test: add rollback error condition tests

Add tests for Rollback method error paths:
- No previous image available
- Empty previous image string
- App deployment lock held
- App lock already acquired

Relates to #71

internal/database/migrations/006_add_previous_image_id.sql

@@ -0,0 +1,2 @@
+-- Add previous_image_id to apps for deployment rollback support
+ALTER TABLE apps ADD COLUMN previous_image_id TEXT;

internal/handlers/app.go

@@ -380,6 +380,30 @@ func (h *Handlers) HandleCancelDeploy() http.HandlerFunc {
 	}
 }
 
+// HandleAppRollback handles rolling back to the previous deployment image.
+func (h *Handlers) HandleAppRollback() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+
+		application, findErr := models.FindApp(request.Context(), h.db, appID)
+		if findErr != nil || application == nil {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		rollbackErr := h.deploy.Rollback(request.Context(), application)
+		if rollbackErr != nil {
+			h.log.Error("rollback failed", "error", rollbackErr, "app", application.Name)
+			http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
+
+			return
+		}
+
+		http.Redirect(writer, request, "/apps/"+application.ID+"?success=rolledback", http.StatusSeeOther)
+	}
+}
+
 // HandleAppDeployments returns the deployments history handler.
 func (h *Handlers) HandleAppDeployments() http.HandlerFunc {
 	tmpl := templates.GetParsed()

internal/middleware/middleware.go

@@ -235,9 +235,9 @@ func (m *Middleware) CSRF() func(http.Handler) http.Handler {
 // loginRateLimit configures the login rate limiter.
 const (
 	loginRateLimit      = rate.Limit(5.0 / 60.0) // 5 requests per 60 seconds
-	loginBurst          = 5                       // allow burst of 5
+	loginBurst          = 5                      // allow burst of 5
-	limiterExpiry       = 10 * time.Minute        // evict entries not seen in 10 minutes
+	limiterExpiry       = 10 * time.Minute       // evict entries not seen in 10 minutes
-	limiterCleanupEvery = 1 * time.Minute         // sweep interval
+	limiterCleanupEvery = 1 * time.Minute        // sweep interval
 )
 
 // ipLimiterEntry stores a rate limiter with its last-seen timestamp.
@@ -249,8 +249,8 @@ type ipLimiterEntry struct {
 // ipLimiter tracks per-IP rate limiters for login attempts with automatic
 // eviction of stale entries to prevent unbounded memory growth.
 type ipLimiter struct {
-	mu       sync.Mutex
+	mu        sync.Mutex
-	limiters map[string]*ipLimiterEntry
+	limiters  map[string]*ipLimiterEntry
 	lastSweep time.Time
 }
 

internal/models/app.go

@@ -14,7 +14,7 @@ import (
 const appColumns = `id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
 			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
-			created_at, updated_at`
+			previous_image_id, created_at, updated_at`
 
 // AppStatus represents the status of an app.
 type AppStatus string
@@ -32,22 +32,23 @@ const (
 type App struct {
 	db *database.Database
 
-	ID             string
+	ID                string
-	Name           string
+	Name              string
-	RepoURL        string
+	RepoURL           string
-	Branch         string
+	Branch            string
-	DockerfilePath string
+	DockerfilePath    string
 	WebhookSecret     string
 	WebhookSecretHash string
 	SSHPrivateKey     string
-	SSHPublicKey   string
+	SSHPublicKey      string
-	ImageID        sql.NullString
+	ImageID           sql.NullString
-	Status         AppStatus
+	PreviousImageID   sql.NullString
-	DockerNetwork  sql.NullString
+	Status            AppStatus
-	NtfyTopic      sql.NullString
+	DockerNetwork     sql.NullString
-	SlackWebhook   sql.NullString
+	NtfyTopic         sql.NullString
-	CreatedAt      time.Time
+	SlackWebhook      sql.NullString
-	UpdatedAt      time.Time
+	CreatedAt         time.Time
+	UpdatedAt         time.Time
 }
 
 // NewApp creates a new App with a database reference.
@@ -140,13 +141,15 @@ func (a *App) insert(ctx context.Context) error {
 		INSERT INTO apps (
 			id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
-			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash
+			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
-		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+			previous_image_id
+		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
 
