NginxProxyManager
diff --git a/‎backend/internal/access-list.js
Lines changed: 60 additions & 17 deletions b/‎backend/internal/access-list.js
Lines changed: 60 additions & 17 deletions
diff --git a/‎backend/migrations/20230526062132_add_clientcas_to_accesslists.js
Lines changed: 50 additions & 0 deletions b/‎backend/migrations/20230526062132_add_clientcas_to_accesslists.js
Lines changed: 50 additions & 0 deletions
diff --git a/‎backend/models/access_list.js
Lines changed: 9 additions & 0 deletions b/‎backend/models/access_list.js
Lines changed: 9 additions & 0 deletions
diff --git a/‎backend/models/access_list_clientcas.js
Lines changed: 65 additions & 0 deletions b/‎backend/models/access_list_clientcas.js
Lines changed: 65 additions & 0 deletions
diff --git a/‎backend/schema/endpoints/access-lists.json
Lines changed: 14 additions & 0 deletions b/‎backend/schema/endpoints/access-lists.json
Lines changed: 14 additions & 0 deletions
diff --git a/‎frontend/js/app/nginx/access/form.ejs
Lines changed: 29 additions & 0 deletions b/‎frontend/js/app/nginx/access/form.ejs
Lines changed: 29 additions & 0 deletions
@@ -1,15 +1,16 @@
-const _                     = require('lodash');
-const fs                    = require('fs');
-const batchflow             = require('batchflow');
-const logger                = require('../logger').access;
-const error                 = require('../lib/error');
-const utils                 = require('../lib/utils');
-const accessListModel       = require('../models/access_list');
-const accessListAuthModel   = require('../models/access_list_auth');
-const accessListClientModel = require('../models/access_list_client');
-const proxyHostModel        = require('../models/proxy_host');
-const internalAuditLog      = require('./audit-log');
-const internalNginx         = require('./nginx');
+const _                     	 = require('lodash');
+const fs                    	 = require('fs');
+const batchflow             	 = require('batchflow');
+const logger                	 = require('../logger').access;
+const error                 	 = require('../lib/error');
+const utils                 	 = require('../lib/utils');
+const accessListModel       	 = require('../models/access_list');
+const accessListAuthModel   	 = require('../models/access_list_auth');
+const accessListClientModel 	 = require('../models/access_list_client');
+const accessListClientCAsModel = require('../models/access_list_clientcas');
+const proxyHostModel        	 = require('../models/proxy_host');
+const internalAuditLog      	 = require('./audit-log');
+const internalNginx         	 = require('./nginx');
 
 function omissions () {
 	return ['is_deleted'];
@@ -66,13 +67,26 @@ const internalAccessList = {
 					});
 				}
 
+				// Now add the client certificate references
+				if (typeof data.clientcas !== 'undefined' && data.clientcas) {
+					data.clientcas.map((certificate_id) => {
+						promises.push(accessListClientCAsModel
+							.query()
+							.insert({
+								access_list_id: row.id,
+								certificate_id: certificate_id
+							})
+						);
+					});
+				}
+
 				return Promise.all(promises);
 			})
 			.then(() => {
 				// re-fetch with expansions
 				return internalAccessList.get(access, {
 					id:     data.id,
-					expand: ['owner', 'items', 'clients', 'proxy_hosts.access_list.[clients,items]']
+					expand: ['owner', 'items', 'clients', 'clientcas', 'proxy_hosts.access_list.[clientcas.certificate,clients,items]']
 				}, true /* <- skip masking */);
 			})
 			.then((row) => {
@@ -204,6 +218,35 @@ const internalAccessList = {
 						});
 				}
 			})
+			.then(() => {
+				// Check for client certificates and add/update/remove them
+				if (typeof data.clientcas !== 'undefined' && data.clientcas) {
+					let promises = [];
+
+					data.clientcas.map(function (certificate_id) {
+						promises.push(accessListClientCAsModel
+							.query()
+							.insert({
+								access_list_id: data.id,
+								certificate_id: certificate_id
+							})
+						);
+					});
+
+					let query = accessListClientCAsModel
+						.query()
+						.delete()
+						.where('access_list_id', data.id);
+
+					return query
+						.then(() => {
+							// Add new items
+							if (promises.length) {
+								return Promise.all(promises);
+							}
+						});
+				}
+			})
 			.then(internalNginx.reload)
 			.then(() => {
 				// Add to audit log
@@ -218,7 +261,7 @@ const internalAccessList = {
 				// re-fetch with expansions
 				return internalAccessList.get(access, {
 					id:     data.id,
-					expand: ['owner', 'items', 'clients', 'proxy_hosts.[certificate,access_list.[clients,items]]']
+					expand: ['owner', 'items', 'clients', 'clientcas', 'proxy_hosts.[certificate,access_list.[clientcas.certificate,clients,items]]']
 				}, true /* <- skip masking */);
 			})
 			.then((row) => {
@@ -256,7 +299,7 @@ const internalAccessList = {
 					.joinRaw('LEFT JOIN `proxy_host` ON `proxy_host`.`access_list_id` = `access_list`.`id` AND `proxy_host`.`is_deleted` = 0')
 					.where('access_list.is_deleted', 0)
 					.andWhere('access_list.id', data.id)
-					.allowGraph('[owner,items,clients,proxy_hosts.[certificate,access_list.[clients,items]]]')
+					.withGraphFetched('[owner,items,clients,clientcas,proxy_hosts.[certificate,access_list.[clientcas.certificate,clients,items]]]')
 					.first();
 
