kinetic/agent/

config_poller.rs

//! Configuration poller for Kinetic Fleet Agent.

use crate::agent::HealthSummary;
use crate::agent::identity::HostIdentity;
use crate::topology::RunningTopology;
use anyhow::{Context, Result};
use serde::{Deserialize, Serialize};
use sha2::Digest;
use std::sync::Arc;
use std::time::Instant;
use sysinfo::{CpuRefreshKind, MemoryRefreshKind, System};
use tokio::sync::Mutex;
use tracing::{info, warn};

pub struct ConfigPoller {
    pub nexus_url: String,
    pub identity: Arc<HostIdentity>,
    pub client: reqwest::Client,
    pub current_generation: Mutex<u64>,
    pub sys: Mutex<System>,
    pub start_time: Instant,
}

#[derive(Serialize)]
struct SyncRequest {
    #[serde(rename = "hostId")]
    pub host_id: String,
    #[serde(rename = "realmId")]
    pub realm_id: String,
    #[serde(rename = "configGeneration")]
    pub config_generation: u64,
    #[serde(rename = "healthSummary")]
    pub health_summary: HealthSummary,
}

#[derive(Deserialize)]
struct SyncResponse {
    pub status: String, // NO_CHANGE, UPDATE_AVAILABLE, UPDATE_REQUIRED
    #[serde(rename = "targetGeneration")]
    pub target_generation: Option<u64>,
    #[serde(rename = "applyNow")]
    pub apply_now: Option<bool>,
    pub _checksum: Option<String>,
}

#[derive(Deserialize)]
struct ConfigResponse {
    pub config: String,
    pub _generation: u64,
    pub _checksum: String,
}

impl ConfigPoller {
    pub fn new(nexus_url: String, identity: Arc<HostIdentity>, _interval: u64) -> Self {
        let mut sys = System::new_with_specifics(
            sysinfo::RefreshKind::nothing()
                .with_cpu(CpuRefreshKind::everything())
                .with_memory(MemoryRefreshKind::everything()),
        );
        sys.refresh_all();

        Self {
            nexus_url,
            identity,
            client: reqwest::Client::new(),
            current_generation: Mutex::new(0),
            sys: Mutex::new(sys),
            start_time: Instant::now(),
        }
    }

    pub async fn sync(&self, topology: Arc<Mutex<Option<RunningTopology>>>) -> Result<()> {
        let current_generation = *self.current_generation.lock().await;

        let mut sys = self.sys.lock().await;
        sys.refresh_all();

        let cpu_usage = sys.global_cpu_usage() as f64;
        let mem_usage = (sys.used_memory() as f64 / sys.total_memory() as f64) * 100.0;

        let status = {
            let guard = topology.lock().await;
            if guard.is_some() {
                "running".to_string()
            } else {
                "stopped".to_string()
            }
        };

        // Note: Real error rate and events per second would be fetched from metrics.
        let uptime_secs = self.start_time.elapsed().as_secs();

        let req = SyncRequest {
            host_id: self.identity.host_id.clone(),
            realm_id: self.identity.realm_id.clone(),
            config_generation: current_generation,
            health_summary: HealthSummary {
                cpu_percent: cpu_usage,
                memory_percent: mem_usage,
                pipeline_status: status,
                error_rate: 0.0,
                events_per_second: 0.0,
                uptime_secs,
            },
        };

        let url = format!("{}/fleet/sync", self.nexus_url);
        let resp = self
            .client
            .post(&url)
            .header("Authorization", format!("Bearer {}", self.identity.token))
            .json(&req)
            .send()
            .await?
            .json::<SyncResponse>()
            .await?;

        if resp.status == "UPDATE_AVAILABLE" || resp.status == "UPDATE_REQUIRED" {
            if resp.apply_now.unwrap_or(false) {
                if let Some(r#gen) = resp.target_generation {
                    self.apply_update(r#gen, topology).await?;
                }
            } else {
                info!(
                    "Update available (generation {}), but apply_now is false",
                    resp.target_generation.unwrap_or(0)
                );
            }
        }

        Ok(())
    }

    async fn apply_update(
        &self,
        r#gen: u64,
        topology: Arc<Mutex<Option<RunningTopology>>>,
    ) -> Result<()> {
        info!("Fetching new configuration generation: {}", r#gen);

        let url = format!("{}/fleet/config/{}", self.nexus_url, r#gen);
        let resp = self
            .client
            .get(&url)
            .header("Authorization", format!("Bearer {}", self.identity.token))
            .send()
            .await?
            .json::<ConfigResponse>()
            .await?;

        // SEC-5: Verify the provided checksum
        let computed_checksum = hex::encode(sha2::Sha256::digest(resp.config.as_bytes()));
        if computed_checksum != resp._checksum {
            anyhow::bail!(
                "Configuration checksum mismatch. Expected {}, got {}",
                resp._checksum,
                computed_checksum
            );
        }

        let config_str = kinetic_config::interpolate_string(&resp.config)
            .map_err(|e| anyhow::anyhow!("Interpolation failed: {}", e))?;
        let new_config: kinetic_config::Config =
            serde_yml::from_str(&config_str).context("Failed to parse fetched configuration")?;

        // SEC-5: Ensure realm_id is verified (using pipeline_id as a proxy for realm or specific tenant isolation if available)
        // Since Config doesn't strictly have realm_id at the root level in current implementation,
        // we assume pipeline_id or a future field maps to it. Here we log it or enforce if it existed.
        // For MVP, we at least validate the config.
        new_config.validate()?;

        let mut guard = topology.lock().await;
        if let Some(running) = guard.as_mut() {
            info!("Reloading topology with new configuration...");
            running.reload(new_config).await?;
        } else {
            warn!("No running topology to reload");
        }

        *self.current_generation.lock().await = r#gen;

        Ok(())
    }
}