Compare commits
3 Commits
feature/pr
...
fix/js-for
| Author | SHA1 | Date | |
|---|---|---|---|
| d22daf1f0a | |||
| 602046b329 | |||
|
7920e723a6 |
@@ -9,7 +9,6 @@ A simple self-hosted PaaS that auto-deploys Docker containers from Git repositor
|
||||
- Per-app UUID-based webhook URLs for Gitea integration
|
||||
- Branch filtering - only deploy on configured branch changes
|
||||
- Environment variables, labels, and volume mounts per app
|
||||
- Private Docker registry authentication for base images
|
||||
- Docker builds via socket access
|
||||
- Notifications via ntfy and Slack-compatible webhooks
|
||||
- Simple server-rendered UI with Tailwind CSS
|
||||
|
||||
@@ -1,11 +0,0 @@
|
||||
-- Add registry credentials for private Docker registry authentication during builds
|
||||
CREATE TABLE registry_credentials (
|
||||
id INTEGER PRIMARY KEY,
|
||||
app_id TEXT NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
|
||||
registry TEXT NOT NULL,
|
||||
username TEXT NOT NULL,
|
||||
password TEXT NOT NULL,
|
||||
UNIQUE(app_id, registry)
|
||||
);
|
||||
|
||||
CREATE INDEX idx_registry_credentials_app_id ON registry_credentials(app_id);
|
||||
@@ -1,96 +0,0 @@
|
||||
package docker //nolint:testpackage // tests unexported buildAuthConfigs
|
||||
|
||||
import (
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestBuildAuthConfigsEmpty(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
result := buildAuthConfigs(nil)
|
||||
if len(result) != 0 {
|
||||
t.Errorf("expected empty map, got %d entries", len(result))
|
||||
}
|
||||
}
|
||||
|
||||
func TestBuildAuthConfigsSingle(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
auths := []RegistryAuth{
|
||||
{
|
||||
Registry: "registry.example.com",
|
||||
Username: "user",
|
||||
Password: "pass",
|
||||
},
|
||||
}
|
||||
|
||||
result := buildAuthConfigs(auths)
|
||||
|
||||
if len(result) != 1 {
|
||||
t.Fatalf("expected 1 entry, got %d", len(result))
|
||||
}
|
||||
|
||||
cfg, ok := result["registry.example.com"]
|
||||
if !ok {
|
||||
t.Fatal("expected registry.example.com key")
|
||||
}
|
||||
|
||||
if cfg.Username != "user" {
|
||||
t.Errorf("expected username 'user', got %q", cfg.Username)
|
||||
}
|
||||
|
||||
if cfg.Password != "pass" {
|
||||
t.Errorf("expected password 'pass', got %q", cfg.Password)
|
||||
}
|
||||
|
||||
if cfg.ServerAddress != "registry.example.com" {
|
||||
t.Errorf("expected server address 'registry.example.com', got %q", cfg.ServerAddress)
|
||||
}
|
||||
}
|
||||
|
||||
func TestBuildAuthConfigsMultiple(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
auths := []RegistryAuth{
|
||||
{Registry: "ghcr.io", Username: "ghuser", Password: "ghtoken"},
|
||||
{Registry: "docker.io", Username: "dkuser", Password: "dktoken"},
|
||||
}
|
||||
|
||||
result := buildAuthConfigs(auths)
|
||||
|
||||
if len(result) != 2 {
|
||||
t.Fatalf("expected 2 entries, got %d", len(result))
|
||||
}
|
||||
|
||||
ghcr := result["ghcr.io"]
|
||||
if ghcr.Username != "ghuser" || ghcr.Password != "ghtoken" {
|
||||
t.Errorf("unexpected ghcr.io config: %+v", ghcr)
|
||||
}
|
||||
|
||||
dkr := result["docker.io"]
|
||||
if dkr.Username != "dkuser" || dkr.Password != "dktoken" {
|
||||
t.Errorf("unexpected docker.io config: %+v", dkr)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRegistryAuthStruct(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
auth := RegistryAuth{
|
||||
Registry: "registry.example.com",
|
||||
Username: "testuser",
|
||||
Password: "testpass",
|
||||
}
|
||||
|
||||
if auth.Registry != "registry.example.com" {
|
||||
t.Errorf("expected registry 'registry.example.com', got %q", auth.Registry)
|
||||
}
|
||||
|
||||
if auth.Username != "testuser" {
|
||||
t.Errorf("expected username 'testuser', got %q", auth.Username)
|
||||
}
|
||||
|
||||
if auth.Password != "testpass" {
|
||||
t.Errorf("expected password 'testpass', got %q", auth.Password)
|
||||
}
|
||||
}
|
||||
@@ -20,7 +20,6 @@ import (
|
||||
"github.com/docker/docker/api/types/image"
|
||||
"github.com/docker/docker/api/types/mount"
|
||||
"github.com/docker/docker/api/types/network"
|
||||
"github.com/docker/docker/api/types/registry"
|
||||
"github.com/docker/docker/client"
|
||||
"github.com/docker/docker/pkg/archive"
|
||||
"github.com/docker/go-connections/nat"
|
||||
@@ -106,20 +105,12 @@ func (c *Client) IsConnected() bool {
|
||||
return c.docker != nil
|
||||
}
|
||||
|
||||
// RegistryAuth contains authentication credentials for a Docker registry.
|
||||
type RegistryAuth struct {
|
||||
Registry string
|
||||
Username string
|
||||
Password string //nolint:gosec // credential field required for registry auth
|
||||
}
|
||||
|
||||
// BuildImageOptions contains options for building an image.
|
||||
type BuildImageOptions struct {
|
||||
ContextDir string
|
||||
DockerfilePath string
|
||||
Tags []string
|
||||
LogWriter io.Writer // Optional writer for build output
|
||||
RegistryAuths []RegistryAuth // Optional registry credentials for pulling private base images
|
||||
LogWriter io.Writer // Optional writer for build output
|
||||
}
|
||||
|
||||
// BuildImage builds a Docker image from a context directory.
|
||||
@@ -170,21 +161,6 @@ type PortMapping struct {
|
||||
Protocol string // "tcp" or "udp"
|
||||
}
|
||||
|
||||
// buildAuthConfigs converts RegistryAuth slices into Docker's AuthConfigs map.
|
||||
func buildAuthConfigs(auths []RegistryAuth) map[string]registry.AuthConfig {
|
||||
configs := make(map[string]registry.AuthConfig, len(auths))
|
||||
|
||||
for _, auth := range auths {
|
||||
configs[auth.Registry] = registry.AuthConfig{
|
||||
Username: auth.Username,
|
||||
Password: auth.Password,
|
||||
ServerAddress: auth.Registry,
|
||||
}
|
||||
}
|
||||
|
||||
return configs
|
||||
}
|
||||
|
||||
// buildPortConfig converts port mappings to Docker port configuration.