 	_, err := a.db.Exec(ctx, query,
 		a.ID, a.Name, a.RepoURL, a.Branch, a.DockerfilePath, a.WebhookSecret,
 		a.SSHPrivateKey, a.SSHPublicKey, a.ImageID, a.Status,
 		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook, a.WebhookSecretHash,
+		a.PreviousImageID,
 	)
 	if err != nil {
 		return err
@@ -161,6 +164,7 @@ func (a *App) update(ctx context.Context) error {
 			name = ?, repo_url = ?, branch = ?, dockerfile_path = ?,
 			image_id = ?, status = ?,
 			docker_network = ?, ntfy_topic = ?, slack_webhook = ?,
+			previous_image_id = ?,
 			updated_at = CURRENT_TIMESTAMP
 		WHERE id = ?`
 
@@ -168,6 +172,7 @@ func (a *App) update(ctx context.Context) error {
 		a.Name, a.RepoURL, a.Branch, a.DockerfilePath,
 		a.ImageID, a.Status,
 		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook,
+		a.PreviousImageID,
 		a.ID,
 	)
 
@@ -182,6 +187,7 @@ func (a *App) scan(row *sql.Row) error {
 		&a.ImageID, &a.Status,
 		&a.DockerNetwork, &a.NtfyTopic, &a.SlackWebhook,
 		&a.WebhookSecretHash,
+		&a.PreviousImageID,
 		&a.CreatedAt, &a.UpdatedAt,
 	)
 }
@@ -199,6 +205,7 @@ func scanApps(appDB *database.Database, rows *sql.Rows) ([]*App, error) {
 			&app.ImageID, &app.Status,
 			&app.DockerNetwork, &app.NtfyTopic, &app.SlackWebhook,
 			&app.WebhookSecretHash,
+			&app.PreviousImageID,
 			&app.CreatedAt, &app.UpdatedAt,
 		)
 		if scanErr != nil {

internal/server/routes.go

@@ -54,47 +54,48 @@ func (s *Server) SetupRoutes() {
 		r.Group(func(r chi.Router) {
 			r.Use(s.mw.SessionAuth())
 
-		// Dashboard
+			// Dashboard
-		r.Get("/", s.handlers.HandleDashboard())
+			r.Get("/", s.handlers.HandleDashboard())
 
-		// Logout
+			// Logout
-		r.Post("/logout", s.handlers.HandleLogout())
+			r.Post("/logout", s.handlers.HandleLogout())
 
