From 2a0d9a1b7aaa98d7688be2803b382f74dfeff761 Mon Sep 17 00:00:00 2001 From: kisfenyo Date: Wed, 10 Jun 2026 09:47:54 +0200 Subject: [PATCH] slice 8A (controller half): bootstrap.json ingestion + pinned agent local-API client (v0.35.0) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit internal/bootstrap: first-run bootstrap.json ingestion (decision (c)) — seed controller.yaml + skip setup; idempotent + fail-safe. internal/agentapi: minimal pinned local-API client (leaf-cert SHA-256 pin, fails closed). config LocalAPIConfig; startup /storage connectivity probe. Co-Authored-By: Claude Opus 4.8 --- CHANGELOG.md | 29 ++++ controller/cmd/controller/main.go | 43 +++++ controller/internal/agentapi/client.go | 141 ++++++++++++++++ controller/internal/agentapi/client_test.go | 101 ++++++++++++ controller/internal/bootstrap/bootstrap.go | 151 ++++++++++++++++++ .../internal/bootstrap/bootstrap_test.go | 133 +++++++++++++++ controller/internal/config/config.go | 10 ++ 7 files changed, 608 insertions(+) create mode 100644 controller/internal/agentapi/client.go create mode 100644 controller/internal/agentapi/client_test.go create mode 100644 controller/internal/bootstrap/bootstrap.go create mode 100644 controller/internal/bootstrap/bootstrap_test.go diff --git a/CHANGELOG.md b/CHANGELOG.md index db4bea4..a0f4f62 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,34 @@ ## Changelog +### v0.35.0 — slice 8A: bootstrap.json ingestion + pinned agent local-API client (2026-06-10) + +The in-guest controller half of slice 8A (doc 03 §6). Pairs with `felhom-agent` v0.10.0. No +behaviour change for an already-configured controller; adds the first-run provisioning path. + +#### Added +- **`internal/bootstrap`** — first-run **`bootstrap.json` ingestion** (config-contract decision (c)). + On startup, if the controller is NOT yet configured AND the host agent's back-half attached a + `bootstrap.json` config mount, the controller **seeds `controller.yaml` from it and comes up + configured, skipping the setup wizard**. Idempotent (an existing `controller.yaml` is **never** + clobbered) and fail-safe (a malformed/absent/missing-identity/unsupported-schema bootstrap leaves + the controller in setup mode — logs, never crashes). The agent emits the stable contract; the + controller owns the translation (the two stay decoupled). +- **`internal/agentapi`** — a minimal **pinned client** for the agent's local API. It reaches the + agent over the bridge, **pinning the agent leaf-cert SHA-256** from the bootstrap (fails closed on + mismatch — `VerifyPeerCertificate` exact leaf-DER match, the same pin convention the agent uses for + the Proxmox/PBS host certs), and authenticates with the per-guest bearer token. In 8A it exercises + `GET /storage` (connectivity + the controller learning its mounts); the `/backup/due` quiesce loop + is 8B. +- **`config.LocalAPIConfig`** (`local_api`: endpoint, fingerprint, token) — seeded from the bootstrap. +- **Startup probe** — when seeded with a local-API endpoint, the controller proves the channel at + boot and logs this guest's mounts (non-fatal). + +#### Tests +- bootstrap: seeds when unconfigured (reloads configured, skips setup); never clobbers a configured + controller; stays in setup on malformed / missing-identity / unsupported-schema / absent bootstrap. +- agentapi: correct pin + token reaches `/storage`; a **wrong pin fails closed**; a bad fingerprint + is rejected at