Merge pull request #276 from lorenzomigliorero/feat/shared-ssh

feat: shared ssh

server/api/root.ts

@@ -23,6 +23,7 @@ import { redisRouter } from "./routers/redis";
 import { registryRouter } from "./routers/registry";
 import { securityRouter } from "./routers/security";
 import { settingsRouter } from "./routers/settings";
+import { sshRouter } from "./routers/ssh-key";
 import { userRouter } from "./routers/user";
 
 /**
@@ -56,6 +57,7 @@ export const appRouter = createTRPCRouter({
 	registry: registryRouter,
 	cluster: clusterRouter,
 	notification: notificationRouter,
+	sshKey: sshRouter,
 });
 
 // export type definition of API

server/api/routers/application.ts

@@ -31,11 +31,6 @@ import {
 	removeDirectoryCode,
 	removeMonitoringDirectory,
 } from "@/server/utils/filesystem/directory";
-import {
-	generateSSHKey,
-	readRSAFile,
-	removeRSAFiles,
-} from "@/server/utils/filesystem/ssh";
 import {
 	readConfig,
 	removeTraefikConfig,
@@ -130,7 +125,6 @@ export const applicationRouter = createTRPCRouter({
 				async () => await removeMonitoringDirectory(application?.appName),
 				async () => await removeTraefikConfig(application?.appName),
 				async () => await removeService(application?.appName),
-				async () => await removeRSAFiles(application?.appName),
 			];
 
 			for (const operation of cleanupOperations) {
@@ -235,36 +229,11 @@ export const applicationRouter = createTRPCRouter({
 				customGitBranch: input.customGitBranch,
 				customGitBuildPath: input.customGitBuildPath,
 				customGitUrl: input.customGitUrl,
+				customGitSSHKeyId: input.customGitSSHKeyId,
 				sourceType: "git",
 				applicationStatus: "idle",
 			});
 
-			return true;
-		}),
-	generateSSHKey: protectedProcedure
-		.input(apiFindOneApplication)
-		.mutation(async ({ input }) => {
-			const application = await findApplicationById(input.applicationId);
-			try {
-				await generateSSHKey(application.appName);
-				const file = await readRSAFile(application.appName);
-
-				await updateApplication(input.applicationId, {
-					customGitSSHKey: file,
-				});
-			} catch (error) {}
-
-			return true;
-		}),
-	removeSSHKey: protectedProcedure
-		.input(apiFindOneApplication)
-		.mutation(async ({ input }) => {
-			const application = await findApplicationById(input.applicationId);
-			await removeRSAFiles(application.appName);
-			await updateApplication(input.applicationId, {
-				customGitSSHKey: null,
-			});
-
 			return true;
 		}),
 	markRunning: protectedProcedure

server/api/routers/compose.ts

@@ -16,11 +16,6 @@ import { myQueue } from "@/server/queues/queueSetup";
 import { createCommand } from "@/server/utils/builders/compose";
 import { randomizeComposeFile } from "@/server/utils/docker/compose";
 import { removeComposeDirectory } from "@/server/utils/filesystem/directory";
-import {
-	generateSSHKey,
-	readRSAFile,
-	removeRSAFiles,
-} from "@/server/utils/filesystem/ssh";
 import { templates } from "@/templates/templates";
 import type { TemplatesKeys } from "@/templates/types/templates-data.type";
 import {
@@ -102,7 +97,6 @@ export const composeRouter = createTRPCRouter({
 				async () => await removeCompose(composeResult),
 				async () => await removeDeploymentsByComposeId(composeResult),
 				async () => await removeComposeDirectory(composeResult.appName),
-				async () => await removeRSAFiles(composeResult.appName),
 			];
 
