sneak/upaas
1
0
Fork 0
Code Issues 6 Pull Requests 6 Actions Packages Projects Releases 1 Wiki Activity

Compare commits

base: sneak:fix/js-formatting
Branches Tags
sneak:main sneak:feature/observability-improvements sneak:feature/private-registry-auth sneak:feature/github-gitlab-webhook-support sneak:feature/backup-restore-config sneak:feature/custom-healthcheck-command sneak:feature/cpu-memory-resource-limits sneak:fix/js-formatting sneak:fix/module-path sneak:fix/1.0-audit-bugs sneak:fix/disable-api-write-methods sneak:chore/code-cleanup sneak:ci/check-workflow-only sneak:fix/repo-url-validation sneak:fix/main-lint-issues sneak:feature/api-token-auth sneak:revert/pr-98 sneak:feat/ci-make-check sneak:ci/add-check-action sneak:fix/deploy-cancel-cleanup sneak:schema-consolidation sneak:feature/json-api sneak:chore/update-todo sneak:feature/edit-config-entities sneak:feature/deployment-rollback-tests sneak:update-todo-md sneak:feature/edit-entities sneak:feature/deployment-rollback sneak:feature/deploy-cancel
sneak:1.0.0
..
compare: sneak:feature/private-registry-auth
Branches Tags
sneak:feature/observability-improvements sneak:feature/private-registry-auth sneak:feature/github-gitlab-webhook-support sneak:feature/backup-restore-config sneak:feature/custom-healthcheck-command sneak:feature/cpu-memory-resource-limits sneak:main sneak:fix/js-formatting sneak:fix/module-path sneak:fix/1.0-audit-bugs sneak:fix/disable-api-write-methods sneak:chore/code-cleanup sneak:ci/check-workflow-only sneak:fix/repo-url-validation sneak:fix/main-lint-issues sneak:feature/api-token-auth sneak:revert/pr-98 sneak:feat/ci-make-check sneak:ci/add-check-action sneak:fix/deploy-cancel-cleanup sneak:schema-consolidation sneak:feature/json-api sneak:chore/update-todo sneak:feature/edit-config-entities sneak:feature/deployment-rollback-tests sneak:update-todo-md sneak:feature/edit-entities sneak:feature/deployment-rollback sneak:feature/deploy-cancel
sneak:1.0.0

3 Commits
fix/js-for ... feature/pr

Author SHA1 Message Date
clawbot
9627942573 fix: move writeLogsToFile doc comment to correct position
All checks were successful
Check / check (pull_request) Successful in 3m16s
Details 
The buildRegistryAuths function was inserted between the writeLogsToFile
doc comment and the writeLogsToFile function body, causing Go to treat
the writeLogsToFile comment as part of buildRegistryAuths godoc.

Move the writeLogsToFile comment to sit directly above its function,
and keep only the buildRegistryAuths comment above buildRegistryAuths.
 2026-03-17 02:39:38 -07:00
user
0f4acb554e feat: add private Docker registry authentication for base images
All checks were successful
Check / check (pull_request) Successful in 3m34s
Details 
Add per-app registry credentials that are passed to Docker during image
builds, allowing apps to use base images from private registries.

- New registry_credentials table (migration 007)
- RegistryCredential model with full CRUD operations
- Docker client passes AuthConfigs to ImageBuild when credentials exist
- Deploy service fetches app registry credentials before builds
- Web UI section for managing registry credentials (add/edit/delete)
- Comprehensive unit tests for model and auth config builder
- README updated to list the feature
 2026-03-17 02:14:39 -07:00
clawbot
fd110e69db feat: monolithic env var editing with bulk save (#158)
All checks were successful
Check / check (push) Successful in 6s
Details 
This PR fixes env var handling by consolidating individual add/edit/delete operations into a single monolithic bulk save.

## Changes

- **Template**: Restored original table-based UI with key/value rows, edit/delete buttons, and add form. Uses Alpine.js to manage the env var list client-side. On form submit, all env vars are collected into a hidden textarea and POSTed as a single bulk request.
- **Handler**: `HandleEnvVarSave` atomically replaces all env vars (DELETE all + INSERT full set).
- **Routes**: Single `POST /apps/{id}/env` endpoint replaces individual env var CRUD routes.
- **Models**: Added `DeleteEnvVarsByAppID` and `FindEnvVarsByAppID` for bulk operations.

closes #156
closes #163

Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de>
Co-authored-by: Jeffrey Paul <sneak@noreply.example.org>
Co-authored-by: user <user@Mac.lan guest wan>
Reviewed-on: #158
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>
 2026-03-11 12:06:56 +01:00
15 changed files with 1119 additions and 170 deletions
Expand all files Collapse all files

1
README.md
View File

@@ -9,6 +9,7 @@ A simple self-hosted PaaS that auto-deploys Docker containers from Git repositor
- Per-app UUID-based webhook URLs for Gitea integration - Per-app UUID-based webhook URLs for Gitea integration
- Branch filtering - only deploy on configured branch changes - Branch filtering - only deploy on configured branch changes
- Environment variables, labels, and volume mounts per app - Environment variables, labels, and volume mounts per app
- Private Docker registry authentication for base images
- Docker builds via socket access - Docker builds via socket access
- Notifications via ntfy and Slack-compatible webhooks - Notifications via ntfy and Slack-compatible webhooks
- Simple server-rendered UI with Tailwind CSS - Simple server-rendered UI with Tailwind CSS

11
internal/database/migrations/007_add_registry_credentials.sql Normal file
View File

@@ -0,0 +1,11 @@
-- Add registry credentials for private Docker registry authentication during builds
CREATE TABLE registry_credentials (
id INTEGER PRIMARY KEY,
app_id TEXT NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
registry TEXT NOT NULL,
username TEXT NOT NULL,
password TEXT NOT NULL,
UNIQUE(app_id, registry)
);
CREATE INDEX idx_registry_credentials_app_id ON registry_credentials(app_id);

96
internal/docker/auth_test.go Normal file
View File

@@ -0,0 +1,96 @@
package docker //nolint:testpackage // tests unexported buildAuthConfigs
import (
"testing"
)
func TestBuildAuthConfigsEmpty(t *testing.T) {
t.Parallel()
result := buildAuthConfigs(nil)
if len(result) != 0 {
t.Errorf("expected empty map, got %d entries", len(result))
}
}
func TestBuildAuthConfigsSingle(t *testing.T) {
t.Parallel()
auths := []RegistryAuth{
{
Registry: "registry.example.com",
Username: "user",
Password: "pass",
},
}
result := buildAuthConfigs(auths)
if len(result) != 1 {
t.Fatalf("expected 1 entry, got %d", len(result))
}
cfg, ok := result["registry.example.com"]
if !ok {
t.Fatal("expected registry.example.com key")
}
if cfg.Username != "user" {
t.Errorf("expected username 'user', got %q", cfg.Username)
}
if cfg.Password != "pass" {
t.Errorf("expected password 'pass', got %q", cfg.Password)
}
if cfg.ServerAddress != "registry.example.com" {
t.Errorf("expected server address 'registry.example.com', got %q", cfg.ServerAddress)
}
}
func TestBuildAuthConfigsMultiple(t *testing.T) {
t.Parallel()
auths := []RegistryAuth{
{Registry: "ghcr.io", Username: "ghuser", Password: "ghtoken"},
{Registry: "docker.io", Username: "dkuser", Password: "dktoken"},
}
result := buildAuthConfigs(auths)
if len(result) != 2 {
t.Fatalf("expected 2 entries, got %d", len(result))
}
ghcr := result["ghcr.io"]
if ghcr.Username != "ghuser" || ghcr.Password != "ghtoken" {
t.Errorf("unexpected ghcr.io config: %+v", ghcr)
}
dkr := result["docker.io"]
if dkr.Username != "dkuser" || dkr.Password != "dktoken" {
t.Errorf("unexpected docker.io config: %+v", dkr)
}
}
func TestRegistryAuthStruct(t *testing.T) {
t.Parallel()
auth := RegistryAuth{
Registry: "registry.example.com",
Username: "testuser",
Password: "testpass",
}
if auth.Registry != "registry.example.com" {
t.Errorf("expected registry 'registry.example.com', got %q", auth.Registry)
}
if auth.Username != "testuser" {
t.Errorf("expected username 'testuser', got %q", auth.Username)
}
if auth.Password != "testpass" {
t.Errorf("expected password 'testpass', got %q", auth.Password)
}
}

