LocalAuthority
/
scripts
/
host_manager.pl
Newer
■
■
■
■
■
■
■
■
■
■
Older
2283 lines
|
86.149kb
| 1 |
#!/usr/bin/env perl |
|
| 2 |
# |
|
| 3 |
# host_manager.pl - Minimal host registry web app with no CPAN dependencies. |
|
| 4 |
# |
|
| 5 | ||
| 6 |
use strict; |
|
| 7 |
use warnings; |
|
| 8 | ||
| 9 |
use Cwd qw(abs_path); |
|
| 10 |
use Digest::SHA qw(hmac_sha1 hmac_sha256_hex sha256_hex); |
|
| 11 |
use File::Basename qw(dirname); |
|
| 12 |
use File::Path qw(make_path); |
|
| 13 |
use IO::Socket::INET; |
|
| 14 |
use POSIX qw(strftime); |
|
| 15 |
use Time::HiRes qw(time); |
|
| 16 | ||
| 17 |
my $script_dir = dirname(abs_path($0)); |
|
| 18 |
my $project_dir = dirname($script_dir); |
|
| 19 | ||
| 20 |
my %opt = ( |
|
| 21 |
bind => $ENV{HOST_MANAGER_BIND} || '127.0.0.1',
|
|
| 22 |
port => $ENV{HOST_MANAGER_PORT} || 8088,
|
|
| 23 |
data => $ENV{HOST_MANAGER_DATA} || "$project_dir/config/hosts.yaml",
|
|
| 24 |
local_hosts_tsv => $ENV{HOST_MANAGER_LOCAL_HOSTS_TSV} || "$project_dir/config/local-hosts.tsv",
|
|
| 25 |
work_orders => $ENV{HOST_MANAGER_WORK_ORDERS} || "$project_dir/config/work-orders.yaml",
|
|
| 26 |
); |
|
| 27 | ||
| 28 |
while (@ARGV) {
|
|
| 29 |
my $arg = shift @ARGV; |
|
| 30 |
if ($arg eq '--bind') {
|
|
| 31 |
$opt{bind} = shift @ARGV;
|
|
| 32 |
} elsif ($arg eq '--port') {
|
|
| 33 |
$opt{port} = shift @ARGV;
|
|
| 34 |
} elsif ($arg eq '--data') {
|
|
| 35 |
$opt{data} = shift @ARGV;
|
|
| 36 |
} elsif ($arg eq '--local-hosts-tsv') {
|
|
| 37 |
$opt{local_hosts_tsv} = shift @ARGV;
|
|
| 38 |
} elsif ($arg eq '--work-orders') {
|
|
| 39 |
$opt{work_orders} = shift @ARGV;
|
|
| 40 |
} elsif ($arg eq '--help' || $arg eq '-h') {
|
|
| 41 |
usage(); |
|
| 42 |
exit 0; |
|
| 43 |
} else {
|
|
| 44 |
die "Unknown option: $arg\n"; |
|
| 45 |
} |
|
| 46 |
} |
|
| 47 | ||
| 48 |
my $session_secret = $ENV{HOST_MANAGER_SESSION_SECRET} || random_hex(32);
|
|
| 49 |
my %sessions; |
|
| 50 | ||
| 51 |
my $server = IO::Socket::INET->new( |
|
| 52 |
LocalHost => $opt{bind},
|
|
| 53 |
LocalPort => $opt{port},
|
|
| 54 |
Proto => 'tcp', |
|
| 55 |
Listen => 10, |
|
| 56 |
ReuseAddr => 1, |
|
| 57 |
) or die "Cannot listen on $opt{bind}:$opt{port}: $!\n";
|
|
| 58 | ||
| 59 |
print "host-manager listening on http://$opt{bind}:$opt{port}\n";
|
|
| 60 |
print "data file: $opt{data}\n";
|
|
| 61 |
print "OTP login: " . ($ENV{HOST_MANAGER_TOTP_SECRET} ? "enabled\n" : "disabled; set HOST_MANAGER_TOTP_SECRET\n");
|
|
| 62 | ||
| 63 |
while (my $client = $server->accept) {
|
|
| 64 |
eval {
|
|
| 65 |
$client->autoflush(1); |
|
| 66 |
handle_client($client); |
|
| 67 |
}; |
|
| 68 |
if ($@) {
|
|
| 69 |
eval { send_json($client, 500, { error => 'internal_error', detail => "$@" }); };
|
|
| 70 |
} |
|
| 71 |
close $client; |
|
| 72 |
} |
|
| 73 | ||
| 74 |
sub usage {
|
|
| 75 |
print <<"EOF"; |
|
| 76 |
Usage: perl scripts/host_manager.pl [--bind 127.0.0.1] [--port 8088] |
|
| 77 | ||
| 78 |
Environment: |
|
| 79 |
HOST_MANAGER_TOTP_SECRET Base32 TOTP secret required for write access. |
|
| 80 |
HOST_MANAGER_SESSION_SECRET Optional session signing secret. |
|
| 81 |
HOST_MANAGER_DATA Defaults to config/hosts.yaml. |
|
| 82 |
HOST_MANAGER_LOCAL_HOSTS_TSV Defaults to config/local-hosts.tsv. |
|
| 83 |
HOST_MANAGER_WORK_ORDERS Defaults to config/work-orders.yaml. |
|
| 84 | ||
| 85 |
The nginx vhost keeps registry, CA, work order and download endpoints behind OTP. |
|
| 86 |
EOF |
|
| 87 |
} |
|
| 88 | ||
| 89 |
sub handle_client {
|
|
| 90 |
my ($client) = @_; |
|
| 91 |
my $request_line = <$client>; |
|
| 92 |
return unless defined $request_line; |
|
| 93 |
$request_line =~ s/\r?\n$//; |
|
| 94 |
my ($method, $target) = $request_line =~ m{^([A-Z]+)\s+(\S+)\s+HTTP/};
|
|
| 95 |
return send_text($client, 400, 'bad request') unless $method && $target; |
|
| 96 | ||
| 97 |
my %headers; |
|
| 98 |
while (my $line = <$client>) {
|
|
| 99 |
$line =~ s/\r?\n$//; |
|
| 100 |
last if $line eq ''; |
|
| 101 |
my ($k, $v) = split /:\s*/, $line, 2; |
|
| 102 |
$headers{lc $k} = $v if defined $k && defined $v;
|
|
| 103 |
} |
|
| 104 | ||
| 105 |
my $body = ''; |
|
| 106 |
if (($headers{'content-length'} || 0) > 0) {
|
|
| 107 |
read($client, $body, int($headers{'content-length'}));
|
|
| 108 |
} |
|
| 109 | ||
| 110 |
my ($path, $query) = split /\?/, $target, 2; |
|
| 111 |
my %query = parse_params($query || ''); |
|
| 112 | ||
| 113 |
if ($method eq 'GET' && app_page_path($path)) {
|
|
| 114 |
return send_html($client, 200, app_html()); |
|
| 115 |
} |
|
| 116 |
if ($method eq 'GET' && $path eq '/healthz') {
|
|
| 117 |
return send_json($client, 200, { ok => json_bool(1) });
|
|
| 118 |
} |
|
| 119 |
if ($method eq 'GET' && $path eq '/api/session') {
|
|
| 120 |
return send_json($client, 200, { authenticated => is_authenticated(\%headers) ? json_bool(1) : json_bool(0) });
|
|
| 121 |
} |
|
| 122 |
if ($method eq 'POST' && $path eq '/api/login') {
|
|
| 123 |
return send_json($client, 503, { error => 'otp_not_configured' }) unless $ENV{HOST_MANAGER_TOTP_SECRET};
|
|
| 124 |
my $payload = request_payload(\%headers, $body); |
|
| 125 |
my $otp = $payload->{otp} || '';
|
|
| 126 |
if (!verify_totp($ENV{HOST_MANAGER_TOTP_SECRET} || '', $otp)) {
|
|
| 127 |
return send_json($client, 401, { error => 'invalid_otp' });
|
|
| 128 |
} |
|
| 129 |
my $token = create_session(); |
|
| 130 |
return send_json($client, 200, { ok => json_bool(1) }, [ "Set-Cookie: hm_session=$token; HttpOnly; SameSite=Strict; Path=/" ]);
|
|
| 131 |
} |
|
| 132 |
if ($method eq 'POST' && $path eq '/api/logout') {
|
|
| 133 |
expire_session(\%headers); |
|
| 134 |
return send_json($client, 200, { ok => json_bool(1) }, [ "Set-Cookie: hm_session=deleted; Max-Age=0; Path=/" ]);
|
|
| 135 |
} |
|
| 136 | ||
| 137 |
return send_json($client, 401, { error => 'authentication_required' }) unless is_authenticated(\%headers);
|
|
| 138 | ||
| 139 |
if ($method eq 'GET' && $path eq '/api/hosts') {
|
|
| 140 |
my $registry = load_registry(); |
|
| 141 |
return send_json($client, 200, registry_payload($registry)); |
|
| 142 |
} |
|
| 143 |
if ($method eq 'GET' && $path eq '/api/work-orders') {
|
|
| 144 |
return send_json($client, 200, work_orders_payload(load_work_orders())); |
|
| 145 |
} |
|
| 146 |
if ($method eq 'GET' && $path eq '/download/hosts.yaml') {
|
|
| 147 |
return send_file($client, $opt{data}, 'application/x-yaml; charset=utf-8', 'hosts.yaml');
|
|
| 148 |
} |
|
| 149 |
if ($method eq 'GET' && $path eq '/download/local-hosts.tsv') {
|
|
| 150 |
my $registry = load_registry(); |
|
| 151 |
return send_download($client, 200, render_local_hosts_tsv($registry), 'text/tab-separated-values; charset=utf-8', 'local-hosts.tsv'); |
|
| 152 |
} |
|
| 153 |
if ($method eq 'GET' && $path eq '/download/monitoring.json') {
|
|
| 154 |
my $registry = load_registry(); |
|
| 155 |
return send_download($client, 200, json_encode(render_monitoring($registry)), 'application/json; charset=utf-8', 'monitoring-hosts.json'); |
|
| 156 |
} |
|
| 157 |
if ($method eq 'GET' && $path eq '/api/ca/status') {
|
|
| 158 |
return send_json_raw($client, 200, ca_manager_json('status-json'));
|
|
| 159 |
} |
|
| 160 |
if ($method eq 'GET' && $path eq '/api/ca/certificates') {
|
|
| 161 |
return send_json_raw($client, 200, ca_manager_json('list-json'));
|
|
| 162 |
} |
|
| 163 |
if ($method eq 'GET' && $path eq '/download/ca.crt') {
|
|
| 164 |
return send_file($client, ca_cert_path(), 'application/x-pem-file; charset=utf-8', 'xdev-madagascar-host-ca.crt'); |
|
| 165 |
} |
|
| 166 |
if ($method eq 'GET' && $path =~ m{\A/download/ca/cert/([A-Za-z0-9_.-]+)\.crt\z}) {
|
|
| 167 |
my $name = $1; |
|
| 168 |
return send_file($client, ca_issued_cert_path($name), 'application/x-pem-file; charset=utf-8', "$name.crt"); |
|
| 169 |
} |
|
| 170 | ||
| 171 |
if ($method eq 'POST' && $path =~ m{^/api/}) {
|
|
| 172 |
if ($path eq '/api/hosts/upsert') {
|
|
| 173 |
my $payload = request_payload(\%headers, $body); |
|
| 174 |
return upsert_host($client, $payload); |
|
| 175 |
} |
|
| 176 |
if ($path eq '/api/hosts/delete') {
|
|
| 177 |
my $payload = request_payload(\%headers, $body); |
|
| 178 |
return delete_host($client, $payload->{id} || '');
|
|
| 179 |
} |
|
| 180 |
if ($path eq '/api/work-orders/confirm') {
|
|
| 181 |
my $payload = request_payload(\%headers, $body); |
|
| 182 |
return confirm_work_order($client, $payload); |
|
| 183 |
} |
|
| 184 |
if ($path eq '/api/work-orders/checklist') {
|
|
| 185 |
my $payload = request_payload(\%headers, $body); |
|
| 186 |
return update_work_order_checklist($client, $payload); |
|
| 187 |
} |
|
| 188 |
if ($path eq '/api/render/local-hosts-tsv') {
|
|
| 189 |
my $registry = load_registry(); |
|
| 190 |
my $content = render_local_hosts_tsv($registry); |
|
| 191 |
backup_file($opt{local_hosts_tsv});
|
|
| 192 |
write_file($opt{local_hosts_tsv}, $content);
|
|
| 193 |
return send_json($client, 200, { ok => json_bool(1), file => $opt{local_hosts_tsv} });
|
|
| 194 |
} |
|
| 195 |
} |
|
| 196 | ||
| 197 |
return send_json($client, 404, { error => 'not_found' });
|
|
| 198 |
} |
|
| 199 | ||
| 200 |
sub app_page_path {
|
|
| 201 |
my ($path) = @_; |
|
| 202 |
return $path =~ m{\A/(?:|overview|hosts|dns|work-orders|ca)\z};
|
|
| 203 |
} |
|
| 204 | ||
| 205 |
sub load_registry {
|
|
| 206 |
return parse_hosts_yaml(read_file($opt{data}));
|
|
| 207 |
} |
|
| 208 | ||
| 209 |
sub save_registry {
|
|
| 210 |
my ($registry) = @_; |
|
| 211 |
$registry->{updated_at} = iso_now();
|
|
| 212 |
backup_file($opt{data});
|
|
| 213 |
write_file($opt{data}, render_hosts_yaml($registry));
|
|
| 214 |
} |
|
| 215 | ||
| 216 |
sub load_work_orders {
|
|
| 217 |
return { version => 1, work_orders => [] } unless -f $opt{work_orders};
|
|
| 218 |
return parse_work_orders_yaml(read_file($opt{work_orders}));
|
|
| 219 |
} |
|
| 220 | ||
| 221 |
sub save_work_orders {
|
|
| 222 |
my ($orders) = @_; |
|
| 223 |
backup_file($opt{work_orders});
|
|
| 224 |
write_file($opt{work_orders}, render_work_orders_yaml($orders));
|
|
| 225 |
} |
|
| 226 | ||
| 227 |
sub work_orders_payload {
|
|
| 228 |
my ($orders) = @_; |
|
| 229 |
my $pending = 0; |
|
| 230 |
for my $wo (@{ $orders->{work_orders} || [] }) {
|
|
| 231 |
$pending++ if ($wo->{status} || 'pending') eq 'pending';
|
|
| 232 |
} |
|
| 233 |
return {
|
|
| 234 |
version => $orders->{version},
|
|
| 235 |
work_orders => $orders->{work_orders} || [],
|
|
| 236 |
counts => {
|
|
| 237 |
work_orders => scalar @{ $orders->{work_orders} || [] },
|
|
| 238 |
pending => $pending, |
|
| 239 |
}, |
|
| 240 |
}; |
|
| 241 |
} |
|
| 242 | ||
| 243 |
sub confirm_work_order {
|
|
| 244 |
my ($client, $payload) = @_; |
|
| 245 |
my $id = clean_scalar($payload->{id} || '');
|
|
| 246 |
return send_json($client, 400, { error => 'invalid_work_order_id' }) unless $id =~ /\AWO-[A-Za-z0-9_.-]+\z/;
|
|
| 247 |
return send_json($client, 400, { error => 'confirmation_required' }) unless clean_scalar($payload->{confirm} || '') eq $id;
|
|
| 248 | ||
| 249 |
my $orders = load_work_orders(); |
|
| 250 |
my $work_order; |
|
| 251 |
for my $wo (@{ $orders->{work_orders} || [] }) {
|
|
| 252 |
if (($wo->{id} || '') eq $id) {
|
|
| 253 |
$work_order = $wo; |
|
| 254 |
last; |
|
| 255 |
} |
|
| 256 |
} |
|
| 257 |
return send_json($client, 404, { error => 'work_order_not_found' }) unless $work_order;
|
|
| 258 |
return send_json($client, 409, { error => 'work_order_not_pending' }) unless ($work_order->{status} || 'pending') eq 'pending';
|
|
| 259 |
my $incomplete = incomplete_work_order_items($work_order); |
|
| 260 |
return send_json($client, 409, {
|
|
| 261 |
error => 'work_order_incomplete', |
|
| 262 |
incomplete => $incomplete, |
|
| 263 |
}) if @$incomplete; |
|
| 264 | ||
| 265 |
my $registry = load_registry(); |
|
| 266 |
my $results = apply_work_order($registry, $work_order); |
|
| 267 |
$work_order->{status} = 'confirmed';
|
|
| 268 |
$work_order->{confirmed_at} = iso_now();
|
|
| 269 |
$work_order->{result} = scalar(@$results) . ' action(s) applied';
|
|
| 270 | ||
| 271 |
save_registry($registry); |
|
| 272 |
save_work_orders($orders); |
|
| 273 |
backup_file($opt{local_hosts_tsv});
|
|
| 274 |
write_file($opt{local_hosts_tsv}, render_local_hosts_tsv($registry));
|
|
| 275 | ||
| 276 |
return send_json($client, 200, {
|
|
| 277 |
ok => json_bool(1), |
|
| 278 |
work_order => $work_order, |
|
| 279 |
results => $results, |
|
| 280 |
local_hosts_tsv => $opt{local_hosts_tsv},
|
|
| 281 |
}); |
|
| 282 |
} |
|
| 283 | ||
| 284 |
sub update_work_order_checklist {
|
|
| 285 |
my ($client, $payload) = @_; |
|
| 286 |
