tiny-forge/internal/api/router.go

package api

import (
	"context"
	"log/slog"
	"sync"

	"github.com/go-chi/chi/v5"

	"github.com/alexei/tinyforge/internal/auth"
	"github.com/alexei/tinyforge/internal/backup"
	"github.com/alexei/tinyforge/internal/crypto"
	"github.com/alexei/tinyforge/internal/dns"
	"github.com/alexei/tinyforge/internal/docker"
	"github.com/alexei/tinyforge/internal/events"
	"github.com/alexei/tinyforge/internal/notify"
	"github.com/alexei/tinyforge/internal/npm"
	"github.com/alexei/tinyforge/internal/proxy"
	"github.com/alexei/tinyforge/internal/stale"
	"github.com/alexei/tinyforge/internal/store"
	"github.com/alexei/tinyforge/internal/webhook"
	"github.com/alexei/tinyforge/internal/workload/plugin"
)

// DNSProviderChangedFunc is called when DNS settings change so the caller can
// update the provider on the deployer.
type DNSProviderChangedFunc func(provider dns.Provider)

// PluginDispatcher is the subset of the deployer the API layer uses for the
// plugin-native dispatch surface (generic-hooks endpoint + workload teardown
// + future surfaces). Defined here so the API does not import the deployer
// package directly.
type PluginDispatcher interface {
	webhook.PluginDispatcher
	DispatchTeardown(ctx context.Context, w plugin.Workload) error
}

// Server holds all dependencies for the API layer.
type Server struct {
	store         *store.Store
	docker        *docker.Client
	npm           *npm.Client // optional: only for NPM-specific endpoints (certificates)
	proxyProvider proxy.Provider
	deployer      PluginDispatcher
	notifier      *notify.Notifier
	webhook       *webhook.Handler
	eventBus      *events.Bus
	encKey        [32]byte
	localAuth     *auth.LocalAuth
	oidcProvider  *auth.OIDCProvider
	staleScanner  *stale.Scanner

	dnsProviderMu        sync.RWMutex
	dnsProvider          dns.Provider
	onDNSProviderChanged DNSProviderChangedFunc

	backupEngine            *backup.Engine
	sseGate                 *sseGate
	logScanReloader         LogScanReloader
	dbPath                  string
	shutdownFunc            func()                                // called after restore to trigger graceful shutdown
	onBackupSettingsChanged func(enabled bool, intervalHours int) // called when backup settings change
	onProxyProviderChanged  func(provider proxy.Provider)         // called when proxy provider changes
}

// NewServer creates a new API Server with all required dependencies.
func NewServer(
	st *store.Store,
	dockerClient *docker.Client,
	npmClient *npm.Client,
	proxyProvider proxy.Provider,
	deployer PluginDispatcher,
	notifier *notify.Notifier,
	webhookHandler *webhook.Handler,
	eventBus *events.Bus,
	encKey [32]byte,
) *Server {
	localAuth := auth.NewLocalAuth(encKey)

	s := &Server{
		store:         st,
		docker:        dockerClient,
		npm:           npmClient,
		proxyProvider: proxyProvider,
		deployer:      deployer,
		notifier:      notifier,
		webhook:       webhookHandler,
		eventBus:      eventBus,
		encKey:        encKey,
		localAuth:     localAuth,
		sseGate:       newSSEGate(maxConcurrentSSEStreams),
	}

	// Try to initialize OIDC provider from stored settings.
	authSettings, err := st.GetAuthSettings()
	if err == nil && authSettings.AuthMode == "oidc" && authSettings.OIDCIssuerURL != "" {
		s.initOIDCProvider(context.Background(), authSettings)
	}

	return s
}

// SetStaleScanner sets the stale scanner on the server.
// Called after both the API server and scanner are initialized.
func (s *Server) SetStaleScanner(scanner *stale.Scanner) {
	s.staleScanner = scanner
}

// SetBackupEngine sets the backup engine on the server.
func (s *Server) SetBackupEngine(engine *backup.Engine) {
	s.backupEngine = engine
}

// SetDBPath sets the database file path (needed for restore).
func (s *Server) SetDBPath(path string) {
	s.dbPath = path
}

// SetShutdownFunc sets the function called after a restore to trigger graceful shutdown.
func (s *Server) SetShutdownFunc(fn func()) {
	s.shutdownFunc = fn
}

