lossless.zone/objectstorage
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(opsserver): add health, audit, cluster health, and durable credential management hardening

Browse Source
This commit is contained in:
Jürgen Kunz
2026-04-30 07:10:21 +00:00
parent c3e5cabe3d
commit f4e5f02d0c
34 changed files with 1722 additions and 320 deletions
Download Patch File Download Diff File Expand all files Collapse all files
AGENTS.md
+43
View File
@@ -0,0 +1,43 @@
# Repository Guidance
## Purpose
This repository is the product layer around `@push.rocks/smartstorage`.
Its job is to turn the storage engine into a usable product:
- a Docker image that starts cleanly and predictably
- a management UI and ops API
- product-facing config, auth, and persistence behavior
- tests, docs, and release hygiene
## Dependency Ownership
We control the dependencies used here, especially `@push.rocks/smartstorage` and the `@design.estate/*` UI stack.
- Do not keep product code full of workarounds for missing dependency capabilities.
- If a missing capability clearly belongs in a dependency, improve the dependency.
- If dependency work is not being done in this repo right now, write a focused implementation prompt into `./prompts/*.md`.
## Boundary
This repo should own:
- Docker and runtime packaging
- CLI, env var, and startup UX
- admin auth flow and management APIs
- product metadata persistence and migrations
- acceptance tests and docs
`@push.rocks/smartstorage` should own:
- storage-engine stats and health surfaces
- bucket and object metadata summaries that should be cheap at runtime
- cluster and drive introspection
- runtime auth/credential APIs when the engine must react to changes
## Planning Docs
- Put current repo improvement work in `readme.plan.md`.
- Keep durable findings in `readme.hints.md`.
- Put dependency implementation prompts in `prompts/*.md`.
Dockerfile
+18 -14
View File
@@ -6,6 +6,7 @@ FROM --platform=linux/amd64 node:22-alpine AS build
RUN corepack enable && corepack prepare pnpm@latest --activate
WORKDIR /app
ENV DENO_DIR=/deno-dir
# Use verdaccio registry (hosts private packages and proxies public ones)
RUN npm config set registry https://verdaccio.lossless.digital/
@@ -15,7 +16,7 @@ COPY package.json pnpm-lock.yaml ./
RUN pnpm install
# Copy source and build
COPY npmextra.json ./
COPY .smartconfig.json ./
COPY html/ ./html/
COPY ts_web/ ./ts_web/
COPY ts_interfaces/ ./ts_interfaces/
@@ -23,32 +24,35 @@ COPY ts_bundled/ ./ts_bundled/
RUN pnpm run build
## STAGE 2 // production runtime with Deno
FROM alpine:edge AS final
FROM denoland/deno:debian AS final
ENV DENO_DIR=/deno-dir
# Install Deno and minimal runtime dependencies
RUN apk add --no-cache \
deno \
ca-certificates \
tini \
gcompat \
libstdc++
RUN apt-get update && \
apt-get install -y --no-install-recommends ca-certificates tini && \
rm -rf /var/lib/apt/lists/*
WORKDIR /app
# Copy only what Deno needs at runtime
COPY deno.json ./
COPY deno.lock ./
COPY mod.ts ./
COPY ts/ ./ts/
COPY ts_interfaces/ ./ts_interfaces/
COPY --from=build /app/ts_bundled/bundle.ts ./ts_bundled/bundle.ts
# Pre-cache Deno dependencies
RUN deno cache mod.ts
# Create storage directory
RUN mkdir -p /data
# Pre-cache Deno dependencies and prepare non-root runtime paths
RUN deno cache mod.ts && \
groupadd --system objectstorage && \
useradd --system --gid objectstorage --home-dir /app objectstorage && \
mkdir -p /data /deno-dir && \
chown -R objectstorage:objectstorage /app /data /deno-dir
EXPOSE 9000 3000 4433
VOLUME ["/data"]
ENTRYPOINT ["/sbin/tini", "--"]
USER objectstorage
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
CMD deno eval "const response = await fetch('http://127.0.0.1:3000/readyz'); Deno.exit(response.ok ? 0 : 1);"
ENTRYPOINT ["/usr/bin/tini", "--"]
CMD ["deno", "run", "--allow-all", "mod.ts", "server"]
changelog.md
+7
View File
@@ -1,5 +1,12 @@
# Changelog
## 2026-04-30 - 1.9.0 - feat(opsserver)
add health, audit, cluster health, and durable credential management hardening
- persist managed access credentials to .objectstorage/admin-config.json and reload them on restart while allowing explicit environment credentials to override persisted values
- add management health endpoints (/livez, /readyz, /healthz, /metrics), append-only audit logging, logout token revocation, failed-login rate limiting, and a startup guard against default admin credentials on persistent /data storage
- surface smartstorage cluster health through the management API and config UI, and harden the Docker image with a non-root runtime user, DENO_DIR, ready healthcheck, updated build config copy, and smoke coverage
## 2026-03-24 - 1.8.1 - fix(build)
migrate build tool config to .smartconfig.json and bump tooling dependencies
deno.json
+1 -1
View File
@@ -8,7 +8,7 @@
"dev": "pnpm run watch"
},
"imports": {
"@push.rocks/smartstorage": "npm:@push.rocks/smartstorage@^6.3.2",
"@push.rocks/smartstorage": "npm:@push.rocks/smartstorage@^6.4.0",
"@push.rocks/smartbucket": "npm:@push.rocks/smartbucket@^4.5.1",
"@aws-sdk/client-s3": "npm:@aws-sdk/client-s3@^3.1016.0",
"@api.global/typedrequest-interfaces": "npm:@api.global/typedrequest-interfaces@^3.0.19",
deno.lock
Generated
+22 -98
View File
@@ -17,7 +17,7 @@
"npm:@push.rocks/smartbucket@^4.5.1": "4.5.1",
"npm:@push.rocks/smartguard@^3.1.0": "3.1.0",
"npm:@push.rocks/smartjwt@^2.2.1": "2.2.1",
"npm:@push.rocks/smartstorage@^6.3.2": "6.3.2"
"npm:@push.rocks/smartstorage@^6.4.0": "6.4.0"
},
"jsr": {
"@std/assert@1.0.19": {
@@ -190,67 +190,6 @@
],
"tarball": "https://verdaccio.lossless.digital/@aws-crypto/util/-/util-5.2.0.tgz"
},
"@aws-sdk/client-s3@3.1015.0": {
"integrity": "sha512-yo+Y+/fq5/E684SynTRO+VA3a+98MeE/hs7J52XpNI5SchOCSrLhLtcDKVASlGhHQdNLGLzblRgps1OZaf8sbA==",
"dependencies": [
"@aws-crypto/sha1-browser",
"@aws-crypto/sha256-browser",
"@aws-crypto/sha256-js",
"@aws-sdk/core",
"@aws-sdk/credential-provider-node",
"@aws-sdk/middleware-bucket-endpoint",
"@aws-sdk/middleware-expect-continue",
"@aws-sdk/middleware-flexible-checksums",
"@aws-sdk/middleware-host-header",
"@aws-sdk/middleware-location-constraint",
"@aws-sdk/middleware-logger",
"@aws-sdk/middleware-recursion-detection",
"@aws-sdk/middleware-sdk-s3",
"@aws-sdk/middleware-ssec",
"@aws-sdk/middleware-user-agent",
"@aws-sdk/region-config-resolver",
"@aws-sdk/signature-v4-multi-region",
"@aws-sdk/types",
"@aws-sdk/util-endpoints",
"@aws-sdk/util-user-agent-browser",
"@aws-sdk/util-user-agent-node",
"@smithy/config-resolver",
"@smithy/core",
"@smithy/eventstream-serde-browser",
"@smithy/eventstream-serde-config-resolver",
"@smithy/eventstream-serde-node",
"@smithy/fetch-http-handler",
"@smithy/hash-blob-browser",
"@smithy/hash-node",
"@smithy/hash-stream-node",
"@smithy/invalid-dependency",
"@smithy/md5-js",
"@smithy/middleware-content-length",
"@smithy/middleware-endpoint",
"@smithy/middleware-retry",
"@smithy/middleware-serde",
"@smithy/middleware-stack",
"@smithy/node-config-provider",
"@smithy/node-http-handler",
"@smithy/protocol-http",
"@smithy/smithy-client",
"@smithy/types",
"@smithy/url-parser",
"@smithy/util-base64",
"@smithy/util-body-length-browser",
"@smithy/util-body-length-node",
"@smithy/util-defaults-mode-browser",
"@smithy/util-defaults-mode-node",
"@smithy/util-endpoints",
"@smithy/util-middleware",
"@smithy/util-retry",
"@smithy/util-stream",
"@smithy/util-utf8@4.2.2",
"@smithy/util-waiter",
"tslib"
],
"tarball": "https://verdaccio.lossless.digital/@aws-sdk/client-s3/-/client-s3-3.1015.0.tgz"
},
"@aws-sdk/client-s3@3.1016.0": {
"integrity": "sha512-E9umet1PolP6I8TpjQQ2W88aIIguyiRQJE98ag6N6QeLgjSZsF+h9l3KclwCRvqUFU68x+HRwrgXxvbIBVFLbA==",
"dependencies": [
@@ -1155,7 +1094,7 @@
"@inquirer/figures",
"@inquirer/type",
"@types/mute-stream",
"@types/node@22.19.15",
"@types/node",
"@types/wrap-ansi",
"ansi-escapes",
"cli-width",
@@ -1511,7 +1450,7 @@
"@push.rocks/smartbucket@4.5.1": {
"integrity": "sha512-mce9x7YH68ZgNLJU0ZWflt03AlS+jMe9BNZNhwM0N5T87q1uhNFvjFzkvyhBj8XO6g4CTQvQGxPuJXZqD5aUsg==",
"dependencies": [
"@aws-sdk/client-s3@3.1015.0",
"@aws-sdk/client-s3",
"@push.rocks/smartmime@2.0.4",
"@push.rocks/smartpath@6.0.0",
"@push.rocks/smartpromise",
@@ -1999,14 +1938,14 @@
],
"tarball": "https://verdaccio.lossless.digital/@push.rocks/smartstate/-/smartstate-2.2.1.tgz"
},
"@push.rocks/smartstorage@6.3.2": {
"integrity": "sha512-g8rXlVZ+6iKmzNoybtwQntdb7EWA6WnVmbXNOdwDKWR8w4o/7UMErj+H5mt57iqYIy1pzQAoTb8IWJNsti7XQw==",
"@push.rocks/smartstorage@6.4.0": {
"integrity": "sha512-TerWYmnu0exM5s3E6YW+o00u10fCN4aNuaSrRDchTlBTzOfEjJaBDnZxXAFW7BosXVZR7+3UZ0vHcpAhYsGC3w==",
"dependencies": [
"@push.rocks/smartpath@6.0.0",
"@push.rocks/smartrust",
"@tsclass/tsclass@9.5.0"
],
"tarball": "https://verdaccio.lossless.digital/@push.rocks/smartstorage/-/smartstorage-6.3.2.tgz"
"tarball": "https://verdaccio.lossless.digital/@push.rocks/smartstorage/-/smartstorage-6.4.0.tgz"
},
"@push.rocks/smartstream@2.0.8": {
"integrity": "sha512-GlF/9cCkvBHwKa3DK4DO5wjfSgqkj6gAS4TrY9uD5NMHu9RQv4WiNrElTYj7iCEpnZgUnLO3tzw1JA3NRIMnnA==",
@@ -3213,7 +3152,7 @@
"@types/clean-css@4.2.11": {
"integrity": "sha512-Y8n81lQVTAfP2TOdtJJEsCoYl1AnOkqDqMvXb9/7pfgZZ7r8YrEyurrAvAoAjHOGXKRybay+5CsExqIH6liccw==",
"dependencies": [
"@types/node@24.2.0",
"@types/node",
"source-map"
],
"tarball": "https://verdaccio.lossless.digital/@types/clean-css/-/clean-css-4.2.11.tgz"
@@ -3228,7 +3167,7 @@
"@types/from2@2.3.6": {
"integrity": "sha512-pO5qFhZ85+M4znizw6ihwU2nW+EarU/TuWbYzSEt6YSCis+vET8WJMUlg6/b2HLBzzT9cfKhtEoIciazgv9UXQ==",
"dependencies": [
"@types/node@24.2.0"
"@types/node"
],
"tarball": "https://verdaccio.lossless.digital/@types/from2/-/from2-2.3.6.tgz"
},
@@ -3236,7 +3175,7 @@
"integrity": "sha512-yTbItCNreRooED33qjunPthRcSjERP1r4MqCZc7wv0u2sUkzTFp45tgUfS5+r7FrZPdmCCNflLhVSP/o+SemsQ==",
"dependencies": [
"@types/jsonfile",
"@types/node@24.2.0"
"@types/node"
],
"tarball": "https://verdaccio.lossless.digital/@types/fs-extra/-/fs-extra-11.0.4.tgz"
},
@@ -3244,7 +3183,7 @@
"integrity": "sha512-IO+MJPVhoqz+28h1qLAcBEH2+xHMK6MTyHJc7MTnnYb6wsoLR29POVGJ7LycmVXIqyy/4/2ShP5sUwTXuOwb/w==",
"dependencies": [
"@types/minimatch",
"@types/node@24.2.0"
"@types/node"
],
"tarball": "https://verdaccio.lossless.digital/@types/glob/-/glob-8.1.0.tgz"
},
@@ -3275,7 +3214,7 @@
"@types/jsonfile@6.1.4": {
"integrity": "sha512-D5qGUYwjvnNNextdU59/+fI+spnwtTFmyQP0h+PfIOSkNfpU6AOICUOkm4i0OnSk+NyjdPJrxCDro0sJsWlRpQ==",
"dependencies": [
"@types/node@24.2.0"
"@types/node"
],
"tarball": "https://verdaccio.lossless.digital/@types/jsonfile/-/jsonfile-6.1.4.tgz"
},
@@ -3283,7 +3222,7 @@
"integrity": "sha512-asx5hIG9Qmf/1oStypjanR7iKTv0gXQ1Ov/jfrX6kS/EO0OFni8orbmGCn0672NHR3kXHwpAwR+B368ZGN/2rA==",
"dependencies": [
"@types/ms",
"@types/node@24.2.0"
"@types/node"
],
