steve
f0dfa689fe
Three small follow-ups from review:
1. Restore target is now operator-editable. Default value is the
literal '\$HOME/rm-restore/<job-id>/' (agent expands \$HOME at
run time using os.UserHomeDir(); also handles \${HOME} and ~/
prefixes). Operator can replace with any absolute path.
- ui_restore.go validates the input is either absolute or starts
with one of the recognised prefixes; other env-var refs (\$PATH
etc.) are deliberately rejected so operator paths can't pick up
arbitrary agent env values.
- host_restore.html replaces the read-only mono-text display with
a real <input>; help text spells out that \$HOME resolves
agent-side and <job-id> is substituted on dispatch.
- install.sh + the systemd unit prep /root/rm-restore so the
default works under the sandbox: ReadWritePaths gains a soft
'-/root/rm-restore' entry (the '-' makes the bind-mount soft-fail
if missing, but install.sh pre-creates it root-owned 0700).
2. --no-ownership flag now gated on restic version. The flag was
added in restic 0.17 and 0.16 rejects it. Previously dropped it
wholesale — that meant new-dir restores silently preserved
ownership against design intent on 0.17+. Now the agent threads
its detected restic version (sysinfo already collects it) through
runner.Config -> restic.Env, and RunRestore appends --no-ownership
only when AtLeastVersion(0, 17) returns true. 0.16 hosts still
restore with original uid/gid; help text in the wizard explicitly
notes this. The previous 'Original ownership is preserved' copy
was wrong for new-dir mode and is corrected.
3. golangci-lint misspell locale switched US -> UK and the codebase
swept (73 corrections, mostly behaviour/serialise/recognise/honour).
Wire-format ErrorCode 'unauthorized' -> 'unauthorised' is a tiny
contract change but the agent doesn't parse those codes today and
no external API consumers exist yet. Tests passed before + after.
Tests:
- internal/restic/version_test.go covers Env.AtLeastVersion across
edge cases (empty, exact match, patch above, minor below, non-
numeric) and expandHome on \$HOME / \${HOME} / ~/, plus
pass-through for absolute paths and refusal of other env vars.
- ui_restore_test updated: TargetDir now starts '\$HOME/rm-restore/'
with the job_id substituted into the placeholder.
Live verified on the smoke env: default target restored to
/root/rm-restore/<job-id>/ as the agent's expanded \$HOME (2 files,
14 bytes); custom override '/tmp/custom-restore/<job-id>/' restored
into the agent's PrivateTmp namespace (1 file, 6 bytes); both jobs
'succeeded', exit 0.
121 lines
3.6 KiB
Go
121 lines
3.6 KiB
Go
// ui_repo_reinit.go — danger-zone re-init handler. Dispatches a fresh
|
|
// `restic init` job after the operator types the host name to confirm.
|
|
// Restic itself refuses to overwrite an existing repo (its init is
|
|
// effectively idempotent — see the runner's "config file already
|
|
// exists" sniff in restic.RunInit), so this is *not* a destructive
|
|
// data wipe; it's a "try again from scratch" affordance for the
|
|
// operator. If the rest-server bucket needs clearing the operator
|
|
// has to do that out-of-band; the job log will say so.
|
|
//
|
|
// Audit-logged with action='host.repo_reinit' so the trail records
|
|
// who triggered the wipe attempt and when.
|
|
package http
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"log/slog"
|
|
stdhttp "net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/oklog/ulid/v2"
|
|
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/api"
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
|
|
)
|
|
|
|
func (s *Server) handleUIRepoReinit(w stdhttp.ResponseWriter, r *stdhttp.Request) {
|
|
u := s.requireUIUser(w, r)
|
|
if u == nil {
|
|
return
|
|
}
|
|
host, ok := s.loadHostForUI(w, r)
|
|
if !ok {
|
|
return
|
|
}
|
|
if err := r.ParseForm(); err != nil {
|
|
stdhttp.Error(w, "bad request", stdhttp.StatusBadRequest)
|
|
return
|
|
}
|
|
confirm := strings.TrimSpace(r.PostForm.Get("confirm_hostname"))
|
|
if confirm != host.Name {
|
|
// We don't have a dedicated re-init banner field; surface via
|
|
// the existing CredentialsError slot — it sits adjacent to the
|
|
// danger zone visually so the operator's eye lands on it.
|
|
s.renderRepoPage(w, r, u, host,
|
|
"Re-init aborted — typed hostname did not match.", "", "", "")
|
|
return
|
|
}
|
|
if !s.deps.Hub.Connected(host.ID) {
|
|
s.renderRepoPage(w, r, u, host,
|
|
"Host is offline — bring the agent back up before re-initialising.",
|
|
"", "", "")
|
|
return
|
|
}
|
|
// Ensure the host has creds bound; otherwise restic init can't
|
|
// connect to the repo.
|
|
if _, err := s.deps.Store.GetHostCredentials(r.Context(), host.ID, store.CredKindRepo); err != nil {
|
|
if errors.Is(err, store.ErrNotFound) {
|
|
s.renderRepoPage(w, r, u, host,
|
|
"Bind repo credentials before re-initialising.",
|
|
"", "", "")
|
|
return
|
|
}
|
|
stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
jobID := ulid.Make().String()
|
|
now := time.Now().UTC()
|
|
if err := s.deps.Store.CreateJob(r.Context(), store.Job{
|
|
ID: jobID,
|
|
HostID: host.ID,
|
|
Kind: string(api.JobInit),
|
|
ActorKind: "user",
|
|
ActorID: &u.ID,
|
|
CreatedAt: now,
|
|
}); err != nil {
|
|
slog.Error("repo reinit: persist job", "host_id", host.ID, "err", err)
|
|
stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
env, err := api.Marshal(api.MsgCommandRun, jobID, api.CommandRunPayload{
|
|
JobID: jobID,
|
|
Kind: api.JobInit,
|
|
})
|
|
if err != nil {
|
|
stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
|
|
return
|
|
}
|
|
sendCtx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
|
|
defer cancel()
|
|
if err := s.deps.Hub.Send(sendCtx, host.ID, env); err != nil {
|
|
slog.Warn("repo reinit: ws send failed", "host_id", host.ID, "err", err)
|
|
s.renderRepoPage(w, r, u, host,
|
|
"Failed to deliver the init job to the agent — try again.",
|
|
"", "", "")
|
|
return
|
|
}
|
|
|
|
uid := u.ID
|
|
_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
|
|
ID: ulid.Make().String(),
|
|
UserID: &uid,
|
|
Actor: "user",
|
|
Action: "host.repo_reinit",
|
|
TargetKind: ptr("host"),
|
|
TargetID: &host.ID,
|
|
TS: now,
|
|
})
|
|
|
|
// HTMX redirect → live job log. JSON callers get a 202.
|
|
if wantsHTML(r) {
|
|
w.Header().Set("HX-Redirect", "/jobs/"+jobID)
|
|
w.WriteHeader(stdhttp.StatusNoContent)
|
|
return
|
|
}
|
|
stdhttp.Redirect(w, r, "/jobs/"+jobID, stdhttp.StatusSeeOther)
|
|
}
|