|
||||
func buildPortConfig(ports []PortMapping) (nat.PortSet, nat.PortMap) {
|
||||
exposedPorts := make(nat.PortSet)
|
||||
@@ -537,18 +513,12 @@ func (c *Client) performBuild(
|
||||
}()
|
||||
|
||||
// Build image
|
||||
buildOpts := dockertypes.ImageBuildOptions{
|
||||
resp, err := c.docker.ImageBuild(ctx, tarArchive, dockertypes.ImageBuildOptions{
|
||||
Dockerfile: opts.DockerfilePath,
|
||||
Tags: opts.Tags,
|
||||
Remove: true,
|
||||
NoCache: false,
|
||||
}
|
||||
|
||||
if len(opts.RegistryAuths) > 0 {
|
||||
buildOpts.AuthConfigs = buildAuthConfigs(opts.RegistryAuths)
|
||||
}
|
||||
|
||||
resp, err := c.docker.ImageBuild(ctx, tarArchive, buildOpts)
|
||||
})
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to build image: %w", err)
|
||||
}
|
||||
|
||||
@@ -148,7 +148,6 @@ func (h *Handlers) HandleAppDetail() http.HandlerFunc {
|
||||
labels, _ := application.GetLabels(request.Context())
|
||||
volumes, _ := application.GetVolumes(request.Context())
|
||||
ports, _ := application.GetPorts(request.Context())
|
||||
registryCreds, _ := application.GetRegistryCredentials(request.Context())
|
||||
deployments, _ := application.GetDeployments(
|
||||
request.Context(),
|
||||
recentDeploymentsLimit,
|
||||
@@ -164,17 +163,16 @@ func (h *Handlers) HandleAppDetail() http.HandlerFunc {
|
||||
deployKey := formatDeployKey(application.SSHPublicKey, application.CreatedAt, application.Name)
|
||||
|
||||
data := h.addGlobals(map[string]any{
|
||||
"App": application,
|
||||
"EnvVars": envVars,
|
||||
"Labels": labels,
|
||||
"Volumes": volumes,
|
||||
"Ports": ports,
|
||||
"RegistryCredentials": registryCreds,
|
||||
"Deployments": deployments,
|
||||
"LatestDeployment": latestDeployment,
|
||||
"WebhookURL": webhookURL,
|
||||
"DeployKey": deployKey,
|
||||
"Success": request.URL.Query().Get("success"),
|
||||
"App": application,
|
||||
"EnvVars": envVars,
|
||||
"Labels": labels,
|
||||
"Volumes": volumes,
|
||||
"Ports": ports,
|
||||
"Deployments": deployments,
|
||||
"LatestDeployment": latestDeployment,
|
||||
"WebhookURL": webhookURL,
|
||||
"DeployKey": deployKey,
|
||||
"Success": request.URL.Query().Get("success"),
|
||||
}, request)
|
||||
|
||||
h.renderTemplate(writer, tmpl, "app_detail.html", data)
|
||||
@@ -905,92 +903,50 @@ func (h *Handlers) addKeyValueToApp(
|
||||
http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
|
||||
}
|
||||
|
||||
// envPairJSON represents a key-value pair in the JSON request body.
|
||||
type envPairJSON struct {
|
||||
Key string `json:"key"`
|
||||
Value string `json:"value"`
|
||||
}
|
||||
// HandleEnvVarAdd handles adding an environment variable.
|
||||
func (h *Handlers) HandleEnvVarAdd() http.HandlerFunc {
|
||||
return func(writer http.ResponseWriter, request *http.Request) {
|
||||
h.addKeyValueToApp(
|
||||
writer,
|
||||
request,
|
||||
func(ctx context.Context, application *models.App, key, value string) error {
|
||||
envVar := models.NewEnvVar(h.db)
|
||||
envVar.AppID = application.ID
|
||||
envVar.Key = key
|
||||
envVar.Value = value
|
||||
|
||||
// envVarMaxBodyBytes is the maximum allowed request body size for env var saves (1 MB).
|
||||
const envVarMaxBodyBytes = 1 << 20
|
||||
|
||||
// validateEnvPairs validates env var pairs.
|
||||
// It rejects empty keys and duplicate keys (returns a non-empty error string).
|
||||
func validateEnvPairs(pairs []envPairJSON) ([]models.EnvVarPair, string) {
|
||||
seen := make(map[string]bool, len(pairs))
|
||||
|
||||
result := make([]models.EnvVarPair, 0, len(pairs))
|
||||
|
||||
for _, p := range pairs {
|
||||
trimmedKey := strings.TrimSpace(p.Key)
|
||||
if trimmedKey == "" {
|
||||
return nil, "empty environment variable key is not allowed"
|
||||
}
|
||||
|
||||
if seen[trimmedKey] {
|
||||
return nil, "duplicate environment variable key: " + trimmedKey
|
||||
}
|
||||
|
||||
seen[trimmedKey] = true
|
||||
|
||||
result = append(result, models.EnvVarPair{Key: trimmedKey, Value: p.Value})
|
||||
return envVar.Save(ctx)
|
||||
},
|
||||
)
|
||||
}
|
||||
|
||||
return result, ""
|
||||
}
|
||||
|
||||
// HandleEnvVarSave handles bulk saving of all environment variables.
|
||||
// It reads a JSON array of {key, value} objects from the request body,
|
||||
// deletes all existing env vars for the app, and inserts the full
|
||||
// submitted set atomically within a database transaction.
|
||||
// Duplicate keys are rejected with a 400 Bad Request error.
|
||||
func (h *Handlers) HandleEnvVarSave() http.HandlerFunc {
|
||||
// HandleEnvVarDelete handles deleting an environment variable.
|
||||
func (h *Handlers) HandleEnvVarDelete() http.HandlerFunc {
|
||||
return func(writer http.ResponseWriter, request *http.Request) {
|
||||
appID := chi.URLParam(request, "id")
|
||||
envVarIDStr := chi.URLParam(request, "varID")
|
||||
|
||||
application, findErr := models.FindApp(request.Context(), h.db, appID)
|
||||
if findErr != nil || application == nil {
|
||||
envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64)
|
||||
if parseErr != nil {
|
||||
http.NotFound(writer, request)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// Limit request body size to prevent abuse
|
||||
request.Body = http.MaxBytesReader(writer, request.Body, envVarMaxBodyBytes)
|
||||
|
||||
var pairs []envPairJSON
|
||||
|
||||
decodeErr := json.NewDecoder(request.Body).Decode(&pairs)
|
||||
if decodeErr != nil {
|
||||
h.respondJSON(writer, request, map[string]string{
|
||||
"error": "invalid request body",
|
||||
}, http.StatusBadRequest)
|
||||
envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID)
|
||||
if findErr != nil || envVar == nil || envVar.AppID != appID {
|
||||
http.NotFound(writer, request)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
modelPairs, validationErr := validateEnvPairs(pairs)
|
||||
if validationErr != "" {
|
||||
h.respondJSON(writer, request, map[string]string{
|
||||
"error": validationErr,
|
||||
}, http.StatusBadRequest)
|
||||
|
||||
return
|
||||
deleteErr := envVar.Delete(request.Context())
|
||||
if deleteErr != nil {
|
||||
h.log.Error("failed to delete env var", "error", deleteErr)
|
||||
}
|
||||
|
||||
replaceErr := models.ReplaceEnvVarsByAppID(
|
||||
request.Context(), h.db, application.ID, modelPairs,
|
||||
)
|
||||
if replaceErr != nil {
|
||||
h.log.Error("failed to replace env vars", "error", replaceErr)
|
||||
h.respondJSON(writer, request, map[string]string{
|
||||
"error": "failed to save environment variables",
|
||||
}, http.StatusInternalServerError)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
h.respondJSON(writer, request, map[string]bool{"ok": true}, http.StatusOK)
|
||||
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1249,6 +1205,59 @@ func ValidateVolumePath(p string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// HandleEnvVarEdit handles editing an existing environment variable.
|
||||
func (h *Handlers) HandleEnvVarEdit() http.HandlerFunc {
|
||||
return func(writer http.ResponseWriter, request *http.Request) {
|
||||
appID := chi.URLParam(request, "id")
|
||||
envVarIDStr := chi.URLParam(request, "varID")
|
||||
|
||||
envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64)
|
||||
if parseErr != nil {
|
||||
http.NotFound(writer, request)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID)
|
||||
if findErr != nil || envVar == nil || envVar.AppID != appID {
|
||||
http.NotFound(writer, request)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
formErr := request.ParseForm()
|
||||
if formErr != nil {
|
||||
http.Error(writer, "Bad Request", http.StatusBadRequest)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
key := request.FormValue("key")
|
||||
value := request.FormValue("value")
|
||||
|
||||
if key == "" || value == "" {
|
||||
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
envVar.Key = key
|
||||
envVar.Value = value
|
||||
|
||||
saveErr := envVar.Save(request.Context())
|
||||
if saveErr != nil {
|
||||
h.log.Error("failed to update env var", "error", saveErr)
|
||||
}
|
||||
|
||||
http.Redirect(
|
||||
writer,
|
||||
request,
|
||||
"/apps/"+appID+"?success=env-updated",
|
||||
http.StatusSeeOther,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
// HandleLabelEdit handles editing an existing label.
