@celilo/cli 0.1.0

package/src/services/ssh-key-manager.test.ts

@@ -0,0 +1,283 @@
+/**
+ * Tests for SSH key manager
+ */
+
+import { afterEach, beforeEach, describe, expect, it } from 'bun:test';
+import { existsSync, mkdtempSync, readFileSync, rmSync, statSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { closeDb } from '../db/client';
+import { runMigrations } from '../db/migrate';
+import { addMachine } from './machine-pool';
+import {
+  ManagedSshKey,
+  cleanupTemporarySshKeys,
+  deleteTemporarySshKey,
+  writeTemporarySshKey,
+} from './ssh-key-manager';
+
+describe('ssh-key-manager', () => {
+  let testDbPath: string;
+  let testDir: string;
+  let dataDir: string;
+
+  beforeEach(async () => {
+    // Create temp directory for test database and data
+    testDir = mkdtempSync(join(tmpdir(), 'celilo-test-'));
+    testDbPath = join(testDir, 'test.db');
+    dataDir = join(testDir, 'data');
+
+    // Set environment variables
+    process.env.CELILO_DB_PATH = testDbPath;
+    process.env.CELILO_DATA_DIR = dataDir;
+
+    // Initialize database and run migrations
+    await runMigrations(testDbPath);
+
+    // Create a dummy master key for encryption
+    const masterKeyPath = join(dataDir, 'master.key');
+    process.env.CELILO_MASTER_KEY_PATH = masterKeyPath;
+    const fs = await import('node:fs/promises');
+    await fs.mkdir(dataDir, { recursive: true });
+    await fs.writeFile(masterKeyPath, 'a'.repeat(64), 'utf8');
+  });
+
+  afterEach(() => {
+    // Close database connection
+    closeDb();
+
+    // Clean up test directory
+    if (testDir) {
+      rmSync(testDir, { recursive: true, force: true });
+    }
+
+    // Clear environment variables
+    process.env.CELILO_DB_PATH = undefined;
+    process.env.CELILO_DATA_DIR = undefined;
+    process.env.CELILO_MASTER_KEY_PATH = undefined;
+  });
+
+  describe('writeTemporarySshKey', () => {
+    it('creates temp directory and writes key file', async () => {
+      const machine = await addMachine({
+        hostname: 'test-machine',
+        zone: 'internal',
+        ipAddress: '192.168.1.100',
+        sshUser: 'root',
+        sshKey: 'test-ssh-key-content',
+        hardware: { cpu_cores: 2, memory_mb: 2048, disk_gb: 20 },
+        role: 'host',
+        interfaces: [],
+        assignedModuleIds: [],
+      });
+
+      const keyPath = await writeTemporarySshKey(machine.id);
+
+      // Check file exists
+      expect(existsSync(keyPath)).toBe(true);
+
+      // Check file content is decrypted
+      const content = readFileSync(keyPath, 'utf8');
+      expect(content).toBe('test-ssh-key-content');
+
+      // Check file permissions (should be 0o600)
+      const stats = statSync(keyPath);
+      const mode = stats.mode & 0o777;
+      expect(mode).toBe(0o600);
+    });
+
+    it('returns correct temp key path', async () => {
+      const machine = await addMachine({
+        hostname: 'test-machine',
+        zone: 'internal',
+        ipAddress: '192.168.1.100',
+        sshUser: 'root',
+        sshKey: 'test-ssh-key-content',
+        hardware: { cpu_cores: 2, memory_mb: 2048, disk_gb: 20 },
+        role: 'host',
+        interfaces: [],
+        assignedModuleIds: [],
+      });
+
+      const keyPath = await writeTemporarySshKey(machine.id);
+
+      expect(keyPath).toContain('tmp/ansible-keys');
+      expect(keyPath).toContain(`machine-${machine.id}.key`);
+    });
+  });
+
+  describe('deleteTemporarySshKey', () => {
+    it('removes temp key file', async () => {
+      const machine = await addMachine({
+        hostname: 'test-machine',
+        zone: 'internal',
+        ipAddress: '192.168.1.100',
+        sshUser: 'root',
+        sshKey: 'test-ssh-key-content',
+        hardware: { cpu_cores: 2, memory_mb: 2048, disk_gb: 20 },
+        role: 'host',
+        interfaces: [],
+        assignedModuleIds: [],
+      });
+
+      const keyPath = await writeTemporarySshKey(machine.id);
+      expect(existsSync(keyPath)).toBe(true);
+
+      deleteTemporarySshKey(machine.id);
+      expect(existsSync(keyPath)).toBe(false);
+    });
+
+    it('does not throw if key file does not exist', () => {
+      expect(() => deleteTemporarySshKey('non-existent-machine')).not.toThrow();
+    });
+  });
+
+  describe('cleanupTemporarySshKeys', () => {