"tarball": "https://verdaccio.lossless.digital/@types/jsonwebtoken/-/jsonwebtoken-9.0.10.tgz"
},
@@ -3325,31 +3264,24 @@
"@types/mute-stream@0.0.4": {
"integrity": "sha512-CPM9nzrCPPJHQNA9keH9CVkVI+WR5kMa+7XEs5jcGQ0VoAGnLv242w8lIVgwAEfmE4oufJRaTc9PNLQl0ioAow==",
"dependencies": [
"@types/node@24.2.0"
"@types/node"
],
"tarball": "https://verdaccio.lossless.digital/@types/mute-stream/-/mute-stream-0.0.4.tgz"
},
"@types/node-forge@1.3.14": {
"integrity": "sha512-mhVF2BnD4BO+jtOp7z1CdzaK4mbuK0LLQYAvdOLqHTavxFNq4zA1EmYkpnFjP8HOUzedfQkRnp0E2ulSAYSzAw==",
"dependencies": [
"@types/node@24.2.0"
"@types/node"
],
"tarball": "https://verdaccio.lossless.digital/@types/node-forge/-/node-forge-1.3.14.tgz"
},
"@types/node@22.19.15": {
"integrity": "sha512-F0R/h2+dsy5wJAUe3tAU6oqa2qbWY5TpNfL/RGmo1y38hiyO1w3x2jPtt76wmuaJI4DQnOBu21cNXQ2STIUUWg==",
"dependencies": [
"undici-types@6.21.0"
"undici-types"
],
"tarball": "https://verdaccio.lossless.digital/@types/node/-/node-22.19.15.tgz"
},
"@types/node@24.2.0": {
"integrity": "sha512-3xyG3pMCq3oYCNg7/ZP+E1ooTaGB4cG8JWRsqqOYQdbWNY4zbaV0Ennrd7stjiJEFZCaybcIgpTjJWHRfBSIDw==",
"dependencies": [
"undici-types@7.10.0"
],
"tarball": "https://verdaccio.lossless.digital/@types/node/-/node-24.2.0.tgz"
},
"@types/randomatic@3.1.5": {
"integrity": "sha512-VCwCTw6qh1pRRw+5rNTAwqPmf6A+hdrkdM7dBpZVmhl7g+em3ONXlYK/bWPVKqVGMWgP0d1bog8Vc/X6zRwRRQ==",
"tarball": "https://verdaccio.lossless.digital/@types/randomatic/-/randomatic-3.1.5.tgz"
@@ -3361,7 +3293,7 @@
"@types/through2@2.0.41": {
"integrity": "sha512-ryQ0tidWkb1O1JuYvWKyMLYEtOWDqF5mHerJzKz/gQpoAaJq2l/dsMPBF0B5BNVT34rbARYJ5/tsZwLfUi2kwQ==",
"dependencies": [
"@types/node@24.2.0"
"@types/node"
],
"tarball": "https://verdaccio.lossless.digital/@types/through2/-/through2-2.0.41.tgz"
},
@@ -3797,7 +3729,7 @@
"ecdsa-sig-formatter@1.0.11": {
"integrity": "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==",
"dependencies": [
"safe-buffer@5.2.1"
"safe-buffer"
],
"tarball": "https://verdaccio.lossless.digital/ecdsa-sig-formatter/-/ecdsa-sig-formatter-1.0.11.tgz"
},
@@ -4404,7 +4336,7 @@
"dependencies": [
"buffer-equal-constant-time",
"ecdsa-sig-formatter",
"safe-buffer@5.2.1"
"safe-buffer"
],
"tarball": "https://verdaccio.lossless.digital/jwa/-/jwa-2.0.1.tgz"
},
@@ -4412,7 +4344,7 @@
"integrity": "sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA==",
"dependencies": [
"jwa",
"safe-buffer@5.2.1"
"safe-buffer"
],
"tarball": "https://verdaccio.lossless.digital/jws/-/jws-4.0.1.tgz"
},
@@ -5425,7 +5357,7 @@
"inherits",
"isarray",
"process-nextick-args",
"safe-buffer@5.1.2",
"safe-buffer",
"string_decoder",
"util-deprecate"
],
@@ -5569,10 +5501,6 @@
"integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==",
"tarball": "https://verdaccio.lossless.digital/safe-buffer/-/safe-buffer-5.1.2.tgz"
},
"safe-buffer@5.2.1": {
"integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
"tarball": "https://verdaccio.lossless.digital/safe-buffer/-/safe-buffer-5.2.1.tgz"
},
"safer-buffer@2.1.2": {
"integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
"tarball": "https://verdaccio.lossless.digital/safer-buffer/-/safer-buffer-2.1.2.tgz"
@@ -5703,7 +5631,7 @@
"string_decoder@1.1.1": {
"integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
"dependencies": [
"safe-buffer@5.1.2"
"safe-buffer"
],
"tarball": "https://verdaccio.lossless.digital/string_decoder/-/string_decoder-1.1.1.tgz"
},
@@ -5894,10 +5822,6 @@
"integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==",
"tarball": "https://verdaccio.lossless.digital/undici-types/-/undici-types-6.21.0.tgz"
},
"undici-types@7.10.0": {
"integrity": "sha512-t5Fy/nfn+14LuOc2KNYg75vZqClpAiqscVvMygNnlsHBFpSXdJaYtXMcdNLpl/Qvc3P2cB3s6lOV51nqsFq4ag==",
"tarball": "https://verdaccio.lossless.digital/undici-types/-/undici-types-7.10.0.tgz"
},
"unified@11.0.5": {
"integrity": "sha512-xKvGhPWw3k84Qjh8bI3ZeJjqnyadK+GEFtazSfZv/rKeTkTjOJho6mFqh2SM96iIcZokxiOpg78GazTSg8+KHA==",
"dependencies": [
@@ -6102,7 +6026,7 @@
"npm:@push.rocks/smartbucket@^4.5.1",
"npm:@push.rocks/smartguard@^3.1.0",
"npm:@push.rocks/smartjwt@^2.2.1",
"npm:@push.rocks/smartstorage@^6.3.2"
"npm:@push.rocks/smartstorage@^6.4.0"
],
"packageJson": {
"dependencies": [
package.json
+1
View File
@@ -6,6 +6,7 @@
"type": "module",
"scripts": {
"test": "deno task test",
"test:docker": "OBJST_RUN_DOCKER_SMOKE=1 deno test --allow-all test/test.docker-smoke.test.ts",
"watch": "tswatch",
"build": "tsbundle",
"bundle": "tsbundle",
readme.hints.md
+9
View File
@@ -1,17 +1,26 @@
# Project Hints
## Architecture
- Deno-based backend with `deno.json` for imports and tasks
- Frontend bundled with `@git.zone/tsbundle` (esbuild, base64ts output mode)
- Config in `.smartconfig.json` (renamed from npmextra.json as of 2026-03-24)
- Runtime-managed credentials persist in `${storageDirectory}/.objectstorage/admin-config.json`
- Admin audit entries append to `${storageDirectory}/.objectstorage/audit.log`
- Management health endpoints: `/livez`, `/readyz`, `/healthz`, `/metrics`
- Persistent `/data` deployments reject default `admin/admin` credentials unless `OBJST_ALLOW_INSECURE_DEFAULTS=true`
- Tests run with `deno task test` (not tstest)
- Docker image built with `@git.zone/tsdocker`
## Build Tools Config
- `.smartconfig.json` contains config for `@git.zone/tsbundle`, `@git.zone/tswatch`, and `@git.zone/tsdocker`
- tsbundle uses base64ts output mode for Deno compile embedding
- tswatch runs backend watcher with `deno run --allow-all mod.ts server --ephemeral`
- Docker smoke coverage is opt-in via `pnpm run test:docker`
- Docker runtime has a `/readyz` healthcheck and runs as the `objectstorage` user
## Dependencies (as of 2026-03-24)
- devDependencies: tsbundle@2.10.0, tsdocker@2.2.4, tswatch@3.3.2
- No tsconfig.json — uses compilerOptions in deno.json
readme.plan.md
+125
View File
@@ -0,0 +1,125 @@
# Improvement Plan
## Goal
Make this repository a solid product wrapper for `@push.rocks/smartstorage`: reliable Docker image, predictable runtime behavior, durable admin configuration, and a management surface that scales past toy datasets.
## Current Position
The repository already has a clear structure and decent coverage for auth, buckets, objects, policies, credentials, status/config, lifecycle, and S3 compatibility.
The main gaps are product hardening and dependency boundaries:
- the Docker build still references `npmextra.json` even though the repo migrated to `.smartconfig.json`
- some admin/runtime behavior is still in-memory only
- status and bucket summaries are computed by rescanning storage through S3 calls
- the product surface does not yet expose real cluster and drive health
- the UI error model is still mostly `console.error()` + stale state retention
## Repo-Owned Work
### 1. Fix Packaging Regressions First
- Update `Dockerfile` to stop copying `npmextra.json` and use the current build config layout.
- Add a Docker smoke test that proves the image builds and the container starts with both ports exposed.
Reason:
- This repo is explicitly about shipping a usable container. A broken or stale Docker build path is a product failure, not a nice-to-have cleanup.
### 2. Make Admin Configuration Durable
- Decide which runtime-managed settings must survive restart.
- Credentials are the biggest gap today: add/remove currently mutates runtime config only.
- Align credential durability with the existing named-policy persistence model.
- Add restart-persistence tests.
Reason:
- A product container should not pretend to manage credentials if those changes disappear on restart.
### 3. Tighten Management API Behavior
- Fix bucket/policy cleanup ordering so deleting a bucket does not trigger follow-up work against a missing bucket.
- Return cleaner typed errors from handlers where failure is expected.
- Surface actionable errors in the UI instead of only logging and keeping stale state.
Reason:
- The current tests pass, but post-test output already shows avoidable `NoSuchBucket` noise during policy cleanup.
### 4. Reduce Large-Object and Large-Dataset Pain
- Keep inline editing and preview for small objects.
- Add explicit size thresholds for inline/base64 flows.
- Prefer direct object URLs or streaming paths for large-object download/preview paths.
- Stop treating expensive full-dataset scans as normal refresh behavior.
Reason:
- The product should stay usable once users have real buckets and non-trivial object counts.
### 5. Add Product Acceptance Coverage
- Docker build/start smoke test.
- Restart-persistence test for credentials and policies.
- Cluster-config smoke test.
- One browser-level smoke test for login, bucket browse, and config view.
Reason:
- The repo is productization code. Acceptance coverage matters more here than unit-test density.
## Dependency-Owned Work Completed
The dependency boundary work landed in `@push.rocks/smartstorage` `v6.4.0` and is now consumed here through the Deno import map.
- Runtime storage stats and bucket summaries come from `smartstorage` instead of product-side S3 scans.
- Runtime credential listing/replacement uses supported `smartstorage` APIs instead of mutating engine internals.
- Cluster and drive health are exposed through `smartstorage` and surfaced through the management API/UI.
## Suggested Execution Order
1. Fix Dockerfile and add a container smoke test.
2. Make credential changes durable and test restart behavior.
3. Clean up bucket/policy deletion behavior and UI error reporting.
4. Keep product code on supported `smartstorage` runtime APIs for stats, credentials, and cluster health.
5. Add browser-level smoke coverage for login, bucket browse, and config views.
## Success Criteria
- Docker image builds from a clean checkout.
- Runtime-managed credentials survive restart or are explicitly documented as ephemeral until fixed.
- Status and bucket views no longer require full object scans for routine refreshes.
- Bucket deletion and policy cleanup complete without noisy missing-bucket follow-up errors.
- Cluster mode exposes live health, not just configured values.
## Enterprise Readiness Plan
### Acceptance Criteria Implemented In-Repo
- Runtime health: expose unauthenticated `/livez`, `/readyz`, `/healthz`, and `/metrics` on the management server.
- Container health: Docker `HEALTHCHECK` must use `/readyz` and the image must run as a non-root user.
- Admin auditability: login, logout, bucket mutation, object mutation, credential mutation, and named-policy mutation must emit append-only audit events under `.objectstorage/audit.log`.
- Audit access: admins can query recent audit entries through a typed management API.
- Session security: JWT role is validated from verified claims, logout revokes the active token, and repeated failed logins are rate-limited.