|
||||
func (h *Handlers) HandleLabelEdit() http.HandlerFunc {
|
||||
return func(writer http.ResponseWriter, request *http.Request) {
|
||||
@@ -1384,126 +1393,3 @@ func formatDeployKey(pubKey string, createdAt time.Time, appName string) string
|
||||
|
||||
return parts[0] + " " + parts[1] + " " + comment
|
||||
}
|
||||
|
||||
// HandleRegistryCredentialAdd handles adding a registry credential.
|
||||
func (h *Handlers) HandleRegistryCredentialAdd() http.HandlerFunc {
|
||||
return func(writer http.ResponseWriter, request *http.Request) {
|
||||
appID := chi.URLParam(request, "id")
|
||||
|
||||
application, findErr := models.FindApp(request.Context(), h.db, appID)
|
||||
if findErr != nil || application == nil {
|
||||
http.NotFound(writer, request)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
parseErr := request.ParseForm()
|
||||
if parseErr != nil {
|
||||
http.Error(writer, "Bad Request", http.StatusBadRequest)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
registryURL := strings.TrimSpace(request.FormValue("registry"))
|
||||
username := strings.TrimSpace(request.FormValue("username"))
|
||||
password := request.FormValue("password")
|
||||
|
||||
if registryURL == "" || username == "" || password == "" {
|
||||
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
cred := models.NewRegistryCredential(h.db)
|
||||
cred.AppID = appID
|
||||
cred.Registry = registryURL
|
||||
cred.Username = username
|
||||
cred.Password = password
|
||||
|
||||
saveErr := cred.Save(request.Context())
|
||||
if saveErr != nil {
|
||||
h.log.Error("failed to save registry credential", "error", saveErr)
|
||||
}
|
||||
|
||||
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
|
||||
}
|
||||
}
|
||||
|
||||
// HandleRegistryCredentialEdit handles editing an existing registry credential.
|
||||
func (h *Handlers) HandleRegistryCredentialEdit() http.HandlerFunc {
|
||||
return func(writer http.ResponseWriter, request *http.Request) {
|
||||
appID := chi.URLParam(request, "id")
|
||||
credIDStr := chi.URLParam(request, "credID")
|
||||
|
||||
credID, parseErr := strconv.ParseInt(credIDStr, 10, 64)
|
||||
if parseErr != nil {
|
||||
http.NotFound(writer, request)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
cred, findErr := models.FindRegistryCredential(request.Context(), h.db, credID)
|
||||
if findErr != nil || cred == nil || cred.AppID != appID {
|
||||
http.NotFound(writer, request)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
formErr := request.ParseForm()
|
||||
if formErr != nil {
|
||||
http.Error(writer, "Bad Request", http.StatusBadRequest)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
registryURL := strings.TrimSpace(request.FormValue("registry"))
|
||||
username := strings.TrimSpace(request.FormValue("username"))
|
||||
password := request.FormValue("password")
|
||||
|
||||
if registryURL == "" || username == "" || password == "" {
|
||||
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
cred.Registry = registryURL
|
||||
cred.Username = username
|
||||
cred.Password = password
|
||||
|
||||
saveErr := cred.Save(request.Context())
|
||||
if saveErr != nil {
|
||||
h.log.Error("failed to update registry credential", "error", saveErr)
|
||||
}
|
||||
|
||||
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
|
||||
}
|
||||
}
|
||||
|
||||
// HandleRegistryCredentialDelete handles deleting a registry credential.
|
||||
func (h *Handlers) HandleRegistryCredentialDelete() http.HandlerFunc {
|
||||
return func(writer http.ResponseWriter, request *http.Request) {
|
||||
appID := chi.URLParam(request, "id")
|
||||
credIDStr := chi.URLParam(request, "credID")
|
||||
|
||||
credID, parseErr := strconv.ParseInt(credIDStr, 10, 64)
|
||||
if parseErr != nil {
|
||||
http.NotFound(writer, request)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
cred, findErr := models.FindRegistryCredential(request.Context(), h.db, credID)
|
||||
if findErr != nil || cred == nil || cred.AppID != appID {
|
||||
http.NotFound(writer, request)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
deleteErr := cred.Delete(request.Context())
|
||||
if deleteErr != nil {
|
||||
h.log.Error("failed to delete registry credential", "error", deleteErr)
|
||||
}
|
||||
|
||||
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -560,242 +560,45 @@ func testOwnershipVerification(t *testing.T, cfg ownedResourceTestConfig) {
|
||||
cfg.verifyFn(t, testCtx, resourceID)
|
||||
}
|
||||
|
||||
// TestHandleEnvVarSaveBulk tests that HandleEnvVarSave replaces all env vars
|
||||
// for an app with the submitted set (monolithic delete-all + insert-all).
|
||||
func TestHandleEnvVarSaveBulk(t *testing.T) {
|
||||
// TestDeleteEnvVarOwnershipVerification tests that deleting an env var
|
||||
// via another app's URL path returns 404 (IDOR prevention).
|
||||
func TestDeleteEnvVarOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern
|
||||
t.Parallel()
|
||||
|
||||
testCtx := setupTestHandlers(t)
|
||||
createdApp := createTestApp(t, testCtx, "envvar-bulk-app")
|
||||
testOwnershipVerification(t, ownedResourceTestConfig{
|
||||
appPrefix1: "envvar-owner-app",
|
||||
appPrefix2: "envvar-other-app",
|
||||
createFn: func(t *testing.T, tc *testContext, ownerApp *models.App) int64 {
|
||||
t.Helper()
|
||||
|
||||
// Create some pre-existing env vars
|
||||
for _, kv := range [][2]string{{"OLD_KEY", "old_value"}, {"REMOVE_ME", "gone"}} {
|
||||
ev := models.NewEnvVar(testCtx.database)
|
||||
ev.AppID = createdApp.ID
|
||||
ev.Key = kv[0]
|
||||
ev.Value = kv[1]
|
||||
require.NoError(t, ev.Save(context.Background()))
|
||||
}
|
||||
envVar := models.NewEnvVar(tc.database)
|
||||
envVar.AppID = ownerApp.ID
|
||||
envVar.Key = "SECRET"
|
||||
envVar.Value = "hunter2"
|
||||
require.NoError(t, envVar.Save(context.Background()))
|
||||
|
||||
// Submit a new set as a JSON array of key/value objects
|
||||
body := `[{"key":"NEW_KEY","value":"new_value"},{"key":"ANOTHER","value":"42"}]`
|
||||
return envVar.ID
|
||||
},
|
||||
deletePath: func(appID string, resourceID int64) string {
|
||||
return "/apps/" + appID + "/env/" + strconv.FormatInt(resourceID, 10) + "/delete"
|
||||
},
|
||||
chiParams: func(appID string, resourceID int64) map[string]string {
|
||||
return map[string]string{"id": appID, "varID": strconv.FormatInt(resourceID, 10)}
|
||||
},
|
||||
handler: func(h *handlers.Handlers) http.HandlerFunc { return h.HandleEnvVarDelete() },
|
||||
verifyFn: func(t *testing.T, tc *testContext, resourceID int64) {
|
||||
t.Helper()
|
||||
|
||||
r := chi.NewRouter()
|
||||
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
|
||||
|
||||
request := httptest.NewRequest(
|
||||
http.MethodPost,
|
||||
"/apps/"+createdApp.ID+"/env",
|
||||
strings.NewReader(body),
|
||||
)
|
||||
request.Header.Set("Content-Type", "application/json")
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
r.ServeHTTP(recorder, request)
|
||||
|
||||
assert.Equal(t, http.StatusOK, recorder.Code)
|
||||
|
||||
// Verify old env vars are gone and new ones exist
|
||||
envVars, err := models.FindEnvVarsByAppID(
|
||||
context.Background(), testCtx.database, createdApp.ID,
|
||||
)
|
||||
require.NoError(t, err)
|
||||
assert.Len(t, envVars, 2)
|
||||
|
||||
keys := make(map[string]string)
|
||||
for _, ev := range envVars {
|
||||
keys[ev.Key] = ev.Value
|
||||
}
|
||||
|
||||
assert.Equal(t, "new_value", keys["NEW_KEY"])
|
||||
assert.Equal(t, "42", keys["ANOTHER"])
|
||||
assert.Empty(t, keys["OLD_KEY"], "old env vars should be deleted")
|
||||
assert.Empty(t, keys["REMOVE_ME"], "old env vars should be deleted")
|
||||
}
|
||||
|
||||
// TestHandleEnvVarSaveAppNotFound tests that HandleEnvVarSave returns 404
|
||||
// for a non-existent app.
