@meshxdata/fops 0.1.36 → 0.1.38

package/src/plugins/bundled/fops-plugin-azure/lib/azure-helpers.js

@@ -618,7 +618,9 @@ const FOPS_KNOCK_TAG = "fopsKnock";
 /** Persist knock sequence to VM tag so other machines can fetch it. */
 export async function setVmKnockTag(execa, rg, vmName, knockSequence, sub) {
   if (!knockSequence?.length) return;
-  const value = knockSequence.join(",");
+  // Use dash delimiter — Azure CLI --set treats commas as array separators
+  // which wraps the value in parens "(49198, 49200, 49180)" and breaks parsing.
+  const value = knockSequence.join("-");
   try {
     await execa("az", [
       "vm", "update", "--resource-group", rg, "--name", vmName,
@@ -629,23 +631,54 @@ export async function setVmKnockTag(execa, rg, vmName, knockSequence, sub) {
   } catch { /* non-fatal */ }
 }
 
+// Per-process cache: vmName → true, so we only fetch from Azure once per CLI invocation.
+const _vmStateSynced = new Set();
+
 /**
- * If local state has no knock sequence, try to load it from the VM's Azure tag
- * (set at provision time). Use when switching to another machine.
+ * Sync VM state (public IP + knock sequence) from Azure on the first call per process.
+ * Azure is the canonical source of truth — local state drifts when VMs are
+ * restarted/reallocated (new IP) or knock sequences change.
  */
 export async function ensureKnockSequence(state) {
-  if (state?.knockSequence?.length) return state;
   if (!state?.resourceGroup || !state?.vmName) return state;
+  if (_vmStateSynced.has(state.vmName)) return readVmState(state.vmName);
   const execa = await lazyExeca();
-  const { stdout, exitCode } = await execa("az", [
-    "vm", "show", "-g", state.resourceGroup, "-n", state.vmName,
-    "--query", `tags.${FOPS_KNOCK_TAG}`, "-o", "tsv",
-  ], { timeout: 15000, reject: false }).catch(() => ({ stdout: "", exitCode: 1 }));
-  const raw = (stdout || "").trim();
-  if (exitCode !== 0 || !raw) return state;
-  const knockSequence = raw.split(",").map((s) => parseInt(s, 10)).filter((n) => Number.isInteger(n) && n > 0);
-  if (knockSequence.length < 2) return state;
-  writeVmState(state.vmName, { knockSequence });
+  _vmStateSynced.add(state.vmName);
+
+  // Fetch public IP and knock sequence tag in parallel
+  const [ipResult, tagResult] = await Promise.all([
+    execa("az", [
+      "vm", "list-ip-addresses", "-g", state.resourceGroup, "-n", state.vmName, "--output", "json",
+    ], { timeout: 15000, reject: false }).catch(() => ({ stdout: "[]", exitCode: 1 })),
+    execa("az", [
+      "vm", "show", "-g", state.resourceGroup, "-n", state.vmName,
+      "--query", `tags.${FOPS_KNOCK_TAG}`, "-o", "tsv",
+    ], { timeout: 15000, reject: false }).catch(() => ({ stdout: "", exitCode: 1 })),
+  ]);
+
+  const patch = {};
+
+  // Sync public IP
+  try {
+    const ips = JSON.parse(ipResult.stdout || "[]");
+    const freshIp = ips?.[0]?.virtualMachine?.network?.publicIpAddresses?.[0]?.ipAddress || "";
+    if (freshIp && freshIp !== state.publicIp) patch.publicIp = freshIp;
+  } catch {}
+
+  // Sync knock sequence — tag value may use dash or comma delimiter;
+  // Azure CLI --set sometimes wraps comma values in parens like "(49198, 49200, 49180)"
+  const raw = (tagResult.stdout || "").trim().replace(/[()]/g, "");
+  if (tagResult.exitCode === 0 && raw) {
+    const knockSequence = raw.split(/[-,]/).map((s) => parseInt(s.trim(), 10)).filter((n) => Number.isInteger(n) && n > 0);
+    if (knockSequence.length >= 2) {
+      const local = state.knockSequence;
+      if (!local?.length || local.length !== knockSequence.length || local.some((v, i) => v !== knockSequence[i])) {
+        patch.knockSequence = knockSequence;
+      }
+    }
+  }
+
+  if (Object.keys(patch).length > 0) writeVmState(state.vmName, patch);
   return readVmState(state.vmName);
 }
 