36
internal/docker/client.go
View File

@@ -20,6 +20,7 @@ import (
"github.com/docker/docker/api/types/image" "github.com/docker/docker/api/types/image"
"github.com/docker/docker/api/types/mount" "github.com/docker/docker/api/types/mount"
"github.com/docker/docker/api/types/network" "github.com/docker/docker/api/types/network"
"github.com/docker/docker/api/types/registry"
"github.com/docker/docker/client" "github.com/docker/docker/client"
"github.com/docker/docker/pkg/archive" "github.com/docker/docker/pkg/archive"
"github.com/docker/go-connections/nat" "github.com/docker/go-connections/nat"
@@ -105,12 +106,20 @@ func (c *Client) IsConnected() bool {
return c.docker != nil return c.docker != nil
} }
// RegistryAuth contains authentication credentials for a Docker registry.
type RegistryAuth struct {
Registry string
Username string
Password string //nolint:gosec // credential field required for registry auth
}
// BuildImageOptions contains options for building an image. // BuildImageOptions contains options for building an image.
type BuildImageOptions struct { type BuildImageOptions struct {
ContextDir string ContextDir string
DockerfilePath string DockerfilePath string
Tags []string Tags []string
LogWriter io.Writer // Optional writer for build output LogWriter io.Writer // Optional writer for build output
RegistryAuths []RegistryAuth // Optional registry credentials for pulling private base images
} }
// BuildImage builds a Docker image from a context directory. // BuildImage builds a Docker image from a context directory.
@@ -161,6 +170,21 @@ type PortMapping struct {
Protocol string // "tcp" or "udp" Protocol string // "tcp" or "udp"
} }
// buildAuthConfigs converts RegistryAuth slices into Docker's AuthConfigs map.
func buildAuthConfigs(auths []RegistryAuth) map[string]registry.AuthConfig {
configs := make(map[string]registry.AuthConfig, len(auths))
for _, auth := range auths {
configs[auth.Registry] = registry.AuthConfig{
Username: auth.Username,
Password: auth.Password,
ServerAddress: auth.Registry,
}
}
return configs
}
// buildPortConfig converts port mappings to Docker port configuration. // buildPortConfig converts port mappings to Docker port configuration.
func buildPortConfig(ports []PortMapping) (nat.PortSet, nat.PortMap) { func buildPortConfig(ports []PortMapping) (nat.PortSet, nat.PortMap) {
exposedPorts := make(nat.PortSet) exposedPorts := make(nat.PortSet)
@@ -513,12 +537,18 @@ func (c *Client) performBuild(
}() }()
// Build image // Build image
resp, err := c.docker.ImageBuild(ctx, tarArchive, dockertypes.ImageBuildOptions{ buildOpts := dockertypes.ImageBuildOptions{
Dockerfile: opts.DockerfilePath, Dockerfile: opts.DockerfilePath,
Tags: opts.Tags, Tags: opts.Tags,
Remove: true, Remove: true,
NoCache: false, NoCache: false,
}) }
if len(opts.RegistryAuths) > 0 {
buildOpts.AuthConfigs = buildAuthConfigs(opts.RegistryAuths)
}
resp, err := c.docker.ImageBuild(ctx, tarArchive, buildOpts)
if err != nil { if err != nil {
return "", fmt.Errorf("failed to build image: %w", err) return "", fmt.Errorf("failed to build image: %w", err)
} }

