steve
9ac5088fde
Three independent forms on /hosts/{id}/repo so saving one section
doesn't disturb the others:
* Connection: edits repo URL, username, password (pre-filled from
the redacted GET /api/hosts/{id}/repo-credentials view; password
field shows masked stored-creds placeholder; blank password = keep
existing). On save, encrypts and pushes config.update to a
connected agent.
* Bandwidth: host-wide upload/download caps (KB/s; blank = no cap)
written via store.SetHostBandwidth. New REST endpoint
PUT /api/hosts/{id}/bandwidth for JSON callers.
* Maintenance: forget/prune/check cadences + check subset %, with
per-row enabled toggles. Reuses cronParser for validation;
auto-seeds the row if a host pre-dates the migration.
Right-rail surfaces repo size, snapshot count, snapshots-by-tag
breakdown (counted from existing snapshot tag rows), and an
'untagged snapshots are left alone' note.
Danger-zone re-init button is rendered but disabled with a hint
pointing at P2R-09 (real implementation lands there).
Validation re-renders the page with the relevant form's banner and
all other section state intact. Successful saves redirect with a
?saved=<section> query param so the page surfaces a small ✓ saved
indicator on the relevant form.
ci.yml: bump golangci-lint-action v6→v7 (separate change picked up
in this commit).
245 lines
9.6 KiB
Go
245 lines
9.6 KiB
Go
// Package http hosts the chi-based REST handlers for the control
|
|
// plane. The Server type owns the router, the handlers, and the
|
|
// graceful-shutdown lifecycle.
|
|
package http
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
stdhttp "net/http"
|
|
"time"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
"github.com/go-chi/chi/v5/middleware"
|
|
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/crypto"
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/server/config"
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/server/ui"
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/server/ws"
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
|
|
)
|
|
|
|
// Deps bundles every collaborator the HTTP server depends on. Wired up
|
|
// in cmd/server; tests pass a pared-down Deps with fakes.
|
|
type Deps struct {
|
|
Cfg config.Config
|
|
Store *store.Store
|
|
AEAD *crypto.AEAD
|
|
Hub *ws.Hub
|
|
JobHub *ws.JobHub
|
|
UI *ui.Renderer
|
|
// Version is the binary's build version, surfaced in the chrome.
|
|
// Empty falls back to "dev".
|
|
Version string
|
|
// BootstrapToken (optional, populated only on first run) is the raw
|
|
// admin-bootstrap token printed in the server logs. While set, the
|
|
// /bootstrap endpoint accepts it to create the first admin user.
|
|
BootstrapToken string
|
|
}
|
|
|
|
// Server is the running HTTP server.
|
|
type Server struct {
|
|
srv *stdhttp.Server
|
|
deps Deps
|
|
}
|
|
|
|
// New builds a configured but not-yet-started server.
|
|
func New(deps Deps) *Server {
|
|
r := chi.NewRouter()
|
|
|
|
// Built-in middleware: request ID for log correlation, recovery
|
|
// (don't crash the process on a panic in a handler), realIP iff a
|
|
// trusted proxy is configured.
|
|
r.Use(middleware.RequestID)
|
|
r.Use(middleware.Recoverer)
|
|
r.Use(requestLogger)
|
|
|
|
// Health endpoint — unauthenticated, no audit, deliberately cheap.
|
|
r.Get("/healthz", func(w stdhttp.ResponseWriter, _ *stdhttp.Request) {
|
|
w.WriteHeader(stdhttp.StatusNoContent)
|
|
})
|
|
|
|
s := &Server{deps: deps}
|
|
s.routes(r)
|
|
|
|
s.srv = &stdhttp.Server{
|
|
Addr: deps.Cfg.Listen,
|
|
Handler: r,
|
|
ReadHeaderTimeout: 10 * time.Second,
|
|
IdleTimeout: 60 * time.Second,
|
|
// Long write timeout — WS upgrades and live log streams need it.
|
|
WriteTimeout: 0,
|
|
}
|
|
return s
|
|
}
|
|
|
|
// routes wires the API tree. Subtrees live in this file by area so a
|
|
// reader can scan one place and see the surface.
|
|
func (s *Server) routes(r chi.Router) {
|
|
r.Route("/api", func(r chi.Router) {
|
|
r.Post("/auth/login", s.handleLogin)
|
|
r.Post("/auth/logout", s.handleLogout)
|
|
r.Post("/bootstrap", s.handleBootstrap)
|
|
|
|
// Agent enrollment (open endpoint — token is the credential).
|
|
r.Post("/agents/enroll", s.handleAgentEnroll)
|
|
|
|
// Operator → server (authenticated). Spec.md §6.1's
|
|
// /hosts/{id}/enrollment-token (regenerate) lands when the
|
|
// host page can call it; for now just the create endpoint.