@@ -656,6 +689,11 @@ export async function knockForVm(vmNameOrState) {
     ? readVmState(vmNameOrState) : vmNameOrState;
   state = await ensureKnockSequence(state);
   if (state?.knockSequence?.length && state.publicIp) {
+    // Close stale mux before knocking — ControlPersist=600 keeps the master alive for
+    // 10 min, but if the VM rebooted the underlying TCP is broken and all SSH commands
+    // through it will fail even after a successful knock.
+    const execa = await lazyExeca();
+    await closeMux(execa, state.publicIp, DEFAULTS.adminUser);
     await performKnock(state.publicIp, state.knockSequence, { quiet: true });
   }
 }

package/src/plugins/bundled/fops-plugin-azure/lib/azure-ops.js

@@ -8,7 +8,7 @@ import { readState, saveState, readVmState, writeVmState, listVms, requireVmStat
 import {
   DEFAULTS, DIM, OK, WARN, ERR, LABEL, ACCENT,
   banner, hint, kvLine, nameArg,
-  lazyExeca, ensureAzCli, ensureAzAuth, subArgs,
+  lazyExeca, ensureAzCli, ensureAzAuth, subArgs, fetchMyIp,
   resolvePublicIp, resolveGithubToken, verifyGithubToken,
   buildPublicUrl, buildDefaultUrl, resolveUniqueDomain,
   sshCmd, closeMux, MUX_OPTS, muxSocketPath, waitForSsh, knockForVm, fopsUpCmd, buildRemoteFopsUpArgs,
@@ -408,17 +408,25 @@ export async function azureVmCheck(opts = {}) {
 // ── ssh ─────────────────────────────────────────────────────────────────────
 
 export async function azureSsh(opts = {}) {
-  const state = requireVmState(opts.vmName);
-  const ip = state.publicIp;
+  const { knockForVm, ensureKnockSequence } = await import("./azure-helpers.js");
+  // Sync IP + knock sequence from Azure before using them
+  const freshState = await ensureKnockSequence(requireVmState(opts.vmName));
+  const ip = freshState?.publicIp;
   if (!ip) { console.error(chalk.red("\n  No IP address. Is the VM running? Try: fops azure start\n")); process.exit(1); }
 
-  await knockForVm(state);
+  await knockForVm(freshState);
 
   const { execa } = await import("execa");
-  await execa("ssh", [
+  const result = await execa("ssh", [
     "-o", "StrictHostKeyChecking=no",
+    "-o", "UserKnownHostsFile=/dev/null",
+    "-o", "ConnectTimeout=15",
     `${DEFAULTS.adminUser}@${ip}`,
   ], { stdio: "inherit", reject: false });
+  if (result.exitCode !== 0 && result.exitCode !== null) {
+    console.error(chalk.red(`\n  SSH failed (exit ${result.exitCode}). If port-knock is enabled, try: fops azure knock open ${freshState?.vmName}\n`));
+    process.exit(1);
+  }
 }
 
