fix(opsserver,vpn): tighten admin bootstrap behavior when the database is unavailable and include wildcard VPN profile matches in route access rules
This commit is contained in:
@@ -24,7 +24,8 @@ export class AdminHandler {
|
||||
// JWT instance
|
||||
public smartjwtInstance!: plugins.smartjwt.SmartJwt<IJwtData>;
|
||||
|
||||
// Ephemeral bootstrap users. Persisted accounts take over once an active admin exists.
|
||||
// Ephemeral bootstrap users. DB-backed instances may use these only until the
|
||||
// database is ready and the first persistent admin account has been created.
|
||||
private users = new Map<string, {
|
||||
id: string;
|
||||
username: string;
|
||||
@@ -87,9 +88,12 @@ export class AdminHandler {
|
||||
* Used by UsersHandler to serve the admin-only listUsers endpoint.
|
||||
*/
|
||||
public async listUsers(): Promise<interfaces.requests.IAdminUserProjection[]> {
|
||||
if (await this.hasPersistentAdminAccount()) {
|
||||
const store = this.getAccountStore();
|
||||
const accounts = await store!.listAccounts();
|
||||
const accountState = await this.getPersistentAccountState();
|
||||
if (accountState.dbEnabled && !accountState.dbReady) {
|
||||
throw new plugins.typedrequest.TypedResponseError('database is not ready');
|
||||
}
|
||||
if (accountState.hasPersistentAdmin) {
|
||||
const accounts = await accountState.store!.listAccounts();
|
||||
return accounts.map((accountArg) => this.accountToUser(accountArg));
|
||||
}
|
||||
|
||||
@@ -101,16 +105,14 @@ export class AdminHandler {
|
||||
}
|
||||
|
||||
public async getBootstrapStatus(): Promise<interfaces.requests.IReq_GetAdminBootstrapStatus['response']> {
|
||||
const dbEnabled = this.opsServerRef.dcRouterRef.options.dbConfig?.enabled !== false;
|
||||
const store = this.getAccountStore();
|
||||
const dbReady = !!store;
|
||||
const hasPersistentAdmin = dbReady ? await store.hasActiveAdminAccount() : false;
|
||||
const accountState = await this.getPersistentAccountState();
|
||||
const bootstrapAvailable = !accountState.dbEnabled || (accountState.dbReady && !accountState.hasPersistentAdmin);
|
||||
return {
|
||||
dbEnabled,
|
||||
dbReady,
|
||||
hasPersistentAdmin,
|
||||
needsBootstrap: dbEnabled && dbReady && !hasPersistentAdmin,
|
||||
ephemeralAdminAvailable: !hasPersistentAdmin,
|
||||
dbEnabled: accountState.dbEnabled,
|
||||
dbReady: accountState.dbReady,
|
||||
hasPersistentAdmin: accountState.hasPersistentAdmin,
|
||||
needsBootstrap: accountState.dbEnabled && accountState.dbReady && !accountState.hasPersistentAdmin,
|
||||
ephemeralAdminAvailable: bootstrapAvailable,
|
||||
idpGlobalConfigured: this.isIdpGlobalConfigured(),
|
||||
};
|
||||
}
|
||||
@@ -408,10 +410,14 @@ export class AdminHandler {
|
||||
password: string;
|
||||
authSource?: interfaces.requests.TAdminLoginAuthSource;
|
||||
}): Promise<TAdminUser | null> {
|
||||
if (await this.hasPersistentAdminAccount()) {
|
||||
const store = this.getAccountStore();
|
||||
const accountState = await this.getPersistentAccountState();
|
||||
if (accountState.dbEnabled && !accountState.dbReady) {
|
||||
throw new plugins.typedrequest.TypedResponseError('database is not ready');
|
||||
}
|
||||
|
||||
if (accountState.hasPersistentAdmin) {
|
||||
const authService = new plugins.idpSdkServer.AccountAuthService({
|
||||
store: store!,
|
||||
store: accountState.store!,
|
||||
idpClient: this.getIdpClient() as plugins.idpSdkServer.IdpGlobalServerClient | undefined,
|
||||
});
|
||||
const result = await authService.authenticate({
|
||||
@@ -431,8 +437,13 @@ export class AdminHandler {
|
||||
}
|
||||
|
||||
private async resolveUser(userIdArg: string): Promise<TAdminUser | null> {
|
||||
if (await this.hasPersistentAdminAccount()) {
|
||||
const account = await this.getAccountStore()!.getAccountById(userIdArg);
|
||||
const accountState = await this.getPersistentAccountState();
|
||||
if (accountState.dbEnabled && !accountState.dbReady) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if (accountState.hasPersistentAdmin) {
|
||||
const account = await accountState.store!.getAccountById(userIdArg);
|
||||
if (!account || account.status !== 'active') {
|
||||
return null;
|
||||
}
|
||||
@@ -442,13 +453,25 @@ export class AdminHandler {
|
||||
return this.users.get(userIdArg) || null;
|
||||
}
|
||||
|
||||
private async hasPersistentAdminAccount(): Promise<boolean> {
|
||||
const store = this.getAccountStore();
|
||||
return store ? store.hasActiveAdminAccount() : false;
|
||||
private async getPersistentAccountState(): Promise<{
|
||||
dbEnabled: boolean;
|
||||
dbReady: boolean;
|
||||
store: plugins.idpSdkServer.SmartdataAccountStore | null;
|
||||
hasPersistentAdmin: boolean;
|
||||
}> {
|
||||
const dbEnabled = this.isPersistenceEnabled();
|
||||
const store = dbEnabled ? this.getAccountStore() : null;
|
||||
const dbReady = !!store;
|
||||
const hasPersistentAdmin = store ? await store.hasActiveAdminAccount() : false;
|
||||
return { dbEnabled, dbReady, store, hasPersistentAdmin };
|
||||
}
|
||||
|
||||
private isPersistenceEnabled(): boolean {
|
||||
return this.opsServerRef.dcRouterRef.options.dbConfig?.enabled !== false;
|
||||
}
|
||||
|
||||
private getAccountStore(): plugins.idpSdkServer.SmartdataAccountStore | null {
|
||||
if (this.opsServerRef.dcRouterRef.options.dbConfig?.enabled === false) {
|
||||
if (!this.isPersistenceEnabled()) {
|
||||
return null;
|
||||
}
|
||||
const dcRouterDb = this.opsServerRef.dcRouterRef.dcRouterDb;
|
||||
|
||||
Reference in New Issue
Block a user