P1 polish: Host.default_paths interim + restic env hygiene + job_id JS quoting
Two fixes that close the loop on dashboard run-now and harden the
agent's restic invocation.
Default paths (interim until P2-01 schedules):
- 0003 migration adds default_paths TEXT NOT NULL DEFAULT '[]'
to hosts and to enrollment_tokens.
- Operator types paths in the Add-host form (textarea, one per
line). They ride on the enrol_token row alongside the
encrypted creds (paths aren't secret — plain JSON column).
- On consume, ConsumeEnrollmentToken still just burns the token;
the new GetEnrollmentTokenAttachments returns both the
re-bindable creds and the path list in one round trip, the
handler transfers them onto the new host row inside CreateHost.
- The dashboard's Run-now and host-detail's "Run backup now"
button now read Host.DefaultPaths and pass them to dispatchJob.
A host with no default paths returns 400 with a friendly
"no paths set" message instead of dispatching a doomed
`restic backup` with no positional args.
- Doc comments explicitly call this out as a Phase 1 interim —
schedules supersede.
Restic env hygiene:
- envSlice() previously omitted HOME / XDG_CACHE_HOME, which
bit the smoke runs whenever the agent was launched outside
systemd (restic refused to start: "neither $XDG_CACHE_HOME
nor $HOME are defined"). Now both are set explicitly: prefer
Env.ExtraEnv overrides, fall back to the agent process's own
HOME, and finally to /var/lib/restic-manager.
- Comment makes the env policy explicit: parent's RESTIC_* /
AWS_* / B2_* env is filtered out by design — control-plane
is the unambiguous source of truth.
JS bug fix in the live log page:
- {{$job.ID | printf "%q"}} produced a literal-quoted JS string,
which then went into the WS URL as ".../jobs/"<ID>"/stream"
→ 404. Switched to '{{$job.ID}}' inside the literal so
html/template's auto-escape does the right thing. Verified
end-to-end: dashboard "Run now" → live progress + log lines
arrive over the WS → succeeded pill renders.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -56,6 +56,12 @@ type enrollOperatorRequest struct {
|
||||
RepoURL string `json:"repo_url"`
|
||||
RepoUsername string `json:"repo_username"`
|
||||
RepoPassword string `json:"repo_password"`
|
||||
// DefaultPaths lands on the host row at consume time. Used by
|
||||
// run-now buttons (the dashboard's per-row Run, the host
|
||||
// detail's Run backup now). When schedules ship in P2-01 they
|
||||
// supersede this — until then, this is the only source of paths
|
||||
// for run-now jobs.
|
||||
DefaultPaths []string `json:"default_paths,omitempty"`
|
||||
}
|
||||
|
||||
type enrollOperatorResponse struct {
|
||||
@@ -94,12 +100,13 @@ func (s *Server) handleAgentEnroll(w stdhttp.ResponseWriter, r *stdhttp.Request)
|
||||
// is already burned. That's acceptable — operator just regens.
|
||||
tokHash := auth.HashToken(req.Token)
|
||||
|
||||
// If the token carries repo creds, re-encrypt them under the new
|
||||
// host_id so the host_credentials row is bound to the host (not
|
||||
// the token, which is about to disappear).
|
||||
encForHost, err := s.rebindTokenCreds(r.Context(), tokHash, hostID)
|
||||
// Pull every operator-supplied attachment off the token row in one
|
||||
// query: encrypted repo creds (rebound under the new host_id) plus
|
||||
// the default-paths list. Both transferred onto the new host row
|
||||
// after consume.