|
||||
func TestHandleEnvVarSaveAppNotFound(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testCtx := setupTestHandlers(t)
|
||||
|
||||
body := `[{"key":"KEY","value":"value"}]`
|
||||
|
||||
r := chi.NewRouter()
|
||||
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
|
||||
|
||||
request := httptest.NewRequest(
|
||||
http.MethodPost,
|
||||
"/apps/nonexistent-id/env",
|
||||
strings.NewReader(body),
|
||||
)
|
||||
request.Header.Set("Content-Type", "application/json")
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
r.ServeHTTP(recorder, request)
|
||||
|
||||
assert.Equal(t, http.StatusNotFound, recorder.Code)
|
||||
}
|
||||
|
||||
// TestHandleEnvVarSaveEmptyKeyRejected verifies that submitting a JSON
|
||||
// array containing an entry with an empty key returns 400.
|
||||
func TestHandleEnvVarSaveEmptyKeyRejected(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testCtx := setupTestHandlers(t)
|
||||
createdApp := createTestApp(t, testCtx, "envvar-emptykey-app")
|
||||
|
||||
body := `[{"key":"VALID_KEY","value":"ok"},{"key":"","value":"bad"}]`
|
||||
|
||||
r := chi.NewRouter()
|
||||
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
|
||||
|
||||
request := httptest.NewRequest(
|
||||
http.MethodPost,
|
||||
"/apps/"+createdApp.ID+"/env",
|
||||
strings.NewReader(body),
|
||||
)
|
||||
request.Header.Set("Content-Type", "application/json")
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
r.ServeHTTP(recorder, request)
|
||||
|
||||
assert.Equal(t, http.StatusBadRequest, recorder.Code)
|
||||
}
|
||||
|
||||
// TestHandleEnvVarSaveDuplicateKeyRejected verifies that when the client
|
||||
// sends duplicate keys, the server rejects them with 400 Bad Request.
|
||||
func TestHandleEnvVarSaveDuplicateKeyRejected(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testCtx := setupTestHandlers(t)
|
||||
createdApp := createTestApp(t, testCtx, "envvar-dedup-app")
|
||||
|
||||
// Send two entries with the same key — should be rejected
|
||||
body := `[{"key":"FOO","value":"first"},{"key":"BAR","value":"bar"},{"key":"FOO","value":"second"}]`
|
||||
|
||||
r := chi.NewRouter()
|
||||
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
|
||||
|
||||
request := httptest.NewRequest(
|
||||
http.MethodPost,
|
||||
"/apps/"+createdApp.ID+"/env",
|
||||
strings.NewReader(body),
|
||||
)
|
||||
request.Header.Set("Content-Type", "application/json")
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
r.ServeHTTP(recorder, request)
|
||||
|
||||
assert.Equal(t, http.StatusBadRequest, recorder.Code)
|
||||
assert.Contains(t, recorder.Body.String(), "duplicate environment variable key: FOO")
|
||||
}
|
||||
|
||||
// TestHandleEnvVarSaveCrossAppIsolation verifies that posting env vars
|
||||
// to appA's endpoint does not affect appB's env vars (IDOR prevention).
|
||||
func TestHandleEnvVarSaveCrossAppIsolation(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testCtx := setupTestHandlers(t)
|
||||
appA := createTestApp(t, testCtx, "envvar-iso-appA")
|
||||
appB := createTestApp(t, testCtx, "envvar-iso-appB")
|
||||
|
||||
// Give appB some env vars
|
||||
for _, kv := range [][2]string{{"B_KEY1", "b_val1"}, {"B_KEY2", "b_val2"}} {
|
||||
ev := models.NewEnvVar(testCtx.database)
|
||||
ev.AppID = appB.ID
|
||||
ev.Key = kv[0]
|
||||
ev.Value = kv[1]
|
||||
require.NoError(t, ev.Save(context.Background()))
|
||||
}
|
||||
|
||||
// POST new env vars to appA's endpoint
|
||||
body := `[{"key":"A_KEY","value":"a_val"}]`
|
||||
|
||||
r := chi.NewRouter()
|
||||
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
|
||||
|
||||
request := httptest.NewRequest(
|
||||
http.MethodPost,
|
||||
"/apps/"+appA.ID+"/env",
|
||||
strings.NewReader(body),
|
||||
)
|
||||
request.Header.Set("Content-Type", "application/json")
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
r.ServeHTTP(recorder, request)
|
||||
|
||||
assert.Equal(t, http.StatusOK, recorder.Code)
|
||||
|
||||
// Verify appA has exactly what we sent
|
||||
appAVars, err := models.FindEnvVarsByAppID(
|
||||
context.Background(), testCtx.database, appA.ID,
|
||||
)
|
||||
require.NoError(t, err)
|
||||
assert.Len(t, appAVars, 1)
|
||||
assert.Equal(t, "A_KEY", appAVars[0].Key)
|
||||
|
||||
// Verify appB's env vars are completely untouched
|
||||
appBVars, err := models.FindEnvVarsByAppID(
|
||||
context.Background(), testCtx.database, appB.ID,
|
||||
)
|
||||
require.NoError(t, err)
|
||||
assert.Len(t, appBVars, 2, "appB env vars must not be affected")
|
||||
|
||||
bKeys := make(map[string]string)
|
||||
for _, ev := range appBVars {
|
||||
bKeys[ev.Key] = ev.Value
|
||||
}
|
||||
|
||||
assert.Equal(t, "b_val1", bKeys["B_KEY1"])
|
||||
assert.Equal(t, "b_val2", bKeys["B_KEY2"])
|
||||
}
|
||||
|
||||
// TestHandleEnvVarSaveBodySizeLimit verifies that a request body
|
||||
// exceeding the 1 MB limit is rejected.
|
||||
func TestHandleEnvVarSaveBodySizeLimit(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testCtx := setupTestHandlers(t)
|
||||
createdApp := createTestApp(t, testCtx, "envvar-sizelimit-app")
|
||||
|
||||
// Build a JSON body that exceeds 1 MB
|
||||
// Each entry is ~30 bytes; 40000 entries ≈ 1.2 MB
|
||||
var sb strings.Builder
|
||||
|
||||
sb.WriteString("[")
|
||||
|
||||
for i := range 40000 {
|
||||
if i > 0 {
|
||||
sb.WriteString(",")
|
||||
}
|
||||
|
||||
sb.WriteString(`{"key":"K` + strconv.Itoa(i) + `","value":"val"}`)
|
||||
}
|
||||
|
||||
sb.WriteString("]")
|
||||
|
||||
r := chi.NewRouter()
|
||||
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
|
||||
|
||||
request := httptest.NewRequest(
|
||||
http.MethodPost,
|
||||
"/apps/"+createdApp.ID+"/env",
|
||||
strings.NewReader(sb.String()),
|
||||
)
|
||||
request.Header.Set("Content-Type", "application/json")
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
r.ServeHTTP(recorder, request)
|
||||
|
||||
assert.Equal(t, http.StatusBadRequest, recorder.Code,
|
||||
"oversized body should be rejected with 400")
|
||||
found, findErr := models.FindEnvVar(context.Background(), tc.database, resourceID)
|
||||
require.NoError(t, findErr)
|
||||
assert.NotNil(t, found, "env var should still exist after IDOR attempt")
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
// TestDeleteLabelOwnershipVerification tests that deleting a label
|
||||
// via another app's URL path returns 404 (IDOR prevention).
