@serve.zone/dcrouter 13.43.1 → 13.43.3

package/ts_web/elements/network/ops-view-routes.ts

@@ -24,10 +24,7 @@ const tlsCertOptions = [
   { key: 'auto', option: 'Auto (ACME/Let\'s Encrypt)' },
   { key: 'custom', option: 'Custom certificate' },
 ];
-const sourcePolicyPresetOptions = [
-  { key: 'manual', option: 'Manual source policy' },
-  { key: 'gitea', option: 'Gitea bot protection' },
-];
+const maxSourceBindingRows = 16;
 const giteaSourcePolicyProfileNames = ['TRUSTED NETWORKS', 'AI CRAWLERS', 'PUBLIC'] as const;
 
 function rateLimit(maxRequests: number): interfaces.data.IRouteSecurity['rateLimit'] {
@@ -38,10 +35,10 @@ function getDropdownKey(value: any): string {
   return typeof value === 'string' ? value : value?.key || '';
 }
 
-function getSourcePolicyRefsFromFormData(formData: Record<string, any>): string[] {
+function getSourceBindingRefsFromFormData(formData: Record<string, any>): string[] {
   const refs: string[] = [];
-  for (let index = 0; index < 4; index++) {
-    const ref = getDropdownKey(formData[`sourcePolicyProfileRef${index}`]);
+  for (let index = 0; index < maxSourceBindingRows; index++) {
+    const ref = getDropdownKey(formData[`sourceBindingProfileRef${index}`]);
     if (ref && !refs.includes(ref)) {
       refs.push(ref);
     }
@@ -49,25 +46,23 @@ function getSourcePolicyRefsFromFormData(formData: Record<string, any>): string[
   return refs;
 }
 
-function buildSourcePolicyMetadata(
+function buildSourceBindingsMetadata(
   profileRefs: string[],
-  existingSourcePolicy?: interfaces.data.IRouteSourcePolicy,
-): interfaces.data.IRouteSourcePolicy {
-  return {
-    bindings: profileRefs.map((sourceProfileRef) => {
-      const existingBinding = existingSourcePolicy?.bindings.find((binding) => binding.sourceProfileRef === sourceProfileRef);
-      return existingBinding
-        ? {
-            ...existingBinding,
-            sourceProfileRef,
-            onExceeded: existingBinding.onExceeded || { type: '429' as const },
-          }
-        : {
-            sourceProfileRef,
-            onExceeded: { type: '429' as const },
-          };
-    }),
-  };
+  existingSourceBindings?: interfaces.data.IRouteSourceBinding[],
+): interfaces.data.IRouteSourceBinding[] {
+  return profileRefs.map((sourceProfileRef) => {
+    const existingBinding = existingSourceBindings?.find((binding) => binding.sourceProfileRef === sourceProfileRef);
+    return existingBinding
+      ? {
+          ...existingBinding,
+          sourceProfileRef,
+          onExceeded: existingBinding.onExceeded || { type: '429' as const },
+        }
+      : {
+          sourceProfileRef,
+          onExceeded: { type: '429' as const },
+        };
+  });
 }
 
 function getGiteaPresetProfileRefs(profiles: interfaces.data.ISourceProfile[]): {
@@ -87,56 +82,54 @@ function getGiteaPresetProfileRefs(profiles: interfaces.data.ISourceProfile[]):
   return { refs, missingNames };
 }
 
