josh
42da48864f
CI / Lint + build + test (push) Failing after 5m15s
Can't log in from a fresh LXC deploy, and the service is LAN-only by
design. Rip out the whole bcrypt-password / signed-cookie session
layer: internal/auth, login templates, gen-admin-password binary +
Makefile targets, auth config block, login/logout routes and the
RequireSession middleware wrap. Agent bearer-token auth on
/api/v1/runs/{id}/* is untouched.
Operators who want a password can front the service with a reverse
proxy — noted in README and docs/operations.md.
65 lines
1.8 KiB
Go
65 lines
1.8 KiB
Go
// Package httpserver assembles the chi router. It lives in its own
|
|
// package because it depends on both `api` and `orchestrator`, and
|
|
// those two packages must stay import-independent.
|
|
package httpserver
|
|
|
|
import (
|
|
"io/fs"
|
|
"net/http"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
"github.com/go-chi/chi/v5/middleware"
|
|
|
|
"vetting/internal/api"
|
|
"vetting/internal/web"
|
|
)
|
|
|
|
type Deps struct {
|
|
UI *api.UI
|
|
Agent *api.Agent
|
|
LiveDir string // directory containing vmlinuz + initrd.img; "" disables /live
|
|
}
|
|
|
|
func NewRouter(d Deps) http.Handler {
|
|
r := chi.NewRouter()
|
|
r.Use(middleware.RealIP)
|
|
r.Use(middleware.Recoverer)
|
|
r.Use(middleware.Logger)
|
|
|
|
staticFS, err := fs.Sub(web.Static, "static")
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
r.Handle("/static/*", http.StripPrefix("/static/", http.FileServer(http.FS(staticFS))))
|
|
|
|
if d.LiveDir != "" {
|
|
r.Handle("/live/*", http.StripPrefix("/live/", http.FileServer(http.Dir(d.LiveDir))))
|
|
}
|
|
|
|
// Agent / PXE endpoints — authenticated per-request by bearer token
|
|
// or by the unforgeable MAC path parameter.
|
|
r.Get("/ipxe/{mac}", d.Agent.IPXEScript)
|
|
r.Route("/api/v1/runs/{id}", func(r chi.Router) {
|
|
r.Post("/hello", d.Agent.Hello)
|
|
r.Post("/claim", d.Agent.Claim)
|
|
r.Post("/heartbeat", d.Agent.Heartbeat)
|
|
r.Post("/log", d.Agent.Log)
|
|
r.Post("/result", d.Agent.Result)
|
|
r.Post("/hold", d.Agent.Hold)
|
|
r.Post("/sensor", d.Agent.Sensor)
|
|
})
|
|
|
|
// Browser UI — no auth; bind to loopback or LAN only, or front
|
|
// with a reverse proxy if you need a password.
|
|
r.Get("/", d.UI.Dashboard)
|
|
r.Get("/hosts/new", d.UI.NewHostForm)
|
|
r.Post("/hosts", d.UI.CreateHost)
|
|
r.Post("/hosts/{id}/delete", d.UI.DeleteHost)
|
|
r.Post("/hosts/{id}/start", d.UI.StartRun)
|
|
r.Post("/hosts/{id}/override-wipe", d.UI.OverrideWipeStorage)
|
|
r.Get("/reports/{runID}", d.UI.Report)
|
|
r.Get("/events", d.UI.SSE)
|
|
|
|
return r
|
|
}
|