steve
02e4ef7544
Smoothes the rough edges that came up exercising a live deployment.
First-run bootstrap UI: /bootstrap renders a username + password form
that uses the in-memory token directly (operator no longer copies it
out of the log); /login redirects there while bootstrap is available.
Agent reliability: failJob synthetic envelopes so command.run early
returns no longer hang the server-side job; runtime probe of restic
restore --help drives --no-ownership instead of version sniffing
(0.18.x had it removed). Server unit re-shaped: ProtectSystem=full
plus ReadWritePaths=/etc/restic-manager, no ProtectHome — restore
can now write anywhere a user might want.
Restore wizard: default target is /root/rm-restore/<job-id>/ with
clearer help text. Re-init confirm input uses .field (was .input,
which doesn't exist — text was invisible).
NS-01 host delete: store DeleteHost, admin-band /hosts/{id}/delete
with hostname-confirm danger zone, audit, FK cascade, live WS close.
NS-02 enrollment-token recovery: outstanding-tokens panel on
/hosts/new, regenerate (preserves attachments) and revoke handlers
+ audit, store-level ListOutstandingEnrollmentTokens and
DeleteEnrollmentToken.
NS-03 repo init / probe surface: migration 0020 adds
hosts.repo_status + repo_status_error; WS handler projects every
init job's outcome onto the host row (idempotent already-initialised
collapses to ready); creds-save resets status and dispatches a fresh
probe; /hosts/{id}/repo/probe retry endpoint with banner.
NS-04 dashboard live + sort + filter: query-string filter
(q/status/repo_status/tag/sort/dir), 5s htmx live poll mirroring the
alerts pattern with a localStorage live toggle, sortable column
headers, filter row + clear.
Alerts page: ack'd-by line resolves user_id ULID to username.
Compose.yaml ignored — host-specific.
247 lines
8.6 KiB
Go
247 lines
8.6 KiB
Go
package store
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"time"
|
|
)
|
|
|
|
// CreateEnrollmentToken persists a fresh one-time token. The caller
|
|
// has already hashed the raw token; the raw form is returned to the
|
|
// operator (printed in the install snippet) and never persisted.
|
|
//
|
|
// encRepoCreds is the AEAD-encrypted blob of {repo_url, repo_username,
|
|
// repo_password} that ConsumeEnrollmentToken will promote to a
|
|
// host_credentials row. Empty string = operator chose to set creds
|
|
// later via PUT /api/hosts/{id}/repo-credentials; the agent will
|
|
// refuse backup jobs until that lands.
|
|
//
|
|
// initialPaths is the JSON-encoded path list seeded into the host's
|
|
// initial manual schedule on consume. Empty string is treated as
|
|
// "[]". Not encrypted — paths aren't secret.
|
|
func (s *Store) CreateEnrollmentToken(ctx context.Context, tokenHash string, ttl time.Duration, encRepoCreds, initialPaths string) error {
|
|
now := time.Now().UTC()
|
|
var enc any = nil
|
|
if encRepoCreds != "" {
|
|
enc = encRepoCreds
|
|
}
|
|
if initialPaths == "" {
|
|
initialPaths = "[]"
|
|
}
|
|
_, err := s.db.ExecContext(ctx,
|
|
`INSERT INTO enrollment_tokens (token_hash, created_at, expires_at, enc_repo_creds, initial_paths)
|
|
VALUES (?, ?, ?, ?, ?)`,
|
|
tokenHash,
|
|
now.Format(time.RFC3339Nano),
|
|
now.Add(ttl).Format(time.RFC3339Nano),
|
|
enc, initialPaths)
|
|
if err != nil {
|
|
return fmt.Errorf("store: create enrollment token: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ConsumeEnrollmentToken atomically validates a token (must exist,
|
|
// not be consumed, not be expired) and marks it consumed by hostID.
|
|
// Returns ErrNotFound on any failure.
|
|
//
|
|
// The associated repo creds (if any) are promoted into
|
|
// host_credentials by the caller via SetHostCredentials *after* the
|
|
// host row exists — host_credentials has a FK to hosts that would
|
|
// otherwise fire here, since the host is created by a separate
|
|
// statement immediately after this returns.
|
|
func (s *Store) ConsumeEnrollmentToken(ctx context.Context, tokenHash, hostID string) error {
|
|
now := time.Now().UTC().Format(time.RFC3339Nano)
|
|
res, err := s.db.ExecContext(ctx,
|
|
`UPDATE enrollment_tokens
|
|
SET consumed_at = ?, consumed_host = ?
