dave/coolify
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

middleware should allow, not deny

Browse Source
This commit is contained in:
Kael
2024-10-30 19:06:50 +11:00
parent d4d63ff273
commit 6520235667
15 changed files with 149 additions and 211 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/Http/Controllers/Api/ApplicationsController.php
View File

@@ -29,7 +29,7 @@ class ApplicationsController extends Controller
$application->makeHidden([
'id',
]);
if ($token->can('view:sensitive')) {
if ($token->can('read:sensitive')) {
return serializeApiResponse($application);
}
$application->makeHidden([

2
app/Http/Controllers/Api/DatabasesController.php
View File

@@ -24,7 +24,7 @@ class DatabasesController extends Controller
'id',
'laravel_through_key',
]);
if ($token->can('view:sensitive')) {
if ($token->can('read:sensitive')) {
return serializeApiResponse($database);
}

2
app/Http/Controllers/Api/DeployController.php
View File

@@ -17,7 +17,7 @@ class DeployController extends Controller
private function removeSensitiveData($deployment)
{
$token = auth()->user()->currentAccessToken();
if ($token->can('view:sensitive')) {
if ($token->can('read:sensitive')) {
return serializeApiResponse($deployment);
}

2
app/Http/Controllers/Api/SecurityController.php
View File

@@ -12,7 +12,7 @@ class SecurityController extends Controller
private function removeSensitiveData($team)
{
$token = auth()->user()->currentAccessToken();
if ($token->can('view:sensitive')) {
if ($token->can('read:sensitive')) {
return serializeApiResponse($team);
}
$team->makeHidden([

4
app/Http/Controllers/Api/ServersController.php
View File

@@ -20,7 +20,7 @@ class ServersController extends Controller
private function removeSensitiveDataFromSettings($settings)
{
$token = auth()->user()->currentAccessToken();
if ($token->can('view:sensitive')) {
if ($token->can('read:sensitive')) {
return serializeApiResponse($settings);
}
$settings = $settings->makeHidden([
@@ -36,7 +36,7 @@ class ServersController extends Controller
$server->makeHidden([
'id',
]);
if ($token->can('view:sensitive')) {
if ($token->can('read:sensitive')) {
return serializeApiResponse($server);
}

2
app/Http/Controllers/Api/ServicesController.php
View File

@@ -22,7 +22,7 @@ class ServicesController extends Controller
$service->makeHidden([
'id',
]);
if ($token->can('view:sensitive')) {
if ($token->can('read:sensitive')) {
return serializeApiResponse($service);
}

2
app/Http/Controllers/Api/TeamController.php
View File

@@ -15,7 +15,7 @@ class TeamController extends Controller
'custom_server_limit',
'pivot',
]);
if ($token->can('view:sensitive')) {
if ($token->can('read:sensitive')) {
return serializeApiResponse($team);
}
$team->makeHidden([

28
app/Http/Middleware/IgnoreReadOnlyApiToken.php
View File

@@ -1,28 +0,0 @@
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
class IgnoreReadOnlyApiToken
{
/**
* Handle an incoming request.
*
* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
*/
public function handle(Request $request, Closure $next): Response
{
$token = auth()->user()->currentAccessToken();
if ($token->can('*')) {
return $next($request);
}
if ($token->can('read-only')) {
return response()->json(['message' => 'You are not allowed to perform this action.'], 403);
}
return $next($request);
}
}

25
app/Http/Middleware/OnlyRootApiToken.php
View File

@@ -1,25 +0,0 @@
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
class OnlyRootApiToken
{
/**
* Handle an incoming request.
*
* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
*/
public function handle(Request $request, Closure $next): Response
{
$token = auth()->user()->currentAccessToken();
if ($token->can('*')) {
return $next($request);
}
return response()->json(['message' => 'You are not allowed to perform this action.'], 403);
}
}