|
||||
func TestDeleteLabelOwnershipVerification(t *testing.T) {
|
||||
func TestDeleteLabelOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern
|
||||
t.Parallel()
|
||||
|
||||
testOwnershipVerification(t, ownedResourceTestConfig{
|
||||
@@ -911,43 +714,41 @@ func TestDeletePortOwnershipVerification(t *testing.T) {
|
||||
assert.NotNil(t, found, "port should still exist after IDOR attempt")
|
||||
}
|
||||
|
||||
// TestHandleEnvVarSaveEmptyClears verifies that submitting an empty JSON
|
||||
// array deletes all existing env vars for the app.
|
||||
func TestHandleEnvVarSaveEmptyClears(t *testing.T) {
|
||||
// TestHandleEnvVarDeleteUsesCorrectRouteParam verifies that HandleEnvVarDelete
|
||||
// reads the "varID" chi URL parameter (matching the route definition {varID}),
|
||||
// not a mismatched name like "envID".
|
||||
func TestHandleEnvVarDeleteUsesCorrectRouteParam(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testCtx := setupTestHandlers(t)
|
||||
createdApp := createTestApp(t, testCtx, "envvar-clear-app")
|
||||
|
||||
// Create a pre-existing env var
|
||||
ev := models.NewEnvVar(testCtx.database)
|
||||
ev.AppID = createdApp.ID
|
||||
ev.Key = "DELETE_ME"
|
||||
ev.Value = "gone"
|
||||
require.NoError(t, ev.Save(context.Background()))
|
||||
createdApp := createTestApp(t, testCtx, "envdelete-param-app")
|
||||
|
||||
// Submit empty JSON array
|
||||
envVar := models.NewEnvVar(testCtx.database)
|
||||
envVar.AppID = createdApp.ID
|
||||
envVar.Key = "DELETE_ME"
|
||||
envVar.Value = "gone"
|
||||
require.NoError(t, envVar.Save(context.Background()))
|
||||
|
||||
// Use chi router with the real route pattern to test param name
|
||||
r := chi.NewRouter()
|
||||
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
|
||||
r.Post("/apps/{id}/env-vars/{varID}/delete", testCtx.handlers.HandleEnvVarDelete())
|
||||
|
||||
request := httptest.NewRequest(
|
||||
http.MethodPost,
|
||||
"/apps/"+createdApp.ID+"/env",
|
||||
strings.NewReader("[]"),
|
||||
"/apps/"+createdApp.ID+"/env-vars/"+strconv.FormatInt(envVar.ID, 10)+"/delete",
|
||||
nil,
|
||||
)
|
||||
request.Header.Set("Content-Type", "application/json")
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
|
||||
r.ServeHTTP(recorder, request)
|
||||
|
||||
assert.Equal(t, http.StatusOK, recorder.Code)
|
||||
assert.Equal(t, http.StatusSeeOther, recorder.Code)
|
||||
|
||||
// Verify all env vars are gone
|
||||
envVars, err := models.FindEnvVarsByAppID(
|
||||
context.Background(), testCtx.database, createdApp.ID,
|
||||
)
|
||||
require.NoError(t, err)
|
||||
assert.Empty(t, envVars, "all env vars should be deleted")
|
||||
// Verify the env var was actually deleted
|
||||
found, findErr := models.FindEnvVar(context.Background(), testCtx.database, envVar.ID)
|
||||
require.NoError(t, findErr)
|
||||
assert.Nil(t, found, "env var should be deleted when using correct route param")
|
||||
}
|
||||
|
||||
// TestHandleVolumeAddValidatesPaths verifies that HandleVolumeAdd validates
|
||||
|
||||
@@ -119,11 +119,6 @@ func (a *App) GetWebhookEvents(
|
||||
return FindWebhookEventsByAppID(ctx, a.db, a.ID, limit)
|
||||
}
|
||||
|
||||
// GetRegistryCredentials returns all registry credentials for the app.
|
||||
func (a *App) GetRegistryCredentials(ctx context.Context) ([]*RegistryCredential, error) {
|
||||
return FindRegistryCredentialsByAppID(ctx, a.db, a.ID)
|
||||
}
|
||||
|
||||
func (a *App) exists(ctx context.Context) bool {
|
||||
if a.ID == "" {
|
||||
return false
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
//nolint:dupl // Active Record pattern - similar structure to label.go is intentional
|
||||
package models
|
||||
|
||||
import (
|
||||
@@ -128,48 +129,13 @@ func FindEnvVarsByAppID(
|
||||
return envVars, rows.Err()
|
||||
}
|
||||
|
||||
// EnvVarPair is a key-value pair for bulk env var operations.
|
||||
type EnvVarPair struct {
|
||||
Key string
|
||||
Value string
|
||||
}
|
||||
|
||||
// ReplaceEnvVarsByAppID atomically replaces all env vars for an app
|
||||
// within a single database transaction. It deletes all existing env
|
||||
// vars and inserts the provided pairs. If any operation fails, the
|
||||
// entire transaction is rolled back.
|
||||
func ReplaceEnvVarsByAppID(
|
||||
// DeleteEnvVarsByAppID deletes all env vars for an app.
|
||||
func DeleteEnvVarsByAppID(
|
||||
ctx context.Context,
|
||||
db *database.Database,
|
||||
appID string,
|
||||
pairs []EnvVarPair,
|
||||
) error {
|
||||
tx, err := db.BeginTx(ctx, nil)
|
||||
if err != nil {
|
||||
return fmt.Errorf("beginning transaction: %w", err)
|
||||
}
|
||||
_, err := db.Exec(ctx, "DELETE FROM app_env_vars WHERE app_id = ?", appID)
|
||||
|
||||
defer func() { _ = tx.Rollback() }()
|
||||
|
||||
_, err = tx.ExecContext(ctx, "DELETE FROM app_env_vars WHERE app_id = ?", appID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("deleting env vars: %w", err)
|
||||
}
|
||||
|
||||
for _, p := range pairs {
|
||||
_, err = tx.ExecContext(ctx,
|
||||
"INSERT INTO app_env_vars (app_id, key, value) VALUES (?, ?, ?)",
|
||||
appID, p.Key, p.Value,
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("inserting env var %q: %w", p.Key, err)
|
||||
}
|
||||
}
|
||||
|
||||
err = tx.Commit()
|
||||
if err != nil {
|
||||
return fmt.Errorf("committing transaction: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
//nolint:dupl // Active Record pattern - similar structure to env_var.go is intentional
|
||||
package models
|
||||
|
||||
import (
|
||||
|
||||
@@ -23,7 +23,6 @@ const (
|
||||
testBranch = "main"
|
||||
testValue = "value"
|
||||
testEventType = "push"
|
||||
testUser = "user"
|
||||
)
|
||||
|
||||
func setupTestDB(t *testing.T) (*database.Database, func()) {
|
||||
@@ -705,127 +704,6 @@ func TestAppGetWebhookEvents(t *testing.T) {
|
||||
assert.Len(t, events, 1)
|
||||
}
|
||||
|
||||
// RegistryCredential Tests.
