steve
a781e95c94
Three small follow-ups from review:
1. Restore target is now operator-editable. Default value is the
literal '\$HOME/rm-restore/<job-id>/' (agent expands \$HOME at
run time using os.UserHomeDir(); also handles \${HOME} and ~/
prefixes). Operator can replace with any absolute path.
- ui_restore.go validates the input is either absolute or starts
with one of the recognised prefixes; other env-var refs (\$PATH
etc.) are deliberately rejected so operator paths can't pick up
arbitrary agent env values.
- host_restore.html replaces the read-only mono-text display with
a real <input>; help text spells out that \$HOME resolves
agent-side and <job-id> is substituted on dispatch.
- install.sh + the systemd unit prep /root/rm-restore so the
default works under the sandbox: ReadWritePaths gains a soft
'-/root/rm-restore' entry (the '-' makes the bind-mount soft-fail
if missing, but install.sh pre-creates it root-owned 0700).
2. --no-ownership flag now gated on restic version. The flag was
added in restic 0.17 and 0.16 rejects it. Previously dropped it
wholesale — that meant new-dir restores silently preserved
ownership against design intent on 0.17+. Now the agent threads
its detected restic version (sysinfo already collects it) through
runner.Config -> restic.Env, and RunRestore appends --no-ownership
only when AtLeastVersion(0, 17) returns true. 0.16 hosts still
restore with original uid/gid; help text in the wizard explicitly
notes this. The previous 'Original ownership is preserved' copy
was wrong for new-dir mode and is corrected.
3. golangci-lint misspell locale switched US -> UK and the codebase
swept (73 corrections, mostly behaviour/serialise/recognise/honour).
Wire-format ErrorCode 'unauthorized' -> 'unauthorised' is a tiny
contract change but the agent doesn't parse those codes today and
no external API consumers exist yet. Tests passed before + after.
Tests:
- internal/restic/version_test.go covers Env.AtLeastVersion across
edge cases (empty, exact match, patch above, minor below, non-
numeric) and expandHome on \$HOME / \${HOME} / ~/, plus
pass-through for absolute paths and refusal of other env vars.
- ui_restore_test updated: TargetDir now starts '\$HOME/rm-restore/'
with the job_id substituted into the placeholder.
Live verified on the smoke env: default target restored to
/root/rm-restore/<job-id>/ as the agent's expanded \$HOME (2 files,
14 bytes); custom override '/tmp/custom-restore/<job-id>/' restored
into the agent's PrivateTmp namespace (1 file, 6 bytes); both jobs
'succeeded', exit 0.
151 lines
4.7 KiB
Go
151 lines
4.7 KiB
Go
package http
|
|
|
|
import (
|
|
"encoding/json"
|
|
stdhttp "net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
"github.com/oklog/ulid/v2"
|
|
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/api"
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
|
|
)
|
|
|
|
// snapshotDiffRequest is the JSON body for POST .../snapshots/diff.
|
|
// Either short or long snapshot IDs are accepted (restic's diff
|
|
// command takes both).
|
|
type snapshotDiffRequest struct {
|
|
SnapshotA string `json:"snapshot_a"`
|
|
SnapshotB string `json:"snapshot_b"`
|
|
}
|
|
|
|
// handleSnapshotDiff dispatches a JobDiff. Output streams as
|
|
// log.stream lines to the standard live job page; the operator reads
|
|
// the diff text directly there. Behaves like the run-now endpoints:
|
|
// 503 if the host is offline, 400 if the IDs are missing, 422 if
|
|
// they're not in the host's snapshot list (we don't want operators
|
|
// running diffs against arbitrary snapshot strings).
|
|
func (s *Server) handleSnapshotDiff(w stdhttp.ResponseWriter, r *stdhttp.Request) {
|
|
user, ok := s.requireUser(r)
|
|
if !ok {
|
|
writeJSONError(w, stdhttp.StatusUnauthorized, "unauthorised", "")
|
|
return
|
|
}
|
|
hostID := chi.URLParam(r, "id")
|
|
host, err := s.deps.Store.GetHost(r.Context(), hostID)
|
|
if err != nil {
|
|
writeJSONError(w, stdhttp.StatusNotFound, "host_not_found", "")
|
|
return
|
|
}
|
|
|
|
var req snapshotDiffRequest
|
|
// HTMX form posts arrive as application/x-www-form-urlencoded;
|
|
// the JSON shape is also accepted for REST callers.