296
internal/handlers/app.go
View File

@@ -148,6 +148,7 @@ func (h *Handlers) HandleAppDetail() http.HandlerFunc {
labels, _ := application.GetLabels(request.Context()) labels, _ := application.GetLabels(request.Context())
volumes, _ := application.GetVolumes(request.Context()) volumes, _ := application.GetVolumes(request.Context())
ports, _ := application.GetPorts(request.Context()) ports, _ := application.GetPorts(request.Context())
registryCreds, _ := application.GetRegistryCredentials(request.Context())
deployments, _ := application.GetDeployments( deployments, _ := application.GetDeployments(
request.Context(), request.Context(),
recentDeploymentsLimit, recentDeploymentsLimit,
@@ -163,16 +164,17 @@ func (h *Handlers) HandleAppDetail() http.HandlerFunc {
deployKey := formatDeployKey(application.SSHPublicKey, application.CreatedAt, application.Name) deployKey := formatDeployKey(application.SSHPublicKey, application.CreatedAt, application.Name)
data := h.addGlobals(map[string]any{ data := h.addGlobals(map[string]any{
"App": application, "App": application,
"EnvVars": envVars, "EnvVars": envVars,
"Labels": labels, "Labels": labels,
"Volumes": volumes, "Volumes": volumes,
"Ports": ports, "Ports": ports,
"Deployments": deployments, "RegistryCredentials": registryCreds,
"LatestDeployment": latestDeployment, "Deployments": deployments,
"WebhookURL": webhookURL, "LatestDeployment": latestDeployment,
"DeployKey": deployKey, "WebhookURL": webhookURL,
"Success": request.URL.Query().Get("success"), "DeployKey": deployKey,
"Success": request.URL.Query().Get("success"),
}, request) }, request)
h.renderTemplate(writer, tmpl, "app_detail.html", data) h.renderTemplate(writer, tmpl, "app_detail.html", data)
@@ -903,50 +905,92 @@ func (h *Handlers) addKeyValueToApp(
http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther) http.Redirect(writer, request, "/apps/"+application.ID, http.StatusSeeOther)
} }
// HandleEnvVarAdd handles adding an environment variable. // envPairJSON represents a key-value pair in the JSON request body.
func (h *Handlers) HandleEnvVarAdd() http.HandlerFunc { type envPairJSON struct {
return func(writer http.ResponseWriter, request *http.Request) { Key string `json:"key"`
h.addKeyValueToApp( Value string `json:"value"`
writer,
request,
func(ctx context.Context, application *models.App, key, value string) error {
envVar := models.NewEnvVar(h.db)
envVar.AppID = application.ID
envVar.Key = key
envVar.Value = value
return envVar.Save(ctx)
},
)
}
} }
// HandleEnvVarDelete handles deleting an environment variable. // envVarMaxBodyBytes is the maximum allowed request body size for env var saves (1 MB).
func (h *Handlers) HandleEnvVarDelete() http.HandlerFunc { const envVarMaxBodyBytes = 1 << 20
// validateEnvPairs validates env var pairs.
// It rejects empty keys and duplicate keys (returns a non-empty error string).
func validateEnvPairs(pairs []envPairJSON) ([]models.EnvVarPair, string) {
seen := make(map[string]bool, len(pairs))
result := make([]models.EnvVarPair, 0, len(pairs))
for _, p := range pairs {
trimmedKey := strings.TrimSpace(p.Key)
if trimmedKey == "" {
return nil, "empty environment variable key is not allowed"
}
if seen[trimmedKey] {
return nil, "duplicate environment variable key: " + trimmedKey
}
seen[trimmedKey] = true
result = append(result, models.EnvVarPair{Key: trimmedKey, Value: p.Value})
}
return result, ""
}
// HandleEnvVarSave handles bulk saving of all environment variables.
// It reads a JSON array of {key, value} objects from the request body,
// deletes all existing env vars for the app, and inserts the full
// submitted set atomically within a database transaction.
// Duplicate keys are rejected with a 400 Bad Request error.
func (h *Handlers) HandleEnvVarSave() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) { return func(writer http.ResponseWriter, request *http.Request) {
appID := chi.URLParam(request, "id") appID := chi.URLParam(request, "id")
envVarIDStr := chi.URLParam(request, "varID")
envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64) application, findErr := models.FindApp(request.Context(), h.db, appID)
if parseErr != nil { if findErr != nil || application == nil {
http.NotFound(writer, request) http.NotFound(writer, request)
return return
} }
envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID) // Limit request body size to prevent abuse
if findErr != nil || envVar == nil || envVar.AppID != appID { request.Body = http.MaxBytesReader(writer, request.Body, envVarMaxBodyBytes)
http.NotFound(writer, request)
var pairs []envPairJSON
decodeErr := json.NewDecoder(request.Body).Decode(&pairs)
if decodeErr != nil {
h.respondJSON(writer, request, map[string]string{
"error": "invalid request body",
}, http.StatusBadRequest)
return return
} }
deleteErr := envVar.Delete(request.Context()) modelPairs, validationErr := validateEnvPairs(pairs)
if deleteErr != nil { if validationErr != "" {
h.log.Error("failed to delete env var", "error", deleteErr) h.respondJSON(writer, request, map[string]string{
"error": validationErr,
}, http.StatusBadRequest)
return
} }
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther) replaceErr := models.ReplaceEnvVarsByAppID(
request.Context(), h.db, application.ID, modelPairs,
)
if replaceErr != nil {
h.log.Error("failed to replace env vars", "error", replaceErr)
h.respondJSON(writer, request, map[string]string{
"error": "failed to save environment variables",
}, http.StatusInternalServerError)
return
}
h.respondJSON(writer, request, map[string]bool{"ok": true}, http.StatusOK)
} }
} }
@@ -1205,59 +1249,6 @@ func ValidateVolumePath(p string) error {
return nil return nil
} }
// HandleEnvVarEdit handles editing an existing environment variable.
func (h *Handlers) HandleEnvVarEdit() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
appID := chi.URLParam(request, "id")
envVarIDStr := chi.URLParam(request, "varID")
envVarID, parseErr := strconv.ParseInt(envVarIDStr, 10, 64)
if parseErr != nil {
http.NotFound(writer, request)
return
}
envVar, findErr := models.FindEnvVar(request.Context(), h.db, envVarID)
if findErr != nil || envVar == nil || envVar.AppID != appID {
http.NotFound(writer, request)
return
}
formErr := request.ParseForm()
if formErr != nil {
http.Error(writer, "Bad Request", http.StatusBadRequest)
return
}
key := request.FormValue("key")
value := request.FormValue("value")
if key == "" || value == "" {
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
return
}
envVar.Key = key
envVar.Value = value
saveErr := envVar.Save(request.Context())
if saveErr != nil {
h.log.Error("failed to update env var", "error", saveErr)
}
http.Redirect(
writer,
request,
"/apps/"+appID+"?success=env-updated",
http.StatusSeeOther,
)
}
}
// HandleLabelEdit handles editing an existing label. // HandleLabelEdit handles editing an existing label.
func (h *Handlers) HandleLabelEdit() http.HandlerFunc { func (h *Handlers) HandleLabelEdit() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) { return func(writer http.ResponseWriter, request *http.Request) {
@@ -1393,3 +1384,126 @@ func formatDeployKey(pubKey string, createdAt time.Time, appName string) string
return parts[0] + " " + parts[1] + " " + comment return parts[0] + " " + parts[1] + " " + comment
} }
// HandleRegistryCredentialAdd handles adding a registry credential.
func (h *Handlers) HandleRegistryCredentialAdd() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
appID := chi.URLParam(request, "id")
application, findErr := models.FindApp(request.Context(), h.db, appID)
if findErr != nil || application == nil {
http.NotFound(writer, request)
return
}
parseErr := request.ParseForm()
if parseErr != nil {
http.Error(writer, "Bad Request", http.StatusBadRequest)
return
}
registryURL := strings.TrimSpace(request.FormValue("registry"))
username := strings.TrimSpace(request.FormValue("username"))
password := request.FormValue("password")
if registryURL == "" || username == "" || password == "" {
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
return
}
cred := models.NewRegistryCredential(h.db)
cred.AppID = appID
cred.Registry = registryURL
cred.Username = username
cred.Password = password
saveErr := cred.Save(request.Context())
if saveErr != nil {
h.log.Error("failed to save registry credential", "error", saveErr)
}
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
}
}
// HandleRegistryCredentialEdit handles editing an existing registry credential.
func (h *Handlers) HandleRegistryCredentialEdit() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
appID := chi.URLParam(request, "id")
credIDStr := chi.URLParam(request, "credID")
credID, parseErr := strconv.ParseInt(credIDStr, 10, 64)
if parseErr != nil {
http.NotFound(writer, request)
return
}
cred, findErr := models.FindRegistryCredential(request.Context(), h.db, credID)
if findErr != nil || cred == nil || cred.AppID != appID {
http.NotFound(writer, request)
return
}
formErr := request.ParseForm()
if formErr != nil {
http.Error(writer, "Bad Request", http.StatusBadRequest)
return
}
registryURL := strings.TrimSpace(request.FormValue("registry"))
username := strings.TrimSpace(request.FormValue("username"))
password := request.FormValue("password")
if registryURL == "" || username == "" || password == "" {
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
return
}
cred.Registry = registryURL
cred.Username = username
cred.Password = password
saveErr := cred.Save(request.Context())
if saveErr != nil {
h.log.Error("failed to update registry credential", "error", saveErr)
}
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
}
}
// HandleRegistryCredentialDelete handles deleting a registry credential.
func (h *Handlers) HandleRegistryCredentialDelete() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
appID := chi.URLParam(request, "id")
credIDStr := chi.URLParam(request, "credID")
credID, parseErr := strconv.ParseInt(credIDStr, 10, 64)
if parseErr != nil {
http.NotFound(writer, request)
return
}
cred, findErr := models.FindRegistryCredential(request.Context(), h.db, credID)
if findErr != nil || cred == nil || cred.AppID != appID {
http.NotFound(writer, request)
return
}
deleteErr := cred.Delete(request.Context())
if deleteErr != nil {
h.log.Error("failed to delete registry credential", "error", deleteErr)
}
http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
}
}

