolicyId,
|
||||||
|
defaultPolicy.resourcePolicyId
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.leftJoin(
|
||||||
|
defaultPolicyHeaderAuth,
|
||||||
|
eq(
|
||||||
|
defaultPolicyHeaderAuth.resourcePolicyId,
|
||||||
|
defaultPolicy.resourcePolicyId
|
||||||
|
)
|
||||||
|
)
|
||||||
.innerJoin(orgs, eq(orgs.orgId, resources.orgId))
|
.innerJoin(orgs, eq(orgs.orgId, resources.orgId))
|
||||||
.where(
|
.where(
|
||||||
or(
|
or(
|
||||||
@@ -108,13 +203,51 @@ export async function getResourceByDomain(
|
|||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If a shared (custom) policy is assigned to the resource, use ONLY
|
||||||
|
// its values — do not fall back to the default policy. The default
|
||||||
|
// policy is only consulted when no shared policy is assigned at all.
|
||||||
|
const hasSharedPolicy = result.sharedPolicy !== null;
|
||||||
|
|
||||||
|
const effectivePolicyPincode = hasSharedPolicy
|
||||||
|
? result.sharedPolicyPincode
|
||||||
|
: (result.defaultPolicyPincode ?? null);
|
||||||
|
const effectivePolicyPassword = hasSharedPolicy
|
||||||
|
? result.sharedPolicyPassword
|
||||||
|
: (result.defaultPolicyPassword ?? null);
|
||||||
|
const effectivePolicyHeaderAuth = hasSharedPolicy
|
||||||
|
? result.sharedPolicyHeaderAuth
|
||||||
|
: (result.defaultPolicyHeaderAuth ?? null);
|
||||||
|
const selectedPolicy = hasSharedPolicy
|
||||||
|
? result.sharedPolicy
|
||||||
|
: result.defaultPolicy;
|
||||||
|
const effectiveApplyRules =
|
||||||
|
selectedPolicy?.applyRules ?? result.resources.applyRules;
|
||||||
|
const effectiveSSO = selectedPolicy?.sso ?? result.resources.sso;
|
||||||
|
const effectiveEmailWhitelistEnabled =
|
||||||
|
selectedPolicy?.emailWhitelistEnabled ??
|
||||||
|
result.resources.emailWhitelistEnabled;
|
||||||
|
|
||||||
return {
|
return {
|
||||||
resource: result.resources,
|
resource: {
|
||||||
pincode: result.resourcePincode,
|
...result.resources,
|
||||||
password: result.resourcePassword,
|
applyRules: effectiveApplyRules,
|
||||||
headerAuth: result.resourceHeaderAuth,
|
sso: effectiveSSO,
|
||||||
headerAuthExtendedCompatibility:
|
emailWhitelistEnabled: effectiveEmailWhitelistEnabled
|
||||||
result.resourceHeaderAuthExtendedCompatibility,
|
}, // doing this for backward compatability so the remote nodes get the value as part of the resource struct
|
||||||
|
pincode: effectivePolicyPincode ?? result.resourcePincode,
|
||||||
|
password: effectivePolicyPassword ?? result.resourcePassword,
|
||||||
|
headerAuth: effectivePolicyHeaderAuth ?? result.resourceHeaderAuth,
|
||||||
|
headerAuthExtendedCompatibility: effectivePolicyHeaderAuth
|
||||||
|
? ({
|
||||||
|
headerAuthExtendedCompatibilityId: 0,
|
||||||
|
resourceId: result.resources.resourceId,
|
||||||
|
extendedCompatibilityIsActivated:
|
||||||
|
effectivePolicyHeaderAuth.extendedCompatibility
|
||||||
|
} as ResourceHeaderAuthExtendedCompatibility)
|
||||||
|
: result.resourceHeaderAuthExtendedCompatibility,
|
||||||
|
applyRules: effectiveApplyRules,
|
||||||
|
sso: effectiveSSO,
|
||||||
|
emailWhitelistEnabled: effectiveEmailWhitelistEnabled,
|
||||||
org: result.orgs
|
org: result.orgs
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
@@ -154,13 +287,14 @@ export async function getRoleName(roleId: number): Promise<string | null> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check if role has access to resource
|
* Check if role has access to resource (direct or via resource policy)
|
||||||
*/
|
*/
|
||||||
export async function getRoleResourceAccess(
|
export async function getRoleResourceAccess(
|
||||||
resourceId: number,
|
resourceId: number,
|
||||||
roleIds: number[]
|
roleIds: number[]
|
||||||
) {
|
) {
|
||||||
const roleResourceAccess = await db
|
const [direct, viaPolicies] = await Promise.all([
|
||||||
|
db
|
||||||
.select()
|
.select()
|
||||||
.from(roleResources)
|
.from(roleResources)
|
||||||
.where(
|
.where(
|
||||||
@@ -168,19 +302,52 @@ export async function getRoleResourceAccess(
|
|||||||
eq(roleResources.resourceId, resourceId),
|
eq(roleResources.resourceId, resourceId),
|
||||||
inArray(roleResources.roleId, roleIds)
|
inArray(roleResources.roleId, roleIds)
|
||||||
)
|
)
|
||||||
);
|
),
|
||||||
|
db
|
||||||
|
.select({
|
||||||
|
roleId: rolePolicies.roleId,
|
||||||
|
resourcePolicyId: rolePolicies.resourcePolicyId
|
||||||
|
})
|
||||||
|
.from(rolePolicies)
|
||||||
|
.innerJoin(
|
||||||
|
resources,
|
||||||
|
// Shared policy wins; only use default policy when no shared
|
||||||
|
// policy is assigned to the resource.
|
||||||
|
or(
|
||||||
|
eq(
|
||||||
|
resources.resourcePolicyId,
|
||||||
|
rolePolicies.resourcePolicyId
|
||||||
|
),
|
||||||
|
and(
|
||||||
|
isNull(resources.resourcePolicyId),
|
||||||
|
eq(
|
||||||
|
resources.defaultResourcePolicyId,
|
||||||
|
rolePolicies.resourcePolicyId
|
||||||
|
)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(resources.resourceId, resourceId),
|
||||||
|
inArray(rolePolicies.roleId, roleIds)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
]);
|
||||||
|
|
||||||
return roleResourceAccess.length > 0 ? roleResourceAccess : null;
|
const combined = [...direct, ...viaPolicies];
|
||||||
|
return combined.length > 0 ? combined : null;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check if user has direct access to resource
|
* Check if user has access to resource (direct or via resource policy)
|
||||||
*/
|
*/
|
||||||
export async function getUserResourceAccess(
|
export async function getUserResourceAccess(
|
||||||
userId: string,
|
userId: string,
|
||||||
resourceId: number
|
resourceId: number
|
||||||
) {
|
) {
|
||||||
const userResourceAccess = await db
|
const [direct, viaPolicies] = await Promise.all([
|
||||||
|
db
|
||||||
.select()
|
.select()
|
||||||
.from(userResources)
|
.from(userResources)
|
||||||
.where(
|
.where(
|
||||||
@@ -189,23 +356,96 @@ export async function getUserResourceAccess(
|
|||||||
eq(userResources.resourceId, resourceId)
|
eq(userResources.resourceId, resourceId)
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
.limit(1);
|
.limit(1),
|
||||||
|
db
|
||||||
|
.select({
|
||||||
|
userId: userPolicies.userId,
|
||||||
|
resourcePolicyId: userPolicies.resourcePolicyId
|
||||||
|
})
|
||||||
|
.from(userPolicies)
|
||||||
|
.innerJoin(
|
||||||
|
resources,
|
||||||
|
// Shared policy wins; only use default policy when no shared
|
||||||
|
// policy is assigned to the resource.
|
||||||
|
or(
|
||||||
|
eq(
|
||||||
|
resources.resourcePolicyId,
|
||||||
|
userPolicies.resourcePolicyId
|
||||||
|
),
|
||||||
|
and(
|
||||||
|
isNull(resources.resourcePolicyId),
|
||||||
|
eq(
|
||||||
|
resources.defaultResourcePolicyId,
|
||||||
|
userPolicies.resourcePolicyId
|
||||||
|
)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(resources.resourceId, resourceId),
|
||||||
|
eq(userPolicies.userId, userId)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.limit(1)
|
||||||
|
]);
|
||||||
|
|
||||||
return userResourceAccess.length > 0 ? userResourceAccess[0] : null;
|
return direct[0] ?? viaPolicies[0] ?? null;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get resource rules for a given resource
|
* Get resource rules for a given resource (direct and via resource policy)
|
||||||
*/
|
*/
|
||||||
export async function getResourceRules(
|
export async function getResourceRules(
|
||||||
resourceId: number
|
resourceId: number
|
||||||
): Promise<ResourceRule[]> {
|
): Promise<ResourceRule[]> {
|
||||||
const rules = await db
|
const [directRules, policyRules] = await Promise.all([
|
||||||
|
db
|
||||||
.select()
|
.select()
|
||||||
.from(resourceRules)
|
.from(resourceRules)
|
||||||
.where(eq(resourceRules.resourceId, resourceId));
|
.where(eq(resourceRules.resourceId, resourceId)),
|
||||||
|
db
|
||||||
|
.select({
|
||||||
|
ruleId: resourcePolicyRules.ruleId,
|
||||||
|
resourceId: sql<number>`${resourceId}`,
|
||||||
|
enabled: resourcePolicyRules.enabled,
|
||||||
|
priority: resourcePolicyRules.priority,
|
||||||
|
action: resourcePolicyRules.action,
|
||||||
|
match: resourcePolicyRules.match,
|
||||||
|
value: resourcePolicyRules.value
|
||||||
|
})
|
||||||
|
.from(resourcePolicyRules)
|
||||||
|
.innerJoin(
|
||||||
|
resources,
|
||||||
|
// Shared policy wins; only use default policy when no shared
|
||||||
|
// policy is assigned to the resource.
|
||||||
|
or(
|
||||||
|
eq(
|
||||||
|
resources.resourcePolicyId,
|
||||||
|
resourcePolicyRules.resourcePolicyId
|
||||||
|
),
|
||||||
|
and(
|
||||||
|
isNull(resources.resourcePolicyId),
|
||||||
|
eq(
|
||||||
|
resources.defaultResourcePolicyId,
|
||||||
|
resourcePolicyRules.resourcePolicyId
|
||||||
|
)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.where(eq(resources.resourceId, resourceId))
|
||||||
|
]);
|
||||||
|
|
||||||
return rules;
|
const maxDirectPriority = directRules.reduce(
|
||||||
|
(max, r) => Math.max(max, r.priority),
|
||||||
|
0
|
||||||
|
);
|
||||||
|
const offsetPolicyRules = policyRules.map((r) => ({
|
||||||
|
...r,
|
||||||
|
priority: maxDirectPriority + r.priority
|
||||||
|
}));
|
||||||
|
|
||||||
|
return [...directRules, ...offsetPolicyRules] as ResourceRule[];
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
@@ -13,6 +13,30 @@ bootstrapVolume();
|
|||||||
|
|
||||||
function createDb() {
|
function createDb() {
|
||||||
const sqlite = new Database(location);
|
const sqlite = new Database(location);
|
||||||
|
|
||||||
|
if (process.env.ENABLE_SQLITE_WAL_MODE == "true") {
|
||||||
|
// Enable WAL mode — allows concurrent readers + single writer, preventing
|
||||||
|
// contention across subsystems (verifySession, Traefik, audit, ping).
|
||||||
|
// NOTE: journal_mode persists in the DB file once set; unsetting this
|
||||||
|
// env var does NOT revert an existing WAL database.
|
||||||
|
sqlite.pragma("journal_mode = WAL");
|
||||||
|
// NORMAL sync mode: safe with WAL, reduces write lock hold time.
|
||||||
|
sqlite.pragma("synchronous = NORMAL");
|
||||||
|
}
|
||||||
|
|
||||||
|
// No busy_timeout pragma: better-sqlite3 already arms
|
||||||
|
// sqlite3_busy_timeout(db, 5000) via its default `timeout` option
|
||||||
|
// (lib/database.js), so an explicit pragma is redundant.
|
||||||
|
|
||||||
|
// Intentionally NOT setting cache_size or mmap_size: a large page cache plus
|
||||||
|
// a multi-hundred-MB mmap region inflate RSS and cause page-cache thrashing
|
||||||
|
// on small (~1 GB) instances. Leave SQLite on its conservative defaults.
|
||||||
|
|
||||||
|
// Intentionally NOT wrapping prepare()/statements: better-sqlite3 finalizes
|
||||||
|
// sqlite3_stmt in the Statement destructor at GC, and drizzle-orm prepares a
|
||||||
|
// fresh statement per query (no statement cache), so statements cannot
|
||||||
|
// accumulate. better-sqlite3 11.x exposes no Statement.finalize() at all.
|
||||||
|
|
||||||
return DrizzleSqlite(sqlite, {
|
return DrizzleSqlite(sqlite, {
|
||||||
schema
|
schema
|
||||||
});
|
});
|
||||||
@@ -23,7 +47,7 @@ export default db;
|
|||||||
export const primaryDb = db;
|
export const primaryDb = db;
|
||||||
export type Transaction = Parameters<
|
export type Transaction = Parameters<
|
||||||
Parameters<(typeof db)["transaction"]>[0]
|
Parameters<(typeof db)["transaction"]>[0]
|
||||||
>[0];
|
>[0];
|
||||||
export const DB_TYPE: "pg" | "sqlite" = "sqlite";
|
export const DB_TYPE: "pg" | "sqlite" = "sqlite";
|
||||||
|
|
||||||
function checkFileExists(filePath: string): boolean {
|
function checkFileExists(filePath: string): boolean {
|
||||||
|
|||||||
@@ -4,3 +4,4 @@ export * from "./safeRead";
|
|||||||
export * from "./schema/schema";
|
export * from "./schema/schema";
|
||||||
export * from "./schema/privateSchema";
|
export * from "./schema/privateSchema";
|
||||||
export * from "./migrate";
|
export * from "./migrate";
|
||||||
|
export { alias } from "drizzle-orm/sqlite-core";
|
||||||
|
|||||||
@@ -12,6 +12,7 @@ import {
|
|||||||
clients,
|
clients,
|
||||||
domains,
|
domains,
|
||||||
exitNodes,
|
exitNodes,
|
||||||
|
labels,
|
||||||
orgs,
|
orgs,
|
||||||
resources,
|
resources,
|
||||||
roles,
|
roles,
|
||||||
@@ -192,6 +193,44 @@ export const remoteExitNodes = sqliteTable("remoteExitNode", {
|
|||||||
})
|
})
|
||||||
});
|
});
|
||||||
|
|
||||||
|
export const remoteExitNodeResources = sqliteTable("remoteExitNodeResources", {
|
||||||
|
remoteExitNodeResourceId: integer("remoteExitNodeResourceId").primaryKey({
|
||||||
|
autoIncrement: true
|
||||||
|
}),
|
||||||
|
remoteExitNodeId: text("remoteExitNodeId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => remoteExitNodes.remoteExitNodeId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
}),
|
||||||
|
destination: text("destination").notNull() // a cidr range
|
||||||
|
});
|
||||||
|
|
||||||
|
export const remoteExitNodePreferenceLabels = sqliteTable(
|
||||||
|
// this controls what sites are enforced to connect to this node
|
||||||
|
"remoteExitNodePreferenceLabels",
|
||||||
|
{
|
||||||
|
remoteExitNodePreferenceLabelId: integer(
|
||||||
|
"remoteExitNodePreferenceLabelId"
|
||||||
|
).primaryKey({ autoIncrement: true }),
|
||||||
|
remoteExitNodeId: text("remoteExitNodeId")
|
||||||
|
.references(() => remoteExitNodes.remoteExitNodeId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull(),
|
||||||
|
labelId: integer("labelId")
|
||||||
|
.references(() => labels.labelId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull()
|
||||||
|
},
|
||||||
|
(t) => [
|
||||||
|
uniqueIndex("remote_exit_node_preference_label_uniq").on(
|
||||||
|
t.remoteExitNodeId,
|
||||||
|
t.labelId
|
||||||
|
)
|
||||||
|
]
|
||||||
|
);
|
||||||
|
|
||||||
export const remoteExitNodeSessions = sqliteTable("remoteExitNodeSession", {
|
export const remoteExitNodeSessions = sqliteTable("remoteExitNodeSession", {
|
||||||
sessionId: text("id").primaryKey(),
|
sessionId: text("id").primaryKey(),
|
||||||
remoteExitNodeId: text("remoteExitNodeId")
|
remoteExitNodeId: text("remoteExitNodeId")
|
||||||
@@ -329,6 +368,7 @@ export const connectionAuditLog = sqliteTable(
|
|||||||
clientId: integer("clientId").references(() => clients.clientId, {
|
clientId: integer("clientId").references(() => clients.clientId, {
|
||||||
onDelete: "cascade"
|
onDelete: "cascade"
|
||||||
}),
|
}),
|
||||||
|
clientEndpoint: text("clientEndpoint"),
|
||||||
userId: text("userId").references(() => users.userId, {
|
userId: text("userId").references(() => users.userId, {
|
||||||
onDelete: "cascade"
|
onDelete: "cascade"
|
||||||
}),
|
}),
|
||||||
@@ -442,6 +482,8 @@ export const eventStreamingDestinations = sqliteTable(
|
|||||||
enabled: integer("enabled", { mode: "boolean" })
|
enabled: integer("enabled", { mode: "boolean" })
|
||||||
.notNull()
|
.notNull()
|
||||||
.default(true),
|
.default(true),
|
||||||
|
lastError: text("lastError"), // last send error message, null if healthy
|
||||||
|
lastErrorAt: integer("lastErrorAt"), // epoch ms of last error, null if healthy
|
||||||
createdAt: integer("createdAt").notNull(),
|
createdAt: integer("createdAt").notNull(),
|
||||||
updatedAt: integer("updatedAt").notNull()
|
updatedAt: integer("updatedAt").notNull()
|
||||||
}
|
}
|
||||||
@@ -569,6 +611,19 @@ export const alertWebhookActions = sqliteTable("alertWebhookActions", {
|
|||||||
lastSentAt: integer("lastSentAt")
|
lastSentAt: integer("lastSentAt")
|
||||||
});
|
});
|
||||||
|
|
||||||
|
export const trialNotifications = sqliteTable("trialNotifications", {
|
||||||
|
notificationId: integer("notificationId").primaryKey({
|
||||||
|
autoIncrement: true
|
||||||
|
}),
|
||||||
|
subscriptionId: text("subscriptionId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => subscriptions.subscriptionId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
}),
|
||||||
|
notificationType: text("notificationType").notNull(), // trial_ending_5d, trial_ending_24h, trial_ended
|
||||||
|
sentAt: integer("sentAt").notNull()
|
||||||
|
});
|
||||||
|
|
||||||
export type Approval = InferSelectModel<typeof approvals>;
|
export type Approval = InferSelectModel<typeof approvals>;
|
||||||
export type Limit = InferSelectModel<typeof limits>;
|
export type Limit = InferSelectModel<typeof limits>;
|
||||||
export type Account = InferSelectModel<typeof account>;
|
export type Account = InferSelectModel<typeof account>;
|
||||||
@@ -601,3 +656,10 @@ export type EventStreamingCursor = InferSelectModel<
|
|||||||
typeof eventStreamingCursors
|
typeof eventStreamingCursors
|
||||||
>;
|
>;
|
||||||
export type AlertResources = InferSelectModel<typeof alertResources>;
|
export type AlertResources = InferSelectModel<typeof alertResources>;
