@celilo/cli 0.1.0

package/src/hooks/capability-loader-firewall.test.ts

@@ -0,0 +1,246 @@
+/**
+ * Tests for firewall chain building in capability loader
+ *
+ * Tests the buildFirewallChain logic that wires iptables → greenwave.
+ */
+
+import { afterEach, beforeEach, describe, expect, test } from 'bun:test';
+import { mkdirSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import type { HookLogger } from '@celilo/capabilities';
+import type { DbClient } from '../db/client';
+import { cleanupTestDatabase, setupTestDatabase } from '../test-utils/database';
+import { loadCapabilityFunctions } from './capability-loader';
+
+const noopLogger: HookLogger = {
+  info() {},
+  warn() {},
+  error() {},
+  success() {},
+};
+
+// Mock greenwave firewall factory using defineCapabilityFunction (the
+// post-Phase-8 pattern). The compiled factory takes a single
+// `{ config, secrets, logger }` context and the framework wraps the
+// returned method table with auto-logging.
+//
+// We use an absolute import path to the workspace package because the
+// temp dir where the mock is dropped has no node_modules link to
+// resolve the bare `@celilo/capabilities` specifier.
+const CAPABILITIES_PKG_PATH = join(__dirname, '../../../..', 'packages/capabilities/src/index.ts');
+const MOCK_GREENWAVE_MODULE = `
+import { defineCapabilityFunction } from '${CAPABILITIES_PKG_PATH}';
+
+export default defineCapabilityFunction({
+  capability: 'firewall',
+  handler: ({ config, secrets }) => ({
+    exposeService: async (opts) => ({
+      externalIp: '71.36.99.96',
+      natIp: opts.internalIp,
+    }),
+    unexposeService: async () => {},
+    listExposedServices: async () => [],
+  }),
+});
+`;
+
+// Mock iptables firewall factory — kept on the legacy
+// `createFirewall(config, upstreamFirewall)` shape because its
+// upstream-injection signature doesn't fit the
+// defineCapabilityFunction `{ config, secrets, logger }` context.
+// buildFirewallChain detects this and wires the upstream manually.
+const MOCK_IPTABLES_MODULE = `
+export function createFirewall(config, upstreamFirewall) {
+  return {
+    exposeService: async (opts) => {
+      if (!upstreamFirewall) {
+        throw new Error('No upstream firewall');
+      }
+      // Delegate upstream first (with NAT IP)
+      const upstream = await upstreamFirewall.exposeService({
+        ...opts,
+        internalIp: config.natIp,
+      });
+      // Then "create" local rules (just tracking for test)
+      return {
+        externalIp: upstream.externalIp,
+        natIp: config.natIp,
+        localRulesCreated: true,
+        originalIp: opts.internalIp,
+      };
+    },
+    unexposeService: async () => {},
+    listExposedServices: async () => [],
+  };
+}
+`;
+
+describe('Firewall Chain Building', () => {
+  let db: DbClient;
+  let tempDir: string;
+
+  beforeEach(async () => {
+    db = await setupTestDatabase();
+    tempDir = join(tmpdir(), `celilo-fw-test-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+    mkdirSync(tempDir, { recursive: true });
+  });
+
+  afterEach(async () => {
+    await cleanupTestDatabase(db);
+  });
+
+  test('loads single firewall provider (greenwave only)', async () => {
+    const gwPath = join(tempDir, 'greenwave');
+    const gwScripts = join(gwPath, 'scripts');
+    mkdirSync(gwScripts, { recursive: true });
+    writeFileSync(join(gwScripts, 'firewall-functions.ts'), MOCK_GREENWAVE_MODULE);
+
+    db.$client.run(
+      `INSERT INTO modules (id, name, version, source_path, manifest_data) VALUES ('greenwave', 'GreenWave', '1.0.0', '${gwPath}', '{}')`,
+    );
+    db.$client.run(
+      `INSERT INTO capabilities (module_id, capability_name, version, data, zones) VALUES ('greenwave', 'firewall', '1.0.0', '{"has_external":true}', '["internal"]')`,
+    );
+    db.$client.run(
+      `INSERT INTO module_configs (module_id, key, value) VALUES ('greenwave', 'router_ip', '192.168.0.1')`,
+    );
+
+    // Set up encrypted secrets
+    const { encryptSecret } = await import('../secrets/encryption');
+    const { getOrCreateMasterKey } = await import('../secrets/master-key');
+    const masterKey = await getOrCreateMasterKey();
+    for (const [name, value] of [
+      ['router_username', 'admin'],
+      ['router_password', 'test'],
+    ]) {
+      const enc = encryptSecret(value, masterKey);
+      db.$client.run(
+        `INSERT INTO secrets (module_id, name, encrypted_value, iv, auth_tag) VALUES ('greenwave', '${name}', '${enc.encryptedValue}', '${enc.iv}', '${enc.authTag}')`,
