277ae6e79c
Implements full role-based access control for mTLS client certificates: - Database: mtls_roles, mtls_certificate_roles, mtls_access_rules tables with migration - Models: CRUD for roles, cert-role assignments, path-based access rules - Caddy config: HTTP-layer RBAC enforcement via CEL fingerprint matching in subroutes - New trust model: select individual certs or entire roles instead of CAs (derives CAs automatically) - REST API: /api/v1/mtls-roles, cert assignments, proxy-host access rules endpoints - UI: Roles management tab (card-based), cert/role trust picker, inline RBAC rule editor - Fix: dialog autoclose bug after creating proxy host (key-based remount) - Tests: 85 new tests (785 total) covering models, schema, RBAC route generation, leaf override, edge cases Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
import { NextRequest, NextResponse } from "next/server";
import { requireApiAdmin, apiErrorResponse } from "@/src/lib/api-auth";
import { listMtlsRoles, createMtlsRole } from "@/src/lib/models/mtls-roles";
/**
 * Lists all mTLS roles. Admin-only: `requireApiAdmin` must resolve before
 * the roles are read.
 *
 * @param request - incoming Next.js request (used for admin authentication)
 * @returns JSON array of roles, or whatever `apiErrorResponse` produces for
 *   an auth failure or a model error.
 */
export async function GET(request: NextRequest) {
  const respond = async () => {
    await requireApiAdmin(request);
    const roles = await listMtlsRoles();
    return NextResponse.json(roles);
  };
  // Any rejection (auth or listing) is mapped to an HTTP response here.
  return respond().catch((error: unknown) => apiErrorResponse(error));
}
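/** True when `value` is a plain (non-array) object we can read keys from. */
function isRecord(value: unknown): value is Record<string, unknown> {
  return typeof value === "object" && value !== null && !Array.isArray(value);
}

/**
 * Creates an mTLS role from the JSON request body. Admin-only.
 *
 * Validation done here:
 * - malformed JSON → 400 (instead of surfacing as a generic error)
 * - a body that is not an object (`null`, array, string, number) → 400,
 *   where the original would have thrown a TypeError on `body.name`
 * - missing / non-string / blank `name` → 400
 *
 * @param request - incoming Next.js request; body is the role definition
 * @returns 201 with the created role, 400 on invalid input, or the
 *   `apiErrorResponse` mapping for auth or model failures.
 */
export async function POST(request: NextRequest) {
  try {
    const { userId } = await requireApiAdmin(request);

    // Parse explicitly so a JSON syntax error is reported as a client error;
    // it is not known here whether apiErrorResponse maps SyntaxError to 400.
    let body: unknown;
    try {
      body = await request.json();
    } catch {
      return NextResponse.json({ error: "invalid JSON body" }, { status: 400 });
    }

    // Guard the shape before indexing: `null` or an array would otherwise
    // throw inside the handler rather than producing a 400.
    if (!isRecord(body) || typeof body.name !== "string" || !body.name.trim()) {
      return NextResponse.json({ error: "name is required" }, { status: 400 });
    }

    // NOTE(review): the entire client body is forwarded; any allow-listing
    // of the remaining fields is expected to live in createMtlsRole — confirm.
    const role = await createMtlsRole(
      body as Parameters<typeof createMtlsRole>[0],
      userId,
    );
    return NextResponse.json(role, { status: 201 });
  } catch (error) {
    return apiErrorResponse(error);
  }
}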