Add CA certificate SANs to the local authority UI · a081702

Add CA certificate SANs to the local authority UI
Browse files
bogdan committed 7 hours ago
main

1 parent b16e884

commit a081702
Showing 2 changed files with 323 additions and 60 deletions
+21 -0
scripts/ca_manager.sh
	@@ -97,6 +97,26 @@ cert_field() {
97	97	esac
98	98	}
99	99
	100	+cert_dns_names_json() {
	101	+ local cert="$1"
	102	+ local names name first=1
	103	+ names="$("$OPENSSL" x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
	104	+ \| sed -n '/DNS:/,$p' \
	105	+ \| tr ',' '\n' \
	106	+ \| sed -n 's/^[[:space:]]*DNS://p')"
	107	+
	108	+ printf '['
	109	+ while IFS= read -r name; do
	110	+ [[ -n "$name" ]] \|\| continue
	111	+ if [[ "$first" -eq 0 ]]; then
	112	+ printf ','
	113	+ fi
	114	+ first=0
	115	+ json_escape "$name"
	116	+ done <<< "$names"
	117	+ printf ']'
	118	+}
	119	+
100	120	status_json() {
101	121	need_openssl
102	122	if [[ ! -f "$ca_cert" ]]; then
	@@ -137,6 +157,7 @@ list_json() {
137	157	first=0
138	158	printf '{"name":'; json_escape "$name"
139	159	printf ',"subject":'; json_escape "$(cert_field "$cert" subject)"
	160	+ printf ',"dns_names":'; cert_dns_names_json "$cert"
140	161	printf ',"issuer":'; json_escape "$(cert_field "$cert" issuer)"
141	162	printf ',"serial":'; json_escape "$(cert_field "$cert" serial)"
142	163	printf ',"not_before":'; json_escape "$(cert_field "$cert" not_before)"
+302 -60
scripts/host_manager.pl
View
@@ -110,7 +110,7 @@ sub handle_client {
     my ($path, $query) = split /\?/, $target, 2;
     my %query = parse_params($query || '');
 
-    if ($method eq 'GET' && $path eq '/') {
+    if ($method eq 'GET' && app_page_path($path)) {
         return send_html($client, 200, app_html());
     }
     if ($method eq 'GET' && $path eq '/healthz') {
@@ -163,6 +163,10 @@ sub handle_client {
     if ($method eq 'GET' && $path eq '/download/ca.crt') {
         return send_file($client, ca_cert_path(), 'application/x-pem-file; charset=utf-8', 'xdev-madagascar-host-ca.crt');
     }
+    if ($method eq 'GET' && $path =~ m{\A/download/ca/cert/([A-Za-z0-9_.-]+)\.crt\z}) {
+        my $name = $1;
+        return send_file($client, ca_issued_cert_path($name), 'application/x-pem-file; charset=utf-8', "$name.crt");
+    }
 
     if ($method eq 'POST' && $path =~ m{^/api/}) {
         if ($path eq '/api/hosts/upsert') {
@@ -193,6 +197,11 @@ sub handle_client {
     return send_json($client, 404, { error => 'not_found' });
 }
 
+sub app_page_path {
+    my ($path) = @_;
+    return $path =~ m{\A/(?:|overview|hosts|dns|work-orders|ca)\z};
+}
+
 sub load_registry {
     return parse_hosts_yaml(read_file($opt{data}));
 }
@@ -549,6 +558,12 @@ sub ca_cert_path {
     return ca_dir() . "/certs/ca.cert.pem";
 }
 
+sub ca_issued_cert_path {
+    my ($name) = @_;
+    die "unsafe certificate name\n" unless $name =~ /\A[A-Za-z0-9_.-]+\z/;
+    return ca_dir() . "/issued/$name.cert.pem";
+}
+
 sub ca_manager_json {
     my ($command) = @_;
     my $script = ca_script_path();
@@ -1326,10 +1341,17 @@ sub app_html {
 