- Secret persistence: admin metadata files are written with restrictive file mode where the OS supports it.
- Default-secret guardrail: persistent `/data` deployments refuse `admin/admin` defaults unless explicitly allowed for disposable development.
- Frontend session storage: admin identity is no longer stored in persistent browser state.
### Dependency Work Implemented In `@push.rocks/smartstorage`
- Cluster identity and topology snapshots persist under `.smartstorage/cluster/`.
- Cluster startup refuses unsafe seed-node fallback instead of silently forming a split-brain cluster.
- Heartbeats probe all known peers, including suspect/offline peers, using configured timeout.
- Operational S3-side endpoints expose `/-/live`, `/-/ready`, `/-/health`, and `/-/metrics`.
- Runtime credential listing returns metadata only; secrets are write-only.
- Multi-node tests cover topology convergence, remote drive routing, and restart/rejoin identity durability.
### Production Requirements Outside This Repo
- Run the management UI behind TLS or add native typedserver TLS configuration for the deployment.
- Configure real admin and S3 credentials through secrets management, not image defaults.
- Decide cluster transport policy: pinned CA or mTLS with operational certificate rotation. Do not operate QUIC insecure-dev transport on untrusted networks.
- Define backup/restore procedures for `/data`, `.objectstorage`, `.smartstorage/cluster`, bucket manifests, and policies.
- Add load, soak, and failure-injection runs to release qualification for large datasets and network partitions.
test/test.cluster-health.test.ts
+67
View File
@@ -0,0 +1,67 @@
import { assertEquals } from 'jsr:@std/assert';
import { describe, it } from 'jsr:@std/testing/bdd';
import { TypedRequest } from '@api.global/typedrequest';
import { createTestContainer, getTestPorts, loginAndGetIdentity } from './helpers/server.helper.ts';
import { ObjectStorageContainer } from '../ts/index.ts';
import type { IReq_GetClusterHealth } from '../ts_interfaces/requests/status.ts';
import type * as interfaces from '../ts_interfaces/index.ts';
const PORT_INDEX = 9;
const ports = getTestPorts(PORT_INDEX);
const url = `http://localhost:${ports.uiPort}/typedrequest`;
const storageDirectory = `.nogit/testdata-${PORT_INDEX}`;
const cleanupStorageDirectory = async () => {
try {
await Deno.remove(storageDirectory, { recursive: true });
} catch (error) {
if (!(error instanceof Deno.errors.NotFound)) {
throw error;
}
}
};
describe('Cluster health', { sanitizeResources: false, sanitizeOps: false }, () => {
it('exposes smartstorage cluster health through the management API', async () => {
await cleanupStorageDirectory();
let container: ObjectStorageContainer | null = null;
try {
const drivePaths = Array.from({ length: 6 }, (_value, index) => {
return `${storageDirectory}/drive-${index + 1}`;
});
container = createTestContainer(PORT_INDEX, {
storageDirectory,
clusterEnabled: true,
clusterNodeId: 'objectstorage-test-node',
clusterQuicPort: 19433,
drivePaths,
erasureDataShards: 4,
erasureParityShards: 2,
erasureChunkSizeBytes: 1024 * 1024,
});
await container.start();
const identity: interfaces.data.IIdentity = await loginAndGetIdentity(ports.uiPort);
const req = new TypedRequest<IReq_GetClusterHealth>(url, 'getClusterHealth');
const response = await req.fire({ identity });
const health = response.clusterHealth;
assertEquals(health.enabled, true);
assertEquals(health.nodeId, 'objectstorage-test-node');
assertEquals(health.quorumHealthy, true);
assertEquals(health.majorityHealthy, true);
assertEquals(health.drives?.length, 6);
assertEquals(health.drives?.every((drive) => drive.status === 'online'), true);
assertEquals(health.erasure?.dataShards, 4);
assertEquals(health.erasure?.parityShards, 2);
assertEquals(health.erasure?.totalShards, 6);
} finally {
if (container) {
await container.stop();
}
await cleanupStorageDirectory();
}
});
});
test/test.credentials-persistence.test.ts
+206
View File
@@ -0,0 +1,206 @@
import { assertEquals, assertRejects } from 'jsr:@std/assert';
import { describe, it } from 'jsr:@std/testing/bdd';
import { TypedRequest } from '@api.global/typedrequest';
import {
createTestContainer,
getTestPorts,
loginAndGetIdentity,
TEST_ACCESS_KEY,
} from './helpers/server.helper.ts';
import { ObjectStorageContainer } from '../ts/index.ts';
import type { IReq_CreateBucket, IReq_ListBuckets } from '../ts_interfaces/requests/buckets.ts';
import type {
IReq_AddCredential,
IReq_GetCredentials,
IReq_RemoveCredential,
} from '../ts_interfaces/requests/credentials.ts';
import type * as interfaces from '../ts_interfaces/index.ts';
const PORT_INDEX = 8;
const ports = getTestPorts(PORT_INDEX);
const url = `http://localhost:${ports.uiPort}/typedrequest`;
const storageDirectory = `.nogit/testdata-${PORT_INDEX}`;
const cleanupStorageDirectory = async () => {
try {
await Deno.remove(storageDirectory, { recursive: true });
} catch (error) {
if (!(error instanceof Deno.errors.NotFound)) {
throw error;
}
}
};
describe('Credential persistence', { sanitizeResources: false, sanitizeOps: false }, () => {
it('persists managed credentials across restart and refreshes the internal client', async () => {
await cleanupStorageDirectory();
let activeContainer: ObjectStorageContainer | null = null;
const stopContainer = async () => {
if (!activeContainer) {
return;
}
try {
await activeContainer.stop();
} finally {
activeContainer = null;
}
};
try {
activeContainer = createTestContainer(PORT_INDEX);
await activeContainer.start();
let identity: interfaces.data.IIdentity = await loginAndGetIdentity(ports.uiPort);
const addCredential = new TypedRequest<IReq_AddCredential>(url, 'addCredential');
await addCredential.fire({
identity,
accessKeyId: 'persisted-key',
secretAccessKey: 'persisted-secret',
});
const removeCredential = new TypedRequest<IReq_RemoveCredential>(url, 'removeCredential');
await removeCredential.fire({ identity, accessKeyId: TEST_ACCESS_KEY });
const getCredentials = new TypedRequest<IReq_GetCredentials>(url, 'getCredentials');
const credentialsBeforeRestart = await getCredentials.fire({ identity });
assertEquals(credentialsBeforeRestart.credentials.length, 1);
assertEquals(credentialsBeforeRestart.credentials[0].accessKeyId, 'persisted-key');
const listBuckets = new TypedRequest<IReq_ListBuckets>(url, 'listBuckets');
const bucketsBeforeRestart = await listBuckets.fire({ identity });
assertEquals(Array.isArray(bucketsBeforeRestart.buckets), true);
await stopContainer();
activeContainer = createTestContainer(PORT_INDEX);
await activeContainer.start();
identity = await loginAndGetIdentity(ports.uiPort);
const credentialsAfterRestart = await getCredentials.fire({ identity });
assertEquals(credentialsAfterRestart.credentials.length, 1);
assertEquals(credentialsAfterRestart.credentials[0].accessKeyId, 'persisted-key');
const createBucket = new TypedRequest<IReq_CreateBucket>(url, 'createBucket');
await createBucket.fire({ identity, bucketName: 'persisted-creds-bucket' });
const bucketsAfterRestart = await listBuckets.fire({ identity });
assertEquals(
bucketsAfterRestart.buckets.some((bucket) => bucket.name === 'persisted-creds-bucket'),
true,
);
} finally {
await stopContainer();
await cleanupStorageDirectory();
}
});
it('lets explicit environment credentials override persisted managed credentials', async () => {
const portIndex = 10;
const envPorts = getTestPorts(portIndex);
const envUrl = `http://localhost:${envPorts.uiPort}/typedrequest`;
const envStorageDirectory = `.nogit/testdata-${portIndex}`;
const previousAccessKey = Deno.env.get('OBJST_ACCESS_KEY');
const previousSecretKey = Deno.env.get('OBJST_SECRET_KEY');
let container: ObjectStorageContainer | null = null;
const cleanupEnvStorageDirectory = async () => {
try {
await Deno.remove(envStorageDirectory, { recursive: true });
} catch (error) {
if (!(error instanceof Deno.errors.NotFound)) {
throw error;
}
}
};
try {
await cleanupEnvStorageDirectory();
await Deno.mkdir(`${envStorageDirectory}/.objectstorage`, { recursive: true });
await Deno.writeTextFile(
`${envStorageDirectory}/.objectstorage/admin-config.json`,
JSON.stringify({
accessCredentials: [{ accessKeyId: 'persisted-key', secretAccessKey: 'persisted-secret' }],
}),
);
Deno.env.set('OBJST_ACCESS_KEY', 'env-key');
Deno.env.set('OBJST_SECRET_KEY', 'env-secret');
container = createTestContainer(portIndex, { storageDirectory: envStorageDirectory });
await container.start();
const identity = await loginAndGetIdentity(envPorts.uiPort);
const getCredentials = new TypedRequest<IReq_GetCredentials>(envUrl, 'getCredentials');
const response = await getCredentials.fire({ identity });
assertEquals(response.credentials.length, 1);
assertEquals(response.credentials[0].accessKeyId, 'env-key');
} finally {
if (container) {
await container.stop();
}
if (previousAccessKey === undefined) {
Deno.env.delete('OBJST_ACCESS_KEY');
} else {
Deno.env.set('OBJST_ACCESS_KEY', previousAccessKey);
}
if (previousSecretKey === undefined) {
Deno.env.delete('OBJST_SECRET_KEY');
} else {
Deno.env.set('OBJST_SECRET_KEY', previousSecretKey);
}
await cleanupEnvStorageDirectory();
}
});
it('does not persist rejected credential replacements', async () => {
const portIndex = 11;
const rejectPorts = getTestPorts(portIndex);
const rejectUrl = `http://localhost:${rejectPorts.uiPort}/typedrequest`;
const rejectStorageDirectory = `.nogit/testdata-${portIndex}`;
let container: ObjectStorageContainer | null = null;
const cleanupRejectStorageDirectory = async () => {
try {
await Deno.remove(rejectStorageDirectory, { recursive: true });
} catch (error) {
if (!(error instanceof Deno.errors.NotFound)) {
throw error;
}
}
};
try {
await cleanupRejectStorageDirectory();
container = createTestContainer(portIndex, { storageDirectory: rejectStorageDirectory });
await container.start();
await assertRejects(() =>
container!.replaceAccessCredentials([
{ accessKeyId: 'duplicate-key', secretAccessKey: 'secret-a' },
{ accessKeyId: 'duplicate-key', secretAccessKey: 'secret-b' },
])
);
const identity = await loginAndGetIdentity(rejectPorts.uiPort);
const getCredentials = new TypedRequest<IReq_GetCredentials>(rejectUrl, 'getCredentials');
const response = await getCredentials.fire({ identity });
assertEquals(response.credentials.length, 1);
assertEquals(response.credentials[0].accessKeyId, TEST_ACCESS_KEY);
await assertRejects(() =>
Deno.readTextFile(`${rejectStorageDirectory}/.objectstorage/admin-config.json`)
);
} finally {
if (container) {
await container.stop();
}
await cleanupRejectStorageDirectory();
}
});
});
test/test.docker-smoke.test.ts
+97
View File
@@ -0,0 +1,97 @@
import { assertEquals } from 'jsr:@std/assert';
const shouldRunDockerSmoke = Deno.env.get('OBJST_RUN_DOCKER_SMOKE') === '1';
interface ICommandResult {
code: number;
stdout: string;
stderr: string;
}
async function runCommand(
command: string[],
options: { cwd?: string; check?: boolean } = {},
): Promise<ICommandResult> {
const output = await new Deno.Command(command[0], {
args: command.slice(1),
cwd: options.cwd,
stdout: 'piped',
stderr: 'piped',
}).output();
const result = {
code: output.code,
stdout: new TextDecoder().decode(output.stdout).trim(),
stderr: new TextDecoder().decode(output.stderr).trim(),
};
if (options.check !== false && result.code !== 0) {
throw new Error(`Command failed: ${command.join(' ')}\n${result.stderr}`);
}
return result;
}
async function waitForOk(url: string, timeoutMs: number): Promise<void> {
const deadline = Date.now() + timeoutMs;
while (Date.now() < deadline) {
try {
const response = await fetch(url);
if (response.ok) {
return;
}
} catch {
// Container may still be starting.