 // ── port forward ─────────────────────────────────────────────────────────────
@@ -1005,11 +1013,11 @@ export async function azureRunUp(opts = {}) {
       5000,
     );
     let npmCode = tryUserFirst.exitCode === 0
-      ? (await ssh('D="$(npm root -g 2>/dev/null)/@meshxdata"; rm -rf "$D" 2>/dev/null; npm install -g @meshxdata/fops@latest 2>&1', 300000)).exitCode
+      ? (await ssh('sudo rm -f /usr/bin/fops /usr/local/bin/fops 2>/dev/null; D="$(npm root -g 2>/dev/null)/@meshxdata"; rm -rf "$D" 2>/dev/null; npm install -g @meshxdata/fops@latest 2>&1', 300000)).exitCode
       : 1;
     if (npmCode !== 0) {
       npmCode = (await ssh(
-        "sudo -E bash -c 'D=\"$(npm root -g)/@meshxdata\"; rm -rf \"$D\" 2>/dev/null; npm install -g @meshxdata/fops@latest' 2>&1",
+        "sudo -E bash -c 'rm -f /usr/bin/fops /usr/local/bin/fops 2>/dev/null; D=\"$(npm root -g)/@meshxdata\"; rm -rf \"$D\" 2>/dev/null; npm install -g @meshxdata/fops@latest' 2>&1",
         300000,
       )).exitCode;
     }
@@ -1874,7 +1882,7 @@ export async function azureUpdate(opts = {}) {
       );
       if (tryUserFirst.exitCode === 0) {
         const userInstall = await ssh(
-          'D="$(npm root -g 2>/dev/null)/@meshxdata"; rm -rf "$D" 2>/dev/null; npm install -g @meshxdata/fops@latest 2>&1',
+          'sudo rm -f /usr/bin/fops /usr/local/bin/fops 2>/dev/null; D="$(npm root -g 2>/dev/null)/@meshxdata"; rm -rf "$D" 2>/dev/null; npm install -g @meshxdata/fops@latest 2>&1',
           300000,
         );
         npmCode = userInstall.exitCode;
@@ -1884,7 +1892,7 @@ export async function azureUpdate(opts = {}) {
       if (npmCode !== 0) {
         const sudoInstall = await ssh(
           "sudo -E bash -c '" +
-          'D="$(npm root -g)/@meshxdata"; rm -rf "$D" 2>/dev/null; npm install -g @meshxdata/fops@latest' +
+          'rm -f /usr/bin/fops /usr/local/bin/fops 2>/dev/null; D="$(npm root -g)/@meshxdata"; rm -rf "$D" 2>/dev/null; npm install -g @meshxdata/fops@latest' +
           "' 2>&1",
           300000,
         );
@@ -2361,31 +2369,6 @@ export async function azureList(opts = {}) {
   let aksClusters = (fullState.azure || {}).clusters || {};
   let hasAks = Object.keys(aksClusters).length > 0;
 
-  // Always try to discover VMs from Azure (tag managed=fops) so we re-add any that were
-  // lost from local state (e.g. state file reset or edited).
-  try {
-    const execa = await lazyExeca();
-    await ensureAzCli(execa);
-    await ensureAzAuth(execa, { subscription: opts.subscription });
-    const found = await discoverVmsFromAzure(execa, { quiet: true, subscription: opts.subscription });
-    if (found > 0) {
-      console.log(OK(`  ✓ Re-discovered ${found} VM(s) from Azure`) + DIM(" (tag managed=fops)\n"));
-      ({ activeVm, vms } = listVms());
-      vmNames = Object.keys(vms);
-      fullState = readState();
-      aksClusters = (fullState.azure || {}).clusters || {};
-      hasAks = Object.keys(aksClusters).length > 0;
-    }
-  } catch { /* az not available or not authenticated */ }
-
-  if (vmNames.length === 0 && !hasAks) {
-    banner("Azure VMs");
-    hint("No VMs or clusters found in Azure.");
-    hint("Create a VM:       fops azure up <name>");
-    hint("Create a cluster:  fops azure aks up <name>\n");
-    return;
-  }
-
   // Use cache if fresh, otherwise try shared tags, then fall back to full sync
   const forceLive = opts.live;
   let cache = readCache();
@@ -2406,13 +2389,37 @@ export async function azureList(opts = {}) {
       } catch { /* tag read failed, fall through to full sync */ }
     }
 