 			for (const operation of cleanupOperations) {
@@ -181,38 +175,12 @@ export const composeRouter = createTRPCRouter({
 			const command = createCommand(compose);
 			return `docker ${command}`;
 		}),
-	generateSSHKey: protectedProcedure
-		.input(apiFindCompose)
-		.mutation(async ({ input }) => {
-			const compose = await findComposeById(input.composeId);
-			try {
-				await generateSSHKey(compose.appName);
-				const file = await readRSAFile(compose.appName);
-
-				await updateCompose(input.composeId, {
-					customGitSSHKey: file,
-				});
-			} catch (error) {}
-
-			return true;
-		}),
 	refreshToken: protectedProcedure
 		.input(apiFindCompose)
 		.mutation(async ({ input }) => {
 			await updateCompose(input.composeId, {
 				refreshToken: nanoid(),
 			});
-			return true;
-		}),
-	removeSSHKey: protectedProcedure
-		.input(apiFindCompose)
-		.mutation(async ({ input }) => {
-			const compose = await findComposeById(input.composeId);
-			await removeRSAFiles(compose.appName);
-			await updateCompose(input.composeId, {
-				customGitSSHKey: null,
-			});
-
 			return true;
 		}),
 	deployTemplate: protectedProcedure

server/api/routers/ssh-key.ts

@@ -0,0 +1,70 @@
+import {
+	adminProcedure,
+	createTRPCRouter,
+	protectedProcedure,
+} from "@/server/api/trpc";
+import { db } from "@/server/db";
+import {
+	apiCreateSshKey,
+	apiFindOneSshKey,
+	apiGenerateSSHKey,
+	apiRemoveSshKey,
+	apiUpdateSshKey,
+} from "@/server/db/schema";
+import { generateSSHKey } from "@/server/utils/filesystem/ssh";
+import { TRPCError } from "@trpc/server";
+import {
+	createSshKey,
+	findSSHKeyById,
+	removeSSHKeyById,
+	updateSSHKeyById,
+} from "../services/ssh-key";
+
+export const sshRouter = createTRPCRouter({
+	create: protectedProcedure
+		.input(apiCreateSshKey)
+		.mutation(async ({ input }) => {
+			try {
+				await createSshKey(input);
+			} catch (error) {
+				throw new TRPCError({
+					code: "BAD_REQUEST",
+					message: "Error to create the ssh key",
+					cause: error,
+				});
+			}
+		}),
+	remove: adminProcedure.input(apiRemoveSshKey).mutation(async ({ input }) => {
+		try {
+			return await removeSSHKeyById(input.sshKeyId);
+		} catch (error) {
+			throw new TRPCError({
+				code: "BAD_REQUEST",
+				message: "Error to delete this ssh key",
+			});
+		}
+	}),
+	one: protectedProcedure.input(apiFindOneSshKey).query(async ({ input }) => {
+		const sshKey = await findSSHKeyById(input.sshKeyId);
+		return sshKey;
+	}),
+	all: adminProcedure.query(async () => {
+		return await db.query.sshKeys.findMany({});
+	}),
+	generate: protectedProcedure
+		.input(apiGenerateSSHKey)
+		.mutation(async ({ input }) => {
+			return await generateSSHKey(input);
+		}),
+	update: adminProcedure.input(apiUpdateSshKey).mutation(async ({ input }) => {
+		try {
+			return await updateSSHKeyById(input);
+		} catch (error) {
+			throw new TRPCError({
+				code: "BAD_REQUEST",
+				message: "Error to update this ssh key",
+				cause: error,
+			});
+		}
+	}),
+});

