steve/restic-manager
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases 1 Wiki Activity

fix: enrollment FK race + log-when-rejected; runbook fixes from dry-run

Browse Source 
The smoke runbook caught a real bug: ConsumeEnrollmentToken was
inserting into host_credentials (FK -> hosts) inside the same tx as
the token burn, but the host row didn't exist yet — CreateHost
runs in the *next* statement. The agent saw a generic 401 with no
clue why.

Fix: drop the host_credentials insert from ConsumeEnrollmentToken;
the HTTP handler now does Consume -> CreateHost ->
SetHostCredentials. SetHostCredentials failure is logged loudly
but doesn't fail the enrol — operator recovers via PUT
/api/hosts/{id}/repo-credentials.

Adds slog.Warn lines on both 401 paths in handleAgentEnroll so the
underlying cause is visible in server logs (the wire response stays
generic to avoid leaking which step failed).

Test: TestEnrollmentTransfersRepoCreds rewritten to mirror the new
order (consume -> create host -> SetHostCredentials).

Runbook (docs/e2e-smoke.md): rest-server moved off 8000 (commonly
in use); URLs use trailing slash on the rest path; clarified that
secrets_key is minted on first agent start, not at enrol time.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Steve Cliff
2026-05-01 14:01:59 +01:00
parent 6cfbdfc7ab
commit 44feb708bc
5 changed files with 47 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/server/http/host_credentials_test.go
+7 -3
View File
@@ -46,14 +46,18 @@ func TestEnrollmentTransfersRepoCreds(t *testing.T) {
t.Errorf("rebind should change ciphertext (additional-data differs); got identical")
}
// Need a host row for the FK.
// Burn the token, then create the host row, then promote — same
// order the HTTP handler runs.
if err := st.ConsumeEnrollmentToken(ctx, tokHash, hostID); err != nil {
t.Fatalf("consume: %v", err)
}
if _, err := st.DB().Exec(
`INSERT INTO hosts (id, name, os, arch, enrolled_at) VALUES (?,?,?,?,?)`,
hostID, "host42", "linux", "amd64", "2026-01-01T00:00:00Z"); err != nil {
t.Fatalf("insert host: %v", err)
}
if err := st.ConsumeEnrollmentToken(ctx, tokHash, hostID, encForHost); err != nil {
t.Fatalf("consume: %v", err)
if err := st.SetHostCredentials(ctx, hostID, encForHost); err != nil {
t.Fatalf("set host credentials: %v", err)
}
// host_credentials row should now hold the host-bound ciphertext.