fix: enforce ws3 roles + node allowlist

2026-05-08 18:08:27 +00:00 · 2026-01-20 09:23:56 +00:00
parent 32a668e4d9
commit 9dbc1435a6
27 changed files with 3096 additions and 40 deletions
--- a/src/gateway/server-methods/nodes.ts
+++ b/src/gateway/server-methods/nodes.ts
@@ -28,6 +28,11 @@ import {
  safeParseJson,
  uniqueSortedStrings,
 } from "./nodes.helpers.js";
+import { loadConfig } from "../../config/config.js";
+import {
+  isNodeCommandAllowed,
+  resolveNodeCommandAllowlist,
+} from "../node-command-policy.js";
 import type { GatewayRequestHandlers } from "./types.js";

 function isNodeEntry(entry: { role?: string; roles?: string[] }) {
@@ -353,6 +358,34 @@ export const nodeHandlers: GatewayRequestHandlers = {
    }

    await respondUnavailableOnThrow(respond, async () => {
+      const nodeSession = context.nodeRegistry.get(nodeId);
+      if (!nodeSession) {
+        respond(
+          false,
+          undefined,
+          errorShape(ErrorCodes.UNAVAILABLE, "node not connected", {
+            details: { code: "NOT_CONNECTED" },
+          }),
+        );
+        return;
+      }
+      const cfg = loadConfig();
+      const allowlist = resolveNodeCommandAllowlist(cfg, nodeSession);
+      const allowed = isNodeCommandAllowed({
+        command,
+        declaredCommands: nodeSession.commands,
+        allowlist,
+      });
+      if (!allowed.ok) {
+        respond(
+          false,
+          undefined,
+          errorShape(ErrorCodes.INVALID_REQUEST, "node command not allowed", {
+            details: { reason: allowed.reason, command },
+          }),
+        );
+        return;
+      }
      const res = await context.nodeRegistry.invoke({
        nodeId,
        command,
@@ -384,7 +417,7 @@ export const nodeHandlers: GatewayRequestHandlers = {
      );
    });
  },
-  "node.invoke.result": async ({ params, respond, context }) => {
+  "node.invoke.result": async ({ params, respond, context, client }) => {
    if (!validateNodeInvokeResultParams(params)) {
      respondInvalidParams({
        respond,
@@ -401,6 +434,11 @@ export const nodeHandlers: GatewayRequestHandlers = {
      payloadJSON?: string | null;
      error?: { code?: string; message?: string } | null;
    };
+    const callerNodeId = client?.connect?.device?.id ?? client?.connect?.client?.id;
+    if (callerNodeId && callerNodeId !== p.nodeId) {
+      respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "nodeId mismatch"));
+      return;
+    }
    const ok = context.nodeRegistry.handleInvokeResult({
      id: p.id,
      nodeId: p.nodeId,
@@ -415,7 +453,7 @@ export const nodeHandlers: GatewayRequestHandlers = {
    }
    respond(true, { ok: true }, undefined);
  },
-  "node.event": async ({ params, respond, context }) => {
+  "node.event": async ({ params, respond, context, client }) => {
    if (!validateNodeEventParams(params)) {
      respondInvalidParams({
        respond,
@@ -433,6 +471,7 @@ export const nodeHandlers: GatewayRequestHandlers = {
          : null;
    await respondUnavailableOnThrow(respond, async () => {
      const { handleNodeEvent } = await import("../server-node-events.js");
+      const nodeId = client?.connect?.device?.id ?? client?.connect?.client?.id ?? "node";
      const nodeContext = {
        deps: context.deps,
        broadcast: context.broadcast,
@@ -453,7 +492,7 @@ export const nodeHandlers: GatewayRequestHandlers = {
        loadGatewayModelCatalog: context.loadGatewayModelCatalog,
        logGateway: { warn: context.logGateway.warn },
      };
-      await handleNodeEvent(nodeContext, "node", {
+      await handleNodeEvent(nodeContext, nodeId, {
        event: p.event,
        payloadJSON,
      });