fix: agent acknowledgment recursion and subsystem UI improvements

- Fix recursive call in reportLogWithAck that caused infinite loop - Add machine binding and security API endpoints - Enhance AgentScanners component with security status display - Update scheduler and timeout service reliability - Remove deprecated install.sh script - Add subsystem configuration and logging improvements
2025-11-03 21:02:57 -05:00
parent d0f13e5da7
commit 57be3754c6
19 changed files with 665 additions and 409 deletions
--- a/aggregator-web/src/components/AgentScanners.tsx
+++ b/aggregator-web/src/components/AgentScanners.tsx
@@ -8,9 +8,14 @@ import {
  Cpu,
  Container,
  Package,
+  Shield,
+  Fingerprint,
+  CheckCircle,
+  AlertCircle,
+  XCircle,
 } from 'lucide-react';
 import { formatRelativeTime } from '@/lib/utils';
-import { agentApi } from '@/lib/api';
+import { agentApi, securityApi } from '@/lib/api';
 import toast from 'react-hot-toast';
 import { cn } from '@/lib/utils';
 import { AgentSubsystem } from '@/types';
@@ -60,6 +65,77 @@ export function AgentScanners({ agentId }: AgentScannersProps) {
    refetchInterval: 30000, // Refresh every 30 seconds
  });

+  // Fetch security health status
+  const { data: securityOverview, isLoading: securityLoading } = useQuery({
+    queryKey: ['security-overview'],
+    queryFn: async () => {
+      const data = await securityApi.getOverview();
+      return data;
+    },
+    refetchInterval: 60000, // Refresh every minute
+  });
+
+  // Helper function to get security status color and icon
+  const getSecurityStatusDisplay = (status: string) => {
+    switch (status) {
+      case 'healthy':
+      case 'enforced':
+      case 'operational':
+        return {
+          color: 'text-green-600 bg-green-100 border-green-200',
+          icon: <CheckCircle className="h-4 w-4 text-green-600" />
+        };
+      case 'degraded':
+        return {
+          color: 'text-amber-600 bg-amber-100 border-amber-200',
+          icon: <AlertCircle className="h-4 w-4 text-amber-600" />
+        };
+      case 'unhealthy':
+      case 'unavailable':
+        return {
+          color: 'text-red-600 bg-red-100 border-red-200',
+          icon: <XCircle className="h-4 w-4 text-red-600" />
+        };
+      default:
+        return {
+          color: 'text-gray-600 bg-gray-100 border-gray-200',
+          icon: <AlertCircle className="h-4 w-4 text-gray-600" />
+        };
+    }
+  };
+
+  // Get security icon for subsystem type
+  const getSecurityIcon = (type: string) => {
+    switch (type) {
+      case 'ed25519_signing':
+        return <Shield className="h-4 w-4" />;
+      case 'nonce_validation':
+        return <RefreshCw className="h-4 w-4" />;
+      case 'machine_binding':
+        return <Fingerprint className="h-4 w-4" />;
+      case 'command_validation':
+        return <CheckCircle className="h-4 w-4" />;
+      default:
+        return <Shield className="h-4 w-4" />;
+    }
+  };
+
+  // Get display name for security subsystem
+  const getSecurityDisplayName = (type: string) => {
+    switch (type) {
+      case 'ed25519_signing':
+        return 'Ed25519 Signing';
+      case 'nonce_validation':
+        return 'Nonce Protection';
+      case 'machine_binding':
+        return 'Machine Binding';
+      case 'command_validation':
+        return 'Command Validation';
+      default:
+        return type;
+    }
+  };
+
  // Toggle subsystem enabled/disabled
  const toggleSubsystemMutation = useMutation({
    mutationFn: async ({ subsystem, enabled }: { subsystem: string; enabled: boolean }) => {
@@ -176,6 +252,124 @@ export function AgentScanners({ agentId }: AgentScannersProps) {
        </div>
      </div>

+      {/* Security Health Section */}
+      <div className="card">
+        <div className="flex items-center justify-between mb-4">
+          <div className="flex items-center space-x-2">
+            <Shield className="h-5 w-5 text-gray-600" />
+            <h3 className="text-sm font-medium text-gray-900">Security Health</h3>
+          </div>
+          <button
+            onClick={() => queryClient.invalidateQueries({ queryKey: ['security-overview'] })}
+            disabled={securityLoading}
+            className="flex items-center space-x-1 px-3 py-1 text-xs text-gray-600 hover:text-gray-800 hover:bg-gray-100 rounded transition-colors"
+          >
+            <RefreshCw className={cn('h-3 w-3', securityLoading && 'animate-spin')} />
+            <span>Refresh</span>
