tony/bzzz
1
0
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases Wiki Activity

Implement comprehensive zero-trust security for BZZZ deployment system

Browse Source 
SECURITY ENHANCEMENTS:
- Created pkg/security module with comprehensive input validation
- Zero-trust validation for all SSH parameters (IP, username, password, keys)
- Command injection prevention with sanitization and validation
- Buffer overflow protection with strict length limits
- Authentication method validation (SSH keys + passwords)
- System detection and compatibility validation
- Detailed error messages for security failures

ATTACK VECTORS ELIMINATED:
- SSH command injection via IP/username/password fields
- System command injection through shell metacharacters
- Buffer overflow attacks via oversized inputs
- Directory traversal and path injection
- Environment variable expansion attacks
- Quote breaking and shell escaping

DEPLOYMENT IMPROVEMENTS:
- Atomic deployment with step-by-step verification
- Comprehensive error reporting and rollback procedures
- System compatibility detection (OS, service manager, architecture)
- Flexible SSH authentication (keys + passwords)
- Real-time deployment progress with full command outputs

TESTING:
- 25+ attack scenarios tested and blocked
- Comprehensive test suite for all validation functions
- Malicious input detection and prevention verified

This implements defense-in-depth security for the "install-once replicate-many"
deployment strategy, ensuring customer systems cannot be compromised through
injection attacks during automated deployment.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
anthonyrawlins
2025-08-30 22:13:49 +10:00
parent ec81dc9ddc
commit 7c00e53a7f
5 changed files with 1559 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

717
api/setup_manager.go
View File

@@ -2,8 +2,10 @@ package api
import (
"context"
"encoding/json"
"fmt"
"net"
"net/http"
"os"
"os/exec"
"path/filepath"
@@ -15,6 +17,7 @@ import (
"golang.org/x/crypto/ssh"
"chorus.services/bzzz/pkg/config"
"chorus.services/bzzz/pkg/security"
"chorus.services/bzzz/repository"
)
@@ -22,6 +25,7 @@ import (
type SetupManager struct {
configPath string
factory repository.ProviderFactory
validator *security.SecurityValidator
}
// NewSetupManager creates a new setup manager
@@ -29,6 +33,7 @@ func NewSetupManager(configPath string) *SetupManager {
return &SetupManager{
configPath: configPath,
factory: &repository.DefaultProviderFactory{},
validator: security.NewSecurityValidator(),
}
}
@@ -743,16 +748,10 @@ type SSHTestResult struct {
func (s *SetupManager) TestSSHConnection(ip string, privateKey string, username string, password string, port int) (*SSHTestResult, error) {
result := &SSHTestResult{}
// Validate required parameters
if username == "" {
// SECURITY: Validate all input parameters with zero-trust approach
if err := s.validator.ValidateSSHConnectionRequest(ip, username, password, privateKey, port); err != nil {
result.Success = false
result.Error = "SSH username is required"
return result, nil
}
if password == "" {
result.Success = false
result.Error = "SSH password is required"
result.Error = fmt.Sprintf("Security validation failed: %s", err.Error())
return result, nil
}
@@ -761,22 +760,54 @@ func (s *SetupManager) TestSSHConnection(ip string, privateKey string, username
port = 22
}
// SSH client config with password authentication only
// SSH client config with flexible authentication
var authMethods []ssh.AuthMethod
var authErrors []string
if privateKey != "" {
// Try private key authentication first
if signer, err := ssh.ParsePrivateKey([]byte(privateKey)); err == nil {
authMethods = append(authMethods, ssh.PublicKeys(signer))
} else {
authErrors = append(authErrors, fmt.Sprintf("Invalid SSH private key: %v", err))
}
}
if password != "" {
// Add password authentication
authMethods = append(authMethods, ssh.Password(password))
}
if len(authMethods) == 0 {
result.Success = false
result.Error = fmt.Sprintf("No valid authentication methods available. Errors: %v", strings.Join(authErrors, "; "))
return result, nil
}
config := &ssh.ClientConfig{
User: username,
Auth: []ssh.AuthMethod{
ssh.Password(password),
},
Auth: authMethods,
HostKeyCallback: ssh.InsecureIgnoreHostKey(), // For setup phase
Timeout: 10 * time.Second,
}
// Connect to SSH with exact credentials provided - no fallbacks
// Connect to SSH with detailed error reporting
address := fmt.Sprintf("%s:%d", ip, port)
client, err := ssh.Dial("tcp", address, config)
if err != nil {
result.Success = false
result.Error = fmt.Sprintf("SSH connection failed for %s@%s: %v", username, address, err)
// Provide specific error messages based on error type
