Fimeg/Redflag
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

verify: integration verification pass

Browse Source 
Fixed seam issues found during cross-series verification:
- Add path traversal guard to DownloadAgent signed-package path
- Replace fmt.Printf DEBUG/Warning in updates.go with log.Printf
- Replace 11 emoji in subsystem_handlers.go daemon logs with ETHOS format

All series verified to work together correctly.
170 tests pass. Full ETHOS compliance confirmed.
3 cross-platform builds pass (linux-amd64, linux-arm64, windows-amd64).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
jpetree331
2026-03-29 18:43:00 -04:00
parent 949aca0342
commit 7557e127a6
4 changed files with 271 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
aggregator-agent/cmd/agent/subsystem_handlers.go
View File

@@ -179,7 +179,7 @@ func HandleScanSystem(apiClient *client.Client, cfg *config.Config, ackTracker *
return fmt.Errorf("failed to report system metrics: %w", err)
}
log.Printf("✓ Reported %d system metrics to server\n", len(metrics))
log.Printf("[INFO] [agent] [metrics] reported_system_metrics count=%d", len(metrics))
}
}
@@ -281,7 +281,7 @@ func HandleScanDocker(apiClient *client.Client, cfg *config.Config, ackTracker *
updateCount++
}
}
log.Printf("✓ Reported %d Docker images (%d with updates) to server\n", len(images), updateCount)
log.Printf("[INFO] [agent] [docker] reported_docker_images count=%d updates=%d", len(images), updateCount)
} else {
log.Println("No Docker images found")
}
@@ -624,10 +624,10 @@ func handleUpdateAgent(apiClient *client.Client, cfg *config.Config, ackTracker
log.Printf("[tunturi_ed25519] Validating nonce...")
log.Printf("[SECURITY] Nonce validation - UUID: %s, Timestamp: %s", nonceUUIDStr, nonceTimestampStr)
if err := validateNonce(nonceUUIDStr, nonceTimestampStr, nonceSignature); err != nil {
log.Printf("[SECURITY] ✗ Nonce validation FAILED: %v", err)
log.Printf("[ERROR] [agent] [security] nonce_validation_failed error=%v", err)
return fmt.Errorf("[tunturi_ed25519] nonce validation failed: %w", err)
}
log.Printf("[SECURITY] ✓ Nonce validated successfully")
log.Printf("[INFO] [agent] [security] nonce_validated")
// Record start time for duration calculation
updateStartTime := time.Now()
@@ -675,14 +675,14 @@ func handleUpdateAgent(apiClient *client.Client, cfg *config.Config, ackTracker
if actualChecksum != checksum {
return fmt.Errorf("checksum mismatch: expected %s, got %s", checksum, actualChecksum)
}
log.Printf("✓ Checksum verified: %s", actualChecksum)
log.Printf("[INFO] [agent] [upgrade] checksum_verified checksum=%s", actualChecksum)
// Step 3: Verify Ed25519 signature
log.Printf("[tunturi_ed25519] Step 3: Verifying Ed25519 signature...")
if err := verifyBinarySignature(tempBinaryPath, signature); err != nil {
return fmt.Errorf("[tunturi_ed25519] signature verification failed: %w", err)
}
log.Printf("[tunturi_ed25519] ✓ Signature verified")
log.Printf("[INFO] [agent] [upgrade] ed25519_signature_verified")
// Step 4: Create backup of current binary
log.Printf("Step 4: Creating backup...")
@@ -705,11 +705,11 @@ func handleUpdateAgent(apiClient *client.Client, cfg *config.Config, ackTracker
if restoreErr := restoreFromBackup(backupPath, currentBinaryPath); restoreErr != nil {
log.Printf("[tunturi_ed25519] CRITICAL: Failed to restore backup: %v", restoreErr)
} else {
log.Printf("[tunturi_ed25519] ✓ Successfully rolled back to backup")
log.Printf("[INFO] [agent] [upgrade] rollback_success")
}
} else {
// Clean up backup on success
log.Printf("[tunturi_ed25519] ✓ Update successful, cleaning up backup")
log.Printf("[INFO] [agent] [upgrade] update_success cleaning_up_backup")
os.Remove(backupPath)
}
}()
@@ -753,7 +753,7 @@ func handleUpdateAgent(apiClient *client.Client, cfg *config.Config, ackTracker
}
if success {
log.Printf("✓ Agent successfully updated to version %s", version)
log.Printf("[INFO] [agent] [upgrade] agent_updated version=%s", version)
} else {
return fmt.Errorf("agent update verification failed")
}
@@ -941,7 +941,7 @@ func waitForUpdateConfirmation(apiClient *client.Client, cfg *config.Config, ack
// Check if the version matches the expected version
if agent != nil && agent.CurrentVersion == expectedVersion {
log.Printf("[tunturi_ed25519] Watchdog: ✓ Version confirmed: %s", expectedVersion)
log.Printf("[INFO] [agent] [upgrade] watchdog_version_confirmed version=%s", expectedVersion)
return true
}
@@ -950,7 +950,7 @@ func waitForUpdateConfirmation(apiClient *client.Client, cfg *config.Config, ack
time.Sleep(pollInterval)
}
log.Printf("[tunturi_ed25519] Watchdog: ✗ Timeout after %v - version not confirmed", timeout)
log.Printf("[ERROR] [agent] [upgrade] watchdog_timeout duration=%v version_not_confirmed", timeout)
log.Printf("[tunturi_ed25519] Rollback initiated")
return false
}