// SetBackupSettingsChangedCallback sets the callback for when backup settings change.
func (s *Server) SetBackupSettingsChangedCallback(fn func(enabled bool, intervalHours int)) {
	s.onBackupSettingsChanged = fn
}

// SetProxyProviderChangedCallback sets the callback for when the proxy provider changes.
func (s *Server) SetProxyProviderChangedCallback(fn func(provider proxy.Provider)) {
	s.onProxyProviderChanged = fn
}

// SetProxyProvider updates the proxy provider at runtime.
func (s *Server) SetProxyProvider(provider proxy.Provider) {
	s.proxyProvider = provider
}

// SetDNSProvider sets the current DNS provider on the server.
func (s *Server) SetDNSProvider(provider dns.Provider) {
	s.dnsProviderMu.Lock()
	defer s.dnsProviderMu.Unlock()
	s.dnsProvider = provider
}

// getDNSProviderLocked returns the current DNS provider under read lock.
func (s *Server) getDNSProviderLocked() dns.Provider {
	s.dnsProviderMu.RLock()
	defer s.dnsProviderMu.RUnlock()
	return s.dnsProvider
}

// SetDNSProviderChangedCallback sets the callback for when DNS settings change.
func (s *Server) SetDNSProviderChangedCallback(fn DNSProviderChangedFunc) {
	s.onDNSProviderChanged = fn
}

// initOIDCProvider creates an OIDC provider from settings. Errors are logged, not fatal.
func (s *Server) initOIDCProvider(ctx context.Context, as store.AuthSettings) {
	// Decrypt the OIDC client secret if it's encrypted.
	clientSecret := as.OIDCClientSecret
	if clientSecret != "" {
		if decrypted, err := crypto.Decrypt(s.encKey, clientSecret); err == nil {
			clientSecret = decrypted
		}
		// If decrypt fails, assume it's already plaintext (migration scenario).
	}
	provider, err := auth.NewOIDCProvider(ctx, auth.OIDCConfig{
		IssuerURL:    as.OIDCIssuerURL,
		ClientID:     as.OIDCClientID,
		ClientSecret: clientSecret,
		RedirectURL:  as.OIDCRedirectURL,
	})
	if err != nil {
		slog.Warn("failed to initialize OIDC provider", "error", err)
		return
	}
	s.oidcProvider = provider
	slog.Info("OIDC provider initialized", "issuer", as.OIDCIssuerURL)
}

// Router returns a chi router with all API routes mounted.
func (s *Server) Router() chi.Router {
	r := chi.NewRouter()

	// Global middleware.
	r.Use(recovery)
	r.Use(securityHeaders)
	r.Use(logging)
	r.Use(cors)

	loginLimiter := newRateLimiter()
	webhookLimiter := newRateLimiter()

	r.Route("/api", func(r chi.Router) {
		// JSON content type and body size limit for API routes.
		r.Use(jsonContentType)
		r.Use(limitBody)

		// Public auth endpoints (no auth required).
		r.Get("/auth/mode", s.authMode)
		r.Post("/auth/login", s.rateLimitedLogin(loginLimiter))
		r.Get("/auth/oidc/login", s.oidcLogin)
		r.Get("/auth/oidc/callback", s.oidcCallback)
		r.Post("/auth/oidc/token", s.oidcExchangeToken)

		// Webhook handler (uses its own secret-based auth).
		// Per-IP rate limit prevents an attacker who has guessed (or leaked)
		// a secret from triggering a deploy storm, and rejects unauthenticated
		// brute-force probes over the secret URL space.
		r.With(rateLimitMiddleware(webhookLimiter)).Mount("/webhook", s.webhook.Route())

		// Protected routes: require valid JWT.
		r.Group(func(r chi.Router) {
			r.Use(auth.Middleware(s.localAuth))

			// Plugin registry inspection + unified ingress.
			r.Get("/hooks/kinds", s.listHookKinds)
			r.Get("/hooks/kinds/{kind}/schema", s.getHookKindSchema)
			r.With(auth.AdminOnly).Post("/hooks/generic", s.dispatchGeneric)

			// Read-only endpoints (any authenticated user).
			r.Get("/health", s.getHealth)
			r.Get("/auth/me", s.currentUser)
			r.Post("/auth/logout", s.logout)
			r.Get("/proxies", s.listProxyRoutes)
			r.Get("/docker/unused-images", s.unusedImageStats)
			r.Get("/events", s.streamEvents)
			r.Get("/events/log", s.listEventLog)
			r.Get("/events/log/stats", s.getEventLogStats)
			r.Get("/registries", s.listRegistries)
			r.Route("/registries/{id}", func(r chi.Router) {
				r.Get("/tags/*", s.listRegistryTags)
				r.Get("/images", s.listRegistryImages)

