Add open enrollment + update Windows installer

Open enrollment (OPEN_ENROLLMENT=true in .env): - Agents can register with just --server <url>, no token needed - Machines assigned to OPEN_ENROLLMENT_USER_EMAIL, first admin, or first user - Falls back gracefully if env var not set - agent.py register() now takes optional token; --server alone triggers registration Agent CLI changes: - --server without --enroll triggers open enrollment registration on first run - --enroll still works for token-based or re-enrollment - Error message updated to reflect new syntax NSIS installer changes: - Interactive mode: custom page prompts for server URL + optional token - Silent mode: /SERVER= alone works with open enrollment, /ENROLL= still supported - Cleans up config on uninstall agent.spec: add pyperclip, base64, struct, uuid to hidden imports docker-compose + .env: OPEN_ENROLLMENT and OPEN_ENROLLMENT_USER_EMAIL vars Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 00:02:05 -07:00
parent 61edbf59bf
commit dcf88c7863
6 changed files with 168 additions and 95 deletions
--- a/app/api/agent/register/route.ts
+++ b/app/api/agent/register/route.ts
@@ -1,21 +1,20 @@
 import { db } from '@/lib/db'
-import { machines, enrollmentTokens } from '@/lib/db/schema'
-import { eq, and, isNull, or, gt } from 'drizzle-orm'
+import { machines, enrollmentTokens, users } from '@/lib/db/schema'
+import { eq, asc } from 'drizzle-orm'
 import { NextRequest, NextResponse } from 'next/server'
 import { randomBytes } from 'crypto'

 // POST /api/agent/register
-// Two modes:
-//   1. First-time: { enrollmentToken, name, hostname, os, osVersion, agentVersion, ipAddress }
-//      → creates machine, returns { machineId, accessKey }
-//   2. Re-register: { accessKey, name, hostname, os, osVersion, agentVersion, ipAddress }
-//      → updates existing machine, returns { machineId }
+// Three modes:
+//   1. Re-register (existing agent):  { accessKey, ... }         → updates machine
+//   2. Enrollment token:              { enrollmentToken, ... }   → creates machine owned by token creator
+//   3. Open enrollment (no token):    { name, ... }              → creates machine, OPEN_ENROLLMENT must be true
 export async function POST(request: NextRequest) {
  try {
    const body = await request.json()
-    const { accessKey, enrollmentToken, name, hostname, os, osVersion, agentVersion, ipAddress } = body
+    const { accessKey, enrollmentToken, name, hostname, os, osVersion, agentVersion, ipAddress, macAddress } = body

-    // ── Mode 2: existing agent re-registering ─────────────────────────────────
+    // ── Mode 1: existing agent re-registering ─────────────────────────────────
    if (accessKey) {
      const result = await db
        .select()
@@ -37,6 +36,7 @@ export async function POST(request: NextRequest) {
          osVersion: osVersion || machine.osVersion,
          agentVersion: agentVersion || machine.agentVersion,
          ipAddress: ipAddress || machine.ipAddress,
+          macAddress: macAddress || machine.macAddress,
          isOnline: true,
          lastSeen: new Date(),
          updatedAt: new Date(),
@@ -46,66 +46,67 @@ export async function POST(request: NextRequest) {
      return NextResponse.json({ machineId: machine.id })
    }

