feat: machine binding and version enforcement
migration 017 adds machine_id to agents table middleware validates X-Machine-ID header on authed routes agent client sends machine ID with requests MIN_AGENT_VERSION config defaults 0.1.22 version utils added for comparison blocks config copying attacks via hardware fingerprint old agents get 426 upgrade required breaking: <0.1.22 agents rejected
This commit is contained in:
Fimeg
@@ -0,0 +1,10 @@
|
||||
-- Remove agent update packages table
|
||||
DROP TABLE IF EXISTS agent_update_packages;
|
||||
|
||||
-- Remove new columns from agents table
|
||||
ALTER TABLE agents
|
||||
DROP COLUMN IF EXISTS machine_id,
|
||||
DROP COLUMN IF EXISTS public_key_fingerprint,
|
||||
DROP COLUMN IF EXISTS is_updating,
|
||||
DROP COLUMN IF EXISTS updating_to_version,
|
||||
DROP COLUMN IF EXISTS update_initiated_at;
|
||||
@@ -0,0 +1,47 @@
|
||||
-- Add machine ID and public key fingerprint fields to agents table
|
||||
-- This enables Ed25519 binary signing and machine binding
|
||||
|
||||
ALTER TABLE agents
|
||||
ADD COLUMN machine_id VARCHAR(64) UNIQUE,
|
||||
ADD COLUMN public_key_fingerprint VARCHAR(16),
|
||||
ADD COLUMN is_updating BOOLEAN DEFAULT false,
|
||||
ADD COLUMN updating_to_version VARCHAR(50),
|
||||
ADD COLUMN update_initiated_at TIMESTAMP;
|
||||
|
||||
-- Create index for machine ID lookups
|
||||
CREATE INDEX idx_agents_machine_id ON agents(machine_id);
|
||||
CREATE INDEX idx_agents_public_key_fingerprint ON agents(public_key_fingerprint);
|
||||
|
||||
-- Add comment to document the new fields
|
||||
COMMENT ON COLUMN agents.machine_id IS 'Unique machine identifier to bind agent binaries to specific hardware';
|
||||
COMMENT ON COLUMN agents.public_key_fingerprint IS 'Fingerprint of embedded public key for binary signature verification';
|
||||
COMMENT ON COLUMN agents.is_updating IS 'Whether agent is currently updating';
|
||||
COMMENT ON COLUMN agents.updating_to_version IS 'Target version for ongoing update';
|
||||
COMMENT ON COLUMN agents.update_initiated_at IS 'When the update process started';
|
||||
|
||||
-- Create table for storing signed update packages
|
||||
CREATE TABLE agent_update_packages (
|
||||
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
|
||||
version VARCHAR(50) NOT NULL,
|
||||
platform VARCHAR(50) NOT NULL, -- linux-amd64, linux-arm64, windows-amd64, etc.
|
||||
architecture VARCHAR(20) NOT NULL,
|
||||
binary_path VARCHAR(500) NOT NULL,
|
||||
signature VARCHAR(128) NOT NULL, -- Ed25519 signature (64 bytes hex encoded)
|
||||
checksum VARCHAR(64) NOT NULL, -- SHA-256 checksum
|
||||
file_size BIGINT NOT NULL,
|
||||
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
|
||||
created_by VARCHAR(100) DEFAULT 'system',
|
||||
is_active BOOLEAN DEFAULT true
|
||||
);
|
||||
|
||||
-- Add indexes for update packages
|
||||
CREATE INDEX idx_agent_update_packages_version ON agent_update_packages(version);
|
||||
CREATE INDEX idx_agent_update_packages_platform ON agent_update_packages(platform, architecture);
|
||||
CREATE INDEX idx_agent_update_packages_active ON agent_update_packages(is_active);
|
||||
|
||||
-- Add comments for update packages table
|
||||
COMMENT ON TABLE agent_update_packages IS 'Stores signed agent binary packages for secure updates';
|
||||
COMMENT ON COLUMN agent_update_packages.signature IS 'Ed25519 signature of the binary file';
|
||||
COMMENT ON COLUMN agent_update_packages.checksum IS 'SHA-256 checksum of the binary file';
|
||||
COMMENT ON COLUMN agent_update_packages.platform IS 'Target platform (OS-architecture)';