301
internal/handlers/handlers_test.go
View File

@@ -560,45 +560,242 @@ func testOwnershipVerification(t *testing.T, cfg ownedResourceTestConfig) {
cfg.verifyFn(t, testCtx, resourceID) cfg.verifyFn(t, testCtx, resourceID)
} }
// TestDeleteEnvVarOwnershipVerification tests that deleting an env var // TestHandleEnvVarSaveBulk tests that HandleEnvVarSave replaces all env vars
// via another app's URL path returns 404 (IDOR prevention). // for an app with the submitted set (monolithic delete-all + insert-all).
func TestDeleteEnvVarOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern func TestHandleEnvVarSaveBulk(t *testing.T) {
t.Parallel() t.Parallel()
testOwnershipVerification(t, ownedResourceTestConfig{ testCtx := setupTestHandlers(t)
appPrefix1: "envvar-owner-app", createdApp := createTestApp(t, testCtx, "envvar-bulk-app")
appPrefix2: "envvar-other-app",
createFn: func(t *testing.T, tc *testContext, ownerApp *models.App) int64 {
t.Helper()
envVar := models.NewEnvVar(tc.database) // Create some pre-existing env vars
envVar.AppID = ownerApp.ID for _, kv := range [][2]string{{"OLD_KEY", "old_value"}, {"REMOVE_ME", "gone"}} {
envVar.Key = "SECRET" ev := models.NewEnvVar(testCtx.database)
envVar.Value = "hunter2" ev.AppID = createdApp.ID
require.NoError(t, envVar.Save(context.Background())) ev.Key = kv[0]
ev.Value = kv[1]
require.NoError(t, ev.Save(context.Background()))
}
return envVar.ID // Submit a new set as a JSON array of key/value objects
}, body := `[{"key":"NEW_KEY","value":"new_value"},{"key":"ANOTHER","value":"42"}]`
deletePath: func(appID string, resourceID int64) string {
return "/apps/" + appID + "/env/" + strconv.FormatInt(resourceID, 10) + "/delete"
},
chiParams: func(appID string, resourceID int64) map[string]string {
return map[string]string{"id": appID, "varID": strconv.FormatInt(resourceID, 10)}
},
handler: func(h *handlers.Handlers) http.HandlerFunc { return h.HandleEnvVarDelete() },
verifyFn: func(t *testing.T, tc *testContext, resourceID int64) {
t.Helper()
found, findErr := models.FindEnvVar(context.Background(), tc.database, resourceID) r := chi.NewRouter()
require.NoError(t, findErr) r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
assert.NotNil(t, found, "env var should still exist after IDOR attempt")
}, request := httptest.NewRequest(
}) http.MethodPost,
"/apps/"+createdApp.ID+"/env",
strings.NewReader(body),
)
request.Header.Set("Content-Type", "application/json")
recorder := httptest.NewRecorder()
r.ServeHTTP(recorder, request)
assert.Equal(t, http.StatusOK, recorder.Code)
// Verify old env vars are gone and new ones exist
envVars, err := models.FindEnvVarsByAppID(
context.Background(), testCtx.database, createdApp.ID,
)
require.NoError(t, err)
assert.Len(t, envVars, 2)
keys := make(map[string]string)
for _, ev := range envVars {
keys[ev.Key] = ev.Value
}
assert.Equal(t, "new_value", keys["NEW_KEY"])
assert.Equal(t, "42", keys["ANOTHER"])
assert.Empty(t, keys["OLD_KEY"], "old env vars should be deleted")
assert.Empty(t, keys["REMOVE_ME"], "old env vars should be deleted")
}
// TestHandleEnvVarSaveAppNotFound tests that HandleEnvVarSave returns 404
// for a non-existent app.
func TestHandleEnvVarSaveAppNotFound(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
body := `[{"key":"KEY","value":"value"}]`
r := chi.NewRouter()
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
request := httptest.NewRequest(
http.MethodPost,
"/apps/nonexistent-id/env",
strings.NewReader(body),
)
request.Header.Set("Content-Type", "application/json")
recorder := httptest.NewRecorder()
r.ServeHTTP(recorder, request)
assert.Equal(t, http.StatusNotFound, recorder.Code)
}
// TestHandleEnvVarSaveEmptyKeyRejected verifies that submitting a JSON
// array containing an entry with an empty key returns 400.
func TestHandleEnvVarSaveEmptyKeyRejected(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
createdApp := createTestApp(t, testCtx, "envvar-emptykey-app")
body := `[{"key":"VALID_KEY","value":"ok"},{"key":"","value":"bad"}]`
r := chi.NewRouter()
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
request := httptest.NewRequest(
http.MethodPost,
"/apps/"+createdApp.ID+"/env",
strings.NewReader(body),
)
request.Header.Set("Content-Type", "application/json")
recorder := httptest.NewRecorder()
r.ServeHTTP(recorder, request)
assert.Equal(t, http.StatusBadRequest, recorder.Code)
}
// TestHandleEnvVarSaveDuplicateKeyRejected verifies that when the client
// sends duplicate keys, the server rejects them with 400 Bad Request.
func TestHandleEnvVarSaveDuplicateKeyRejected(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
createdApp := createTestApp(t, testCtx, "envvar-dedup-app")
// Send two entries with the same key — should be rejected
body := `[{"key":"FOO","value":"first"},{"key":"BAR","value":"bar"},{"key":"FOO","value":"second"}]`
r := chi.NewRouter()
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
request := httptest.NewRequest(
http.MethodPost,
"/apps/"+createdApp.ID+"/env",
strings.NewReader(body),
)
request.Header.Set("Content-Type", "application/json")
recorder := httptest.NewRecorder()
r.ServeHTTP(recorder, request)
assert.Equal(t, http.StatusBadRequest, recorder.Code)
assert.Contains(t, recorder.Body.String(), "duplicate environment variable key: FOO")
}
// TestHandleEnvVarSaveCrossAppIsolation verifies that posting env vars
// to appA's endpoint does not affect appB's env vars (IDOR prevention).
func TestHandleEnvVarSaveCrossAppIsolation(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
appA := createTestApp(t, testCtx, "envvar-iso-appA")
appB := createTestApp(t, testCtx, "envvar-iso-appB")
// Give appB some env vars
for _, kv := range [][2]string{{"B_KEY1", "b_val1"}, {"B_KEY2", "b_val2"}} {
ev := models.NewEnvVar(testCtx.database)
ev.AppID = appB.ID
ev.Key = kv[0]
ev.Value = kv[1]
require.NoError(t, ev.Save(context.Background()))
}
// POST new env vars to appA's endpoint
body := `[{"key":"A_KEY","value":"a_val"}]`
r := chi.NewRouter()
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
request := httptest.NewRequest(
http.MethodPost,
"/apps/"+appA.ID+"/env",
strings.NewReader(body),
)
request.Header.Set("Content-Type", "application/json")
recorder := httptest.NewRecorder()
r.ServeHTTP(recorder, request)
assert.Equal(t, http.StatusOK, recorder.Code)
// Verify appA has exactly what we sent
appAVars, err := models.FindEnvVarsByAppID(
context.Background(), testCtx.database, appA.ID,
)
require.NoError(t, err)
assert.Len(t, appAVars, 1)
assert.Equal(t, "A_KEY", appAVars[0].Key)
// Verify appB's env vars are completely untouched
appBVars, err := models.FindEnvVarsByAppID(
context.Background(), testCtx.database, appB.ID,
)
require.NoError(t, err)
assert.Len(t, appBVars, 2, "appB env vars must not be affected")
bKeys := make(map[string]string)
for _, ev := range appBVars {
bKeys[ev.Key] = ev.Value
}
assert.Equal(t, "b_val1", bKeys["B_KEY1"])
assert.Equal(t, "b_val2", bKeys["B_KEY2"])
}
// TestHandleEnvVarSaveBodySizeLimit verifies that a request body
// exceeding the 1 MB limit is rejected.
func TestHandleEnvVarSaveBodySizeLimit(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
createdApp := createTestApp(t, testCtx, "envvar-sizelimit-app")
// Build a JSON body that exceeds 1 MB
// Each entry is ~30 bytes; 40000 entries ≈ 1.2 MB
var sb strings.Builder
sb.WriteString("[")
for i := range 40000 {
if i > 0 {
sb.WriteString(",")
}
sb.WriteString(`{"key":"K` + strconv.Itoa(i) + `","value":"val"}`)
}
sb.WriteString("]")
r := chi.NewRouter()
r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
request := httptest.NewRequest(
http.MethodPost,
"/apps/"+createdApp.ID+"/env",
strings.NewReader(sb.String()),
)
request.Header.Set("Content-Type", "application/json")
recorder := httptest.NewRecorder()
r.ServeHTTP(recorder, request)
assert.Equal(t, http.StatusBadRequest, recorder.Code,
"oversized body should be rejected with 400")
} }
// TestDeleteLabelOwnershipVerification tests that deleting a label // TestDeleteLabelOwnershipVerification tests that deleting a label
// via another app's URL path returns 404 (IDOR prevention). // via another app's URL path returns 404 (IDOR prevention).
func TestDeleteLabelOwnershipVerification(t *testing.T) { //nolint:dupl // intentionally similar IDOR test pattern func TestDeleteLabelOwnershipVerification(t *testing.T) {
t.Parallel() t.Parallel()
testOwnershipVerification(t, ownedResourceTestConfig{ testOwnershipVerification(t, ownedResourceTestConfig{
@@ -714,41 +911,43 @@ func TestDeletePortOwnershipVerification(t *testing.T) {
assert.NotNil(t, found, "port should still exist after IDOR attempt") assert.NotNil(t, found, "port should still exist after IDOR attempt")
} }
// TestHandleEnvVarDeleteUsesCorrectRouteParam verifies that HandleEnvVarDelete // TestHandleEnvVarSaveEmptyClears verifies that submitting an empty JSON
// reads the "varID" chi URL parameter (matching the route definition {varID}), // array deletes all existing env vars for the app.
// not a mismatched name like "envID". func TestHandleEnvVarSaveEmptyClears(t *testing.T) {
func TestHandleEnvVarDeleteUsesCorrectRouteParam(t *testing.T) {
t.Parallel() t.Parallel()
testCtx := setupTestHandlers(t) testCtx := setupTestHandlers(t)
createdApp := createTestApp(t, testCtx, "envvar-clear-app")
createdApp := createTestApp(t, testCtx, "envdelete-param-app") // Create a pre-existing env var
ev := models.NewEnvVar(testCtx.database)
ev.AppID = createdApp.ID
ev.Key = "DELETE_ME"
ev.Value = "gone"
require.NoError(t, ev.Save(context.Background()))
envVar := models.NewEnvVar(testCtx.database) // Submit empty JSON array
envVar.AppID = createdApp.ID
envVar.Key = "DELETE_ME"
envVar.Value = "gone"
require.NoError(t, envVar.Save(context.Background()))
// Use chi router with the real route pattern to test param name
r := chi.NewRouter() r := chi.NewRouter()
r.Post("/apps/{id}/env-vars/{varID}/delete", testCtx.handlers.HandleEnvVarDelete()) r.Post("/apps/{id}/env", testCtx.handlers.HandleEnvVarSave())
request := httptest.NewRequest( request := httptest.NewRequest(
http.MethodPost, http.MethodPost,
"/apps/"+createdApp.ID+"/env-vars/"+strconv.FormatInt(envVar.ID, 10)+"/delete", "/apps/"+createdApp.ID+"/env",
nil, strings.NewReader("[]"),
) )
recorder := httptest.NewRecorder() request.Header.Set("Content-Type", "application/json")
recorder := httptest.NewRecorder()
r.ServeHTTP(recorder, request) r.ServeHTTP(recorder, request)
assert.Equal(t, http.StatusSeeOther, recorder.Code) assert.Equal(t, http.StatusOK, recorder.Code)
// Verify the env var was actually deleted // Verify all env vars are gone
found, findErr := models.FindEnvVar(context.Background(), testCtx.database, envVar.ID) envVars, err := models.FindEnvVarsByAppID(
require.NoError(t, findErr) context.Background(), testCtx.database, createdApp.ID,
assert.Nil(t, found, "env var should be deleted when using correct route param") )
require.NoError(t, err)
assert.Empty(t, envVars, "all env vars should be deleted")
} }
// TestHandleVolumeAddValidatesPaths verifies that HandleVolumeAdd validates // TestHandleVolumeAddValidatesPaths verifies that HandleVolumeAdd validates

