@aifabrix/builder 2.1.6 → 2.2.0

package/lib/deployer.js

@@ -13,110 +13,151 @@ const axios = require('axios');
 const chalk = require('chalk');
 const auditLogger = require('./audit-logger');
 const logger = require('./utils/logger');
+const { createAuthHeaders } = require('./utils/auth-headers');
+const { validateControllerUrl, validateEnvironmentKey } = require('./utils/deployment-validation');
+const { handleDeploymentError, handleDeploymentErrors } = require('./utils/deployment-errors');
 
 /**
- * Validates and sanitizes controller URL
- * Enforces HTTPS-only communication for security
- *
- * @param {string} url - Controller URL to validate
- * @throws {Error} If URL is invalid or uses HTTP
+ * Handles deployment request retry logic
+ * @async
+ * @function handleDeploymentRetry
+ * @param {string} endpoint - API endpoint
+ * @param {Object} manifest - Deployment manifest
+ * @param {Object} requestConfig - Request configuration
+ * @param {number} maxRetries - Maximum retry attempts
+ * @returns {Promise<Object>} Deployment result
+ * @throws {Error} If deployment fails after retries
  */
-function validateControllerUrl(url) {
-  if (!url || typeof url !== 'string') {
-    throw new Error('Controller URL is required and must be a string');
-  }
+async function handleDeploymentRetry(endpoint, manifest, requestConfig, maxRetries) {
+  let lastError;
 
-  // Must use HTTPS for security (allow http://localhost for local development)
-  if (!url.startsWith('https://') && !url.startsWith('http://localhost')) {
-    throw new Error('Controller URL must use HTTPS (https://) or http://localhost');
+  // Validate manifest before sending
+  if (!manifest || typeof manifest !== 'object') {
+    throw new Error('Deployment manifest is required and must be an object');
   }
 
-  // Basic URL format validation
-  const urlPattern = /^(https?):\/\/[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*(localhost)?(:[0-9]+)?(\/.*)?$/;
-  if (!urlPattern.test(url)) {
-    throw new Error('Invalid controller URL format');
-  }
+  for (let attempt = 1; attempt <= maxRetries; attempt++) {
+    try {
+      // Axios automatically serializes objects to JSON when Content-Type is application/json
+      const response = await axios.post(endpoint, manifest, requestConfig);
 
-  // Remove trailing slash if present
-  return url.replace(/\/$/, '');
-}
+      if (response.status >= 400) {
+        const error = new Error(`Controller returned error: ${response.status} ${response.statusText}`);
+        error.status = response.status;
+        error.response = {
+          status: response.status,
+          statusText: response.statusText,
+          data: response.data
+        };
+        error.data = response.data;
+        throw error;
+      }
 
-/**
- * Creates authentication headers for Client Credentials flow
- *
- * @param {string} clientId - Application client ID
- * @param {string} clientSecret - Application client secret
- * @returns {Object} Headers object with authentication
- * @throws {Error} If credentials are missing
- */
-function createClientCredentialsHeaders(clientId, clientSecret) {
-  if (!clientId || !clientSecret) {
-    throw new Error('Client ID and Client Secret are required for authentication');
-  }
-  return {
-    'x-client-id': clientId,
-    'x-client-secret': clientSecret
-  };
-}
+      // OpenAPI spec: Response 202 structure { success: boolean, deploymentId: string, status: string, deploymentUrl?: string, healthCheckUrl?: string, message?: string }
+      // Handle both OpenAPI format and legacy format for backward compatibility
+      const responseData = response.data;
+      if (responseData && typeof responseData === 'object') {
+        // OpenAPI format: { success, deploymentId, status, deploymentUrl, healthCheckUrl, message }
+        return responseData;
+      }
 
-/**
- * Validates environment key
- * @param {string} envKey - Environment key to validate
- * @throws {Error} If environment key is invalid
- */
-function validateEnvironmentKey(envKey) {
-  if (!envKey || typeof envKey !== 'string') {
-    throw new Error('Environment key is required and must be a string');
-  }
+      return response.data;
+    } catch (error) {
+      lastError = error;
 
