@celilo/cli 0.1.0

package/src/services/container-service.test.ts

@@ -0,0 +1,298 @@
+/**
+ * Unit tests for container service operations
+ */
+
+import { afterEach, beforeEach, describe, expect, it } from 'bun:test';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { eq } from 'drizzle-orm';
+import { closeDb, createDbClient } from '../db/client';
+import { runMigrations } from '../db/migrate';
+import { containerServices } from '../db/schema';
+import {
+  addContainerService,
+  getContainerService,
+  getContainerServiceByName,
+  getServiceCredentials,
+  listContainerServices,
+  removeContainerService,
+} from './container-service';
+
+describe('container-service', () => {
+  let testDbPath: string;
+  let testDir: string;
+
+  beforeEach(async () => {
+    // Create temp directory for test database
+    testDir = mkdtempSync(join(tmpdir(), 'celilo-test-'));
+    testDbPath = join(testDir, 'test.db');
+
+    // Set environment variable for database path
+    process.env.CELILO_DB_PATH = testDbPath;
+
+    // Initialize database and run migrations
+    await runMigrations(testDbPath);
+
+    // Create a dummy master key for encryption
+    const masterKeyPath = join(testDir, 'master.key');
+    process.env.CELILO_MASTER_KEY_PATH = masterKeyPath;
+    const fs = await import('node:fs/promises');
+    await fs.writeFile(masterKeyPath, 'a'.repeat(64), 'utf8');
+  });
+
+  afterEach(() => {
+    // Close database connection
+    closeDb();
+
+    // Clean up test directory
+    if (testDir) {
+      rmSync(testDir, { recursive: true, force: true });
+    }
+
+    // Clear environment variables
+    process.env.CELILO_DB_PATH = undefined;
+    process.env.CELILO_MASTER_KEY_PATH = undefined;
+  });
+
+  describe('addContainerService', () => {
+    it('creates a Proxmox service', async () => {
+      const service = await addContainerService({
+        name: 'Test Proxmox',
+        providerName: 'proxmox',
+        zones: ['dmz', 'app', 'secure'],
+        providerConfig: {
+          default_target_node: 'pve',
+          lxc_template: 'local:vztmpl/ubuntu-22.04-standard_22.04-1_amd64.tar.zst',
+          storage: 'local-lvm',
+        },
+        apiCredentials: {
+          api_url: 'https://proxmox.local:8006/api2/json',
+          api_token_id: 'root@pam!celilo',
+          api_token_secret: 'test-token-secret',
+        },
+      });
+
+      expect(service.id).toBeDefined();
+      expect(service.name).toBe('Test Proxmox');
+      expect(service.providerName).toBe('proxmox');
+      expect(service.zones).toEqual(['dmz', 'app', 'secure']);
+      expect(service.apiCredentialsEncrypted).toBeDefined();
+      expect(service.createdAt).toBeInstanceOf(Date);
+    });
+
+    it('creates a Digital Ocean service', async () => {
+      const service = await addContainerService({
+        name: 'Digital Ocean NYC3',
+        providerName: 'digitalocean',
+        zones: ['external'],
+        providerConfig: {
+          region: 'nyc3',
+          default_size: 's-1vcpu-1gb',
+          default_image: 'ubuntu-22-04-x64',
+        },
+        apiCredentials: {
+          api_token: 'dop_test_token_12345',
+        },
+      });
+
+      expect(service.id).toBeDefined();
+      expect(service.name).toBe('Digital Ocean NYC3');
+      expect(service.providerName).toBe('digitalocean');
+      expect(service.zones).toEqual(['external']);
+    });
+
+    it('encrypts API credentials', async () => {
+      const service = await addContainerService({
+        name: 'Test Service',
+        providerName: 'proxmox',
+        zones: ['dmz'],
+        providerConfig: {},
+        apiCredentials: {
+          api_url: 'https://test.local',
+          api_token_id: 'root@pam!celilo',
+          api_token_secret: 'secret-token-123',
+        },
+      });
+
+      // Verify credentials are encrypted in database
+      const db = createDbClient({ path: testDbPath });
+      const dbRecord = await db
+        .select()
+        .from(containerServices)
+        .where(eq(containerServices.id, service.id))
+        .get();
+
+      expect(dbRecord?.apiCredentialsEncrypted).toBeDefined();
+      expect(dbRecord?.apiCredentialsEncrypted).not.toContain('secret-token-123');
+    });
+  });
+
+  describe('getContainerService', () => {
+    it('retrieves service by ID', async () => {
