mirror of
https://github.com/Termix-SSH/Termix.git
synced 2026-07-16 21:33:41 +00:00
refactor(ssh): split tunnel module into layered directory
ssh/tunnel/{index,routes,manager}.ts: server boot in index, HTTP handlers
in routes, tunnel state and engine (connect/retry/autostart) in manager.
Code motion only; port 30003 and endpoints unchanged.
This commit is contained in:
@@ -0,0 +1,92 @@
|
|||||||
|
import express from "express";
|
||||||
|
import { createServer } from "http";
|
||||||
|
|
||||||
|
import { createCorsMiddleware } from "../../utils/cors-config.js";
|
||||||
|
import cookieParser from "cookie-parser";
|
||||||
|
import { WebSocketServer } from "ws";
|
||||||
|
|
||||||
|
import { tunnelLogger } from "../../utils/logger.js";
|
||||||
|
import { AuthManager } from "../../utils/auth-manager.js";
|
||||||
|
|
||||||
|
import {
|
||||||
|
describeC2SRelayError,
|
||||||
|
extractRequestToken,
|
||||||
|
sendC2SError,
|
||||||
|
} from "../tunnel-c2s-relay-utils.js";
|
||||||
|
import {
|
||||||
|
handleC2SRelayOpen,
|
||||||
|
handleC2SRelayTest,
|
||||||
|
type C2SOpenMessage,
|
||||||
|
} from "../tunnel-c2s-relay.js";
|
||||||
|
|
||||||
|
import { registerTunnelRoutes } from "./routes.js";
|
||||||
|
import { initializeAutoStartTunnels } from "./manager.js";
|
||||||
|
|
||||||
|
const authManager = AuthManager.getInstance();
|
||||||
|
|
||||||
|
const app = express();
|
||||||
|
app.use(createCorsMiddleware(["GET", "POST", "PUT", "DELETE", "OPTIONS"]));
|
||||||
|
app.use(cookieParser());
|
||||||
|
app.use(express.json());
|
||||||
|
app.use((_req, res, next) => {
|
||||||
|
res.setHeader("Cache-Control", "no-store");
|
||||||
|
next();
|
||||||
|
});
|
||||||
|
|
||||||
|
registerTunnelRoutes(app);
|
||||||
|
|
||||||
|
const PORT = 30003;
|
||||||
|
const server = createServer(app);
|
||||||
|
const c2sRelayWss = new WebSocketServer({
|
||||||
|
server,
|
||||||
|
path: "/ssh/tunnel/c2s/stream",
|
||||||
|
});
|
||||||
|
|
||||||
|
c2sRelayWss.on("connection", (ws, req) => {
|
||||||
|
let opened = false;
|
||||||
|
|
||||||
|
ws.once("message", async (raw) => {
|
||||||
|
try {
|
||||||
|
const token = extractRequestToken(req);
|
||||||
|
const payload = token ? await authManager.verifyJWTToken(token) : null;
|
||||||
|
if (!payload?.userId || payload.pendingTOTP) {
|
||||||
|
sendC2SError(ws, "Authentication required");
|
||||||
|
ws.close();
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
const message = JSON.parse(raw.toString()) as C2SOpenMessage;
|
||||||
|
if (message.type !== "open" && message.type !== "test") {
|
||||||
|
throw new Error("Invalid client tunnel relay request");
|
||||||
|
}
|
||||||
|
|
||||||
|
opened = true;
|
||||||
|
if (message.type === "test") {
|
||||||
|
await handleC2SRelayTest(ws, message, payload.userId);
|
||||||
|
} else {
|
||||||
|
await handleC2SRelayOpen(ws, message, payload.userId);
|
||||||
|
}
|
||||||
|
} catch (error) {
|
||||||
|
const message = describeC2SRelayError(error);
|
||||||
|
tunnelLogger.error("Failed to open C2S relay", error, {
|
||||||
|
operation: "c2s_relay_open_failed",
|
||||||
|
});
|
||||||
|
sendC2SError(ws, message);
|
||||||
|
ws.close();
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
ws.on("close", () => {
|
||||||
|
if (!opened) {
|
||||||
|
tunnelLogger.info("C2S relay closed before opening", {
|
||||||
|
operation: "c2s_relay_closed_before_open",
|
||||||
|
});
|
||||||
|
}
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
server.listen(PORT, () => {
|
||||||
|
setTimeout(() => {
|
||||||
|
initializeAutoStartTunnels();
|
||||||
|
}, 2000);
|
||||||
|
});
|
||||||
@@ -1,35 +1,28 @@
|
|||||||
import express, { type Response } from "express";
|
import { type Response } from "express";
|
||||||
import { createServer } from "http";
|
|
||||||
import {
|
import {
|
||||||
createServer as createTcpServer,
|
createServer as createTcpServer,
|
||||||
Socket as TcpSocket,
|
Socket as TcpSocket,
|
||||||
type Server as TcpServer,
|
type Server as TcpServer,
|
||||||
} from "net";
|
} from "net";
|
||||||
import { createCorsMiddleware } from "../utils/cors-config.js";
|
|
||||||
import cookieParser from "cookie-parser";
|
|
||||||
import { Client, type ClientChannel } from "ssh2";
|
import { Client, type ClientChannel } from "ssh2";
|
||||||
import { WebSocketServer } from "ws";
|
import { SSH_ALGORITHMS } from "../../utils/ssh-algorithms.js";
|
||||||
import { SSH_ALGORITHMS } from "../utils/ssh-algorithms.js";
|
|
||||||
import { ChildProcess } from "child_process";
|
import { ChildProcess } from "child_process";
|
||||||
import axios from "axios";
|
import axios from "axios";
|
||||||
import { createCurrentHostResolutionRepository } from "../database/repositories/factory.js";
|
import { createCurrentHostResolutionRepository } from "../../database/repositories/factory.js";
|
||||||
import type {
|
import type {
|
||||||
SSHHost,
|
SSHHost,
|
||||||
TunnelConfig,
|
TunnelConfig,
|
||||||
TunnelStatus,
|
TunnelStatus,
|
||||||
VerificationData,
|
VerificationData,
|
||||||
AuthenticatedRequest,
|
} from "../../../types/index.js";
|
||||||
} from "../../types/index.js";
|
import { CONNECTION_STATES } from "../../../types/index.js";
|
||||||
import { CONNECTION_STATES } from "../../types/index.js";
|
import { tunnelLogger } from "../../utils/logger.js";
|
||||||
import { tunnelLogger } from "../utils/logger.js";
|
import { logAudit } from "../../utils/audit-logger.js";
|
||||||
import { logAudit } from "../utils/audit-logger.js";
|
import { SystemCrypto } from "../../utils/system-crypto.js";
|
||||||
import { SystemCrypto } from "../utils/system-crypto.js";
|
import { DataCrypto } from "../../utils/data-crypto.js";
|
||||||
import { DataCrypto } from "../utils/data-crypto.js";
|
import { createSocks5Connection } from "../../utils/socks5-helper.js";
|
||||||
import { createSocks5Connection } from "../utils/socks5-helper.js";
|
import { withConnection } from "../ssh-connection-pool.js";
|
||||||
import { AuthManager } from "../utils/auth-manager.js";
|
import { preparePrivateKeyForSSH2 } from "../../utils/ssh-key-utils.js";
|
||||||
import { PermissionManager } from "../utils/permission-manager.js";
|
|
||||||
import { withConnection } from "./ssh-connection-pool.js";
|
|
||||||
import { preparePrivateKeyForSSH2 } from "../utils/ssh-key-utils.js";
|
|
||||||
import {
|
import {
|
||||||
applyAuthOptions,
|
applyAuthOptions,
|
||||||
bindForwardIn,
|
bindForwardIn,
|
||||||
@@ -38,7 +31,7 @@ import {
|
|||||||
getManagedTunnelAlgorithms,
|
getManagedTunnelAlgorithms,
|
||||||
pipeTunnelStreams,
|
pipeTunnelStreams,
|
||||||
unbindForwardIn,
|
unbindForwardIn,
|
||||||
} from "./tunnel-ssh-primitives.js";
|
} from "../tunnel-ssh-primitives.js";
|
||||||
import {
|
import {
|
||||||
classifyTunnelError,
|
classifyTunnelError,
|
||||||
getTunnelBindHost,
|
getTunnelBindHost,
|
||||||
@@ -46,61 +39,41 @@ import {
|
|||||||
getTunnelMode,
|
getTunnelMode,
|
||||||
getTunnelScope,
|
getTunnelScope,
|
||||||
normalizeTunnelName,
|
normalizeTunnelName,
|
||||||
validateTunnelConfig,
|
} from "../tunnel-utils.js";
|
||||||
} from "./tunnel-utils.js";
|
|
||||||
import {
|
|
||||||
describeC2SRelayError,
|
|
||||||
extractRequestToken,
|
|
||||||
sendC2SError,
|
|
||||||
} from "./tunnel-c2s-relay-utils.js";
|
|
||||||
import {
|
|
||||||
handleC2SRelayOpen,
|
|
||||||
handleC2SRelayTest,
|
|
||||||
type C2SOpenMessage,
|
|
||||||
} from "./tunnel-c2s-relay.js";
|
|
||||||
import { resolveSshConnectConfigHost } from "./ssh-dns.js";
|
|
||||||
import { handleSocks5Connect } from "./tunnel-socks5-relay.js";
|
|
||||||
|
|
||||||
const app = express();
|
import { resolveSshConnectConfigHost } from "../ssh-dns.js";
|
||||||
app.use(createCorsMiddleware(["GET", "POST", "PUT", "DELETE", "OPTIONS"]));
|
import { handleSocks5Connect } from "../tunnel-socks5-relay.js";
|
||||||
app.use(cookieParser());
|
|
||||||
app.use(express.json());
|
|
||||||
app.use((_req, res, next) => {
|
|
||||||
res.setHeader("Cache-Control", "no-store");
|
|
||||||
next();
|
|
||||||
});
|
|
||||||
|
|
||||||
const authManager = AuthManager.getInstance();
|
