@meshxdata/fops 0.1.48 → 0.1.50

package/src/plugins/bundled/fops-plugin-azure/lib/azure-ops-knock.js

@@ -0,0 +1,527 @@
+/**
+ * azure-ops-knock.js - Port knocking and SSH security operations
+ *
+ * Split from azure-ops.js for maintainability.
+ */
+
+import chalk from "chalk";
+import { performKnock, closeKnock, removeKnockd } from "./port-knock.js";
+import { writeVmState, listVms, requireVmState } from "./azure-state.js";
+import {
+  DEFAULTS, DIM, OK, WARN, ERR, LABEL,
+  banner, hint, nameArg,
+  lazyExeca, ensureAzCli, ensureAzAuth, subArgs, fetchMyIp,
+  sshCmd, MUX_OPTS,
+  setVmKnockTag,
+} from "./azure-helpers.js";
+
+// ── knock ────────────────────────────────────────────────────────────────────
+
+export async function azureKnock(opts = {}) {
+  const { ensureKnockSequence } = await import("./azure-helpers.js");
+  // Sync IP + knock sequence from Azure before using them
+  const state = await ensureKnockSequence(requireVmState(opts.vmName));
+  if (!state?.knockSequence?.length) {
+    console.error(ERR("\n  Port knocking is not configured on this VM."));
+    hint(`Provision with:  fops azure up${nameArg(state?.vmName)}\n`);
+    process.exit(1);
+  }
+  const ip = state.publicIp;
+  if (!ip) { console.error(ERR("\n  No IP address. Is the VM running?\n")); process.exit(1); }
+
+  await performKnock(ip, state.knockSequence);
+
+  hint("SSH (22) open for ~5 min from your IP.");
+  hint(`Connect:  ssh ${DEFAULTS.adminUser}@${ip}`);
+  if (state.publicUrl) hint(`Browse:   ${state.publicUrl}`);
+  console.log();
+}
+
+export async function azureKnockClose(opts = {}) {
+  const execa = await lazyExeca();
+  const state = requireVmState(opts.vmName);
+  if (!state.knockSequence?.length) {
+    console.error(ERR("\n  Port knocking is not configured on this VM."));
+    hint(`Provision with:  fops azure up${nameArg(state?.vmName)}\n`);
+    process.exit(1);
+  }
+  const ip = state.publicIp;
+  if (!ip) { console.error(ERR("\n  No IP. Is the VM running?\n")); process.exit(1); }
+
+  await performKnock(ip, state.knockSequence, { quiet: true });
+  const ssh = (cmd) => sshCmd(execa, ip, DEFAULTS.adminUser, cmd);
+  await closeKnock(ssh);
+}
+
+/**
+ * Run the same teardown as removeKnockd on the VM via Azure Run Command (no SSH needed).
+ * Use when VM is unreachable (e.g. knock broken, wrong sequence).
+ */
+async function removeKnockdViaRunCommand(execa, rg, vmName, sub) {
+  const script = [
+    "for dport in $(sudo iptables -L INPUT -n 2>/dev/null | grep 'tcp dpt:' | grep -oP 'dpt:\\K[0-9]+' | sort -u); do sudo iptables -D INPUT -p tcp --dport $dport -j DROP 2>/dev/null || true; sudo iptables -D INPUT -p tcp --dport $dport -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true; done",
+    "sudo netfilter-persistent save 2>/dev/null || true",
+    "sudo systemctl stop knockd 2>/dev/null || true",
+    "sudo systemctl disable knockd 2>/dev/null || true",
+  ].join(" && ");
+  const { exitCode } = await execa("az", [
+    "vm", "run-command", "invoke", "--resource-group", rg, "--name", vmName,
+    "--command-id", "RunShellScript", "--scripts", script,
+    "--output", "none", ...subArgs(sub),
+  ], { timeout: 60000, reject: false });
+  return exitCode === 0;
+}
+
+export async function azureKnockDisable(opts = {}) {
+  const execa = await lazyExeca();
+  const state = requireVmState(opts.vmName);
+  const ip = state.publicIp;
+  if (!ip) { console.error(chalk.red("\n  No IP. Is the VM running?\n")); process.exit(1); }
+
+  if (!state.knockSequence?.length) {
+    console.log(chalk.dim("\n  Port knocking is not configured.\n"));