+      const created = await addContainerService({
+        name: 'Test Service',
+        providerName: 'proxmox',
+        zones: ['dmz'],
+        providerConfig: {},
+        apiCredentials: { api_url: 'https://test' },
+      });
+
+      const retrieved = await getContainerService(created.id);
+
+      expect(retrieved).toBeDefined();
+      expect(retrieved?.id).toBe(created.id);
+      expect(retrieved?.name).toBe('Test Service');
+    });
+
+    it('returns null for non-existent service', async () => {
+      const result = await getContainerService('non-existent-id');
+      expect(result).toBeNull();
+    });
+  });
+
+  describe('getContainerServiceByName', () => {
+    it('retrieves service by name', async () => {
+      await addContainerService({
+        name: 'Unique Service Name',
+        providerName: 'proxmox',
+        zones: ['dmz'],
+        providerConfig: {},
+        apiCredentials: { api_url: 'https://test' },
+      });
+
+      const retrieved = await getContainerServiceByName('Unique Service Name');
+
+      expect(retrieved).toBeDefined();
+      expect(retrieved?.name).toBe('Unique Service Name');
+    });
+
+    it('returns null for non-existent service name', async () => {
+      const result = await getContainerServiceByName('Does Not Exist');
+      expect(result).toBeNull();
+    });
+  });
+
+  describe('listContainerServices', () => {
+    it('returns empty array when no services', async () => {
+      const services = await listContainerServices();
+      expect(services).toEqual([]);
+    });
+
+    it('lists all services without filters', async () => {
+      await addContainerService({
+        name: 'Service 1',
+        providerName: 'proxmox',
+        zones: ['dmz'],
+        providerConfig: {},
+        apiCredentials: { api_url: 'https://test1' },
+      });
+
+      await addContainerService({
+        name: 'Service 2',
+        providerName: 'digitalocean',
+        zones: ['external'],
+        providerConfig: {},
+        apiCredentials: { api_token: 'test2' },
+      });
+
+      const services = await listContainerServices();
+      expect(services).toHaveLength(2);
+    });
+
+    it('filters services by zone', async () => {
+      await addContainerService({
+        name: 'Proxmox Internal',
+        providerName: 'proxmox',
+        zones: ['dmz', 'app', 'secure'],
+        providerConfig: {},
+        apiCredentials: { api_url: 'https://test1' },
+      });
+
+      await addContainerService({
+        name: 'Digital Ocean External',
+        providerName: 'digitalocean',
+        zones: ['external'],
+        providerConfig: {},
+        apiCredentials: { api_token: 'test2' },
+      });
+
+      const externalServices = await listContainerServices({
+        zones: ['external'],
+      });
+
+      expect(externalServices).toHaveLength(1);
+      expect(externalServices[0].name).toBe('Digital Ocean External');
+    });
+
+    it('returns services matching any zone in filter', async () => {
+      await addContainerService({
+        name: 'Multi-Zone Service',
+        providerName: 'proxmox',
+        zones: ['dmz', 'app'],
+        providerConfig: {},
+        apiCredentials: { api_url: 'https://test' },
+      });
+
+      const dmzServices = await listContainerServices({ zones: ['dmz'] });
+      const appServices = await listContainerServices({ zones: ['app'] });
+
+      expect(dmzServices).toHaveLength(1);
+      expect(appServices).toHaveLength(1);
+    });
+  });
+
+  describe('getServiceCredentials', () => {
+    it('decrypts and returns service credentials', async () => {
+      const service = await addContainerService({
+        name: 'Test Service',
+        providerName: 'proxmox',
+        zones: ['dmz'],
+        providerConfig: {},
+        apiCredentials: {
+          api_url: 'https://proxmox.local:8006',
+          api_token_id: 'root@pam!celilo',
+          api_token_secret: 'secret-token-123',
+        },
+      });
+
+      const credentials = await getServiceCredentials(service.id);
+
+      expect((credentials as { api_url: string }).api_url).toBe('https://proxmox.local:8006');
+      expect((credentials as { api_token_id: string }).api_token_id).toBe('root@pam!celilo');
+      expect((credentials as { api_token_secret: string }).api_token_secret).toBe(
+        'secret-token-123',
+      );
