Separate web UI into standalone metacrypt-web binary
The vault server holds in-memory unsealed state (KEK, engine keys) that is lost on restart, requiring a full unseal ceremony. Previously the web UI ran inside the vault process, so any UI change forced a restart and re-unseal. This change extracts the web UI into a separate metacrypt-web binary that communicates with the vault over an authenticated gRPC connection. The web server carries no sealed state and can be restarted freely. - gen/metacrypt/v1/: generated Go bindings from proto/metacrypt/v1/ - internal/grpcserver/: full gRPC server implementation (System, Auth, Engine, PKI, Policy, ACME services) with seal/auth/admin interceptors - internal/webserver/: web server with gRPC vault client; templates embedded via web/embed.go (no runtime web/ directory needed) - cmd/metacrypt-web/: standalone binary entry point - internal/config: added [web] section (listen_addr, vault_grpc, etc.) - internal/server/routes.go: removed all web UI routes and handlers - cmd/metacrypt/server.go: starts gRPC server alongside HTTP server - Deploy: Dockerfile builds both binaries, docker-compose adds metacrypt-web service, new metacrypt-web.service systemd unit, Makefile gains proto/metacrypt-web targets Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,24 +1,16 @@
|
||||
package server
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/x509"
|
||||
"encoding/json"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
"html/template"
|
||||
"io"
|
||||
"net/http"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/go-chi/chi/v5"
|
||||
|
||||
mcias "git.wntrmute.dev/kyle/mcias/clients/go"
|
||||
|
||||
"git.wntrmute.dev/kyle/metacrypt/internal/auth"
|
||||
"git.wntrmute.dev/kyle/metacrypt/internal/crypto"
|
||||
"git.wntrmute.dev/kyle/metacrypt/internal/engine"
|
||||
"git.wntrmute.dev/kyle/metacrypt/internal/engine/ca"
|
||||
@@ -27,25 +19,7 @@ import (
|
||||
)
|
||||
|
||||
func (s *Server) registerRoutes(r chi.Router) {
|
||||
// Static files.
|
||||
r.Handle("/static/*", http.StripPrefix("/static/", http.FileServer(http.Dir("web/static"))))
|
||||
|
||||
// Web UI routes.
|
||||
r.Get("/", s.handleWebRoot)
|
||||
r.HandleFunc("/init", s.handleWebInit)
|
||||
r.HandleFunc("/unseal", s.handleWebUnseal)
|
||||
r.HandleFunc("/login", s.handleWebLogin)
|
||||
r.Get("/dashboard", s.requireAuthWeb(s.handleWebDashboard))
|
||||
r.Post("/dashboard/mount-ca", s.requireAuthWeb(s.handleWebDashboardMountCA))
|
||||
|
||||
r.Route("/pki", func(r chi.Router) {
|
||||
r.Get("/", s.requireAuthWeb(s.handleWebPKI))
|
||||
r.Post("/import-root", s.requireAuthWeb(s.handleWebImportRoot))
|
||||
r.Post("/create-issuer", s.requireAuthWeb(s.handleWebCreateIssuer))
|
||||
r.Get("/{issuer}", s.requireAuthWeb(s.handleWebPKIIssuer))
|
||||
})
|
||||
|
||||
// API routes.
|
||||
// REST API routes — web UI served by metacrypt-web.
|
||||
r.Get("/v1/status", s.handleStatus)
|
||||
r.Post("/v1/init", s.handleInit)
|
||||
r.Post("/v1/unseal", s.handleUnseal)
|
||||
@@ -67,7 +41,8 @@ func (s *Server) registerRoutes(r chi.Router) {
|
||||
|
||||
r.HandleFunc("/v1/policy/rules", s.requireAuth(s.handlePolicyRules))
|
||||
r.HandleFunc("/v1/policy/rule", s.requireAuth(s.handlePolicyRule))
|
||||
s.registerACMERoutes(r)}
|
||||
s.registerACMERoutes(r)
|
||||
}
|
||||
|
||||
// --- API Handlers ---
|
||||
|
||||
@@ -478,474 +453,6 @@ func (s *Server) getCAEngine(mountName string) (*ca.CAEngine, error) {
|
||||
return caEng, nil
|
||||
}
|
||||
|
||||
// findCAMount returns the name of the first CA engine mount.