export const activeTunnels = new Map<string, Client>();
|
||||||
const permissionManager = PermissionManager.getInstance();
|
export const retryCounters = new Map<string, number>();
|
||||||
const authenticateJWT = authManager.createAuthMiddleware();
|
export const connectionStatus = new Map<string, TunnelStatus>();
|
||||||
|
export const tunnelVerifications = new Map<string, VerificationData>();
|
||||||
|
export const manualDisconnects = new Set<string>();
|
||||||
|
export const verificationTimers = new Map<string, NodeJS.Timeout>();
|
||||||
|
export const activeRetryTimers = new Map<string, NodeJS.Timeout>();
|
||||||
|
export const countdownIntervals = new Map<string, NodeJS.Timeout>();
|
||||||
|
export const retryExhaustedTunnels = new Set<string>();
|
||||||
|
export const cleanupInProgress = new Set<string>();
|
||||||
|
export const tunnelConnecting = new Set<string>();
|
||||||
|
export const lastTunnelErrors = new Map<string, string>();
|
||||||
|
export const lastTunnelErrorTypes = new Map<
|
||||||
|
string,
|
||||||
|
TunnelStatus["errorType"]
|
||||||
|
>();
|
||||||
|
|
||||||
const activeTunnels = new Map<string, Client>();
|
export const tunnelConfigs = new Map<string, TunnelConfig>();
|
||||||
const retryCounters = new Map<string, number>();
|
export const activeTunnelProcesses = new Map<string, ChildProcess>();
|
||||||
const connectionStatus = new Map<string, TunnelStatus>();
|
export const pendingTunnelOperations = new Map<string, Promise<void>>();
|
||||||
const tunnelVerifications = new Map<string, VerificationData>();
|
export const tunnelStatusClients = new Set<Response>();
|
||||||
const manualDisconnects = new Set<string>();
|
|
||||||
const verificationTimers = new Map<string, NodeJS.Timeout>();
|
|
||||||
const activeRetryTimers = new Map<string, NodeJS.Timeout>();
|
|
||||||
const countdownIntervals = new Map<string, NodeJS.Timeout>();
|
|
||||||
const retryExhaustedTunnels = new Set<string>();
|
|
||||||
const cleanupInProgress = new Set<string>();
|
|
||||||
const tunnelConnecting = new Set<string>();
|
|
||||||
const lastTunnelErrors = new Map<string, string>();
|
|
||||||
const lastTunnelErrorTypes = new Map<string, TunnelStatus["errorType"]>();
|
|
||||||
|
|
||||||
const tunnelConfigs = new Map<string, TunnelConfig>();
|
export const INTERNAL_HOST_API_BASE_URL = "http://localhost:30001/host/db/host";
|
||||||
const activeTunnelProcesses = new Map<string, ChildProcess>();
|
export const AUTOSTART_FETCH_RETRIES = 6;
|
||||||
const pendingTunnelOperations = new Map<string, Promise<void>>();
|
|
||||||
const tunnelStatusClients = new Set<Response>();
|
|
||||||
|
|
||||||
const INTERNAL_HOST_API_BASE_URL = "http://localhost:30001/host/db/host";
|
export function sleep(ms: number): Promise<void> {
|
||||||
const AUTOSTART_FETCH_RETRIES = 6;
|
|
||||||
|
|
||||||
function sleep(ms: number): Promise<void> {
|
|
||||||
return new Promise((resolve) => setTimeout(resolve, ms));
|
return new Promise((resolve) => setTimeout(resolve, ms));
|
||||||
}
|
}
|
||||||
|
|
||||||
function describeAxiosError(error: unknown): string {
|
export function describeAxiosError(error: unknown): string {
|
||||||
if (axios.isAxiosError(error)) {
|
if (axios.isAxiosError(error)) {
|
||||||
return error.response
|
return error.response
|
||||||
? `${error.response.status} ${error.response.statusText}`
|
? `${error.response.status} ${error.response.statusText}`
|
||||||
@@ -110,7 +83,7 @@ function describeAxiosError(error: unknown): string {
|
|||||||
return error instanceof Error ? error.message : "Unknown error";
|
return error instanceof Error ? error.message : "Unknown error";
|
||||||
}
|
}
|
||||||
|
|
||||||
async function fetchInternalHosts(
|
export async function fetchInternalHosts(
|
||||||
path: "internal" | "internal/all",
|
path: "internal" | "internal/all",
|
||||||
internalAuthToken: string,
|
internalAuthToken: string,
|
||||||
): Promise<SSHHost[]> {
|
): Promise<SSHHost[]> {
|
||||||
@@ -153,7 +126,7 @@ async function fetchInternalHosts(
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
type ActiveTunnelRuntime = {
|
export type ActiveTunnelRuntime = {
|
||||||
sourceClient: Client;
|
sourceClient: Client;
|
||||||
endpointClient?: Client;
|
endpointClient?: Client;
|
||||||
bindClient?: Client;
|
bindClient?: Client;
|
||||||
@@ -163,9 +136,9 @@ type ActiveTunnelRuntime = {
|
|||||||
close: () => void;
|
close: () => void;
|
||||||
};
|
};
|
||||||
|
|
||||||
const activeTunnelRuntimes = new Map<string, ActiveTunnelRuntime>();
|
export const activeTunnelRuntimes = new Map<string, ActiveTunnelRuntime>();
|
||||||
|
|
||||||
function findHostByTunnelEndpoint(
|
export function findHostByTunnelEndpoint(
|
||||||
hosts: SSHHost[],
|
hosts: SSHHost[],
|
||||||
endpointHost?: string,
|
endpointHost?: string,
|
||||||
): SSHHost | undefined {
|
): SSHHost | undefined {
|
||||||
@@ -183,7 +156,10 @@ function findHostByTunnelEndpoint(
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
function broadcastTunnelStatus(tunnelName: string, status: TunnelStatus): void {
|
export function broadcastTunnelStatus(
|
||||||
|
tunnelName: string,
|
||||||
|
status: TunnelStatus,
|
||||||
|
): void {
|
||||||
if (
|
if (
|
||||||
status.status === CONNECTION_STATES.CONNECTED &&
|
status.status === CONNECTION_STATES.CONNECTED &&
|
||||||
activeRetryTimers.has(tunnelName)
|
activeRetryTimers.has(tunnelName)
|
||||||
@@ -229,7 +205,7 @@ function broadcastTunnelStatus(tunnelName: string, status: TunnelStatus): void {
|
|||||||
broadcastTunnelStatusSnapshot();
|
broadcastTunnelStatusSnapshot();
|
||||||
}
|
}
|
||||||
|
|
||||||
function getAllTunnelStatus(): Record<string, TunnelStatus> {
|
export function getAllTunnelStatus(): Record<string, TunnelStatus> {
|
||||||
const tunnelStatus: Record<string, TunnelStatus> = {};
|
const tunnelStatus: Record<string, TunnelStatus> = {};
|
||||||
connectionStatus.forEach((status, key) => {
|
connectionStatus.forEach((status, key) => {
|
||||||
tunnelStatus[key] = status;
|
tunnelStatus[key] = status;
|
||||||
@@ -237,7 +213,7 @@ function getAllTunnelStatus(): Record<string, TunnelStatus> {
|
|||||||
return tunnelStatus;
|
return tunnelStatus;
|
||||||
}
|
}
|
||||||
|
|
||||||
function sendTunnelStatusSnapshot(res: Response): void {
|
export function sendTunnelStatusSnapshot(res: Response): void {
|
||||||
try {
|
try {
|
||||||
res.write(
|
res.write(
|
||||||
`event: statuses\ndata: ${JSON.stringify(getAllTunnelStatus())}\n\n`,
|
`event: statuses\ndata: ${JSON.stringify(getAllTunnelStatus())}\n\n`,
|
||||||
@@ -247,13 +223,13 @@ function sendTunnelStatusSnapshot(res: Response): void {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function broadcastTunnelStatusSnapshot(): void {
|
export function broadcastTunnelStatusSnapshot(): void {
|
||||||
for (const client of tunnelStatusClients) {
|
for (const client of tunnelStatusClients) {
|
||||||
sendTunnelStatusSnapshot(client);
|
sendTunnelStatusSnapshot(client);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
async function cleanupTunnelResources(
|
export async function cleanupTunnelResources(
|
||||||
tunnelName: string,
|
tunnelName: string,
|
||||||
forceCleanup = false,
|
forceCleanup = false,
|
||||||
): Promise<void> {
|
): Promise<void> {
|
||||||
@@ -366,7 +342,7 @@ async function cleanupTunnelResources(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function resetRetryState(tunnelName: string): void {
|
export function resetRetryState(tunnelName: string): void {
|
||||||
retryCounters.delete(tunnelName);
|
retryCounters.delete(tunnelName);
|
||||||
retryExhaustedTunnels.delete(tunnelName);
|
retryExhaustedTunnels.delete(tunnelName);
|
||||||
lastTunnelErrors.delete(tunnelName);
|
lastTunnelErrors.delete(tunnelName);
|
||||||
@@ -393,7 +369,7 @@ function resetRetryState(tunnelName: string): void {
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
async function handleDisconnect(
|
export async function handleDisconnect(
|
||||||
tunnelName: string,
|
tunnelName: string,
|
||||||
tunnelConfig: TunnelConfig | null,
|
tunnelConfig: TunnelConfig | null,
|
||||||
shouldRetry = true,
|
shouldRetry = true,
|
