Orgs, Members, SSH and Admin page

2026-02-13 21:00:06 +01:00 · 2025-09-01 21:58:34 +01:00
parent 3f22521f49
commit 5425ed5dcc
61 changed files with 7138 additions and 819 deletions
--- a/internal/handlers/ssh/dto.go
+++ b/internal/handlers/ssh/dto.go
@@ -0,0 +1,25 @@
+package ssh
+
+import "github.com/google/uuid"
+
+type createSSHRequest struct {
+	Bits     *int   `json:"bits,omitempty" example:"4096"`
+	Comment  string `json:"comment,omitempty" example:"deploy@autoglue"`
+	Download string `json:"download,omitempty" example:"both"`
+	Name     string `json:"name"`
+}
+
+type sshResponse struct {
+	ID             uuid.UUID `json:"id"`
+	OrganizationID uuid.UUID `json:"organization_id"`
+	Name           string    `json:"name"`
+	PublicKey      string    `json:"public_keys"`
+	Fingerprint    string    `json:"fingerprint"`
+	CreatedAt      string    `json:"created_at,omitempty"`
+	UpdatedAt      string    `json:"updated_at,omitempty"`
+}
+
+type sshRevealResponse struct {
+	sshResponse
+	PrivateKey string `json:"private_key"`
+}
--- a/internal/handlers/ssh/funcs.go
+++ b/internal/handlers/ssh/funcs.go
@@ -0,0 +1,60 @@
+package ssh
+
+import (
+	"archive/zip"
+	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"strings"
+
+	gossh "golang.org/x/crypto/ssh"
+)
+
+func allowedBits(b int) bool {
+	return b == 2048 || b == 3072 || b == 4096
+}
+
+func GenerateRSA(bits int) (*rsa.PrivateKey, error) {
+	return rsa.GenerateKey(rand.Reader, bits)
+}
+
+func RSAPrivateToPEMAndAuthorized(priv *rsa.PrivateKey, comment string) (privPEM string, authorized string, err error) {
+	// Private (PKCS#1) to PEM
+	der := x509.MarshalPKCS1PrivateKey(priv)
+	block := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: der}
+	var buf bytes.Buffer
+	if err = pem.Encode(&buf, block); err != nil {
+		return "", "", err
+	}
+
+	// Public to authorized_keys
+	pub, err := gossh.NewPublicKey(&priv.PublicKey)
+	if err != nil {
+		return "", "", err
+	}
+	auth := strings.TrimSpace(string(gossh.MarshalAuthorizedKey(pub)))
+	comment = strings.TrimSpace(comment)
+	if comment != "" {
+		auth += " " + comment
+	}
+	return buf.String(), auth, nil
+}
+
+func GenerateRSAPEMAndAuthorized(bits int, comment string) (string, string, error) {
+	priv, err := GenerateRSA(bits)
+	if err != nil {
+		return "", "", err
+	}
+	return RSAPrivateToPEMAndAuthorized(priv, comment)
+}
+
+func toZipFile(filename string, content []byte, zw *zip.Writer) error {
+	f, err := zw.Create(filename)
+	if err != nil {
+		return err
+	}
+	_, err = f.Write(content)
+	return err
+}
--- a/internal/handlers/ssh/ssh.go
+++ b/internal/handlers/ssh/ssh.go
@@ -0,0 +1,361 @@
+package ssh
+
+import (
+	"archive/zip"
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/glueops/autoglue/internal/db"
+	"github.com/glueops/autoglue/internal/db/models"
+	"github.com/glueops/autoglue/internal/middleware"
+	"github.com/glueops/autoglue/internal/response"
+	"github.com/glueops/autoglue/internal/utils"
+	"github.com/go-chi/chi/v5"
+	"github.com/google/uuid"
+	"golang.org/x/crypto/ssh"
+	"gorm.io/gorm"
+)
+
+// ListPublicKeys godoc
+// @Summary      List ssh keys (org scoped)
+// @Description  Returns ssh keys for the organization in X-Org-ID.
+// @Tags         ssh
+// @Accept       json
+// @Produce      json
+// @Param        X-Org-ID header string true "Organization UUID"
+// @Security     BearerAuth
+// @Success      200 {array}  sshResponse
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      500 {string} string "failed to list keys"
+// @Router       /api/v1/ssh [get]
+func ListPublicKeys(w http.ResponseWriter, r *http.Request) {
+	ac := middleware.GetAuthContext(r)
+	if ac == nil || ac.OrganizationID == uuid.Nil {
+		http.Error(w, "organization required", http.StatusForbidden)
+		return
+	}
+
+	var rows []models.SshKey
+	if err := db.DB.Where("organization_id = ?", ac.OrganizationID).