|
|
r.Post("/enrollment-tokens", s.handleCreateEnrollmentToken)
|
|
|
|
// Fleet read endpoints — back the dashboard.
|
|
r.Get("/hosts", s.handleListHosts)
|
|
r.Get("/fleet/summary", s.handleFleetSummary)
|
|
|
|
// Run-now: dispatch a job to a host's agent.
|
|
r.Post("/hosts/{id}/jobs", s.handleRunNow)
|
|
|
|
// Snapshot projection (refreshed by the agent after each backup).
|
|
r.Get("/hosts/{id}/snapshots", s.handleListHostSnapshots)
|
|
|
|
// Repo credentials — operator can edit after enrollment. The
|
|
// initial set is supplied at token-mint time (see enrollment.go).
|
|
// GET returns a redacted view (URL, username, has_password).
|
|
r.Get("/hosts/{id}/repo-credentials", s.handleGetHostCredentials)
|
|
r.Put("/hosts/{id}/repo-credentials", s.handleSetHostCredentials)
|
|
|
|
// Per-host schedule CRUD. Mutations bump host_schedule_version
|
|
// and async-push to a connected agent (see schedule_push.go).
|
|
r.Get("/hosts/{id}/schedules", s.handleListSchedules)
|
|
r.Post("/hosts/{id}/schedules", s.handleCreateSchedule)
|
|
r.Put("/hosts/{id}/schedules/{sid}", s.handleUpdateSchedule)
|
|
r.Delete("/hosts/{id}/schedules/{sid}", s.handleDeleteSchedule)
|
|
|
|
// Source-group CRUD. A group is "what gets backed up" — paths,
|
|
// excludes, retention, retry. Group name doubles as the
|
|
// snapshot tag (restic --tag <name>).
|
|
r.Get("/hosts/{id}/source-groups", s.handleListSourceGroups)
|
|
r.Post("/hosts/{id}/source-groups", s.handleCreateSourceGroup)
|
|
r.Get("/hosts/{id}/source-groups/{gid}", s.handleGetSourceGroup)
|
|
r.Put("/hosts/{id}/source-groups/{gid}", s.handleUpdateSourceGroup)
|
|
r.Delete("/hosts/{id}/source-groups/{gid}", s.handleDeleteSourceGroup)
|
|
|
|
// Repo maintenance cadences (forget / prune / check). Driven
|
|
// by the server-side ticker (P2R-06), not the agent's cron.
|
|
r.Get("/hosts/{id}/repo-maintenance", s.handleGetRepoMaintenance)
|
|
r.Put("/hosts/{id}/repo-maintenance", s.handleUpdateRepoMaintenance)
|
|
|
|
// Host-wide bandwidth caps (host.bandwidth_up_kbps /
|
|
// bandwidth_down_kbps). Apply to every restic invocation.
|
|
r.Put("/hosts/{id}/bandwidth", s.handleUpdateHostBandwidth)
|
|
|
|
// Per-source-group Run-now (JSON variant). HTMX action is
|
|
// mounted at the equivalent path outside /api below — both
|
|
// resolve to the same handler, which sniffs HX-Request.
|
|
r.Post("/hosts/{id}/source-groups/{gid}/run", s.handleRunSourceGroup)
|
|
})
|
|
|
|
// Per-source-group Run-now (HTMX form action). Available even
|
|
// when the server is started without UI templates so REST callers
|
|
// against the non-/api path also work.
|
|
r.Post("/hosts/{id}/source-groups/{gid}/run", s.handleRunSourceGroup)
|
|
// Retired routes — see ui_handlers.go for the messages. Mounted
|
|
// outside the UI gate so cached browser tabs get a clear 410
|
|
// even if the server runs without templates.
|
|
r.Post("/hosts/{id}/run-backup", s.handleUIRunBackupGone)
|
|
r.Post("/hosts/{id}/init-repo", s.handleUIInitRepoGone)
|
|
|
|
// Agent ↔ server WebSocket. Bearer-authenticated inside the handler.
|
|
if s.deps.Hub != nil {
|
|
r.Mount("/ws/agent", ws.AgentHandler(ws.HandlerDeps{
|
|
Hub: s.deps.Hub,
|
|
Store: s.deps.Store,
|
|
JobHub: s.deps.JobHub,
|
|
OnHello: s.onAgentHello,
|
|
OnScheduleAck: s.applyScheduleAck,
|
|
OnScheduleFire: s.dispatchScheduledJob,
|
|
}))
|
|
}
|
|
|
|
// Agent binaries + install scripts. Open endpoints — content is
|
|
// unprivileged on its own, gating happens via the enrollment
|
|
// token. See agent_assets.go.
|
|
r.Get("/agent/binary", s.handleAgentBinary)
|
|
r.Get("/install/*", s.handleInstallAsset)
|
|
|
|
// Static assets (Tailwind CSS bundle, future favicon).
