steve
8aa635f0c1
Two fixes that close the loop on dashboard run-now and harden the
agent's restic invocation.
Default paths (interim until P2-01 schedules):
- 0003 migration adds default_paths TEXT NOT NULL DEFAULT '[]'
to hosts and to enrollment_tokens.
- Operator types paths in the Add-host form (textarea, one per
line). They ride on the enrol_token row alongside the
encrypted creds (paths aren't secret — plain JSON column).
- On consume, ConsumeEnrollmentToken still just burns the token;
the new GetEnrollmentTokenAttachments returns both the
re-bindable creds and the path list in one round trip, the
handler transfers them onto the new host row inside CreateHost.
- The dashboard's Run-now and host-detail's "Run backup now"
button now read Host.DefaultPaths and pass them to dispatchJob.
A host with no default paths returns 400 with a friendly
"no paths set" message instead of dispatching a doomed
`restic backup` with no positional args.
- Doc comments explicitly call this out as a Phase 1 interim —
schedules supersede.
Restic env hygiene:
- envSlice() previously omitted HOME / XDG_CACHE_HOME, which
bit the smoke runs whenever the agent was launched outside
systemd (restic refused to start: "neither $XDG_CACHE_HOME
nor $HOME are defined"). Now both are set explicitly: prefer
Env.ExtraEnv overrides, fall back to the agent process's own
HOME, and finally to /var/lib/restic-manager.
- Comment makes the env policy explicit: parent's RESTIC_* /
AWS_* / B2_* env is filtered out by design — control-plane
is the unambiguous source of truth.
JS bug fix in the live log page:
- {{$job.ID | printf "%q"}} produced a literal-quoted JS string,
which then went into the WS URL as ".../jobs/"<ID>"/stream"
→ 404. Switched to '{{$job.ID}}' inside the literal so
html/template's auto-escape does the right thing. Verified
end-to-end: dashboard "Run now" → live progress + log lines
arrive over the WS → succeeded pill renders.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
132 lines
4.7 KiB
Go
132 lines
4.7 KiB
Go
package store
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"time"
|
|
)
|
|
|
|
// CreateEnrollmentToken persists a fresh one-time token. The caller
|
|
// has already hashed the raw token; the raw form is returned to the
|
|
// operator (printed in the install snippet) and never persisted.
|
|
//
|
|
// encRepoCreds is the AEAD-encrypted blob of {repo_url, repo_username,
|
|
// repo_password} that ConsumeEnrollmentToken will promote to a
|
|
// host_credentials row. Empty string = operator chose to set creds
|
|
// later via PUT /api/hosts/{id}/repo-credentials; the agent will
|
|
// refuse backup jobs until that lands.
|
|
//
|
|
// defaultPaths is the JSON-encoded path list (the agent invokes
|
|
// `restic backup` with these on a run-now without explicit paths).
|
|
// Empty string is treated as "[]". Not encrypted — paths aren't
|
|
// secret.
|
|
func (s *Store) CreateEnrollmentToken(ctx context.Context, tokenHash string, ttl time.Duration, encRepoCreds, defaultPaths string) error {
|
|
now := time.Now().UTC()
|
|
var enc any = nil
|
|
if encRepoCreds != "" {
|
|
enc = encRepoCreds
|
|
}
|
|
if defaultPaths == "" {
|
|
defaultPaths = "[]"
|
|
}
|
|
_, err := s.db.ExecContext(ctx,
|
|
`INSERT INTO enrollment_tokens (token_hash, created_at, expires_at, enc_repo_creds, default_paths)
|
|
VALUES (?, ?, ?, ?, ?)`,
|
|
tokenHash,
|
|
now.Format(time.RFC3339Nano),
|
|
now.Add(ttl).Format(time.RFC3339Nano),
|
|
enc, defaultPaths)
|
|
if err != nil {
|
|
return fmt.Errorf("store: create enrollment token: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ConsumeEnrollmentToken atomically validates a token (must exist,
|
|
// not be consumed, not be expired) and marks it consumed by hostID.
|
|
// Returns ErrNotFound on any failure.
