steve
a781e95c94
Three small follow-ups from review:
1. Restore target is now operator-editable. Default value is the
literal '\$HOME/rm-restore/<job-id>/' (agent expands \$HOME at
run time using os.UserHomeDir(); also handles \${HOME} and ~/
prefixes). Operator can replace with any absolute path.
- ui_restore.go validates the input is either absolute or starts
with one of the recognised prefixes; other env-var refs (\$PATH
etc.) are deliberately rejected so operator paths can't pick up
arbitrary agent env values.
- host_restore.html replaces the read-only mono-text display with
a real <input>; help text spells out that \$HOME resolves
agent-side and <job-id> is substituted on dispatch.
- install.sh + the systemd unit prep /root/rm-restore so the
default works under the sandbox: ReadWritePaths gains a soft
'-/root/rm-restore' entry (the '-' makes the bind-mount soft-fail
if missing, but install.sh pre-creates it root-owned 0700).
2. --no-ownership flag now gated on restic version. The flag was
added in restic 0.17 and 0.16 rejects it. Previously dropped it
wholesale — that meant new-dir restores silently preserved
ownership against design intent on 0.17+. Now the agent threads
its detected restic version (sysinfo already collects it) through
runner.Config -> restic.Env, and RunRestore appends --no-ownership
only when AtLeastVersion(0, 17) returns true. 0.16 hosts still
restore with original uid/gid; help text in the wizard explicitly
notes this. The previous 'Original ownership is preserved' copy
was wrong for new-dir mode and is corrected.
3. golangci-lint misspell locale switched US -> UK and the codebase
swept (73 corrections, mostly behaviour/serialise/recognise/honour).
Wire-format ErrorCode 'unauthorized' -> 'unauthorised' is a tiny
contract change but the agent doesn't parse those codes today and
no external API consumers exist yet. Tests passed before + after.
Tests:
- internal/restic/version_test.go covers Env.AtLeastVersion across
edge cases (empty, exact match, patch above, minor below, non-
numeric) and expandHome on \$HOME / \${HOME} / ~/, plus
pass-through for absolute paths and refusal of other env vars.
- ui_restore_test updated: TargetDir now starts '\$HOME/rm-restore/'
with the job_id substituted into the placeholder.
Live verified on the smoke env: default target restored to
/root/rm-restore/<job-id>/ as the agent's expanded \$HOME (2 files,
14 bytes); custom override '/tmp/custom-restore/<job-id>/' restored
into the agent's PrivateTmp namespace (1 file, 6 bytes); both jobs
'succeeded', exit 0.
211 lines
5.9 KiB
Go
211 lines
5.9 KiB
Go
package http
|
|
|
|
import (
|
|
"crypto/subtle"
|
|
"encoding/json"
|
|
stdhttp "net/http"
|
|
"time"
|
|
|
|
"github.com/oklog/ulid/v2"
|
|
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/auth"
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
|
|
)
|
|
|
|
const (
|
|
sessionCookieName = "rm_session"
|
|
sessionTTL = 24 * time.Hour
|
|
bootstrapCookie = "rm_bootstrap_used"
|
|
)
|
|
|
|
type loginRequest struct {
|
|
Username string `json:"username"`
|
|
Password string `json:"password"`
|
|
}
|
|
|
|
type loginResponse struct {
|
|
UserID string `json:"user_id"`
|
|
Role string `json:"role"`
|
|
}
|
|
|
|
func (s *Server) handleLogin(w stdhttp.ResponseWriter, r *stdhttp.Request) {
|
|
var req loginRequest
|
|
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
|
writeJSONError(w, stdhttp.StatusBadRequest, "invalid_json", err.Error())
|
|
return
|
|
}
|
|
u, err := s.authenticateAndSession(w, r, req.Username, req.Password)
|
|
if err != nil {
|
|
writeJSONError(w, stdhttp.StatusUnauthorized, "invalid_credentials", "")
|
|
return
|
|
}
|
|
writeJSON(w, stdhttp.StatusOK, loginResponse{UserID: u.ID, Role: string(u.Role)})
|
|
}
|
|
|
|
// authenticateAndSession verifies credentials, mints a session cookie,
|
|
// records the login + audit, and returns the user. Any failure
|
|
// (unknown user, wrong password, db error) is collapsed into a single
|
|
// error — the caller decides how to surface it. Shared by JSON and
|
|
// HTML login flows.
|
|
func (s *Server) authenticateAndSession(w stdhttp.ResponseWriter, r *stdhttp.Request,
|
|
username, password string,
|
|
) (*store.User, error) {
|
|
u, err := s.deps.Store.GetUserByUsername(r.Context(), username)
|
|
if err != nil {
|
|
// Same response for unknown user vs bad password — don't leak
|
|
// existence to a probing attacker.