+    return;
+  }
+
+  const rg = state.resourceGroup;
+  const vmName = state.vmName || opts.vmName;
+  const sub = opts.profile;
+
+  const trySsh = async () => {
+    await performKnock(ip, state.knockSequence, { quiet: true });
+    const ssh = (cmd) => sshCmd(execa, ip, DEFAULTS.adminUser, cmd, 15000);
+    await removeKnockd(ssh);
+  };
+
+  let sshOk = false;
+  if (rg && vmName) {
+    let sshReachable = false;
+    try {
+      await performKnock(ip, state.knockSequence, { quiet: true });
+      const { exitCode } = await execa("ssh", [
+        ...MUX_OPTS(ip, DEFAULTS.adminUser),
+        "-o", "BatchMode=yes", "-o", "ConnectTimeout=8",
+        `${DEFAULTS.adminUser}@${ip}`, "echo ok",
+      ], { timeout: 12000, reject: false });
+      sshReachable = exitCode === 0;
+    } catch { sshReachable = false; }
+    if (sshReachable) {
+      try {
+        await trySsh();
+        sshOk = true;
+      } catch (e) {
+        console.log(chalk.yellow("  SSH failed: " + (e?.message || e) + " — trying Azure Run Command…"));
+      }
+    } else {
+      console.log(chalk.dim("  VM not reachable via SSH — using Azure Run Command (no knock required)."));
+    }
+    if (!sshOk && rg && vmName) {
+      const ok = await removeKnockdViaRunCommand(execa, rg, vmName, sub);
+      if (ok) {
+        console.log(chalk.green("  ✓ Port knocking disabled via Azure Run Command — all ports open"));
+        sshOk = true;
+      } else {
+        console.error(chalk.red("\n  Run Command failed. Ensure VM agent is running and you have access to the resource group.\n"));
+        process.exit(1);
+      }
+    }
+  }
+  if (!sshOk) {
+    try {
+      await trySsh();
+    } catch (e) {
+      if (rg && vmName) {
+        console.error(chalk.red("\n  Could not reach VM via SSH and no resource group/vm name for Run Command.\n"));
+      } else {
+        console.error(chalk.red("\n  Could not reach VM via SSH. If knock is broken, ensure state has resourceGroup/vmName and retry (uses az vm run-command).\n"));
+      }
+      process.exit(1);
+    }
+  }
+
+  writeVmState(state.vmName, { knockSequence: undefined });
+}
+
+export async function azureKnockVerify(opts = {}) {
+  const execa = await lazyExeca();
+  const { vms } = listVms();
+  const targets = opts.vmName ? [opts.vmName] : Object.keys(vms);
+
+  if (targets.length === 0) {
+    hint("No VMs tracked.\n");
+    return;
+  }
+
+  banner("Knock Verification");
+  let issues = 0;
+
+  const KNOCK_PORT_RANGE = { min: 49152, max: 49200 };
+  const knockRangeStr = `${KNOCK_PORT_RANGE.min}-${KNOCK_PORT_RANGE.max}`;
+
+  for (const name of targets) {
+    const state = vms[name];
+    if (!state) { console.log(ERR(`  ✗ ${name}: not tracked`)); issues++; continue; }
+    const ip = state.publicIp;
+    if (!ip) { console.log(ERR(`  ✗ ${name}: no public IP`)); issues++; continue; }
+
+    console.log(`\n  ${LABEL(name)} ${DIM(`(${ip})`)}`);
+
+    // ── Azure NSG (firewall) — no SSH needed ─────────────────────────────────
+    const rg = state.resourceGroup;
+    const vmName = state.vmName || name;
+    if (rg) {
+      try {
+        const { stdout: nicId } = await execa("az", [
+          "vm", "show", "-g", rg, "-n", vmName,
+          "--query", "networkProfile.networkInterfaces[0].id", "-o", "tsv",
+          ...subArgs(opts.profile),
+        ], { timeout: 15000, reject: false });
+        if (nicId?.trim()) {
+          const { stdout: nsgId } = await execa("az", [
+            "network", "nic", "show", "--ids", nicId.trim(),
+            "--query", "networkSecurityGroup.id", "-o", "tsv",