||||||
@@ -534,7 +510,7 @@ async function handleDisconnect(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function setupPingInterval(tunnelName: string): void {
|
export function setupPingInterval(tunnelName: string): void {
|
||||||
const pingKey = `${tunnelName}_ping`;
|
const pingKey = `${tunnelName}_ping`;
|
||||||
if (verificationTimers.has(pingKey)) {
|
if (verificationTimers.has(pingKey)) {
|
||||||
clearInterval(verificationTimers.get(pingKey)!);
|
clearInterval(verificationTimers.get(pingKey)!);
|
||||||
@@ -562,7 +538,7 @@ function setupPingInterval(tunnelName: string): void {
|
|||||||
verificationTimers.set(pingKey, pingInterval);
|
verificationTimers.set(pingKey, pingInterval);
|
||||||
}
|
}
|
||||||
|
|
||||||
async function connectEndpointThroughSource(
|
export async function connectEndpointThroughSource(
|
||||||
sourceClient: Client,
|
sourceClient: Client,
|
||||||
tunnelConfig: TunnelConfig,
|
tunnelConfig: TunnelConfig,
|
||||||
endpointCredentials: {
|
endpointCredentials: {
|
||||||
@@ -595,7 +571,7 @@ async function connectEndpointThroughSource(
|
|||||||
return connectClient(endpointOptions, tunnelConfig.name, "endpoint");
|
return connectClient(endpointOptions, tunnelConfig.name, "endpoint");
|
||||||
}
|
}
|
||||||
|
|
||||||
function resolveS2SLocalTargetHost(tunnelConfig: TunnelConfig): string {
|
export function resolveS2SLocalTargetHost(tunnelConfig: TunnelConfig): string {
|
||||||
const targetHost = tunnelConfig.targetHost?.trim();
|
const targetHost = tunnelConfig.targetHost?.trim();
|
||||||
|
|
||||||
if (
|
if (
|
||||||
@@ -609,7 +585,7 @@ function resolveS2SLocalTargetHost(tunnelConfig: TunnelConfig): string {
|
|||||||
return targetHost;
|
return targetHost;
|
||||||
}
|
}
|
||||||
|
|
||||||
function isSingleHostTunnel(tunnelConfig: TunnelConfig): boolean {
|
export function isSingleHostTunnel(tunnelConfig: TunnelConfig): boolean {
|
||||||
if (!tunnelConfig.endpointHost && !tunnelConfig.endpointIP) return true;
|
if (!tunnelConfig.endpointHost && !tunnelConfig.endpointIP) return true;
|
||||||
if (
|
if (
|
||||||
tunnelConfig.endpointHost === "127.0.0.1" ||
|
tunnelConfig.endpointHost === "127.0.0.1" ||
|
||||||
@@ -627,13 +603,15 @@ function isSingleHostTunnel(tunnelConfig: TunnelConfig): boolean {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
function shouldEstablishDirectTunnel(tunnelConfig: TunnelConfig): boolean {
|
export function shouldEstablishDirectTunnel(
|
||||||
|
tunnelConfig: TunnelConfig,
|
||||||
|
): boolean {
|
||||||
if (isSingleHostTunnel(tunnelConfig)) return true;
|
if (isSingleHostTunnel(tunnelConfig)) return true;
|
||||||
const mode = getTunnelMode(tunnelConfig);
|
const mode = getTunnelMode(tunnelConfig);
|
||||||
return mode !== "remote" && !tunnelConfig.endpointUsername;
|
return mode !== "remote" && !tunnelConfig.endpointUsername;
|
||||||
}
|
}
|
||||||
|
|
||||||
async function establishDirectTunnel(
|
export async function establishDirectTunnel(
|
||||||
sourceClient: Client,
|
sourceClient: Client,
|
||||||
tunnelConfig: TunnelConfig,
|
tunnelConfig: TunnelConfig,
|
||||||
): Promise<void> {
|
): Promise<void> {
|
||||||
@@ -760,7 +738,7 @@ async function establishDirectTunnel(
|
|||||||
activeTunnels.set(tunnelName, sourceClient);
|
activeTunnels.set(tunnelName, sourceClient);
|
||||||
}
|
}
|
||||||
|
|
||||||
async function establishManagedS2STunnel(
|
export async function establishManagedS2STunnel(
|
||||||
sourceClient: Client,
|
sourceClient: Client,
|
||||||
tunnelConfig: TunnelConfig,
|
tunnelConfig: TunnelConfig,
|
||||||
endpointCredentials: {
|
endpointCredentials: {
|
||||||
@@ -871,7 +849,7 @@ async function establishManagedS2STunnel(
|
|||||||
activeTunnels.set(tunnelName, sourceClient);
|
activeTunnels.set(tunnelName, sourceClient);
|
||||||
}
|
}
|
||||||
|
|
||||||
async function connectSSHTunnel(
|
export async function connectSSHTunnel(
|
||||||
tunnelConfig: TunnelConfig,
|
tunnelConfig: TunnelConfig,
|
||||||
retryAttempt = 0,
|
retryAttempt = 0,
|
||||||
): Promise<void> {
|
): Promise<void> {
|
||||||
@@ -957,7 +935,7 @@ async function connectSSHTunnel(
|
|||||||
!tunnelConfig.sourceSSHKey
|
!tunnelConfig.sourceSSHKey
|
||||||
) {
|
) {
|
||||||
try {
|
try {
|
||||||
const { resolveHostById } = await import("./host-resolver.js");
|
const { resolveHostById } = await import("../host-resolver.js");
|
||||||
const resolvedHost = await resolveHostById(
|
const resolvedHost = await resolveHostById(
|
||||||
tunnelConfig.sourceHostId,
|
tunnelConfig.sourceHostId,
|
||||||
effectiveUserId,
|
effectiveUserId,
|
||||||
@@ -995,7 +973,7 @@ async function connectSSHTunnel(
|
|||||||
// Legacy: credential resolution from credentialId
|
// Legacy: credential resolution from credentialId
|
||||||
try {
|
try {
|
||||||
if (tunnelConfig.sourceHostId) {
|
if (tunnelConfig.sourceHostId) {
|
||||||
const { resolveHostById } = await import("./host-resolver.js");
|
const { resolveHostById } = await import("../host-resolver.js");
|
||||||
const resolvedHost = await resolveHostById(
|
const resolvedHost = await resolveHostById(
|
||||||
tunnelConfig.sourceHostId,
|
tunnelConfig.sourceHostId,
|
||||||
effectiveUserId,
|
effectiveUserId,
|
||||||
@@ -1522,7 +1500,7 @@ async function connectSSHTunnel(
|
|||||||
conn.connect(connOptions);
|
conn.connect(connOptions);
|
||||||
}
|
}
|
||||||
|
|
||||||
async function killRemoteTunnelByMarker(
|
export async function killRemoteTunnelByMarker(
|
||||||
tunnelConfig: TunnelConfig,
|
tunnelConfig: TunnelConfig,
|
||||||
tunnelName: string,
|
tunnelName: string,
|
||||||
callback: (err?: Error) => void,
|
callback: (err?: Error) => void,
|
||||||
@@ -1551,7 +1529,7 @@ async function killRemoteTunnelByMarker(
|
|||||||
!tunnelConfig.sourceSSHKey
|
!tunnelConfig.sourceSSHKey
|
||||||
) {
|
) {
|
||||||
try {
|
try {
|
||||||
const { resolveHostById } = await import("./host-resolver.js");
|
const { resolveHostById } = await import("../host-resolver.js");
|
||||||
const resolvedHost = await resolveHostById(
|
const resolvedHost = await resolveHostById(
|
||||||
tunnelConfig.sourceHostId,
|
tunnelConfig.sourceHostId,
|
||||||
tunnelConfig.sourceUserId,
|
tunnelConfig.sourceUserId,
|
||||||
@@ -1814,555 +1792,8 @@ async function killRemoteTunnelByMarker(
|
|||||||
* 200:
|
* 200:
|
||||||
* description: A list of all tunnel statuses.
|
* description: A list of all tunnel statuses.
|
||||||
*/
|
*/
|
||||||
app.get(
|
|
||||||
"/ssh/tunnel/status",
|
|
||||||
authenticateJWT,
|
|
||||||
(req: AuthenticatedRequest, res: Response) => {
|
|
||||||
if (!req.userId) {
|
|
||||||
return res.status(401).json({ error: "Authentication required" });
|
|
||||||
}
|
|
||||||
|
|
||||||
res.json(getAllTunnelStatus());
|
export async function initializeAutoStartTunnels(): Promise<void> {
|
||||||
},
|
|
||||||
);
|
|
||||||
|
|
||||||
app.get(
|
|
||||||
"/ssh/tunnel/status/stream",
|
|
||||||
authenticateJWT,
|
|
||||||
(req: AuthenticatedRequest, res: Response) => {
|
|
||||||
if (!req.userId) {
|
|
||||||
return res.status(401).json({ error: "Authentication required" });
|
|
||||||
}
|
|
||||||
|
|
||||||
res.writeHead(200, {
|
|
||||||
"Content-Type": "text/event-stream",
|
|
||||||
"Cache-Control": "no-store, no-transform",
|
|
||||||
Connection: "keep-alive",
|
|
||||||
"X-Accel-Buffering": "no",
|
|
||||||
});
|
|
||||||
res.flushHeaders?.();
|
|
||||||
|
|
||||||
tunnelStatusClients.add(res);
|
|
||||||
sendTunnelStatusSnapshot(res);
|
|
||||||
|
|
||||||
const heartbeat = setInterval(() => {
|
|
||||||
try {
|
|
||||||
res.write(": keepalive\n\n");
|
|
||||||
} catch {
|
|
||||||
closeStream();
|
|
||||||
}
|
|
||||||
}, 30000);
|
|
||||||
|
|
||||||
const closeStream = () => {
|
|
||||||
clearInterval(heartbeat);
|
|
||||||
tunnelStatusClients.delete(res);
|
|
||||||
};
|
|
||||||
|
|
||||||
req.on("close", closeStream);
|
|
||||||
},
|
|
||||||
);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @openapi
|
|
||||||
* /ssh/tunnel/status/{tunnelName}:
|
|
||||||
* get:
|
|
||||||
* summary: Get tunnel status by name
|
|
||||||
* description: Retrieves the status of a specific SSH tunnel by its name.