my $id = clean_scalar($payload->{id} || '');
|
|
| 287 |
my $item_id = clean_scalar($payload->{item_id} || '');
|
|
| 288 |
my $status = clean_scalar($payload->{status} || '');
|
|
| 289 |
my $notes = clean_scalar($payload->{notes} || '');
|
|
| 290 |
return send_json($client, 400, { error => 'invalid_work_order_id' }) unless $id =~ /\AWO-[A-Za-z0-9_.-]+\z/;
|
|
| 291 |
return send_json($client, 400, { error => 'invalid_checklist_item' }) unless $item_id =~ /\A[A-Za-z0-9_.-]+\z/;
|
|
| 292 |
return send_json($client, 400, { error => 'invalid_checklist_status' }) unless $status =~ /\A(?:pending|done|blocked)\z/;
|
|
| 293 | ||
| 294 |
my $orders = load_work_orders(); |
|
| 295 |
my $work_order; |
|
| 296 |
for my $wo (@{ $orders->{work_orders} || [] }) {
|
|
| 297 |
if (($wo->{id} || '') eq $id) {
|
|
| 298 |
$work_order = $wo; |
|
| 299 |
last; |
|
| 300 |
} |
|
| 301 |
} |
|
| 302 |
return send_json($client, 404, { error => 'work_order_not_found' }) unless $work_order;
|
|
| 303 |
return send_json($client, 409, { error => 'work_order_not_pending' }) unless ($work_order->{status} || 'pending') eq 'pending';
|
|
| 304 | ||
| 305 |
my $item; |
|
| 306 |
for my $candidate (@{ $work_order->{checklist} || [] }) {
|
|
| 307 |
if (($candidate->{id} || '') eq $item_id) {
|
|
| 308 |
$item = $candidate; |
|
| 309 |
last; |
|
| 310 |
} |
|
| 311 |
} |
|
| 312 |
return send_json($client, 404, { error => 'checklist_item_not_found' }) unless $item;
|
|
| 313 | ||
| 314 |
$item->{status} = $status;
|
|
| 315 |
$item->{updated_at} = iso_now();
|
|
| 316 |
$item->{notes} = $notes if length $notes;
|
|
| 317 |
save_work_orders($orders); |
|
| 318 |
return send_json($client, 200, { ok => json_bool(1), work_order => $work_order });
|
|
| 319 |
} |
|
| 320 | ||
| 321 |
sub incomplete_work_order_items {
|
|
| 322 |
my ($work_order) = @_; |
|
| 323 |
my @incomplete; |
|
| 324 |
for my $item (@{ $work_order->{checklist} || [] }) {
|
|
| 325 |
push @incomplete, $item unless ($item->{status} || 'pending') eq 'done';
|
|
| 326 |
} |
|
| 327 |
return \@incomplete; |
|
| 328 |
} |
|
| 329 | ||
| 330 |
sub apply_work_order {
|
|
| 331 |
my ($registry, $work_order) = @_; |
|
| 332 |
my @results; |
|
| 333 |
for my $action (@{ $work_order->{actions} || [] }) {
|
|
| 334 |
my $type = $action->{type} || '';
|
|
| 335 |
if ($type eq 'remove_name') {
|
|
| 336 |
my $host_id = $action->{host_id} || '';
|
|
| 337 |
my $name = $action->{name} || '';
|
|
| 338 |
my $removed = 0; |
|
| 339 |
for my $host (@{ $registry->{hosts} || [] }) {
|
|
| 340 |
next unless ($host->{id} || '') eq $host_id;
|
|
| 341 |
my @kept = grep { $_ ne $name } @{ $host->{names} || [] };
|
|
| 342 |
$removed = @kept != @{ $host->{names} || [] };
|
|
| 343 |
$host->{names} = \@kept;
|
|
| 344 |
last; |
|
| 345 |
} |
|
| 346 |
push @results, {
|
|
| 347 |
type => $type, |
|
| 348 |
host_id => $host_id, |
|
| 349 |
name => $name, |
|
| 350 |
removed => json_bool($removed), |
|
| 351 |
}; |
|
| 352 |
} else {
|
|
| 353 |
die "Unsupported work order action: $type\n"; |
|
| 354 |
} |
|
| 355 |
} |
|
| 356 |
return \@results; |
|
| 357 |
} |
|
| 358 | ||
| 359 |
sub registry_payload {
|
|
| 360 |
my ($registry) = @_; |
|
| 361 |
my $problems = analyze_hosts($registry->{hosts});
|
|
| 362 |
my @hosts = map { host_payload($_) } @{ $registry->{hosts} };
|
|
| 363 |
return {
|
|
| 364 |
version => $registry->{version},
|
|
| 365 |
updated_at => $registry->{updated_at},
|
|
| 366 |
policy => $registry->{policy},
|
|
| 367 |
hosts => \@hosts, |
|
| 368 |
problems => $problems, |
|
| 369 |
counts => {
|
|
| 370 |
hosts => scalar @{ $registry->{hosts} },
|
|
| 371 |
problems => scalar @$problems, |
|
| 372 |
}, |
|
| 373 |
}; |
|
| 374 |
} |
|
| 375 | ||
| 376 |
sub upsert_host {
|
|
| 377 |
my ($client, $payload) = @_; |
|
| 378 |
my $id = clean_id($payload->{id} || '');
|
|
| 379 |
return send_json($client, 400, { error => 'invalid_id' }) unless $id;
|
|
| 380 | ||
| 381 |
my $hosts_ip = clean_scalar($payload->{hosts_ip} || '');
|
|
| 382 |
my $dns_ip = clean_scalar($payload->{dns_ip} || '');
|
|
| 383 |
return send_json($client, 400, { error => 'missing_ip' }) unless $hosts_ip && $dns_ip;
|
|
| 384 | ||
| 385 |
my @names = remove_derived_names(clean_list($payload->{names}));
|
|
| 386 |
return send_json($client, 400, { error => 'missing_names' }) unless @names;
|
|
| 387 | ||
| 388 |
my $registry = load_registry(); |
|
| 389 |
my %host = ( |
|
| 390 |
id => $id, |
|
| 391 |
status => clean_scalar($payload->{status} || 'active'),
|
|
| 392 |
hosts_ip => $hosts_ip, |
|
| 393 |
dns_ip => $dns_ip, |
|
| 394 |
names => \@names, |
|
| 395 |
roles => [ clean_list($payload->{roles}) ],
|
|
| 396 |
sources => [ clean_list($payload->{sources}) ],
|
|
| 397 |
monitoring => clean_scalar($payload->{monitoring} || 'pending'),
|
|
| 398 |
notes => clean_scalar($payload->{notes} || ''),
|
|
| 399 |
); |
|
| 400 | ||
| 401 |
my $replaced = 0; |
|
| 402 |
for my $i (0 .. $#{ $registry->{hosts} }) {
|
|
| 403 |
if ($registry->{hosts}->[$i]{id} eq $id) {
|
|
| 404 |
$registry->{hosts}->[$i] = \%host;
|
|
| 405 |
$replaced = 1; |
|
| 406 |
last; |
|
| 407 |
} |
|
| 408 |
} |
|
| 409 |
push @{ $registry->{hosts} }, \%host unless $replaced;
|
|
| 410 |
save_registry($registry); |
|
| 411 |
return send_json($client, 200, { ok => json_bool(1), host => \%host });
|
|
| 412 |
} |
|
| 413 | ||
| 414 |
sub delete_host {
|
|
| 415 |
my ($client, $id) = @_; |
|
| 416 |
$id = clean_id($id); |
|
| 417 |
return send_json($client, 400, { error => 'invalid_id' }) unless $id;
|
|
| 418 | ||
| 419 |
my $registry = load_registry(); |
|
| 420 |
my @kept = grep { $_->{id} ne $id } @{ $registry->{hosts} };
|
|
| 421 |
return send_json($client, 404, { error => 'not_found' }) if @kept == @{ $registry->{hosts} };
|
|
| 422 |
$registry->{hosts} = \@kept;
|
|
| 423 |
save_registry($registry); |
|
| 424 |
return send_json($client, 200, { ok => json_bool(1) });
|
|
| 425 |
} |
|
| 426 | ||
| 427 |
sub analyze_hosts {
|
|
| 428 |
my ($hosts) = @_; |
|
| 429 |
my @problems; |
|
| 430 |
my (%names, %ids); |
|
| 431 |
for my $host (@$hosts) {
|
|
| 432 |
push @problems, problem($host, 'duplicate-id', "Duplicate id $host->{id}") if $ids{ $host->{id} }++;
|
|
| 433 |
my @fqdn = grep { /\.madagascar\.xdev\.ro$/ } @{ $host->{names} || [] };
|
|
| 434 |
push @problems, problem($host, 'missing-fqdn', 'No madagascar.xdev.ro FQDN') unless @fqdn || ($host->{status} || '') ne 'active';
|
|
| 435 |
push @problems, problem($host, 'deprecated-vad-is', 'Deprecated vad.is.xdev.ro name present') |
|
| 436 |
if grep { /\.vad\.is\.xdev\.ro$/ } @{ $host->{names} || [] };
|
|
| 437 |
push @problems, problem($host, 'legacy-prefix', 'Legacy prefix should be normalized out') |
|
| 438 |
if grep { /^(is|vad|b)-/ } @{ $host->{names} || [] };
|
|
| 439 |
for my $name (@{ $host->{names} || [] }) {
|
|
| 440 |
push @problems, problem($host, 'duplicate-name', "Duplicate name $name") if $names{$name}++;
|
|
| 441 |
} |
|
| 442 |
my %declared = map { $_ => 1 } @{ $host->{names} || [] };
|
|
| 443 |
for my $derived (derived_names($host)) {
|
|
| 444 |
push @problems, problem($host, 'redundant-derived-name', "Name $derived is derived from madagascar.xdev.ro") |
|
| 445 |
if $declared{$derived};
|
|
| 446 |
} |
|
| 447 |
if (($host->{hosts_ip} || '') ne ($host->{dns_ip} || '') && ($host->{hosts_ip} || '') ne '127.0.0.1') {
|
|
| 448 |
push @problems, problem($host, 'split-ip', 'hosts_ip differs from dns_ip; check that this is intentional'); |
|
| 449 |
} |
|
| 450 |
} |
|
| 451 |
return \@problems; |
|
| 452 |
} |
|
| 453 | ||
| 454 |
sub host_payload {
|
|
| 455 |
my ($host) = @_; |
|
| 456 |
my %copy = %$host; |
|
| 457 |
$copy{names} = [ effective_names($host) ];
|
|
| 458 |
$copy{declared_names} = [ @{ $host->{names} || [] } ];
|
|
| 459 |
$copy{derived_names} = [ derived_names($host) ];
|
|
| 460 |
return \%copy; |
|
| 461 |
} |
|
| 462 | ||
| 463 |
sub effective_names {
|
|
| 464 |
my ($host) = @_; |
|
| 465 |
my @names = @{ $host->{names} || [] };
|
|
| 466 |
push @names, derived_names($host); |
|
| 467 |
return unique_preserve(@names); |
|
| 468 |
} |
|
| 469 | ||
| 470 |
sub derived_names {
|
|
| 471 |
my ($host) = @_; |
|
| 472 |
my @derived; |
|
| 473 |
for my $name (@{ $host->{names} || [] }) {
|
|
| 474 |
next unless $name =~ /^(.+)\.madagascar\.xdev\.ro$/; |
|
| 475 |
push @derived, $1 if length $1; |
|
| 476 |
} |
|
| 477 |
return unique_preserve(@derived); |
|
| 478 |
} |
|
| 479 | ||
| 480 |
sub remove_derived_names {
|
|
| 481 |
my @names = @_; |
|
| 482 |
my %derived; |
|
| 483 |
for my $name (@names) {
|
|
| 484 |
next unless $name =~ /^(.+)\.madagascar\.xdev\.ro$/; |
|
| 485 |
$derived{$1} = 1;
|
|
| 486 |
} |
|
| 487 |
return grep { !$derived{$_} } @names;
|
|
| 488 |
} |
|
| 489 | ||
| 490 |
sub unique_preserve {
|
|
| 491 |
my @values = @_; |
|
| 492 |
my %seen; |
|
| 493 |
return grep { !$seen{$_}++ } @values;
|
|
| 494 |
} |
|
| 495 | ||
| 496 |
sub problem {
|
|
| 497 |
my ($host, $code, $message) = @_; |
|
| 498 |
return { host_id => $host->{id}, code => $code, message => $message };
|
|
| 499 |
} |
|
| 500 | ||
| 501 |
sub render_local_hosts_tsv {
|
|
| 502 |
my ($registry) = @_; |
|
| 503 |
my $out = "# Local DNS manifest for the madagascar network.\n"; |
|
| 504 |
$out .= "# Generated by scripts/host_manager.pl from config/hosts.yaml.\n"; |
|
| 505 |
$out .= "#\n"; |
|
| 506 |
$out .= "# Format:\n"; |
|
| 507 |
$out .= "# hosts_ip<TAB>dns_ip<TAB>name [aliases...]\n"; |
|
| 508 |
$out .= "#\n"; |
|
| 509 |
$out .= "# Priority rule:\n"; |
|
| 510 |
$out .= "# - DHCP lease/reservation on 192.168.2.1 is canonical for LAN IP allocation.\n"; |
|
| 511 |
$out .= "# - madagascar.json is canonical for cluster roles and service interfaces.\n"; |
|
| 512 |
$out .= "# - This file publishes approved local DNS records derived from those sources.\n"; |
|
| 513 |
for my $host (sort { $a->{id} cmp $b->{id} } @{ $registry->{hosts} }) {
|
|
| 514 |
next unless ($host->{status} || 'active') eq 'active';
|
|
| 515 |
my @names = effective_names($host); |
|
| 516 |
next unless @names; |
|
| 517 |
$out .= join("\t", $host->{hosts_ip}, $host->{dns_ip}, join(' ', @names)) . "\n";
|
|
| 518 |
} |
|
| 519 |
return $out; |
|
| 520 |
} |
|
| 521 | ||
| 522 |
sub render_monitoring {
|
|
| 523 |
my ($registry) = @_; |
|
| 524 |
my @hosts; |
|
| 525 |
for my $host (sort { $a->{id} cmp $b->{id} } @{ $registry->{hosts} }) {
|
|
| 526 |
next unless ($host->{status} || 'active') eq 'active';
|
|
| 527 |
next if ($host->{monitoring} || 'pending') eq 'disabled';
|
|
| 528 |
my @names = effective_names($host); |
|
| 529 |
push @hosts, {
|
|
| 530 |
id => $host->{id},
|
|
| 531 |
primary_name => $names[0], |
|
| 532 |
address => $host->{dns_ip},
|
|
| 533 |
aliases => \@names, |
|
| 534 |
declared_names => [ @{ $host->{names} || [] } ],
|
|
| 535 |
derived_names => [ derived_names($host) ], |
|
| 536 |
roles => [ @{ $host->{roles} || [] } ],
|
|
| 537 |
monitoring => $host->{monitoring} || 'pending',
|
|
| 538 |
notes => $host->{notes} || '',
|
|
| 539 |
}; |
|
| 540 |
} |
|
| 541 |
return {
|
|
| 542 |
version => $registry->{version},
|
|
| 543 |
generated_at => iso_now(), |
|
| 544 |
source => 'config/hosts.yaml', |
|
| 545 |
hosts => \@hosts, |
|
| 546 |
}; |
|
| 547 |
} |
|
| 548 | ||
| 549 |
sub ca_script_path {
|
|
| 550 |
return "$project_dir/scripts/ca_manager.sh"; |
|
| 551 |
} |
|
| 552 | ||
| 553 |
sub ca_dir {
|
|
| 554 |
return $ENV{HOST_MANAGER_CA_DIR} || "$project_dir/var/ca";
|
|
| 555 |
} |
|
| 556 | ||
| 557 |
sub ca_cert_path {
|
|
| 558 |
return ca_dir() . "/certs/ca.cert.pem"; |
|
| 559 |
} |
|
| 560 | ||
| 561 |
sub ca_issued_cert_path {
|
|
| 562 |
my ($name) = @_; |
|
| 563 |
die "unsafe certificate name\n" unless $name =~ /\A[A-Za-z0-9_.-]+\z/; |
|
| 564 |
return ca_dir() . "/issued/$name.cert.pem"; |
|
| 565 |
} |
|
| 566 | ||
| 567 |
sub ca_manager_json {
|
|
| 568 |
my ($command) = @_; |
|
| 569 |
my $script = ca_script_path(); |
|
| 570 |
die "CA manager script is missing\n" unless -x $script; |
|
| 571 |
local $ENV{HOST_MANAGER_CA_DIR} = ca_dir();
|
|
| 572 |
open my $fh, '-|', $script, $command or die "Cannot run CA manager\n"; |
|
| 573 |
local $/; |
|
| 574 |
my $out = <$fh>; |
|
| 575 |
close $fh or die "CA manager failed\n"; |
|
| 576 |
return $out || '{}';
|
|
| 577 |
} |
|
| 578 | ||
| 579 |
sub parse_hosts_yaml {
|
|
| 580 |
my ($text) = @_; |
|
| 581 |
my %registry = ( |
|
| 582 |
version => 1, |
|
| 583 |
updated_at => '', |
|
| 584 |
policy => {},
|
|
| 585 |
hosts => [], |
|
| 586 |
); |
|
| 587 |
