@aifabrix/builder 2.0.0

package/lib/deployer.js

@@ -0,0 +1,256 @@
+/**
+ * AI Fabrix Builder Deployment Module
+ *
+ * Handles deployment to Miso Controller API with ISO 27001 security measures.
+ * Manages authentication, validation, and API communication for deployments.
+ *
+ * @fileoverview Deployment orchestration and API communication
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const axios = require('axios');
+const chalk = require('chalk');
+const auditLogger = require('./audit-logger');
+
+/**
+ * Validates and sanitizes controller URL
+ * Enforces HTTPS-only communication for security
+ *
+ * @param {string} url - Controller URL to validate
+ * @throws {Error} If URL is invalid or uses HTTP
+ */
+function validateControllerUrl(url) {
+  if (!url || typeof url !== 'string') {
+    throw new Error('Controller URL is required and must be a string');
+  }
+
+  // Must use HTTPS for security
+  if (!url.startsWith('https://')) {
+    throw new Error('Controller URL must use HTTPS (https://)');
+  }
+
+  // Basic URL format validation
+  const urlPattern = /^https:\/\/[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(\/.*)?$/;
+  if (!urlPattern.test(url)) {
+    throw new Error('Invalid controller URL format');
+  }
+
+  // Remove trailing slash if present
+  return url.replace(/\/$/, '');
+}
+
+/**
+ * Sends deployment manifest to Miso Controller
+ *
+ * @async
+ * @param {string} url - Controller URL
+ * @param {Object} manifest - Deployment manifest
+ * @param {Object} options - Deployment options (timeout, retries, etc.)
+ * @returns {Promise<Object>} Deployment result from controller
+ * @throws {Error} If deployment fails
+ */
+async function sendDeploymentRequest(url, manifest, options = {}) {
+  const endpoint = `${url}/api/pipeline/deploy`;
+  const timeout = options.timeout || 30000;
+  const maxRetries = options.maxRetries || 3;
+
+  const requestConfig = {
+    headers: {
+      'Content-Type': 'application/json',
+      'User-Agent': 'aifabrix-builder/2.0.0'
+    },
+    timeout,
+    validateStatus: (status) => status < 500 // Don't throw on 4xx errors
+  };
+
+  let lastError;
+
+  for (let attempt = 1; attempt <= maxRetries; attempt++) {
+    try {
+      const response = await axios.post(endpoint, manifest, requestConfig);
+
+      // Check for HTTP errors
+      if (response.status >= 400) {
+        const error = new Error(`Controller returned error: ${response.status} ${response.statusText}`);
+        error.status = response.status;
+        error.response = {
+          status: response.status,
+          statusText: response.statusText,
+          data: response.data
+        };
+        error.data = response.data;
+        throw error;
+      }
+
+      return response.data;
+
+    } catch (error) {
+      lastError = error;
+
+      // Log retry attempt
+      if (attempt < maxRetries) {
+        const delay = Math.min(1000 * Math.pow(2, attempt - 1), 5000); // Exponential backoff, max 5s
+        console.log(chalk.yellow(`⚠️  Deployment attempt ${attempt} failed, retrying in ${delay}ms...`));
+        await new Promise(resolve => setTimeout(resolve, delay));
+      }
+    }
+  }
+
+  // All retries failed
+  throw new Error(`Deployment failed after ${maxRetries} attempts: ${lastError.message}`);
+}
+
+/**
+ * Polls deployment status from controller
+ *
+ * @async
+ * @param {string} deploymentId - Deployment ID to poll
+ * @param {string} controllerUrl - Controller URL
+ * @param {Object} options - Polling options (interval, maxAttempts, etc.)