|
|
||||||
* tags:
|
|
||||||
* - SSH Tunnels
|
|
||||||
* parameters:
|
|
||||||
* - in: path
|
|
||||||
* name: tunnelName
|
|
||||||
* required: true
|
|
||||||
* schema:
|
|
||||||
* type: string
|
|
||||||
* responses:
|
|
||||||
* 200:
|
|
||||||
* description: Tunnel status.
|
|
||||||
* 404:
|
|
||||||
* description: Tunnel not found.
|
|
||||||
*/
|
|
||||||
app.get(
|
|
||||||
"/ssh/tunnel/status/:tunnelName",
|
|
||||||
authenticateJWT,
|
|
||||||
(req: AuthenticatedRequest, res: Response) => {
|
|
||||||
if (!req.userId) {
|
|
||||||
return res.status(401).json({ error: "Authentication required" });
|
|
||||||
}
|
|
||||||
|
|
||||||
const tunnelNameParam = req.params.tunnelName;
|
|
||||||
const tunnelName = Array.isArray(tunnelNameParam)
|
|
||||||
? tunnelNameParam[0]
|
|
||||||
: tunnelNameParam;
|
|
||||||
const status = connectionStatus.get(tunnelName);
|
|
||||||
|
|
||||||
if (!status) {
|
|
||||||
return res.status(404).json({ error: "Tunnel not found" });
|
|
||||||
}
|
|
||||||
|
|
||||||
res.json({ name: tunnelName, status });
|
|
||||||
},
|
|
||||||
);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @openapi
|
|
||||||
* /ssh/tunnel/connect:
|
|
||||||
* post:
|
|
||||||
* summary: Connect SSH tunnel
|
|
||||||
* description: Establishes an SSH tunnel connection with the specified configuration.
|
|
||||||
* tags:
|
|
||||||
* - SSH Tunnels
|
|
||||||
* requestBody:
|
|
||||||
* required: true
|
|
||||||
* content:
|
|
||||||
* application/json:
|
|
||||||
* schema:
|
|
||||||
* type: object
|
|
||||||
* properties:
|
|
||||||
* name:
|
|
||||||
* type: string
|
|
||||||
* sourceHostId:
|
|
||||||
* type: integer
|
|
||||||
* tunnelIndex:
|
|
||||||
* type: integer
|
|
||||||
* responses:
|
|
||||||
* 200:
|
|
||||||
* description: Connection request received.
|
|
||||||
* 400:
|
|
||||||
* description: Invalid tunnel configuration.
|
|
||||||
* 401:
|
|
||||||
* description: Authentication required.
|
|
||||||
* 403:
|
|
||||||
* description: Access denied to this host.
|
|
||||||
* 500:
|
|
||||||
* description: Failed to connect tunnel.
|
|
||||||
*/
|
|
||||||
app.post(
|
|
||||||
"/ssh/tunnel/connect",
|
|
||||||
authenticateJWT,
|
|
||||||
async (req: AuthenticatedRequest, res: Response) => {
|
|
||||||
const tunnelConfig: TunnelConfig = req.body;
|
|
||||||
const userId = req.userId;
|
|
||||||
|
|
||||||
if (!userId) {
|
|
||||||
return res.status(401).json({ error: "Authentication required" });
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!tunnelConfig || !tunnelConfig.name) {
|
|
||||||
return res.status(400).json({ error: "Invalid tunnel configuration" });
|
|
||||||
}
|
|
||||||
|
|
||||||
const tunnelName = tunnelConfig.name;
|
|
||||||
tunnelConfig.requestingUserId = userId;
|
|
||||||
|
|
||||||
try {
|
|
||||||
if (!validateTunnelConfig(tunnelName, tunnelConfig)) {
|
|
||||||
tunnelLogger.error(`Tunnel config validation failed`, {
|
|
||||||
operation: "tunnel_connect",
|
|
||||||
tunnelName,
|
|
||||||
configHostId: tunnelConfig.sourceHostId,
|
|
||||||
configTunnelIndex: tunnelConfig.tunnelIndex,
|
|
||||||
});
|
|
||||||
return res.status(400).json({
|
|
||||||
error: "Tunnel configuration does not match tunnel name",
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
if (tunnelConfig.sourceHostId) {
|
|
||||||
const accessInfo = await permissionManager.canAccessHost(
|
|
||||||
userId,
|
|
||||||
tunnelConfig.sourceHostId,
|
|
||||||
"read",
|
|
||||||
);
|
|
||||||
|
|
||||||
if (!accessInfo.hasAccess) {
|
|
||||||
tunnelLogger.warn("User attempted tunnel connect without access", {
|
|
||||||
operation: "tunnel_connect_unauthorized",
|
|
||||||
userId,
|
|
||||||
hostId: tunnelConfig.sourceHostId,
|
|
||||||
tunnelName,
|
|
||||||
});
|
|
||||||
return res.status(403).json({ error: "Access denied to this host" });
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (pendingTunnelOperations.has(tunnelName)) {
|
|
||||||
try {
|
|
||||||
await pendingTunnelOperations.get(tunnelName);
|
|
||||||
} catch {
|
|
||||||
tunnelLogger.warn(`Previous tunnel operation failed`, { tunnelName });
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
const operation = (async () => {
|
|
||||||
manualDisconnects.delete(tunnelName);
|
|
||||||
retryCounters.delete(tunnelName);
|
|
||||||
retryExhaustedTunnels.delete(tunnelName);
|
|
||||||
|
|
||||||
await cleanupTunnelResources(tunnelName);
|
|
||||||
|
|
||||||
if (tunnelConfigs.has(tunnelName)) {
|
|
||||||
const existingConfig = tunnelConfigs.get(tunnelName);
|
|
||||||
if (
|
|
||||||
existingConfig &&
|
|
||||||
(existingConfig.sourceHostId !== tunnelConfig.sourceHostId ||
|
|
||||||
existingConfig.tunnelIndex !== tunnelConfig.tunnelIndex)
|
|
||||||
) {
|
|
||||||
throw new Error(`Tunnel name collision detected: ${tunnelName}`);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (
|
|
||||||
!isSingleHostTunnel(tunnelConfig) &&
|
|
||||||
(!tunnelConfig.endpointIP || !tunnelConfig.endpointUsername)
|
|
||||||
) {
|
|
||||||
try {
|
|
||||||
const systemCrypto = SystemCrypto.getInstance();
|
|
||||||
const internalAuthToken = await systemCrypto.getInternalAuthToken();
|
|
||||||
|
|
||||||
const allHostsResponse = await axios.get(
|
|
||||||
"http://localhost:30001/host/db/host/internal/all",
|
|
||||||
{
|
|
||||||
headers: {
|
|
||||||
"Content-Type": "application/json",
|
|
||||||
"X-Internal-Auth-Token": internalAuthToken,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
);
|
|
||||||
|
|
||||||
const allHosts: SSHHost[] = allHostsResponse.data || [];
|
|
||||||
const endpointHost = findHostByTunnelEndpoint(
|
|
||||||
allHosts,
|
|
||||||
tunnelConfig.endpointHost,
|
|
||||||
);
|
|
||||||
|
|
||||||
if (!endpointHost) {
|
|
||||||
if (getTunnelMode(tunnelConfig) !== "remote") {
|
|
||||||
tunnelConfig.endpointIP =
|
|
||||||
tunnelConfig.endpointIP || tunnelConfig.endpointHost;
|
|
||||||
} else {
|
|
||||||
throw new Error(
|
|
||||||
`Endpoint host '${tunnelConfig.endpointHost}' not found in database`,
|
|
||||||
);
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
if (!endpointHost.id) {
|
|
||||||
throw new Error("Endpoint host not found");
|
|
||||||
}
|
|
||||||
|
|
||||||
const endpointAccess = await permissionManager.canAccessHost(
|
|
||||||
userId,
|
|
||||||
endpointHost.id,
|
|
||||||
"read",
|
|
||||||
);
|
|
||||||
if (!endpointAccess.hasAccess) {
|
|
||||||
tunnelLogger.warn(
|
|
||||||
"User attempted tunnel connect without endpoint access",
|
|
||||||
{
|
|
||||||
operation: "tunnel_connect_endpoint_unauthorized",
|
|
||||||
userId,
|
|
||||||
hostId: endpointHost.id,
|
|
||||||
tunnelName,
|
|
||||||
},
|
|
||||||
);
|
|
||||||
throw new Error("Endpoint host not found");
|
|
||||||
}
|
|
||||||
|
|
||||||
tunnelConfig.endpointIP = endpointHost.ip;
|
|
||||||
tunnelConfig.endpointSSHPort = endpointHost.port;
|
|
||||||
tunnelConfig.endpointUsername = endpointHost.username;
|
|
||||||
tunnelConfig.endpointAuthMethod = endpointHost.authType;
|
|
||||||
tunnelConfig.endpointKeyType = endpointHost.keyType;
|
|
||||||
tunnelConfig.endpointCredentialId =
|
|
||||||
endpointHost.userId === userId
|
|
||||||
? endpointHost.credentialId
|
|
||||||
: undefined;
|
|
||||||
tunnelConfig.endpointUserId = userId;
|
|
||||||
|
|
||||||
// Resolve credentials server-side instead of from HTTP response
|
|
||||||
if (endpointHost.id) {
|
|
||||||
try {
|
|
||||||
const { resolveHostById } =
|
|
||||||
await import("./host-resolver.js");
|
|
||||||
const resolved = await resolveHostById(
|
|
||||||
endpointHost.id,
|
|
||||||
userId,
|
|
||||||
);
|
|
||||||
if (resolved) {
|
|
||||||
tunnelConfig.endpointPassword = resolved.password;
|
|
||||||
tunnelConfig.endpointSSHKey = resolved.key;
|
|
||||||
tunnelConfig.endpointKeyPassword = resolved.keyPassword;
|
|
||||||
}
|
|
||||||
} catch (credError) {
|
|
||||||
tunnelLogger.warn(
|
|
||||||
"Failed to resolve endpoint credentials from DB",
|
|
||||||
{
|
|
||||||
operation: "tunnel_endpoint_credential_resolve",
|
|
||||||
endpointHostId: endpointHost.id,
|
|
||||||
error:
|
|
||||||
credError instanceof Error
|
|
||||||
? credError.message
|
|
||||||
: "Unknown",
|
|
||||||
},
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} catch (resolveError) {
|
|
||||||
tunnelLogger.error(
|
|
||||||
"Failed to resolve endpoint host",
|
|
||||||
resolveError,
|
|
||||||
{
|
|
||||||
operation: "tunnel_connect_resolve_endpoint_failed",
|
|
||||||
tunnelName,
|
|
||||||
endpointHost: tunnelConfig.endpointHost,
|
|
||||||
},
|
|
||||||
);
|
|
||||||
throw new Error(
|
|
||||||
`Failed to resolve endpoint host: ${resolveError instanceof Error ? resolveError.message : "Unknown error"}`,
|
|
||||||
{ cause: resolveError },
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
tunnelConfigs.set(tunnelName, tunnelConfig);
|
|
||||||
await connectSSHTunnel(tunnelConfig, 0);
|
|
||||||
})();
|
|
||||||
|
|
||||||
pendingTunnelOperations.set(tunnelName, operation);
|
|
||||||
|
|
||||||
res.json({ message: "Connection request received", tunnelName });
|
|
||||||
|
|
||||||
operation
|
|
||||||
.catch((err) => {
|
|
||||||
tunnelLogger.error("Tunnel operation failed", err, {
|
|
||||||
operation: "tunnel_operation_failed",
|
|
||||||
tunnelName,
|
|
||||||
});
|
|
||||||
broadcastTunnelStatus(tunnelName, {
|
|
||||||
connected: false,
|
|
||||||
status: CONNECTION_STATES.FAILED,
|
|
||||||
reason: err instanceof Error ? err.message : "Unknown error",
|
|
||||||
});
|
|
||||||
tunnelConnecting.delete(tunnelName);
|
|
||||||
})
|
|
||||||
.finally(() => {
|
|
||||||
pendingTunnelOperations.delete(tunnelName);
|
|
||||||
});
|
|
||||||
} catch (error) {
|
|
||||||
tunnelLogger.error("Failed to process tunnel connect", error, {
|
|
||||||
operation: "tunnel_connect",
|
|
||||||
tunnelName,
|
|
||||||
userId,
|
|
||||||
});
|
|
||||||
res.status(500).json({ error: "Failed to connect tunnel" });
|
|
||||||
}
|
|
||||||
},
|
|
||||||
);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @openapi
|
|
||||||
* /ssh/tunnel/disconnect:
|
|
||||||
* post:
|
|
||||||
* summary: Disconnect SSH tunnel
|
|
||||||
* description: Disconnects an active SSH tunnel.
