mirror of
https://github.com/GlueOps/autoglue.git
synced 2026-02-13 04:40:05 +01:00
fix: api keys form bugfix and org key sweeper job
Signed-off-by: allanice001 <allanice001@gmail.com>
This commit is contained in:
allanice001
@@ -129,6 +129,12 @@ func NewJobs(gdb *gorm.DB, dbUrl string) (*Jobs, error) {
|
||||
archer.WithTimeout(60*time.Minute),
|
||||
)
|
||||
|
||||
c.Register(
|
||||
"org_key_sweeper",
|
||||
OrgKeySweeperWorker(gdb, jobs),
|
||||
archer.WithInstances(1),
|
||||
archer.WithTimeout(5*time.Minute),
|
||||
)
|
||||
return jobs, nil
|
||||
}
|
||||
|
||||
|
||||
95
internal/bg/org_key_sweeper.go
Normal file
95
internal/bg/org_key_sweeper.go
Normal file
@@ -0,0 +1,95 @@
|
||||
package bg
|
||||
|
||||
import (
|
||||
"context"
|
||||
"time"
|
||||
|
||||
"github.com/dyaksa/archer"
|
||||
"github.com/dyaksa/archer/job"
|
||||
"github.com/glueops/autoglue/internal/models"
|
||||
"github.com/google/uuid"
|
||||
"github.com/rs/zerolog/log"
|
||||
"gorm.io/gorm"
|
||||
)
|
||||
|
||||
type OrgKeySweeperArgs struct {
|
||||
IntervalS int `json:"interval_seconds,omitempty"`
|
||||
RetentionDays int `json:"retention_days,omitempty"`
|
||||
}
|
||||
|
||||
type OrgKeySweeperResult struct {
|
||||
Status string `json:"status"`
|
||||
MarkedRevoked int `json:"marked_revoked"`
|
||||
DeletedEphemeral int `json:"deleted_ephemeral"`
|
||||
ElapsedMs int `json:"elapsed_ms"`
|
||||
}
|
||||
|
||||
func OrgKeySweeperWorker(db *gorm.DB, jobs *Jobs) archer.WorkerFn {
|
||||
return func(ctx context.Context, j job.Job) (any, error) {
|
||||
args := OrgKeySweeperArgs{
|
||||
IntervalS: 3600,
|
||||
RetentionDays: 10,
|
||||
}
|
||||
start := time.Now()
|
||||
|
||||
_ = j.ParseArguments(&args)
|
||||
if args.IntervalS <= 0 {
|
||||
args.IntervalS = 3600
|
||||
}
|
||||
if args.RetentionDays <= 0 {
|
||||
args.RetentionDays = 10
|
||||
}
|
||||
|
||||
now := time.Now()
|
||||
|
||||
// 1) Mark expired keys as revoked
|
||||
res1 := db.Model(&models.APIKey{}).
|
||||
Where("expires_at IS NOT NULL AND expires_at <= ? AND revoked = false", now).
|
||||
Updates(map[string]any{
|
||||
"revoked": true,
|
||||
"updated_at": now,
|
||||
})
|
||||
|
||||
if res1.Error != nil {
|
||||
log.Error().Err(res1.Error).Msg("[org_key_sweeper] mark expired revoked failed")
|
||||
return nil, res1.Error
|
||||
}
|
||||
markedRevoked := int(res1.RowsAffected)
|
||||
|
||||
// 2) Hard-delete ephemeral keys that are revoked and older than retention
|
||||
cutoff := now.Add(-time.Duration(args.RetentionDays) * 24 * time.Hour)
|
||||
res2 := db.
|
||||
Where("is_ephemeral = ? AND revoked = ? AND updated_at <= ?", true, true, cutoff).
|
||||
Delete(&models.APIKey{})
|
||||
|
||||
if res2.Error != nil {
|
||||
log.Error().Err(res2.Error).Msg("[org_key_sweeper] delete revoked ephemeral keys failed")
|
||||
return nil, res2.Error
|
||||
}
|
||||
deletedEphemeral := int(res2.RowsAffected)
|
||||
|
||||
out := OrgKeySweeperResult{
|
||||
Status: "ok",
|
||||
MarkedRevoked: markedRevoked,
|
||||
DeletedEphemeral: deletedEphemeral,
|
||||
ElapsedMs: int(time.Since(start).Milliseconds()),
|
||||
}
|
||||
|
||||
log.Info().