 				if (access_data.permission_visibility !== 'all') {
@@ -294,7 +337,7 @@ const internalAccessList = {
 	delete: (access, data) => {
 		return access.can('access_lists:delete', data.id)
 			.then(() => {
-				return internalAccessList.get(access, {id: data.id, expand: ['proxy_hosts', 'items', 'clients']});
+				return internalAccessList.get(access, {id: data.id, expand: ['proxy_hosts', 'items', 'clients', 'clientcas']});
 			})
 			.then((row) => {
 				if (!row) {
@@ -377,7 +420,7 @@ const internalAccessList = {
 					.joinRaw('LEFT JOIN `proxy_host` ON `proxy_host`.`access_list_id` = `access_list`.`id` AND `proxy_host`.`is_deleted` = 0')
 					.where('access_list.is_deleted', 0)
 					.groupBy('access_list.id')
-					.allowGraph('[owner,items,clients]')
+					.withGraphFetched('[owner,items,clients,clientcas.certificate]')
 					.orderBy('access_list.name', 'ASC');
 
 				if (access_data.permission_visibility !== 'all') {
 
@@ -0,0 +1,50 @@
+const migrate_name = 'identifier_for_migrate';
+const logger       = require('../logger').migrate;
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.up = function (knex/*, Promise*/) {
+
+	logger.info('[' + migrate_name + '] Migrating Up...');
+
+	return knex.schema.createTable('access_list_clientcas', (table) => {
+		table.increments().primary();
+		table.dateTime('created_on').notNull();
+		table.dateTime('modified_on').notNull();
+		table.integer('access_list_id').notNull().unsigned();
+		table.integer('certificate_id').notNull().unsigned();
+		table.json('meta').notNull();
+	})
+		.then(function () {
+			logger.info('[' + migrate_name + '] access_list_clientcas Table created');
+		})
+		.then(() => {
+			logger.info('[' + migrate_name + '] Migrating Up Complete');
+		});
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.down = function (knex/*, Promise*/) {
+	logger.info('[' + migrate_name + '] Migrating Down...');
+
+	return knex.schema.dropTable('access_list_clientcas')
+		.then(() => {
+			logger.info('[' + migrate_name + '] access_list_clientcas Table dropped');
+		})
+		.then(() => {
+			logger.info('[' + migrate_name + '] Migrating Down Complete');
+		});
+};
@@ -6,6 +6,7 @@ const Model            = require('objection').Model;
 const User             = require('./user');
 const AccessListAuth   = require('./access_list_auth');
 const AccessListClient = require('./access_list_client');
+const AccessListClientCAs 		 = require('./access_list_clientcas');
 const now              = require('./now_helper');
 
 Model.knex(db);
@@ -68,6 +69,14 @@ class AccessList extends Model {
 					to:   'access_list_client.access_list_id'
 				}
 			},
+			clientcas: {
+				relation: 	 Model.HasManyRelation,
+				modelClass: AccessListClientCAs,
+				join:			    {
+					from: 'access_list.id',
+					to: 	 'access_list_clientcas.access_list_id'
+				}
+			},
 			proxy_hosts: {
 				relation:   Model.HasManyRelation,
 				modelClass: ProxyHost,
 