|
||||||
|
export type AlertHealthChecks = InferSelectModel<typeof alertHealthChecks>;
|
||||||
|
export type AlertSites = InferSelectModel<typeof alertSites>;
|
||||||
|
export type AlertRule = InferSelectModel<typeof alertRules>;
|
||||||
|
export type AlertEmailAction = InferSelectModel<typeof alertEmailActions>;
|
||||||
|
export type AlertEmailRecipient = InferSelectModel<typeof alertEmailRecipients>;
|
||||||
|
export type AlertWebhookAction = InferSelectModel<typeof alertWebhookActions>;
|
||||||
|
export type TrialNotification = InferSelectModel<typeof trialNotifications>;
|
||||||
|
|||||||
@@ -20,8 +20,10 @@ export const domains = sqliteTable("domains", {
|
|||||||
failed: integer("failed", { mode: "boolean" }).notNull().default(false),
|
failed: integer("failed", { mode: "boolean" }).notNull().default(false),
|
||||||
tries: integer("tries").notNull().default(0),
|
tries: integer("tries").notNull().default(0),
|
||||||
certResolver: text("certResolver"),
|
certResolver: text("certResolver"),
|
||||||
|
customCertResolver: text("customCertResolver"),
|
||||||
preferWildcardCert: integer("preferWildcardCert", { mode: "boolean" }),
|
preferWildcardCert: integer("preferWildcardCert", { mode: "boolean" }),
|
||||||
errorMessage: text("errorMessage")
|
errorMessage: text("errorMessage"),
|
||||||
|
lastCheckedAt: integer("lastCheckedAt")
|
||||||
});
|
});
|
||||||
|
|
||||||
export const dnsRecords = sqliteTable("dnsRecords", {
|
export const dnsRecords = sqliteTable("dnsRecords", {
|
||||||
@@ -62,7 +64,13 @@ export const orgs = sqliteTable("orgs", {
|
|||||||
sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
|
sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
|
||||||
sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
|
sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
|
||||||
isBillingOrg: integer("isBillingOrg", { mode: "boolean" }),
|
isBillingOrg: integer("isBillingOrg", { mode: "boolean" }),
|
||||||
billingOrgId: text("billingOrgId")
|
billingOrgId: text("billingOrgId"),
|
||||||
|
settingsEnableGlobalNewtAutoUpdate: integer(
|
||||||
|
"settingsEnableGlobalNewtAutoUpdate",
|
||||||
|
{ mode: "boolean" }
|
||||||
|
)
|
||||||
|
.notNull()
|
||||||
|
.default(false)
|
||||||
});
|
});
|
||||||
|
|
||||||
export const userDomains = sqliteTable("userDomains", {
|
export const userDomains = sqliteTable("userDomains", {
|
||||||
@@ -116,11 +124,29 @@ export const sites = sqliteTable("sites", {
|
|||||||
dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
|
dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
|
||||||
.notNull()
|
.notNull()
|
||||||
.default(true),
|
.default(true),
|
||||||
|
autoUpdateEnabled: integer("autoUpdateEnabled", { mode: "boolean" })
|
||||||
|
.notNull()
|
||||||
|
.default(false),
|
||||||
|
autoUpdateOverrideOrg: integer("autoUpdateOverrideOrg", {
|
||||||
|
mode: "boolean"
|
||||||
|
})
|
||||||
|
.notNull()
|
||||||
|
.default(false),
|
||||||
status: text("status").$type<"pending" | "approved">().default("approved")
|
status: text("status").$type<"pending" | "approved">().default("approved")
|
||||||
});
|
});
|
||||||
|
|
||||||
export const resources = sqliteTable("resources", {
|
export const resources = sqliteTable("resources", {
|
||||||
resourceId: integer("resourceId").primaryKey({ autoIncrement: true }),
|
resourceId: integer("resourceId").primaryKey({ autoIncrement: true }),
|
||||||
|
resourcePolicyId: integer("resourcePolicyId").references(
|
||||||
|
() => resourcePolicies.resourcePolicyId,
|
||||||
|
{ onDelete: "set null" }
|
||||||
|
),
|
||||||
|
defaultResourcePolicyId: integer("defaultResourcePolicyId").references(
|
||||||
|
() => resourcePolicies.resourcePolicyId,
|
||||||
|
{
|
||||||
|
onDelete: "restrict"
|
||||||
|
}
|
||||||
|
),
|
||||||
resourceGuid: text("resourceGuid", { length: 36 })
|
resourceGuid: text("resourceGuid", { length: 36 })
|
||||||
.unique()
|
.unique()
|
||||||
.notNull()
|
.notNull()
|
||||||
@@ -141,16 +167,12 @@ export const resources = sqliteTable("resources", {
|
|||||||
blockAccess: integer("blockAccess", { mode: "boolean" })
|
blockAccess: integer("blockAccess", { mode: "boolean" })
|
||||||
.notNull()
|
.notNull()
|
||||||
.default(false),
|
.default(false),
|
||||||
sso: integer("sso", { mode: "boolean" }).notNull().default(true),
|
|
||||||
http: integer("http", { mode: "boolean" }).notNull().default(true),
|
|
||||||
protocol: text("protocol").notNull(),
|
|
||||||
proxyPort: integer("proxyPort"),
|
proxyPort: integer("proxyPort"),
|
||||||
emailWhitelistEnabled: integer("emailWhitelistEnabled", { mode: "boolean" })
|
sso: integer("sso", { mode: "boolean" }),
|
||||||
.notNull()
|
emailWhitelistEnabled: integer("emailWhitelistEnabled", {
|
||||||
.default(false),
|
mode: "boolean"
|
||||||
applyRules: integer("applyRules", { mode: "boolean" })
|
}),
|
||||||
.notNull()
|
applyRules: integer("applyRules", { mode: "boolean" }),
|
||||||
.default(false),
|
|
||||||
enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
|
enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
|
||||||
stickySession: integer("stickySession", { mode: "boolean" })
|
stickySession: integer("stickySession", { mode: "boolean" })
|
||||||
.notNull()
|
.notNull()
|
||||||
@@ -166,7 +188,6 @@ export const resources = sqliteTable("resources", {
|
|||||||
.notNull()
|
.notNull()
|
||||||
.default(false),
|
.default(false),
|
||||||
proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
|
proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
|
||||||
|
|
||||||
maintenanceModeEnabled: integer("maintenanceModeEnabled", {
|
maintenanceModeEnabled: integer("maintenanceModeEnabled", {
|
||||||
mode: "boolean"
|
mode: "boolean"
|
||||||
})
|
})
|
||||||
@@ -180,9 +201,123 @@ export const resources = sqliteTable("resources", {
|
|||||||
maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
|
maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
|
||||||
postAuthPath: text("postAuthPath"),
|
postAuthPath: text("postAuthPath"),
|
||||||
health: text("health").default("unknown"), // "healthy", "unhealthy", "unknown"
|
health: text("health").default("unknown"), // "healthy", "unhealthy", "unknown"
|
||||||
wildcard: integer("wildcard", { mode: "boolean" }).notNull().default(false)
|
wildcard: integer("wildcard", { mode: "boolean" }).notNull().default(false),
|
||||||
|
mode: text("mode").default("http").notNull(), // rdp, ssh, http, vnc
|
||||||
|
pamMode: text("pamMode")
|
||||||
|
.$type<"passthrough" | "push">()
|
||||||
|
.default("passthrough"),
|
||||||
|
authDaemonMode: text("authDaemonMode")
|
||||||
|
.$type<"site" | "remote" | "native">()
|
||||||
|
.default("site"),
|
||||||
|
authDaemonPort: integer("authDaemonPort").default(22123)
|
||||||
});
|
});
|
||||||
|
|
||||||
|
export const labels = sqliteTable("labels", {
|
||||||
|
labelId: integer("labelId").primaryKey({ autoIncrement: true }),
|
||||||
|
name: text("name").notNull(),
|
||||||
|
color: text("color").notNull(),
|
||||||
|
orgId: text("orgId")
|
||||||
|
.references(() => orgs.orgId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull()
|
||||||
|
});
|
||||||
|
|
||||||
|
export const launcherViews = sqliteTable("launcherViews", {
|
||||||
|
viewId: integer("viewId").primaryKey({ autoIncrement: true }),
|
||||||
|
orgId: text("orgId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => orgs.orgId, { onDelete: "cascade" }),
|
||||||
|
userId: text("userId").references(() => users.userId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
}),
|
||||||
|
name: text("name").notNull(),
|
||||||
|
config: text("config").notNull(),
|
||||||
|
isDefault: integer("isDefault", { mode: "boolean" })
|
||||||
|
.notNull()
|
||||||
|
.default(false),
|
||||||
|
createdAt: text("createdAt").notNull(),
|
||||||
|
updatedAt: text("updatedAt").notNull()
|
||||||
|
});
|
||||||
|
|
||||||
|
export const siteLabels = sqliteTable(
|
||||||
|
"siteLabels",
|
||||||
|
{
|
||||||
|
siteLabelId: integer("siteLabelId").primaryKey({ autoIncrement: true }),
|
||||||
|
siteId: integer("siteId")
|
||||||
|
.references(() => sites.siteId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull(),
|
||||||
|
labelId: integer("labelId")
|
||||||
|
.references(() => labels.labelId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull()
|
||||||
|
},
|
||||||
|
(t) => [unique("site_label_uniq").on(t.siteId, t.labelId)]
|
||||||
|
);
|
||||||
|
|
||||||
|
export const resourceLabels = sqliteTable(
|
||||||
|
"resourceLabels",
|
||||||
|
{
|
||||||
|
resourceLabelId: integer("resourceLabelId").primaryKey({
|
||||||
|
autoIncrement: true
|
||||||
|
}),
|
||||||
|
resourceId: integer("resourceId")
|
||||||
|
.references(() => resources.resourceId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull(),
|
||||||
|
labelId: integer("labelId")
|
||||||
|
.references(() => labels.labelId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull()
|
||||||
|
},
|
||||||
|
(t) => [unique("resource_label_uniq").on(t.resourceId, t.labelId)]
|
||||||
|
);
|
||||||
|
|
||||||
|
export const siteResourceLabels = sqliteTable(
|
||||||
|
"siteResourceLabels",
|
||||||
|
{
|
||||||
|
siteResourceLabelId: integer("siteResourceLabelId").primaryKey({
|
||||||
|
autoIncrement: true
|
||||||
|
}),
|
||||||
|
siteResourceId: integer("siteResourceId")
|
||||||
|
.references(() => siteResources.siteResourceId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull(),
|
||||||
|
labelId: integer("labelId")
|
||||||
|
.references(() => labels.labelId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull()
|
||||||
|
},
|
||||||
|
(t) => [unique("site_resource_label_uniq").on(t.siteResourceId, t.labelId)]
|
||||||
|
);
|
||||||
|
|
||||||
|
export const clientLabels = sqliteTable(
|
||||||
|
"clientLabels",
|
||||||
|
{
|
||||||
|
clientLabelId: integer("clientLabelId").primaryKey({
|
||||||
|
autoIncrement: true
|
||||||
|
}),
|
||||||
|
clientId: integer("clientId")
|
||||||
|
.references(() => clients.clientId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull(),
|
||||||
|
labelId: integer("labelId")
|
||||||
|
.references(() => labels.labelId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull()
|
||||||
|
},
|
||||||
|
(t) => [unique("client_label_uniq").on(t.clientId, t.labelId)]
|
||||||
|
);
|
||||||
|
|
||||||
export const targets = sqliteTable("targets", {
|
export const targets = sqliteTable("targets", {
|
||||||
targetId: integer("targetId").primaryKey({ autoIncrement: true }),
|
targetId: integer("targetId").primaryKey({ autoIncrement: true }),
|
||||||
resourceId: integer("resourceId")
|
resourceId: integer("resourceId")
|
||||||
@@ -204,7 +339,12 @@ export const targets = sqliteTable("targets", {
|
|||||||
pathMatchType: text("pathMatchType"), // exact, prefix, regex
|
pathMatchType: text("pathMatchType"), // exact, prefix, regex
|
||||||
rewritePath: text("rewritePath"), // if set, rewrites the path to this value before sending to the target
|
rewritePath: text("rewritePath"), // if set, rewrites the path to this value before sending to the target
|
||||||
rewritePathType: text("rewritePathType"), // exact, prefix, regex, stripPrefix
|
rewritePathType: text("rewritePathType"), // exact, prefix, regex, stripPrefix
|
||||||
priority: integer("priority").notNull().default(100)
|
priority: integer("priority").notNull().default(100),
|
||||||
|
mode: text("mode")
|
||||||
|
.$type<"http" | "tcp" | "udp" | "ssh" | "rdp" | "vnc">()
|
||||||
|
.notNull()
|
||||||
|
.default("http"),
|
||||||
|
authToken: text("authToken")
|
||||||
});
|
});
|
||||||
|
|
||||||
export const targetHealthCheck = sqliteTable("targetHealthCheck", {
|
export const targetHealthCheck = sqliteTable("targetHealthCheck", {
|
||||||
@@ -219,9 +359,11 @@ export const targetHealthCheck = sqliteTable("targetHealthCheck", {
|
|||||||
onDelete: "cascade"
|
onDelete: "cascade"
|
||||||
})
|
})
|
||||||
.notNull(),
|
.notNull(),
|
||||||
siteId: integer("siteId").references(() => sites.siteId, {
|
siteId: integer("siteId")
|
||||||
|
.references(() => sites.siteId, {
|
||||||
onDelete: "cascade"
|
onDelete: "cascade"
|
||||||
}).notNull(),
|
})
|
||||||
|
.notNull(),
|
||||||
name: text("name"),
|
name: text("name"),
|
||||||
hcEnabled: integer("hcEnabled", { mode: "boolean" })
|
hcEnabled: integer("hcEnabled", { mode: "boolean" })
|
||||||
.notNull()
|
.notNull()
|
||||||
@@ -281,11 +423,11 @@ export const siteResources = sqliteTable("siteResources", {
|
|||||||
niceId: text("niceId").notNull(),
|
niceId: text("niceId").notNull(),
|
||||||
name: text("name").notNull(),
|
name: text("name").notNull(),
|
||||||
ssl: integer("ssl", { mode: "boolean" }).notNull().default(false),
|
ssl: integer("ssl", { mode: "boolean" }).notNull().default(false),
|
||||||
mode: text("mode").$type<"host" | "cidr" | "http">().notNull(), // "host" | "cidr" | "http"
|
mode: text("mode").$type<"host" | "cidr" | "http" | "ssh">().notNull(), // "host" | "cidr" | "http"
|
||||||
scheme: text("scheme").$type<"http" | "https">(), // only for when we are doing https or http mode
|
scheme: text("scheme").$type<"http" | "https">(), // only for when we are doing https or http mode
|
||||||
proxyPort: integer("proxyPort"), // only for port mode
|
proxyPort: integer("proxyPort"), // only for port mode
|
||||||
destinationPort: integer("destinationPort"), // only for port mode
|
destinationPort: integer("destinationPort"), // only for port mode
|
||||||
destination: text("destination").notNull(), // ip, cidr, hostname
|
destination: text("destination"), // ip, cidr, hostname
|
||||||
enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
|
enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
|
||||||
alias: text("alias"),
|
alias: text("alias"),
|
||||||
aliasAddress: text("aliasAddress"),
|
aliasAddress: text("aliasAddress"),
|
||||||
@@ -295,8 +437,11 @@ export const siteResources = sqliteTable("siteResources", {
|
|||||||
.notNull()
|
.notNull()
|
||||||
.default(false),
|
.default(false),
|
||||||
authDaemonPort: integer("authDaemonPort").default(22123),
|
authDaemonPort: integer("authDaemonPort").default(22123),
|
||||||
|
pamMode: text("pamMode")
|
||||||
|
.$type<"passthrough" | "push">()
|
||||||
|
.default("passthrough"),
|
||||||
authDaemonMode: text("authDaemonMode")
|
authDaemonMode: text("authDaemonMode")
|
||||||
.$type<"site" | "remote">()
|
.$type<"site" | "remote" | "native">()
|
||||||
.default("site"),
|
.default("site"),
|
||||||
domainId: text("domainId").references(() => domains.domainId, {
|
domainId: text("domainId").references(() => domains.domainId, {
|
||||||
onDelete: "set null"
|
onDelete: "set null"
|
||||||
@@ -909,6 +1054,47 @@ export const resourceHeaderAuth = sqliteTable("resourceHeaderAuth", {
|
|||||||
headerAuthHash: text("headerAuthHash").notNull()
|
headerAuthHash: text("headerAuthHash").notNull()
|
||||||
});
|
});
|
||||||
|
|
||||||
|
export const resourcePolicyPincode = sqliteTable("resourcePolicyPincode", {
|
||||||
|
pincodeId: integer("pincodeId").primaryKey({ autoIncrement: true }),
|
||||||
|
pincodeHash: text("pincodeHash").notNull(),
|
||||||
|
digitLength: integer("digitLength").notNull(),
|
||||||
|
resourcePolicyId: integer("resourcePolicyId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => resourcePolicies.resourcePolicyId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
});
|
||||||
|
|
||||||
|
export const resourcePolicyPassword = sqliteTable("resourcePolicyPassword", {
|
||||||
|
passwordId: integer("passwordId").primaryKey({ autoIncrement: true }),
|
||||||
|
passwordHash: text("passwordHash").notNull(),
|
||||||
|
resourcePolicyId: integer("resourcePolicyId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => resourcePolicies.resourcePolicyId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
});
|
||||||
|
|
||||||
|
export const resourcePolicyHeaderAuth = sqliteTable(
|
||||||
|
"resourcePolicyHeaderAuth",
|
||||||
|
{
|
||||||
|
headerAuthId: integer("headerAuthId").primaryKey({
|
||||||
|
autoIncrement: true
|
||||||
|
}),
|
||||||
|
headerAuthHash: text("headerAuthHash").notNull(),
|
||||||
|
extendedCompatibility: integer("extendedCompatibility", {
|
||||||
|
mode: "boolean"
|
||||||
|
})
|
||||||
|
.notNull()
|
||||||
|
.default(true),
|
||||||
|
resourcePolicyId: integer("resourcePolicyId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => resourcePolicies.resourcePolicyId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
}
|
||||||
|
);
|
||||||
|
|
||||||
export const resourceHeaderAuthExtendedCompatibility = sqliteTable(
|
export const resourceHeaderAuthExtendedCompatibility = sqliteTable(
|
||||||
"resourceHeaderAuthExtendedCompatibility",
|
