feat(api): instance command bridge + agent credentials endpoint
Backend layer wiring the panel to the host agent's per-instance command
channel (the unblocker for the Server-page rework):
- NatsService.requestScoped(): request-reply with a LICENSE-SCOPED reply
subject (corrosion.{license}.reply.<id>) so per-license-scoped agents
(no _INBOX permission) can actually reply — the design from the NATS
auth work, now exercised.
- InstancesModule: POST /api/instances/:id/lifecycle {action} (start/
stop/restart/status/steam_update, server.manage) and POST :id/rcon
{command} (server.console). Tenant-guarded via game_instances.
- GET /api/servers/agent-credentials: derives the agent's NATS user/
password (HMAC) so a customer can configure their agent — closes the
post-auth setup gap.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Vantz Stockwell
34
backend-nest/src/modules/instances/instances.controller.ts
Normal file
34
backend-nest/src/modules/instances/instances.controller.ts
Normal file
@@ -0,0 +1,34 @@
|
||||
import { Controller, Post, Body, Param } from '@nestjs/common';
|
||||
import { ApiTags, ApiBearerAuth, ApiOperation } from '@nestjs/swagger';
|
||||
import { CurrentTenant } from '../../common/decorators/current-tenant.decorator';
|
||||
import { RequirePermission } from '../../common/decorators/require-permission.decorator';
|
||||
import { InstancesService, LifecycleFunc } from './instances.service';
|
||||
|
||||
@ApiTags('instances')
|
||||
@ApiBearerAuth()
|
||||
@Controller('instances')
|
||||
export class InstancesController {
|
||||
constructor(private readonly instances: InstancesService) {}
|
||||
|
||||
@Post(':id/lifecycle')
|
||||
@RequirePermission('server.manage')
|
||||
@ApiOperation({ summary: 'Send a lifecycle command to a game instance (start/stop/restart/status/steam_update)' })
|
||||
async lifecycle(
|
||||
@CurrentTenant() licenseId: string,
|
||||
@Param('id') id: string,
|
||||
@Body() body: { action: LifecycleFunc },
|
||||
) {
|
||||
return this.instances.lifecycle(licenseId, id, body.action);
|
||||
}
|
||||
|
||||
@Post(':id/rcon')
|
||||
@RequirePermission('server.console')
|
||||
@ApiOperation({ summary: 'Send an RCON/console command to a game instance' })
|
||||
async rcon(
|
||||
@CurrentTenant() licenseId: string,
|
||||
@Param('id') id: string,
|
||||
@Body() body: { command: string },
|
||||
) {
|
||||
return this.instances.rcon(licenseId, id, body.command);
|
||||
}
|
||||
}
|
||||
13
backend-nest/src/modules/instances/instances.module.ts
Normal file
13
backend-nest/src/modules/instances/instances.module.ts
Normal file
@@ -0,0 +1,13 @@
|
||||
import { Module } from '@nestjs/common';
|
||||
import { TypeOrmModule } from '@nestjs/typeorm';
|
||||
import { InstancesController } from './instances.controller';
|
||||
import { InstancesService } from './instances.service';
|
||||
import { GameInstance } from '../../entities/game-instance.entity';
|
||||
import { NatsService } from '../../services/nats.service';
|
||||
|
||||
@Module({
|
||||
imports: [TypeOrmModule.forFeature([GameInstance])],
|
||||
controllers: [InstancesController],
|
||||
providers: [InstancesService, NatsService],
|
||||
})
|
||||
export class InstancesModule {}
|
||||
49
backend-nest/src/modules/instances/instances.service.ts
Normal file
49
backend-nest/src/modules/instances/instances.service.ts
Normal file
@@ -0,0 +1,49 @@
|
||||
import { Injectable, NotFoundException, BadRequestException, Logger } from '@nestjs/common';
|
||||
import { InjectRepository } from '@nestjs/typeorm';
