ipng/vpp-maglev
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
25e9d79aba4b13fa1567fa95e68bd3f28a9d6c7a
vpp-maglev/cmd/frontend/handlers.go
Pim van Pelt 25e9d79aba Frontend: live clocks, admin mode, backend actions; packaging polish 
Builds on the maglev-frontend component introduced in 284b4cc with
quality-of-life improvements, an authenticated /admin surface, a
live-action control plane, and Debian packaging cleanup.

 - Backend state now renders live: maglevd's FrontendEvent synthetic
   from==to replay hydrates FrontendSnapshot.State on WatchEvents
   subscribe, and live transitions update both the in-process cache
   and every connected browser via a new applyFrontendTransition
   reducer. Shown as a StatusBadge next to the frontend name.
 - VPP connection state surfaces in the VPP zippy title as a
   green/red badge. Driven by vpp-connect / vpp-disconnect and by
   the steady stream of vpp-api-send/recv debug heartbeats so a
   silent VPP drop is caught within one debug-log tick.
 - Probe heartbeat dot becomes ❤️ while a probe is in flight and
   reverts to · on probe-done. Fixed-size wrapper so the emoji swap
   doesn't jiggle the row; both states share the same font-size.
 - Flash component replaced its subtle background-only fade with a
   scale-pop + yellow halo box-shadow + longer duration so
   weight/effective/state changes are unmissable on tiny numeric
   cells. Initial mount still skipped via defer so no flash on load.
 - Last-transition age is now a live countdown driven by a global
   1-second ticker signal (one timer, many subscribers). Two most
   significant units: 10m30s / 1h12m / 1d16h. Sub-second ages
   render as "now" to absorb clock skew between maglevd and the
   browser.
 - Event stream is now chronological (oldest at top) with tail-
   style auto-scroll, pause/resume, and the toolbar moved below the
   list. Row separators removed. Also shown only in /admin (see
   below) so /view stays a focused read-only surface.
 - Table nowrap so backend names like nginx0-frggh0 and the
   "last transition" header don't wrap. Frontends render in the
   order returned by ListFrontends instead of Go map iteration
   order so reload doesn't shuffle VIP order.
 - IPng logo in the header, clickable, links to the git repo.
   Header padding reduced so the logo can fill the bar up to the
   separator. Version + commit + build date shown in the brand area
   (fetched once from /view/api/version).
 - "view" / "admin" mode tag moved to sit just left of the admin
   toggle button so it reads as a pair.
 - Prettier wired in as the web-side fixstyle via a new
   fixstyle-web Make target that also runs from `make fixstyle`.
   Added .prettierrc.json and .prettierignore; 8 existing files
   were normalized in place.

 - Fixed a "20555d ago" rendering bug: maglevd's synthetic
   backend-replay events (from==to, at_unix_ns=0) were corrupting
   the local cache's LastTransition via applyBackendTransition.
   Backend synthetic events are now skipped entirely (refreshAll
   covers initial hydration for backends), while frontend synthetic
   events are still applied because FrontendInfo doesn't carry
   state — the event is the only source.

 - New MAGLEV_FRONTEND_USER / MAGLEV_FRONTEND_PASSWORD env vars.
   When both are set and non-empty, /admin/ becomes a basic-auth-
   protected SPA shell backed by the same embedded index.html as
   /view/. The SPA detects its base path via a new stores/mode.ts
   isAdmin constant and conditionally renders admin-only sections
   (currently: the Event Stream / DebugPanel). When disabled,
   /admin/ returns 404 (not 501) so operators who didn't configure
   it see no teasing affordance, and the SPA's admin-toggle button
   is hidden entirely via the admin_enabled flag on
   /view/api/version.
 - basicAuth uses crypto/subtle.ConstantTimeCompare for both user
   and password so timing can't distinguish a wrong username from
   a wrong password.

 - New POST /admin/api/{maglevd}/backend/{name}/{pause|resume|
   enable|disable} endpoint, gated by the same basic-auth
   middleware as the SPA shell. maglevClient.BackendAction wraps
   the four matching gRPC RPCs and returns a fresh BackendSnapshot;
   the same transition lands via WatchEvents so every connected
   browser converges through the normal reducer path.
 - BackendActionsMenu Solid component: kebab (⋮) button in a new
   trailing column rendered only in /admin. Click-outside and
   Escape close the popover (document listeners installed only
   while open). Actions are state-aware: up/down/unknown → pause,
   disable; paused → resume, disable; disabled → enable;
   removed → menu suppressed entirely. Busy indicator per action;
   errors render inline under the item list.
 - Structured audit log: every mutation logs an
   admin-backend-action record with maglevd / backend / action /
   resulting state.