     /* ── App shell (hidden until authenticated) ── */
     #app { display: none; }
-    header { display: flex; align-items: center; justify-content: space-between; gap: 16px; padding: 12px 18px; background: var(--panel); border-bottom: 1px solid var(--line); position: sticky; top: 0; z-index: 2; }
+    header { display: grid; grid-template-columns: minmax(180px, auto) 1fr auto; align-items: center; gap: 16px; padding: 12px 18px; background: var(--panel); border-bottom: 1px solid var(--line); position: sticky; top: 0; z-index: 2; }
     h1 { margin: 0; font-size: 17px; font-weight: 700; }
-    .header-right { display: flex; align-items: center; gap: 10px; }
+    nav { display: flex; align-items: center; gap: 4px; min-width: 0; overflow-x: auto; }
+    nav a { color: var(--muted); text-decoration: none; padding: 7px 10px; border-radius: 6px; white-space: nowrap; font-weight: 650; }
+    nav a:hover { color: var(--ink); background: var(--soft); }
+    nav a.active { color: var(--accent); background: #e8f0fe; }
+    .header-right { display: flex; align-items: center; justify-content: flex-end; gap: 10px; min-width: 0; }
+    #message { max-width: 260px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; }
     main { padding: 16px; display: grid; gap: 16px; max-width: 1280px; margin: 0 auto; }
+    .page { display: grid; gap: 16px; }
+    .page[hidden] { display: none; }
     .toolbar, .panel { background: var(--panel); border: 1px solid var(--line); border-radius: 8px; }
     .toolbar { display: flex; flex-wrap: wrap; align-items: center; gap: 8px; padding: 10px; }
     .panel { overflow: hidden; }
@@ -1357,6 +1379,10 @@ sub app_html {
     .span2 { grid-column: 1 / -1; }
     label { display: grid; gap: 5px; color: var(--muted); font-size: 12px; font-weight: 650; }
     .muted { color: var(--muted); }
+    .mono { font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, "Liberation Mono", monospace; font-size: 12px; }
+    .ca-detail { display: grid; gap: 6px; min-width: 0; }
+    .ca-fingerprint { overflow-wrap: anywhere; }
+    .ca-empty { padding: 12px 14px; }
     .build-badge {
       position: fixed;
       right: 10px;
@@ -1387,7 +1413,53 @@ sub app_html {
     .work-order-checkitem { display: flex; align-items: flex-start; gap: 8px; min-width: 0; color: var(--ink); font-size: 13px; font-weight: 400; }
     .work-order-checkitem input[type="checkbox"] { width: auto; flex: 0 0 auto; margin: 2px 0 0; }
     .work-order-checkitem span { min-width: 0; overflow-wrap: anywhere; }
+    .host-tools { display: flex; align-items: center; justify-content: flex-end; gap: 8px; min-width: 0; }
+    .host-tools input { max-width: 240px; }
+    .modal-backdrop {
+      position: fixed;
+      inset: 0;
+      z-index: 10;
+      display: grid;
+      align-items: start;
+      justify-items: center;
+      padding: 72px 16px 24px;
+      background: rgba(21,32,51,.48);
+      overflow: auto;
+    }
+    .modal-backdrop[hidden] { display: none; }
+    .modal {
+      width: min(840px, 100%);
+      max-height: calc(100dvh - 96px);
+      overflow: auto;
+      background: var(--panel);
+      border: 1px solid var(--line);
+      border-radius: 8px;
+      box-shadow: 0 20px 60px rgba(21,32,51,.26);
+    }
+    .modal-head {
+      position: sticky;
+      top: 0;
+      z-index: 1;
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      gap: 12px;
+      padding: 12px 14px;
+      border-bottom: 1px solid var(--line);
+      background: #fafbfc;
+    }
+    .modal-head h2 { margin: 0; font-size: 14px; }
+    .modal-close { min-width: 34px; justify-content: center; padding: 7px; }
+    .form-actions { display: flex; flex-wrap: wrap; gap: 8px; }
     @media (max-width: 760px) {
+      header { grid-template-columns: 1fr; align-items: stretch; gap: 10px; }
+      .header-right { justify-content: flex-start; flex-wrap: wrap; }
+      #message { max-width: 100%; }
+      .panel-head { align-items: stretch; flex-direction: column; }
+      .host-tools { justify-content: flex-start; flex-wrap: wrap; }
+      .host-tools input { max-width: none; }
+      .modal-backdrop { padding-top: 16px; }
+      .modal { max-height: calc(100dvh - 32px); }
       .grid { grid-template-columns: 1fr; }
       table { min-width: 760px; }
       .table-wrap { overflow-x: auto; }
@@ -1436,71 +1508,115 @@ sub app_html {
   <div id="app">
     <header>
       <h1>Madagascar Local Authority</h1>
+      <nav aria-label="Sections">
+        <a href="/overview" data-page-link="overview">Overview</a>
+        <a href="/hosts" data-page-link="hosts">Hosts</a>
+        <a href="/dns" data-page-link="dns">DNS</a>
+        <a href="/work-orders" data-page-link="work-orders">Work Orders</a>
+        <a href="/ca" data-page-link="ca">Local CA</a>
+      </nav>
       <div class="header-right">
         <span class="muted" id="app-updated"></span>
+        <span id="message" class="muted"></span>
+        <button id="refresh">Refresh</button>
         <button type="button" id="logout">Logout</button>
       </div>
     </header>
     <main>
-      <section class="toolbar">
-        <button id="refresh">Refresh</button>
-        <a class="linkbtn" href="/download/hosts.yaml">hosts.yaml</a>
-        <a class="linkbtn" href="/download/local-hosts.tsv">local-hosts.tsv</a>
-        <a class="linkbtn" href="/download/monitoring.json">monitoring.json</a>
-        <button id="write-tsv">Write local-hosts.tsv</button>
-        <span id="message" class="muted"></span>
+      <section class="page" id="page-overview" data-page="overview">
+        <section class="panel">
+          <div class="panel-head">
+            <h2>Overview</h2>
+            <div class="stats" id="stats"></div>
+          </div>
+          <div class="problems" id="problems"></div>
+        </section>
       </section>
 