construction; colon-separated fingerprints are accepted. + ### docs: reflow CLAUDE.md; unify REPORT/CHANGELOG convention; add no-secrets rule (2026-06-08) #### Changed diff --git a/controller/cmd/controller/main.go b/controller/cmd/controller/main.go index 6432c14..f09a8b7 100644 --- a/controller/cmd/controller/main.go +++ b/controller/cmd/controller/main.go @@ -18,10 +18,12 @@ import ( "crypto/subtle" "strings" + "gitea.dooplex.hu/admin/felhom-controller/internal/agentapi" "gitea.dooplex.hu/admin/felhom-controller/internal/api" "gitea.dooplex.hu/admin/felhom-controller/internal/appexport" "gitea.dooplex.hu/admin/felhom-controller/internal/assets" "gitea.dooplex.hu/admin/felhom-controller/internal/backup" + "gitea.dooplex.hu/admin/felhom-controller/internal/bootstrap" cf "gitea.dooplex.hu/admin/felhom-controller/internal/cloudflare" "gitea.dooplex.hu/admin/felhom-controller/internal/crypto" "gitea.dooplex.hu/admin/felhom-controller/internal/config" @@ -73,6 +75,13 @@ func main() { logger, logBuffer := setupLogger(cfg) + // --- Bootstrap ingestion (slice 8A, doc 03 §6) --- + // On first run, if this controller is not yet configured AND the host agent's provisioning + // back-half attached a bootstrap.json config mount, seed controller.yaml from it and come up + // CONFIGURED — skipping setup mode. Idempotent (never clobbers an existing controller.yaml) + // and fail-safe (a malformed/absent bootstrap leaves us in setup mode). + cfg = bootstrap.MaybeIngest(*configPath, cfg, logger) + // --- Wire system package debug logging --- if cfg.Logging.Level == "debug" { system.DebugLogger = logger @@ -85,6 +94,12 @@ func main() { return } + // --- Local API connectivity probe (slice 8A) --- + // When seeded with a local-API endpoint, prove the controller↔agent channel at startup and + // learn this guest's mounts (placement view). Non-fatal — the controller runs regardless; a + // failure is logged for diagnosis. The full /backup/due quiesce loop lands in 8B. + probeLocalAPI(cfg, logger) + logger.Printf("[INFO] felhom-controller %s starting (customer: %s, domain: %s)", Version, cfg.Customer.ID, cfg.Customer.Domain) @@ -1286,6 +1301,34 @@ func fileExists(path string) bool { return err == nil } +// probeLocalAPI proves the controller↔agent local-API channel at startup and logs this guest's +// mounts (slice 8A). Non-fatal: it only runs when a local-API endpoint is configured, and any +// error is logged for diagnosis without affecting the controller's boot. The leaf SHA-256 from +// the bootstrap is pinned by the client (fails closed on mismatch). +func probeLocalAPI(cfg *config.Config, logger *log.Logger) { + if cfg.LocalAPI.Endpoint == "" || cfg.LocalAPI.Token == "" { + return + } + client, err := agentapi.New(cfg.LocalAPI.Endpoint, cfg.LocalAPI.Token, cfg.LocalAPI.Fingerprint) + if err != nil { + logger.Printf("[WARN] local-api: client init failed (%v) — channel not verified", err) + return + } + ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second) + defer cancel() + resp, err := client.Storage(ctx) + if err != nil { + logger.Printf("[WARN] local-api: GET /storage failed (%v) — channel not verified", err) + return + } + logger.Printf("[INFO] local-api: channel up (agent %s) — guest %d, %d mount(s) visible", + cfg.LocalAPI.Endpoint, resp.VMID, len(resp.Mounts)) + for _, m := range resp.Mounts { + logger.Printf("[INFO] local-api: mount %s → %s (storage=%s, class=%s, backup=%v)", + m.Key, m.MountPoint, m.Storage, m.Class, m.Backup) + } +} + // runSetupMode