|
|
r.Mount("/static/", staticHandler())
|
|
|
|
// HTML UI. The renderer is required — fail loud if the binary
|
|
// was built without templates (impossible in practice given
|
|
// embed, but guards bad test wiring).
|
|
if s.deps.UI != nil {
|
|
r.Get("/", s.handleUIDashboard)
|
|
r.Get("/login", s.handleUILoginGet)
|
|
r.Post("/login", s.handleUILoginPost)
|
|
r.Post("/logout", s.handleUILogoutPost)
|
|
// Per-host Run-now and manual Init-repo are mounted at the
|
|
// outer router (so they reply 410 even without UI). Per-
|
|
// source-group Run-now lives there too — same reason.
|
|
// Add host flow.
|
|
r.Get("/hosts/new", s.handleUIAddHostGet)
|
|
r.Post("/hosts/new", s.handleUIAddHostPost)
|
|
// Durable post-Add-host page (operator can refresh / come
|
|
// back; password decrypted from the token row each render).
|
|
// Polled fragment under /awaiting flips to "connected" once
|
|
// the agent enrols.
|
|
r.Get("/hosts/pending/{token}", s.handleUIPendingHost)
|
|
r.Get("/hosts/pending/{token}/awaiting", s.handleUIPendingAwaiting)
|
|
// Host detail (Snapshots tab is the default).
|
|
r.Get("/hosts/{id}", s.handleUIHostDetail)
|
|
// Sources tab + source-group CRUD forms.
|
|
r.Get("/hosts/{id}/sources", s.handleUIHostSources)
|
|
r.Get("/hosts/{id}/sources/new", s.handleUISourceGroupNewGet)
|
|
r.Post("/hosts/{id}/sources/new", s.handleUISourceGroupSave)
|
|
r.Get("/hosts/{id}/sources/{gid}/edit", s.handleUISourceGroupEditGet)
|
|
r.Post("/hosts/{id}/sources/{gid}/edit", s.handleUISourceGroupSave)
|
|
r.Post("/hosts/{id}/sources/{gid}/delete", s.handleUISourceGroupDelete)
|
|
// Repo tab — connection / bandwidth / maintenance. Three
|
|
// independent forms so saving one doesn't touch the others.
|
|
r.Get("/hosts/{id}/repo", s.handleUIHostRepo)
|
|
r.Post("/hosts/{id}/repo/credentials", s.handleUIRepoCredentialsSave)
|
|
r.Post("/hosts/{id}/repo/bandwidth", s.handleUIRepoBandwidthSave)
|
|
r.Post("/hosts/{id}/repo/maintenance", s.handleUIRepoMaintenanceSave)
|
|
// Schedules tab + create/edit/delete forms.
|
|
r.Get("/hosts/{id}/schedules", s.handleUISchedulesList)
|
|
r.Get("/hosts/{id}/schedules/new", s.handleUIScheduleNewGet)
|
|
r.Post("/hosts/{id}/schedules/new", s.handleUIScheduleSave)
|
|
r.Get("/hosts/{id}/schedules/{sid}/edit", s.handleUIScheduleEditGet)
|
|
r.Post("/hosts/{id}/schedules/{sid}/edit", s.handleUIScheduleSave)
|
|
r.Post("/hosts/{id}/schedules/{sid}/delete", s.handleUIScheduleDelete)
|
|
r.Post("/hosts/{id}/schedules/{sid}/run", s.handleUIScheduleRun)
|
|
// Live job log.
|
|
r.Get("/jobs/{id}", s.handleUIJobDetail)
|
|
}
|
|
|
|
// Browser job-log stream (separate from /ws/agent so the auth
|
|
// layer is session-cookie not bearer). Mounted regardless of
|
|
// whether the UI is up — JSON callers may also subscribe.
|
|
if s.deps.JobHub != nil {
|
|
r.Get("/api/jobs/{id}/stream", s.handleJobStream)
|
|
}
|
|
}
|
|
|
|
// Start begins listening. Blocks until ListenAndServe returns
|
|
// (typically only on Shutdown). The server is HTTP-only by design;
|
|
// production deployments terminate TLS at a reverse proxy in front.
|
|
func (s *Server) Start() error {
|
|
err := s.srv.ListenAndServe()
|
|
if errors.Is(err, stdhttp.ErrServerClosed) {
|
|
return nil
|
|
}
|
|
return err
|
|
}
|
|
|
|
// Shutdown stops accepting new connections and waits up to ctx.Deadline
|
|
// for in-flight handlers to finish.
|
|
func (s *Server) Shutdown(ctx context.Context) error {
|
|
return s.srv.Shutdown(ctx)
|
|
}
|
|
|
|
// Addr returns the configured listen address. Useful in tests when
|
|
// the caller passes :0 to get a random port.
|
|
func (s *Server) Addr() string { return s.srv.Addr }
|