feat: mostly terraform shenanigans, but TF can now create ssh keys and servers

2026-02-13 04:40:05 +01:00 · 2025-11-02 17:18:28 +00:00
parent 0d10d42442
commit 43f8549320
59 changed files with 6353 additions and 28 deletions
--- a/internal/handlers/dto/labels.go
+++ b/internal/handlers/dto/labels.go
@@ -0,0 +1,19 @@
+package dto
+
+import "github.com/google/uuid"
+
+type LabelResponse struct {
+	ID    uuid.UUID `json:"id"`
+	Key   string    `json:"key"`
+	Value string    `json:"value"`
+}
+
+type CreateLabelRequest struct {
+	Key   string `json:"key"`
+	Value string `json:"value"`
+}
+
+type UpdateLabelRequest struct {
+	Key   *string `json:"key"`
+	Value *string `json:"value"`
+}
--- a/internal/handlers/labels.go
+++ b/internal/handlers/labels.go
@@ -0,0 +1,290 @@
+package handlers
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+	"strings"
+
+	"github.com/glueops/autoglue/internal/api/httpmiddleware"
+	"github.com/glueops/autoglue/internal/handlers/dto"
+	"github.com/glueops/autoglue/internal/models"
+	"github.com/glueops/autoglue/internal/utils"
+	"github.com/go-chi/chi/v5"
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+)
+
+// ListLabels godoc
+// @ID           ListLabels
+// @Summary      List node labels (org scoped)
+// @Description  Returns node labels for the organization in X-Org-ID. Filters: `key`, `value`, and `q` (key contains). Add `include=node_pools` to include linked node groups.
+// @Tags         Labels
+// @Accept       json
+// @Produce      json
+// @Param        X-Org-ID header string false "Organization UUID"
+// @Param        key query string false "Exact key"
+// @Param        value query string false "Exact value"
+// @Param        q query string false "Key contains (case-insensitive)"
+// @Success      200 {array}  dto.LabelResponse
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      500 {string} string "failed to list node taints"
+// @Router       /labels [get]
+// @Security    BearerAuth
+// @Security    OrgKeyAuth
+// @Security    OrgSecretAuth
+func ListLabels(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+
+		q := db.Where("organization_id = ?", orgID)
+
+		if key := strings.TrimSpace(r.URL.Query().Get("key")); key != "" {
+			q = q.Where(`key = ?`, key)
+		}
+		if val := strings.TrimSpace(r.URL.Query().Get("value")); val != "" {
+			q = q.Where(`value = ?`, val)
+		}
+		if needle := strings.TrimSpace(r.URL.Query().Get("q")); needle != "" {
+			q = q.Where(`key ILIKE ?`, "%"+needle+"%")
+		}
+		var rows []models.Label
+		if err := q.Order("created_at DESC").Find(&rows).Error; err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", "db error")
+			return
+		}
+
+		out := make([]dto.LabelResponse, 0, len(rows))
+		for _, row := range rows {
+			out = append(out, dto.LabelResponse{
+				Key:   row.Key,
+				Value: row.Value,
+				ID:    row.ID,
+			})
+		}
+		utils.WriteJSON(w, http.StatusOK, out)
+	}
+}
+
+// GetLabel godoc
+// @ID           GetLabel
+// @Summary      Get label by ID (org scoped)
+// @Description  Returns one label.
+// @Tags         Labels
+// @Accept       json
+// @Produce      json
+// @Param        X-Org-ID header string false "Organization UUID"
+// @Param        id path string true "Label ID (UUID)"
+// @Success      200 {object} dto.LabelResponse
+// @Failure      400 {string} string "invalid id"
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      404 {string} string "not found"
+// @Failure      500 {string} string "fetch failed"
+// @Router       /labels/{id} [get]
+// @Security    BearerAuth
+// @Security    OrgKeyAuth
+// @Security    OrgSecretAuth
+func GetLabel(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+
+		id, err := uuid.Parse(chi.URLParam(r, "id"))
+		if err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "id_required", "id required")
+			return
+		}
+
+		var row models.Label
+		if err := db.Where("id = ? AND organization_id = ?", id, orgID).First(&row).Error; err != nil {
+			utils.WriteError(w, http.StatusNotFound, "label_not_found", "label not found")
+			return
+		}
+
+		out := dto.LabelResponse{
+			Key:   row.Key,
+			Value: row.Value,
+			ID:    row.ID,
+		}
+		utils.WriteJSON(w, http.StatusOK, out)
+	}
+}
+
+// CreateLabel godoc
+// @ID           CreateLabel
+// @Summary      Create label (org scoped)
+// @Description  Creates a label.
+// @Tags         Labels
+// @Accept       json
+// @Produce      json
+// @Param        X-Org-ID header string false "Organization UUID"