5
internal/models/app.go
View File

@@ -119,6 +119,11 @@ func (a *App) GetWebhookEvents(
return FindWebhookEventsByAppID(ctx, a.db, a.ID, limit) return FindWebhookEventsByAppID(ctx, a.db, a.ID, limit)
} }
// GetRegistryCredentials returns all registry credentials for the app.
func (a *App) GetRegistryCredentials(ctx context.Context) ([]*RegistryCredential, error) {
return FindRegistryCredentialsByAppID(ctx, a.db, a.ID)
}
func (a *App) exists(ctx context.Context) bool { func (a *App) exists(ctx context.Context) bool {
if a.ID == "" { if a.ID == "" {
return false return false

44
internal/models/env_var.go
View File

@@ -1,4 +1,3 @@
//nolint:dupl // Active Record pattern - similar structure to label.go is intentional
package models package models
import ( import (
@@ -129,13 +128,48 @@ func FindEnvVarsByAppID(
return envVars, rows.Err() return envVars, rows.Err()
} }
// DeleteEnvVarsByAppID deletes all env vars for an app. // EnvVarPair is a key-value pair for bulk env var operations.
func DeleteEnvVarsByAppID( type EnvVarPair struct {
Key string
Value string
}
// ReplaceEnvVarsByAppID atomically replaces all env vars for an app
// within a single database transaction. It deletes all existing env
// vars and inserts the provided pairs. If any operation fails, the
// entire transaction is rolled back.
func ReplaceEnvVarsByAppID(
ctx context.Context, ctx context.Context,
db *database.Database, db *database.Database,
appID string, appID string,
pairs []EnvVarPair,
) error { ) error {
_, err := db.Exec(ctx, "DELETE FROM app_env_vars WHERE app_id = ?", appID) tx, err := db.BeginTx(ctx, nil)
if err != nil {
return fmt.Errorf("beginning transaction: %w", err)
}
return err defer func() { _ = tx.Rollback() }()
_, err = tx.ExecContext(ctx, "DELETE FROM app_env_vars WHERE app_id = ?", appID)
if err != nil {
return fmt.Errorf("deleting env vars: %w", err)
}
for _, p := range pairs {
_, err = tx.ExecContext(ctx,
"INSERT INTO app_env_vars (app_id, key, value) VALUES (?, ?, ?)",
appID, p.Key, p.Value,
)
if err != nil {
return fmt.Errorf("inserting env var %q: %w", p.Key, err)
}
}
err = tx.Commit()
if err != nil {
return fmt.Errorf("committing transaction: %w", err)
}
return nil
} }