"resourceHeaderAuthExtendedCompatibility",
|
||||||
{
|
{
|
||||||
@@ -937,6 +1123,7 @@ export const resourceAccessToken = sqliteTable("resourceAccessToken", {
|
|||||||
resourceId: integer("resourceId")
|
resourceId: integer("resourceId")
|
||||||
.notNull()
|
.notNull()
|
||||||
.references(() => resources.resourceId, { onDelete: "cascade" }),
|
.references(() => resources.resourceId, { onDelete: "cascade" }),
|
||||||
|
path: text("path"),
|
||||||
tokenHash: text("tokenHash").notNull(),
|
tokenHash: text("tokenHash").notNull(),
|
||||||
sessionLength: integer("sessionLength").notNull(),
|
sessionLength: integer("sessionLength").notNull(),
|
||||||
expiresAt: integer("expiresAt"),
|
expiresAt: integer("expiresAt"),
|
||||||
@@ -983,6 +1170,24 @@ export const resourceSessions = sqliteTable("resourceSessions", {
|
|||||||
onDelete: "cascade"
|
onDelete: "cascade"
|
||||||
}
|
}
|
||||||
),
|
),
|
||||||
|
policyPasswordId: integer("policyPasswordId").references(
|
||||||
|
() => resourcePolicyPassword.passwordId,
|
||||||
|
{
|
||||||
|
onDelete: "cascade"
|
||||||
|
}
|
||||||
|
),
|
||||||
|
policyPincodeId: integer("policyPincodeId").references(
|
||||||
|
() => resourcePolicyPincode.pincodeId,
|
||||||
|
{
|
||||||
|
onDelete: "cascade"
|
||||||
|
}
|
||||||
|
),
|
||||||
|
policyWhitelistId: integer("policyWhitelistId").references(
|
||||||
|
() => resourcePolicyWhiteList.whitelistId,
|
||||||
|
{
|
||||||
|
onDelete: "cascade"
|
||||||
|
}
|
||||||
|
),
|
||||||
issuedAt: integer("issuedAt")
|
issuedAt: integer("issuedAt")
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -1019,10 +1224,101 @@ export const resourceRules = sqliteTable("resourceRules", {
|
|||||||
enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
|
enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
|
||||||
priority: integer("priority").notNull(),
|
priority: integer("priority").notNull(),
|
||||||
action: text("action").notNull(), // ACCEPT, DROP, PASS
|
action: text("action").notNull(), // ACCEPT, DROP, PASS
|
||||||
match: text("match").notNull(), // CIDR, PATH, IP
|
match: text("match")
|
||||||
|
.$type<
|
||||||
|
| "CIDR"
|
||||||
|
| "PATH"
|
||||||
|
| "IP"
|
||||||
|
| "COUNTRY"
|
||||||
|
| "COUNTRY_IS_NOT"
|
||||||
|
| "ASN"
|
||||||
|
| "REGION"
|
||||||
|
>()
|
||||||
|
.notNull(), // CIDR, PATH, IP
|
||||||
value: text("value").notNull()
|
value: text("value").notNull()
|
||||||
});
|
});
|
||||||
|
|
||||||
|
export const rolePolicies = sqliteTable("rolePolicies", {
|
||||||
|
roleId: integer("roleId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => roles.roleId, { onDelete: "cascade" }),
|
||||||
|
resourcePolicyId: integer("resourcePolicyId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => resourcePolicies.resourcePolicyId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
});
|
||||||
|
|
||||||
|
export const userPolicies = sqliteTable("userPolicies", {
|
||||||
|
userId: text("userId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => users.userId, { onDelete: "cascade" }),
|
||||||
|
resourcePolicyId: integer("resourcePolicyId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => resourcePolicies.resourcePolicyId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
});
|
||||||
|
|
||||||
|
export const resourcePolicyWhiteList = sqliteTable("resourcePolicyWhitelist", {
|
||||||
|
whitelistId: integer("id").primaryKey({ autoIncrement: true }),
|
||||||
|
email: text("email").notNull(),
|
||||||
|
resourcePolicyId: integer("resourcePolicyId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => resourcePolicies.resourcePolicyId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
});
|
||||||
|
|
||||||
|
export const resourcePolicyRules = sqliteTable("resourcePolicyRules", {
|
||||||
|
ruleId: integer("ruleId").primaryKey({ autoIncrement: true }),
|
||||||
|
resourcePolicyId: integer("resourcePolicyId")
|
||||||
|
.notNull()
|
||||||
|
.references(() => resourcePolicies.resourcePolicyId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
}),
|
||||||
|
enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
|
||||||
|
priority: integer("priority").notNull(),
|
||||||
|
action: text("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
|
||||||
|
match: text("match")
|
||||||
|
.$type<
|
||||||
|
| "CIDR"
|
||||||
|
| "PATH"
|
||||||
|
| "IP"
|
||||||
|
| "COUNTRY"
|
||||||
|
| "COUNTRY_IS_NOT"
|
||||||
|
| "ASN"
|
||||||
|
| "REGION"
|
||||||
|
>()
|
||||||
|
.notNull(),
|
||||||
|
value: text("value").notNull()
|
||||||
|
});
|
||||||
|
|
||||||
|
export const resourcePolicies = sqliteTable("resourcePolicies", {
|
||||||
|
resourcePolicyId: integer("resourcePolicyId").primaryKey(),
|
||||||
|
sso: integer("sso", { mode: "boolean" }).notNull().default(true),
|
||||||
|
applyRules: integer("applyRules", { mode: "boolean" })
|
||||||
|
.notNull()
|
||||||
|
.default(false),
|
||||||
|
scope: text("scope")
|
||||||
|
.$type<"global" | "resource">()
|
||||||
|
.notNull()
|
||||||
|
.default("global"),
|
||||||
|
emailWhitelistEnabled: integer("emailWhitelistEnabled", { mode: "boolean" })
|
||||||
|
.notNull()
|
||||||
|
.default(false),
|
||||||
|
niceId: text("niceId").notNull(),
|
||||||
|
idpId: integer("idpId").references(() => idp.idpId, {
|
||||||
|
onDelete: "set null"
|
||||||
|
}),
|
||||||
|
name: text("name").notNull(),
|
||||||
|
orgId: text("orgId")
|
||||||
|
.references(() => orgs.orgId, {
|
||||||
|
onDelete: "cascade"
|
||||||
|
})
|
||||||
|
.notNull()
|
||||||
|
});
|
||||||
|
|
||||||
export const supporterKey = sqliteTable("supporterKey", {
|
export const supporterKey = sqliteTable("supporterKey", {
|
||||||
keyId: integer("keyId").primaryKey({ autoIncrement: true }),
|
keyId: integer("keyId").primaryKey({ autoIncrement: true }),
|
||||||
key: text("key").notNull(),
|
key: text("key").notNull(),
|
||||||
@@ -1196,7 +1492,9 @@ export const roundTripMessageTracker = sqliteTable("roundTripMessageTracker", {
|
|||||||
complete: integer("complete", { mode: "boolean" }).notNull().default(false)
|
complete: integer("complete", { mode: "boolean" }).notNull().default(false)
|
||||||
});
|
});
|
||||||
|
|
||||||
export const statusHistory = sqliteTable("statusHistory", {
|
export const statusHistory = sqliteTable(
|
||||||
|
"statusHistory",
|
||||||
|
{
|
||||||
id: integer("id").primaryKey({ autoIncrement: true }),
|
id: integer("id").primaryKey({ autoIncrement: true }),
|
||||||
entityType: text("entityType").notNull(), // "site" | "healthCheck"
|
entityType: text("entityType").notNull(), // "site" | "healthCheck"
|
||||||
entityId: integer("entityId").notNull(), // siteId or targetHealthCheckId
|
entityId: integer("entityId").notNull(), // siteId or targetHealthCheckId
|
||||||
@@ -1204,11 +1502,20 @@ export const statusHistory = sqliteTable("statusHistory", {
|
|||||||
.notNull()
|
.notNull()
|
||||||
.references(() => orgs.orgId, { onDelete: "cascade" }),
|
.references(() => orgs.orgId, { onDelete: "cascade" }),
|
||||||
status: text("status").notNull(), // "online"/"offline" for sites; "healthy"/"unhealthy"/"unknown" for healthChecks
|
status: text("status").notNull(), // "online"/"offline" for sites; "healthy"/"unhealthy"/"unknown" for healthChecks
|
||||||
timestamp: integer("timestamp").notNull(), // unix epoch seconds
|
timestamp: integer("timestamp").notNull() // unix epoch seconds
|
||||||
}, (table) => [
|
},
|
||||||
index("idx_statusHistory_entity").on(table.entityType, table.entityId, table.timestamp),
|
(table) => [
|
||||||
index("idx_statusHistory_org_timestamp").on(table.orgId, table.timestamp),
|
index("idx_statusHistory_entity").on(
|
||||||
]);
|
table.entityType,
|
||||||
|
table.entityId,
|
||||||
|
table.timestamp
|
||||||
|
),
|
||||||
|
index("idx_statusHistory_org_timestamp").on(
|
||||||
|
table.orgId,
|
||||||
|
table.timestamp
|
||||||
|
)
|
||||||
|
]
|
||||||
|
);
|
||||||
|
|
||||||
export type Org = InferSelectModel<typeof orgs>;
|
export type Org = InferSelectModel<typeof orgs>;
|
||||||
export type User = InferSelectModel<typeof users>;
|
export type User = InferSelectModel<typeof users>;
|
||||||
@@ -1278,3 +1585,17 @@ export type RoundTripMessageTracker = InferSelectModel<
|
|||||||
typeof roundTripMessageTracker
|
typeof roundTripMessageTracker
|
||||||
>;
|
>;
|
||||||
export type StatusHistory = InferSelectModel<typeof statusHistory>;
|
export type StatusHistory = InferSelectModel<typeof statusHistory>;
|
||||||
|
export type Label = InferSelectModel<typeof labels>;
|
||||||
|
export type LauncherView = InferSelectModel<typeof launcherViews>;
|
||||||
|
export type ResourcePolicy = InferSelectModel<typeof resourcePolicies>;
|
||||||
|
export type ResourcePolicyPincode = InferSelectModel<
|
||||||
|
typeof resourcePolicyPincode
|
||||||
|
>;
|
||||||
|
export type ResourcePolicyPassword = InferSelectModel<
|
||||||
|
typeof resourcePolicyPassword
|
||||||
|
>;
|
||||||
|
export type ResourcePolicyHeaderAuth = InferSelectModel<
|
||||||
|
typeof resourcePolicyHeaderAuth
|
||||||
|
>;
|
||||||
|
export type RolePolicy = InferSelectModel<typeof rolePolicies>;
|
||||||
|
export type UserPolicy = InferSelectModel<typeof userPolicies>;
|
||||||
|
|||||||
@@ -64,7 +64,7 @@ export const NotifyTrialExpiring = ({
|
|||||||
|
|
||||||
<EmailText>
|
<EmailText>
|
||||||
Some features and resources may now be
|
Some features and resources may now be
|
||||||
restricted or disconnected. To restore full
|
restricted. To restore full
|
||||||
access and continue using all the features
|
access and continue using all the features
|
||||||
you had during your trial, please upgrade to
|
you had during your trial, please upgrade to
|
||||||
a paid plan.
|
a paid plan.
|
||||||
@@ -85,7 +85,7 @@ export const NotifyTrialExpiring = ({
|
|||||||
<strong>{orgName}</strong> will end on{" "}
|
<strong>{orgName}</strong> will end on{" "}
|
||||||
<strong>{trialEndsAt}</strong>
|
<strong>{trialEndsAt}</strong>
|
||||||
{isLastDay
|
{isLastDay
|
||||||
? " — that's tomorrow!"
|
? " - that's tomorrow!"
|
||||||
: `, in ${daysRemaining} days`}
|
: `, in ${daysRemaining} days`}
|
||||||
.
|
.
|
||||||
</EmailText>
|
</EmailText>
|
||||||
@@ -93,8 +93,7 @@ export const NotifyTrialExpiring = ({
|
|||||||
<EmailText>
|
<EmailText>
|
||||||
After your trial ends, your account will be
|
After your trial ends, your account will be
|
||||||
moved to the free plan and some
|
moved to the free plan and some
|
||||||
functionality may be restricted or your
|
functionality may be restricted.
|
||||||
sites may disconnect.
|
|
||||||
</EmailText>
|
</EmailText>
|
||||||
|
|
||||||
<EmailText>
|
<EmailText>
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
#! /usr/bin/env node
|
#! /usr/bin/env node
|
||||||
import "./extendZod.ts";
|
import "./extendZod";
|
||||||
|
|
||||||
import { runSetupFunctions } from "./setup";
|
import { runSetupFunctions } from "./setup";
|
||||||
import { createApiServer } from "./apiServer";
|
import { createApiServer } from "./apiServer";
|
||||||
@@ -24,6 +24,7 @@ import license from "#dynamic/license/license";
|
|||||||
import { initLogCleanupInterval } from "@server/lib/cleanupLogs";
|
import { initLogCleanupInterval } from "@server/lib/cleanupLogs";
|
||||||
import { initAcmeCertSync } from "#dynamic/lib/acmeCertSync";
|
import { initAcmeCertSync } from "#dynamic/lib/acmeCertSync";
|
||||||
import { fetchServerIp } from "@server/lib/serverIpService";
|
import { fetchServerIp } from "@server/lib/serverIpService";
|
||||||
|
import { startRebuildQueueProcessor } from "@server/lib/rebuildClientAssociations";
|
||||||
|
|
||||||
async function startServers() {
|
async function startServers() {
|
||||||
await setHostMeta();
|
await setHostMeta();
|
||||||
@@ -41,6 +42,7 @@ async function startServers() {
|
|||||||
|
|
||||||
initLogCleanupInterval();
|
initLogCleanupInterval();
|
||||||
initAcmeCertSync();
|
initAcmeCertSync();
|
||||||
|
startRebuildQueueProcessor();
|
||||||
|
|
||||||
// Start all servers
|
// Start all servers
|
||||||
const apiServer = createApiServer();
|
const apiServer = createApiServer();
|
||||||
|
|||||||
@@ -152,11 +152,19 @@ function getOpenApiDocumentation() {
|
|||||||
|
|
||||||
if (!hasExistingResponses) {
|
if (!hasExistingResponses) {
|
||||||
def.route.responses = {
|
def.route.responses = {
|
||||||
"*": {
|
"200": {
|
||||||
description: "",
|
description: "Successful response",
|
||||||
content: {
|
content: {
|
||||||
"application/json": {
|
"application/json": {
|
||||||
schema: z.object({})
|
schema: z.object({
|
||||||
|
data: z
|
||||||
|
.record(z.string(), z.any())
|
||||||
|
.nullable(),
|
||||||
|
success: z.boolean(),
|
||||||
|
error: z.boolean(),
|
||||||
|
message: z.string(),
|
||||||
|
status: z.number()
|
||||||
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,27 +1,153 @@
|
|||||||
// stub
|
import logger from "@server/logger";
|
||||||
|
import { processAlerts } from "#dynamic/lib/alerts";
|
||||||
|
import {
|
||||||
|
db,
|
||||||
|
statusHistory,
|
||||||
|
targetHealthCheck,
|
||||||
|
targets,
|
||||||
|
resources,
|
||||||
|
Transaction,
|
||||||
|
logsDb
|
||||||
|
} from "@server/db";
|
||||||
|
import { eq } from "drizzle-orm";
|
||||||
|
import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
|
||||||
|
import {
|
||||||
|
fireResourceDegradedAlert,
|
||||||
|
fireResourceHealthyAlert,
|
||||||
|
fireResourceUnhealthyAlert,
|
||||||
|
fireResourceUnknownAlert
|
||||||
|
} from "./resourceEvents";
|
||||||
|
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
// Public API
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Fire a `health_check_healthy` alert for the given health check.
|
||||||
|
*
|
||||||
|
* Call this after a previously-failing health check has recovered so that any
|
||||||
|
* matching `alertRules` can dispatch their email and webhook actions.
|
||||||
|
*
|
||||||
|
* @param orgId - Organisation that owns the health check.
|
||||||
|
* @param healthCheckId - Numeric primary key of the health check.
|
||||||
|
* @param healthCheckName - Human-readable name shown in notifications (optional).
|
||||||
|
* @param extra - Any additional key/value pairs to include in the payload.
|
||||||
|
*/
|
||||||
export async function fireHealthCheckHealthyAlert(
|
export async function fireHealthCheckHealthyAlert(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
healthCheckId: number,
|
healthCheckId: number,
|
||||||
healthCheckName?: string,
|
healthCheckName?: string | null,
|
||||||
healthCheckTargetId?: number | null,
|
healthCheckTargetId?: number | null,
|
||||||
extra?: Record<string, unknown>,
|
extra?: Record<string, unknown>,
|
||||||
send: boolean = true,
|
send: boolean = true,
|
||||||
trx?: unknown
|
trx: Transaction | typeof db = db
|
||||||
): Promise<void> {
|
): Promise<void> {
|
||||||
|
try {
|
||||||
|
await logsDb.insert(statusHistory).values({
|
||||||
|
entityType: "health_check",
|
||||||
|
entityId: healthCheckId,
|
||||||
|
orgId: orgId,
|
||||||
|
status: "healthy",
|
||||||
|
timestamp: Math.floor(Date.now() / 1000)
|
||||||
|
});
|
||||||
|
await invalidateStatusHistoryCache("health_check", healthCheckId);
|
||||||
|
|
||||||
|
await handleResource(orgId, healthCheckTargetId, send, trx);
|
||||||
|
|
||||||
|
if (!send) {
|
||||||
return;
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
await processAlerts({
|
||||||
|
eventType: "health_check_healthy",
|
||||||
|
orgId,
|
||||||
|
healthCheckId,
|
||||||
|
data: {
|
||||||
|
...(healthCheckName != null ? { healthCheckName } : {}),
|
||||||
|
...extra
|
||||||
|
}
|
||||||
|
});
|
||||||
|
await processAlerts({
|
||||||
|
eventType: "health_check_toggle",
|
||||||
|
orgId,
|
||||||
|
healthCheckId,
|
||||||
|
data: {
|
||||||
|
healthCheckId,
|
||||||
|
status: "healthy",
|
||||||
|
...(healthCheckName != null ? { healthCheckName } : {}),
|
||||||
|
...extra
|
||||||
|
}
|
||||||
|
});
|
||||||
|
} catch (err) {
|
||||||
|
logger.error(
|
||||||
|
`fireHealthCheckHealthyAlert: unexpected error for healthCheckId ${healthCheckId}`,
|
||||||
|
err
|
||||||
|
);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Fire a `health_check_unhealthy` alert for the given health check.
|
||||||
|
*
|
||||||
|
* Call this after a health check has been detected as failing so that any
|
||||||
|
* matching `alertRules` can dispatch their email and webhook actions.
|
||||||
|
*
|
||||||
|
* @param orgId - Organisation that owns the health check.
|
||||||
|
* @param healthCheckId - Numeric primary key of the health check.
|
||||||
|
* @param healthCheckName - Human-readable name shown in notifications (optional).
|
||||||
|
* @param extra - Any additional key/value pairs to include in the payload.