+    });
+
+    it('throws error for non-existent service', async () => {
+      await expect(getServiceCredentials('non-existent-id')).rejects.toThrow(
+        /Container service not found/,
+      );
+    });
+  });
+
+  describe('removeContainerService', () => {
+    it('deletes service from database', async () => {
+      const service = await addContainerService({
+        name: 'Service To Delete',
+        providerName: 'proxmox',
+        zones: ['dmz'],
+        providerConfig: {},
+        apiCredentials: { api_url: 'https://test' },
+      });
+
+      await removeContainerService(service.id);
+
+      const retrieved = await getContainerService(service.id);
+      expect(retrieved).toBeNull();
+    });
+
+    it('does not throw when removing non-existent service', async () => {
+      // Should complete without error
+      await removeContainerService('non-existent-id');
+      // If we get here, no error was thrown
+      expect(true).toBe(true);
+    });
+  });
+});

package/src/services/container-service.ts

@@ -0,0 +1,401 @@
+import { randomUUID } from 'node:crypto';
+import { eq } from 'drizzle-orm';
+import { z } from 'zod';
+import { getDb } from '../db/client';
+import { type NetworkZone, containerServices } from '../db/schema';
+import { decryptSecret, encryptSecret } from '../secrets/encryption';
+import { getOrCreateMasterKey } from '../secrets/master-key';
+import type { ContainerService, TestResult } from '../types/infrastructure';
+import { EncryptionEnvelopeSchema, parseJsonWithValidation } from '../validation/schemas';
+
+/**
+ * Zod schemas for provider-specific credentials
+ * Validates external data from database storage (Rule 3.7)
+ */
+const ProxmoxCredentialsSchema = z.object({
+  api_url: z.string().url(),
+  api_token_id: z.string().min(1),
+  api_token_secret: z.string().min(1),
+});
+
+const DigitalOceanCredentialsSchema = z.object({
+  api_token: z.string().min(1),
+});
+
+export type ProxmoxCredentials = z.infer<typeof ProxmoxCredentialsSchema>;
+export type DigitalOceanCredentials = z.infer<typeof DigitalOceanCredentialsSchema>;
+export type ServiceCredentials = ProxmoxCredentials | DigitalOceanCredentials;
+
+/**
+ * Container service filters
+ */
+export interface ContainerServiceFilters {
+  zones?: NetworkZone[];
+}
+
+/**
+ * Generate a service ID from a human-readable name
+ * Converts to kebab-case, removes special characters
+ */
+function generateServiceId(name: string): string {
+  return name
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '-') // Replace non-alphanumeric with hyphens
+    .replace(/^-+|-+$/g, ''); // Remove leading/trailing hyphens
+}
+
+/**
+ * Add a new container service
+ */
+export async function addContainerService(
+  service: Omit<
+    ContainerService,
+    | 'id'
+    | 'serviceId'
+    | 'createdAt'
+    | 'updatedAt'
+    | 'apiCredentialsEncrypted'
+    | 'verified'
+    | 'verifiedAt'
+    | 'verificationError'
+  > & {
+    apiCredentials: Record<string, unknown>;
+  },
+): Promise<ContainerService> {
+  const db = getDb();
+  const id = randomUUID();
+  const serviceId = generateServiceId(service.name);
+  const now = new Date();
+
+  // Check if service ID already exists
+  const existing = await db
+    .select()
+    .from(containerServices)
+    .where(eq(containerServices.serviceId, serviceId))
+    .limit(1);
+
+  if (existing.length > 0) {
+    throw new Error(`Service ID '${serviceId}' already exists. Please choose a different name.`);
+  }
+
+  // Encrypt API credentials
+  const masterKey = await getOrCreateMasterKey();
+  const encrypted = encryptSecret(JSON.stringify(service.apiCredentials), masterKey);
+
+  const values = {
+    id,
+    serviceId,
+    name: service.name,
+    providerName: service.providerName,
+    zones: service.zones, // Drizzle auto-stringifies with mode: 'json'
+    apiCredentialsEncrypted: JSON.stringify(encrypted),
+    providerConfig: service.providerConfig, // Drizzle auto-stringifies with mode: 'json'
+    verified: false,
+    verifiedAt: null,
+    verificationError: null,
+    createdAt: now,
+    updatedAt: now,
+  };
+
+  await db.insert(containerServices).values(values);
+
+  return {
+    id,
+    serviceId,
+    name: service.name,
+    providerName: service.providerName,
+    zones: service.zones,