+            ...subArgs(opts.profile),
+          ], { timeout: 10000, reject: false });
+          if (nsgId?.trim()) {
+            const nsgName = nsgId.trim().split("/").pop();
+            const { stdout: rulesJson } = await execa("az", [
+              "network", "nsg", "rule", "list", "-g", rg, "--nsg-name", nsgName,
+              "--output", "json", ...subArgs(opts.profile),
+            ], { timeout: 10000, reject: false });
+            const rules = rulesJson ? JSON.parse(rulesJson) : [];
+            const allow = rules.filter((r) => r.direction === "Inbound" && r.access === "Allow");
+            const has22 = allow.some((r) =>
+              r.destinationPortRange === "22" || (r.destinationPortRanges || []).includes("22")
+            );
+            const hasKnockRange = allow.some((r) =>
+              r.destinationPortRange === knockRangeStr ||
+              (r.destinationPortRanges || []).some((p) => {
+                const n = parseInt(p, 10);
+                return n >= KNOCK_PORT_RANGE.min && n <= KNOCK_PORT_RANGE.max;
+              })
+            );
+            if (has22 && hasKnockRange) {
+              console.log(OK(`    ✓ NSG "${nsgName}": SSH (22) + knock range (${knockRangeStr}) allowed`));
+            } else {
+              if (!has22) { console.log(ERR(`    ✗ NSG: no rule allowing port 22`)); issues++; }
+              if (!hasKnockRange) { console.log(ERR(`    ✗ NSG: no rule allowing knock ports ${knockRangeStr}`)); issues++; }
+              hint(`      Fix: fops azure up ${name}  (reconciles NSG rules)`);
+            }
+          } else {
+            console.log(WARN("    ⚠ No NSG on NIC — SSH/knock not restricted at Azure level"));
+          }
+        }
+      } catch (e) {
+        console.log(WARN(`    ⚠ Could not check NSG: ${e.message || e}`));
+      }
+    }
+
+    // Check local config
+    if (!state.knockSequence?.length) {
+      console.log(WARN("    ⚠ No knock sequence stored locally"));
+      console.log(DIM("      Fix: fops azure up " + name));
+      issues++;
+      continue;
+    }
+    console.log(OK(`    ✓ Local sequence: ${state.knockSequence.join(" → ")}`));
+
+    // Knock to get SSH access for diagnostics
+    await performKnock(ip, state.knockSequence, { quiet: true });
+
+    const ssh = (cmd) => sshCmd(execa, ip, DEFAULTS.adminUser, cmd, 10000);
+
+    // In-guest checks (may fail if knock/SSH still blocked)
+    let sshOk = false;
+    try {
+      const { exitCode } = await execa("ssh", [
+        ...MUX_OPTS(ip, DEFAULTS.adminUser),
+        "-o", "BatchMode=yes", "-o", "ConnectTimeout=8",
+        `${DEFAULTS.adminUser}@${ip}`, "echo ok",
+      ], { timeout: 12000, reject: false });
+      sshOk = exitCode === 0;
+    } catch { sshOk = false; }
+    if (!sshOk) {
+      console.log(ERR("    ✗ SSH unreachable after knock — check NSG above and sequence match"));
+      hint(`      Try: fops azure knock open ${name}  then  fops azure ssh ${name}`);
+      hint(`      Or: fops azure knock fix ${name}  to re-setup knock`);
+      issues++;
+      continue;
+    }
+
+    // Check knockd service
+    const { stdout: knockdStatus } = await ssh(
+      "systemctl is-active knockd 2>/dev/null || echo inactive"
+    );
+    if (knockdStatus?.trim() === "active") {
+      console.log(OK("    ✓ knockd service: active"));
+    } else {
+      console.log(ERR("    ✗ knockd service: " + (knockdStatus?.trim() || "unknown")));
+      console.log(DIM("      Fix: fops azure up " + name));
+      issues++;
+    }
+
+    // Check iptables DROP rules for port 22 and 443
+    const { stdout: iptables } = await ssh(