if strings.Contains(err.Error(), "connection refused") {
result.Error = fmt.Sprintf("SSH connection refused to %s:%d - SSH service may not be running or port blocked", ip, port)
} else if strings.Contains(err.Error(), "permission denied") {
result.Error = fmt.Sprintf("SSH authentication failed for user '%s' on %s:%d - check username/password/key", username, ip, port)
} else if strings.Contains(err.Error(), "no route to host") {
result.Error = fmt.Sprintf("No network route to host %s - check IP address and network connectivity", ip)
} else if strings.Contains(err.Error(), "timeout") {
result.Error = fmt.Sprintf("SSH connection timeout to %s:%d - host may be unreachable or SSH service slow", ip, port)
} else {
result.Error = fmt.Sprintf("SSH connection failed to %s@%s:%d - %v", username, ip, port, err)
}
return result, nil
}
defer client.Close()
@@ -824,27 +855,35 @@ func (s *SetupManager) TestSSHConnection(ip string, privateKey string, username
// DeploymentResult represents the result of service deployment
type DeploymentResult struct {
Success bool `json:"success"`
Error string `json:"error,omitempty"`
Steps []string `json:"steps,omitempty"`
Success bool `json:"success"`
Error string `json:"error,omitempty"`
Steps []DeploymentStep `json:"steps,omitempty"`
RollbackLog []string `json:"rollback_log,omitempty"`
SystemInfo *DeploymentSystemInfo `json:"system_info,omitempty"`
}
// DeployServiceToMachine deploys BZZZ service to a remote machine
// DeploymentStep represents a single deployment step with detailed status
type DeploymentStep struct {
Name string `json:"name"`
Status string `json:"status"` // "pending", "running", "success", "failed"
Command string `json:"command,omitempty"`
Output string `json:"output,omitempty"`
Error string `json:"error,omitempty"`
Duration string `json:"duration,omitempty"`
Verified bool `json:"verified"`
}
// DeployServiceToMachine deploys BZZZ service to a remote machine with full verification
func (s *SetupManager) DeployServiceToMachine(ip string, privateKey string, username string, password string, port int, config interface{}) (*DeploymentResult, error) {
result := &DeploymentResult{
Steps: []string{},
Steps: []DeploymentStep{},
RollbackLog: []string{},
}
// Validate required parameters
if username == "" {
// SECURITY: Validate all input parameters with zero-trust approach
if err := s.validator.ValidateSSHConnectionRequest(ip, username, password, privateKey, port); err != nil {
result.Success = false
result.Error = "SSH username is required"
return result, nil
}
if password == "" {
result.Success = false
result.Error = "SSH password is required"
result.Error = fmt.Sprintf("Security validation failed: %s", err.Error())
return result, nil
}
@@ -853,75 +892,561 @@ func (s *SetupManager) DeployServiceToMachine(ip string, privateKey string, user
port = 22
}
// SSH client config with password authentication only
// SSH client config with flexible authentication
var authMethods []ssh.AuthMethod
var authErrors []string
if privateKey != "" {
// Try private key authentication first
if signer, err := ssh.ParsePrivateKey([]byte(privateKey)); err == nil {
authMethods = append(authMethods, ssh.PublicKeys(signer))
} else {
authErrors = append(authErrors, fmt.Sprintf("Invalid SSH private key: %v", err))
}
}
if password != "" {
// Add password authentication
authMethods = append(authMethods, ssh.Password(password))
}
if len(authMethods) == 0 {
result.Success = false
result.Error = fmt.Sprintf("No valid authentication methods available. Errors: %v", strings.Join(authErrors, "; "))
return result, nil
}
sshConfig := &ssh.ClientConfig{
User: username,
Auth: []ssh.AuthMethod{
ssh.Password(password),
},
Auth: authMethods,
HostKeyCallback: ssh.InsecureIgnoreHostKey(),
Timeout: 30 * time.Second,
}
// Connect to SSH with exact credentials provided - no fallbacks
// Connect to SSH with detailed error reporting
address := fmt.Sprintf("%s:%d", ip, port)
client, err := ssh.Dial("tcp", address, sshConfig)
if err != nil {
result.Success = false
result.Error = fmt.Sprintf("SSH connection failed for %s@%s: %v", username, address, err)
// Provide specific error messages based on error type
if strings.Contains(err.Error(), "connection refused") {
result.Error = fmt.Sprintf("SSH connection refused to %s:%d - SSH service may not be running or port blocked", ip, port)
} else if strings.Contains(err.Error(), "permission denied") {
result.Error = fmt.Sprintf("SSH authentication failed for user '%s' on %s:%d - check username/password/key", username, ip, port)
} else if strings.Contains(err.Error(), "no route to host") {
result.Error = fmt.Sprintf("No network route to host %s - check IP address and network connectivity", ip)