+		Order("created_at DESC").Find(&rows).Error; err != nil {
+		http.Error(w, "failed to list ssh keys", http.StatusInternalServerError)
+		return
+	}
+
+	out := make([]sshResponse, 0, len(rows))
+	for _, s := range rows {
+		out = append(out, sshResponse{
+			ID:             s.ID,
+			OrganizationID: s.OrganizationID,
+			Name:           s.Name,
+			PublicKey:      s.PublicKey,
+			Fingerprint:    s.Fingerprint,
+			CreatedAt:      s.CreatedAt.UTC().Format(time.RFC3339),
+			UpdatedAt:      s.UpdatedAt.UTC().Format(time.RFC3339),
+		})
+	}
+
+	_ = response.JSON(w, http.StatusOK, out)
+}
+
+// CreateSSHKey godoc
+// @Summary      Create ssh keypair (org scoped)
+// @Description  Generates an RSA keypair, saves it, and returns metadata. Optionally set `download` to "public", "private", or "both" to download files immediately.
+// @Tags         ssh
+// @Accept       json
+// @Produce      json
+// @Param        X-Org-ID header string true "Organization UUID"
+// @Param        body body createSSHRequest true "Key generation options"
+// @Security     BearerAuth
+// @Success      201 {object} sshResponse
+// @Header       201 {string} Content-Disposition "When download is requested"
+// @Failure      400 {string} string "invalid json / invalid bits"
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      500 {string} string "generation/create failed"
+// @Router       /api/v1/ssh [post]
+func CreateSSHKey(w http.ResponseWriter, r *http.Request) {
+	ac := middleware.GetAuthContext(r)
+	if ac == nil || ac.OrganizationID == uuid.Nil {
+		http.Error(w, "organization required", http.StatusForbidden)
+		return
+	}
+
+	var req createSSHRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "invalid json", http.StatusBadRequest)
+		return
+	}
+	bits := 4096
+	if req.Bits != nil {
+		if !allowedBits(*req.Bits) {
+			http.Error(w, "invalid bits (allowed: 2048, 3072, 4096)", http.StatusBadRequest)
+			return
+		}
+		bits = *req.Bits
+	}
+
+	privPEM, pubAuth, err := GenerateRSAPEMAndAuthorized(bits, strings.TrimSpace(req.Comment))
+	if err != nil {
+		http.Error(w, "key generation failed", http.StatusInternalServerError)
+		return
+	}
+
+	cipher, iv, tag, err := utils.EncryptForOrg(ac.OrganizationID, []byte(privPEM))
+	if err != nil {
+		http.Error(w, "encryption failed", http.StatusInternalServerError)
+		return
+	}
+
+	parsed, _, _, _, err := ssh.ParseAuthorizedKey([]byte(pubAuth))
+	if err != nil {
+		http.Error(w, "failed to parse public key", http.StatusInternalServerError)
+		return
+	}
+	fp := ssh.FingerprintSHA256(parsed)
+
+	key := models.SshKey{
+		OrganizationID:      ac.OrganizationID,
+		Name:                req.Name,
+		PublicKey:           pubAuth,
+		EncryptedPrivateKey: cipher,
+		PrivateIV:           iv,
+		PrivateTag:          tag,
+		Fingerprint:         fp,
+	}
+	if err := db.DB.Create(&key).Error; err != nil {
+		http.Error(w, "create failed", http.StatusInternalServerError)
+		return
+	}
+
+	// Immediate download if requested
+	switch strings.ToLower(strings.TrimSpace(req.Download)) {
+	case "public":
+		filename := fmt.Sprintf("id_rsa_%s.pub", key.ID.String())
+		w.Header().Set("Content-Type", "text/plain")
+		w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, filename))
+		w.WriteHeader(http.StatusCreated)
+		_, _ = w.Write([]byte(pubAuth))
+		return
+	case "private":
+		filename := fmt.Sprintf("id_rsa_%s.pem", key.ID.String())
+		w.Header().Set("Content-Type", "application/x-pem-file")