66
app/Livewire/Security/ApiTokens.php
View File

@@ -11,12 +11,7 @@ class ApiTokens extends Component
public $tokens = [];
public bool $viewSensitiveData = false;
public bool $readOnly = true;
public bool $rootAccess = false;
public bool $triggerDeploy = false;
public array $permissions = ['read-only'];
public array $permissions = ['read'];
public $isApiEnabled;
@@ -31,60 +26,13 @@ class ApiTokens extends Component
$this->tokens = auth()->user()->tokens->sortByDesc('created_at');
}
public function updatedViewSensitiveData()
{
if ($this->viewSensitiveData) {
$this->permissions[] = 'view:sensitive';
$this->permissions = array_diff($this->permissions, ['*']);
$this->rootAccess = false;
} else {
$this->permissions = array_diff($this->permissions, ['view:sensitive']);
}
$this->makeSureOneIsSelected();
}
public function updatedReadOnly()
{
if ($this->readOnly) {
$this->permissions[] = 'read-only';
$this->permissions = array_diff($this->permissions, ['*']);
$this->rootAccess = false;
} else {
$this->permissions = array_diff($this->permissions, ['read-only']);
}
$this->makeSureOneIsSelected();
}
public function updatedRootAccess()
{
if ($this->rootAccess) {
$this->permissions = ['*'];
$this->readOnly = false;
$this->viewSensitiveData = false;
$this->triggerDeploy = false;
} else {
$this->readOnly = true;
$this->permissions = ['read-only'];
}
}
public function updatedTriggerDeploy()
{
if ($this->triggerDeploy) {
$this->permissions[] = 'trigger-deploy';
$this->permissions = array_diff($this->permissions, ['*']);
$this->rootAccess = false;
} else {
$this->permissions = array_diff($this->permissions, ['trigger-deploy']);
}
$this->makeSureOneIsSelected();
}
public function makeSureOneIsSelected()
public function updated()
{
if (count($this->permissions) == 0) {
$this->permissions = ['read-only'];
$this->readOnly = true;
$this->permissions = ['read'];
}
if (in_array('read:sensitive', $this->permissions) && !in_array('read', $this->permissions)) {
$this->permissions[] = 'read';
}
}
@@ -94,7 +42,7 @@ class ApiTokens extends Component
$this->validate([
'description' => 'required|min:3|max:255',
]);
$token = auth()->user()->createToken($this->description, $this->permissions);
$token = auth()->user()->createToken($this->description, array_values($this->permissions));
$this->tokens = auth()->user()->tokens;
session()->flash('token', $token->plainTextToken);
} catch (\Exception $e) {

1
app/View/Components/Forms/Checkbox.php
View File

@@ -15,6 +15,7 @@ class Checkbox extends Component
public ?string $id = null,
public ?string $name = null,
public ?string $value = null,
public ?string $domValue = null,
public ?string $label = null,
public ?string $helper = null,
public string|bool $instantSave = false,

44
database/migrations/2024_10_30_074601_rename_token_permissions.php Normal file
View File

@@ -0,0 +1,44 @@
<?php
use App\Models\PersonalAccessToken;
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
return new class extends Migration
{
/**
* Run the migrations.
*/
public function up(): void
{
$tokens = PersonalAccessToken::all();
foreach ($tokens as $token) {
$abilities = collect();
if (in_array('*', $token->abilities)) $abilities->push('write', 'read', 'read:sensitive');
if (in_array('read-only', $token->abilities)) $abilities->push('read');
if (in_array('view:sensitive', $token->abilities)) $abilities->push('read', 'read:sensitive');
$token->abilities = $abilities->unique()->values()->all();
$token->save();
}
}
/**
* Reverse the migrations.
*/
public function down(): void
{
$tokens = PersonalAccessToken::all();
foreach ($tokens as $token) {
$abilities = collect();
if (in_array('write', $token->abilities)) {
$abilities->push('*');
} else {
if (in_array('read', $token->abilities)) $abilities->push('read-only');
if (in_array('read:sensitive', $token->abilities)) $abilities->push('view:sensitive');
}
$token->abilities = $abilities->unique()->values()->all();
$token->save();
}
}
};