1
internal/models/label.go
View File

@@ -1,4 +1,3 @@
//nolint:dupl // Active Record pattern - similar structure to env_var.go is intentional
package models package models
import ( import (

134
internal/models/models_test.go
View File

@@ -23,6 +23,7 @@ const (
testBranch = "main" testBranch = "main"
testValue = "value" testValue = "value"
testEventType = "push" testEventType = "push"
testUser = "user"
) )
func setupTestDB(t *testing.T) (*database.Database, func()) { func setupTestDB(t *testing.T) (*database.Database, func()) {
@@ -704,6 +705,127 @@ func TestAppGetWebhookEvents(t *testing.T) {
assert.Len(t, events, 1) assert.Len(t, events, 1)
} }
// RegistryCredential Tests.
func TestRegistryCredentialCreateAndFind(t *testing.T) {
t.Parallel()
testDB, cleanup := setupTestDB(t)
defer cleanup()
app := createTestApp(t, testDB)
cred := models.NewRegistryCredential(testDB)
cred.AppID = app.ID
cred.Registry = "registry.example.com"
cred.Username = "myuser"
cred.Password = "mypassword"
err := cred.Save(context.Background())
require.NoError(t, err)
assert.NotZero(t, cred.ID)
creds, err := models.FindRegistryCredentialsByAppID(
context.Background(), testDB, app.ID,
)
require.NoError(t, err)
require.Len(t, creds, 1)
assert.Equal(t, "registry.example.com", creds[0].Registry)
assert.Equal(t, "myuser", creds[0].Username)
assert.Equal(t, "mypassword", creds[0].Password)
}
func TestRegistryCredentialUpdate(t *testing.T) {
t.Parallel()
testDB, cleanup := setupTestDB(t)
defer cleanup()
app := createTestApp(t, testDB)
cred := models.NewRegistryCredential(testDB)
cred.AppID = app.ID
cred.Registry = "old.registry.com"
cred.Username = "olduser"
cred.Password = "oldpass"
err := cred.Save(context.Background())
require.NoError(t, err)
cred.Registry = "new.registry.com"
cred.Username = "newuser"
cred.Password = "newpass"
err = cred.Save(context.Background())
require.NoError(t, err)
found, err := models.FindRegistryCredential(context.Background(), testDB, cred.ID)
require.NoError(t, err)
require.NotNil(t, found)
assert.Equal(t, "new.registry.com", found.Registry)
assert.Equal(t, "newuser", found.Username)
assert.Equal(t, "newpass", found.Password)
}
func TestRegistryCredentialDelete(t *testing.T) {
t.Parallel()
testDB, cleanup := setupTestDB(t)
defer cleanup()
app := createTestApp(t, testDB)
cred := models.NewRegistryCredential(testDB)
cred.AppID = app.ID
cred.Registry = "delete.registry.com"
cred.Username = testUser
cred.Password = "pass"
err := cred.Save(context.Background())
require.NoError(t, err)
err = cred.Delete(context.Background())
require.NoError(t, err)
creds, err := models.FindRegistryCredentialsByAppID(
context.Background(), testDB, app.ID,
)
require.NoError(t, err)
assert.Empty(t, creds)
}
func TestRegistryCredentialFindByIDNotFound(t *testing.T) {
t.Parallel()
testDB, cleanup := setupTestDB(t)
defer cleanup()
found, err := models.FindRegistryCredential(context.Background(), testDB, 99999)
require.NoError(t, err)
assert.Nil(t, found)
}
func TestAppGetRegistryCredentials(t *testing.T) {
t.Parallel()
testDB, cleanup := setupTestDB(t)
defer cleanup()
app := createTestApp(t, testDB)
cred := models.NewRegistryCredential(testDB)
cred.AppID = app.ID
cred.Registry = "ghcr.io"
cred.Username = testUser
cred.Password = "token"
_ = cred.Save(context.Background())
creds, err := app.GetRegistryCredentials(context.Background())
require.NoError(t, err)
assert.Len(t, creds, 1)
assert.Equal(t, "ghcr.io", creds[0].Registry)
}
// Cascade Delete Tests. // Cascade Delete Tests.
//nolint:funlen // Test function with many assertions - acceptable for integration tests //nolint:funlen // Test function with many assertions - acceptable for integration tests
@@ -749,6 +871,13 @@ func TestCascadeDelete(t *testing.T) {
deploy.Status = models.DeploymentStatusSuccess deploy.Status = models.DeploymentStatusSuccess
_ = deploy.Save(context.Background()) _ = deploy.Save(context.Background())
regCred := models.NewRegistryCredential(testDB)
regCred.AppID = app.ID
regCred.Registry = "registry.example.com"
regCred.Username = testUser
regCred.Password = "pass"
_ = regCred.Save(context.Background())
// Delete app. // Delete app.
err := app.Delete(context.Background()) err := app.Delete(context.Background())
require.NoError(t, err) require.NoError(t, err)
@@ -778,6 +907,11 @@ func TestCascadeDelete(t *testing.T) {
context.Background(), testDB, app.ID, 10, context.Background(), testDB, app.ID, 10,
) )
assert.Empty(t, deployments) assert.Empty(t, deployments)
regCreds, _ := models.FindRegistryCredentialsByAppID(
context.Background(), testDB, app.ID,
)
assert.Empty(t, regCreds)
}) })
} }

130
internal/models/registry_credential.go Normal file
View File

@@ -0,0 +1,130 @@
package models
import (
"context"
"database/sql"
"errors"
"fmt"
"sneak.berlin/go/upaas/internal/database"
)
// RegistryCredential represents authentication credentials for a private Docker registry.
type RegistryCredential struct {
db *database.Database
ID int64
AppID string
Registry string
Username string
Password string //nolint:gosec // credential field required for registry auth
}
// NewRegistryCredential creates a new RegistryCredential with a database reference.
func NewRegistryCredential(db *database.Database) *RegistryCredential {
return &RegistryCredential{db: db}
}
// Save inserts or updates the registry credential in the database.
func (r *RegistryCredential) Save(ctx context.Context) error {
if r.ID == 0 {
return r.insert(ctx)
}
return r.update(ctx)
}
// Delete removes the registry credential from the database.
func (r *RegistryCredential) Delete(ctx context.Context) error {
_, err := r.db.Exec(ctx, "DELETE FROM registry_credentials WHERE id = ?", r.ID)
return err
}
func (r *RegistryCredential) insert(ctx context.Context) error {
query := "INSERT INTO registry_credentials (app_id, registry, username, password) VALUES (?, ?, ?, ?)"
result, err := r.db.Exec(ctx, query, r.AppID, r.Registry, r.Username, r.Password)
if err != nil {
return err
}
id, err := result.LastInsertId()
if err != nil {
return err
}
r.ID = id
return nil
}
func (r *RegistryCredential) update(ctx context.Context) error {
query := "UPDATE registry_credentials SET registry = ?, username = ?, password = ? WHERE id = ?"
_, err := r.db.Exec(ctx, query, r.Registry, r.Username, r.Password, r.ID)
return err
}
// FindRegistryCredential finds a registry credential by ID.
//
//nolint:nilnil // returning nil,nil is idiomatic for "not found" in Active Record
func FindRegistryCredential(
ctx context.Context,
db *database.Database,
id int64,
) (*RegistryCredential, error) {
cred := NewRegistryCredential(db)
row := db.QueryRow(ctx,
"SELECT id, app_id, registry, username, password FROM registry_credentials WHERE id = ?",
id,
)
err := row.Scan(&cred.ID, &cred.AppID, &cred.Registry, &cred.Username, &cred.Password)
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
return nil, nil
}
return nil, fmt.Errorf("scanning registry credential: %w", err)
}
return cred, nil
}
// FindRegistryCredentialsByAppID finds all registry credentials for an app.
func FindRegistryCredentialsByAppID(
ctx context.Context,
db *database.Database,
appID string,
) ([]*RegistryCredential, error) {
query := `
SELECT id, app_id, registry, username, password FROM registry_credentials
WHERE app_id = ? ORDER BY registry`
rows, err := db.Query(ctx, query, appID)
if err != nil {
return nil, fmt.Errorf("querying registry credentials by app: %w", err)
}
defer func() { _ = rows.Close() }()
var creds []*RegistryCredential
for rows.Next() {
cred := NewRegistryCredential(db)
scanErr := rows.Scan(
&cred.ID, &cred.AppID, &cred.Registry, &cred.Username, &cred.Password,
)
if scanErr != nil {
return nil, scanErr
}
creds = append(creds, cred)
}
return creds, rows.Err()
}