+    // Discovery + full sync only when all caches are stale
     if (!fresh) {
+      try {
+        const execa = await lazyExeca();
+        await ensureAzCli(execa);
+        await ensureAzAuth(execa, { subscription: opts.subscription });
+        const found = await discoverVmsFromAzure(execa, { quiet: true, subscription: opts.subscription });
+        if (found > 0) {
+          console.log(OK(`  ✓ Re-discovered ${found} VM(s) from Azure`) + DIM(" (tag managed=fops)\n"));
+          ({ activeVm, vms } = listVms());
+          vmNames = Object.keys(vms);
+          fullState = readState();
+          aksClusters = (fullState.azure || {}).clusters || {};
+          hasAks = Object.keys(aksClusters).length > 0;
+        }
+      } catch { /* az not available or not authenticated */ }
+
       await azureSync({ quiet: !opts.verbose });
       cache = readCache();
       cacheSource = "live";
     }
   }
 
+  if (vmNames.length === 0 && !hasAks) {
+    banner("Azure VMs");
+    hint("No VMs or clusters found in Azure.");
+    hint("Create a VM:       fops azure up <name>");
+    hint("Create a cluster:  fops azure aks up <name>\n");
+    return;
+  }
+
   const cachedVms = cache?.vms || {};
   const cachedClusters = cache?.clusters || {};
   const cacheTime = cache?.updatedAt;
@@ -2775,8 +2782,10 @@ export async function azureApply(file, opts = {}) {
 // ── knock ────────────────────────────────────────────────────────────────────
 
 export async function azureKnock(opts = {}) {
-  const state = requireVmState(opts.vmName);
-  if (!state.knockSequence?.length) {
+  const { ensureKnockSequence } = await import("./azure-helpers.js");
+  // Sync IP + knock sequence from Azure before using them
+  const state = await ensureKnockSequence(requireVmState(opts.vmName));
+  if (!state?.knockSequence?.length) {
     console.error(ERR("\n  Port knocking is not configured on this VM."));
     hint(`Provision with:  fops azure up${nameArg(state?.vmName)}\n`);
     process.exit(1);
@@ -3096,7 +3105,7 @@ export async function azureKnockVerify(opts = {}) {
 
 export async function azureKnockFix(opts = {}) {
   const execa = await lazyExeca();
-  const { setupKnockd, generateKnockSequence } = await import("./port-knock.js");
+  const { generateKnockSequence } = await import("./port-knock.js");
   const { vms } = listVms();
   const targets = opts.vmName ? [opts.vmName] : Object.keys(vms);
 
@@ -3105,33 +3114,178 @@ export async function azureKnockFix(opts = {}) {
     return;
   }
 
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: opts.profile });
+
   banner("Knock Fix");
 
   for (const name of targets) {
     const state = vms[name];
-    if (!state?.publicIp) continue;
-    const ip = state.publicIp;
-
-    console.log(`\n  ${LABEL(name)} ${DIM(`(${ip})`)}`);
-
-    // Knock with existing sequence if available
-    if (state.knockSequence?.length) {
-      await performKnock(ip, state.knockSequence, { quiet: true });
+    if (!state?.resourceGroup) {
+      console.log(chalk.dim(`  ${name}: no resource group — skipped`));
+      continue;
     }
+    const { publicIp: ip, resourceGroup: rg } = state;
 
-    const ssh = (cmd) => sshCmd(execa, ip, DEFAULTS.adminUser, cmd, 30000);
+    console.log(`\n  ${LABEL(name)} ${DIM(`(${ip || "no IP"})`)}`);
 
-    // Generate new sequence and re-setup
     const knockSeq = state.knockSequence?.length ? state.knockSequence : generateKnockSequence();
     const appPort = DEFAULTS.publicPort || 443;
-    await setupKnockd(ssh, knockSeq, { appPort });
-    writeVmState(name, { knockSequence: knockSeq });
-    if (state.resourceGroup) await setVmKnockTag(execa, state.resourceGroup, name, knockSeq, opts.profile);
 