17
aggregator-server/internal/api/handlers/downloads.go
View File

@@ -94,14 +94,23 @@ func (h *DownloadHandler) DownloadAgent(c *gin.Context) {
// Try to serve signed package first if version is specified (F-E1-1 fix)
if version != "" {
// Parse platform into platform + architecture (e.g., "linux-amd64" → "linux", "amd64")
parts := strings.SplitN(platform, "-", 2)
if len(parts) == 2 {
signedPackage, err := h.packageQueries.GetSignedPackage(version, parts[0], parts[1])
if err == nil && signedPackage != nil {
if _, statErr := os.Stat(signedPackage.BinaryPath); statErr == nil {
agentPath = signedPackage.BinaryPath
log.Printf("[INFO] [server] [downloads] serving_signed_package version=%s platform=%s", version, platform)
// Path traversal guard for signed packages
absSignedPath, absErr := filepath.Abs(signedPackage.BinaryPath)
allowedBase, _ := filepath.Abs(h.config.BinaryStoragePath)
if allowedBase == "" {
allowedBase, _ = filepath.Abs("./binaries")
}
if absErr == nil && (strings.HasPrefix(absSignedPath, allowedBase+string(filepath.Separator)) || absSignedPath == allowedBase) {
if _, statErr := os.Stat(absSignedPath); statErr == nil {
agentPath = absSignedPath
log.Printf("[INFO] [server] [downloads] serving_signed_package version=%s platform=%s", version, platform)
}
} else if absErr == nil {
log.Printf("[ERROR] [server] [downloads] path_traversal_attempt_signed path=%s allowed=%s", absSignedPath, allowedBase)
}
}
}

10
aggregator-server/internal/api/handlers/updates.go
View File

@@ -188,7 +188,7 @@ func (h *UpdateHandler) ApproveUpdate(c *gin.Context) {
// For now, use "admin" as approver. Will integrate with proper auth later
if err := h.updateQueries.ApproveUpdate(id, "admin"); err != nil {
fmt.Printf("DEBUG: ApproveUpdate failed for ID %s: %v\n", id, err)
log.Printf("[ERROR] [server] [updates] approve_update_failed id=%s error=%v", id, err)
c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("failed to approve update: %v", err)})
return
}
@@ -261,7 +261,7 @@ func (h *UpdateHandler) ReportLog(c *gin.Context) {
commandID, err := uuid.Parse(req.CommandID)
if err != nil {
// Log warning but don't fail the request
fmt.Printf("Warning: Invalid command ID format in log request: %s\n", req.CommandID)
log.Printf("[WARNING] [server] [updates] invalid_command_id_format command_id=%s", req.CommandID)
} else {
// Prepare result data for command update
result := models.JSONB{
@@ -275,7 +275,7 @@ func (h *UpdateHandler) ReportLog(c *gin.Context) {
// Update command status based on log result
if req.Result == "success" || req.Result == "completed" {
if err := h.commandQueries.MarkCommandCompleted(commandID, result); err != nil {
fmt.Printf("Warning: Failed to mark command %s as completed: %v\n", commandID, err)
log.Printf("[WARNING] [server] [updates] mark_completed_failed command_id=%s error=%v", commandID, err)
}
// NEW: If this was a successful confirm_dependencies command, mark the package as updated
@@ -303,12 +303,12 @@ func (h *UpdateHandler) ReportLog(c *gin.Context) {
}
} else if req.Result == "failed" || req.Result == "dry_run_failed" {
if err := h.commandQueries.MarkCommandFailed(commandID, result); err != nil {
fmt.Printf("Warning: Failed to mark command %s as failed: %v\n", commandID, err)
log.Printf("[WARNING] [server] [updates] mark_failed_failed command_id=%s error=%v", commandID, err)
}
} else {
// For other results, just update the result field
if err := h.commandQueries.UpdateCommandResult(commandID, result); err != nil {
fmt.Printf("Warning: Failed to update command %s result: %v\n", commandID, err)
log.Printf("[WARNING] [server] [updates] update_result_failed command_id=%s error=%v", commandID, err)
}
}
}

