feat(gateway-clients): add policy-based gateway client tokens and gateway client route and DNS management endpoints
This commit is contained in:
@@ -9,6 +9,7 @@ export type IRouteSecurity = NonNullable<IRouteConfig['security']>;
|
||||
// ============================================================================
|
||||
|
||||
export type TApiTokenScope =
|
||||
| '*'
|
||||
| 'routes:read' | 'routes:write'
|
||||
| 'config:read'
|
||||
| 'certificates:read' | 'certificates:write'
|
||||
@@ -21,9 +22,33 @@ export type TApiTokenScope =
|
||||
| 'dns-records:read' | 'dns-records:write'
|
||||
| 'acme-config:read' | 'acme-config:write'
|
||||
| 'email-domains:read' | 'email-domains:write'
|
||||
| 'gateway-clients:read' | 'gateway-clients:write'
|
||||
| 'workhosters:read' | 'workhosters:write';
|
||||
|
||||
export type TWorkHosterType = 'onebox' | 'cloudly' | 'custom';
|
||||
export type TGatewayClientType = 'onebox' | 'cloudly' | 'custom';
|
||||
/** @deprecated Use TGatewayClientType. */
|
||||
export type TWorkHosterType = TGatewayClientType;
|
||||
|
||||
export interface IApiTokenPolicy {
|
||||
role: 'admin' | 'gatewayClient' | 'operator';
|
||||
scopes?: TApiTokenScope[];
|
||||
gatewayClient?: {
|
||||
type: TGatewayClientType;
|
||||
id: string;
|
||||
};
|
||||
hostnamePatterns?: string[];
|
||||
allowedRouteTargets?: Array<{
|
||||
host: string;
|
||||
ports: number[];
|
||||
}>;
|
||||
capabilities?: {
|
||||
readDomains?: boolean;
|
||||
readDnsRecords?: boolean;
|
||||
syncRoutes?: boolean;
|
||||
syncDnsRecords?: boolean;
|
||||
requestCertificates?: boolean;
|
||||
};
|
||||
}
|
||||
|
||||
// ============================================================================
|
||||
// Source Profile Types (source-side: who can access)
|
||||
@@ -86,9 +111,15 @@ export interface IRouteMetadata {
|
||||
/** Timestamp of last reference resolution. */
|
||||
lastResolvedAt?: number;
|
||||
/** External route ownership, used by WorkHoster reconciliation. */
|
||||
ownerType?: 'workhoster' | 'operator' | 'system';
|
||||
workHosterType?: TWorkHosterType;
|
||||
ownerType?: 'gatewayClient' | 'workhoster' | 'operator' | 'system';
|
||||
gatewayClientType?: TGatewayClientType;
|
||||
gatewayClientId?: string;
|
||||
gatewayClientAppId?: string;
|
||||
/** @deprecated Use gatewayClientType. */
|
||||
workHosterType?: TGatewayClientType;
|
||||
/** @deprecated Use gatewayClientId. */
|
||||
workHosterId?: string;
|
||||
/** @deprecated Use gatewayClientAppId. */
|
||||
workAppId?: string;
|
||||
externalKey?: string;
|
||||
}
|
||||
@@ -123,6 +154,7 @@ export interface IApiTokenInfo {
|
||||
id: string;
|
||||
name: string;
|
||||
scopes: TApiTokenScope[];
|
||||
policy?: IApiTokenPolicy;
|
||||
createdAt: number;
|
||||
expiresAt: number | null;
|
||||
lastUsedAt: number | null;
|
||||
@@ -156,6 +188,7 @@ export interface IStoredApiToken {
|
||||
name: string;
|
||||
tokenHash: string;
|
||||
scopes: TApiTokenScope[];
|
||||
policy?: IApiTokenPolicy;
|
||||
createdAt: number;
|
||||
expiresAt: number | null;
|
||||
lastUsedAt: number | null;
|
||||
|
||||
Reference in New Issue
Block a user