|
||||||
|
*/
|
||||||
export async function fireHealthCheckUnhealthyAlert(
|
export async function fireHealthCheckUnhealthyAlert(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
healthCheckId: number,
|
healthCheckId: number,
|
||||||
healthCheckName?: string,
|
healthCheckName?: string | null,
|
||||||
healthCheckTargetId?: number | null,
|
healthCheckTargetId?: number | null,
|
||||||
extra?: Record<string, unknown>,
|
extra?: Record<string, unknown>,
|
||||||
send: boolean = true,
|
send: boolean = true,
|
||||||
trx?: unknown
|
trx: Transaction | typeof db = db
|
||||||
): Promise<void> {
|
): Promise<void> {
|
||||||
|
try {
|
||||||
|
await logsDb.insert(statusHistory).values({
|
||||||
|
entityType: "health_check",
|
||||||
|
entityId: healthCheckId,
|
||||||
|
orgId: orgId,
|
||||||
|
status: "unhealthy",
|
||||||
|
timestamp: Math.floor(Date.now() / 1000)
|
||||||
|
});
|
||||||
|
await invalidateStatusHistoryCache("health_check", healthCheckId);
|
||||||
|
|
||||||
|
await handleResource(orgId, healthCheckTargetId, send, trx);
|
||||||
|
|
||||||
|
if (!send) {
|
||||||
return;
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
await processAlerts({
|
||||||
|
eventType: "health_check_unhealthy",
|
||||||
|
orgId,
|
||||||
|
healthCheckId,
|
||||||
|
data: {
|
||||||
|
...(healthCheckName != null ? { healthCheckName } : {}),
|
||||||
|
...extra
|
||||||
|
}
|
||||||
|
});
|
||||||
|
await processAlerts({
|
||||||
|
eventType: "health_check_toggle",
|
||||||
|
orgId,
|
||||||
|
healthCheckId,
|
||||||
|
data: {
|
||||||
|
healthCheckId,
|
||||||
|
status: "unhealthy",
|
||||||
|
...(healthCheckName != null ? { healthCheckName } : {}),
|
||||||
|
...extra
|
||||||
|
}
|
||||||
|
});
|
||||||
|
} catch (err) {
|
||||||
|
logger.error(
|
||||||
|
`fireHealthCheckUnhealthyAlert: unexpected error for healthCheckId ${healthCheckId}`,
|
||||||
|
err
|
||||||
|
);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
export async function fireHealthCheckUnknownAlert(
|
export async function fireHealthCheckUnknownAlert(
|
||||||
@@ -31,7 +157,145 @@ export async function fireHealthCheckUnknownAlert(
|
|||||||
healthCheckTargetId?: number | null,
|
healthCheckTargetId?: number | null,
|
||||||
extra?: Record<string, unknown>,
|
extra?: Record<string, unknown>,
|
||||||
send: boolean = true,
|
send: boolean = true,
|
||||||
trx?: unknown
|
trx: Transaction | typeof db = db
|
||||||
): Promise<void> {
|
): Promise<void> {
|
||||||
|
try {
|
||||||
|
await logsDb.insert(statusHistory).values({
|
||||||
|
entityType: "health_check",
|
||||||
|
entityId: healthCheckId,
|
||||||
|
orgId: orgId,
|
||||||
|
status: "unknown",
|
||||||
|
timestamp: Math.floor(Date.now() / 1000)
|
||||||
|
});
|
||||||
|
await invalidateStatusHistoryCache("health_check", healthCheckId);
|
||||||
|
|
||||||
|
await handleResource(orgId, healthCheckTargetId, send, trx);
|
||||||
|
|
||||||
|
if (!send) {
|
||||||
return;
|
return;
|
||||||
|
}
|
||||||
|
} catch (err) {
|
||||||
|
logger.error(
|
||||||
|
`fireHealthCheckUnknownAlert: unexpected error for healthCheckId ${healthCheckId}`,
|
||||||
|
err
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
async function handleResource(
|
||||||
|
orgId: string,
|
||||||
|
healthCheckTargetId?: number | null,
|
||||||
|
send: boolean = true,
|
||||||
|
trx: Transaction | typeof db = db
|
||||||
|
) {
|
||||||
|
if (!healthCheckTargetId) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
// we have targets lets get them
|
||||||
|
const [target] = await trx
|
||||||
|
.select()
|
||||||
|
.from(targets)
|
||||||
|
.where(eq(targets.targetId, healthCheckTargetId))
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
if (!target) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
const [resource] = await trx
|
||||||
|
.select()
|
||||||
|
.from(resources)
|
||||||
|
.where(eq(resources.resourceId, target.resourceId))
|
||||||
|
.limit(1);
|
||||||
|
|
||||||
|
if (!resource) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
const otherTargets = await trx
|
||||||
|
.select({ hcHealth: targetHealthCheck.hcHealth })
|
||||||
|
.from(targets)
|
||||||
|
.innerJoin(
|
||||||
|
targetHealthCheck,
|
||||||
|
eq(targetHealthCheck.targetId, targets.targetId)
|
||||||
|
)
|
||||||
|
.where(eq(targets.resourceId, resource.resourceId));
|
||||||
|
|
||||||
|
const monitoredTargets = otherTargets.filter(
|
||||||
|
(t) => t.hcHealth !== "unknown"
|
||||||
|
);
|
||||||
|
|
||||||
|
let health = "healthy";
|
||||||
|
const allUnknown = monitoredTargets.length === 0;
|
||||||
|
const allHealthy = monitoredTargets.every(
|
||||||
|
(t) => t.hcHealth === "healthy"
|
||||||
|
);
|
||||||
|
const allUnhealthy = monitoredTargets.every(
|
||||||
|
(t) => t.hcHealth === "unhealthy"
|
||||||
|
);
|
||||||
|
|
||||||
|
if (allUnknown) {
|
||||||
|
logger.debug(
|
||||||
|
`Marking resource ${resource.resourceId} as unknown because all health checks are disabled`
|
||||||
|
);
|
||||||
|
health = "unknown";
|
||||||
|
} else if (allHealthy) {
|
||||||
|
health = "healthy";
|
||||||
|
} else if (allUnhealthy) {
|
||||||
|
logger.debug(
|
||||||
|
`Marking resource ${resource.resourceId} as unhealthy because all targets are unhealthy`
|
||||||
|
);
|
||||||
|
health = "unhealthy";
|
||||||
|
} else {
|
||||||
|
logger.debug(
|
||||||
|
`Marking resource ${resource.resourceId} as degraded because some targets are unhealthy`
|
||||||
|
);
|
||||||
|
health = "degraded";
|
||||||
|
}
|
||||||
|
|
||||||
|
if (health != resource.health) {
|
||||||
|
// it changed
|
||||||
|
await trx
|
||||||
|
.update(resources)
|
||||||
|
.set({ health })
|
||||||
|
.where(eq(resources.resourceId, resource.resourceId));
|
||||||
|
|
||||||
|
if (health === "unknown") {
|
||||||
|
await fireResourceUnknownAlert(
|
||||||
|
orgId,
|
||||||
|
resource.resourceId,
|
||||||
|
resource.name,
|
||||||
|
undefined,
|
||||||
|
send,
|
||||||
|
trx
|
||||||
|
);
|
||||||
|
} else if (health === "unhealthy") {
|
||||||
|
await fireResourceUnhealthyAlert(
|
||||||
|
orgId,
|
||||||
|
resource.resourceId,
|
||||||
|
resource.name,
|
||||||
|
undefined,
|
||||||
|
send,
|
||||||
|
trx
|
||||||
|
);
|
||||||
|
} else if (health === "healthy") {
|
||||||
|
await fireResourceHealthyAlert(
|
||||||
|
orgId,
|
||||||
|
resource.resourceId,
|
||||||
|
resource.name,
|
||||||
|
undefined,
|
||||||
|
send,
|
||||||
|
trx
|
||||||
|
);
|
||||||
|
} else if (health === "degraded") {
|
||||||
|
await fireResourceDegradedAlert(
|
||||||
|
orgId,
|
||||||
|
resource.resourceId,
|
||||||
|
resource.name,
|
||||||
|
undefined,
|
||||||
|
send,
|
||||||
|
trx
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,26 +1,243 @@
|
|||||||
|
import logger from "@server/logger";
|
||||||
|
import { processAlerts } from "#dynamic/lib/alerts";
|
||||||
|
import { db, logsDb, statusHistory, Transaction } from "@server/db";
|
||||||
|
import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
|
||||||
|
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
// Public API
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Fire a `resource_healthy` alert for the given resource.
|
||||||
|
*
|
||||||
|
* Call this after a previously-unhealthy resource has recovered so that any
|
||||||
|
* matching `alertRules` can dispatch their email and webhook actions.
|
||||||
|
*
|
||||||
|
* @param orgId - Organisation that owns the resource.
|
||||||
|
* @param resourceId - Numeric primary key of the resource.
|
||||||
|
* @param resourceName - Human-readable name shown in notifications (optional).
|
||||||
|
* @param extra - Any additional key/value pairs to include in the payload.
|
||||||
|
*/
|
||||||
export async function fireResourceHealthyAlert(
|
export async function fireResourceHealthyAlert(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
resourceId: number,
|
resourceId: number,
|
||||||
resourceName?: string | null,
|
resourceName?: string | null,
|
||||||
extra?: Record<string, unknown>,
|
extra?: Record<string, unknown>,
|
||||||
send: boolean = true,
|
send: boolean = true,
|
||||||
trx?: unknown
|
trx: Transaction | typeof db = db
|
||||||
): Promise<void> {}
|
): Promise<void> {
|
||||||
|
try {
|
||||||
|
await logsDb.insert(statusHistory).values({
|
||||||
|
entityType: "resource",
|
||||||
|
entityId: resourceId,
|
||||||
|
orgId: orgId,
|
||||||
|
status: "healthy",
|
||||||
|
timestamp: Math.floor(Date.now() / 1000)
|
||||||
|
});
|
||||||
|
await invalidateStatusHistoryCache("resource", resourceId);
|
||||||
|
|
||||||
|
if (!send) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
await processAlerts({
|
||||||
|
eventType: "resource_healthy",
|
||||||
|
orgId,
|
||||||
|
resourceId,
|
||||||
|
data: {
|
||||||
|
...(resourceName != null ? { resourceName } : {}),
|
||||||
|
...extra
|
||||||
|
}
|
||||||
|
});
|
||||||
|
await processAlerts({
|
||||||
|
eventType: "resource_toggle",
|
||||||
|
orgId,
|
||||||
|
resourceId,
|
||||||
|
data: {
|
||||||
|
resourceId,
|
||||||
|
status: "healthy",
|
||||||
|
...(resourceName != null ? { resourceName } : {}),
|
||||||
|
...extra
|
||||||
|
}
|
||||||
|
});
|
||||||
|
} catch (err) {
|
||||||
|
logger.error(
|
||||||
|
`fireResourceHealthyAlert: unexpected error for resourceId ${resourceId}`,
|
||||||
|
err
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Fire a `resource_unhealthy` alert for the given resource.
|
||||||
|
*
|
||||||
|
* Call this after a resource has been detected as unhealthy so that any
|
||||||
|
* matching `alertRules` can dispatch their email and webhook actions.
|
||||||
|
*
|
||||||
|
* @param orgId - Organisation that owns the resource.
|
||||||
|
* @param resourceId - Numeric primary key of the resource.
|
||||||
|
* @param resourceName - Human-readable name shown in notifications (optional).
|
||||||
|
* @param extra - Any additional key/value pairs to include in the payload.
|
||||||
|
*/
|
||||||
export async function fireResourceUnhealthyAlert(
|
export async function fireResourceUnhealthyAlert(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
resourceId: number,
|
resourceId: number,
|
||||||
resourceName?: string | null,
|
resourceName?: string | null,
|
||||||
extra?: Record<string, unknown>,
|
extra?: Record<string, unknown>,
|
||||||
send: boolean = true,
|
send: boolean = true,
|
||||||
trx?: unknown
|
trx: Transaction | typeof db = db
|
||||||
): Promise<void> {}
|
): Promise<void> {
|
||||||
|
try {
|
||||||
|
await logsDb.insert(statusHistory).values({
|
||||||
|
entityType: "resource",
|
||||||
|
entityId: resourceId,
|
||||||
|
orgId: orgId,
|
||||||
|
status: "unhealthy",
|
||||||
|
timestamp: Math.floor(Date.now() / 1000)
|
||||||
|
});
|
||||||
|
await invalidateStatusHistoryCache("resource", resourceId);
|
||||||
|
|
||||||
export async function fireResourceToggleAlert(
|
if (!send) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
await processAlerts({
|
||||||
|
eventType: "resource_unhealthy",
|
||||||
|
orgId,
|
||||||
|
resourceId,
|
||||||
|
data: {
|
||||||
|
...(resourceName != null ? { resourceName } : {}),
|
||||||
|
...extra
|
||||||
|
}
|
||||||
|
});
|
||||||
|
await processAlerts({
|
||||||
|
eventType: "resource_toggle",
|
||||||
|
orgId,
|
||||||
|
resourceId,
|
||||||
|
data: {
|
||||||
|
resourceId,
|
||||||
|
status: "unhealthy",
|
||||||
|
...(resourceName != null ? { resourceName } : {}),
|
||||||
|
...extra
|
||||||
|
}
|
||||||
|
});
|
||||||
|
} catch (err) {
|
||||||
|
logger.error(
|
||||||
|
`fireResourceUnhealthyAlert: unexpected error for resourceId ${resourceId}`,
|
||||||
|
err
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Fire a `resource_degraded` alert for the given resource.
|
||||||
|
*
|
||||||
|
* Call this after a resource has been detected as degraded so that any
|
||||||
|
* matching `alertRules` can dispatch their email and webhook actions.
|
||||||
|
*
|
||||||
|
* @param orgId - Organisation that owns the resource.
|
||||||
|
* @param resourceId - Numeric primary key of the resource.
|
||||||
|
* @param resourceName - Human-readable name shown in notifications (optional).
|
||||||
|
* @param extra - Any additional key/value pairs to include in the payload.
|
||||||
|
*/
|
||||||
|
export async function fireResourceDegradedAlert(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
resourceId: number,
|
resourceId: number,
|
||||||
resourceName?: string | null,
|
resourceName?: string | null,
|
||||||
extra?: Record<string, unknown>,
|
extra?: Record<string, unknown>,
|
||||||
send: boolean = true,
|
send: boolean = true,
|
||||||
trx?: unknown
|
trx: Transaction | typeof db = db
|
||||||
): Promise<void> {}
|
): Promise<void> {
|
||||||
|
try {
|
||||||
|
await logsDb.insert(statusHistory).values({
|
||||||
|
entityType: "resource",
|
||||||
|
entityId: resourceId,
|
||||||
|
orgId: orgId,
|
||||||
|
status: "degraded",
|
||||||
|
timestamp: Math.floor(Date.now() / 1000)
|
||||||
|
});
|
||||||
|
await invalidateStatusHistoryCache("resource", resourceId);
|
||||||
|
|
||||||
|
if (!send) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
await processAlerts({
|
||||||
|
eventType: "resource_degraded",
|
||||||
|
orgId,
|
||||||
|
resourceId,
|
||||||
|
data: {
|
||||||
|
...(resourceName != null ? { resourceName } : {}),
|
||||||
|
...extra
|
||||||
|
}
|
||||||
|
});
|
||||||
|
await processAlerts({
|
||||||
|
eventType: "resource_toggle",
|
||||||
|
orgId,
|
||||||
|
resourceId,
|
||||||
|
data: {
|
||||||
|
resourceId,
|
||||||
|
status: "degraded",
|
||||||
|
...(resourceName != null ? { resourceName } : {}),
|
||||||
|
...extra
|
||||||
|
}
|
||||||
|
});
|
||||||
|
} catch (err) {
|
||||||
|
logger.error(
|
||||||
|
`fireResourceDegradedAlert: unexpected error for resourceId ${resourceId}`,
|
||||||
|
err
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Fire a `resource_unknown` alert for the given resource.
|
||||||
|
*
|
||||||
|
* Call this when all health checks on a resource are disabled so that the
|
||||||
|
* resource status transitions to unknown.
|
||||||
|
*
|
||||||
|
* @param orgId - Organisation that owns the resource.
|
||||||
|
* @param resourceId - Numeric primary key of the resource.
|
||||||
|
* @param resourceName - Human-readable name shown in notifications (optional).
|
||||||
|
* @param extra - Any additional key/value pairs to include in the payload.
|
||||||
|
*/
|
||||||
|
export async function fireResourceUnknownAlert(
|
||||||
|
orgId: string,
|
||||||
|
resourceId: number,
|
||||||
|
resourceName?: string | null,
|
||||||
|
extra?: Record<string, unknown>,
|
||||||
|
send: boolean = true,
|
||||||
|
trx: Transaction | typeof db = db
|
||||||
|
): Promise<void> {
|
||||||
|
try {
|
||||||
|
await logsDb.insert(statusHistory).values({
|
||||||
|
entityType: "resource",
|
||||||
|
entityId: resourceId,
|
||||||
|
orgId: orgId,
|
||||||
|
status: "unknown",
|
||||||
|
timestamp: Math.floor(Date.now() / 1000)
|
||||||
|
});
|
||||||
|
await invalidateStatusHistoryCache("resource", resourceId);
|
||||||
|
|
||||||
|
if (!send) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
await processAlerts({
|
||||||
|
eventType: "resource_toggle",
|
||||||
|
orgId,
|
||||||
|
resourceId,
|
||||||
|
data: {
|
||||||
|
resourceId,
|
||||||
|
status: "unknown",
|
||||||
|
...(resourceName != null ? { resourceName } : {}),
|
||||||
|
...extra
|
||||||
|
}
|
||||||
|
});
|
||||||
|
} catch (err) {
|
||||||
|
logger.error(
|
||||||
|
`fireResourceUnknownAlert: unexpected error for resourceId ${resourceId}`,
|
||||||
|
err
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|||||||
@@ -1,21 +1,156 @@
|
|||||||
// stub
|
import logger from "@server/logger";
|
||||||
|
import { processAlerts } from "#dynamic/lib/alerts";
|
||||||
|
import {
|
||||||
|
db,
|
||||||
|
logsDb,
|
||||||
|
statusHistory,
|
||||||
|
targetHealthCheck,
|
||||||
|
Transaction
|
||||||
|
} from "@server/db";
|
||||||
|
import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
|
||||||
|
import { and, eq, inArray } from "drizzle-orm";
|
||||||
|
import { fireHealthCheckUnhealthyAlert } from "./healthCheckEvents";
|
||||||
|
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
// Public API
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Fire a `site_online` alert for the given site.
|
||||||
|
*
|
||||||
|
* Call this after the site has been confirmed reachable / connected so that
|
||||||
|
* any matching `alertRules` can dispatch their email and webhook actions.
|
||||||
|
*
|
||||||
|
* @param orgId - Organisation that owns the site.
|
||||||
|
* @param siteId - Numeric primary key of the site.
|
||||||
|
* @param siteName - Human-readable name shown in notifications (optional).
|
||||||
|
* @param extra - Any additional key/value pairs to include in the payload.