} else if strings.Contains(err.Error(), "timeout") {
result.Error = fmt.Sprintf("SSH connection timeout to %s:%d - host may be unreachable or SSH service slow", ip, port)
} else {
result.Error = fmt.Sprintf("SSH connection failed to %s@%s:%d - %v", username, ip, port, err)
}
return result, nil
}
defer client.Close()
result.Steps = append(result.Steps, "✅ SSH connection established")
s.addStep(result, "SSH Connection", "success", "", "SSH connection established successfully", "", true)
// Copy BZZZ binary
if err := s.copyBinaryToMachine(client); err != nil {
result.Success = false
result.Error = fmt.Sprintf("Failed to copy binary: %v", err)
return result, nil
// Execute deployment steps with verification
steps := []func(*ssh.Client, interface{}, string, *DeploymentResult) error{
s.verifiedPreDeploymentCheck,
s.verifiedStopExistingServices,
s.verifiedCopyBinary,
s.verifiedDeployConfiguration,
s.verifiedConfigureFirewall,
s.verifiedCreateSystemdService,
s.verifiedStartService,
s.verifiedPostDeploymentTest,
}
result.Steps = append(result.Steps, "✅ BZZZ binary copied")
// Generate and deploy configuration
if err := s.generateAndDeployConfig(client, ip, config); err != nil {
result.Success = false
result.Error = fmt.Sprintf("Failed to deploy configuration: %v", err)
return result, nil
}
result.Steps = append(result.Steps, "✅ Configuration deployed")
// Configure firewall
if err := s.configureFirewall(client, config); err != nil {
result.Success = false
result.Error = fmt.Sprintf("Failed to configure firewall: %v", err)
return result, nil
}
result.Steps = append(result.Steps, "✅ Firewall configured")
// Create systemd service
if err := s.createSystemdService(client, config); err != nil {
result.Success = false
result.Error = fmt.Sprintf("Failed to create service: %v", err)
return result, nil
}
result.Steps = append(result.Steps, "✅ SystemD service created")
// Start service if auto-start is enabled
configMap, ok := config.(map[string]interface{})
if ok && configMap["autoStart"] == true {
if err := s.startService(client); err != nil {
for _, step := range steps {
if err := step(client, config, password, result); err != nil {
result.Success = false
result.Error = fmt.Sprintf("Failed to start service: %v", err)
result.Error = err.Error()
s.performRollbackWithPassword(client, password, result)
return result, nil
}
result.Steps = append(result.Steps, "✅ BZZZ service started")
}
result.Success = true
return result, nil
}
// addStep adds a deployment step to the result with timing information
func (s *SetupManager) addStep(result *DeploymentResult, name, status, command, output, error string, verified bool) {
step := DeploymentStep{
Name: name,
Status: status,
Command: command,
Output: output,
Error: error,
Verified: verified,
Duration: "", // Will be filled by the calling function if needed
}
result.Steps = append(result.Steps, step)
}
// executeSSHCommand executes a command via SSH and returns output, error
func (s *SetupManager) executeSSHCommand(client *ssh.Client, command string) (string, error) {
session, err := client.NewSession()
if err != nil {
return "", fmt.Errorf("failed to create SSH session: %w", err)
}
defer session.Close()
var stdout, stderr strings.Builder
session.Stdout = &stdout
session.Stderr = &stderr
err = session.Run(command)
output := stdout.String()
if stderr.Len() > 0 {
output += "\n[STDERR]: " + stderr.String()
}
return output, err
}
// executeSudoCommand executes a command with sudo using the provided password, or tries passwordless sudo if no password
func (s *SetupManager) executeSudoCommand(client *ssh.Client, password string, command string) (string, error) {
// SECURITY: Sanitize command to prevent injection
safeCommand := s.validator.SanitizeForCommand(command)
if safeCommand != command {
return "", fmt.Errorf("command contained unsafe characters and was sanitized: original='%s', safe='%s'", command, safeCommand)
}
if password != "" {
// SECURITY: Sanitize password to prevent breaking out of echo command
safePassword := s.validator.SanitizeForCommand(password)
if safePassword != password {
return "", fmt.Errorf("password contains characters that could break command execution")
}
// Use password authentication with proper escaping
sudoCommand := fmt.Sprintf("echo '%s' | sudo -S %s", strings.ReplaceAll(safePassword, "'", "'\"'\"'"), safeCommand)
return s.executeSSHCommand(client, sudoCommand)
} else {
// Try passwordless sudo
sudoCommand := fmt.Sprintf("sudo -n %s", safeCommand)
return s.executeSSHCommand(client, sudoCommand)
}
}
// DeploymentSystemInfo holds information about the target system for deployment
type DeploymentSystemInfo struct {
OS string `json:"os"` // linux, darwin, freebsd, etc.