+ * @returns {Promise<Object>} Deployment status
+ */
+async function pollDeploymentStatus(deploymentId, controllerUrl, options = {}) {
+  const interval = options.interval || 5000;
+  const maxAttempts = options.maxAttempts || 60; // 5 minutes max
+
+  const statusEndpoint = `${controllerUrl}/api/pipeline/status/${deploymentId}`;
+
+  for (let attempt = 0; attempt < maxAttempts; attempt++) {
+    try {
+      const response = await axios.get(statusEndpoint, {
+        timeout: 10000,
+        validateStatus: (status) => status < 500
+      });
+
+      if (response.status === 200) {
+        const status = response.data.status;
+
+        // Terminal states
+        if (status === 'completed' || status === 'failed' || status === 'cancelled') {
+          return response.data;
+        }
+
+        // Log progress
+        console.log(chalk.blue(`   Status: ${status} (attempt ${attempt + 1}/${maxAttempts})`));
+
+        // Wait before next poll
+        if (attempt < maxAttempts - 1) {
+          await new Promise(resolve => setTimeout(resolve, interval));
+        }
+      } else {
+        throw new Error(`Status check failed: ${response.status}`);
+      }
+    } catch (error) {
+      if (error.response && error.response.status === 404) {
+        throw new Error(`Deployment ${deploymentId} not found`);
+      }
+      throw error;
+    }
+  }
+
+  throw new Error('Deployment timeout: Maximum polling attempts reached');
+}
+
+/**
+ * Handles deployment errors with security-aware messages
+ *
+ * @param {Error} error - Error to handle
+ * @returns {Object} Structured error information
+ */
+function handleDeploymentError(error) {
+  const safeError = {
+    message: error.message,
+    code: error.code || 'UNKNOWN',
+    timeout: error.code === 'ECONNABORTED',
+    status: error.status || error.response?.status,
+    data: error.data || error.response?.data
+  };
+
+  // Mask sensitive information in error messages
+  safeError.message = auditLogger.maskSensitiveData(safeError.message);
+
+  return safeError;
+}
+
+/**
+ * Deploys application to Miso Controller
+ * Main orchestrator for the deployment process
+ *
+ * @async
+ * @param {Object} manifest - Deployment manifest
+ * @param {string} controllerUrl - Controller URL
+ * @param {Object} options - Deployment options
+ * @returns {Promise<Object>} Deployment result
+ * @throws {Error} If deployment fails
+ */
+async function deployToController(manifest, controllerUrl, options = {}) {
+  // Validate and sanitize controller URL
+  const url = validateControllerUrl(controllerUrl);
+
+  // Log deployment attempt for audit
+  auditLogger.logDeploymentAttempt(manifest.key, url, options);
+
+  try {
+    // Send deployment request
+    console.log(chalk.blue(`📤 Sending deployment request to ${url}...`));
+    const result = await sendDeploymentRequest(url, manifest, {
+      timeout: options.timeout || 30000,
+      maxRetries: options.maxRetries || 3
+    });
+
+    // Log success
+    if (result.deploymentId) {
+      auditLogger.logDeploymentSuccess(manifest.key, result.deploymentId, url);
+    }
+
+    // Poll for deployment status if enabled
+    if (options.poll && result.deploymentId) {
+      console.log(chalk.blue(`\n⏳ Polling deployment status (${options.pollInterval || 5000}ms intervals)...`));
+      const status = await pollDeploymentStatus(
+        result.deploymentId,
+        url,
+        {
+          interval: options.pollInterval || 5000,
+          maxAttempts: options.pollMaxAttempts || 60
+        }
+      );
+      result.status = status;
+    }
+
+    return result;
+
+  } catch (error) {
+    // Log failure for audit
+    auditLogger.logDeploymentFailure(manifest.key, url, error);
+
+    // Handle and re-throw with safe error
+    const safeError = handleDeploymentError(error);
+
+    // Provide user-friendly error messages
+    if (safeError.status === 401 || safeError.status === 403) {
+      throw new Error('Authentication failed. Check your deployment key.');
+    } else if (safeError.status === 400) {
+      throw new Error('Invalid deployment manifest. Please check your configuration.');