+      );
+    }
+
+    const result = await loadCapabilityFunctions('test-consumer', db, noopLogger);
+    expect(result.firewall).toBeTruthy();
+
+    // Test the interface
+    const fw = result.firewall as {
+      exposeService: (opts: {
+        internalIp: string;
+        ports: number[];
+        description: string;
+      }) => Promise<{ externalIp: string }>;
+    };
+    const exposed = await fw.exposeService({
+      internalIp: '10.0.10.10',
+      ports: [80],
+      description: 'test',
+    });
+    expect(exposed.externalIp).toBe('71.36.99.96');
+  });
+
+  test('builds chain with two providers (iptables → greenwave)', async () => {
+    // Set up greenwave
+    const gwPath = join(tempDir, 'greenwave');
+    const gwScripts = join(gwPath, 'scripts');
+    mkdirSync(gwScripts, { recursive: true });
+    writeFileSync(join(gwScripts, 'firewall-functions.ts'), MOCK_GREENWAVE_MODULE);
+
+    db.$client.run(
+      `INSERT INTO modules (id, name, version, source_path, manifest_data) VALUES ('greenwave', 'GreenWave', '1.0.0', '${gwPath}', '{}')`,
+    );
+    db.$client.run(
+      `INSERT INTO capabilities (module_id, capability_name, version, data, zones) VALUES ('greenwave', 'firewall', '1.0.0', '{"has_external":true}', '["internal"]')`,
+    );
+    db.$client.run(
+      `INSERT INTO module_configs (module_id, key, value) VALUES ('greenwave', 'router_ip', '192.168.0.1')`,
+    );
+
+    const { encryptSecret } = await import('../secrets/encryption');
+    const { getOrCreateMasterKey } = await import('../secrets/master-key');
+    const masterKey = await getOrCreateMasterKey();
+    for (const [name, value] of [
+      ['router_username', 'admin'],
+      ['router_password', 'test'],
+    ]) {
+      const enc = encryptSecret(value, masterKey);
+      db.$client.run(
+        `INSERT INTO secrets (module_id, name, encrypted_value, iv, auth_tag) VALUES ('greenwave', '${name}', '${enc.encryptedValue}', '${enc.iv}', '${enc.authTag}')`,
+      );
+    }
+
+    // Set up iptables
+    const iptPath = join(tempDir, 'iptables');
+    const iptScripts = join(iptPath, 'scripts');
+    mkdirSync(iptScripts, { recursive: true });
+    writeFileSync(join(iptScripts, 'firewall-functions.ts'), MOCK_IPTABLES_MODULE);
+
+    db.$client.run(
+      `INSERT INTO modules (id, name, version, source_path, manifest_data) VALUES ('iptables', 'iptables', '1.0.0', '${iptPath}', '{}')`,
+    );
+    db.$client.run(
+      `INSERT INTO capabilities (module_id, capability_name, version, data, zones) VALUES ('iptables', 'firewall', '1.0.0', '{}', '["dmz","app","secure"]')`,
+    );
+    db.$client.run(
+      `INSERT INTO module_configs (module_id, key, value) VALUES ('iptables', 'firewall_ip', '192.168.0.254')`,
+    );
+    db.$client.run(
+      `INSERT INTO module_configs (module_id, key, value) VALUES ('iptables', 'nat_ip', '192.168.0.253')`,
+    );
+    db.$client.run(
+      `INSERT INTO module_configs (module_id, key, value) VALUES ('iptables', 'upstream_zone', 'internal')`,
+    );
+
+    const result = await loadCapabilityFunctions('test-consumer', db, noopLogger);
+    expect(result.firewall).toBeTruthy();
+
+    // Test the chain: iptables delegates to greenwave
+    const fw = result.firewall as {
+      exposeService: (opts: {
+        internalIp: string;
+        ports: number[];
+        description: string;
+      }) => Promise<{
+        externalIp: string;
+        natIp: string;
+        localRulesCreated: boolean;
+        originalIp: string;
+      }>;
+    };
+
+    const exposed = await fw.exposeService({
+      internalIp: '10.0.10.10',
+      ports: [80],
+      description: 'Caddy',
+    });
+
+    // External IP came from greenwave (leaf)
+    expect(exposed.externalIp).toBe('71.36.99.96');
+    // NAT IP is iptables' NAT address
+    expect(exposed.natIp).toBe('192.168.0.253');
+    // iptables created local rules
+    expect(exposed.localRulesCreated).toBe(true);
+    // iptables tracked the original internal IP
+    expect(exposed.originalIp).toBe('10.0.10.10');
+  });
+
+  test('returns null when no firewall has external interface', async () => {
+    const iptPath = join(tempDir, 'iptables');
+    const iptScripts = join(iptPath, 'scripts');
+    mkdirSync(iptScripts, { recursive: true });
+    writeFileSync(join(iptScripts, 'firewall-functions.ts'), MOCK_IPTABLES_MODULE);
+
+    db.$client.run(