|
|
||||||
* tags:
|
|
||||||
* - SSH Tunnels
|
|
||||||
* requestBody:
|
|
||||||
* required: true
|
|
||||||
* content:
|
|
||||||
* application/json:
|
|
||||||
* schema:
|
|
||||||
* type: object
|
|
||||||
* properties:
|
|
||||||
* tunnelName:
|
|
||||||
* type: string
|
|
||||||
* responses:
|
|
||||||
* 200:
|
|
||||||
* description: Disconnect request received.
|
|
||||||
* 400:
|
|
||||||
* description: Tunnel name required.
|
|
||||||
* 401:
|
|
||||||
* description: Authentication required.
|
|
||||||
* 403:
|
|
||||||
* description: Access denied.
|
|
||||||
* 500:
|
|
||||||
* description: Failed to disconnect tunnel.
|
|
||||||
*/
|
|
||||||
app.post(
|
|
||||||
"/ssh/tunnel/disconnect",
|
|
||||||
authenticateJWT,
|
|
||||||
async (req: AuthenticatedRequest, res: Response) => {
|
|
||||||
const { tunnelName } = req.body;
|
|
||||||
const userId = req.userId;
|
|
||||||
|
|
||||||
if (!userId) {
|
|
||||||
return res.status(401).json({ error: "Authentication required" });
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!tunnelName) {
|
|
||||||
return res.status(400).json({ error: "Tunnel name required" });
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
|
||||||
const config = tunnelConfigs.get(tunnelName);
|
|
||||||
if (config && config.sourceHostId) {
|
|
||||||
const accessInfo = await permissionManager.canAccessHost(
|
|
||||||
userId,
|
|
||||||
config.sourceHostId,
|
|
||||||
"read",
|
|
||||||
);
|
|
||||||
if (!accessInfo.hasAccess) {
|
|
||||||
return res.status(403).json({ error: "Access denied" });
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
tunnelLogger.info("Tunnel stop request received", {
|
|
||||||
operation: "tunnel_stop_request",
|
|
||||||
userId,
|
|
||||||
hostId: config?.sourceHostId,
|
|
||||||
tunnelName,
|
|
||||||
});
|
|
||||||
manualDisconnects.add(tunnelName);
|
|
||||||
retryCounters.delete(tunnelName);
|
|
||||||
retryExhaustedTunnels.delete(tunnelName);
|
|
||||||
|
|
||||||
if (activeRetryTimers.has(tunnelName)) {
|
|
||||||
clearTimeout(activeRetryTimers.get(tunnelName)!);
|
|
||||||
activeRetryTimers.delete(tunnelName);
|
|
||||||
}
|
|
||||||
|
|
||||||
await cleanupTunnelResources(tunnelName, true);
|
|
||||||
tunnelLogger.info("Tunnel cleanup completed", {
|
|
||||||
operation: "tunnel_cleanup_complete",
|
|
||||||
userId,
|
|
||||||
hostId: config?.sourceHostId,
|
|
||||||
tunnelName,
|
|
||||||
});
|
|
||||||
|
|
||||||
broadcastTunnelStatus(tunnelName, {
|
|
||||||
connected: false,
|
|
||||||
status: CONNECTION_STATES.DISCONNECTED,
|
|
||||||
manualDisconnect: true,
|
|
||||||
});
|
|
||||||
|
|
||||||
const tunnelConfig = tunnelConfigs.get(tunnelName) || null;
|
|
||||||
handleDisconnect(tunnelName, tunnelConfig, false);
|
|
||||||
|
|
||||||
setTimeout(() => {
|
|
||||||
manualDisconnects.delete(tunnelName);
|
|
||||||
}, 5000);
|
|
||||||
|
|
||||||
res.json({ message: "Disconnect request received", tunnelName });
|
|
||||||
} catch (error) {
|
|
||||||
tunnelLogger.error("Failed to disconnect tunnel", error, {
|
|
||||||
operation: "tunnel_disconnect",
|
|
||||||
tunnelName,
|
|
||||||
userId,
|
|
||||||
});
|
|
||||||
res.status(500).json({ error: "Failed to disconnect tunnel" });
|
|
||||||
}
|
|
||||||
},
|
|
||||||
);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @openapi
|
|
||||||
* /ssh/tunnel/cancel:
|
|
||||||
* post:
|
|
||||||
* summary: Cancel tunnel retry
|
|
||||||
* description: Cancels the retry mechanism for a failed SSH tunnel connection.
|
|
||||||
* tags:
|
|
||||||
* - SSH Tunnels
|
|
||||||
* requestBody:
|
|
||||||
* required: true
|
|
||||||
* content:
|
|
||||||
* application/json:
|
|
||||||
* schema:
|
|
||||||
* type: object
|
|
||||||
* properties:
|
|
||||||
* tunnelName:
|
|
||||||
* type: string
|
|
||||||
* responses:
|
|
||||||
* 200:
|
|
||||||
* description: Cancel request received.
|
|
||||||
* 400:
|
|
||||||
* description: Tunnel name required.
|
|
||||||
* 401:
|
|
||||||
* description: Authentication required.
|
|
||||||
* 403:
|
|
||||||
* description: Access denied.
|
|
||||||
* 500:
|
|
||||||
* description: Failed to cancel tunnel retry.