+      "sudo iptables -L INPUT -n --line-numbers 2>/dev/null"
+    );
+    const lines = (iptables || "").split("\n");
+
+    for (const port of [22, 443]) {
+      const dropRule = lines.find(l => l.includes("DROP") && l.includes(`dpt:${port}`));
+      const estRule = lines.find(l => l.includes("ACCEPT") && l.includes(`dpt:${port}`) && l.includes("ESTABLISHED"));
+
+      if (dropRule && estRule) {
+        const dropNum = parseInt(dropRule.trim());
+        const estNum = parseInt(estRule.trim());
+        if (estNum < dropNum) {
+          console.log(OK(`    ✓ Port ${port}: DROP rule #${dropNum}, ESTABLISHED rule #${estNum} (correct order)`));
+        } else {
+          console.log(ERR(`    ✗ Port ${port}: ESTABLISHED rule #${estNum} is AFTER DROP #${dropNum} (wrong order)`));
+          issues++;
+        }
+      } else if (!dropRule) {
+        console.log(ERR(`    ✗ Port ${port}: no DROP rule — port is wide open`));
+        issues++;
+      } else if (!estRule) {
+        console.log(WARN(`    ⚠ Port ${port}: DROP exists but no ESTABLISHED rule (may break active sessions)`));
+        issues++;
+      }
+    }
+
+    // Check for broad ACCEPT rules that would override DROP
+    const broadAccept = lines.filter(l =>
+      l.includes("ACCEPT") &&
+      l.includes("0.0.0.0/0") &&
+      !l.includes("dpt:") &&
+      !l.includes("ESTABLISHED") &&
+      !l.includes("RELATED")
+    );
+    if (broadAccept.length > 0) {
+      for (const rule of broadAccept) {
+        const ruleNum = parseInt(rule.trim());
+        const drop22 = lines.find(l => l.includes("DROP") && l.includes("dpt:22"));
+        const dropNum = drop22 ? parseInt(drop22.trim()) : 999;
+        if (ruleNum < dropNum) {
+          console.log(ERR(`    ✗ Broad ACCEPT-all rule #${ruleNum} is before DROP #${dropNum} — bypasses knock!`));
+          issues++;
+        }
+      }
+    }
+
+    // Check knockd config matches local sequence
+    const { stdout: confRaw } = await ssh("sudo cat /etc/knockd.conf 2>/dev/null || echo ''");
+    const seqMatch = confRaw?.match(/sequence\s*=\s*([\d,]+)/);
+    if (seqMatch) {
+      const remoteSeq = seqMatch[1].split(",").map(Number);
+      const localSeq = state.knockSequence;
+      if (JSON.stringify(remoteSeq) === JSON.stringify(localSeq)) {
+        console.log(OK("    ✓ knockd.conf sequence matches local state"));
+      } else {
+        console.log(ERR(`    ✗ Sequence mismatch — remote: [${remoteSeq.join(",")}] vs local: [${localSeq.join(",")}]`));
+        console.log(DIM("      Fix: fops azure knock disable " + name + " && fops azure up " + name));
+        issues++;
+      }
+    } else {
+      console.log(ERR("    ✗ Could not read /etc/knockd.conf"));
+      issues++;
+    }
+
+    // Close the door after verification
+    await closeKnock(ssh, { quiet: true });
+  }
+
+  console.log("");
+  if (issues > 0) {
+    console.log(ERR(`  ${issues} issue(s) found.`));
+    hint("To re-setup knock on all VMs: fops azure knock fix\n");
+  } else {
+    console.log(OK("  ✓ All VMs properly configured — ports are blocked until knocked.\n"));
+  }
+}
+
+export async function azureKnockFix(opts = {}) {
+  const execa = await lazyExeca();
+  const { generateKnockSequence } = await import("./port-knock.js");
+  const { vms } = listVms();
+  const targets = opts.vmName ? [opts.vmName] : Object.keys(vms);
+
+  if (targets.length === 0) {
+    hint("No VMs tracked.\n");
+    return;
+  }
+
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: opts.profile });
+
+  banner("Knock Fix");
+
+  for (const name of targets) {
