feat: add allowed networks configuration for agents and keyrings

- Introduced a new question for allowed networks in both AgentCreateQuestions and KeyringsCreateQuestions, allowing users to specify network filters.
- Updated the AgentsController and KeyringsController to utilize the NetworkAllowedGuard for enhanced security based on allowed networks.
- Modified the AgentsCommand to handle the new allowedNetworks property, ensuring proper integration during agent creation.
- Enhanced the Keyrings module to include the NetworkAllowedGuard, improving overall security for keyring operations.

Author: tacxou

apps/api/src/_common/functions/resolve-client-ip.ts

@@ -4,7 +4,9 @@ import type { Request } from 'express';
  * Lit une en-tête HTTP (string ou première entrée d'un tableau).
  */
 function headerString(req: Request, name: string): string | undefined {
-  const v = req.headers[name.toLowerCase()];
+  const headers = req?.headers;
+  if (!headers) return undefined;
+  const v = headers[name.toLowerCase()];
   if (typeof v === 'string') {
     return v;
   }

apps/api/src/core/agents/agents.command.ts

@@ -59,6 +59,19 @@ export class AgentCreateQuestions {
   parsePassword(val: string) {
     return val
   }
+
+  @Question({
+    message: 'Réseaux autorisés (CSV, vide = aucun filtrage) ?',
+    name: 'allowedNetworks',
+  })
+  parseAllowedNetworks(val: string) {
+    const raw = `${val || ''}`.trim()
+    if (!raw) return []
+    return raw
+      .split(',')
+      .map((item) => `${item || ''}`.trim())
+      .filter((item) => item.length > 0)
+  }
 }
 
 /**
@@ -106,8 +119,15 @@ export class AgentsCreateCommand extends CommandRunner {
   async run(_inputs: string[], _options: any): Promise<void> {
     this.logger.log('Starting agent creation process...')
     // Pose les questions définies dans AgentCreateQuestions pour obtenir les données de l'agent
-    const agent = await this.inquirer.ask<AgentsCreateDto>('agent-create-questions', undefined)
+    const agent = await this.inquirer.ask<AgentsCreateDto & { allowedNetworks?: string[] }>('agent-create-questions', undefined)
     try {
+      if (Array.isArray((agent as any).allowedNetworks) && (agent as any).allowedNetworks.length > 0) {
+        ;(agent as any).security = {
+          ...(agent as any).security,
+          allowedNetworks: (agent as any).allowedNetworks,
+        }
+      }
+      delete (agent as any).allowedNetworks
       // Crée l'agent avec les données collectées
       await this.agentsService.create(agent)
       console.log('Agent created successfully')

apps/api/src/core/auth/_strategies/jwt.strategy.ts

@@ -8,6 +8,36 @@ import { AgentType } from '~/_common/types/agent.type';
 import { JwtPayload } from 'jsonwebtoken';
 import { Keyrings } from '~/core/keyrings/_schemas/keyrings.schema';
 import { Agents } from '~/core/agents/_schemas/agents.schema';
+import { resolveClientIp } from '~/_common/functions/resolve-client-ip';
+import ipRangeCheck from 'ip-range-check';
+
+function isClientIpAllowed(allowedNetworks?: string[] | null, clientIp?: string | null): boolean {
+  if (!Array.isArray(allowedNetworks) || allowedNetworks.length === 0) return true;
+  if (!clientIp) return false;
+
+  const normalizedRules = allowedNetworks.map((item) => `${item || ''}`.trim()).filter((item) => item.length > 0);
+  if (normalizedRules.length === 0) return true;
+
+  try {
+    return ipRangeCheck(clientIp, normalizedRules);
+  } catch {
+    return false;
+  }
+}
+
+function resolveAllowedNetworksFromVerifiedIdentity(verified: unknown): string[] | null {
+  const v = verified as any;
+  const direct = Array.isArray(v?.allowedNetworks) ? (v.allowedNetworks as string[]) : null;
+  if (direct && direct.length > 0) return direct;
+
+  const fromSecurity = Array.isArray(v?.security?.allowedNetworks) ? (v.security.allowedNetworks as string[]) : null;
+  if (fromSecurity && fromSecurity.length > 0) return fromSecurity;
+
+  const fromIdentitySecurity = Array.isArray(v?.identity?.security?.allowedNetworks) ? (v.identity.security.allowedNetworks as string[]) : null;
+  if (fromIdentitySecurity && fromIdentitySecurity.length > 0) return fromIdentitySecurity;
+
+  return null;
+}
 
 @Injectable()
 export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
@@ -27,7 +57,7 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
 
   // noinspection JSUnusedGlobalSymbols
   public async validate(
-    _: Request,
+    req: Request,
     payload: JwtPayload & { identity: AgentType; mfaVerified?: boolean; mfaVerifiedAt?: number | null },
     done: VerifiedCallback,
   ): Promise<void> {
@@ -37,6 +67,12 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
 
     if (!user) return done(new ForbiddenException(), false);
 
+    const clientIp = resolveClientIp(req);
+    const allowedNetworks = resolveAllowedNetworksFromVerifiedIdentity(user);
+    if (!isClientIpAllowed(allowedNetworks, clientIp)) {
+      return done(new ForbiddenException('Network not allowed'), false);
+    }
+
     const roles = [...(Array.isArray(payload.identity?.roles) ? payload.identity.roles : [])];
     if (!roles.includes('admin') && payload.identity?._id === '000000000000000000000000') {
       roles.push('admin');

apps/api/src/core/keyrings/keyrings.command.ts

@@ -30,6 +30,20 @@ export class KeyringsCreateQuestions {
 
     return roles;
   }
+
+  @Question({
+    message: 'Réseaux autorisés (CSV, vide = 0.0.0.0/0) ?',
+    name: 'allowedNetworks',
+  })
+  parseAllowedNetworks(val: string) {
+    const raw = `${val || ''}`.trim()
+    if (!raw) return ['0.0.0.0/0']
+    const values = raw
+      .split(',')
+      .map((item) => `${item || ''}`.trim())
+      .filter((item) => item.length > 0)
+    return values.length > 0 ? values : ['0.0.0.0/0']
+  }
 }
 
 @SubCommand({ name: 'create' })

apps/web/src/plugins/http-mfa.client.ts

@@ -51,9 +51,21 @@ export default defineNuxtPlugin((nuxtApp) => {
             prompt: {
               model: '',
               type: 'text',
+              autocomplete: 'one-time-code',
+              autocorrect: 'off',
+              autocapitalize: 'off',
+              spellcheck: false,
+              inputmode: 'numeric',
+              pattern: '[0-9]{6}',
+              maxlength: 6,
+              minlength: 6,
+              required: true,
+              placeholder: '123456',
+              label: 'Code TOTP',
+              outlined: true,
               isValid: (val: string) => /^\d{6}$/.test(String(val || '').trim()),
             },
-            cancel: true,
+            cancel: false,
             persistent: true,
             color: 'warning',
             ok: { label: 'Valider', color: 'warning' },