|
|
||||||
*/
|
|
||||||
app.post(
|
|
||||||
"/ssh/tunnel/cancel",
|
|
||||||
authenticateJWT,
|
|
||||||
async (req: AuthenticatedRequest, res: Response) => {
|
|
||||||
const { tunnelName } = req.body;
|
|
||||||
const userId = req.userId;
|
|
||||||
|
|
||||||
if (!userId) {
|
|
||||||
return res.status(401).json({ error: "Authentication required" });
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!tunnelName) {
|
|
||||||
return res.status(400).json({ error: "Tunnel name required" });
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
|
||||||
const config = tunnelConfigs.get(tunnelName);
|
|
||||||
if (config && config.sourceHostId) {
|
|
||||||
const accessInfo = await permissionManager.canAccessHost(
|
|
||||||
userId,
|
|
||||||
config.sourceHostId,
|
|
||||||
"read",
|
|
||||||
);
|
|
||||||
if (!accessInfo.hasAccess) {
|
|
||||||
return res.status(403).json({ error: "Access denied" });
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
retryCounters.delete(tunnelName);
|
|
||||||
retryExhaustedTunnels.delete(tunnelName);
|
|
||||||
|
|
||||||
if (activeRetryTimers.has(tunnelName)) {
|
|
||||||
clearTimeout(activeRetryTimers.get(tunnelName)!);
|
|
||||||
activeRetryTimers.delete(tunnelName);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (countdownIntervals.has(tunnelName)) {
|
|
||||||
clearInterval(countdownIntervals.get(tunnelName)!);
|
|
||||||
countdownIntervals.delete(tunnelName);
|
|
||||||
}
|
|
||||||
|
|
||||||
await cleanupTunnelResources(tunnelName, true);
|
|
||||||
|
|
||||||
broadcastTunnelStatus(tunnelName, {
|
|
||||||
connected: false,
|
|
||||||
status: CONNECTION_STATES.DISCONNECTED,
|
|
||||||
manualDisconnect: true,
|
|
||||||
});
|
|
||||||
|
|
||||||
const tunnelConfig = tunnelConfigs.get(tunnelName) || null;
|
|
||||||
handleDisconnect(tunnelName, tunnelConfig, false);
|
|
||||||
|
|
||||||
setTimeout(() => {
|
|
||||||
manualDisconnects.delete(tunnelName);
|
|
||||||
}, 5000);
|
|
||||||
|
|
||||||
res.json({ message: "Cancel request received", tunnelName });
|
|
||||||
} catch (error) {
|
|
||||||
tunnelLogger.error("Failed to cancel tunnel retry", error, {
|
|
||||||
operation: "tunnel_cancel",
|
|
||||||
tunnelName,
|
|
||||||
userId,
|
|
||||||
});
|
|
||||||
res.status(500).json({ error: "Failed to cancel tunnel retry" });
|
|
||||||
}
|
|
||||||
},
|
|
||||||
);
|
|
||||||
|
|
||||||
async function initializeAutoStartTunnels(): Promise<void> {
|
|
||||||
try {
|
try {
|
||||||
const systemCrypto = SystemCrypto.getInstance();
|
const systemCrypto = SystemCrypto.getInstance();
|
||||||
const internalAuthToken = await systemCrypto.getInternalAuthToken();
|
const internalAuthToken = await systemCrypto.getInternalAuthToken();
|
||||||
@@ -2473,59 +1904,3 @@ async function initializeAutoStartTunnels(): Promise<void> {
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
const PORT = 30003;
|
|
||||||
const server = createServer(app);
|
|
||||||
const c2sRelayWss = new WebSocketServer({
|
|
||||||
server,
|
|
||||||
path: "/ssh/tunnel/c2s/stream",
|
|
||||||
});
|
|
||||||
|
|
||||||
c2sRelayWss.on("connection", (ws, req) => {
|
|
||||||
let opened = false;
|
|
||||||
|
|
||||||
ws.once("message", async (raw) => {
|
|
||||||
try {
|
|
||||||
const token = extractRequestToken(req);
|
|
||||||
const payload = token ? await authManager.verifyJWTToken(token) : null;
|
|
||||||
if (!payload?.userId || payload.pendingTOTP) {
|
|
||||||
sendC2SError(ws, "Authentication required");
|
|
||||||
ws.close();
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
const message = JSON.parse(raw.toString()) as C2SOpenMessage;
|
|
||||||
if (message.type !== "open" && message.type !== "test") {
|
|
||||||
throw new Error("Invalid client tunnel relay request");
|
|
||||||
}
|
|
||||||
|
|
||||||
opened = true;
|
|
||||||
if (message.type === "test") {
|
|
||||||
await handleC2SRelayTest(ws, message, payload.userId);
|
|
||||||
} else {
|
|
||||||
await handleC2SRelayOpen(ws, message, payload.userId);
|
|
||||||
}
|
|
||||||
} catch (error) {
|
|
||||||
const message = describeC2SRelayError(error);
|
|
||||||
tunnelLogger.error("Failed to open C2S relay", error, {
|
|
||||||
operation: "c2s_relay_open_failed",
|
|
||||||
});
|
|
||||||
sendC2SError(ws, message);
|
|
||||||
ws.close();
|
|
||||||
}
|
|
||||||
});
|
|
||||||
|
|
||||||
ws.on("close", () => {
|
|
||||||
if (!opened) {
|
|
||||||
tunnelLogger.info("C2S relay closed before opening", {
|
|
||||||
operation: "c2s_relay_closed_before_open",
|
|
||||||
});
|
|
||||||
}
|
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|
||||||
server.listen(PORT, () => {
|
|
||||||
setTimeout(() => {
|
|
||||||
initializeAutoStartTunnels();
|
|
||||||
}, 2000);
|
|
||||||
});
|
|
||||||
@@ -0,0 +1,596 @@
|
|||||||
|
import express, { type Response } from "express";
|
||||||
|
|
||||||
|
import axios from "axios";
|
||||||
|
import type {
|
||||||
|
SSHHost,
|
||||||
|
TunnelConfig,
|
||||||
|
AuthenticatedRequest,
|
||||||
|
} from "../../../types/index.js";
|
||||||
|
import { CONNECTION_STATES } from "../../../types/index.js";
|
||||||
|
import { tunnelLogger } from "../../utils/logger.js";
|
||||||
|
import { SystemCrypto } from "../../utils/system-crypto.js";
|
||||||
|
import { AuthManager } from "../../utils/auth-manager.js";
|
||||||
|
import { PermissionManager } from "../../utils/permission-manager.js";
|
||||||
|
|
||||||
|
import { getTunnelMode, validateTunnelConfig } from "../tunnel-utils.js";
|
||||||
|
|
||||||
|
import {
|
||||||
|
tunnelConfigs,
|
||||||
|
activeRetryTimers,
|
||||||
|
pendingTunnelOperations,
|
||||||
|
manualDisconnects,
|
||||||
|
retryExhaustedTunnels,
|
||||||
|
retryCounters,
|
||||||
|
countdownIntervals,
|
||||||
|
tunnelConnecting,
|
||||||
|
tunnelStatusClients,
|
||||||
|
connectionStatus,
|
||||||
|
cleanupTunnelResources,
|
||||||
|
broadcastTunnelStatus,
|
||||||
|
handleDisconnect,
|
||||||
|
sendTunnelStatusSnapshot,
|
||||||
|
isSingleHostTunnel,
|
||||||
|
getAllTunnelStatus,
|
||||||
|
findHostByTunnelEndpoint,
|
||||||
|
connectSSHTunnel,
|
||||||
|
} from "./manager.js";
|
||||||
|
|
||||||
|
const permissionManager = PermissionManager.getInstance();
|
||||||
|
|
||||||
|
const authManager = AuthManager.getInstance();
|
||||||
|
const authenticateJWT = authManager.createAuthMiddleware();
|
||||||
|
|
||||||
|
export function registerTunnelRoutes(app: express.Express): void {
|
||||||
|
app.get(
|
||||||
|
"/ssh/tunnel/status",
|
||||||
|
authenticateJWT,
|
||||||
|
(req: AuthenticatedRequest, res: Response) => {
|
||||||
|
if (!req.userId) {
|
||||||
|
return res.status(401).json({ error: "Authentication required" });
|
||||||
|
}
|
||||||
|
|
||||||
|
res.json(getAllTunnelStatus());
|
||||||
|
},
|
||||||
|
);
|
||||||
|
|
||||||
|
app.get(
|
||||||
|
"/ssh/tunnel/status/stream",
|
||||||
|
authenticateJWT,
|
||||||
|
(req: AuthenticatedRequest, res: Response) => {
|
||||||
|
if (!req.userId) {
|
||||||
|
return res.status(401).json({ error: "Authentication required" });
|
||||||
|
}
|
||||||
|
|
||||||
|
res.writeHead(200, {
|
||||||
|
"Content-Type": "text/event-stream",
|
||||||
|
"Cache-Control": "no-store, no-transform",
|
||||||
|
Connection: "keep-alive",
|
||||||
|
"X-Accel-Buffering": "no",
|
||||||
|
});
|
||||||
|
res.flushHeaders?.();
|
||||||
|
|
||||||
|
tunnelStatusClients.add(res);
|
||||||
|
sendTunnelStatusSnapshot(res);
|
||||||
|
|
||||||
|
const heartbeat = setInterval(() => {
|
||||||
|
try {
|
||||||
|
res.write(": keepalive\n\n");
|
||||||
|
} catch {
|
||||||
|
closeStream();
|
||||||
|
}
|
||||||
|
}, 30000);
|
||||||
|
|
||||||
|
const closeStream = () => {
|
||||||
|
clearInterval(heartbeat);
|
||||||
|
tunnelStatusClients.delete(res);
|
||||||
|
};
|
||||||
|
|
||||||
|
req.on("close", closeStream);
|
||||||
|
},
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @openapi
|
||||||
|
* /ssh/tunnel/status/{tunnelName}:
|
||||||
|
* get:
|
||||||
|
* summary: Get tunnel status by name
|
||||||
|
* description: Retrieves the status of a specific SSH tunnel by its name.
|
||||||
|
* tags:
|
||||||
|
* - SSH Tunnels
|
||||||
|
* parameters:
|
||||||
|
* - in: path
|
||||||
|
* name: tunnelName
|
||||||
|
* required: true
|
||||||
|
* schema:
|
||||||
|
* type: string
|
||||||
|
* responses:
|
||||||
|
* 200:
|
||||||
|
* description: Tunnel status.
|
||||||
|
* 404:
|
||||||
|
* description: Tunnel not found.
|
||||||
|
*/
|
||||||
|
app.get(
|
||||||
|
"/ssh/tunnel/status/:tunnelName",
|
||||||
|
authenticateJWT,
|
||||||
|
(req: AuthenticatedRequest, res: Response) => {
|
||||||
|
if (!req.userId) {
|
||||||
|
return res.status(401).json({ error: "Authentication required" });
|
||||||
|
}
|
||||||
|
|
||||||
|
const tunnelNameParam = req.params.tunnelName;
|
||||||
|
const tunnelName = Array.isArray(tunnelNameParam)
|
||||||
|
? tunnelNameParam[0]
|
||||||
|
: tunnelNameParam;
|
||||||
|
const status = connectionStatus.get(tunnelName);
|
||||||
|
|
||||||
|
if (!status) {
|
||||||
|
return res.status(404).json({ error: "Tunnel not found" });
|
||||||
|
}
|
||||||
|
|
||||||
|
res.json({ name: tunnelName, status });
|
||||||
|
},
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @openapi
|
||||||
|
* /ssh/tunnel/connect:
|
||||||
|
* post:
|
||||||
|
* summary: Connect SSH tunnel
|
||||||
|
* description: Establishes an SSH tunnel connection with the specified configuration.