-    console.log(OK(`    ✓ Knock re-configured`));
+    // Build the setup script to run via az vm run-command (works even when SSH is locked)
+    const script = buildKnockdScript(knockSeq, appPort);
+
+    console.log(chalk.dim("  Running via az vm run-command (bypasses firewall)..."));
+    const { stdout, exitCode } = await execa("az", [
+      "vm", "run-command", "invoke",
+      "--resource-group", rg,
+      "--name", name,
+      "--command-id", "RunShellScript",
+      "--scripts", script,
+      "--output", "json",
+      ...subArgs(opts.profile),
+    ], { reject: false, timeout: 180000 });
+
+    if (exitCode !== 0) {
+      console.error(ERR(`    ✗ az run-command failed for ${name}`));
+      continue;
+    }
 
-    await closeKnock(ssh, { quiet: true });
+    // Check script output for errors
+    try {
+      const result = JSON.parse(stdout);
+      const msg = result?.value?.[0]?.message || "";
+      if (msg.toLowerCase().includes("failed") || msg.toLowerCase().includes("error")) {
+        console.log(chalk.dim(`    Script output: ${msg.slice(0, 200)}`));
+      }
+    } catch { /* ignore parse errors */ }
+
+    writeVmState(name, { knockSequence: knockSeq });
+    await setVmKnockTag(execa, rg, name, knockSeq, opts.profile);
+
+    console.log(OK(`    ✓ Knock re-configured (sequence: ${knockSeq.join(" → ")})`));
   }
 
