@openparachute/hub 0.5.14-rc.16 → 0.5.14-rc.18

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.14-rc.16",
+  "version": "0.5.14-rc.18",
   "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {

package/src/__tests__/expose-cloudflare.test.ts

@@ -14,6 +14,7 @@ import {
   exposeCloudflareOff,
   exposeCloudflareUp,
 } from "../commands/expose-cloudflare.ts";
+import { readEnvFileValues } from "../env-file.ts";
 import { readExposeState } from "../expose-state.ts";
 import { writeHubPort } from "../hub-control.ts";
 import type { CommandResult, Runner } from "../tailscale/run.ts";
@@ -273,6 +274,121 @@ describe("exposeCloudflareUp", () => {
     }
   });
 
+  test("persists the public hub origin to vault/.env + restarts vault (Cloudflare 401 fix)", async () => {
+    // The Cloudflare 401 P0: the cloudflare path wrote expose-state.json but —
+    // unlike the Tailscale path, which auto-restarts vault and so flows the
+    // public origin into vault/.env via lifecycle's persistVaultHubOrigin —
+    // never touched vault's .env or restarted it. The launchd/systemd daemon
+    // kept booting vault with NO PARACHUTE_HUB_ORIGIN → vault fell back to
+    // loopback as its expected issuer → every hub-minted token (iss=public)
+    // failed the iss check → 401. This asserts the durable .env write + the
+    // running-vault restart that mirrors the Tailscale path.
+    const env = makeEnv();
+    try {
+      // Seed vault as "running" so the restart branch fires. PID lives at
+      // <configDir>/vault/run/vault.pid (see process-state.ts:pidPath).
+      const vaultRun = join(env.configDir, "vault", "run");
+      require("node:fs").mkdirSync(vaultRun, { recursive: true });
+      writeFileSync(join(vaultRun, "vault.pid"), "99001");
+
+      const uuid = "ffffffff-0000-0000-0000-000000000006";
+      const { runner } = queueRunner([
+        { code: 0, stdout: "cloudflared 2024.1.0\n", stderr: "" },
+        { code: 0, stdout: "[]", stderr: "" },
+        {
+          code: 0,
+          stdout: `Tunnel credentials written to ${env.cloudflaredHome}/${uuid}.json.\nCreated tunnel parachute with id ${uuid}\n`,
+          stderr: "",
+        },
+        { code: 0, stdout: "", stderr: "" },
+      ]);
+      const { spawner } = fakeSpawner(42300);
+      const restarted: string[] = [];
+
+      const code = await exposeCloudflareUp("gitcoin-parachute.unforced.dev", {
+        runner,
+        spawner,
+        // `alive` reports the seeded vault pid as running so processState() ===
+        // "running" and the restart branch executes.
+        alive: (pid) => pid === 99001,
+        kill: () => {},
+        log: () => {},
+        manifestPath: env.manifestPath,
+        statePath: env.statePath,
+        exposeStatePath: env.exposeStatePath,
+        configPath: env.configPath,
+        logPath: env.logPath,
+        cloudflaredHome: env.cloudflaredHome,
+        configDir: env.configDir,
+        skipHub: true,
+        restartService: async (short) => {
+          restarted.push(short);
+          return 0;
+        },
+      });
+
+      expect(code).toBe(0);
+      // Durable half: the public origin is written to vault/.env (NOT loopback,
+      // NOT unset) so the daemon boot path validates iss against it.
+      expect(readEnvFileValues(join(env.configDir, "vault", ".env")).PARACHUTE_HUB_ORIGIN).toBe(
+        "https://gitcoin-parachute.unforced.dev",
+      );
+      // Live half: the running vault is restarted to re-read the new origin.
+      expect(restarted).toEqual(["vault"]);
+    } finally {
+      env.cleanup();
+    }
+  });
+
+  test("persists vault/.env but does NOT restart when vault isn't running", async () => {
+    // No vault pidfile → processState() !== "running" → no restart, but the
+    // durable .env write still happens so the next daemon boot is correct.
+    const env = makeEnv();
+    try {
+      const uuid = "ffffffff-0000-0000-0000-000000000007";
+      const { runner } = queueRunner([
+        { code: 0, stdout: "cloudflared 2024.1.0\n", stderr: "" },
+        { code: 0, stdout: "[]", stderr: "" },
+        {
+          code: 0,
+          stdout: `Tunnel credentials written to ${env.cloudflaredHome}/${uuid}.json.\nCreated tunnel parachute with id ${uuid}\n`,
+          stderr: "",
+        },
+        { code: 0, stdout: "", stderr: "" },
+      ]);
+      const { spawner } = fakeSpawner(42301);
+      const restarted: string[] = [];
+
+      const code = await exposeCloudflareUp("gitcoin-parachute.unforced.dev", {
+        runner,
+        spawner,
+        alive: () => false,
+        kill: () => {},
+        log: () => {},
+        manifestPath: env.manifestPath,
+        statePath: env.statePath,
+        exposeStatePath: env.exposeStatePath,
+        configPath: env.configPath,
+        logPath: env.logPath,
+        cloudflaredHome: env.cloudflaredHome,
+        configDir: env.configDir,
+        skipHub: true,
+        restartService: async (short) => {
+          restarted.push(short);
+          return 0;
+        },
+      });
+
+      expect(code).toBe(0);
+      expect(readEnvFileValues(join(env.configDir, "vault", ".env")).PARACHUTE_HUB_ORIGIN).toBe(
+        "https://gitcoin-parachute.unforced.dev",
+      );
+      expect(restarted).toEqual([]);
+    } finally {
+      env.cleanup();
+    }
+  });
+
   test("reuses existing tunnel when name already present", async () => {
     const env = makeEnv();
     try {

