render context: add asset_download_token

cmd/dkl-dir2config/render-context.go

@@ -8,6 +8,7 @@ import (
 	"math/rand"
 	"path"
 	"reflect"
+	"strconv"
 	"strings"
 
 	"github.com/cespare/xxhash"
@@ -290,6 +291,14 @@ func (ctx *renderContext) templateFuncs(ctxMap map[string]any) map[string]any {
 		"host_download_token": func() (s string) {
 			return "{{ host_download_token }}"
 		},
+		"asset_download_token": func(args ...string) (s string) {
+			argsStr := new(strings.Builder)
+			for _, arg := range args {
+				argsStr.WriteByte(' ')
+				argsStr.WriteString(strconv.Quote(arg))
+			}
+			return "{{ asset_download_token" + argsStr.String() + " }}"
+		},
 
 		"hosts_of_group": func() (hosts []any) {
 			hosts = make([]any, 0)

cmd/dkl-local-server/html.go

@@ -0,0 +1,15 @@
+package main
+
+func htmlHeader(title string) string {
+	return `<!doctype html>
+<html>
+<head>
+  <title>` + title + `</title>
+  <style>@import url('/ui/style.css');@import url('/ui/app.css');</style>
+</head>
+<body><h1>` + title + `</h1>
+`
+}
+
+var htmlFooter = `</body>
+</html>`

cmd/dkl-local-server/render-context.go

@@ -14,6 +14,7 @@ import (
 	"path"
 	"path/filepath"
 	"text/template"
+	"time"
 
 	cfsslconfig "github.com/cloudflare/cfssl/config"
 	restful "github.com/emicklei/go-restful"
@@ -237,6 +238,32 @@ func (ctx *renderContext) TemplateFuncs() map[string]any {
 				}
 			}
 
+			return
+		},
+		"asset_download_token": func(asset string, params ...string) (token string, err error) {
+			now := time.Now()
+			exp := now.Add(24 * time.Hour) // expire in 24h by default
+			if len(params) != 0 {
+				exp, err = parseCertDuration(params[0], now)
+				if err != nil {
+					return
+				}
+			}
+
+			set := DownloadSet{
+				Expiry: exp,
+				Items: []DownloadSetItem{
+					{
+						Kind:   "host",
+						Name:   ctx.Host.Name,
+						Assets: []string{asset},
+					},
+				},
+			}
+
+			privKey, _ := dlsSigningKeys()
+			token = set.Signed(privKey)
+
 			return
 		},
 	} {

cmd/dkl-local-server/ws-download-set.go

@@ -6,6 +6,7 @@ import (
 	"encoding/base32"
 	"fmt"
 	"io"
+	"path/filepath"
 	"slices"
 	"strconv"
 	"strings"
@@ -16,6 +17,11 @@ import (
 	"m.cluseau.fr/go/httperr"
 )
 
+func globMatch(pattern, value string) bool {
+	ok, _ := filepath.Match(pattern, value)
+	return ok
+}
+
 type DownloadSet struct {
 	Expiry time.Time
 	Items  []DownloadSetItem
@@ -23,7 +29,7 @@ type DownloadSet struct {
 
 func (s DownloadSet) Contains(kind, name, asset string) bool {
 	for _, item := range s.Items {
-		if item.Kind == kind && item.Name == name &&
+		if item.Kind == kind && globMatch(item.Name, name) &&
 			slices.Contains(item.Assets, asset) {
 			return true
 		}
@@ -69,6 +75,28 @@ func (s *DownloadSet) Decode(encoded string) (err error) {
 	return
 }
 
+func (s DownloadSet) Signed(privKey ed25519.PrivateKey) string {
+	buf := new(bytes.Buffer)
+	{
+		setBytes := []byte(s.Encode())
+
+		w := lz4.NewWriter(buf)
+		w.Write(setBytes)
+		w.Close()
+	}
+
+	setBytes := buf.Bytes()
+	sig := ed25519.Sign(privKey, setBytes)
+
+	buf = bytes.NewBuffer(make([]byte, 0, 1+len(sig)+len(setBytes)))
+	buf.WriteByte(byte(len(sig)))
+	buf.Write(sig)
+	buf.Write(setBytes)
+
+	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
+	return enc.EncodeToString(buf.Bytes())
+}
+
 type DownloadSetItem struct {
 	Kind   string
 	Name   string
@@ -76,7 +104,15 @@ type DownloadSetItem struct {
 }
 
 func (i DownloadSetItem) EncodeTo(buf *strings.Builder) {
-	buf.WriteString(i.Kind)
+	kind := i.Kind
+	switch kind {
+	case "host":
+		kind = "h"
+	case "cluster":
+		kind = "c"
+	}
+
+	buf.WriteString(kind)
 	buf.WriteByte(':')
 	buf.WriteString(i.Name)
 
@@ -89,6 +125,14 @@ func (i DownloadSetItem) EncodeTo(buf *strings.Builder) {
 func (i *DownloadSetItem) Decode(encoded string) {
 	rem := encoded
 	i.Kind, rem, _ = strings.Cut(rem, ":")
+
+	switch i.Kind {
+	case "h":
+		i.Kind = "host"
+	case "c":
+		i.Kind = "cluster"
+	}
+
 	i.Name, rem, _ = strings.Cut(rem, ":")
 
 	if rem == "" {
@@ -121,32 +165,8 @@ func wsSignDownloadSet(req *restful.Request, resp *restful.Response) {
 		Items:  setReq.Items,
 	}
 