+    const state = vms[name];
+    if (!state?.resourceGroup) {
+      console.log(chalk.dim(`  ${name}: no resource group — skipped`));
+      continue;
+    }
+    const { publicIp: ip, resourceGroup: rg } = state;
+
+    console.log(`\n  ${LABEL(name)} ${DIM(`(${ip || "no IP"})`)}`);
+
+    const knockSeq = state.knockSequence?.length ? state.knockSequence : generateKnockSequence();
+    const appPort = DEFAULTS.publicPort || 443;
+
+    // Build the setup script to run via az vm run-command (works even when SSH is locked)
+    const script = buildKnockdScript(knockSeq, appPort);
+
+    console.log(chalk.dim("  Running via az vm run-command (bypasses firewall)..."));
+    const { stdout, exitCode } = await execa("az", [
+      "vm", "run-command", "invoke",
+      "--resource-group", rg,
+      "--name", name,
+      "--command-id", "RunShellScript",
+      "--scripts", script,
+      "--output", "json",
+      ...subArgs(opts.profile),
+    ], { reject: false, timeout: 180000 });
+
+    if (exitCode !== 0) {
+      console.error(ERR(`    ✗ az run-command failed for ${name}`));
+      continue;
+    }
+
+    // Check script output for errors
+    try {
+      const result = JSON.parse(stdout);
+      const msg = result?.value?.[0]?.message || "";
+      if (msg.toLowerCase().includes("failed") || msg.toLowerCase().includes("error")) {
+        console.log(chalk.dim(`    Script output: ${msg.slice(0, 200)}`));
+      }
+    } catch { /* ignore parse errors */ }
+
+    writeVmState(name, { knockSequence: knockSeq });
+    await setVmKnockTag(execa, rg, name, knockSeq, opts.profile);
+
+    console.log(OK(`    ✓ Knock re-configured (sequence: ${knockSeq.join(" → ")})`));
+  }
+
+  console.log(OK(`\n  ✓ Done — run fops azure knock verify to confirm.\n`));
+}
+
+/**
+ * Build a self-contained bash script that installs knockd and configures
+ * iptables. Designed to run via az vm run-command (no SSH needed).
+ */
+function buildKnockdScript(sequence, appPort) {
+  const ports = [22];
+  if (appPort && appPort !== 22) ports.push(Number(appPort));
+
+  const openCmds = ports.map(p => `/usr/sbin/iptables -I INPUT -s %IP% -p tcp --dport ${p} -j ACCEPT`).join(" && ");
+  const closeCmds = ports.map(p => `/usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport ${p} -j ACCEPT`).join(" && ");
+  const KNOCK_CMD_TIMEOUT = 300;
+
+  // iptables rules: clean up stale entries, then insert DROP + ESTABLISHED
+  const iptRules = [];
+  for (const p of ports) {
+    iptRules.push(
+      `while iptables -D INPUT -p tcp --dport ${p} -j DROP 2>/dev/null; do :; done`,
+      `while iptables -D INPUT -p tcp --dport ${p} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null; do :; done`,
+      `while iptables -D INPUT -p tcp --dport ${p} -j ACCEPT 2>/dev/null; do :; done`,
+    );
+  }
+  for (const p of ports) {
+    iptRules.push(
+      `iptables -I INPUT -p tcp --dport ${p} -j DROP`,
+      `iptables -I INPUT -p tcp --dport ${p} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`,
+    );
+  }
+
+  return [
+    "#!/bin/bash",
+    "set -e",
+    // Detect interface dynamically inside the script
+    "IFACE=$(ip route show default 2>/dev/null | awk '{print $5}' | head -1)",
+    "IFACE=${IFACE:-eth0}",
+    // Install knockd
+    "export DEBIAN_FRONTEND=noninteractive",
+    "apt-get update -qq",
+    "apt-get install -y -qq knockd iptables-persistent 2>/dev/null || true",
+    // Write knockd.conf using printf to avoid heredoc quoting issues
