steve
8a05969953
Two issues from a smoke session:
1. The awaiting-agent panel never refreshed — operator had to go
back to the dashboard to see the host had connected.
2. Generated passwords were displayed only on the POST response.
Navigating away (or even an accidental tab close) lost them
permanently, so the operator couldn't update the rest-server's
htpasswd.
Both are the same fix: convert the POST-rendered transient
"result state" into a durable GET page at /hosts/pending/{token}.
* New route GET /hosts/pending/{token} renders the install-command +
htpasswd snippet view. Password is decrypted from the (still-
encrypted-at-rest) token row on every render — operator can
refresh, bookmark, navigate away and come back. Once the agent
enrols, the page redirects to /hosts/{id}; once the token
expires, redirect to /hosts/new.
* New route GET /hosts/pending/{token}/awaiting returns a polled
HTML fragment that the pending page swaps in every 2s via HTMX.
States: awaiting (keep polling) | connected (show "Open host →"
+ "View schedules" CTAs, polling stops) | expired (mint-new
link, polling stops). Polling stops naturally because only the
awaiting state's wrapper carries the hx-trigger attribute.
* POST /hosts/new now 303-redirects to /hosts/pending/{token}
on success; validation errors keep re-rendering the form with
banner.
Supporting changes:
* New store helper Store.GetEnrollmentTokenStatus(tokenHash) for
the polling endpoint — returns {expires_at, consumed_at,
consumed_host} in one round-trip without dragging in the
attachments-decryption path.
* New ui.Renderer.RenderPartial(w, name, data) for HTMX fragment
responses (no layout wrap). Picks an arbitrary page's template
set as the lookup point — every page parses the full common-
paths list, so they all see every partial.
* add_host.html stripped to form-only; pending_host.html owns the
result-state UI; awaiting_agent.html is the polled partial.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
202 lines
7.3 KiB
Go
202 lines
7.3 KiB
Go
// Package http hosts the chi-based REST handlers for the control
|
|
// plane. The Server type owns the router, the handlers, and the
|
|
// graceful-shutdown lifecycle.
|
|
package http
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
stdhttp "net/http"
|
|
"time"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
"github.com/go-chi/chi/v5/middleware"
|
|
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/crypto"
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/server/config"
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/server/ui"
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/server/ws"
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
|
|
)
|
|
|
|
// Deps bundles every collaborator the HTTP server depends on. Wired up
|
|
// in cmd/server; tests pass a pared-down Deps with fakes.
|
|
type Deps struct {
|
|
Cfg config.Config
|
|
Store *store.Store
|
|
AEAD *crypto.AEAD
|
|
Hub *ws.Hub
|
|
JobHub *ws.JobHub
|
|
UI *ui.Renderer
|
|
// Version is the binary's build version, surfaced in the chrome.
|
|
// Empty falls back to "dev".
|
|
Version string
|
|
// BootstrapToken (optional, populated only on first run) is the raw
|
|
// admin-bootstrap token printed in the server logs. While set, the
|
|
// /bootstrap endpoint accepts it to create the first admin user.
|
|
BootstrapToken string
|
|
}
|
|
|
|
// Server is the running HTTP server.
|
|
type Server struct {
|
|
srv *stdhttp.Server
|
|
deps Deps
|
|
}
|
|
|
|
// New builds a configured but not-yet-started server.
|
|
func New(deps Deps) *Server {
|
|
r := chi.NewRouter()
|
|
|
|
// Built-in middleware: request ID for log correlation, recovery
|
|
// (don't crash the process on a panic in a handler), realIP iff a
|
|
// trusted proxy is configured.
|
|
r.Use(middleware.RequestID)
|
|
r.Use(middleware.Recoverer)
|
|
r.Use(requestLogger)
|
|
|
|
// Health endpoint — unauthenticated, no audit, deliberately cheap.