server/api/services/ssh-key.ts

@@ -0,0 +1,78 @@
+import { db } from "@/server/db";
+import {
+	type apiCreateSshKey,
+	type apiFindOneSshKey,
+	type apiRemoveSshKey,
+	type apiUpdateSshKey,
+	sshKeys,
+} from "@/server/db/schema";
+import { removeSSHKey, saveSSHKey } from "@/server/utils/filesystem/ssh";
+import { TRPCError } from "@trpc/server";
+import { eq } from "drizzle-orm";
+
+export const createSshKey = async ({
+	privateKey,
+	...input
+}: typeof apiCreateSshKey._type) => {
+	await db.transaction(async (tx) => {
+		const sshKey = await tx
+			.insert(sshKeys)
+			.values(input)
+			.returning()
+			.then((response) => response[0])
+			.catch((e) => console.error(e));
+
+		if (sshKey) {
+			saveSSHKey(sshKey.sshKeyId, sshKey.publicKey, privateKey);
+		}
+
+		if (!sshKey) {
+			throw new TRPCError({
+				code: "BAD_REQUEST",
+				message: "Error to create the ssh key",
+			});
+		}
+		return sshKey;
+	});
+};
+
+export const removeSSHKeyById = async (
+	sshKeyId: (typeof apiRemoveSshKey._type)["sshKeyId"],
+) => {
+	const result = await db
+		.delete(sshKeys)
+		.where(eq(sshKeys.sshKeyId, sshKeyId))
+		.returning();
+
+	removeSSHKey(sshKeyId);
+
+	return result[0];
+};
+
+export const updateSSHKeyById = async ({
+	sshKeyId,
+	...input
+}: typeof apiUpdateSshKey._type) => {
+	const result = await db
+		.update(sshKeys)
+		.set(input)
+		.where(eq(sshKeys.sshKeyId, sshKeyId))
+		.returning();
+
+	return result[0];
+};
+
+export const findSSHKeyById = async (
+	sshKeyId: (typeof apiFindOneSshKey._type)["sshKeyId"],
+) => {
+	const sshKey = await db.query.sshKeys.findFirst({
+		where: eq(sshKeys.sshKeyId, sshKeyId),
+	});
+	if (!sshKey) {
+		throw new TRPCError({
+			code: "NOT_FOUND",
+			message: "SSH Key not found",
+		});
+	}
+	return sshKey;
+};

server/db/schema/application.ts

@@ -20,6 +20,7 @@ import { redirects } from "./redirects";
 import { registry } from "./registry";
 import { security } from "./security";
 import { applicationStatus } from "./shared";
+import { sshKeys } from "./ssh-key";
 import { generateAppName } from "./utils";
 
 export const sourceType = pgEnum("sourceType", [
@@ -132,7 +133,12 @@ export const applications = pgTable("application", {
 	customGitUrl: text("customGitUrl"),
 	customGitBranch: text("customGitBranch"),
 	customGitBuildPath: text("customGitBuildPath"),
-	customGitSSHKey: text("customGitSSHKey"),
+	customGitSSHKeyId: text("customGitSSHKeyId").references(
+		() => sshKeys.sshKeyId,
+		{
+			onDelete: "set null",
+		},
+	),
 	dockerfile: text("dockerfile"),
 	// Drop
 	dropBuildPath: text("dropBuildPath"),
@@ -170,6 +176,10 @@ export const applicationsRelations = relations(
 			references: [projects.projectId],
 		}),
 		deployments: many(deployments),
+		customGitSSHKey: one(sshKeys, {
+			fields: [applications.customGitSSHKeyId],
+			references: [sshKeys.sshKeyId],
+		}),
 		domains: many(domains),
 		mounts: many(mounts),
 		redirects: many(redirects),
@@ -289,7 +299,7 @@ const createSchema = createInsertSchema(applications, {
 	dockerImage: z.string().optional(),
 	username: z.string().optional(),
 	password: z.string().optional(),
-	customGitSSHKey: z.string().optional(),
+	customGitSSHKeyId: z.string().optional(),
 	repository: z.string().optional(),
 	dockerfile: z.string().optional(),
 	branch: z.string().optional(),
@@ -371,7 +381,12 @@ export const apiSaveGitProvider = createSchema
 		customGitBuildPath: true,
 		customGitUrl: true,
 	})
-	.required();
+	.required()
+	.merge(
+		createSchema.pick({
+			customGitSSHKeyId: true,
+		}),
+	);
 