5
resources/views/components/forms/checkbox.blade.php
View File

@@ -5,6 +5,7 @@
'disabled' => false,
'instantSave' => false,
'value' => null,
'domValue' => null,
'hideLabel' => false,
'fullWidth' => false,
])
@@ -33,5 +34,7 @@
<span class="flex-grow"></span>
<input @disabled($disabled) type="checkbox" {{ $attributes->merge(['class' => $defaultClass]) }}
@if ($instantSave) wire:loading.attr="disabled" wire:click='{{ $instantSave === 'instantSave' || $instantSave == '1' ? 'instantSave' : $instantSave }}'
wire:model={{ $id }} @else wire:model={{ $value ?? $id }} @endif />
wire:model="{{ $id }}" @else wire:model="{{ $value ?? $id }}" @endif
@if ($domValue) value="{{ $domValue }}" @endif
/>
</div>

17
resources/views/livewire/security/api-tokens.blade.php
View File

@@ -25,21 +25,20 @@
<div class="flex gap-1 font-bold dark:text-white">
@if ($permissions)
@foreach ($permissions as $permission)
@if ($permission === '*')
<div>Root access, be careful!</div>
@else
<div>{{ $permission }}</div>
@endif
<div>{{ $permission }}</div>
@endforeach
@endif
</div>
</div>
@if (in_array('write', $permissions))
<div class="font-bold text-warning">Root access, be careful!</div>
@endif
<h4>Token Permissions</h4>
<div class="w-64">
<x-forms.checkbox label="Root Access" wire:model.live="rootAccess"></x-forms.checkbox>
<x-forms.checkbox label="Read-only" wire:model.live="readOnly"></x-forms.checkbox>
<x-forms.checkbox label="View Sensitive Data" wire:model.live="viewSensitiveData"></x-forms.checkbox>
<x-forms.checkbox label="Trigger Deploy Webhooks" wire:model.live="triggerDeploy"></x-forms.checkbox>
<x-forms.checkbox label="read" wire:model.live="permissions" domValue="read" :checked="in_array('read', $permissions)"></x-forms.checkbox>
<x-forms.checkbox label="read:sensitive" wire:model.live="permissions" domValue="read:sensitive" helper="Responses will include secrets, logs, passwords, and compose file contents" :checked="in_array('read:sensitive', $permissions)"></x-forms.checkbox>
<x-forms.checkbox label="write" wire:model.live="permissions" domValue="write" helper="Root access, be careful!" :checked="in_array('write', $permissions)"></x-forms.checkbox>
<x-forms.checkbox label="deploy" wire:model.live="permissions" domValue="deploy" helper="Can trigger deploy webhooks" :checked="in_array('deploy', $permissions)"></x-forms.checkbox>
</div>
</form>
@if (session()->has('token'))