+		w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, filename))
+		w.WriteHeader(http.StatusCreated)
+		_, _ = w.Write([]byte(privPEM))
+		return
+	case "both":
+		var buf bytes.Buffer
+		zw := zip.NewWriter(&buf)
+		_ = toZipFile(fmt.Sprintf("id_rsa_%s.pem", key.ID.String()), []byte(privPEM), zw)
+		_ = toZipFile(fmt.Sprintf("id_rsa_%s.pub", key.ID.String()), []byte(pubAuth), zw)
+		_ = zw.Close()
+
+		filename := fmt.Sprintf("ssh_key_%s.zip", key.ID.String())
+		w.Header().Set("Content-Type", "application/zip")
+		w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, filename))
+		w.WriteHeader(http.StatusCreated)
+		_, _ = w.Write(buf.Bytes())
+		return
+	}
+
+	_ = response.JSON(w, http.StatusCreated, sshResponse{
+		ID:             key.ID,
+		OrganizationID: key.OrganizationID,
+		PublicKey:      key.PublicKey,
+		Fingerprint:    key.Fingerprint,
+		CreatedAt:      key.CreatedAt.UTC().Format(time.RFC3339),
+		UpdatedAt:      key.UpdatedAt.UTC().Format(time.RFC3339),
+	})
+}
+
+// GetSSHKey godoc
+// @Summary      Get ssh key by ID (org scoped)
+// @Description  Returns public key fields. Append `?reveal=true` to include the private key PEM.
+// @Tags         ssh
+// @Accept       json
+// @Produce      json
+// @Param        X-Org-ID header string true "Organization UUID"
+// @Param        id path string true "SSH Key ID (UUID)"
+// @Param        reveal query bool false "Reveal private key PEM"
+// @Security     BearerAuth
+// @Success      200 {object} sshResponse
+// @Success      200 {object} sshRevealResponse "When reveal=true"
+// @Failure      400 {string} string "invalid id"
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      404 {string} string "not found"
+// @Failure      500 {string} string "fetch failed"
+// @Router       /api/v1/ssh/{id} [get]
+func GetSSHKey(w http.ResponseWriter, r *http.Request) {
+	ac := middleware.GetAuthContext(r)
+	if ac == nil || ac.OrganizationID == uuid.Nil {
+		http.Error(w, "organization required", http.StatusForbidden)
+		return
+	}
+
+	id, err := uuid.Parse(chi.URLParam(r, "id"))
+	if err != nil {
+		http.Error(w, "invalid id", http.StatusBadRequest)
+		return
+	}
+
+	var key models.SshKey
+	if err := db.DB.Where("id = ? AND organization_id = ?", id, ac.OrganizationID).
+		First(&key).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			http.Error(w, "not found", http.StatusNotFound)
+			return
+		}
+		http.Error(w, "fetch failed", http.StatusInternalServerError)
+		return
+	}
+
+	if r.URL.Query().Get("reveal") != "true" {
+		_ = response.JSON(w, http.StatusOK, sshResponse{
+			ID:             key.ID,
+			OrganizationID: key.OrganizationID,
+			PublicKey:      key.PublicKey,
+			CreatedAt:      key.CreatedAt.UTC().Format(time.RFC3339),
+			UpdatedAt:      key.UpdatedAt.UTC().Format(time.RFC3339),
+		})
+		return
+	}
+
+	plain, err := utils.DecryptForOrg(ac.OrganizationID, key.EncryptedPrivateKey, key.PrivateIV, key.PrivateTag)
+	if err != nil {
+		http.Error(w, "failed to decrypt", http.StatusInternalServerError)
+		return
+	}
+
+	_ = response.JSON(w, http.StatusOK, sshRevealResponse{
+		sshResponse: sshResponse{
+			ID:             key.ID,
+			OrganizationID: key.OrganizationID,
+			PublicKey:      key.PublicKey,
+			CreatedAt:      key.CreatedAt.UTC().Format(time.RFC3339),
+			UpdatedAt:      key.UpdatedAt.UTC().Format(time.RFC3339),
+		},
+		PrivateKey: plain,
+	})
+}
+
+// DeleteSSHKey godoc
+// @Summary      Delete ssh keypair (org scoped)
+// @Description  Permanently deletes a keypair.