+          </button>
+        </div>
+
+        {securityLoading ? (
+          <div className="flex items-center justify-center py-8">
+            <RefreshCw className="h-5 w-5 animate-spin text-gray-400" />
+            <span className="ml-2 text-sm text-gray-600">Loading security status...</span>
+          </div>
+        ) : securityOverview ? (
+          <div className="space-y-4">
+            {/* Overall Security Status */}
+            <div className="flex items-center justify-between p-3 bg-gray-50 rounded-lg border border-gray-200">
+              <div className="flex items-center space-x-3">
+                <div className={cn(
+                  'w-3 h-3 rounded-full',
+                  securityOverview.overall_status === 'healthy' ? 'bg-green-500' :
+                  securityOverview.overall_status === 'degraded' ? 'bg-amber-500' : 'bg-red-500'
+                )}></div>
+                <div>
+                  <p className="text-sm font-medium text-gray-900">Overall Security Status</p>
+                  <p className="text-xs text-gray-500 capitalize">{securityOverview.overall_status}</p>
+                </div>
+              </div>
+              <div className={cn(
+                'px-2 py-1 rounded-full text-xs font-medium border',
+                getSecurityStatusDisplay(securityOverview.overall_status).color
+              )}>
+                {securityOverview.overall_status.toUpperCase()}
+              </div>
+            </div>
+
+            {/* Individual Security Subsystems */}
+            <div className="grid grid-cols-1 md:grid-cols-2 gap-3">
+              {Object.entries(securityOverview.subsystems).map(([key, subsystem]) => {
+                const display = getSecurityStatusDisplay(subsystem.status);
+                return (
+                  <div key={key} className="flex items-center justify-between p-3 bg-white border border-gray-200 rounded-lg">
+                    <div className="flex items-center space-x-3">
+                      <div className="text-gray-600">
+                        {getSecurityIcon(key)}
+                      </div>
+                      <div>
+                        <p className="text-sm font-medium text-gray-900">
+                          {getSecurityDisplayName(key)}
+                        </p>
+                        <p className="text-xs text-gray-500 capitalize">
+                          {subsystem.enabled ? 'Enabled' : 'Disabled'}
+                        </p>
+                      </div>
+                    </div>
+                    <div className={cn(
+                      'px-2 py-1 rounded-full text-xs font-medium border flex items-center space-x-1',
+                      display.color
+                    )}>
+                      {display.icon}
+                      <span>{subsystem.status.toUpperCase()}</span>
+                    </div>
+                  </div>
+                );
+              })}
+            </div>
+
+            {/* Security Alerts and Recommendations */}
+            {(securityOverview.alerts.length > 0 || securityOverview.recommendations.length > 0) && (
+              <div className="space-y-3">
+                {securityOverview.alerts.length > 0 && (
+                  <div className="p-3 bg-red-50 border border-red-200 rounded-lg">
+                    <p className="text-sm font-medium text-red-800 mb-2">Security Alerts</p>
+                    <ul className="text-xs text-red-700 space-y-1">
+                      {securityOverview.alerts.map((alert, index) => (
+                        <li key={index} className="flex items-start space-x-2">
+                          <XCircle className="h-3 w-3 text-red-500 mt-0.5 flex-shrink-0" />
+                          <span>{alert}</span>
+                        </li>
+                      ))}
+                    </ul>
+                  </div>
+                )}
+
+                {securityOverview.recommendations.length > 0 && (
+                  <div className="p-3 bg-amber-50 border border-amber-200 rounded-lg">
+                    <p className="text-sm font-medium text-amber-800 mb-2">Recommendations</p>
+                    <ul className="text-xs text-amber-700 space-y-1">
+                      {securityOverview.recommendations.map((recommendation, index) => (
+                        <li key={index} className="flex items-start space-x-2">
+                          <AlertCircle className="h-3 w-3 text-amber-500 mt-0.5 flex-shrink-0" />