158
routes/api.php
View File

@@ -11,8 +11,6 @@ use App\Http\Controllers\Api\ServersController;
use App\Http\Controllers\Api\ServicesController;
use App\Http\Controllers\Api\TeamController;
use App\Http\Middleware\ApiAllowed;
use App\Http\Middleware\IgnoreReadOnlyApiToken;
use App\Http\Middleware\OnlyRootApiToken;
use App\Jobs\PushServerUpdateJob;
use App\Models\Server;
use Illuminate\Support\Facades\Route;
@@ -21,7 +19,7 @@ Route::get('/health', [OtherController::class, 'healthcheck']);
Route::post('/feedback', [OtherController::class, 'feedback']);
Route::group([
'middleware' => ['auth:sanctum', OnlyRootApiToken::class],
'middleware' => ['auth:sanctum', 'ability:write'],
'prefix' => 'v1',
], function () {
Route::get('/enable', [OtherController::class, 'enable_api']);
@@ -31,105 +29,103 @@ Route::group([
'middleware' => ['auth:sanctum', ApiAllowed::class],
'prefix' => 'v1',
], function () {
Route::get('/version', [OtherController::class, 'version']);
Route::get('/version', [OtherController::class, 'version'])->middleware(['ability:read']);
Route::get('/teams', [TeamController::class, 'teams']);
Route::get('/teams/current', [TeamController::class, 'current_team']);
Route::get('/teams/current/members', [TeamController::class, 'current_team_members']);
Route::get('/teams/{id}', [TeamController::class, 'team_by_id']);
Route::get('/teams/{id}/members', [TeamController::class, 'members_by_id']);
Route::get('/teams', [TeamController::class, 'teams'])->middleware(['ability:read']);
Route::get('/teams/current', [TeamController::class, 'current_team'])->middleware(['ability:read']);
Route::get('/teams/current/members', [TeamController::class, 'current_team_members'])->middleware(['ability:read']);
Route::get('/teams/{id}', [TeamController::class, 'team_by_id'])->middleware(['ability:read']);
Route::get('/teams/{id}/members', [TeamController::class, 'members_by_id'])->middleware(['ability:read']);
Route::get('/projects', [ProjectController::class, 'projects']);
Route::get('/projects/{uuid}', [ProjectController::class, 'project_by_uuid']);
Route::get('/projects/{uuid}/{environment_name}', [ProjectController::class, 'environment_details']);
Route::get('/projects', [ProjectController::class, 'projects'])->middleware(['ability:read']);
Route::get('/projects/{uuid}', [ProjectController::class, 'project_by_uuid'])->middleware(['ability:read']);
Route::get('/projects/{uuid}/{environment_name}', [ProjectController::class, 'environment_details'])->middleware(['ability:read']);
Route::post('/projects', [ProjectController::class, 'create_project']);
Route::patch('/projects/{uuid}', [ProjectController::class, 'update_project']);
Route::delete('/projects/{uuid}', [ProjectController::class, 'delete_project']);
Route::post('/projects', [ProjectController::class, 'create_project'])->middleware(['ability:read']);
Route::patch('/projects/{uuid}', [ProjectController::class, 'update_project'])->middleware(['ability:write']);
Route::delete('/projects/{uuid}', [ProjectController::class, 'delete_project'])->middleware(['ability:write']);
Route::get('/security/keys', [SecurityController::class, 'keys']);
Route::post('/security/keys', [SecurityController::class, 'create_key'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::get('/security/keys', [SecurityController::class, 'keys'])->middleware(['ability:read']);
Route::post('/security/keys', [SecurityController::class, 'create_key'])->middleware(['ability:write']);
Route::get('/security/keys/{uuid}', [SecurityController::class, 'key_by_uuid']);
Route::patch('/security/keys/{uuid}', [SecurityController::class, 'update_key'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::delete('/security/keys/{uuid}', [SecurityController::class, 'delete_key'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::get('/security/keys/{uuid}', [SecurityController::class, 'key_by_uuid'])->middleware(['ability:read']);
Route::patch('/security/keys/{uuid}', [SecurityController::class, 'update_key'])->middleware(['ability:write']);
Route::delete('/security/keys/{uuid}', [SecurityController::class, 'delete_key'])->middleware(['ability:write']);
Route::match(['get', 'post'], '/deploy', [DeployController::class, 'deploy'])
->middleware([IgnoreReadOnlyApiToken::class, 'auth:sanctum', 'ability:trigger-deploy']);
Route::get('/deployments', [DeployController::class, 'deployments']);
Route::get('/deployments/{uuid}', [DeployController::class, 'deployment_by_uuid']);
Route::match(['get', 'post'], '/deploy', [DeployController::class, 'deploy'])->middleware(['ability:write,deploy']);
Route::get('/deployments', [DeployController::class, 'deployments'])->middleware(['ability:read']);