-      <section class="panel">
-        <div class="panel-head">
-          <h2>Overview</h2>
-          <div class="stats" id="stats"></div>
-        </div>
-        <div class="problems" id="problems"></div>
+      <section class="page" id="page-hosts" data-page="hosts" hidden>
+        <section class="panel">
+          <div class="panel-head">
+            <h2>Hosts</h2>
+            <div class="host-tools">
+              <input id="filter" placeholder="filter">
+              <button type="button" id="new-host">New host</button>
+            </div>
+          </div>
+          <div class="table-wrap">
+            <table>
+              <thead>
+                <tr>
+                  <th style="width: 120px">ID</th>
+                  <th style="width: 130px">hosts_ip</th>
+                  <th style="width: 130px">dns_ip</th>
+                  <th>Names</th>
+                  <th style="width: 150px">Roles</th>
+                  <th style="width: 110px">Monitoring</th>
+                  <th style="width: 90px">Status</th>
+                </tr>
+              </thead>
+              <tbody id="hosts"></tbody>
+            </table>
+          </div>
+        </section>
       </section>
 
-      <section class="panel">
-        <div class="panel-head">
-          <h2>Local Certificate Authority</h2>
-          <a class="linkbtn" href="/download/ca.crt">ca.crt</a>
-        </div>
-        <div class="problems" id="ca-status"></div>
+      <section class="page" id="page-dns" data-page="dns" hidden>
+        <section class="toolbar">
+          <a class="linkbtn" href="/download/hosts.yaml">hosts.yaml</a>
+          <a class="linkbtn" href="/download/local-hosts.tsv">local-hosts.tsv</a>
+          <a class="linkbtn" href="/download/monitoring.json">monitoring.json</a>
+          <button id="write-tsv">Write local-hosts.tsv</button>
+        </section>
       </section>
 
-      <section class="panel">
-        <div class="panel-head">
-          <h2>Work Orders</h2>
-          <div class="stats" id="wo-stats"></div>
-        </div>
-        <div class="problems" id="work-orders"></div>
+      <section class="page" id="page-work-orders" data-page="work-orders" hidden>
+        <section class="panel">
+          <div class="panel-head">
+            <h2>Work Orders</h2>
+            <div class="stats" id="wo-stats"></div>
+          </div>
+          <div class="problems" id="work-orders"></div>
+        </section>
       </section>
 