|
|
r.Get("/healthz", func(w stdhttp.ResponseWriter, _ *stdhttp.Request) {
|
|
w.WriteHeader(stdhttp.StatusNoContent)
|
|
})
|
|
|
|
s := &Server{deps: deps}
|
|
s.routes(r)
|
|
|
|
s.srv = &stdhttp.Server{
|
|
Addr: deps.Cfg.Listen,
|
|
Handler: r,
|
|
ReadHeaderTimeout: 10 * time.Second,
|
|
IdleTimeout: 60 * time.Second,
|
|
// Long write timeout — WS upgrades and live log streams need it.
|
|
WriteTimeout: 0,
|
|
}
|
|
return s
|
|
}
|
|
|
|
// routes wires the API tree. Subtrees live in this file by area so a
|
|
// reader can scan one place and see the surface.
|
|
func (s *Server) routes(r chi.Router) {
|
|
r.Route("/api", func(r chi.Router) {
|
|
r.Post("/auth/login", s.handleLogin)
|
|
r.Post("/auth/logout", s.handleLogout)
|
|
r.Post("/bootstrap", s.handleBootstrap)
|
|
|
|
// Agent enrollment (open endpoint — token is the credential).
|
|
r.Post("/agents/enroll", s.handleAgentEnroll)
|
|
|
|
// Operator → server (authenticated). Spec.md §6.1's
|
|
// /hosts/{id}/enrollment-token (regenerate) lands when the
|
|
// host page can call it; for now just the create endpoint.
|
|
r.Post("/enrollment-tokens", s.handleCreateEnrollmentToken)
|
|
|
|
// Fleet read endpoints — back the dashboard.
|
|
r.Get("/hosts", s.handleListHosts)
|
|
r.Get("/fleet/summary", s.handleFleetSummary)
|
|
|
|
// Run-now: dispatch a job to a host's agent.
|
|
r.Post("/hosts/{id}/jobs", s.handleRunNow)
|
|
|
|
// Snapshot projection (refreshed by the agent after each backup).
|
|
r.Get("/hosts/{id}/snapshots", s.handleListHostSnapshots)
|
|
|
|
// Repo credentials — operator can edit after enrollment. The
|
|
// initial set is supplied at token-mint time (see enrollment.go).
|
|
// GET returns a redacted view (URL, username, has_password).
|
|
r.Get("/hosts/{id}/repo-credentials", s.handleGetHostCredentials)
|
|
r.Put("/hosts/{id}/repo-credentials", s.handleSetHostCredentials)
|
|
|
|
// Per-host schedule CRUD. Mutations bump host_schedule_version;
|
|
// the agent sync path (P2-02) picks up the new version on the
|
|
// next reconciliation tick.
|
|
r.Get("/hosts/{id}/schedules", s.handleListSchedules)
|
|
r.Post("/hosts/{id}/schedules", s.handleCreateSchedule)
|
|
r.Put("/hosts/{id}/schedules/{sid}", s.handleUpdateSchedule)
|
|
r.Delete("/hosts/{id}/schedules/{sid}", s.handleDeleteSchedule)
|
|
})
|
|
|
|
// Agent ↔ server WebSocket. Bearer-authenticated inside the handler.
|
|
if s.deps.Hub != nil {
|
|
r.Mount("/ws/agent", ws.AgentHandler(ws.HandlerDeps{
|
|
Hub: s.deps.Hub,
|
|
Store: s.deps.Store,
|
|
JobHub: s.deps.JobHub,
|
|
OnHello: s.onAgentHello,
|
|
OnScheduleAck: s.applyScheduleAck,
|
|
OnScheduleFire: s.dispatchScheduledJob,
|
|
}))
|
|
}
|
|
|
|
// Agent binaries + install scripts. Open endpoints — content is
|
|
// unprivileged on its own, gating happens via the enrollment
|
|
// token. See agent_assets.go.
|
|
r.Get("/agent/binary", s.handleAgentBinary)
|
|
r.Get("/install/*", s.handleInstallAsset)
|
|
|
|
// Static assets (Tailwind CSS bundle, future favicon).