Route::get('/deployments/{uuid}', [DeployController::class, 'deployment_by_uuid'])->middleware(['ability:read']);
Route::get('/servers', [ServersController::class, 'servers']);
Route::get('/servers/{uuid}', [ServersController::class, 'server_by_uuid']);
Route::get('/servers/{uuid}/domains', [ServersController::class, 'domains_by_server']);
Route::get('/servers/{uuid}/resources', [ServersController::class, 'resources_by_server']);
Route::get('/servers', [ServersController::class, 'servers'])->middleware(['ability:read']);
Route::get('/servers/{uuid}', [ServersController::class, 'server_by_uuid'])->middleware(['ability:read']);
Route::get('/servers/{uuid}/domains', [ServersController::class, 'domains_by_server'])->middleware(['ability:read']);
Route::get('/servers/{uuid}/resources', [ServersController::class, 'resources_by_server'])->middleware(['ability:read']);
Route::get('/servers/{uuid}/validate', [ServersController::class, 'validate_server']);
Route::get('/servers/{uuid}/validate', [ServersController::class, 'validate_server'])->middleware(['ability:read']);
Route::post('/servers', [ServersController::class, 'create_server']);
Route::patch('/servers/{uuid}', [ServersController::class, 'update_server']);
Route::delete('/servers/{uuid}', [ServersController::class, 'delete_server']);
Route::post('/servers', [ServersController::class, 'create_server'])->middleware(['ability:read']);
Route::patch('/servers/{uuid}', [ServersController::class, 'update_server'])->middleware(['ability:write']);
Route::delete('/servers/{uuid}', [ServersController::class, 'delete_server'])->middleware(['ability:write']);
Route::get('/resources', [ResourcesController::class, 'resources']);
Route::get('/resources', [ResourcesController::class, 'resources'])->middleware(['ability:read']);
Route::get('/applications', [ApplicationsController::class, 'applications']);
Route::post('/applications/public', [ApplicationsController::class, 'create_public_application'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::post('/applications/private-github-app', [ApplicationsController::class, 'create_private_gh_app_application'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::post('/applications/private-deploy-key', [ApplicationsController::class, 'create_private_deploy_key_application'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::post('/applications/dockerfile', [ApplicationsController::class, 'create_dockerfile_application'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::post('/applications/dockerimage', [ApplicationsController::class, 'create_dockerimage_application'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::post('/applications/dockercompose', [ApplicationsController::class, 'create_dockercompose_application'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::get('/applications', [ApplicationsController::class, 'applications'])->middleware(['ability:read']);
Route::post('/applications/public', [ApplicationsController::class, 'create_public_application'])->middleware(['ability:write']);
Route::post('/applications/private-github-app', [ApplicationsController::class, 'create_private_gh_app_application'])->middleware(['ability:write']);
Route::post('/applications/private-deploy-key', [ApplicationsController::class, 'create_private_deploy_key_application'])->middleware(['ability:write']);
Route::post('/applications/dockerfile', [ApplicationsController::class, 'create_dockerfile_application'])->middleware(['ability:write']);
Route::post('/applications/dockerimage', [ApplicationsController::class, 'create_dockerimage_application'])->middleware(['ability:write']);
Route::post('/applications/dockercompose', [ApplicationsController::class, 'create_dockercompose_application'])->middleware(['ability:write']);
Route::get('/applications/{uuid}', [ApplicationsController::class, 'application_by_uuid']);
Route::patch('/applications/{uuid}', [ApplicationsController::class, 'update_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::delete('/applications/{uuid}', [ApplicationsController::class, 'delete_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::get('/applications/{uuid}', [ApplicationsController::class, 'application_by_uuid'])->middleware(['ability:read']);
Route::patch('/applications/{uuid}', [ApplicationsController::class, 'update_by_uuid'])->middleware(['ability:write']);
Route::delete('/applications/{uuid}', [ApplicationsController::class, 'delete_by_uuid'])->middleware(['ability:write']);
Route::get('/applications/{uuid}/envs', [ApplicationsController::class, 'envs']);
