feat(api): Phase 2 — REST-API MVP + CRUD für Domains/Backends/Routing
REST-API mit Response-Envelope (1:1 mail-gateway), HS256-JWT-Signer (Secret persistent unter /var/lib/edgeguard/.jwt_fingerprint), Setup-Wizard (Bcrypt-Admin-Passwort in setup.json), Auth-Middleware (Cookie + Bearer), Setup-Gate. Update-Banner-Endpoints /system/package-versions + /system/upgrade ab Tag 1 wired (Pattern aus enconf-management-agent: systemd-run detached, HTTP-Response geht VOR dem Self-Replace raus). CRUD-Repos für domains/backends/routing_rules mit pgxpool + handgeschriebenem SQL (mail-gateway-Pattern, kein GORM zur Laufzeit). Audit-Log-Schreiber auf jede Mutation, NodeID aus /etc/machine-id. DB-Pool öffnet best-effort — ohne erreichbare PG bleiben CRUD-Routen unregistriert, Auth/Setup/System antworten weiter (Dev ohne PG). End-to-end live-getestet gegen lokale postgres-16: Setup → Login → POST/PUT/DELETE Backends + Domains + Routing-Rules → audit_log schreibt 5 Zeilen mit korrektem actor/action/subject. Graceful degrade ohne DB ebenfalls verifiziert. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Debian
181
internal/services/setup/setup.go
Normal file
181
internal/services/setup/setup.go
Normal file
@@ -0,0 +1,181 @@
|
||||
// Package setup stores the one-time first-boot configuration of an
|
||||
// EdgeGuard node. State lives in setup.json inside the data dir
|
||||
// (default /var/lib/edgeguard). An incomplete or missing state means
|
||||
// the API is in "setup mode" and gates non-setup routes.
|
||||
//
|
||||
// The cluster-aware version (Phase 3) moves this to ha_nodes /
|
||||
// system_settings in PostgreSQL; the on-disk file remains the
|
||||
// first-node bootstrap record so the seed peer has somewhere to
|
||||
// write before PG holds an admin row.
|
||||
//
|
||||
// Pattern 1:1 nach mail-gateway/internal/services/setup/.
|
||||
package setup
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/mail"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
)
|
||||
|
||||
const (
|
||||
DefaultDir = "/var/lib/edgeguard"
|
||||
stateFile = "setup.json"
|
||||
adminPwCost = 12
|
||||
)
|
||||
|
||||
type State struct {
|
||||
AdminEmail string `json:"admin_email"`
|
||||
AdminPasswordHash string `json:"admin_password_hash"`
|
||||
FQDN string `json:"fqdn"`
|
||||
ACMEEmail string `json:"acme_email"`
|
||||
LicenseKey string `json:"license_key,omitempty"`
|
||||
Completed bool `json:"completed"`
|
||||
CompletedAt *time.Time `json:"completed_at,omitempty"`
|
||||
}
|
||||
|
||||
// Request is the JSON body POST /api/v1/setup/complete accepts.
|
||||
// AdminPassword is plaintext on the wire; the service hashes it
|
||||
// before persisting.
|
||||
type Request struct {
|
||||
AdminEmail string `json:"admin_email" binding:"required,email"`
|
||||
AdminPassword string `json:"admin_password" binding:"required,min=12"`
|
||||
FQDN string `json:"fqdn" binding:"required"`
|
||||
ACMEEmail string `json:"acme_email" binding:"required,email"`
|
||||
LicenseKey string `json:"license_key,omitempty"`
|
||||
}
|
||||
|
||||
type Store struct {
|
||||
Dir string
|
||||
}
|
||||
|
||||
func NewStore(dir string) *Store { return &Store{Dir: dir} }
|
||||
|
||||
func (s *Store) Path() string { return filepath.Join(s.Dir, stateFile) }
|
||||
|
||||
// Load returns the current state. Missing file = zero value with
|
||||
// Completed=false (the "never set up" case), no error.