11
internal/server/routes.go
View File

@@ -82,10 +82,8 @@ func (s *Server) SetupRoutes() {
r.Post("/apps/{id}/stop", s.handlers.HandleAppStop()) r.Post("/apps/{id}/stop", s.handlers.HandleAppStop())
r.Post("/apps/{id}/start", s.handlers.HandleAppStart()) r.Post("/apps/{id}/start", s.handlers.HandleAppStart())
// Environment variables // Environment variables (monolithic bulk save)
r.Post("/apps/{id}/env-vars", s.handlers.HandleEnvVarAdd()) r.Post("/apps/{id}/env", s.handlers.HandleEnvVarSave())
r.Post("/apps/{id}/env-vars/{varID}/edit", s.handlers.HandleEnvVarEdit())
r.Post("/apps/{id}/env-vars/{varID}/delete", s.handlers.HandleEnvVarDelete())
// Labels // Labels
r.Post("/apps/{id}/labels", s.handlers.HandleLabelAdd()) r.Post("/apps/{id}/labels", s.handlers.HandleLabelAdd())
@@ -100,6 +98,11 @@ func (s *Server) SetupRoutes() {
// Ports // Ports
r.Post("/apps/{id}/ports", s.handlers.HandlePortAdd()) r.Post("/apps/{id}/ports", s.handlers.HandlePortAdd())
r.Post("/apps/{id}/ports/{portID}/delete", s.handlers.HandlePortDelete()) r.Post("/apps/{id}/ports/{portID}/delete", s.handlers.HandlePortDelete())
// Registry Credentials
r.Post("/apps/{id}/registry-credentials", s.handlers.HandleRegistryCredentialAdd())
r.Post("/apps/{id}/registry-credentials/{credID}/edit", s.handlers.HandleRegistryCredentialEdit())
r.Post("/apps/{id}/registry-credentials/{credID}/delete", s.handlers.HandleRegistryCredentialDelete())
}) })
}) })

36
internal/service/deploy/deploy.go
View File

@@ -830,6 +830,13 @@ func (svc *Service) buildImage(
logWriter := newDeploymentLogWriter(ctx, deployment) logWriter := newDeploymentLogWriter(ctx, deployment)
defer logWriter.Close() defer logWriter.Close()
// Fetch registry credentials for private base images
registryAuths, err := svc.buildRegistryAuths(ctx, app)
if err != nil {
svc.log.Warn("failed to fetch registry credentials", "error", err, "app", app.Name)
// Continue without auth — public images will still work
}
// BuildImage creates a tar archive from the local filesystem, // BuildImage creates a tar archive from the local filesystem,
// so it needs the container path where files exist, not the host path. // so it needs the container path where files exist, not the host path.
imageID, err := svc.docker.BuildImage(ctx, docker.BuildImageOptions{ imageID, err := svc.docker.BuildImage(ctx, docker.BuildImageOptions{
@@ -837,6 +844,7 @@ func (svc *Service) buildImage(
DockerfilePath: app.DockerfilePath, DockerfilePath: app.DockerfilePath,
Tags: []string{imageTag}, Tags: []string{imageTag},
LogWriter: logWriter, LogWriter: logWriter,
RegistryAuths: registryAuths,
}) })
if err != nil { if err != nil {
svc.notify.NotifyBuildFailed(ctx, app, deployment, err) svc.notify.NotifyBuildFailed(ctx, app, deployment, err)
@@ -1227,6 +1235,34 @@ func (svc *Service) failDeployment(
_ = app.Save(ctx) _ = app.Save(ctx)
} }
// buildRegistryAuths fetches registry credentials for an app and converts them
// to Docker RegistryAuth objects for use during image builds.
func (svc *Service) buildRegistryAuths(
ctx context.Context,
app *models.App,
) ([]docker.RegistryAuth, error) {
creds, err := app.GetRegistryCredentials(ctx)
if err != nil {
return nil, fmt.Errorf("failed to get registry credentials: %w", err)
}
if len(creds) == 0 {
return nil, nil
}
auths := make([]docker.RegistryAuth, 0, len(creds))
for _, cred := range creds {
auths = append(auths, docker.RegistryAuth{
Registry: cred.Registry,
Username: cred.Username,
Password: cred.Password,
})
}
return auths, nil
}
// writeLogsToFile writes the deployment logs to a file on disk. // writeLogsToFile writes the deployment logs to a file on disk.
// Structure: DataDir/logs/<hostname>/<appname>/<appname>_<sha>_<timestamp>.log.txt // Structure: DataDir/logs/<hostname>/<appname>/<appname>_<sha>_<timestamp>.log.txt
func (svc *Service) writeLogsToFile(app *models.App, deployment *models.Deployment) { func (svc *Service) writeLogsToFile(app *models.App, deployment *models.Deployment) {

97
static/js/app-detail.js
View File

@@ -6,6 +6,103 @@
*/ */
document.addEventListener("alpine:init", () => { document.addEventListener("alpine:init", () => {
// ============================================
// Environment Variable Editor Component
// ============================================
Alpine.data("envVarEditor", (appId) => ({
vars: [],
editIdx: -1,
editKey: "",
editVal: "",
appId: appId,
init() {
this.vars = Array.from(this.$el.querySelectorAll(".env-init")).map(
(span) => ({
key: span.dataset.key,
value: span.dataset.value,
}),
);
},
startEdit(i) {
this.editIdx = i;
this.editKey = this.vars[i].key;
this.editVal = this.vars[i].value;
},
saveEdit(i) {
this.vars[i] = { key: this.editKey, value: this.editVal };
this.editIdx = -1;
this.submitAll();
},
removeVar(i) {
if (!window.confirm("Delete this environment variable?")) {
return;
}
this.vars.splice(i, 1);
this.submitAll();
},
addVar(keyEl, valEl) {
const k = keyEl.value.trim();
const v = valEl.value.trim();
if (!k) {
return;
}
this.vars.push({ key: k, value: v });
this.submitAll();
},
submitAll() {
const csrfInput = this.$el.querySelector(
'input[name="gorilla.csrf.Token"]',
);
const csrfToken = csrfInput ? csrfInput.value : "";
fetch("/apps/" + this.appId + "/env", {
method: "POST",
headers: {
"Content-Type": "application/json",
"X-CSRF-Token": csrfToken,
},
body: JSON.stringify(
this.vars.map((e) => ({ key: e.key, value: e.value })),
),
})
.then((res) => {
if (res.ok) {
window.location.reload();
return;
}
res.json()
.then((data) => {
window.alert(
data.error ||
"Failed to save environment variables.",
);
})
.catch(() => {
window.alert(
"Failed to save environment variables.",
);
});
})
.catch(() => {
window.alert(
"Network error: could not save environment variables.",
);
});
},
}));
// ============================================
// App Detail Page Component
// ============================================
Alpine.data("appDetail", (config) => ({ Alpine.data("appDetail", (config) => ({
appId: config.appId, appId: config.appId,
currentDeploymentId: config.initialDeploymentId, currentDeploymentId: config.initialDeploymentId,