|
||||
|
||||
func TestRegistryCredentialCreateAndFind(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testDB, cleanup := setupTestDB(t)
|
||||
defer cleanup()
|
||||
|
||||
app := createTestApp(t, testDB)
|
||||
|
||||
cred := models.NewRegistryCredential(testDB)
|
||||
cred.AppID = app.ID
|
||||
cred.Registry = "registry.example.com"
|
||||
cred.Username = "myuser"
|
||||
cred.Password = "mypassword"
|
||||
|
||||
err := cred.Save(context.Background())
|
||||
require.NoError(t, err)
|
||||
assert.NotZero(t, cred.ID)
|
||||
|
||||
creds, err := models.FindRegistryCredentialsByAppID(
|
||||
context.Background(), testDB, app.ID,
|
||||
)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, creds, 1)
|
||||
assert.Equal(t, "registry.example.com", creds[0].Registry)
|
||||
assert.Equal(t, "myuser", creds[0].Username)
|
||||
assert.Equal(t, "mypassword", creds[0].Password)
|
||||
}
|
||||
|
||||
func TestRegistryCredentialUpdate(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testDB, cleanup := setupTestDB(t)
|
||||
defer cleanup()
|
||||
|
||||
app := createTestApp(t, testDB)
|
||||
|
||||
cred := models.NewRegistryCredential(testDB)
|
||||
cred.AppID = app.ID
|
||||
cred.Registry = "old.registry.com"
|
||||
cred.Username = "olduser"
|
||||
cred.Password = "oldpass"
|
||||
|
||||
err := cred.Save(context.Background())
|
||||
require.NoError(t, err)
|
||||
|
||||
cred.Registry = "new.registry.com"
|
||||
cred.Username = "newuser"
|
||||
cred.Password = "newpass"
|
||||
|
||||
err = cred.Save(context.Background())
|
||||
require.NoError(t, err)
|
||||
|
||||
found, err := models.FindRegistryCredential(context.Background(), testDB, cred.ID)
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, found)
|
||||
assert.Equal(t, "new.registry.com", found.Registry)
|
||||
assert.Equal(t, "newuser", found.Username)
|
||||
assert.Equal(t, "newpass", found.Password)
|
||||
}
|
||||
|
||||
func TestRegistryCredentialDelete(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testDB, cleanup := setupTestDB(t)
|
||||
defer cleanup()
|
||||
|
||||
app := createTestApp(t, testDB)
|
||||
|
||||
cred := models.NewRegistryCredential(testDB)
|
||||
cred.AppID = app.ID
|
||||
cred.Registry = "delete.registry.com"
|
||||
cred.Username = testUser
|
||||
cred.Password = "pass"
|
||||
|
||||
err := cred.Save(context.Background())
|
||||
require.NoError(t, err)
|
||||
|
||||
err = cred.Delete(context.Background())
|
||||
require.NoError(t, err)
|
||||
|
||||
creds, err := models.FindRegistryCredentialsByAppID(
|
||||
context.Background(), testDB, app.ID,
|
||||
)
|
||||
require.NoError(t, err)
|
||||
assert.Empty(t, creds)
|
||||
}
|
||||
|
||||
func TestRegistryCredentialFindByIDNotFound(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testDB, cleanup := setupTestDB(t)
|
||||
defer cleanup()
|
||||
|
||||
found, err := models.FindRegistryCredential(context.Background(), testDB, 99999)
|
||||
require.NoError(t, err)
|
||||
assert.Nil(t, found)
|
||||
}
|
||||
|
||||
func TestAppGetRegistryCredentials(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
testDB, cleanup := setupTestDB(t)
|
||||
defer cleanup()
|
||||
|
||||
app := createTestApp(t, testDB)
|
||||
|
||||
cred := models.NewRegistryCredential(testDB)
|
||||
cred.AppID = app.ID
|
||||
cred.Registry = "ghcr.io"
|
||||
cred.Username = testUser
|
||||
cred.Password = "token"
|
||||
_ = cred.Save(context.Background())
|
||||
|
||||
creds, err := app.GetRegistryCredentials(context.Background())
|
||||
require.NoError(t, err)
|
||||
assert.Len(t, creds, 1)
|
||||
assert.Equal(t, "ghcr.io", creds[0].Registry)
|
||||
}
|
||||
|
||||
// Cascade Delete Tests.
|
||||
|
||||
//nolint:funlen // Test function with many assertions - acceptable for integration tests
|
||||
@@ -871,13 +749,6 @@ func TestCascadeDelete(t *testing.T) {
|
||||
deploy.Status = models.DeploymentStatusSuccess
|
||||
_ = deploy.Save(context.Background())
|
||||
|
||||
regCred := models.NewRegistryCredential(testDB)
|
||||
regCred.AppID = app.ID
|
||||
regCred.Registry = "registry.example.com"
|
||||
regCred.Username = testUser
|
||||
regCred.Password = "pass"
|
||||
_ = regCred.Save(context.Background())
|
||||
|
||||
// Delete app.
|
||||
err := app.Delete(context.Background())
|
||||
require.NoError(t, err)
|
||||
@@ -907,11 +778,6 @@ func TestCascadeDelete(t *testing.T) {
|
||||
context.Background(), testDB, app.ID, 10,
|
||||
)
|
||||
assert.Empty(t, deployments)
|
||||
|
||||
regCreds, _ := models.FindRegistryCredentialsByAppID(
|
||||
context.Background(), testDB, app.ID,
|
||||
)
|
||||
assert.Empty(t, regCreds)
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
@@ -1,130 +0,0 @@
|
||||
package models
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"errors"
|
||||
"fmt"
|
||||
|
||||
"sneak.berlin/go/upaas/internal/database"
|
||||
)
|
||||
|
||||
// RegistryCredential represents authentication credentials for a private Docker registry.
|
||||
type RegistryCredential struct {
|
||||
db *database.Database
|
||||
|
||||
ID int64
|
||||
AppID string
|
||||
Registry string
|
||||
Username string
|
||||
Password string //nolint:gosec // credential field required for registry auth
|
||||
}
|
||||
|
||||
// NewRegistryCredential creates a new RegistryCredential with a database reference.
|
||||
func NewRegistryCredential(db *database.Database) *RegistryCredential {
|
||||
return &RegistryCredential{db: db}
|
||||
}
|
||||
|
||||
// Save inserts or updates the registry credential in the database.
|
||||
func (r *RegistryCredential) Save(ctx context.Context) error {
|
||||
if r.ID == 0 {
|
||||
return r.insert(ctx)
|
||||
}
|
||||
|
||||
return r.update(ctx)
|
||||
}
|
||||
|
||||
// Delete removes the registry credential from the database.
|
||||
func (r *RegistryCredential) Delete(ctx context.Context) error {
|
||||
_, err := r.db.Exec(ctx, "DELETE FROM registry_credentials WHERE id = ?", r.ID)
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
func (r *RegistryCredential) insert(ctx context.Context) error {
|
||||
query := "INSERT INTO registry_credentials (app_id, registry, username, password) VALUES (?, ?, ?, ?)"
|
||||
|
||||
result, err := r.db.Exec(ctx, query, r.AppID, r.Registry, r.Username, r.Password)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
id, err := result.LastInsertId()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
r.ID = id
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (r *RegistryCredential) update(ctx context.Context) error {
|
||||
query := "UPDATE registry_credentials SET registry = ?, username = ?, password = ? WHERE id = ?"
|
||||
|
||||
_, err := r.db.Exec(ctx, query, r.Registry, r.Username, r.Password, r.ID)
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
// FindRegistryCredential finds a registry credential by ID.
|
||||
//
|
||||
//nolint:nilnil // returning nil,nil is idiomatic for "not found" in Active Record
|
||||
func FindRegistryCredential(
|
||||
ctx context.Context,
|
||||
db *database.Database,
|
||||
id int64,
|
||||
) (*RegistryCredential, error) {
|
||||
cred := NewRegistryCredential(db)
|
||||
|
||||
row := db.QueryRow(ctx,
|
||||
"SELECT id, app_id, registry, username, password FROM registry_credentials WHERE id = ?",
|
||||
id,
|
||||
)
|
||||
|
||||
err := row.Scan(&cred.ID, &cred.AppID, &cred.Registry, &cred.Username, &cred.Password)
|
||||
if err != nil {
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
return nil, fmt.Errorf("scanning registry credential: %w", err)
|
||||
}
|
||||
|
||||
return cred, nil
|
||||
}
|
||||
|
||||
// FindRegistryCredentialsByAppID finds all registry credentials for an app.
