feat: audit api, sdwan persist, relay fallback updates

internal/server/admin_settings.go

@@ -0,0 +1,56 @@
+package server
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+)
+
+// GET /api/v1/admin/settings
+// POST /api/v1/admin/settings {key,value}
+func (s *Server) HandleAdminSettings(w http.ResponseWriter, r *http.Request) {
+	if s.store == nil {
+		writeJSON(w, http.StatusInternalServerError, `{"error":1,"message":"store not ready"}`)
+		return
+	}
+	if r.Method == http.MethodGet {
+		settings, err := s.store.ListSettings()
+		if err != nil {
+			writeJSON(w, http.StatusInternalServerError, `{"error":1,"message":"list settings failed"}`)
+			return
+		}
+		b, _ := json.Marshal(map[string]any{"error": 0, "settings": settings})
+		writeJSON(w, http.StatusOK, string(b))
+		return
+	}
+	if r.Method != http.MethodPost {
+		writeJSON(w, http.StatusMethodNotAllowed, `{"error":1,"message":"method not allowed"}`)
+		return
+	}
+	var req struct {
+		Key   string `json:"key"`
+		Value string `json:"value"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.Key == "" {
+		writeJSON(w, http.StatusBadRequest, `{"error":1,"message":"bad request"}`)
+		return
+	}
+	// allowlist
+	switch req.Key {
+	case "advanced_impersonate", "advanced_force_network", "advanced_cross_tenant":
+	default:
+		writeJSON(w, http.StatusBadRequest, `{"error":1,"message":"invalid key"}`)
+		return
+	}
+	if req.Value == "" {
+		req.Value = "0"
+	}
+	if err := s.store.SetSetting(req.Key, req.Value); err != nil {
+		writeJSON(w, http.StatusInternalServerError, `{"error":1,"message":"set failed"}`)
+		return
+	}
+	if ac := GetAccessContext(r); ac != nil {
+		_ = s.store.AddAuditLog(ac.Kind, fmt.Sprintf("%d", ac.UserID), "setting_change", "setting", req.Key, req.Value, r.RemoteAddr)
+	}
+	writeJSON(w, http.StatusOK, `{"error":0,"message":"ok"}`)
+}