|
|
r.Mount("/static/", staticHandler())
|
|
|
|
// HTML UI. The renderer is required — fail loud if the binary
|
|
// was built without templates (impossible in practice given
|
|
// embed, but guards bad test wiring).
|
|
if s.deps.UI != nil {
|
|
r.Get("/", s.handleUIDashboard)
|
|
r.Get("/login", s.handleUILoginGet)
|
|
r.Post("/login", s.handleUILoginPost)
|
|
r.Post("/logout", s.handleUILogoutPost)
|
|
// HTMX action endpoint for "Run now" buttons on the dashboard.
|
|
r.Post("/hosts/{id}/run-backup", s.handleUIRunBackup)
|
|
// HTMX action endpoint for the red "Initialise repo" button
|
|
// shown in the run-now panel until the repo is confirmed init'd.
|
|
r.Post("/hosts/{id}/init-repo", s.handleUIInitRepo)
|
|
// Add host flow.
|
|
r.Get("/hosts/new", s.handleUIAddHostGet)
|
|
r.Post("/hosts/new", s.handleUIAddHostPost)
|
|
// Durable post-Add-host page (operator can refresh / come
|
|
// back; password decrypted from the token row each render).
|
|
// Polled fragment under /awaiting flips to "connected" once
|
|
// the agent enrols.
|
|
r.Get("/hosts/pending/{token}", s.handleUIPendingHost)
|
|
r.Get("/hosts/pending/{token}/awaiting", s.handleUIPendingAwaiting)
|
|
// Host detail (Snapshots tab is the default).
|
|
r.Get("/hosts/{id}", s.handleUIHostDetail)
|
|
// Schedules tab + create/edit/delete forms.
|
|
r.Get("/hosts/{id}/schedules", s.handleUISchedulesList)
|
|
r.Get("/hosts/{id}/schedules/new", s.handleUIScheduleNewGet)
|
|
r.Post("/hosts/{id}/schedules/new", s.handleUIScheduleSave)
|
|
r.Get("/hosts/{id}/schedules/{sid}/edit", s.handleUIScheduleEditGet)
|
|
r.Post("/hosts/{id}/schedules/{sid}/edit", s.handleUIScheduleSave)
|
|
r.Post("/hosts/{id}/schedules/{sid}/delete", s.handleUIScheduleDelete)
|
|
r.Post("/hosts/{id}/schedules/{sid}/run", s.handleUIScheduleRun)
|
|
// Live job log.
|
|
r.Get("/jobs/{id}", s.handleUIJobDetail)
|
|
}
|
|
|
|
// Browser job-log stream (separate from /ws/agent so the auth
|
|
// layer is session-cookie not bearer). Mounted regardless of
|
|
// whether the UI is up — JSON callers may also subscribe.
|
|
if s.deps.JobHub != nil {
|
|
r.Get("/api/jobs/{id}/stream", s.handleJobStream)
|
|
}
|
|
}
|
|
|
|
// Start begins listening. Blocks until ListenAndServe returns
|
|
// (typically only on Shutdown). The server is HTTP-only by design;
|
|
// production deployments terminate TLS at a reverse proxy in front.
|
|
func (s *Server) Start() error {
|
|
err := s.srv.ListenAndServe()
|
|
if errors.Is(err, stdhttp.ErrServerClosed) {
|
|
return nil
|
|
}
|
|
return err
|
|
}
|
|
|
|
// Shutdown stops accepting new connections and waits up to ctx.Deadline
|
|
// for in-flight handlers to finish.
|
|
func (s *Server) Shutdown(ctx context.Context) error {
|
|
return s.srv.Shutdown(ctx)
|
|
}
|
|
|
|
// Addr returns the configured listen address. Useful in tests when
|
|
// the caller passes :0 to get a random port.
|
|
func (s *Server) Addr() string { return s.srv.Addr }
|