|
||||
COMMENT ON COLUMN agent_update_packages.is_active IS 'Whether this package is available for updates';
|
||||
@@ -0,0 +1,4 @@
|
||||
-- Rollback machine_id column addition
|
||||
|
||||
DROP INDEX IF EXISTS idx_agents_machine_id;
|
||||
ALTER TABLE agents DROP COLUMN IF EXISTS machine_id;
|
||||
@@ -0,0 +1,11 @@
|
||||
-- Add machine_id column to agents table for hardware fingerprint binding
|
||||
-- This prevents config file copying attacks by validating hardware identity
|
||||
|
||||
ALTER TABLE agents
|
||||
ADD COLUMN machine_id VARCHAR(64);
|
||||
|
||||
-- Create unique index to prevent duplicate machine IDs
|
||||
CREATE UNIQUE INDEX idx_agents_machine_id ON agents(machine_id) WHERE machine_id IS NOT NULL;
|
||||
|
||||
-- Add comment for documentation
|
||||
COMMENT ON COLUMN agents.machine_id IS 'SHA-256 hash of hardware fingerprint (prevents agent impersonation via config copying)';
|
||||
219
aggregator-server/internal/database/queries/agent_updates.go
Normal file
219
aggregator-server/internal/database/queries/agent_updates.go
Normal file
@@ -0,0 +1,219 @@
|
||||
package queries
|
||||
|
||||
import (
|
||||
"database/sql"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/Fimeg/RedFlag/aggregator-server/internal/models"
|
||||
"github.com/google/uuid"
|
||||
"github.com/jmoiron/sqlx"
|
||||
)
|
||||
|
||||
// AgentUpdateQueries handles database operations for agent update packages
|
||||
type AgentUpdateQueries struct {
|
||||
db *sqlx.DB
|
||||
}
|
||||
|
||||
// NewAgentUpdateQueries creates a new AgentUpdateQueries instance
|
||||
func NewAgentUpdateQueries(db *sqlx.DB) *AgentUpdateQueries {
|
||||
return &AgentUpdateQueries{db: db}
|
||||
}
|
||||
|
||||
// CreateUpdatePackage stores a new signed update package
|
||||
func (q *AgentUpdateQueries) CreateUpdatePackage(pkg *models.AgentUpdatePackage) error {
|
||||
query := `
|
||||
INSERT INTO agent_update_packages (
|
||||
id, version, platform, architecture, binary_path, signature,
|
||||
checksum, file_size, created_by, is_active
|
||||
) VALUES (
|
||||
:id, :version, :platform, :architecture, :binary_path, :signature,
|
||||
:checksum, :file_size, :created_by, :is_active
|
||||
) RETURNING id, created_at
|
||||
`
|
||||
|
||||
rows, err := q.db.NamedQuery(query, pkg)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create update package: %w", err)
|
||||
}
|
||||
defer rows.Close()
|
||||
|
||||
if rows.Next() {
|
||||
if err := rows.Scan(&pkg.ID, &pkg.CreatedAt); err != nil {
|
||||
return fmt.Errorf("failed to scan created package: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetUpdatePackage retrieves an update package by ID
|
||||
func (q *AgentUpdateQueries) GetUpdatePackage(id uuid.UUID) (*models.AgentUpdatePackage, error) {
|
||||
query := `
|
||||
SELECT id, version, platform, architecture, binary_path, signature,
|
||||
checksum, file_size, created_at, created_by, is_active
|
||||
FROM agent_update_packages
|
||||
WHERE id = $1 AND is_active = true
|
||||
`
|
||||
|
||||
var pkg models.AgentUpdatePackage
|
||||
err := q.db.Get(&pkg, query, id)
|
||||
if err != nil {
|
||||
if err == sql.ErrNoRows {
|
||||
return nil, fmt.Errorf("update package not found")
|
||||
}
|
||||
return nil, fmt.Errorf("failed to get update package: %w", err)
|
||||
}
|
||||
|
||||
return &pkg, nil
|
||||
}
|
||||
|
||||
// GetUpdatePackageByVersion retrieves the latest update package for a version and platform
|
||||
func (q *AgentUpdateQueries) GetUpdatePackageByVersion(version, platform, architecture string) (*models.AgentUpdatePackage, error) {