 - Renamed debian/vpp-maglevd.service → debian/vpp-maglev.service
   to align naming with the new vpp-maglev-frontend.service
   sibling. postinst handles upgrades by stopping + disabling any
   lingering vpp-maglevd.service before enabling the renamed unit;
   prerm stops both (the frontend unit is installed but not
   enabled by default — operators opt in with systemctl enable).
 - New debian/vpp-maglev-frontend.service (hardened:
   NoNewPrivileges, ProtectSystem=strict, ProtectHome, PrivateTmp,
   no capabilities). Reads the same /etc/default/vpp-maglev
   conffile and expands MAGLEV_FRONTEND_ARGS via
   `ExecStart=/usr/bin/maglev-frontend $MAGLEV_FRONTEND_ARGS` so
   word-splitting works.
 - docs/maglev-frontend.8 manpage documenting flags, endpoints,
   and SSE reverse-proxy requirements.
 - build-deb.sh: drops the commit hash from the .deb filename
   (now vpp-maglev_<version>_<arch>.deb) and no longer takes the
   commit as a CLI arg. Binaries continue to carry the commit via
   -ldflags so `maglevd --version` et al are the authoritative
   "which build is running" answer.
2026-04-12 20:04:53 +02:00

274 lines
8.3 KiB
Go
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
// Copyright (c) 2026, Pim van Pelt <pim@ipng.ch>
package main
import (
"context"
"crypto/subtle"
"encoding/json"
"fmt"
"io/fs"
"log/slog"
"net/http"
"strings"
"time"
buildinfo "git.ipng.ch/ipng/vpp-maglev/cmd"
)
// adminCreds holds the basic-auth credentials for the /admin/ surface.
// Enabled is true when both the user and password env vars were set
// and non-empty at startup; when false, /admin/ is hidden entirely
// (returns 404) so operators who never intended to expose it don't
// see a teasing "unauthorized" response.
type adminCreds struct {
User string
Password string
Enabled bool
}
func registerHandlers(mux *http.ServeMux, clients []*maglevClient, broker *Broker, admin adminCreds) {
byName := make(map[string]*maglevClient, len(clients))
for _, c := range clients {
byName[c.name] = c
}
mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) {
_, _ = w.Write([]byte("ok\n"))
})
mux.HandleFunc("/view/api/version", func(w http.ResponseWriter, _ *http.Request) {
writeJSON(w, VersionInfo{
Version: buildinfo.Version(),
Commit: buildinfo.Commit(),
Date: buildinfo.Date(),
AdminEnabled: admin.Enabled,
})
})
mux.HandleFunc("/view/api/maglevds", func(w http.ResponseWriter, _ *http.Request) {
infos := make([]MaglevdInfo, 0, len(clients))
for _, c := range clients {
infos = append(infos, c.Info())
}
writeJSON(w, infos)
})
mux.HandleFunc("/view/api/state", func(w http.ResponseWriter, _ *http.Request) {
out := make([]*StateSnapshot, 0, len(clients))
for _, c := range clients {
out = append(out, c.Snapshot())
}
writeJSON(w, out)
})
mux.HandleFunc("/view/api/state/", func(w http.ResponseWriter, r *http.Request) {
name := strings.TrimPrefix(r.URL.Path, "/view/api/state/")
c, ok := byName[name]
if !ok {
http.NotFound(w, r)
return
}
writeJSON(w, c.Snapshot())
})
mux.HandleFunc("/view/api/events", func(w http.ResponseWriter, r *http.Request) {
serveSSE(w, r, broker)
})
// Static SPA served from the embedded dist fs, mounted under /view/.
staticFS, err := fs.Sub(webFS, "web/dist")
if err != nil {
slog.Error("embed-subfs", "err", err)
return
}
fileServer := http.FileServer(http.FS(staticFS))
mux.Handle("/view/", http.StripPrefix("/view/", fileServer))
// /admin/ serves the same SPA shell behind basic auth when the
// credentials are configured. Only the index.html is served here —
// all JS, CSS, and assets are referenced via absolute /view/assets/
// URLs baked in by Vite, so they continue to load from the
// unauthenticated /view/ tree. Read-only API calls also go to
// /view/api/* unchanged. Mutation endpoints live under /admin/api/
// so the same basic-auth middleware covers every writing path.
if admin.Enabled {
indexBytes, ierr := fs.ReadFile(staticFS, "index.html")
if ierr != nil {
slog.Error("embed-index", "err", ierr)
return
}
serveIndex := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.Header().Set("Cache-Control", "no-store")
_, _ = w.Write(indexBytes)
})
adminAPI := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
handleAdminAPI(w, r, byName)
})
realm := "maglev-frontend admin"
// Register /admin/api/ before /admin/ so the more specific
// pattern wins in net/http's ServeMux.
mux.Handle("/admin/api/", basicAuth(realm, admin.User, admin.Password, adminAPI))
mux.Handle("/admin/", basicAuth(realm, admin.User, admin.Password, serveIndex))
}
mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path == "/" {