starts the setup wizard on dual listeners and blocks until signal. func runSetupMode(cfg *config.Config, logger *log.Logger) { ips := setup.DetectLocalIPs() diff --git a/controller/internal/agentapi/client.go b/controller/internal/agentapi/client.go new file mode 100644 index 0000000..4ec2aff --- /dev/null +++ b/controller/internal/agentapi/client.go @@ -0,0 +1,141 @@ +// Package agentapi is the in-guest controller's client for the host agent's per-guest local +// API (doc 03 §6, slice 8A). It reaches the agent over the bridge, pinning the agent's +// self-signed leaf by SHA-256 (the same pin convention the agent uses for the Proxmox/PBS host +// certs), and authenticates with the per-guest bearer token. In 8A it exercises GET /storage +// (connectivity + the controller learning its mounts); the full surface (the /backup/due +// quiesce loop) lands in 8B. +package agentapi + +import ( + "context" + "crypto/sha256" + "crypto/tls" + "crypto/x509" + "encoding/hex" + "encoding/json" + "fmt" + "io" + "net/http" + "strings" + "time" +) + +// Client talks to one agent local-API endpoint with a pinned leaf + bearer token. +type Client struct { + baseURL string + token string + hc *http.Client +} + +// MountInfo mirrors the agent's GET /storage mount entry (doc 03 §6). +type MountInfo struct { + Key string `json:"key"` + Storage string `json:"storage"` + MountPoint string `json:"mount_point"` + Class string `json:"class"` // fast | slow | "" + Backup bool `json:"backup"` +} + +// StorageResponse mirrors the agent's GET /storage data payload. +type StorageResponse struct { + VMID int `json:"vmid"` + Mounts []MountInfo `json:"mounts"` +} + +// apiResponse is the agent's {ok,data,error} envelope. +type apiResponse struct { + OK bool `json:"ok"` + Data json.RawMessage `json:"data"` + Error string `json:"error"` +} + +// New builds a pinned client for endpoint ("host:port") with the given per-guest token and the +// agent leaf-cert SHA-256 fingerprint (hex, ':'-separators tolerated). The pin is the trust +// anchor — the agent serves a self-signed cert, so chain verification is replaced by an exact +// leaf-DER SHA-256 match (fails closed on any mismatch). +func New(endpoint, token, fingerprintHex string) (*Client, error) { + endpoint = strings.TrimSpace(endpoint) + if endpoint == "" { + return nil, fmt.Errorf("agentapi: endpoint required") + } + if token == "" { + return nil, fmt.Errorf("agentapi: token required") + } + want, err := normalizeFingerprint(fingerprintHex) + if err != nil { + return nil, err + } + tlsCfg := &tls.Config{ + InsecureSkipVerify: true, // self-signed leaf — the pin below is the real check + VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error { + if len(rawCerts) == 0 { + return fmt.Errorf("agentapi: TLS pin: peer presented no certificate") + } + got := sha256.Sum256(rawCerts[0]) // leaf DER + if hex.EncodeToString(got[:]) != want { + return fmt.Errorf("agentapi: TLS pin mismatch: agent leaf SHA-256 does not match the bootstrap fingerprint") + } + return nil + }, + MinVersion: tls.VersionTLS12, + } + return &Client{ + baseURL: "https://" + endpoint, + token: token, + hc: &http.Client{ + Timeout: 15 * time.Second, + Transport: &http.Transport{TLSClientConfig: tlsCfg}, + }, + }, nil +} + +// Storage calls GET /storage and returns this guest's mounts (connectivity + placement view). +func (c *Client) Storage(ctx