lossless.zone/objectstorage
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(opsserver): add health, audit, cluster health, and durable credential management hardening

Browse Source
This commit is contained in:
Jürgen Kunz
2026-04-30 07:10:21 +00:00
parent c3e5cabe3d
commit f4e5f02d0c
34 changed files with 1722 additions and 320 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ts/opsserver/classes.opsserver.ts
+30
View File
@@ -16,6 +16,7 @@ export class OpsServer {
public configHandler!: handlers.ConfigHandler;
public credentialsHandler!: handlers.CredentialsHandler;
public policiesHandler!: handlers.PoliciesHandler;
public auditHandler!: handlers.AuditHandler;
constructor(objectStorageRef: ObjectStorageContainer) {
this.objectStorageRef = objectStorageRef;
@@ -26,6 +27,27 @@ export class OpsServer {
domain: 'localhost',
feedMetadata: undefined,
bundledContent: bundledFiles,
addCustomRoutes: async (typedserver) => {
typedserver.addRoute('/livez', 'GET', async () => {
return this.jsonResponse({ ok: true, status: 'alive' });
});
typedserver.addRoute('/readyz', 'GET', async () => {
const ready = await this.objectStorageRef.isReady();
return this.jsonResponse(
{ ok: ready, status: ready ? 'ready' : 'starting' },
ready ? 200 : 503,
);
});
typedserver.addRoute('/healthz', 'GET', async () => {
return this.jsonResponse(await this.objectStorageRef.getOperationalHealth());
});
typedserver.addRoute('/metrics', 'GET', async () => {
const metrics = await this.objectStorageRef.getOperationalMetrics();
return new Response(metrics, {
headers: { 'content-type': 'text/plain; version=0.0.4' },
});
});
},
});
// Chain typedrouters: server -> opsServer -> individual handlers
@@ -50,6 +72,7 @@ export class OpsServer {
this.configHandler = new handlers.ConfigHandler(this);
this.credentialsHandler = new handlers.CredentialsHandler(this);
this.policiesHandler = new handlers.PoliciesHandler(this);
this.auditHandler = new handlers.AuditHandler(this);
console.log('OpsServer TypedRequest handlers initialized');
}
@@ -60,4 +83,11 @@ export class OpsServer {
console.log('OpsServer stopped');
}
}
private jsonResponse(data: unknown, status = 200): Response {
return new Response(JSON.stringify(data), {
status,
headers: { 'content-type': 'application/json' },
});
}
}
ts/opsserver/handlers/admin.handler.ts
+64 -6
View File
@@ -4,6 +4,7 @@ import * as interfaces from '../../../ts_interfaces/index.ts';
export interface IJwtData {
userId: string;
role: 'admin';
status: 'loggedIn' | 'loggedOut';
expiresAt: number;
}
@@ -11,6 +12,8 @@ export interface IJwtData {
export class AdminHandler {
public typedrouter = new plugins.typedrequest.TypedRouter();
public smartjwtInstance!: plugins.smartjwt.SmartJwt<IJwtData>;
private revokedTokens = new Set<string>();
private failedLoginAttempts = new Map<string, { count: number; firstAttemptAt: number }>();
constructor(private opsServerRef: OpsServer) {
this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
@@ -29,19 +32,37 @@ export class AdminHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
'adminLoginWithUsernameAndPassword',
async (dataArg) => {
this.assertLoginNotRateLimited(dataArg.username);
const adminPassword = this.opsServerRef.objectStorageRef.config.adminPassword;
if (dataArg.username !== 'admin' || dataArg.password !== adminPassword) {
this.recordFailedLogin(dataArg.username);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.username || 'anonymous',
action: 'admin.login',
targetType: 'adminSession',
success: false,
message: 'Invalid credentials',
});
throw new plugins.typedrequest.TypedResponseError('Invalid credentials');
}
this.failedLoginAttempts.delete(dataArg.username);
const expiresAt = Date.now() + 24 * 3600 * 1000;
const userId = 'admin';
const jwt = await this.smartjwtInstance.createJWT({
userId,
role: 'admin',
status: 'loggedIn',
expiresAt,
});
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: userId,
action: 'admin.login',
targetType: 'adminSession',
success: true,
});
console.log('Admin user logged in');
return {
@@ -61,7 +82,16 @@ export class AdminHandler {
this.typedrouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AdminLogout>(
'adminLogout',
async (_dataArg) => {
async (dataArg) => {
if (dataArg.identity?.jwt) {
this.revokedTokens.add(dataArg.identity.jwt);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'admin.logout',
targetType: 'adminSession',
success: true,
});
}
return { ok: true };
},
),
@@ -75,18 +105,20 @@ export class AdminHandler {
if (!dataArg.identity?.jwt) {
return { valid: false };
}
if (this.revokedTokens.has(dataArg.identity.jwt)) return { valid: false };