|
||||||
|
*/
|
||||||
export async function fireSiteOnlineAlert(
|
export async function fireSiteOnlineAlert(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
siteId: number,
|
siteId: number,
|
||||||
siteName?: string,
|
siteName?: string,
|
||||||
extra?: Record<string, unknown>,
|
extra?: Record<string, unknown>,
|
||||||
trx?: unknown
|
trx: Transaction | typeof db = db
|
||||||
): Promise<void> {
|
): Promise<void> {
|
||||||
return;
|
try {
|
||||||
|
await logsDb.insert(statusHistory).values({
|
||||||
|
entityType: "site",
|
||||||
|
entityId: siteId,
|
||||||
|
orgId: orgId,
|
||||||
|
status: "online",
|
||||||
|
timestamp: Math.floor(Date.now() / 1000)
|
||||||
|
});
|
||||||
|
await invalidateStatusHistoryCache("site", siteId);
|
||||||
|
|
||||||
|
await processAlerts({
|
||||||
|
eventType: "site_online",
|
||||||
|
orgId,
|
||||||
|
siteId,
|
||||||
|
data: {
|
||||||
|
...(siteName != null ? { siteName } : {}),
|
||||||
|
...extra
|
||||||
|
}
|
||||||
|
});
|
||||||
|
await processAlerts({
|
||||||
|
eventType: "site_toggle",
|
||||||
|
orgId,
|
||||||
|
siteId,
|
||||||
|
data: {
|
||||||
|
siteId,
|
||||||
|
status: "online",
|
||||||
|
...(siteName != null ? { siteName } : {}),
|
||||||
|
...extra
|
||||||
|
}
|
||||||
|
});
|
||||||
|
} catch (err) {
|
||||||
|
logger.error(
|
||||||
|
`fireSiteOnlineAlert: unexpected error for siteId ${siteId}`,
|
||||||
|
err
|
||||||
|
);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Fire a `site_offline` alert for the given site.
|
||||||
|
*
|
||||||
|
* Call this after the site has been detected as unreachable / disconnected so
|
||||||
|
* that any matching `alertRules` can dispatch their email and webhook actions.
|
||||||
|
*
|
||||||
|
* @param orgId - Organisation that owns the site.
|
||||||
|
* @param siteId - Numeric primary key of the site.
|
||||||
|
* @param siteName - Human-readable name shown in notifications (optional).
|
||||||
|
* @param extra - Any additional key/value pairs to include in the payload.
|
||||||
|
*/
|
||||||
export async function fireSiteOfflineAlert(
|
export async function fireSiteOfflineAlert(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
siteId: number,
|
siteId: number,
|
||||||
siteName?: string,
|
siteName?: string,
|
||||||
extra?: Record<string, unknown>,
|
extra?: Record<string, unknown>,
|
||||||
trx?: unknown
|
trx: Transaction | typeof db = db
|
||||||
): Promise<void> {
|
): Promise<void> {
|
||||||
return;
|
try {
|
||||||
|
await logsDb.insert(statusHistory).values({
|
||||||
|
entityType: "site",
|
||||||
|
entityId: siteId,
|
||||||
|
orgId: orgId,
|
||||||
|
status: "offline",
|
||||||
|
timestamp: Math.floor(Date.now() / 1000)
|
||||||
|
});
|
||||||
|
await invalidateStatusHistoryCache("site", siteId);
|
||||||
|
|
||||||
|
const unhealthyHealthChecks = await trx
|
||||||
|
.update(targetHealthCheck)
|
||||||
|
.set({ hcHealth: "unhealthy" })
|
||||||
|
.where(
|
||||||
|
and(
|
||||||
|
eq(targetHealthCheck.orgId, orgId),
|
||||||
|
eq(targetHealthCheck.siteId, siteId),
|
||||||
|
eq(targetHealthCheck.hcEnabled, true) // only effect the ones that are enabled
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.returning();
|
||||||
|
|
||||||
|
for (const healthCheck of unhealthyHealthChecks) {
|
||||||
|
logger.info(
|
||||||
|
`Marking health check ${healthCheck.targetHealthCheckId} unhealthy due to site ${siteId} being marked offline`
|
||||||
|
);
|
||||||
|
|
||||||
|
await fireHealthCheckUnhealthyAlert(
|
||||||
|
healthCheck.orgId,
|
||||||
|
healthCheck.targetHealthCheckId,
|
||||||
|
healthCheck.name,
|
||||||
|
healthCheck.targetId, // for the resource if we have one
|
||||||
|
undefined,
|
||||||
|
true,
|
||||||
|
trx
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
await processAlerts({
|
||||||
|
eventType: "site_offline",
|
||||||
|
orgId,
|
||||||
|
siteId,
|
||||||
|
data: {
|
||||||
|
...(siteName != null ? { siteName } : {}),
|
||||||
|
...extra
|
||||||
|
}
|
||||||
|
});
|
||||||
|
await processAlerts({
|
||||||
|
eventType: "site_toggle",
|
||||||
|
orgId,
|
||||||
|
siteId,
|
||||||
|
data: {
|
||||||
|
siteId,
|
||||||
|
status: "offline",
|
||||||
|
...(siteName != null ? { siteName } : {}),
|
||||||
|
...extra
|
||||||
|
}
|
||||||
|
});
|
||||||
|
} catch (err) {
|
||||||
|
logger.error(
|
||||||
|
`fireSiteOfflineAlert: unexpected error for siteId ${siteId}`,
|
||||||
|
err
|
||||||
|
);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
@@ -1,3 +1,4 @@
|
|||||||
export * from "./events/siteEvents";
|
export * from "./events/siteEvents";
|
||||||
export * from "./events/healthCheckEvents";
|
export * from "./events/healthCheckEvents";
|
||||||
export * from "./events/resourceEvents";
|
export * from "./events/resourceEvents";
|
||||||
|
export * from "./processAlerts";
|
||||||
|
|||||||
@@ -0,0 +1,5 @@
|
|||||||
|
import { AlertContext } from "@server/routers/alertRule/types";
|
||||||
|
|
||||||
|
export async function processAlerts(context: AlertContext): Promise<void> {
|
||||||
|
return;
|
||||||
|
}
|
||||||
@@ -1,28 +1,39 @@
|
|||||||
export enum FeatureId {
|
export enum LimitId {
|
||||||
USERS = "users",
|
USERS = "users",
|
||||||
SITES = "sites",
|
SITES = "sites",
|
||||||
EGRESS_DATA_MB = "egressDataMb",
|
EGRESS_DATA_MB = "egressDataMb",
|
||||||
DOMAINS = "domains",
|
DOMAINS = "domains",
|
||||||
REMOTE_EXIT_NODES = "remoteExitNodes",
|
REMOTE_EXIT_NODES = "remoteExitNodes",
|
||||||
ORGINIZATIONS = "organizations",
|
ORGANIZATIONS = "organizations",
|
||||||
|
PUBLIC_RESOURCES = "publicResources",
|
||||||
|
PRIVATE_RESOURCES = "privateResources",
|
||||||
|
MACHINE_CLIENTS = "machineClients",
|
||||||
TIER1 = "tier1"
|
TIER1 = "tier1"
|
||||||
}
|
}
|
||||||
|
|
||||||
export async function getFeatureDisplayName(featureId: FeatureId): Promise<string> {
|
export async function getFeatureDisplayName(
|
||||||
|
featureId: LimitId
|
||||||
|
): Promise<string> {
|
||||||
switch (featureId) {
|
switch (featureId) {
|
||||||
case FeatureId.USERS:
|
case LimitId.USERS:
|
||||||
return "Users";
|
return "Users";
|
||||||
case FeatureId.SITES:
|
case LimitId.SITES:
|
||||||
return "Sites";
|
return "Sites";
|
||||||
case FeatureId.EGRESS_DATA_MB:
|
case LimitId.EGRESS_DATA_MB:
|
||||||
return "Egress Data (MB)";
|
return "Egress Data (MB)";
|
||||||
case FeatureId.DOMAINS:
|
case LimitId.DOMAINS:
|
||||||
return "Domains";
|
return "Domains";
|
||||||
case FeatureId.REMOTE_EXIT_NODES:
|
case LimitId.REMOTE_EXIT_NODES:
|
||||||
return "Remote Exit Nodes";
|
return "Remote Exit Nodes";
|
||||||
case FeatureId.ORGINIZATIONS:
|
case LimitId.ORGANIZATIONS:
|
||||||
return "Organizations";
|
return "Organizations";
|
||||||
case FeatureId.TIER1:
|
case LimitId.PUBLIC_RESOURCES:
|
||||||
|
return "Public Resources";
|
||||||
|
case LimitId.PRIVATE_RESOURCES:
|
||||||
|
return "Private Resources";
|
||||||
|
case LimitId.MACHINE_CLIENTS:
|
||||||
|
return "Machine Clients";
|
||||||
|
case LimitId.TIER1:
|
||||||
return "Home Lab";
|
return "Home Lab";
|
||||||
default:
|
default:
|
||||||
return featureId;
|
return featureId;
|
||||||
@@ -30,15 +41,16 @@ export async function getFeatureDisplayName(featureId: FeatureId): Promise<strin
|
|||||||
}
|
}
|
||||||
|
|
||||||
// this is from the old system
|
// this is from the old system
|
||||||
export const FeatureMeterIds: Partial<Record<FeatureId, string>> = { // right now we are not charging for any data
|
export const FeatureMeterIds: Partial<Record<LimitId, string>> = {
|
||||||
|
// right now we are not charging for any data
|
||||||
// [FeatureId.EGRESS_DATA_MB]: "mtr_61Srreh9eWrExDSCe41D3Ee2Ir7Wm5YW"
|
// [FeatureId.EGRESS_DATA_MB]: "mtr_61Srreh9eWrExDSCe41D3Ee2Ir7Wm5YW"
|
||||||
};
|
};
|
||||||
|
|
||||||
export const FeatureMeterIdsSandbox: Partial<Record<FeatureId, string>> = {
|
export const FeatureMeterIdsSandbox: Partial<Record<LimitId, string>> = {
|
||||||
// [FeatureId.EGRESS_DATA_MB]: "mtr_test_61Snh2a2m6qome5Kv41DCpkOb237B3dQ"
|
// [FeatureId.EGRESS_DATA_MB]: "mtr_test_61Snh2a2m6qome5Kv41DCpkOb237B3dQ"
|
||||||
};
|
};
|
||||||
|
|
||||||
export function getFeatureMeterId(featureId: FeatureId): string | undefined {
|
export function getFeatureMeterId(featureId: LimitId): string | undefined {
|
||||||
if (
|
if (
|
||||||
process.env.ENVIRONMENT == "prod" &&
|
process.env.ENVIRONMENT == "prod" &&
|
||||||
process.env.SANDBOX_MODE !== "true"
|
process.env.SANDBOX_MODE !== "true"
|
||||||
@@ -49,22 +61,20 @@ export function getFeatureMeterId(featureId: FeatureId): string | undefined {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
export function getFeatureIdByMetricId(
|
export function getFeatureIdByMetricId(metricId: string): LimitId | undefined {
|
||||||
metricId: string
|
return (Object.entries(FeatureMeterIds) as [LimitId, string][]).find(
|
||||||
): FeatureId | undefined {
|
|
||||||
return (Object.entries(FeatureMeterIds) as [FeatureId, string][]).find(
|
|
||||||
([_, v]) => v === metricId
|
([_, v]) => v === metricId
|
||||||
)?.[0];
|
)?.[0];
|
||||||
}
|
}
|
||||||
|
|
||||||
export type FeaturePriceSet = Partial<Record<FeatureId, string>>;
|
export type FeaturePriceSet = Partial<Record<LimitId, string>>;
|
||||||
|
|
||||||
export const tier1FeaturePriceSet: FeaturePriceSet = {
|
export const tier1FeaturePriceSet: FeaturePriceSet = {
|
||||||
[FeatureId.TIER1]: "price_1SzVE3D3Ee2Ir7Wm6wT5Dl3G"
|
[LimitId.TIER1]: "price_1SzVE3D3Ee2Ir7Wm6wT5Dl3G"
|
||||||
};
|
};
|
||||||
|
|
||||||
export const tier1FeaturePriceSetSandbox: FeaturePriceSet = {
|
export const tier1FeaturePriceSetSandbox: FeaturePriceSet = {
|
||||||
[FeatureId.TIER1]: "price_1SxgpPDCpkOb237Bfo4rIsoT"
|
[LimitId.TIER1]: "price_1SxgpPDCpkOb237Bfo4rIsoT"
|
||||||
};
|
};
|
||||||
|
|
||||||
export function getTier1FeaturePriceSet(): FeaturePriceSet {
|
export function getTier1FeaturePriceSet(): FeaturePriceSet {
|
||||||
@@ -79,11 +89,11 @@ export function getTier1FeaturePriceSet(): FeaturePriceSet {
|
|||||||
}
|
}
|
||||||
|
|
||||||
export const tier2FeaturePriceSet: FeaturePriceSet = {
|
export const tier2FeaturePriceSet: FeaturePriceSet = {
|
||||||
[FeatureId.USERS]: "price_1SzVCcD3Ee2Ir7Wmn6U3KvPN"
|
[LimitId.USERS]: "price_1SzVCcD3Ee2Ir7Wmn6U3KvPN"
|
||||||
};
|
};
|
||||||
|
|
||||||
export const tier2FeaturePriceSetSandbox: FeaturePriceSet = {
|
export const tier2FeaturePriceSetSandbox: FeaturePriceSet = {
|
||||||
[FeatureId.USERS]: "price_1SxaEHDCpkOb237BD9lBkPiR"
|
[LimitId.USERS]: "price_1SxaEHDCpkOb237BD9lBkPiR"
|
||||||
};
|
};
|
||||||
|
|
||||||
export function getTier2FeaturePriceSet(): FeaturePriceSet {
|
export function getTier2FeaturePriceSet(): FeaturePriceSet {
|
||||||
@@ -98,11 +108,11 @@ export function getTier2FeaturePriceSet(): FeaturePriceSet {
|
|||||||
}
|
}
|
||||||
|
|
||||||
export const tier3FeaturePriceSet: FeaturePriceSet = {
|
export const tier3FeaturePriceSet: FeaturePriceSet = {
|
||||||
[FeatureId.USERS]: "price_1SzVDKD3Ee2Ir7WmPtOKNusv"
|
[LimitId.USERS]: "price_1SzVDKD3Ee2Ir7WmPtOKNusv"
|
||||||
};
|
};
|
||||||
|
|
||||||
export const tier3FeaturePriceSetSandbox: FeaturePriceSet = {
|
export const tier3FeaturePriceSetSandbox: FeaturePriceSet = {
|
||||||
[FeatureId.USERS]: "price_1SxaEODCpkOb237BiXdCBSfs"
|
[LimitId.USERS]: "price_1SxaEODCpkOb237BiXdCBSfs"
|
||||||
};
|
};
|
||||||
|
|
||||||
export function getTier3FeaturePriceSet(): FeaturePriceSet {
|
export function getTier3FeaturePriceSet(): FeaturePriceSet {
|
||||||
@@ -116,7 +126,7 @@ export function getTier3FeaturePriceSet(): FeaturePriceSet {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
export function getFeatureIdByPriceId(priceId: string): FeatureId | undefined {
|
export function getFeatureIdByPriceId(priceId: string): LimitId | undefined {
|
||||||
// Check all feature price sets
|
// Check all feature price sets
|
||||||
const allPriceSets = [
|
const allPriceSets = [
|
||||||
getTier1FeaturePriceSet(),
|
getTier1FeaturePriceSet(),
|
||||||
@@ -125,7 +135,7 @@ export function getFeatureIdByPriceId(priceId: string): FeatureId | undefined {
|
|||||||
];
|
];
|
||||||
|
|
||||||
for (const priceSet of allPriceSets) {
|
for (const priceSet of allPriceSets) {
|
||||||
const entry = (Object.entries(priceSet) as [FeatureId, string][]).find(
|
const entry = (Object.entries(priceSet) as [LimitId, string][]).find(
|
||||||
([_, price]) => price === priceId
|
([_, price]) => price === priceId
|
||||||
);
|
);
|
||||||
if (entry) {
|
if (entry) {
|
||||||
|
|||||||
@@ -1,19 +1,19 @@
|
|||||||
import Stripe from "stripe";
|
import Stripe from "stripe";
|
||||||
import { FeatureId, FeaturePriceSet } from "./features";
|
import { LimitId, FeaturePriceSet } from "./features";
|
||||||
import { usageService } from "./usageService";
|
import { usageService } from "./usageService";
|
||||||
|
|
||||||
export async function getLineItems(
|
export async function getLineItems(
|
||||||
featurePriceSet: FeaturePriceSet,
|
featurePriceSet: FeaturePriceSet,
|
||||||
orgId: string,
|
orgId: string
|
||||||
): Promise<Stripe.Checkout.SessionCreateParams.LineItem[]> {
|
): Promise<Stripe.Checkout.SessionCreateParams.LineItem[]> {
|
||||||
const users = await usageService.getUsage(orgId, FeatureId.USERS);
|
const users = await usageService.getUsage(orgId, LimitId.USERS);
|
||||||
|
|
||||||
return Object.entries(featurePriceSet).map(([featureId, priceId]) => {
|
return Object.entries(featurePriceSet).map(([featureId, priceId]) => {
|
||||||
let quantity: number | undefined;
|
let quantity: number | undefined;
|
||||||
|
|
||||||
if (featureId === FeatureId.USERS) {
|
if (featureId === LimitId.USERS) {
|
||||||
quantity = users?.instantaneousValue || 1;
|
quantity = users?.instantaneousValue || 1;
|
||||||
} else if (featureId === FeatureId.TIER1) {
|
} else if (featureId === LimitId.TIER1) {
|
||||||
quantity = 1;
|
quantity = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -1,8 +1,9 @@
|
|||||||
export async function getOrgTierData(
|
export async function getOrgTierData(
|
||||||
orgId: string
|
orgId: string
|
||||||
): Promise<{ tier: string | null; active: boolean }> {
|
): Promise<{ tier: string | null; active: boolean; isTrial: boolean }> {
|
||||||
const tier = null;
|
const tier = null;
|
||||||
const active = false;
|
const active = false;
|
||||||
|
const isTrial = false;
|
||||||
|
|
||||||
return { tier, active };
|
return { tier, active, isTrial };
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,70 +1,82 @@
|
|||||||
import { FeatureId } from "./features";
|
import { LimitId } from "./features";
|
||||||
|
|
||||||
export type LimitSet = Partial<{
|
export type LimitSet = Partial<{
|
||||||
[key in FeatureId]: {
|
[key in LimitId]: {
|
||||||
value: number | null; // null indicates no limit
|
value: number | null; // null indicates no limit
|
||||||
description?: string;
|
description?: string;
|
||||||
};
|
};
|
||||||
}>;
|
}>;
|
||||||
|
|
||||||
export const freeLimitSet: LimitSet = {
|
export const freeLimitSet: LimitSet = {
|
||||||
[FeatureId.SITES]: { value: 5, description: "Basic limit" },
|
[LimitId.SITES]: { value: 5, description: "Basic limit" },
|
||||||
[FeatureId.USERS]: { value: 5, description: "Basic limit" },
|
[LimitId.USERS]: { value: 5, description: "Basic limit" },
|
||||||
[FeatureId.DOMAINS]: { value: 5, description: "Basic limit" },
|
[LimitId.DOMAINS]: { value: 5, description: "Basic limit" },
|
||||||
[FeatureId.REMOTE_EXIT_NODES]: { value: 1, description: "Basic limit" },
|
[LimitId.REMOTE_EXIT_NODES]: { value: 1, description: "Basic limit" },
|
||||||
[FeatureId.ORGINIZATIONS]: { value: 1, description: "Basic limit" },
|
[LimitId.ORGANIZATIONS]: { value: 1, description: "Basic limit" },
|
||||||
|
[LimitId.PUBLIC_RESOURCES]: { value: 15, description: "Basic limit" },
|
||||||
|
