steve
e871b05b38
CI / Test (linux/amd64) (pull_request) Successful in 34s
CI / Lint (pull_request) Failing after 16s
CI / Build (windows/amd64) (pull_request) Successful in 22s
CI / Build (linux/amd64) (pull_request) Successful in 20s
CI / Build (linux/arm64) (pull_request) Successful in 21s
Cleanup pass over the repo so CI can enforce lint going forward
without the only-new-issues escape hatch:
* gofumpt -w across the tree (31 hits, all formatting)
* misspell --fix (25 hits, US-locale spelling) — but reverted on
api.JobCancelled = "cancelled" since that literal is the wire +
DB CHECK constraint value, plus matched the case in store/fleet.go
back to "cancelled" and added //nolint:misspell on both for the
next time someone reaches for the auto-fix
* Wrap every `defer rows.Close()` / `defer stmt.Close()` /
`defer res.Body.Close()` in `defer func() { _ = .Close() }()`
to satisfy errcheck without losing the close itself
* websocket.Dial callers (1 prod, 4 tests) now capture + close the
upgrade response Body — coder/websocket can return res with a nil
Body on success, so the test deferred-closes guard against that
* Annotate the two genuine-by-design nilerr cases with //nolint
comments explaining why nil-on-error is the contract (cookie
missing = no session; ctx cancelled mid-backoff = clean shutdown)
* Add brief godoc on the 10 exported const groups + types that
revive flagged (api.HostOS/HostArch/JobKind/JobStatus/LogStream/
ErrorCode, restic.EventKind, store.Role, web.FS)
* Drop the unused (*Server).userByID method
* Inline the unparam baseView(active) — every UI page is under
the dashboard primary nav today
Result: `golangci-lint run ./...` reports 0 issues. CI lint job
no longer needs only-new-issues: true; X-06 follow-up entry in
tasks.md removed.
118 lines
3.7 KiB
Go
118 lines
3.7 KiB
Go
// Package secrets persists the agent's restic repo credentials in an
|
|
// AEAD-encrypted file. Phase 1 stores them at rest under a 32-byte
|
|
// key kept in agent.yaml (same 0600 root-only trust boundary as the
|
|
// bearer token); Phase 2 will swap that for the OS keyring on
|
|
// platforms that have one (DPAPI / Secret Service / kwallet).
|
|
//
|
|
// The wire push path (server → agent over WS as `config.update`) is
|
|
// unchanged; this package owns only on-disk persistence.
|
|
package secrets
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/crypto"
|
|
)
|
|
|
|
// additionalData binds ciphertexts to the agent-secrets context, so a
|
|
// blob lifted from one role's file can't be replayed into another's
|
|
// row in some unrelated table that uses the same key. (Defense in
|
|
// depth — the key is per-host today, but cheap to be careful.)
|
|
const additionalData = "rm-agent-repo-creds-v1"
|
|
|
|
// Repo is the plaintext shape persisted inside the AEAD blob.
|
|
type Repo struct {
|
|
URL string `json:"repo_url,omitempty"`
|
|
Username string `json:"repo_username,omitempty"`
|
|
Password string `json:"repo_password,omitempty"`
|
|
}
|
|
|
|
// Empty reports whether the credential set is missing the bare
|
|
// minimum (URL + password) needed to run a backup.
|
|
func (r Repo) Empty() bool { return r.URL == "" || r.Password == "" }
|
|
|
|
// Store reads and writes the encrypted secrets file at Path, sealed
|
|
// under the 32-byte key Key.
|
|
type Store struct {
|
|
path string
|
|
a *crypto.AEAD
|
|
}
|
|
|
|
// New opens a Store. The key must be exactly crypto.KeyLen bytes
|
|
// (32). The file at path is not read here — call Load.
|
|
func New(path string, key []byte) (*Store, error) {
|
|
if path == "" {
|
|
return nil, errors.New("secrets: empty path")
|
|
}
|
|
a, err := crypto.NewAEAD(key)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("secrets: %w", err)
|
|
}
|
|
return &Store{path: path, a: a}, nil
|
|
}
|
|
|
|
// Load returns the persisted Repo, or a zero-value Repo (with no
|
|
// error) if the file does not exist yet — first-run agents have
|
|
// nothing on disk until the server pushes a config.update.
|
|
func (s *Store) Load() (Repo, error) {
|
|
body, err := os.ReadFile(s.path)
|
|
if err != nil {
|
|
if errors.Is(err, os.ErrNotExist) {
|
|
return Repo{}, nil
|
|
}
|
|
return Repo{}, fmt.Errorf("secrets: read %q: %w", s.path, err)
|
|
}
|
|
plain, err := s.a.Decrypt(string(body), []byte(additionalData))
|
|
if err != nil {
|
|
return Repo{}, fmt.Errorf("secrets: decrypt %q: %w", s.path, err)
|
|
}
|
|
var r Repo
|
|
if err := json.Unmarshal(plain, &r); err != nil {
|
|
return Repo{}, fmt.Errorf("secrets: parse %q: %w", s.path, err)
|
|
}
|
|
return r, nil
|
|
}
|
|
|
|
// Save replaces the on-disk blob atomically. Mode is 0600. Parent
|
|
// directory must already exist (the install script lays it down).
|
|
func (s *Store) Save(r Repo) error {
|
|
body, err := json.Marshal(r)
|
|
if err != nil {
|
|
return fmt.Errorf("secrets: marshal: %w", err)
|
|
}
|
|
ct, err := s.a.Encrypt(body, []byte(additionalData))
|
|
if err != nil {
|
|
return fmt.Errorf("secrets: encrypt: %w", err)
|
|
}
|
|
dir := filepath.Dir(s.path)
|
|
tmp, err := os.CreateTemp(dir, ".secrets-*.tmp")
|
|
if err != nil {
|
|
return fmt.Errorf("secrets: create tmp: %w", err)
|
|
}
|
|
tmpPath := tmp.Name()
|
|
defer func() {
|
|
_ = tmp.Close()
|
|
_ = os.Remove(tmpPath) // no-op once Rename succeeds
|
|
}()
|
|
if err := tmp.Chmod(0o600); err != nil {
|
|
return fmt.Errorf("secrets: chmod tmp: %w", err)
|
|
}
|
|
if _, err := tmp.WriteString(ct); err != nil {
|
|
return fmt.Errorf("secrets: write tmp: %w", err)
|
|
}
|
|
if err := tmp.Sync(); err != nil {
|
|
return fmt.Errorf("secrets: fsync tmp: %w", err)
|
|
}
|
|
if err := tmp.Close(); err != nil {
|
|
return fmt.Errorf("secrets: close tmp: %w", err)
|
|
}
|
|
if err := os.Rename(tmpPath, s.path); err != nil {
|
|
return fmt.Errorf("secrets: rename: %w", err)
|
|
}
|
|
return nil
|
|
}
|