}
await new Promise((resolve) => setTimeout(resolve, 1000));
}
throw new Error(`Timed out waiting for ${url}`);
}
Deno.test({
name: 'Docker image builds and serves the management UI',
ignore: !shouldRunDockerSmoke,
sanitizeOps: false,
sanitizeResources: false,
fn: async () => {
await runCommand(['docker', '--version']);
const imageTag = `objectstorage-smoke:${crypto.randomUUID().slice(0, 8)}`;
const containerName = `objectstorage-smoke-${crypto.randomUUID().slice(0, 8)}`;
const storagePort = 19190;
const uiPort = 19191;
try {
await runCommand(['docker', 'build', '-t', imageTag, '.']);
const runResult = await runCommand([
'docker',
'run',
'-d',
'--name',
containerName,
'-p',
`${storagePort}:9000`,
'-p',
`${uiPort}:3000`,
'-e',
'OBJST_ADMIN_PASSWORD=docker-smoke-admin',
'-e',
'OBJST_ACCESS_KEY=docker-smoke-key',
'-e',
'OBJST_SECRET_KEY=docker-smoke-secret',
imageTag,
]);
assertEquals(runResult.stdout.length > 0, true);
await waitForOk(`http://127.0.0.1:${uiPort}/readyz`, 30000);
await waitForOk(`http://127.0.0.1:${storagePort}/-/ready`, 30000);
} finally {
await runCommand(['docker', 'rm', '-f', containerName], { check: false });
await runCommand(['docker', 'rmi', '-f', imageTag], { check: false });
}
},
});
test/test.enterprise-hardening.test.ts
+146
View File
@@ -0,0 +1,146 @@
import { assertEquals, assertRejects } from 'jsr:@std/assert';
import { describe, it } from 'jsr:@std/testing/bdd';
import { TypedRequest } from '@api.global/typedrequest';
import {
createTestContainer,
getTestPorts,
loginAndGetIdentity,
} from './helpers/server.helper.ts';
import { ObjectStorageContainer } from '../ts/index.ts';
import type { IReq_AdminLogout, IReq_VerifyIdentity } from '../ts_interfaces/requests/admin.ts';
import type { IReq_CreateBucket } from '../ts_interfaces/requests/buckets.ts';
import type { IReq_AddCredential } from '../ts_interfaces/requests/credentials.ts';
import type { IReq_ListAuditEntries } from '../ts_interfaces/requests/audit.ts';
const PORT_INDEX = 12;
const ports = getTestPorts(PORT_INDEX);
const url = `http://localhost:${ports.uiPort}/typedrequest`;
const storageDirectory = `.nogit/testdata-${PORT_INDEX}`;
const cleanupStorageDirectory = async () => {
try {
await Deno.remove(storageDirectory, { recursive: true });
} catch (error) {
if (!(error instanceof Deno.errors.NotFound)) {
throw error;
}
}
};
describe('Enterprise hardening', { sanitizeResources: false, sanitizeOps: false }, () => {
it('refuses default admin credentials on persistent production storage', async () => {
const previousAllowInsecureDefaults = Deno.env.get('OBJST_ALLOW_INSECURE_DEFAULTS');
const previousAccessKey = Deno.env.get('OBJST_ACCESS_KEY');
const previousSecretKey = Deno.env.get('OBJST_SECRET_KEY');
const previousAdminPassword = Deno.env.get('OBJST_ADMIN_PASSWORD');
const previousStorageDir = Deno.env.get('OBJST_STORAGE_DIR');
try {
Deno.env.delete('OBJST_ALLOW_INSECURE_DEFAULTS');
Deno.env.delete('OBJST_ACCESS_KEY');
Deno.env.delete('OBJST_SECRET_KEY');
Deno.env.delete('OBJST_ADMIN_PASSWORD');
Deno.env.delete('OBJST_STORAGE_DIR');
const container = new ObjectStorageContainer();
await assertRejects(() => container.start(), Error, 'Refusing to start with default admin credentials');
} finally {
if (previousAllowInsecureDefaults === undefined) {
Deno.env.delete('OBJST_ALLOW_INSECURE_DEFAULTS');
} else {
Deno.env.set('OBJST_ALLOW_INSECURE_DEFAULTS', previousAllowInsecureDefaults);
}
if (previousAccessKey === undefined) Deno.env.delete('OBJST_ACCESS_KEY');
else Deno.env.set('OBJST_ACCESS_KEY', previousAccessKey);
if (previousSecretKey === undefined) Deno.env.delete('OBJST_SECRET_KEY');
else Deno.env.set('OBJST_SECRET_KEY', previousSecretKey);
if (previousAdminPassword === undefined) Deno.env.delete('OBJST_ADMIN_PASSWORD');
else Deno.env.set('OBJST_ADMIN_PASSWORD', previousAdminPassword);
if (previousStorageDir === undefined) Deno.env.delete('OBJST_STORAGE_DIR');
else Deno.env.set('OBJST_STORAGE_DIR', previousStorageDir);
}
});
it('exposes health endpoints and writes audit entries for privileged actions', async () => {
await cleanupStorageDirectory();
let container: ObjectStorageContainer | null = null;
try {
container = createTestContainer(PORT_INDEX, { storageDirectory });
await container.start();
const live = await fetch(`http://localhost:${ports.uiPort}/livez`);
assertEquals(live.status, 200);
assertEquals((await live.json()).status, 'alive');
const ready = await fetch(`http://localhost:${ports.uiPort}/readyz`);
assertEquals(ready.status, 200);
assertEquals((await ready.json()).status, 'ready');
const health = await fetch(`http://localhost:${ports.uiPort}/healthz`);
assertEquals(health.status, 200);
assertEquals((await health.json()).ok, true);
const metrics = await fetch(`http://localhost:${ports.uiPort}/metrics`);
assertEquals(metrics.status, 200);
assertEquals((await metrics.text()).includes('objectstorage_ready 1'), true);
const identity = await loginAndGetIdentity(ports.uiPort);
const createBucket = new TypedRequest<IReq_CreateBucket>(url, 'createBucket');
await createBucket.fire({ identity, bucketName: 'enterprise-audit-bucket' });
const addCredential = new TypedRequest<IReq_AddCredential>(url, 'addCredential');
await addCredential.fire({
identity,
accessKeyId: 'enterprise-key',
secretAccessKey: 'enterprise-secret',
});
const adminConfigInfo = await Deno.stat(
`${storageDirectory}/.objectstorage/admin-config.json`,
);
if (adminConfigInfo.mode !== null) {
assertEquals(adminConfigInfo.mode & 0o777, 0o600);
}
const listAuditEntries = new TypedRequest<IReq_ListAuditEntries>(url, 'listAuditEntries');
const auditResponse = await listAuditEntries.fire({ identity, limit: 10 });
const actions = auditResponse.entries.map((entry) => entry.action);
assertEquals(actions.includes('admin.login'), true);
assertEquals(actions.includes('bucket.create'), true);
assertEquals(actions.includes('credential.add'), true);
} finally {
if (container) {
await container.stop();
}
await cleanupStorageDirectory();
}
});
it('revokes admin identities on logout', async () => {
await cleanupStorageDirectory();
let container: ObjectStorageContainer | null = null;
try {
container = createTestContainer(PORT_INDEX, { storageDirectory });
await container.start();
const identity = await loginAndGetIdentity(ports.uiPort);
const logout = new TypedRequest<IReq_AdminLogout>(url, 'adminLogout');
await logout.fire({ identity });
const verifyIdentity = new TypedRequest<IReq_VerifyIdentity>(url, 'verifyIdentity');
const verification = await verifyIdentity.fire({ identity });
assertEquals(verification.valid, false);
const createBucket = new TypedRequest<IReq_CreateBucket>(url, 'createBucket');
await assertRejects(() =>
createBucket.fire({ identity, bucketName: 'revoked-token-bucket' })
);
} finally {
if (container) {
await container.stop();
}
await cleanupStorageDirectory();
}
});
});
test/test.status-config.test.ts
+12 -2
View File
@@ -5,8 +5,11 @@ import { createTestContainer, getTestPorts, loginAndGetIdentity } from './helper
import { ObjectStorageContainer } from '../ts/index.ts';
import type * as interfaces from '../ts_interfaces/index.ts';
import type { IReq_CreateBucket, IReq_DeleteBucket } from '../ts_interfaces/requests/buckets.ts';
import type { IReq_PutObject, IReq_DeletePrefix } from '../ts_interfaces/requests/objects.ts';
import type { IReq_GetServerStatus } from '../ts_interfaces/requests/status.ts';
import type { IReq_DeletePrefix, IReq_PutObject } from '../ts_interfaces/requests/objects.ts';
import type {
IReq_GetClusterHealth,
IReq_GetServerStatus,
} from '../ts_interfaces/requests/status.ts';
import type { IReq_GetServerConfig } from '../ts_interfaces/requests/config.ts';
const PORT_INDEX = 7;
@@ -94,6 +97,13 @@ describe('Status and config', { sanitizeResources: false, sanitizeOps: false },
assertEquals(config.corsEnabled, false);
});
it('should report standalone cluster health', async () => {
const req = new TypedRequest<IReq_GetClusterHealth>(url, 'getClusterHealth');
const response = await req.fire({ identity });
assertEquals(response.clusterHealth.enabled, false);
});
it('should reflect correct stats after adding objects', async () => {
// Add a third object
const putObj = new TypedRequest<IReq_PutObject>(url, 'putObject');
ts/00_commitinfo_data.ts
+1 -1
View File
@@ -3,6 +3,6 @@
*/
export const commitinfo = {
name: '@lossless.zone/objectstorage',
version: '1.8.1',
version: '1.9.0',
description: 'object storage server with management UI powered by smartstorage'
}
ts/classes/auditlogger.ts
+63
View File
@@ -0,0 +1,63 @@
import type * as interfaces from '../../ts_interfaces/index.ts';
export interface IAuditLogEntry {
timestamp: number;
actorUserId: string;
action: string;
targetType: string;
targetId?: string;
success: boolean;
message?: string;
metadata?: Record<string, string | number | boolean>;
}
export class AuditLogger {
constructor(private storageDirectory: string) {}
public get auditLogPath(): string {
return `${this.storageDirectory}/.objectstorage/audit.log`;
}
public async log(entry: Omit<IAuditLogEntry, 'timestamp'>): Promise<void> {
const logEntry: IAuditLogEntry = {
timestamp: Date.now(),
...entry,
};
const dirPath = this.auditLogPath.substring(0, this.auditLogPath.lastIndexOf('/'));
await Deno.mkdir(dirPath, { recursive: true });
await Deno.writeTextFile(this.auditLogPath, `${JSON.stringify(logEntry)}\n`, {
append: true,
create: true,
mode: 0o600,
});
await this.restrictAuditLogPermissions();
}
public async listRecent(limit = 100): Promise<interfaces.data.IAuditEntry[]> {
let content = '';
try {
content = await Deno.readTextFile(this.auditLogPath);
} catch (error) {
if (error instanceof Deno.errors.NotFound) {
return [];
}
throw error;
}
return content
.trim()
.split('\n')
.filter(Boolean)
.slice(-limit)
.map((line) => JSON.parse(line) as interfaces.data.IAuditEntry)
.reverse();
}
private async restrictAuditLogPermissions(): Promise<void> {
try {
await Deno.chmod(this.auditLogPath, 0o600);
} catch {
// chmod is not available on every platform Deno supports.
