Major refactoring

internal/config.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 	"sync"
 
+	pb "git.nevets.tech/Keys/CertManager/proto/v1"
 	"github.com/google/uuid"
 	"github.com/spf13/viper"
 )
@@ -186,6 +187,18 @@ func SaveDomainConfigs() error {
 	return nil
 }
 
+// ---------------------------------------------------------------------------
+// Domain Specific Lookups
+// ---------------------------------------------------------------------------
+
+func PostPullHooks(domain string) ([]*pb.Hook, error) {
+	var hooks []*pb.Hook
+	if err := viper.UnmarshalKey("Hooks.PostPull", hooks); err != nil {
+		return nil, err
+	}
+	return hooks, nil
+}
+
 // ---------------------------------------------------------------------------
 //  Effective lookups (domain → global fallback)
 // ---------------------------------------------------------------------------
@@ -297,7 +310,7 @@ func CreateDomainConfig(domain string) error {
 			"{domain}", domain,
 			"{key}", key,
 		).Replace(defaultServerDomainConfig)
-	case "Client":
+	case "client":
 		content = strings.NewReplacer(
 			"{domain}", domain,
 			"{key}", key,
@@ -393,6 +406,12 @@ crypto_key = '{key}'
 domain_name = '{domain}'
 enabled = true
 
+[Hooks.PostPull]
+command = []
+cwd = "/dev/null"
+timeout_seconds = 30
+env = { "FOO" = "bar" }
+
 [Repo]
 repo_suffix = '-certificates'
 `

internal/grpc.go

@@ -0,0 +1 @@
+package internal

internal/util.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io/fs"
 	"os"
+	"os/user"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -224,12 +225,12 @@ func LinkFile(source, target, domain, extension string) error {
 	}
 	if linkInfo.IsDir() {
 		target = filepath.Join(target, domain+extension)
+		err = os.Symlink(source, target)
+		if err != nil {
+			return err
+		}
 	}
 
-	err = os.Symlink(source, target)
-	if err != nil {
-		return err
-	}
 	return nil
 }
 
@@ -295,3 +296,64 @@ func ChownRecursive(path string, uid, gid int) error {
 		return os.Chown(name, uid, gid)
 	})
 }
+
+func LookupGID(group string) (int, error) {
+	g, err := user.LookupGroup(group)
+	if err != nil {
+		return 0, err
+	}
+	return strconv.Atoi(g.Gid)
+}
+
+// MakeCredential resolves username/groupname to uid/gid for syscall.Credential.
+// Note: actually *using* different credentials typically requires the server
+// process to have appropriate privileges (often root).
+func MakeCredential(username, groupname string) (*syscall.Credential, error) {
+	var uid, gid uint32
+	var haveUID, haveGID bool
+
+	if username != "" {
+		u, err := user.Lookup(username)
+		if err != nil {
+			return nil, fmt.Errorf("unknown user")
+		}
+		parsed, err := strconv.ParseUint(u.Uid, 10, 32)
+		if err != nil {
+			return nil, fmt.Errorf("bad uid")
+		}
+		uid = uint32(parsed)
+		haveUID = true
+
+		// If group not explicitly provided, default to user's primary group.
+		if groupname == "" && u.Gid != "" {
+			parsedG, err := strconv.ParseUint(u.Gid, 10, 32)
+			if err == nil {
+				gid = uint32(parsedG)
+				haveGID = true
+			}
+		}
+	}
+
+	if groupname != "" {
+		g, err := user.LookupGroup(groupname)
+		if err != nil {
+			return nil, fmt.Errorf("unknown group")
+		}
+		parsed, err := strconv.ParseUint(g.Gid, 10, 32)
+		if err != nil {
+			return nil, fmt.Errorf("bad gid")
+		}
+		gid = uint32(parsed)
+		haveGID = true
+	}
+
+	// If only group was provided, keep current uid.
+	if !haveUID {
+		uid = uint32(os.Getuid())
+	}
+	if !haveGID {
+		gid = uint32(os.Getgid())
+	}
+
+	return &syscall.Credential{Uid: uid, Gid: gid}, nil
+}