feat: machine binding and version enforcement

migration 017 adds machine_id to agents table middleware validates X-Machine-ID header on authed routes agent client sends machine ID with requests MIN_AGENT_VERSION config defaults 0.1.22 version utils added for comparison blocks config copying attacks via hardware fingerprint old agents get 426 upgrade required breaking: <0.1.22 agents rejected
2025-11-02 09:30:04 -05:00
parent 99480f3fe3
commit ec3ba88459
48 changed files with 3811 additions and 122 deletions
--- a/aggregator-server/internal/database/migrations/016_agent_update_packages.down.sql
+++ b/aggregator-server/internal/database/migrations/016_agent_update_packages.down.sql
@@ -0,0 +1,10 @@
+-- Remove agent update packages table
+DROP TABLE IF EXISTS agent_update_packages;
+
+-- Remove new columns from agents table
+ALTER TABLE agents
+DROP COLUMN IF EXISTS machine_id,
+DROP COLUMN IF EXISTS public_key_fingerprint,
+DROP COLUMN IF EXISTS is_updating,
+DROP COLUMN IF EXISTS updating_to_version,
+DROP COLUMN IF EXISTS update_initiated_at;
--- a/aggregator-server/internal/database/migrations/016_agent_update_packages.up.sql
+++ b/aggregator-server/internal/database/migrations/016_agent_update_packages.up.sql
@@ -0,0 +1,47 @@
+-- Add machine ID and public key fingerprint fields to agents table
+-- This enables Ed25519 binary signing and machine binding
+
+ALTER TABLE agents
+ADD COLUMN machine_id VARCHAR(64) UNIQUE,
+ADD COLUMN public_key_fingerprint VARCHAR(16),
+ADD COLUMN is_updating BOOLEAN DEFAULT false,
+ADD COLUMN updating_to_version VARCHAR(50),
+ADD COLUMN update_initiated_at TIMESTAMP;
+
+-- Create index for machine ID lookups
+CREATE INDEX idx_agents_machine_id ON agents(machine_id);
+CREATE INDEX idx_agents_public_key_fingerprint ON agents(public_key_fingerprint);
+
+-- Add comment to document the new fields
+COMMENT ON COLUMN agents.machine_id IS 'Unique machine identifier to bind agent binaries to specific hardware';
+COMMENT ON COLUMN agents.public_key_fingerprint IS 'Fingerprint of embedded public key for binary signature verification';
+COMMENT ON COLUMN agents.is_updating IS 'Whether agent is currently updating';
+COMMENT ON COLUMN agents.updating_to_version IS 'Target version for ongoing update';
+COMMENT ON COLUMN agents.update_initiated_at IS 'When the update process started';
+
+-- Create table for storing signed update packages
+CREATE TABLE agent_update_packages (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    version VARCHAR(50) NOT NULL,
+    platform VARCHAR(50) NOT NULL, -- linux-amd64, linux-arm64, windows-amd64, etc.
+    architecture VARCHAR(20) NOT NULL,
+    binary_path VARCHAR(500) NOT NULL,
+    signature VARCHAR(128) NOT NULL, -- Ed25519 signature (64 bytes hex encoded)
+    checksum VARCHAR(64) NOT NULL, -- SHA-256 checksum
+    file_size BIGINT NOT NULL,
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    created_by VARCHAR(100) DEFAULT 'system',
+    is_active BOOLEAN DEFAULT true
+);
+
+-- Add indexes for update packages
+CREATE INDEX idx_agent_update_packages_version ON agent_update_packages(version);
+CREATE INDEX idx_agent_update_packages_platform ON agent_update_packages(platform, architecture);
+CREATE INDEX idx_agent_update_packages_active ON agent_update_packages(is_active);
+
+-- Add comments for update packages table
+COMMENT ON TABLE agent_update_packages IS 'Stores signed agent binary packages for secure updates';
+COMMENT ON COLUMN agent_update_packages.signature IS 'Ed25519 signature of the binary file';
+COMMENT ON COLUMN agent_update_packages.checksum IS 'SHA-256 checksum of the binary file';
+COMMENT ON COLUMN agent_update_packages.platform IS 'Target platform (OS-architecture)';
+COMMENT ON COLUMN agent_update_packages.is_active IS 'Whether this package is available for updates';
--- a/aggregator-server/internal/database/migrations/017_add_machine_id.down.sql
+++ b/aggregator-server/internal/database/migrations/017_add_machine_id.down.sql
@@ -0,0 +1,4 @@
+-- Rollback machine_id column addition
+
+DROP INDEX IF EXISTS idx_agents_machine_id;
+ALTER TABLE agents DROP COLUMN IF EXISTS machine_id;
--- a/aggregator-server/internal/database/migrations/017_add_machine_id.up.sql
+++ b/aggregator-server/internal/database/migrations/017_add_machine_id.up.sql
@@ -0,0 +1,11 @@
+-- Add machine_id column to agents table for hardware fingerprint binding
+-- This prevents config file copying attacks by validating hardware identity
+
+ALTER TABLE agents
+ADD COLUMN machine_id VARCHAR(64);
+
+-- Create unique index to prevent duplicate machine IDs
+CREATE UNIQUE INDEX idx_agents_machine_id ON agents(machine_id) WHERE machine_id IS NOT NULL;
+
+-- Add comment for documentation
+COMMENT ON COLUMN agents.machine_id IS 'SHA-256 hash of hardware fingerprint (prevents agent impersonation via config copying)';