feat: NPM access list support (global default + per-project override)
This commit is contained in:
+24
-14
@@ -13,13 +13,14 @@ import (
|
||||
|
||||
// projectRequest is the expected JSON body for creating/updating a project.
|
||||
type projectRequest struct {
|
||||
Name string `json:"name"`
|
||||
Registry string `json:"registry"`
|
||||
Image string `json:"image"`
|
||||
Port int `json:"port"`
|
||||
Healthcheck string `json:"healthcheck"`
|
||||
Env string `json:"env"`
|
||||
Volumes string `json:"volumes"`
|
||||
Name string `json:"name"`
|
||||
Registry string `json:"registry"`
|
||||
Image string `json:"image"`
|
||||
Port int `json:"port"`
|
||||
Healthcheck string `json:"healthcheck"`
|
||||
Env string `json:"env"`
|
||||
Volumes string `json:"volumes"`
|
||||
NpmAccessListID *int `json:"npm_access_list_id,omitempty"`
|
||||
}
|
||||
|
||||
// listProjects handles GET /api/projects.
|
||||
@@ -55,14 +56,20 @@ func (s *Server) createProject(w http.ResponseWriter, r *http.Request) {
|
||||
req.Volumes = "{}"
|
||||
}
|
||||
|
||||
npmAccessListID := 0
|
||||
if req.NpmAccessListID != nil {
|
||||
npmAccessListID = *req.NpmAccessListID
|
||||
}
|
||||
|
||||
project, err := s.store.CreateProject(store.Project{
|
||||
Name: req.Name,
|
||||
Registry: req.Registry,
|
||||
Image: req.Image,
|
||||
Port: req.Port,
|
||||
Healthcheck: req.Healthcheck,
|
||||
Env: req.Env,
|
||||
Volumes: req.Volumes,
|
||||
Name: req.Name,
|
||||
Registry: req.Registry,
|
||||
Image: req.Image,
|
||||
Port: req.Port,
|
||||
Healthcheck: req.Healthcheck,
|
||||
Env: req.Env,
|
||||
Volumes: req.Volumes,
|
||||
NpmAccessListID: npmAccessListID,
|
||||
})
|
||||
if err != nil {
|
||||
slog.Error("failed to create project", "error", err)
|
||||
@@ -147,6 +154,9 @@ func (s *Server) updateProject(w http.ResponseWriter, r *http.Request) {
|
||||
if req.Volumes != "" {
|
||||
updated.Volumes = req.Volumes
|
||||
}
|
||||
if req.NpmAccessListID != nil {
|
||||
updated.NpmAccessListID = *req.NpmAccessListID
|
||||
}
|
||||
|
||||
if err := s.store.UpdateProject(updated); err != nil {
|
||||
slog.Error("failed to update project", "error", err)
|
||||
|
||||
@@ -260,6 +260,7 @@ func (s *Server) Router() chi.Router {
|
||||
})
|
||||
r.Get("/settings", s.getSettings)
|
||||
r.Get("/settings/npm-certificates", s.listNpmCertificates)
|
||||
r.Get("/settings/npm-access-lists", s.listNpmAccessLists)
|
||||
|
||||
// Volume scope metadata (read-only).
|
||||
r.Get("/volumes/scopes", s.listVolumeScopes)
|
||||
|
||||
@@ -35,6 +35,7 @@ type settingsRequest struct {
|
||||
DNSProvider *string `json:"dns_provider,omitempty"`
|
||||
CloudflareAPIToken string `json:"cloudflare_api_token"`
|
||||
CloudflareZoneID *string `json:"cloudflare_zone_id,omitempty"`
|
||||
NpmAccessListID *int `json:"npm_access_list_id,omitempty"`
|
||||
NpmRemote *bool `json:"npm_remote,omitempty"`
|
||||
ProxyProvider *string `json:"proxy_provider,omitempty"`
|
||||
TraefikEntrypoint *string `json:"traefik_entrypoint,omitempty"`
|
||||
@@ -65,6 +66,7 @@ func (s *Server) getSettings(w http.ResponseWriter, r *http.Request) {
|
||||
"npm_email": settings.NpmEmail,
|
||||
"has_npm_password": settings.NpmPassword != "",
|
||||
"npm_remote": settings.NpmRemote,
|
||||
"npm_access_list_id": settings.NpmAccessListID,
|
||||
"polling_interval": settings.PollingInterval,
|
||||
"ssl_certificate_id": settings.SSLCertificateID,
|
||||
"stale_threshold_days": settings.StaleThresholdDays,
|
||||
@@ -191,6 +193,9 @@ func (s *Server) updateSettings(w http.ResponseWriter, r *http.Request) {
|
||||
if req.NpmRemote != nil {
|
||||
updated.NpmRemote = *req.NpmRemote
|
||||
}
|
||||
if req.NpmAccessListID != nil {
|
||||
updated.NpmAccessListID = *req.NpmAccessListID
|
||||
}
|
||||
|
||||
// Traefik provider settings.
|
||||
if req.TraefikEntrypoint != nil {
|
||||
@@ -340,6 +345,45 @@ func (s *Server) listNpmCertificates(w http.ResponseWriter, r *http.Request) {
|
||||
respondJSON(w, http.StatusOK, wildcards)
|
||||
}
|
||||
|
||||
// listNpmAccessLists handles GET /api/settings/npm-access-lists.
|
||||
// It authenticates to NPM using the stored credentials and returns all access lists.
|
||||
func (s *Server) listNpmAccessLists(w http.ResponseWriter, r *http.Request) {
|
||||
settings, err := s.store.GetSettings()
|
||||
if err != nil {
|
||||
respondError(w, http.StatusInternalServerError, "failed to get settings: "+err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
if settings.NpmURL == "" || settings.NpmEmail == "" || settings.NpmPassword == "" {
|
||||
respondError(w, http.StatusBadRequest, "NPM credentials not configured")
|
||||
return
|
||||
}
|
||||
|
||||
npmPassword, err := crypto.Decrypt(s.encKey, settings.NpmPassword)
|
||||
if err != nil {
|
||||
respondError(w, http.StatusInternalServerError, "failed to decrypt npm password: "+err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
client := npm.New(settings.NpmURL)
|
||||
if err := client.Authenticate(r.Context(), settings.NpmEmail, npmPassword); err != nil {
|
||||
respondError(w, http.StatusBadGateway, "failed to authenticate to NPM: "+err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
lists, err := client.ListAccessLists(r.Context())
|
||||
if err != nil {
|
||||
respondError(w, http.StatusBadGateway, "failed to list access lists: "+err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
if lists == nil {
|
||||
lists = []npm.AccessList{}
|
||||
}
|
||||
|
||||
respondJSON(w, http.StatusOK, lists)
|
||||
}
|
||||
|
||||
// isWildcardCert returns true if any of the certificate's domain names contains "*".
|
||||
func isWildcardCert(cert npm.Certificate) bool {
|
||||
for _, d := range cert.DomainNames {
|
||||
|
||||
Reference in New Issue
Block a user