feat(web): add webhook-managed machine access and multi-instance CLI support (#1989)

* feat: add webhook-managed access and multi-instance CLI support * fix(foreign): verify credential of foreign credential peer
2026-05-13 17:35:37 +00:00 · 2026-03-15 12:08:50 +08:00
parent c8f3c5d6aa
commit e6ac31fb20
27 changed files with 2678 additions and 980 deletions
@@ -19,6 +19,7 @@ use maxminddb::geoip2;
 use session::{Location, Session};
 use storage::{Storage, StorageToken};

+use crate::webhook::SharedWebhookConfig;
 use crate::FeatureFlags;
 use tokio::task::JoinSet;

@@ -59,12 +60,18 @@ pub struct ClientManager {
    storage: Storage,

    feature_flags: Arc<FeatureFlags>,
+    webhook_config: SharedWebhookConfig,

    geoip_db: Arc<Option<maxminddb::Reader<Vec<u8>>>>,
 }

 impl ClientManager {
-    pub fn new(db: Db, geoip_db: Option<String>, feature_flags: Arc<FeatureFlags>) -> Self {
+    pub fn new(
+        db: Db,
+        geoip_db: Option<String>,
+        feature_flags: Arc<FeatureFlags>,
+        webhook_config: SharedWebhookConfig,
+    ) -> Self {
        let client_sessions = Arc::new(DashMap::new());
        let sessions: Arc<DashMap<url::Url, Arc<Session>>> = client_sessions.clone();
        let mut tasks = JoinSet::new();
@@ -82,6 +89,7 @@ impl ClientManager {
            client_sessions,
            storage: Storage::new(db),
            feature_flags,
+            webhook_config,

            geoip_db: Arc::new(load_geoip_db(geoip_db)),
        }
@@ -98,6 +106,7 @@ impl ClientManager {
        let listeners_cnt = self.listeners_cnt.clone();
        let geoip_db = self.geoip_db.clone();
        let feature_flags = self.feature_flags.clone();
+        let webhook_config = self.webhook_config.clone();
        self.tasks.spawn(async move {
            while let Ok(tunnel) = listener.accept().await {
                let (tunnel, secure) = match security::accept_or_upgrade_server_tunnel(tunnel).await {
@@ -121,6 +130,7 @@ impl ClientManager {
                    client_url.clone(),
                    location,
                    feature_flags.clone(),
+                    webhook_config.clone(),
                );
                session.serve(tunnel).await;
                sessions.insert(client_url, Arc::new(session));
@@ -165,6 +175,36 @@ impl ClientManager {
            .map(|item| item.value().clone())
    }

+    /// Find a session by machine_id regardless of user_id.
+    pub fn get_session_by_machine_id_global(
+        &self,
+        machine_id: &uuid::Uuid,
+    ) -> Option<Arc<Session>> {
+        self.storage
+            .get_client_url_by_machine_id_global(machine_id)
+            .and_then(|url| {
+                self.client_sessions
+                    .get(&url)
+                    .map(|item| item.value().clone())
+            })
+    }
+
+    /// Get user_id associated with a machine_id.
+    pub fn get_user_id_by_machine_id_global(&self, machine_id: &uuid::Uuid) -> Option<UserIdInDb> {
+        self.storage.get_user_id_by_machine_id_global(machine_id)
+    }
+
+    pub async fn disconnect_session_by_machine_id_global(&self, machine_id: &uuid::Uuid) -> bool {
+        let Some(client_url) = self.storage.get_client_url_by_machine_id_global(machine_id) else {
+            return false;
+        };
+        let Some((_, session)) = self.client_sessions.remove(&client_url) else {
+            return false;
+        };
+        session.stop().await;
+        true
+    }
+
    pub async fn list_machine_by_user_id(&self, user_id: UserIdInDb) -> Vec<url::Url> {
        self.storage.list_user_clients(user_id)
    }
@@ -321,6 +361,9 @@ mod tests {
            Db::memory_db().await,
            None,
            Arc::new(FeatureFlags::default()),
+            Arc::new(crate::webhook::WebhookConfig::new(
+                None, None, None, None, None,
+            )),
        );
        mgr.add_listener(Box::new(listener)).await.unwrap();