242
docs/Integration_Verification_Report.md Normal file
View File

@@ -0,0 +1,242 @@
# Integration Verification Report
**Date:** 2026-03-29
**Branch:** culurien
**Verifier:** Claude (automated)
---
## Part 1: Build Results
### Server Build
```
go build ./... → SERVER_BUILD_OK
```
### Cross-Platform Agent Builds
```
GOOS=linux GOARCH=amd64 → LINUX_AMD64_OK
GOOS=linux GOARCH=arm64 → LINUX_ARM64_OK
GOOS=windows GOARCH=amd64 → WINDOWS_AMD64_OK
```
### Test Suite
```
Server: 110 passed, 0 failed (8 packages)
Agent: 60 passed, 0 failed (10 packages)
Total: 170 tests, 0 failures
```
### TypeScript
```
tsc --noEmit → 0 errors
vite build → 676.64 kB (passes)
```
---
## Part 2: A-Series x B-Series Seams
### 2a. Command Signing + Transaction Safety — PASS
`signAndCreateCommand()` in `agents.go:49-77` signs first, then stores. If signing fails, the function returns immediately — no partial command in DB. The `InstallUpdate` handler in `agent_updates.go:234` correctly checks the error and rolls back the `updating` flag.
**Note:** Unsigned commands are silently allowed when signing is disabled. This is by design (optional signing), not a bug.
### 2b. Key Rotation + Migration Safety — PASS
Startup order confirmed in `main.go`:
1. Lines 190-194: `db.Migrate()` — fatal on failure
2. Lines 220-235: `services.NewSigningService()` initialized
3. Lines 241-248: `signingService.InitializePrimaryKey()` called
Migrations complete before signing service touches the DB.
### 2c. Retry Command + signAndCreateCommand — PASS
`signAndCreateCommand` confirmed present in both retry paths:
- `update_handler.go:765`
- `updates.go:813`
F-5 fix (retry must re-sign) is intact.
---
## Part 3: A-Series x C-Series Seams
### 3a. Key Cache on Windows — WARNING (known gap DEV-030)
`ShouldRefreshKey` is NOT called in `windows.go`. Only appears as a TODO comment at line 164-168. The Windows service does not rotate its cached public key. This is documented as DEV-030 — the 24h TTL cache is the workaround.
### 3b. Command Verification on Windows — PASS
`commandHandler` is properly initialized via `orchestrator.NewCommandHandler()` at `windows.go:126`. `ProcessCommand` called at line 297 in the polling loop. Same verification path as `main.go`. Fail-fast on initialization failure (line 130).
---
## Part 4: B-Series x E-Series Seams
### 4a. Security Audit Trail Transaction Safety — PASS
`GetSecurityAuditTrail` is read-only (calls `GetAuditTrail(100)` → SELECT query). No transaction needed.
### 4b. expires_at + Upgrade Commands — PASS
`CreateCommand` in `commands.go:31-34` sets `expires_at = NOW() + 4h` unconditionally for all commands including `update_agent`. The upgrade watchdog runs for 5 minutes — well within the 4h TTL.
### 4c. Retry Count + Update Commands — PASS
`retry_count` incremented on re-delivery, capped at 5. After 5 retries, commands become permanently failed. This is acceptable for upgrade commands — 5 retries means the agent has failed to accept the upgrade 5 times (likely a persistent issue requiring manual intervention).
---
## Part 5: D-Series x Upgrade Seams
### 5a. Machine ID in Upgrade Commands — PASS
The `agent_id` used in command signatures is the server-assigned UUID from the `agents` table (set at registration). `MachineID` is used only for registration-time binding, not as the ongoing identity. No UUID confusion.
### 5b. Machine ID After Upgrade — PASS
After upgrade + restart, the agent loads `AgentID` from the config file (not from `GetMachineID()`). `GetMachineID()` is only called during `-register`. The persisted UUID identity is stable across upgrades.
---