+    `printf '[options]\\n    UseSyslog\\n    Interface = %s\\n\\n[openPorts]\\n    sequence    = ${sequence.join(",")}\\n    seq_timeout = 15\\n    command     = ${openCmds}\\n    tcpflags    = syn\\n    cmd_timeout = ${KNOCK_CMD_TIMEOUT}\\n    stop_command = ${closeCmds}\\n' "$IFACE" > /etc/knockd.conf`,
+    // Enable knockd service
+    "sed -i 's/^START_KNOCKD=0/START_KNOCKD=1/' /etc/default/knockd 2>/dev/null || true",
+    `sed -i "s|^KNOCKD_OPTS=.*|KNOCKD_OPTS=\\"-i $IFACE\\"|" /etc/default/knockd 2>/dev/null || true`,
+    // Apply iptables rules
+    ...iptRules,
+    "netfilter-persistent save 2>/dev/null || true",
+    "systemctl enable knockd",
+    "systemctl restart knockd",
+    "echo 'knockd configured OK'",
+  ].join("\n");
+}
+
+// ── ssh whitelist-me ─────────────────────────────────────────────────────────
+
+export async function azureSshWhitelistMe(opts = {}) {
+  const execa = await lazyExeca();
+  const sub = opts.profile;
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: sub });
+  const state = requireVmState(opts.vmName);
+  const { vmName, resourceGroup: rg } = state;
+
+  const myIp = await fetchMyIp();
+  if (!myIp) {
+    console.error(ERR("\n  Could not detect your public IP address.\n"));
+    process.exit(1);
+  }
+  const myCidr = `${myIp}/32`;
+
+  // Resolve NSG name from NIC
+  const nicName = `${vmName}VMNic`;
+  const { stdout: nicJson, exitCode: nicCode } = await execa("az", [
+    "network", "nic", "show", "-g", rg, "-n", nicName, "--output", "json",
+    ...subArgs(sub),
+  ], { reject: false, timeout: 15000 });
+  let nsgName = `${vmName}NSG`;
+  if (nicCode === 0) {
+    const nsgId = JSON.parse(nicJson).networkSecurityGroup?.id || "";
+    if (nsgId) nsgName = nsgId.split("/").pop();
+  }
+
+  // Fetch current SSH rule
+  const { stdout: rulesJson, exitCode: rulesCode } = await execa("az", [
+    "network", "nsg", "rule", "list", "-g", rg, "--nsg-name", nsgName, "--output", "json",
+    ...subArgs(sub),
+  ], { reject: false, timeout: 15000 });
+  const rules = rulesCode === 0 ? JSON.parse(rulesJson || "[]") : [];
+  const inboundAllow = rules.filter(r => r.access === "Allow" && r.direction === "Inbound");
+  const sshRule = inboundAllow.find(r =>
+    r.destinationPortRange === "22" ||
+    (Array.isArray(r.destinationPortRanges) && r.destinationPortRanges.includes("22"))
+  );
+
+  const currentSources = [];
+  if (sshRule?.sourceAddressPrefix) currentSources.push(sshRule.sourceAddressPrefix);
+  if (Array.isArray(sshRule?.sourceAddressPrefixes)) currentSources.push(...sshRule.sourceAddressPrefixes);
+
+  if (currentSources.includes(myCidr)) {
+    console.log(OK(`\n  ✓ ${myCidr} is already whitelisted for SSH on ${vmName}\n`));
+    return;
+  }
+
+  const merged = [...new Set([...currentSources.filter(s => s && s !== "*" && s !== "Internet"), myCidr])];
+  console.log(chalk.yellow(`  ↻ Adding ${myCidr} to SSH rule on ${nsgName} (${currentSources.length} existing)...`));
+  const { exitCode: updateCode } = await execa("az", [
+    "network", "nsg", "rule", "create", "-g", rg, "--nsg-name", nsgName,
+    "-n", sshRule?.name || "allow-ssh", "--priority", String(sshRule?.priority || 1000),
+    "--destination-port-ranges", "22", "--access", "Allow",
+    "--source-address-prefixes", ...merged,
+    "--protocol", "Tcp", "--direction", "Inbound", "--output", "none",
+    ...subArgs(sub),
+  ], { reject: false, timeout: 30000 });
+
+  if (updateCode !== 0) {
+    console.error(ERR(`\n  Failed to update NSG rule on ${nsgName}\n`));
+    process.exit(1);
+  }
+  console.log(OK(`\n  ✓ SSH (22) whitelisted for ${myCidr} on ${vmName} (${nsgName})\n`));
+  console.log(`  Sources: ${merged.join(", ")}\n`);
+}