}
}
}
ts/classes/objectstoragecontainer.ts
+280 -101
View File
@@ -1,8 +1,13 @@
import * as plugins from '../plugins.ts';
import { type IObjectStorageConfig, defaultConfig } from '../types.ts';
import { defaultConfig, type IObjectStorageConfig } from '../types.ts';
import type * as interfaces from '../../ts_interfaces/index.ts';
import { OpsServer } from '../opsserver/index.ts';
import { PolicyManager } from './policymanager.ts';
import { AuditLogger } from './auditlogger.ts';
interface IPersistedAdminConfig {
accessCredentials?: Array<{ accessKeyId: string; secretAccessKey: string }>;
}
export class ObjectStorageContainer {
public config: IObjectStorageConfig;
@@ -10,7 +15,9 @@ export class ObjectStorageContainer {
public s3Client!: plugins.S3Client;
public opsServer: OpsServer;
public policyManager: PolicyManager;
public auditLogger: AuditLogger;
public startedAt: number = 0;
private envAccessCredentialsProvided = false;
constructor(configArg?: Partial<IObjectStorageConfig>) {
this.config = { ...defaultConfig, ...configArg };
@@ -28,6 +35,7 @@ export class ObjectStorageContainer {
const envAccessKey = Deno.env.get('OBJST_ACCESS_KEY');
const envSecretKey = Deno.env.get('OBJST_SECRET_KEY');
if (envAccessKey && envSecretKey) {
this.envAccessCredentialsProvided = true;
this.config.accessCredentials = [
{ accessKeyId: envAccessKey, secretAccessKey: envSecretKey },
];
@@ -41,7 +49,9 @@ export class ObjectStorageContainer {
// Cluster environment variables
const envClusterEnabled = Deno.env.get('OBJST_CLUSTER_ENABLED');
if (envClusterEnabled) this.config.clusterEnabled = envClusterEnabled === 'true' || envClusterEnabled === '1';
if (envClusterEnabled) {
this.config.clusterEnabled = envClusterEnabled === 'true' || envClusterEnabled === '1';
}
const envClusterNodeId = Deno.env.get('OBJST_CLUSTER_NODE_ID');
if (envClusterNodeId) this.config.clusterNodeId = envClusterNodeId;
@@ -50,31 +60,47 @@ export class ObjectStorageContainer {
if (envClusterQuicPort) this.config.clusterQuicPort = parseInt(envClusterQuicPort, 10);
const envClusterSeedNodes = Deno.env.get('OBJST_CLUSTER_SEED_NODES');
if (envClusterSeedNodes) this.config.clusterSeedNodes = envClusterSeedNodes.split(',').map(s => s.trim()).filter(Boolean);
if (envClusterSeedNodes) {
this.config.clusterSeedNodes = envClusterSeedNodes.split(',').map((s) => s.trim()).filter(
Boolean,
);
}
const envDrivePaths = Deno.env.get('OBJST_DRIVE_PATHS');
if (envDrivePaths) this.config.drivePaths = envDrivePaths.split(',').map(s => s.trim()).filter(Boolean);
if (envDrivePaths) {
this.config.drivePaths = envDrivePaths.split(',').map((s) => s.trim()).filter(Boolean);
}
const envErasureDataShards = Deno.env.get('OBJST_ERASURE_DATA_SHARDS');
if (envErasureDataShards) this.config.erasureDataShards = parseInt(envErasureDataShards, 10);
const envErasureParityShards = Deno.env.get('OBJST_ERASURE_PARITY_SHARDS');
if (envErasureParityShards) this.config.erasureParityShards = parseInt(envErasureParityShards, 10);
if (envErasureParityShards) {
this.config.erasureParityShards = parseInt(envErasureParityShards, 10);
}
const envErasureChunkSize = Deno.env.get('OBJST_ERASURE_CHUNK_SIZE');
if (envErasureChunkSize) this.config.erasureChunkSizeBytes = parseInt(envErasureChunkSize, 10);
const envHeartbeatInterval = Deno.env.get('OBJST_HEARTBEAT_INTERVAL_MS');
if (envHeartbeatInterval) this.config.clusterHeartbeatIntervalMs = parseInt(envHeartbeatInterval, 10);
if (envHeartbeatInterval) {
this.config.clusterHeartbeatIntervalMs = parseInt(envHeartbeatInterval, 10);
}
const envHeartbeatTimeout = Deno.env.get('OBJST_HEARTBEAT_TIMEOUT_MS');
if (envHeartbeatTimeout) this.config.clusterHeartbeatTimeoutMs = parseInt(envHeartbeatTimeout, 10);
if (envHeartbeatTimeout) {
this.config.clusterHeartbeatTimeoutMs = parseInt(envHeartbeatTimeout, 10);
}
this.opsServer = new OpsServer(this);
this.policyManager = new PolicyManager(this);
this.auditLogger = new AuditLogger(this.config.storageDirectory);
}
public async start(): Promise<void> {
this.assertSecureStartupConfig();
await this.loadPersistedAdminConfig();
console.log(`Starting ObjectStorage...`);
console.log(` Storage port: ${this.config.objstPort}`);
console.log(` UI port: ${this.config.uiPort}`);
@@ -85,64 +111,24 @@ export class ObjectStorageContainer {
console.log(` Node ID: ${this.config.clusterNodeId || '(auto-generated)'}`);
console.log(` QUIC Port: ${this.config.clusterQuicPort}`);
console.log(` Seed Nodes: ${this.config.clusterSeedNodes.join(', ') || '(none)'}`);
console.log(` Drives: ${this.config.drivePaths.length > 0 ? this.config.drivePaths.join(', ') : this.config.storageDirectory}`);
console.log(
` Drives: ${
this.config.drivePaths.length > 0
? this.config.drivePaths.join(', ')
: this.config.storageDirectory
}`,
);
console.log(` Erasure: ${this.config.erasureDataShards}+${this.config.erasureParityShards}`);
}
// Build smartstorage config
const smartstorageConfig: any = {
server: {
port: this.config.objstPort,
address: '0.0.0.0',
region: this.config.region,
},
storage: {
directory: this.config.storageDirectory,
},
auth: {
enabled: true,
credentials: this.config.accessCredentials,
},
};
if (this.config.clusterEnabled) {
smartstorageConfig.cluster = {
enabled: true,
nodeId: this.config.clusterNodeId || crypto.randomUUID().slice(0, 8),
quicPort: this.config.clusterQuicPort,
seedNodes: this.config.clusterSeedNodes,
erasure: {
dataShards: this.config.erasureDataShards,
parityShards: this.config.erasureParityShards,
chunkSizeBytes: this.config.erasureChunkSizeBytes,
},
drives: {
paths: this.config.drivePaths.length > 0
? this.config.drivePaths
: [this.config.storageDirectory],
},
heartbeatIntervalMs: this.config.clusterHeartbeatIntervalMs,
heartbeatTimeoutMs: this.config.clusterHeartbeatTimeoutMs,
};
}
// Start smartstorage
this.smartstorageInstance = await plugins.smartstorage.SmartStorage.createAndStart(smartstorageConfig);
this.smartstorageInstance = await plugins.smartstorage.SmartStorage.createAndStart(
this.buildSmartstorageConfig(),
);
this.startedAt = Date.now();
console.log(`Storage server started on port ${this.config.objstPort}`);
// Create S3 client for management operations
const descriptor = await this.smartstorageInstance.getStorageDescriptor();
this.s3Client = new plugins.S3Client({
endpoint: `http://${descriptor.endpoint}:${descriptor.port}`,
region: this.config.region,
credentials: {
accessKeyId: descriptor.accessKey,
secretAccessKey: descriptor.accessSecret,
},
forcePathStyle: true,
});
await this.refreshManagementClient();
// Load named policies
await this.policyManager.load();
@@ -159,41 +145,54 @@ export class ObjectStorageContainer {
console.log('ObjectStorage stopped.');
}
public async replaceAccessCredentials(
credentials: Array<{ accessKeyId: string; secretAccessKey: string }>,
): Promise<void> {
const nextCredentials = credentials.map((credential) => ({ ...credential }));
const previousCredentials = this.config.accessCredentials.map((credential) => ({
...credential,
}));
if (this.smartstorageInstance) {
await this.smartstorageInstance.replaceCredentials(nextCredentials);
}
this.config.accessCredentials = nextCredentials;
try {
await this.savePersistedAdminConfig();
} catch (error) {
this.config.accessCredentials = previousCredentials;
if (this.smartstorageInstance) {
await this.smartstorageInstance.replaceCredentials(previousCredentials);
await this.refreshManagementClient();
}
throw error;
}
if (this.smartstorageInstance) {
await this.refreshManagementClient();
}
}
public async listAccessCredentials(): Promise<Array<{ accessKeyId: string }>> {
if (!this.smartstorageInstance) {
return this.config.accessCredentials.map((credential) => ({
accessKeyId: credential.accessKeyId,
}));
}
return await this.smartstorageInstance.listCredentials();
}
// ── Management methods ──
public async listBuckets(): Promise<interfaces.data.IBucketInfo[]> {
const response = await this.s3Client.send(new plugins.ListBucketsCommand({}));
const buckets: interfaces.data.IBucketInfo[] = [];
for (const bucket of response.Buckets || []) {
const name = bucket.Name || '';
const creationDate = bucket.CreationDate?.getTime() || 0;
// Get object count and size for each bucket
let objectCount = 0;
let totalSizeBytes = 0;
let continuationToken: string | undefined;
do {
const listResp = await this.s3Client.send(
new plugins.ListObjectsV2Command({
Bucket: name,
ContinuationToken: continuationToken,
}),
);
for (const obj of listResp.Contents || []) {
objectCount++;
totalSizeBytes += obj.Size || 0;
}
continuationToken = listResp.IsTruncated ? listResp.NextContinuationToken : undefined;
} while (continuationToken);
buckets.push({ name, creationDate, objectCount, totalSizeBytes });
}
return buckets;
const summaries = await this.smartstorageInstance.listBucketSummaries();
return summaries.map((bucket) => ({
name: bucket.name,
creationDate: bucket.creationDate || 0,
objectCount: bucket.objectCount,
totalSizeBytes: bucket.totalSizeBytes,
}));
}
public async createBucket(bucketName: string): Promise<void> {
@@ -377,13 +376,7 @@ export class ObjectStorageContainer {
}
public async getServerStats(): Promise<interfaces.data.IServerStatus> {
const buckets = await this.listBuckets();
let totalObjectCount = 0;
let totalStorageBytes = 0;
for (const b of buckets) {
totalObjectCount += b.objectCount;
totalStorageBytes += b.totalSizeBytes;
}
const stats = await this.smartstorageInstance.getStorageStats();
return {
running: true,
@@ -391,15 +384,19 @@ export class ObjectStorageContainer {
uiPort: this.config.uiPort,
uptime: Math.floor((Date.now() - this.startedAt) / 1000),
startedAt: this.startedAt,
bucketCount: buckets.length,
totalObjectCount,
totalStorageBytes,
storageDirectory: this.config.storageDirectory,
bucketCount: stats.bucketCount,
totalObjectCount: stats.totalObjectCount,
totalStorageBytes: stats.totalStorageBytes,
storageDirectory: stats.storageDirectory,
region: this.config.region,
authEnabled: true,
};
}
public async getClusterHealth(): Promise<interfaces.data.IClusterHealth> {
return await this.smartstorageInstance.getClusterHealth();
}
public async getBucketPolicy(bucketName: string): Promise<string | null> {
try {
const response = await this.s3Client.send(
@@ -436,4 +433,186 @@ export class ObjectStorageContainer {
region: this.config.region,
};
}
public isReady(): boolean {
return Boolean(this.smartstorageInstance && this.s3Client && this.startedAt);
}
public async getOperationalHealth(): Promise<Record<string, unknown>> {
const clusterHealth = this.smartstorageInstance
? await this.getClusterHealth()
: { enabled: false };
const stats = this.smartstorageInstance
? await this.getServerStats()
: null;
const ready = this.isReady();
return {
ok: ready,
status: ready ? 'healthy' : 'starting',
startedAt: this.startedAt || null,
uptimeSeconds: this.startedAt ? Math.floor((Date.now() - this.startedAt) / 1000) : 0,
storageDirectory: this.config.storageDirectory,
stats,
cluster: clusterHealth,
};
}
public async getOperationalMetrics(): Promise<string> {
const stats = this.smartstorageInstance
? await this.smartstorageInstance.getStorageStats()
: null;
const clusterHealth = this.smartstorageInstance
? await this.smartstorageInstance.getClusterHealth()
: { enabled: false };
return [
'# HELP objectstorage_ready ObjectStorage readiness state.',
'# TYPE objectstorage_ready gauge',
`objectstorage_ready ${this.isReady() ? 1 : 0}`,
'# HELP objectstorage_buckets_total Runtime bucket count.',
'# TYPE objectstorage_buckets_total gauge',
`objectstorage_buckets_total ${stats?.bucketCount ?? 0}`,
'# HELP objectstorage_objects_total Runtime object count.',
'# TYPE objectstorage_objects_total gauge',
`objectstorage_objects_total ${stats?.totalObjectCount ?? 0}`,
'# HELP objectstorage_cluster_enabled Cluster mode enabled.',
'# TYPE objectstorage_cluster_enabled gauge',
`objectstorage_cluster_enabled ${clusterHealth.enabled ? 1 : 0}`,
'',
].join('\n');
}
private get persistedAdminConfigPath(): string {
return `${this.config.storageDirectory}/.objectstorage/admin-config.json`;
}
private async loadPersistedAdminConfig(): Promise<void> {
if (this.envAccessCredentialsProvided) {
return;
}
try {
const content = await Deno.readTextFile(this.persistedAdminConfigPath);
const persistedConfig = JSON.parse(content) as IPersistedAdminConfig;
const persistedCredentials = persistedConfig.accessCredentials;
if (!Array.isArray(persistedCredentials) || persistedCredentials.length === 0) {
return;
}
const validCredentials = persistedCredentials
.filter((credential) => credential?.accessKeyId && credential?.secretAccessKey)
.map((credential) => ({
accessKeyId: credential.accessKeyId,
secretAccessKey: credential.secretAccessKey,
}));
if (validCredentials.length === 0) {
return;
}
this.config.accessCredentials = validCredentials;
} catch (error) {
if (error instanceof Deno.errors.NotFound) {
return;
}
throw error;
}
}
private async savePersistedAdminConfig(): Promise<void> {
const dirPath = this.persistedAdminConfigPath.substring(
0,
this.persistedAdminConfigPath.lastIndexOf('/'),
);
await Deno.mkdir(dirPath, { recursive: true });
const persistedConfig: IPersistedAdminConfig = {
accessCredentials: this.config.accessCredentials,
};
await Deno.writeTextFile(
this.persistedAdminConfigPath,
JSON.stringify(persistedConfig, null, 2),
{ mode: 0o600 },
);
await this.restrictPersistedAdminConfigPermissions();
}
private async refreshManagementClient(): Promise<void> {
const descriptor = await this.smartstorageInstance.getStorageDescriptor();
this.s3Client = new plugins.S3Client({
endpoint: `http://${descriptor.endpoint}:${descriptor.port}`,
region: this.config.region,
credentials: {
accessKeyId: descriptor.accessKey,
secretAccessKey: descriptor.accessSecret,
},
forcePathStyle: true,
});
}
private buildSmartstorageConfig(): any {
const smartstorageConfig: any = {
server: {
port: this.config.objstPort,
address: '0.0.0.0',
region: this.config.region,
},
storage: {
directory: this.config.storageDirectory,
},
auth: {
enabled: true,
credentials: this.config.accessCredentials,
},
};
if (this.config.clusterEnabled) {
smartstorageConfig.cluster = {
enabled: true,
nodeId: this.config.clusterNodeId || crypto.randomUUID().slice(0, 8),
quicPort: this.config.clusterQuicPort,
seedNodes: this.config.clusterSeedNodes,
erasure: {
dataShards: this.config.erasureDataShards,
parityShards: this.config.erasureParityShards,
chunkSizeBytes: this.config.erasureChunkSizeBytes,
},
drives: {
paths: this.config.drivePaths.length > 0
? this.config.drivePaths
: [this.config.storageDirectory],
},
heartbeatIntervalMs: this.config.clusterHeartbeatIntervalMs,
heartbeatTimeoutMs: this.config.clusterHeartbeatTimeoutMs,
};
}
return smartstorageConfig;
}
private assertSecureStartupConfig(): void {
const allowInsecureDefaults = Deno.env.get('OBJST_ALLOW_INSECURE_DEFAULTS') === 'true';
const usesDefaultAdminPassword = this.config.adminPassword === 'admin';
const usesDefaultAccessCredential = this.config.accessCredentials.some((credential) => {
return credential.accessKeyId === 'admin' && credential.secretAccessKey === 'admin';
});
const looksLikePersistentProductionStorage = this.config.storageDirectory === '/data';
if (
looksLikePersistentProductionStorage &&
!allowInsecureDefaults &&
(usesDefaultAdminPassword || usesDefaultAccessCredential)
) {
throw new Error(
'Refusing to start with default admin credentials on persistent /data storage. Set OBJST_ADMIN_PASSWORD and OBJST_ACCESS_KEY/OBJST_SECRET_KEY, or set OBJST_ALLOW_INSECURE_DEFAULTS=true for disposable development.',
);
}
}
private async restrictPersistedAdminConfigPermissions(): Promise<void> {
try {
await Deno.chmod(this.persistedAdminConfigPath, 0o600);
} catch {
// chmod is not available on every platform Deno supports.
