Merge branch 'main' into kp/py-edge-driver

Author: KavanPrice

.github/workflows/publish.yml

@@ -213,6 +213,7 @@ jobs:
           - edge-test
           - edge-tplink-smartplug
           - edge-ads
+          - edge-rtde
     permissions:
       contents: read
       packages: write

.gitignore

@@ -6,4 +6,5 @@ config.mk
 */.npm_install_done
 .vscode
 .DS_Store
-/edge-ads/node_modules
+/edge-ads/node_modules
+spirit-schemas/

acs-admin/Dockerfile

@@ -1,5 +1,6 @@
 # Stage 1: Build the application
 FROM oven/bun:1.2.0 AS builder
+ARG tag="(unknown version)"
 
 # Set working directory
 WORKDIR /app/acs-admin
@@ -10,6 +11,7 @@ RUN --mount=type=bind,from=lib,dst=/app/lib bun install --production
 
 # Copy the rest of the application code
 COPY . .
+RUN echo "export const ACS_VERSION = '${tag}';" >src/lib/version.js
 
 # Build the application
 RUN --mount=type=bind,from=lib,dst=/app/lib bun run build

acs-admin/src/App.vue

@@ -14,7 +14,7 @@
                 <img src="/favicon.svg">
               </div>
               <div class="flex flex-col gap-0.5 leading-none">
-                <h1 class="font-bold text-base h-4">ACS</h1>
+                <h1 class="font-bold text-base h-4">ACS {{acs_version}}</h1>
                 <h2 class="text-gray-500 text-sm">{{s.username}}</h2>
               </div>
             </div>
@@ -97,6 +97,7 @@ import NewClusterDialog from '@components/EdgeManager/EdgeClusters/NewClusterDia
 import NewEdgeDeploymentDialog from '@components/EdgeManager/Nodes/NewEdgeDeploymentDialog.vue'
 import NewConnectionDialog from '@components/EdgeManager/Connections/NewConnectionDialog.vue'
 import NewDeviceDialog from '@components/EdgeManager/Devices/NewDeviceDialog.vue'
+import { ACS_VERSION } from '@/lib/version.js'
 
 export default {
   name: 'App',
@@ -105,6 +106,7 @@ export default {
     const { escape } = useMagicKeys()
 
     return {
+      acs_version: ACS_VERSION,
       s: useServiceClientStore(),
       l: useLayoutStore(),
       escape,

acs-admin/src/lib/version.js

@@ -0,0 +1 @@
+export const ACS_VERSION = "(dev)";

acs-admin/src/pages/EdgeManager/EdgeClusters/hostColumns.ts

@@ -14,6 +14,7 @@ export interface Host {
     control_plane: boolean,
     os_version: string,
     ready: boolean,
+    specialised: string,
 }
 
 export const hostColumns: ColumnDef<Host>[] = [
@@ -77,6 +78,20 @@ export const hostColumns: ColumnDef<Host>[] = [
             return value.includes(row.getValue(id))
         },
     },
+    {
+        accessorKey: 'specialised',
+        accessorFn: (row) => row.specialised,
+        header: ({column}) => h(DataTableColumnHeader, {
+            column,
+            title: 'Taint'
+        }),
+        cell: ({row}) => {
+            return h('div', {class: 'max-w-[500px] truncate'}, row.getValue('specialised'))
+        },
+        filterFn: (row, id, value) => {
+            return value.includes(row.getValue(id))
+        },
+    },
     {
         accessorKey: 'ready',
         accessorFn: (row) => row.ready,

acs-auth/bin/authn.js

@@ -16,6 +16,7 @@ import AuthZ from "../lib/authz.js";
 import { DataFlow } from "../lib/dataflow.js";
 import { Loader } from "../lib/loader.js";
 import Model from "../lib/model.js";
+import { AuthNotify } from "../lib/notify.js";
 import Editor from "../lib/editor.js";
 
 import { GIT_VERSION } from "../lib/git-version.js";
@@ -26,6 +27,8 @@ const Version = "2.0.0";
 const fplus = new RxClient({ env: process.env });
 const debug = fplus.debug;
 
+debug.log("app", "Starting acs-auth revision %s", GIT_VERSION);
+
 const model  = await new Model({ debug, }).init();
 const data = new DataFlow({
     fplus, model,
@@ -73,5 +76,14 @@ const api = await new WebAPI({
     },
 }).init();
 
+const notify = new AuthNotify({
+    api, data,
+    debug:      fplus.debug,
+});
+
+debug.log("app", "Running data");
 data.run();
+debug.log("app", "Running notify");
+notify.run();
+debug.log("app", "Running api");
 api.run();

acs-auth/lib/api_v2.js

@@ -176,44 +176,31 @@ export class APIv2 {
     /* XXX The permissions here only handle Kerberos identities. */
 
     async id_list (req, res) {
-        const tok = await this.data.check_targ(req.auth, Perm.ReadKrb, true);
-        if (!tok) fail(403);
-
-        const ids = await this.data.find_identities(i => tok(i.uuid));
-        const rv = [...new Set(ids.map(i => i.uuid))];
+        const idr = await this.data.find_identities(req.auth);
 
-        return res.status(200).json(rv);
+        idr.uniq(i => i.uuid).toExpress(res);
     }
 