try {
const jwtData = await this.smartjwtInstance.verifyJWTAndGetData(dataArg.identity.jwt);
if (jwtData.expiresAt < Date.now()) return { valid: false };
if (jwtData.status !== 'loggedIn') return { valid: false };
if (jwtData.role !== 'admin') return { valid: false };
return {
valid: true,
identity: {
jwt: dataArg.identity.jwt,
userId: jwtData.userId,
username: dataArg.identity.username,
username: jwtData.userId,
expiresAt: jwtData.expiresAt,
role: dataArg.identity.role,
role: jwtData.role,
},
};
} catch {
@@ -103,12 +135,15 @@ export class AdminHandler {
}>(
async (dataArg) => {
if (!dataArg.identity?.jwt) return false;
if (this.revokedTokens.has(dataArg.identity.jwt)) return false;
try {
const jwtData = await this.smartjwtInstance.verifyJWTAndGetData(dataArg.identity.jwt);
if (jwtData.expiresAt < Date.now()) return false;
if (jwtData.status !== 'loggedIn') return false;
if (jwtData.role !== 'admin') return false;
if (dataArg.identity.expiresAt !== jwtData.expiresAt) return false;
if (dataArg.identity.userId !== jwtData.userId) return false;
if (dataArg.identity.role !== jwtData.role) return false;
return true;
} catch {
return false;
@@ -122,10 +157,33 @@ export class AdminHandler {
identity: interfaces.data.IIdentity;
}>(
async (dataArg) => {
const isValid = await this.validIdentityGuard.exec(dataArg);
if (!isValid) return false;
return dataArg.identity.role === 'admin';
return await this.validIdentityGuard.exec(dataArg);
},
{ failedHint: 'user is not admin', name: 'adminIdentityGuard' },
);
private assertLoginNotRateLimited(username: string): void {
const attempt = this.failedLoginAttempts.get(username);
if (!attempt) return;
const windowMs = 60 * 1000;
if (Date.now() - attempt.firstAttemptAt > windowMs) {
this.failedLoginAttempts.delete(username);
return;
}
if (attempt.count >= 5) {
throw new plugins.typedrequest.TypedResponseError('Too many failed login attempts');
}
}
private recordFailedLogin(username: string): void {
const now = Date.now();
const attempt = this.failedLoginAttempts.get(username);
if (!attempt || now - attempt.firstAttemptAt > 60 * 1000) {
this.failedLoginAttempts.set(username, { count: 1, firstAttemptAt: now });
return;
}
attempt.count++;
}
}
ts/opsserver/handlers/audit.handler.ts
+28
View File
@@ -0,0 +1,28 @@
import * as plugins from '../../plugins.ts';
import type { OpsServer } from '../classes.opsserver.ts';
import * as interfaces from '../../../ts_interfaces/index.ts';
import { requireAdminIdentity } from '../helpers/guards.ts';
export class AuditHandler {
public typedrouter = new plugins.typedrequest.TypedRouter();
constructor(private opsServerRef: OpsServer) {
this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
this.registerHandlers();
}
private registerHandlers(): void {
this.typedrouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListAuditEntries>(
'listAuditEntries',
async (dataArg) => {
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
const entries = await this.opsServerRef.objectStorageRef.auditLogger.listRecent(
dataArg.limit ?? 100,
);
return { entries };
},
),
);
}
}
ts/opsserver/handlers/buckets.handler.ts
+80 -13
View File
@@ -1,7 +1,14 @@
import * as plugins from '../../plugins.ts';
import type { OpsServer } from '../classes.opsserver.ts';
import * as interfaces from '../../../ts_interfaces/index.ts';
import { requireValidIdentity } from '../helpers/guards.ts';
import { requireAdminIdentity, requireValidIdentity } from '../helpers/guards.ts';
const getStorageErrorCode = (error: unknown): string | undefined => {
if (!(error instanceof Error)) {
return undefined;
}
return (error as Error & { Code?: string }).Code || error.name;
};
export class BucketsHandler {
public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -29,8 +36,27 @@ export class BucketsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateBucket>(
'createBucket',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await this.opsServerRef.objectStorageRef.createBucket(dataArg.bucketName);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
try {
await this.opsServerRef.objectStorageRef.createBucket(dataArg.bucketName);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'bucket.create',
targetType: 'bucket',
targetId: dataArg.bucketName,
success: true,
});
} catch (error) {
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'bucket.create',
targetType: 'bucket',
targetId: dataArg.bucketName,
success: false,
message: error instanceof Error ? error.message : String(error),
});
throw error;
}
return { ok: true };
},
),
@@ -41,9 +67,25 @@ export class BucketsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteBucket>(
