feat(opsserver): add health, audit, cluster health, and durable credential management hardening

2026-04-30 07:10:21 +00:00
parent c3e5cabe3d
commit f4e5f02d0c
34 changed files with 1722 additions and 320 deletions
@@ -1,7 +1,7 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity, requireValidIdentity } from '../helpers/guards.ts';

 export class CredentialsHandler {
  public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -18,10 +18,12 @@ export class CredentialsHandler {
        'getCredentials',
        async (dataArg) => {
          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          const credentials = this.opsServerRef.objectStorageRef.config.accessCredentials.map(
+          const activeCredentials = await this.opsServerRef.objectStorageRef
+            .listAccessCredentials();
+          const credentials = activeCredentials.map(
            (cred) => ({
              accessKeyId: cred.accessKeyId,
-              secretAccessKey: cred.secretAccessKey.slice(0, 4) + '****',
+              secretAccessKey: '********',
            }),
          );
          return { credentials };
@@ -34,14 +36,38 @@ export class CredentialsHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AddCredential>(
        'addCredential',
        async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
-          this.opsServerRef.objectStorageRef.config.accessCredentials.push({
-            accessKeyId: dataArg.accessKeyId,
-            secretAccessKey: dataArg.secretAccessKey,
-          });
-          // Update the smartstorage auth config
-          this.opsServerRef.objectStorageRef.smartstorageInstance.config.auth!.credentials =
-            this.opsServerRef.objectStorageRef.config.accessCredentials;
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
+          const credentials = this.opsServerRef.objectStorageRef.config.accessCredentials;
+          if (credentials.some((credential) => credential.accessKeyId === dataArg.accessKeyId)) {
+            throw new plugins.typedrequest.TypedResponseError('Credential already exists');
+          }
+
+          try {
+            await this.opsServerRef.objectStorageRef.replaceAccessCredentials([
+              ...credentials,
+              {
+                accessKeyId: dataArg.accessKeyId,
+                secretAccessKey: dataArg.secretAccessKey,
+              },
+            ]);
+            await this.opsServerRef.objectStorageRef.auditLogger.log({
+              actorUserId: dataArg.identity.userId,
+              action: 'credential.add',
+              targetType: 'credential',
+              targetId: dataArg.accessKeyId,
+              success: true,
+            });
+          } catch (error) {
+            await this.opsServerRef.objectStorageRef.auditLogger.log({
+              actorUserId: dataArg.identity.userId,
+              action: 'credential.add',
+              targetType: 'credential',
+              targetId: dataArg.accessKeyId,
+              success: false,
+              message: error instanceof Error ? error.message : String(error),
+            });
+            throw error;
+          }
          return { ok: true };
        },
      ),
@@ -52,19 +78,38 @@ export class CredentialsHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RemoveCredential>(
        'removeCredential',
        async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          const creds = this.opsServerRef.objectStorageRef.config.accessCredentials;
+          if (!creds.some((credential) => credential.accessKeyId === dataArg.accessKeyId)) {
+            throw new plugins.typedrequest.TypedResponseError('Credential not found');
+          }
          if (creds.length <= 1) {
            throw new plugins.typedrequest.TypedResponseError(
              'Cannot remove the last credential',
            );
          }
-          this.opsServerRef.objectStorageRef.config.accessCredentials = creds.filter(
-            (c) => c.accessKeyId !== dataArg.accessKeyId,
-          );
-          // Update the smartstorage auth config
-          this.opsServerRef.objectStorageRef.smartstorageInstance.config.auth!.credentials =
-            this.opsServerRef.objectStorageRef.config.accessCredentials;
+          try {
+            await this.opsServerRef.objectStorageRef.replaceAccessCredentials(
+              creds.filter((credential) => credential.accessKeyId !== dataArg.accessKeyId),
+            );
+            await this.opsServerRef.objectStorageRef.auditLogger.log({
+              actorUserId: dataArg.identity.userId,
+              action: 'credential.remove',
+              targetType: 'credential',
+              targetId: dataArg.accessKeyId,
+              success: true,
+            });
+          } catch (error) {
+            await this.opsServerRef.objectStorageRef.auditLogger.log({
+              actorUserId: dataArg.identity.userId,
+              action: 'credential.remove',
+              targetType: 'credential',
+              targetId: dataArg.accessKeyId,
+              success: false,
+              message: error instanceof Error ? error.message : String(error),
+            });
+            throw error;
+          }
          return { ok: true };
        },
      ),