}
}
}
ts/cli.ts
+1
View File
@@ -113,5 +113,6 @@ Environment Variables:
OBJST_ERASURE_CHUNK_SIZE Erasure chunk size in bytes (default: 4194304)
OBJST_HEARTBEAT_INTERVAL_MS Cluster heartbeat interval (default: 5000)
OBJST_HEARTBEAT_TIMEOUT_MS Cluster heartbeat timeout (default: 30000)
OBJST_ALLOW_INSECURE_DEFAULTS Allow admin/admin defaults on /data for disposable development
`);
}
ts/opsserver/classes.opsserver.ts
+30
View File
@@ -16,6 +16,7 @@ export class OpsServer {
public configHandler!: handlers.ConfigHandler;
public credentialsHandler!: handlers.CredentialsHandler;
public policiesHandler!: handlers.PoliciesHandler;
public auditHandler!: handlers.AuditHandler;
constructor(objectStorageRef: ObjectStorageContainer) {
this.objectStorageRef = objectStorageRef;
@@ -26,6 +27,27 @@ export class OpsServer {
domain: 'localhost',
feedMetadata: undefined,
bundledContent: bundledFiles,
addCustomRoutes: async (typedserver) => {
typedserver.addRoute('/livez', 'GET', async () => {
return this.jsonResponse({ ok: true, status: 'alive' });
});
typedserver.addRoute('/readyz', 'GET', async () => {
const ready = await this.objectStorageRef.isReady();
return this.jsonResponse(
{ ok: ready, status: ready ? 'ready' : 'starting' },
ready ? 200 : 503,
);
});
typedserver.addRoute('/healthz', 'GET', async () => {
return this.jsonResponse(await this.objectStorageRef.getOperationalHealth());
});
typedserver.addRoute('/metrics', 'GET', async () => {
const metrics = await this.objectStorageRef.getOperationalMetrics();
return new Response(metrics, {
headers: { 'content-type': 'text/plain; version=0.0.4' },
});
});
},
});
// Chain typedrouters: server -> opsServer -> individual handlers
@@ -50,6 +72,7 @@ export class OpsServer {
this.configHandler = new handlers.ConfigHandler(this);
this.credentialsHandler = new handlers.CredentialsHandler(this);
this.policiesHandler = new handlers.PoliciesHandler(this);
this.auditHandler = new handlers.AuditHandler(this);
console.log('OpsServer TypedRequest handlers initialized');
}
@@ -60,4 +83,11 @@ export class OpsServer {
console.log('OpsServer stopped');
}
}
private jsonResponse(data: unknown, status = 200): Response {
return new Response(JSON.stringify(data), {
status,
headers: { 'content-type': 'application/json' },
});
}
}
ts/opsserver/handlers/admin.handler.ts
+64 -6
View File
@@ -4,6 +4,7 @@ import * as interfaces from '../../../ts_interfaces/index.ts';
export interface IJwtData {
userId: string;
role: 'admin';
status: 'loggedIn' | 'loggedOut';
expiresAt: number;
}
@@ -11,6 +12,8 @@ export interface IJwtData {
export class AdminHandler {
public typedrouter = new plugins.typedrequest.TypedRouter();
public smartjwtInstance!: plugins.smartjwt.SmartJwt<IJwtData>;
private revokedTokens = new Set<string>();
private failedLoginAttempts = new Map<string, { count: number; firstAttemptAt: number }>();
constructor(private opsServerRef: OpsServer) {
this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
@@ -29,19 +32,37 @@ export class AdminHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
'adminLoginWithUsernameAndPassword',
async (dataArg) => {
this.assertLoginNotRateLimited(dataArg.username);
const adminPassword = this.opsServerRef.objectStorageRef.config.adminPassword;
if (dataArg.username !== 'admin' || dataArg.password !== adminPassword) {
this.recordFailedLogin(dataArg.username);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.username || 'anonymous',
action: 'admin.login',
targetType: 'adminSession',
success: false,
message: 'Invalid credentials',
});
throw new plugins.typedrequest.TypedResponseError('Invalid credentials');
}
this.failedLoginAttempts.delete(dataArg.username);
const expiresAt = Date.now() + 24 * 3600 * 1000;
const userId = 'admin';
const jwt = await this.smartjwtInstance.createJWT({
userId,
role: 'admin',
status: 'loggedIn',
expiresAt,
});
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: userId,
action: 'admin.login',
targetType: 'adminSession',
success: true,
});
console.log('Admin user logged in');
return {
@@ -61,7 +82,16 @@ export class AdminHandler {
this.typedrouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AdminLogout>(
'adminLogout',
async (_dataArg) => {
async (dataArg) => {
if (dataArg.identity?.jwt) {
this.revokedTokens.add(dataArg.identity.jwt);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'admin.logout',
targetType: 'adminSession',
success: true,
});
}
return { ok: true };
},
),
@@ -75,18 +105,20 @@ export class AdminHandler {
if (!dataArg.identity?.jwt) {
return { valid: false };
}
if (this.revokedTokens.has(dataArg.identity.jwt)) return { valid: false };
try {
const jwtData = await this.smartjwtInstance.verifyJWTAndGetData(dataArg.identity.jwt);
if (jwtData.expiresAt < Date.now()) return { valid: false };
if (jwtData.status !== 'loggedIn') return { valid: false };
if (jwtData.role !== 'admin') return { valid: false };
return {
valid: true,
identity: {
jwt: dataArg.identity.jwt,
userId: jwtData.userId,
username: dataArg.identity.username,
username: jwtData.userId,
expiresAt: jwtData.expiresAt,
role: dataArg.identity.role,
role: jwtData.role,
},
};
} catch {
@@ -103,12 +135,15 @@ export class AdminHandler {
}>(
async (dataArg) => {
if (!dataArg.identity?.jwt) return false;
if (this.revokedTokens.has(dataArg.identity.jwt)) return false;
try {
const jwtData = await this.smartjwtInstance.verifyJWTAndGetData(dataArg.identity.jwt);
if (jwtData.expiresAt < Date.now()) return false;
if (jwtData.status !== 'loggedIn') return false;
if (jwtData.role !== 'admin') return false;
if (dataArg.identity.expiresAt !== jwtData.expiresAt) return false;
if (dataArg.identity.userId !== jwtData.userId) return false;
if (dataArg.identity.role !== jwtData.role) return false;
return true;
} catch {
return false;
@@ -122,10 +157,33 @@ export class AdminHandler {
identity: interfaces.data.IIdentity;
}>(
async (dataArg) => {
const isValid = await this.validIdentityGuard.exec(dataArg);
if (!isValid) return false;
return dataArg.identity.role === 'admin';
return await this.validIdentityGuard.exec(dataArg);
},
{ failedHint: 'user is not admin', name: 'adminIdentityGuard' },
);
private assertLoginNotRateLimited(username: string): void {
const attempt = this.failedLoginAttempts.get(username);
if (!attempt) return;
const windowMs = 60 * 1000;
if (Date.now() - attempt.firstAttemptAt > windowMs) {
this.failedLoginAttempts.delete(username);
return;
}
if (attempt.count >= 5) {
throw new plugins.typedrequest.TypedResponseError('Too many failed login attempts');
}
}
private recordFailedLogin(username: string): void {
const now = Date.now();
const attempt = this.failedLoginAttempts.get(username);
if (!attempt || now - attempt.firstAttemptAt > 60 * 1000) {
this.failedLoginAttempts.set(username, { count: 1, firstAttemptAt: now });
return;
}
attempt.count++;
}
}
ts/opsserver/handlers/audit.handler.ts
+28
View File
@@ -0,0 +1,28 @@
import * as plugins from '../../plugins.ts';
import type { OpsServer } from '../classes.opsserver.ts';
import * as interfaces from '../../../ts_interfaces/index.ts';
import { requireAdminIdentity } from '../helpers/guards.ts';
export class AuditHandler {
public typedrouter = new plugins.typedrequest.TypedRouter();
constructor(private opsServerRef: OpsServer) {
this.opsServerRef.typedrouter.addTypedRouter(this.typedrouter);
this.registerHandlers();
}
private registerHandlers(): void {
this.typedrouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_ListAuditEntries>(
'listAuditEntries',
async (dataArg) => {
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
const entries = await this.opsServerRef.objectStorageRef.auditLogger.listRecent(
dataArg.limit ?? 100,
);
return { entries };
},
),
);
}
}
ts/opsserver/handlers/buckets.handler.ts
+80 -13
View File
@@ -1,7 +1,14 @@
import * as plugins from '../../plugins.ts';
import type { OpsServer } from '../classes.opsserver.ts';
import * as interfaces from '../../../ts_interfaces/index.ts';
import { requireValidIdentity } from '../helpers/guards.ts';
import { requireAdminIdentity, requireValidIdentity } from '../helpers/guards.ts';
const getStorageErrorCode = (error: unknown): string | undefined => {
if (!(error instanceof Error)) {
return undefined;
}
return (error as Error & { Code?: string }).Code || error.name;
};
export class BucketsHandler {
public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -29,8 +36,27 @@ export class BucketsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateBucket>(
'createBucket',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await this.opsServerRef.objectStorageRef.createBucket(dataArg.bucketName);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
try {
await this.opsServerRef.objectStorageRef.createBucket(dataArg.bucketName);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'bucket.create',
targetType: 'bucket',
targetId: dataArg.bucketName,
success: true,
});
} catch (error) {
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'bucket.create',
targetType: 'bucket',
targetId: dataArg.bucketName,
success: false,
message: error instanceof Error ? error.message : String(error),
});
throw error;
}
return { ok: true };
},
),
@@ -41,9 +67,25 @@ export class BucketsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteBucket>(
'deleteBucket',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await this.opsServerRef.objectStorageRef.deleteBucket(dataArg.bucketName);
await this.opsServerRef.objectStorageRef.policyManager.onBucketDeleted(dataArg.bucketName);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
try {
await this.opsServerRef.objectStorageRef.deleteBucket(dataArg.bucketName);
} catch (error) {
if (getStorageErrorCode(error) === 'NoSuchBucket') {
throw new plugins.typedrequest.TypedResponseError('Bucket not found');
}
throw error;
}
await this.opsServerRef.objectStorageRef.policyManager.onBucketDeleted(
dataArg.bucketName,
);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'bucket.delete',
targetType: 'bucket',
targetId: dataArg.bucketName,
success: true,
});
return { ok: true };
},
),
@@ -54,8 +96,16 @@ export class BucketsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetBucketPolicy>(
'getBucketPolicy',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
const policy = await this.opsServerRef.objectStorageRef.getBucketPolicy(dataArg.bucketName);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
let policy: string | null;
try {
policy = await this.opsServerRef.objectStorageRef.getBucketPolicy(dataArg.bucketName);
} catch (error) {
if (getStorageErrorCode(error) === 'NoSuchBucket') {
throw new plugins.typedrequest.TypedResponseError('Bucket not found');
}
throw error;
}
return { policy };
},
),
@@ -66,14 +116,24 @@ export class BucketsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_PutBucketPolicy>(
'putBucketPolicy',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
// Validate JSON
try {
JSON.parse(dataArg.policy);
} catch {
throw new Error('Invalid JSON policy document');
throw new plugins.typedrequest.TypedResponseError('Invalid JSON policy document');
}
try {
await this.opsServerRef.objectStorageRef.putBucketPolicy(
dataArg.bucketName,
dataArg.policy,
);
} catch (error) {
if (getStorageErrorCode(error) === 'NoSuchBucket') {
throw new plugins.typedrequest.TypedResponseError('Bucket not found');
}
throw error;
}
await this.opsServerRef.objectStorageRef.putBucketPolicy(dataArg.bucketName, dataArg.policy);
return { ok: true };
},
),
@@ -84,8 +144,15 @@ export class BucketsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteBucketPolicy>(
'deleteBucketPolicy',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await this.opsServerRef.objectStorageRef.deleteBucketPolicy(dataArg.bucketName);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
try {
await this.opsServerRef.objectStorageRef.deleteBucketPolicy(dataArg.bucketName);
} catch (error) {
if (getStorageErrorCode(error) === 'NoSuchBucket') {
throw new plugins.typedrequest.TypedResponseError('Bucket not found');
}
throw error;
}
return { ok: true };
},
),
ts/opsserver/handlers/credentials.handler.ts
+63 -18
View File
@@ -1,7 +1,7 @@
import * as plugins from '../../plugins.ts';
import type { OpsServer } from '../classes.opsserver.ts';
import * as interfaces from '../../../ts_interfaces/index.ts';
import { requireValidIdentity } from '../helpers/guards.ts';
import { requireAdminIdentity, requireValidIdentity } from '../helpers/guards.ts';