 export const apiSaveEnvironmentVariables = createSchema
 	.pick({

server/db/schema/compose.ts

@@ -1,3 +1,4 @@
+import { sshKeys } from "@/server/db/schema/ssh-key";
 import { generatePassword } from "@/templates/utils";
 import { relations } from "drizzle-orm";
 import { boolean, pgEnum, pgTable, text } from "drizzle-orm/pg-core";
@@ -41,7 +42,12 @@ export const compose = pgTable("compose", {
 	// Git
 	customGitUrl: text("customGitUrl"),
 	customGitBranch: text("customGitBranch"),
-	customGitSSHKey: text("customGitSSHKey"),
+	customGitSSHKeyId: text("customGitSSHKeyId").references(
+		() => sshKeys.sshKeyId,
+		{
+			onDelete: "set null",
+		},
+	),
 	//
 	command: text("command").notNull().default(""),
 	//
@@ -62,6 +68,10 @@ export const composeRelations = relations(compose, ({ one, many }) => ({
 	}),
 	deployments: many(deployments),
 	mounts: many(mounts),
+	customGitSSHKey: one(sshKeys, {
+		fields: [compose.customGitSSHKeyId],
+		references: [sshKeys.sshKeyId],
+	}),
 }));
 
 const createSchema = createInsertSchema(compose, {
@@ -70,6 +80,7 @@ const createSchema = createInsertSchema(compose, {
 	env: z.string().optional(),
 	composeFile: z.string().min(1),
 	projectId: z.string(),
+	customGitSSHKeyId: z.string().optional(),
 	command: z.string().optional(),
 	composePath: z.string().min(1),
 	composeType: z.enum(["docker-compose", "stack"]).optional(),

server/db/schema/index.ts

@@ -22,3 +22,4 @@ export * from "./shared";
 export * from "./compose";
 export * from "./registry";
 export * from "./notification";
+export * from "./ssh-key";

server/db/schema/ssh-key.ts

@@ -0,0 +1,69 @@
+import { applications } from "@/server/db/schema/application";
+import { compose } from "@/server/db/schema/compose";
+import { sshKeyCreate, sshKeyType } from "@/server/db/validations";
+import { relations } from "drizzle-orm";
+import { pgTable, text, time } from "drizzle-orm/pg-core";
+import { createInsertSchema } from "drizzle-zod";
+import { nanoid } from "nanoid";
+
+export const sshKeys = pgTable("ssh-key", {
+	sshKeyId: text("sshKeyId")
+		.notNull()
+		.primaryKey()
+		.$defaultFn(() => nanoid()),
+	publicKey: text("publicKey").notNull(),
+	name: text("name").notNull(),
+	description: text("description"),
+	createdAt: text("createdAt")
+		.notNull()
+		.$defaultFn(() => new Date().toISOString()),
+	lastUsedAt: text("lastUsedAt"),
+});
+
+export const sshKeysRelations = relations(sshKeys, ({ many }) => ({
+	applications: many(applications),
+	compose: many(compose),
+}));
+
+const createSchema = createInsertSchema(
+	sshKeys,
+	/* Private key is not stored in the DB */
+	sshKeyCreate.omit({ privateKey: true }).shape,
+);
+
+export const apiCreateSshKey = createSchema
+	.pick({
+		name: true,
+		description: true,
+		publicKey: true,
+	})
+	.merge(sshKeyCreate.pick({ privateKey: true }));
+
+export const apiFindOneSshKey = createSchema
+	.pick({
+		sshKeyId: true,
+	})
+	.required();
+
+export const apiGenerateSSHKey = sshKeyType;
+
+export const apiRemoveSshKey = createSchema
+	.pick({
+		sshKeyId: true,
+	})
+	.required();
+
+export const apiUpdateSshKey = createSchema
+	.pick({
+		name: true,
+		description: true,
+		lastUsedAt: true,
+	})
+	.partial()
+	.merge(
+		createSchema
+			.pick({
+				sshKeyId: true,
+			})
+			.required(),
+	);

server/db/validations/index.ts

@@ -1,5 +1,39 @@
 import { z } from "zod";
 
