pptx704
2c66959b92
Implements the full host ↔ control plane connection flow:
- Host CRUD endpoints (POST/GET/DELETE /v1/hosts) with role-based access:
regular hosts admin-only, BYOC hosts for admins and team owners
- One-time registration token flow: admin creates host → gets token (1hr TTL
in Redis + Postgres audit trail) → host agent registers with specs → gets
long-lived JWT (1yr)
- Host agent registration client with automatic spec detection (arch, CPU,
memory, disk) and token persistence to disk
- Periodic heartbeat (30s) via POST /v1/hosts/{id}/heartbeat with X-Host-Token
auth and host ID cross-check
- Token regeneration endpoint (POST /v1/hosts/{id}/token) for retry after
failed registration
- Tag management (add/remove/list) with team-scoped access control
- Host JWT with typ:"host" claim, cross-use prevention in both VerifyJWT and
VerifyHostJWT
- requireHostToken middleware for host agent authentication
- DB-level race protection: RegisterHost uses AND status='pending' with
rows-affected check; Redis GetDel for atomic token consume
- Migration for future mTLS support (cert_fingerprint, mtls_enabled columns)
- Host agent flags: --register (one-time token), --address (required ip:port)
- serviceErrToHTTP extended with "forbidden" → 403 mapping
- OpenAPI spec, .env.example, and README updated
60 lines
1.4 KiB
Go
60 lines
1.4 KiB
Go
package id
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"encoding/hex"
|
|
"fmt"
|
|
)
|
|
|
|
func hex8() string {
|
|
b := make([]byte, 4)
|
|
if _, err := rand.Read(b); err != nil {
|
|
panic(fmt.Sprintf("crypto/rand failed: %v", err))
|
|
}
|
|
return hex.EncodeToString(b)
|
|
}
|
|
|
|
// NewSandboxID generates a new sandbox ID in the format "sb-" + 8 hex chars.
|
|
func NewSandboxID() string {
|
|
return "sb-" + hex8()
|
|
}
|
|
|
|
// NewSnapshotName generates a snapshot name in the format "template-" + 8 hex chars.
|
|
func NewSnapshotName() string {
|
|
return "template-" + hex8()
|
|
}
|
|
|
|
// NewUserID generates a new user ID in the format "usr-" + 8 hex chars.
|
|
func NewUserID() string {
|
|
return "usr-" + hex8()
|
|
}
|
|
|
|
// NewTeamID generates a new team ID in the format "team-" + 8 hex chars.
|
|
func NewTeamID() string {
|
|
return "team-" + hex8()
|
|
}
|
|
|
|
// NewAPIKeyID generates a new API key ID in the format "key-" + 8 hex chars.
|
|
func NewAPIKeyID() string {
|
|
return "key-" + hex8()
|
|
}
|
|
|
|
// NewHostID generates a new host ID in the format "host-" + 8 hex chars.
|
|
func NewHostID() string {
|
|
return "host-" + hex8()
|
|
}
|
|
|
|
// NewHostTokenID generates a new host token audit ID in the format "htok-" + 8 hex chars.
|
|
func NewHostTokenID() string {
|
|
return "htok-" + hex8()
|
|
}
|
|
|
|
// NewRegistrationToken generates a 64-char hex token (32 bytes of entropy).
|
|
func NewRegistrationToken() string {
|
|
b := make([]byte, 32)
|
|
if _, err := rand.Read(b); err != nil {
|
|
panic(fmt.Sprintf("crypto/rand failed: %v", err))
|
|
}
|
|
return hex.EncodeToString(b)
|
|
}
|