context.Context) (StorageResponse, error) { + var out StorageResponse + body, err := c.get(ctx, "/storage") + if err != nil { + return out, err + } + if err := json.Unmarshal(body, &out); err != nil { + return out, fmt.Errorf("agentapi: decode /storage: %w", err) + } + return out, nil +} + +// get issues an authenticated GET and unwraps the {ok,data,error} envelope. +func (c *Client) get(ctx context.Context, path string) (json.RawMessage, error) { + req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.baseURL+path, nil) + if err != nil { + return nil, err + } + req.Header.Set("Authorization", "Bearer "+c.token) + resp, err := c.hc.Do(req) + if err != nil { + return nil, fmt.Errorf("agentapi: GET %s: %w", path, err) + } + defer resp.Body.Close() + raw, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) + if resp.StatusCode != http.StatusOK { + return nil, fmt.Errorf("agentapi: GET %s: HTTP %d", path, resp.StatusCode) + } + var env apiResponse + if err := json.Unmarshal(raw, &env); err != nil { + return nil, fmt.Errorf("agentapi: GET %s: bad envelope: %w", path, err) + } + if !env.OK { + return nil, fmt.Errorf("agentapi: GET %s: %s", path, env.Error) + } + return env.Data, nil +} + +// normalizeFingerprint lowercases and strips ':'/' ' separators, requiring a 64-hex SHA-256. +func normalizeFingerprint(fp string) (string, error) { + s := strings.ToLower(strings.NewReplacer(":", "", " ", "", "\t", "").Replace(strings.TrimSpace(fp))) + if len(s) != 64 { + return "", fmt.Errorf("agentapi: fingerprint must be a SHA-256 (64 hex chars), got %d", len(s)) + } + if _, err := hex.DecodeString(s); err != nil { + return "", fmt.Errorf("agentapi: fingerprint is not valid hex: %w", err) + } + return s, nil +} diff --git a/controller/internal/agentapi/client_test.go b/controller/internal/agentapi/client_test.go new file mode 100644 index 0000000..3aa41fe --- /dev/null +++ b/controller/internal/agentapi/client_test.go @@ -0,0 +1,101 @@ +package agentapi + +import ( + "context" + "crypto/sha256" + "encoding/hex" + "net/http" + "net/http/httptest" + "strings" + "testing" +) + +// storageStub serves the agent's {ok,data} envelope for GET /storage, requiring the bearer. +func storageStub(token string) http.Handler { + mux := http.NewServeMux() + mux.HandleFunc("GET /storage", func(w http.ResponseWriter, r *http.Request) { + if r.Header.Get("Authorization") != "Bearer "+token { + w.WriteHeader(http.StatusUnauthorized) + _, _ = w.Write([]byte(`{"ok":false,"error":"unauthorized"}`)) + return + } + w.Header().Set("Content-Type", "application/json") + _, _ = w.Write([]byte(`{"ok":true,"data":{"vmid":8200,"mounts":[{"key":"mp0","storage":"fast","mount_point":"/var/lib/docker","class":"fast","backup":true}]}}`)) + }) + return mux +} + +func leafPin(t *testing.T, s *httptest.Server) string { + t.Helper() + der := s.Certificate().Raw + sum := sha256.Sum256(der) + return hex.EncodeToString(sum[:]) +} + +// The correct pin + token reaches /storage and decodes the mounts. +func TestClient_PinnedStorageOK(t *testing.T) { + s := httptest.NewTLSServer(storageStub("TOK")) + defer s.Close() + endpoint := strings.TrimPrefix(s.URL, "https://") + + c, err := New(endpoint, "TOK", leafPin(t, s)) + if err != nil { + t.Fatalf("new: %v", err) + } + resp, err := c.Storage(context.Background()) + if err != nil { + t.Fatalf("storage: %v", err) + } + if resp.VMID != 8200 || len(resp.Mounts) != 1 || resp.Mounts[0].Class != "fast" { + t.Fatalf("unexpected