Route::post('/applications/{uuid}/envs', [ApplicationsController::class, 'create_env'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::patch('/applications/{uuid}/envs/bulk', [ApplicationsController::class, 'create_bulk_envs'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::patch('/applications/{uuid}/envs', [ApplicationsController::class, 'update_env_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::delete('/applications/{uuid}/envs/{env_uuid}', [ApplicationsController::class, 'delete_env_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]);
// Route::post('/applications/{uuid}/execute', [ApplicationsController::class, 'execute_command_by_uuid'])->middleware([OnlyRootApiToken::class]);
Route::get('/applications/{uuid}/envs', [ApplicationsController::class, 'envs'])->middleware(['ability:read']);
Route::post('/applications/{uuid}/envs', [ApplicationsController::class, 'create_env'])->middleware(['ability:write']);
Route::patch('/applications/{uuid}/envs/bulk', [ApplicationsController::class, 'create_bulk_envs'])->middleware(['ability:write']);
Route::patch('/applications/{uuid}/envs', [ApplicationsController::class, 'update_env_by_uuid'])->middleware(['ability:write']);
Route::delete('/applications/{uuid}/envs/{env_uuid}', [ApplicationsController::class, 'delete_env_by_uuid'])->middleware(['ability:write']);
// Route::post('/applications/{uuid}/execute', [ApplicationsController::class, 'execute_command_by_uuid'])->middleware(['ability:write']);
Route::match(['get', 'post'], '/applications/{uuid}/start', [ApplicationsController::class, 'action_deploy'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::match(['get', 'post'], '/applications/{uuid}/restart', [ApplicationsController::class, 'action_restart'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::match(['get', 'post'], '/applications/{uuid}/stop', [ApplicationsController::class, 'action_stop'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::match(['get', 'post'], '/applications/{uuid}/start', [ApplicationsController::class, 'action_deploy'])->middleware(['ability:write']);
Route::match(['get', 'post'], '/applications/{uuid}/restart', [ApplicationsController::class, 'action_restart'])->middleware(['ability:write']);
Route::match(['get', 'post'], '/applications/{uuid}/stop', [ApplicationsController::class, 'action_stop'])->middleware(['ability:write']);
Route::get('/databases', [DatabasesController::class, 'databases']);
Route::post('/databases/postgresql', [DatabasesController::class, 'create_database_postgresql'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::post('/databases/mysql', [DatabasesController::class, 'create_database_mysql'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::post('/databases/mariadb', [DatabasesController::class, 'create_database_mariadb'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::post('/databases/mongodb', [DatabasesController::class, 'create_database_mongodb'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::post('/databases/redis', [DatabasesController::class, 'create_database_redis'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::post('/databases/clickhouse', [DatabasesController::class, 'create_database_clickhouse'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::post('/databases/dragonfly', [DatabasesController::class, 'create_database_dragonfly'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::post('/databases/keydb', [DatabasesController::class, 'create_database_keydb'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::get('/databases', [DatabasesController::class, 'databases'])->middleware(['ability:read']);
Route::post('/databases/postgresql', [DatabasesController::class, 'create_database_postgresql'])->middleware(['ability:write']);
Route::post('/databases/mysql', [DatabasesController::class, 'create_database_mysql'])->middleware(['ability:write']);
Route::post('/databases/mariadb', [DatabasesController::class, 'create_database_mariadb'])->middleware(['ability:write']);
Route::post('/databases/mongodb', [DatabasesController::class, 'create_database_mongodb'])->middleware(['ability:write']);
Route::post('/databases/redis', [DatabasesController::class, 'create_database_redis'])->middleware(['ability:write']);
Route::post('/databases/clickhouse', [DatabasesController::class, 'create_database_clickhouse'])->middleware(['ability:write']);
Route::post('/databases/dragonfly', [DatabasesController::class, 'create_database_dragonfly'])->middleware(['ability:write']);
Route::post('/databases/keydb', [DatabasesController::class, 'create_database_keydb'])->middleware(['ability:write']);
