feat: add SSH settings for device and namespace

Add allow-based SSH settings for both namespace and device
configuration, update the backend migrations and auth flow, and wire the
React console to edit the new settings consistently.

Closes #6136

Author: henrybarreto

api/routes/device.go

@@ -251,6 +251,10 @@ func (h *Handler) UpdateDevice(c gateway.Context) error {
 		return err
 	}
 
+	if c.Tenant() != nil {
+		req.TenantID = c.Tenant().ID
+	}
+
 	if err := h.service.UpdateDevice(c.Ctx(), req); err != nil {
 		return err
 	}

api/services/device.go

@@ -339,14 +339,51 @@ func (s *service) UpdateDevice(ctx context.Context, req *requests.DeviceUpdate)
 		return NewErrDeviceNotFound(models.UID(req.UID), err)
 	}
 
-	conflictsTarget := &models.DeviceConflicts{Name: req.Name}
-	conflictsTarget.Distinct(device)
-	if _, has, err := s.store.DeviceConflicts(ctx, conflictsTarget); err != nil || has {
-		return NewErrDeviceDuplicated(req.Name, err)
+	if req.Name != "" {
+		conflictsTarget := &models.DeviceConflicts{Name: req.Name}
+		conflictsTarget.Distinct(device)
+		if _, has, err := s.store.DeviceConflicts(ctx, conflictsTarget); err != nil || has {
+			return NewErrDeviceDuplicated(req.Name, err)
+		}
+
+		if !strings.EqualFold(req.Name, device.Name) {
+			device.Name = strings.ToLower(req.Name)
+		}
 	}
 
-	if req.Name != "" && !strings.EqualFold(req.Name, device.Name) {
-		device.Name = strings.ToLower(req.Name)
+	if req.SSH != nil {
+		// Only initialize SSH if device doesn't have one and we're updating it
+		if device.SSH == nil {
+			device.SSH = models.DefaultSSHSettings()
+		}
+
+		if req.SSH.AllowPassword != nil {
+			device.SSH.AllowPassword = *req.SSH.AllowPassword
+		}
+		if req.SSH.AllowPublicKey != nil {
+			device.SSH.AllowPublicKey = *req.SSH.AllowPublicKey
+		}
+		if req.SSH.AllowRoot != nil {
+			device.SSH.AllowRoot = *req.SSH.AllowRoot
+		}
+		if req.SSH.AllowEmptyPasswords != nil {
+			device.SSH.AllowEmptyPasswords = *req.SSH.AllowEmptyPasswords
+		}
+		if req.SSH.AllowTTY != nil {
+			device.SSH.AllowTTY = *req.SSH.AllowTTY
+		}
+		if req.SSH.AllowTCPForwarding != nil {
+			device.SSH.AllowTCPForwarding = *req.SSH.AllowTCPForwarding
+		}
+		if req.SSH.AllowWebEndpoints != nil {
+			device.SSH.AllowWebEndpoints = *req.SSH.AllowWebEndpoints
+		}
+		if req.SSH.AllowSFTP != nil {
+			device.SSH.AllowSFTP = *req.SSH.AllowSFTP
+		}
+		if req.SSH.AllowAgentForwarding != nil {
+			device.SSH.AllowAgentForwarding = *req.SSH.AllowAgentForwarding
+		}
 	}
 
 	if err := s.store.DeviceUpdate(ctx, device); err != nil { // nolint:revive
@@ -376,6 +413,10 @@ func (s *service) mergeDevice(ctx context.Context, tenantID string, oldDevice *m
 	}
 
 	log.WithFields(logFields).Debug("updating new device name to preserve old device identity")
+	if oldDevice.SSH != nil {
+		newDevice.SSH = oldDevice.SSH
+	}
+
 	newDevice.Name = oldDevice.Name
 	if err := s.store.DeviceUpdate(ctx, newDevice); err != nil {
 		log.WithError(err).WithFields(logFields).Error("failed to update new device name")