my ($section, $current, $list_key); |
|
| 588 |
for my $line (split /\n/, $text) {
|
|
| 589 |
next if $line =~ /^\s*$/ || $line =~ /^\s*#/; |
|
| 590 |
if ($line =~ /^version:\s*(\d+)/) {
|
|
| 591 |
$registry{version} = int($1);
|
|
| 592 |
} elsif ($line =~ /^updated_at:\s*(.+)$/) {
|
|
| 593 |
$registry{updated_at} = yaml_unquote($1);
|
|
| 594 |
} elsif ($line =~ /^policy:\s*$/) {
|
|
| 595 |
$section = 'policy'; |
|
| 596 |
} elsif ($line =~ /^hosts:\s*$/) {
|
|
| 597 |
$section = 'hosts'; |
|
| 598 |
} elsif (($section || '') eq 'policy' && $line =~ /^ ([A-Za-z0-9_]+):\s*(.+)$/) {
|
|
| 599 |
$registry{policy}{$1} = yaml_unquote($2);
|
|
| 600 |
} elsif (($section || '') eq 'hosts' && $line =~ /^ - id:\s*(.+)$/) {
|
|
| 601 |
$current = {
|
|
| 602 |
id => yaml_unquote($1), |
|
| 603 |
status => 'active', |
|
| 604 |
hosts_ip => '', |
|
| 605 |
dns_ip => '', |
|
| 606 |
names => [], |
|
| 607 |
roles => [], |
|
| 608 |
sources => [], |
|
| 609 |
monitoring => 'pending', |
|
| 610 |
notes => '', |
|
| 611 |
}; |
|
| 612 |
push @{ $registry{hosts} }, $current;
|
|
| 613 |
$list_key = undef; |
|
| 614 |
} elsif ($current && $line =~ /^ ([A-Za-z0-9_]+):\s*$/) {
|
|
| 615 |
$list_key = $1; |
|
| 616 |
$current->{$list_key} ||= [];
|
|
| 617 |
} elsif ($current && defined $list_key && $line =~ /^ -\s*(.+)$/) {
|
|
| 618 |
push @{ $current->{$list_key} }, yaml_unquote($1);
|
|
| 619 |
} elsif ($current && $line =~ /^ ([A-Za-z0-9_]+):\s*(.*)$/) {
|
|
| 620 |
$current->{$1} = yaml_unquote($2);
|
|
| 621 |
$list_key = undef; |
|
| 622 |
} |
|
| 623 |
} |
|
| 624 |
return \%registry; |
|
| 625 |
} |
|
| 626 | ||
| 627 |
sub render_hosts_yaml {
|
|
| 628 |
my ($registry) = @_; |
|
| 629 |
my $out = "version: " . int($registry->{version} || 1) . "\n";
|
|
| 630 |
$out .= "updated_at: " . yq($registry->{updated_at} || iso_now()) . "\n";
|
|
| 631 |
$out .= "policy:\n"; |
|
| 632 |
for my $key (sort keys %{ $registry->{policy} || {} }) {
|
|
| 633 |
$out .= " $key: " . yq($registry->{policy}{$key}) . "\n";
|
|
| 634 |
} |
|
| 635 |
$out .= "hosts:\n"; |
|
| 636 |
for my $host (sort { $a->{id} cmp $b->{id} } @{ $registry->{hosts} || [] }) {
|
|
| 637 |
$out .= " - id: " . yq($host->{id}) . "\n";
|
|
| 638 |
for my $key (qw(status hosts_ip dns_ip)) {
|
|
| 639 |
$out .= " $key: " . yq($host->{$key} || '') . "\n";
|
|
| 640 |
} |
|
| 641 |
for my $key (qw(names roles sources)) {
|
|
| 642 |
$out .= " $key:\n"; |
|
| 643 |
for my $value (@{ $host->{$key} || [] }) {
|
|
| 644 |
$out .= " - " . yq($value) . "\n"; |
|
| 645 |
} |
|
| 646 |
} |
|
| 647 |
$out .= " monitoring: " . yq($host->{monitoring} || 'pending') . "\n";
|
|
| 648 |
$out .= " notes: " . yq($host->{notes} || '') . "\n";
|
|
| 649 |
} |
|
| 650 |
return $out; |
|
| 651 |
} |
|
| 652 | ||
| 653 |
sub parse_work_orders_yaml {
|
|
| 654 |
my ($text) = @_; |
|
| 655 |
my %orders = ( |
|
| 656 |
version => 1, |
|
| 657 |
work_orders => [], |
|
| 658 |
); |
|
| 659 |
my ($section, $current, $list_section, $current_action, $current_item); |
|
| 660 |
for my $line (split /\n/, $text) {
|
|
| 661 |
next if $line =~ /^\s*$/ || $line =~ /^\s*#/; |
|
| 662 |
if ($line =~ /^version:\s*(\d+)/) {
|
|
| 663 |
$orders{version} = int($1);
|
|
| 664 |
} elsif ($line =~ /^work_orders:\s*$/) {
|
|
| 665 |
$section = 'work_orders'; |
|
| 666 |
} elsif (($section || '') eq 'work_orders' && $line =~ /^ - id:\s*(.+)$/) {
|
|
| 667 |
$current = {
|
|
| 668 |
id => yaml_unquote($1), |
|
| 669 |
status => 'pending', |
|
| 670 |
checklist => [], |
|
| 671 |
actions => [], |
|
| 672 |
}; |
|
| 673 |
push @{ $orders{work_orders} }, $current;
|
|
| 674 |
$list_section = ''; |
|
| 675 |
$current_action = undef; |
|
| 676 |
$current_item = undef; |
|
| 677 |
} elsif ($current && $line =~ /^ checklist:\s*$/) {
|
|
| 678 |
$list_section = 'checklist'; |
|
| 679 |
$current->{checklist} ||= [];
|
|
| 680 |
} elsif ($current && $list_section eq 'checklist' && $line =~ /^ - id:\s*(.+)$/) {
|
|
| 681 |
$current_item = { id => yaml_unquote($1), status => 'pending' };
|
|
| 682 |
push @{ $current->{checklist} }, $current_item;
|
|
| 683 |
$current_action = undef; |
|
| 684 |
} elsif ($current_item && $list_section eq 'checklist' && $line =~ /^ ([A-Za-z0-9_]+):\s*(.*)$/) {
|
|
| 685 |
$current_item->{$1} = yaml_unquote($2);
|
|
| 686 |
} elsif ($current && $line =~ /^ actions:\s*$/) {
|
|
| 687 |
$list_section = 'actions'; |
|
| 688 |
$current->{actions} ||= [];
|
|
| 689 |
} elsif ($current && $list_section eq 'actions' && $line =~ /^ - type:\s*(.+)$/) {
|
|
| 690 |
$current_action = { type => yaml_unquote($1) };
|
|
| 691 |
push @{ $current->{actions} }, $current_action;
|
|
| 692 |
$current_item = undef; |
|
| 693 |
} elsif ($current_action && $list_section eq 'actions' && $line =~ /^ ([A-Za-z0-9_]+):\s*(.*)$/) {
|
|
| 694 |
$current_action->{$1} = yaml_unquote($2);
|
|
| 695 |
} elsif ($current && $line =~ /^ ([A-Za-z0-9_]+):\s*(.*)$/) {
|
|
| 696 |
$current->{$1} = yaml_unquote($2);
|
|
| 697 |
$list_section = ''; |
|
| 698 |
$current_action = undef; |
|
| 699 |
$current_item = undef; |
|
| 700 |
} |
|
| 701 |
} |
|
| 702 |
return \%orders; |
|
| 703 |
} |
|
| 704 | ||
| 705 |
sub render_work_orders_yaml {
|
|
| 706 |
my ($orders) = @_; |
|
| 707 |
my $out = "version: " . int($orders->{version} || 1) . "\n";
|
|
| 708 |
$out .= "work_orders:\n"; |
|
| 709 |
for my $wo (@{ $orders->{work_orders} || [] }) {
|
|
| 710 |
$out .= " - id: " . yq($wo->{id}) . "\n";
|
|
| 711 |
for my $key (qw(status title reason created_at confirmed_at result)) {
|
|
| 712 |
next unless exists $wo->{$key} && length($wo->{$key} || '');
|
|
| 713 |
$out .= " $key: " . yq($wo->{$key}) . "\n";
|
|
| 714 |
} |
|
| 715 |
$out .= " checklist:\n"; |
|
| 716 |
for my $item (@{ $wo->{checklist} || [] }) {
|
|
| 717 |
$out .= " - id: " . yq($item->{id}) . "\n";
|
|
| 718 |
for my $key (qw(text status owner notes updated_at)) {
|
|
| 719 |
next unless exists $item->{$key} && length($item->{$key} || '');
|
|
| 720 |
$out .= " $key: " . yq($item->{$key}) . "\n";
|
|
| 721 |
} |
|
| 722 |
} |
|
| 723 |
$out .= " actions:\n"; |
|
| 724 |
for my $action (@{ $wo->{actions} || [] }) {
|
|
| 725 |
$out .= " - type: " . yq($action->{type}) . "\n";
|
|
| 726 |
for my $key (qw(host_id name)) {
|
|
| 727 |
next unless exists $action->{$key} && length($action->{$key} || '');
|
|
| 728 |
$out .= " $key: " . yq($action->{$key}) . "\n";
|
|
| 729 |
} |
|
| 730 |
} |
|
| 731 |
} |
|
| 732 |
return $out; |
|
| 733 |
} |
|
| 734 | ||
| 735 |
sub request_payload {
|
|
| 736 |
my ($headers, $body) = @_; |
|
| 737 |
my $type = $headers->{'content-type'} || '';
|
|
| 738 |
if ($type =~ m{application/json}) {
|
|
| 739 |
return json_decode($body || '{}');
|
|
| 740 |
} |
|
| 741 |
return { parse_params($body || '') };
|
|
| 742 |
} |
|
| 743 | ||
| 744 |
sub json_bool {
|
|
| 745 |
my ($value) = @_; |
|
| 746 |
return bless \(my $bool = $value ? 1 : 0), 'HostManager::JSONBool'; |
|
| 747 |
} |
|
| 748 | ||
| 749 |
sub json_encode {
|
|
| 750 |
my ($value) = @_; |
|
| 751 |
if (!defined $value) {
|
|
| 752 |
return 'null'; |
|
| 753 |
} |
|
| 754 |
my $ref = ref($value); |
|
| 755 |
if (!$ref) {
|
|
| 756 |
return $value if $value =~ /\A-?(?:0|[1-9][0-9]*)(?:\.[0-9]+)?\z/; |
|
| 757 |
return json_string($value); |
|
| 758 |
} |
|
| 759 |
if ($ref eq 'HostManager::JSONBool') {
|
|
| 760 |
return $$value ? 'true' : 'false'; |
|
| 761 |
} |
|
| 762 |
if ($ref eq 'ARRAY') {
|
|
| 763 |
return '[' . join(',', map { json_encode($_) } @$value) . ']';
|
|
| 764 |
} |
|
| 765 |
if ($ref eq 'HASH') {
|
|
| 766 |
return '{' . join(',', map { json_string($_) . ':' . json_encode($value->{$_}) } sort keys %$value) . '}';
|
|
| 767 |
} |
|
| 768 |
return json_string("$value");
|
|
| 769 |
} |
|
| 770 | ||
| 771 |
sub json_string {
|
|
| 772 |
my ($value) = @_; |
|
| 773 |
$value = '' unless defined $value; |
|
| 774 |
$value =~ s/\\/\\\\/g; |
|
| 775 |
$value =~ s/"/\\"/g; |
|
| 776 |
$value =~ s/\n/\\n/g; |
|
| 777 |
$value =~ s/\r/\\r/g; |
|
| 778 |
$value =~ s/\t/\\t/g; |
|
| 779 |
$value =~ s/([\x00-\x1f])/sprintf("\\u%04x", ord($1))/eg;
|
|
| 780 |
return qq("$value");
|
|
| 781 |
} |
|
| 782 | ||
| 783 |
sub json_decode {
|
|
| 784 |
my ($text) = @_; |
|
| 785 |
my $i = 0; |
|
| 786 |
my $len = length($text); |
|
| 787 |
my ($parse_value, $parse_string, $parse_array, $parse_object, $parse_number, $skip_ws); |
|
| 788 | ||
| 789 |
$skip_ws = sub {
|
|
| 790 |
$i++ while $i < $len && substr($text, $i, 1) =~ /\s/; |
|
| 791 |
}; |
|
| 792 | ||
| 793 |
$parse_string = sub {
|
|
| 794 |
die "Expected JSON string\n" unless substr($text, $i, 1) eq '"'; |
|
| 795 |
$i++; |
|
| 796 |
my $out = ''; |
|
| 797 |
while ($i < $len) {
|
|
| 798 |
my $ch = substr($text, $i++, 1); |
|
| 799 |
return $out if $ch eq '"'; |
|
| 800 |
if ($ch eq "\\") {
|
|
| 801 |
die "Bad JSON escape\n" if $i >= $len; |
|
| 802 |
my $esc = substr($text, $i++, 1); |
|
| 803 |
if ($esc eq '"' || $esc eq "\\" || $esc eq '/') {
|
|
| 804 |
$out .= $esc; |
|
| 805 |
} elsif ($esc eq 'b') {
|
|
| 806 |
$out .= "\b"; |
|
| 807 |
} elsif ($esc eq 'f') {
|
|
| 808 |
$out .= "\f"; |
|
| 809 |
} elsif ($esc eq 'n') {
|
|
| 810 |
$out .= "\n"; |
|
| 811 |
} elsif ($esc eq 'r') {
|
|
| 812 |
$out .= "\r"; |
|
| 813 |
} elsif ($esc eq 't') {
|
|
| 814 |
$out .= "\t"; |
|
| 815 |
} elsif ($esc eq 'u') {
|
|
| 816 |
my $hex = substr($text, $i, 4); |
|
| 817 |
die "Bad JSON unicode escape\n" unless $hex =~ /\A[0-9A-Fa-f]{4}\z/;
|
|
| 818 |
$out .= chr(hex($hex)); |
|
| 819 |
$i += 4; |
|
| 820 |
} else {
|
|
| 821 |
die "Bad JSON escape\n"; |
|
| 822 |
} |
|
| 823 |
} else {
|
|
| 824 |
$out .= $ch; |
|
| 825 |
} |
|
| 826 |
} |
|
| 827 |
die "Unterminated JSON string\n"; |
|
| 828 |
}; |
|
| 829 | ||
| 830 |
$parse_number = sub {
|
|
| 831 |
my $start = $i; |
|
| 832 |
$i++ if substr($text, $i, 1) eq '-'; |
|
| 833 |
$i++ while $i < $len && substr($text, $i, 1) =~ /[0-9]/; |
|
| 834 |
if ($i < $len && substr($text, $i, 1) eq '.') {
|
|
| 835 |
$i++; |
|
| 836 |
$i++ while $i < $len && substr($text, $i, 1) =~ /[0-9]/; |
|
| 837 |
} |
|
| 838 |
if ($i < $len && substr($text, $i, 1) =~ /[eE]/) {
|
|
| 839 |
$i++; |
|
| 840 |
$i++ if $i < $len && substr($text, $i, 1) =~ /[+-]/; |
|
| 841 |
$i++ while $i < $len && substr($text, $i, 1) =~ /[0-9]/; |
|
| 842 |
} |
|
| 843 |
return 0 + substr($text, $start, $i - $start); |
|
| 844 |
}; |
|
| 845 | ||
| 846 |
$parse_array = sub {
|
|
| 847 |
die "Expected JSON array\n" unless substr($text, $i, 1) eq '['; |
|
| 848 |
$i++; |
|
| 849 |
my @out; |
|
| 850 |
$skip_ws->(); |
|
| 851 |
if ($i < $len && substr($text, $i, 1) eq ']') {
|
|
| 852 |
$i++; |
|
| 853 |
return \@out; |
|
| 854 |
} |
|
| 855 |
while (1) {
|
|
| 856 |
push @out, $parse_value->(); |
|
| 857 |
$skip_ws->(); |
|
| 858 |
my $ch = substr($text, $i++, 1); |
|
| 859 |
last if $ch eq ']'; |
|
| 860 |
die "Expected JSON array comma\n" unless $ch eq ','; |
|
| 861 |
} |
|
| 862 |
return \@out; |
|
| 863 |
}; |
|
| 864 | ||
| 865 |
$parse_object = sub {
|
|
| 866 |
die "Expected JSON object\n" unless substr($text, $i, 1) eq '{';
|
|
| 867 |
$i++; |
|
| 868 |
my %out; |
|
| 869 |
$skip_ws->(); |
|
| 870 |
if ($i < $len && substr($text, $i, 1) eq '}') {
|
|
| 871 |
$i++; |
|
| 872 |
return \%out; |
|
| 873 |
} |
|
| 874 |
while (1) {
|
|
| 875 |
$skip_ws->(); |
|
| 876 |
my $key = $parse_string->(); |
|
| 877 |
$skip_ws->(); |
|
| 878 |
die "Expected JSON object colon\n" unless substr($text, $i++, 1) eq ':'; |
|
| 879 |
$out{$key} = $parse_value->();
|
|
| 880 |
$skip_ws->(); |
|
| 881 |
my $ch = substr($text, $i++, 1); |
|
| 882 |
last if $ch eq '}'; |
|
| 883 |
die "Expected JSON object comma\n" unless $ch eq ','; |
|
| 884 |
} |
|
| 885 |
return \%out; |
|
| 886 |
}; |
|
| 887 | ||
| 888 |
$parse_value = sub {
|
|
| 889 |
$skip_ws->(); |
|
| 890 |
die "Unexpected end of JSON\n" if $i >= $len; |
|
| 891 |
my $ch = substr($text, $i, 1); |
|
| 892 |
return $parse_string->() if $ch eq '"'; |
|
| 893 |
return $parse_object->() if $ch eq '{';
|
|
| 894 |
return $parse_array->() if $ch eq '['; |
|
| 895 |
if (substr($text, $i, 4) eq 'true') {
|
|
| 896 |
$i += 4; |
|
| 897 |
return json_bool(1); |
|
| 898 |
} |
|
| 899 |
if (substr($text, $i, 5) eq 'false') {
|
|
| 900 |
$i += 5; |
|
| 901 |
return json_bool(0); |
|
| 902 |
} |
|
| 903 |
if (substr($text, $i, 4) eq 'null') {
|
|
| 904 |
$i += 4; |
|
| 905 |
return undef; |
|
| 906 |
} |
|
| 907 |
return $parse_number->() if $ch =~ /[-0-9]/; |
|
| 908 |
die "Unexpected JSON token\n"; |
|
| 909 |
}; |
|
| 910 | ||
| 911 |
my $value = $parse_value->(); |
|
| 912 |