|
||||
func FindRegistryCredentialsByAppID(
|
||||
ctx context.Context,
|
||||
db *database.Database,
|
||||
appID string,
|
||||
) ([]*RegistryCredential, error) {
|
||||
query := `
|
||||
SELECT id, app_id, registry, username, password FROM registry_credentials
|
||||
WHERE app_id = ? ORDER BY registry`
|
||||
|
||||
rows, err := db.Query(ctx, query, appID)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("querying registry credentials by app: %w", err)
|
||||
}
|
||||
|
||||
defer func() { _ = rows.Close() }()
|
||||
|
||||
var creds []*RegistryCredential
|
||||
|
||||
for rows.Next() {
|
||||
cred := NewRegistryCredential(db)
|
||||
|
||||
scanErr := rows.Scan(
|
||||
&cred.ID, &cred.AppID, &cred.Registry, &cred.Username, &cred.Password,
|
||||
)
|
||||
if scanErr != nil {
|
||||
return nil, scanErr
|
||||
}
|
||||
|
||||
creds = append(creds, cred)
|
||||
}
|
||||
|
||||
return creds, rows.Err()
|
||||
}
|
||||
@@ -82,8 +82,10 @@ func (s *Server) SetupRoutes() {
|
||||
r.Post("/apps/{id}/stop", s.handlers.HandleAppStop())
|
||||
r.Post("/apps/{id}/start", s.handlers.HandleAppStart())
|
||||
|
||||
// Environment variables (monolithic bulk save)
|
||||
r.Post("/apps/{id}/env", s.handlers.HandleEnvVarSave())
|
||||
// Environment variables
|
||||
r.Post("/apps/{id}/env-vars", s.handlers.HandleEnvVarAdd())
|
||||
r.Post("/apps/{id}/env-vars/{varID}/edit", s.handlers.HandleEnvVarEdit())
|
||||
r.Post("/apps/{id}/env-vars/{varID}/delete", s.handlers.HandleEnvVarDelete())
|
||||
|
||||
// Labels
|
||||
r.Post("/apps/{id}/labels", s.handlers.HandleLabelAdd())
|
||||
@@ -98,11 +100,6 @@ func (s *Server) SetupRoutes() {
|
||||
// Ports
|
||||
r.Post("/apps/{id}/ports", s.handlers.HandlePortAdd())
|
||||
r.Post("/apps/{id}/ports/{portID}/delete", s.handlers.HandlePortDelete())
|
||||
|
||||
// Registry Credentials
|
||||
r.Post("/apps/{id}/registry-credentials", s.handlers.HandleRegistryCredentialAdd())
|
||||
r.Post("/apps/{id}/registry-credentials/{credID}/edit", s.handlers.HandleRegistryCredentialEdit())
|
||||
r.Post("/apps/{id}/registry-credentials/{credID}/delete", s.handlers.HandleRegistryCredentialDelete())
|
||||
})
|
||||
})
|
||||
|
||||
|
||||
@@ -830,13 +830,6 @@ func (svc *Service) buildImage(
|
||||
logWriter := newDeploymentLogWriter(ctx, deployment)
|
||||
defer logWriter.Close()
|
||||
|
||||
// Fetch registry credentials for private base images
|
||||
registryAuths, err := svc.buildRegistryAuths(ctx, app)
|
||||
if err != nil {
|
||||
svc.log.Warn("failed to fetch registry credentials", "error", err, "app", app.Name)
|
||||
// Continue without auth — public images will still work
|
||||
}
|
||||
|
||||
// BuildImage creates a tar archive from the local filesystem,
|
||||
// so it needs the container path where files exist, not the host path.
|
||||
imageID, err := svc.docker.BuildImage(ctx, docker.BuildImageOptions{
|
||||
@@ -844,7 +837,6 @@ func (svc *Service) buildImage(
|
||||
DockerfilePath: app.DockerfilePath,
|
||||
Tags: []string{imageTag},
|
||||
LogWriter: logWriter,
|
||||
RegistryAuths: registryAuths,
|
||||
})
|
||||
if err != nil {
|
||||
svc.notify.NotifyBuildFailed(ctx, app, deployment, err)
|
||||
@@ -1235,34 +1227,6 @@ func (svc *Service) failDeployment(
|
||||
_ = app.Save(ctx)
|
||||
}
|
||||
|
||||
// buildRegistryAuths fetches registry credentials for an app and converts them
|
||||
// to Docker RegistryAuth objects for use during image builds.
|
||||
func (svc *Service) buildRegistryAuths(
|
||||
ctx context.Context,
|
||||
app *models.App,
|
||||
) ([]docker.RegistryAuth, error) {
|
||||
creds, err := app.GetRegistryCredentials(ctx)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to get registry credentials: %w", err)
|
||||
}
|
||||
|
||||
if len(creds) == 0 {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
auths := make([]docker.RegistryAuth, 0, len(creds))
|
||||
|
||||
for _, cred := range creds {
|
||||
auths = append(auths, docker.RegistryAuth{
|
||||
Registry: cred.Registry,
|
||||
Username: cred.Username,
|
||||
Password: cred.Password,
|
||||
})
|
||||
}
|
||||
|
||||
return auths, nil
|
||||
}
|
||||
|
||||
// writeLogsToFile writes the deployment logs to a file on disk.
|
||||
// Structure: DataDir/logs/<hostname>/<appname>/<appname>_<sha>_<timestamp>.log.txt
|
||||
func (svc *Service) writeLogsToFile(app *models.App, deployment *models.Deployment) {
|
||||
|
||||
@@ -6,103 +6,6 @@
|
||||
*/
|
||||
|
||||
document.addEventListener("alpine:init", () => {
|
||||
// ============================================
|
||||
// Environment Variable Editor Component
|
||||
// ============================================
|
||||
Alpine.data("envVarEditor", (appId) => ({
|
||||
vars: [],
|
||||
editIdx: -1,
|
||||
editKey: "",
|
||||
editVal: "",
|
||||
appId: appId,
|
||||
|
||||
init() {
|
||||
this.vars = Array.from(this.$el.querySelectorAll(".env-init")).map(
|
||||
(span) => ({
|
||||
key: span.dataset.key,
|
||||
value: span.dataset.value,
|
||||
}),
|
||||
);
|
||||
},
|
||||
|
||||
startEdit(i) {
|
||||
this.editIdx = i;
|
||||
this.editKey = this.vars[i].key;
|
||||
this.editVal = this.vars[i].value;
|
||||
},
|
||||
|
||||
saveEdit(i) {
|
||||
this.vars[i] = { key: this.editKey, value: this.editVal };
|
||||
this.editIdx = -1;
|
||||
this.submitAll();
|
||||
},
|
||||
|
||||
removeVar(i) {
|
||||
if (!window.confirm("Delete this environment variable?")) {
|
||||
return;
|
||||
}
|
||||
|
||||
this.vars.splice(i, 1);
|
||||
this.submitAll();
|
||||
},
|
||||
|
||||
addVar(keyEl, valEl) {
|
||||
const k = keyEl.value.trim();
|
||||
const v = valEl.value.trim();
|
||||
|
||||
if (!k) {
|
||||
return;
|
||||
}
|
||||
|
||||
this.vars.push({ key: k, value: v });
|
||||
this.submitAll();
|
||||
},
|
||||
|
||||
submitAll() {
|
||||
const csrfInput = this.$el.querySelector(
|
||||
'input[name="gorilla.csrf.Token"]',
|
||||
);
|
||||
const csrfToken = csrfInput ? csrfInput.value : "";
|
||||
|
||||
fetch("/apps/" + this.appId + "/env", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"Content-Type": "application/json",
|
||||
"X-CSRF-Token": csrfToken,
|
||||
},
|
||||
body: JSON.stringify(
|
||||
this.vars.map((e) => ({ key: e.key, value: e.value })),
|
||||
),
|
||||
})
|
||||
.then((res) => {
|
||||
if (res.ok) {
|
||||
window.location.reload();
|
||||
return;
|
||||
}
|
||||
res.json()
|
||||
.then((data) => {
|
||||
window.alert(
|
||||
data.error ||
|
||||
"Failed to save environment variables.",
|
||||
);
|
||||
})
|
||||
.catch(() => {
|
||||
window.alert(
|
||||
"Failed to save environment variables.",
|
||||
);
|
||||
});
|
||||
})
|
||||
.catch(() => {
|
||||
window.alert(
|
||||
"Network error: could not save environment variables.",
|
||||
);
|
||||
});
|
||||
},
|
||||
}));
|
||||
|
||||