-  const validEnvironments = ['miso', 'dev', 'tst', 'pro'];
-  if (!validEnvironments.includes(envKey.toLowerCase())) {
-    throw new Error(`Invalid environment key: ${envKey}. Must be one of: ${validEnvironments.join(', ')}`);
+      if (attempt < maxRetries) {
+        const delay = Math.min(1000 * Math.pow(2, attempt - 1), 5000);
+        logger.log(chalk.yellow(`⚠️  Deployment attempt ${attempt} failed, retrying in ${delay}ms...`));
+        await new Promise(resolve => setTimeout(resolve, delay));
+      }
+    }
   }
 
-  return envKey.toLowerCase();
+  // Preserve formatted error if available
+  const errorMessage = lastError.formatted || lastError.message;
+  const error = new Error(`Deployment failed after ${maxRetries} attempts: ${errorMessage}`);
+  if (lastError.formatted) {
+    error.formatted = lastError.formatted;
+  }
+  if (lastError.status) {
+    error.status = lastError.status;
+  }
+  if (lastError.data) {
+    error.data = lastError.data;
+  }
+  throw error;
 }
 
 /**
- * Creates deployment request configuration
- * @function createDeploymentRequestConfig
- * @param {string} clientId - Client ID
- * @param {string} clientSecret - Client Secret
- * @param {number} timeout - Request timeout
- * @returns {Object} Request configuration
+ * Validates deployment configuration via validate endpoint
+ * This is the first step in the deployment process
+ *
+ * @async
+ * @param {string} url - Controller URL
+ * @param {string} envKey - Environment key (miso, dev, tst, pro)
+ * @param {Object} manifest - Deployment manifest (applicationConfig)
+ * @param {Object} authConfig - Authentication configuration
+ * @param {Object} options - Validation options (repositoryUrl, timeout, retries, etc.)
+ * @returns {Promise<Object>} Validation result with validateToken
+ * @throws {Error} If validation fails
  */
-function createDeploymentRequestConfig(clientId, clientSecret, timeout) {
-  return {
+async function validateDeployment(url, envKey, manifest, authConfig, options = {}) {
+  const validatedEnvKey = validateEnvironmentKey(envKey);
+  const endpoint = `${url}/api/v1/pipeline/${validatedEnvKey}/validate`;
+  const timeout = options.timeout || 30000;
+  const maxRetries = options.maxRetries || 3;
+
+  // Extract clientId and clientSecret
+  const tokenManager = require('./utils/token-manager');
+  const { clientId, clientSecret } = await tokenManager.extractClientCredentials(
+    authConfig,
+    manifest.key,
+    validatedEnvKey,
+    options
+  );
+
+  // Build validation request
+  const repositoryUrl = options.repositoryUrl || `https://github.com/aifabrix/${manifest.key}`;
+  const validationRequest = {
+    clientId: clientId,
+    clientSecret: clientSecret,
+    repositoryUrl: repositoryUrl,
+    applicationConfig: manifest
+  };
+
+  // Create request config with client credentials headers
+  const requestConfig = {
     headers: {
       'Content-Type': 'application/json',
       'User-Agent': 'aifabrix-builder/2.0.0',
-      ...createClientCredentialsHeaders(clientId, clientSecret)
+      'x-client-id': clientId,
+      'x-client-secret': clientSecret
     },
     timeout,
-    validateStatus: (status) => status < 500
+    validateStatus: (status) => status < 600 // Don't throw on any status
   };
-}
 