+    it('removes all temp key files', async () => {
+      const machine1 = await addMachine({
+        hostname: 'machine1',
+        zone: 'internal',
+        ipAddress: '192.168.1.100',
+        sshUser: 'root',
+        sshKey: 'key1',
+        hardware: { cpu_cores: 2, memory_mb: 2048, disk_gb: 20 },
+        role: 'host',
+        interfaces: [],
+        assignedModuleIds: [],
+      });
+
+      const machine2 = await addMachine({
+        hostname: 'machine2',
+        zone: 'internal',
+        ipAddress: '192.168.1.101',
+        sshUser: 'root',
+        sshKey: 'key2',
+        hardware: { cpu_cores: 2, memory_mb: 2048, disk_gb: 20 },
+        role: 'host',
+        interfaces: [],
+        assignedModuleIds: [],
+      });
+
+      const keyPath1 = await writeTemporarySshKey(machine1.id);
+      const keyPath2 = await writeTemporarySshKey(machine2.id);
+
+      expect(existsSync(keyPath1)).toBe(true);
+      expect(existsSync(keyPath2)).toBe(true);
+
+      cleanupTemporarySshKeys();
+
+      expect(existsSync(keyPath1)).toBe(false);
+      expect(existsSync(keyPath2)).toBe(false);
+    });
+
+    it('does not throw if temp directory does not exist', () => {
+      expect(() => cleanupTemporarySshKeys()).not.toThrow();
+    });
+  });
+
+  describe('ManagedSshKey', () => {
+    it('writes key and provides path', async () => {
+      const machine = await addMachine({
+        hostname: 'test-machine',
+        zone: 'internal',
+        ipAddress: '192.168.1.100',
+        sshUser: 'root',
+        sshKey: 'test-key',
+        hardware: { cpu_cores: 2, memory_mb: 2048, disk_gb: 20 },
+        role: 'host',
+        interfaces: [],
+        assignedModuleIds: [],
+      });
+
+      const managedKey = new ManagedSshKey(machine.id);
+      const keyPath = await managedKey.write();
+
+      expect(existsSync(keyPath)).toBe(true);
+      expect(managedKey.getPath()).toBe(keyPath);
+    });
+
+    it('cleans up key file', async () => {
+      const machine = await addMachine({
+        hostname: 'test-machine',
+        zone: 'internal',
+        ipAddress: '192.168.1.100',
+        sshUser: 'root',
+        sshKey: 'test-key',
+        hardware: { cpu_cores: 2, memory_mb: 2048, disk_gb: 20 },
+        role: 'host',
+        interfaces: [],
+        assignedModuleIds: [],
+      });
+
+      const managedKey = new ManagedSshKey(machine.id);
+      const keyPath = await managedKey.write();
+
+      expect(existsSync(keyPath)).toBe(true);
+
+      managedKey.cleanup();
+      expect(existsSync(keyPath)).toBe(false);
+    });
+
+    it('use() method handles automatic cleanup', async () => {
+      const machine = await addMachine({
+        hostname: 'test-machine',
+        zone: 'internal',
+        ipAddress: '192.168.1.100',
+        sshUser: 'root',
+        sshKey: 'test-key',
+        hardware: { cpu_cores: 2, memory_mb: 2048, disk_gb: 20 },
+        role: 'host',
+        interfaces: [],
+        assignedModuleIds: [],
+      });
+
+      const managedKey = new ManagedSshKey(machine.id);
+      let capturedPath: string | null = null;
+
+      await managedKey.use(async (keyPath) => {
+        capturedPath = keyPath;
+        expect(existsSync(keyPath)).toBe(true);
+      });
+
+      // Key should be cleaned up after callback
+      expect(capturedPath).not.toBeNull();
+      // biome-ignore lint/style/noNonNullAssertion: checked with not.toBeNull() above
+      expect(existsSync(capturedPath!)).toBe(false);
+    });
+
+    it('use() method cleans up even if callback throws', async () => {
+      const machine = await addMachine({
+        hostname: 'test-machine',
+        zone: 'internal',
+        ipAddress: '192.168.1.100',
+        sshUser: 'root',
+        sshKey: 'test-key',
+        hardware: { cpu_cores: 2, memory_mb: 2048, disk_gb: 20 },
+        role: 'host',
+        interfaces: [],
+        assignedModuleIds: [],
+      });
+
+      const managedKey = new ManagedSshKey(machine.id);
+      let capturedPath: string | null = null;
+
+      await expect(
+        managedKey.use(async (keyPath) => {
+          capturedPath = keyPath;
+          throw new Error('Test error');
+        }),
+      ).rejects.toThrow('Test error');
+
+      // Key should still be cleaned up despite error
