BREAKING CHANGE(vpn): replace tag-based VPN access control with source and target profiles

2026-04-05 00:37:37 +00:00
parent 25365678e0
commit 1ddf83b28d
38 changed files with 1546 additions and 321 deletions
--- a/ts_interfaces/data/index.ts
+++ b/ts_interfaces/data/index.ts
@@ -2,4 +2,5 @@ export * from './auth.js';
 export * from './stats.js';
 export * from './remoteingress.js';
 export * from './route-management.js';
+export * from './target-profile.js';
 export * from './vpn.js';
--- a/ts_interfaces/data/remoteingress.ts
+++ b/ts_interfaces/data/remoteingress.ts
@@ -51,26 +51,14 @@ export interface IRouteRemoteIngress {
  edgeFilter?: string[];
 }

-/**
- * Route-level VPN access configuration.
- * When attached to a route, controls VPN client access.
- */
-export interface IRouteVpn {
-  /** Enable VPN client access for this route */
-  enabled: boolean;
-  /** When true (default), ONLY VPN clients can access this route (replaces ipAllowList).
-   *  When false, VPN client IPs are added alongside the existing allowlist. */
-  mandatory?: boolean;
-  /** Only allow VPN clients with these server-defined tags. Omitted = all VPN clients. */
-  allowedServerDefinedClientTags?: string[];
-}
-
 /**
 * Extended route config used within dcrouter.
- * Adds optional `remoteIngress` and `vpn` properties to SmartProxy's IRouteConfig.
+ * Adds optional `remoteIngress` and `vpnOnly` properties to SmartProxy's IRouteConfig.
 * SmartProxy ignores unknown properties at runtime.
 */
 export type IDcRouterRouteConfig = IRouteConfig & {
  remoteIngress?: IRouteRemoteIngress;
-  vpn?: IRouteVpn;
+  /** When true, only VPN clients whose TargetProfile matches this route get access.
+   *  Matching is determined by domain overlap, target overlap, or direct routeRef. */
+  vpnOnly?: boolean;
 };
--- a/ts_interfaces/data/route-management.ts
+++ b/ts_interfaces/data/route-management.ts
@@ -12,18 +12,22 @@ export type TApiTokenScope =
  | 'routes:read' | 'routes:write'
  | 'config:read'
  | 'tokens:read' | 'tokens:manage'
-  | 'profiles:read' | 'profiles:write'
+  | 'source-profiles:read' | 'source-profiles:write'
+  | 'target-profiles:read' | 'target-profiles:write'
  | 'targets:read' | 'targets:write';

 // ============================================================================
-// Security Profile Types
+// Source Profile Types (source-side: who can access)
 // ============================================================================

 /**
- * A reusable, named security profile that can be referenced by routes.
+ * A reusable, named source profile that can be referenced by routes.
 * Stores the full IRouteSecurity shape from SmartProxy.
+ *
+ * SourceProfile = source-side (who can access: ipAllowList, rateLimit, auth)
+ * TargetProfile = target-side (what can be accessed: domains, IP:port targets, route refs)
 */
-export interface ISecurityProfile {
+export interface ISourceProfile {
  id: string;
  name: string;
  description?: string;
@@ -62,12 +66,12 @@ export interface INetworkTarget {
 * Metadata on a stored route tracking where its resolved values came from.
 */
 export interface IRouteMetadata {
-  /** ID of the SecurityProfileDoc used to resolve this route's security. */
-  securityProfileRef?: string;
+  /** ID of the SourceProfileDoc used to resolve this route's security. */
+  sourceProfileRef?: string;
  /** ID of the NetworkTargetDoc used to resolve this route's targets. */
  networkTargetRef?: string;
  /** Snapshot of the profile name at resolution time, for display. */
-  securityProfileName?: string;
+  sourceProfileName?: string;
  /** Snapshot of the target name at resolution time, for display. */
  networkTargetName?: string;
  /** Timestamp of last reference resolution. */
--- a/ts_interfaces/data/target-profile.ts
+++ b/ts_interfaces/data/target-profile.ts
@@ -0,0 +1,29 @@
+/**
+ * A specific IP:port target within a TargetProfile.
+ */
+export interface ITargetProfileTarget {
+  host: string;
+  port: number;
+}
+
+/**
+ * A reusable, named target profile that defines what resources a VPN client can reach.
+ * Assigned to VPN clients via targetProfileIds.
+ *
+ * SourceProfile = source-side (who can access: ipAllowList, rateLimit, auth)
+ * TargetProfile = target-side (what can be accessed: domains, IP:port targets, route refs)
+ */
+export interface ITargetProfile {
+  id: string;
+  name: string;
+  description?: string;
+  /** Domain patterns this profile grants access to (supports wildcards: '*.example.com') */
+  domains?: string[];
+  /** Specific IP:port targets this profile grants access to */
+  targets?: ITargetProfileTarget[];
+  /** Route references by stored route ID or route name */
+  routeRefs?: string[];
+  createdAt: number;
+  updatedAt: number;
+  createdBy: string;
+}
--- a/ts_interfaces/data/vpn.ts
+++ b/ts_interfaces/data/vpn.ts
@@ -4,7 +4,8 @@
 export interface IVpnClient {
  clientId: string;
  enabled: boolean;
-  serverDefinedClientTags?: string[];
+  /** IDs of TargetProfiles assigned to this client */
+  targetProfileIds?: string[];
  description?: string;
  assignedIp?: string;
  createdAt: number;