diff --git a/server/lib/ip.ts b/server/lib/ip.ts
index 805301bc..16a926f1 100644
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -274,13 +274,4 @@ export async function getNextAvailableOrgSubnet(): Promise {
 }
 return subnet;
-}
-
-export function isValidCidr(cidr: string): boolean {
- try {
- cidrToRange(cidr);
- return true;
- } catch (e) {
- return false;
- }
 }
\ No newline at end of file
diff --git a/server/routers/client/createClient.ts b/server/routers/client/createClient.ts
index 6448fb61..132cd344 100644
--- a/server/routers/client/createClient.ts
+++ b/server/routers/client/createClient.ts
@@ -9,7 +9,8 @@ import {
 userClients,
 olms,
 clientSites,
- exitNodes
+ exitNodes,
+ orgs
 } from "@server/db/schema";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -19,7 +20,8 @@ import { eq, and } from "drizzle-orm";
 import { fromError } from "zod-validation-error";
 import moment from "moment";
 import { hashPassword } from "@server/auth/password";
-import { isValidCIDR } from "@server/lib/validators";
+import { isValidCIDR, isValidIP } from "@server/lib/validators";
+import { isIpInCidr } from "@server/lib/ip";
 const createClientParamsSchema = z
 .object({
@@ -78,7 +80,7 @@ export async function createClient(
 );
 }
- if (subnet && !isValidCIDR(subnet)) {
+ if (subnet && !isValidIP(subnet)) {
 return next(
 createHttpError(
 HttpCode.BAD_REQUEST,
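Review bot: In the `-78,7 +80,7` hunk `subnet` now holds a single host address (it is checked with `isValidIP`), but the parameter, the local and the rejection branch that follows are still named and worded for a CIDR, and `isValidCIDR` stays imported in the `-19,7 +20,8` hunk although this was its only visible use. Either rename the local or put `// subnet here is a bare host address; the org's prefix length is appended before insert` above the check, and confirm that the zod schema description and the BAD_REQUEST message (both outside the hunk) no longer say "CIDR". createClient's body continues past this hunk.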
@@ -87,6 +89,31 @@ export async function createClient(
 );
 }
+ const [org] = await db
+ .select()
+ .from(orgs)
+ .where(eq(orgs.orgId, orgId));
+
+ if (!org) {
+ return next(
+ createHttpError(
+ HttpCode.NOT_FOUND,
+ `Organization with ID ${orgId} not found`
+ )
+ );
+ }
+
+ if (subnet && !isIpInCidr(subnet, org.subnet)) {
+ return next(
+ createHttpError(
+ HttpCode.BAD_REQUEST,
+ "IP is not in the CIDR range of the subnet."
+ )
+ );
+ }
+
+ const updatedSubnet = `${subnet}/${org.subnet.split("/")[1]}`; // we want the block size of the whole org
+
 await db.transaction(async (trx) => {
 // TODO: more intelligent way to pick the exit node
@@ -123,7 +150,7 @@ export async function createClient(
 exitNodeId: exitNode.exitNodeId,
 orgId,
 name,
- subnet,
+ subnet: updatedSubnet,
 type
 })
 .returning();
diff --git a/server/routers/client/pickClientDefaults.ts b/server/routers/client/pickClientDefaults.ts
index 32bcb45c..f4b08f49 100644
--- a/server/routers/client/pickClientDefaults.ts
+++ b/server/routers/client/pickClientDefaults.ts
@@ -44,7 +44,7 @@ export async function pickClientDefaults(
 const newSubnet = await getNextAvailableClientSubnet(orgId);
- const subnet = `${newSubnet.split("/")[0]}/${config.getRawConfig().orgs.block_size}`; // we want the block size of the whole org
+ const subnet = newSubnet.split("/")[0];
 return response(res, {
 data: {
diff --git a/server/routers/newt/handleGetConfigMessage.ts b/server/routers/newt/handleGetConfigMessage.ts
index 6c4ace06..eb27bc64 100644
--- a/server/routers/newt/handleGetConfigMessage.ts
+++ b/server/routers/newt/handleGetConfigMessage.ts
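Review bot: `updatedSubnet` is built unconditionally, so a request that omits the optional `subnet` (the guards above it all use `subnet && …`) now inserts the literal string `undefined/<prefix>` at the `subnet: updatedSubnet` line of the `-123,7 +150,7` hunk, where the old code inserted `subnet` as given. Guard it: `const updatedSubnet = subnet ? \`${subnet}/${org.subnet.split("/")[1]}\` : undefined;`, or reject a missing subnet explicitly if it is now required. The `isIpInCidr` check only proves the caller-supplied address lies inside `org.subnet`; unless the insert is covered by a uniqueness constraint or a check outside this hunk, nothing here rejects an address already assigned to another client in the org, and whether `isIpInCidr` excludes the network and broadcast addresses is not visible from this diff — worth confirming against the schema and the helper. `org.subnet.split("/")[1]` also yields `undefined` if that column can hold a bare address; the schema is not in view, so this is a question rather than a finding.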
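Review bot: In the pickClientDefaults `-44,7 +44,7` hunk the response field is still called `subnet` while the value at the changed line is now a bare host address, and `newSubnet.split("/")[0]` is `string | undefined` under `noUncheckedIndexedAccess`. Document the contract on that line, e.g. `// host address only; the org's prefix length is attached by createClient`, or rename the field if the API permits. If this was the file's only use of `config`, that import is now unused; it is outside the hunk. pickClientDefaults continues past the hunk.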
@@ -73,6 +73,8 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
 return;
 }
+ // TODO: WE NEED TO PULL THE CIDR FROM THE DB SUBNET ON THE ORG INSTEAD BECAUSE IT CAN BE DIFFERENT
+ // TODO: SOMEHOW WE NEED TO ALLOW THEM TO PUT IN THEIR OWN ADDRESS
 address = `${address.split("/")[0]}/${config.getRawConfig().orgs.block_size}`; // we want the block size of the whole org
 // Update the site with new WireGuard info
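Review bot: The added TODOs leave this handler deriving the prefix length from `config.getRawConfig().orgs.block_size` while createClient.ts in the same commit takes it from `org.subnet`, so a site address and a client address in one org get different prefix lengths whenever the org's stored subnet differs from the global block size — the first TODO names exactly this. If the org row is reachable here, `org.subnet.split("/")[1]` in place of the config lookup would close the gap; if not, at least write the TODOs in normal case and name the record to consult, e.g. `// TODO: derive the prefix length from orgs.subnet (see createClient.ts); the global block_size can differ per org`. The handler's body continues outside the hunk.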