feat(config): add reusable security profiles and network targets with route reference resolution

ts/opsserver/handlers/index.ts

@@ -9,4 +9,6 @@ export * from './certificate.handler.js';
 export * from './remoteingress.handler.js';
 export * from './route-management.handler.js';
 export * from './api-token.handler.js';
-export * from './vpn.handler.js';
+export * from './vpn.handler.js';
+export * from './security-profile.handler.js';
+export * from './network-target.handler.js';

ts/opsserver/handlers/network-target.handler.ts

@@ -0,0 +1,167 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+export class NetworkTargetHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
+
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private registerHandlers(): void {
+    // Get all network targets
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkTargets>(
+        'getNetworkTargets',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'targets:read');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          if (!resolver) {
+            return { targets: [] };
+          }
+          return { targets: resolver.listTargets() };
+        },
+      ),
+    );
+
+    // Get a single network target
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkTarget>(
+        'getNetworkTarget',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'targets:read');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          if (!resolver) {
+            return { target: null };
+          }
+          return { target: resolver.getTarget(dataArg.id) || null };
+        },
+      ),
+    );
+
+    // Create a network target
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateNetworkTarget>(
+        'createNetworkTarget',
+        async (dataArg) => {
+          const userId = await this.requireAuth(dataArg, 'targets:write');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          if (!resolver) {
+            return { success: false, message: 'Reference resolver not initialized' };
+          }
+          const id = await resolver.createTarget({
+            name: dataArg.name,
+            description: dataArg.description,
+            host: dataArg.host,
+            port: dataArg.port,
+            createdBy: userId,
+          });
+          return { success: true, id };
+        },
+      ),
+    );
+
+    // Update a network target
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateNetworkTarget>(
+        'updateNetworkTarget',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'targets:write');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!resolver || !manager) {
+            return { success: false, message: 'Not initialized' };
+          }
+
+          const { affectedRouteIds } = await resolver.updateTarget(dataArg.id, {
+            name: dataArg.name,
+            description: dataArg.description,
+            host: dataArg.host,
+            port: dataArg.port,
+          });
+
+          if (affectedRouteIds.length > 0) {
+            await manager.reResolveRoutes(affectedRouteIds);
+          }
+
+          return { success: true, affectedRouteCount: affectedRouteIds.length };
+        },
+      ),
+    );
+
+    // Delete a network target
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteNetworkTarget>(
+        'deleteNetworkTarget',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'targets:write');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!resolver || !manager) {
+            return { success: false, message: 'Not initialized' };
+          }
+
+          const result = await resolver.deleteTarget(
+            dataArg.id,
+            dataArg.force ?? false,
+            manager.getStoredRoutes(),
+          );
+
+          if (result.success && dataArg.force) {
+            await manager.applyRoutes();
+          }
+
+          return result;
+        },
+      ),
+    );
+
+    // Get routes using a network target
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetNetworkTargetUsage>(
+        'getNetworkTargetUsage',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'targets:read');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!resolver || !manager) {
+            return { routes: [] };
+          }
+          const usage = resolver.getTargetUsageForId(dataArg.id, manager.getStoredRoutes());
+          return { routes: usage.map((u) => ({ id: u.id, name: u.routeName })) };
+        },
+      ),
+    );
+  }
+}

ts/opsserver/handlers/route-management.handler.ts

@@ -71,7 +71,7 @@ export class RouteManagementHandler {
           if (!manager) {
             return { success: false, message: 'Route management not initialized' };
           }
-          const id = await manager.createRoute(dataArg.route, userId, dataArg.enabled ?? true);
+          const id = await manager.createRoute(dataArg.route, userId, dataArg.enabled ?? true, dataArg.metadata);
           return { success: true, storedRouteId: id };
         },
       ),
@@ -90,6 +90,7 @@ export class RouteManagementHandler {
           const ok = await manager.updateRoute(dataArg.id, {
             route: dataArg.route as any,
             enabled: dataArg.enabled,
+            metadata: dataArg.metadata,
           });
           return { success: ok, message: ok ? undefined : 'Route not found' };
         },