|
||||
func (s *Server) findCAMount() (string, error) {
|
||||
for _, m := range s.engines.ListMounts() {
|
||||
if m.Type == engine.EngineTypeCA {
|
||||
return m.Name, nil
|
||||
}
|
||||
}
|
||||
return "", errors.New("no CA engine mounted")
|
||||
}
|
||||
|
||||
// --- Web Handlers ---
|
||||
|
||||
func (s *Server) handleWebRoot(w http.ResponseWriter, r *http.Request) {
|
||||
state := s.seal.State()
|
||||
switch state {
|
||||
case seal.StateUninitialized:
|
||||
http.Redirect(w, r, "/init", http.StatusFound)
|
||||
case seal.StateSealed:
|
||||
http.Redirect(w, r, "/unseal", http.StatusFound)
|
||||
case seal.StateInitializing:
|
||||
http.Redirect(w, r, "/init", http.StatusFound)
|
||||
case seal.StateUnsealed:
|
||||
http.Redirect(w, r, "/dashboard", http.StatusFound)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Server) handleWebInit(w http.ResponseWriter, r *http.Request) {
|
||||
switch r.Method {
|
||||
case http.MethodGet:
|
||||
if s.seal.State() != seal.StateUninitialized {
|
||||
http.Redirect(w, r, "/", http.StatusFound)
|
||||
return
|
||||
}
|
||||
s.renderTemplate(w, "init.html", nil)
|
||||
case http.MethodPost:
|
||||
r.ParseForm()
|
||||
password := r.FormValue("password")
|
||||
if password == "" {
|
||||
s.renderTemplate(w, "init.html", map[string]interface{}{"Error": "Password is required"})
|
||||
return
|
||||
}
|
||||
params := crypto.Argon2Params{
|
||||
Time: s.cfg.Seal.Argon2Time,
|
||||
Memory: s.cfg.Seal.Argon2Memory,
|
||||
Threads: s.cfg.Seal.Argon2Threads,
|
||||
}
|
||||
if err := s.seal.Initialize(r.Context(), []byte(password), params); err != nil {
|
||||
s.renderTemplate(w, "init.html", map[string]interface{}{"Error": err.Error()})
|
||||
return
|
||||
}
|
||||
http.Redirect(w, r, "/dashboard", http.StatusFound)
|
||||
default:
|
||||
http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Server) handleWebUnseal(w http.ResponseWriter, r *http.Request) {
|
||||
switch r.Method {
|
||||
case http.MethodGet:
|
||||
state := s.seal.State()
|
||||
if state == seal.StateUninitialized {
|
||||
http.Redirect(w, r, "/init", http.StatusFound)
|
||||
return
|
||||
}
|
||||
if state == seal.StateUnsealed {
|
||||
http.Redirect(w, r, "/dashboard", http.StatusFound)
|
||||
return
|
||||
}
|
||||
s.renderTemplate(w, "unseal.html", nil)
|
||||
case http.MethodPost:
|
||||
r.ParseForm()
|
||||
password := r.FormValue("password")
|
||||
if err := s.seal.Unseal([]byte(password)); err != nil {
|
||||
msg := "Invalid password"
|
||||
if err == seal.ErrRateLimited {
|
||||
msg = "Too many attempts. Please wait 60 seconds."