+export const sshKeyCreate = z.object({
+	name: z.string().min(1),
+	description: z.string().optional(),
+	publicKey: z.string().refine(
+		(key) => {
+			const rsaPubPattern = /^ssh-rsa\s+([A-Za-z0-9+/=]+)\s*(.*)?\s*$/;
+			const ed25519PubPattern = /^ssh-ed25519\s+([A-Za-z0-9+/=]+)\s*(.*)?\s*$/;
+			return rsaPubPattern.test(key) || ed25519PubPattern.test(key);
+		},
+		{
+			message: "Invalid public key format",
+		},
+	),
+	privateKey: z.string().refine(
+		(key) => {
+			const rsaPrivPattern =
+				/^-----BEGIN RSA PRIVATE KEY-----\n([A-Za-z0-9+/=\n]+)-----END RSA PRIVATE KEY-----\s*$/;
+			const ed25519PrivPattern =
+				/^-----BEGIN OPENSSH PRIVATE KEY-----\n([A-Za-z0-9+/=\n]+)-----END OPENSSH PRIVATE KEY-----\s*$/;
+			return rsaPrivPattern.test(key) || ed25519PrivPattern.test(key);
+		},
+		{
+			message: "Invalid private key format",
+		},
+	),
+});
+
+export const sshKeyUpdate = sshKeyCreate.pick({
+	name: true,
+	description: true,
+});
+
+export const sshKeyType = z.enum(["rsa", "ed25519"]).optional();
+
 export const domain = z
 	.object({
 		host: z.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9\.-]*\.[a-zA-Z]{2,}$/, {

server/setup/config-paths.ts

@@ -1,3 +1,4 @@
+import { spawnSync } from "node:child_process";
 import { chmodSync, existsSync, mkdirSync } from "node:fs";
 import {
 	APPLICATIONS_PATH,
@@ -33,7 +34,7 @@ export const setupDirectories = () => {
 		try {
 			createDirectoryIfNotExist(dir);
 			if (dir === SSH_PATH) {
-				chmodSync(SSH_PATH, "600");
+				chmodSync(SSH_PATH, "700");
 			}
 		} catch (error) {
 			console.log(error, " On path: ", dir);

server/utils/filesystem/ssh.ts

@@ -3,57 +3,90 @@ import * as path from "node:path";
 import { SSH_PATH } from "@/server/constants";
 import { spawnAsync } from "../process/spawnAsync";
 
-export const generateSSHKey = async (appName: string) => {
+const readSSHKey = async (id: string) => {
+	try {
+		if (!fs.existsSync(SSH_PATH)) {
+			fs.mkdirSync(SSH_PATH, { recursive: true });
+		}
+
+		return {
+			privateKey: fs.readFileSync(path.join(SSH_PATH, `${id}_rsa`), {
+				encoding: "utf-8",
+			}),
+			publicKey: fs.readFileSync(path.join(SSH_PATH, `${id}_rsa.pub`), {
+				encoding: "utf-8",
+			}),
+		};
+	} catch (error) {
+		throw error;
+	}
+};
+
+export const saveSSHKey = async (
+	id: string,
+	publicKey: string,
+	privateKey: string,
+) => {
+	const applicationDirectory = SSH_PATH;
+
+	const privateKeyPath = path.join(applicationDirectory, `${id}_rsa`);
+	const publicKeyPath = path.join(applicationDirectory, `${id}_rsa.pub`);
+
+	const privateKeyStream = fs.createWriteStream(privateKeyPath, {
+		mode: 0o600,
+	});
+	privateKeyStream.write(privateKey);
+	privateKeyStream.end();
+
+	fs.writeFileSync(publicKeyPath, publicKey);
+};
+
+export const generateSSHKey = async (type: "rsa" | "ed25519" = "rsa") => {
 	const applicationDirectory = SSH_PATH;
 
 	if (!fs.existsSync(applicationDirectory)) {
 		fs.mkdirSync(applicationDirectory, { recursive: true });
 	}
 