-function buildGiteaSourcePolicyMetadata(profileRefs: string[]): interfaces.data.IRouteSourcePolicy {
+function buildGiteaSourceBindingsMetadata(profileRefs: string[]): interfaces.data.IRouteSourceBinding[] {
   const [trustedRef, aiRef, publicRef] = profileRefs;
-  return {
-    bindings: [
-      {
-        sourceProfileRef: trustedRef,
-        onExceeded: { type: '429' as const },
-      },
-      {
-        sourceProfileRef: aiRef,
-        onExceeded: { type: '429' as const },
-        pathPolicies: [
-          { pathClass: 'git-smart-http', rateLimit: rateLimit(1200) },
-          { pathClass: 'static', rateLimit: rateLimit(240) },
-          { pathClass: 'raw', rateLimit: rateLimit(20) },
-          { pathClass: 'archive', rateLimit: rateLimit(6) },
-          { pathClass: 'expensive-html', rateLimit: rateLimit(6) },
-          { pathClass: 'normal-html', rateLimit: rateLimit(20) },
-        ],
-      },
-      {
-        sourceProfileRef: publicRef,
-        onExceeded: { type: '429' as const },
-        pathPolicies: [
-          { pathClass: 'git-smart-http', rateLimit: rateLimit(1200) },
-          { pathClass: 'static', rateLimit: rateLimit(600) },
-          { pathClass: 'raw', rateLimit: rateLimit(120) },
-          { pathClass: 'archive', rateLimit: rateLimit(30) },
-          { pathClass: 'expensive-html', rateLimit: rateLimit(30) },
-          { pathClass: 'normal-html', rateLimit: rateLimit(120) },
-        ],
-      },
-    ],
-  };
+  return [
+    {
+      sourceProfileRef: trustedRef,
+      onExceeded: { type: '429' as const },
+    },
+    {
+      sourceProfileRef: aiRef,
+      onExceeded: { type: '429' as const },
+      pathPolicies: [
+        { pathClass: 'git-smart-http', rateLimit: rateLimit(1200) },
+        { pathClass: 'static', rateLimit: rateLimit(240) },
+        { pathClass: 'raw', rateLimit: rateLimit(20) },
+        { pathClass: 'archive', rateLimit: rateLimit(6) },
+        { pathClass: 'expensive-html', rateLimit: rateLimit(6) },
+        { pathClass: 'normal-html', rateLimit: rateLimit(20) },
+      ],
+    },
+    {
+      sourceProfileRef: publicRef,
+      onExceeded: { type: '429' as const },
+      pathPolicies: [
+        { pathClass: 'git-smart-http', rateLimit: rateLimit(1200) },
+        { pathClass: 'static', rateLimit: rateLimit(600) },
+        { pathClass: 'raw', rateLimit: rateLimit(120) },
+        { pathClass: 'archive', rateLimit: rateLimit(30) },
+        { pathClass: 'expensive-html', rateLimit: rateLimit(30) },
+        { pathClass: 'normal-html', rateLimit: rateLimit(120) },
+      ],
+    },
+  ];
 }
 
-function getGiteaPresetSourcePolicy(profiles: interfaces.data.ISourceProfile[]): interfaces.data.IRouteSourcePolicy | null {
+function getGiteaPresetSourceBindings(profiles: interfaces.data.ISourceProfile[]): interfaces.data.IRouteSourceBinding[] | null {
   const { refs, missingNames } = getGiteaPresetProfileRefs(profiles);
   if (missingNames.length > 0) {
     alert(`Gitea source-policy preset needs these seeded profiles: ${missingNames.join(', ')}`);
     return null;
   }
-  if (!validateSourcePolicySelection(refs, profiles)) {
+  if (!validateSourceBindingSelection(refs, profiles)) {
     return null;
   }
-  return buildGiteaSourcePolicyMetadata(refs);
+  return buildGiteaSourceBindingsMetadata(refs);
 }
 
 function metadataUsesPathPolicies(metadata?: interfaces.data.IRouteMetadata): boolean {
-  return Boolean(metadata?.sourcePolicy?.bindings.some((binding) => binding.pathPolicies?.length));
+  return Boolean(metadata?.sourceBindings?.some((binding) => binding.pathPolicies?.length));
 }
 
 function sourceProfileMatchesAll(profile: interfaces.data.ISourceProfile): boolean {
@@ -153,7 +146,7 @@ function sourceProfileHasSourceMatches(profile: interfaces.data.ISourceProfile):
   });
 }
 
-function validateSourcePolicySelection(
+function validateSourceBindingSelection(
   profileRefs: string[],
   profiles: interfaces.data.ISourceProfile[],
 ): boolean {
@@ -176,19 +169,14 @@ function validateSourcePolicySelection(
     return false;
   }
 
-  const fallbackProfile = selectedProfiles[selectedProfiles.length - 1];
-  if (!sourceProfileMatchesAll(fallbackProfile)) {
-    alert('Source policy needs an explicit public/wildcard fallback profile as the last binding. Add a profile with IP Allow List "*".');
-    return false;
-  }
-
   if (selectedProfiles.slice(0, -1).some((profile) => sourceProfileMatchesAll(profile))) {
     alert('Wildcard source profiles must be last. Earlier wildcard profiles would shadow all following profiles.');
     return false;
   }
 
