`ce48194`

cmd/admin: register and revoke actions runners (S41c)

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 3 days ago

SHA: ce481942d9111598d18570907517004d7dccd39f
Parents: ef73d0c
Tree: 393cfde

4 changed files

Status	File	+
A	`cmd/shithubd/admin_runner.go`	236
A	`cmd/shithubd/admin_runner_test.go`	47
A	`internal/actions/runnertoken/token.go`	53
A	`internal/actions/runnertoken/token_test.go`	45

cmd/shithubd/admin_runner.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package main
++
 +import (
 +	"context"
 +	"errors"
 +	"fmt"
 +	"regexp"
 +	"strconv"
 +	"strings"
 +	"text/tabwriter"
 +	"time"
++
 +	"github.com/jackc/pgx/v5/pgtype"
 +	"github.com/jackc/pgx/v5/pgxpool"
 +	"github.com/spf13/cobra"
++
 +	"github.com/tenseleyFlow/shithub/internal/actions/runnertoken"
 +	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"
 +	"github.com/tenseleyFlow/shithub/internal/infra/config"
 +	"github.com/tenseleyFlow/shithub/internal/infra/db"
 +)
++
 +var runnerLabelRE = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)
++
 +func newAdminRunnerCmd() *cobra.Command {
 +	cmd := &cobra.Command{
 +		Use:   "runner",
 +		Short: "Register, list, and revoke Actions runners",
 +	}
 +	cmd.AddCommand(newAdminRunnerRegisterCmd())
 +	cmd.AddCommand(newAdminRunnerListCmd())
 +	cmd.AddCommand(newAdminRunnerRevokeCmd())
 +	return cmd
 +}
++
 +func newAdminRunnerRegisterCmd() *cobra.Command {
 +	var name string
 +	var labelsRaw string
 +	var capacity int
 +	cmd := &cobra.Command{
 +		Use:   "register --name <name> [--labels self-hosted,linux] [--capacity 1]",
 +		Short: "Register an Actions runner and print its token once",
 +		RunE: func(cmd *cobra.Command, _ []string) error {
 +			name = strings.TrimSpace(name)
 +			if name == "" {
 +				return errors.New("admin runner register: --name is required")
 +			}
 +			labels, err := parseRunnerLabels(labelsRaw)
 +			if err != nil {
 +				return err
 +			}
 +			if capacity < 1 || capacity > 64 {
 +				return errors.New("admin runner register: --capacity must be between 1 and 64")
 +			}
++
 +			cfg, err := config.Load(nil)
 +			if err != nil {
 +				return err
 +			}
 +			ctx, cancel := context.WithTimeout(cmd.Context(), 30*time.Second)
 +			defer cancel()
 +			pool, err := openAdminRunnerPool(ctx, cfg, "register")
 +			if err != nil {
 +				return err
 +			}
 +			defer pool.Close()
++
 +			token, tokenHash, err := runnertoken.New()
 +			if err != nil {
 +				return fmt.Errorf("admin runner register: mint token: %w", err)
 +			}
++
 +			q := actionsdb.New()
 +			tx, err := pool.Begin(ctx)
 +			if err != nil {
 +				return fmt.Errorf("admin runner register: begin: %w", err)
 +			}
 +			committed := false
 +			defer func() {
 +				if !committed {
 +					_ = tx.Rollback(ctx)
 +				}
 +			}()
++
 +			runner, err := q.InsertRunner(ctx, tx, actionsdb.InsertRunnerParams{
 +				Name:               name,
 +				Labels:             labels,
 +				Capacity:           int32(capacity),
 +				RegisteredByUserID: pgtype.Int8{},
 +			})
 +			if err != nil {
 +				return fmt.Errorf("admin runner register: insert runner: %w", err)
 +			}
 +			if _, err := q.InsertRunnerToken(ctx, tx, actionsdb.InsertRunnerTokenParams{
 +				RunnerID:  runner.ID,
 +				TokenHash: tokenHash,
 +				ExpiresAt: pgtype.Timestamptz{},
 +			}); err != nil {
 +				return fmt.Errorf("admin runner register: insert token: %w", err)
 +			}
 +			if err := tx.Commit(ctx); err != nil {
 +				return fmt.Errorf("admin runner register: commit: %w", err)
 +			}
 +			committed = true
++
 +			_, _ = fmt.Fprintf(cmd.OutOrStdout(),
 +				"runner registered\nid: %d\nname: %s\nlabels: %s\ncapacity: %d\ntoken: %s\n\nStore this token now; shithub never shows it again.\n",
 +				runner.ID, runner.Name, strings.Join(runner.Labels, ","), runner.Capacity, token)
 +			return nil
 +		},
 +	}
 +	cmd.Flags().StringVar(&name, "name", "", "Runner name (letters, numbers, underscore, dash)")
