feat(web): add webhook-managed machine access and multi-instance CLI support (#1989)

* feat: add webhook-managed access and multi-instance CLI support * fix(foreign): verify credential of foreign credential peer
2026-05-07 02:09:06 +00:00 · 2026-03-15 12:08:50 +08:00
parent c8f3c5d6aa
commit e6ac31fb20
27 changed files with 2678 additions and 980 deletions
@@ -6,6 +6,7 @@ use std::{
 };

 use anyhow::Context;
+use base64::{prelude::BASE64_STANDARD, Engine as _};
 use serde::{Deserialize, Serialize};
 use tokio::io::AsyncReadExt as _;

@@ -405,6 +406,42 @@ impl From<PortForwardConfig> for PortForwardConfigPb {
    }
 }

+pub fn process_secure_mode_cfg(mut user_cfg: SecureModeConfig) -> anyhow::Result<SecureModeConfig> {
+    if !user_cfg.enabled {
+        return Ok(user_cfg);
+    }
+
+    let private_key = if user_cfg.local_private_key.is_none() {
+        // if no private key, generate random one
+        let private = x25519_dalek::StaticSecret::random_from_rng(rand::rngs::OsRng);
+        user_cfg.local_private_key = Some(BASE64_STANDARD.encode(private.clone().as_bytes()));
+        private
+    } else {
+        // check if private key is valid
+        user_cfg.private_key()?
+    };
+
+    let public = x25519_dalek::PublicKey::from(&private_key);
+
+    match user_cfg.local_public_key {
+        None => {
+            user_cfg.local_public_key = Some(BASE64_STANDARD.encode(public.as_bytes()));
+        }
+        Some(ref user_pub) => {
+            let public = user_cfg.public_key()?;
+            if *user_pub != BASE64_STANDARD.encode(public.as_bytes()) {
+                return Err(anyhow::anyhow!(
+                    "local public key {} does not match generated public key {}",
+                    user_pub,
+                    BASE64_STANDARD.encode(public.as_bytes())
+                ));
+            }
+        }
+    }
+
+    Ok(user_cfg)
+}
+
 #[derive(Debug, Clone, PartialEq, Deserialize, Serialize)]
 struct Config {
    netns: Option<String>,