package/src/__tests__/lifecycle.test.ts

@@ -13,8 +13,16 @@ import {
 } from "../commands/lifecycle.ts";
 import { readEnvFileValues } from "../env-file.ts";
 import { writeHubPort } from "../hub-control.ts";
+import { hubDbPath, openHubDb } from "../hub-db.ts";
+import { validateAccessToken } from "../jwt-sign.ts";
+import {
+  OPERATOR_TOKEN_SCOPE_SET_CLAIM,
+  issueOperatorToken,
+  readOperatorTokenFile,
+} from "../operator-token.ts";
 import { ensureLogPath, logPath, readPid, writePid } from "../process-state.ts";
 import { upsertService } from "../services-manifest.ts";
+import { rotateSigningKey } from "../signing-keys.ts";
 
 interface Harness {
   configDir: string;
@@ -362,6 +370,51 @@ describe("parachute start", () => {
     }
   });
 
+  test("self-heals a stale-loopback vault/.env from a cloudflare expose-state on restart", async () => {
+    // Existing-broken-deploy shape: a Cloudflare deploy whose vault/.env had a
+    // loopback PARACHUTE_HUB_ORIGIN baked in (or was unset and a prior run
+    // wrote loopback). expose-state.json carries the real public origin. A
+    // plain `parachute start vault` must rewrite vault/.env to the public
+    // origin so the daemon stops 401ing hub tokens — the self-heal half of the
+    // Cloudflare 401 fix.
+    const h = makeHarness();
+    try {
+      seedVault(h.manifestPath);
+      writeFileSync(
+        join(h.configDir, "expose-state.json"),
+        JSON.stringify({
+          version: 1,
+          layer: "public",
+          mode: "subdomain",
+          canonicalFqdn: "gitcoin-parachute.unforced.dev",
+          port: 1939,
+          funnel: false,
+          entries: [{ kind: "proxy", mount: "/", target: "http://localhost:1939", service: "hub" }],
+          hubOrigin: "https://gitcoin-parachute.unforced.dev",
+        }),
+      );
+      // Pre-seed vault/.env with a stale loopback value (the broken state).
+      mkdirSync(join(h.configDir, "vault"), { recursive: true });
+      writeFileSync(
+        join(h.configDir, "vault", ".env"),
+        "PARACHUTE_HUB_ORIGIN=http://127.0.0.1:1939\n",
+      );
+      const spawner = makeSpawner([4242]);
+      const code = await start("vault", {
+        configDir: h.configDir,
+        manifestPath: h.manifestPath,
+        spawner,
+        log: () => {},
+      });
+      expect(code).toBe(0);
+      expect(readEnvFileValues(join(h.configDir, "vault", ".env")).PARACHUTE_HUB_ORIGIN).toBe(
+        "https://gitcoin-parachute.unforced.dev",
+      );
+    } finally {
+      h.cleanup();
+    }
+  });
+
   test("does NOT persist a loopback origin into vault/.env (would shadow a later exposure)", async () => {
     const h = makeHarness();
     try {
@@ -1480,6 +1533,149 @@ describe("parachute start|stop|restart hub", () => {
     }
   });
 