Route::get('/databases/{uuid}', [DatabasesController::class, 'database_by_uuid']);
Route::patch('/databases/{uuid}', [DatabasesController::class, 'update_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::delete('/databases/{uuid}', [DatabasesController::class, 'delete_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::get('/databases/{uuid}', [DatabasesController::class, 'database_by_uuid'])->middleware(['ability:read']);
Route::patch('/databases/{uuid}', [DatabasesController::class, 'update_by_uuid'])->middleware(['ability:write']);
Route::delete('/databases/{uuid}', [DatabasesController::class, 'delete_by_uuid'])->middleware(['ability:write']);
Route::match(['get', 'post'], '/databases/{uuid}/start', [DatabasesController::class, 'action_deploy'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::match(['get', 'post'], '/databases/{uuid}/restart', [DatabasesController::class, 'action_restart'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::match(['get', 'post'], '/databases/{uuid}/stop', [DatabasesController::class, 'action_stop'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::match(['get', 'post'], '/databases/{uuid}/start', [DatabasesController::class, 'action_deploy'])->middleware(['ability:write']);
Route::match(['get', 'post'], '/databases/{uuid}/restart', [DatabasesController::class, 'action_restart'])->middleware(['ability:write']);
Route::match(['get', 'post'], '/databases/{uuid}/stop', [DatabasesController::class, 'action_stop'])->middleware(['ability:write']);
Route::get('/services', [ServicesController::class, 'services']);
Route::post('/services', [ServicesController::class, 'create_service'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::get('/services', [ServicesController::class, 'services'])->middleware(['ability:read']);
Route::post('/services', [ServicesController::class, 'create_service'])->middleware(['ability:write']);
Route::get('/services/{uuid}', [ServicesController::class, 'service_by_uuid']);
// Route::patch('/services/{uuid}', [ServicesController::class, 'update_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::delete('/services/{uuid}', [ServicesController::class, 'delete_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::get('/services/{uuid}', [ServicesController::class, 'service_by_uuid'])->middleware(['ability:read']);
// Route::patch('/services/{uuid}', [ServicesController::class, 'update_by_uuid'])->middleware(['ability:write']);
Route::delete('/services/{uuid}', [ServicesController::class, 'delete_by_uuid'])->middleware(['ability:write']);
Route::get('/services/{uuid}/envs', [ServicesController::class, 'envs']);
Route::post('/services/{uuid}/envs', [ServicesController::class, 'create_env'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::patch('/services/{uuid}/envs/bulk', [ServicesController::class, 'create_bulk_envs'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::patch('/services/{uuid}/envs', [ServicesController::class, 'update_env_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::delete('/services/{uuid}/envs/{env_uuid}', [ServicesController::class, 'delete_env_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::match(['get', 'post'], '/services/{uuid}/start', [ServicesController::class, 'action_deploy'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::match(['get', 'post'], '/services/{uuid}/restart', [ServicesController::class, 'action_restart'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::match(['get', 'post'], '/services/{uuid}/stop', [ServicesController::class, 'action_stop'])->middleware([IgnoreReadOnlyApiToken::class]);
Route::get('/services/{uuid}/envs', [ServicesController::class, 'envs'])->middleware(['ability:read']);
Route::post('/services/{uuid}/envs', [ServicesController::class, 'create_env'])->middleware(['ability:write']);
Route::patch('/services/{uuid}/envs/bulk', [ServicesController::class, 'create_bulk_envs'])->middleware(['ability:write']);
Route::patch('/services/{uuid}/envs', [ServicesController::class, 'update_env_by_uuid'])->middleware(['ability:write']);
Route::delete('/services/{uuid}/envs/{env_uuid}', [ServicesController::class, 'delete_env_by_uuid'])->middleware(['ability:write']);
Route::match(['get', 'post'], '/services/{uuid}/start', [ServicesController::class, 'action_deploy'])->middleware(['ability:write']);
Route::match(['get', 'post'], '/services/{uuid}/restart', [ServicesController::class, 'action_restart'])->middleware(['ability:write']);
Route::match(['get', 'post'], '/services/{uuid}/stop', [ServicesController::class, 'action_stop'])->middleware(['ability:write']);
});
Route::group([