|
|
//
|
|
// The associated repo creds (if any) are promoted into
|
|
// host_credentials by the caller via SetHostCredentials *after* the
|
|
// host row exists — host_credentials has a FK to hosts that would
|
|
// otherwise fire here, since the host is created by a separate
|
|
// statement immediately after this returns.
|
|
func (s *Store) ConsumeEnrollmentToken(ctx context.Context, tokenHash, hostID string) error {
|
|
now := time.Now().UTC().Format(time.RFC3339Nano)
|
|
res, err := s.db.ExecContext(ctx,
|
|
`UPDATE enrollment_tokens
|
|
SET consumed_at = ?, consumed_host = ?
|
|
WHERE token_hash = ? AND consumed_at IS NULL AND expires_at > ?`,
|
|
now, hostID, tokenHash, now)
|
|
if err != nil {
|
|
return fmt.Errorf("store: consume enrollment token: %w", err)
|
|
}
|
|
n, _ := res.RowsAffected()
|
|
if n == 0 {
|
|
return ErrNotFound
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// EnrollmentTokenAttachments is everything the enrolment handler
|
|
// needs from a token row at consume time, fetched in one round-trip.
|
|
type EnrollmentTokenAttachments struct {
|
|
// EncRepoCreds is the AEAD ciphertext bound (additional-data) to
|
|
// "token:" + token_hash. Empty if no creds were stashed.
|
|
EncRepoCreds string
|
|
// DefaultPaths is the operator's run-now path list. Always
|
|
// non-nil (empty slice if none were set).
|
|
DefaultPaths []string
|
|
}
|
|
|
|
// GetEnrollmentTokenAttachments returns the operator-supplied
|
|
// attachments on a still-valid enrolment token: the encrypted repo
|
|
// creds and the default-paths list. Returns ErrNotFound if the
|
|
// token is gone / consumed / expired.
|
|
//
|
|
// The caller decrypts EncRepoCreds using token_hash as AEAD
|
|
// additional data, then re-encrypts using host_id as additional
|
|
// data before passing to ConsumeEnrollmentToken.
|
|
func (s *Store) GetEnrollmentTokenAttachments(ctx context.Context, tokenHash string) (EnrollmentTokenAttachments, error) {
|
|
now := time.Now().UTC().Format(time.RFC3339Nano)
|
|
row := s.db.QueryRowContext(ctx,
|
|
`SELECT enc_repo_creds, default_paths FROM enrollment_tokens
|
|
WHERE token_hash = ? AND consumed_at IS NULL AND expires_at > ?`,
|
|
tokenHash, now)
|
|
var (
|
|
enc sql.NullString
|
|
defaultPaths string
|
|
)
|
|
if err := row.Scan(&enc, &defaultPaths); err != nil {
|
|
if errors.Is(err, sql.ErrNoRows) {
|
|
return EnrollmentTokenAttachments{}, ErrNotFound
|
|
}
|
|
return EnrollmentTokenAttachments{}, fmt.Errorf("store: get enrollment token attachments: %w", err)
|
|
}
|
|
out := EnrollmentTokenAttachments{DefaultPaths: []string{}}
|
|
if enc.Valid {
|
|
out.EncRepoCreds = enc.String
|
|
}
|
|
if defaultPaths != "" {
|
|
_ = json.Unmarshal([]byte(defaultPaths), &out.DefaultPaths)
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
// PurgeExpiredEnrollmentTokens deletes long-expired token rows. Tokens
|
|
// retained for ~24h after expiry so audit traces still resolve them.
|
|
func (s *Store) PurgeExpiredEnrollmentTokens(ctx context.Context) (int64, error) {
|
|
cutoff := time.Now().Add(-24 * time.Hour).UTC().Format(time.RFC3339Nano)
|
|
res, err := s.db.ExecContext(ctx,
|
|
`DELETE FROM enrollment_tokens WHERE expires_at <= ?`, cutoff)
|
|
if err != nil {
|
|
return 0, fmt.Errorf("store: purge enrollment tokens: %w", err)
|
|
}
|
|
n, _ := res.RowsAffected()
|
|
return n, nil
|
|
}
|
|
|