edgeguard-native/internal/services/setup/setup.go

// Package setup stores the one-time first-boot configuration of an
// EdgeGuard node. State lives in setup.json inside the data dir
// (default /var/lib/edgeguard). An incomplete or missing state means
// the API is in "setup mode" and gates non-setup routes.
//
// The cluster-aware version (Phase 3) moves this to ha_nodes /
// system_settings in PostgreSQL; the on-disk file remains the
// first-node bootstrap record so the seed peer has somewhere to
// write before PG holds an admin row.
//
// Pattern 1:1 nach mail-gateway/internal/services/setup/.
package setup

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/mail"
	"os"
	"path/filepath"
	"strings"
	"time"

	"golang.org/x/crypto/bcrypt"
)

const (
	DefaultDir  = "/var/lib/edgeguard"
	stateFile   = "setup.json"
	adminPwCost = 12
)

type State struct {
	AdminEmail        string     `json:"admin_email"`
	AdminPasswordHash string     `json:"admin_password_hash"`
	FQDN              string     `json:"fqdn"`
	ACMEEmail         string     `json:"acme_email"`
	LicenseKey        string     `json:"license_key,omitempty"`
	Completed         bool       `json:"completed"`
	CompletedAt       *time.Time `json:"completed_at,omitempty"`
}

// Request is the JSON body POST /api/v1/setup/complete accepts.
// AdminPassword is plaintext on the wire; the service hashes it
// before persisting.
type Request struct {
	AdminEmail    string `json:"admin_email"    binding:"required,email"`
	AdminPassword string `json:"admin_password" binding:"required,min=12"`
	FQDN          string `json:"fqdn"           binding:"required"`
	ACMEEmail     string `json:"acme_email"     binding:"required,email"`
	LicenseKey    string `json:"license_key,omitempty"`
}

type Store struct {
	Dir string
}

func NewStore(dir string) *Store { return &Store{Dir: dir} }

func (s *Store) Path() string { return filepath.Join(s.Dir, stateFile) }

// Load returns the current state. Missing file = zero value with
// Completed=false (the "never set up" case), no error.
func (s *Store) Load() (*State, error) {
	data, err := os.ReadFile(s.Path())
	if err != nil {
		if os.IsNotExist(err) {
			return &State{}, nil
		}
		return nil, err
	}
	var st State
	if err := json.Unmarshal(data, &st); err != nil {
		return nil, fmt.Errorf("parse setup state: %w", err)
	}
	return &st, nil
}

// Save writes the state atomically (write-tmp + rename). 0o600 because
// it carries the bcrypt admin-password hash.
func (s *Store) Save(st *State) error {
	if err := os.MkdirAll(s.Dir, 0o700); err != nil {
		return err
	}
	data, err := json.MarshalIndent(st, "", "  ")
	if err != nil {
		return err
	}
	tmp := s.Path() + ".tmp"
	if err := os.WriteFile(tmp, data, 0o600); err != nil {
		return err
	}
	return os.Rename(tmp, s.Path())
}

// Complete validates the request, hashes the password, persists. Re-
// running with the same admin email overwrites the password (admin-
// recovery path); a different email after completion is rejected to
// prevent silent takeover.
func (s *Store) Complete(req Request) (*State, error) {
	if err := validate(req); err != nil {
		return nil, err
	}
	prev, err := s.Load()
	if err != nil {
		return nil, err
	}
	if prev.Completed && prev.AdminEmail != "" &&
		!strings.EqualFold(prev.AdminEmail, req.AdminEmail) {
		return nil, errors.New("setup already completed under a different admin email")
	}

	hash, err := bcrypt.GenerateFromPassword([]byte(req.AdminPassword), adminPwCost)
	if err != nil {
		return nil, fmt.Errorf("hash admin password: %w", err)
	}

	now := time.Now().UTC()
	st := &State{
		AdminEmail:        strings.ToLower(strings.TrimSpace(req.AdminEmail)),
		AdminPasswordHash: string(hash),
		FQDN:              strings.TrimSpace(req.FQDN),
		ACMEEmail:         strings.ToLower(strings.TrimSpace(req.ACMEEmail)),
		LicenseKey:        strings.TrimSpace(req.LicenseKey),
		Completed:         true,
		CompletedAt:       &now,
	}
	if err := s.Save(st); err != nil {
		return nil, err
	}
	return st, nil
}

// VerifyAdminPassword does constant-time bcrypt comparison.
func (st *State) VerifyAdminPassword(plaintext string) bool {
	return bcrypt.CompareHashAndPassword([]byte(st.AdminPasswordHash), []byte(plaintext)) == nil
}

// SetAdminPassword hash't ein neues Plaintext-Passwort und persistiert
// es. Verwendet vom Self-Service-Reset (CLI-Token-Flow).
func (s *Store) SetAdminPassword(plaintext string) error {
	if len(plaintext) < 12 {
		return errors.New("admin_password must be at least 12 characters")
	}
	prev, err := s.Load()
	if err != nil {
		return err
	}
	if prev == nil || !prev.Completed {
		return errors.New("setup not completed — cannot reset password before initial setup")
	}
	hash, err := bcrypt.GenerateFromPassword([]byte(plaintext), adminPwCost)
	if err != nil {
		return fmt.Errorf("hash admin password: %w", err)
	}
	prev.AdminPasswordHash = string(hash)
	return s.Save(prev)
}

func validate(req Request) error {
	if _, err := mail.ParseAddress(req.AdminEmail); err != nil {
		return fmt.Errorf("invalid admin_email: %w", err)
	}
	if _, err := mail.ParseAddress(req.ACMEEmail); err != nil {
		return fmt.Errorf("invalid acme_email: %w", err)
	}
	if !looksLikeFQDN(req.FQDN) {
		return fmt.Errorf("fqdn %q does not look like a fully-qualified hostname", req.FQDN)
	}
	if len(req.AdminPassword) < 12 {
		return errors.New("admin_password must be at least 12 characters")
	}
	return nil
}

func looksLikeFQDN(s string) bool {
	s = strings.TrimSpace(strings.TrimSuffix(s, "."))
	if len(s) == 0 || len(s) > 253 {
		return false
	}
	if !strings.Contains(s, ".") {
		return false
	}
	for _, label := range strings.Split(s, ".") {
		if len(label) == 0 || len(label) > 63 {
			return false
		}
		for _, r := range label {
			ok := r == '-' ||
				(r >= '0' && r <= '9') ||
				(r >= 'a' && r <= 'z') ||
				(r >= 'A' && r <= 'Z')
			if !ok {
				return false
			}
		}
		if label[0] == '-' || label[len(label)-1] == '-' {
			return false
		}
	}
	return true
}