bastion/nginx-proxy-manager
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Access Lists

Browse Source
This commit is contained in:
Jamie Curnow
2018-08-18 17:16:23 +10:00
parent 3a9fc8e2ea
commit 13f08df46c
17 changed files with 377 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

89
src/backend/internal/access-list.js
View File

@ -1,8 +1,10 @@
'use strict';
const _ = require('lodash');
const error = require('../lib/error');
const accessListModel = require('../models/access_list');
const _ = require('lodash');
const error = require('../lib/error');
const accessListModel = require('../models/access_list');
const accessListAuthModel = require('../models/access_list_auth');
const internalAuditLog = require('./audit-log');
function omissions () {
return ['is_deleted'];
@ -18,8 +20,51 @@ const internalAccessList = {
create: (access, data) => {
return access.can('access_lists:create', data)
.then(access_data => {
// TODO
return {};
return accessListModel
.query()
.omit(omissions())
.insertAndFetch({
name: data.name,
owner_user_id: access.token.get('attrs').id
});
})
.then(row => {
// Now add the items
let promises = [];
data.items.map(function (item) {
promises.push(accessListAuthModel
.query()
.insert({
access_list_id: row.id,
username: item.username,
password: item.password
})
);
});
return Promise.all(promises);
})
.then(row => {
// re-fetch with cert
return internalAccessList.get(access, {
id: row.id,
expand: ['owner', 'items']
});
})
.then(row => {
// Audit log
data.meta = _.assign({}, data.meta || {}, row.meta);
// Add to audit log
return internalAuditLog.add(access, {
action: 'created',
object_type: 'access-list',
object_id: row.id,
meta: data
})
.then(() => {
return row;
});
});
},
@ -62,7 +107,7 @@ const internalAccessList = {
.query()
.where('is_deleted', 0)
.andWhere('id', data.id)
.allowEager('[owner]')
.allowEager('[owner,items]')
.first();
if (access_data.permission_visibility !== 'all') {
@ -82,6 +127,10 @@ const internalAccessList = {
})
.then(row => {
if (row) {
if (typeof row.items !== 'undefined' && row.items) {
row.items = internalAccessList.maskItems(row.items);
}
return _.omit(row, omissions());
} else {
throw new error.ItemNotFoundError(data.id);
@ -134,7 +183,7 @@ const internalAccessList = {
.where('is_deleted', 0)
.groupBy('id')
.omit(['is_deleted'])
.allowEager('[owner]')
.allowEager('[owner,items]')
.orderBy('name', 'ASC');
if (access_data.permission_visibility !== 'all') {
@ -153,6 +202,17 @@ const internalAccessList = {
}
return query;
})
.then(rows => {
if (rows) {
rows.map(function (row, idx) {
if (typeof row.items !== 'undefined' && row.items) {
rows[idx].items = internalAccessList.maskItems(row.items);
}
});
}
return rows;
});
},
@ -177,6 +237,21 @@ const internalAccessList = {
.then(row => {
return parseInt(row.count, 10);
});
},
/**
* @param {Object} list
* @returns {Object}
*/
maskItems: list => {
if (list && typeof list.items !== 'undefined') {
list.items.map(function (val, idx) {
list.items[idx].hint = val.password.charAt(0) + ('*').repeat(val.password.length - 1);
list.items[idx].password = '';
});
}
return list;
}
};

37
src/backend/internal/certificate.js
View File

@ -41,7 +41,6 @@ const internalCertificate = {
return utils.exec(certbot_command + ' renew -q ' + (debug_mode ? '--staging' : ''))
.then(result => {
logger.info(result);
internalCertificate.interval_processing = false;
return internalNginx.reload()
.then(() => {
@ -49,6 +48,42 @@ const internalCertificate = {
return result;
});
})
.then(() => {
// Now go and fetch all the letsencrypt certs from the db and query the files and update expiry times
return certificateModel
.query()
.where('is_deleted', 0)
.andWhere('provider', 'letsencrypt')
.then(certificates => {
if (certificates && certificates.length) {
let promises = [];
certificates.map(function (certificate) {
promises.push(
internalCertificate.getCertificateInfoFromFile('/etc/letsencrypt/live/npm-' + certificate.id + '/fullchain.pem')
.then(cert_info => {
return certificateModel
.query()
.where('id', certificate.id)
.andWhere('provider', 'letsencrypt')
.patch({
expires_on: certificateModel.raw('FROM_UNIXTIME(' + cert_info.dates.to + ')')
});
})
.catch(err => {
// Don't want to stop the train here, just log the error
logger.error(err.message);
})
);
});
return Promise.all(promises);
}
});
})
.then(() => {
internalCertificate.interval_processing = false;
})
.catch(err => {
logger.error(err);
internalCertificate.interval_processing = false;

