serve.zone/dcrouter
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(gateway-clients): add policy-based gateway client tokens and gateway client route and DNS management endpoints

Browse Source
This commit is contained in:
Jürgen Kunz
2026-05-09 11:53:45 +00:00
parent 7e3b89d9b4
commit 97505935bb
15 changed files with 604 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ts/opsserver/handlers/api-token.handler.ts
+1
View File
@@ -26,6 +26,7 @@ export class ApiTokenHandler {
dataArg.scopes,
dataArg.expiresInDays ?? null,
dataArg.identity.userId,
dataArg.policy,
);
return { success: true, tokenId: result.id, tokenValue: result.rawToken };
},
ts/opsserver/handlers/workhoster.handler.ts
+339 -68
View File
@@ -2,6 +2,12 @@ import * as plugins from '../../plugins.js';
import type { OpsServer } from '../classes.opsserver.js';
import * as interfaces from '../../../ts_interfaces/index.js';
type TAuthContext = {
userId: string;
isAdmin: boolean;
token?: interfaces.data.IStoredApiToken;
};
export class WorkHosterHandler {
public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -13,13 +19,13 @@ export class WorkHosterHandler {
private async requireAuth(
request: { identity?: interfaces.data.IIdentity; apiToken?: string },
requiredScope?: interfaces.data.TApiTokenScope,
): Promise<string> {
): Promise<TAuthContext> {
if (request.identity?.jwt) {
try {
const isAdmin = await this.opsServerRef.adminHandler.adminIdentityGuard.exec({
identity: request.identity,
});
if (isAdmin) return request.identity.userId;
if (isAdmin) return { userId: request.identity.userId, isAdmin: true };
} catch { /* fall through */ }
}
@@ -29,7 +35,7 @@ export class WorkHosterHandler {
const token = await tokenManager.validateToken(request.apiToken);
if (token) {
if (!requiredScope || tokenManager.hasScope(token, requiredScope)) {
return token.createdBy;
return { userId: token.createdBy, isAdmin: token.policy?.role === 'admin', token };
}
throw new plugins.typedrequest.TypedResponseError('insufficient scope');
}
@@ -44,35 +50,52 @@ export class WorkHosterHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetGatewayCapabilities>(
'getGatewayCapabilities',
async (dataArg) => {
await this.requireAuth(dataArg, 'workhosters:read');
await this.requireAuth(dataArg, 'gateway-clients:read');
return { capabilities: this.getGatewayCapabilities() };
},
),
);
this.typedrouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetGatewayClientDomains>(
'getGatewayClientDomains',
async (dataArg) => {
const auth = await this.requireAuth(dataArg, 'gateway-clients:read');
this.assertCapability(auth, 'readDomains');
return { domains: await this.listGatewayClientDomains(auth, dataArg.gatewayClientId) };
},
),
);
this.typedrouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetGatewayClientDnsRecords>(
'getGatewayClientDnsRecords',
async (dataArg) => {
const auth = await this.requireAuth(dataArg, 'gateway-clients:read');
this.assertCapability(auth, 'readDnsRecords');
return { records: await this.listGatewayClientDnsRecords(auth, dataArg.gatewayClientId) };
},
),
);
this.typedrouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetWorkHosterDomains>(
'getWorkHosterDomains',
async (dataArg) => {
await this.requireAuth(dataArg, 'workhosters:read');
const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
if (!dnsManager) return { domains: [] };
const auth = await this.requireAuth(dataArg, 'workhosters:read');
this.assertCapability(auth, 'readDomains');
return { domains: await this.listGatewayClientDomains(auth) };
},
),
);
const docs = await dnsManager.listDomains();
const domains = docs.map((domainDoc) => {
const domain = dnsManager.toPublicDomain(domainDoc);
const canManageDnsRecords = domain.source === 'dcrouter' || Boolean(domain.providerId);
return {
...domain,
capabilities: {
canCreateSubdomains: canManageDnsRecords,
canManageDnsRecords,
canIssueCertificates: Boolean(this.opsServerRef.dcRouterRef.smartProxy),
canHostEmail: Boolean(this.opsServerRef.dcRouterRef.emailDomainManager),
},
} satisfies interfaces.data.IWorkHosterDomain;
});
return { domains };
this.typedrouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SyncGatewayClientRoute>(
'syncGatewayClientRoute',
async (dataArg) => {
const auth = await this.requireAuth(dataArg, 'gateway-clients:write');
this.assertCapability(auth, 'syncRoutes');
return await this.syncGatewayClientRoute(auth, dataArg.ownership, dataArg.route, dataArg.enabled, dataArg.delete);
},
),
);
