serve.zone/dcrouter
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BREAKING CHANGE(vpn): replace tag-based VPN access control with source and target profiles

Browse Source
This commit is contained in:
Jürgen Kunz
2026-04-05 00:37:37 +00:00
parent 25365678e0
commit 1ddf83b28d
38 changed files with 1546 additions and 321 deletions
Download Patch File Download Diff File Expand all files Collapse all files

169
ts/opsserver/handlers/source-profile.handler.ts Normal file
View File

@@ -0,0 +1,169 @@
import * as plugins from '../../plugins.js';
import type { OpsServer } from '../classes.opsserver.js';
import * as interfaces from '../../../ts_interfaces/index.js';
export class SourceProfileHandler {
public typedrouter = new plugins.typedrequest.TypedRouter();
constructor(private opsServerRef: OpsServer) {
this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
this.registerHandlers();
}
private async requireAuth(
request: { identity?: interfaces.data.IIdentity; apiToken?: string },
requiredScope?: interfaces.data.TApiTokenScope,
): Promise<string> {
if (request.identity?.jwt) {
try {
const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
identity: request.identity,
});
if (isAdmin) return request.identity.userId;
} catch { /* fall through */ }
}
if (request.apiToken) {
const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
if (tokenManager) {
const token = await tokenManager.validateToken(request.apiToken);
if (token) {
if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
return token.createdBy;
}
throw new plugins.typedrequest.TypedResponseError('insufficient scope');
}
}
}
throw new plugins.typedrequest.TypedResponseError('unauthorized');
}
private registerHandlers(): void {
// Get all source profiles
this.typedrouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSourceProfiles>(
'getSourceProfiles',
async (dataArg) => {
await this.requireAuth(dataArg, 'source-profiles:read');
const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
if (!resolver) {
return { profiles: [] };
}
return { profiles: resolver.listProfiles() };
},
),
);
// Get a single source profile
this.typedrouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSourceProfile>(
'getSourceProfile',
async (dataArg) => {
await this.requireAuth(dataArg, 'source-profiles:read');
const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
if (!resolver) {
return { profile: null };
}
return { profile: resolver.getProfile(dataArg.id) || null };
},
),
);
// Create a source profile
this.typedrouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateSourceProfile>(
'createSourceProfile',
async (dataArg) => {
const userId = await this.requireAuth(dataArg, 'source-profiles:write');
const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
if (!resolver) {
return { success: false, message: 'Reference resolver not initialized' };
}
const id = await resolver.createProfile({
name: dataArg.name,
description: dataArg.description,
security: dataArg.security,
extendsProfiles: dataArg.extendsProfiles,
createdBy: userId,
});
return { success: true, id };
},
),
);
// Update a source profile
this.typedrouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateSourceProfile>(
'updateSourceProfile',
async (dataArg) => {
await this.requireAuth(dataArg, 'source-profiles:write');
const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
if (!resolver || !manager) {
return { success: false, message: 'Not initialized' };
}
const { affectedRouteIds } = await resolver.updateProfile(dataArg.id, {
name: dataArg.name,
description: dataArg.description,
security: dataArg.security,
extendsProfiles: dataArg.extendsProfiles,
});
// Propagate to affected routes
if (affectedRouteIds.length > 0) {
await manager.reResolveRoutes(affectedRouteIds);
}
return { success: true, affectedRouteCount: affectedRouteIds.length };
},
),
);
// Delete a source profile
this.typedrouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteSourceProfile>(
'deleteSourceProfile',
async (dataArg) => {
await this.requireAuth(dataArg, 'source-profiles:write');
const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
if (!resolver || !manager) {
return { success: false, message: 'Not initialized' };
}
const result = await resolver.deleteProfile(
dataArg.id,
dataArg.force ?? false,
manager.getStoredRoutes(),
);
// If force-deleted with affected routes, re-apply
if (result.success && dataArg.force) {
await manager.applyRoutes();
}
return result;
},
),
);
// Get routes using a source profile
this.typedrouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSourceProfileUsage>(
'getSourceProfileUsage',
async (dataArg) => {
await this.requireAuth(dataArg, 'source-profiles:read');
const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
if (!resolver || !manager) {
return { routes: [] };
}
const usage = resolver.getProfileUsageForId(dataArg.id, manager.getStoredRoutes());
return { routes: usage.map((u) => ({ id: u.id, name: u.routeName })) };
},
),
);
}
}