$skip_ws->(); |
|
| 913 |
die "Trailing JSON content\n" if $i != $len; |
|
| 914 |
return $value; |
|
| 915 |
} |
|
| 916 | ||
| 917 |
sub parse_params {
|
|
| 918 |
my ($text) = @_; |
|
| 919 |
my %out; |
|
| 920 |
for my $pair (split /&/, $text) {
|
|
| 921 |
next unless length $pair; |
|
| 922 |
my ($k, $v) = split /=/, $pair, 2; |
|
| 923 |
$out{url_decode($k)} = url_decode($v || '');
|
|
| 924 |
} |
|
| 925 |
return %out; |
|
| 926 |
} |
|
| 927 | ||
| 928 |
sub clean_id {
|
|
| 929 |
my ($value) = @_; |
|
| 930 |
$value = lc clean_scalar($value); |
|
| 931 |
$value =~ s/[^a-z0-9_.-]+/-/g; |
|
| 932 |
$value =~ s/^-+|-+$//g; |
|
| 933 |
return $value; |
|
| 934 |
} |
|
| 935 | ||
| 936 |
sub clean_scalar {
|
|
| 937 |
my ($value) = @_; |
|
| 938 |
$value = '' unless defined $value; |
|
| 939 |
$value =~ s/[\r\n\t]+/ /g; |
|
| 940 |
$value =~ s/^\s+|\s+$//g; |
|
| 941 |
return $value; |
|
| 942 |
} |
|
| 943 | ||
| 944 |
sub clean_list {
|
|
| 945 |
my ($value) = @_; |
|
| 946 |
return () unless defined $value; |
|
| 947 |
my @items = ref($value) eq 'ARRAY' ? @$value : split /[\s,]+/, $value; |
|
| 948 |
my @clean; |
|
| 949 |
for my $item (@items) {
|
|
| 950 |
$item = clean_scalar($item); |
|
| 951 |
push @clean, $item if length $item; |
|
| 952 |
} |
|
| 953 |
return @clean; |
|
| 954 |
} |
|
| 955 | ||
| 956 |
sub yq {
|
|
| 957 |
my ($value) = @_; |
|
| 958 |
$value = '' unless defined $value; |
|
| 959 |
$value =~ s/\\/\\\\/g; |
|
| 960 |
$value =~ s/"/\\"/g; |
|
| 961 |
return qq("$value");
|
|
| 962 |
} |
|
| 963 | ||
| 964 |
sub yaml_unquote {
|
|
| 965 |
my ($value) = @_; |
|
| 966 |
$value = '' unless defined $value; |
|
| 967 |
$value =~ s/^\s+|\s+$//g; |
|
| 968 |
if ($value =~ /^"(.*)"$/) {
|
|
| 969 |
$value = $1; |
|
| 970 |
$value =~ s/\\"/"/g; |
|
| 971 |
$value =~ s/\\\\/\\/g; |
|
| 972 |
} |
|
| 973 |
return $value; |
|
| 974 |
} |
|
| 975 | ||
| 976 |
sub verify_totp {
|
|
| 977 |
my ($secret, $otp) = @_; |
|
| 978 |
return 0 unless $secret && $otp =~ /^\d{6}$/;
|
|
| 979 |
my $key = eval { base32_decode($secret) };
|
|
| 980 |
return 0 if $@ || !length $key; |
|
| 981 |
my $counter = int(time() / 30); |
|
| 982 |
for my $offset (-1, 0, 1) {
|
|
| 983 |
return 1 if totp_code($key, $counter + $offset) eq $otp; |
|
| 984 |
} |
|
| 985 |
return 0; |
|
| 986 |
} |
|
| 987 | ||
| 988 |
sub totp_code {
|
|
| 989 |
my ($key, $counter) = @_; |
|
| 990 |
my $msg = pack('NN', int($counter / 4294967296), $counter & 0xffffffff);
|
|
| 991 |
my $hash = hmac_sha1($msg, $key); |
|
| 992 |
my $offset = ord(substr($hash, -1)) & 0x0f; |
|
| 993 |
my $bin = unpack('N', substr($hash, $offset, 4)) & 0x7fffffff;
|
|
| 994 |
return sprintf('%06d', $bin % 1_000_000);
|
|
| 995 |
} |
|
| 996 | ||
| 997 |
sub base32_decode {
|
|
| 998 |
my ($text) = @_; |
|
| 999 |
$text = uc($text || ''); |
|
| 1000 |
$text =~ s/[^A-Z2-7]//g; |
|
| 1001 |
my %map; |
|
| 1002 |
my @chars = ('A'..'Z', '2'..'7');
|
|
| 1003 |
@map{@chars} = (0..31);
|
|
| 1004 |
my ($bits, $value, $out) = (0, 0, ''); |
|
| 1005 |
for my $char (split //, $text) {
|
|
| 1006 |
die "Invalid base32\n" unless exists $map{$char};
|
|
| 1007 |
$value = ($value << 5) | $map{$char};
|
|
| 1008 |
$bits += 5; |
|
| 1009 |
while ($bits >= 8) {
|
|
| 1010 |
$bits -= 8; |
|
| 1011 |
$out .= chr(($value >> $bits) & 0xff); |
|
| 1012 |
} |
|
| 1013 |
} |
|
| 1014 |
return $out; |
|
| 1015 |
} |
|
| 1016 | ||
| 1017 |
sub create_session {
|
|
| 1018 |
my $nonce = random_hex(24); |
|
| 1019 |
my $expires = int(time() + 8 * 3600); |
|
| 1020 |
my $sig = hmac_sha256_hex("$nonce:$expires", $session_secret);
|
|
| 1021 |
my $token = "$nonce:$expires:$sig"; |
|
| 1022 |
$sessions{$token} = $expires;
|
|
| 1023 |
return $token; |
|
| 1024 |
} |
|
| 1025 | ||
| 1026 |
sub is_authenticated {
|
|
| 1027 |
my ($headers) = @_; |
|
| 1028 |
my $token = cookie_value($headers->{'cookie'} || '', 'hm_session');
|
|
| 1029 |
return 0 unless $token; |
|
| 1030 |
my ($nonce, $expires, $sig) = split /:/, $token; |
|
| 1031 |
return 0 unless $nonce && $expires && $sig; |
|
| 1032 |
return 0 if $expires < time(); |
|
| 1033 |
return 0 unless hmac_sha256_hex("$nonce:$expires", $session_secret) eq $sig;
|
|
| 1034 |
return exists $sessions{$token};
|
|
| 1035 |
} |
|
| 1036 | ||
| 1037 |
sub expire_session {
|
|
| 1038 |
my ($headers) = @_; |
|
| 1039 |
my $token = cookie_value($headers->{'cookie'} || '', 'hm_session');
|
|
| 1040 |
delete $sessions{$token} if $token;
|
|
| 1041 |
} |
|
| 1042 | ||
| 1043 |
sub cookie_value {
|
|
| 1044 |
my ($cookie, $name) = @_; |
|
| 1045 |
for my $part (split /;\s*/, $cookie) {
|
|
| 1046 |
my ($k, $v) = split /=/, $part, 2; |
|
| 1047 |
return $v if defined $k && $k eq $name; |
|
| 1048 |
} |
|
| 1049 |
return ''; |
|
| 1050 |
} |
|
| 1051 | ||
| 1052 |
sub send_json {
|
|
| 1053 |
my ($client, $status, $payload, $extra_headers) = @_; |
|
| 1054 |
return send_response($client, $status, json_encode($payload), 'application/json; charset=utf-8', $extra_headers); |
|
| 1055 |
} |
|
| 1056 | ||
| 1057 |
sub send_json_raw {
|
|
| 1058 |
my ($client, $status, $json_body, $extra_headers) = @_; |
|
| 1059 |
return send_response($client, $status, $json_body, 'application/json; charset=utf-8', $extra_headers); |
|
| 1060 |
} |
|
| 1061 | ||
| 1062 |
sub send_html {
|
|
| 1063 |
my ($client, $status, $html) = @_; |
|
| 1064 |
return send_response($client, $status, $html, 'text/html; charset=utf-8'); |
|
| 1065 |
} |
|
| 1066 | ||
| 1067 |
sub send_text {
|
|
| 1068 |
my ($client, $status, $text) = @_; |
|
| 1069 |
return send_response($client, $status, $text, 'text/plain; charset=utf-8'); |
|
| 1070 |
} |
|
| 1071 | ||
| 1072 |
sub send_download {
|
|
| 1073 |
my ($client, $status, $content, $type, $filename) = @_; |
|
| 1074 |
return send_response($client, $status, $content, $type, [ qq(Content-Disposition: attachment; filename="$filename") ]); |
|
| 1075 |
} |
|
| 1076 | ||
| 1077 |
sub send_file {
|
|
| 1078 |
my ($client, $path, $type, $filename) = @_; |
|
| 1079 |
return send_json($client, 404, { error => 'missing_file' }) unless -f $path;
|
|
| 1080 |
return send_download($client, 200, read_file($path), $type, $filename); |
|
| 1081 |
} |
|
| 1082 | ||
| 1083 |
sub send_response {
|
|
| 1084 |
my ($client, $status, $body, $type, $extra_headers) = @_; |
|
| 1085 |
my %reason = (200 => 'OK', 400 => 'Bad Request', 401 => 'Unauthorized', 404 => 'Not Found', 409 => 'Conflict', 500 => 'Internal Server Error', 503 => 'Service Unavailable'); |
|
| 1086 |
$body = '' unless defined $body; |
|
| 1087 |
print $client "HTTP/1.1 $status " . ($reason{$status} || 'OK') . "\r\n";
|
|
| 1088 |
print $client "Content-Type: $type\r\n"; |
|
| 1089 |
print $client "Content-Length: " . length($body) . "\r\n"; |
|
| 1090 |
print $client "Cache-Control: no-store\r\n"; |
|
| 1091 |
print $client "$_\r\n" for @{ $extra_headers || [] };
|
|
| 1092 |
print $client "Connection: close\r\n\r\n"; |
|
| 1093 |
print $client $body; |
|
| 1094 |
} |
|
| 1095 | ||
| 1096 |
sub read_file {
|
|
| 1097 |
my ($path) = @_; |
|
| 1098 |
open my $fh, '<', $path or die "Cannot read $path: $!"; |
|
| 1099 |
local $/; |
|
| 1100 |
return <$fh>; |
|
| 1101 |
} |
|
| 1102 | ||
| 1103 |
sub write_file {
|
|
| 1104 |
my ($path, $content) = @_; |
|
| 1105 |
open my $fh, '>', $path or die "Cannot write $path: $!"; |
|
| 1106 |
print {$fh} $content;
|
|
| 1107 |
close $fh or die "Cannot close $path: $!"; |
|
| 1108 |
} |
|
| 1109 | ||
| 1110 |
sub backup_file {
|
|
| 1111 |
my ($path) = @_; |
|
| 1112 |
return unless -f $path; |
|
| 1113 |
my $backup_dir = "$project_dir/backups/host-manager"; |
|
| 1114 |
make_path($backup_dir) unless -d $backup_dir; |
|
| 1115 |
my $name = $path; |
|
| 1116 |
$name =~ s{.*/}{};
|
|
| 1117 |
my $stamp = strftime('%Y%m%d_%H%M%S', localtime);
|
|
| 1118 |
write_file("$backup_dir/$name.$stamp.bak", read_file($path));
|
|
| 1119 |
} |
|
| 1120 | ||
| 1121 |
sub url_decode {
|
|
| 1122 |
my ($value) = @_; |
|
| 1123 |
$value = '' unless defined $value; |
|
| 1124 |
$value =~ tr/+/ /; |
|
| 1125 |
$value =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
|
|
| 1126 |
return $value; |
|
| 1127 |
} |
|
| 1128 | ||
| 1129 |
sub random_hex {
|
|
| 1130 |
my ($bytes) = @_; |
|
| 1131 |
if (open my $fh, '<:raw', '/dev/urandom') {
|
|
| 1132 |
read($fh, my $raw, $bytes); |
|
| 1133 |
close $fh; |
|
| 1134 |
return unpack('H*', $raw);
|
|
| 1135 |
} |
|
| 1136 |
return sha256_hex(rand() . time() . $$); |
|
| 1137 |
} |
|
| 1138 | ||
| 1139 |
sub iso_now {
|
|
| 1140 |
return strftime('%Y-%m-%dT%H:%M:%SZ', gmtime);
|
|
| 1141 |
} |
|
| 1142 | ||
| 1143 |
sub build_info {
|
|
| 1144 |
my %info = ( |
|
| 1145 |
revision => '', |
|
| 1146 |
branch => '', |
|
| 1147 |
built_at => '', |
|
| 1148 |
deployed_at => '', |
|
| 1149 |
dirty => '', |
|
| 1150 |
); |
|
| 1151 | ||
| 1152 |
if ($ENV{HOST_MANAGER_BUILD}) {
|
|
| 1153 |
$info{revision} = clean_scalar($ENV{HOST_MANAGER_BUILD});
|
|
| 1154 |
return \%info; |
|
| 1155 |
} |
|
| 1156 | ||
| 1157 |
my $build_file = "$project_dir/BUILD"; |
|
| 1158 |
if (-f $build_file) {
|
|
| 1159 |
for my $line (split /\n/, read_file($build_file)) {
|
|
| 1160 |
next unless $line =~ /\A([A-Za-z0-9_.-]+)=(.*)\z/; |
|
| 1161 |
$info{$1} = clean_scalar($2);
|
|
| 1162 |
} |
|
| 1163 |
return \%info if $info{revision} || $info{built_at};
|
|
| 1164 |
} |
|
| 1165 | ||
| 1166 |
my $revision = git_value('rev-parse --short=12 HEAD');
|
|
| 1167 |
my $branch = git_value('rev-parse --abbrev-ref HEAD');
|
|
| 1168 |
$info{revision} = $revision if $revision;
|
|
| 1169 |
$info{branch} = $branch if $branch && $branch ne 'HEAD';
|
|
| 1170 |
return \%info; |
|
| 1171 |
} |
|
| 1172 | ||
| 1173 |
sub git_value {
|
|
| 1174 |
my ($args) = @_; |
|
| 1175 |
return '' unless -d "$project_dir/.git"; |
|
| 1176 |
open my $fh, '-|', "git -C '$project_dir' $args 2>/dev/null" or return ''; |
|
| 1177 |
my $value = <$fh> || ''; |
|
| 1178 |
close $fh; |
|
| 1179 |
chomp $value; |
|
| 1180 |
return clean_scalar($value); |
|
| 1181 |
} |
|
| 1182 | ||
| 1183 |
sub build_label {
|
|
| 1184 |
my $info = build_info(); |
|
| 1185 |
my $revision = $info->{revision} || 'unknown';
|
|
| 1186 |
my $branch = $info->{branch} || '';
|
|
| 1187 |
$branch = '' if $branch eq 'HEAD'; |
|
| 1188 |
my $label = $branch ? "$branch $revision" : $revision; |
|
| 1189 |
$label .= '+dirty' if ($info->{dirty} || '') eq '1';
|
|
| 1190 |
return $label; |
|
| 1191 |
} |
|
| 1192 | ||
| 1193 |
sub build_title {
|
|
| 1194 |
my $info = build_info(); |
|
| 1195 |
my $label = build_label(); |
|
| 1196 |
my $stamp = $info->{deployed_at} || $info->{built_at} || '';
|
|
| 1197 |
return $stamp ? "$label deployed $stamp" : $label; |
|
| 1198 |
} |
|
| 1199 | ||
| 1200 |
sub build_revision {
|
|
| 1201 |
my $info = build_info(); |
|
| 1202 |
return $info->{revision} || 'unknown';
|
|
| 1203 |
} |
|
| 1204 | ||
| 1205 |
sub build_details {
|
|
| 1206 |
my $info = build_info(); |
|
| 1207 |
my %details = ( |
|
| 1208 |
app => 'Madagascar Local Authority', |
|
| 1209 |
revision => $info->{revision} || 'unknown',
|
|
| 1210 |
branch => $info->{branch} || '',
|
|
| 1211 |
dirty => ($info->{dirty} || '') eq '1' ? json_bool(1) : json_bool(0),
|
|
| 1212 |
built_at => $info->{built_at} || '',
|
|
| 1213 |
deployed_at => $info->{deployed_at} || '',
|
|
| 1214 |
label => build_label(), |
|
| 1215 |
title => build_title(), |
|
| 1216 |
); |
|
| 1217 |
return json_encode(\%details); |
|
| 1218 |
} |
|
| 1219 | ||
| 1220 |
sub html_escape {
|
|
| 1221 |
my ($value) = @_; |
|
| 1222 |
$value = '' unless defined $value; |
|
| 1223 |
$value =~ s/&/&/g; |
|
| 1224 |
$value =~ s/</</g; |
|
| 1225 |
$value =~ s/>/>/g; |
|
| 1226 |
$value =~ s/"/"/g; |
|
| 1227 |
$value =~ s/'/'/g; |
|
| 1228 |
return $value; |
|
| 1229 |
} |
|
| 1230 | ||
| 1231 |
sub app_html {
|
|
| 1232 |
my $build = html_escape(build_revision()); |
|
| 1233 |
my $build_title = html_escape(build_title()); |
|
| 1234 |
my $build_details = html_escape(build_details()); |
|
| 1235 |
my $html = <<'HTML'; |
|
| 1236 |
<!doctype html> |
|
| 1237 |
<html lang="ro"> |
|
| 1238 |
<head> |
|
| 1239 |
<meta charset="utf-8"> |
|
| 1240 |
<meta name="viewport" content="width=device-width, initial-scale=1"> |
|
| 1241 |
<meta name="xdev-build" content="__HOST_MANAGER_BUILD_TITLE__"> |
|
| 1242 |
<title>Madagascar Local Authority</title> |
|
| 1243 |
<style> |
|
| 1244 |
:root {
|
|
| 1245 |
color-scheme: light; |
|
| 1246 |
--ink: #152033; |
|
| 1247 |
--muted: #647084; |
|
| 1248 |
--line: #d8dee8; |
|
| 1249 |
--soft: #f4f6f9; |
|
| 1250 |
