WIP: Save current state - security subsystems, migrations, logging

2025-12-16 14:19:59 -05:00
parent f792ab23c7
commit f7c8d23c5d
89 changed files with 8884 additions and 1394 deletions
--- a/aggregator-server/internal/api/handlers/docker.go
+++ b/aggregator-server/internal/api/handlers/docker.go
@@ -1,11 +1,15 @@
 package handlers

 import (
+	"fmt"
+	"log"
 	"net/http"
 	"strconv"

 	"github.com/Fimeg/RedFlag/aggregator-server/internal/database/queries"
 	"github.com/Fimeg/RedFlag/aggregator-server/internal/models"
+	"github.com/Fimeg/RedFlag/aggregator-server/internal/services"
+	"github.com/Fimeg/RedFlag/aggregator-server/internal/logging"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 )
@@ -14,16 +18,51 @@ type DockerHandler struct {
 	updateQueries  *queries.UpdateQueries
 	agentQueries   *queries.AgentQueries
 	commandQueries *queries.CommandQueries
+	signingService *services.SigningService
+	securityLogger *logging.SecurityLogger
 }

-func NewDockerHandler(uq *queries.UpdateQueries, aq *queries.AgentQueries, cq *queries.CommandQueries) *DockerHandler {
+func NewDockerHandler(uq *queries.UpdateQueries, aq *queries.AgentQueries, cq *queries.CommandQueries, signingService *services.SigningService, securityLogger *logging.SecurityLogger) *DockerHandler {
 	return &DockerHandler{
 		updateQueries:  uq,
 		agentQueries:   aq,
 		commandQueries: cq,
+		signingService: signingService,
+		securityLogger: securityLogger,
 	}
 }

+// signAndCreateCommand signs a command if signing service is enabled, then stores it in the database
+func (h *DockerHandler) signAndCreateCommand(cmd *models.AgentCommand) error {
+	// Sign the command before storing
+	if h.signingService != nil && h.signingService.IsEnabled() {
+		signature, err := h.signingService.SignCommand(cmd)
+		if err != nil {
+			return fmt.Errorf("failed to sign command: %w", err)
+		}
+		cmd.Signature = signature
+
+		// Log successful signing
+		if h.securityLogger != nil {
+			h.securityLogger.LogCommandSigned(cmd)
+		}
+	} else {
+		// Log warning if signing disabled
+		log.Printf("[WARNING] Command signing disabled, storing unsigned command")
+		if h.securityLogger != nil {
+			h.securityLogger.LogPrivateKeyNotConfigured()
+		}
+	}
+
+	// Store in database
+	err := h.commandQueries.CreateCommand(cmd)
+	if err != nil {
+		return fmt.Errorf("failed to create command: %w", err)
+	}
+
+	return nil
+}
+
 // GetContainers returns Docker containers and images across all agents
 func (h *DockerHandler) GetContainers(c *gin.Context) {
 	// Parse query parameters
@@ -430,7 +469,7 @@ func (h *DockerHandler) InstallUpdate(c *gin.Context) {
 		Source: models.CommandSourceManual, // User-initiated Docker update
 	}

-	if err := h.commandQueries.CreateCommand(command); err != nil {
+	if err := h.signAndCreateCommand(command); err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create Docker update command"})
 		return
 	}