Fimeg/Redflag
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e6ac0b1ec4f015a2b2af2251cacf5c71f962595d
Redflag/aggregator-agent/internal/migration/detection.go
Fimeg e6ac0b1ec4 feat: implement agent migration system 
- Fix config version inflation bug in main.go
- Add dynamic subsystem checking to prevent false change detection
- Implement migration detection and execution system
- Add directory migration from /etc/aggregator to /etc/redflag
- Update all path references across codebase to use new directories
- Add configuration schema versioning and automatic migration
- Implement backup and rollback capabilities
- Add security feature detection and hardening
- Update installation scripts and sudoers for new paths
- Complete Phase 1 migration system
2025-11-04 14:25:53 -05:00

436 lines
12 KiB
Go
Raw Blame History

package migration
import (
"crypto/sha256"
"encoding/json"
"fmt"
"io"
"os"
"path/filepath"
"strings"
"time"
)
// AgentFile represents a file associated with the agent
type AgentFile struct {
Path string `json:"path"`
Size int64 `json:"size"`
ModifiedTime time.Time `json:"modified_time"`
Version string `json:"version,omitempty"`
Checksum string `json:"checksum"`
Required bool `json:"required"`
Migrate bool `json:"migrate"`
Description string `json:"description"`
}
// AgentFileInventory represents all files associated with an agent installation
type AgentFileInventory struct {
ConfigFiles []AgentFile `json:"config_files"`
StateFiles []AgentFile `json:"state_files"`
BinaryFiles []AgentFile `json:"binary_files"`
LogFiles []AgentFile `json:"log_files"`
CertificateFiles []AgentFile `json:"certificate_files"`
OldDirectoryPaths []string `json:"old_directory_paths"`
NewDirectoryPaths []string `json:"new_directory_paths"`
}
// MigrationDetection represents the result of migration detection
type MigrationDetection struct {
CurrentAgentVersion string `json:"current_agent_version"`
CurrentConfigVersion int `json:"current_config_version"`
RequiresMigration bool `json:"requires_migration"`
RequiredMigrations []string `json:"required_migrations"`
MissingSecurityFeatures []string `json:"missing_security_features"`
Inventory *AgentFileInventory `json:"inventory"`
DetectionTime time.Time `json:"detection_time"`
}
// SecurityFeature represents a security feature that may be missing
type SecurityFeature struct {
Name string `json:"name"`
Description string `json:"description"`
Required bool `json:"required"`
Enabled bool `json:"enabled"`
}
// FileDetectionConfig holds configuration for file detection
type FileDetectionConfig struct {
OldConfigPath string
OldStatePath string
NewConfigPath string
NewStatePath string
BackupDirPattern string
}
// NewFileDetectionConfig creates a default detection configuration
func NewFileDetectionConfig() *FileDetectionConfig {
return &FileDetectionConfig{
OldConfigPath: "/etc/aggregator",
OldStatePath: "/var/lib/aggregator",
NewConfigPath: "/etc/redflag",
NewStatePath: "/var/lib/redflag",
BackupDirPattern: "/etc/redflag.backup.%s",
}
}
// DetectMigrationRequirements scans for existing agent installations and determines migration needs
func DetectMigrationRequirements(config *FileDetectionConfig) (*MigrationDetection, error) {
detection := &MigrationDetection{
DetectionTime: time.Now(),
Inventory: &AgentFileInventory{},
}
// Scan for existing installations
inventory, err := scanAgentFiles(config)
if err != nil {
return nil, fmt.Errorf("failed to scan agent files: %w", err)
}
detection.Inventory = inventory
// Detect version information
version, configVersion, err := detectVersionInfo(inventory)
if err != nil {
return nil, fmt.Errorf("failed to detect version: %w", err)
}
detection.CurrentAgentVersion = version
detection.CurrentConfigVersion = configVersion
// Identify required migrations
requiredMigrations := determineRequiredMigrations(detection, config)
detection.RequiredMigrations = requiredMigrations
detection.RequiresMigration = len(requiredMigrations) > 0
// Identify missing security features
missingFeatures := identifyMissingSecurityFeatures(detection)
detection.MissingSecurityFeatures = missingFeatures
return detection, nil
}
// scanAgentFiles scans for agent-related files in old and new locations
func scanAgentFiles(config *FileDetectionConfig) (*AgentFileInventory, error) {
inventory := &AgentFileInventory{
OldDirectoryPaths: []string{config.OldConfigPath, config.OldStatePath},
NewDirectoryPaths: []string{config.NewConfigPath, config.NewStatePath},
}
// Define file patterns to look for
filePatterns := map[string][]string{
"config": {
"config.json",
"agent.key",
"server.key",
"ca.crt",
},
"state": {
"pending_acks.json",
"public_key.cache",