+    apiCredentialsEncrypted: JSON.stringify(encrypted),
+    providerConfig: service.providerConfig,
+    verified: false,
+    verifiedAt: null,
+    verificationError: null,
+    createdAt: now,
+    updatedAt: now,
+  };
+}
+
+/**
+ * Get container service by ID
+ */
+export async function getContainerService(id: string): Promise<ContainerService | null> {
+  const db = getDb();
+
+  const result = await db
+    .select()
+    .from(containerServices)
+    .where(eq(containerServices.id, id))
+    .limit(1);
+
+  if (result.length === 0) {
+    return null;
+  }
+
+  const row = result[0];
+
+  return {
+    id: row.id,
+    serviceId: row.serviceId,
+    name: row.name,
+    providerName: row.providerName as ContainerService['providerName'],
+    zones: row.zones, // Drizzle auto-parses with mode: 'json'
+    apiCredentialsEncrypted: row.apiCredentialsEncrypted,
+    providerConfig: row.providerConfig, // Drizzle auto-parses with mode: 'json'
+    verified: Boolean(row.verified),
+    verifiedAt: row.verifiedAt ? new Date(row.verifiedAt) : null,
+    verificationError: row.verificationError,
+    createdAt: new Date(row.createdAt),
+    updatedAt: new Date(row.updatedAt),
+  };
+}
+
+/**
+ * Get container service by service ID (user-facing identifier)
+ */
+export async function getContainerServiceByServiceId(
+  serviceId: string,
+): Promise<ContainerService | null> {
+  const db = getDb();
+
+  const result = await db
+    .select()
+    .from(containerServices)
+    .where(eq(containerServices.serviceId, serviceId))
+    .limit(1);
+
+  if (result.length === 0) {
+    return null;
+  }
+
+  const row = result[0];
+
+  return {
+    id: row.id,
+    serviceId: row.serviceId,
+    name: row.name,
+    providerName: row.providerName as ContainerService['providerName'],
+    zones: row.zones, // Drizzle auto-parses with mode: 'json'
+    apiCredentialsEncrypted: row.apiCredentialsEncrypted,
+    providerConfig: row.providerConfig, // Drizzle auto-parses with mode: 'json'
+    verified: Boolean(row.verified),
+    verifiedAt: row.verifiedAt ? new Date(row.verifiedAt) : null,
+    verificationError: row.verificationError,
+    createdAt: new Date(row.createdAt),
+    updatedAt: new Date(row.updatedAt),
+  };
+}
+
+/**
+ * Get container service by name
+ */
+export async function getContainerServiceByName(name: string): Promise<ContainerService | null> {
+  const db = getDb();
+
+  const result = await db
+    .select()
+    .from(containerServices)
+    .where(eq(containerServices.name, name))
+    .limit(1);
+
+  if (result.length === 0) {
+    return null;
+  }
+
+  const row = result[0];
+
+  return {
+    id: row.id,
+    serviceId: row.serviceId,
+    name: row.name,
+    providerName: row.providerName as ContainerService['providerName'],
+    zones: row.zones, // Drizzle auto-parses with mode: 'json'
+    apiCredentialsEncrypted: row.apiCredentialsEncrypted,
+    providerConfig: row.providerConfig, // Drizzle auto-parses with mode: 'json'
+    verified: Boolean(row.verified),
+    verifiedAt: row.verifiedAt ? new Date(row.verifiedAt) : null,
+    verificationError: row.verificationError,
+    createdAt: new Date(row.createdAt),
+    updatedAt: new Date(row.updatedAt),
+  };
+}
+
+/**
+ * Get decrypted API credentials for a service
+ * Returns validated, typed credentials based on provider (Rule 3.7)
+ */
+export async function getServiceCredentials(serviceId: string): Promise<ServiceCredentials> {
+  const service = await getContainerService(serviceId);
+  if (!service) {
+    throw new Error(`Container service not found: ${serviceId}`);
+  }
+
+  const masterKey = await getOrCreateMasterKey();
+  const encrypted = parseJsonWithValidation(
+    service.apiCredentialsEncrypted,
+    EncryptionEnvelopeSchema,
+    'service credentials encryption envelope',
+  );
+  const decrypted = decryptSecret(encrypted, masterKey);
+  const parsed = JSON.parse(decrypted);
+
+  // Validate based on provider type
+  if (service.providerName === 'proxmox') {
+    return ProxmoxCredentialsSchema.parse(parsed);
+  }
+  if (service.providerName === 'digitalocean') {
+    return DigitalOceanCredentialsSchema.parse(parsed);
+  }
+
+  throw new Error(
+    `Unsupported provider for credential validation: ${service.providerName}. Supported providers: proxmox, digitalocean`,
+  );
+}
+
+/**