-		// App routes
+			// App routes
-		r.Get("/apps/new", s.handlers.HandleAppNew())
+			r.Get("/apps/new", s.handlers.HandleAppNew())
-		r.Post("/apps", s.handlers.HandleAppCreate())
+			r.Post("/apps", s.handlers.HandleAppCreate())
-		r.Get("/apps/{id}", s.handlers.HandleAppDetail())
+			r.Get("/apps/{id}", s.handlers.HandleAppDetail())
-		r.Get("/apps/{id}/edit", s.handlers.HandleAppEdit())
+			r.Get("/apps/{id}/edit", s.handlers.HandleAppEdit())
-		r.Post("/apps/{id}", s.handlers.HandleAppUpdate())
+			r.Post("/apps/{id}", s.handlers.HandleAppUpdate())
-		r.Post("/apps/{id}/delete", s.handlers.HandleAppDelete())
+			r.Post("/apps/{id}/delete", s.handlers.HandleAppDelete())
-		r.Post("/apps/{id}/deploy", s.handlers.HandleAppDeploy())
+			r.Post("/apps/{id}/deploy", s.handlers.HandleAppDeploy())
-		r.Post("/apps/{id}/deployments/cancel", s.handlers.HandleCancelDeploy())
+			r.Post("/apps/{id}/deployments/cancel", s.handlers.HandleCancelDeploy())
-		r.Get("/apps/{id}/deployments", s.handlers.HandleAppDeployments())
+			r.Get("/apps/{id}/deployments", s.handlers.HandleAppDeployments())
-		r.Get("/apps/{id}/deployments/{deploymentID}/logs", s.handlers.HandleDeploymentLogsAPI())
+			r.Get("/apps/{id}/deployments/{deploymentID}/logs", s.handlers.HandleDeploymentLogsAPI())
-		r.Get("/apps/{id}/deployments/{deploymentID}/download", s.handlers.HandleDeploymentLogDownload())
+			r.Get("/apps/{id}/deployments/{deploymentID}/download", s.handlers.HandleDeploymentLogDownload())
-		r.Get("/apps/{id}/logs", s.handlers.HandleAppLogs())
+			r.Get("/apps/{id}/logs", s.handlers.HandleAppLogs())
-		r.Get("/apps/{id}/container-logs", s.handlers.HandleContainerLogsAPI())
+			r.Get("/apps/{id}/container-logs", s.handlers.HandleContainerLogsAPI())
-		r.Get("/apps/{id}/status", s.handlers.HandleAppStatusAPI())
+			r.Get("/apps/{id}/status", s.handlers.HandleAppStatusAPI())
-		r.Get("/apps/{id}/recent-deployments", s.handlers.HandleRecentDeploymentsAPI())
+			r.Get("/apps/{id}/recent-deployments", s.handlers.HandleRecentDeploymentsAPI())
-		r.Post("/apps/{id}/restart", s.handlers.HandleAppRestart())
+			r.Post("/apps/{id}/rollback", s.handlers.HandleAppRollback())
-		r.Post("/apps/{id}/stop", s.handlers.HandleAppStop())
+			r.Post("/apps/{id}/restart", s.handlers.HandleAppRestart())
-		r.Post("/apps/{id}/start", s.handlers.HandleAppStart())
+			r.Post("/apps/{id}/stop", s.handlers.HandleAppStop())
+			r.Post("/apps/{id}/start", s.handlers.HandleAppStart())
 
-		// Environment variables
+			// Environment variables
-		r.Post("/apps/{id}/env-vars", s.handlers.HandleEnvVarAdd())
+			r.Post("/apps/{id}/env-vars", s.handlers.HandleEnvVarAdd())
-		r.Post("/apps/{id}/env-vars/{varID}/delete", s.handlers.HandleEnvVarDelete())
+			r.Post("/apps/{id}/env-vars/{varID}/delete", s.handlers.HandleEnvVarDelete())
 
-		// Labels
+			// Labels
-		r.Post("/apps/{id}/labels", s.handlers.HandleLabelAdd())
+			r.Post("/apps/{id}/labels", s.handlers.HandleLabelAdd())
-		r.Post("/apps/{id}/labels/{labelID}/delete", s.handlers.HandleLabelDelete())
+			r.Post("/apps/{id}/labels/{labelID}/delete", s.handlers.HandleLabelDelete())
 
-		// Volumes
+			// Volumes
-		r.Post("/apps/{id}/volumes", s.handlers.HandleVolumeAdd())
+			r.Post("/apps/{id}/volumes", s.handlers.HandleVolumeAdd())
-		r.Post("/apps/{id}/volumes/{volumeID}/delete", s.handlers.HandleVolumeDelete())
+			r.Post("/apps/{id}/volumes/{volumeID}/delete", s.handlers.HandleVolumeDelete())
 
-		// Ports
+			// Ports
-		r.Post("/apps/{id}/ports", s.handlers.HandlePortAdd())
+			r.Post("/apps/{id}/ports", s.handlers.HandlePortAdd())
-		r.Post("/apps/{id}/ports/{portID}/delete", s.handlers.HandlePortDelete())
+			r.Post("/apps/{id}/ports/{portID}/delete", s.handlers.HandlePortDelete())
 		})
 	})
 

internal/service/deploy/deploy.go

@@ -49,6 +49,8 @@ var (
 	ErrBuildTimeout = errors.New("build timeout exceeded")
 	// ErrDeployTimeout indicates the deploy phase exceeded the timeout.
 	ErrDeployTimeout = errors.New("deploy timeout exceeded")
+	// ErrNoPreviousImage indicates there is no previous image to rollback to.
+	ErrNoPreviousImage = errors.New("no previous image available for rollback")
 )
 