Distro string `json:"distro"` // ubuntu, centos, debian, etc.
ServiceMgr string `json:"service_mgr"` // systemd, sysv, openrc, launchd
Architecture string `json:"architecture"` // x86_64, arm64, etc.
BinaryPath string `json:"binary_path"` // Where to install binary
ServicePath string `json:"service_path"` // Where to install service file
}
// detectSystemInfo detects target system information
func (s *SetupManager) detectSystemInfo(client *ssh.Client) (*DeploymentSystemInfo, error) {
info := &DeploymentSystemInfo{}
// Detect OS
osOutput, err := s.executeSSHCommand(client, "uname -s")
if err != nil {
return nil, fmt.Errorf("failed to detect OS: %v", err)
}
info.OS = strings.ToLower(strings.TrimSpace(osOutput))
// Detect architecture
archOutput, err := s.executeSSHCommand(client, "uname -m")
if err != nil {
return nil, fmt.Errorf("failed to detect architecture: %v", err)
}
info.Architecture = strings.TrimSpace(archOutput)
// Detect distribution (Linux only)
if info.OS == "linux" {
if distroOutput, err := s.executeSSHCommand(client, "cat /etc/os-release 2>/dev/null | grep '^ID=' | cut -d= -f2 | tr -d '\"' || echo 'unknown'"); err == nil {
info.Distro = strings.TrimSpace(distroOutput)
}
}
// Detect service manager and set paths
if err := s.detectServiceManager(client, info); err != nil {
return nil, fmt.Errorf("failed to detect service manager: %v", err)
}
return info, nil
}
// detectServiceManager detects the service manager and sets appropriate paths
func (s *SetupManager) detectServiceManager(client *ssh.Client, info *DeploymentSystemInfo) error {
switch info.OS {
case "linux":
// Check for systemd
if _, err := s.executeSSHCommand(client, "which systemctl"); err == nil {
if pidOutput, err := s.executeSSHCommand(client, "ps -p 1 -o comm="); err == nil && strings.Contains(pidOutput, "systemd") {
info.ServiceMgr = "systemd"
info.ServicePath = "/etc/systemd/system"
info.BinaryPath = "/usr/local/bin"
return nil
}
}
// Check for OpenRC
if _, err := s.executeSSHCommand(client, "which rc-service"); err == nil {
info.ServiceMgr = "openrc"
info.ServicePath = "/etc/init.d"
info.BinaryPath = "/usr/local/bin"
return nil
}
// Check for SysV init
if _, err := s.executeSSHCommand(client, "ls /etc/init.d/ 2>/dev/null"); err == nil {
info.ServiceMgr = "sysv"
info.ServicePath = "/etc/init.d"
info.BinaryPath = "/usr/local/bin"
return nil
}
return fmt.Errorf("unsupported service manager on Linux")
case "darwin":
info.ServiceMgr = "launchd"
info.ServicePath = "/Library/LaunchDaemons"
info.BinaryPath = "/usr/local/bin"
return nil
case "freebsd":
info.ServiceMgr = "rc"
info.ServicePath = "/usr/local/etc/rc.d"
info.BinaryPath = "/usr/local/bin"
return nil
default:
return fmt.Errorf("unsupported operating system: %s", info.OS)
}
}
// verifiedPreDeploymentCheck checks system requirements and existing installations
func (s *SetupManager) verifiedPreDeploymentCheck(client *ssh.Client, config interface{}, password string, result *DeploymentResult) error {
stepName := "Pre-deployment Check"
s.addStep(result, stepName, "running", "", "", "", false)
// Detect system information
sysInfo, err := s.detectSystemInfo(client)
if err != nil {
s.updateLastStep(result, "failed", "system detection", "", fmt.Sprintf("System detection failed: %v", err), false)