"last_scan.json",
"metrics.json",
},
"binary": {
"redflag-agent",
"redflag-agent.exe",
},
"log": {
"redflag-agent.log",
"redflag-agent.*.log",
},
"certificate": {
"*.crt",
"*.key",
"*.pem",
},
}
// Scan old directory paths
for _, dirPath := range inventory.OldDirectoryPaths {
if _, err := os.Stat(dirPath); err == nil {
files, err := scanDirectory(dirPath, filePatterns)
if err != nil {
return nil, fmt.Errorf("failed to scan directory %s: %w", dirPath, err)
}
// Categorize files
for _, file := range files {
switch {
case containsAny(file.Path, filePatterns["config"]):
inventory.ConfigFiles = append(inventory.ConfigFiles, file)
case containsAny(file.Path, filePatterns["state"]):
inventory.StateFiles = append(inventory.StateFiles, file)
case containsAny(file.Path, filePatterns["binary"]):
inventory.BinaryFiles = append(inventory.BinaryFiles, file)
case containsAny(file.Path, filePatterns["log"]):
inventory.LogFiles = append(inventory.LogFiles, file)
case containsAny(file.Path, filePatterns["certificate"]):
inventory.CertificateFiles = append(inventory.CertificateFiles, file)
}
}
}
}
return inventory, nil
}
// scanDirectory scans a directory for files matching specific patterns
func scanDirectory(dirPath string, patterns map[string][]string) ([]AgentFile, error) {
var files []AgentFile
err := filepath.Walk(dirPath, func(path string, info os.FileInfo, err error) error {
if err != nil {
return err
}
if info.IsDir() {
return nil
}
// Calculate checksum
checksum, err := calculateFileChecksum(path)
if err != nil {
// Skip files we can't read
return nil
}
file := AgentFile{
Path: path,
Size: info.Size(),
ModifiedTime: info.ModTime(),
Checksum: checksum,
Required: isRequiredFile(path, patterns),
Migrate: shouldMigrateFile(path, patterns),
Description: getFileDescription(path),
}
// Try to detect version from filename or content
if version := detectFileVersion(path, info); version != "" {
file.Version = version
}
files = append(files, file)
return nil
})
return files, err
}
// detectVersionInfo attempts to detect agent and config versions from files
func detectVersionInfo(inventory *AgentFileInventory) (string, int, error) {
var detectedVersion string
configVersion := 0
// Try to read config file for version information
for _, configFile := range inventory.ConfigFiles {
if strings.Contains(configFile.Path, "config.json") {
version, cfgVersion, err := readConfigVersion(configFile.Path)
if err == nil {
detectedVersion = version
configVersion = cfgVersion
break
}
}
}
// If no version found in config, try binary files
if detectedVersion == "" {
for _, binaryFile := range inventory.BinaryFiles {
if version := detectBinaryVersion(binaryFile.Path); version != "" {
detectedVersion = version
break
}
}
}
// Default to unknown if nothing found
if detectedVersion == "" {
detectedVersion = "unknown"
}
return detectedVersion, configVersion, nil
}
// readConfigVersion reads version information from a config file
func readConfigVersion(configPath string) (string, int, error) {
data, err := os.ReadFile(configPath)
if err != nil {
return "", 0, err
}
var config map[string]interface{}
if err := json.Unmarshal(data, &config); err != nil {
return "", 0, err
}
// Try to extract version info
var agentVersion string
var cfgVersion int
if version, ok := config["agent_version"].(string); ok {
agentVersion = version
}
if version, ok := config["version"].(float64); ok {
cfgVersion = int(version)
}
return agentVersion, cfgVersion, nil
}
// determineRequiredMigrations determines what migrations are needed
func determineRequiredMigrations(detection *MigrationDetection, config *FileDetectionConfig) []string {
var migrations []string
// Check if old directories exist
for _, oldDir := range detection.Inventory.OldDirectoryPaths {
if _, err := os.Stat(oldDir); err == nil {
migrations = append(migrations, "directory_migration")
break
}
}
// Check config version compatibility
if detection.CurrentConfigVersion < 4 {
migrations = append(migrations, "config_migration")
}
// Check if security features need to be applied
if len(detection.MissingSecurityFeatures) > 0 {
migrations = append(migrations, "security_hardening")
}
return migrations
}
// identifyMissingSecurityFeatures identifies security features that need to be enabled
func identifyMissingSecurityFeatures(detection *MigrationDetection) []string {
var missingFeatures []string
// Check config for security features
if detection.Inventory.ConfigFiles != nil {
for _, configFile := range detection.Inventory.ConfigFiles {
if strings.Contains(configFile.Path, "config.json") {
features := checkConfigSecurityFeatures(configFile.Path)
missingFeatures = append(missingFeatures, features...)