'deleteBucket',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await this.opsServerRef.objectStorageRef.deleteBucket(dataArg.bucketName);
await this.opsServerRef.objectStorageRef.policyManager.onBucketDeleted(dataArg.bucketName);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
try {
await this.opsServerRef.objectStorageRef.deleteBucket(dataArg.bucketName);
} catch (error) {
if (getStorageErrorCode(error) === 'NoSuchBucket') {
throw new plugins.typedrequest.TypedResponseError('Bucket not found');
}
throw error;
}
await this.opsServerRef.objectStorageRef.policyManager.onBucketDeleted(
dataArg.bucketName,
);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'bucket.delete',
targetType: 'bucket',
targetId: dataArg.bucketName,
success: true,
});
return { ok: true };
},
),
@@ -54,8 +96,16 @@ export class BucketsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetBucketPolicy>(
'getBucketPolicy',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
const policy = await this.opsServerRef.objectStorageRef.getBucketPolicy(dataArg.bucketName);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
let policy: string | null;
try {
policy = await this.opsServerRef.objectStorageRef.getBucketPolicy(dataArg.bucketName);
} catch (error) {
if (getStorageErrorCode(error) === 'NoSuchBucket') {
throw new plugins.typedrequest.TypedResponseError('Bucket not found');
}
throw error;
}
return { policy };
},
),
@@ -66,14 +116,24 @@ export class BucketsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_PutBucketPolicy>(
'putBucketPolicy',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
// Validate JSON
try {
JSON.parse(dataArg.policy);
} catch {
throw new Error('Invalid JSON policy document');
throw new plugins.typedrequest.TypedResponseError('Invalid JSON policy document');
}
try {
await this.opsServerRef.objectStorageRef.putBucketPolicy(
dataArg.bucketName,
dataArg.policy,
);
} catch (error) {
if (getStorageErrorCode(error) === 'NoSuchBucket') {
throw new plugins.typedrequest.TypedResponseError('Bucket not found');
}
throw error;
}
await this.opsServerRef.objectStorageRef.putBucketPolicy(dataArg.bucketName, dataArg.policy);
return { ok: true };
},
),
@@ -84,8 +144,15 @@ export class BucketsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteBucketPolicy>(
'deleteBucketPolicy',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await this.opsServerRef.objectStorageRef.deleteBucketPolicy(dataArg.bucketName);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
try {
await this.opsServerRef.objectStorageRef.deleteBucketPolicy(dataArg.bucketName);
} catch (error) {
if (getStorageErrorCode(error) === 'NoSuchBucket') {
throw new plugins.typedrequest.TypedResponseError('Bucket not found');
}
throw error;
}
return { ok: true };
},
),
ts/opsserver/handlers/credentials.handler.ts
+63 -18
View File
@@ -1,7 +1,7 @@
import * as plugins from '../../plugins.ts';
import type { OpsServer } from '../classes.opsserver.ts';
import * as interfaces from '../../../ts_interfaces/index.ts';
import { requireValidIdentity } from '../helpers/guards.ts';
import { requireAdminIdentity, requireValidIdentity } from '../helpers/guards.ts';
export class CredentialsHandler {
public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -18,10 +18,12 @@ export class CredentialsHandler {
'getCredentials',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
const credentials = this.opsServerRef.objectStorageRef.config.accessCredentials.map(
const activeCredentials = await this.opsServerRef.objectStorageRef
.listAccessCredentials();
const credentials = activeCredentials.map(
(cred) => ({
accessKeyId: cred.accessKeyId,
secretAccessKey: cred.secretAccessKey.slice(0, 4) + '****',
secretAccessKey: '********',
}),
);
return { credentials };
@@ -34,14 +36,38 @@ export class CredentialsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AddCredential>(
'addCredential',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
this.opsServerRef.objectStorageRef.config.accessCredentials.push({
accessKeyId: dataArg.accessKeyId,
secretAccessKey: dataArg.secretAccessKey,
});
// Update the smartstorage auth config
this.opsServerRef.objectStorageRef.smartstorageInstance.config.auth!.credentials =
this.opsServerRef.objectStorageRef.config.accessCredentials;
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
const credentials = this.opsServerRef.objectStorageRef.config.accessCredentials;
if (credentials.some((credential) => credential.accessKeyId === dataArg.accessKeyId)) {
throw new plugins.typedrequest.TypedResponseError('Credential already exists');