|
||||
}
|
||||
s.renderTemplate(w, "unseal.html", map[string]interface{}{"Error": msg})
|
||||
return
|
||||
}
|
||||
if err := s.engines.UnsealAll(r.Context()); err != nil {
|
||||
s.logger.Error("engine unseal failed", "error", err)
|
||||
s.renderTemplate(w, "unseal.html", map[string]interface{}{"Error": "Engine reload failed: " + err.Error()})
|
||||
return
|
||||
}
|
||||
http.Redirect(w, r, "/dashboard", http.StatusFound)
|
||||
default:
|
||||
http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Server) handleWebLogin(w http.ResponseWriter, r *http.Request) {
|
||||
if s.seal.State() != seal.StateUnsealed {
|
||||
http.Redirect(w, r, "/", http.StatusFound)
|
||||
return
|
||||
}
|
||||
switch r.Method {
|
||||
case http.MethodGet:
|
||||
s.renderTemplate(w, "login.html", nil)
|
||||
case http.MethodPost:
|
||||
r.ParseForm()
|
||||
username := r.FormValue("username")
|
||||
password := r.FormValue("password")
|
||||
totpCode := r.FormValue("totp_code")
|
||||
token, _, err := s.auth.Login(username, password, totpCode)
|
||||
if err != nil {
|
||||
s.renderTemplate(w, "login.html", map[string]interface{}{"Error": "Invalid credentials"})
|
||||
return
|
||||
}
|
||||
http.SetCookie(w, &http.Cookie{
|
||||
Name: "metacrypt_token",
|
||||
Value: token,
|
||||
Path: "/",
|
||||
HttpOnly: true,
|
||||
Secure: true,
|
||||
SameSite: http.SameSiteStrictMode,
|
||||
})
|
||||
http.Redirect(w, r, "/dashboard", http.StatusFound)
|
||||
default:
|
||||
http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Server) handleWebDashboard(w http.ResponseWriter, r *http.Request) {
|
||||
info := TokenInfoFromContext(r.Context())
|
||||
mounts := s.engines.ListMounts()
|
||||
s.renderTemplate(w, "dashboard.html", map[string]interface{}{
|
||||
"Username": info.Username,
|
||||
"IsAdmin": info.IsAdmin,
|
||||
"Roles": info.Roles,
|
||||
"Mounts": mounts,
|
||||
"State": s.seal.State().String(),
|
||||
"Version": s.version,
|
||||
})
|
||||
}
|
||||
|
||||
func (s *Server) handleWebDashboardMountCA(w http.ResponseWriter, r *http.Request) {
|
||||
info := TokenInfoFromContext(r.Context())
|
||||
if !info.IsAdmin {
|
||||
http.Error(w, "forbidden", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
if err := r.ParseMultipartForm(1 << 20); err != nil {
|
||||
r.ParseForm()
|
||||
}
|
||||
|
||||
mountName := r.FormValue("name")
|
||||
if mountName == "" {
|
||||
s.renderDashboardWithError(w, r, info, "Mount name is required")
|
||||
return
|
||||
}
|
||||
|
||||
config := map[string]interface{}{}
|
||||
if org := r.FormValue("organization"); org != "" {
|
||||
config["organization"] = org
|
||||
}
|
||||
|
||||
// Optional root CA import.