[LimitId.PRIVATE_RESOURCES]: { value: 15, description: "Basic limit" },
|
||||||
|
[LimitId.MACHINE_CLIENTS]: { value: 5, description: "Basic limit" }
|
||||||
};
|
};
|
||||||
|
|
||||||
export const tier1LimitSet: LimitSet = {
|
export const tier1LimitSet: LimitSet = {
|
||||||
[FeatureId.USERS]: { value: 7, description: "Home limit" },
|
[LimitId.USERS]: { value: 7, description: "Home limit" },
|
||||||
[FeatureId.SITES]: { value: 10, description: "Home limit" },
|
[LimitId.SITES]: { value: 10, description: "Home limit" },
|
||||||
[FeatureId.DOMAINS]: { value: 10, description: "Home limit" },
|
[LimitId.DOMAINS]: { value: 10, description: "Home limit" },
|
||||||
[FeatureId.REMOTE_EXIT_NODES]: { value: 1, description: "Home limit" },
|
[LimitId.REMOTE_EXIT_NODES]: { value: 1, description: "Home limit" },
|
||||||
[FeatureId.ORGINIZATIONS]: { value: 1, description: "Home limit" },
|
[LimitId.ORGANIZATIONS]: { value: 1, description: "Home limit" },
|
||||||
|
[LimitId.PUBLIC_RESOURCES]: { value: 30, description: "Home limit" },
|
||||||
|
[LimitId.PRIVATE_RESOURCES]: { value: 30, description: "Home limit" },
|
||||||
|
[LimitId.MACHINE_CLIENTS]: { value: 10, description: "Home limit" }
|
||||||
};
|
};
|
||||||
|
|
||||||
export const tier2LimitSet: LimitSet = {
|
export const tier2LimitSet: LimitSet = {
|
||||||
[FeatureId.USERS]: {
|
[LimitId.USERS]: {
|
||||||
value: 100,
|
|
||||||
description: "Team limit"
|
|
||||||
},
|
|
||||||
[FeatureId.SITES]: {
|
|
||||||
value: 50,
|
value: 50,
|
||||||
description: "Team limit"
|
description: "Team limit"
|
||||||
},
|
},
|
||||||
[FeatureId.DOMAINS]: {
|
[LimitId.SITES]: {
|
||||||
value: 50,
|
value: 50,
|
||||||
description: "Team limit"
|
description: "Team limit"
|
||||||
},
|
},
|
||||||
[FeatureId.REMOTE_EXIT_NODES]: {
|
[LimitId.DOMAINS]: {
|
||||||
|
value: 50,
|
||||||
|
description: "Team limit"
|
||||||
|
},
|
||||||
|
[LimitId.REMOTE_EXIT_NODES]: {
|
||||||
value: 3,
|
value: 3,
|
||||||
description: "Team limit"
|
description: "Team limit"
|
||||||
},
|
},
|
||||||
[FeatureId.ORGINIZATIONS]: {
|
[LimitId.ORGANIZATIONS]: {
|
||||||
value: 1,
|
value: 1,
|
||||||
description: "Team limit"
|
description: "Team limit"
|
||||||
}
|
},
|
||||||
|
[LimitId.PUBLIC_RESOURCES]: { value: 150, description: "Team limit" },
|
||||||
|
[LimitId.PRIVATE_RESOURCES]: { value: 150, description: "Team limit" },
|
||||||
|
[LimitId.MACHINE_CLIENTS]: { value: 25, description: "Team limit" }
|
||||||
};
|
};
|
||||||
|
|
||||||
export const tier3LimitSet: LimitSet = {
|
export const tier3LimitSet: LimitSet = {
|
||||||
[FeatureId.USERS]: {
|
[LimitId.USERS]: {
|
||||||
value: 500,
|
|
||||||
description: "Business limit"
|
|
||||||
},
|
|
||||||
[FeatureId.SITES]: {
|
|
||||||
value: 250,
|
value: 250,
|
||||||
description: "Business limit"
|
description: "Business limit"
|
||||||
},
|
},
|
||||||
[FeatureId.DOMAINS]: {
|
[LimitId.SITES]: {
|
||||||
|
value: 250,
|
||||||
|
description: "Business limit"
|
||||||
|
},
|
||||||
|
[LimitId.DOMAINS]: {
|
||||||
value: 100,
|
value: 100,
|
||||||
description: "Business limit"
|
description: "Business limit"
|
||||||
},
|
},
|
||||||
[FeatureId.REMOTE_EXIT_NODES]: {
|
[LimitId.REMOTE_EXIT_NODES]: {
|
||||||
value: 20,
|
value: 20,
|
||||||
description: "Business limit"
|
description: "Business limit"
|
||||||
},
|
},
|
||||||
[FeatureId.ORGINIZATIONS]: {
|
[LimitId.ORGANIZATIONS]: {
|
||||||
value: 5,
|
value: 5,
|
||||||
description: "Business limit"
|
description: "Business limit"
|
||||||
},
|
},
|
||||||
|
[LimitId.PUBLIC_RESOURCES]: { value: 750, description: "Business limit" },
|
||||||
|
[LimitId.PRIVATE_RESOURCES]: { value: 750, description: "Business limit" },
|
||||||
|
[LimitId.MACHINE_CLIENTS]: { value: 100, description: "Business limit" }
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
import { db, limits } from "@server/db";
|
import { db, limits } from "@server/db";
|
||||||
import { and, eq } from "drizzle-orm";
|
import { and, eq } from "drizzle-orm";
|
||||||
import { LimitSet } from "./limitSet";
|
import { LimitSet } from "./limitSet";
|
||||||
import { FeatureId } from "./features";
|
import { LimitId } from "./features";
|
||||||
import logger from "@server/logger";
|
import logger from "@server/logger";
|
||||||
|
|
||||||
class LimitService {
|
class LimitService {
|
||||||
@@ -38,7 +38,7 @@ class LimitService {
|
|||||||
|
|
||||||
async getOrgLimit(
|
async getOrgLimit(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
featureId: FeatureId
|
featureId: LimitId
|
||||||
): Promise<number | null> {
|
): Promise<number | null> {
|
||||||
const limitId = `${orgId}-${featureId}`;
|
const limitId = `${orgId}-${featureId}`;
|
||||||
const [limit] = await db
|
const [limit] = await db
|
||||||
|
|||||||
@@ -16,15 +16,17 @@ export enum TierFeature {
|
|||||||
SessionDurationPolicies = "sessionDurationPolicies", // handle downgrade by setting to default duration
|
SessionDurationPolicies = "sessionDurationPolicies", // handle downgrade by setting to default duration
|
||||||
PasswordExpirationPolicies = "passwordExpirationPolicies", // handle downgrade by setting to default duration
|
PasswordExpirationPolicies = "passwordExpirationPolicies", // handle downgrade by setting to default duration
|
||||||
AutoProvisioning = "autoProvisioning", // handle downgrade by disabling auto provisioning
|
AutoProvisioning = "autoProvisioning", // handle downgrade by disabling auto provisioning
|
||||||
SshPam = "sshPam",
|
|
||||||
FullRbac = "fullRbac",
|
FullRbac = "fullRbac",
|
||||||
SiteProvisioningKeys = "siteProvisioningKeys", // handle downgrade by revoking keys if needed
|
SiteProvisioningKeys = "siteProvisioningKeys", // handle downgrade by revoking keys if needed
|
||||||
SIEM = "siem", // handle downgrade by disabling SIEM integrations
|
SIEM = "siem", // handle downgrade by disabling SIEM integrations
|
||||||
HTTPPrivateResources = "httpPrivateResources", // handle downgrade by disabling HTTP private resources
|
|
||||||
DomainNamespaces = "domainNamespaces", // handle downgrade by removing custom domain namespaces
|
DomainNamespaces = "domainNamespaces", // handle downgrade by removing custom domain namespaces
|
||||||
StandaloneHealthChecks = "standaloneHealthChecks",
|
StandaloneHealthChecks = "standaloneHealthChecks",
|
||||||
AlertingRules = "alertingRules",
|
AlertingRules = "alertingRules",
|
||||||
WildcardSubdomain = "wildcardSubdomain"
|
WildcardSubdomain = "wildcardSubdomain",
|
||||||
|
NewtAutoUpdate = "newtAutoUpdate",
|
||||||
|
ResourcePolicies = "resourcePolicies",
|
||||||
|
AdvancedPublicResources = "advancedPublicResources",
|
||||||
|
AdvancedPrivateResources = "advancedPrivateResources"
|
||||||
}
|
}
|
||||||
|
|
||||||
export const tierMatrix: Record<TierFeature, Tier[]> = {
|
export const tierMatrix: Record<TierFeature, Tier[]> = {
|
||||||
@@ -58,13 +60,15 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
|
|||||||
"enterprise"
|
"enterprise"
|
||||||
],
|
],
|
||||||
[TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"],
|
[TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"],
|
||||||
[TierFeature.SshPam]: ["tier1", "tier3", "enterprise"],
|
|
||||||
[TierFeature.FullRbac]: ["tier1", "tier2", "tier3", "enterprise"],
|
[TierFeature.FullRbac]: ["tier1", "tier2", "tier3", "enterprise"],
|
||||||
[TierFeature.SiteProvisioningKeys]: ["tier3", "enterprise"],
|
[TierFeature.SiteProvisioningKeys]: ["tier3", "enterprise"],
|
||||||
[TierFeature.SIEM]: ["enterprise"],
|
[TierFeature.SIEM]: ["enterprise"],
|
||||||
[TierFeature.HTTPPrivateResources]: ["tier3", "enterprise"],
|
|
||||||
[TierFeature.DomainNamespaces]: ["tier1", "tier2", "tier3", "enterprise"],
|
[TierFeature.DomainNamespaces]: ["tier1", "tier2", "tier3", "enterprise"],
|
||||||
[TierFeature.StandaloneHealthChecks]: ["tier2", "tier3", "enterprise"],
|
[TierFeature.StandaloneHealthChecks]: ["tier3", "enterprise"],
|
||||||
[TierFeature.AlertingRules]: ["tier2", "tier3", "enterprise"],
|
[TierFeature.AlertingRules]: ["tier3", "enterprise"],
|
||||||
[TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"]
|
[TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"],
|
||||||
|
[TierFeature.NewtAutoUpdate]: ["tier1", "tier2", "tier3", "enterprise"],
|
||||||
|
[TierFeature.ResourcePolicies]: ["tier3", "enterprise"],
|
||||||
|
[TierFeature.AdvancedPublicResources]: ["tier3", "enterprise"],
|
||||||
|
[TierFeature.AdvancedPrivateResources]: ["tier3", "enterprise"]
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -9,10 +9,10 @@ import {
|
|||||||
Transaction,
|
Transaction,
|
||||||
orgs
|
orgs
|
||||||
} from "@server/db";
|
} from "@server/db";
|
||||||
import { FeatureId, getFeatureMeterId } from "./features";
|
import { LimitId, getFeatureMeterId } from "./features";
|
||||||
import logger from "@server/logger";
|
import logger from "@server/logger";
|
||||||
import { build } from "@server/build";
|
import { build } from "@server/build";
|
||||||
import cache from "#dynamic/lib/cache";
|
import { regionalCache as cache } from "#dynamic/lib/cache";
|
||||||
|
|
||||||
export function noop() {
|
export function noop() {
|
||||||
if (build !== "saas") {
|
if (build !== "saas") {
|
||||||
@@ -22,7 +22,6 @@ export function noop() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
export class UsageService {
|
export class UsageService {
|
||||||
|
|
||||||
constructor() {
|
constructor() {
|
||||||
if (noop()) {
|
if (noop()) {
|
||||||
return;
|
return;
|
||||||
@@ -38,7 +37,7 @@ export class UsageService {
|
|||||||
|
|
||||||
public async add(
|
public async add(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
featureId: FeatureId,
|
featureId: LimitId,
|
||||||
value: number,
|
value: number,
|
||||||
transaction: any = null
|
transaction: any = null
|
||||||
): Promise<Usage | null> {
|
): Promise<Usage | null> {
|
||||||
@@ -57,7 +56,10 @@ export class UsageService {
|
|||||||
try {
|
try {
|
||||||
let usage;
|
let usage;
|
||||||
if (transaction) {
|
if (transaction) {
|
||||||
const orgIdToUse = await this.getBillingOrg(orgId, transaction);
|
const orgIdToUse = await this.getBillingOrg(
|
||||||
|
orgId,
|
||||||
|
transaction
|
||||||
|
);
|
||||||
usage = await this.internalAddUsage(
|
usage = await this.internalAddUsage(
|
||||||
orgIdToUse,
|
orgIdToUse,
|
||||||
featureId,
|
featureId,
|
||||||
@@ -112,7 +114,7 @@ export class UsageService {
|
|||||||
|
|
||||||
private async internalAddUsage(
|
private async internalAddUsage(
|
||||||
orgId: string, // here the orgId is the billing org already resolved by getBillingOrg in updateCount
|
orgId: string, // here the orgId is the billing org already resolved by getBillingOrg in updateCount
|
||||||
featureId: FeatureId,
|
featureId: LimitId,
|
||||||
value: number,
|
value: number,
|
||||||
trx: Transaction
|
trx: Transaction
|
||||||
): Promise<Usage> {
|
): Promise<Usage> {
|
||||||
@@ -161,7 +163,7 @@ export class UsageService {
|
|||||||
|
|
||||||
async updateCount(
|
async updateCount(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
featureId: FeatureId,
|
featureId: LimitId,
|
||||||
value?: number,
|
value?: number,
|
||||||
customerId?: string
|
customerId?: string
|
||||||
): Promise<void> {
|
): Promise<void> {
|
||||||
@@ -225,7 +227,7 @@ export class UsageService {
|
|||||||
|
|
||||||
private async getCustomerId(
|
private async getCustomerId(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
featureId: FeatureId
|
featureId: LimitId
|
||||||
): Promise<string | null> {
|
): Promise<string | null> {
|
||||||
const orgIdToUse = await this.getBillingOrg(orgId);
|
const orgIdToUse = await this.getBillingOrg(orgId);
|
||||||
|
|
||||||
@@ -267,18 +269,19 @@ export class UsageService {
|
|||||||
|
|
||||||
public async getUsage(
|
public async getUsage(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
featureId: FeatureId,
|
featureId: LimitId,
|
||||||
trx: Transaction | typeof db = db
|
trx: Transaction | typeof db = db
|
||||||
): Promise<Usage | null> {
|
): Promise<Usage | null> {
|
||||||
if (noop()) {
|
if (noop()) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
const orgIdToUse = await this.getBillingOrg(orgId, trx);
|
let orgIdToUse = orgId;
|
||||||
|
try {
|
||||||
|
orgIdToUse = await this.getBillingOrg(orgId, trx);
|
||||||
|
|
||||||
const usageId = `${orgIdToUse}-${featureId}`;
|
const usageId = `${orgIdToUse}-${featureId}`;
|
||||||
|
|
||||||
try {
|
|
||||||
const [result] = await trx
|
const [result] = await trx
|
||||||
.select()
|
.select()
|
||||||
.from(usage)
|
.from(usage)
|
||||||
@@ -338,10 +341,14 @@ export class UsageService {
|
|||||||
`Failed to get usage for ${orgIdToUse}/${featureId}:`,
|
`Failed to get usage for ${orgIdToUse}/${featureId}:`,
|
||||||
error
|
error
|
||||||
);
|
);
|
||||||
|
if (process.env.NODE_ENV !== "development") {
|
||||||
throw error;
|
throw error;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
public async getBillingOrg(
|
public async getBillingOrg(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
trx: Transaction | typeof db = db
|
trx: Transaction | typeof db = db
|
||||||
@@ -374,7 +381,7 @@ export class UsageService {
|
|||||||
|
|
||||||
public async checkLimitSet(
|
public async checkLimitSet(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
featureId?: FeatureId,
|
featureId?: LimitId,
|
||||||
usage?: Usage,
|
usage?: Usage,
|
||||||
trx: Transaction | typeof db = db
|
trx: Transaction | typeof db = db
|
||||||
): Promise<boolean> {
|
): Promise<boolean> {
|
||||||
@@ -382,13 +389,13 @@ export class UsageService {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
const orgIdToUse = await this.getBillingOrg(orgId, trx);
|
|
||||||
|
|
||||||
// This method should check the current usage against the limits set for the organization
|
// This method should check the current usage against the limits set for the organization
|
||||||
// and kick out all of the sites on the org
|
// and kick out all of the sites on the org
|
||||||
let hasExceededLimits = false;
|
let hasExceededLimits = false;
|
||||||
|
let orgIdToUse = orgId;
|
||||||
try {
|
try {
|
||||||
|
orgIdToUse = await this.getBillingOrg(orgId, trx);
|
||||||
|
|
||||||
let orgLimits: Limit[] = [];
|
let orgLimits: Limit[] = [];
|
||||||
if (featureId) {
|
if (featureId) {
|
||||||
// Get all limits set for this organization
|
// Get all limits set for this organization
|
||||||
@@ -422,7 +429,7 @@ export class UsageService {
|
|||||||
} else {
|
} else {
|
||||||
currentUsage = await this.getUsage(
|
currentUsage = await this.getUsage(
|
||||||
orgIdToUse,
|
orgIdToUse,
|
||||||
limit.featureId as FeatureId,
|
limit.featureId as LimitId,
|
||||||
trx
|
trx
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -3,29 +3,43 @@ import {
|
|||||||
newts,
|
newts,
|
||||||
blueprints,
|
blueprints,
|
||||||
Blueprint,
|
Blueprint,
|
||||||
Site,
|
|
||||||
siteResources,
|
siteResources,
|
||||||
roleSiteResources,
|
roleSiteResources,
|
||||||
userSiteResources,
|
userSiteResources,
|
||||||
clientSiteResources
|
clientSiteResources
|
||||||
} from "@server/db";
|
} from "@server/db";
|
||||||
import { Config, ConfigSchema } from "./types";
|
import { Config, ConfigSchema, isTargetsOnlyResource } from "./types";
|
||||||
import { ProxyResourcesResults, updateProxyResources } from "./proxyResources";
|
import {
|
||||||
|
PublicResourcesResults,
|
||||||
|
updatePublicResources
|
||||||
|
} from "./publicResources";
|
||||||
import { fromError } from "zod-validation-error";
|
import { fromError } from "zod-validation-error";
|
||||||
import logger from "@server/logger";
|
import logger from "@server/logger";
|
||||||
import { sites } from "@server/db";
|
import { sites } from "@server/db";
|
||||||