-      <section class="panel">
-        <div class="panel-head">
-          <h2>Hosts</h2>
-          <input id="filter" placeholder="filter" style="max-width: 240px">
-        </div>
-        <div class="table-wrap">
-          <table>
-            <thead>
-              <tr>
-                <th style="width: 120px">ID</th>
-                <th style="width: 130px">hosts_ip</th>
-                <th style="width: 130px">dns_ip</th>
-                <th>Names</th>
-                <th style="width: 150px">Roles</th>
-                <th style="width: 110px">Monitoring</th>
-                <th style="width: 90px">Status</th>
-              </tr>
-            </thead>
-            <tbody id="hosts"></tbody>
-          </table>
-        </div>
+      <section class="page" id="page-ca" data-page="ca" hidden>
+        <section class="panel">
+          <div class="panel-head">
+            <h2>Local Certificate Authority</h2>
+            <a class="linkbtn" href="/download/ca.crt">ca.crt</a>
+          </div>
+          <div class="problems" id="ca-status"></div>
+        </section>
+        <section class="panel">
+          <div class="panel-head">
+            <h2>Issued Certificates</h2>
+            <div class="stats" id="ca-certs-summary"></div>
+          </div>
+          <div class="table-wrap">
+            <table>
+              <thead>
+                <tr>
+                  <th style="width: 150px">Name</th>
+                  <th>DNS names</th>
+                  <th style="width: 210px">Validity</th>
+                  <th style="width: 180px">Serial</th>
+                  <th>Fingerprint</th>
+                  <th style="width: 110px">Download</th>
+                </tr>
+              </thead>
+              <tbody id="ca-certs"></tbody>
+            </table>
+          </div>
+        </section>
       </section>
+    </main>
 
-      <section class="panel">
-        <div class="panel-head">
-          <h2>Edit host</h2>
+    <div id="host-modal" class="modal-backdrop" hidden>
+      <section class="modal" role="dialog" aria-modal="true" aria-labelledby="host-modal-title">
+        <div class="modal-head">
+          <h2 id="host-modal-title">Edit host</h2>
+          <button type="button" id="close-host-modal" class="modal-close" aria-label="Close host editor">x</button>
         </div>
         <form id="host-form" class="grid">
           <label>ID<input name="id" required></label>
@@ -1512,13 +1628,13 @@ sub app_html {
           <label>Sources<input name="sources"></label>
           <label>Monitoring<select name="monitoring"><option>pending</option><option>enabled</option><option>disabled</option></select></label>
           <label>Notes<input name="notes"></label>
-          <div class="span2">
+          <div class="span2 form-actions">
             <button class="primary" type="submit">Save host</button>
             <button class="danger" type="button" id="delete-host">Delete host</button>
           </div>
         </form>
       </section>
-    </main>
+    </div>
   </div>
 
   <div class="build-badge" title="Running build __HOST_MANAGER_BUILD_TITLE__">build __HOST_MANAGER_BUILD__</div>
@@ -1528,6 +1644,14 @@ sub app_html {
 
     const $ = (id) => document.getElementById(id);
     const msg = (text) => { $('message').textContent = text || ''; };
+    const PAGE_PATHS = {
+      '/': 'overview',
+      '/overview': 'overview',
+      '/hosts': 'hosts',
+      '/dns': 'dns',
+      '/work-orders': 'work-orders',
+      '/ca': 'ca',
+    };
 
     async function api(path, options = {}) {
       const res = await fetch(path, options);
@@ -1536,6 +1660,25 @@ sub app_html {
       return body;
     }
 