-/**
- * Handles deployment request retry logic
- * @async
- * @function handleDeploymentRetry
- * @param {string} endpoint - API endpoint
- * @param {Object} manifest - Deployment manifest
- * @param {Object} requestConfig - Request configuration
- * @param {number} maxRetries - Maximum retry attempts
- * @returns {Promise<Object>} Deployment result
- * @throws {Error} If deployment fails after retries
- */
-async function handleDeploymentRetry(endpoint, manifest, requestConfig, maxRetries) {
   let lastError;
-
   for (let attempt = 1; attempt <= maxRetries; attempt++) {
     try {
-      const response = await axios.post(endpoint, manifest, requestConfig);
+      const response = await axios.post(endpoint, validationRequest, requestConfig);
+
+      // Handle successful validation (200 OK with valid: true)
+      if (response.status === 200 && response.data.valid === true) {
+        return {
+          success: true,
+          validateToken: response.data.validateToken,
+          draftDeploymentId: response.data.draftDeploymentId,
+          imageServer: response.data.imageServer,
+          imageUsername: response.data.imageUsername,
+          imagePassword: response.data.imagePassword,
+          expiresAt: response.data.expiresAt
+        };
+      }
 
+      // Handle validation errors
       if (response.status >= 400) {
-        const error = new Error(`Controller returned error: ${response.status} ${response.statusText}`);
+        const error = new Error(`Validation request failed: ${response.status} ${response.statusText}`);
         error.status = response.status;
         error.response = {
           status: response.status,
@@ -126,43 +167,69 @@ async function handleDeploymentRetry(endpoint, manifest, requestConfig, maxRetri
         error.data = response.data;
         throw error;
       }
-
-      return response.data;
     } catch (error) {
       lastError = error;
-
-      if (attempt < maxRetries) {
+      const shouldRetry = attempt < maxRetries && error.response && error.response.status >= 500;
+      if (shouldRetry) {
         const delay = Math.min(1000 * Math.pow(2, attempt - 1), 5000);
-        logger.log(chalk.yellow(`⚠️  Deployment attempt ${attempt} failed, retrying in ${delay}ms...`));
+        logger.log(chalk.yellow(`⚠️  Validation attempt ${attempt} failed, retrying in ${delay}ms...`));
         await new Promise(resolve => setTimeout(resolve, delay));
+      } else {
+        throw error;
       }
     }
   }
 
-  throw new Error(`Deployment failed after ${maxRetries} attempts: ${lastError.message}`);
+  throw lastError;
 }
 
 /**
- * Sends deployment manifest to Miso Controller with Client Credentials authentication
+ * Sends deployment request using validateToken from validation step
+ * This is the second step in the deployment process
  *
  * @async
  * @param {string} url - Controller URL
- * @param {string} envKey - Environment key (dev, tst, pro)
- * @param {Object} manifest - Deployment manifest
- * @param {string} clientId - Client ID for authentication
- * @param {string} clientSecret - Client Secret for authentication
- * @param {Object} options - Deployment options (timeout, retries, etc.)
+ * @param {string} envKey - Environment key (miso, dev, tst, pro)
+ * @param {string} validateToken - Validation token from validate endpoint
+ * @param {Object} authConfig - Authentication configuration
+ * @param {Object} options - Deployment options (imageTag, timeout, retries, etc.)
  * @returns {Promise<Object>} Deployment result from controller
  * @throws {Error} If deployment fails
  */
-async function sendDeploymentRequest(url, envKey, manifest, clientId, clientSecret, options = {}) {
+async function sendDeploymentRequest(url, envKey, validateToken, authConfig, options = {}) {
   const validatedEnvKey = validateEnvironmentKey(envKey);
   const endpoint = `${url}/api/v1/pipeline/${validatedEnvKey}/deploy`;
   const timeout = options.timeout || 30000;
   const maxRetries = options.maxRetries || 3;
-  const requestConfig = createDeploymentRequestConfig(clientId, clientSecret, timeout);
 