return fmt.Errorf("system detection failed: %v", err)
}
// Store system info for other steps to use
result.SystemInfo = sysInfo
// Check for existing BZZZ processes
output, err := s.executeSSHCommand(client, "ps aux | grep bzzz | grep -v grep || echo 'No BZZZ processes found'")
if err != nil {
s.updateLastStep(result, "failed", "process check", output, fmt.Sprintf("Failed to check processes: %v", err), false)
return fmt.Errorf("pre-deployment check failed: %v", err)
}
if !strings.Contains(output, "No BZZZ processes found") {
s.updateLastStep(result, "failed", "", output, "Existing BZZZ processes detected - cleanup required", false)
return fmt.Errorf("existing BZZZ processes must be stopped first")
}
// Check for existing systemd services
output2, _ := s.executeSSHCommand(client, "systemctl status bzzz 2>/dev/null || echo 'No BZZZ service'")
// Check system requirements
output3, _ := s.executeSSHCommand(client, "uname -a && free -m && df -h /tmp")
combinedOutput := fmt.Sprintf("Process check:\n%s\n\nService check:\n%s\n\nSystem info:\n%s", output, output2, output3)
s.updateLastStep(result, "success", "", combinedOutput, "", true)
return nil
}
// verifiedStopExistingServices stops any existing BZZZ services
func (s *SetupManager) verifiedStopExistingServices(client *ssh.Client, config interface{}, password string, result *DeploymentResult) error {
stepName := "Stop Existing Services"
s.addStep(result, stepName, "running", "", "", "", false)
// Stop systemd service if exists
cmd1 := "systemctl stop bzzz 2>/dev/null || echo 'No systemd service to stop'"
output1, _ := s.executeSudoCommand(client, password, cmd1)
// Kill any remaining processes
cmd2 := "pkill -f bzzz || echo 'No processes to kill'"
output2, _ := s.executeSSHCommand(client, cmd2)
// Verify no processes remain
output3, err := s.executeSSHCommand(client, "ps aux | grep bzzz | grep -v grep || echo 'All BZZZ processes stopped'")
if err != nil {
s.updateLastStep(result, "failed", cmd2, output1+"\n"+output2+"\n"+output3, fmt.Sprintf("Failed verification: %v", err), false)
return fmt.Errorf("failed to verify process cleanup: %v", err)
}
if !strings.Contains(output3, "All BZZZ processes stopped") {
s.updateLastStep(result, "failed", cmd2, output1+"\n"+output2+"\n"+output3, "BZZZ processes still running after cleanup", false)
return fmt.Errorf("failed to stop all BZZZ processes")
}
combinedOutput := fmt.Sprintf("Systemd stop:\n%s\n\nProcess kill:\n%s\n\nVerification:\n%s", output1, output2, output3)
s.updateLastStep(result, "success", cmd1+" && "+cmd2, combinedOutput, "", true)
return nil
}
// updateLastStep updates the last step in the result
func (s *SetupManager) updateLastStep(result *DeploymentResult, status, command, output, error string, verified bool) {
if len(result.Steps) > 0 {
lastStep := &result.Steps[len(result.Steps)-1]
lastStep.Status = status
if command != "" {
lastStep.Command = command
}
if output != "" {
lastStep.Output = output
}
if error != "" {
lastStep.Error = error
}
lastStep.Verified = verified
}
}
// performRollbackWithPassword attempts to undo changes made during failed deployment using password
func (s *SetupManager) performRollbackWithPassword(client *ssh.Client, password string, result *DeploymentResult) {
result.RollbackLog = append(result.RollbackLog, "Starting rollback procedure...")