-	buf := new(bytes.Buffer)
+	privKey, _ := dlsSigningKeys()
-	{
+	resp.WriteEntity(set.Signed(privKey))
-		setBytes := []byte(set.Encode())
-
-		w := lz4.NewWriter(buf)
-		w.Write(setBytes)
-		w.Close()
-	}
-
-	setBytes := buf.Bytes()
-
-	privkey, pubkey := dlsSigningKeys()
-	sig := ed25519.Sign(privkey, setBytes)
-
-	if !ed25519.Verify(pubkey, setBytes, sig) {
-		wsError(resp, fmt.Errorf("signature self-check failed"))
-		return
-	}
-
-	buf = bytes.NewBuffer(make([]byte, 0, 1+len(sig)+len(setBytes)))
-	buf.WriteByte(byte(len(sig)))
-	buf.Write(sig)
-	buf.Write(setBytes)
-
-	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
-	resp.WriteEntity(enc.EncodeToString(buf.Bytes()))
 }
 
 func getDlSet(req *restful.Request) (*DownloadSet, *httperr.Error) {
@@ -226,42 +246,47 @@ func wsDownloadSet(req *restful.Request, resp *restful.Response) {
 	set, err := getDlSet(req)
 	if err != nil {
 		resp.WriteHeader(err.Status)
-		resp.Write([]byte(`<!doctype html>
+		resp.Write([]byte(htmlHeader(err.Error())))
-<html>
+		resp.Write([]byte(htmlFooter))
-<head>
-  <title>` + err.Error() + `</title>
-  <style>
-    @import url('/ui/style.css');
-    @import url('/ui/app.css');
-  </style>
-</head>
-<body><h1>` + err.Error() + `</h1></body>
-</html>`))
 		return
 	}
 
 	buf := new(bytes.Buffer)
-	buf.WriteString(`<!doctype html>
+	buf.WriteString(htmlHeader("Download set"))
-<html>
+
-<head>
+	cfg, err2 := readConfig()
-  <title>Download set</title>
+	if err2 != nil {
-  <style>
+		wsError(resp, err2)
-    @import url('/ui/style.css');
+		return
-    @import url('/ui/app.css');
+	}
-  </style>
-</head>
-<body><h1>Download set</h1>
-`)
 
 	for _, item := range set.Items {
-		fmt.Fprintf(buf, "<h2>%s %s</h2>", strings.Title(item.Kind), item.Name)
+		names := make([]string, 0)
+		switch item.Kind {
+		case "cluster":
+			for _, c := range cfg.Clusters {
+				if globMatch(item.Name, c.Name) {
+					names = append(names, c.Name)
+				}
+			}
+		case "host":
+			for _, h := range cfg.Hosts {
+				if globMatch(item.Name, h.Name) {
+					names = append(names, h.Name)
+				}
+			}
+		}
+
+		for _, name := range names {
+			fmt.Fprintf(buf, "<h2>%s %s</h2>", strings.Title(item.Kind), name)
 			fmt.Fprintf(buf, "<p class=\"download-links\">\n")
 			for _, asset := range item.Assets {
-			fmt.Fprintf(buf, "  <a href=\"/public/download-set/%s/%s/%s?set=%s\" download>%s</a>\n", item.Kind, item.Name, asset, setStr, asset)
+				fmt.Fprintf(buf, "  <a href=\"/public/download-set/%s/%s/%s?set=%s\" download>%s</a>\n", item.Kind, name, asset, setStr, asset)
 			}
 			fmt.Fprintf(buf, `</p>`)
 		}
+	}
 
-	buf.WriteString("</body></html>")
+	buf.WriteString(htmlFooter)
 	buf.WriteTo(resp)
 }

cmd/dkl-local-server/ws-downloads.go

@@ -180,38 +180,20 @@ func wsDownloadPage(req *restful.Request, resp *restful.Response) {
 	spec, ok := wState.Get().Downloads[token]
 	if !ok {
 		resp.WriteHeader(http.StatusNotFound)
-		resp.Write([]byte(`<!doctype html>
+		resp.Write([]byte(htmlHeader("Token not found")))
-<html>
+		resp.Write([]byte(htmlFooter))
-<head>
-  <title>Token not found</title>
-  <style>
-    @import url('/ui/style.css');
-    @import url('/ui/app.css');
-  </style>
-</head>
-<body><h1>Token not found</h1></body>
-</html>`))
 		return
 	}
 
 	buf := new(bytes.Buffer)
-	fmt.Fprintf(buf, `<!doctype html>
+	buf.WriteString(htmlHeader(fmt.Sprintf("Token assets: %s %s", spec.Kind, spec.Name)))
-<html>
-<head>
-  <title>Token assets: %s %s</title>
-  <style>
-    @import url('/ui/style.css');
-    @import url('/ui/app.css');
-  </style>
-</head>
-<body><h1>Token assets: %s %s</h1>
-<ul>
-`, spec.Kind, spec.Name, spec.Kind, spec.Name)
 
+	buf.WriteString("<ul>")
 	for _, asset := range spec.Assets {
 		fmt.Fprintf(buf, "<li><a href=\"%s\" download>%s</a></li>\n", asset, asset)
 	}
+	buf.WriteString("</ul>")
 
-	buf.WriteString("</ul></body></html>")
+	buf.WriteString(htmlFooter)
 	buf.WriteTo(resp)
 }