|
||||
attachments, encForHost, err := s.rebindTokenAttachments(r.Context(), tokHash, hostID)
|
||||
if err != nil {
|
||||
slog.Warn("enrollment: rebind token creds failed", "err", err)
|
||||
slog.Warn("enrollment: rebind token attachments failed", "err", err)
|
||||
writeJSONError(w, stdhttp.StatusUnauthorized, "invalid_token",
|
||||
"token unknown, expired, or already used")
|
||||
return
|
||||
@@ -127,6 +134,7 @@ func (s *Server) handleAgentEnroll(w stdhttp.ResponseWriter, r *stdhttp.Request)
|
||||
AgentVersion: req.AgentVersion,
|
||||
ResticVersion: req.ResticVersion,
|
||||
EnrolledAt: time.Now().UTC(),
|
||||
DefaultPaths: attachments.DefaultPaths,
|
||||
}
|
||||
if err := s.deps.Store.CreateHost(r.Context(), host,
|
||||
auth.HashToken(agentToken), ""); err != nil {
|
||||
@@ -195,7 +203,7 @@ func (s *Server) handleCreateEnrollmentToken(w stdhttp.ResponseWriter, r *stdhtt
|
||||
writeJSONError(w, stdhttp.StatusBadRequest, "invalid_json", err.Error())
|
||||
return
|
||||
}
|
||||
token, expiresAt, err := s.mintEnrollmentToken(r.Context(), req.RepoURL, req.RepoUsername, req.RepoPassword)
|
||||
token, expiresAt, err := s.mintEnrollmentToken(r.Context(), req.RepoURL, req.RepoUsername, req.RepoPassword, req.DefaultPaths)
|
||||
switch err {
|
||||
case nil:
|
||||
writeJSON(w, stdhttp.StatusCreated, enrollOperatorResponse{Token: token, ExpiresAt: expiresAt})
|
||||
@@ -218,7 +226,7 @@ var errMissingRepoCreds = errAuth("missing_repo_creds")
|
||||
// token (shown to the operator exactly once) and the expiry time.
|
||||
//
|
||||
// Shared by the JSON endpoint and the HTML "Add host" flow.
|
||||
func (s *Server) mintEnrollmentToken(ctx context.Context, repoURL, repoUsername, repoPassword string) (string, time.Time, error) {
|
||||
func (s *Server) mintEnrollmentToken(ctx context.Context, repoURL, repoUsername, repoPassword string, defaultPaths []string) (string, time.Time, error) {
|
||||
if repoURL == "" || repoPassword == "" {
|
||||
return "", time.Time{}, errMissingRepoCreds
|
||||
}
|
||||
@@ -235,34 +243,44 @@ func (s *Server) mintEnrollmentToken(ctx context.Context, repoURL, repoUsername,
|
||||
return "", time.Time{}, err
|
||||
}
|
||||
|
||||
if defaultPaths == nil {
|
||||
defaultPaths = []string{}
|
||||
}
|
||||
pathsJSON, err := json.Marshal(defaultPaths)
|
||||
if err != nil {
|
||||
return "", time.Time{}, fmt.Errorf("marshal default_paths: %w", err)
|
||||
}
|
||||
|
||||
const ttl = time.Hour
|
||||
if err := s.deps.Store.CreateEnrollmentToken(ctx, tokHash, ttl, enc); err != nil {
|
||||
if err := s.deps.Store.CreateEnrollmentToken(ctx, tokHash, ttl, enc, string(pathsJSON)); err != nil {
|
||||
return "", time.Time{}, err
|
||||
}
|
||||
return token, time.Now().Add(ttl).UTC(), nil
|
||||
}
|
||||
|
||||
// rebindTokenCreds decrypts the creds attached to the token (if any),
|
||||
// re-encrypts under the new host_id, and returns the new ciphertext.
|
||||
// Empty return = the token had no creds attached, which we treat as
|
||||
// a hard error today (the operator must supply creds at mint time).
|
||||
func (s *Server) rebindTokenCreds(ctx context.Context, tokHash, hostID string) (string, error) {
|
||||
enc, err := s.deps.Store.GetEnrollmentTokenCreds(ctx, tokHash)
|
||||
// rebindTokenAttachments fetches every operator-supplied attachment
|
||||
// off the token row, re-encrypting the repo-creds blob under the
|
||||
// new host_id (the additional-data binding moves with the cred so
|
||||
// a token-row dump can't be replayed against a different host's
|
||||
// row). Returns the attachments (sans the rebind work), the
|
||||
// re-encrypted ciphertext for SetHostCredentials, and any error.