 +	cmd.Flags().StringVar(&labelsRaw, "labels", "", "Comma-separated runner labels")
 +	cmd.Flags().IntVar(&capacity, "capacity", 1, "Maximum concurrent jobs this runner may execute")
 +	return cmd
 +}
++
 +func newAdminRunnerListCmd() *cobra.Command {
 +	return &cobra.Command{
 +		Use:   "list",
 +		Short: "List registered Actions runners",
 +		RunE: func(cmd *cobra.Command, _ []string) error {
 +			cfg, err := config.Load(nil)
 +			if err != nil {
 +				return err
 +			}
 +			ctx, cancel := context.WithTimeout(cmd.Context(), 30*time.Second)
 +			defer cancel()
 +			pool, err := openAdminRunnerPool(ctx, cfg, "list")
 +			if err != nil {
 +				return err
 +			}
 +			defer pool.Close()
++
 +			rows, err := actionsdb.New().ListRunners(ctx, pool)
 +			if err != nil {
 +				return fmt.Errorf("admin runner list: %w", err)
 +			}
 +			tw := tabwriter.NewWriter(cmd.OutOrStdout(), 0, 0, 2, ' ', 0)
 +			_, _ = fmt.Fprintln(tw, "ID\tNAME\tSTATUS\tCAPACITY\tLABELS\tLAST_HEARTBEAT")
 +			for _, r := range rows {
 +				last := "never"
 +				if r.LastHeartbeatAt.Valid {
 +					last = r.LastHeartbeatAt.Time.Format(time.RFC3339)
 +				}
 +				_, _ = fmt.Fprintf(tw, "%d\t%s\t%s\t%d\t%s\t%s\n",
 +					r.ID, r.Name, r.Status, r.Capacity, strings.Join(r.Labels, ","), last)
 +			}
 +			return tw.Flush()
 +		},
 +	}
 +}
++
 +func newAdminRunnerRevokeCmd() *cobra.Command {
 +	var idRaw string
 +	cmd := &cobra.Command{
 +		Use:   "revoke --id <id>",
 +		Short: "Revoke all registration tokens for an Actions runner",
 +		RunE: func(cmd *cobra.Command, _ []string) error {
 +			id, err := strconv.ParseInt(strings.TrimSpace(idRaw), 10, 64)
 +			if err != nil || id <= 0 {
 +				return errors.New("admin runner revoke: --id must be a positive integer")
 +			}
 +			cfg, err := config.Load(nil)
 +			if err != nil {
 +				return err
 +			}
 +			ctx, cancel := context.WithTimeout(cmd.Context(), 30*time.Second)
 +			defer cancel()
 +			pool, err := openAdminRunnerPool(ctx, cfg, "revoke")
 +			if err != nil {
 +				return err
 +			}
 +			defer pool.Close()
++
 +			q := actionsdb.New()
 +			runner, err := q.GetRunnerByID(ctx, pool, id)
 +			if err != nil {
 +				return fmt.Errorf("admin runner revoke: runner %d not found", id)
 +			}
 +			if err := q.RevokeAllTokensForRunner(ctx, pool, id); err != nil {
 +				return fmt.Errorf("admin runner revoke: %w", err)
 +			}
 +			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "runner revoked\nid: %d\nname: %s\n", runner.ID, runner.Name)
 +			return nil
 +		},
 +	}
 +	cmd.Flags().StringVar(&idRaw, "id", "", "Runner id")
 +	return cmd
 +}
++
 +func openAdminRunnerPool(ctx context.Context, cfg config.Config, op string) (*pgxpool.Pool, error) {
 +	if cfg.DB.URL == "" {
 +		return nil, fmt.Errorf("admin runner %s: DB not configured (set SHITHUB_DATABASE_URL)", op)
 +	}
 +	pool, err := db.Open(ctx, db.Config{
 +		URL: cfg.DB.URL, MaxConns: 2, MinConns: 0,
 +		ConnectTimeout: cfg.DB.ConnectTimeout,
 +	})
 +	if err != nil {
 +		return nil, fmt.Errorf("admin runner %s: db open: %w", op, err)
 +	}
 +	return pool, nil
 +}
++
 +func parseRunnerLabels(raw string) ([]string, error) {
 +	raw = strings.TrimSpace(raw)
 +	if raw == "" {
 +		return []string{}, nil
 +	}
 +	parts := strings.Split(raw, ",")
 +	seen := make(map[string]struct{}, len(parts))
 +	labels := make([]string, 0, len(parts))
 +	for _, part := range parts {
 +		label := strings.TrimSpace(part)
 +		if label == "" {
 +			return nil, errors.New("admin runner: labels must not contain empty entries")
 +		}
 +		if len(label) > 100 || !runnerLabelRE.MatchString(label) {
 +			return nil, fmt.Errorf("admin runner: invalid label %q", label)
 +		}
 +		if _, ok := seen[label]; ok {
 +			continue
 +		}
 +		seen[label] = struct{}{}
 +		labels = append(labels, label)
 +	}
 +	return labels, nil
 +}
++
 +func init() {
 +	adminCmd.AddCommand(newAdminRunnerCmd())
 +	adminActionsCmd.AddCommand(newAdminRunnerCmd())
 +}