import { eq, and, isNotNull } from "drizzle-orm";
|
import { eq, and, isNotNull } from "drizzle-orm";
|
||||||
import { addTargets as addProxyTargets } from "@server/routers/newt/targets";
|
import {
|
||||||
import { addTargets as addClientTargets } from "@server/routers/client/targets";
|
addTargets as addProxyTargets,
|
||||||
|
sendBrowserGatewayTargets
|
||||||
|
} from "@server/routers/newt/targets";
|
||||||
import {
|
import {
|
||||||
ClientResourcesResults,
|
ClientResourcesResults,
|
||||||
updateClientResources
|
updatePrivateResources
|
||||||
} from "./clientResources";
|
} from "./privateResources";
|
||||||
|
import { updateResourcePolicies } from "./resourcePolicies";
|
||||||
import { BlueprintSource } from "@server/routers/blueprints/types";
|
import { BlueprintSource } from "@server/routers/blueprints/types";
|
||||||
import { stringify as stringifyYaml } from "yaml";
|
import { stringify as stringifyYaml } from "yaml";
|
||||||
import { faker } from "@faker-js/faker";
|
import { generateName } from "@server/db/names";
|
||||||
import { handleMessagingForUpdatedSiteResource } from "@server/routers/siteResource";
|
import {
|
||||||
import { rebuildClientAssociationsFromSiteResource } from "../rebuildClientAssociations";
|
handleMessagingForUpdatedSiteResource,
|
||||||
|
rebuildClientAssociationsFromSiteResource,
|
||||||
|
waitForSiteResourceRebuildIdle
|
||||||
|
} from "../rebuildClientAssociations";
|
||||||
|
import { build } from "@server/build";
|
||||||
|
import HttpCode from "@server/types/HttpCode";
|
||||||
|
import createHttpError from "http-errors";
|
||||||
|
import next from "next";
|
||||||
|
import { LimitId } from "../billing";
|
||||||
|
import { usageService } from "../billing/usageService";
|
||||||
|
|
||||||
type ApplyBlueprintArgs = {
|
type ApplyBlueprintArgs = {
|
||||||
orgId: string;
|
orgId: string;
|
||||||
@@ -42,40 +56,39 @@ export async function applyBlueprint({
|
|||||||
name,
|
name,
|
||||||
source = "API"
|
source = "API"
|
||||||
}: ApplyBlueprintArgs): Promise<Blueprint> {
|
}: ApplyBlueprintArgs): Promise<Blueprint> {
|
||||||
// Validate the input data
|
let blueprintSucceeded: boolean = false;
|
||||||
|
let blueprintMessage = "";
|
||||||
|
let error: any | null = null;
|
||||||
|
|
||||||
|
try {
|
||||||
const validationResult = ConfigSchema.safeParse(configData);
|
const validationResult = ConfigSchema.safeParse(configData);
|
||||||
if (!validationResult.success) {
|
if (!validationResult.success) {
|
||||||
throw new Error(fromError(validationResult.error).toString());
|
throw new Error(fromError(validationResult.error).toString());
|
||||||
}
|
}
|
||||||
|
|
||||||
const config: Config = validationResult.data;
|
const config: Config = validationResult.data;
|
||||||
let blueprintSucceeded: boolean = false;
|
|
||||||
let blueprintMessage: string;
|
|
||||||
let error: any | null = null;
|
|
||||||
|
|
||||||
try {
|
let publicResourcesResults: PublicResourcesResults = [];
|
||||||
let proxyResourcesResults: ProxyResourcesResults = [];
|
let privateResourcesResults: ClientResourcesResults = [];
|
||||||
let clientResourcesResults: ClientResourcesResults = [];
|
|
||||||
await db.transaction(async (trx) => {
|
await db.transaction(async (trx) => {
|
||||||
proxyResourcesResults = await updateProxyResources(
|
await updateResourcePolicies(orgId, config, trx);
|
||||||
orgId,
|
|
||||||
config,
|
|
||||||
trx,
|
|
||||||
siteId
|
|
||||||
);
|
|
||||||
clientResourcesResults = await updateClientResources(
|
|
||||||
orgId,
|
|
||||||
config,
|
|
||||||
trx,
|
|
||||||
siteId
|
|
||||||
);
|
|
||||||
|
|
||||||
logger.debug(
|
publicResourcesResults = await updatePublicResources(
|
||||||
`Successfully updated proxy resources for org ${orgId}: ${JSON.stringify(proxyResourcesResults)}`
|
orgId,
|
||||||
|
config,
|
||||||
|
trx,
|
||||||
|
siteId
|
||||||
|
);
|
||||||
|
privateResourcesResults = await updatePrivateResources(
|
||||||
|
orgId,
|
||||||
|
config,
|
||||||
|
trx,
|
||||||
|
siteId
|
||||||
);
|
);
|
||||||
|
|
||||||
// We need to update the targets on the newts from the successfully updated information
|
// We need to update the targets on the newts from the successfully updated information
|
||||||
for (const result of proxyResourcesResults) {
|
for (const result of publicResourcesResults) {
|
||||||
for (const target of result.targetsToUpdate) {
|
for (const target of result.targetsToUpdate) {
|
||||||
const [site] = await trx
|
const [site] = await trx
|
||||||
.select()
|
.select()
|
||||||
@@ -102,178 +115,63 @@ export async function applyBlueprint({
|
|||||||
(hc) => hc.targetId === target.targetId
|
(hc) => hc.targetId === target.targetId
|
||||||
);
|
);
|
||||||
|
|
||||||
|
if (["http", "tcp", "udp"].includes(target.mode)) {
|
||||||
await addProxyTargets(
|
await addProxyTargets(
|
||||||
site.newt.newtId,
|
site.newt.newtId,
|
||||||
[target],
|
[target],
|
||||||
matchingHealthcheck ? [matchingHealthcheck] : [],
|
matchingHealthcheck
|
||||||
result.proxyResource.protocol,
|
? [matchingHealthcheck]
|
||||||
|
: [],
|
||||||
|
result.proxyResource.mode === "udp"
|
||||||
|
? "udp"
|
||||||
|
: "tcp",
|
||||||
|
site.newt.version
|
||||||
|
);
|
||||||
|
} else if (
|
||||||
|
["ssh", "rdp", "vnc"].includes(target.mode)
|
||||||
|
) {
|
||||||
|
await sendBrowserGatewayTargets(
|
||||||
|
site.newt.newtId,
|
||||||
|
[target],
|
||||||
site.newt.version
|
site.newt.version
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
logger.debug(
|
logger.debug(
|
||||||
`Successfully updated client resources for org ${orgId}: ${JSON.stringify(clientResourcesResults)}`
|
`Successfully updated public resources for org ${orgId}: ${JSON.stringify(publicResourcesResults)}`
|
||||||
);
|
);
|
||||||
|
|
||||||
// We need to update the targets on the newts from the successfully updated information
|
// We need to update the targets on the newts from the successfully updated information
|
||||||
for (const result of clientResourcesResults) {
|
for (const result of privateResourcesResults) {
|
||||||
if (
|
rebuildClientAssociationsFromSiteResource(
|
||||||
result.oldSiteResource &&
|
result.newSiteResource
|
||||||
JSON.stringify(result.newSites?.sort()) !==
|
)
|
||||||
JSON.stringify(result.oldSites?.sort())
|
.then(() =>
|
||||||
) {
|
waitForSiteResourceRebuildIdle(
|
||||||
// query existing associations
|
result.newSiteResource.siteResourceId
|
||||||
const existingRoleIds = await trx
|
|
||||||
.select()
|
|
||||||
.from(roleSiteResources)
|
|
||||||
.where(
|
|
||||||
eq(
|
|
||||||
roleSiteResources.siteResourceId,
|
|
||||||
result.oldSiteResource.siteResourceId
|
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
.then((rows) => rows.map((row) => row.roleId));
|
.then(() =>
|
||||||
|
handleMessagingForUpdatedSiteResource(
|
||||||
const existingUserIds = await trx
|
|
||||||
.select()
|
|
||||||
.from(userSiteResources)
|
|
||||||
.where(
|
|
||||||
eq(
|
|
||||||
userSiteResources.siteResourceId,
|
|
||||||
result.oldSiteResource.siteResourceId
|
|
||||||
)
|
|
||||||
)
|
|
||||||
.then((rows) => rows.map((row) => row.userId));
|
|
||||||
|
|
||||||
const existingClientIds = await trx
|
|
||||||
.select()
|
|
||||||
.from(clientSiteResources)
|
|
||||||
.where(
|
|
||||||
eq(
|
|
||||||
clientSiteResources.siteResourceId,
|
|
||||||
result.oldSiteResource.siteResourceId
|
|
||||||
)
|
|
||||||
)
|
|
||||||
.then((rows) => rows.map((row) => row.clientId));
|
|
||||||
|
|
||||||
// delete the existing site resource
|
|
||||||
await trx
|
|
||||||
.delete(siteResources)
|
|
||||||
.where(
|
|
||||||
and(
|
|
||||||
eq(
|
|
||||||
siteResources.siteResourceId,
|
|
||||||
result.oldSiteResource.siteResourceId
|
|
||||||
)
|
|
||||||
)
|
|
||||||
);
|
|
||||||
|
|
||||||
await rebuildClientAssociationsFromSiteResource(
|
|
||||||
result.oldSiteResource,
|
|
||||||
trx
|
|
||||||
);
|
|
||||||
|
|
||||||
const [insertedSiteResource] = await trx
|
|
||||||
.insert(siteResources)
|
|
||||||
.values({
|
|
||||||
...result.newSiteResource
|
|
||||||
})
|
|
||||||
.returning();
|
|
||||||
|
|
||||||
// wait some time to allow for messages to be handled
|
|
||||||
await new Promise((resolve) => setTimeout(resolve, 750));
|
|
||||||
|
|
||||||
//////////////////// update the associations ////////////////////
|
|
||||||
|
|
||||||
if (existingRoleIds.length > 0) {
|
|
||||||
await trx.insert(roleSiteResources).values(
|
|
||||||
existingRoleIds.map((roleId) => ({
|
|
||||||
roleId,
|
|
||||||
siteResourceId:
|
|
||||||
insertedSiteResource!.siteResourceId
|
|
||||||
}))
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (existingUserIds.length > 0) {
|
|
||||||
await trx.insert(userSiteResources).values(
|
|
||||||
existingUserIds.map((userId) => ({
|
|
||||||
userId,
|
|
||||||
siteResourceId:
|
|
||||||
insertedSiteResource!.siteResourceId
|
|
||||||
}))
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (existingClientIds.length > 0) {
|
|
||||||
await trx.insert(clientSiteResources).values(
|
|
||||||
existingClientIds.map((clientId) => ({
|
|
||||||
clientId,
|
|
||||||
siteResourceId:
|
|
||||||
insertedSiteResource!.siteResourceId
|
|
||||||
}))
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
await rebuildClientAssociationsFromSiteResource(
|
|
||||||
insertedSiteResource,
|
|
||||||
trx
|
|
||||||
);
|
|
||||||
} else {
|
|
||||||
let good = true;
|
|
||||||
for (const newSite of result.newSites) {
|
|
||||||
const [site] = await trx
|
|
||||||
.select()
|
|
||||||
.from(sites)
|
|
||||||
.innerJoin(newts, eq(sites.siteId, newts.siteId))
|
|
||||||
.where(
|
|
||||||
and(
|
|
||||||
eq(sites.siteId, newSite.siteId),
|
|
||||||
eq(sites.orgId, orgId),
|
|
||||||
eq(sites.type, "newt"),
|
|
||||||
isNotNull(sites.pubKey)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
.limit(1);
|
|
||||||
|
|
||||||
if (!site) {
|
|
||||||
logger.debug(
|
|
||||||
`No newt sites found for client resource ${result.newSiteResource.siteResourceId}, skipping target update`
|
|
||||||
);
|
|
||||||
good = false;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
logger.debug(
|
|
||||||
`Updating client resource ${result.newSiteResource.siteResourceId} on site ${newSite.siteId}`
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!good) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
await handleMessagingForUpdatedSiteResource(
|
|
||||||
result.oldSiteResource,
|
result.oldSiteResource,
|
||||||
result.newSiteResource,
|
result.newSiteResource,
|
||||||
result.newSites.map((site) => ({
|
result.oldSites.map((s) => s.siteId),
|
||||||
siteId: site.siteId,
|
result.newSites.map((s) => s.siteId)
|
||||||
orgId: result.newSiteResource.orgId
|
)
|
||||||
})),
|
)
|
||||||
trx
|
.catch((e) => {
|
||||||
|
logger.error(
|
||||||
|
`Failed to rebuild and handle messaging for site resource ${result.newSiteResource.siteResourceId}. Error: ${e}`
|
||||||
);
|
);
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
// await addClientTargets(
|
logger.debug(
|
||||||
// site.newt.newtId,
|
`Successfully updated private resources for org ${orgId}: ${JSON.stringify(privateResourcesResults)}`
|
||||||
// result.resource.destination,
|
);
|
||||||
// result.resource.destinationPort,
|
|
||||||
// result.resource.protocol,
|
|
||||||
// result.resource.proxyPort
|
|
||||||
// );
|
|
||||||
}
|
|
||||||
});
|
});
|
||||||
|
|
||||||
blueprintSucceeded = true;
|
blueprintSucceeded = true;
|
||||||
@@ -281,7 +179,9 @@ export async function applyBlueprint({
|
|||||||
} catch (err) {
|
} catch (err) {
|
||||||
blueprintSucceeded = false;
|
blueprintSucceeded = false;
|
||||||
blueprintMessage = `Blueprint applied with errors: ${err}`;
|
blueprintMessage = `Blueprint applied with errors: ${err}`;
|
||||||
logger.error(blueprintMessage);
|
logger.debug(
|
||||||
|
`Org ${orgId} blueprint apply issues: ${blueprintMessage}`
|
||||||
|
);
|
||||||
error = err;
|
error = err;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -291,9 +191,7 @@ export async function applyBlueprint({
|
|||||||
.insert(blueprints)
|
.insert(blueprints)
|
||||||
.values({
|
.values({
|
||||||
orgId,
|
orgId,
|
||||||
name:
|
name: name ?? generateName(),
|
||||||
name ??
|
|
||||||
`${faker.word.adjective()}-${faker.word.adjective()}-${faker.word.noun()}`,
|
|
||||||
contents: stringifyYaml(configData),
|
contents: stringifyYaml(configData),
|
||||||
createdAt: Math.floor(Date.now() / 1000),
|
createdAt: Math.floor(Date.now() / 1000),
|
||||||
succeeded: blueprintSucceeded,
|
succeeded: blueprintSucceeded,
|
||||||
|
|||||||
@@ -1,10 +1,56 @@
|
|||||||
import { sendToClient } from "#dynamic/routers/ws";
|
import { sendToClient } from "#dynamic/routers/ws";
|
||||||
import { processContainerLabels } from "./parseDockerContainers";
|
import { processContainerLabels } from "./parseDockerContainers";
|
||||||
import { applyBlueprint } from "./applyBlueprint";
|
import { applyBlueprint } from "./applyBlueprint";
|
||||||
|
import { PrivateResourceSchema, PublicResourceSchema } from "./types";
|
||||||
import { db, sites } from "@server/db";
|
import { db, sites } from "@server/db";
|
||||||
import { eq } from "drizzle-orm";
|
import { eq } from "drizzle-orm";
|
||||||
import logger from "@server/logger";
|
import logger from "@server/logger";
|
||||||
|
|
||||||
|
type BlueprintResult = ReturnType<typeof processContainerLabels>;
|
||||||
|
|
||||||
|
function filterInvalidResources(blueprint: BlueprintResult): {
|
||||||
|
skippedCount: number;
|
||||||
|
skippedKeys: string[];
|
||||||
|
} {
|
||||||
|
const skippedKeys: string[] = [];
|
||||||
|
|
||||||
|
for (const section of ["proxy-resources", "public-resources"] as const) {
|
||||||
|
const resources = blueprint[section];
|
||||||
|
for (const [key, value] of Object.entries(resources)) {
|
||||||
|
const result = PublicResourceSchema.safeParse(value);
|
||||||
|
if (!result.success) {
|
||||||
|
const errors = result.error.issues
|
||||||
|
.map((i) => `${i.path.join(".")}: ${i.message}`)
|
||||||
|
.join("; ");
|
||||||
|
logger.warn(
|
||||||
|
`Skipping invalid Docker ${section} "${key}": ${errors}`
|
||||||
|
);
|
||||||
|
delete resources[key];
|
||||||
|
skippedKeys.push(`${section}.${key}`);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
for (const section of ["client-resources", "private-resources"] as const) {
|
||||||
|
const resources = blueprint[section];
|
||||||
|
for (const [key, value] of Object.entries(resources)) {
|
||||||
|
const result = PrivateResourceSchema.safeParse(value);
|
||||||
|
if (!result.success) {
|
||||||
|
const errors = result.error.issues
|
||||||
|
.map((i) => `${i.path.join(".")}: ${i.message}`)
|
||||||
|
.join("; ");
|
||||||
|
logger.warn(
|
||||||
|
`Skipping invalid Docker ${section} "${key}": ${errors}`
|
||||||
|
);
|
||||||
|
delete resources[key];
|
||||||
|
skippedKeys.push(`${section}.${key}`);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return { skippedCount: skippedKeys.length, skippedKeys };
|
||||||
|
}
|
||||||
|
|
||||||
export async function applyNewtDockerBlueprint(
|
export async function applyNewtDockerBlueprint(
|
||||||
siteId: number,
|
siteId: number,
|
||||||
newtId: string,
|
newtId: string,
|
||||||
@@ -21,17 +67,27 @@ export async function applyNewtDockerBlueprint(
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// logger.debug(`Applying Docker blueprint to site: ${siteId}`);
|
let skippedCount = 0;
|
||||||
// logger.debug(`Containers: ${JSON.stringify(containers, null, 2)}`);
|
let skippedKeys: string[] = [];
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const blueprint = processContainerLabels(containers);
|
// Some Newt clients can report null/undefined containers when Docker
|
||||||
|
// labels are unavailable. Treat that as an empty blueprint payload.
