phase 1: HTTP server + first-run bootstrap
P1-01 chi router, slog request log, graceful shutdown via signal
context. Health endpoint, /api/auth/login, /api/auth/logout,
/api/bootstrap. Background sweeper for expired sessions and
enrollment tokens (15 min cadence).
P1-04 (sessions half) HttpOnly Secure-when-TLS cookie carrying a
base64url token; server stores SHA-256(token) so a stolen DB
doesn't yield credentials. Unknown user and bad password collapse
to the same 401 response code so a probe can't enumerate names.
P1-05 first-run admin bootstrap. On a fresh DB the server mints a
one-time token and prints it to stderr inside a banner. The
/api/bootstrap handler accepts {token, username, password},
creates the first admin, then becomes a 409 forever.
P1-07 (partial) audit hooks fire on auth.login and auth.bootstrap.
Full middleware-driven coverage lands with the rest of the API.
internal/server/config: env > YAML > defaults. RM_LISTEN /
RM_DATA_DIR / RM_BASE_URL / RM_TLS_CERT / RM_TLS_KEY /
RM_SECRET_KEY_FILE / RM_TRUSTED_PROXY (CIDR list, validated).
End-to-end smoke test passes: server boots on a fresh dir,
prints the bootstrap token, POST /api/bootstrap creates the admin,
POST /api/auth/login returns 200 with a session cookie.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,114 @@
|
||||
// Package config loads server configuration from env vars (the
|
||||
// canonical source) with optional YAML overlay. Documented vars are
|
||||
// listed in spec.md §4.1.
|
||||
package config
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"net/netip"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
"gopkg.in/yaml.v3"
|
||||
)
|
||||
|
||||
// Config holds runtime parameters resolved from env + (optionally) a
|
||||
// YAML file. Env wins over YAML so operators can tweak a single var
|
||||
// without rewriting the file.
|
||||
type Config struct {
|
||||
Listen string `yaml:"listen"`
|
||||
DataDir string `yaml:"data_dir"`
|
||||
BaseURL string `yaml:"base_url"`
|
||||
TLSCert string `yaml:"tls_cert"`
|
||||
TLSKey string `yaml:"tls_key"`
|
||||
SecretKeyFile string `yaml:"secret_key_file"`
|
||||
TrustedProxies []string `yaml:"trusted_proxies"`
|
||||
}
|
||||
|
||||
// Load resolves config in this order:
|
||||
// 1. defaults
|
||||
// 2. YAML at the given path (if non-empty and exists)
|
||||
// 3. environment variables (RM_LISTEN, RM_DATA_DIR, …)
|
||||
//
|
||||
// The result is validated; a zero-error return means the server is
|
||||
// safe to start.
|
||||
func Load(yamlPath string) (Config, error) {
|
||||
c := Config{
|
||||
Listen: ":8443",
|
||||
DataDir: "/data",
|
||||
}
|
||||
|
||||
if yamlPath != "" {
|
||||
body, err := os.ReadFile(yamlPath)
|
||||
if err != nil && !os.IsNotExist(err) {
|
||||
return c, fmt.Errorf("config: read %q: %w", yamlPath, err)
|
||||
}
|
||||
if err == nil {
|
||||
if err := yaml.Unmarshal(body, &c); err != nil {
|
||||
return c, fmt.Errorf("config: parse %q: %w", yamlPath, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if v, ok := os.LookupEnv("RM_LISTEN"); ok {
|
||||
c.Listen = v
|
||||
}
|
||||
if v, ok := os.LookupEnv("RM_DATA_DIR"); ok {
|
||||
c.DataDir = v
|
||||
}
|
||||
if v, ok := os.LookupEnv("RM_BASE_URL"); ok {
|
||||
c.BaseURL = v
|
||||
}
|
||||
if v, ok := os.LookupEnv("RM_TLS_CERT"); ok {
|
||||
c.TLSCert = v
|
||||
}
|
||||
if v, ok := os.LookupEnv("RM_TLS_KEY"); ok {
|
||||
c.TLSKey = v
|
||||
}
|
||||
if v, ok := os.LookupEnv("RM_SECRET_KEY_FILE"); ok {
|
||||
c.SecretKeyFile = v
|
||||
}
|
||||
if v, ok := os.LookupEnv("RM_TRUSTED_PROXY"); ok {
|
||||
// Comma-separated CIDRs; allow whitespace for readability.
|
||||
parts := strings.Split(v, ",")
|
||||
c.TrustedProxies = c.TrustedProxies[:0]
|
||||
for _, p := range parts {
|
||||
p = strings.TrimSpace(p)
|
||||
if p != "" {
|
||||
c.TrustedProxies = append(c.TrustedProxies, p)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return c, c.validate()
|
||||
}
|
||||
|
||||
func (c *Config) validate() error {
|
||||
if c.Listen == "" {
|
||||
return fmt.Errorf("config: RM_LISTEN must be set")
|
||||
}
|
||||
if _, _, err := net.SplitHostPort(c.Listen); err != nil {
|
||||
return fmt.Errorf("config: RM_LISTEN %q invalid: %w", c.Listen, err)
|
||||
}
|
||||
if c.DataDir == "" {
|
||||
return fmt.Errorf("config: RM_DATA_DIR must be set")
|
||||
}
|
||||
if c.SecretKeyFile == "" {
|
||||
// Default to data dir.
|
||||
c.SecretKeyFile = c.DataDir + "/secret.key"
|
||||
}
|
||||
for _, cidr := range c.TrustedProxies {
|
||||
if _, err := netip.ParsePrefix(cidr); err != nil {
|
||||
return fmt.Errorf("config: RM_TRUSTED_PROXY entry %q is not a valid CIDR: %w", cidr, err)
|
||||
}
|
||||
}
|
||||
// TLS pair: either both set or both unset (HTTP-only mode for dev).
|
||||
if (c.TLSCert == "") != (c.TLSKey == "") {
|
||||
return fmt.Errorf("config: RM_TLS_CERT and RM_TLS_KEY must be set together (or both unset)")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// TLSEnabled is true when both cert and key are configured.
|
||||
func (c Config) TLSEnabled() bool { return c.TLSCert != "" && c.TLSKey != "" }
|
||||
Reference in New Issue
Block a user