+    } else if (safeError.status === 404) {
+      throw new Error('Controller endpoint not found. Check the controller URL.');
+    } else if (safeError.code === 'ECONNREFUSED') {
+      throw new Error('Cannot connect to controller. Check if the controller is running.');
+    } else if (safeError.code === 'ENOTFOUND') {
+      throw new Error('Controller hostname not found. Check your controller URL.');
+    } else if (safeError.timeout) {
+      throw new Error('Request timed out. The controller may be overloaded.');
+    }
+
+    throw new Error(safeError.message);
+  }
+}
+
+module.exports = {
+  deployToController,
+  sendDeploymentRequest,
+  pollDeploymentStatus,
+  validateControllerUrl,
+  handleDeploymentError
+};
+

package/lib/env-reader.js

@@ -0,0 +1,250 @@
+/**
+ * Environment File Reader and Converter Module
+ *
+ * Handles reading existing .env files and converting them to templates
+ * following ISO 27001 security standards for sensitive data handling
+ */
+
+const fs = require('fs').promises;
+const path = require('path');
+
+/**
+ * Read existing .env file from application folder
+ * @param {string} appPath - Path to application directory
+ * @returns {Promise<Object|null>} Parsed environment variables or null if not found
+ */
+async function readExistingEnv(appPath) {
+  const envPath = path.join(appPath, '.env');
+
+  try {
+    await fs.access(envPath);
+    const content = await fs.readFile(envPath, 'utf8');
+    return parseEnvContent(content);
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      return null;
+    }
+    throw new Error(`Failed to read .env file: ${error.message}`);
+  }
+}
+
+/**
+ * Parse .env file content into key-value pairs
+ * @param {string} content - Raw .env file content
+ * @returns {Object} Parsed environment variables
+ */
+function parseEnvContent(content) {
+  const envVars = {};
+  const lines = content.split('\n');
+
+  for (const line of lines) {
+    const trimmedLine = line.trim();
+
+    // Skip empty lines and comments
+    if (!trimmedLine || trimmedLine.startsWith('#')) {
+      continue;
+    }
+
+    // Parse key=value pairs
+    const equalIndex = trimmedLine.indexOf('=');
+    if (equalIndex === -1) {
+      continue;
+    }
+
+    const key = trimmedLine.substring(0, equalIndex).trim();
+    let value = trimmedLine.substring(equalIndex + 1).trim();
+
+    // Remove quotes if present
+    if ((value.startsWith('"') && value.endsWith('"')) ||
+        (value.startsWith('\'') && value.endsWith('\''))) {
+      value = value.slice(1, -1);
+    }
+
+    envVars[key] = value;
+  }
+
+  return envVars;
+}
+
+/**
+ * Determine if a value should be converted to kv:// reference
+ * @param {string} key - Environment variable key
+ * @param {string} value - Environment variable value
+ * @returns {boolean} True if value should be treated as sensitive
+ */
+function detectSensitiveValue(key, value) {
+  // Check key patterns for sensitive data
+  const sensitiveKeyPatterns = [
+    /password/i,
+    /secret/i,
+    /key/i,
+    /token/i,
+    /api[_-]?key/i,
+    /private/i,
+    /auth/i,
+    /credential/i,
+    /passwd/i,
+    /pwd/i
+  ];
+
+  for (const pattern of sensitiveKeyPatterns) {
+    if (pattern.test(key)) {
+      return true;
+    }
+  }
+
+  // Check value patterns for sensitive data
+  const sensitiveValuePatterns = [
+    // UUIDs (8-4-4-4-12 format)
+    /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,
+    // Long random strings (>32 characters)
+    /^[a-zA-Z0-9+/=]{32,}$/,
+    // JWT tokens (three base64 parts separated by dots)
+    /^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+$/,
+    // Hex strings (>16 characters)
+    /^[0-9a-f]{16,}$/i
+  ];
+
+  for (const pattern of sensitiveValuePatterns) {
+    if (pattern.test(value)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Convert existing .env variables to env.template format
+ * @param {Object} existingEnv - Existing environment variables
+ * @param {Object} requiredVars - Required variables for the application