+      `INSERT INTO modules (id, name, version, source_path, manifest_data) VALUES ('iptables', 'iptables', '1.0.0', '${iptPath}', '{}')`,
+    );
+    // Note: has_external is NOT set
+    db.$client.run(
+      `INSERT INTO capabilities (module_id, capability_name, version, data, zones) VALUES ('iptables', 'firewall', '1.0.0', '{}', '["dmz"]')`,
+    );
+
+    const _result = await loadCapabilityFunctions('test-consumer', db, noopLogger);
+    // Single provider without has_external — still loads (just can't delegate)
+    // But buildFirewallChain is only called with >1 providers
+    // Single provider loads normally via the standard path
+  });
+});

package/src/hooks/capability-loader.test.ts

@@ -0,0 +1,100 @@
+/**
+ * Tests for capability function loader
+ */
+
+import { afterEach, beforeEach, describe, expect, test } from 'bun:test';
+import { mkdirSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import type { HookLogger } from '@celilo/capabilities';
+import type { DbClient } from '../db/client';
+import { cleanupTestDatabase, setupTestDatabase } from '../test-utils/database';
+import { loadCapabilityFunctions } from './capability-loader';
+
+const noopLogger: HookLogger = {
+  info() {},
+  warn() {},
+  error() {},
+  success() {},
+};
+
+// Minimal test module that exports a default factory
+const TEST_REGISTER_HOST_MODULE = `
+export default function registerHost(context) {
+  return {
+    host: context.config.primary_domain,
+    hasSecrets: !!context.secrets.ddns_password,
+  };
+}
+`;
+
+describe('Capability Loader', () => {
+  let db: DbClient;
+  let tempDir: string;
+
+  beforeEach(async () => {
+    db = await setupTestDatabase();
+    tempDir = join(
+      tmpdir(),
+      `celilo-cap-test-${Date.now()}-${Math.random().toString(36).slice(2)}`,
+    );
+    mkdirSync(tempDir, { recursive: true });
+  });
+
+  afterEach(async () => {
+    await cleanupTestDatabase(db);
+  });
+
+  test('returns empty object when no capabilities are registered', async () => {
+    const result = await loadCapabilityFunctions('test-module', db, noopLogger);
+    expect(result).toEqual({});
+  });
+
+  test('returns empty object when capability is registered but module does not exist', async () => {
+    const modulePath = join(tempDir, 'namecheap');
+    mkdirSync(modulePath, { recursive: true });
+
+    db.$client.run(
+      `INSERT INTO modules (id, name, version, source_path, manifest_data) VALUES ('namecheap', 'Namecheap', '2.0.0', '${modulePath}', '{}')`,
+    );
+    db.$client.run(
+      `INSERT INTO capabilities (module_id, capability_name, version, data, registered_at) VALUES ('namecheap', 'dns_registrar', '2.0.0', '{}', unixepoch())`,
+    );
+
+    const result = await loadCapabilityFunctions('caddy', db, noopLogger);
+    expect(result).toEqual({});
+  });
+
+  test('loads dns_registrar capability when module, config, and secrets exist', async () => {
+    // Create module directory with register-host module
+    const modulePath = join(tempDir, 'namecheap');
+    const scriptsDir = join(modulePath, 'scripts');
+    mkdirSync(scriptsDir, { recursive: true });
+    writeFileSync(join(scriptsDir, 'register-host.ts'), TEST_REGISTER_HOST_MODULE);
+
+    db.$client.run(
+      `INSERT INTO modules (id, name, version, source_path, manifest_data) VALUES ('namecheap', 'Namecheap', '2.0.0', '${modulePath}', '{}')`,
+    );
+    db.$client.run(
+      `INSERT INTO capabilities (module_id, capability_name, version, data, registered_at) VALUES ('namecheap', 'dns_registrar', '2.0.0', '{}', unixepoch())`,
+    );
+    db.$client.run(
+      `INSERT INTO module_configs (module_id, key, value) VALUES ('namecheap', 'primary_domain', 'example.com')`,
+    );
+
+    // Set encrypted secrets
+    const { encryptSecret } = await import('../secrets/encryption');
+    const { getOrCreateMasterKey } = await import('../secrets/master-key');
+    const masterKey = await getOrCreateMasterKey();
+
+    const ddnsPasswordEnc = encryptSecret('test-ddns-password', masterKey);
+    db.$client.run(
+      `INSERT INTO secrets (module_id, name, encrypted_value, iv, auth_tag) VALUES ('namecheap', 'ddns_password', '${ddnsPasswordEnc.encryptedValue}', '${ddnsPasswordEnc.iv}', '${ddnsPasswordEnc.authTag}')`,
+    );
+
+    const result = await loadCapabilityFunctions('caddy', db, noopLogger);
+
+    expect(result).toHaveProperty('dns_registrar');
+    expect(result.dns_registrar).toBeTruthy();
+  });
+});