--panel: #ffffff; |
|
| 1251 |
--accent: #1267d8; |
|
| 1252 |
--bad: #b42318; |
|
| 1253 |
--warn: #946200; |
|
| 1254 |
--ok: #137333; |
|
| 1255 |
} |
|
| 1256 |
* { box-sizing: border-box; }
|
|
| 1257 |
body { margin: 0; font-family: system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; color: var(--ink); background: #eef2f6; font-size: 14px; }
|
|
| 1258 | ||
| 1259 |
/* ── Login screen ── */ |
|
| 1260 |
#login-screen {
|
|
| 1261 |
display: flex; |
|
| 1262 |
align-items: flex-start; |
|
| 1263 |
justify-content: center; |
|
| 1264 |
min-height: 100dvh; |
|
| 1265 |
padding: clamp(48px, 10vh, 96px) 24px clamp(140px, 20vh, 220px); |
|
| 1266 |
background: #13182a; |
|
| 1267 |
overflow: auto; |
|
| 1268 |
} |
|
| 1269 |
.login-card {
|
|
| 1270 |
--otp-size: 48px; |
|
| 1271 |
--otp-gap: 18px; |
|
| 1272 |
--login-form-width: calc((var(--otp-size) * 6) + (var(--otp-gap) * 5)); |
|
| 1273 |
background: #fff; |
|
| 1274 |
border-radius: 16px; |
|
| 1275 |
padding: 54px 64px 34px; |
|
| 1276 |
width: 100%; |
|
| 1277 |
max-width: 680px; |
|
| 1278 |
min-height: 360px; |
|
| 1279 |
display: grid; |
|
| 1280 |
align-content: start; |
|
| 1281 |
justify-items: center; |
|
| 1282 |
gap: 28px; |
|
| 1283 |
box-shadow: 0 8px 40px rgba(0,0,0,.28); |
|
| 1284 |
} |
|
| 1285 |
.login-card .brand { text-align: center; display: grid; gap: 8px; justify-items: center; }
|
|
| 1286 |
.login-card .brand .icon {
|
|
| 1287 |
margin: 0 0 8px; |
|
| 1288 |
width: 64px; height: 64px; border-radius: 18px; |
|
| 1289 |
background: #e8f0fe; display: flex; align-items: center; justify-content: center; |
|
| 1290 |
} |
|
| 1291 |
.login-card .brand .icon svg { width: 38px; height: 38px; fill: none; stroke: var(--accent); stroke-width: 2.4; stroke-linecap: round; stroke-linejoin: round; }
|
|
| 1292 |
.login-card .brand h1 { margin: 0; font-size: 32px; line-height: 1.05; font-weight: 750; color: var(--ink); }
|
|
| 1293 |
.login-card .brand p { margin: 0; color: var(--muted); font-size: 16px; }
|
|
| 1294 |
.login-card form {
|
|
| 1295 |
display: grid; |
|
| 1296 |
width: min(100%, var(--login-form-width)); |
|
| 1297 |
justify-self: center; |
|
| 1298 |
padding-bottom: 0; |
|
| 1299 |
} |
|
| 1300 |
.login-card form.busy { opacity: .72; pointer-events: none; }
|
|
| 1301 |
/* Off-screen helper fields keep the visible UI to the 6 OTP boxes while still |
|
| 1302 |
giving the password manager a username anchor and an aggregated OTP target |
|
| 1303 |
(see development-log: "Password-Manager-Friendly Form Shape"). */ |
|
| 1304 |
.pm-helper-fields {
|
|
| 1305 |
position: absolute; |
|
| 1306 |
left: -10000px; |
|
| 1307 |
top: auto; |
|
| 1308 |
width: 1px; |
|
| 1309 |
height: 1px; |
|
| 1310 |
overflow: hidden; |
|
| 1311 |
opacity: 0.01; |
|
| 1312 |
} |
|
| 1313 |
.pm-helper-fields input {
|
|
| 1314 |
width: 1px; |
|
| 1315 |
height: 1px; |
|
| 1316 |
padding: 0; |
|
| 1317 |
border: 0; |
|
| 1318 |
} |
|
| 1319 |
/* 6 separate OTP digit boxes. No autocomplete="one-time-code" on them: that |
|
| 1320 |
hint was what made Safari mark the whole group and re-present its OTP |
|
| 1321 |
autofill on every focused box. Without it, the banner stays on the first. */ |
|
| 1322 |
.otp-row {
|
|
| 1323 |
display: flex; |
|
| 1324 |
gap: var(--otp-gap); |
|
| 1325 |
justify-content: center; |
|
| 1326 |
} |
|
| 1327 |
.otp-row input {
|
|
| 1328 |
width: var(--otp-size); height: 56px; border: 1.5px solid #dde2ec; border-radius: 10px; |
|
| 1329 |
font-size: 22px; font-weight: 600; text-align: center; color: var(--ink); |
|
| 1330 |
background: #f8fafc; caret-color: transparent; outline: none; |
|
| 1331 |
transition: border-color .15s, background .15s; |
|
| 1332 |
} |
|
| 1333 |
.otp-row input:focus { border-color: var(--accent); background: #fff; }
|
|
| 1334 |
.otp-row input.filled { border-color: #b3c6f0; background: #fff; }
|
|
| 1335 |
#login-error {
|
|
| 1336 |
color: var(--bad); font-size: 13px; text-align: center; |
|
| 1337 |
min-height: 18px; margin: -14px 0; |
|
| 1338 |
} |
|
| 1339 |
@media (max-width: 760px) {
|
|
| 1340 |
.login-card {
|
|
| 1341 |
max-width: 520px; |
|
| 1342 |
min-height: 0; |
|
| 1343 |
padding: 48px 36px 44px; |
|
| 1344 |
gap: 26px; |
|
| 1345 |
} |
|
| 1346 |
.login-card .brand h1 { font-size: 24px; }
|
|
| 1347 |
.login-card .brand p { font-size: 14px; }
|
|
| 1348 |
.login-card form { padding-bottom: 0; }
|
|
| 1349 |
} |
|
| 1350 |
@media (max-width: 430px) {
|
|
| 1351 |
#login-screen { padding: 24px 16px 120px; }
|
|
| 1352 |
.login-card {
|
|
| 1353 |
--otp-size: 42px; |
|
| 1354 |
--otp-gap: 12px; |
|
| 1355 |
padding: 36px 22px 34px; |
|
| 1356 |
} |
|
| 1357 |
.otp-row input { height: 52px; }
|
|
| 1358 |
.login-card form { padding-bottom: 0; }
|
|
| 1359 |
} |
|
| 1360 |
@media (max-height: 720px) {
|
|
| 1361 |
#login-screen { padding-top: 28px; padding-bottom: 96px; }
|
|
| 1362 |
.login-card { padding-top: 34px; padding-bottom: 34px; gap: 20px; }
|
|
| 1363 |
.login-card form { padding-bottom: 0; }
|
|
| 1364 |
} |
|
| 1365 | ||
| 1366 |
/* ── App shell (hidden until authenticated) ── */ |
|
| 1367 |
#app { display: none; }
|
|
| 1368 |
header { display: grid; grid-template-columns: minmax(180px, auto) 1fr auto; align-items: center; gap: 16px; padding: 12px 18px; background: var(--panel); border-bottom: 1px solid var(--line); position: sticky; top: 0; z-index: 2; }
|
|
| 1369 |
h1 { margin: 0; font-size: 17px; font-weight: 700; }
|
|
| 1370 |
nav { display: flex; align-items: center; gap: 4px; min-width: 0; overflow-x: auto; }
|
|
| 1371 |
nav a { color: var(--muted); text-decoration: none; padding: 7px 10px; border-radius: 6px; white-space: nowrap; font-weight: 650; }
|
|
| 1372 |
nav a:hover { color: var(--ink); background: var(--soft); }
|
|
| 1373 |
nav a.active { color: var(--accent); background: #e8f0fe; }
|
|
| 1374 |
.header-right { display: flex; align-items: center; justify-content: flex-end; gap: 10px; min-width: 0; }
|
|
| 1375 |
#message { max-width: 260px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; }
|
|
| 1376 |
main { padding: 16px; display: grid; gap: 16px; max-width: 1280px; margin: 0 auto; }
|
|
| 1377 |
.page { display: grid; gap: 16px; }
|
|
| 1378 |
.page[hidden] { display: none; }
|
|
| 1379 |
.toolbar, .panel { background: var(--panel); border: 1px solid var(--line); border-radius: 8px; }
|
|
| 1380 |
.toolbar { display: flex; flex-wrap: wrap; align-items: center; gap: 8px; padding: 10px; }
|
|
| 1381 |
.panel { overflow: hidden; }
|
|
| 1382 |
.panel-head { display: flex; justify-content: space-between; align-items: center; gap: 12px; padding: 12px 14px; border-bottom: 1px solid var(--line); background: #fafbfc; }
|
|
| 1383 |
.panel-head h2 { margin: 0; font-size: 14px; }
|
|
| 1384 |
.stats { display: flex; gap: 8px; flex-wrap: wrap; }
|
|
| 1385 |
.stat { padding: 6px 8px; border: 1px solid var(--line); border-radius: 6px; background: var(--soft); font-size: 12px; color: var(--muted); }
|
|
| 1386 |
button, input, select, textarea { font: inherit; }
|
|
| 1387 |
button, .linkbtn { border: 1px solid var(--line); background: #fff; color: var(--ink); border-radius: 6px; padding: 7px 10px; min-height: 34px; cursor: pointer; text-decoration: none; display: inline-flex; align-items: center; gap: 6px; }
|
|
| 1388 |
button.primary { background: var(--accent); border-color: var(--accent); color: #fff; }
|
|
| 1389 |
button:disabled { opacity: .45; cursor: not-allowed; }
|
|
| 1390 |
button.danger { color: var(--bad); }
|
|
| 1391 |
button:disabled, .linkbtn[aria-disabled="true"] { opacity: .55; cursor: not-allowed; pointer-events: none; }
|
|
| 1392 |
input, select, textarea { width: 100%; border: 1px solid var(--line); border-radius: 6px; padding: 8px; background: #fff; color: var(--ink); }
|
|
| 1393 |
textarea { min-height: 74px; resize: vertical; }
|
|
| 1394 |
table { width: 100%; border-collapse: collapse; table-layout: fixed; }
|
|
| 1395 |
th, td { padding: 9px 10px; border-bottom: 1px solid var(--line); text-align: left; vertical-align: top; overflow-wrap: anywhere; }
|
|
| 1396 |
th { color: var(--muted); font-size: 12px; font-weight: 700; background: #fafbfc; }
|
|
| 1397 |
tr:hover td { background: #f8fafc; }
|
|
| 1398 |
.pill { display: inline-block; padding: 2px 6px; border-radius: 999px; background: var(--soft); border: 1px solid var(--line); color: var(--muted); font-size: 12px; margin: 0 4px 4px 0; }
|
|
| 1399 |
.pill.ok { color: var(--ok); border-color: #b7dfc1; background: #edf8ef; }
|
|
| 1400 |
.pill.warn { color: var(--warn); border-color: #f1d184; background: #fff7df; }
|
|
| 1401 |
.pill.bad { color: var(--bad); border-color: #f0b8b3; background: #fff0ee; }
|
|
| 1402 |
.pill.derived { border-style: dashed; }
|
|
| 1403 |
.grid { display: grid; grid-template-columns: repeat(2, minmax(0, 1fr)); gap: 10px; padding: 14px; }
|
|
| 1404 |
.span2 { grid-column: 1 / -1; }
|
|
| 1405 |
label { display: grid; gap: 5px; color: var(--muted); font-size: 12px; font-weight: 650; }
|
|
| 1406 |
.muted { color: var(--muted); }
|
|
| 1407 |
.mono { font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, "Liberation Mono", monospace; font-size: 12px; }
|
|
| 1408 |
.ca-detail { display: grid; gap: 6px; min-width: 0; }
|
|
| 1409 |
.ca-fingerprint { overflow-wrap: anywhere; }
|
|
| 1410 |
.ca-empty { padding: 12px 14px; }
|
|
| 1411 |
.build-control {
|
|
| 1412 |
position: fixed; |
|
| 1413 |
right: 10px; |
|
| 1414 |
bottom: 8px; |
|
| 1415 |
z-index: 5; |
|
| 1416 |
display: inline-flex; |
|
| 1417 |
align-items: center; |
|
| 1418 |
gap: 4px; |
|
| 1419 |
} |
|
| 1420 |
.build-badge, .build-copy {
|
|
| 1421 |
color: rgba(255,255,255,.46); |
|
| 1422 |
background: rgba(19,24,42,.28); |
|
| 1423 |
border: 1px solid rgba(255,255,255,.08); |
|
| 1424 |
border-radius: 4px; |
|
| 1425 |
font-size: 10px; |
|
| 1426 |
line-height: 1.2; |
|
| 1427 |
} |
|
| 1428 |
.build-badge {
|
|
| 1429 |
padding: 2px 5px; |
|
| 1430 |
cursor: text; |
|
| 1431 |
user-select: text; |
|
| 1432 |
} |
|
| 1433 |
.build-copy {
|
|
| 1434 |
min-height: 0; |
|
| 1435 |
padding: 2px 5px; |
|
| 1436 |
cursor: pointer; |
|
| 1437 |
} |
|
| 1438 |
.build-copy:hover {
|
|
| 1439 |
color: rgba(255,255,255,.72); |
|
| 1440 |
border-color: rgba(255,255,255,.24); |
|
| 1441 |
} |
|
| 1442 |
body.is-app .build-badge, body.is-app .build-copy {
|
|
| 1443 |
color: rgba(100,112,132,.58); |
|
| 1444 |
background: rgba(255,255,255,.72); |
|
| 1445 |
border-color: rgba(216,222,232,.72); |
|
| 1446 |
} |
|
| 1447 |
body.is-app .build-copy:hover {
|
|
| 1448 |
color: rgba(21,32,51,.78); |
|
| 1449 |
border-color: rgba(100,112,132,.42); |
|
| 1450 |
} |
|
| 1451 |
.problems { padding: 10px 14px; display: grid; gap: 8px; }
|
|
| 1452 |
.problem { border-left: 3px solid var(--warn); padding: 7px 9px; background: #fffaf0; }
|
|
| 1453 |
.work-order-card { display: grid; gap: 8px; min-width: 0; }
|
|
| 1454 |
.work-order-head { display: flex; align-items: center; justify-content: space-between; gap: 12px; flex-wrap: wrap; }
|
|
| 1455 |
.work-order-title { color: var(--ink); font-size: 14px; font-weight: 650; }
|
|
| 1456 |
.work-order-checklist, .work-order-actions { display: grid; gap: 6px; min-width: 0; }
|
|
| 1457 |
.work-order-actions { gap: 4px; }
|
|
| 1458 |
.work-order-checkitem { display: flex; align-items: flex-start; gap: 8px; min-width: 0; color: var(--ink); font-size: 13px; font-weight: 400; }
|
|
| 1459 |
.work-order-checkitem input[type="checkbox"] { width: auto; flex: 0 0 auto; margin: 2px 0 0; }
|
|
| 1460 |
.work-order-checkitem span { min-width: 0; overflow-wrap: anywhere; }
|
|
| 1461 |
.host-tools { display: flex; align-items: center; justify-content: flex-end; gap: 8px; min-width: 0; }
|
|
| 1462 |
.host-tools input { max-width: 240px; }
|
|
| 1463 |
.modal-backdrop {
|
|
| 1464 |
position: fixed; |
|
| 1465 |
inset: 0; |
|
| 1466 |
z-index: 10; |
|
| 1467 |
display: grid; |
|
| 1468 |
align-items: start; |
|
| 1469 |
justify-items: center; |
|
| 1470 |
padding: 72px 16px 24px; |
|
| 1471 |
background: rgba(21,32,51,.48); |
|
| 1472 |
overflow: auto; |
|
| 1473 |
} |
|
| 1474 |
.modal-backdrop[hidden] { display: none; }
|
|
| 1475 |
.modal {
|
|
| 1476 |
width: min(840px, 100%); |
|
| 1477 |
max-height: calc(100dvh - 96px); |
|
| 1478 |
overflow: auto; |
|
| 1479 |
background: var(--panel); |
|
| 1480 |
border: 1px solid var(--line); |
|
| 1481 |
border-radius: 8px; |
|
| 1482 |
box-shadow: 0 20px 60px rgba(21,32,51,.26); |
|
| 1483 |
} |
|
| 1484 |
.modal-head {
|
|
| 1485 |
position: sticky; |
|
| 1486 |
top: 0; |
|
| 1487 |