-    async _id_get_all (uuid, res) {
-        const ids = await this.data.find_identities(i => i.uuid == uuid);
-        if (!ids.length) fail(404);
+    async _id_get_all (upn, uuid, res) {
+        const idr = await this.data.find_identities(upn, { uuid });
 
-        const rv = Object.fromEntries(
-            ids.map(i => [i.kind, i.name])
-                .concat([["uuid", uuid]]));
-        return res.status(200).json(rv);
+        idr.map(ids => 
+            Object.fromEntries(
+                ids.map(i => [i.kind, i.name])
+                    .concat([["uuid", uuid]])))
+            .toExpress(res);
     }
 
     async id_get_all (req, res) {
         const { uuid } = req.params;
-        if (!valid_uuid(uuid)) fail(410);
-
-        await this.check_acl(req, Perm.ReadKrb, uuid);
-
-        return this._id_get_all(uuid, res);
+        return this._id_get_all(req.auth, uuid, res);
     }
 
     async id_get (req, res) {
         const { uuid, kind } = req.params;
-        if (!valid_uuid(uuid)) fail(410);
-
-        await this.check_acl(req, Perm.ReadKrb, uuid);
-
-        const id = await this.data.find_identities(i => i.uuid == uuid && i.kind == kind);
-        if (!id.length) fail(404);
 
-        return res.status(200).json(id[0].name);
+        const idr = await this.data.find_identities(req.auth, { uuid, kind });
+        idr.single().map(id => id.name).toExpress(res);
     }
 
     async _id_put (name, req, res) {
@@ -235,52 +222,37 @@ export class APIv2 {
     }
 
     async id_kinds (req, res) {
-        const ids = await this.data.find_identities();
-        const rv = [...new Set(ids.map(i => i.kind))]
-        return res.status(200).json(rv);
+        /* XXX This should not be hardcoded. But it cannot change at
+         * runtime. */
+        return res.status(200).json(["kerberos"]);
     }
 
     async id_list_kind (req, res) {
         const { kind } = req.params;
 
-        const tok = await this.data.check_targ(req.auth, Perm.ReadKrb, true);
-        if (!tok) fail(403);
-        
-        const ids = await this.data.find_identities(i => i.kind == kind);
-        if (!ids.length) fail(404);
-
-        const rv = ids
-            .filter(i => tok(i.uuid))
-            .map(i => i.name);
-
-        return res.status(200).json(rv);
+        const idr = await this.data.find_identities(req.auth, { kind });
+        idr.uniq(i => i.name).toExpress(res);
     }
 
     async id_find (req, res) {
         const { kind, name } = req.params;
 
-        const tok = await this.data.check_targ(req.auth, Perm.ReadKrb, true);
-        if (!tok) fail(403);
-
-        const ids = await this.data.find_identities(i => 
-            i.kind == kind && i.name == name && tok(i.uuid));
-        if (!ids.length) fail(404);
-
-        return res.status(200).json(ids[0].uuid);
+        const idr = await this.data.find_identities(req.auth, { kind, name });
+        idr.single().map(id => id.uuid).toExpress(res);
     }
 
     /* There is no auth check here; any authenticated user can look up
      * their own identities. This will only look up based on Kerberos
      * auth identity. */
 
     async id_whoami (req, res) {
-        const uuid = await this.data.whoami(req.auth);
+        const uuid = await this.data.find_kerberos(req.auth);
         if (!uuid) fail(404);
-        return this._id_get_all(uuid, res);
+        return this._id_get_all(this.data.root, uuid, res);
     }
 
     async id_whoami_uuid (req, res) {
-        const uuid = await this.data.whoami(req.auth);
+        const uuid = await this.data.find_kerberos(req.auth);
         if (!uuid) fail(404);
         return res.status(200).json(uuid);
     }

acs-auth/lib/authz.js

@@ -13,10 +13,11 @@ import { booleans, valid_krb, valid_uuid } from "./validate.js";
 
 export default class AuthZ {
     constructor(opts) {
-        this.debug  = opts.debug;
         this.model = opts.model;
         this.data = opts.data;
 
+        this.log = opts.debug.bound("authz");
+
         this.routes = this.setup_routes();
     }
 
@@ -84,17 +85,24 @@ export default class AuthZ {
         if (!valid_uuid(uuid))
             return res.status(410).end();
 
-        /* This API only ever returns Kerberos identities */
-        const id = await this.data.find_identities(i => 
-            i.uuid == uuid && i.kind == "kerberos");
-        const kerberos = id[0]?.name;
-
         /* The permissions here are odd for historical reasons. If the
          * principal turns out to be the client's they can look up
          * regardless. */
-        const tok = await this.data.check_targ(req.auth, Perm.ReadKrb, true);
-        if (!(kerberos == req.auth || tok?.(uuid)))
-            return res.status(403).end();
+
+        /* This API only ever returns Kerberos identities */
+        const idr = await this.data.find_identities(
+            this.data.root, { uuid, kind: "kerberos" });
+        const kerberos = idr.single().map(id => id.name).get();
+        this.log("Fetched krb %s", kerberos);
+
+        if (kerberos == req.auth) {
+            this.log("Permitting legacy exception for %s", req.auth);
+        }
+        else {
+            const tok = await this.data.check_targ(req.auth, Perm.ReadKrb, true);
+            if (!tok?.(uuid))
+                return res.status(403).end();
+        }
 
         if (!kerberos) return res.status(404).end();
         return res.status(200).json({ uuid, kerberos });