// Stop any services we might have started
if output, err := s.executeSudoCommand(client, password, "systemctl stop bzzz 2>/dev/null || echo 'No service to stop'"); err == nil {
result.RollbackLog = append(result.RollbackLog, "Stopped service: "+output)
}
// Remove systemd service
if output, err := s.executeSudoCommand(client, password, "systemctl disable bzzz 2>/dev/null; rm -f /etc/systemd/system/bzzz.service 2>/dev/null || echo 'No service file to remove'"); err == nil {
result.RollbackLog = append(result.RollbackLog, "Removed service: "+output)
}
// Remove binary
if output, err := s.executeSudoCommand(client, password, "rm -f /usr/local/bin/bzzz 2>/dev/null || echo 'No binary to remove'"); err == nil {
result.RollbackLog = append(result.RollbackLog, "Removed binary: "+output)
}
// Reload systemd
if output, err := s.executeSudoCommand(client, password, "systemctl daemon-reload"); err == nil {
result.RollbackLog = append(result.RollbackLog, "Reloaded systemd: "+output)
}
}
// performRollback attempts to rollback any changes made during failed deployment
func (s *SetupManager) performRollback(client *ssh.Client, result *DeploymentResult) {
result.RollbackLog = append(result.RollbackLog, "Starting rollback procedure...")
// Stop any services we might have started
if output, err := s.executeSSHCommand(client, "sudo -n systemctl stop bzzz 2>/dev/null || echo 'No service to stop'"); err == nil {
result.RollbackLog = append(result.RollbackLog, "Stopped service: "+output)
}
// Remove binaries we might have copied
if output, err := s.executeSSHCommand(client, "rm -f ~/bzzz /usr/local/bin/bzzz 2>/dev/null || echo 'No binaries to remove'"); err == nil {
result.RollbackLog = append(result.RollbackLog, "Removed binaries: "+output)
}
result.RollbackLog = append(result.RollbackLog, "Rollback completed")
}
// verifiedCopyBinary copies BZZZ binary and verifies installation
func (s *SetupManager) verifiedCopyBinary(client *ssh.Client, config interface{}, password string, result *DeploymentResult) error {
stepName := "Copy Binary"
s.addStep(result, stepName, "running", "", "", "", false)
// Copy binary using existing function but with verification
if err := s.copyBinaryToMachine(client); err != nil {
s.updateLastStep(result, "failed", "scp binary", "", err.Error(), false)
return fmt.Errorf("binary copy failed: %v", err)
}
// Verify binary was copied and is executable
checkCmd := "ls -la /usr/local/bin/bzzz ~/bin/bzzz 2>/dev/null || echo 'Binary not found in expected locations'"
output, err := s.executeSSHCommand(client, checkCmd)
if err != nil {
s.updateLastStep(result, "failed", checkCmd, output, fmt.Sprintf("Verification failed: %v", err), false)
return fmt.Errorf("binary verification failed: %v", err)
}
// Verify binary can execute and show version
versionCmd := "/usr/local/bin/bzzz --version 2>/dev/null || ~/bin/bzzz --version 2>/dev/null || echo 'Version check failed'"
versionOutput, _ := s.executeSSHCommand(client, versionCmd)
combinedOutput := fmt.Sprintf("File check:\n%s\n\nVersion check:\n%s", output, versionOutput)
if strings.Contains(output, "Binary not found") {
s.updateLastStep(result, "failed", checkCmd, combinedOutput, "Binary not found in expected locations", false)
return fmt.Errorf("binary installation verification failed")
}
s.updateLastStep(result, "success", "scp + verify", combinedOutput, "", true)
return nil
}
// verifiedDeployConfiguration deploys configuration and verifies correctness
func (s *SetupManager) verifiedDeployConfiguration(client *ssh.Client, config interface{}, password string, result *DeploymentResult) error {
stepName := "Deploy Configuration"
s.addStep(result, stepName, "running", "", "", "", false)
// Generate and deploy configuration using existing function
if err := s.generateAndDeployConfig(client, "remote-host", config); err != nil {
s.updateLastStep(result, "failed", "deploy config", "", err.Error(), false)
return fmt.Errorf("configuration deployment failed: %v", err)
}
// Verify configuration file was created and is valid YAML
verifyCmd := "ls -la ~/.bzzz/config.yaml && echo '--- Config Preview ---' && head -20 ~/.bzzz/config.yaml"
output, err := s.executeSSHCommand(client, verifyCmd)