|
||||||
|
* tags:
|
||||||
|
* - SSH Tunnels
|
||||||
|
* requestBody:
|
||||||
|
* required: true
|
||||||
|
* content:
|
||||||
|
* application/json:
|
||||||
|
* schema:
|
||||||
|
* type: object
|
||||||
|
* properties:
|
||||||
|
* name:
|
||||||
|
* type: string
|
||||||
|
* sourceHostId:
|
||||||
|
* type: integer
|
||||||
|
* tunnelIndex:
|
||||||
|
* type: integer
|
||||||
|
* responses:
|
||||||
|
* 200:
|
||||||
|
* description: Connection request received.
|
||||||
|
* 400:
|
||||||
|
* description: Invalid tunnel configuration.
|
||||||
|
* 401:
|
||||||
|
* description: Authentication required.
|
||||||
|
* 403:
|
||||||
|
* description: Access denied to this host.
|
||||||
|
* 500:
|
||||||
|
* description: Failed to connect tunnel.
|
||||||
|
*/
|
||||||
|
app.post(
|
||||||
|
"/ssh/tunnel/connect",
|
||||||
|
authenticateJWT,
|
||||||
|
async (req: AuthenticatedRequest, res: Response) => {
|
||||||
|
const tunnelConfig: TunnelConfig = req.body;
|
||||||
|
const userId = req.userId;
|
||||||
|
|
||||||
|
if (!userId) {
|
||||||
|
return res.status(401).json({ error: "Authentication required" });
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!tunnelConfig || !tunnelConfig.name) {
|
||||||
|
return res.status(400).json({ error: "Invalid tunnel configuration" });
|
||||||
|
}
|
||||||
|
|
||||||
|
const tunnelName = tunnelConfig.name;
|
||||||
|
tunnelConfig.requestingUserId = userId;
|
||||||
|
|
||||||
|
try {
|
||||||
|
if (!validateTunnelConfig(tunnelName, tunnelConfig)) {
|
||||||
|
tunnelLogger.error(`Tunnel config validation failed`, {
|
||||||
|
operation: "tunnel_connect",
|
||||||
|
tunnelName,
|
||||||
|
configHostId: tunnelConfig.sourceHostId,
|
||||||
|
configTunnelIndex: tunnelConfig.tunnelIndex,
|
||||||
|
});
|
||||||
|
return res.status(400).json({
|
||||||
|
error: "Tunnel configuration does not match tunnel name",
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
if (tunnelConfig.sourceHostId) {
|
||||||
|
const accessInfo = await permissionManager.canAccessHost(
|
||||||
|
userId,
|
||||||
|
tunnelConfig.sourceHostId,
|
||||||
|
"read",
|
||||||
|
);
|
||||||
|
|
||||||
|
if (!accessInfo.hasAccess) {
|
||||||
|
tunnelLogger.warn("User attempted tunnel connect without access", {
|
||||||
|
operation: "tunnel_connect_unauthorized",
|
||||||
|
userId,
|
||||||
|
hostId: tunnelConfig.sourceHostId,
|
||||||
|
tunnelName,
|
||||||
|
});
|
||||||
|
return res
|
||||||
|
.status(403)
|
||||||
|
.json({ error: "Access denied to this host" });
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (pendingTunnelOperations.has(tunnelName)) {
|
||||||
|
try {
|
||||||
|
await pendingTunnelOperations.get(tunnelName);
|
||||||
|
} catch {
|
||||||
|
tunnelLogger.warn(`Previous tunnel operation failed`, {
|
||||||
|
tunnelName,
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
const operation = (async () => {
|
||||||
|
manualDisconnects.delete(tunnelName);
|
||||||
|
retryCounters.delete(tunnelName);
|
||||||
|
retryExhaustedTunnels.delete(tunnelName);
|
||||||
|
|
||||||
|
await cleanupTunnelResources(tunnelName);
|
||||||
|
|
||||||
|
if (tunnelConfigs.has(tunnelName)) {
|
||||||
|
const existingConfig = tunnelConfigs.get(tunnelName);
|
||||||
|
if (
|
||||||
|
existingConfig &&
|
||||||
|
(existingConfig.sourceHostId !== tunnelConfig.sourceHostId ||
|
||||||
|
existingConfig.tunnelIndex !== tunnelConfig.tunnelIndex)
|
||||||
|
) {
|
||||||
|
throw new Error(`Tunnel name collision detected: ${tunnelName}`);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (
|
||||||
|
!isSingleHostTunnel(tunnelConfig) &&
|
||||||
|
(!tunnelConfig.endpointIP || !tunnelConfig.endpointUsername)
|
||||||
|
) {
|
||||||
|
try {
|
||||||
|
const systemCrypto = SystemCrypto.getInstance();
|
||||||
|
const internalAuthToken =
|
||||||
|
await systemCrypto.getInternalAuthToken();
|
||||||
|
|
||||||
|
const allHostsResponse = await axios.get(
|
||||||
|
"http://localhost:30001/host/db/host/internal/all",
|
||||||
|
{
|
||||||
|
headers: {
|
||||||
|
"Content-Type": "application/json",
|
||||||
|
"X-Internal-Auth-Token": internalAuthToken,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
);
|
||||||
|
|
||||||
|
const allHosts: SSHHost[] = allHostsResponse.data || [];
|
||||||
|
const endpointHost = findHostByTunnelEndpoint(
|
||||||
|
allHosts,
|
||||||
|
tunnelConfig.endpointHost,
|
||||||
|
);
|
||||||
|
|
||||||
|
if (!endpointHost) {
|
||||||
|
if (getTunnelMode(tunnelConfig) !== "remote") {
|
||||||
|
tunnelConfig.endpointIP =
|
||||||
|
tunnelConfig.endpointIP || tunnelConfig.endpointHost;
|
||||||
|
} else {
|
||||||
|
throw new Error(
|
||||||
|
`Endpoint host '${tunnelConfig.endpointHost}' not found in database`,
|
||||||
|
);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if (!endpointHost.id) {
|
||||||
|
throw new Error("Endpoint host not found");
|
||||||
|
}
|
||||||
|
|
||||||
|
const endpointAccess = await permissionManager.canAccessHost(
|
||||||
|
userId,
|
||||||
|
endpointHost.id,
|
||||||
|
"read",
|
||||||
|
);
|
||||||
|
if (!endpointAccess.hasAccess) {
|
||||||
|
tunnelLogger.warn(
|
||||||
|
"User attempted tunnel connect without endpoint access",
|
||||||
|
{
|
||||||
|
operation: "tunnel_connect_endpoint_unauthorized",
|
||||||
|
userId,
|
||||||
|
hostId: endpointHost.id,
|
||||||
|
tunnelName,
|
||||||
|
},
|
||||||
|
);
|
||||||
|
throw new Error("Endpoint host not found");
|
||||||
|
}
|
||||||
|
|
||||||
|
tunnelConfig.endpointIP = endpointHost.ip;
|
||||||
|
tunnelConfig.endpointSSHPort = endpointHost.port;
|
||||||
|
tunnelConfig.endpointUsername = endpointHost.username;
|
||||||
|
tunnelConfig.endpointAuthMethod = endpointHost.authType;
|
||||||
|
tunnelConfig.endpointKeyType = endpointHost.keyType;
|
||||||
|
tunnelConfig.endpointCredentialId =
|
||||||
|
endpointHost.userId === userId
|
||||||
|
? endpointHost.credentialId
|
||||||
|
: undefined;
|
||||||
|
tunnelConfig.endpointUserId = userId;
|
||||||
|
|
||||||
|
// Resolve credentials server-side instead of from HTTP response
|
||||||
|
if (endpointHost.id) {
|
||||||
|
try {
|
||||||
|
const { resolveHostById } =
|
||||||
|
await import("../host-resolver.js");
|
||||||
|
const resolved = await resolveHostById(
|
||||||
|
endpointHost.id,
|
||||||
|
userId,
|
||||||
|
);
|
||||||
|
if (resolved) {
|
||||||
|
tunnelConfig.endpointPassword = resolved.password;
|
||||||
|
tunnelConfig.endpointSSHKey = resolved.key;
|
||||||
|
tunnelConfig.endpointKeyPassword = resolved.keyPassword;
|
||||||
|
}
|
||||||
|
} catch (credError) {
|
||||||
|
tunnelLogger.warn(
|
||||||
|
"Failed to resolve endpoint credentials from DB",
|
||||||
|
{
|
||||||
|
operation: "tunnel_endpoint_credential_resolve",
|
||||||
|
endpointHostId: endpointHost.id,
|
||||||
|
error:
|
||||||
|
credError instanceof Error
|
||||||
|
? credError.message
|
||||||
|
: "Unknown",
|
||||||
|
},
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} catch (resolveError) {
|
||||||
|
tunnelLogger.error(
|
||||||
|
"Failed to resolve endpoint host",
|
||||||
|
resolveError,
|
||||||
|
{
|
||||||
|
operation: "tunnel_connect_resolve_endpoint_failed",
|
||||||
|
tunnelName,
|
||||||
|
endpointHost: tunnelConfig.endpointHost,
|
||||||
|
},
|
||||||
|
);
|
||||||
|
throw new Error(
|
||||||
|
`Failed to resolve endpoint host: ${resolveError instanceof Error ? resolveError.message : "Unknown error"}`,
|
||||||
|
{ cause: resolveError },
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
tunnelConfigs.set(tunnelName, tunnelConfig);
|
||||||
|
await connectSSHTunnel(tunnelConfig, 0);
|
||||||
|
})();
|
||||||
|
|
||||||
|
pendingTunnelOperations.set(tunnelName, operation);
|
||||||
|
|
||||||
|
res.json({ message: "Connection request received", tunnelName });
|
||||||
|
|
||||||
|
operation
|
||||||
|
.catch((err) => {
|
||||||
|
tunnelLogger.error("Tunnel operation failed", err, {
|
||||||
|
operation: "tunnel_operation_failed",
|
||||||
|
tunnelName,
|
||||||
|
});
|
||||||
|
broadcastTunnelStatus(tunnelName, {
|
||||||
|
connected: false,
|
||||||
|
status: CONNECTION_STATES.FAILED,
|
||||||
|
reason: err instanceof Error ? err.message : "Unknown error",
|
||||||
|
});
|
||||||
|
tunnelConnecting.delete(tunnelName);
|
||||||
|
})
|
||||||
|
.finally(() => {
|
||||||
|
pendingTunnelOperations.delete(tunnelName);
|
||||||
|
});
|
||||||
|
} catch (error) {
|
||||||
|
tunnelLogger.error("Failed to process tunnel connect", error, {
|
||||||
|
operation: "tunnel_connect",
|
||||||
|
tunnelName,
|
||||||
|
userId,
|
||||||
|
});
|
||||||
|
res.status(500).json({ error: "Failed to connect tunnel" });
|
||||||
|
}
|
||||||
|
},
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @openapi
|
||||||
|
* /ssh/tunnel/disconnect:
|
||||||
|
* post:
|
||||||
|
* summary: Disconnect SSH tunnel
|
||||||
|
* description: Disconnects an active SSH tunnel.