|
|
ct := r.Header.Get("Content-Type")
|
|
if strings.HasPrefix(ct, "application/x-www-form-urlencoded") {
|
|
if err := r.ParseForm(); err != nil {
|
|
writeJSONError(w, stdhttp.StatusBadRequest, "invalid_form", err.Error())
|
|
return
|
|
}
|
|
req.SnapshotA = strings.TrimSpace(r.PostForm.Get("snapshot_a"))
|
|
req.SnapshotB = strings.TrimSpace(r.PostForm.Get("snapshot_b"))
|
|
} else {
|
|
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
|
writeJSONError(w, stdhttp.StatusBadRequest, "invalid_json", err.Error())
|
|
return
|
|
}
|
|
req.SnapshotA = strings.TrimSpace(req.SnapshotA)
|
|
req.SnapshotB = strings.TrimSpace(req.SnapshotB)
|
|
}
|
|
if req.SnapshotA == "" || req.SnapshotB == "" {
|
|
writeJSONError(w, stdhttp.StatusBadRequest, "missing_snapshot",
|
|
"snapshot_a and snapshot_b are both required")
|
|
return
|
|
}
|
|
if req.SnapshotA == req.SnapshotB {
|
|
writeJSONError(w, stdhttp.StatusUnprocessableEntity, "same_snapshot",
|
|
"diff requires two different snapshots")
|
|
return
|
|
}
|
|
|
|
// Validate the IDs are known to this host. Match on long ID, short
|
|
// ID, or any prefix match — operators sometimes paste a 6-char
|
|
// shortened form.
|
|
snaps, err := s.deps.Store.ListSnapshotsByHost(r.Context(), host.ID)
|
|
if err != nil {
|
|
writeJSONError(w, stdhttp.StatusInternalServerError, "internal", "")
|
|
return
|
|
}
|
|
resolveID := func(idOrShort string) string {
|
|
for _, s := range snaps {
|
|
if s.ID == idOrShort || s.ShortID == idOrShort {
|
|
return s.ID
|
|
}
|
|
}
|
|
// Prefix fallback (operator pasted 6 chars of a long id).
|
|
for _, s := range snaps {
|
|
if strings.HasPrefix(s.ID, idOrShort) {
|
|
return s.ID
|
|
}
|
|
}
|
|
return ""
|
|
}
|
|
a := resolveID(req.SnapshotA)
|
|
b := resolveID(req.SnapshotB)
|
|
if a == "" || b == "" {
|
|
writeJSONError(w, stdhttp.StatusUnprocessableEntity, "snapshot_not_found",
|
|
"one or both snapshot ids are not in this host's snapshot list")
|
|
return
|
|
}
|
|
|
|
if !s.deps.Hub.Connected(host.ID) {
|
|
writeJSONError(w, stdhttp.StatusServiceUnavailable, "host_offline",
|
|
"agent is not connected; try again when it reconnects")
|
|
return
|
|
}
|
|
|
|
jobID := ulid.Make().String()
|
|
now := time.Now().UTC()
|
|
if err := s.deps.Store.CreateJob(r.Context(), store.Job{
|
|
ID: jobID, HostID: host.ID, Kind: string(api.JobDiff),
|
|
ActorKind: "user", ActorID: &user.ID, CreatedAt: now,
|
|
}); err != nil {
|
|
writeJSONError(w, stdhttp.StatusInternalServerError, "internal", err.Error())
|
|
return
|
|
}
|
|
env, err := api.Marshal(api.MsgCommandRun, jobID, api.CommandRunPayload{
|
|
JobID: jobID, Kind: api.JobDiff,
|
|
Diff: &api.DiffPayload{SnapshotA: a, SnapshotB: b},
|
|
})
|
|
if err != nil {
|
|
writeJSONError(w, stdhttp.StatusInternalServerError, "internal", "")
|
|
return
|
|
}
|
|
if err := s.deps.Hub.Send(r.Context(), host.ID, env); err != nil {
|
|
writeJSONError(w, stdhttp.StatusServiceUnavailable, "host_offline", err.Error())
|
|
return
|
|
}
|
|
_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
|
|
ID: ulid.Make().String(),
|
|
UserID: &user.ID,
|
|
Actor: "user",
|
|
Action: "host.snapshot_diff",
|
|
TargetKind: ptr("host"),
|
|
TargetID: &host.ID,
|
|
TS: now,
|
|
})
|
|
|
|
jobURL := "/jobs/" + jobID
|
|
if r.Header.Get("HX-Request") == "true" {
|
|
w.Header().Set("HX-Redirect", jobURL)
|
|
w.WriteHeader(stdhttp.StatusNoContent)
|
|
return
|
|
}
|
|
writeJSON(w, stdhttp.StatusAccepted, map[string]string{
|
|
"job_id": jobID,
|
|
"job_url": jobURL,
|
|
})
|
|
}
|