-    // ── Mode 1: first-time registration with enrollment token ─────────────────
-    if (!enrollmentToken) {
+    if (!name) {
+      return NextResponse.json({ error: 'name is required' }, { status: 400 })
+    }
+
+    const newAccessKey = randomBytes(32).toString('hex')
+
+    // ── Mode 2: enrollment token ───────────────────────────────────────────────
+    if (enrollmentToken) {
+      const tokenResult = await db
+        .select()
+        .from(enrollmentTokens)
+        .where(eq(enrollmentTokens.token, enrollmentToken))
+        .limit(1)
+
+      const token = tokenResult[0]
+      if (!token) return NextResponse.json({ error: 'Invalid enrollment token' }, { status: 401 })
+      if (token.revokedAt) return NextResponse.json({ error: 'Enrollment token revoked' }, { status: 401 })
+      if (token.expiresAt && token.expiresAt < new Date()) return NextResponse.json({ error: 'Enrollment token expired' }, { status: 401 })
+      if (token.maxUses !== null && token.usedCount >= token.maxUses) return NextResponse.json({ error: 'Enrollment token use limit reached' }, { status: 401 })
+
+      const newMachine = await db
+        .insert(machines)
+        .values({ userId: token.createdBy!, name, hostname, os, osVersion, agentVersion, ipAddress, macAddress, accessKey: newAccessKey, isOnline: true, lastSeen: new Date() })
+        .returning({ id: machines.id })
+
+      await db.update(enrollmentTokens).set({ usedCount: token.usedCount + 1 }).where(eq(enrollmentTokens.id, token.id))
+
+      return NextResponse.json({ machineId: newMachine[0].id, accessKey: newAccessKey })
+    }
+
+    // ── Mode 3: open enrollment (no token required) ────────────────────────────
+    const openEnrollment = process.env.OPEN_ENROLLMENT === 'true'
+    if (!openEnrollment) {
      return NextResponse.json({ error: 'accessKey or enrollmentToken required' }, { status: 400 })
    }

-    const tokenResult = await db
-      .select()
-      .from(enrollmentTokens)
-      .where(eq(enrollmentTokens.token, enrollmentToken))
-      .limit(1)
-
-    const token = tokenResult[0]
-    if (!token) {
-      return NextResponse.json({ error: 'Invalid enrollment token' }, { status: 401 })
+    // Find the owner: OPEN_ENROLLMENT_USER_EMAIL env var, or first admin, or first user
+    let ownerId: string | null = null
+    const ownerEmail = process.env.OPEN_ENROLLMENT_USER_EMAIL
+    if (ownerEmail) {
+      const ownerResult = await db.select({ id: users.id }).from(users).where(eq(users.email, ownerEmail)).limit(1)
+      ownerId = ownerResult[0]?.id ?? null
    }
-
-    // Check revoked
-    if (token.revokedAt) {
-      return NextResponse.json({ error: 'Enrollment token has been revoked' }, { status: 401 })
+    if (!ownerId) {
+      // Fall back to first admin, then first user
+      const adminResult = await db.select({ id: users.id }).from(users).where(eq(users.role, 'admin')).orderBy(asc(users.createdAt)).limit(1)
+      ownerId = adminResult[0]?.id ?? null
    }
-
-    // Check expiry
-    if (token.expiresAt && token.expiresAt < new Date()) {
-      return NextResponse.json({ error: 'Enrollment token has expired' }, { status: 401 })
+    if (!ownerId) {
+      const anyUser = await db.select({ id: users.id }).from(users).orderBy(asc(users.createdAt)).limit(1)
+      ownerId = anyUser[0]?.id ?? null
    }
-
-    // Check max uses
-    if (token.maxUses !== null && token.usedCount >= token.maxUses) {
-      return NextResponse.json({ error: 'Enrollment token has reached its use limit' }, { status: 401 })
+    if (!ownerId) {
+      return NextResponse.json({ error: 'No users exist on the server yet. Create an account first.' }, { status: 503 })
    }

-    if (!name) {
-      return NextResponse.json({ error: 'name is required for first-time registration' }, { status: 400 })
-    }
-
-    // Generate a secure access key for this machine
-    const newAccessKey = randomBytes(32).toString('hex')
-
    const newMachine = await db
      .insert(machines)
-      .values({
-        userId: token.createdBy!,
-        name,
-        hostname,
-        os,
-        osVersion,
-        agentVersion,
-        ipAddress,
-        accessKey: newAccessKey,
-        isOnline: true,
-        lastSeen: new Date(),
-      })
+      .values({ userId: ownerId, name, hostname, os, osVersion, agentVersion, ipAddress, macAddress, accessKey: newAccessKey, isOnline: true, lastSeen: new Date() })
      .returning({ id: machines.id })

-    // Increment use count
-    await db
-      .update(enrollmentTokens)
-      .set({ usedCount: token.usedCount + 1 })
-      .where(eq(enrollmentTokens.id, token.id))
-
    return NextResponse.json({ machineId: newMachine[0].id, accessKey: newAccessKey })
  } catch (error) {
    console.error('[Agent Register] Error:', error)