// ============================================
|
||||
// App Detail Page Component
|
||||
// ============================================
|
||||
Alpine.data("appDetail", (config) => ({
|
||||
appId: config.appId,
|
||||
currentDeploymentId: config.initialDeploymentId,
|
||||
|
||||
@@ -101,10 +101,9 @@
|
||||
</div>
|
||||
|
||||
<!-- Environment Variables -->
|
||||
<div class="card p-6 mb-6" x-data="envVarEditor('{{.App.ID}}')">
|
||||
<div class="card p-6 mb-6">
|
||||
<h2 class="section-title mb-4">Environment Variables</h2>
|
||||
{{range .EnvVars}}<span class="env-init hidden" data-key="{{.Key}}" data-value="{{.Value}}"></span>{{end}}
|
||||
<template x-if="vars.length > 0">
|
||||
{{if .EnvVars}}
|
||||
<div class="overflow-x-auto mb-4">
|
||||
<table class="table">
|
||||
<thead class="table-header">
|
||||
@@ -115,91 +114,33 @@
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody class="table-body">
|
||||
<template x-for="(env, idx) in vars" :key="idx">
|
||||
<tr>
|
||||
<template x-if="editIdx !== idx">
|
||||
<td class="font-mono font-medium" x-text="env.key"></td>
|
||||
</template>
|
||||
<template x-if="editIdx !== idx">
|
||||
<td class="font-mono text-gray-500" x-text="env.value"></td>
|
||||
</template>
|
||||
<template x-if="editIdx !== idx">
|
||||
<td class="text-right">
|
||||
<button @click="startEdit(idx)" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
|
||||
<button @click="removeVar(idx)" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
|
||||
</td>
|
||||
</template>
|
||||
<template x-if="editIdx === idx">
|
||||
<td colspan="3">
|
||||
<form @submit.prevent="saveEdit(idx)" class="flex gap-2 items-center">
|
||||
<input type="text" x-model="editKey" required class="input flex-1 font-mono text-sm">
|
||||
<input type="text" x-model="editVal" required class="input flex-1 font-mono text-sm">
|
||||
<button type="submit" class="btn-primary text-sm">Save</button>
|
||||
<button type="button" @click="editIdx = -1" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
|
||||
</form>
|
||||
<p class="text-xs text-amber-600 mt-1">⚠ Container restart needed after env var changes.</p>
|
||||
</td>
|
||||
</template>
|
||||
</tr>
|
||||
</template>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
</template>
|
||||
<form @submit.prevent="addVar($refs.newKey, $refs.newVal)" class="flex flex-col sm:flex-row gap-2">
|
||||
<input x-ref="newKey" type="text" placeholder="KEY" required class="input flex-1 font-mono text-sm">
|
||||
<input x-ref="newVal" type="text" placeholder="value" required class="input flex-1 font-mono text-sm">
|
||||
<button type="submit" class="btn-primary">Add</button>
|
||||
</form>
|
||||
<div class="hidden">{{ .CSRFField }}</div>
|
||||
</div>
|
||||
|
||||
<!-- Registry Credentials -->
|
||||
<div class="card p-6 mb-6">
|
||||
<h2 class="section-title mb-4">Registry Credentials</h2>
|
||||
<p class="text-sm text-gray-500 mb-3">Authenticate to private Docker registries when pulling base images during builds.</p>
|
||||
{{if .RegistryCredentials}}
|
||||
<div class="overflow-x-auto mb-4">
|
||||
<table class="table">
|
||||
<thead class="table-header">
|
||||
<tr>
|
||||
<th>Registry</th>
|
||||
<th>Username</th>
|
||||
<th>Password</th>
|
||||
<th class="text-right">Actions</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody class="table-body">
|
||||
{{range .RegistryCredentials}}
|
||||
{{range .EnvVars}}
|
||||
<tr x-data="{ editing: false }">
|
||||
<template x-if="!editing">
|
||||
<td class="font-mono">{{.Registry}}</td>
|
||||
<td class="font-mono font-medium">{{.Key}}</td>
|
||||
</template>
|
||||
<template x-if="!editing">
|
||||
<td class="font-mono">{{.Username}}</td>
|
||||
</template>
|
||||
<template x-if="!editing">
|
||||
<td class="font-mono text-gray-400">••••••••</td>
|
||||
<td class="font-mono text-gray-500">{{.Value}}</td>
|
||||
</template>
|
||||
<template x-if="!editing">
|
||||
<td class="text-right">
|
||||
<button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
|
||||
<form method="POST" action="/apps/{{$.App.ID}}/registry-credentials/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this registry credential?')" @submit="confirm($event)">
|
||||
<form method="POST" action="/apps/{{$.App.ID}}/env-vars/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this environment variable?')" @submit="confirm($event)">
|
||||
{{ $.CSRFField }}
|
||||
<button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
|
||||
</form>
|
||||
</td>
|
||||
</template>
|
||||
<template x-if="editing">
|
||||
<td colspan="4">
|
||||
<form method="POST" action="/apps/{{$.App.ID}}/registry-credentials/{{.ID}}/edit" class="flex gap-2 items-center">
|
||||
<td colspan="3">
|
||||
<form method="POST" action="/apps/{{$.App.ID}}/env-vars/{{.ID}}/edit" class="flex gap-2 items-center">
|
||||
{{ $.CSRFField }}
|
||||
<input type="text" name="registry" value="{{.Registry}}" required class="input flex-1 font-mono text-sm" placeholder="registry.example.com">
|
||||
<input type="text" name="username" value="{{.Username}}" required class="input flex-1 font-mono text-sm" placeholder="username">
|
||||
<input type="password" name="password" required class="input flex-1 font-mono text-sm" placeholder="password">
|
||||
<input type="text" name="key" value="{{.Key}}" required class="input flex-1 font-mono text-sm">
|
||||
<input type="text" name="value" value="{{.Value}}" required class="input flex-1 font-mono text-sm">
|
||||
<button type="submit" class="btn-primary text-sm">Save</button>
|
||||
<button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
|
||||
</form>
|
||||
<p class="text-xs text-amber-600 mt-1">⚠ Container restart needed after env var changes.</p>
|
||||
</td>
|
||||
</template>
|
||||
</tr>
|
||||
@@ -208,11 +149,10 @@
|
||||
</table>
|
||||
</div>
|
||||
{{end}}
|
||||
<form method="POST" action="/apps/{{.App.ID}}/registry-credentials" class="flex flex-col sm:flex-row gap-2">
|
||||
{{ .CSRFField }}
|
||||
<input type="text" name="registry" placeholder="registry.example.com" required class="input flex-1 font-mono text-sm">
|
||||
<input type="text" name="username" placeholder="username" required class="input flex-1 font-mono text-sm">
|
||||
<input type="password" name="password" placeholder="password" required class="input flex-1 font-mono text-sm">
|
||||
<form method="POST" action="/apps/{{.App.ID}}/env" class="flex flex-col sm:flex-row gap-2">
|
||||
{{ .CSRFField }}
|
||||
<input type="text" name="key" placeholder="KEY" required class="input flex-1 font-mono text-sm">
|
||||
<input type="text" name="value" placeholder="value" required class="input flex-1 font-mono text-sm">
|
||||
<button type="submit" class="btn-primary">Add</button>
|
||||
</form>
|
||||
</div>
|
||||
|
||||
Reference in New Issue
Block a user