+  // hub#481 — `start hub` self-heals a stale operator-token issuer. Tests use
+  // the injectable `hub.selfHealOperatorToken` seam to assert the call happens
+  // (and to make it throw without failing start); a separate test drives the
+  // REAL self-heal against an on-disk operator token + hub.db.
+  test("start hub: invokes operator-token self-heal with the resolved issuer + configDir", async () => {
+    const h = makeHarness();
+    try {
+      const log: string[] = [];
+      const calls: Array<{ issuer: string; configDir: string }> = [];
+      const code = await start("hub", {
+        configDir: h.configDir,
+        manifestPath: h.manifestPath,
+        hubOrigin: "https://hub.example.com",
+        hub: {
+          ensureRunning: async () => ({ pid: 4711, port: 1939, started: true }),
+          selfHealOperatorToken: async (args) => {
+            calls.push({ issuer: args.issuer, configDir: args.configDir });
+            return {
+              kind: "rotated",
+              path: "/x/operator.token",
+              scopeSet: "admin",
+              expiresAt: "z",
+            };
+          },
+        },
+        log: (l) => log.push(l),
+      });
+      expect(code).toBe(0);
+      expect(calls).toEqual([{ issuer: "https://hub.example.com", configDir: h.configDir }]);
+      // Rotation emits an operator-facing line.
+      expect(log.join("\n")).toMatch(
+        /refreshed operator\.token issuer → https:\/\/hub\.example\.com/,
+      );
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("start hub: skips operator-token self-heal when no hub origin is resolvable", async () => {
+    const h = makeHarness();
+    try {
+      let called = false;
+      // No hubOrigin override, no expose-state, no hub.port file → resolveHubOrigin
+      // yields undefined, so the self-heal seam must NOT be called.
+      const code = await start("hub", {
+        configDir: h.configDir,
+        manifestPath: h.manifestPath,
+        hub: {
+          ensureRunning: async () => ({ pid: 4711, port: 1939, started: true }),
+          selfHealOperatorToken: async () => {
+            called = true;
+            return { kind: "absent" };
+          },
+        },
+        log: () => {},
+      });
+      expect(code).toBe(0);
+      expect(called).toBe(false);
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("start hub: a thrown error inside operator-token self-heal does NOT fail start", async () => {
+    const h = makeHarness();
+    try {
+      const log: string[] = [];
+      const code = await start("hub", {
+        configDir: h.configDir,
+        manifestPath: h.manifestPath,
+        hubOrigin: "https://hub.example.com",
+        hub: {
+          ensureRunning: async () => ({ pid: 4711, port: 1939, started: true }),
+          selfHealOperatorToken: async () => {
+            throw new Error("hub.db is locked");
+          },
+        },
+        log: (l) => log.push(l),
+      });
+      expect(code).toBe(0);
+      // Degrades to a brief note, not a hard failure.
+      expect(log.join("\n")).toMatch(
+        /operator\.token issuer self-heal skipped \(hub\.db is locked\)/,
+      );
+    } finally {
+      h.cleanup();
+    }
+  });
+
+  test("start hub: real self-heal re-mints a stale-iss operator token on disk", async () => {
+    const h = makeHarness();
+    try {
+      // Seed signing keys + a stale-iss operator token in the harness configDir's
+      // hub.db / operator.token, then drive the production self-heal seam.
+      const db = openHubDb(hubDbPath(h.configDir));
+      try {
+        rotateSigningKey(db);
+        await issueOperatorToken(db, "user-abc", {
+          dir: h.configDir,
+          issuer: "http://127.0.0.1:1939",
+          scopeSet: "start",
+        });
+      } finally {
+        db.close();
+      }
+
+      const log: string[] = [];
+      const code = await start("hub", {
+        configDir: h.configDir,
+        manifestPath: h.manifestPath,
+        hubOrigin: "https://gitcoin-parachute.unforced.dev",
+        // No selfHealOperatorToken override → exercises defaultSelfHealOperatorToken
+        // (opens hub.db at <configDir>/hub.db).
+        hub: {
+          ensureRunning: async () => ({ pid: 4711, port: 1939, started: true }),
+        },
+        log: (l) => log.push(l),
+      });
+      expect(code).toBe(0);
+      expect(log.join("\n")).toMatch(
+        /refreshed operator\.token issuer → https:\/\/gitcoin-parachute\.unforced\.dev/,
+      );
+
+      // The on-disk token now validates under the new issuer, scope-set preserved.
+      const verifyDb = openHubDb(hubDbPath(h.configDir));
+      try {
+        const onDisk = await readOperatorTokenFile(h.configDir);
+        expect(onDisk).not.toBeNull();
+        const validated = await validateAccessToken(
+          verifyDb,
+          onDisk as string,
+          "https://gitcoin-parachute.unforced.dev",
+        );
+        expect(validated.payload.iss).toBe("https://gitcoin-parachute.unforced.dev");
+        expect(validated.payload[OPERATOR_TOKEN_SCOPE_SET_CLAIM]).toBe("start");
+      } finally {
+        verifyDb.close();
+      }
+    } finally {
+      h.cleanup();
+    }
+  });
+
   test("stop hub: dispatches to stopHub, true → '✓ hub stopped'", async () => {
     const h = makeHarness();
     try {