api/services/device_test.go

@@ -1699,13 +1699,35 @@ func TestUpdateDeviceStatus(t *testing.T) {
 					TenantID: "00000000-0000-0000-0000-000000000000",
 					Status:   models.DeviceStatusAccepted,
 					Identity: &models.DeviceIdentity{MAC: "aa:bb:cc:dd:ee:ff"},
+					SSH: &models.SSHSettings{
+						AllowPassword:        false,
+						AllowPublicKey:       true,
+						AllowRoot:            false,
+						AllowEmptyPasswords:  true,
+						AllowTTY:             false,
+						AllowTCPForwarding:   true,
+						AllowWebEndpoints:    false,
+						AllowSFTP:            true,
+						AllowAgentForwarding: false,
+					},
 				}
 				mergedDevice := &models.Device{
 					UID:      "new-device",
 					Name:     "device-name",
 					TenantID: "00000000-0000-0000-0000-000000000000",
 					Status:   models.DeviceStatusPending,
 					Identity: &models.DeviceIdentity{MAC: "aa:bb:cc:dd:ee:ff"},
+					SSH: &models.SSHSettings{
+						AllowPassword:        false,
+						AllowPublicKey:       true,
+						AllowRoot:            false,
+						AllowEmptyPasswords:  true,
+						AllowTTY:             false,
+						AllowTCPForwarding:   true,
+						AllowWebEndpoints:    false,
+						AllowSFTP:            true,
+						AllowAgentForwarding: false,
+					},
 				}
 				finalDevice := &models.Device{
 					UID:             "new-device",
@@ -1714,6 +1736,17 @@ func TestUpdateDeviceStatus(t *testing.T) {
 					Status:          models.DeviceStatusAccepted,
 					StatusUpdatedAt: now,
 					Identity:        &models.DeviceIdentity{MAC: "aa:bb:cc:dd:ee:ff"},
+					SSH: &models.SSHSettings{
+						AllowPassword:        false,
+						AllowPublicKey:       true,
+						AllowRoot:            false,
+						AllowEmptyPasswords:  true,
+						AllowTTY:             false,
+						AllowTCPForwarding:   true,
+						AllowWebEndpoints:    false,
+						AllowSFTP:            true,
+						AllowAgentForwarding: false,
+					},
 				}
 
 				storeMock.

api/services/namespace.go

@@ -66,6 +66,15 @@ func (s *service) CreateNamespace(ctx context.Context, req *requests.NamespaceCr
 		Settings: &models.NamespaceSettings{
 			SessionRecord:          true,
 			ConnectionAnnouncement: "",
+			AllowPassword:          true,
+			AllowPublicKey:         true,
+			AllowRoot:              true,
+			AllowEmptyPasswords:    true,
+			AllowTTY:               true,
+			AllowTCPForwarding:     true,
+			AllowWebEndpoints:      true,
+			AllowSFTP:              true,
+			AllowAgentForwarding:   true,
 		},
 		TenantID: req.TenantID,
 		Type:     models.NewDefaultType(),
@@ -176,6 +185,42 @@ func (s *service) EditNamespace(ctx context.Context, req *requests.NamespaceEdit
 		namespace.Settings.ConnectionAnnouncement = *req.Settings.ConnectionAnnouncement
 	}
 
+	if req.Settings.AllowPassword != nil {
+		namespace.Settings.AllowPassword = *req.Settings.AllowPassword
+	}
+
+	if req.Settings.AllowPublicKey != nil {
+		namespace.Settings.AllowPublicKey = *req.Settings.AllowPublicKey
+	}
+
+	if req.Settings.AllowRoot != nil {
+		namespace.Settings.AllowRoot = *req.Settings.AllowRoot
+	}
+
+	if req.Settings.AllowEmptyPasswords != nil {
+		namespace.Settings.AllowEmptyPasswords = *req.Settings.AllowEmptyPasswords
+	}
+
+	if req.Settings.AllowTTY != nil {
+		namespace.Settings.AllowTTY = *req.Settings.AllowTTY
+	}
+
+	if req.Settings.AllowTCPForwarding != nil {
+		namespace.Settings.AllowTCPForwarding = *req.Settings.AllowTCPForwarding
+	}
+
+	if req.Settings.AllowWebEndpoints != nil {
+		namespace.Settings.AllowWebEndpoints = *req.Settings.AllowWebEndpoints
+	}
+
+	if req.Settings.AllowSFTP != nil {
+		namespace.Settings.AllowSFTP = *req.Settings.AllowSFTP
+	}
+
+	if req.Settings.AllowAgentForwarding != nil {
+		namespace.Settings.AllowAgentForwarding = *req.Settings.AllowAgentForwarding
+	}
+
 	if err := s.store.NamespaceUpdate(ctx, namespace); err != nil {
 		return nil, err
 	}