storage response: %+v", resp) + } +} + +// A WRONG pin fails closed — the TLS handshake is rejected before any data flows. +func TestClient_WrongPinFailsClosed(t *testing.T) { + s := httptest.NewTLSServer(storageStub("TOK")) + defer s.Close() + endpoint := strings.TrimPrefix(s.URL, "https://") + + wrong := strings.Repeat("ab", 32) // 64 hex chars, valid format, wrong value + c, err := New(endpoint, "TOK", wrong) + if err != nil { + t.Fatalf("new: %v", err) + } + if _, err := c.Storage(context.Background()); err == nil { + t.Fatal("expected a TLS pin failure, got success") + } +} + +// A bad fingerprint format is rejected at construction. +func TestClient_BadFingerprintRejected(t *testing.T) { + if _, err := New("host:8443", "TOK", "not-a-fingerprint"); err == nil { + t.Fatal("expected an error for a non-SHA256 fingerprint") + } + if _, err := New("host:8443", "", strings.Repeat("a", 64)); err == nil { + t.Fatal("expected an error for an empty token") + } +} + +// Colon-separated fingerprints (the agent logs them with ':') are accepted. +func TestClient_AcceptsColonFingerprint(t *testing.T) { + s := httptest.NewTLSServer(storageStub("TOK")) + defer s.Close() + endpoint := strings.TrimPrefix(s.URL, "https://") + + pin := leafPin(t, s) + var colon strings.Builder + for i := 0; i < len(pin); i += 2 { + if i > 0 { + colon.WriteByte(':') + } + colon.WriteString(pin[i : i+2]) + } + c, err := New(endpoint, "TOK", colon.String()) + if err != nil { + t.Fatalf("new with colon fp: %v", err) + } + if _, err := c.Storage(context.Background()); err != nil { + t.Fatalf("storage with colon fp: %v", err) + } +} diff --git a/controller/internal/bootstrap/bootstrap.go b/controller/internal/bootstrap/bootstrap.go new file mode 100644 index 0000000..ba934c9 --- /dev/null +++ b/controller/internal/bootstrap/bootstrap.go @@ -0,0 +1,151 @@ +// Package bootstrap implements first-run bootstrap.json ingestion (slice 8A, doc 03 §6, +// config-contract decision (c)). The host agent's provisioning back-half writes a stable +// bootstrap.json into a read-only config mount; on first run the controller seeds its own +// controller.yaml from it and comes up CONFIGURED, skipping the setup wizard. The agent emits +// the stable contract; the controller owns the translation — the two stay decoupled. +package bootstrap + +import ( + "encoding/json" + "fmt" + "log" + "os" + "path/filepath" + "strings" + + "gitea.dooplex.hu/admin/felhom-controller/internal/config" + "gopkg.in/yaml.v3" +) + +// DefaultMountPath is where the agent attaches the read-only config mount (spike S2). Override +// with FELHOM_BOOTSTRAP_PATH for tests / non-standard layouts. +const DefaultMountPath = "/etc/felhom-bootstrap/bootstrap.json" + +// SchemaV1 is the stable contract version the agent emits and the controller ingests. +const SchemaV1 = "felhom.bootstrap/v1" + +// Bootstrap is the stable agent→controller config contract (JSON). It carries exactly what the +// controller needs to come up configured + reach the agent's local API. It is deliberately a +// SEPARATE shape from controller.yaml (decision (c)): the agent never needs to know the +// controller's full config schema. +type Bootstrap struct { + Schema string `json:"schema"` + Customer BootstrapCustomer `json:"customer"` + Hub BootstrapHub `json:"hub"` + LocalAPI BootstrapLocalAPI `json:"local_api"` +} + +type BootstrapCustomer struct { + ID string `json:"id"` + Name string `json:"name"` + Domain