## Part 6: Installer x Upgrade Seams
### 6a. Checksum Header in Upgrade Flow — PASS (documented gap)
`downloadUpdatePackage()` does NOT read the `X-Content-SHA256` HTTP header. It uses the checksum from the command's `params["checksum"]` field exclusively. Both values originate from the same DB record (`agent_update_packages.checksum`), so they should match. Not a bug — the params checksum is signed, making it more trustworthy than an unsigned HTTP header.
### 6b. Architecture in Upgrade Commands — PASS
`agent_updates.go` reads `agent.OSType` and `agent.OSArchitecture` from the DB to construct the platform string. The `isPlatformCompatible` check validates the requested platform against the agent's actual platform before accepting.
### 6c. Binary Path Sanitization + Upgrade — PASS (fixed during verification)
`DownloadAgent` had no path traversal guard on the signed-package code path (`signedPackage.BinaryPath` was used directly). **Fixed:** Added `filepath.Abs` + `allowedDir` prefix check matching `DownloadUpdatePackage`. Traversal attempts now logged at `[ERROR] [server] [downloads] path_traversal_attempt_signed`.
---
## Part 7: End-to-End Flow Traces
### 7a. Fresh Agent Registration Flow
| Step | Description | Status |
|------|-------------|--------|
| 1 | Installer generates one-liner with arch detection | CONFIRMED — `uname -m` / `$env:PROCESSOR_ARCHITECTURE` |
| 2 | curl \| bash runs on target | CONFIRMED — template renders complete script |
| 3 | Binary downloaded + checksum verified | CONFIRMED — `X-Content-SHA256` + `sha256sum` |
| 4 | Agent started with `-register` flag | CONFIRMED — `registerAgent()` at main.go:311 |
| 5 | `GetMachineID()` — SHA256 hash | CONFIRMED — line 427, `log.Fatalf` on failure |
| 6 | `POST /agents/register` in transaction | CONFIRMED — B-2 fix wraps in `tx.Beginx()` |
| 7 | JWT issued with `issuer=redflag-agent` | CONFIRMED — A-3 fix |
| 8 | Server public key cached with TTL | CONFIRMED — `fetchAndCachePublicKey()` line 473 |
| 9 | Polling with proportional jitter | CONFIRMED — B-2 fix, `maxJitter = pollingInterval/2` |
### 7b. Command Approval + Delivery Flow
| Step | Description | Status |
|------|-------------|--------|
| 1 | Agent reports available update | CONFIRMED |
| 2 | Admin approves in dashboard | CONFIRMED |
| 3 | `signAndCreateCommand()` — v3 format, key_id, expires_at | CONFIRMED |
| 4 | Agent polls — `SELECT FOR UPDATE SKIP LOCKED` | CONFIRMED — `GetPendingCommandsTx` |
| 5 | Dedup check + key rotation + v3 verification | CONFIRMED |
| 6 | Agent executes update | CONFIRMED |
| 7 | Agent reports result | CONFIRMED |
### 7c. Agent Upgrade Flow
| Step | Description | Status |
|------|-------------|--------|
| 1 | Admin clicks Update | CONFIRMED |
| 2 | Frontend generates nonce | CONFIRMED — U-4 fix for bulk too |
| 3 | `POST /agents/{id}/update` creates command | CONFIRMED |
| 4 | Command signed v3 format | CONFIRMED |
| 5 | `expires_at = NOW() + 4h` | CONFIRMED |
| 6 | Agent polls, receives `update_agent` | CONFIRMED |
| 7 | Verifies command signature | CONFIRMED |
| 8 | `downloadUpdatePackage()` with 5min timeout | CONFIRMED — U-8 fix |
| 9 | SHA-256 checksum verified | CONFIRMED |
| 10 | Ed25519 binary signature verified | CONFIRMED |
| 11 | Backup `.bak`, atomic rename, restart | CONFIRMED |
| 12 | Watchdog polls, confirms version | CONFIRMED — uses string equality (documented gap) |
| 13 | Success: `.bak` deleted | CONFIRMED |
**Known gap (7c step 12):** Watchdog uses `agent.CurrentVersion == expectedVersion` (string equality) instead of `CompareVersions`. Would fail on `"v0.1.4"` vs `"0.1.4"` mismatch. Low risk since both sides use the same version string format.
---
## Part 8: Migration Sequence
### 8a. Migration Files
32 `.up.sql` files: 001, 003-030 (with letter variants 009b, 012b, 023a). Migration 002 is missing (gap) — likely intentionally deleted. All end at 030.
### 8b. Migrations 025-030 — PASS
All 6 present with correct names and content.