-  return handleDeploymentRetry(endpoint, manifest, requestConfig, maxRetries);
+  // Extract clientId and clientSecret for deploy endpoint
+  // These should have been loaded during validation and stored in authConfig
+  if (!authConfig.clientId || !authConfig.clientSecret) {
+    throw new Error('Client ID and Client Secret are required for deployment. These should have been loaded during validation.');
+  }
+  const clientId = authConfig.clientId;
+  const clientSecret = authConfig.clientSecret;
+
+  // Build deployment request
+  const imageTag = options.imageTag || 'latest';
+  const deployRequest = {
+    validateToken: validateToken,
+    imageTag: imageTag
+  };
+
+  // Create request config with client credentials headers
+  const requestConfig = {
+    headers: {
+      'Content-Type': 'application/json',
+      'User-Agent': 'aifabrix-builder/2.0.0',
+      'x-client-id': clientId,
+      'x-client-secret': clientSecret
+    },
+    timeout,
+    validateStatus: (status) => status < 500
+  };
+
+  return handleDeploymentRetry(endpoint, deployRequest, requestConfig, maxRetries);
 }
 
 /**
@@ -177,39 +244,46 @@ function isTerminalStatus(status) {
 
 /**
  * Polls deployment status from controller
+ * Uses pipeline endpoint for CI/CD monitoring with minimal deployment info
  *
  * @async
  * @param {string} deploymentId - Deployment ID to poll
  * @param {string} controllerUrl - Controller URL
  * @param {string} envKey - Environment key
- * @param {string} clientId - Client ID for authentication
- * @param {string} clientSecret - Client Secret for authentication
+ * @param {Object} authConfig - Authentication configuration
  * @param {Object} options - Polling options (interval, maxAttempts, etc.)
  * @returns {Promise<Object>} Deployment status
  */
-async function pollDeploymentStatus(deploymentId, controllerUrl, envKey, clientId, clientSecret, options = {}) {
+async function pollDeploymentStatus(deploymentId, controllerUrl, envKey, authConfig, options = {}) {
   const interval = options.interval || 5000;
   const maxAttempts = options.maxAttempts || 60;
 
   const validatedEnvKey = validateEnvironmentKey(envKey);
-  const statusEndpoint = `${controllerUrl}/api/v1/environments/${validatedEnvKey}/deployments/${deploymentId}`;
+  const statusEndpoint = `${controllerUrl}/api/v1/pipeline/${validatedEnvKey}/deployments/${deploymentId}`;
 
   for (let attempt = 0; attempt < maxAttempts; attempt++) {
     try {
       const response = await axios.get(statusEndpoint, {
-        headers: createClientCredentialsHeaders(clientId, clientSecret),
+        headers: {
+          'Content-Type': 'application/json',
+          ...createAuthHeaders(authConfig)
+        },
         timeout: 10000,
         validateStatus: (status) => status < 500
       });
 
       if (response.status === 200) {
-        const status = response.data.status;
+        // OpenAPI spec: Response structure { success: boolean, data: { status, progress, ... }, timestamp: string }
+        const responseData = response.data;
+        const deploymentData = responseData.data || responseData;
+        const status = deploymentData.status;
 
         if (isTerminalStatus(status)) {
-          return response.data;
+          return deploymentData;
         }
 
-        logger.log(chalk.blue(`   Status: ${status} (attempt ${attempt + 1}/${maxAttempts})`));
+        const progress = deploymentData.progress || 0;
+        logger.log(chalk.blue(`   Status: ${status} (${progress}%) (attempt ${attempt + 1}/${maxAttempts})`));
 
         if (attempt < maxAttempts - 1) {
           await new Promise(resolve => setTimeout(resolve, interval));
@@ -229,46 +303,45 @@ async function pollDeploymentStatus(deploymentId, controllerUrl, envKey, clientI
 }
 