 // logFlushInterval is how often to flush buffered logs to the database.
@@ -80,7 +82,7 @@ type deploymentLogWriter struct {
 	lineBuffer bytes.Buffer // buffer for incomplete lines
 	mu         sync.Mutex
 	done       chan struct{}
-	flushed    sync.WaitGroup // waits for flush goroutine to finish
+	flushed    sync.WaitGroup  // waits for flush goroutine to finish
 	flushCtx   context.Context //nolint:containedctx // needed for async flush goroutine
 }
 
@@ -359,6 +361,107 @@ func (svc *Service) Deploy(
 	return svc.runBuildAndDeploy(deployCtx, bgCtx, app, deployment)
 }
 
+// Rollback rolls back an app to its previous image.
+// It stops the current container, starts a new one with the previous image,
+// and creates a deployment record for the rollback.
+func (svc *Service) Rollback(ctx context.Context, app *models.App) error {
+	if !app.PreviousImageID.Valid || app.PreviousImageID.String == "" {
+		return ErrNoPreviousImage
+	}
+
+	// Acquire per-app deployment lock
+	if !svc.tryLockApp(app.ID) {
+		return ErrDeploymentInProgress
+	}
+	defer svc.unlockApp(app.ID)
+
+	bgCtx := context.WithoutCancel(ctx)
+
+	deployment, err := svc.createRollbackDeployment(bgCtx, app)
+	if err != nil {
+		return err
+	}
+
+	return svc.executeRollback(ctx, bgCtx, app, deployment)
+}
+
+// createRollbackDeployment creates a deployment record for a rollback operation.
+func (svc *Service) createRollbackDeployment(
+	ctx context.Context,
+	app *models.App,
+) (*models.Deployment, error) {
+	deployment := models.NewDeployment(svc.db)
+	deployment.AppID = app.ID
+	deployment.Status = models.DeploymentStatusDeploying
+	deployment.ImageID = sql.NullString{String: app.PreviousImageID.String, Valid: true}
+
+	saveErr := deployment.Save(ctx)
+	if saveErr != nil {
+		return nil, fmt.Errorf("failed to create rollback deployment: %w", saveErr)
+	}
+
+	_ = deployment.AppendLog(ctx, "Rolling back to previous image: "+app.PreviousImageID.String)
+
+	return deployment, nil
+}
+
+// executeRollback performs the container swap for a rollback.
+func (svc *Service) executeRollback(
+	ctx context.Context,
+	bgCtx context.Context,
+	app *models.App,
+	deployment *models.Deployment,
+) error {
+	previousImageID := app.PreviousImageID.String
+
+	svc.removeOldContainer(ctx, app, deployment)
+
+	rollbackOpts, err := svc.buildContainerOptions(ctx, app, deployment.ID)
+	if err != nil {
+		svc.failDeployment(bgCtx, app, deployment, err)
+
+		return fmt.Errorf("failed to build container options: %w", err)
+	}
+
+	rollbackOpts.Image = previousImageID
+
+	containerID, err := svc.docker.CreateContainer(ctx, rollbackOpts)
+	if err != nil {
+		svc.failDeployment(bgCtx, app, deployment, fmt.Errorf("failed to create rollback container: %w", err))
+
+		return fmt.Errorf("failed to create rollback container: %w", err)
+	}
+
+	deployment.ContainerID = sql.NullString{String: containerID, Valid: true}
+	_ = deployment.AppendLog(bgCtx, "Rollback container created: "+containerID)
+
+	startErr := svc.docker.StartContainer(ctx, containerID)
+	if startErr != nil {
+		svc.failDeployment(bgCtx, app, deployment, fmt.Errorf("failed to start rollback container: %w", startErr))
+
+		return fmt.Errorf("failed to start rollback container: %w", startErr)
+	}
+
+	_ = deployment.AppendLog(bgCtx, "Rollback container started")
+
+	currentImageID := app.ImageID
+	app.ImageID = sql.NullString{String: previousImageID, Valid: true}
+	app.PreviousImageID = currentImageID
+	app.Status = models.AppStatusRunning
+
+	saveErr := app.Save(bgCtx)
+	if saveErr != nil {
+		return fmt.Errorf("failed to update app after rollback: %w", saveErr)
+	}
+
+	_ = deployment.MarkFinished(bgCtx, models.DeploymentStatusSuccess)
+	_ = deployment.AppendLog(bgCtx, "Rollback complete")
+
+	svc.log.Info("rollback completed", "app", app.Name, "image", previousImageID)
+
+	return nil
+}
+
 // runBuildAndDeploy executes the build and deploy phases, handling cancellation.
 func (svc *Service) runBuildAndDeploy(
 	deployCtx context.Context,
@@ -390,6 +493,11 @@ func (svc *Service) runBuildAndDeploy(
 		return err
 	}
 