90
templates/app_detail.html
View File

@@ -101,9 +101,10 @@
</div> </div>
<!-- Environment Variables --> <!-- Environment Variables -->
<div class="card p-6 mb-6"> <div class="card p-6 mb-6" x-data="envVarEditor('{{.App.ID}}')">
<h2 class="section-title mb-4">Environment Variables</h2> <h2 class="section-title mb-4">Environment Variables</h2>
{{if .EnvVars}} {{range .EnvVars}}<span class="env-init hidden" data-key="{{.Key}}" data-value="{{.Value}}"></span>{{end}}
<template x-if="vars.length > 0">
<div class="overflow-x-auto mb-4"> <div class="overflow-x-auto mb-4">
<table class="table"> <table class="table">
<thead class="table-header"> <thead class="table-header">
@@ -114,33 +115,91 @@
</tr> </tr>
</thead> </thead>
<tbody class="table-body"> <tbody class="table-body">
{{range .EnvVars}} <template x-for="(env, idx) in vars" :key="idx">
<tr>
<template x-if="editIdx !== idx">
<td class="font-mono font-medium" x-text="env.key"></td>
</template>
<template x-if="editIdx !== idx">
<td class="font-mono text-gray-500" x-text="env.value"></td>
</template>
<template x-if="editIdx !== idx">
<td class="text-right">
<button @click="startEdit(idx)" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
<button @click="removeVar(idx)" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
</td>
</template>
<template x-if="editIdx === idx">
<td colspan="3">
<form @submit.prevent="saveEdit(idx)" class="flex gap-2 items-center">
<input type="text" x-model="editKey" required class="input flex-1 font-mono text-sm">
<input type="text" x-model="editVal" required class="input flex-1 font-mono text-sm">
<button type="submit" class="btn-primary text-sm">Save</button>
<button type="button" @click="editIdx = -1" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
</form>
<p class="text-xs text-amber-600 mt-1">⚠ Container restart needed after env var changes.</p>
</td>
</template>
</tr>
</template>
</tbody>
</table>
</div>
</template>
<form @submit.prevent="addVar($refs.newKey, $refs.newVal)" class="flex flex-col sm:flex-row gap-2">
<input x-ref="newKey" type="text" placeholder="KEY" required class="input flex-1 font-mono text-sm">
<input x-ref="newVal" type="text" placeholder="value" required class="input flex-1 font-mono text-sm">
<button type="submit" class="btn-primary">Add</button>
</form>
<div class="hidden">{{ .CSRFField }}</div>
</div>
<!-- Registry Credentials -->
<div class="card p-6 mb-6">
<h2 class="section-title mb-4">Registry Credentials</h2>
<p class="text-sm text-gray-500 mb-3">Authenticate to private Docker registries when pulling base images during builds.</p>
{{if .RegistryCredentials}}
<div class="overflow-x-auto mb-4">
<table class="table">
<thead class="table-header">
<tr>
<th>Registry</th>
<th>Username</th>
<th>Password</th>
<th class="text-right">Actions</th>
</tr>
</thead>
<tbody class="table-body">
{{range .RegistryCredentials}}
<tr x-data="{ editing: false }"> <tr x-data="{ editing: false }">
<template x-if="!editing"> <template x-if="!editing">
<td class="font-mono font-medium">{{.Key}}</td> <td class="font-mono">{{.Registry}}</td>
</template> </template>
<template x-if="!editing"> <template x-if="!editing">
<td class="font-mono text-gray-500">{{.Value}}</td> <td class="font-mono">{{.Username}}</td>
</template>
<template x-if="!editing">
<td class="font-mono text-gray-400">••••••••</td>
</template> </template>
<template x-if="!editing"> <template x-if="!editing">
<td class="text-right"> <td class="text-right">
<button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button> <button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
<form method="POST" action="/apps/{{$.App.ID}}/env-vars/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this environment variable?')" @submit="confirm($event)"> <form method="POST" action="/apps/{{$.App.ID}}/registry-credentials/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this registry credential?')" @submit="confirm($event)">
{{ $.CSRFField }} {{ $.CSRFField }}
<button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button> <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
</form> </form>
</td> </td>
</template> </template>
<template x-if="editing"> <template x-if="editing">
<td colspan="3"> <td colspan="4">
<form method="POST" action="/apps/{{$.App.ID}}/env-vars/{{.ID}}/edit" class="flex gap-2 items-center"> <form method="POST" action="/apps/{{$.App.ID}}/registry-credentials/{{.ID}}/edit" class="flex gap-2 items-center">
{{ $.CSRFField }} {{ $.CSRFField }}
<input type="text" name="key" value="{{.Key}}" required class="input flex-1 font-mono text-sm"> <input type="text" name="registry" value="{{.Registry}}" required class="input flex-1 font-mono text-sm" placeholder="registry.example.com">
<input type="text" name="value" value="{{.Value}}" required class="input flex-1 font-mono text-sm"> <input type="text" name="username" value="{{.Username}}" required class="input flex-1 font-mono text-sm" placeholder="username">
<input type="password" name="password" required class="input flex-1 font-mono text-sm" placeholder="password">
<button type="submit" class="btn-primary text-sm">Save</button> <button type="submit" class="btn-primary text-sm">Save</button>
<button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button> <button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
</form> </form>
<p class="text-xs text-amber-600 mt-1">⚠ Container restart needed after env var changes.</p>
</td> </td>
</template> </template>
</tr> </tr>
@@ -149,10 +208,11 @@
</table> </table>
</div> </div>
{{end}} {{end}}
<form method="POST" action="/apps/{{.App.ID}}/env" class="flex flex-col sm:flex-row gap-2"> <form method="POST" action="/apps/{{.App.ID}}/registry-credentials" class="flex flex-col sm:flex-row gap-2">
{{ .CSRFField }} {{ .CSRFField }}
<input type="text" name="key" placeholder="KEY" required class="input flex-1 font-mono text-sm"> <input type="text" name="registry" placeholder="registry.example.com" required class="input flex-1 font-mono text-sm">
<input type="text" name="value" placeholder="value" required class="input flex-1 font-mono text-sm"> <input type="text" name="username" placeholder="username" required class="input flex-1 font-mono text-sm">
<input type="password" name="password" placeholder="password" required class="input flex-1 font-mono text-sm">
<button type="submit" class="btn-primary">Add</button> <button type="submit" class="btn-primary">Add</button>
</form> </form>
</div> </div>