|
||||
var certPEM, keyPEM string
|
||||
if f, _, err := r.FormFile("cert_file"); err == nil {
|
||||
defer f.Close()
|
||||
data, _ := io.ReadAll(io.LimitReader(f, 1<<20))
|
||||
certPEM = string(data)
|
||||
}
|
||||
if f, _, err := r.FormFile("key_file"); err == nil {
|
||||
defer f.Close()
|
||||
data, _ := io.ReadAll(io.LimitReader(f, 1<<20))
|
||||
keyPEM = string(data)
|
||||
}
|
||||
if certPEM != "" && keyPEM != "" {
|
||||
config["root_cert_pem"] = certPEM
|
||||
config["root_key_pem"] = keyPEM
|
||||
}
|
||||
|
||||
if err := s.engines.Mount(r.Context(), mountName, engine.EngineTypeCA, config); err != nil {
|
||||
s.renderDashboardWithError(w, r, info, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
http.Redirect(w, r, "/pki", http.StatusFound)
|
||||
}
|
||||
|
||||
func (s *Server) renderDashboardWithError(w http.ResponseWriter, _ *http.Request, info *auth.TokenInfo, errMsg string) {
|
||||
mounts := s.engines.ListMounts()
|
||||
s.renderTemplate(w, "dashboard.html", map[string]interface{}{
|
||||
"Username": info.Username,
|
||||
"IsAdmin": info.IsAdmin,
|
||||
"Roles": info.Roles,
|
||||
"Mounts": mounts,
|
||||
"State": s.seal.State().String(),
|
||||
"MountError": errMsg,
|
||||
})
|
||||
}
|
||||
|
||||
func (s *Server) handleWebPKI(w http.ResponseWriter, r *http.Request) {
|
||||
info := TokenInfoFromContext(r.Context())
|
||||
|
||||
mountName, err := s.findCAMount()
|
||||
if err != nil {
|
||||
http.Redirect(w, r, "/dashboard", http.StatusFound)
|
||||
return
|
||||
}
|
||||
|
||||
caEng, err := s.getCAEngine(mountName)
|
||||
if err != nil {
|
||||
http.Redirect(w, r, "/dashboard", http.StatusFound)
|
||||
return
|
||||
}
|
||||
|
||||
data := map[string]interface{}{
|
||||
"Username": info.Username,
|
||||
"IsAdmin": info.IsAdmin,
|
||||
"MountName": mountName,
|
||||
}
|
||||
|
||||
// Get root cert info.
|
||||
rootPEM, err := caEng.GetRootCertPEM()
|
||||
if err == nil && rootPEM != nil {
|
||||
if cert, err := parsePEMCert(rootPEM); err == nil {
|
||||
data["RootCN"] = cert.Subject.CommonName
|
||||
data["RootOrg"] = strings.Join(cert.Subject.Organization, ", ")
|
||||
data["RootNotBefore"] = cert.NotBefore.Format(time.RFC3339)
|
||||
data["RootNotAfter"] = cert.NotAfter.Format(time.RFC3339)
|
||||
data["RootExpired"] = time.Now().After(cert.NotAfter)
|
||||
data["HasRoot"] = true
|
||||
}
|
||||
}
|
||||
|
||||
// Get issuers.
|
||||
callerInfo := &engine.CallerInfo{
|
||||
Username: info.Username,
|
||||
Roles: info.Roles,
|
||||
IsAdmin: info.IsAdmin,
|
||||
}
|
||||
resp, err := s.engines.HandleRequest(r.Context(), mountName, &engine.Request{
|
||||
Operation: "list-issuers",
|
||||
CallerInfo: callerInfo,
|
||||
})
|
||||
if err == nil {
|
||||
data["Issuers"] = resp.Data["issuers"]
|
||||
}
|
||||
|
||||
s.renderTemplate(w, "pki.html", data)
|
||||
}
|
||||
|
||||
func (s *Server) handleWebImportRoot(w http.ResponseWriter, r *http.Request) {
|
||||
info := TokenInfoFromContext(r.Context())
|
||||
if !info.IsAdmin {
|
||||
http.Error(w, "forbidden", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
mountName, err := s.findCAMount()
|
||||
if err != nil {
|
||||
http.Error(w, "no CA engine mounted", http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
|
||||
if err := r.ParseMultipartForm(1 << 20); err != nil {
|
||||
r.ParseForm()
|
||||
}
|
||||
|
||||
certPEM := r.FormValue("cert_pem")
|
||||
keyPEM := r.FormValue("key_pem")
|
||||
|
||||
// Also support file uploads.