@@ -0,0 +1,65 @@
+// Objection Docs:
+// http://vincit.github.io/objection.js/
+
+const db    = require('../db');
+const Model = require('objection').Model;
+const now   = require('./now_helper');
+
+Model.knex(db);
+
+class AccessListClientCAs extends Model {
+	$beforeInsert () {
+		this.created_on  = now();
+		this.modified_on = now();
+
+		// Default for meta
+		if (typeof this.meta === 'undefined') {
+			this.meta = {};
+		}
+	}
+
+	$beforeUpdate () {
+		this.modified_on = now();
+	}
+
+	static get name () {
+		return 'AccessListClientCAs';
+	}
+
+	static get tableName () {
+		return 'access_list_clientcas';
+	}
+
+	static get jsonAttributes () {
+		return ['meta'];
+	}
+
+	static get relationMappings () {
+		return {
+			access_list: {
+				relation:   Model.HasOneRelation,
+				modelClass: require('./access_list'),
+				join:       {
+					from: 'access_list_clientcas.access_list_id',
+					to:   'access_list.id'
+				},
+				modify: function (qb) {
+					qb.where('access_list.is_deleted', 0);
+				}
+			},
+			certificate: {
+				relation:   Model.HasOneRelation,
+				modelClass: require('./certificate'),
+				join:			    {
+					from: 'access_list_clientcas.certificate_id',
+					to:   'certificate.id'
+				},
+				modify: function (qb) {
+					qb.where('certificate.is_deleted', 0);
+				}
+			}
+		};
+	}
+}
+
+module.exports = AccessListClientCAs;
@@ -142,6 +142,13 @@
 							}
 						}
 					},
+					"clientcas": {
+						"type": "array",
+						"minItems": 0,
+						"items": {
+							"type": "integer"
+						}
+					},
 					"meta": {
 						"$ref": "#/definitions/meta"
 					}
@@ -209,6 +216,13 @@
 								}
 							}
 						}
+					},
+					"clientcas": {
+						"type": "array",
+						"minItems": 0,
+						"items": {
+							"type": "integer"
+						}
 					}
 				}
 			},
 
@@ -8,6 +8,7 @@
             <ul class="nav nav-tabs" role="tablist">
                 <li role="presentation" class="nav-item"><a href="#details" aria-controls="tab1" role="tab" data-toggle="tab" class="nav-link active show" aria-selected="true"><i class="fe fe-zap"></i> <%- i18n('access-lists', 'details') %></a></li>
                 <li role="presentation" class="nav-item"><a href="#auth" aria-controls="tab4" role="tab" data-toggle="tab" class="nav-link" aria-selected="false"><i class="fe fe-users"></i> <%- i18n('access-lists', 'authorization') %></a></li>
+                <li role="presentation" class="nav-item"><a href="#clientca" aria-controls="tab4" role="tab" data-toggle="tab" class="nav-link" aria-selected="false"><i class="fe fe-lock"></i> <%- i18n('access-lists', 'client-certificates') %></a></li>
                 <li role="presentation" class="nav-item"><a href="#access" aria-controls="tab2" role="tab" data-toggle="tab" class="nav-link" aria-selected="false"><i class="fe fe-radio"></i> <%- i18n('access-lists', 'access') %></a></li>
             </ul>
 
@@ -71,6 +72,34 @@
                     </div>
                 </div>
 
+                <!-- Client Certificates -->
+                <div class="tab-pane" id="clientca">
+                    <p>
+                        Client Certificate Authorization via
+                        <a target="_blank" href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate">
+                            Nginx HTTP SSL
+                        </a>
+                    </p>
+
+                    <div class="row">
+                        <div class="col-sm-10 col-md-10">
+                            <select id="certificate_search" class="form-control custom-select" placeholder="<%- i18n('ssl', 'clientca') %>">
+                            </select>
+
+                        </div>
+                        <div class="col-sm-2 col-md-2">
+                            <div class="btn-list justify-content-end">
+                                <button type="button" class="btn btn-teal clientca_add"><%- i18n('access-lists', 'clientca-add') %></button>
+                            </div>
+                        </div>
+                    </div>
+
+                    <label class="form-label">Authorized Client Certificate Authorities</label>
+                    <div class="clientcas">
+                        <!-- clientcas -->
+                    </div>
+                </div>
+
                 <!-- Access -->
                 <div class="tab-pane" id="access">
                     <p>
Original file line number	Diff line number	Diff line change
`@@ -142,6 +142,13 @@`
`142`	`142`	`}`
`143`	`143`	`}`
`144`	`144`	`},`
	`145`	`+ "clientcas": {`
	`146`	`+ "type": "array",`
	`147`	`+ "minItems": 0,`
	`148`	`+ "items": {`
	`149`	`+ "type": "integer"`
	`150`	`+ }`
	`151`	`+ },`
`145`	`152`	`"meta": {`
`146`	`153`	`"$ref": "#/definitions/meta"`
`147`	`154`	`}`
`@@ -209,6 +216,13 @@`
`209`	`216`	`}`
`210`	`217`	`}`
`211`	`218`	`}`
	`219`	`+ },`
	`220`	`+ "clientcas": {`
	`221`	`+ "type": "array",`
	`222`	`+ "minItems": 0,`
	`223`	`+ "items": {`
	`224`	`+ "type": "integer"`
	`225`	`+ }`
`212`	`226`	`}`
`213`	`227`	`}`
`214`	`228`	`},`