WIP: Save current state - security subsystems, migrations, logging

2025-12-16 14:19:59 -05:00
parent f792ab23c7
commit f7c8d23c5d
89 changed files with 8884 additions and 1394 deletions
--- a/aggregator-server/internal/services/build_orchestrator.go
+++ b/aggregator-server/internal/services/build_orchestrator.go
@@ -0,0 +1,138 @@
+package services
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/Fimeg/RedFlag/aggregator-server/internal/database/queries"
+	"github.com/Fimeg/RedFlag/aggregator-server/internal/models"
+	"github.com/google/uuid"
+)
+
+// BuildOrchestratorService handles building and signing agent binaries
+type BuildOrchestratorService struct {
+	signingService *SigningService
+	packageQueries *queries.PackageQueries
+	agentDir       string // Directory containing pre-built binaries
+}
+
+// NewBuildOrchestratorService creates a new build orchestrator service
+func NewBuildOrchestratorService(signingService *SigningService, packageQueries *queries.PackageQueries, agentDir string) *BuildOrchestratorService {
+	return &BuildOrchestratorService{
+		signingService: signingService,
+		packageQueries: packageQueries,
+		agentDir:       agentDir,
+	}
+}
+
+// BuildAndSignAgent builds (or retrieves) and signs an agent binary
+func (s *BuildOrchestratorService) BuildAndSignAgent(version, platform, architecture string) (*models.AgentUpdatePackage, error) {
+	// Determine binary name
+	binaryName := "redflag-agent"
+	if strings.HasPrefix(platform, "windows") {
+		binaryName += ".exe"
+	}
+
+	// Path to pre-built binary
+	binaryPath := filepath.Join(s.agentDir, "binaries", platform, binaryName)
+
+	// Check if binary exists
+	if _, err := os.Stat(binaryPath); os.IsNotExist(err) {
+		return nil, fmt.Errorf("binary not found for platform %s: %w", platform, err)
+	}
+
+	// Sign the binary if signing is enabled
+	if s.signingService.IsEnabled() {
+		signedPackage, err := s.signingService.SignFile(binaryPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to sign agent binary: %w", err)
+		}
+
+		// Set additional fields
+		signedPackage.Version = version
+		signedPackage.Platform = platform
+		signedPackage.Architecture = architecture
+
+		// Store signed package in database
+		err = s.packageQueries.StoreSignedPackage(signedPackage)
+		if err != nil {
+			return nil, fmt.Errorf("failed to store signed package: %w", err)
+		}
+
+		log.Printf("Successfully signed and stored agent binary: %s (%s/%s)", signedPackage.ID, platform, architecture)
+		return signedPackage, nil
+	} else {
+		log.Printf("Signing disabled, creating unsigned package entry")
+		// Create unsigned package entry for backward compatibility
+		unsignedPackage := &models.AgentUpdatePackage{
+			ID:           uuid.New(),
+			Version:      version,
+			Platform:     platform,
+			Architecture: architecture,
+			BinaryPath:   binaryPath,
+			Signature:    "",
+			Checksum:     "", // Would need to calculate if needed
+			FileSize:     0,  // Would need to stat if needed
+			CreatedBy:    "build-orchestrator",
+			IsActive:     true,
+		}
+
+		// Get file info
+		if info, err := os.Stat(binaryPath); err == nil {
+			unsignedPackage.FileSize = info.Size()
+		}
+
+		// Store unsigned package
+		err := s.packageQueries.StoreSignedPackage(unsignedPackage)
+		if err != nil {
+			return nil, fmt.Errorf("failed to store unsigned package: %w", err)
+		}
+
+		return unsignedPackage, nil
+	}
+}
+
+// SignExistingBinary signs an existing binary file
+func (s *BuildOrchestratorService) SignExistingBinary(binaryPath, version, platform, architecture string) (*models.AgentUpdatePackage, error) {
+	// Check if file exists
+	if _, err := os.Stat(binaryPath); os.IsNotExist(err) {
+		return nil, fmt.Errorf("binary not found: %s", binaryPath)
+	}
+
+	// Sign the binary if signing is enabled
+	if !s.signingService.IsEnabled() {
+		return nil, fmt.Errorf("signing service is disabled")
+	}
+
+	signedPackage, err := s.signingService.SignFile(binaryPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to sign agent binary: %w", err)
+	}
+
+	// Set additional fields
+	signedPackage.Version = version
+	signedPackage.Platform = platform
+	signedPackage.Architecture = architecture
+
+	// Store signed package in database
+	err = s.packageQueries.StoreSignedPackage(signedPackage)
+	if err != nil {
+		return nil, fmt.Errorf("failed to store signed package: %w", err)
+	}
+
+	log.Printf("Successfully signed and stored agent binary: %s (%s/%s)", signedPackage.ID, platform, architecture)
+	return signedPackage, nil
+}
+
+// GetSignedPackage retrieves a signed package by version and platform
+func (s *BuildOrchestratorService) GetSignedPackage(version, platform, architecture string) (*models.AgentUpdatePackage, error) {
+	return s.packageQueries.GetSignedPackage(version, platform, architecture)
+}
+
+// ListSignedPackages lists all signed packages (with optional filters)
+func (s *BuildOrchestratorService) ListSignedPackages(version, platform string, limit, offset int) ([]models.AgentUpdatePackage, error) {
+	return s.packageQueries.ListUpdatePackages(version, platform, limit, offset)
+}