|
||||
func (s *Server) rebindTokenAttachments(ctx context.Context, tokHash, hostID string) (store.EnrollmentTokenAttachments, string, error) {
|
||||
att, err := s.deps.Store.GetEnrollmentTokenAttachments(ctx, tokHash)
|
||||
if err != nil {
|
||||
return "", err
|
||||
return store.EnrollmentTokenAttachments{}, "", err
|
||||
}
|
||||
if enc == "" {
|
||||
return "", nil
|
||||
if att.EncRepoCreds == "" {
|
||||
return att, "", nil
|
||||
}
|
||||
plain, err := s.deps.AEAD.Decrypt(enc, []byte("token:"+tokHash))
|
||||
plain, err := s.deps.AEAD.Decrypt(att.EncRepoCreds, []byte("token:"+tokHash))
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("decrypt token creds: %w", err)
|
||||
return att, "", fmt.Errorf("decrypt token creds: %w", err)
|
||||
}
|
||||
out, err := s.deps.AEAD.Encrypt(plain, []byte("host:"+hostID))
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("re-encrypt for host: %w", err)
|
||||
return att, "", fmt.Errorf("re-encrypt for host: %w", err)
|
||||
}
|
||||
return out, nil
|
||||
return att, out, nil
|
||||
}
|
||||
|
||||
// encryptRepoCreds JSON-encodes blob and seals it with the given
|
||||
|
||||
@@ -73,7 +73,7 @@ func TestEnrollmentHappyPath(t *testing.T) {
|
||||
// Issue a token directly via the store (skipping the operator UI).
|
||||
rawToken, _ := auth.NewToken()
|
||||
if err := st.CreateEnrollmentToken(context.Background(),
|
||||
auth.HashToken(rawToken), 5*time.Minute, ""); err != nil {
|
||||
auth.HashToken(rawToken), 5*time.Minute, "", ""); err != nil {
|
||||
t.Fatalf("issue: %v", err)
|
||||
}
|
||||
|
||||
|
||||
@@ -28,14 +28,14 @@ func TestEnrollmentTransfersRepoCreds(t *testing.T) {
|
||||
if err != nil {
|
||||
t.Fatalf("encrypt: %v", err)
|
||||
}
|
||||
if err := st.CreateEnrollmentToken(ctx, tokHash, 1<<20, enc); err != nil {
|
||||
if err := st.CreateEnrollmentToken(ctx, tokHash, 1<<20, enc, ""); err != nil {
|
||||
t.Fatalf("create token: %v", err)
|
||||
}
|
||||
|
||||
// Rebind under host_id, then consume (this is what the agent
|
||||
// enroll handler does inline).
|
||||
const hostID = "h-fixture"
|
||||
encForHost, err := srv.rebindTokenCreds(ctx, tokHash, hostID)
|
||||
_, encForHost, err := srv.rebindTokenAttachments(ctx, tokHash, hostID)
|
||||
if err != nil {
|
||||
t.Fatalf("rebind: %v", err)
|
||||
}
|
||||
@@ -93,14 +93,14 @@ func TestEnrollmentTokenWithoutCreds(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
const tokHash = "no-creds-token"
|
||||
if err := st.CreateEnrollmentToken(ctx, tokHash, 1<<20, ""); err != nil {
|
||||
if err := st.CreateEnrollmentToken(ctx, tokHash, 1<<20, "", ""); err != nil {
|
||||
t.Fatalf("create: %v", err)
|
||||
}
|
||||
enc, err := st.GetEnrollmentTokenCreds(ctx, tokHash)
|
||||
att, err := st.GetEnrollmentTokenAttachments(ctx, tokHash)
|
||||
if err != nil {
|
||||
t.Fatalf("get token creds: %v", err)
|
||||
t.Fatalf("get token attachments: %v", err)
|
||||
}
|
||||
if enc != "" {
|
||||
t.Errorf("token without creds should return empty blob; got %q", enc)
|
||||
if att.EncRepoCreds != "" {
|
||||
t.Errorf("token without creds should return empty blob; got %q", att.EncRepoCreds)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -159,7 +159,26 @@ func (s *Server) handleUIRunBackup(w stdhttp.ResponseWriter, r *stdhttp.Request)
|
||||
stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
res, status, code, msg := s.dispatchJob(r.Context(), storeUser, hostID, api.JobBackup, nil)
|
||||
host, err := s.deps.Store.GetHost(r.Context(), hostID)
|
||||
if err != nil {
|
||||
if errors.Is(err, store.ErrNotFound) {
|
||||
stdhttp.NotFound(w, r)
|
||||
return
|
||||
}
|
||||
stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
if len(host.DefaultPaths) == 0 {
|
||||
// Tell the user with HX-Redirect via a friendly toast — for
|
||||
// now, just an HTTP error: HTMX surfaces the response body
|
||||
// to the operator's console, and a future toast component
|
||||
// will lift it into the UI.
