coryHawkvelt/gatehouse-api
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(zerotier): add ZeroTier network governance module

Browse Source 
Add comprehensive ZeroTier integration for managing network access:

- Portal networks: manager-created ZeroTier network bindings
- Device registration: user-owned ZeroTier node endpoints
- Approval workflows: request/approve/revoke network access
- Activation sessions: time-limited network authorization
- Kill switch: emergency access revocation
- Reconciliation job: sync portal state with ZeroTier controller

Includes ZeroTier client SDK supporting both Central and self-hosted
controller APIs, with full CRUD operations for networks and members.
This commit is contained in:
Cory Hawkvelt
2026-03-20 21:50:20 +10:30
parent 49e724222f
commit 1789590167
27 changed files with 4862 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
migrations/versions/020_add_zerotier_models.py
+317
View File
@@ -0,0 +1,317 @@
"""Add ZeroTier / Portal Network models.
Revision ID: 020_zerotier
Revises: 019_audit_varchar
Create Date: 2026-03-19
Tables created:
- portal_networks — manager-created ZeroTier network bindings
- devices — user-registered ZeroTier node endpoints
- user_network_approvals — durable manager approval records
- device_network_memberships — per-device per-network workflow records
- activation_sessions — temporary activation windows
- zerotier_memberships — observed controller-side member state
- kill_switch_events — explicit rapid deactivation records
"""
from alembic import op
import sqlalchemy as sa
revision = "020_zerotier"
down_revision = "019_audit_varchar"
branch_labels = None
depends_on = None
def _pg_enum(enum_name: str, values: list[str]) -> sa.Enum:
return sa.Enum(*values, name=enum_name, create_type=False)
def upgrade():
bind = op.get_bind()
dialect = bind.dialect.name
# ── 1. Enum types ─────────────────────────────────────────────────────────
if dialect == "postgresql":
op.execute("CREATE TYPE network_environment AS ENUM (%s)" % ", ".join(
f"'{v}'" for v in ["production", "staging", "development", "lab"]
))
op.execute("CREATE TYPE network_request_mode AS ENUM (%s)" % ", ".join(
f"'{v}'" for v in ["open", "approval_required", "invite_only"]
))
op.execute("CREATE TYPE approval_grant_type AS ENUM (%s)" % ", ".join(
f"'{v}'" for v in ["requested", "assigned"]
))
op.execute("CREATE TYPE approval_state AS ENUM (%s)" % ", ".join(
f"'{v}'" for v in ["pending", "approved", "rejected", "revoked", "suspended"]
))
op.execute("CREATE TYPE membership_state AS ENUM (%s)" % ", ".join(
f"'{v}'" for v in [
"pending_device_registration",
"pending_request",
"pending_manager_approval",
"approved_inactive",
"joined_deauthorized",
"active_authorized",
"activation_expired",
"suspended",
"revoked",
"rejected",
]
))
op.execute("CREATE TYPE activation_end_reason AS ENUM (%s)" % ", ".join(
f"'{v}'" for v in [
"expired", "logout", "kill_switch",
"manual_revoke", "approval_revoked", "admin_action",
]
))
op.execute("CREATE TYPE kill_switch_scope AS ENUM (%s)" % ", ".join(
f"'{v}'" for v in ["organization", "global", "selected_networks"]
))
op.execute("CREATE TYPE device_status AS ENUM (%s)" % ", ".join(
f"'{v}'" for v in ["active", "inactive"]
))
# ── 2. portal_networks ────────────────────────────────────────────────────
op.create_table(
"portal_networks",
sa.Column("id", sa.String(36), primary_key=True),
sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),
sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),
sa.Column("name", sa.String(255), nullable=False),
sa.Column("description", sa.Text, nullable=True),
sa.Column("owner_user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False),
sa.Column("zerotier_network_id", sa.String(16), nullable=False, index=True),
sa.Column(
"environment",
_pg_enum("network_environment", ["production", "staging", "development", "lab"]) if dialect == "postgresql"
else sa.String(20),
nullable=False,
),
sa.Column(
"request_mode",
_pg_enum("network_request_mode", ["open", "approval_required", "invite_only"]) if dialect == "postgresql"
else sa.String(20),
nullable=False,
),
sa.Column("default_activation_lifetime_minutes", sa.Integer, nullable=False, default=480),
sa.Column("max_activation_lifetime_minutes", sa.Integer, nullable=True),
sa.Column("is_active", sa.Boolean, nullable=False, default=True),
)
op.create_index(
"ix_portal_networks_org_zt",
"portal_networks",
["organization_id", "zerotier_network_id"],
unique=True,
postgresql_where=sa.text("deleted_at IS NULL"),
)
# ── 3. devices ───────────────────────────────────────────────────────────
op.create_table(
"devices",
sa.Column("id", sa.String(36), primary_key=True),
sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),
sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True),
sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),
sa.Column("node_id", sa.String(10), nullable=False, index=True),
sa.Column("device_nickname", sa.String(255), nullable=True),
sa.Column("hostname", sa.String(255), nullable=True),
sa.Column("asset_tag", sa.String(255), nullable=True),
sa.Column("serial_number", sa.String(255), nullable=True),
sa.Column(
"status",
_pg_enum("device_status", ["active", "inactive"]) if dialect == "postgresql"
else sa.String(20),
nullable=False,
default="active",
),
)
if dialect == "postgresql":
op.create_index(
"ix_devices_node_id_active",
"devices",
["node_id"],
unique=True,
postgresql_where=sa.text("deleted_at IS NULL"),
)
else:
op.create_index("ix_devices_node_id", "devices", ["node_id"], unique=False)
# ── 4. user_network_approvals ─────────────────────────────────────────────
op.create_table(
"user_network_approvals",
sa.Column("id", sa.String(36), primary_key=True),
sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),
sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),
sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True),
sa.Column("portal_network_id", sa.String(36), sa.ForeignKey("portal_networks.id"), nullable=False, index=True),
sa.Column("granted_by_user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=True),
sa.Column(
"grant_type",
_pg_enum("approval_grant_type", ["requested", "assigned"]) if dialect == "postgresql"
else sa.String(20),
nullable=False,
default="requested",
),
sa.Column(
"state",
_pg_enum("approval_state", ["pending", "approved", "rejected", "revoked", "suspended"]) if dialect == "postgresql"
else sa.String(20),
nullable=False,
default="pending",
index=True,
),
sa.Column("justification", sa.Text, nullable=True),
)
op.create_index(
"ix_user_network_approvals_user_network",
"user_network_approvals",
["user_id", "portal_network_id"],
unique=True,
postgresql_where=sa.text("deleted_at IS NULL"),
)
# ── 5. device_network_memberships ────────────────────────────────────────
op.create_table(
"device_network_memberships",
sa.Column("id", sa.String(36), primary_key=True),
sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),
sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),
sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True),
sa.Column("device_id", sa.String(36), sa.ForeignKey("devices.id"), nullable=False, index=True),
sa.Column("portal_network_id", sa.String(36), sa.ForeignKey("portal_networks.id"), nullable=False, index=True),
sa.Column("user_network_approval_id", sa.String(36), sa.ForeignKey("user_network_approvals.id"), nullable=True, index=True),
sa.Column(
"state",
_pg_enum(
"membership_state",
[
"pending_device_registration", "pending_request",
"pending_manager_approval", "approved_inactive",
"joined_deauthorized", "active_authorized",
"activation_expired", "suspended", "revoked", "rejected",
],
) if dialect == "postgresql" else sa.String(30),
nullable=False,
default="pending_device_registration",
index=True,
),
sa.Column("join_seen", sa.Boolean, nullable=False, default=False),
sa.Column("currently_authorized", sa.Boolean, nullable=False, default=False),
sa.Column("approved_for_activation", sa.Boolean, nullable=False, default=True),
)
op.create_index(
"ix_device_network_memberships_device_network",
"device_network_memberships",
["device_id", "portal_network_id"],
unique=True,
postgresql_where=sa.text("deleted_at IS NULL"),
)
# ── 6. activation_sessions ────────────────────────────────────────────────
op.create_table(
"activation_sessions",
sa.Column("id", sa.String(36), primary_key=True),
sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),
sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),
sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True),
sa.Column("device_network_membership_id", sa.String(36), sa.ForeignKey("device_network_memberships.id"), nullable=False, index=True),
sa.Column("authenticated_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("expires_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("ended_at", sa.DateTime(timezone=True), nullable=True),
sa.Column(
"end_reason",
_pg_enum(
"activation_end_reason",
["expired", "logout", "kill_switch", "manual_revoke", "approval_revoked", "admin_action"],
) if dialect == "postgresql" else sa.String(20),
nullable=True,
),
sa.Column("created_by", sa.String(36), sa.ForeignKey("users.id"), nullable=False),
)
# ── 7. zerotier_memberships ───────────────────────────────────────────────
op.create_table(
"zerotier_memberships",
sa.Column("id", sa.String(36), primary_key=True),
sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),
sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),
sa.Column("device_network_membership_id", sa.String(36), sa.ForeignKey("device_network_memberships.id"), nullable=True, index=True),
sa.Column("zerotier_network_id", sa.String(16), nullable=False, index=True),
sa.Column("node_id", sa.String(10), nullable=False, index=True),
sa.Column("member_seen", sa.Boolean, nullable=False, default=False),
sa.Column("authorized", sa.Boolean, nullable=False, default=False),
sa.Column("join_seen_at", sa.DateTime(timezone=True), nullable=True),
sa.Column("last_synced_at", sa.DateTime(timezone=True), nullable=True),
sa.Column("raw_controller_payload", sa.JSON, nullable=True),
)
op.create_index(
"ix_zerotier_memberships_network_node",
"zerotier_memberships",
["zerotier_network_id", "node_id"],
unique=True,
)
# ── 8. kill_switch_events ────────────────────────────────────────────────
op.create_table(
"kill_switch_events",
sa.Column("id", sa.String(36), primary_key=True),
sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),
sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),
sa.Column("target_user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True),
sa.Column(
"scope",
_pg_enum("kill_switch_scope", ["organization", "global", "selected_networks"]) if dialect == "postgresql"
else sa.String(20),
nullable=False,
default="organization",
),
sa.Column("triggered_by_user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False),
sa.Column("reason", sa.Text, nullable=True),
sa.Column("network_ids", sa.JSON, nullable=True),
)
def downgrade():
bind = op.get_bind()
dialect = bind.dialect.name
op.drop_table("kill_switch_events")
op.drop_table("zerotier_memberships")
op.drop_table("activation_sessions")
op.drop_table("device_network_memberships")
op.drop_table("user_network_approvals")
op.drop_table("devices")
op.drop_table("portal_networks")
if dialect == "postgresql":
op.execute("DROP TYPE IF EXISTS kill_switch_scope")
op.execute("DROP TYPE IF EXISTS device_status")
op.execute("DROP TYPE IF EXISTS activation_end_reason")
op.execute("DROP TYPE IF EXISTS membership_state")
op.execute("DROP TYPE IF EXISTS approval_state")
op.execute("DROP TYPE IF EXISTS approval_grant_type")
op.execute("DROP TYPE IF EXISTS network_request_mode")
op.execute("DROP TYPE IF EXISTS network_environment")