export class CredentialsHandler {
public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -18,10 +18,12 @@ export class CredentialsHandler {
'getCredentials',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
const credentials = this.opsServerRef.objectStorageRef.config.accessCredentials.map(
const activeCredentials = await this.opsServerRef.objectStorageRef
.listAccessCredentials();
const credentials = activeCredentials.map(
(cred) => ({
accessKeyId: cred.accessKeyId,
secretAccessKey: cred.secretAccessKey.slice(0, 4) + '****',
secretAccessKey: '********',
}),
);
return { credentials };
@@ -34,14 +36,38 @@ export class CredentialsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AddCredential>(
'addCredential',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
this.opsServerRef.objectStorageRef.config.accessCredentials.push({
accessKeyId: dataArg.accessKeyId,
secretAccessKey: dataArg.secretAccessKey,
});
// Update the smartstorage auth config
this.opsServerRef.objectStorageRef.smartstorageInstance.config.auth!.credentials =
this.opsServerRef.objectStorageRef.config.accessCredentials;
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
const credentials = this.opsServerRef.objectStorageRef.config.accessCredentials;
if (credentials.some((credential) => credential.accessKeyId === dataArg.accessKeyId)) {
throw new plugins.typedrequest.TypedResponseError('Credential already exists');
}
try {
await this.opsServerRef.objectStorageRef.replaceAccessCredentials([
...credentials,
{
accessKeyId: dataArg.accessKeyId,
secretAccessKey: dataArg.secretAccessKey,
},
]);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'credential.add',
targetType: 'credential',
targetId: dataArg.accessKeyId,
success: true,
});
} catch (error) {
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'credential.add',
targetType: 'credential',
targetId: dataArg.accessKeyId,
success: false,
message: error instanceof Error ? error.message : String(error),
});
throw error;
}
return { ok: true };
},
),
@@ -52,19 +78,38 @@ export class CredentialsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_RemoveCredential>(
'removeCredential',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
const creds = this.opsServerRef.objectStorageRef.config.accessCredentials;
if (!creds.some((credential) => credential.accessKeyId === dataArg.accessKeyId)) {
throw new plugins.typedrequest.TypedResponseError('Credential not found');
}
if (creds.length <= 1) {
throw new plugins.typedrequest.TypedResponseError(
'Cannot remove the last credential',
);
}
this.opsServerRef.objectStorageRef.config.accessCredentials = creds.filter(
(c) => c.accessKeyId !== dataArg.accessKeyId,
);
// Update the smartstorage auth config
this.opsServerRef.objectStorageRef.smartstorageInstance.config.auth!.credentials =
this.opsServerRef.objectStorageRef.config.accessCredentials;
try {
await this.opsServerRef.objectStorageRef.replaceAccessCredentials(
creds.filter((credential) => credential.accessKeyId !== dataArg.accessKeyId),
);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'credential.remove',
targetType: 'credential',
targetId: dataArg.accessKeyId,
success: true,
});
} catch (error) {
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'credential.remove',
targetType: 'credential',
targetId: dataArg.accessKeyId,
success: false,
message: error instanceof Error ? error.message : String(error),
});
throw error;
}
return { ok: true };
},
),
ts/opsserver/handlers/index.ts
+1
View File
@@ -5,3 +5,4 @@ export { ObjectsHandler } from './objects.handler.ts';
export { ConfigHandler } from './config.handler.ts';
export { CredentialsHandler } from './credentials.handler.ts';
export { PoliciesHandler } from './policies.handler.ts';
export { AuditHandler } from './audit.handler.ts';
ts/opsserver/handlers/objects.handler.ts
+49 -8
View File
@@ -1,7 +1,7 @@
import * as plugins from '../../plugins.ts';
import type { OpsServer } from '../classes.opsserver.ts';
import * as interfaces from '../../../ts_interfaces/index.ts';
import { requireValidIdentity } from '../helpers/guards.ts';
import { requireAdminIdentity, requireValidIdentity } from '../helpers/guards.ts';
export class ObjectsHandler {
public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -34,8 +34,15 @@ export class ObjectsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteObject>(
'deleteObject',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
await this.opsServerRef.objectStorageRef.deleteObject(dataArg.bucketName, dataArg.key);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'object.delete',
targetType: 'object',
targetId: `${dataArg.bucketName}/${dataArg.key}`,
success: true,
});
return { ok: true };
},
),
@@ -57,13 +64,20 @@ export class ObjectsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_PutObject>(
'putObject',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
await this.opsServerRef.objectStorageRef.putObject(
dataArg.bucketName,
dataArg.key,
dataArg.base64Content,
dataArg.contentType,
);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'object.put',
targetType: 'object',
targetId: `${dataArg.bucketName}/${dataArg.key}`,
success: true,
});
return { ok: true };
},
),
@@ -74,8 +88,15 @@ export class ObjectsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeletePrefix>(
'deletePrefix',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
await this.opsServerRef.objectStorageRef.deletePrefix(dataArg.bucketName, dataArg.prefix);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'objectPrefix.delete',
targetType: 'objectPrefix',
targetId: `${dataArg.bucketName}/${dataArg.prefix}`,
success: true,
});
return { ok: true };
},
),
@@ -98,12 +119,22 @@ export class ObjectsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_MoveObject>(
'moveObject',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
return await this.opsServerRef.objectStorageRef.moveObject(
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
const result = await this.opsServerRef.objectStorageRef.moveObject(
dataArg.bucketName,
dataArg.sourceKey,
dataArg.destKey,
);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'object.move',
targetType: 'object',
targetId: `${dataArg.bucketName}/${dataArg.sourceKey}`,
success: result.success,
metadata: { destKey: dataArg.destKey },
message: result.error,
});
return result;
},
),
);
@@ -113,12 +144,22 @@ export class ObjectsHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_MovePrefix>(
'movePrefix',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
return await this.opsServerRef.objectStorageRef.movePrefix(
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
const result = await this.opsServerRef.objectStorageRef.movePrefix(
dataArg.bucketName,
dataArg.sourcePrefix,
dataArg.destPrefix,
);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'objectPrefix.move',
targetType: 'objectPrefix',
targetId: `${dataArg.bucketName}/${dataArg.sourcePrefix}`,
success: result.success,
metadata: { destPrefix: dataArg.destPrefix },
message: result.error,
});
return result;
},
),
);
ts/opsserver/handlers/policies.handler.ts
+52 -7
View File
@@ -1,7 +1,7 @@
import * as plugins from '../../plugins.ts';
import type { OpsServer } from '../classes.opsserver.ts';
import * as interfaces from '../../../ts_interfaces/index.ts';
import { requireValidIdentity } from '../helpers/guards.ts';
import { requireAdminIdentity, requireValidIdentity } from '../helpers/guards.ts';
export class PoliciesHandler {
public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -30,8 +30,15 @@ export class PoliciesHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateNamedPolicy>(
'createNamedPolicy',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
const policy = await pm().createPolicy(dataArg.name, dataArg.description, dataArg.statements);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'policy.create',
targetType: 'policy',
targetId: policy.id,
success: true,
});
return { policy };
},
),
@@ -42,8 +49,15 @@ export class PoliciesHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateNamedPolicy>(
'updateNamedPolicy',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
const policy = await pm().updatePolicy(dataArg.policyId, dataArg.name, dataArg.description, dataArg.statements);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'policy.update',
targetType: 'policy',
targetId: dataArg.policyId,
success: true,
});
return { policy };
},
),
@@ -54,8 +68,15 @@ export class PoliciesHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteNamedPolicy>(
'deleteNamedPolicy',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
await pm().deletePolicy(dataArg.policyId);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'policy.delete',
targetType: 'policy',
targetId: dataArg.policyId,
success: true,
});
return { ok: true };
},
),
@@ -77,8 +98,16 @@ export class PoliciesHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AttachPolicyToBucket>(
'attachPolicyToBucket',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
await pm().attachPolicyToBucket(dataArg.policyId, dataArg.bucketName);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'policy.attach',
targetType: 'bucket',
targetId: dataArg.bucketName,
success: true,
metadata: { policyId: dataArg.policyId },
});
return { ok: true };
},
),
@@ -89,8 +118,16 @@ export class PoliciesHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DetachPolicyFromBucket>(
'detachPolicyFromBucket',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
await pm().detachPolicyFromBucket(dataArg.policyId, dataArg.bucketName);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'policy.detach',
targetType: 'bucket',
targetId: dataArg.bucketName,
success: true,
metadata: { policyId: dataArg.policyId },
});
return { ok: true };
},
),
@@ -118,8 +155,16 @@ export class PoliciesHandler {
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SetPolicyBuckets>(
'setPolicyBuckets',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
await pm().setPolicyBuckets(dataArg.policyId, dataArg.bucketNames);
await this.opsServerRef.objectStorageRef.auditLogger.log({
actorUserId: dataArg.identity.userId,
action: 'policy.setBuckets',
targetType: 'policy',
targetId: dataArg.policyId,
success: true,
metadata: { bucketCount: dataArg.bucketNames.length },
});
return { ok: true };
},
),
ts/opsserver/handlers/status.handler.ts
+11
View File
@@ -23,5 +23,16 @@ export class StatusHandler {
},
),
);
this.typedrouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetClusterHealth>(
'getClusterHealth',
async (dataArg) => {
await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
const clusterHealth = await this.opsServerRef.objectStorageRef.getClusterHealth();
return { clusterHealth };
},
),
);
}
}
ts_bundled/bundle.ts
+1 -1
View File
File diff suppressed because one or more lines are too long
ts_interfaces/data/server.ts
+67
View File
@@ -47,3 +47,70 @@ export interface IConnectionInfo {
accessKey: string;
region: string;
}
export interface IAuditEntry {
timestamp: number;
actorUserId: string;
action: string;
targetType: string;
targetId?: string;
success: boolean;
message?: string;
metadata?: Record<string, string | number | boolean>;
}
export interface IClusterPeerHealth {
nodeId: string;
status: 'online' | 'suspect' | 'offline';
quicAddress?: string;
s3Address?: string;
driveCount?: number;
lastHeartbeat?: number;
missedHeartbeats?: number;
}
export interface IClusterDriveHealth {
index: number;
path: string;
status: 'online' | 'degraded' | 'offline' | 'healing';
totalBytes?: number;
usedBytes?: number;
availableBytes?: number;
errorCount?: number;
lastError?: string;
lastCheck?: number;
erasureSetId?: number;
}
export interface IClusterErasureHealth {
dataShards: number;
parityShards: number;
chunkSizeBytes: number;
totalShards: number;
readQuorum: number;
writeQuorum: number;
erasureSetCount: number;
}
export interface IClusterRepairHealth {
active: boolean;
scanIntervalMs?: number;
lastRunStartedAt?: number;
lastRunCompletedAt?: number;
lastDurationMs?: number;
shardsChecked?: number;
shardsHealed?: number;
failed?: number;
lastError?: string;
}
export interface IClusterHealth {
enabled: boolean;
nodeId?: string;
quorumHealthy?: boolean;
majorityHealthy?: boolean;
peers?: IClusterPeerHealth[];
drives?: IClusterDriveHealth[];
erasure?: IClusterErasureHealth;
repairs?: IClusterRepairHealth;
}
ts_interfaces/requests/audit.ts
+16
View File
@@ -0,0 +1,16 @@
import * as plugins from '../plugins.ts';