@@ -81,51 +104,15 @@ export class WorkHosterHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SyncWorkAppRoute>(
'syncWorkAppRoute',
async (dataArg) => {
const userId = await this.requireAuth(dataArg, 'workhosters:write');
const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
if (!manager) {
return { success: false, message: 'Route management not initialized' };
}
const externalKey = this.buildExternalKey(dataArg.ownership);
const existingRoute = manager.findApiRouteByExternalKey(externalKey);
if (dataArg.delete) {
if (!existingRoute) {
return { success: true, action: 'unchanged' };
}
const result = await manager.deleteRoute(existingRoute.id);
return result.success
? { success: true, action: 'deleted', routeId: existingRoute.id }
: { success: false, message: result.message };
}
if (!dataArg.route) {
return { success: false, message: 'route is required unless delete=true' };
}
const metadata: interfaces.data.IRouteMetadata = {
ownerType: 'workhoster',
workHosterType: dataArg.ownership.workHosterType,
workHosterId: dataArg.ownership.workHosterId,
workAppId: dataArg.ownership.workAppId,
externalKey,
const auth = await this.requireAuth(dataArg, 'workhosters:write');
this.assertCapability(auth, 'syncRoutes');
const ownership: interfaces.data.IGatewayClientOwnership = {
gatewayClientType: dataArg.ownership.workHosterType,
gatewayClientId: dataArg.ownership.workHosterId,
appId: dataArg.ownership.workAppId,
hostname: dataArg.ownership.hostname,
};
const route = this.normalizeWorkAppRoute(dataArg.route, dataArg.ownership, externalKey);
if (existingRoute) {
const result = await manager.updateRoute(existingRoute.id, {
route,
enabled: dataArg.enabled ?? true,
metadata,
});
return result.success
? { success: true, action: 'updated', routeId: existingRoute.id }
: { success: false, message: result.message };
}
const routeId = await manager.createRoute(route, userId, dataArg.enabled ?? true, metadata);
return { success: true, action: 'created', routeId };
return await this.syncGatewayClientRoute(auth, ownership, dataArg.route, dataArg.enabled, dataArg.delete);
},
),
);
@@ -146,13 +133,13 @@ export class WorkHosterHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SyncWorkAppMailIdentity>(
'syncWorkAppMailIdentity',
async (dataArg) => {
const userId = await this.requireAuth(dataArg, 'workhosters:write');
const auth = await this.requireAuth(dataArg, 'workhosters:write');
const manager = this.opsServerRef.dcRouterRef.workAppMailManager;
if (!manager) {
return { success: false, message: 'WorkApp mail manager not initialized' };
}
try {
return await manager.syncMailIdentity(dataArg, userId);
return await manager.syncMailIdentity(dataArg, auth.userId);
} catch (error) {
return { success: false, message: (error as Error).message };
}
@@ -205,6 +192,278 @@ export class WorkHosterHandler {
].map((part) => part.trim()).join(':');
}
private assertCapability(
auth: TAuthContext,
capability: keyof NonNullable<interfaces.data.IApiTokenPolicy['capabilities']>,
): void {
if (auth.isAdmin) return;
const policy = auth.token?.policy;
if (!policy || policy.role !== 'gatewayClient') return;
if (policy.capabilities?.[capability] === true) return;
throw new plugins.typedrequest.TypedResponseError(`token capability missing: ${capability}`);
}
private resolveGatewayClientId(auth: TAuthContext, requestedId?: string): string | undefined {
const policyClient = auth.token?.policy?.gatewayClient;
if (!policyClient) return requestedId;
if (requestedId && requestedId !== policyClient.id) {
throw new plugins.typedrequest.TypedResponseError('gateway client token cannot access another gateway client');
}
return policyClient.id;
}
private assertGatewayClientOwnership(auth: TAuthContext, ownership: interfaces.data.IGatewayClientOwnership): void {
const policy = auth.token?.policy;
if (!policy || policy.role !== 'gatewayClient') return;
if (!policy.gatewayClient) {
throw new plugins.typedrequest.TypedResponseError('gateway client token is missing gatewayClient binding');
}
if (ownership.gatewayClientType !== policy.gatewayClient.type || ownership.gatewayClientId !== policy.gatewayClient.id) {
throw new plugins.typedrequest.TypedResponseError('gateway client token cannot act for this ownership');
}
if (!this.matchesHostnamePatterns(ownership.hostname, policy.hostnamePatterns || [])) {
throw new plugins.typedrequest.TypedResponseError('hostname is outside token policy');
}
}
private assertRouteTargetsAllowed(auth: TAuthContext, route?: interfaces.data.IDcRouterRouteConfig): void {