+    function currentPage() {
+      return PAGE_PATHS[window.location.pathname] || 'overview';
+    }
+
+    function showPage(page, push = false) {
+      const target = page || 'overview';
+      document.querySelectorAll('[data-page]').forEach(section => {
+        section.hidden = section.dataset.page !== target;
+      });
+      document.querySelectorAll('[data-page-link]').forEach(link => {
+        link.classList.toggle('active', link.dataset.pageLink === target);
+        link.setAttribute('aria-current', link.dataset.pageLink === target ? 'page' : 'false');
+      });
+      if (push) {
+        const href = target === 'overview' ? '/overview' : '/' + target;
+        history.pushState({ page: target }, '', href);
+      }
+    }
+
     function showLogin(errorText) {
       document.body.classList.remove('is-app');
       document.body.classList.add('is-login');
@@ -1550,6 +1693,7 @@ sub app_html {
       document.body.classList.add('is-app');
       $('login-screen').style.display = 'none';
       $('app').style.display = 'block';
+      showPage(currentPage());
     }
 
     async function refresh() {
@@ -1585,21 +1729,80 @@ sub app_html {
         const status = await api('/api/ca/status');
         if (!status.initialized) {
           $('ca-status').innerHTML = '<div class="problem"><strong>not initialized</strong> Run <code>sudo scripts/ca_manager.sh init</code> on jumper.</div>';
+          $('ca-certs-summary').innerHTML = '';
+          $('ca-certs').innerHTML = '<tr><td colspan="6" class="muted">CA is not initialized.</td></tr>';
           return;
         }
         const certs = await api('/api/ca/certificates');
+        const caDays = daysUntil(status.not_after);
         $('ca-status').innerHTML = `
-          <div class="muted" style="display:grid;gap:6px">
+          <div class="muted ca-detail">
             <div><strong>${escapeHtml(status.subject || '')}</strong></div>
-            <div>SHA256 ${escapeHtml(status.fingerprint_sha256 || '')}</div>
+            <div>SHA256 <span class="mono ca-fingerprint">${escapeHtml(status.fingerprint_sha256 || '')}</span></div>
             <div>valid ${escapeHtml(status.not_before || '')} - ${escapeHtml(status.not_after || '')}</div>
-            <div>${certs.length} issued certificate(s)</div>
+            <div>
+              <span class="pill ${certStatusClass(caDays)}">${escapeHtml(certStatusLabel(caDays))}</span>
+              <span>${certs.length} issued certificate(s)</span>
+            </div>
           </div>`;
+        $('ca-certs-summary').innerHTML = [
+          ['issued', certs.length],
+          ['expiring', certs.filter(cert => {
+            const days = daysUntil(cert.not_after);
+            return days !== null && days >= 0 && days <= 30;
+          }).length],
+          ['expired', certs.filter(cert => {
+            const days = daysUntil(cert.not_after);
+            return days !== null && days < 0;
+          }).length],
+        ].map(([k, v]) => `<span class="stat">${k}: ${escapeHtml(String(v))}</span>`).join('');
+        $('ca-certs').innerHTML = certs.length ? certs.map(cert => {
+          const days = daysUntil(cert.not_after);
+          const dnsNames = cert.dns_names || [];
+          const dnsHtml = dnsNames.length
+            ? dnsNames.map(name => `<span class="pill">${escapeHtml(name)}</span>`).join('')
+            : '<span class="muted">No DNS SANs reported.</span>';
+          return `<tr>
+            <td><strong>${escapeHtml(cert.name || '')}</strong></td>
+            <td>${dnsHtml}</td>
+            <td>
+              <div class="ca-detail">
+                <span class="pill ${certStatusClass(days)}">${escapeHtml(certStatusLabel(days))}</span>
+                <span class="muted">until ${escapeHtml(cert.not_after || '')}</span>
+              </div>
+            </td>
+            <td class="mono">${escapeHtml(cert.serial || '')}</td>
+            <td class="mono ca-fingerprint">${escapeHtml(cert.fingerprint_sha256 || '')}</td>
+            <td><a class="linkbtn" href="/download/ca/cert/${encodeURIComponent(cert.name || '')}.crt">crt</a></td>
+          </tr>`;
+        }).join('') : '<tr><td colspan="6" class="muted">No issued certificates.</td></tr>';
       } catch (e) {
         $('ca-status').innerHTML = `<div class="problem"><strong>CA status unavailable</strong> ${escapeHtml(e.message)}</div>`;
+        $('ca-certs-summary').innerHTML = '';
+        $('ca-certs').innerHTML = '<tr><td colspan="6" class="muted">Certificate list unavailable.</td></tr>';
       }
     }
 