import * as data from '../data/index.ts';
export interface IReq_ListAuditEntries extends plugins.typedrequestInterfaces.implementsTR<
plugins.typedrequestInterfaces.ITypedRequest,
IReq_ListAuditEntries
> {
method: 'listAuditEntries';
request: {
identity: data.IIdentity;
limit?: number;
};
response: {
entries: data.IAuditEntry[];
};
}
ts_interfaces/requests/index.ts
+1
View File
@@ -5,3 +5,4 @@ export * from './objects.ts';
export * from './config.ts';
export * from './credentials.ts';
export * from './policies.ts';
export * from './audit.ts';
ts_interfaces/requests/status.ts
+19 -4
View File
@@ -1,10 +1,11 @@
import * as plugins from '../plugins.ts';
import * as data from '../data/index.ts';
export interface IReq_GetServerStatus extends plugins.typedrequestInterfaces.implementsTR<
plugins.typedrequestInterfaces.ITypedRequest,
IReq_GetServerStatus
> {
export interface IReq_GetServerStatus extends
plugins.typedrequestInterfaces.implementsTR<
plugins.typedrequestInterfaces.ITypedRequest,
IReq_GetServerStatus
> {
method: 'getServerStatus';
request: {
identity: data.IIdentity;
@@ -14,3 +15,17 @@ export interface IReq_GetServerStatus extends plugins.typedrequestInterfaces.imp
connectionInfo: data.IConnectionInfo;
};
}
export interface IReq_GetClusterHealth extends
plugins.typedrequestInterfaces.implementsTR<
plugins.typedrequestInterfaces.ITypedRequest,
IReq_GetClusterHealth
> {
method: 'getClusterHealth';
request: {
identity: data.IIdentity;
};
response: {
clusterHealth: data.IClusterHealth;
};
}
ts_web/00_commitinfo_data.ts
+1 -1
View File
@@ -3,6 +3,6 @@
*/
export const commitinfo = {
name: '@lossless.zone/objectstorage',
version: '1.8.1',
version: '1.9.0',
description: 'object storage server with management UI powered by smartstorage'
}
ts_web/appstate.ts
+8 -2
View File
@@ -40,6 +40,7 @@ export interface IPoliciesState {
export interface IConfigState {
config: interfaces.data.IServerConfig | null;
clusterHealth: interfaces.data.IClusterHealth | null;
}
export interface IUiState {
@@ -58,7 +59,7 @@ export const loginStatePart = await appState.getStatePart<ILoginState>(
identity: null,
isLoggedIn: false,
},
'persistent',
'soft',
);
export const serverStatePart = await appState.getStatePart<IServerState>(
@@ -108,6 +109,7 @@ export const configStatePart = await appState.getStatePart<IConfigState>(
'config',
{
config: null,
clusterHealth: null,
},
'soft',
);
@@ -531,7 +533,11 @@ export const fetchConfigAction = configStatePart.createAction(async (statePartAr
interfaces.requests.IReq_GetServerConfig
>('/typedrequest', 'getServerConfig');
const response = await typedRequest.fire({ identity: context.identity! });
return { config: response.config };
const clusterHealthRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
interfaces.requests.IReq_GetClusterHealth
>('/typedrequest', 'getClusterHealth');
const clusterHealthResponse = await clusterHealthRequest.fire({ identity: context.identity! });
return { config: response.config, clusterHealth: clusterHealthResponse.clusterHealth };
} catch (err) {
console.error('Failed to fetch config:', err);
return statePartArg.getState();
ts_web/elements/objst-view-config.ts
+132 -43
View File
@@ -3,12 +3,12 @@ import * as appstate from '../appstate.js';
import * as shared from './shared/index.js';
import {
DeesElement,
customElement,
html,
state,
css,
cssManager,
customElement,
DeesElement,
html,
state,
type TemplateResult,
} from '@design.estate/dees-element';
import { type IStatsTile } from '@design.estate/dees-catalog';
@@ -16,7 +16,7 @@ import { type IStatsTile } from '@design.estate/dees-catalog';
@customElement('objst-view-config')
export class ObjstViewConfig extends DeesElement {
@state()
accessor configState: appstate.IConfigState = { config: null };
accessor configState: appstate.IConfigState = { config: null, clusterHealth: null };
constructor() {
super();
@@ -107,11 +107,26 @@ export class ObjstViewConfig extends DeesElement {
border-radius: 4px;
background: ${cssManager.bdTheme('#e8e8e8', '#252540')};
}
.driveList .driveStatus {
margin-left: 12px;
padding: 4px 8px;
border-radius: 999px;
font-size: 12px;
font-weight: 600;
color: ${cssManager.bdTheme('#1b5e20', '#a5d6a7')};
background: ${cssManager.bdTheme('#e8f5e9', '#1b5e2030')};
}
.driveList .driveMeta {
margin-left: 12px;
color: ${cssManager.bdTheme('#666', '#999')};
font-size: 13px;
}
`,
];
public render(): TemplateResult {
const config = this.configState.config;
const clusterHealth = this.configState.clusterHealth;
const serverTiles: IStatsTile[] = [
{
@@ -164,19 +179,20 @@ export class ObjstViewConfig extends DeesElement {
},
];
const clusterEnabled = clusterHealth?.enabled ?? config?.clusterEnabled ?? false;
const clusterTiles: IStatsTile[] = [
{
id: 'clusterStatus',
title: 'Cluster Status',
value: config?.clusterEnabled ? 'Enabled' : 'Disabled',
value: clusterEnabled ? 'Enabled' : 'Disabled',
type: 'text',
icon: 'lucide:network',
color: config?.clusterEnabled ? '#4caf50' : '#ff9800',
color: clusterEnabled ? '#4caf50' : '#ff9800',
},
{
id: 'nodeId',
title: 'Node ID',
value: config?.clusterNodeId || '(auto)',
value: clusterHealth?.nodeId || config?.clusterNodeId || '(auto)',
type: 'text',
icon: 'lucide:fingerprint',
color: '#607d8b',
@@ -216,13 +232,31 @@ export class ObjstViewConfig extends DeesElement {
icon: 'lucide:timer',
color: '#ff5722',
},
{
id: 'quorum',
title: 'Quorum',
value: clusterHealth?.enabled
? clusterHealth.quorumHealthy ? 'Healthy' : 'Degraded'
: 'Standalone',
type: 'text',
icon: 'lucide:activity',
color: clusterHealth?.quorumHealthy ? '#4caf50' : '#ff9800',
},
{
id: 'peers',
title: 'Peers',
value: clusterHealth?.peers?.length ?? 0,
type: 'number',
icon: 'lucide:share2',
color: '#3f51b5',
},
];
const erasureTiles: IStatsTile[] = [
{
id: 'dataShards',
title: 'Data Shards',
value: config?.erasureDataShards ?? 4,
value: clusterHealth?.erasure?.dataShards ?? config?.erasureDataShards ?? 4,
type: 'number',
icon: 'lucide:layers',
color: '#2196f3',
@@ -230,7 +264,7 @@ export class ObjstViewConfig extends DeesElement {
{
id: 'parityShards',
title: 'Parity Shards',
value: config?.erasureParityShards ?? 2,
value: clusterHealth?.erasure?.parityShards ?? config?.erasureParityShards ?? 2,
type: 'number',
icon: 'lucide:shieldCheck',
color: '#4caf50',
@@ -238,25 +272,31 @@ export class ObjstViewConfig extends DeesElement {
{
id: 'chunkSize',
title: 'Chunk Size',
value: this.formatBytes(config?.erasureChunkSizeBytes ?? 4194304),
value: this.formatBytes(
clusterHealth?.erasure?.chunkSizeBytes ?? config?.erasureChunkSizeBytes ?? 4194304,
),
type: 'text',
icon: 'lucide:puzzle',
color: '#9c27b0',
description: `${config?.erasureDataShards ?? 4}+${config?.erasureParityShards ?? 2} = ${Math.round(((config?.erasureParityShards ?? 2) / (config?.erasureDataShards ?? 4)) * 100)}% overhead`,
description: `${clusterHealth?.erasure?.dataShards ?? config?.erasureDataShards ?? 4}+${
clusterHealth?.erasure?.parityShards ?? config?.erasureParityShards ?? 2
}`,
},
];
const drivePaths = config?.drivePaths?.length
const drivePaths = clusterHealth?.drives?.length
? clusterHealth.drives.map((drive) => drive.path)
: config?.drivePaths?.length
? config.drivePaths
: config?.storageDirectory
? [config.storageDirectory]
: ['/data'];
? [config.storageDirectory]
: ['/data'];
const driveTiles: IStatsTile[] = [
{
id: 'driveCount',
title: 'Drive Count',
value: drivePaths.length,
value: clusterHealth?.drives?.length ?? drivePaths.length,
type: 'number',
icon: 'lucide:hardDrive',
color: '#3f51b5',
@@ -274,48 +314,97 @@ export class ObjstViewConfig extends DeesElement {
return html`
<objst-sectionheading>Server Configuration</objst-sectionheading>
<dees-statsgrid
.tiles=${serverTiles}
.gridActions=${[refreshAction]}
.tiles="${serverTiles}"
.gridActions="${[refreshAction]}"
></dees-statsgrid>
<div class="sectionSpacer">
<objst-sectionheading>Cluster Configuration</objst-sectionheading>
</div>
<dees-statsgrid .tiles=${clusterTiles}></dees-statsgrid>
<dees-statsgrid .tiles="${clusterTiles}"></dees-statsgrid>
${config?.clusterEnabled ? html`
<div class="sectionSpacer">
<objst-sectionheading>Erasure Coding</objst-sectionheading>
</div>
<dees-statsgrid .tiles=${erasureTiles}></dees-statsgrid>
` : ''}
${clusterEnabled
? html`
<div class="sectionSpacer">
<objst-sectionheading>Erasure Coding</objst-sectionheading>
</div>
<dees-statsgrid .tiles="${erasureTiles}"></dees-statsgrid>
`
: ''}
<div class="sectionSpacer">
<objst-sectionheading>Storage Drives</objst-sectionheading>
</div>
<dees-statsgrid .tiles=${driveTiles}></dees-statsgrid>
<dees-statsgrid .tiles="${driveTiles}"></dees-statsgrid>
<div class="driveList">
${drivePaths.map((path, i) => html`
<div class="driveItem">
<div class="driveIndex">${i + 1}</div>
<span class="drivePath">${path}</span>
</div>
`)}
${(clusterHealth?.drives?.length
? clusterHealth.drives
: drivePaths.map((path, index) => ({ path, index, status: 'configured' }))).map((
drive,
i,
) =>
html`
<div class="driveItem">
<div class="driveIndex">${i + 1}</div>
<span class="drivePath">${drive.path}</span>
<span class="driveStatus">${drive.status}</span>
${drive.usedBytes !== undefined && drive.totalBytes !== undefined
? html`
<span class="driveMeta">${this.formatBytes(drive.usedBytes)} / ${this
.formatBytes(drive.totalBytes)}</span>
`
: ''}
</div>
`
)}
</div>
<div class="infoPanel">
<h2>Configuration Reference</h2>
<p>Cluster and drive settings are applied at server startup. To change them, set the environment variables and restart the server.</p>
<div class="row"><span class="label">OBJST_CLUSTER_ENABLED</span><span class="value">Enable clustering (true/false)</span></div>
<div class="row"><span class="label">OBJST_CLUSTER_NODE_ID</span><span class="value">Unique node identifier</span></div>
<div class="row"><span class="label">OBJST_CLUSTER_QUIC_PORT</span><span class="value">QUIC transport port (default: 4433)</span></div>
<div class="row"><span class="label">OBJST_CLUSTER_SEED_NODES</span><span class="value">Comma-separated seed node addresses</span></div>
<div class="row"><span class="label">OBJST_DRIVE_PATHS</span><span class="value">Comma-separated drive mount paths</span></div>
<div class="row"><span class="label">OBJST_ERASURE_DATA_SHARDS</span><span class="value">Data shards for erasure coding (default: 4)</span></div>
<div class="row"><span class="label">OBJST_ERASURE_PARITY_SHARDS</span><span class="value">Parity shards for erasure coding (default: 2)</span></div>
<div class="row"><span class="label">OBJST_ERASURE_CHUNK_SIZE</span><span class="value">Chunk size in bytes (default: 4194304)</span></div>
<div class="row"><span class="label">OBJST_HEARTBEAT_INTERVAL_MS</span><span class="value">Heartbeat interval in ms (default: 5000)</span></div>
<div class="row"><span class="label">OBJST_HEARTBEAT_TIMEOUT_MS</span><span class="value">Heartbeat timeout in ms (default: 30000)</span></div>
<p>
Cluster and drive settings are applied at server startup. To change them, set the environment
variables and restart the server.
</p>
<div class="row">
<span class="label">OBJST_CLUSTER_ENABLED</span><span class="value"
>Enable clustering (true/false)</span>
</div>
<div class="row">
<span class="label">OBJST_CLUSTER_NODE_ID</span><span class="value"
>Unique node identifier</span>
</div>
<div class="row">
<span class="label">OBJST_CLUSTER_QUIC_PORT</span><span class="value"
>QUIC transport port (default: 4433)</span>
</div>
<div class="row">
<span class="label">OBJST_CLUSTER_SEED_NODES</span><span class="value"
>Comma-separated seed node addresses</span>
</div>
<div class="row">
<span class="label">OBJST_DRIVE_PATHS</span><span class="value"
>Comma-separated drive mount paths</span>
</div>
<div class="row">
<span class="label">OBJST_ERASURE_DATA_SHARDS</span><span class="value"
>Data shards for erasure coding (default: 4)</span>
</div>
<div class="row">
<span class="label">OBJST_ERASURE_PARITY_SHARDS</span><span class="value"
>Parity shards for erasure coding (default: 2)</span>
</div>
<div class="row">
<span class="label">OBJST_ERASURE_CHUNK_SIZE</span><span class="value"
>Chunk size in bytes (default: 4194304)</span>
</div>
<div class="row">
<span class="label">OBJST_HEARTBEAT_INTERVAL_MS</span><span class="value"
>Heartbeat interval in ms (default: 5000)</span>
</div>
<div class="row">
<span class="label">OBJST_HEARTBEAT_TIMEOUT_MS</span><span class="value"
>Heartbeat timeout in ms (default: 30000)</span>
</div>
</div>
`;
}