				// Admin-only registry mutations.
				r.Group(func(r chi.Router) {
					r.Use(auth.AdminOnly)
					r.Put("/", s.updateRegistry)
					r.Delete("/", s.deleteRegistry)
					r.Post("/test", s.testRegistry)
				})
			})
			r.Get("/settings", s.getSettings)
			r.Get("/settings/npm-certificates", s.listNpmCertificates)
			r.Get("/settings/npm-access-lists", s.listNpmAccessLists)

			// Volume scope metadata (read-only).
			r.Get("/volumes/scopes", s.listVolumeScopes)

			// Stale container endpoints (read).
			r.Get("/containers/stale", s.listStaleContainers)

			// Workload-shaped endpoints — the canonical surface after the
			// hard cutover. Reads open to any authenticated user; mutations
			// admin-gated.
			r.Get("/workloads", s.listWorkloads)
			r.With(auth.AdminOnly).Post("/workloads", s.createPluginWorkload)
			r.Route("/workloads/{id}", func(r chi.Router) {
				r.Get("/", s.getWorkload)
				r.Get("/containers", s.listWorkloadContainers)
				r.Get("/containers/{cid}/logs", s.streamWorkloadContainerLogs)
				r.With(auth.AdminOnly).Patch("/app", s.updateWorkloadAppID)
				r.With(auth.AdminOnly).Put("/plugin", s.updatePluginWorkload)
				r.With(auth.AdminOnly).Post("/deploy", s.deployPluginWorkload)
				r.With(auth.AdminOnly).Delete("/", s.deletePluginWorkload)

				// Per-workload env vars. Listing open to authenticated readers;
				// mutations admin-gated. Encrypted values are write-only after store.
				r.Get("/env", s.listWorkloadEnv)
				r.With(auth.AdminOnly).Put("/env", s.setWorkloadEnv)
				r.With(auth.AdminOnly).Delete("/env/{envID}", s.deleteWorkloadEnv)

				// Per-workload inbound webhook URL handlers were dropped in
				// the hard legacy cutover; inbound webhooks are now first-
				// class Triggers reachable via /api/triggers/{id}/webhook.

				// Per-workload volume mounts.
				r.Get("/volumes", s.listWorkloadVolumes)
				r.With(auth.AdminOnly).Put("/volumes", s.setWorkloadVolume)
				r.With(auth.AdminOnly).Delete("/volumes/{volID}", s.deleteWorkloadVolume)

				// Stages chain: parent + self + direct children, plus a
				// promote-from action that copies the source workload's
				// running image tag onto this workload's default_tag.
				r.Get("/chain", s.getWorkloadChain)
				r.With(auth.AdminOnly).Post("/promote-from/{sourceID}", s.promoteFromWorkload)

				// Trigger bindings on this workload — the symmetric view
				// of /triggers/{id}/bindings keyed on the workload side.
				r.Get("/triggers", s.listBindingsForWorkload)
				r.With(auth.AdminOnly).Post("/triggers", s.bindTriggerToWorkload)
			})

			// Global container index, joined to workload + app names.
			r.Get("/containers", s.listAllContainers)
			r.Get("/containers/{id}", s.getContainer)

			// App grouping (optional UI; admin-gated mutations).
			r.Get("/apps", s.listApps)
			r.Get("/apps/{id}", s.getApp)
			r.Group(func(r chi.Router) {
				r.Use(auth.AdminOnly)
				r.Post("/apps", s.createApp)
				r.Put("/apps/{id}", s.updateApp)
				r.Delete("/apps/{id}", s.deleteApp)
			})

			// First-class Triggers (redeploy signal sources). One trigger
			// fans out to many workloads via workload_trigger_bindings.
			r.Get("/triggers", s.listTriggers)
			r.Get("/triggers/{id}", s.getTrigger)
			r.Get("/triggers/{id}/bindings", s.listBindingsForTrigger)
			r.Group(func(r chi.Router) {
				r.Use(auth.AdminOnly)
				r.Post("/triggers", s.createTrigger)
				r.Put("/triggers/{id}", s.updateTrigger)
				r.Delete("/triggers/{id}", s.deleteTrigger)
				r.Get("/triggers/{id}/webhook", s.getTriggerWebhook)
				r.Post("/triggers/{id}/webhook/regenerate", s.regenerateTriggerWebhook)
				r.Post("/triggers/{id}/fire", s.fireTriggerNow)
				r.Post("/triggers/{id}/bindings", s.bindWorkloadToTrigger)
				r.Put("/bindings/{bid}", s.updateBinding)
				r.Delete("/bindings/{bid}", s.deleteBinding)
			})