string `json:"domain"` + Email string `json:"email"` +} + +type BootstrapHub struct { + URL string `json:"url"` + APIKey string `json:"api_key"` + HostID string `json:"host_id"` // the agent's host id (reference; not load-bearing for the controller) +} + +type BootstrapLocalAPI struct { + Endpoint string `json:"endpoint"` // host bridge IP:port + Fingerprint string `json:"fingerprint"` // agent leaf-cert SHA-256 (hex) to pin + Token string `json:"token"` // per-guest bearer; SECRET +} + +// Path returns the bootstrap mount path (env override → default). +func Path() string { + if p := strings.TrimSpace(os.Getenv("FELHOM_BOOTSTRAP_PATH")); p != "" { + return p + } + return DefaultMountPath +} + +// MaybeIngest seeds controller.yaml from a bootstrap.json mount when the controller is NOT yet +// configured, and returns the config the caller should use. +// +// Contract: +// - Idempotent: if cfg is already configured (customer.id set), the existing controller.yaml is +// NEVER clobbered — returns cfg unchanged. +// - Fail-safe: an absent or malformed bootstrap, or one missing the minimum identity, leaves cfg +// unchanged (the caller proceeds to normal setup mode) — it logs and never crashes. +// - On success: writes controller.yaml (0600, atomic), reloads it, and returns the reloaded cfg. +func MaybeIngest(configPath string, cfg *config.Config, logger *log.Logger) *config.Config { + if cfg != nil && cfg.Customer.ID != "" { + return cfg // already configured — do not clobber (idempotent) + } + bpath := Path() + data, err := os.ReadFile(bpath) + if err != nil { + if !os.IsNotExist(err) { + logger.Printf("[WARN] bootstrap: cannot read %s: %v — staying in setup", bpath, err) + } + return cfg // no bootstrap → normal setup + } + + var b Bootstrap + if err := json.Unmarshal(data, &b); err != nil { + logger.Printf("[WARN] bootstrap: %s is not valid JSON: %v — staying in setup", bpath, err) + return cfg + } + if b.Schema != "" && b.Schema != SchemaV1 { + logger.Printf("[WARN] bootstrap: unsupported schema %q (want %q) — staying in setup", b.Schema, SchemaV1) + return cfg + } + if b.Customer.ID == "" || b.Customer.Domain == "" { + logger.Printf("[WARN] bootstrap: %s missing customer.id/domain — staying in setup", bpath) + return cfg + } + + seeded := configFromBootstrap(b) + if err := writeYAML(configPath, seeded); err != nil { + logger.Printf("[WARN] bootstrap: could not write %s: %v — staying in setup", configPath, err) + return cfg + } + reloaded, err := config.LoadPermissive(configPath) + if err != nil { + logger.Printf("[WARN] bootstrap: wrote %s but reload failed: %v — staying in setup", configPath, err) + return cfg + } + logger.Printf("[INFO] bootstrap: seeded %s from %s (customer=%s, local_api=%s) — coming up configured", + configPath, bpath, b.Customer.ID, b.LocalAPI.Endpoint) + return reloaded +} + +// configFromBootstrap maps the stable contract onto a controller.yaml Config. Only the +// identity/hub/local-api fields are seeded; all other config keeps controller defaults (the +// customer configures the rest via the dashboard / hub manifest). +func configFromBootstrap(b Bootstrap) *config.Config { + cfg := &config.Config{} + cfg.Customer.ID = b.Customer.ID + cfg.Customer.Name = b.Customer.Name + cfg.Customer.Domain = b.Customer.Domain + cfg.Customer.Email = b.Customer.Email + if b.Hub.URL != "" { + cfg.Hub.Enabled = b.Hub.APIKey != "" + cfg.Hub.URL = b.Hub.URL + cfg.Hub.APIKey = b.Hub.APIKey + } + cfg.LocalAPI.Endpoint = b.LocalAPI.Endpoint + cfg.LocalAPI.Fingerprint = b.LocalAPI.Fingerprint + cfg.LocalAPI.Token = b.LocalAPI.Token + return cfg +} + +// writeYAML marshals cfg to YAML and writes it atomically (tmp + rename), 0600 (it carries the +// local-api token + any hub key). +func writeYAML(path string, cfg *config.Config) error { + out, err := yaml.Marshal(cfg) + if err != nil { + return fmt.Errorf("marshal: %w", err) + } + if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil { + return fmt.Errorf("config dir: %w", err) + } + tmp := path + ".tmp" + if err := os.WriteFile(tmp, out, 0o600); err != nil { + return err + } + return os.Rename(tmp, path) +} diff --git a/controller/internal/bootstrap/bootstrap_test.go b/controller/internal/bootstrap/bootstrap_test.go new file mode 100644 index 0000000..e19b57d --- /dev/null +++ b/controller/internal/bootstrap/bootstrap_test.go @@ -0,0 +1,133 @@ +package bootstrap + +import ( + "io" + "log" + "os" + "path/filepath" + "testing" + + "gitea.dooplex.hu/admin/felhom-controller/internal/config" +) + +func testLogger() *log.Logger { return log.New(io.Discard, "", 0) } + +const goodBootstrap = `{ + "schema": "felhom.bootstrap/v1", + "customer": {"id": "cust-8200", "name": "Teszt", "domain": "cust8200.felhom.eu", "email": "a@b.hu"}, + "hub": {"url": "https://hub.felhom.eu", "api_key": "HUBKEY", "host_id": "demo-felhom-01"}, + "local_api": {"endpoint": "192.168.0.162:8443", "fingerprint": "ab12", "token": "PERGUESTTOKEN"} +}` + +// A present bootstrap on an unconfigured controller seeds controller.yaml and skips setup. +func TestMaybeIngest_SeedsWhenUnconfigured(t *testing.T) { + dir := t.TempDir() + bpath := filepath.Join(dir, "bootstrap.json") + cfgPath := filepath.Join(dir, "controller.yaml") + if err := os.WriteFile(bpath, []byte(goodBootstrap), 0o600); err != nil { + t.Fatal(err) + } + t.Setenv("FELHOM_BOOTSTRAP_PATH", bpath) + + got := MaybeIngest(cfgPath, config.Default(), testLogger()) + if got.Customer.ID != "cust-8200" || got.Customer.Domain != "cust8200.felhom.eu" { + t.Fatalf("customer not seeded: %+v", got.Customer) + } + if got.LocalAPI.Endpoint != "192.168.0.162:8443" || got.LocalAPI.Token != "PERGUESTTOKEN" || got.LocalAPI.Fingerprint != "ab12" { + t.Fatalf("local_api not seeded: %+v", got.LocalAPI) + } + if !got.Hub.Enabled || got.Hub.URL != "https://hub.felhom.eu" || got.Hub.APIKey != "HUBKEY" { + t.Fatalf("hub not seeded: %+v", got.Hub) + } + // controller.yaml must now exist on disk (so a restart reads it directly). + if _, err := os.Stat(cfgPath); err != nil { + t.Fatalf("controller.yaml not written: %v", err) + } + // And it must reload as configured (not setup). + reloaded, err := config.LoadPermissive(cfgPath) + if err != nil || reloaded.Customer.ID != "cust-8200" { + t.Fatalf("seeded controller.yaml does not reload configured: %v / %+v", err, reloaded.Customer) + } +} + +// An already-configured controller is NEVER clobbered (idempotent). +func TestMaybeIngest_DoesNotClobberConfigured(t *testing.T) { + dir := t.TempDir() + bpath := filepath.Join(dir, "bootstrap.json") + cfgPath := filepath.Join(dir, "controller.yaml") + if err := os.WriteFile(bpath, []byte(goodBootstrap), 0o600); err != nil { + t.Fatal(err) + } + t.Setenv("FELHOM_BOOTSTRAP_PATH", bpath) + + existing := config.Default() + existing.Customer.ID = "already-here" + existing.Customer.Domain = "existing.felhom.eu" + + got := MaybeIngest(cfgPath, existing, testLogger()) + if