|
||||
Int("marked_revoked", markedRevoked).
|
||||
Int("deleted_ephemeral", deletedEphemeral).
|
||||
Msg("[org_key_sweeper] cleanup tick ok")
|
||||
|
||||
// Re-enqueue the sweeper
|
||||
next := time.Now().Add(time.Duration(args.IntervalS) * time.Second)
|
||||
_, _ = jobs.Enqueue(
|
||||
ctx,
|
||||
uuid.NewString(),
|
||||
"org_key_sweeper",
|
||||
args,
|
||||
archer.WithScheduleTime(next),
|
||||
archer.WithMaxRetries(1),
|
||||
)
|
||||
return out, nil
|
||||
}
|
||||
}
|
||||
@@ -158,10 +158,11 @@ func ClusterPrepareWorker(db *gorm.DB, jobs *Jobs) archer.WorkerFn {
|
||||
dtoCluster.Kubeconfig = &kubeconfig
|
||||
}
|
||||
|
||||
orgKey, orgSecret, err := createOrgScopedKeyForPayload(
|
||||
orgKey, orgSecret, err := findOrCreateClusterAutomationKey(
|
||||
db,
|
||||
c.OrganizationID,
|
||||
fmt.Sprintf("cluster-%s-%s", c.Name, c.ID.String()),
|
||||
c.ID,
|
||||
24*time.Hour,
|
||||
)
|
||||
|
||||
if err != nil {
|
||||
@@ -584,12 +585,28 @@ func randomB64URL(n int) (string, error) {
|
||||
return base64.RawURLEncoding.EncodeToString(b), nil
|
||||
}
|
||||
|
||||
func createOrgScopedKeyForPayload(db *gorm.DB, orgID uuid.UUID, name string) (orgKey string, orgSecret string, err error) {
|
||||
func findOrCreateClusterAutomationKey(
|
||||
db *gorm.DB,
|
||||
orgID uuid.UUID,
|
||||
clusterID uuid.UUID,
|
||||
ttl time.Duration,
|
||||
) (orgKey string, orgSecret string, err error) {
|
||||
now := time.Now()
|
||||
name := fmt.Sprintf("cluster-%s-bastion", clusterID.String())
|
||||
|
||||
// 1) Delete any existing ephemeral cluster-bastion key for this org+cluster
|
||||
if err := db.Where(
|
||||
"org_id = ? AND scope = ? AND purpose = ? AND cluster_id = ? AND is_ephemeral = ?",
|
||||
orgID, "org", "cluster_bastion", clusterID, true,
|
||||
).Delete(&models.APIKey{}).Error; err != nil {
|
||||
return "", "", fmt.Errorf("delete existing cluster key: %w", err)
|
||||
}
|
||||
|
||||
// 2) Mint a fresh keypair
|
||||
keySuffix, err := randomB64URL(16)
|
||||
if err != nil {
|
||||
return "", "", fmt.Errorf("entropy_error: %w", err)
|
||||
}
|
||||
|
||||
sec, err := randomB64URL(32)
|
||||
if err != nil {
|
||||
return "", "", fmt.Errorf("entropy_error: %w", err)
|
||||
@@ -604,13 +621,25 @@ func createOrgScopedKeyForPayload(db *gorm.DB, orgID uuid.UUID, name string) (or
|
||||
return "", "", fmt.Errorf("hash_error: %w", err)
|
||||
}
|
||||
|
||||
exp := now.Add(ttl)
|
||||
|
||||
prefix := orgKey
|
||||
if len(prefix) > 12 {
|
||||
prefix = prefix[:12]
|
||||
}
|
||||
|
||||
rec := models.APIKey{
|
||||
OrgID: &orgID,
|
||||
Scope: "org",
|
||||
Name: name,
|
||||
KeyHash: keyHash,
|
||||
SecretHash: &secretHash,
|
||||
ExpiresAt: nil,
|
||||
OrgID: &orgID,
|
||||
Scope: "org",
|
||||
Purpose: "cluster_bastion",
|
||||
ClusterID: &clusterID,
|
||||
IsEphemeral: true,
|
||||
Name: name,
|
||||
KeyHash: keyHash,
|
||||
SecretHash: &secretHash,
|
||||
ExpiresAt: &exp,
|
||||
Revoked: false,
|
||||
Prefix: &prefix,
|
||||
}
|
||||
|
||||
if err := db.Create(&rec).Error; err != nil {
|
||||
|
||||
