feat(plugins): add AutoMTLS, binary integrity verification, and log forwarding#333
Merged
Merged
Conversation
…orwarding - `.go-arch-lint.yml`: allow infra-logger and go-hclog dependencies in plugin infrastructure layer - `README.md`: document AutoMTLS, SHA-256 binary integrity, and log forwarding in feature list; add `awf plugin verify` to command table - `docs/README.md`: update plugins entry to mention transport security and log forwarding - `docs/reference/error-codes.md`: add EXECUTION.PLUGIN.CHECKSUM_MISMATCH error code reference - `docs/user-guide/commands.md`: add full `awf plugin verify` command documentation with flags and examples - `docs/user-guide/plugins.md`: add Plugin Security section covering AutoMTLS, binary integrity, and output forwarding - `internal/domain/errors/codes.go`: add ErrorCodeExecutionPluginChecksumMismatch constant - `internal/domain/errors/codes_test.go`: add tests for new checksum mismatch error code - `internal/domain/pluginmodel/state.go`: add Checksum and ChecksumAt fields to PluginState - `internal/domain/pluginmodel/state_test.go`: add tests for checksum state fields - `internal/infrastructure/logger/hclog_adapter.go`: implement hclog.Logger adapter bridging plugin logs to AWF's zap logger - `internal/infrastructure/logger/hclog_adapter_test.go`: add 280+ lines of tests for hclog adapter - `internal/infrastructure/pluginmgr/rpc_manager.go`: wire AutoMTLS, SHA-256 pre-launch integrity check, and hclog log forwarding into plugin client - `internal/infrastructure/pluginmgr/rpc_manager_test.go`: add tests for checksum verification and secure plugin launch - `internal/infrastructure/pluginmgr/state_store.go`: add GetChecksum/SetChecksum/UpdateChecksum methods to plugin state store - `internal/infrastructure/pluginmgr/state_store_test.go`: add tests for checksum state persistence - `internal/interfaces/cli/plugin_cmd.go`: add `awf plugin verify` subcommand with --update flag and text/json output - `internal/interfaces/cli/plugin_cmd_test.go`: refactor unit tests for plugin commands - `internal/interfaces/cli/run_plugin_provider_wiring_test.go`: update wiring tests for security changes - `pkg/plugin/sdk/serve.go`: enable AutoMTLS in plugin SDK serve function - `tests/integration/cli/plugin_security_test.go`: add 581-line integration test suite for AutoMTLS and checksum verification - `tests/integration/cli/plugin_verify_test.go`: add integration tests for `awf plugin verify` command Closes #332
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
EXECUTION.PLUGIN.CHECKSUM_MISMATCHerror; checksums are stored automatically onawf plugin installHCLogAdapter, including secret masking for sensitive fieldsawf plugin verify [name] [--update]CLI command to inspect and update stored plugin checksums out-of-bandChanges
Domain
internal/domain/errors/codes.go: AddErrorCodeExecutionPluginChecksumMismatcherror code (EXECUTION.PLUGIN.CHECKSUM_MISMATCH, exit code 3)internal/domain/errors/codes_test.go: Add taxonomy and constant tests for the new error codeinternal/domain/pluginmodel/state.go: AddChecksumandChecksumAtfields toPluginState(omitempty; backward-compatible)internal/domain/pluginmodel/state_test.go: Add JSON round-trip, omitempty, and backward-compat unmarshaling tests for new checksum fieldsInfrastructure — Logger
internal/infrastructure/logger/hclog_adapter.go: NewHCLogAdapterbridginghclog.Loggertozap.Logger; newLogWritercapturing plugin stdout/stderr line-by-line; both integrate with existingSecretMaskerinternal/infrastructure/logger/hclog_adapter_test.go: Full unit test suite covering level mapping, secret masking,With/Named/ResetNamed, andLogWriteredge casesInfrastructure — Plugin Manager
internal/infrastructure/pluginmgr/rpc_manager.go: EnableAutoMTLS, wireHCLogAdapterandLogWriterasLogger/SyncStdout/SyncStderrinstartPluginProcess; addverifyChecksum()with fail-fast enforcement before process start; addSetStateStore()andSetZapLogger()setters; passSecureConfigto go-plugin when a stored checksum is availableinternal/infrastructure/pluginmgr/rpc_manager_test.go: Add tests forSetStateStore,verifyChecksum(no store, no checksum, match, mismatch), andInitfail-fast on mismatchinternal/infrastructure/pluginmgr/state_store.go: AddSetChecksum()andGetChecksum()methods backed by theChecksum/ChecksumAtfields inPluginStateinternal/infrastructure/pluginmgr/state_store_test.go: Add tests forSetChecksum/GetChecksumincluding error paths and disk round-tripInterfaces — CLI
internal/interfaces/cli/plugin_cmd.go: Addawf plugin verifysubcommand; compute and persist SHA-256 checksum afterplugin install; fixenableJSON output key ("plugin"→"name"); introducecollectInstalledPluginNames,findPluginDir, andverifyOnePluginhelpersinternal/interfaces/cli/plugin_cmd_test.go: Update subcommand list to includeverify; fix JSON assertion for renamed"name"key; remove tests migrated to integration suiteinternal/interfaces/cli/run_plugin_provider_wiring_test.go: Adjust wiring tests after new setter methodsSDK
pkg/plugin/sdk/serve.go: Minor update (likely to align handshake or AutoMTLS compatibility)Integration Tests
tests/integration/cli/plugin_security_test.go: End-to-end tests for AutoMTLS, checksum mismatch detection, tampered binary rejection, and install-time checksum persistencetests/integration/cli/plugin_verify_test.go: End-to-end tests forawf plugin verify(all plugins, named plugin,--update, PASS/FAIL/MISSING output)Architecture Config
.go-arch-lint.yml: Allowinfra-pluginto depend oninfra-logger; allowzapandgo-hclogininfra-plugin; allowgo-hclogininfra-loggerDocumentation
README.md: Update plugin system feature description; addawf plugin verifyto command tabledocs/README.md: Update plugins.md link description to mention transport securitydocs/reference/error-codes.md: AddEXECUTION.PLUGIN.CHECKSUM_MISMATCHreference entry with resolution stepsdocs/user-guide/commands.md: Addawf plugin verifycommand reference with flags, status table, and examplesdocs/user-guide/plugins.md: Add "Verify Plugin Integrity" and "Plugin Security" sections covering AutoMTLS, binary integrity verification, and log forwardingTest plan
awf plugin install <owner/repo>→ checkstorage/plugins.jsoncontains"checksum": "<sha256>"echo "x" >> ~/.local/share/awf/plugins/<name>/awf-plugin-<name>→awf run <workflow>should fail withEXECUTION.PLUGIN.CHECKSUM_MISMATCHawf plugin verifyto see PASS/FAIL/MISSING per installed plugin; runawf plugin verify --update <name>to recompute and confirm PASS on next runmake test-unitandmake test-integrationpass with no failuresCloses #332
Generated with awf commit workflow