const policy = auth.token?.policy;
if (!policy || policy.role !== 'gatewayClient' || !route) return;
const allowedTargets = policy.allowedRouteTargets || [];
if (allowedTargets.length === 0) {
throw new plugins.typedrequest.TypedResponseError('gateway client token has no allowed route targets');
}
const targets = ((route.action as any)?.targets || []) as Array<{ host?: string; port?: number }>;
for (const target of targets) {
const host = String(target.host || '').trim().toLowerCase();
const port = Number(target.port);
const allowed = allowedTargets.some((allowedTarget) => {
return allowedTarget.host.trim().toLowerCase() === host && allowedTarget.ports.includes(port);
});
if (!allowed) {
throw new plugins.typedrequest.TypedResponseError(`route target is outside token policy: ${host}:${port}`);
}
}
}
private matchesHostnamePatterns(hostname: string, patterns: string[]): boolean {
const normalizedHostname = hostname.trim().toLowerCase();
if (!normalizedHostname) return false;
for (const pattern of patterns) {
const normalizedPattern = pattern.trim().toLowerCase();
if (!normalizedPattern) continue;
if (normalizedPattern === normalizedHostname) return true;
if (normalizedPattern.startsWith('*.')) {
const suffix = normalizedPattern.slice(2);
if (!normalizedHostname.endsWith(`.${suffix}`)) continue;
const prefix = normalizedHostname.slice(0, -(suffix.length + 1));
if (prefix && !prefix.includes('.')) return true;
}
}
return false;
}
private getRouteHostnames(route: interfaces.data.IDcRouterRouteConfig): string[] {
const domains = (route.match as any)?.domains;
if (Array.isArray(domains)) {
return domains.map((domain) => String(domain).trim().toLowerCase()).filter(Boolean);
}
if (typeof domains === 'string') {
return domains.split(',').map((domain) => domain.trim().toLowerCase()).filter(Boolean);
}
return [];
}
private getOwnedRoutes(gatewayClientId?: string): interfaces.data.IMergedRoute[] {
const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
if (!manager) return [];
return manager.getMergedRoutes().routes.filter((route) => {
const metadata = route.metadata;
if (!metadata) return false;
const ownerType = metadata.ownerType;
const isGatewayOwned = ownerType === 'gatewayClient' || ownerType === 'workhoster';
if (!isGatewayOwned) return false;
const routeGatewayClientId = metadata.gatewayClientId || metadata.workHosterId;
return gatewayClientId ? routeGatewayClientId === gatewayClientId : true;
});
}
private async listGatewayClientDomains(
auth: TAuthContext,
requestedGatewayClientId?: string,
): Promise<interfaces.data.IGatewayClientDomain[]> {
const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
if (!dnsManager) return [];
const gatewayClientId = this.resolveGatewayClientId(auth, requestedGatewayClientId);
const ownedRoutes = this.getOwnedRoutes(gatewayClientId);
const routeHostnames = ownedRoutes.flatMap((route) => this.getRouteHostnames(route.route));
const docs = await dnsManager.listDomains();
return docs
.filter((domainDoc) => {
if (!auth.token?.policy || auth.token.policy.role !== 'gatewayClient') return true;
return routeHostnames.some((hostname) => this.isHostnameInDomain(hostname, domainDoc.name));
})
.map((domainDoc) => {
const domain = dnsManager.toPublicDomain(domainDoc);
const canManageDnsRecords = domain.source === 'dcrouter' || Boolean(domain.providerId);
const serviceCount = routeHostnames.filter((hostname) => this.isHostnameInDomain(hostname, domain.name)).length;
return {
...domain,
serviceCount,
managePath: `/domains/${domain.id}`,
capabilities: {
canCreateSubdomains: canManageDnsRecords,
canManageDnsRecords,
canIssueCertificates: Boolean(this.opsServerRef.dcRouterRef.smartProxy),
canHostEmail: Boolean(this.opsServerRef.dcRouterRef.emailDomainManager),
},
} satisfies interfaces.data.IGatewayClientDomain;
});
}
private async listGatewayClientDnsRecords(
auth: TAuthContext,
requestedGatewayClientId?: string,
): Promise<interfaces.data.IGatewayClientDnsRecord[]> {
const dnsManager = this.opsServerRef.dcRouterRef.dnsManager;
if (!dnsManager) return [];
const gatewayClientId = this.resolveGatewayClientId(auth, requestedGatewayClientId);
const ownedRoutes = this.getOwnedRoutes(gatewayClientId);
const domains = await dnsManager.listDomains();
const records: interfaces.data.IGatewayClientDnsRecord[] = [];
for (const route of ownedRoutes) {
const metadata = route.metadata;
if (!metadata) continue;
const gatewayClientType = metadata.gatewayClientType || metadata.workHosterType || 'custom';