-	const keyPath = path.join(applicationDirectory, `${appName}_rsa`);
+	const keyPath = path.join(applicationDirectory, "temp_rsa");
 
 	if (fs.existsSync(`${keyPath}`)) {
 		fs.unlinkSync(`${keyPath}`);
 	}
+
 	if (fs.existsSync(`${keyPath}.pub`)) {
 		fs.unlinkSync(`${keyPath}.pub`);
 	}
+
 	const args = [
 		"-t",
-		"rsa",
+		type,
 		"-b",
 		"4096",
 		"-C",
 		"dokploy",
+		"-m",
+		"PEM",
 		"-f",
 		keyPath,
 		"-N",
 		"",
 	];
+
 	try {
 		await spawnAsync("ssh-keygen", args);
-		return keyPath;
-	} catch (error) {
-		throw error;
-	}
-};
-export const readRSAFile = async (appName: string) => {
-	try {
-		if (!fs.existsSync(SSH_PATH)) {
-			fs.mkdirSync(SSH_PATH, { recursive: true });
-		}
-		const keyPath = path.join(SSH_PATH, `${appName}_rsa.pub`);
-		const data = fs.readFileSync(keyPath, { encoding: "utf-8" });
+		const data = await readSSHKey("temp");
+		await removeSSHKey("temp");
 		return data;
 	} catch (error) {
 		throw error;
 	}
 };
 
-export const removeRSAFiles = async (appName: string) => {
+export const removeSSHKey = async (id: string) => {
 	try {
-		const publicKeyPath = path.join(SSH_PATH, `${appName}_rsa.pub`);
-		const privateKeyPath = path.join(SSH_PATH, `${appName}_rsa`);
+		const publicKeyPath = path.join(SSH_PATH, `${id}_rsa.pub`);
+		const privateKeyPath = path.join(SSH_PATH, `${id}_rsa`);
 		await fs.promises.unlink(publicKeyPath);
 		await fs.promises.unlink(privateKeyPath);
 	} catch (error) {

server/utils/providers/git.ts

@@ -1,5 +1,6 @@
 import { createWriteStream } from "node:fs";
 import path, { join } from "node:path";
+import { updateSSHKeyById } from "@/server/api/services/ssh-key";
 import { APPLICATIONS_PATH, COMPOSE_PATH, SSH_PATH } from "@/server/constants";
 import { TRPCError } from "@trpc/server";
 import { recreateDirectory } from "../filesystem/directory";
@@ -11,12 +12,12 @@ export const cloneGitRepository = async (
 		appName: string;
 		customGitUrl?: string | null;
 		customGitBranch?: string | null;
-		customGitSSHKey?: string | null;
+		customGitSSHKeyId?: string | null;
 	},
 	logPath: string,
 	isCompose = false,
 ) => {
-	const { appName, customGitUrl, customGitBranch, customGitSSHKey } = entity;
+	const { appName, customGitUrl, customGitBranch, customGitSSHKeyId } = entity;
 
 	if (!customGitUrl || !customGitBranch) {
 		throw new TRPCError({
@@ -26,7 +27,7 @@ export const cloneGitRepository = async (
 	}
 
 	const writeStream = createWriteStream(logPath, { flags: "a" });
-	const keyPath = path.join(SSH_PATH, `${appName}_rsa`);
+	const keyPath = path.join(SSH_PATH, `${customGitSSHKeyId}_rsa`);
 	const basePath = isCompose ? COMPOSE_PATH : APPLICATIONS_PATH;
 	const outputPath = join(basePath, appName, "code");
 	const knownHostsPath = path.join(SSH_PATH, "known_hosts");
@@ -40,6 +41,13 @@ export const cloneGitRepository = async (
 			`\nCloning Repo Custom ${customGitUrl} to ${outputPath}: ✅\n`,
 		);
 
+		if (customGitSSHKeyId) {
+			await updateSSHKeyById({
+				sshKeyId: customGitSSHKeyId,
+				lastUsedAt: new Date().toISOString(),
+			});
+		}
+
 		await spawnAsync(
 			"git",
 			[
@@ -60,12 +68,13 @@ export const cloneGitRepository = async (
 			{
 				env: {
 					...process.env,
-					...(customGitSSHKey && {
+					...(customGitSSHKeyId && {
 						GIT_SSH_COMMAND: `ssh -i ${keyPath} -o UserKnownHostsFile=${knownHostsPath}`,
 					}),
 				},
 			},
 		);
+
 		writeStream.write(`\nCloned Custom Git ${customGitUrl}: ✅\n`);
 	} catch (error) {
 		writeStream.write(`\nERROR Cloning Custom Git: ${error}: ❌\n`);