|
||||
if certPEM == "" {
|
||||
if f, _, err := r.FormFile("cert_file"); err == nil {
|
||||
defer f.Close()
|
||||
data, _ := io.ReadAll(io.LimitReader(f, 1<<20))
|
||||
certPEM = string(data)
|
||||
}
|
||||
}
|
||||
if keyPEM == "" {
|
||||
if f, _, err := r.FormFile("key_file"); err == nil {
|
||||
defer f.Close()
|
||||
data, _ := io.ReadAll(io.LimitReader(f, 1<<20))
|
||||
keyPEM = string(data)
|
||||
}
|
||||
}
|
||||
|
||||
if certPEM == "" || keyPEM == "" {
|
||||
s.renderPKIWithError(w, r, mountName, info, "Certificate and private key are required")
|
||||
return
|
||||
}
|
||||
|
||||
callerInfo := &engine.CallerInfo{
|
||||
Username: info.Username,
|
||||
Roles: info.Roles,
|
||||
IsAdmin: info.IsAdmin,
|
||||
}
|
||||
_, err = s.engines.HandleRequest(r.Context(), mountName, &engine.Request{
|
||||
Operation: "import-root",
|
||||
CallerInfo: callerInfo,
|
||||
Data: map[string]interface{}{
|
||||
"cert_pem": certPEM,
|
||||
"key_pem": keyPEM,
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
s.renderPKIWithError(w, r, mountName, info, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
http.Redirect(w, r, "/pki", http.StatusFound)
|
||||
}
|
||||
|
||||
func (s *Server) handleWebCreateIssuer(w http.ResponseWriter, r *http.Request) {
|
||||
info := TokenInfoFromContext(r.Context())
|
||||
if !info.IsAdmin {
|
||||
http.Error(w, "forbidden", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
mountName, err := s.findCAMount()
|
||||
if err != nil {
|
||||
http.Error(w, "no CA engine mounted", http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
|
||||
r.ParseForm()
|
||||
|
||||
name := r.FormValue("name")
|
||||
if name == "" {
|
||||
s.renderPKIWithError(w, r, mountName, info, "Issuer name is required")
|
||||
return
|
||||
}
|
||||
|
||||
data := map[string]interface{}{
|
||||
"name": name,
|
||||
}
|
||||
if v := r.FormValue("expiry"); v != "" {
|
||||
data["expiry"] = v
|
||||
}
|
||||
if v := r.FormValue("max_ttl"); v != "" {
|
||||
data["max_ttl"] = v
|
||||
}
|
||||
if v := r.FormValue("key_algorithm"); v != "" {
|
||||
data["key_algorithm"] = v
|
||||
}
|
||||
if v := r.FormValue("key_size"); v != "" {
|
||||
// Parse as float64 to match JSON number convention used by the engine.
|
||||
var size float64
|
||||
if _, err := fmt.Sscanf(v, "%f", &size); err == nil {
|
||||
data["key_size"] = size
|
||||
}
|
||||
}
|
||||
|
||||
callerInfo := &engine.CallerInfo{
|
||||
Username: info.Username,
|
||||
Roles: info.Roles,
|
||||
IsAdmin: info.IsAdmin,
|
||||
}
|
||||
_, err = s.engines.HandleRequest(r.Context(), mountName, &engine.Request{
|
||||
Operation: "create-issuer",
|
||||
CallerInfo: callerInfo,
|
||||
Data: data,
|
||||
})
|
||||
if err != nil {
|
||||
s.renderPKIWithError(w, r, mountName, info, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
http.Redirect(w, r, "/pki", http.StatusFound)
|
||||
}
|
||||
|
||||
func (s *Server) handleWebPKIIssuer(w http.ResponseWriter, r *http.Request) {
|
||||
mountName, err := s.findCAMount()
|
||||
if err != nil {
|
||||
http.Error(w, "no CA engine mounted", http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
|
||||
issuerName := chi.URLParam(r, "issuer")
|
||||
caEng, err := s.getCAEngine(mountName)
|
||||
if err != nil {
|
||||
http.Error(w, err.Error(), http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
|
||||
certPEM, err := caEng.GetIssuerCertPEM(issuerName)
|
||||
if err != nil {
|
||||
http.Error(w, "issuer not found", http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
|
||||
w.Header().Set("Content-Type", "application/x-pem-file")
|
||||
w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s.pem", issuerName))
|
||||
w.Write(certPEM)
|
||||
}
|
||||
|
||||
func (s *Server) renderPKIWithError(w http.ResponseWriter, r *http.Request, mountName string, info *auth.TokenInfo, errMsg string) {
|
||||
data := map[string]interface{}{
|
||||
"Username": info.Username,
|
||||
"IsAdmin": info.IsAdmin,
|
||||
"MountName": mountName,
|
||||
"Error": errMsg,
|
||||
}
|
||||
|
||||
// Try to load existing root info.
