steve
ee3ee241ea
Cohesive batch from a smoke-test session against a real rest-server.
Themed bullets:
* Agent runs as root, sandboxed via systemd. CapabilityBoundingSet
drops to CAP_DAC_READ_SEARCH + restore caps; ProtectSystem=strict
with ReadWritePaths confined to /etc + /var/lib/restic-manager;
NoNewPrivileges blocks escalation. Install script no longer
creates a service user. spec.md §4.2 / §14.1 / §14.3 explain the
rationale (matches UrBackup / Veeam / Bareos defaults; trying to
back up "everything" as an unprivileged user creates silent skips
on /home, /root, /var/lib/* with no upside vs the threat model
the agent already implies).
* Init-repo end-to-end. New JobKind="init" wired through agent
runner, restic.Env.RunInit, server dispatcher, and a UI button
(red "Initialise repo" in the run-now panel). hosts.repo_initialised_at
flips on init success, on backup success, or on a non-empty
snapshots.report. The "Run now" / "Init" / "Retry" branching now
drives both the dashboard host row and the host-detail panel.
Migrations 0004 (column), 0005 (jobs.kind CHECK widened — using
the safe create-new-then-rename pattern; first version corrupted
job_logs.job_id FK), 0006 (cleans up job_logs FK on already-
affected DBs).
* rest-server creds embedded at exec time only. restic.Env gains
RepoUsername; mergeRestCreds() builds the user:pass@-prefixed URL
inside envSlice() and never assigns it back to the struct, so
nothing slog-able ever sees the cleartext form. RedactURL helper
for any future surface that needs to log a URL safely. Both
helpers tested.
* Add-host UX. Repo password is now optional — server mints a
24-byte URL-safe random one and surfaces it once, alongside an
htpasswd snippet ("echo PASS | htpasswd -B -i ... USERNAME") so
the operator pastes one command on the rest-server host and one
on the endpoint. Result page also links the install snippet at
/install/install.sh (was /install.sh — 404'd before) and pipes
to bash (not sh — script uses set -o pipefail and other
bashisms; on Debian/Ubuntu sh is dash).
* Late-subscriber race in JobHub. A fast-failing job could finish
(DB write + Broadcast) before the browser's HX-Redirect → page
load → WS-connect path completed, so the JS sat forever waiting
on a job.finished that already passed. JobHub split into
Register + Send + Run; handleJobStream now subscribes first,
re-fetches the job, and sends a synthetic job.finished if the
state is already terminal.
* HTMX error visibility. New toast partial listens to
htmx:responseError and surfaces the response body as a
bottom-right toast — every server-side validation error now
becomes visible without per-handler JS wiring. Also handles
custom rm:toast events for future server-pushed notifications
via the HX-Trigger header. Themed via existing CSS vars.
* Dashboard rows are now whole-row clickable to host detail
(CSS card-link pattern: absolute-positioned anchor + .row-action
z-index restoration so the action button stays clickable).
"View →" on a running job links to /jobs/<id> rather than
/hosts/<id> since the row click already covers the host page.
* "Run first" / "Run first backup" → "Run now" everywhere for
consistency.
* runbook (docs/e2e-smoke.md) updated — live-log streaming step
now reflects P1-26; mentions the browser-driven Run-now flow.
* _diag/dump-creds — moved out of cmd/ so go build doesn't pick
it up; .gitignore now excludes /_diag/ entirely.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
86 lines
2.8 KiB
Go
86 lines
2.8 KiB
Go
package restic
|
|
|
|
import (
|
|
"net/url"
|
|
"strings"
|
|
)
|
|
|
|
// mergeRestCreds embeds basic-auth user:pass into a `rest:` URL, only
|
|
// at the moment we hand it off to the restic subprocess. The result
|
|
// is intentionally NOT stored on Env or logged — restic's REST
|
|
// backend reads basic-auth from the URL only, so we have nowhere
|
|
// else to put them. Callers must treat the return value as
|
|
// secret-bearing and feed it straight into exec env.
|
|
//
|
|
// No-ops when:
|
|
// - the URL has no `rest:` prefix (other backends — s3, b2, sftp,
|
|
// etc. — get creds via their own env vars);
|
|
// - the URL already embeds user:pass (operator typed creds inline);
|
|
// - username is empty.
|
|
//
|
|
// Returns rawURL unchanged if it can't be parsed; restic will then
|
|
// reject it and the operator gets a clear error rather than a silent
|
|
// "I quietly stripped your URL" surprise.
|
|
func mergeRestCreds(rawURL, username, password string) string {
|
|
if !strings.HasPrefix(rawURL, "rest:") {
|
|
return rawURL
|
|
}
|
|
if username == "" {
|
|
return rawURL
|
|
}
|
|
inner := strings.TrimPrefix(rawURL, "rest:")
|
|
u, err := url.Parse(inner)
|
|
if err != nil || u.Host == "" {
|
|
// Either unparseable or a relative URL we shouldn't touch —
|
|
// pass through and let restic complain with a clear message.
|
|
return rawURL
|
|
}
|
|
if u.User != nil {
|
|
// Operator already embedded creds — don't overwrite.
|
|
return rawURL
|
|
}
|
|
u.User = url.UserPassword(username, password)
|
|
return "rest:" + u.String()
|
|
}
|
|
|
|
// RedactURL returns a logging-safe version of u with any password in
|
|
// the userinfo replaced by ***. Mirrors restic's own redaction so
|
|
// our logs match what restic prints. Use this — never the bare URL —
|
|
// whenever a URL might end up in slog output, audit entries, or any
|
|
// surface an operator can read.
|
|
//
|
|
// Non-restic URLs (s3, b2, sftp, …) pass through unchanged unless
|
|
// they happen to embed userinfo, in which case we redact the same
|
|
// way for consistency.
|
|
func RedactURL(u string) string {
|
|
prefix := ""
|
|
rest := u
|
|
if i := strings.Index(u, ":"); i > 0 && i+3 < len(u) && u[i+1:i+3] == "//" {
|
|
// scheme://… — keep "scheme:" intact.
|
|
prefix = u[:i+1]
|
|
rest = u[i+1:]
|
|
} else if strings.HasPrefix(u, "rest:") {
|
|
prefix = "rest:"
|
|
rest = strings.TrimPrefix(u, "rest:")
|
|
}
|
|
parsed, err := url.Parse(rest)
|
|
if err != nil || parsed.User == nil {
|
|
return u
|
|
}
|
|
if _, hasPass := parsed.User.Password(); !hasPass {
|
|
return u
|
|
}
|
|
// Build the redacted form by hand rather than via url.URL.String(),
|
|
// which percent-encodes the redaction marker into "%2A%2A%2A".
|
|
user := parsed.User.Username()
|
|
parsed.User = nil
|
|
rebuilt := parsed.String()
|
|
// rebuilt is "scheme://host/path…"; splice user:***@ in after "//".
|
|
const sep = "//"
|
|
idx := strings.Index(rebuilt, sep)
|
|
if idx < 0 {
|
|
return u
|
|
}
|
|
return prefix + rebuilt[:idx+len(sep)] + user + ":***@" + rebuilt[idx+len(sep):]
|
|
}
|