|
||||
stdhttp.Error(w,
|
||||
"this host has no default backup paths set — edit the host or wait for schedules (P2)",
|
||||
stdhttp.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
res, status, code, msg := s.dispatchJob(r.Context(), storeUser, hostID, api.JobBackup, host.DefaultPaths)
|
||||
if code != "" {
|
||||
stdhttp.Error(w, msg, status)
|
||||
return
|
||||
@@ -188,6 +207,9 @@ type addHostPage struct {
|
||||
Tags string
|
||||
RepoURL string
|
||||
RepoUsername string
|
||||
// Paths is the textarea-as-typed default-paths input. One path
|
||||
// per line, blanks ignored.
|
||||
Paths string
|
||||
|
||||
// Server URL the operator should paste into the install
|
||||
// command. Resolved from RM_BASE_URL falling back to the
|
||||
@@ -235,6 +257,7 @@ func (s *Server) handleUIAddHostPost(w stdhttp.ResponseWriter, r *stdhttp.Reques
|
||||
Tags: strings.TrimSpace(r.PostForm.Get("tags")),
|
||||
RepoURL: strings.TrimSpace(r.PostForm.Get("repo_url")),
|
||||
RepoUsername: strings.TrimSpace(r.PostForm.Get("repo_username")),
|
||||
Paths: r.PostForm.Get("paths"),
|
||||
ServerURL: s.publicURL(r),
|
||||
}
|
||||
repoPassword := r.PostForm.Get("repo_password")
|
||||
@@ -245,8 +268,10 @@ func (s *Server) handleUIAddHostPost(w stdhttp.ResponseWriter, r *stdhttp.Reques
|
||||
page.Error = "Repo URL and password are both required so the agent can back up the moment it comes online."
|
||||
}
|
||||
|
||||
defaultPaths := splitPaths(page.Paths)
|
||||
|
||||
if page.Error == "" {
|
||||
token, expires, err := s.mintEnrollmentToken(r.Context(), page.RepoURL, page.RepoUsername, repoPassword)
|
||||
token, expires, err := s.mintEnrollmentToken(r.Context(), page.RepoURL, page.RepoUsername, repoPassword, defaultPaths)
|
||||
switch err {
|
||||
case nil:
|
||||
page.Token = token
|
||||
@@ -330,6 +355,19 @@ func (s *Server) handleUIHostDetail(w stdhttp.ResponseWriter, r *stdhttp.Request
|
||||
}
|
||||
}
|
||||
|
||||
// splitPaths parses the textarea content into a clean []string —
|
||||
// one path per line, leading/trailing whitespace trimmed, blanks
|
||||
// dropped.
|
||||
func splitPaths(s string) []string {
|
||||
out := []string{}
|
||||
for _, line := range strings.Split(s, "\n") {
|
||||
if p := strings.TrimSpace(line); p != "" {
|
||||
out = append(out, p)
|
||||
}
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
// publicURL is what the operator should paste into the install
|
||||
// command. Prefers RM_BASE_URL (set by the operator's reverse
|
||||
// proxy config) and falls back to scheme + Host of the inbound
|
||||
|
||||
Reference in New Issue
Block a user