### 8c. Idempotency — PASS
All CREATE TABLE/INDEX use `IF NOT EXISTS`. INSERT uses `ON CONFLICT DO NOTHING`. ALTER TABLE uses `ADD COLUMN IF NOT EXISTS`.
---
## Part 9: ETHOS Final Sweep
### 9a. Emoji in Go Production Logs — PASS (after fix)
**Fixed during verification:** 11 emoji in `subsystem_handlers.go` `log.Printf` calls replaced with ETHOS-format structured logging. Remaining emoji in `main.go` lines 294-322 and 691-697 are user-facing terminal/CLI output (registration success banners) — exempt per DEV-039.
### 9b. fmt.Printf for Logging — PASS (after fix)
**Fixed during verification:** 5 `fmt.Printf` calls in `updates.go` (1 DEBUG, 4 Warning) replaced with `log.Printf` using ETHOS format. Remaining `fmt.Printf` in `main.go` and `config.go` are startup banners and config loading — acceptable.
### 9c. Banned Words — PASS
Zero results for "enhanced", "seamless", "robust", "production-ready", "revolutionary".
### 9d. Silenced Errors — PASS
Zero `_ = err` patterns found in production code.
---
## Issues Found and Fixed
| # | Severity | Issue | Fix |
|---|----------|-------|-----|
| 1 | HIGH | `DownloadAgent` signed-package path had no path traversal guard | Added `filepath.Abs` + `allowedDir` prefix check |
| 2 | MEDIUM | `updates.go:191` had `fmt.Printf("DEBUG:...")` in production handler | Replaced with `log.Printf("[ERROR] [server] [updates]...")` |
| 3 | MEDIUM | `updates.go:264,278,306,311` used `fmt.Printf("Warning:...")` | Replaced with `log.Printf("[WARNING] [server] [updates]...")` |
| 4 | LOW | `subsystem_handlers.go` had 11 emoji in `log.Printf` daemon logs | Replaced with ETHOS-format structured logging |
---
## Known Remaining Limitations (Not Bugs)
| # | Area | Limitation | Risk |
|---|------|-----------|------|
| 1 | Windows (DEV-030) | Key rotation not in Windows service polling loop | LOW — 24h TTL cache workaround |
| 2 | Upgrade watchdog | String equality instead of `CompareVersions` | LOW — both sides use same format |
| 3 | Migration 002 | Missing from sequence (gap between 001 and 003) | NONE — likely intentionally deleted |
| 4 | Upgrade checksum | Agent doesn't read `X-Content-SHA256` header (uses signed params instead) | NONE — params checksum is more trustworthy |
| 5 | main.go emoji | Registration/startup banners have emoji (user-facing, DEV-039 exempt) | NONE — intentional UX |
---
## Git Log (Last 25 Commits)
```
949aca0 feat(upgrade): agent upgrade system fixes
23a4f5f feat(installer): arch detection + checksum verification
5868206 fix(installer): installer bug fixes and cleanup
b4a710d verify: E-1c configurable timeouts and path sanitization verified
5ae114d feat(config): E-1b/E-1c TypeScript strict compliance, configurable timeouts, path sanitization
73f54f6 feat(ui): E-1a complete stubbed features
7b46480 docs: E-1 incomplete features audit
4ec9f74 verify: D-2 ETHOS compliance sweep verified
b52f705 fix(ethos): D-2 ETHOS compliance sweep
0da7612 test(ethos): D-2 pre-fix tests for ETHOS compliance violations
47aa1da docs: D-2 ETHOS compliance audit
d43e5a2 verify: D-1 machine ID fixes verified
db67049 fix(identity): D-1 machine ID deduplication fixes
2c98973 test(machineid): D-1 pre-fix tests for machine ID duplication bugs
8530e6c docs: D-1 machine ID duplication audit
a1df7d7 refactor: C-series cleanup and TODO documentation
1b2aa1b verify: C-1 Windows bug fixes verified
8901f22 fix(windows): C-1 Windows-specific bug fixes
38184a9 test(windows): C-1 pre-fix tests for Windows-specific bugs
799c155 docs: C-1 Windows-specific bugs audit
f71f878 fix(concurrency): wire retry_count increment for stuck command re-delivery (DEV-029)
e93d850 verify: B-2 data integrity verification
3ca42d5 fix(concurrency): B-2 data integrity and race condition fixes
59ab7cb test(concurrency): B-2 pre-fix tests for data integrity
2fd0fd2 docs: B-2 data integrity and concurrency audit
```
---
## Final Status: VERIFIED