-  if (fallbackProfile.security?.rateLimit?.enabled !== true) {
-    return confirm(`The fallback profile "${fallbackProfile.name}" has no enabled rate limit. Save anyway?`);
+  const fallbackProfile = selectedProfiles[selectedProfiles.length - 1];
+  if (sourceProfileMatchesAll(fallbackProfile) && fallbackProfile.security?.rateLimit?.enabled !== true) {
+    return confirm(`The wildcard profile "${fallbackProfile.name}" has no enabled rate limit. Save anyway?`);
   }
 
   return true;
@@ -521,7 +509,7 @@ export class OpsViewRoutes extends DeesElement {
 
     const meta = merged.metadata;
     const isSystemManaged = this.isSystemManagedRoute(merged);
-    const sourcePolicySummary = this.describeSourcePolicy(meta);
+    const sourceBindingSummary = this.describeSourcePolicy(meta);
     await DeesModal.createAndShow({
       heading: `Route: ${merged.route.name}`,
       content: html`
@@ -531,7 +519,7 @@ export class OpsViewRoutes extends DeesElement {
           ${merged.route.vpnOnly ? html`<p>Access: <strong style="color: #22c55e;">VPN only</strong></p>` : ''}
           <p>ID: <code style="color: #888;">${merged.id}</code></p>
           ${isSystemManaged ? html`<p>This route is system-managed. Change its source config to modify it directly.</p>` : ''}
-          ${sourcePolicySummary ? html`<p>Source Policy: <strong style="color: #a78bfa;">${sourcePolicySummary}</strong></p>` : ''}
+          ${sourceBindingSummary ? html`<p>Source Bindings: <strong style="color: #a78bfa;">${sourceBindingSummary}</strong></p>` : ''}
           ${meta?.networkTargetName ? html`<p>Network Target: <strong style="color: #a78bfa;">${meta.networkTargetName}</strong></p>` : ''}
         </div>
       `,
@@ -663,8 +651,7 @@ export class OpsViewRoutes extends DeesElement {
     const currentVpnOnly = route.vpnOnly === true;
     const currentRemoteIngressEnabled = route.remoteIngress?.enabled === true;
     const currentEdgeFilter = route.remoteIngress?.edgeFilter || [];
-    const currentSourcePolicyRefs = this.getSourcePolicyRefs(merged.metadata);
-    const currentSourcePolicyPreset = metadataUsesPathPolicies(merged.metadata) ? 'gitea' : 'manual';
+    const currentSourceBindingRefs = this.getSourceBindingRefs(merged.metadata);
 
     // Compute current TLS state for pre-population
     const currentTls = (route.action as any).tls;
@@ -686,21 +673,20 @@ export class OpsViewRoutes extends DeesElement {
           <dees-input-list .key=${'domains'} .label=${'Domains'} .placeholder=${'Add domain...'} .value=${currentDomains}></dees-input-list>
           <dees-input-text .key=${'priority'} .label=${'Priority'} .description=${'Higher values are matched first'} .value=${route.priority != null ? String(route.priority) : ''}></dees-input-text>
           <div class="sourcePolicyGroup" style="display: flex; flex-direction: column; gap: 12px; padding: 12px; border: 1px solid rgba(255,255,255,0.12); border-radius: 8px;">
-            <strong>Source Policy</strong>
-            <small>First matching profile wins. Exceeded limits return 429 and do not fall through.</small>
-            <dees-input-dropdown
-              .key=${'sourcePolicyPreset'}
-              .label=${'Source Policy Preset'}
-              .options=${sourcePolicyPresetOptions}
-              .selectedOption=${sourcePolicyPresetOptions.find((o) => o.key === currentSourcePolicyPreset) || sourcePolicyPresetOptions[0]}
-            ></dees-input-dropdown>
-            <small>Gitea preset uses TRUSTED NETWORKS -> AI CRAWLERS -> PUBLIC and applies path-class limits.</small>
-            ${[0, 1, 2, 3].map((index) => html`
+            <strong>Source Bindings</strong>
+            <small>First matching source profile wins. Leave all rows empty to remove route-level source access control.</small>
+            <dees-input-checkbox
+              .key=${'useGiteaTemplate'}
+              .label=${'Apply Gitea bot protection template on save'}
+              .description=${'Replaces these rows with TRUSTED NETWORKS -> AI CRAWLERS -> PUBLIC and path-class limits.'}
+              .value=${false}
+            ></dees-input-checkbox>
+            ${Array.from({ length: maxSourceBindingRows }, (_item, index) => html`
               <dees-input-dropdown
-                .key=${`sourcePolicyProfileRef${index}`}
-                .label=${`Source Profile ${index + 1}`}
+                .key=${`sourceBindingProfileRef${index}`}
+                .label=${`Binding ${index + 1}`}
                 .options=${profileOptions}
-                .selectedOption=${profileOptions.find((o) => o.key === (currentSourcePolicyRefs[index] || '')) || profileOptions[0]}
+                .selectedOption=${profileOptions.find((o) => o.key === (currentSourceBindingRefs[index] || '')) || profileOptions[0]}
               ></dees-input-dropdown>
             `)}
           </div>
@@ -744,11 +730,11 @@ export class OpsViewRoutes extends DeesElement {
               : [];
             const priority = formData.priority ? parseInt(formData.priority, 10) : undefined;
 