			// Event triggers: filter+action rules over the event_log stream.
			r.Get("/event-triggers", s.listEventTriggers)
			r.Get("/event-triggers/{id}", s.getEventTrigger)
			r.Group(func(r chi.Router) {
				r.Use(auth.AdminOnly)
				r.Post("/event-triggers", s.createEventTrigger)
				r.Patch("/event-triggers/{id}", s.updateEventTrigger)
				r.Delete("/event-triggers/{id}", s.deleteEventTrigger)
				r.Post("/event-triggers/{id}/test", s.testEventTrigger)
			})

			// Log-scan rules.
			r.Get("/log-scan-rules", s.listLogScanRules)
			r.Get("/log-scan-rules/stats", s.getLogScanStats)
			r.Get("/log-scan-rules/{id}", s.getLogScanRule)
			r.Get("/workloads/{id}/effective-rules", s.getEffectiveLogScanRules)
			r.Group(func(r chi.Router) {
				r.Use(auth.AdminOnly)
				r.Post("/log-scan-rules", s.createLogScanRule)
				r.Patch("/log-scan-rules/{id}", s.updateLogScanRule)
				r.Delete("/log-scan-rules/{id}", s.deleteLogScanRule)
				r.Post("/log-scan-rules/{id}/test", s.testLogScanRule)
			})

			// System resources (read-only).
			r.Get("/system/stats", s.getSystemStats)
			r.Get("/system/stats/history", s.getSystemStatsHistory)
			r.Get("/system/stats/top", s.listTopContainers)

			// Admin-only routes: require admin role.
			r.Group(func(r chi.Router) {
				r.Use(auth.AdminOnly)

				// Config export (reveals registry/global details).
				r.Get("/config/export", s.exportConfig)

				// Event log management.
				r.Delete("/events/log/{id}", s.deleteEvent)
				r.Delete("/events/log", s.clearEvents)

				// Auth management.
				r.Get("/auth/settings", s.getAuthSettings)
				r.Put("/auth/settings", s.updateAuthSettings)
				r.Get("/auth/users", s.listUsers)
				r.Post("/auth/users", s.createUser)
				r.Put("/auth/users/{uid}", s.updateUser)
				r.Put("/auth/users/{uid}/password", s.changePassword)
				r.Delete("/auth/users/{uid}", s.deleteUser)

				// Registry creation.
				r.Post("/registries", s.createRegistry)

				// Stale container cleanup endpoints.
				// Bulk route must be registered before parameterized route.
				r.Post("/containers/stale/cleanup", s.bulkCleanupStaleContainers)
				r.Post("/containers/stale/{id}/cleanup", s.cleanupStaleContainer)

				// Settings endpoints.
				r.Put("/settings", s.updateSettings)

				// Global outgoing-webhook signing & test.
				r.Get("/settings/notification-secret", s.getSettingsNotificationSecret)
				r.Post("/settings/notification-secret/regenerate", s.regenerateSettingsNotificationSecret)
				r.Post("/settings/notification-secret/disable", s.disableSettingsNotificationSigning)
				r.Post("/settings/notification-test", s.settingsNotificationTest)

				// Docker management.
				r.Post("/docker/prune-images", s.pruneImages)

				// NPM connection test.
				r.Post("/settings/npm/test", s.testNpmConnection)

				// DNS management endpoints.
				r.Post("/settings/dns/test", s.testDNSConnection)
				r.Post("/settings/dns/zones", s.listDNSZones)
				r.Get("/dns/records", s.listDNSRecords)
				r.Post("/dns/sync", s.syncDNSRecords)
				r.Delete("/dns/records/{fqdn}", s.deleteDNSRecord)

				// Backup endpoints.
				r.Get("/backups", s.listBackups)
				r.Post("/backups", s.triggerBackup)
				r.Get("/backups/{id}/download", s.downloadBackup)
				r.Delete("/backups/{id}", s.deleteBackup)
				r.Post("/backups/{id}/restore", s.restoreBackup)
			})
		})
	})

	return r
}