|
||||||
|
const safeContainers = Array.isArray(containers) ? containers : [];
|
||||||
|
const blueprint = processContainerLabels(safeContainers);
|
||||||
|
|
||||||
logger.debug(`Received Docker blueprint: ${JSON.stringify(blueprint)}`);
|
logger.debug(
|
||||||
|
`Received Docker blueprint with ${Object.keys(blueprint["proxy-resources"]).length} proxy, ${Object.keys(blueprint["client-resources"]).length} client resource(s)`
|
||||||
|
);
|
||||||
|
|
||||||
// make sure this is not an empty object
|
const filterResult = filterInvalidResources(blueprint);
|
||||||
if (isEmptyObject(blueprint)) {
|
skippedCount = filterResult.skippedCount;
|
||||||
return;
|
skippedKeys = filterResult.skippedKeys;
|
||||||
|
|
||||||
|
if (skippedCount > 0) {
|
||||||
|
logger.warn(
|
||||||
|
`Filtered ${skippedCount} invalid resource(s) from Docker blueprint: ${skippedKeys.join(", ")}`
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (
|
if (
|
||||||
@@ -40,6 +96,15 @@ export async function applyNewtDockerBlueprint(
|
|||||||
isEmptyObject(blueprint["public-resources"]) &&
|
isEmptyObject(blueprint["public-resources"]) &&
|
||||||
isEmptyObject(blueprint["private-resources"])
|
isEmptyObject(blueprint["private-resources"])
|
||||||
) {
|
) {
|
||||||
|
if (skippedCount > 0) {
|
||||||
|
await sendToClient(newtId, {
|
||||||
|
type: "newt/blueprint/results",
|
||||||
|
data: {
|
||||||
|
success: false,
|
||||||
|
message: `All resources were invalid and skipped: ${skippedKeys.join(", ")}`
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -51,7 +116,7 @@ export async function applyNewtDockerBlueprint(
|
|||||||
source: "NEWT"
|
source: "NEWT"
|
||||||
});
|
});
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
logger.error(`Failed to update database from config: ${error}`);
|
logger.debug(`Failed to update database from config: ${error}`);
|
||||||
await sendToClient(newtId, {
|
await sendToClient(newtId, {
|
||||||
type: "newt/blueprint/results",
|
type: "newt/blueprint/results",
|
||||||
data: {
|
data: {
|
||||||
@@ -66,7 +131,10 @@ export async function applyNewtDockerBlueprint(
|
|||||||
type: "newt/blueprint/results",
|
type: "newt/blueprint/results",
|
||||||
data: {
|
data: {
|
||||||
success: true,
|
success: true,
|
||||||
message: "Config updated successfully"
|
message:
|
||||||
|
skippedCount > 0
|
||||||
|
? `Config updated successfully. Skipped ${skippedCount} invalid resource(s): ${skippedKeys.join(", ")}`
|
||||||
|
: "Config updated successfully"
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -3,6 +3,7 @@ import {
|
|||||||
clientSiteResources,
|
clientSiteResources,
|
||||||
domains,
|
domains,
|
||||||
orgDomains,
|
orgDomains,
|
||||||
|
roleActions,
|
||||||
roles,
|
roles,
|
||||||
roleSiteResources,
|
roleSiteResources,
|
||||||
Site,
|
Site,
|
||||||
@@ -19,8 +20,17 @@ import { sites } from "@server/db";
|
|||||||
import { eq, and, ne, inArray, or, isNotNull } from "drizzle-orm";
|
import { eq, and, ne, inArray, or, isNotNull } from "drizzle-orm";
|
||||||
import { Config } from "./types";
|
import { Config } from "./types";
|
||||||
import logger from "@server/logger";
|
import logger from "@server/logger";
|
||||||
|
import { defaultRoleAllowedActions } from "@server/routers/role/createRole";
|
||||||
import { getNextAvailableAliasAddress } from "../ip";
|
import { getNextAvailableAliasAddress } from "../ip";
|
||||||
import { createCertificate } from "#dynamic/routers/certificates/createCertificate";
|
import { createCertificate } from "#dynamic/routers/certificates/createCertificate";
|
||||||
|
import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
|
||||||
|
import { tierMatrix } from "../billing/tierMatrix";
|
||||||
|
import { build } from "@server/build";
|
||||||
|
import HttpCode from "@server/types/HttpCode";
|
||||||
|
import createHttpError from "http-errors";
|
||||||
|
import next from "next";
|
||||||
|
import { LimitId } from "../billing";
|
||||||
|
import { usageService } from "../billing/usageService";
|
||||||
|
|
||||||
async function getDomainForSiteResource(
|
async function getDomainForSiteResource(
|
||||||
siteResourceId: number | undefined,
|
siteResourceId: number | undefined,
|
||||||
@@ -101,7 +111,7 @@ export type ClientResourcesResults = {
|
|||||||
oldSites: { siteId: number }[];
|
oldSites: { siteId: number }[];
|
||||||
}[];
|
}[];
|
||||||
|
|
||||||
export async function updateClientResources(
|
export async function updatePrivateResources(
|
||||||
orgId: string,
|
orgId: string,
|
||||||
config: Config,
|
config: Config,
|
||||||
trx: Transaction,
|
trx: Transaction,
|
||||||
@@ -112,6 +122,30 @@ export async function updateClientResources(
|
|||||||
for (const [resourceNiceId, resourceData] of Object.entries(
|
for (const [resourceNiceId, resourceData] of Object.entries(
|
||||||
config["client-resources"]
|
config["client-resources"]
|
||||||
)) {
|
)) {
|
||||||
|
if (resourceData.mode === "http") {
|
||||||
|
const hasHttpFeature = await isLicensedOrSubscribed(
|
||||||
|
orgId,
|
||||||
|
tierMatrix.advancedPrivateResources
|
||||||
|
);
|
||||||
|
if (!hasHttpFeature) {
|
||||||
|
throw new Error(
|
||||||
|
"HTTP private resources are not included in your current plan. Please upgrade."
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (resourceData.mode === "ssh") {
|
||||||
|
const hasSshFeature = await isLicensedOrSubscribed(
|
||||||
|
orgId,
|
||||||
|
tierMatrix.advancedPrivateResources
|
||||||
|
);
|
||||||
|
if (!hasSshFeature) {
|
||||||
|
throw new Error(
|
||||||
|
"SSH private resources are not included in your current plan. Please upgrade."
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
const [existingResource] = await trx
|
const [existingResource] = await trx
|
||||||
.select()
|
.select()
|
||||||
.from(siteResources)
|
.from(siteResources)
|
||||||
@@ -125,48 +159,29 @@ export async function updateClientResources(
|
|||||||
|
|
||||||
const existingSiteIds = existingResource?.networkId
|
const existingSiteIds = existingResource?.networkId
|
||||||
? await trx
|
? await trx
|
||||||
.select({ siteId: sites.siteId })
|
.select({ siteId: siteNetworks.siteId })
|
||||||
.from(siteNetworks)
|
.from(siteNetworks)
|
||||||
.where(eq(siteNetworks.networkId, existingResource.networkId))
|
.where(eq(siteNetworks.networkId, existingResource.networkId))
|
||||||
: [];
|
: [];
|
||||||
|
|
||||||
let allSites: { siteId: number }[] = [];
|
const allSites: { siteId: number }[] = [];
|
||||||
if (resourceData.site) {
|
|
||||||
let siteSingle;
|
|
||||||
const resourceSiteId = resourceData.site;
|
|
||||||
|
|
||||||
if (resourceSiteId) {
|
if (resourceData.site) {
|
||||||
// Look up site by niceId
|
// Look up site by niceId
|
||||||
[siteSingle] = await trx
|
const [siteSingle] = await trx
|
||||||
.select({ siteId: sites.siteId })
|
.select({ siteId: sites.siteId })
|
||||||
.from(sites)
|
.from(sites)
|
||||||
.where(
|
.where(
|
||||||
and(
|
and(
|
||||||
eq(sites.niceId, resourceSiteId),
|
eq(sites.niceId, resourceData.site),
|
||||||
eq(sites.orgId, orgId)
|
eq(sites.orgId, orgId)
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
.limit(1);
|
.limit(1);
|
||||||
} else if (siteId) {
|
if (siteSingle) {
|
||||||
// Use the provided siteId directly, but verify it belongs to the org
|
|
||||||
[siteSingle] = await trx
|
|
||||||
.select({ siteId: sites.siteId })
|
|
||||||
.from(sites)
|
|
||||||
.where(
|
|
||||||
and(eq(sites.siteId, siteId), eq(sites.orgId, orgId))
|
|
||||||
)
|
|
||||||
.limit(1);
|
|
||||||
} else {
|
|
||||||
throw new Error(`Target site is required`);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!siteSingle) {
|
|
||||||
throw new Error(
|
|
||||||
`Site not found: ${resourceSiteId} in org ${orgId}`
|
|
||||||
);
|
|
||||||
}
|
|
||||||
allSites.push(siteSingle);
|
allSites.push(siteSingle);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (resourceData.sites) {
|
if (resourceData.sites) {
|
||||||
for (const siteNiceId of resourceData.sites) {
|
for (const siteNiceId of resourceData.sites) {
|
||||||
@@ -180,14 +195,30 @@ export async function updateClientResources(
|
|||||||
)
|
)
|
||||||
)
|
)
|
||||||
.limit(1);
|
.limit(1);
|
||||||
if (!site) {
|
if (site) {
|
||||||
throw new Error(
|
|
||||||
`Site not found: ${siteId} in org ${orgId}`
|
|
||||||
);
|
|
||||||
}
|
|
||||||
allSites.push(site);
|
allSites.push(site);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (siteId && allSites.length === 0) {
|
||||||
|
// only add if there are not provided sites
|
||||||
|
// Use the provided siteId directly, but verify it belongs to the org
|
||||||
|
const [siteSingle] = await trx
|
||||||
|
.select({ siteId: sites.siteId })
|
||||||
|
.from(sites)
|
||||||
|
.where(and(eq(sites.siteId, siteId), eq(sites.orgId, orgId)))
|
||||||
|
.limit(1);
|
||||||
|
if (siteSingle) {
|
||||||
|
allSites.push(siteSingle);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (allSites.length === 0) {
|
||||||
|
throw new Error(
|
||||||
|
`No valid sites found for private private resource ${resourceNiceId} in org ${orgId}`
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
if (existingResource) {
|
if (existingResource) {
|
||||||
let domainInfo:
|
let domainInfo:
|
||||||
@@ -215,12 +246,24 @@ export async function updateClientResources(
|
|||||||
enabled: true, // hardcoded for now
|
enabled: true, // hardcoded for now
|
||||||
// enabled: resourceData.enabled ?? true,
|
// enabled: resourceData.enabled ?? true,
|
||||||
alias: resourceData.alias || null,
|
alias: resourceData.alias || null,
|
||||||
disableIcmp: resourceData["disable-icmp"],
|
disableIcmp:
|
||||||
tcpPortRangeString: resourceData["tcp-ports"],
|
resourceData["disable-icmp"] ||
|
||||||
udpPortRangeString: resourceData["udp-ports"],
|
(resourceData.mode == "http" ? true : false), // default to true for http resources, otherwise false
|
||||||
|
tcpPortRangeString:
|
||||||
|
resourceData.mode == "http"
|
||||||
|
? "443,80"
|
||||||
|
: resourceData["tcp-ports"],
|
||||||
|
udpPortRangeString:
|
||||||
|
resourceData.mode == "http"
|
||||||
|
? ""
|
||||||
|
: resourceData["udp-ports"],
|
||||||
fullDomain: resourceData["full-domain"] || null,
|
fullDomain: resourceData["full-domain"] || null,
|
||||||
subdomain: domainInfo ? domainInfo.subdomain : null,
|
subdomain: domainInfo ? domainInfo.subdomain : null,
|
||||||
domainId: domainInfo ? domainInfo.domainId : null
|
domainId: domainInfo ? domainInfo.domainId : null,
|
||||||
|
pamMode: resourceData["auth-daemon"]?.pam || "passthrough",
|
||||||
|
authDaemonMode:
|
||||||
|
resourceData["auth-daemon"]?.mode || "native",
|
||||||
|
authDaemonPort: resourceData["auth-daemon"]?.port || 22123
|
||||||
})
|
})
|
||||||
.where(
|
.where(
|
||||||
eq(
|
eq(
|
||||||
@@ -327,8 +370,7 @@ export async function updateClientResources(
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (resourceData.roles.length > 0) {
|
if (resourceData.roles.length > 0) {
|
||||||
// Re-add specified roles but we need to get the roleIds from the role name in the array
|
const existingRoles = await trx
|
||||||
const rolesToUpdate = await trx
|
|
||||||
.select()
|
.select()
|
||||||
.from(roles)
|
.from(roles)
|
||||||
.where(
|
.where(
|
||||||
@@ -338,7 +380,30 @@ export async function updateClientResources(
|
|||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
const roleIds = rolesToUpdate.map((role) => role.roleId);
|
const foundNames = new Set(existingRoles.map((r) => r.name));
|
||||||
|
const missingNames = resourceData.roles.filter(
|
||||||
|
(n) => !foundNames.has(n)
|
||||||
|
);
|
||||||
|
|
||||||
|
for (const name of missingNames) {
|
||||||
|
const [created] = await trx
|
||||||
|
.insert(roles)
|
||||||
|
.values({ name, orgId })
|
||||||
|
.returning();
|
||||||
|
await trx.insert(roleActions).values(
|
||||||
|
defaultRoleAllowedActions.map((action) => ({
|
||||||
|
roleId: created.roleId,
|
||||||
|
actionId: action,
|
||||||
|
orgId
|
||||||
|
}))
|
||||||
|
);
|
||||||
|
existingRoles.push(created);
|
||||||
|
logger.info(
|
||||||
|
`Auto-created role "${name}" in org ${orgId} from blueprint`
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
const roleIds = existingRoles.map((role) => role.roleId);
|
||||||
|
|
||||||
await trx
|
await trx
|
||||||
.insert(roleSiteResources)
|
.insert(roleSiteResources)
|
||||||
@@ -354,9 +419,47 @@ export async function updateClientResources(
|
|||||||
oldSites: existingSiteIds
|
oldSites: existingSiteIds
|
||||||
});
|
});
|
||||||
} else {
|
} else {
|
||||||
|
// create a brand new resource
|
||||||
|
|
||||||
|
if (build == "saas") {
|
||||||
|
const usage = await usageService.getUsage(
|
||||||
|
orgId,
|
||||||
|
LimitId.PRIVATE_RESOURCES
|
||||||
|
);
|
||||||
|
if (!usage) {
|
||||||
|
throw new Error(
|
||||||
|
`Usage data not found for org ${orgId} and limit ${LimitId.PRIVATE_RESOURCES}`
|
||||||
|
);
|
||||||
|
}
|
||||||
|
const rejectResource = await usageService.checkLimitSet(
|
||||||
|
orgId,
|
||||||
|
|
||||||
|
LimitId.PRIVATE_RESOURCES,
|
||||||
|
{
|
||||||
|
...usage,
|
||||||
|
instantaneousValue: (usage.instantaneousValue || 0) + 1
|
||||||
|
} // We need to add one to know if we are violating the limit
|
||||||
|
);
|
||||||
|
if (rejectResource) {
|
||||||
|
throw new Error(
|
||||||
|
"Private resource limit exceeded. Please upgrade your plan."
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
let aliasAddress: string | null = null;
|
let aliasAddress: string | null = null;
|
||||||
if (resourceData.mode === "host" || resourceData.mode === "http") {
|
let releaseAliasLock: (() => Promise<void>) | null = null;
|
||||||
aliasAddress = await getNextAvailableAliasAddress(orgId);
|
if (
|
||||||
|
resourceData.mode === "host" ||
|
||||||
|
resourceData.mode === "http" ||
|
||||||
|
resourceData.mode === "ssh"
|
||||||
|
) {
|
||||||
|
const { value, release } = await getNextAvailableAliasAddress(
|
||||||
|
orgId,
|
||||||
|
trx
|
||||||
|
);
|
||||||
|
aliasAddress = value;
|
||||||
|
releaseAliasLock = release;
|
||||||
}
|
}
|
||||||
|
|
||||||
let domainInfo:
|
let domainInfo:
|
||||||
@@ -397,15 +500,29 @@ export async function updateClientResources(
|
|||||||
// enabled: resourceData.enabled ?? true,
|
// enabled: resourceData.enabled ?? true,
|
||||||
alias: resourceData.alias || null,
|
alias: resourceData.alias || null,
|
||||||
aliasAddress: aliasAddress,
|
aliasAddress: aliasAddress,
|
||||||
disableIcmp: resourceData["disable-icmp"],
|
disableIcmp:
|
||||||
tcpPortRangeString: resourceData["tcp-ports"],
|
resourceData["disable-icmp"] ||
|
||||||
udpPortRangeString: resourceData["udp-ports"],
|
(resourceData.mode == "http" ? true : false), // default to true for http resources, otherwise false
|
||||||
|
tcpPortRangeString:
|
||||||
|
resourceData.mode == "http"
|
||||||
|
? "443,80"
|
||||||
|
: resourceData["tcp-ports"],
|
||||||
|
udpPortRangeString:
|
||||||
|
resourceData.mode == "http"
|
||||||
|
? ""
|
||||||
|
: resourceData["udp-ports"],
|
||||||
fullDomain: resourceData["full-domain"] || null,
|
fullDomain: resourceData["full-domain"] || null,
|
||||||
subdomain: domainInfo ? domainInfo.subdomain : null,
|
subdomain: domainInfo ? domainInfo.subdomain : null,
|
||||||
domainId: domainInfo ? domainInfo.domainId : null
|
domainId: domainInfo ? domainInfo.domainId : null,
|
||||||
|
pamMode: resourceData["auth-daemon"]?.pam || "passthrough",
|
||||||
|
authDaemonMode:
|
||||||
|
resourceData["auth-daemon"]?.mode || "native",
|
||||||
|
authDaemonPort: resourceData["auth-daemon"]?.port || 22123
|
||||||
})
|
})
|
||||||
.returning();
|
.returning();
|
||||||
|
|
||||||
|
await releaseAliasLock?.();
|
||||||
|
|
||||||
const siteResourceId = newResource.siteResourceId;
|
const siteResourceId = newResource.siteResourceId;
|
||||||
|
|
||||||
for (const site of allSites) {
|
for (const site of allSites) {
|
||||||
@@ -431,8 +548,7 @@ export async function updateClientResources(
|
|||||||
});
|
});
|
||||||
|
|
||||||
if (resourceData.roles.length > 0) {
|
if (resourceData.roles.length > 0) {
|
||||||
// get roleIds from role names
|
const existingRoles = await trx
|
||||||
const rolesToUpdate = await trx
|
|
||||||
.select()
|
.select()
|
||||||
.from(roles)
|
.from(roles)
|
||||||
.where(
|
.where(
|
||||||
@@ -442,7 +558,30 @@ export async function updateClientResources(
|
|||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
const roleIds = rolesToUpdate.map((role) => role.roleId);
|
const foundNames = new Set(existingRoles.map((r) => r.name));
|
||||||
|
const missingNames = resourceData.roles.filter(
|
||||||
|
(n) => !foundNames.has(n)
|
||||||
|
);
|
||||||
|
|
||||||
|
for (const name of missingNames) {
|
||||||
|
const [created] = await trx
|
||||||
|
.insert(roles)
|
||||||
|
.values({ name, orgId })
|
||||||
|
.returning();
|
||||||
|
await trx.insert(roleActions).values(
|
||||||
|
defaultRoleAllowedActions.map((action) => ({
|
||||||
|
roleId: created.roleId,
|
||||||
|
actionId: action,
|
||||||
|
orgId
|
||||||
|
}))
|
||||||
|
);
|
||||||
|
existingRoles.push(created);
|
||||||
|
logger.info(
|
||||||
|
`Auto-created role "${name}" in org ${orgId} from blueprint`
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
const roleIds = existingRoles.map((role) => role.roleId);
|
||||||
|
|
||||||
await trx
|
await trx
|
||||||
.insert(roleSiteResources)
|
.insert(roleSiteResources)
|
||||||
@@ -504,6 +643,8 @@ export async function updateClientResources(
|
|||||||
`Created new client resource ${newResource.name} (${newResource.siteResourceId}) for org ${orgId}`
|
`Created new client resource ${newResource.name} (${newResource.siteResourceId}) for org ${orgId}`
|
||||||
);
|
);
|
||||||
|
|
||||||
|
await usageService.add(orgId, LimitId.PRIVATE_RESOURCES, 1, trx);
|
||||||
|
|
||||||
results.push({
|
results.push({
|
||||||
newSiteResource: newResource,
|
newSiteResource: newResource,
|
||||||
newSites: allSites,
|
newSites: allSites,
|
||||||