+// @Param        body body dto.CreateLabelRequest true "Label payload"
+// @Success      201 {object} dto.LabelResponse
+// @Failure      400 {string} string "invalid json / missing fields / invalid node_pool_ids"
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      500 {string} string "create failed"
+// @Router       /labels [post]
+// @Security     BearerAuth
+// @Security     OrgKeyAuth
+// @Security     OrgSecretAuth
+func CreateLabel(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+
+		var req dto.CreateLabelRequest
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_request", "bad request")
+			return
+		}
+
+		req.Key = strings.TrimSpace(req.Key)
+		req.Value = strings.TrimSpace(req.Value)
+
+		if req.Key == "" || req.Value == "" {
+			utils.WriteError(w, http.StatusBadRequest, "bad_request", "missing key/value")
+			return
+		}
+
+		l := models.Label{
+			OrganizationID: orgID,
+			Key:            req.Key,
+			Value:          req.Value,
+		}
+		if err := db.Create(&l).Error; err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", "db error")
+			return
+		}
+
+		out := dto.LabelResponse{
+			ID:    l.ID,
+			Key:   l.Key,
+			Value: l.Value,
+		}
+		utils.WriteJSON(w, http.StatusCreated, out)
+	}
+}
+
+// UpdateLabel godoc
+// @ID           UpdateLabel
+// @Summary      Update label (org scoped)
+// @Description  Partially update label fields.
+// @Tags         Labels
+// @Accept       json
+// @Produce      json
+// @Param        X-Org-ID header string false "Organization UUID"
+// @Param        id path string true "Label ID (UUID)"
+// @Param        body body dto.UpdateLabelRequest true "Fields to update"
+// @Success      200 {object} dto.LabelResponse
+// @Failure      400 {string} string "invalid id / invalid json"
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      404 {string} string "not found"
+// @Failure      500 {string} string "update failed"
+// @Router       /labels/{id} [patch]
+// @Security     BearerAuth
+// @Security     OrgKeyAuth
+// @Security     OrgSecretAuth
+func UpdateLabel(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+
+		id, err := uuid.Parse(chi.URLParam(r, "id"))
+		if err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "id_required", "id required")
+			return
+		}
+
+		var l models.Label
+		if err := db.Where("id = ? AND organization_id = ?", id, orgID).First(&l).Error; err != nil {
+			if errors.Is(err, gorm.ErrRecordNotFound) {
+				utils.WriteError(w, http.StatusNotFound, "label_not_found", "label not found")
+				return
+			}
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", "db error")
+			return
+		}
+
+		var req dto.UpdateLabelRequest
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_request", "bad request")
+			return
+		}
+
+		next := l
+		if req.Key != nil {
+			next.Key = strings.TrimSpace(*req.Key)
+		}
+		if req.Value != nil {
+			next.Value = strings.TrimSpace(*req.Value)
+		}
+
+		if err := db.Save(&next).Error; err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", "db error")
+			return
+		}
+		out := dto.LabelResponse{
+			ID:    next.ID,
+			Key:   next.Key,
+			Value: next.Value,
+		}
+		utils.WriteJSON(w, http.StatusOK, out)
+	}
+}
+
+// DeleteLabel godoc
+// @ID           DeleteLabel
+// @Summary      Delete label (org scoped)
+// @Description  Permanently deletes the label.
+// @Tags         Labels
+// @Accept       json
+// @Produce      json
+// @Param        X-Org-ID header string false "Organization UUID"
+// @Param        id path string true "Label ID (UUID)"
+// @Success      204 {string} string "No Content"
+// @Failure      400 {string} string "invalid id"
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      500 {string} string "delete failed"
+// @Router       /labels/{id} [delete]
+// @Security     BearerAuth
+// @Security     OrgKeyAuth
+// @Security     OrgSecretAuth
+func DeleteLabel(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+
+		id, err := uuid.Parse(chi.URLParam(r, "id"))
+		if err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "id_required", "id required")
+			return
+		}
+
+		if err := db.Where("id = ? AND organization_id = ?", id, orgID).Delete(&models.Label{}).Error; err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", "db error")
+			return
+		}
+		w.WriteHeader(http.StatusNoContent)
+	}
+}
--- a/internal/handlers/ssh.go
+++ b/internal/handlers/ssh.go
@@ -363,6 +363,7 @@ func DownloadSSHKey(db *gorm.DB) http.HandlerFunc {
 		}