+ * @returns {Object} Merged environment variables with sensitive values converted
+ */
+function convertToEnvTemplate(existingEnv, requiredVars) {
+  const convertedEnv = { ...requiredVars };
+
+  // Process existing environment variables
+  Object.entries(existingEnv).forEach(([key, value]) => {
+    if (detectSensitiveValue(key, value)) {
+      // Convert sensitive values to kv:// references
+      convertedEnv[key] = `kv://${key.toLowerCase().replace(/[^a-z0-9]/g, '-')}`;
+    } else {
+      // Keep non-sensitive values as-is
+      convertedEnv[key] = value;
+    }
+  });
+
+  return convertedEnv;
+}
+
+/**
+ * Extract sensitive values for secrets.yaml generation
+ * @param {Object} envVars - Environment variables
+ * @returns {Object} Object suitable for secrets.yaml
+ */
+function generateSecretsFromEnv(envVars) {
+  const secrets = {};
+
+  Object.entries(envVars).forEach(([key, value]) => {
+    if (detectSensitiveValue(key, value)) {
+      // Convert key to secret name format
+      const secretName = key.toLowerCase().replace(/[^a-z0-9]/g, '-');
+      secrets[secretName] = value;
+    }
+  });
+
+  return secrets;
+}
+
+/**
+ * Validate environment variable names
+ * @param {string} key - Environment variable key
+ * @returns {boolean} True if key is valid
+ */
+function validateEnvKey(key) {
+  // Environment variable names should be uppercase letters, numbers, and underscores
+  return /^[A-Z][A-Z0-9_]*$/.test(key);
+}
+
+/**
+ * Sanitize environment variable value
+ * @param {string} value - Environment variable value
+ * @returns {string} Sanitized value
+ */
+function sanitizeEnvValue(value) {
+  // Remove any potential injection characters
+  return value.replace(/[;\r\n]/g, '');
+}
+
+/**
+ * Generate environment template with security considerations
+ * @param {Object} config - Application configuration
+ * @param {Object} existingEnv - Existing environment variables
+ * @returns {Promise<Object>} Template generation result
+ */
+async function generateEnvTemplate(config, existingEnv = {}) {
+  const result = {
+    template: '',
+    secrets: {},
+    warnings: []
+  };
+
+  try {
+    // Convert existing environment variables
+    const convertedEnv = convertToEnvTemplate(existingEnv, {});
+
+    // Extract secrets for secrets.yaml
+    result.secrets = generateSecretsFromEnv(existingEnv);
+
+    // Validate environment variables
+    Object.entries(existingEnv).forEach(([key, value]) => {
+      if (!validateEnvKey(key)) {
+        result.warnings.push(`Invalid environment variable name: ${key}`);
+      }
+
+      const sanitizedValue = sanitizeEnvValue(value);
+      if (sanitizedValue !== value) {
+        result.warnings.push(`Sanitized value for ${key} (removed special characters)`);
+      }
+    });
+
+    // Generate template content
+    const { generateEnvTemplate: generateTemplate } = require('./templates');
+    const baseTemplate = generateTemplate(config);
+
+    // Add existing environment variables to the template
+    const existingEnvSection = [];
+    Object.entries(convertedEnv).forEach(([key, value]) => {
+      if (!key.startsWith('NODE_ENV') && !key.startsWith('PORT') &&
+          !key.startsWith('APP_NAME') && !key.startsWith('LOG_LEVEL') &&
+          !key.startsWith('DB_') && !key.startsWith('DATABASE_') &&
+          !key.startsWith('REDIS_') && !key.startsWith('STORAGE_') &&
+          !key.startsWith('JWT_') && !key.startsWith('AUTH_') &&
+          !key.startsWith('SESSION_')) {
+        existingEnvSection.push(`${key}=${value}`);
+      }
+    });
+
+    if (existingEnvSection.length > 0) {
+      result.template = baseTemplate + '\n\n# Existing Environment Variables\n' + existingEnvSection.join('\n');
+    } else {
+      result.template = baseTemplate;
+    }
+
+  } catch (error) {
+    throw new Error(`Failed to generate environment template: ${error.message}`);
+  }
+
+  return result;
+}
+
+module.exports = {
+  readExistingEnv,
+  parseEnvContent,
+  detectSensitiveValue,
+  convertToEnvTemplate,
+  generateSecretsFromEnv,
+  validateEnvKey,
+  sanitizeEnvValue,
+  generateEnvTemplate
+};