+                          <span>{recommendation}</span>
+                        </li>
+                      ))}
+                    </ul>
+                  </div>
+                )}
+              </div>
+            )}
+          </div>
+        ) : (
+          <div className="text-center py-8">
+            <Shield className="mx-auto h-8 w-8 text-gray-400" />
+            <p className="mt-2 text-sm text-gray-600">Unable to load security status</p>
+            <p className="text-xs text-gray-500">Security monitoring may be unavailable</p>
+          </div>
+        )}
+      </div>
+
      {/* Subsystem Configuration Table */}
      <div className="card">
        <div className="flex items-center justify-between mb-3">
--- a/aggregator-web/src/components/AgentUpdatesEnhanced.tsx
+++ b/aggregator-web/src/components/AgentUpdatesEnhanced.tsx
@@ -2,13 +2,9 @@ import { useState } from 'react';
 import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
 import {
  Search,
-  Package,
-  Download,
  Upload,
-  CheckCircle,
  RefreshCw,
  Terminal,
-  Filter,
  ChevronDown,
  ChevronRight,
  Check,
--- a/aggregator-web/src/lib/api.ts
+++ b/aggregator-web/src/lib/api.ts
@@ -692,4 +692,126 @@ export const adminApi = {
  },
 };

+// Security API endpoints
+export const securityApi = {
+  // Get comprehensive security overview
+  getOverview: async (): Promise<{
+    timestamp: string;
+    overall_status: 'healthy' | 'degraded' | 'unhealthy';
+    subsystems: {
+      ed25519_signing: { status: string; enabled: boolean };
+      nonce_validation: { status: string; enabled: boolean };
+      machine_binding: { status: string; enabled: boolean };
+      command_validation: { status: string; enabled: boolean };
+    };
+    alerts: string[];
+    recommendations: string[];
+  }> => {
+    const response = await api.get('/security/overview');
+    return response.data;
+  },
+
+  // Get Ed25519 signing service status
+  getSigningStatus: async (): Promise<{
+    status: string;
+    timestamp: string;
+    checks: {
+      service_initialized: boolean;
+      public_key_available: boolean;
+      signing_operational: boolean;
+    };
+    public_key_fingerprint?: string;
+    algorithm?: string;
+  }> => {
+    const response = await api.get('/security/signing');
+    return response.data;
+  },
+
+  // Get nonce validation status
+  getNonceStatus: async (): Promise<{
+    status: string;
+    timestamp: string;
+    checks: {
+      validation_enabled: boolean;
+      max_age_minutes: number;
+      recent_validations: number;
+      validation_failures: number;
+    };
+    details: {
+      nonce_format: string;
+      signature_algorithm: string;
+      replay_protection: string;
+    };
+  }> => {
+    const response = await api.get('/security/nonce');
+    return response.data;
+  },
+
+  // Get machine binding status
+  getMachineBindingStatus: async (): Promise<{
+    status: string;
+    timestamp: string;
+    checks: {
+      binding_enforced: boolean;
+      min_agent_version: string;
+      fingerprint_required: boolean;
+      recent_violations: number;
+    };
+    details: {
+      enforcement_method: string;
+      binding_scope: string;
+      violation_action: string;
+    };
+  }> => {
+    const response = await api.get('/security/machine-binding');
+    return response.data;
+  },
+
+  // Get command validation status
+  getCommandValidationStatus: async (): Promise<{
+    status: string;
+    timestamp: string;
+    metrics: {
+      total_pending_commands: number;
+      agents_with_pending: number;
+      commands_last_hour: number;
+      commands_last_24h: number;
+    };
+    checks: {
+      command_processing: string;
+      backpressure_active: boolean;
+      agent_responsive: string;
+    };
+  }> => {
+    const response = await api.get('/security/commands');
+    return response.data;
+  },
+
+  // Get detailed security metrics
+  getMetrics: async (): Promise<{
+    timestamp: string;
+    signing: {
+      public_key_fingerprint: string;
+      algorithm: string;
+      key_size: number;
+      configured: boolean;
+    };
+    nonce: {
+      max_age_seconds: number;
+      format: string;
+    };
+    machine_binding: {
+      min_version: string;
+      enforcement: string;
+    };
+    command_processing: {
+      backpressure_threshold: number;
+      rate_limit_per_second: number;
+    };
+  }> => {
+    const response = await api.get('/security/metrics');
+    return response.data;
+  },
+};
+
 export default api;