 /**
- * Handles deployment errors with security-aware messages
- *
- * @param {Error} error - Error to handle
- * @returns {Object} Structured error information
- */
-function handleDeploymentError(error) {
-  const safeError = {
-    message: error.message,
-    code: error.code || 'UNKNOWN',
-    timeout: error.code === 'ECONNABORTED',
-    status: error.status || error.response?.status,
-    data: error.data || error.response?.data
-  };
-
-  // Mask sensitive information in error messages
-  safeError.message = auditLogger.maskSensitiveData(safeError.message);
-
-  return safeError;
-}
-
-/**
- * Sends deployment request to controller
+ * Validates and sends deployment request to controller
+ * Implements two-step process: validate then deploy
  * @async
  * @param {string} url - Controller URL
  * @param {string} validatedEnvKey - Validated environment key
  * @param {Object} manifest - Deployment manifest
- * @param {string} clientId - Client ID
- * @param {string} clientSecret - Client Secret
+ * @param {Object} authConfig - Authentication configuration
  * @param {Object} options - Deployment options
  * @returns {Promise<Object>} Deployment result
  */
-async function sendDeployment(url, validatedEnvKey, manifest, clientId, clientSecret, options) {
-  logger.log(chalk.blue(`📤 Sending deployment request to ${url}/api/v1/pipeline/${validatedEnvKey}/deploy...`));
-  const result = await sendDeploymentRequest(url, validatedEnvKey, manifest, clientId, clientSecret, {
+async function sendDeployment(url, validatedEnvKey, manifest, authConfig, options) {
+  // Step 1: Validate deployment
+  logger.log(chalk.blue('🔍 Validating deployment configuration...'));
+  const validateResult = await validateDeployment(url, validatedEnvKey, manifest, authConfig, {
+    repositoryUrl: options.repositoryUrl,
+    controllerId: options.controllerId,
+    timeout: options.timeout || 30000,
+    maxRetries: options.maxRetries || 3
+  });
+
+  if (!validateResult.success || !validateResult.validateToken) {
+    throw new Error('Validation failed: validateToken not received');
+  }
+
+  logger.log(chalk.green('✓ Validation successful'));
+  if (validateResult.draftDeploymentId) {
+    logger.log(chalk.gray(`   Draft Deployment ID: ${validateResult.draftDeploymentId}`));
+  }
+
+  // Step 2: Deploy using validateToken
+  logger.log(chalk.blue('\n🚀 Deploying application...'));
+  const result = await sendDeploymentRequest(url, validatedEnvKey, validateResult.validateToken, authConfig, {
+    imageTag: options.imageTag || 'latest',
     timeout: options.timeout || 30000,
     maxRetries: options.maxRetries || 3
   });
 
   if (result.deploymentId) {
-    auditLogger.logDeploymentSuccess(manifest.key, result.deploymentId, url);
+    await auditLogger.logDeploymentSuccess(manifest.key, result.deploymentId, url);
   }
 
   return result;
@@ -280,12 +353,11 @@ async function sendDeployment(url, validatedEnvKey, manifest, clientId, clientSe
  * @param {Object} result - Deployment result
  * @param {string} url - Controller URL
  * @param {string} validatedEnvKey - Validated environment key
- * @param {string} clientId - Client ID
- * @param {string} clientSecret - Client Secret
+ * @param {Object} authConfig - Authentication configuration
  * @param {Object} options - Deployment options
  * @returns {Promise<Object>} Deployment result with status
  */
-async function pollDeployment(result, url, validatedEnvKey, clientId, clientSecret, options) {
+async function pollDeployment(result, url, validatedEnvKey, authConfig, options) {
   if (!options.poll || !result.deploymentId) {
     return result;
   }
@@ -295,8 +367,7 @@ async function pollDeployment(result, url, validatedEnvKey, clientId, clientSecr
     result.deploymentId,
     url,
     validatedEnvKey,
-    clientId,
-    clientSecret,
+    authConfig,
     {
       interval: options.pollInterval || 5000,
       maxAttempts: options.pollMaxAttempts || 60
@@ -308,65 +379,30 @@ async function pollDeployment(result, url, validatedEnvKey, clientId, clientSecr
 }
 