cmd/shithubd/admin_runner_test.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package main
++
 +import (
 +	"reflect"
 +	"testing"
 +)
++
 +func TestParseRunnerLabels(t *testing.T) {
 +	tests := []struct {
 +		name string
 +		raw  string
 +		want []string
 +	}{
 +		{name: "empty", raw: "", want: []string{}},
 +		{name: "trim and dedupe", raw: " self-hosted, linux,linux,ubuntu-24.04 ", want: []string{"self-hosted", "linux", "ubuntu-24.04"}},
 +		{name: "underscore dot dash", raw: "gpu_cuda-12.4", want: []string{"gpu_cuda-12.4"}},
 +	}
 +	for _, tt := range tests {
 +		t.Run(tt.name, func(t *testing.T) {
 +			got, err := parseRunnerLabels(tt.raw)
 +			if err != nil {
 +				t.Fatalf("parseRunnerLabels: %v", err)
 +			}
 +			if !reflect.DeepEqual(got, tt.want) {
 +				t.Fatalf("labels: got %#v, want %#v", got, tt.want)
 +			}
 +		})
 +	}
 +}
++
 +func TestParseRunnerLabelsRejectsInvalid(t *testing.T) {
 +	tests := []string{
 +		"linux,",
 +		"linux,,x64",
 +		"has space",
 +		"semi;colon",
 +	}
 +	for _, raw := range tests {
 +		t.Run(raw, func(t *testing.T) {
 +			if _, err := parseRunnerLabels(raw); err == nil {
 +				t.Fatal("parseRunnerLabels returned nil error")
 +			}
 +		})
 +	}
 +}

internal/actions/runnertoken/token.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +// Package runnertoken mints and hashes long-lived runner registration tokens.
 +//
 +// Tokens are 32 random bytes rendered as hex for operator copy/paste. Only the
 +// SHA-256 hash is stored in runner_tokens; the plaintext is printed once by
 +// `shithubd admin actions runner register` and then lost.
 +package runnertoken
++
 +import (
 +	"crypto/rand"
 +	"crypto/sha256"
 +	"crypto/subtle"
 +	"encoding/hex"
 +	"errors"
 +	"strings"
 +)
++
 +const SizeBytes = 32
++
 +var (
 +	ErrMalformed = errors.New("runnertoken: malformed token")
 +	ErrWrongSize = errors.New("runnertoken: wrong token length")
 +)
++
 +// New mints a token and returns the hex encoding plus its SHA-256 hash.
 +func New() (encoded string, hash []byte, err error) {
 +	raw := make([]byte, SizeBytes)
 +	if _, err := rand.Read(raw); err != nil {
 +		return "", nil, err
 +	}
 +	encoded = hex.EncodeToString(raw)
 +	sum := sha256.Sum256(raw)
 +	return encoded, sum[:], nil
 +}
++
 +// HashOf decodes a hex registration token and returns the stored hash.
 +func HashOf(encoded string) ([]byte, error) {
 +	raw, err := hex.DecodeString(strings.TrimSpace(encoded))
 +	if err != nil {
 +		return nil, ErrMalformed
 +	}
 +	if len(raw) != SizeBytes {
 +		return nil, ErrWrongSize
 +	}
 +	sum := sha256.Sum256(raw)
 +	return sum[:], nil
 +}
++
 +// Equal compares two token hashes in constant time.
 +func Equal(a, b []byte) bool {
 +	return subtle.ConstantTimeCompare(a, b) == 1
 +}

internal/actions/runnertoken/token_test.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package runnertoken_test
++
 +import (
 +	"encoding/hex"
 +	"errors"
 +	"strings"
 +	"testing"
++
 +	"github.com/tenseleyFlow/shithub/internal/actions/runnertoken"
 +)
++
 +func TestNewAndHashOfRoundTrip(t *testing.T) {
 +	encoded, hash, err := runnertoken.New()
 +	if err != nil {
 +		t.Fatalf("New: %v", err)
 +	}
 +	if len(encoded) != runnertoken.SizeBytes*2 {
 +		t.Fatalf("encoded length: got %d, want %d", len(encoded), runnertoken.SizeBytes*2)
 +	}
 +	if _, err := hex.DecodeString(encoded); err != nil {
 +		t.Fatalf("encoded token is not hex: %v", err)
 +	}
++
 +	got, err := runnertoken.HashOf(encoded)
 +	if err != nil {
 +		t.Fatalf("HashOf: %v", err)
 +	}
 +	if !runnertoken.Equal(got, hash) {
 +		t.Fatalf("HashOf did not reproduce stored hash")
 +	}
 +	if strings.Contains(hex.EncodeToString(hash), encoded) {
 +		t.Fatalf("hash contains plaintext token")
 +	}
 +}
++
 +func TestHashOfRejectsMalformedAndWrongSize(t *testing.T) {
 +	if _, err := runnertoken.HashOf("not-hex"); !errors.Is(err, runnertoken.ErrMalformed) {
 +		t.Fatalf("malformed: got %v, want ErrMalformed", err)
 +	}
 +	if _, err := runnertoken.HashOf("abcd"); !errors.Is(err, runnertoken.ErrWrongSize) {
 +		t.Fatalf("wrong size: got %v, want ErrWrongSize", err)
 +	}
 +}