-            const sourcePolicyPreset = getDropdownKey(formData.sourcePolicyPreset) || 'manual';
-            const sourcePolicyRefs = sourcePolicyPreset === 'gitea'
+            const useGiteaTemplate = Boolean(formData.useGiteaTemplate);
+            const sourceBindingRefs = useGiteaTemplate
               ? []
-              : getSourcePolicyRefsFromFormData(formData);
-            if (sourcePolicyPreset !== 'gitea' && !validateSourcePolicySelection(sourcePolicyRefs, profiles)) return;
+              : getSourceBindingRefsFromFormData(formData);
+            if (!useGiteaTemplate && !validateSourceBindingSelection(sourceBindingRefs, profiles)) return;
             const targetKey = getDropdownKey(formData.networkTargetRef);
             const preserveMatchPort = !targetKey && Boolean(formData.preserveMatchPort);
             const targetPort = preserveMatchPort
@@ -812,20 +798,14 @@ export class OpsViewRoutes extends DeesElement {
             }
 
             const metadata: any = {};
-            if (sourcePolicyPreset === 'gitea') {
-              const sourcePolicy = getGiteaPresetSourcePolicy(profiles);
-              if (!sourcePolicy) return;
-              metadata.sourcePolicy = sourcePolicy;
-              metadata.sourceProfileRef = '';
-              metadata.sourceProfileName = '';
-            } else if (sourcePolicyRefs.length > 0) {
-              metadata.sourcePolicy = buildSourcePolicyMetadata(sourcePolicyRefs, merged.metadata?.sourcePolicy);
-              metadata.sourceProfileRef = '';
-              metadata.sourceProfileName = '';
-            } else if (merged.metadata?.sourcePolicy || merged.metadata?.sourceProfileRef) {
-              metadata.sourcePolicy = { bindings: [] };
-              metadata.sourceProfileRef = '';
-              metadata.sourceProfileName = '';
+            if (useGiteaTemplate) {
+              const sourceBindings = getGiteaPresetSourceBindings(profiles);
+              if (!sourceBindings) return;
+              metadata.sourceBindings = sourceBindings;
+            } else if (sourceBindingRefs.length > 0) {
+              metadata.sourceBindings = buildSourceBindingsMetadata(sourceBindingRefs, merged.metadata?.sourceBindings);
+            } else if (merged.metadata?.sourceBindings) {
+              metadata.sourceBindings = [];
             }
             if (targetKey) {
               metadata.networkTargetRef = targetKey;
@@ -886,19 +866,18 @@ export class OpsViewRoutes extends DeesElement {
           <dees-input-list .key=${'domains'} .label=${'Domains'} .placeholder=${'Add domain...'}></dees-input-list>
           <dees-input-text .key=${'priority'} .label=${'Priority'} .description=${'Higher values are matched first'}></dees-input-text>
           <div class="sourcePolicyGroup" style="display: flex; flex-direction: column; gap: 12px; padding: 12px; border: 1px solid rgba(255,255,255,0.12); border-radius: 8px;">
-            <strong>Source Policy</strong>
-            <small>First matching profile wins. Exceeded limits return 429 and do not fall through.</small>
-            <dees-input-dropdown
-              .key=${'sourcePolicyPreset'}
-              .label=${'Source Policy Preset'}
-              .options=${sourcePolicyPresetOptions}
-              .selectedOption=${sourcePolicyPresetOptions[0]}
-            ></dees-input-dropdown>
-            <small>Gitea preset uses TRUSTED NETWORKS -> AI CRAWLERS -> PUBLIC and applies path-class limits.</small>
-            ${[0, 1, 2, 3].map((index) => html`
+            <strong>Source Bindings</strong>
+            <small>First matching source profile wins. Leave all rows empty for no route-level source access control.</small>
+            <dees-input-checkbox
+              .key=${'useGiteaTemplate'}
+              .label=${'Apply Gitea bot protection template on save'}
+              .description=${'Writes TRUSTED NETWORKS -> AI CRAWLERS -> PUBLIC and path-class limits.'}
+              .value=${false}
+            ></dees-input-checkbox>
+            ${Array.from({ length: maxSourceBindingRows }, (_item, index) => html`
               <dees-input-dropdown
-                .key=${`sourcePolicyProfileRef${index}`}
-                .label=${`Source Profile ${index + 1}`}
+                .key=${`sourceBindingProfileRef${index}`}
+                .label=${`Binding ${index + 1}`}
                 .options=${profileOptions}
                 .selectedOption=${profileOptions[0]}
               ></dees-input-dropdown>
@@ -944,11 +923,11 @@ export class OpsViewRoutes extends DeesElement {
               : [];
             const priority = formData.priority ? parseInt(formData.priority, 10) : undefined;
 