 /**
- * Handles deployment errors and maps them to user-friendly messages
- * @param {Error} error - Error object
- * @param {string} manifestKey - Manifest key for audit logging
- * @param {string} url - Controller URL for audit logging
- * @throws {Error} User-friendly error message
- */
-function handleDeploymentErrors(error, manifestKey, url) {
-  auditLogger.logDeploymentFailure(manifestKey, url, error);
-
-  const safeError = handleDeploymentError(error);
-
-  if (safeError.status === 401 || safeError.status === 403) {
-    throw new Error('Authentication failed. Check your client ID and client secret.');
-  }
-
-  if (safeError.status === 400) {
-    throw new Error('Invalid deployment manifest. Please check your configuration.');
-  }
-
-  if (safeError.status === 404) {
-    throw new Error('Controller endpoint not found. Check the controller URL and environment.');
-  }
-
-  if (safeError.code === 'ECONNREFUSED') {
-    throw new Error('Cannot connect to controller. Check if the controller is running.');
-  }
-
-  if (safeError.code === 'ENOTFOUND') {
-    throw new Error('Controller hostname not found. Check your controller URL.');
-  }
-
-  if (safeError.timeout) {
-    throw new Error('Request timed out. The controller may be overloaded.');
-  }
-
-  throw new Error(safeError.message);
-}
-
-/**
- * Deploys application to Miso Controller with Client Credentials authentication
+ * Deploys application to Miso Controller with authentication
+ * Supports both Bearer token and client credentials authentication
  * Main orchestrator for the deployment process
  *
  * @async
  * @param {Object} manifest - Deployment manifest
  * @param {string} controllerUrl - Controller URL
- * @param {string} envKey - Environment key (dev, tst, pro)
- * @param {string} clientId - Client ID for authentication
- * @param {string} clientSecret - Client Secret for authentication
+ * @param {string} envKey - Environment key (miso, dev, tst, pro)
+ * @param {Object} authConfig - Authentication configuration
+ * @param {string} authConfig.type - Auth type: 'bearer' or 'credentials'
+ * @param {string} [authConfig.token] - Bearer token (for type 'bearer')
+ * @param {string} [authConfig.clientId] - Client ID (for type 'credentials')
+ * @param {string} [authConfig.clientSecret] - Client secret (for type 'credentials')
  * @param {Object} options - Deployment options
  * @returns {Promise<Object>} Deployment result
  * @throws {Error} If deployment fails
  */
-async function deployToController(manifest, controllerUrl, envKey, clientId, clientSecret, options = {}) {
+async function deployToController(manifest, controllerUrl, envKey, authConfig, options = {}) {
   // Validate inputs
   if (!envKey) {
     throw new Error('Environment key is required');
   }
-  if (!clientId || !clientSecret) {
-    throw new Error('Client ID and Client Secret are required for authentication');
+  if (!authConfig || !authConfig.type) {
+    throw new Error('Authentication configuration is required');
   }
 
   // Validate and sanitize controller URL
@@ -374,27 +410,29 @@ async function deployToController(manifest, controllerUrl, envKey, clientId, cli
   const validatedEnvKey = validateEnvironmentKey(envKey);
 
   // Log deployment attempt for audit
-  auditLogger.logDeploymentAttempt(manifest.key, url, options);
+  await auditLogger.logDeploymentAttempt(manifest.key, url, options);
 
   try {
     // Send deployment request
-    const result = await sendDeployment(url, validatedEnvKey, manifest, clientId, clientSecret, options);
+    const result = await sendDeployment(url, validatedEnvKey, manifest, authConfig, options);
 
     // Poll for deployment status if enabled
-    return await pollDeployment(result, url, validatedEnvKey, clientId, clientSecret, options);
+    return await pollDeployment(result, url, validatedEnvKey, authConfig, options);
 
   } catch (error) {
-    handleDeploymentErrors(error, manifest.key, url);
+    // Use unified error handler (already logged in deployToController, so pass alreadyLogged=true)
+    await handleDeploymentErrors(error, manifest.key, url, false);
   }
 }
 
 module.exports = {
   deployToController,
   sendDeploymentRequest,
+  validateDeployment,
+  handleDeploymentErrors,
   pollDeploymentStatus,
   validateControllerUrl,
   handleDeploymentError,
-  createClientCredentialsHeaders,
   validateEnvironmentKey
 };