|
||||
query := `
|
||||
SELECT id, version, platform, architecture, binary_path, signature,
|
||||
checksum, file_size, created_at, created_by, is_active
|
||||
FROM agent_update_packages
|
||||
WHERE version = $1 AND platform = $2 AND architecture = $3 AND is_active = true
|
||||
ORDER BY created_at DESC
|
||||
LIMIT 1
|
||||
`
|
||||
|
||||
var pkg models.AgentUpdatePackage
|
||||
err := q.db.Get(&pkg, query, version, platform, architecture)
|
||||
if err != nil {
|
||||
if err == sql.ErrNoRows {
|
||||
return nil, fmt.Errorf("no update package found for version %s on %s/%s", version, platform, architecture)
|
||||
}
|
||||
return nil, fmt.Errorf("failed to get update package: %w", err)
|
||||
}
|
||||
|
||||
return &pkg, nil
|
||||
}
|
||||
|
||||
// ListUpdatePackages retrieves all update packages with optional filtering
|
||||
func (q *AgentUpdateQueries) ListUpdatePackages(version, platform string, limit, offset int) ([]models.AgentUpdatePackage, error) {
|
||||
query := `
|
||||
SELECT id, version, platform, architecture, binary_path, signature,
|
||||
checksum, file_size, created_at, created_by, is_active
|
||||
FROM agent_update_packages
|
||||
WHERE is_active = true
|
||||
`
|
||||
|
||||
args := []interface{}{}
|
||||
argIndex := 1
|
||||
|
||||
if version != "" {
|
||||
query += fmt.Sprintf(" AND version = $%d", argIndex)
|
||||
args = append(args, version)
|
||||
argIndex++
|
||||
}
|
||||
|
||||
if platform != "" {
|
||||
query += fmt.Sprintf(" AND platform = $%d", argIndex)
|
||||
args = append(args, platform)
|
||||
argIndex++
|
||||
}
|
||||
|
||||
query += " ORDER BY created_at DESC"
|
||||
|
||||
if limit > 0 {
|
||||
query += fmt.Sprintf(" LIMIT $%d", argIndex)
|
||||
args = append(args, limit)
|
||||
argIndex++
|
||||
|
||||
if offset > 0 {
|
||||
query += fmt.Sprintf(" OFFSET $%d", argIndex)
|
||||
args = append(args, offset)
|
||||
}
|
||||
}
|
||||
|
||||
var packages []models.AgentUpdatePackage
|
||||
err := q.db.Select(&packages, query, args...)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to list update packages: %w", err)
|
||||
}
|
||||
|
||||
return packages, nil
|
||||
}
|
||||
|
||||
// DeactivateUpdatePackage marks a package as inactive
|
||||
func (q *AgentUpdateQueries) DeactivateUpdatePackage(id uuid.UUID) error {
|
||||
query := `UPDATE agent_update_packages SET is_active = false WHERE id = $1`
|
||||
|
||||
result, err := q.db.Exec(query, id)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to deactivate update package: %w", err)
|
||||
}
|
||||
|
||||
rowsAffected, err := result.RowsAffected()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to get rows affected: %w", err)
|
||||
}
|
||||
|
||||
if rowsAffected == 0 {
|
||||
return fmt.Errorf("no update package found to deactivate")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// UpdateAgentMachineInfo updates the machine ID and public key fingerprint for an agent
|
||||
func (q *AgentUpdateQueries) UpdateAgentMachineInfo(agentID uuid.UUID, machineID, publicKeyFingerprint string) error {
|
||||
query := `
|
||||
UPDATE agents
|
||||
SET machine_id = $1, public_key_fingerprint = $2, updated_at = $3
|
||||
WHERE id = $4
|
||||
`
|
||||
|
||||
_, err := q.db.Exec(query, machineID, publicKeyFingerprint, time.Now().UTC(), agentID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to update agent machine info: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// UpdateAgentUpdatingStatus sets the update status for an agent
|
||||