|
||||||
|
* tags:
|
||||||
|
* - SSH Tunnels
|
||||||
|
* requestBody:
|
||||||
|
* required: true
|
||||||
|
* content:
|
||||||
|
* application/json:
|
||||||
|
* schema:
|
||||||
|
* type: object
|
||||||
|
* properties:
|
||||||
|
* tunnelName:
|
||||||
|
* type: string
|
||||||
|
* responses:
|
||||||
|
* 200:
|
||||||
|
* description: Disconnect request received.
|
||||||
|
* 400:
|
||||||
|
* description: Tunnel name required.
|
||||||
|
* 401:
|
||||||
|
* description: Authentication required.
|
||||||
|
* 403:
|
||||||
|
* description: Access denied.
|
||||||
|
* 500:
|
||||||
|
* description: Failed to disconnect tunnel.
|
||||||
|
*/
|
||||||
|
app.post(
|
||||||
|
"/ssh/tunnel/disconnect",
|
||||||
|
authenticateJWT,
|
||||||
|
async (req: AuthenticatedRequest, res: Response) => {
|
||||||
|
const { tunnelName } = req.body;
|
||||||
|
const userId = req.userId;
|
||||||
|
|
||||||
|
if (!userId) {
|
||||||
|
return res.status(401).json({ error: "Authentication required" });
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!tunnelName) {
|
||||||
|
return res.status(400).json({ error: "Tunnel name required" });
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
const config = tunnelConfigs.get(tunnelName);
|
||||||
|
if (config && config.sourceHostId) {
|
||||||
|
const accessInfo = await permissionManager.canAccessHost(
|
||||||
|
userId,
|
||||||
|
config.sourceHostId,
|
||||||
|
"read",
|
||||||
|
);
|
||||||
|
if (!accessInfo.hasAccess) {
|
||||||
|
return res.status(403).json({ error: "Access denied" });
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
tunnelLogger.info("Tunnel stop request received", {
|
||||||
|
operation: "tunnel_stop_request",
|
||||||
|
userId,
|
||||||
|
hostId: config?.sourceHostId,
|
||||||
|
tunnelName,
|
||||||
|
});
|
||||||
|
manualDisconnects.add(tunnelName);
|
||||||
|
retryCounters.delete(tunnelName);
|
||||||
|
retryExhaustedTunnels.delete(tunnelName);
|
||||||
|
|
||||||
|
if (activeRetryTimers.has(tunnelName)) {
|
||||||
|
clearTimeout(activeRetryTimers.get(tunnelName)!);
|
||||||
|
activeRetryTimers.delete(tunnelName);
|
||||||
|
}
|
||||||
|
|
||||||
|
await cleanupTunnelResources(tunnelName, true);
|
||||||
|
tunnelLogger.info("Tunnel cleanup completed", {
|
||||||
|
operation: "tunnel_cleanup_complete",
|
||||||
|
userId,
|
||||||
|
hostId: config?.sourceHostId,
|
||||||
|
tunnelName,
|
||||||
|
});
|
||||||
|
|
||||||
|
broadcastTunnelStatus(tunnelName, {
|
||||||
|
connected: false,
|
||||||
|
status: CONNECTION_STATES.DISCONNECTED,
|
||||||
|
manualDisconnect: true,
|
||||||
|
});
|
||||||
|
|
||||||
|
const tunnelConfig = tunnelConfigs.get(tunnelName) || null;
|
||||||
|
handleDisconnect(tunnelName, tunnelConfig, false);
|
||||||
|
|
||||||
|
setTimeout(() => {
|
||||||
|
manualDisconnects.delete(tunnelName);
|
||||||
|
}, 5000);
|
||||||
|
|
||||||
|
res.json({ message: "Disconnect request received", tunnelName });
|
||||||
|
} catch (error) {
|
||||||
|
tunnelLogger.error("Failed to disconnect tunnel", error, {
|
||||||
|
operation: "tunnel_disconnect",
|
||||||
|
tunnelName,
|
||||||
|
userId,
|
||||||
|
});
|
||||||
|
res.status(500).json({ error: "Failed to disconnect tunnel" });
|
||||||
|
}
|
||||||
|
},
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @openapi
|
||||||
|
* /ssh/tunnel/cancel:
|
||||||
|
* post:
|
||||||
|
* summary: Cancel tunnel retry
|
||||||
|
* description: Cancels the retry mechanism for a failed SSH tunnel connection.
|
||||||
|
* tags:
|
||||||
|
* - SSH Tunnels
|
||||||
|
* requestBody:
|
||||||
|
* required: true
|
||||||
|
* content:
|
||||||
|
* application/json:
|
||||||
|
* schema:
|
||||||
|
* type: object
|
||||||
|
* properties:
|
||||||
|
* tunnelName:
|
||||||
|
* type: string
|
||||||
|
* responses:
|
||||||
|
* 200:
|
||||||
|
* description: Cancel request received.
|
||||||
|
* 400:
|
||||||
|
* description: Tunnel name required.
|
||||||
|
* 401:
|
||||||
|
* description: Authentication required.
|
||||||
|
* 403:
|
||||||
|
* description: Access denied.
|
||||||
|
* 500:
|
||||||
|
* description: Failed to cancel tunnel retry.
|
||||||
|
*/
|
||||||
|
app.post(
|
||||||
|
"/ssh/tunnel/cancel",
|
||||||
|
authenticateJWT,
|
||||||
|
async (req: AuthenticatedRequest, res: Response) => {
|
||||||
|
const { tunnelName } = req.body;
|
||||||
|
const userId = req.userId;
|
||||||
|
|
||||||
|
if (!userId) {
|
||||||
|
return res.status(401).json({ error: "Authentication required" });
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!tunnelName) {
|
||||||
|
return res.status(400).json({ error: "Tunnel name required" });
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
const config = tunnelConfigs.get(tunnelName);
|
||||||
|
if (config && config.sourceHostId) {
|
||||||
|
const accessInfo = await permissionManager.canAccessHost(
|
||||||
|
userId,
|
||||||
|
config.sourceHostId,
|
||||||
|
"read",
|
||||||
|
);
|
||||||
|
if (!accessInfo.hasAccess) {
|
||||||
|
return res.status(403).json({ error: "Access denied" });
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
retryCounters.delete(tunnelName);
|
||||||
|
retryExhaustedTunnels.delete(tunnelName);
|
||||||
|
|
||||||
|
if (activeRetryTimers.has(tunnelName)) {
|
||||||
|
clearTimeout(activeRetryTimers.get(tunnelName)!);
|
||||||
|
activeRetryTimers.delete(tunnelName);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (countdownIntervals.has(tunnelName)) {
|
||||||
|
clearInterval(countdownIntervals.get(tunnelName)!);
|
||||||
|
countdownIntervals.delete(tunnelName);
|
||||||
|
}
|
||||||
|
|
||||||
|
await cleanupTunnelResources(tunnelName, true);
|
||||||
|
|
||||||
|
broadcastTunnelStatus(tunnelName, {
|
||||||
|
connected: false,
|
||||||
|
status: CONNECTION_STATES.DISCONNECTED,
|
||||||
|
manualDisconnect: true,
|
||||||
|
});
|
||||||
|
|
||||||
|
const tunnelConfig = tunnelConfigs.get(tunnelName) || null;
|
||||||
|
handleDisconnect(tunnelName, tunnelConfig, false);
|
||||||
|
|
||||||
|
setTimeout(() => {
|
||||||
|
manualDisconnects.delete(tunnelName);
|
||||||
|
}, 5000);
|
||||||
|
|
||||||
|
res.json({ message: "Cancel request received", tunnelName });
|
||||||
|
} catch (error) {
|
||||||
|
tunnelLogger.error("Failed to cancel tunnel retry", error, {
|
||||||
|
operation: "tunnel_cancel",
|
||||||
|
tunnelName,
|
||||||
|
userId,
|
||||||
|
});
|
||||||
|
res.status(500).json({ error: "Failed to cancel tunnel retry" });
|
||||||
|
}
|
||||||
|
},
|
||||||
|
);
|
||||||
|
}
|
||||||
@@ -155,7 +155,7 @@ import {
|
|||||||
const dbServer = await import("./database/database.js");
|
const dbServer = await import("./database/database.js");
|
||||||
await (dbServer as unknown as { serverReady: Promise<void> }).serverReady;
|
await (dbServer as unknown as { serverReady: Promise<void> }).serverReady;
|
||||||
await import("./ssh/terminal.js");
|
await import("./ssh/terminal.js");
|
||||||
await import("./ssh/tunnel.js");
|
await import("./ssh/tunnel/index.js");
|
||||||
await import("./ssh/file-manager.js");
|
await import("./ssh/file-manager.js");
|
||||||
await import("./ssh/host-metrics.js");
|
await import("./ssh/host-metrics.js");
|
||||||
await import("./ssh/docker/index.js");
|
await import("./ssh/docker/index.js");
|
||||||
|
|||||||
Reference in New Issue
Block a user