z-index: 1; |
|
| 1488 |
display: flex; |
|
| 1489 |
align-items: center; |
|
| 1490 |
justify-content: space-between; |
|
| 1491 |
gap: 12px; |
|
| 1492 |
padding: 12px 14px; |
|
| 1493 |
border-bottom: 1px solid var(--line); |
|
| 1494 |
background: #fafbfc; |
|
| 1495 |
} |
|
| 1496 |
.modal-head h2 { margin: 0; font-size: 14px; }
|
|
| 1497 |
.modal-close { min-width: 34px; justify-content: center; padding: 7px; }
|
|
| 1498 |
.form-message { min-height: 18px; color: var(--muted); font-size: 13px; }
|
|
| 1499 |
.form-message.error { color: var(--bad); }
|
|
| 1500 |
.form-actions { display: flex; flex-wrap: wrap; gap: 8px; }
|
|
| 1501 |
@media (max-width: 760px) {
|
|
| 1502 |
header { grid-template-columns: 1fr; align-items: stretch; gap: 10px; }
|
|
| 1503 |
.header-right { justify-content: flex-start; flex-wrap: wrap; }
|
|
| 1504 |
#message { max-width: 100%; }
|
|
| 1505 |
.panel-head { align-items: stretch; flex-direction: column; }
|
|
| 1506 |
.host-tools { justify-content: flex-start; flex-wrap: wrap; }
|
|
| 1507 |
.host-tools input { max-width: none; }
|
|
| 1508 |
.modal-backdrop { padding-top: 16px; }
|
|
| 1509 |
.modal { max-height: calc(100dvh - 32px); }
|
|
| 1510 |
.grid { grid-template-columns: 1fr; }
|
|
| 1511 |
table { min-width: 760px; }
|
|
| 1512 |
.table-wrap { overflow-x: auto; }
|
|
| 1513 |
} |
|
| 1514 |
</style> |
|
| 1515 |
</head> |
|
| 1516 |
<body class="is-login"> |
|
| 1517 | ||
| 1518 |
<!-- ── Login screen ── --> |
|
| 1519 |
<div id="login-screen"> |
|
| 1520 |
<div class="login-card"> |
|
| 1521 |
<div class="brand"> |
|
| 1522 |
<div class="icon"> |
|
| 1523 |
<svg viewBox="0 0 64 64" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> |
|
| 1524 |
<rect x="16" y="10" width="32" height="44" rx="4"/> |
|
| 1525 |
<rect x="21" y="16" width="22" height="8" rx="2"/> |
|
| 1526 |
<rect x="21" y="28" width="22" height="8" rx="2"/> |
|
| 1527 |
<rect x="21" y="40" width="22" height="8" rx="2"/> |
|
| 1528 |
<path d="M26 20h8M26 32h8M26 44h8"/> |
|
| 1529 |
<path d="M40 20h.01M40 32h.01M40 44h.01"/> |
|
| 1530 |
</svg> |
|
| 1531 |
</div> |
|
| 1532 |
<h1>Madagascar Local Authority</h1> |
|
| 1533 |
<p>Hosts, DNS & Local CA</p> |
|
| 1534 |
</div> |
|
| 1535 |
<div id="login-error"></div> |
|
| 1536 |
<form id="login-form" method="post" action="/api/login" autocomplete="on" novalidate> |
|
| 1537 |
<div class="pm-helper-fields" aria-hidden="true"> |
|
| 1538 |
<input type="text" id="login-account" name="username" autocomplete="username" autocapitalize="off" spellcheck="false"> |
|
| 1539 |
<input type="hidden" id="otp-hidden" name="otp"> |
|
| 1540 |
</div> |
|
| 1541 |
<div class="otp-row"> |
|
| 1542 |
<input type="text" class="otp-digit" maxlength="1" inputmode="numeric" autocomplete="off" required aria-label="Digit 1"> |
|
| 1543 |
<input type="text" class="otp-digit" maxlength="1" inputmode="numeric" autocomplete="off" required aria-label="Digit 2"> |
|
| 1544 |
<input type="text" class="otp-digit" maxlength="1" inputmode="numeric" autocomplete="off" required aria-label="Digit 3"> |
|
| 1545 |
<input type="text" class="otp-digit" maxlength="1" inputmode="numeric" autocomplete="off" required aria-label="Digit 4"> |
|
| 1546 |
<input type="text" class="otp-digit" maxlength="1" inputmode="numeric" autocomplete="off" required aria-label="Digit 5"> |
|
| 1547 |
<input type="text" class="otp-digit" maxlength="1" inputmode="numeric" autocomplete="off" required aria-label="Digit 6"> |
|
| 1548 |
</div> |
|
| 1549 |
</form> |
|
| 1550 |
</div> |
|
| 1551 |
</div> |
|
| 1552 | ||
| 1553 |
<!-- ── App (shown after login) ── --> |
|
| 1554 |
<div id="app"> |
|
| 1555 |
<header> |
|
| 1556 |
<h1>Madagascar Local Authority</h1> |
|
| 1557 |
<nav aria-label="Sections"> |
|
| 1558 |
<a href="/overview" data-page-link="overview">Overview</a> |
|
| 1559 |
<a href="/hosts" data-page-link="hosts">Hosts</a> |
|
| 1560 |
<a href="/dns" data-page-link="dns">DNS</a> |
|
| 1561 |
<a href="/work-orders" data-page-link="work-orders">Work Orders</a> |
|
| 1562 |
<a href="/ca" data-page-link="ca">Local CA</a> |
|
| 1563 |
</nav> |
|
| 1564 |
<div class="header-right"> |
|
| 1565 |
<span class="muted" id="app-updated"></span> |
|
| 1566 |
<span id="message" class="muted"></span> |
|
| 1567 |
<button id="refresh">Refresh</button> |
|
| 1568 |
<button type="button" id="logout">Logout</button> |
|
| 1569 |
</div> |
|
| 1570 |
</header> |
|
| 1571 |
<main> |
|
| 1572 |
<section class="page" id="page-overview" data-page="overview"> |
|
| 1573 |
<section class="panel"> |
|
| 1574 |
<div class="panel-head"> |
|
| 1575 |
<h2>Overview</h2> |
|
| 1576 |
<div class="stats" id="stats"></div> |
|
| 1577 |
</div> |
|
| 1578 |
<div class="problems" id="problems"></div> |
|
| 1579 |
</section> |
|
| 1580 |
</section> |
|
| 1581 | ||
| 1582 |
<section class="page" id="page-hosts" data-page="hosts" hidden> |
|
| 1583 |
<section class="panel"> |
|
| 1584 |
<div class="panel-head"> |
|
| 1585 |
<h2>Hosts</h2> |
|
| 1586 |
<div class="host-tools"> |
|
| 1587 |
<input id="filter" placeholder="filter"> |
|
| 1588 |
<button type="button" id="new-host">New host</button> |
|
| 1589 |
</div> |
|
| 1590 |
</div> |
|
| 1591 |
<div class="table-wrap"> |
|
| 1592 |
<table> |
|
| 1593 |
<thead> |
|
| 1594 |
<tr> |
|
| 1595 |
<th style="width: 120px">ID</th> |
|
| 1596 |
<th style="width: 130px">hosts_ip</th> |
|
| 1597 |
<th style="width: 130px">dns_ip</th> |
|
| 1598 |
<th>Names</th> |
|
| 1599 |
<th style="width: 150px">Roles</th> |
|
| 1600 |
<th style="width: 110px">Monitoring</th> |
|
| 1601 |
<th style="width: 90px">Status</th> |
|
| 1602 |
</tr> |
|
| 1603 |
</thead> |
|
| 1604 |
<tbody id="hosts"></tbody> |
|
| 1605 |
</table> |
|
| 1606 |
</div> |
|
| 1607 |
</section> |
|
| 1608 |
</section> |
|
| 1609 | ||
| 1610 |
<section class="page" id="page-dns" data-page="dns" hidden> |
|
| 1611 |
<section class="toolbar"> |
|
| 1612 |
<a class="linkbtn" href="/download/hosts.yaml">hosts.yaml</a> |
|
| 1613 |
<a class="linkbtn" href="/download/local-hosts.tsv">local-hosts.tsv</a> |
|
| 1614 |
<a class="linkbtn" href="/download/monitoring.json">monitoring.json</a> |
|
| 1615 |
<button id="write-tsv">Write local-hosts.tsv</button> |
|
| 1616 |
</section> |
|
| 1617 |
</section> |
|
| 1618 | ||
| 1619 |
<section class="page" id="page-work-orders" data-page="work-orders" hidden> |
|
| 1620 |
<section class="panel"> |
|
| 1621 |
<div class="panel-head"> |
|
| 1622 |
<h2>Work Orders</h2> |
|
| 1623 |
<div class="stats" id="wo-stats"></div> |
|
| 1624 |
</div> |
|
| 1625 |
<div class="problems" id="work-orders"></div> |
|
| 1626 |
</section> |
|
| 1627 |
</section> |
|
| 1628 | ||
| 1629 |
<section class="page" id="page-ca" data-page="ca" hidden> |
|
| 1630 |
<section class="panel"> |
|
| 1631 |
<div class="panel-head"> |
|
| 1632 |
<h2>Local Certificate Authority</h2> |
|
| 1633 |
<a class="linkbtn" href="/download/ca.crt">ca.crt</a> |
|
| 1634 |
</div> |
|
| 1635 |
<div class="problems" id="ca-status"></div> |
|
| 1636 |
</section> |
|
| 1637 |
<section class="panel"> |
|
| 1638 |
<div class="panel-head"> |
|
| 1639 |
<h2>Issued Certificates</h2> |
|
| 1640 |
<div class="stats" id="ca-certs-summary"></div> |
|
| 1641 |
</div> |
|
| 1642 |
<div class="table-wrap"> |
|
| 1643 |
<table> |
|
| 1644 |
<thead> |
|
| 1645 |
<tr> |
|
| 1646 |
<th style="width: 150px">Name</th> |
|
| 1647 |
<th>DNS names</th> |
|
| 1648 |
<th style="width: 210px">Validity</th> |
|
| 1649 |
<th style="width: 180px">Serial</th> |
|
| 1650 |
<th>Fingerprint</th> |
|
| 1651 |
<th style="width: 110px">Download</th> |
|
| 1652 |
</tr> |
|
| 1653 |
</thead> |
|
| 1654 |
<tbody id="ca-certs"></tbody> |
|
| 1655 |
</table> |
|
| 1656 |
</div> |
|
| 1657 |
</section> |
|
| 1658 |
</section> |
|
| 1659 |
</main> |
|
| 1660 | ||
| 1661 |
<div id="host-modal" class="modal-backdrop" hidden> |
|
| 1662 |
<section class="modal" role="dialog" aria-modal="true" aria-labelledby="host-modal-title"> |
|
| 1663 |
<div class="modal-head"> |
|
| 1664 |
<h2 id="host-modal-title">Edit host</h2> |
|
| 1665 |
<button type="button" id="close-host-modal" class="modal-close" aria-label="Close host editor">x</button> |
|
| 1666 |
</div> |
|
| 1667 |
<form id="host-form" class="grid"> |
|
| 1668 |
<label>ID<input name="id" required></label> |
|
| 1669 |
<label>Status<select name="status"><option>active</option><option>planned</option><option>retired</option></select></label> |
|
| 1670 |
<label>hosts_ip<input name="hosts_ip" required></label> |
|
| 1671 |
<label>dns_ip<input name="dns_ip" required></label> |
|
| 1672 |
<label class="span2">Names<textarea name="names" required></textarea></label> |
|
| 1673 |
<label>Roles<input name="roles"></label> |
|
| 1674 |
<label>Sources<input name="sources"></label> |
|
| 1675 |
<label>Monitoring<select name="monitoring"><option>pending</option><option>enabled</option><option>disabled</option></select></label> |
|
| 1676 |
<label>Notes<input name="notes"></label> |
|
| 1677 |
<div id="host-form-message" class="span2 form-message" aria-live="polite"></div> |
|
| 1678 |
<div class="span2 form-actions"> |
|
| 1679 |
<button class="primary" type="submit" id="save-host">Save host</button> |
|
| 1680 |
<button class="danger" type="button" id="delete-host">Delete host</button> |
|
| 1681 |
</div> |
|
| 1682 |
</form> |
|
| 1683 |
</section> |
|
| 1684 |
</div> |
|
| 1685 |
</div> |
|
| 1686 | ||
| 1687 |
<div class="build-control" title="Running build __HOST_MANAGER_BUILD_TITLE__"> |
|
| 1688 |
<span class="build-badge">__HOST_MANAGER_BUILD__</span> |
|
| 1689 |
<button type="button" class="build-copy" id="copy-build" data-build-details="__HOST_MANAGER_BUILD_DETAILS__" aria-label="Copy build details">Copy</button> |
|
| 1690 |
</div> |
|
| 1691 | ||
| 1692 |
<script> |
|
| 1693 |
let state = { hosts: [], problems: [], workOrders: [], authenticated: false };
|
|
| 1694 |
let hostFormSnapshot = ''; |
|
| 1695 | ||
| 1696 |
const $ = (id) => document.getElementById(id); |
|
| 1697 |
const msg = (text) => { $('message').textContent = text || ''; };
|
|
| 1698 |
const PAGE_PATHS = {
|
|
| 1699 |
'/': 'overview', |
|
| 1700 |
'/overview': 'overview', |
|
| 1701 |
'/hosts': 'hosts', |
|
| 1702 |
'/dns': 'dns', |
|
| 1703 |
'/work-orders': 'work-orders', |
|
| 1704 |
'/ca': 'ca', |
|
| 1705 |
}; |
|
| 1706 | ||
| 1707 |
async function api(path, options = {}) {
|
|
| 1708 |
const res = await fetch(path, options); |
|
| 1709 |
const body = await res.json(); |
|
| 1710 |
if (!res.ok) throw new Error(body.error || res.statusText); |
|
| 1711 |
return body; |
|
| 1712 |
} |
|
| 1713 | ||
| 1714 |
function currentPage() {
|
|
| 1715 |
return PAGE_PATHS[window.location.pathname] || 'overview'; |
|
| 1716 |
} |
|
| 1717 | ||
| 1718 |
function showPage(page, push = false) {
|
|
| 1719 |
const target = page || 'overview'; |
|
| 1720 |
document.querySelectorAll('[data-page]').forEach(section => {
|
|
| 1721 |
section.hidden = section.dataset.page !== target; |
|
| 1722 |
}); |
|
| 1723 |
document.querySelectorAll('[data-page-link]').forEach(link => {
|
|
| 1724 |
link.classList.toggle('active', link.dataset.pageLink === target);
|
|
| 1725 |
link.setAttribute('aria-current', link.dataset.pageLink === target ? 'page' : 'false');
|
|
| 1726 |
}); |
|
| 1727 |
if (push) {
|
|
| 1728 |
const href = target === 'overview' ? '/overview' : '/' + target; |
|
| 1729 |
history.pushState({ page: target }, '', href);
|
|
| 1730 |
} |
|
| 1731 |
} |
|
| 1732 | ||
| 1733 |
function showLogin(errorText) {
|
|
| 1734 |
document.body.classList.remove('is-app');
|
|
| 1735 |
document.body.classList.add('is-login');
|
|
| 1736 |
$('app').style.display = 'none';
|
|
| 1737 |
$('login-screen').style.display = 'flex';
|
|
| 1738 |
$('login-error').textContent = errorText || '';
|
|
| 1739 |
clearOtp(); |
|
| 1740 |
} |
|
| 1741 | ||
| 1742 |
function showApp() {
|
|
| 1743 |
document.body.classList.remove('is-login');
|
|
| 1744 |
document.body.classList.add('is-app');
|
|
| 1745 |
$('login-screen').style.display = 'none';
|
|
| 1746 |
$('app').style.display = 'block';
|
|
| 1747 |
showPage(currentPage()); |
|
| 1748 |
} |
|
| 1749 | ||
| 1750 |
async function refresh() {
|
|
| 1751 |
const session = await api('/api/session');
|
|
| 1752 |
state.authenticated = session.authenticated; |
|
| 1753 |
if (!state.authenticated) { showLogin(); return; }
|
|
| 1754 |
showApp(); |
|
| 1755 |
const data = await api('/api/hosts');
|
|
| 1756 |
state.hosts = data.hosts || []; |
|
| 1757 |
state.problems = data.problems || []; |
|
| 1758 |
render(data); |
|
| 1759 |
await renderCa(); |