|
||||
mount, merr := s.engines.GetMount(mountName)
|
||||
if merr == nil && mount.Type == engine.EngineTypeCA {
|
||||
if caEng, ok := mount.Engine.(*ca.CAEngine); ok {
|
||||
rootPEM, err := caEng.GetRootCertPEM()
|
||||
if err == nil && rootPEM != nil {
|
||||
if cert, err := parsePEMCert(rootPEM); err == nil {
|
||||
data["RootCN"] = cert.Subject.CommonName
|
||||
data["RootOrg"] = strings.Join(cert.Subject.Organization, ", ")
|
||||
data["RootNotBefore"] = cert.NotBefore.Format(time.RFC3339)
|
||||
data["RootNotAfter"] = cert.NotAfter.Format(time.RFC3339)
|
||||
data["RootExpired"] = time.Now().After(cert.NotAfter)
|
||||
data["HasRoot"] = true
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
s.renderTemplate(w, "pki.html", data)
|
||||
}
|
||||
|
||||
func parsePEMCert(pemData []byte) (*x509.Certificate, error) {
|
||||
block, _ := pem.Decode(pemData)
|
||||
if block == nil {
|
||||
return nil, errors.New("no PEM block found")
|
||||
}
|
||||
return x509.ParseCertificate(block.Bytes)
|
||||
}
|
||||
|
||||
// requireAuthWeb redirects to login for web pages instead of returning 401.
|
||||
func (s *Server) requireAuthWeb(next http.HandlerFunc) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
if s.seal.State() != seal.StateUnsealed {
|
||||
http.Redirect(w, r, "/", http.StatusFound)
|
||||
return
|
||||
}
|
||||
token := extractToken(r)
|
||||
if token == "" {
|
||||
http.Redirect(w, r, "/login", http.StatusFound)
|
||||
return
|
||||
}
|
||||
info, err := s.auth.ValidateToken(token)
|
||||
if err != nil {
|
||||
http.Redirect(w, r, "/login", http.StatusFound)
|
||||
return
|
||||
}
|
||||
ctx := r.Context()
|
||||
ctx = context.WithValue(ctx, tokenInfoKey, info)
|
||||
next(w, r.WithContext(ctx))
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Server) renderTemplate(w http.ResponseWriter, name string, data interface{}) {
|
||||
tmpl, err := template.ParseFiles(
|
||||
filepath.Join("web", "templates", "layout.html"),
|
||||
filepath.Join("web", "templates", name),
|
||||
)
|
||||
if err != nil {
|
||||
s.logger.Error("parse template", "name", name, "error", err)
|
||||
http.Error(w, "internal server error", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
||||
if err := tmpl.ExecuteTemplate(w, "layout", data); err != nil {
|
||||
s.logger.Error("execute template", "name", name, "error", err)
|
||||
}
|
||||
}
|
||||
|
||||
func writeJSON(w http.ResponseWriter, status int, v interface{}) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
w.WriteHeader(status)
|
||||
|
||||
Reference in New Issue
Block a user