}
try {
await this.opsServerRef.objectStorageRef.replaceAccessCredentials([
...credentials,
{
accessKeyId: dataArg.accessKeyId,
secretAccessKey: dataArg.secretAccessKey,
},
]);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'credential.add',
targetType: 'credential',
targetId: dataArg.accessKeyId,
success: true,
});
} catch (error) {
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'credential.add',
targetType: 'credential',
targetId: dataArg.accessKeyId,
success: false,
message: error instanceof Error ? error.message : String(error),
});
throw error;
}
return { ok: true };
},
),
@@ -52,19 +78,38 @@ export class CredentialsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RemoveCredential>(
'removeCredential',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
const creds = this.opsServerRef.objectStorageRef.config.accessCredentials;
if (!creds.some((credential) => credential.accessKeyId === dataArg.accessKeyId)) {
throw new plugins.typedrequest.TypedResponseError('Credential not found');
}
if (creds.length <= 1) {
throw new plugins.typedrequest.TypedResponseError(
'Cannot remove the last credential',
);
}
this.opsServerRef.objectStorageRef.config.accessCredentials = creds.filter(
(c) => c.accessKeyId !== dataArg.accessKeyId,
);
// Update the smartstorage auth config
this.opsServerRef.objectStorageRef.smartstorageInstance.config.auth!.credentials =
this.opsServerRef.objectStorageRef.config.accessCredentials;
try {
await this.opsServerRef.objectStorageRef.replaceAccessCredentials(
creds.filter((credential) => credential.accessKeyId !== dataArg.accessKeyId),
);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'credential.remove',
targetType: 'credential',
targetId: dataArg.accessKeyId,
success: true,
});
} catch (error) {
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'credential.remove',
targetType: 'credential',
targetId: dataArg.accessKeyId,
success: false,
message: error instanceof Error ? error.message : String(error),
});
throw error;
}
return { ok: true };
},
),
ts/opsserver/handlers/index.ts
+1
View File
@@ -5,3 +5,4 @@ export { ObjectsHandler } from './objects.handler.ts';
export { ConfigHandler } from './config.handler.ts';
export { CredentialsHandler } from './credentials.handler.ts';
export { PoliciesHandler } from './policies.handler.ts';
export { AuditHandler } from './audit.handler.ts';
ts/opsserver/handlers/objects.handler.ts
+49 -8
View File
@@ -1,7 +1,7 @@
import * as plugins from '../../plugins.ts';
import type { OpsServer } from '../classes.opsserver.ts';
import * as interfaces from '../../../ts_interfaces/index.ts';
import { requireValidIdentity } from '../helpers/guards.ts';
import { requireAdminIdentity, requireValidIdentity } from '../helpers/guards.ts';
export class ObjectsHandler {
public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -34,8 +34,15 @@ export class ObjectsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteObject>(
'deleteObject',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
await this.opsServerRef.objectStorageRef.deleteObject(dataArg.bucketName, dataArg.key);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'object.delete',
targetType: 'object',
targetId: `${dataArg.bucketName}/${dataArg.key}`,
success: true,
});
return { ok: true };
},
),
@@ -57,13 +64,20 @@ export class ObjectsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_PutObject>(
'putObject',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
await this.opsServerRef.objectStorageRef.putObject(
dataArg.bucketName,
dataArg.key,
dataArg.base64Content,
dataArg.contentType,
);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'object.put',
targetType: 'object',
targetId: `${dataArg.bucketName}/${dataArg.key}`,
success: true,
});
return { ok: true };
},
),
@@ -74,8 +88,15 @@ export class ObjectsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeletePrefix>(
'deletePrefix',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
await this.opsServerRef.objectStorageRef.deletePrefix(dataArg.bucketName, dataArg.prefix);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'objectPrefix.delete',
targetType: 'objectPrefix',
targetId: `${dataArg.bucketName}/${dataArg.prefix}`,
success: true,
});
return { ok: true };
},
),
@@ -98,12 +119,22 @@ export class ObjectsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_MoveObject>(
'moveObject',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
return await this.opsServerRef.objectStorageRef.moveObject(
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
const result = await this.opsServerRef.objectStorageRef.moveObject(