|
|
WHERE token_hash = ? AND consumed_at IS NULL AND expires_at > ?`,
|
|
now, hostID, tokenHash, now)
|
|
if err != nil {
|
|
return fmt.Errorf("store: consume enrollment token: %w", err)
|
|
}
|
|
n, _ := res.RowsAffected()
|
|
if n == 0 {
|
|
return ErrNotFound
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// EnrollmentTokenAttachments is everything the enrolment handler
|
|
// needs from a token row at consume time, fetched in one round-trip.
|
|
type EnrollmentTokenAttachments struct {
|
|
// EncRepoCreds is the AEAD ciphertext bound (additional-data) to
|
|
// "token:" + token_hash. Empty if no creds were stashed.
|
|
EncRepoCreds string
|
|
// InitialPaths is the operator-supplied path list seeded into
|
|
// the host's initial manual schedule. Always non-nil (empty
|
|
// slice if none were set).
|
|
InitialPaths []string
|
|
}
|
|
|
|
// GetEnrollmentTokenAttachments returns the operator-supplied
|
|
// attachments on a still-valid enrolment token: the encrypted repo
|
|
// creds and the default-paths list. Returns ErrNotFound if the
|
|
// token is gone / consumed / expired.
|
|
//
|
|
// The caller decrypts EncRepoCreds using token_hash as AEAD
|
|
// additional data, then re-encrypts using host_id as additional
|
|
// data before passing to ConsumeEnrollmentToken.
|
|
func (s *Store) GetEnrollmentTokenAttachments(ctx context.Context, tokenHash string) (EnrollmentTokenAttachments, error) {
|
|
now := time.Now().UTC().Format(time.RFC3339Nano)
|
|
row := s.db.QueryRowContext(ctx,
|
|
`SELECT enc_repo_creds, initial_paths FROM enrollment_tokens
|
|
WHERE token_hash = ? AND consumed_at IS NULL AND expires_at > ?`,
|
|
tokenHash, now)
|
|
var (
|
|
enc sql.NullString
|
|
initialPaths string
|
|
)
|
|
if err := row.Scan(&enc, &initialPaths); err != nil {
|
|
if errors.Is(err, sql.ErrNoRows) {
|
|
return EnrollmentTokenAttachments{}, ErrNotFound
|
|
}
|
|
return EnrollmentTokenAttachments{}, fmt.Errorf("store: get enrollment token attachments: %w", err)
|
|
}
|
|
out := EnrollmentTokenAttachments{InitialPaths: []string{}}
|
|
if enc.Valid {
|
|
out.EncRepoCreds = enc.String
|
|
}
|
|
if initialPaths != "" {
|
|
_ = json.Unmarshal([]byte(initialPaths), &out.InitialPaths)
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
// EnrollmentTokenStatus is what the awaiting-agent panel polls for
|
|
// after Add-host. Returned by GetEnrollmentTokenStatus; the
|
|
// consuming code branches on Consumed + the (optional) ConsumedHost.
|
|
type EnrollmentTokenStatus struct {
|
|
ExpiresAt time.Time
|
|
ConsumedAt *time.Time
|
|
ConsumedHost *string
|
|
}
|
|
|
|
// GetEnrollmentTokenStatus reports whether a token has been
|
|
// consumed yet (the agent has called /api/agents/enroll). Returns
|
|
// ErrNotFound if the token is unknown — the polling endpoint maps
|
|
// that to "token expired or invalid; stop polling".
|
|
func (s *Store) GetEnrollmentTokenStatus(ctx context.Context, tokenHash string) (EnrollmentTokenStatus, error) {
|
|
row := s.db.QueryRowContext(ctx,
|
|
`SELECT expires_at, consumed_at, consumed_host
|
|
FROM enrollment_tokens WHERE token_hash = ?`,
|
|
tokenHash)
|
|
var (
|
|
expiresAt string
|
|
consumedAt, host sql.NullString
|
|
)
|
|
if err := row.Scan(&expiresAt, &consumedAt, &host); err != nil {
|
|
if errors.Is(err, sql.ErrNoRows) {
|
|
return EnrollmentTokenStatus{}, ErrNotFound
|
|
}
|
|
return EnrollmentTokenStatus{}, fmt.Errorf("store: get enrollment token status: %w", err)
|
|
}
|
|
out := EnrollmentTokenStatus{}
|
|
if t, err := time.Parse(time.RFC3339Nano, expiresAt); err == nil {
|
|
out.ExpiresAt = t
|
|
}
|
|
if consumedAt.Valid {
|
|
if t, err := time.Parse(time.RFC3339Nano, consumedAt.String); err == nil {
|
|
out.ConsumedAt = &t
|
|
}
|
|
}
|
|
if host.Valid {
|
|
s := host.String
|
|
out.ConsumedHost = &s
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
// OutstandingEnrollmentToken is what the recoverable-token list page
|
|
// shows: enough to identify the row (short hash + created/expires)
|
|
// and re-render the install snippet via the regenerate flow, plus
|
|
// the encrypted repo creds blob the caller can decrypt-and-redact for
|
|
// display.