func (q *AgentUpdateQueries) UpdateAgentUpdatingStatus(agentID uuid.UUID, isUpdating bool, targetVersion *string) error {
|
||||
query := `
|
||||
UPDATE agents
|
||||
SET is_updating = $1,
|
||||
updating_to_version = $2,
|
||||
update_initiated_at = CASE WHEN $1 = true THEN $3 ELSE update_initiated_at END,
|
||||
updated_at = $3
|
||||
WHERE id = $4
|
||||
`
|
||||
|
||||
now := time.Now().UTC()
|
||||
_, err := q.db.Exec(query, isUpdating, targetVersion, now, agentID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to update agent updating status: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetAgentByMachineID retrieves an agent by its machine ID
|
||||
func (q *AgentUpdateQueries) GetAgentByMachineID(machineID string) (*models.Agent, error) {
|
||||
query := `
|
||||
SELECT id, hostname, os_type, os_version, os_architecture, agent_version,
|
||||
current_version, update_available, last_version_check, machine_id,
|
||||
public_key_fingerprint, is_updating, updating_to_version,
|
||||
update_initiated_at, last_seen, status, metadata, reboot_required,
|
||||
last_reboot_at, reboot_reason, created_at, updated_at
|
||||
FROM agents
|
||||
WHERE machine_id = $1
|
||||
`
|
||||
|
||||
var agent models.Agent
|
||||
err := q.db.Get(&agent, query, machineID)
|
||||
if err != nil {
|
||||
if err == sql.ErrNoRows {
|
||||
return nil, fmt.Errorf("agent not found for machine ID")
|
||||
}
|
||||
return nil, fmt.Errorf("failed to get agent by machine ID: %w", err)
|
||||
}
|
||||
|
||||
return &agent, nil
|
||||
}
|
||||
@@ -1,6 +1,8 @@
|
||||
package queries
|
||||
|
||||
import (
|
||||
"database/sql"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/Fimeg/RedFlag/aggregator-server/internal/models"
|
||||
@@ -245,3 +247,51 @@ func (q *AgentQueries) UpdateAgentLastReboot(id uuid.UUID, rebootTime time.Time)
|
||||
_, err := q.db.Exec(query, rebootTime, time.Now(), id)
|
||||
return err
|
||||
}
|
||||
|
||||
// GetAgentByMachineID retrieves an agent by its machine ID
|
||||
func (q *AgentQueries) GetAgentByMachineID(machineID string) (*models.Agent, error) {
|
||||
query := `
|
||||
SELECT id, hostname, os_type, os_version, os_architecture, agent_version,
|
||||
current_version, update_available, last_version_check, machine_id,
|
||||
public_key_fingerprint, is_updating, updating_to_version,
|
||||
update_initiated_at, last_seen, status, metadata, reboot_required,
|
||||
last_reboot_at, reboot_reason, created_at, updated_at
|
||||
FROM agents
|
||||
WHERE machine_id = $1
|
||||
`
|
||||
|
||||
var agent models.Agent
|
||||
err := q.db.Get(&agent, query, machineID)
|
||||
if err != nil {
|
||||
if err == sql.ErrNoRows {
|
||||
return nil, nil // Return nil if not found (not an error)
|
||||
}
|
||||
return nil, fmt.Errorf("failed to get agent by machine ID: %w", err)
|
||||
}
|
||||
|
||||
return &agent, nil
|
||||
}
|
||||
|
||||
// UpdateAgentUpdatingStatus updates the agent's update status
|
||||
func (q *AgentQueries) UpdateAgentUpdatingStatus(id uuid.UUID, isUpdating bool, updatingToVersion *string) error {
|
||||
query := `
|
||||
UPDATE agents
|
||||
SET
|
||||
is_updating = $1,
|
||||
updating_to_version = $2,
|
||||
update_initiated_at = CASE
|
||||
WHEN $1 = true THEN $3
|
||||
ELSE NULL
|
||||
END,
|
||||
updated_at = $3
|
||||
WHERE id = $4
|
||||
`
|
||||
|
||||
var versionPtr *string
|
||||
if updatingToVersion != nil {
|
||||
versionPtr = updatingToVersion
|
||||
}
|
||||
|
||||
_, err := q.db.Exec(query, isUpdating, versionPtr, time.Now(), id)
|
||||
return err
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user