dataArg.bucketName,
dataArg.sourceKey,
dataArg.destKey,
);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'object.move',
targetType: 'object',
targetId: `${dataArg.bucketName}/${dataArg.sourceKey}`,
success: result.success,
metadata: { destKey: dataArg.destKey },
message: result.error,
});
return result;
},
),
);
@@ -113,12 +144,22 @@ export class ObjectsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_MovePrefix>(
'movePrefix',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
return await this.opsServerRef.objectStorageRef.movePrefix(
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
const result = await this.opsServerRef.objectStorageRef.movePrefix(
dataArg.bucketName,
dataArg.sourcePrefix,
dataArg.destPrefix,
);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'objectPrefix.move',
targetType: 'objectPrefix',
targetId: `${dataArg.bucketName}/${dataArg.sourcePrefix}`,
success: result.success,
metadata: { destPrefix: dataArg.destPrefix },
message: result.error,
});
return result;
},
),
);
ts/opsserver/handlers/policies.handler.ts
+52 -7
View File
@@ -1,7 +1,7 @@
import * as plugins from '../../plugins.ts';
import type { OpsServer } from '../classes.opsserver.ts';
import * as interfaces from '../../../ts_interfaces/index.ts';
import { requireValidIdentity } from '../helpers/guards.ts';
import { requireAdminIdentity, requireValidIdentity } from '../helpers/guards.ts';
export class PoliciesHandler {
public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -30,8 +30,15 @@ export class PoliciesHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateNamedPolicy>(
'createNamedPolicy',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
const policy = await pm().createPolicy(dataArg.name, dataArg.description, dataArg.statements);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'policy.create',
targetType: 'policy',
targetId: policy.id,
success: true,
});
return { policy };
},
),
@@ -42,8 +49,15 @@ export class PoliciesHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateNamedPolicy>(
'updateNamedPolicy',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
const policy = await pm().updatePolicy(dataArg.policyId, dataArg.name, dataArg.description, dataArg.statements);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'policy.update',
targetType: 'policy',
targetId: dataArg.policyId,
success: true,
});
return { policy };
},
),
@@ -54,8 +68,15 @@ export class PoliciesHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteNamedPolicy>(
'deleteNamedPolicy',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
await pm().deletePolicy(dataArg.policyId);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'policy.delete',
targetType: 'policy',
targetId: dataArg.policyId,
success: true,
});
return { ok: true };
},
),
@@ -77,8 +98,16 @@ export class PoliciesHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AttachPolicyToBucket>(
'attachPolicyToBucket',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
await pm().attachPolicyToBucket(dataArg.policyId, dataArg.bucketName);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'policy.attach',
targetType: 'bucket',
targetId: dataArg.bucketName,
success: true,
metadata: { policyId: dataArg.policyId },
});
return { ok: true };
},
),
@@ -89,8 +118,16 @@ export class PoliciesHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DetachPolicyFromBucket>(
'detachPolicyFromBucket',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
await pm().detachPolicyFromBucket(dataArg.policyId, dataArg.bucketName);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'policy.detach',
targetType: 'bucket',
targetId: dataArg.bucketName,
success: true,
metadata: { policyId: dataArg.policyId },
});
return { ok: true };
},
),
@@ -118,8 +155,16 @@ export class PoliciesHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SetPolicyBuckets>(
'setPolicyBuckets',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
await pm().setPolicyBuckets(dataArg.policyId, dataArg.bucketNames);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'policy.setBuckets',
targetType: 'policy',
targetId: dataArg.policyId,
success: true,
metadata: { bucketCount: dataArg.bucketNames.length },
});
return { ok: true };
},
),
ts/opsserver/handlers/status.handler.ts
+11
View File
@@ -23,5 +23,16 @@ export class StatusHandler {
},
),
);
this.typedrouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetClusterHealth>(
'getClusterHealth',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
const clusterHealth = await this.opsServerRef.objectStorageRef.getClusterHealth();
return { clusterHealth };
},
),
);
}
}