|
||||
import { Repository } from 'typeorm';
|
||||
import { NatsService } from '../../services/nats.service';
|
||||
import { GameInstance } from '../../entities/game-instance.entity';
|
||||
|
||||
/** Lifecycle funcs the agent's {instance}.cmd handler accepts. */
|
||||
const LIFECYCLE_FUNCS = ['start', 'stop', 'restart', 'status', 'steam_update'] as const;
|
||||
export type LifecycleFunc = (typeof LIFECYCLE_FUNCS)[number];
|
||||
|
||||
@Injectable()
|
||||
export class InstancesService {
|
||||
private readonly logger = new Logger(InstancesService.name);
|
||||
|
||||
constructor(
|
||||
private readonly nats: NatsService,
|
||||
@InjectRepository(GameInstance)
|
||||
private readonly instanceRepo: Repository<GameInstance>,
|
||||
) {}
|
||||
|
||||
/** Resolve an instance the caller's license actually owns (tenant guard). */
|
||||
private async resolveInstance(licenseId: string, instanceId: string): Promise<GameInstance> {
|
||||
const inst = await this.instanceRepo.findOne({
|
||||
where: { id: instanceId, license_id: licenseId },
|
||||
});
|
||||
if (!inst) throw new NotFoundException('Instance not found');
|
||||
return inst;
|
||||
}
|
||||
|
||||
async lifecycle(licenseId: string, instanceId: string, func: LifecycleFunc): Promise<unknown> {
|
||||
if (!LIFECYCLE_FUNCS.includes(func)) {
|
||||
throw new BadRequestException(`Unsupported action '${func}'`);
|
||||
}
|
||||
const inst = await this.resolveInstance(licenseId, instanceId);
|
||||
const subject = `corrosion.${licenseId}.${inst.agent_instance_id}.cmd`;
|
||||
this.logger.log(`instance ${inst.agent_instance_id}: ${func}`);
|
||||
return this.nats.requestScoped(licenseId, subject, { func });
|
||||
}
|
||||
|
||||
async rcon(licenseId: string, instanceId: string, command: string): Promise<unknown> {
|
||||
if (!command || !command.trim()) {
|
||||
throw new BadRequestException('command is required');
|
||||
}
|
||||
const inst = await this.resolveInstance(licenseId, instanceId);
|
||||
const subject = `corrosion.${licenseId}.${inst.agent_instance_id}.cmd`;
|
||||
// RCON can take longer than a lifecycle ack — give it more headroom.
|
||||
return this.nats.requestScoped(licenseId, subject, { func: 'rcon', command }, 12_000);
|
||||
}
|
||||
}
|
||||
@@ -23,6 +23,13 @@ export class ServersController {
|
||||
return await this.serversService.getServer(licenseId);
|
||||
}
|
||||
|
||||
@Get('agent-credentials')
|
||||
@RequirePermission('server.manage')
|
||||
@ApiOperation({ summary: 'NATS credentials for this license\'s host agent' })
|
||||
async getAgentCredentials(@CurrentTenant() licenseId: string) {
|
||||
return await this.serversService.getAgentCredentials(licenseId);
|
||||
}
|
||||
|
||||
@Put('config')
|
||||
@RequirePermission('server.manage')
|
||||
@ApiOperation({ summary: 'Update server configuration' })
|
||||
|
||||
@@ -19,6 +19,15 @@ export class ServersService {
|
||||
private readonly natsService: NatsService,
|
||||
) {}
|
||||
|
||||
/**
|
||||
* NATS credentials the customer puts in their host agent's config so it can
|
||||
* authenticate to the per-license-scoped broker. Returns null if the broker
|
||||
* isn't enforcing auth yet (NATS_TOKEN_SECRET unset).
|
||||
*/
|
||||
async getAgentCredentials(licenseId: string) {
|
||||
return this.natsService.getAgentCredentials(licenseId);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get server connection and config for a license.
|
||||
* Returns null fields if no server has been set up yet.
|
||||
|
||||
Reference in New Issue
Block a user