|
| 1760 |
await renderWorkOrders(); |
|
| 1761 |
} |
|
| 1762 | ||
| 1763 |
function render(data) {
|
|
| 1764 |
$('app-updated').textContent = data.updated_at ? 'updated ' + data.updated_at : '';
|
|
| 1765 | ||
| 1766 |
$('stats').innerHTML = [
|
|
| 1767 |
['hosts', data.counts.hosts], |
|
| 1768 |
['problems', data.counts.problems], |
|
| 1769 |
].map(([k, v]) => `<span class="stat">${k}: ${escapeHtml(String(v))}</span>`).join('');
|
|
| 1770 | ||
| 1771 |
$('problems').innerHTML = state.problems.length
|
|
| 1772 |
? state.problems.map(p => `<div class="problem"><strong>${escapeHtml(p.host_id)}</strong> ${escapeHtml(p.code)}: ${escapeHtml(p.message)}</div>`).join('')
|
|
| 1773 |
: '<div class="muted" style="padding: 8px 0">No registry problems detected.</div>'; |
|
| 1774 | ||
| 1775 |
renderHosts(); |
|
| 1776 |
} |
|
| 1777 | ||
| 1778 |
async function renderCa() {
|
|
| 1779 |
try {
|
|
| 1780 |
const status = await api('/api/ca/status');
|
|
| 1781 |
if (!status.initialized) {
|
|
| 1782 |
$('ca-status').innerHTML = '<div class="problem"><strong>not initialized</strong> Run <code>sudo scripts/ca_manager.sh init</code> on jumper.</div>';
|
|
| 1783 |
$('ca-certs-summary').innerHTML = '';
|
|
| 1784 |
$('ca-certs').innerHTML = '<tr><td colspan="6" class="muted">CA is not initialized.</td></tr>';
|
|
| 1785 |
return; |
|
| 1786 |
} |
|
| 1787 |
const certs = await api('/api/ca/certificates');
|
|
| 1788 |
const caDays = daysUntil(status.not_after); |
|
| 1789 |
$('ca-status').innerHTML = `
|
|
| 1790 |
<div class="muted ca-detail"> |
|
| 1791 |
<div><strong>${escapeHtml(status.subject || '')}</strong></div>
|
|
| 1792 |
<div>SHA256 <span class="mono ca-fingerprint">${escapeHtml(status.fingerprint_sha256 || '')}</span></div>
|
|
| 1793 |
<div>valid ${escapeHtml(status.not_before || '')} - ${escapeHtml(status.not_after || '')}</div>
|
|
| 1794 |
<div> |
|
| 1795 |
<span class="pill ${certStatusClass(caDays)}">${escapeHtml(certStatusLabel(caDays))}</span>
|
|
| 1796 |
<span>${certs.length} issued certificate(s)</span>
|
|
| 1797 |
</div> |
|
| 1798 |
</div>`; |
|
| 1799 |
$('ca-certs-summary').innerHTML = [
|
|
| 1800 |
['issued', certs.length], |
|
| 1801 |
['expiring', certs.filter(cert => {
|
|
| 1802 |
const days = daysUntil(cert.not_after); |
|
| 1803 |
return days !== null && days >= 0 && days <= 30; |
|
| 1804 |
}).length], |
|
| 1805 |
['expired', certs.filter(cert => {
|
|
| 1806 |
const days = daysUntil(cert.not_after); |
|
| 1807 |
return days !== null && days < 0; |
|
| 1808 |
}).length], |
|
| 1809 |
].map(([k, v]) => `<span class="stat">${k}: ${escapeHtml(String(v))}</span>`).join('');
|
|
| 1810 |
$('ca-certs').innerHTML = certs.length ? certs.map(cert => {
|
|
| 1811 |
const days = daysUntil(cert.not_after); |
|
| 1812 |
const dnsNames = cert.dns_names || []; |
|
| 1813 |
const dnsHtml = dnsNames.length |
|
| 1814 |
? dnsNames.map(name => `<span class="pill">${escapeHtml(name)}</span>`).join('')
|
|
| 1815 |
: '<span class="muted">No DNS SANs reported.</span>'; |
|
| 1816 |
return `<tr> |
|
| 1817 |
<td><strong>${escapeHtml(cert.name || '')}</strong></td>
|
|
| 1818 |
<td>${dnsHtml}</td>
|
|
| 1819 |
<td> |
|
| 1820 |
<div class="ca-detail"> |
|
| 1821 |
<span class="pill ${certStatusClass(days)}">${escapeHtml(certStatusLabel(days))}</span>
|
|
| 1822 |
<span class="muted">until ${escapeHtml(cert.not_after || '')}</span>
|
|
| 1823 |
</div> |
|
| 1824 |
</td> |
|
| 1825 |
<td class="mono">${escapeHtml(cert.serial || '')}</td>
|
|
| 1826 |
<td class="mono ca-fingerprint">${escapeHtml(cert.fingerprint_sha256 || '')}</td>
|
|
| 1827 |
<td><a class="linkbtn" href="/download/ca/cert/${encodeURIComponent(cert.name || '')}.crt">crt</a></td>
|
|
| 1828 |
</tr>`; |
|
| 1829 |
}).join('') : '<tr><td colspan="6" class="muted">No issued certificates.</td></tr>';
|
|
| 1830 |
} catch (e) {
|
|
| 1831 |
$('ca-status').innerHTML = `<div class="problem"><strong>CA status unavailable</strong> ${escapeHtml(e.message)}</div>`;
|
|
| 1832 |
$('ca-certs-summary').innerHTML = '';
|
|
| 1833 |
$('ca-certs').innerHTML = '<tr><td colspan="6" class="muted">Certificate list unavailable.</td></tr>';
|
|
| 1834 |
} |
|
| 1835 |
} |
|
| 1836 | ||
| 1837 |
function daysUntil(dateText) {
|
|
| 1838 |
const time = Date.parse(dateText || ''); |
|
| 1839 |
if (!Number.isFinite(time)) return null; |
|
| 1840 |
return Math.ceil((time - Date.now()) / 86400000); |
|
| 1841 |
} |
|
| 1842 | ||
| 1843 |
function certStatusClass(days) {
|
|
| 1844 |
if (days === null) return ''; |
|
| 1845 |
if (days < 0) return 'bad'; |
|
| 1846 |
if (days <= 30) return 'warn'; |
|
| 1847 |
return 'ok'; |
|
| 1848 |
} |
|
| 1849 | ||
| 1850 |
function certStatusLabel(days) {
|
|
| 1851 |
if (days === null) return 'validity unknown'; |
|
| 1852 |
if (days < 0) return 'expired'; |
|
| 1853 |
if (days === 0) return 'expires today'; |
|
| 1854 |
return `${days}d remaining`;
|
|
| 1855 |
} |
|
| 1856 | ||
| 1857 |
async function renderWorkOrders() {
|
|
| 1858 |
try {
|
|
| 1859 |
const data = await api('/api/work-orders');
|
|
| 1860 |
state.workOrders = data.work_orders || []; |
|
| 1861 |
$('wo-stats').innerHTML = [
|
|
| 1862 |
['pending', data.counts.pending], |
|
| 1863 |
['total', data.counts.work_orders], |
|
| 1864 |
].map(([k, v]) => `<span class="stat">${k}: ${escapeHtml(String(v))}</span>`).join('');
|
|
| 1865 | ||
| 1866 |
if (!state.workOrders.length) {
|
|
| 1867 |
$('work-orders').innerHTML = '<div class="muted" style="padding: 8px 0">No work orders.</div>';
|
|
| 1868 |
return; |
|
| 1869 |
} |
|
| 1870 | ||
| 1871 |
$('work-orders').innerHTML = state.workOrders.map(wo => {
|
|
| 1872 |
const checklist = wo.checklist || []; |
|
| 1873 |
const doneItems = checklist.filter(item => (item.status || 'pending') === 'done').length; |
|
| 1874 |
const checklistComplete = checklist.length === 0 || doneItems === checklist.length; |
|
| 1875 |
const checklistHtml = checklist.map(item => {
|
|
| 1876 |
const checked = (item.status || 'pending') === 'done' ? 'checked' : ''; |
|
| 1877 |
return `<label class="work-order-checkitem"> |
|
| 1878 |
<input type="checkbox" data-wo-checklist="${escapeHtml(wo.id)}" data-item-id="${escapeHtml(item.id || '')}" ${checked}>
|
|
| 1879 |
<span><strong>${escapeHtml(item.id || '')}</strong> ${escapeHtml(item.text || '')}</span>
|
|
| 1880 |
</label>`; |
|
| 1881 |
}).join('');
|
|
| 1882 |
const actions = (wo.actions || []).map(a => {
|
|
| 1883 |
const target = [a.host_id, a.name].filter(Boolean).join(' ');
|
|
| 1884 |
return `<div><span class="pill">${escapeHtml(a.type || '')}</span> ${escapeHtml(target)}</div>`;
|
|
| 1885 |
}).join('');
|
|
| 1886 |
const statusClass = (wo.status || 'pending') === 'pending' ? 'warn' : 'ok'; |
|
| 1887 |
const button = (wo.status || 'pending') === 'pending' |
|
| 1888 |
? `<button type="button" class="primary" data-confirm-wo="${escapeHtml(wo.id)}" ${checklistComplete ? '' : 'disabled'}>Confirm</button>`
|
|
| 1889 |
: ''; |
|
| 1890 |
return `<div class="problem work-order-card"> |
|
| 1891 |
<div class="work-order-head"> |
|
| 1892 |
<div><strong>${escapeHtml(wo.id || '')}</strong> <span class="pill ${statusClass}">${escapeHtml(wo.status || 'pending')}</span> <span class="pill">${doneItems}/${checklist.length} done</span></div>
|
|
| 1893 |
${button}
|
|
| 1894 |
</div> |
|
| 1895 |
<div class="work-order-title">${escapeHtml(wo.title || '')}</div>
|
|
| 1896 |
<div class="muted">${escapeHtml(wo.reason || '')}</div>
|
|
| 1897 |
<div class="work-order-checklist">${checklistHtml}</div>
|
|
| 1898 |
<div class="work-order-actions">${actions}</div>
|
|
| 1899 |
${wo.confirmed_at ? `<div class="muted">confirmed ${escapeHtml(wo.confirmed_at)}</div>` : ''}
|
|
| 1900 |
</div>`; |
|
| 1901 |
}).join('');
|
|
| 1902 |
document.querySelectorAll('[data-wo-checklist]').forEach(input => input.addEventListener('change', () => updateWorkOrderChecklist(input.dataset.woChecklist, input.dataset.itemId, input.checked)));
|
|
| 1903 |
document.querySelectorAll('[data-confirm-wo]').forEach(button => button.addEventListener('click', () => confirmWorkOrder(button.dataset.confirmWo)));
|
|
| 1904 |
} catch (e) {
|
|
| 1905 |
$('work-orders').innerHTML = `<div class="problem"><strong>Work orders unavailable</strong> ${escapeHtml(e.message)}</div>`;
|
|
| 1906 |
} |
|
| 1907 |
} |
|
| 1908 | ||
| 1909 |
async function updateWorkOrderChecklist(id, itemId, checked) {
|
|
| 1910 |
try {
|
|
| 1911 |
await api('/api/work-orders/checklist', {
|
|
| 1912 |
method: 'POST', |
|
| 1913 |
headers: { 'Content-Type': 'application/json' },
|
|
| 1914 |
body: JSON.stringify({ id, item_id: itemId, status: checked ? 'done' : 'pending' })
|
|
| 1915 |
}); |
|
| 1916 |
msg('work order updated');
|
|
| 1917 |
await refresh(); |
|
| 1918 |
} catch (e) { msg(e.message); await refresh(); }
|
|
| 1919 |
} |
|
| 1920 | ||
| 1921 |
async function confirmWorkOrder(id) {
|
|
| 1922 |
const typed = prompt(`Type ${id} to confirm this work order`);
|
|
| 1923 |
if (typed !== id) return; |
|
| 1924 |
try {
|
|
| 1925 |
await api('/api/work-orders/confirm', {
|
|
| 1926 |
method: 'POST', |
|
| 1927 |
headers: { 'Content-Type': 'application/json' },
|
|
| 1928 |
body: JSON.stringify({ id, confirm: typed })
|
|
| 1929 |
}); |
|
| 1930 |
msg('work order confirmed; local-hosts.tsv written');
|
|
| 1931 |
await refresh(); |
|
| 1932 |
} catch (e) { msg(e.message); }
|
|
| 1933 |
} |
|
| 1934 | ||
| 1935 |
function renderHosts() {
|
|
| 1936 |
const filter = $('filter').value.toLowerCase();
|
|
| 1937 |
$('hosts').innerHTML = state.hosts
|
|
| 1938 |
.slice() |
|
| 1939 |
.sort((a, b) => String(a.id || '').localeCompare(String(b.id || ''))) |
|
| 1940 |
.filter(h => JSON.stringify(h).toLowerCase().includes(filter)) |
|
| 1941 |
.map(h => {
|
|
| 1942 |
const problems = state.problems.filter(p => p.host_id === h.id); |
|
| 1943 |
const cls = problems.length ? 'warn' : 'ok'; |
|
| 1944 |
return `<tr data-id="${escapeHtml(h.id)}">
|
|
| 1945 |
<td><button type="button" data-edit="${escapeHtml(h.id)}">${escapeHtml(h.id)}</button></td>
|
|
| 1946 |
<td>${escapeHtml(h.hosts_ip || '')}</td>
|
|
| 1947 |
<td>${escapeHtml(h.dns_ip || '')}</td>
|
|
| 1948 |
<td>${renderNamePills(h)}</td>
|
|
| 1949 |
<td>${(h.roles || []).map(n => `<span class="pill">${escapeHtml(n)}</span>`).join('')}</td>
|
|
| 1950 |
<td><span class="pill ${cls}">${escapeHtml(h.monitoring || '')}</span></td>
|
|
| 1951 |
<td>${escapeHtml(h.status || '')}</td>
|
|
| 1952 |
</tr>`; |
|
| 1953 |
}).join('');
|
|
| 1954 |
document.querySelectorAll('[data-edit]').forEach(button => button.addEventListener('click', () => editHost(button.dataset.edit)));
|
|
| 1955 |
} |
|
| 1956 | ||
| 1957 |
function renderNamePills(host) {
|
|
| 1958 |
const declared = host.declared_names || host.names || []; |
|
| 1959 |
const derived = host.derived_names || []; |
|
| 1960 |
const declaredHtml = declared.map(name => `<span class="pill">${escapeHtml(name)}</span>`).join('');
|
|
| 1961 |
const derivedHtml = derived.map(name => `<span class="pill derived" title="derived from madagascar.xdev.ro">${escapeHtml(name)}</span>`).join('');
|
|
| 1962 |
return declaredHtml + derivedHtml; |
|
| 1963 |
} |
|
| 1964 | ||
| 1965 |
function editHost(id) {
|
|
| 1966 |
const host = state.hosts.find(h => h.id === id); |
|
| 1967 |
if (!host) return; |
|
| 1968 |
const form = $('host-form');
|
|
| 1969 |
clearHostFormMessage(); |
|
| 1970 |
for (const key of ['id', 'status', 'hosts_ip', 'dns_ip', 'monitoring', 'notes']) hostField(key).value = host[key] || ''; |
|
| 1971 |
hostField('names').value = (host.declared_names || host.names || []).join('\n');
|
|
| 1972 |
hostField('roles').value = (host.roles || []).join(' ');
|
|
| 1973 |
hostField('sources').value = (host.sources || []).join(' ');
|
|
| 1974 |
openHostModal('Edit host');
|
|
| 1975 |
} |
|
| 1976 | ||
| 1977 |
function newHost() {
|
|
| 1978 |
const form = $('host-form');
|
|
| 1979 |
form.reset(); |
|
| 1980 |
clearHostFormMessage(); |
|
| 1981 |
hostField('status').value = 'active';
|
|
| 1982 |
hostField('monitoring').value = 'pending';
|
|
| 1983 |
openHostModal('New host');
|
|
| 1984 |
} |
|
| 1985 | ||
| 1986 |
function openHostModal(title) {
|
|
| 1987 |
$('host-modal-title').textContent = title || 'Edit host';
|
|
| 1988 |
$('host-modal').hidden = false;
|
|
| 1989 |
document.body.style.overflow = 'hidden'; |
|
| 1990 |
hostFormSnapshot = hostFormState(); |
|
| 1991 |
hostField('id').focus();
|
|
| 1992 |
} |
|
| 1993 | ||
| 1994 |
function requestCloseHostModal() {
|
|
| 1995 |
if ($('save-host').disabled) return;