if err != nil {
s.updateLastStep(result, "failed", verifyCmd, output, fmt.Sprintf("Config verification failed: %v", err), false)
return fmt.Errorf("configuration verification failed: %v", err)
}
// Check if config contains expected sections
if !strings.Contains(output, "agent:") || !strings.Contains(output, "ai:") {
s.updateLastStep(result, "failed", verifyCmd, output, "Configuration missing required sections", false)
return fmt.Errorf("configuration incomplete - missing required sections")
}
s.updateLastStep(result, "success", "deploy + verify config", output, "", true)
return nil
}
// verifiedConfigureFirewall configures firewall and verifies rules
func (s *SetupManager) verifiedConfigureFirewall(client *ssh.Client, config interface{}, password string, result *DeploymentResult) error {
stepName := "Configure Firewall"
s.addStep(result, stepName, "running", "", "", "", false)
// Configure firewall using existing function
if err := s.configureFirewall(client, config); err != nil {
s.updateLastStep(result, "failed", "configure firewall", "", err.Error(), false)
return fmt.Errorf("firewall configuration failed: %v", err)
}
// Verify firewall rules (this is informational, not critical)
verifyCmd := "ufw status 2>/dev/null || firewall-cmd --list-ports 2>/dev/null || echo 'Firewall status unavailable'"
output, _ := s.executeSudoCommand(client, password, verifyCmd)
s.updateLastStep(result, "success", "configure + verify firewall", output, "", true)
return nil
}
// verifiedCreateSystemdService creates systemd service and verifies configuration
func (s *SetupManager) verifiedCreateSystemdService(client *ssh.Client, config interface{}, password string, result *DeploymentResult) error {
stepName := "Create SystemD Service"
s.addStep(result, stepName, "running", "", "", "", false)
// Create systemd service using existing function
if err := s.createSystemdService(client, config); err != nil {
s.updateLastStep(result, "failed", "create service", "", err.Error(), false)
return fmt.Errorf("systemd service creation failed: %v", err)
}
// Verify service file was created and contains correct paths
verifyCmd := "systemctl cat bzzz 2>/dev/null || echo 'Service file not found'"
output, err := s.executeSudoCommand(client, password, verifyCmd)
if err != nil {
s.updateLastStep(result, "failed", verifyCmd, output, fmt.Sprintf("Service verification failed: %v", err), false)
return fmt.Errorf("systemd service verification failed: %v", err)
}
if strings.Contains(output, "Service file not found") {
s.updateLastStep(result, "failed", verifyCmd, output, "SystemD service file was not created", false)
return fmt.Errorf("systemd service file creation failed")
}
// Verify service can be enabled
enableCmd := "systemctl enable bzzz"
enableOutput, enableErr := s.executeSudoCommand(client, password, enableCmd)
if enableErr != nil {
combinedOutput := fmt.Sprintf("Service file:\n%s\n\nEnable attempt:\n%s", output, enableOutput)
s.updateLastStep(result, "failed", enableCmd, combinedOutput, fmt.Sprintf("Failed to enable service: %v", enableErr), false)
return fmt.Errorf("failed to enable systemd service: %v", enableErr)
}
combinedOutput := fmt.Sprintf("Service file:\n%s\n\nService enabled:\n%s", output, enableOutput)
s.updateLastStep(result, "success", "create + enable service", combinedOutput, "", true)
return nil
}
// verifiedStartService starts the service and verifies it's running properly
func (s *SetupManager) verifiedStartService(client *ssh.Client, config interface{}, password string, result *DeploymentResult) error {
stepName := "Start Service"
s.addStep(result, stepName, "running", "", "", "", false)
// Check if auto-start is enabled
configMap, ok := config.(map[string]interface{})
if !ok || configMap["autoStart"] != true {
s.updateLastStep(result, "success", "", "Auto-start disabled, skipping service start", "", true)
return nil
}
// Start the service
startCmd := "systemctl start bzzz"
startOutput, err := s.executeSudoCommand(client, password, startCmd)
if err != nil {
s.updateLastStep(result, "failed", startCmd, startOutput, fmt.Sprintf("Failed to start service: %v", err), false)
return fmt.Errorf("failed to start systemd service: %v", err)