ts/opsserver/handlers/security-profile.handler.ts

@@ -0,0 +1,169 @@
+import * as plugins from '../../plugins.js';
+import type { OpsServer } from '../classes.opsserver.js';
+import * as interfaces from '../../../ts_interfaces/index.js';
+
+export class SecurityProfileHandler {
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(private opsServerRef: OpsServer) {
+    this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
+    this.registerHandlers();
+  }
+
+  private async requireAuth(
+    request: { identity?: interfaces.data.IIdentity; apiToken?: string },
+    requiredScope?: interfaces.data.TApiTokenScope,
+  ): Promise<string> {
+    if (request.identity?.jwt) {
+      try {
+        const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
+          identity: request.identity,
+        });
+        if (isAdmin) return request.identity.userId;
+      } catch { /* fall through */ }
+    }
+
+    if (request.apiToken) {
+      const tokenManager = this.opsServerRef.dcRouterRef.apiTokenManager;
+      if (tokenManager) {
+        const token = await tokenManager.validateToken(request.apiToken);
+        if (token) {
+          if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
+            return token.createdBy;
+          }
+          throw new plugins.typedrequest.TypedResponseError('insufficient scope');
+        }
+      }
+    }
+
+    throw new plugins.typedrequest.TypedResponseError('unauthorized');
+  }
+
+  private registerHandlers(): void {
+    // Get all security profiles
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSecurityProfiles>(
+        'getSecurityProfiles',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'profiles:read');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          if (!resolver) {
+            return { profiles: [] };
+          }
+          return { profiles: resolver.listProfiles() };
+        },
+      ),
+    );
+
+    // Get a single security profile
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSecurityProfile>(
+        'getSecurityProfile',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'profiles:read');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          if (!resolver) {
+            return { profile: null };
+          }
+          return { profile: resolver.getProfile(dataArg.id) || null };
+        },
+      ),
+    );
+
+    // Create a security profile
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateSecurityProfile>(
+        'createSecurityProfile',
+        async (dataArg) => {
+          const userId = await this.requireAuth(dataArg, 'profiles:write');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          if (!resolver) {
+            return { success: false, message: 'Reference resolver not initialized' };
+          }
+          const id = await resolver.createProfile({
+            name: dataArg.name,
+            description: dataArg.description,
+            security: dataArg.security,
+            extendsProfiles: dataArg.extendsProfiles,
+            createdBy: userId,
+          });
+          return { success: true, id };
+        },
+      ),
+    );
+
+    // Update a security profile
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateSecurityProfile>(
+        'updateSecurityProfile',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'profiles:write');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!resolver || !manager) {
+            return { success: false, message: 'Not initialized' };
+          }
+
+          const { affectedRouteIds } = await resolver.updateProfile(dataArg.id, {
+            name: dataArg.name,
+            description: dataArg.description,
+            security: dataArg.security,
+            extendsProfiles: dataArg.extendsProfiles,
+          });
+
+          // Propagate to affected routes
+          if (affectedRouteIds.length > 0) {
+            await manager.reResolveRoutes(affectedRouteIds);
+          }
+
+          return { success: true, affectedRouteCount: affectedRouteIds.length };
+        },
+      ),
+    );
+
+    // Delete a security profile
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteSecurityProfile>(
+        'deleteSecurityProfile',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'profiles:write');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!resolver || !manager) {
+            return { success: false, message: 'Not initialized' };
+          }
+
+          const result = await resolver.deleteProfile(
+            dataArg.id,
+            dataArg.force ?? false,
+            manager.getStoredRoutes(),
+          );
+
+          // If force-deleted with affected routes, re-apply
+          if (result.success && dataArg.force) {
+            await manager.applyRoutes();
+          }
+
+          return result;
+        },
+      ),
+    );
+
+    // Get routes using a security profile
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSecurityProfileUsage>(
+        'getSecurityProfileUsage',
+        async (dataArg) => {
+          await this.requireAuth(dataArg, 'profiles:read');
+          const resolver = this.opsServerRef.dcRouterRef.referenceResolver;
+          const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
+          if (!resolver || !manager) {
+            return { routes: [] };
+          }
+          const usage = resolver.getProfileUsageForId(dataArg.id, manager.getStoredRoutes());
+          return { routes: usage.map((u) => ({ id: u.id, name: u.routeName })) };
+        },
+      ),
+    );
+  }
+}