-            const sourcePolicyPreset = getDropdownKey(formData.sourcePolicyPreset) || 'manual';
-            const sourcePolicyRefs = sourcePolicyPreset === 'gitea'
+            const useGiteaTemplate = Boolean(formData.useGiteaTemplate);
+            const sourceBindingRefs = useGiteaTemplate
               ? []
-              : getSourcePolicyRefsFromFormData(formData);
-            if (sourcePolicyPreset !== 'gitea' && !validateSourcePolicySelection(sourcePolicyRefs, profiles)) return;
+              : getSourceBindingRefsFromFormData(formData);
+            if (!useGiteaTemplate && !validateSourceBindingSelection(sourceBindingRefs, profiles)) return;
             const targetKey = getDropdownKey(formData.networkTargetRef);
             const preserveMatchPort = !targetKey && Boolean(formData.preserveMatchPort);
             const targetPort = preserveMatchPort
@@ -1013,12 +992,12 @@ export class OpsViewRoutes extends DeesElement {
 
             // Build metadata if profile/target selected
             const metadata: any = {};
-            if (sourcePolicyPreset === 'gitea') {
-              const sourcePolicy = getGiteaPresetSourcePolicy(profiles);
-              if (!sourcePolicy) return;
-              metadata.sourcePolicy = sourcePolicy;
-            } else if (sourcePolicyRefs.length > 0) {
-              metadata.sourcePolicy = buildSourcePolicyMetadata(sourcePolicyRefs);
+            if (useGiteaTemplate) {
+              const sourceBindings = getGiteaPresetSourceBindings(profiles);
+              if (!sourceBindings) return;
+              metadata.sourceBindings = sourceBindings;
+            } else if (sourceBindingRefs.length > 0) {
+              metadata.sourceBindings = buildSourceBindingsMetadata(sourceBindingRefs);
             }
             if (targetKey) {
               metadata.networkTargetRef = targetKey;
@@ -1049,23 +1028,20 @@ export class OpsViewRoutes extends DeesElement {
     appstate.routeManagementStatePart.dispatchAction(appstate.fetchMergedRoutesAction, null);
   }
 
-  private getSourcePolicyRefs(metadata?: interfaces.data.IRouteMetadata): string[] {
-    const policyRefs = metadata?.sourcePolicy?.bindings
+  private getSourceBindingRefs(metadata?: interfaces.data.IRouteMetadata): string[] {
+    const bindingRefs = metadata?.sourceBindings
       ?.map((binding) => binding.sourceProfileRef)
       .filter(Boolean) || [];
-    if (policyRefs.length > 0) {
-      return policyRefs;
-    }
-    return metadata?.sourceProfileRef ? [metadata.sourceProfileRef] : [];
+    return bindingRefs;
   }
 
   private describeSourcePolicy(metadata?: interfaces.data.IRouteMetadata): string {
-    const refs = this.getSourcePolicyRefs(metadata);
+    const refs = this.getSourceBindingRefs(metadata);
     if (refs.length === 0) {
       return '';
     }
     return refs.map((ref) => {
-      const binding = metadata?.sourcePolicy?.bindings?.find((item) => item.sourceProfileRef === ref);
+      const binding = metadata?.sourceBindings?.find((item) => item.sourceProfileRef === ref);
       const profile = this.profilesTargetsState.profiles.find((item) => item.id === ref);
       return binding?.sourceProfileName || profile?.name || ref.slice(0, 8);
     }).join(' → ');