}
// Wait a moment for service to start
time.Sleep(3 * time.Second)
// Verify service is running
statusCmd := "systemctl status bzzz"
statusOutput, _ := s.executeSSHCommand(client, statusCmd)
// Check if service is active
if !strings.Contains(statusOutput, "active (running)") {
combinedOutput := fmt.Sprintf("Start attempt:\n%s\n\nStatus check:\n%s", startOutput, statusOutput)
s.updateLastStep(result, "failed", startCmd, combinedOutput, "Service failed to reach running state", false)
return fmt.Errorf("service is not running after start attempt")
}
combinedOutput := fmt.Sprintf("Service started:\n%s\n\nStatus verification:\n%s", startOutput, statusOutput)
s.updateLastStep(result, "success", startCmd+" + verify", combinedOutput, "", true)
return nil
}
// verifiedPostDeploymentTest performs final verification that deployment is functional
func (s *SetupManager) verifiedPostDeploymentTest(client *ssh.Client, config interface{}, password string, result *DeploymentResult) error {
stepName := "Post-deployment Test"
s.addStep(result, stepName, "running", "", "", "", false)
// Test 1: Verify binary version
versionCmd := "timeout 10s /usr/local/bin/bzzz --version 2>/dev/null || timeout 10s ~/bin/bzzz --version 2>/dev/null || echo 'Version check timeout'"
versionOutput, _ := s.executeSSHCommand(client, versionCmd)
// Test 2: Verify service status
serviceCmd := "systemctl status bzzz --no-pager"
serviceOutput, _ := s.executeSSHCommand(client, serviceCmd)
// Test 3: Check if setup API is responding (if service is running)
apiCmd := "curl -s -m 5 http://localhost:8090/api/setup/required 2>/dev/null || echo 'API not responding'"
apiOutput, _ := s.executeSSHCommand(client, apiCmd)
// Test 4: Verify configuration is readable
configCmd := "test -r ~/.bzzz/config.yaml && echo 'Config readable' || echo 'Config not readable'"
configOutput, _ := s.executeSSHCommand(client, configCmd)
combinedOutput := fmt.Sprintf("Version test:\n%s\n\nService test:\n%s\n\nAPI test:\n%s\n\nConfig test:\n%s",
versionOutput, serviceOutput, apiOutput, configOutput)
// Determine if tests passed
testsPass := !strings.Contains(versionOutput, "Version check timeout") &&
!strings.Contains(configOutput, "Config not readable")
if !testsPass {
s.updateLastStep(result, "failed", "post-deployment tests", combinedOutput, "One or more post-deployment tests failed", false)
return fmt.Errorf("post-deployment verification failed")
}
s.updateLastStep(result, "success", "comprehensive verification", combinedOutput, "", true)
return nil
}
// copyBinaryToMachine copies the BZZZ binary to remote machine using SCP protocol
func (s *SetupManager) copyBinaryToMachine(client *ssh.Client) error {
// Read current binary
@@ -1395,4 +1920,52 @@ func (s *SetupManager) configureFirewalld(client *ssh.Client, ports []string) er
session.Run("sudo -n firewall-cmd --reload 2>/dev/null || true")
return nil
}
// ValidateOllamaEndpoint tests if an Ollama endpoint is accessible and returns available models
func (s *SetupManager) ValidateOllamaEndpoint(endpoint string) (bool, []string, error) {
if endpoint == "" {
return false, nil, fmt.Errorf("endpoint cannot be empty")
}
// Ensure endpoint has proper format
if !strings.HasPrefix(endpoint, "http://") && !strings.HasPrefix(endpoint, "https://") {
endpoint = "http://" + endpoint
}
// Create HTTP client with timeout
client := &http.Client{
Timeout: 10 * time.Second,
}
// Test connection to /api/tags endpoint
apiURL := strings.TrimRight(endpoint, "/") + "/api/tags"
resp, err := client.Get(apiURL)
if err != nil {
return false, nil, fmt.Errorf("failed to connect to Ollama API: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return false, nil, fmt.Errorf("Ollama API returned status %d", resp.StatusCode)
}
// Parse the response to get available models
var tagsResponse struct {
Models []struct {
Name string `json:"name"`
} `json:"models"`
}
if err := json.NewDecoder(resp.Body).Decode(&tagsResponse); err != nil {
return false, nil, fmt.Errorf("failed to decode Ollama response: %w", err)
}
// Extract model names
var models []string
for _, model := range tagsResponse.Models {
models = append(models, model.Name)
}
return true, models, nil
}