@@ -585,13 +585,22 @@ func CreateOrgKey(db *gorm.DB) http.HandlerFunc {
|
||||
exp = &e
|
||||
}
|
||||
|
||||
prefix := orgKey
|
||||
if len(prefix) > 12 {
|
||||
prefix = prefix[:12]
|
||||
}
|
||||
|
||||
rec := models.APIKey{
|
||||
OrgID: &oid,
|
||||
Scope: "org",
|
||||
Name: req.Name,
|
||||
KeyHash: keyHash,
|
||||
SecretHash: &secretHash,
|
||||
ExpiresAt: exp,
|
||||
OrgID: &oid,
|
||||
Scope: "org",
|
||||
Purpose: "user",
|
||||
IsEphemeral: false,
|
||||
Name: req.Name,
|
||||
KeyHash: keyHash,
|
||||
SecretHash: &secretHash,
|
||||
ExpiresAt: exp,
|
||||
Revoked: false,
|
||||
Prefix: &prefix,
|
||||
}
|
||||
if err := db.Create(&rec).Error; err != nil {
|
||||
utils.WriteError(w, 500, "db_error", err.Error())
|
||||
|
||||
@@ -7,17 +7,20 @@ import (
|
||||
)
|
||||
|
||||
type APIKey struct {
|
||||
ID uuid.UUID `gorm:"type:uuid;primaryKey;default:gen_random_uuid()" json:"id" format:"uuid"`
|
||||
Name string `gorm:"not null;default:''" json:"name"`
|
||||
KeyHash string `gorm:"uniqueIndex;not null" json:"-"`
|
||||
Scope string `gorm:"not null;default:''" json:"scope"`
|
||||
UserID *uuid.UUID `json:"user_id,omitempty" format:"uuid"`
|
||||
OrgID *uuid.UUID `json:"org_id,omitempty" format:"uuid"`
|
||||
SecretHash *string `json:"-"`
|
||||
ExpiresAt *time.Time `json:"expires_at,omitempty" format:"date-time"`
|
||||
Revoked bool `gorm:"not null;default:false" json:"revoked"`
|
||||
Prefix *string `json:"prefix,omitempty"`
|
||||
LastUsedAt *time.Time `json:"last_used_at,omitempty" format:"date-time"`
|
||||
CreatedAt time.Time `json:"created_at,omitempty" gorm:"type:timestamptz;column:created_at;not null;default:now()" format:"date-time"`
|
||||
UpdatedAt time.Time `json:"updated_at,omitempty" gorm:"type:timestamptz;autoUpdateTime;column:updated_at;not null;default:now()" format:"date-time"`
|
||||
ID uuid.UUID `gorm:"type:uuid;primaryKey;default:gen_random_uuid()" json:"id" format:"uuid"`
|
||||
OrgID *uuid.UUID `json:"org_id,omitempty" format:"uuid"`
|
||||
Scope string `gorm:"not null;default:''" json:"scope"`
|
||||
Purpose string `json:"purpose"`
|
||||
ClusterID *uuid.UUID `json:"cluster_id,omitempty"`
|
||||
IsEphemeral bool `json:"is_ephemeral"`
|
||||
Name string `gorm:"not null;default:''" json:"name"`
|
||||
KeyHash string `gorm:"uniqueIndex;not null" json:"-"`
|
||||
SecretHash *string `json:"-"`
|
||||
UserID *uuid.UUID `json:"user_id,omitempty" format:"uuid"`
|
||||
ExpiresAt *time.Time `json:"expires_at,omitempty" format:"date-time"`
|
||||
Revoked bool `gorm:"not null;default:false" json:"revoked"`
|
||||
Prefix *string `json:"prefix,omitempty"`
|
||||
LastUsedAt *time.Time `json:"last_used_at,omitempty" format:"date-time"`
|
||||
CreatedAt time.Time `json:"created_at,omitempty" gorm:"type:timestamptz;column:created_at;not null;default:now()" format:"date-time"`
|
||||
UpdatedAt time.Time `json:"updated_at,omitempty" gorm:"type:timestamptz;autoUpdateTime;column:updated_at;not null;default:now()" format:"date-time"`
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user