const routeGatewayClientId = metadata.gatewayClientId || metadata.workHosterId || '';
const appId = metadata.gatewayClientAppId || metadata.workAppId || '';
for (const hostname of this.getRouteHostnames(route.route)) {
if (auth.token?.policy?.role === 'gatewayClient' && !this.matchesHostnamePatterns(hostname, auth.token.policy.hostnamePatterns || [])) {
continue;
}
const domainDoc = domains.find((domain) => this.isHostnameInDomain(hostname, domain.name));
const domainRecords = domainDoc ? await dnsManager.listRecordsForDomain(domainDoc.id) : [];
const matchingRecords = domainRecords.filter((record) => record.name === hostname);
if (matchingRecords.length === 0) {
records.push({
id: `missing:${hostname}`,
domainId: domainDoc?.id || '',
domainName: domainDoc?.name,
name: hostname,
type: 'MISSING',
value: '',
ttl: 0,
source: 'local',
status: 'missing',
gatewayClientType,
gatewayClientId: routeGatewayClientId,
appId,
hostname,
routeId: route.id,
managePath: domainDoc ? `/domains/${domainDoc.id}/dns` : '/domains',
createdAt: route.createdAt || 0,
updatedAt: route.updatedAt || 0,
createdBy: '',
});
continue;
}
for (const recordDoc of matchingRecords) {
const record = dnsManager.toPublicRecord(recordDoc);
records.push({
...record,
domainName: domainDoc?.name,
status: 'active',
gatewayClientType,
gatewayClientId: routeGatewayClientId,
appId,
hostname,
routeId: route.id,
managePath: `/dns-records/${record.id}`,
});
}
}
}
return records;
}
private isHostnameInDomain(hostname: string, domainName: string): boolean {
const normalizedHostname = hostname.trim().toLowerCase();
const normalizedDomainName = domainName.trim().toLowerCase();
return normalizedHostname === normalizedDomainName || normalizedHostname.endsWith(`.${normalizedDomainName}`);
}
private async syncGatewayClientRoute(
auth: TAuthContext,
ownership: interfaces.data.IGatewayClientOwnership,
route?: interfaces.data.IDcRouterRouteConfig,
enabled?: boolean,
deleteRoute?: boolean,
): Promise<interfaces.data.IGatewayClientRouteSyncResult> {
this.assertGatewayClientOwnership(auth, ownership);
this.assertRouteTargetsAllowed(auth, route);
const manager = this.opsServerRef.dcRouterRef.routeConfigManager;
if (!manager) {
return { success: false, message: 'Route management not initialized' };
}
const externalKey = this.buildGatewayClientExternalKey(ownership);
const existingRoute = manager.findApiRouteByExternalKey(externalKey);
if (deleteRoute) {
if (!existingRoute) {
return { success: true, action: 'unchanged' };
}
const result = await manager.deleteRoute(existingRoute.id);
return result.success
? { success: true, action: 'deleted', routeId: existingRoute.id }
: { success: false, message: result.message };
}
if (!route) {
return { success: false, message: 'route is required unless delete=true' };
}
const metadata: interfaces.data.IRouteMetadata = {
ownerType: 'gatewayClient',
gatewayClientType: ownership.gatewayClientType,
gatewayClientId: ownership.gatewayClientId,
gatewayClientAppId: ownership.appId,
workHosterType: ownership.gatewayClientType,
workHosterId: ownership.gatewayClientId,
workAppId: ownership.appId,
externalKey,
};
const normalizedRoute = this.normalizeGatewayClientRoute(route, ownership, externalKey);
if (existingRoute) {
const result = await manager.updateRoute(existingRoute.id, {
route: normalizedRoute,
enabled: enabled ?? true,
metadata,
});
return result.success
? { success: true, action: 'updated', routeId: existingRoute.id }
: { success: false, message: result.message };
}
const routeId = await manager.createRoute(normalizedRoute, auth.userId, enabled ?? true, metadata);
return { success: true, action: 'created', routeId };
}
private buildGatewayClientExternalKey(ownership: interfaces.data.IGatewayClientOwnership): string {
return [
ownership.gatewayClientType,
ownership.gatewayClientId,
ownership.appId,
ownership.hostname,
].map((part) => part.trim()).join(':');
}
private normalizeWorkAppRoute(
route: interfaces.data.IDcRouterRouteConfig,
ownership: interfaces.data.IWorkAppRouteOwnership,
@@ -216,4 +475,16 @@ export class WorkHosterHandler {
}
return normalizedRoute;
}
private normalizeGatewayClientRoute(
route: interfaces.data.IDcRouterRouteConfig,
ownership: interfaces.data.IGatewayClientOwnership,
externalKey: string,
): interfaces.data.IDcRouterRouteConfig {
const normalizedRoute = { ...route };
if (!normalizedRoute.name) {
normalizedRoute.name = `gateway-client-${externalKey.replace(/[^a-zA-Z0-9-]+/g, '-').slice(0, 80)}`;
}
return normalizedRoute;
}
}