+	// Save current image as previous before updating to new one
+	if app.ImageID.Valid && app.ImageID.String != "" {
+		app.PreviousImageID = app.ImageID
+	}
+
 	err = svc.updateAppRunning(bgCtx, app, imageID)
 	if err != nil {
 		return err

internal/service/deploy/deploy_rollback_test.go

@@ -0,0 +1,74 @@
+package deploy_test
+
+import (
+	"context"
+	"database/sql"
+	"log/slog"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"git.eeqj.de/sneak/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
+)
+
+func TestRollback_NoPreviousImage(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+	app := &models.App{
+		ID:              "app-rollback-1",
+		PreviousImageID: sql.NullString{},
+	}
+
+	err := svc.Rollback(context.Background(), app)
+	assert.ErrorIs(t, err, deploy.ErrNoPreviousImage)
+}
+
+func TestRollback_EmptyPreviousImage(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+	app := &models.App{
+		ID:              "app-rollback-2",
+		PreviousImageID: sql.NullString{String: "", Valid: true},
+	}
+
+	err := svc.Rollback(context.Background(), app)
+	assert.ErrorIs(t, err, deploy.ErrNoPreviousImage)
+}
+
+func TestRollback_DeploymentLocked(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	// Simulate a deploy holding the lock
+	assert.True(t, svc.TryLockApp("app-rollback-3"))
+	defer svc.UnlockApp("app-rollback-3")
+
+	app := &models.App{
+		ID:              "app-rollback-3",
+		PreviousImageID: sql.NullString{String: "sha256:abc123", Valid: true},
+	}
+
+	err := svc.Rollback(context.Background(), app)
+	assert.ErrorIs(t, err, deploy.ErrDeploymentInProgress)
+}
+
+func TestRollback_LockedApp(t *testing.T) {
+	t.Parallel()
+
+	svc := deploy.NewTestService(slog.Default())
+
+	assert.True(t, svc.TryLockApp("app-rollback-4"))
+	defer svc.UnlockApp("app-rollback-4")
+
+	app := &models.App{
+		ID:              "app-rollback-4",
+		PreviousImageID: sql.NullString{String: "sha256:abc123", Valid: true},
+	}
+
+	err := svc.Rollback(context.Background(), app)
+	assert.ErrorIs(t, err, deploy.ErrDeploymentInProgress)
+}

static/css/input.css

@@ -57,6 +57,10 @@
     @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed bg-success-500 text-white hover:bg-success-700 active:bg-green-800 focus:ring-green-500 shadow-elevation-1 hover:shadow-elevation-2;
   }
 
+  .btn-warning {
+    @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed bg-warning-500 text-white hover:bg-warning-700 active:bg-orange-800 focus:ring-orange-500 shadow-elevation-1 hover:shadow-elevation-2;
+  }
+
   .btn-text {
     @apply inline-flex items-center justify-center px-4 py-2 rounded-md font-medium text-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-offset-2 disabled:opacity-50 disabled:cursor-not-allowed text-primary-600 hover:bg-primary-50 active:bg-primary-100;
   }

templates/app_detail.html

@@ -44,6 +44,12 @@
                 {{ .CSRFField }}
                 <button type="submit" class="btn-danger">Cancel Deploy</button>
             </form>
+            {{if .App.PreviousImageID.Valid}}
+            <form method="POST" action="/apps/{{.App.ID}}/rollback" class="inline" x-data="confirmAction('Roll back to the previous deployment?')" @submit="confirm($event)">
+                {{ .CSRFField }}
+                <button type="submit" class="btn-warning">Rollback</button>
+            </form>
+            {{end}}
         </div>
     </div>