+// @Tags         ssh
+// @Accept       json
+// @Produce      json
+// @Param        X-Org-ID header string true "Organization UUID"
+// @Param        id path string true "SSH Key ID (UUID)"
+// @Security     BearerAuth
+// @Success      204 {string} string "No Content"
+// @Failure      400 {string} string "invalid id"
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      500 {string} string "delete failed"
+// @Router       /api/v1/ssh/{id} [delete]
+func DeleteSSHKey(w http.ResponseWriter, r *http.Request) {
+	ac := middleware.GetAuthContext(r)
+	if ac == nil || ac.OrganizationID == uuid.Nil {
+		http.Error(w, "organization required", http.StatusForbidden)
+		return
+	}
+
+	idStr := strings.TrimPrefix(r.URL.Path, "/api/v1/ssh/")
+	id, err := uuid.Parse(idStr)
+	if err != nil {
+		http.Error(w, "invalid id", http.StatusBadRequest)
+		return
+	}
+
+	if err := db.DB.Where("id = ? AND organization_id = ?", id, ac.OrganizationID).
+		Delete(&models.SshKey{}).Error; err != nil {
+		http.Error(w, "delete failed", http.StatusInternalServerError)
+		return
+	}
+	response.NoContent(w)
+}
+
+// DownloadSSHKey godoc
+// @Summary      Download ssh key files by ID (org scoped)
+// @Description  Download `part=public|private|both` of the keypair. `both` returns a zip file.
+// @Tags         ssh
+// @Produce      text/plain
+// @Param        X-Org-ID header string true "Organization UUID"
+// @Param        id path string true "SSH Key ID (UUID)"
+// @Param        part query string true "Which part to download" Enums(public,private,both)
+// @Security     BearerAuth
+// @Success      200 {string} string "file content"
+// @Failure      400 {string} string "invalid id / invalid part"
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      404 {string} string "not found"
+// @Failure      500 {string} string "download failed"
+// @Router       /api/v1/ssh/{id}/download [get]
+func DownloadSSHKey(w http.ResponseWriter, r *http.Request) {
+	ac := middleware.GetAuthContext(r)
+	if ac == nil || ac.OrganizationID == uuid.Nil {
+		http.Error(w, "organization required", http.StatusForbidden)
+		return
+	}
+
+	id, err := uuid.Parse(chi.URLParam(r, "id"))
+	if err != nil {
+		http.Error(w, "invalid id", http.StatusBadRequest)
+		return
+	}
+
+	var key models.SshKey
+	if err := db.DB.Where("id = ? AND organization_id = ?", id, ac.OrganizationID).
+		First(&key).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			http.Error(w, "not found", http.StatusNotFound)
+			return
+		}
+		http.Error(w, "fetch failed", http.StatusInternalServerError)
+		return
+	}
+
+	switch strings.ToLower(r.URL.Query().Get("part")) {
+	case "public":
+		filename := fmt.Sprintf("id_rsa_%s.pub", key.ID.String())
+		w.Header().Set("Content-Type", "text/plain")
+		w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, filename))
+		_, _ = w.Write([]byte(key.PublicKey))
+	case "private":
+		plain, err := utils.DecryptForOrg(ac.OrganizationID, key.EncryptedPrivateKey, key.PrivateIV, key.PrivateTag)
+		if err != nil {
+			http.Error(w, "decrypt failed", http.StatusInternalServerError)
+			return
+		}
+		filename := fmt.Sprintf("id_rsa_%s.pem", key.ID.String())
+		w.Header().Set("Content-Type", "application/x-pem-file")
+		w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, filename))
+		_, _ = w.Write([]byte(plain))
+	case "both":
+		plain, err := utils.DecryptForOrg(ac.OrganizationID, key.EncryptedPrivateKey, key.PrivateIV, key.PrivateTag)
+		if err != nil {
+			http.Error(w, "decrypt failed", http.StatusInternalServerError)
+			return
+		}
+		var buf bytes.Buffer
+		zw := zip.NewWriter(&buf)
+		_ = toZipFile(fmt.Sprintf("id_rsa_%s.pem", key.ID.String()), []byte(plain), zw)
+		_ = toZipFile(fmt.Sprintf("id_rsa_%s.pub", key.ID.String()), []byte(key.PublicKey), zw)
+		_ = zw.Close()
+
+		filename := fmt.Sprintf("ssh_key_%s.zip", key.ID.String())
+		w.Header().Set("Content-Type", "application/zip")
+		w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, filename))
+		_, _ = w.Write(buf.Bytes())
+	default:
+		http.Error(w, "invalid part (public|private|both)", http.StatusBadRequest)
+	}
+}