|
|
| 1996 |
if (hostFormDirty() && !confirm('Discard unsaved host changes?')) return;
|
|
| 1997 |
closeHostModal(); |
|
| 1998 |
} |
|
| 1999 | ||
| 2000 |
function closeHostModal() {
|
|
| 2001 |
$('host-modal').hidden = true;
|
|
| 2002 |
document.body.style.overflow = ''; |
|
| 2003 |
setHostFormBusy(false); |
|
| 2004 |
clearHostFormMessage(); |
|
| 2005 |
hostFormSnapshot = ''; |
|
| 2006 |
} |
|
| 2007 | ||
| 2008 |
function hostField(name) {
|
|
| 2009 |
return $('host-form').elements.namedItem(name);
|
|
| 2010 |
} |
|
| 2011 | ||
| 2012 |
function hostFormState() {
|
|
| 2013 |
return JSON.stringify(formObject($('host-form')));
|
|
| 2014 |
} |
|
| 2015 | ||
| 2016 |
function hostFormDirty() {
|
|
| 2017 |
return !$('host-modal').hidden && hostFormSnapshot && hostFormState() !== hostFormSnapshot;
|
|
| 2018 |
} |
|
| 2019 | ||
| 2020 |
function setHostFormBusy(busy) {
|
|
| 2021 |
$('save-host').disabled = busy;
|
|
| 2022 |
$('delete-host').disabled = busy;
|
|
| 2023 |
$('close-host-modal').disabled = busy;
|
|
| 2024 |
} |
|
| 2025 | ||
| 2026 |
function setHostFormMessage(text, isError = false) {
|
|
| 2027 |
const message = $('host-form-message');
|
|
| 2028 |
message.textContent = text || ''; |
|
| 2029 |
message.classList.toggle('error', !!isError);
|
|
| 2030 |
} |
|
| 2031 | ||
| 2032 |
function clearHostFormMessage() {
|
|
| 2033 |
setHostFormMessage('');
|
|
| 2034 |
} |
|
| 2035 | ||
| 2036 |
function formObject(form) {
|
|
| 2037 |
return Object.fromEntries(new FormData(form).entries()); |
|
| 2038 |
} |
|
| 2039 | ||
| 2040 |
function escapeHtml(value) {
|
|
| 2041 |
value = value == null ? '' : String(value); |
|
| 2042 |
return value.replace(/[&<>"']/g, ch => ({'&':'&','<':'<','>':'>','"':'"',"'":'''}[ch]));
|
|
| 2043 |
} |
|
| 2044 | ||
| 2045 |
const ACCOUNT_STORAGE_KEY = 'mla_last_account'; |
|
| 2046 | ||
| 2047 |
// OTP digit boxes — auto-advance, backspace, paste |
|
| 2048 |
const otpDigits = Array.from(document.querySelectorAll('.otp-digit'));
|
|
| 2049 |
const otpHidden = $('otp-hidden');
|
|
| 2050 |
const loginAccount = $('login-account');
|
|
| 2051 | ||
| 2052 |
if (loginAccount) {
|
|
| 2053 |
const rememberedAccount = localStorage.getItem(ACCOUNT_STORAGE_KEY); |
|
| 2054 |
if (rememberedAccount && !loginAccount.value) loginAccount.value = rememberedAccount; |
|
| 2055 |
loginAccount.addEventListener('input', () => {
|
|
| 2056 |
const value = (loginAccount.value || '').trim(); |
|
| 2057 |
if (value) localStorage.setItem(ACCOUNT_STORAGE_KEY, value); |
|
| 2058 |
}); |
|
| 2059 |
} |
|
| 2060 | ||
| 2061 |
function setOtpDigit(idx, value) {
|
|
| 2062 |
const digit = (value || '').replace(/\D/g, '').slice(0, 1); |
|
| 2063 |
otpDigits[idx].value = digit; |
|
| 2064 |
otpDigits[idx].classList.toggle('filled', !!digit);
|
|
| 2065 |
} |
|
| 2066 | ||
| 2067 |
// Move focus to the next empty box: forward from idx, then wrapping to the |
|
| 2068 |
// start. This lets out-of-order entry continue (e.g. after the last box, |
|
| 2069 |
// jump back to the first still-empty box). Stays put when all boxes are full. |
|
| 2070 |
function advanceFocus(idx) {
|
|
| 2071 |
for (let i = idx + 1; i < otpDigits.length; i++) {
|
|
| 2072 |
if (!otpDigits[i].value) { otpDigits[i].focus(); return; }
|
|
| 2073 |
} |
|
| 2074 |
for (let i = 0; i <= idx; i++) {
|
|
| 2075 |
if (!otpDigits[i].value) { otpDigits[i].focus(); return; }
|
|
| 2076 |
} |
|
| 2077 |
} |
|
| 2078 | ||
| 2079 |
// Spread multiple digits across boxes starting at startIdx. Used for paste |
|
| 2080 |
// and for Safari OTP autofill, which drops the whole code into the first box. |
|
| 2081 |
function fillOtp(text, startIdx = 0) {
|
|
| 2082 |
const digits = (text || '').replace(/\D/g, '').split('');
|
|
| 2083 |
if (!digits.length) return; |
|
| 2084 |
let last = startIdx; |
|
| 2085 |
for (let i = 0; i < digits.length && startIdx + i < otpDigits.length; i++) {
|
|
| 2086 |
last = startIdx + i; |
|
| 2087 |
setOtpDigit(last, digits[i]); |
|
| 2088 |
} |
|
| 2089 |
syncOtpFields(); |
|
| 2090 |
advanceFocus(last); |
|
| 2091 |
maybeSubmitOtp(); |
|
| 2092 |
} |
|
| 2093 | ||
| 2094 |
function getOtp() { return otpDigits.map(i => i.value).join(''); }
|
|
| 2095 |
function syncOtpFields() { if (otpHidden) otpHidden.value = getOtp(); }
|
|
| 2096 |
function otpReady() { return otpDigits.every(i => /^\d$/.test(i.value)); }
|
|
| 2097 |
function maybeSubmitOtp() {
|
|
| 2098 |
if (otpReady()) setTimeout(() => $('login-form').requestSubmit(), 300);
|
|
| 2099 |
} |
|
| 2100 |
function clearOtp() {
|
|
| 2101 |
otpDigits.forEach(i => { i.value = ''; i.classList.remove('filled'); });
|
|
| 2102 |
if (otpHidden) otpHidden.value = ''; |
|
| 2103 |
// Same conditional focus as on load: don't steal focus to the OTP boxes for |
|
| 2104 |
// an unknown operator, so Safari's autofill anchor on the username stays. |
|
| 2105 |
if (loginAccount && !loginAccount.value) loginAccount.focus(); |
|
| 2106 |
else otpDigits[0].focus(); |
|
| 2107 |
} |
|
| 2108 | ||
| 2109 |
otpDigits.forEach((input, idx) => {
|
|
| 2110 |
input.addEventListener('input', () => {
|
|
| 2111 |
$('login-error').textContent = '';
|
|
| 2112 |
// A single box may receive several digits at once (autofill / typing fast). |
|
| 2113 |
if (input.value.replace(/\D/g, '').length > 1) {
|
|
| 2114 |
fillOtp(input.value, idx); |
|
| 2115 |
return; |
|
| 2116 |
} |
|
| 2117 |
setOtpDigit(idx, input.value); |
|
| 2118 |
syncOtpFields(); |
|
| 2119 |
if (input.value) advanceFocus(idx); |
|
| 2120 |
maybeSubmitOtp(); |
|
| 2121 |
}); |
|
| 2122 | ||
| 2123 |
input.addEventListener('paste', (e) => {
|
|
| 2124 |
e.preventDefault(); |
|
| 2125 |
$('login-error').textContent = '';
|
|
| 2126 |
const text = (e.clipboardData || window.clipboardData).getData('text');
|
|
| 2127 |
fillOtp(text, idx); |
|
| 2128 |
}); |
|
| 2129 | ||
| 2130 |
input.addEventListener('keydown', (e) => {
|
|
| 2131 |
if (e.key === 'Backspace') {
|
|
| 2132 |
e.preventDefault(); |
|
| 2133 |
$('login-error').textContent = '';
|
|
| 2134 |
if (input.value) { setOtpDigit(idx, ''); }
|
|
| 2135 |
else if (idx > 0) { setOtpDigit(idx - 1, ''); otpDigits[idx - 1].focus(); }
|
|
| 2136 |
syncOtpFields(); |
|
| 2137 |
} else if (e.key === 'ArrowLeft' && idx > 0) {
|
|
| 2138 |
e.preventDefault(); |
|
| 2139 |
otpDigits[idx - 1].focus(); |
|
| 2140 |
} else if (e.key === 'ArrowRight' && idx < otpDigits.length - 1) {
|
|
| 2141 |
e.preventDefault(); |
|
| 2142 |
otpDigits[idx + 1].focus(); |
|
| 2143 |
} |
|
| 2144 |
}); |
|
| 2145 |
}); |
|
| 2146 | ||
| 2147 |
// Focus the first OTP box only for a returning operator (username known). |
|
| 2148 |
// For an unknown operator, leave focus on the username field so Safari can |
|
| 2149 |
// present its OTP autofill anchored there without being dismissed by a focus |
|
| 2150 |
// change (pbx-admin pattern). |
|
| 2151 |
if (loginAccount && loginAccount.value) otpDigits[0].focus(); |
|
| 2152 |
else if (loginAccount) loginAccount.focus(); |
|
| 2153 |
else otpDigits[0].focus(); |
|
| 2154 | ||
| 2155 |
document.querySelectorAll('[data-page-link]').forEach(link => {
|
|
| 2156 |
link.addEventListener('click', (event) => {
|
|
| 2157 |
event.preventDefault(); |
|
| 2158 |
showPage(link.dataset.pageLink, true); |
|
| 2159 |
}); |
|
| 2160 |
}); |
|
| 2161 | ||
| 2162 |
window.addEventListener('popstate', () => showPage(currentPage()));
|
|
| 2163 | ||
| 2164 |
async function copyText(text) {
|
|
| 2165 |
if (navigator.clipboard && window.isSecureContext) {
|
|
| 2166 |
await navigator.clipboard.writeText(text); |
|
| 2167 |
return; |
|
| 2168 |
} |
|
| 2169 |
const input = document.createElement('textarea');
|
|
| 2170 |
input.value = text; |
|
| 2171 |
input.setAttribute('readonly', '');
|
|
| 2172 |
input.style.position = 'fixed'; |
|
| 2173 |
input.style.left = '-10000px'; |
|
| 2174 |
document.body.appendChild(input); |
|
| 2175 |
input.select(); |
|
| 2176 |
document.execCommand('copy');
|
|
| 2177 |
document.body.removeChild(input); |
|
| 2178 |
} |
|
| 2179 | ||
| 2180 |
$('copy-build').addEventListener('click', async () => {
|
|
| 2181 |
try {
|
|
| 2182 |
await copyText($('copy-build').dataset.buildDetails || '');
|
|
| 2183 |
if (state.authenticated) msg('build details copied');
|
|
| 2184 |
} catch (e) {
|
|
| 2185 |
if (state.authenticated) msg('copy failed');
|
|
| 2186 |
} |
|
| 2187 |
}); |
|
| 2188 | ||
| 2189 |
$('login-form').addEventListener('submit', async (event) => {
|
|
| 2190 |
event.preventDefault(); |
|
| 2191 |
if (!otpReady() || $('login-form').classList.contains('busy')) return;
|
|
| 2192 |
$('login-form').classList.add('busy');
|
|
| 2193 |
$('login-error').textContent = '';
|
|
| 2194 |
try {
|
|
| 2195 |
await api('/api/login', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ otp: getOtp() }) });
|
|
| 2196 |
await refresh(); |
|
| 2197 |
} catch (e) {
|
|
| 2198 |
showLogin(e.message === 'invalid_otp' ? 'Cod incorect.' : e.message); |
|
| 2199 |
} finally {
|
|
| 2200 |
$('login-form').classList.remove('busy');
|
|
| 2201 |
} |
|
| 2202 |
}); |
|
| 2203 | ||
| 2204 |
$('logout').addEventListener('click', async () => {
|
|
| 2205 |
await api('/api/logout', { method: 'POST' }).catch(() => {});
|
|
| 2206 |
window.location.replace('/?logged_out=' + Date.now());
|
|
| 2207 |
}); |
|
| 2208 | ||
| 2209 |
$('refresh').addEventListener('click', () => refresh().catch(e => msg(e.message)));
|
|
| 2210 |
$('filter').addEventListener('input', renderHosts);
|
|
| 2211 |
$('new-host').addEventListener('click', newHost);
|
|
| 2212 |
$('close-host-modal').addEventListener('click', requestCloseHostModal);
|
|
| 2213 |
$('host-modal').addEventListener('click', (event) => {
|
|
| 2214 |
if (event.target === $('host-modal') && !$('save-host').disabled) closeHostModal();
|
|
| 2215 |
}); |
|
| 2216 |
window.addEventListener('keydown', (event) => {
|
|
| 2217 |
if (event.key === 'Escape' && !$('host-modal').hidden) requestCloseHostModal();
|
|
| 2218 |
}); |
|
| 2219 | ||
| 2220 |
$('host-form').addEventListener('submit', async (event) => {
|
|
| 2221 |
event.preventDefault(); |
|
| 2222 |
setHostFormBusy(true); |
|
| 2223 |
setHostFormMessage('Saving...');
|
|
| 2224 |
try {
|
|
| 2225 |
await api('/api/hosts/upsert', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(formObject(event.target)) });
|
|
| 2226 |
hostFormSnapshot = hostFormState(); |
|
| 2227 |
closeHostModal(); |
|
| 2228 |
msg('host saved');
|
|
| 2229 |
await refresh(); |
|
| 2230 |
} catch (e) {
|
|
| 2231 |
setHostFormMessage(e.message, true); |
|
| 2232 |
msg(e.message); |
|
| 2233 |
} finally {
|
|
| 2234 |
setHostFormBusy(false); |
|
| 2235 |
} |
|
| 2236 |
}); |
|
| 2237 | ||
| 2238 |
$('host-form').addEventListener('invalid', (event) => {
|
|
| 2239 |
setHostFormMessage('Complete the required host fields before saving.', true);
|
|
| 2240 |
}, true); |
|
| 2241 | ||
| 2242 |
$('host-form').addEventListener('input', () => {
|
|
| 2243 |
if ($('host-form-message').classList.contains('error')) clearHostFormMessage();
|
|
| 2244 |
}); |
|
| 2245 | ||
| 2246 |
$('delete-host').addEventListener('click', async () => {
|
|
| 2247 |
const id = hostField('id').value;
|
|
| 2248 |
if (!id || !confirm(`Delete ${id}?`)) return;
|
|
| 2249 |
setHostFormBusy(true); |
|
| 2250 |
setHostFormMessage('Deleting...');
|
|
| 2251 |
try {
|
|
| 2252 |
await api('/api/hosts/delete', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ id }) });
|
|
| 2253 |
$('host-form').reset();
|
|
| 2254 |
hostFormSnapshot = hostFormState(); |
|
| 2255 |
closeHostModal(); |
|
| 2256 |
msg('host deleted');
|
|
| 2257 |
await refresh(); |
|
| 2258 |
} catch (e) {
|
|
| 2259 |
setHostFormMessage(e.message, true); |
|
| 2260 |
msg(e.message); |
|
| 2261 |
} finally {
|
|
| 2262 |
setHostFormBusy(false); |
|
| 2263 |
} |
|
| 2264 |
}); |
|
| 2265 | ||
| 2266 |
$('write-tsv').addEventListener('click', async () => {
|
|
| 2267 |
if (!confirm('Write config/local-hosts.tsv from hosts.yaml?')) return;
|
|
| 2268 |
try {
|
|
| 2269 |
await api('/api/render/local-hosts-tsv', { method: 'POST' });
|
|
| 2270 |
msg('local-hosts.tsv written');
|
|
| 2271 |
} catch (e) { msg(e.message); }
|
|
| 2272 |
}); |
|
| 2273 | ||
| 2274 |
refresh().catch(() => showLogin()); |
|
| 2275 |
</script> |
|
| 2276 |
</body> |
|
| 2277 |
</html> |
|
| 2278 |
HTML |
|
| 2279 |
$html =~ s/__HOST_MANAGER_BUILD_TITLE__/$build_title/g; |
|
| 2280 |
$html =~ s/__HOST_MANAGER_BUILD__/$build/g; |
|
| 2281 |
$html =~ s/__HOST_MANAGER_BUILD_DETAILS__/$build_details/g; |
|
| 2282 |
return $html; |
|
| 2283 |
} |