+      expect(capturedPath).not.toBeNull();
+      // biome-ignore lint/style/noNonNullAssertion: checked with not.toBeNull() above
+      expect(existsSync(capturedPath!)).toBe(false);
+    });
+
+    it('throws if getPath() called before write()', () => {
+      const managedKey = new ManagedSshKey('test-machine-id');
+
+      expect(() => managedKey.getPath()).toThrow('SSH key not written yet');
+    });
+  });
+});

package/src/services/ssh-key-manager.ts

@@ -0,0 +1,193 @@
+/**
+ * SSH Key Manager
+ * Handles temporary SSH key files for Ansible execution
+ * Keys are stored encrypted in database, written temporarily to filesystem for Ansible
+ */
+
+import { existsSync, mkdirSync, readdirSync, rmSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { getDataDir } from '../config/paths';
+import { getMachineSshKey } from './machine-pool';
+
+/**
+ * Get the temporary SSH keys directory
+ */
+function getTempKeysDir(): string {
+  return join(getDataDir(), 'tmp', 'ansible-keys');
+}
+
+/**
+ * Ensure the temp keys directory exists
+ */
+function ensureTempKeysDir(): void {
+  const dir = getTempKeysDir();
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true, mode: 0o700 });
+  }
+}
+
+/**
+ * Get the temporary key file path for a machine
+ */
+export function getTempKeyPath(machineId: string): string {
+  return join(getTempKeysDir(), `machine-${machineId}.key`);
+}
+
+/**
+ * Write a temporary SSH key file for Ansible
+ * The key is decrypted from the database and written to a temporary file
+ *
+ * @param machineId - Machine ID
+ * @returns Absolute path to the temporary key file
+ */
+export async function writeTemporarySshKey(machineId: string): Promise<string> {
+  ensureTempKeysDir();
+
+  // Get decrypted SSH key from database
+  const keyContent = await getMachineSshKey(machineId);
+
+  // Write to temporary file with restrictive permissions
+  const keyPath = getTempKeyPath(machineId);
+  writeFileSync(keyPath, keyContent, { mode: 0o600 });
+
+  return keyPath;
+}
+
+/**
+ * Delete a temporary SSH key file
+ *
+ * @param machineId - Machine ID
+ */
+export function deleteTemporarySshKey(machineId: string): void {
+  const keyPath = getTempKeyPath(machineId);
+  if (existsSync(keyPath)) {
+    rmSync(keyPath, { force: true });
+  }
+}
+
+/**
+ * Clean up all temporary SSH key files
+ * Should be called after Ansible execution or on process exit
+ */
+export function cleanupTemporarySshKeys(): void {
+  const dir = getTempKeysDir();
+  if (!existsSync(dir)) {
+    return;
+  }
+
+  // Remove all .key files
+  const files = readdirSync(dir);
+  for (const file of files) {
+    if (file.endsWith('.key')) {
+      const filePath = join(dir, file);
+      rmSync(filePath, { force: true });
+    }
+  }
+}
+
+/**
+ * Register cleanup handlers for process exit
+ * Ensures temporary SSH keys are always cleaned up
+ */
+export function registerCleanupHandlers(): void {
+  // Clean up on normal exit
+  process.on('exit', () => {
+    try {
+      cleanupTemporarySshKeys();
+    } catch (error) {
+      console.error('Failed to cleanup SSH keys on exit:', error);
+    }
+  });
+
+  // Clean up on SIGINT (Ctrl+C)
+  process.on('SIGINT', () => {
+    try {
+      cleanupTemporarySshKeys();
+    } catch (error) {
+      console.error('Failed to cleanup SSH keys on SIGINT:', error);
+    }
+    process.exit(130); // Standard exit code for SIGINT
+  });
+
+  // Clean up on SIGTERM
+  process.on('SIGTERM', () => {
+    try {
+      cleanupTemporarySshKeys();
+    } catch (error) {
+      console.error('Failed to cleanup SSH keys on SIGTERM:', error);
+    }
+    process.exit(143); // Standard exit code for SIGTERM
+  });
+
+  // Clean up on uncaught exception
+  process.on('uncaughtException', (error) => {
+    console.error('Uncaught exception:', error);
+    try {
+      cleanupTemporarySshKeys();
+    } catch (cleanupError) {
+      console.error('Failed to cleanup SSH keys on uncaught exception:', cleanupError);
+    }
+    process.exit(1);
+  });
+}
+
+/**
+ * Managed SSH key context for safe cleanup
+ * Use this for automatic cleanup in try-finally patterns
+ *
+ * @example
+ * const keyPath = await writeTemporarySshKey(machineId);
+ * try {
+ *   await runAnsible(keyPath);
+ * } finally {