+ * List container services with optional filters
+ */
+export async function listContainerServices(
+  filters?: ContainerServiceFilters,
+): Promise<ContainerService[]> {
+  const db = getDb();
+
+  const results = await db.select().from(containerServices);
+
+  let services = results.map((row) => ({
+    id: row.id,
+    serviceId: row.serviceId,
+    name: row.name,
+    providerName: row.providerName as ContainerService['providerName'],
+    zones: row.zones, // Drizzle auto-parses with mode: 'json'
+    apiCredentialsEncrypted: row.apiCredentialsEncrypted,
+    providerConfig: row.providerConfig, // Drizzle auto-parses with mode: 'json'
+    verified: Boolean(row.verified),
+    verifiedAt: row.verifiedAt ? new Date(row.verifiedAt) : null,
+    verificationError: row.verificationError,
+    createdAt: new Date(row.createdAt),
+    updatedAt: new Date(row.updatedAt),
+  }));
+
+  // Apply zone filter
+  if (filters?.zones && filters.zones.length > 0) {
+    services = services.filter((service) =>
+      filters.zones?.some((zone) => service.zones.includes(zone)),
+    );
+  }
+
+  return services;
+}
+
+/**
+ * Remove a container service
+ */
+/**
+ * Update provider configuration for a container service
+ */
+export async function updateServiceProviderConfig(
+  id: string,
+  providerConfig: Record<string, unknown>,
+): Promise<void> {
+  const db = getDb();
+  await db
+    .update(containerServices)
+    .set({
+      providerConfig,
+      updatedAt: new Date(),
+    })
+    .where(eq(containerServices.id, id));
+}
+
+export async function removeContainerService(id: string): Promise<void> {
+  const db = getDb();
+
+  await db.delete(containerServices).where(eq(containerServices.id, id));
+}
+
+/**
+ * Test connection to a container service
+ * Validates credentials and connectivity for the provider
+ */
+export async function testConnection(service: ContainerService): Promise<TestResult> {
+  const credentials = await getServiceCredentials(service.id);
+
+  if (service.providerName === 'proxmox') {
+    const { testProxmoxConnection } = await import('../api-clients/proxmox');
+    const proxmoxCreds = credentials as ProxmoxCredentials;
+
+    // Cast providerConfig to expected shape
+    const providerConfig = service.providerConfig as {
+      default_target_node: string;
+      lxc_template: string;
+      storage: string;
+    };
+
+    return testProxmoxConnection(
+      {
+        api_url: proxmoxCreds.api_url,
+        api_token_id: proxmoxCreds.api_token_id,
+        api_token_secret: proxmoxCreds.api_token_secret,
+      },
+      providerConfig,
+    );
+  }
+
+  if (service.providerName === 'digitalocean') {
+    const { testDigitalOceanConnection } = await import('../api-clients/digitalocean');
+    const doCreds = credentials as DigitalOceanCredentials;
+    return testDigitalOceanConnection({
+      api_token: doCreds.api_token,
+    });
+  }
+
+  return {
+    success: false,
+    message: `Connection test not implemented for provider: ${service.providerName}`,
+  };
+}
+
+/**
+ * Update verification status for a container service
+ */
+export async function updateVerificationStatus(
+  serviceId: string,
+  testResult: TestResult,
+): Promise<void> {
+  const db = getDb();
+  const now = new Date();
+
+  await db
+    .update(containerServices)
+    .set({
+      verified: testResult.success,
+      verifiedAt: testResult.success ? now : null,
+      verificationError: testResult.success ? null : testResult.message || 'Connection test failed',
+      updatedAt: now,
+    })
+    .where(eq(containerServices.id, serviceId));
+}
+
+/**
+ * Verify a container service and update its status
+ * Returns the updated service
+ */
+export async function verifyContainerService(serviceId: string): Promise<{
+  service: ContainerService;
+  testResult: TestResult;
+}> {
+  const service = await getContainerService(serviceId);
+  if (!service) {
+    throw new Error(`Container service not found: ${serviceId}`);
+  }
+
+  const testResult = await testConnection(service);
+  await updateVerificationStatus(serviceId, testResult);
+
+  // Fetch updated service
+  const updatedService = await getContainerService(serviceId);
+  if (!updatedService) {
+    throw new Error(`Failed to fetch updated service: ${serviceId}`);
+  }
+
+  return { service: updatedService, testResult };
+}