   console.log(OK(`\n  ✓ Done — run fops azure knock verify to confirm.\n`));
 }
+
+/**
+ * Build a self-contained bash script that installs knockd and configures
+ * iptables. Designed to run via az vm run-command (no SSH needed).
+ */
+function buildKnockdScript(sequence, appPort) {
+  const ports = [22];
+  if (appPort && appPort !== 22) ports.push(Number(appPort));
+
+  const openCmds = ports.map(p => `/usr/sbin/iptables -I INPUT -s %IP% -p tcp --dport ${p} -j ACCEPT`).join(" && ");
+  const closeCmds = ports.map(p => `/usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport ${p} -j ACCEPT`).join(" && ");
+  const KNOCK_CMD_TIMEOUT = 300;
+
+  // iptables rules: clean up stale entries, then insert DROP + ESTABLISHED
+  const iptRules = [];
+  for (const p of ports) {
+    iptRules.push(
+      `while iptables -D INPUT -p tcp --dport ${p} -j DROP 2>/dev/null; do :; done`,
+      `while iptables -D INPUT -p tcp --dport ${p} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null; do :; done`,
+      `while iptables -D INPUT -p tcp --dport ${p} -j ACCEPT 2>/dev/null; do :; done`,
+    );
+  }
+  for (const p of ports) {
+    iptRules.push(
+      `iptables -I INPUT -p tcp --dport ${p} -j DROP`,
+      `iptables -I INPUT -p tcp --dport ${p} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`,
+    );
+  }
+
+  return [
+    "#!/bin/bash",
+    "set -e",
+    // Detect interface dynamically inside the script
+    "IFACE=$(ip route show default 2>/dev/null | awk '{print $5}' | head -1)",
+    "IFACE=${IFACE:-eth0}",
+    // Install knockd
+    "export DEBIAN_FRONTEND=noninteractive",
+    "apt-get update -qq",
+    "apt-get install -y -qq knockd iptables-persistent 2>/dev/null || true",
+    // Write knockd.conf using printf to avoid heredoc quoting issues
+    `printf '[options]\\n    UseSyslog\\n    Interface = %s\\n\\n[openPorts]\\n    sequence    = ${sequence.join(",")}\\n    seq_timeout = 15\\n    command     = ${openCmds}\\n    tcpflags    = syn\\n    cmd_timeout = ${KNOCK_CMD_TIMEOUT}\\n    stop_command = ${closeCmds}\\n' "$IFACE" > /etc/knockd.conf`,
+    // Enable knockd service
+    "sed -i 's/^START_KNOCKD=0/START_KNOCKD=1/' /etc/default/knockd 2>/dev/null || true",
+    `sed -i "s|^KNOCKD_OPTS=.*|KNOCKD_OPTS=\\"-i $IFACE\\"|" /etc/default/knockd 2>/dev/null || true`,
+    // Apply iptables rules
+    ...iptRules,
+    "netfilter-persistent save 2>/dev/null || true",
+    "systemctl enable knockd",
+    "systemctl restart knockd",
+    "echo 'knockd configured OK'",
+  ].join("\n");
+}
+
+// ── ssh whitelist-me ─────────────────────────────────────────────────────────
+
+export async function azureSshWhitelistMe(opts = {}) {
+  const execa = await lazyExeca();
+  const sub = opts.profile;
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: sub });
+  const state = requireVmState(opts.vmName);
+  const { vmName, resourceGroup: rg } = state;
+
+  const myIp = await fetchMyIp();
+  if (!myIp) {
+    console.error(ERR("\n  Could not detect your public IP address.\n"));
+    process.exit(1);
+  }
+  const myCidr = `${myIp}/32`;
+
+  // Resolve NSG name from NIC
+  const nicName = `${vmName}VMNic`;
+  const { stdout: nicJson, exitCode: nicCode } = await execa("az", [
+    "network", "nic", "show", "-g", rg, "-n", nicName, "--output", "json",
+    ...subArgs(sub),
+  ], { reject: false, timeout: 15000 });
+  let nsgName = `${vmName}NSG`;
+  if (nicCode === 0) {
+    const nsgId = JSON.parse(nicJson).networkSecurityGroup?.id || "";
+    if (nsgId) nsgName = nsgId.split("/").pop();
+  }
+
+  // Fetch current SSH rule
+  const { stdout: rulesJson, exitCode: rulesCode } = await execa("az", [
+    "network", "nsg", "rule", "list", "-g", rg, "--nsg-name", nsgName, "--output", "json",
+    ...subArgs(sub),
+  ], { reject: false, timeout: 15000 });
+  const rules = rulesCode === 0 ? JSON.parse(rulesJson || "[]") : [];
+  const inboundAllow = rules.filter(r => r.access === "Allow" && r.direction === "Inbound");
+  const sshRule = inboundAllow.find(r =>
+    r.destinationPortRange === "22" ||
+    (Array.isArray(r.destinationPortRanges) && r.destinationPortRanges.includes("22"))
+  );
+
+  const currentSources = [];
+  if (sshRule?.sourceAddressPrefix) currentSources.push(sshRule.sourceAddressPrefix);
+  if (Array.isArray(sshRule?.sourceAddressPrefixes)) currentSources.push(...sshRule.sourceAddressPrefixes);
+
+  if (currentSources.includes(myCidr)) {
+    console.log(OK(`\n  ✓ ${myCidr} is already whitelisted for SSH on ${vmName}\n`));
+    return;
+  }
+
+  const merged = [...new Set([...currentSources.filter(s => s && s !== "*" && s !== "Internet"), myCidr])];
+  console.log(chalk.yellow(`  ↻ Adding ${myCidr} to SSH rule on ${nsgName} (${currentSources.length} existing)...`));
+  const { exitCode: updateCode } = await execa("az", [
+    "network", "nsg", "rule", "create", "-g", rg, "--nsg-name", nsgName,
+    "-n", sshRule?.name || "allow-ssh", "--priority", String(sshRule?.priority || 1000),
+    "--destination-port-ranges", "22", "--access", "Allow",
+    "--source-address-prefixes", ...merged,
+    "--protocol", "Tcp", "--direction", "Inbound", "--output", "none",
+    ...subArgs(sub),
+  ], { reject: false, timeout: 30000 });
+
+  if (updateCode !== 0) {
+    console.error(ERR(`\n  Failed to update NSG rule on ${nsgName}\n`));
+    process.exit(1);
+  }
+  console.log(OK(`\n  ✓ SSH (22) whitelisted for ${myCidr} on ${vmName} (${nsgName})\n`));
+  console.log(`  Sources: ${merged.join(", ")}\n`);
+}