+ *   deleteTemporarySshKey(machineId);
+ * }
+ */
+export class ManagedSshKey {
+  private machineId: string;
+  private keyPath: string | null = null;
+
+  constructor(machineId: string) {
+    this.machineId = machineId;
+  }
+
+  /**
+   * Write the SSH key and return the path
+   */
+  async write(): Promise<string> {
+    this.keyPath = await writeTemporarySshKey(this.machineId);
+    return this.keyPath;
+  }
+
+  /**
+   * Get the key path (throws if not written yet)
+   */
+  getPath(): string {
+    if (!this.keyPath) {
+      throw new Error('SSH key not written yet. Call write() first.');
+    }
+    return this.keyPath;
+  }
+
+  /**
+   * Clean up the temporary key file
+   */
+  cleanup(): void {
+    if (this.keyPath) {
+      deleteTemporarySshKey(this.machineId);
+      this.keyPath = null;
+    }
+  }
+
+  /**
+   * Use the key in a callback with automatic cleanup
+   */
+  async use<T>(callback: (keyPath: string) => Promise<T>): Promise<T> {
+    await this.write();
+    try {
+      return await callback(this.getPath());
+    } finally {
+      this.cleanup();
+    }
+  }
+}

package/src/services/storage-providers/local.ts

@@ -0,0 +1,105 @@
+/**
+ * Local filesystem storage provider.
+ * Stores backup archives in a local directory (or NAS-mounted path).
+ */
+
+import {
+  copyFileSync,
+  existsSync,
+  mkdirSync,
+  readdirSync,
+  unlinkSync,
+  writeFileSync,
+} from 'node:fs';
+import { dirname, join, relative } from 'node:path';
+import type { StorageProvider, StorageVerifyResult } from './types';
+
+const BACKUP_PREFIX = 'celilo-backups';
+
+export interface LocalStorageConfig {
+  path: string;
+}
+
+export function createLocalStorageProvider(config: LocalStorageConfig): StorageProvider {
+  const basePath = join(config.path, BACKUP_PREFIX);
+
+  return {
+    async upload(localPath: string, remotePath: string): Promise<void> {
+      const destPath = join(basePath, remotePath);
+      const destDir = dirname(destPath);
+      mkdirSync(destDir, { recursive: true });
+      copyFileSync(localPath, destPath);
+    },
+
+    async download(remotePath: string, localPath: string): Promise<void> {
+      const srcPath = join(basePath, remotePath);
+      if (!existsSync(srcPath)) {
+        throw new Error(`Backup file not found: ${remotePath}`);
+      }
+      const destDir = dirname(localPath);
+      mkdirSync(destDir, { recursive: true });
+      copyFileSync(srcPath, localPath);
+    },
+
+    async delete(remotePath: string): Promise<void> {
+      const fullPath = join(basePath, remotePath);
+      if (existsSync(fullPath)) {
+        unlinkSync(fullPath);
+      }
+    },
+
+    async list(prefix: string): Promise<string[]> {
+      const searchDir = join(basePath, prefix);
+      if (!existsSync(searchDir)) {
+        return [];
+      }
+      return collectFiles(searchDir).map((f) => relative(basePath, f));
+    },
+
+    async verify(): Promise<StorageVerifyResult> {
+      try {
+        // Check base directory is writable
+        mkdirSync(basePath, { recursive: true });
+
+        // Write test file
+        const testFile = join(basePath, '.celilo-verify-test');
+        writeFileSync(testFile, 'verify');
+
+        // Read it back
+        const content = Bun.file(testFile);
+        const text = await content.text();
+        if (text !== 'verify') {
+          return { success: false, message: 'Read-back verification failed' };
+        }
+
+        // Delete test file
+        unlinkSync(testFile);
+
+        return { success: true, message: `Write test passed at ${basePath}` };
+      } catch (error) {
+        return {
+          success: false,
+          message: `Storage verification failed: ${error instanceof Error ? error.message : String(error)}`,
+        };
+      }
+    },
+
+    async initialize(): Promise<void> {
+      mkdirSync(basePath, { recursive: true });
+    },
+  };
+}
+
+function collectFiles(dir: string): string[] {
+  const results: string[] = [];
+  const entries = readdirSync(dir, { withFileTypes: true });
+  for (const entry of entries) {
+    const fullPath = join(dir, entry.name);
+    if (entry.isDirectory()) {
+      results.push(...collectFiles(fullPath));
+    } else {
+      results.push(fullPath);
+    }
+  }
+  return results;
+}