|
||||
func (s *Store) Load() (*State, error) {
|
||||
data, err := os.ReadFile(s.Path())
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
return &State{}, nil
|
||||
}
|
||||
return nil, err
|
||||
}
|
||||
var st State
|
||||
if err := json.Unmarshal(data, &st); err != nil {
|
||||
return nil, fmt.Errorf("parse setup state: %w", err)
|
||||
}
|
||||
return &st, nil
|
||||
}
|
||||
|
||||
// Save writes the state atomically (write-tmp + rename). 0o600 because
|
||||
// it carries the bcrypt admin-password hash.
|
||||
func (s *Store) Save(st *State) error {
|
||||
if err := os.MkdirAll(s.Dir, 0o700); err != nil {
|
||||
return err
|
||||
}
|
||||
data, err := json.MarshalIndent(st, "", " ")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
tmp := s.Path() + ".tmp"
|
||||
if err := os.WriteFile(tmp, data, 0o600); err != nil {
|
||||
return err
|
||||
}
|
||||
return os.Rename(tmp, s.Path())
|
||||
}
|
||||
|
||||
// Complete validates the request, hashes the password, persists. Re-
|
||||
// running with the same admin email overwrites the password (admin-
|
||||
// recovery path); a different email after completion is rejected to
|
||||
// prevent silent takeover.
|
||||
func (s *Store) Complete(req Request) (*State, error) {
|
||||
if err := validate(req); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
prev, err := s.Load()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if prev.Completed && prev.AdminEmail != "" &&
|
||||
!strings.EqualFold(prev.AdminEmail, req.AdminEmail) {
|
||||
return nil, errors.New("setup already completed under a different admin email")
|
||||
}
|
||||
|
||||
hash, err := bcrypt.GenerateFromPassword([]byte(req.AdminPassword), adminPwCost)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("hash admin password: %w", err)
|
||||
}
|
||||
|
||||
now := time.Now().UTC()
|
||||
st := &State{
|
||||
AdminEmail: strings.ToLower(strings.TrimSpace(req.AdminEmail)),
|
||||
AdminPasswordHash: string(hash),
|
||||
FQDN: strings.TrimSpace(req.FQDN),
|
||||
ACMEEmail: strings.ToLower(strings.TrimSpace(req.ACMEEmail)),
|
||||
LicenseKey: strings.TrimSpace(req.LicenseKey),
|
||||
Completed: true,
|
||||
CompletedAt: &now,
|
||||
}
|
||||
if err := s.Save(st); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return st, nil
|
||||
}
|
||||
|
||||
// VerifyAdminPassword does constant-time bcrypt comparison.
|
||||
func (st *State) VerifyAdminPassword(plaintext string) bool {
|
||||
return bcrypt.CompareHashAndPassword([]byte(st.AdminPasswordHash), []byte(plaintext)) == nil
|
||||
}
|
||||
|
||||
func validate(req Request) error {
|
||||
if _, err := mail.ParseAddress(req.AdminEmail); err != nil {
|
||||
return fmt.Errorf("invalid admin_email: %w", err)
|
||||
}
|
||||
if _, err := mail.ParseAddress(req.ACMEEmail); err != nil {
|
||||
return fmt.Errorf("invalid acme_email: %w", err)
|
||||
}
|
||||
if !looksLikeFQDN(req.FQDN) {
|
||||
return fmt.Errorf("fqdn %q does not look like a fully-qualified hostname", req.FQDN)
|
||||
}
|
||||
if len(req.AdminPassword) < 12 {
|
||||
return errors.New("admin_password must be at least 12 characters")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func looksLikeFQDN(s string) bool {
|
||||
s = strings.TrimSpace(strings.TrimSuffix(s, "."))
|
||||
if len(s) == 0 || len(s) > 253 {
|
||||
return false
|
||||
}
|
||||
if !strings.Contains(s, ".") {
|
||||
return false
|
||||
}
|
||||
for _, label := range strings.Split(s, ".") {
|
||||
if len(label) == 0 || len(label) > 63 {
|
||||
return false
|
||||
}
|
||||
for _, r := range label {
|
||||
ok := r == '-' ||
|
||||
(r >= '0' && r <= '9') ||
|
||||
(r >= 'a' && r <= 'z') ||
|
||||
(r >= 'A' && r <= 'Z')
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
}
|
||||
if label[0] == '-' || label[len(label)-1] == '-' {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
Reference in New Issue
Block a user