|
|
return nil, errInvalidCredentials
|
|
}
|
|
if err := auth.VerifyPassword(u.PasswordHash, password); err != nil {
|
|
return nil, errInvalidCredentials
|
|
}
|
|
|
|
token, err := auth.NewToken()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
now := time.Now().UTC()
|
|
sess := store.Session{
|
|
UserID: u.ID,
|
|
CreatedAt: now,
|
|
ExpiresAt: now.Add(sessionTTL),
|
|
IP: r.RemoteAddr,
|
|
UA: r.UserAgent(),
|
|
}
|
|
if err := s.deps.Store.CreateSession(r.Context(), sess, auth.HashToken(token)); err != nil {
|
|
return nil, err
|
|
}
|
|
_ = s.deps.Store.MarkUserLogin(r.Context(), u.ID, now)
|
|
|
|
stdhttp.SetCookie(w, &stdhttp.Cookie{
|
|
Name: sessionCookieName,
|
|
Value: token,
|
|
Path: "/",
|
|
HttpOnly: true,
|
|
Secure: s.deps.Cfg.CookieSecure,
|
|
SameSite: stdhttp.SameSiteLaxMode,
|
|
Expires: sess.ExpiresAt,
|
|
})
|
|
|
|
_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
|
|
ID: ulid.Make().String(),
|
|
UserID: &u.ID,
|
|
Actor: "user",
|
|
Action: "auth.login",
|
|
TS: now,
|
|
})
|
|
return u, nil
|
|
}
|
|
|
|
// errInvalidCredentials is the sentinel returned by
|
|
// authenticateAndSession for any failure that maps to a 401 in HTTP.
|
|
var errInvalidCredentials = errAuth("invalid_credentials")
|
|
|
|
type errAuth string
|
|
|
|
func (e errAuth) Error() string { return string(e) }
|
|
|
|
func (s *Server) handleLogout(w stdhttp.ResponseWriter, r *stdhttp.Request) {
|
|
if c, err := r.Cookie(sessionCookieName); err == nil {
|
|
_ = s.deps.Store.DeleteSession(r.Context(), auth.HashToken(c.Value))
|
|
}
|
|
stdhttp.SetCookie(w, &stdhttp.Cookie{
|
|
Name: sessionCookieName,
|
|
Value: "",
|
|
Path: "/",
|
|
MaxAge: -1,
|
|
HttpOnly: true,
|
|
Secure: s.deps.Cfg.CookieSecure,
|
|
SameSite: stdhttp.SameSiteLaxMode,
|
|
})
|
|
w.WriteHeader(stdhttp.StatusNoContent)
|
|
}
|
|
|
|
type bootstrapRequest struct {
|
|
Token string `json:"token"`
|
|
Username string `json:"username"`
|
|
Password string `json:"password"`
|
|
}
|
|
|
|
// handleBootstrap creates the first admin user. The endpoint accepts
|
|
// the one-time token printed in the server logs on first run, and is
|
|
// disabled the moment a user row exists.
|
|
func (s *Server) handleBootstrap(w stdhttp.ResponseWriter, r *stdhttp.Request) {
|
|
n, err := s.deps.Store.CountUsers(r.Context())
|
|
if err != nil {
|
|
writeJSONError(w, stdhttp.StatusInternalServerError, "internal", "")
|
|
return
|
|
}
|
|
if n > 0 {
|
|
writeJSONError(w, stdhttp.StatusConflict, "already_initialised",
|
|
"a user already exists; bootstrap is disabled")
|
|
return
|
|
}
|
|
if s.deps.BootstrapToken == "" {
|
|
writeJSONError(w, stdhttp.StatusServiceUnavailable, "no_token",
|
|
"bootstrap token not configured")
|
|
return
|
|
}
|
|
|
|
var req bootstrapRequest
|
|
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
|
writeJSONError(w, stdhttp.StatusBadRequest, "invalid_json", err.Error())
|
|
return
|
|
}
|
|
// Constant-time compare keeps timing analysis off the table.
|
|
if subtle.ConstantTimeCompare([]byte(req.Token), []byte(s.deps.BootstrapToken)) != 1 {
|
|
writeJSONError(w, stdhttp.StatusUnauthorized, "invalid_token", "")
|
|
return
|
|
}
|
|
if req.Username == "" || len(req.Password) < 12 {
|
|
writeJSONError(w, stdhttp.StatusBadRequest, "weak_password",
|
|
"password must be at least 12 characters")
|
|
return
|
|
}
|
|
|
|
hash, err := auth.HashPassword(req.Password)
|
|
if err != nil {
|
|
writeJSONError(w, stdhttp.StatusInternalServerError, "internal", "")
|
|
return
|
|
}
|
|
u := store.User{
|
|
ID: ulid.Make().String(),
|
|
Username: req.Username,
|
|
PasswordHash: hash,
|
|
Role: store.RoleAdmin,
|
|
CreatedAt: time.Now().UTC(),
|
|
}
|
|
if err := s.deps.Store.CreateUser(r.Context(), u); err != nil {
|
|
writeJSONError(w, stdhttp.StatusInternalServerError, "internal", "")
|
|
return
|
|
}
|
|
_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
|
|
ID: ulid.Make().String(),
|
|
UserID: &u.ID,
|
|
Actor: "system",
|
|
Action: "auth.bootstrap",
|
|
TS: u.CreatedAt,
|
|
})
|
|
|
|
writeJSON(w, stdhttp.StatusCreated, loginResponse{
|
|
UserID: u.ID, Role: string(u.Role),
|
|
})
|
|
}
|
|
|
|
// ----- json helpers --------------------------------------------------
|
|
|
|
type jsonError struct {
|
|
Code string `json:"code"`
|
|
Message string `json:"message,omitempty"`
|
|
}
|
|
|
|
func writeJSON(w stdhttp.ResponseWriter, status int, v any) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(status)
|
|
_ = json.NewEncoder(w).Encode(v)
|
|
}
|
|
|
|
func writeJSONError(w stdhttp.ResponseWriter, status int, code, msg string) {
|
|
writeJSON(w, status, jsonError{Code: code, Message: msg})
|
|
}
|