 		if mode == "json" {
+			prefix := keyFilenamePrefix(key.PublicKey)
 			resp := dto.SshMaterialJSON{
 				ID:          key.ID.String(),
 				Name:        key.Name,
@@ -372,7 +373,7 @@ func DownloadSSHKey(db *gorm.DB) http.HandlerFunc {
 			case "public":
 				pub := key.PublicKey
 				resp.PublicKey = &pub
-				resp.Filenames = []string{fmt.Sprintf("id_rsa_%s.pub", key.ID.String())}
+				resp.Filenames = []string{fmt.Sprintf("%s_%s.pub", prefix, key.ID.String())}
 				utils.WriteJSON(w, http.StatusOK, resp)
 				return

@@ -383,7 +384,7 @@ func DownloadSSHKey(db *gorm.DB) http.HandlerFunc {
 					return
 				}
 				resp.PrivatePEM = &plain
-				resp.Filenames = []string{fmt.Sprintf("id_rsa_%s.pem", key.ID.String())}
+				resp.Filenames = []string{fmt.Sprintf("%s_%s.pem", prefix, key.ID.String())}
 				utils.WriteJSON(w, http.StatusOK, resp)
 				return

@@ -396,16 +397,16 @@ func DownloadSSHKey(db *gorm.DB) http.HandlerFunc {

 				var buf bytes.Buffer
 				zw := zip.NewWriter(&buf)
-				_ = toZipFile(fmt.Sprintf("id_rsa_%s.pem", key.ID.String()), []byte(plain), zw)
-				_ = toZipFile(fmt.Sprintf("id_rsa_%s.pub", key.ID.String()), []byte(key.PublicKey), zw)
+				_ = toZipFile(fmt.Sprintf("%s_%s.pem", prefix, key.ID.String()), []byte(plain), zw)
+				_ = toZipFile(fmt.Sprintf("%s_%s.pub", prefix, key.ID.String()), []byte(key.PublicKey), zw)
 				_ = zw.Close()

 				b64 := utils.EncodeB64(buf.Bytes())
 				resp.ZipBase64 = &b64
 				resp.Filenames = []string{
-					fmt.Sprintf("id_rsa_%s.zip", key.ID.String()),
-					fmt.Sprintf("id_rsa_%s.pem", key.ID.String()),
-					fmt.Sprintf("id_rsa_%s.pub", key.ID.String()),
+					fmt.Sprintf("%s_%s.zip", prefix, key.ID.String()),
+					fmt.Sprintf("%s_%s.pem", prefix, key.ID.String()),
+					fmt.Sprintf("%s_%s.pub", prefix, key.ID.String()),
 				}
 				utils.WriteJSON(w, http.StatusOK, resp)
 				return
@@ -512,12 +513,18 @@ func toZipFile(filename string, content []byte, zw *zip.Writer) error {
 }

 func keyFilenamePrefix(pubAuth string) string {
-	// OpenSSH authorized keys start with the algorithm name
-	if strings.HasPrefix(pubAuth, "ssh-ed25519 ") {
-		return "id_ed25519"
+	pk, _, _, _, err := ssh.ParseAuthorizedKey([]byte(pubAuth))
+	if err != nil {
+		return "id_key"
+	}
+	switch pk.Type() {
+	case "ssh-ed25519":
+		return "id_ed25519"
+	case "ssh-rsa":
+		return "id_rsa"
+	default:
+		return "id_key"
 	}
-	// default to RSA
-	return "id_rsa"
 }

 func GenerateEd25519PEMAndAuthorized(comment string) (privPEM string, authorized string, err error) {