http.Redirect(w, r, "/view/", http.StatusFound)
return
}
http.NotFound(w, r)
})
}
// handleAdminAPI dispatches mutation requests under /admin/api/.
//
// Currently the only supported shape is:
//
// POST /admin/api/{maglevd}/backend/{name}/{pause|resume|enable|disable}
//
// The response body is the fresh BackendSnapshot (JSON) returned by
// maglevd. The WatchEvents stream also delivers a transition event
// so every connected browser converges through the normal reducer
// path — the POST response is primarily for the originating SPA to
// learn about failures immediately. Errors from the gRPC side are
// surfaced as 400 (bad request / unknown action / unknown target)
// or 502 (maglevd returned an error).
func handleAdminAPI(w http.ResponseWriter, r *http.Request, byName map[string]*maglevClient) {
if r.Method != http.MethodPost {
w.Header().Set("Allow", "POST")
http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
return
}
parts := strings.Split(strings.TrimPrefix(r.URL.Path, "/admin/api/"), "/")
// Expect: {maglevd} "backend" {name} {action}
if len(parts) != 4 || parts[1] != "backend" {
http.NotFound(w, r)
return
}
maglevd, name, action := parts[0], parts[2], parts[3]
c, ok := byName[maglevd]
if !ok {
http.NotFound(w, r)
return
}
switch action {
case "pause", "resume", "enable", "disable":
default:
http.Error(w, fmt.Sprintf("unknown action %q", action), http.StatusBadRequest)
return
}
ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
defer cancel()
snap, err := c.BackendAction(ctx, name, action)
if err != nil {
slog.Warn("admin-backend-action", "maglevd", maglevd, "backend", name, "action", action, "err", err)
http.Error(w, err.Error(), http.StatusBadGateway)
return
}
slog.Info("admin-backend-action",
"maglevd", maglevd, "backend", name, "action", action, "state", snap.State)
writeJSON(w, snap)
}
// basicAuth wraps a handler in an HTTP basic-auth check. Uses
// subtle.ConstantTimeCompare to avoid leaking credential length or
// content via response-timing side channels.
func basicAuth(realm, user, password string, next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
u, p, ok := r.BasicAuth()
// Compare fixed-length byte slices so a wrong username takes
// the same time as a wrong password; only the boolean result
// matters.
uOK := subtle.ConstantTimeCompare([]byte(u), []byte(user)) == 1
pOK := subtle.ConstantTimeCompare([]byte(p), []byte(password)) == 1
if !ok || !uOK || !pOK {
w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Basic realm=%q`, realm))
http.Error(w, "unauthorized", http.StatusUnauthorized)
return
}
next.ServeHTTP(w, r)
})
}
func writeJSON(w http.ResponseWriter, v any) {
w.Header().Set("Content-Type", "application/json")
enc := json.NewEncoder(w)
enc.SetEscapeHTML(false)
if err := enc.Encode(v); err != nil {
slog.Error("json-encode", "err", err)
}
}
// serveSSE handles the long-lived /view/api/events stream. The operational
// requirements (retry hint, heartbeat, flush-after-write, X-Accel-Buffering,
// context-done teardown) are documented in PLAN_FRONTEND.md §SSE operational
// requirements.
func serveSSE(w http.ResponseWriter, r *http.Request, broker *Broker) {
flusher, ok := w.(http.Flusher)
if !ok {
http.Error(w, "streaming unsupported", http.StatusInternalServerError)
return
}
h := w.Header()
h.Set("Content-Type", "text/event-stream")
h.Set("Cache-Control", "no-cache")
h.Set("Connection", "keep-alive")
h.Set("X-Accel-Buffering", "no")
w.WriteHeader(http.StatusOK)
// Reconnect hint: EventSource default is 35s; 2s feels livelier.
fmt.Fprintf(w, "retry: 2000\n\n")
flusher.Flush()
result := broker.Subscribe(r.Header.Get("Last-Event-ID"))
defer broker.Unsubscribe(result.Channel)
if result.NeedResync {
// No id: line — the browser keeps whatever Last-Event-ID it had,
// so subsequent reconnects compare against a real event ID.
fmt.Fprintf(w, "event: resync\ndata: {}\n\n")
flusher.Flush()
}
for _, ev := range result.ReplayEvents {
if err := writeEvent(w, ev); err != nil {
return
}
flusher.Flush()
}
heartbeat := time.NewTicker(15 * time.Second)
defer heartbeat.Stop()
for {
select {
case <-r.Context().Done():
return
case ev, ok := <-result.Channel:
if !ok {
return
}
if err := writeEvent(w, ev); err != nil {
return
}
flusher.Flush()
case <-heartbeat.C:
if _, err := fmt.Fprintf(w, ": ping\n\n"); err != nil {
return
}
flusher.Flush()
}
}
}
func writeEvent(w http.ResponseWriter, ev deliveredEvent) error {
body, err := json.Marshal(ev.Event)
if err != nil {
return err
}
_, err = fmt.Fprintf(w, "id: %s\ndata: %s\n\n", ev.ID, body)
return err
}
Reference in New Issue View Git Blame Copy Permalink