}
}
}
// Default missing features for old versions
if detection.CurrentConfigVersion < 4 {
missingFeatures = append(missingFeatures,
"nonce_validation",
"machine_id_binding",
"ed25519_verification",
"subsystem_configuration",
)
}
return missingFeatures
}
// checkConfigSecurityFeatures checks a config file for security feature settings
func checkConfigSecurityFeatures(configPath string) []string {
data, err := os.ReadFile(configPath)
if err != nil {
return []string{}
}
var config map[string]interface{}
if err := json.Unmarshal(data, &config); err != nil {
return []string{}
}
var missingFeatures []string
// Check for subsystem configuration
if subsystems, ok := config["subsystems"].(map[string]interface{}); ok {
if _, hasSystem := subsystems["system"]; !hasSystem {
missingFeatures = append(missingFeatures, "system_subsystem")
}
if _, hasUpdates := subsystems["updates"]; !hasUpdates {
missingFeatures = append(missingFeatures, "updates_subsystem")
}
} else {
missingFeatures = append(missingFeatures, "subsystem_configuration")
}
// Check for machine ID
if _, hasMachineID := config["machine_id"]; !hasMachineID {
missingFeatures = append(missingFeatures, "machine_id_binding")
}
return missingFeatures
}
// Helper functions
func calculateFileChecksum(filePath string) (string, error) {
file, err := os.Open(filePath)
if err != nil {
return "", err
}
defer file.Close()
hash := sha256.New()
if _, err := io.Copy(hash, file); err != nil {
return "", err
}
return fmt.Sprintf("%x", hash.Sum(nil)), nil
}
func containsAny(path string, patterns []string) bool {
for _, pattern := range patterns {
if matched, _ := filepath.Match(pattern, filepath.Base(path)); matched {
return true
}
}
return false
}
func isRequiredFile(path string, patterns map[string][]string) bool {
base := filepath.Base(path)
return base == "config.json" || base == "pending_acks.json"
}
func shouldMigrateFile(path string, patterns map[string][]string) bool {
return !containsAny(path, []string{"*.log", "*.tmp"})
}
func getFileDescription(path string) string {
base := filepath.Base(path)
switch {
case base == "config.json":
return "Agent configuration file"
case base == "pending_acks.json":
return "Pending command acknowledgments"
case base == "public_key.cache":
return "Server public key cache"
case strings.Contains(base, ".log"):
return "Agent log file"
case strings.Contains(base, ".key"):
return "Private key file"
case strings.Contains(base, ".crt"):
return "Certificate file"
default:
return "Agent file"
}
}
func detectFileVersion(path string, info os.FileInfo) string {
// Try to extract version from filename
base := filepath.Base(path)
if strings.Contains(base, "v0.1.") {
// Extract version from filename like "redflag-agent-v0.1.22"
parts := strings.Split(base, "v0.1.")
if len(parts) > 1 {
return "v0.1." + strings.Split(parts[1], "-")[0]
}
}
return ""
}
func detectBinaryVersion(binaryPath string) string {
// This would involve reading binary headers or executing with --version flag
// For now, return empty
return ""
}
Reference in New Issue View Git Blame Copy Permalink