got.Customer.ID != "already-here" { + t.Fatalf("configured controller was clobbered by bootstrap: %+v", got.Customer) + } + if _, err := os.Stat(cfgPath); err == nil { + t.Fatal("controller.yaml was written despite an already-configured controller") + } +} + +// A malformed bootstrap leaves the controller in setup mode (cfg unchanged), no crash. +func TestMaybeIngest_MalformedStaysInSetup(t *testing.T) { + dir := t.TempDir() + bpath := filepath.Join(dir, "bootstrap.json") + cfgPath := filepath.Join(dir, "controller.yaml") + if err := os.WriteFile(bpath, []byte("{not json"), 0o600); err != nil { + t.Fatal(err) + } + t.Setenv("FELHOM_BOOTSTRAP_PATH", bpath) + + got := MaybeIngest(cfgPath, config.Default(), testLogger()) + if got.Customer.ID != "" { + t.Fatalf("malformed bootstrap seeded a config: %+v", got.Customer) + } + if _, err := os.Stat(cfgPath); err == nil { + t.Fatal("controller.yaml written from malformed bootstrap") + } +} + +// A bootstrap missing the minimum identity is rejected (stays in setup). +func TestMaybeIngest_MissingIdentityStaysInSetup(t *testing.T) { + dir := t.TempDir() + bpath := filepath.Join(dir, "bootstrap.json") + cfgPath := filepath.Join(dir, "controller.yaml") + if err := os.WriteFile(bpath, []byte(`{"schema":"felhom.bootstrap/v1","local_api":{"endpoint":"x:1"}}`), 0o600); err != nil { + t.Fatal(err) + } + t.Setenv("FELHOM_BOOTSTRAP_PATH", bpath) + + got := MaybeIngest(cfgPath, config.Default(), testLogger()) + if got.Customer.ID != "" { + t.Fatal("seeded despite missing customer identity") + } +} + +// An absent bootstrap is a no-op (normal setup). +func TestMaybeIngest_AbsentIsNoop(t *testing.T) { + dir := t.TempDir() + t.Setenv("FELHOM_BOOTSTRAP_PATH", filepath.Join(dir, "nope.json")) + got := MaybeIngest(filepath.Join(dir, "controller.yaml"), config.Default(), testLogger()) + if got.Customer.ID != "" { + t.Fatal("seeded with no bootstrap present") + } +} + +// An unsupported schema is rejected. +func TestMaybeIngest_UnsupportedSchema(t *testing.T) { + dir := t.TempDir() + bpath := filepath.Join(dir, "bootstrap.json") + if err := os.WriteFile(bpath, []byte(`{"schema":"felhom.bootstrap/v999","customer":{"id":"x","domain":"y"}}`), 0o600); err != nil { + t.Fatal(err) + } + t.Setenv("FELHOM_BOOTSTRAP_PATH", bpath) + got := MaybeIngest(filepath.Join(dir, "controller.yaml"), config.Default(), testLogger()) + if got.Customer.ID != "" { + t.Fatal("seeded from an unsupported schema") + } +} diff --git a/controller/internal/config/config.go b/controller/internal/config/config.go index eb0ec51..be92809 100644 --- a/controller/internal/config/config.go +++ b/controller/internal/config/config.go @@ -28,6 +28,16 @@ type Config struct { Logging LoggingConfig `yaml:"logging"` Assets AssetsConfig `yaml:"assets"` System SystemConfig `yaml:"system"` + LocalAPI LocalAPIConfig `yaml:"local_api"` +} + +// LocalAPIConfig is the in-guest controller's handle on the host agent's per-guest local API +// (doc 03 §6, slice 8A). The agent mints the token + serves a self-signed leaf; the controller +// reaches it over the bridge, pinning the leaf SHA-256. Seeded from bootstrap.json at first run. +type LocalAPIConfig struct { + Endpoint string `yaml:"endpoint"` // host bridge IP:port, e.g. "192.168.0.162:8443" + Fingerprint string `yaml:"fingerprint"` // agent leaf-cert SHA-256 (hex) to pin + Token string `yaml:"token"` // per-guest bearer; SECRET } type SystemConfig struct {