+    function daysUntil(dateText) {
+      const time = Date.parse(dateText || '');
+      if (!Number.isFinite(time)) return null;
+      return Math.ceil((time - Date.now()) / 86400000);
+    }
+
+    function certStatusClass(days) {
+      if (days === null) return '';
+      if (days < 0) return 'bad';
+      if (days <= 30) return 'warn';
+      return 'ok';
+    }
+
+    function certStatusLabel(days) {
+      if (days === null) return 'validity unknown';
+      if (days < 0) return 'expired';
+      if (days === 0) return 'expires today';
+      return `${days}d remaining`;
+    }
+
     async function renderWorkOrders() {
       try {
         const data = await api('/api/work-orders');
@@ -1706,7 +1909,27 @@ sub app_html {
       form.elements.names.value = (host.names || []).join('\n');
       form.elements.roles.value = (host.roles || []).join(' ');
       form.elements.sources.value = (host.sources || []).join(' ');
-      form.scrollIntoView({ behavior: 'smooth', block: 'start' });
+      openHostModal('Edit host');
+    }
+
+    function newHost() {
+      const form = $('host-form');
+      form.reset();
+      form.elements.status.value = 'active';
+      form.elements.monitoring.value = 'pending';
+      openHostModal('New host');
+    }
+
+    function openHostModal(title) {
+      $('host-modal-title').textContent = title || 'Edit host';
+      $('host-modal').hidden = false;
+      document.body.style.overflow = 'hidden';
+      $('host-form').elements.id.focus();
+    }
+
+    function closeHostModal() {
+      $('host-modal').hidden = true;
+      document.body.style.overflow = '';
     }
 
     function formObject(form) {
@@ -1714,6 +1937,7 @@ sub app_html {
     }
 
     function escapeHtml(value) {
+      value = value == null ? '' : String(value);
       return value.replace(/[&<>"']/g, ch => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#039;'}[ch]));
     }
 
@@ -1807,6 +2031,15 @@ sub app_html {
       otpAutofill.addEventListener('change', handleAutofill);
     }
 
+    document.querySelectorAll('[data-page-link]').forEach(link => {
+      link.addEventListener('click', (event) => {
+        event.preventDefault();
+        showPage(link.dataset.pageLink, true);
+      });
+    });
+
+    window.addEventListener('popstate', () => showPage(currentPage()));
+
     $('login-form').addEventListener('submit', async (event) => {
       event.preventDefault();
       if (!otpReady()) return;
@@ -1824,17 +2057,25 @@ sub app_html {
 
     $('logout').addEventListener('click', async () => {
       await api('/api/logout', { method: 'POST' }).catch(() => {});
-      clearOtp();
-      showLogin();
+      window.location.replace('/?logged_out=' + Date.now());
     });
 
     $('refresh').addEventListener('click', () => refresh().catch(e => msg(e.message)));
     $('filter').addEventListener('input', renderHosts);
+    $('new-host').addEventListener('click', newHost);
+    $('close-host-modal').addEventListener('click', closeHostModal);
+    $('host-modal').addEventListener('click', (event) => {
+      if (event.target === $('host-modal')) closeHostModal();
+    });
+    window.addEventListener('keydown', (event) => {
+      if (event.key === 'Escape' && !$('host-modal').hidden) closeHostModal();
+    });
 
     $('host-form').addEventListener('submit', async (event) => {
       event.preventDefault();
       try {
         await api('/api/hosts/upsert', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(formObject(event.target)) });
+        closeHostModal();
         msg('host saved');
         await refresh();
       } catch (e) { msg(e.message); }
@@ -1846,6 +2087,7 @@ sub app_html {
       try {
         await api('/api/hosts/delete', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ id }) });
         $('host-form').reset();
+        closeHostModal();
         msg('host deleted');
         await refresh();
       } catch (e) { msg(e.message); }