|
|
type OutstandingEnrollmentToken struct {
|
|
TokenHash string
|
|
CreatedAt time.Time
|
|
ExpiresAt time.Time
|
|
EncRepoCreds string
|
|
InitialPaths []string
|
|
}
|
|
|
|
// ListOutstandingEnrollmentTokens returns every still-valid token
|
|
// (un-consumed and not expired). Used by the Add-host page to give
|
|
// operators a way back to the install snippet after they close the
|
|
// /hosts/pending/{token} tab without finishing onboarding.
|
|
func (s *Store) ListOutstandingEnrollmentTokens(ctx context.Context) ([]OutstandingEnrollmentToken, error) {
|
|
now := time.Now().UTC().Format(time.RFC3339Nano)
|
|
rows, err := s.db.QueryContext(ctx,
|
|
`SELECT token_hash, created_at, expires_at, enc_repo_creds, initial_paths
|
|
FROM enrollment_tokens
|
|
WHERE consumed_at IS NULL AND expires_at > ?
|
|
ORDER BY created_at DESC`, now)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("store: list outstanding enrollment tokens: %w", err)
|
|
}
|
|
defer func() { _ = rows.Close() }()
|
|
var out []OutstandingEnrollmentToken
|
|
for rows.Next() {
|
|
var (
|
|
hash, created, expires string
|
|
enc sql.NullString
|
|
pathsJSON string
|
|
)
|
|
if err := rows.Scan(&hash, &created, &expires, &enc, &pathsJSON); err != nil {
|
|
return nil, fmt.Errorf("store: scan outstanding enrollment token: %w", err)
|
|
}
|
|
row := OutstandingEnrollmentToken{TokenHash: hash, InitialPaths: []string{}}
|
|
if t, err := time.Parse(time.RFC3339Nano, created); err == nil {
|
|
row.CreatedAt = t
|
|
}
|
|
if t, err := time.Parse(time.RFC3339Nano, expires); err == nil {
|
|
row.ExpiresAt = t
|
|
}
|
|
if enc.Valid {
|
|
row.EncRepoCreds = enc.String
|
|
}
|
|
if pathsJSON != "" {
|
|
_ = json.Unmarshal([]byte(pathsJSON), &row.InitialPaths)
|
|
}
|
|
out = append(out, row)
|
|
}
|
|
return out, rows.Err()
|
|
}
|
|
|
|
// DeleteEnrollmentToken removes a token row. Used by the operator-
|
|
// driven revoke flow and by regenerate (which deletes the old hash
|
|
// then mints a fresh one). Idempotent: ErrNotFound on miss.
|
|
func (s *Store) DeleteEnrollmentToken(ctx context.Context, tokenHash string) error {
|
|
res, err := s.db.ExecContext(ctx,
|
|
`DELETE FROM enrollment_tokens WHERE token_hash = ?`, tokenHash)
|
|
if err != nil {
|
|
return fmt.Errorf("store: delete enrollment token: %w", err)
|
|
}
|
|
n, _ := res.RowsAffected()
|
|
if n == 0 {
|
|
return ErrNotFound
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// PurgeExpiredEnrollmentTokens deletes long-expired token rows. Tokens
|
|
// retained for ~24h after expiry so audit traces still resolve them.
|
|
func (s *Store) PurgeExpiredEnrollmentTokens(ctx context.Context) (int64, error) {
|
|
cutoff := time.Now().Add(-24 * time.Hour).UTC().Format(time.RFC3339Nano)
|
|
res, err := s.db.ExecContext(ctx,
|
|
`DELETE FROM enrollment_tokens WHERE expires_at <= ?`, cutoff)
|
|
if err != nil {
|
|
return 0, fmt.Errorf("store: purge enrollment tokens: %w", err)
|
|
}
|
|
n, _ := res.RowsAffected()
|
|
return n, nil
|
|
}
|