18
src/backend/models/access_list.js
View File

@ -3,9 +3,10 @@
'use strict';
const db = require('../db');
const Model = require('objection').Model;
const User = require('./user');
const db = require('../db');
const Model = require('objection').Model;
const User = require('./user');
const AccessListAuth = require('./access_list_auth');
Model.knex(db);
@ -44,6 +45,17 @@ class AccessList extends Model {
qb.where('user.is_deleted', 0);
qb.omit(['id', 'created_on', 'modified_on', 'is_deleted', 'email', 'roles']);
}
},
items: {
relation: Model.HasManyRelation,
modelClass: AccessListAuth,
join: {
from: 'access_list.id',
to: 'access_list_auth.access_list_id'
},
modify: function (qb) {
qb.omit(['id', 'created_on', 'modified_on']);
}
}
};
}

2
src/backend/models/access_list_auth.js
View File

@ -34,7 +34,7 @@ class AccessListAuth extends Model {
return {
access_list: {
relation: Model.HasOneRelation,
modelClass: './access_list',
modelClass: require('./access_list'),
join: {
from: 'access_list_auth.access_list_id',
to: 'access_list.id'

14
src/backend/routes/api/nginx/access_lists.js
View File

@ -75,7 +75,7 @@ router
* /api/nginx/access-lists/123
*/
router
.route('/:host_id')
.route('/:list_id')
.options((req, res) => {
res.sendStatus(204);
})
@ -88,10 +88,10 @@ router
*/
.get((req, res, next) => {
validator({
required: ['host_id'],
required: ['list_id'],
additionalProperties: false,
properties: {
host_id: {
list_id: {
$ref: 'definitions#/definitions/id'
},
expand: {
@ -99,12 +99,12 @@ router
}
}
}, {
host_id: req.params.host_id,
list_id: req.params.list_id,
expand: (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null)
})
.then(data => {
return internalAccessList.get(res.locals.access, {
id: parseInt(data.host_id, 10),
id: parseInt(data.list_id, 10),
expand: data.expand
});
})
@ -123,7 +123,7 @@ router
.put((req, res, next) => {
apiValidator({$ref: 'endpoints/access-lists#/links/2/schema'}, req.body)
.then(payload => {
payload.id = parseInt(req.params.host_id, 10);
payload.id = parseInt(req.params.list_id, 10);
return internalAccessList.update(res.locals.access, payload);
})
.then(result => {
@ -139,7 +139,7 @@ router
* Update and existing access-list
*/
.delete((req, res, next) => {
internalAccessList.delete(res.locals.access, {id: parseInt(req.params.host_id, 10)})
internalAccessList.delete(res.locals.access, {id: parseInt(req.params.list_id, 10)})
.then(result => {
res.status(200)
.send(result);

125
src/backend/schema/endpoints/access-lists.json Normal file
View File

@ -0,0 +1,125 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "endpoints/access-lists",
"title": "Access Lists",
"description": "Endpoints relating to Access Lists",
"stability": "stable",
"type": "object",
"definitions": {
"id": {
"$ref": "../definitions.json#/definitions/id"
},
"created_on": {
"$ref": "../definitions.json#/definitions/created_on"
},
"modified_on": {
"$ref": "../definitions.json#/definitions/modified_on"
},
"name": {
"type": "string",
"description": "Name of the Access List"
},
"meta": {
"type": "object"
}
},
"properties": {
"id": {
"$ref": "#/definitions/id"
},
"created_on": {
"$ref": "#/definitions/created_on"
},
"modified_on": {
"$ref": "#/definitions/modified_on"
},
"name": {
"$ref": "#/definitions/name"
},
"meta": {
"$ref": "#/definitions/meta"
}
},
"links": [
{
"title": "List",
"description": "Returns a list of Access Lists",
"href": "/nginx/access-lists",
"access": "private",
"method": "GET",
"rel": "self",
"http_header": {
"$ref": "../examples.json#/definitions/auth_header"
},
"targetSchema": {
"type": "array",
"items": {
"$ref": "#/properties"
}
}
},
{
"title": "Create",
"description": "Creates a new Access List",
"href": "/nginx/access-list",
"access": "private",
"method": "POST",
"rel": "create",
"http_header": {
"$ref": "../examples.json#/definitions/auth_header"
},
"schema": {
"type": "object",
"additionalProperties": false,
"required": [
"name"
],
"properties": {
"name": {
"$ref": "#/definitions/name"
},
"items": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"username": {
"type": "string",
"minLength": 1
},
"password": {
"type": "string",
"minLength": 1
}
}
}
},
"meta": {
"$ref": "#/definitions/meta"
}
}
},
"targetSchema": {
"properties": {
"$ref": "#/properties"
}
}
},
{
"title": "Delete",
"description": "Deletes a existing Access List",
"href": "/nginx/access-list/{definitions.identity.example}",
"access": "private",
"method": "DELETE",
"rel": "delete",
"http_header": {
"$ref": "../examples.json#/definitions/auth_header"
},
"targetSchema": {
"type": "boolean"
}
}
]
}

3
src/backend/schema/index.json
View File

@ -31,6 +31,9 @@
},
"certificates": {
"$ref": "endpoints/certificates.json"
},
"access-lists": {
"$ref": "endpoints/access-lists.json"
}
}
}