mirror of
https://github.com/FuzzingLabs/fuzzforge_ai.git
synced 2026-07-05 18:17:54 +02:00
chore: Complete Temporal migration with updated CLI/SDK/docs
This commit includes all remaining Temporal migration changes: ## CLI Updates (cli/) - Updated workflow execution commands for Temporal - Enhanced error handling and exceptions - Updated dependencies in uv.lock ## SDK Updates (sdk/) - Client methods updated for Temporal workflows - Updated models for new workflow execution - Updated dependencies in uv.lock ## Documentation Updates (docs/) - Architecture documentation for Temporal - Workflow concept documentation - Resource management documentation (new) - Debugging guide (new) - Updated tutorials and how-to guides - Troubleshooting updates ## README Updates - Main README with Temporal instructions - Backend README - CLI README - SDK README ## Other - Updated IMPLEMENTATION_STATUS.md - Removed old vulnerable_app.tar.gz These changes complete the Temporal migration and ensure the CLI/SDK work correctly with the new backend.
This commit is contained in:
+101
-27
@@ -1,6 +1,6 @@
|
||||
# FuzzForge Backend
|
||||
|
||||
A stateless API server for security testing workflow orchestration using Prefect. This system dynamically discovers workflows, executes them in isolated Docker containers with volume mounting, and returns findings in SARIF format.
|
||||
A stateless API server for security testing workflow orchestration using Temporal. This system dynamically discovers workflows, executes them in isolated worker environments, and returns findings in SARIF format.
|
||||
|
||||
## Architecture Overview
|
||||
|
||||
@@ -8,17 +8,17 @@ A stateless API server for security testing workflow orchestration using Prefect
|
||||
|
||||
1. **Workflow Discovery System**: Automatically discovers workflows at startup
|
||||
2. **Module System**: Reusable components (scanner, analyzer, reporter) with a common interface
|
||||
3. **Prefect Integration**: Handles container orchestration, workflow execution, and monitoring
|
||||
4. **Volume Mounting**: Secure file access with configurable permissions (ro/rw)
|
||||
3. **Temporal Integration**: Handles workflow orchestration, execution, and monitoring with vertical workers
|
||||
4. **File Upload & Storage**: HTTP multipart upload to MinIO for target files
|
||||
5. **SARIF Output**: Standardized security findings format
|
||||
|
||||
### Key Features
|
||||
|
||||
- **Stateless**: No persistent data, fully scalable
|
||||
- **Generic**: No hardcoded workflows, automatic discovery
|
||||
- **Isolated**: Each workflow runs in its own Docker container
|
||||
- **Isolated**: Each workflow runs in specialized vertical workers
|
||||
- **Extensible**: Easy to add new workflows and modules
|
||||
- **Secure**: Read-only volume mounts by default, path validation
|
||||
- **Secure**: File upload with MinIO storage, automatic cleanup via lifecycle policies
|
||||
- **Observable**: Comprehensive logging and status tracking
|
||||
|
||||
## Quick Start
|
||||
@@ -32,19 +32,17 @@ A stateless API server for security testing workflow orchestration using Prefect
|
||||
From the project root, start all services:
|
||||
|
||||
```bash
|
||||
docker-compose up -d
|
||||
docker-compose -f docker-compose.temporal.yaml up -d
|
||||
```
|
||||
|
||||
This will start:
|
||||
- Prefect server (API at http://localhost:4200/api)
|
||||
- PostgreSQL database
|
||||
- Redis cache
|
||||
- Docker registry (port 5001)
|
||||
- Prefect worker (for running workflows)
|
||||
- Temporal server (Web UI at http://localhost:8233, gRPC at :7233)
|
||||
- MinIO (S3 storage at http://localhost:9000, Console at http://localhost:9001)
|
||||
- PostgreSQL database (for Temporal state)
|
||||
- Vertical workers (worker-rust, worker-android, worker-web, etc.)
|
||||
- FuzzForge backend API (port 8000)
|
||||
- FuzzForge MCP server (port 8010)
|
||||
|
||||
**Note**: The Prefect UI at http://localhost:4200 is not currently accessible from the host due to the API being configured for inter-container communication. Use the REST API or MCP interface instead.
|
||||
**Note**: MinIO console login: `fuzzforge` / `fuzzforge123`
|
||||
|
||||
## API Endpoints
|
||||
|
||||
@@ -54,7 +52,8 @@ This will start:
|
||||
- `GET /workflows/{name}/metadata` - Get workflow metadata and parameters
|
||||
- `GET /workflows/{name}/parameters` - Get workflow parameter schema
|
||||
- `GET /workflows/metadata/schema` - Get metadata.yaml schema
|
||||
- `POST /workflows/{name}/submit` - Submit a workflow for execution
|
||||
- `POST /workflows/{name}/submit` - Submit a workflow for execution (path-based, legacy)
|
||||
- `POST /workflows/{name}/upload-and-submit` - **Upload local files and submit workflow** (recommended)
|
||||
|
||||
### Runs
|
||||
|
||||
@@ -68,12 +67,13 @@ Each workflow must have:
|
||||
|
||||
```
|
||||
toolbox/workflows/{workflow_name}/
|
||||
workflow.py # Prefect flow definition
|
||||
metadata.yaml # Mandatory metadata (parameters, version, etc.)
|
||||
Dockerfile # Optional custom container definition
|
||||
requirements.txt # Optional Python dependencies
|
||||
workflow.py # Temporal workflow definition
|
||||
metadata.yaml # Mandatory metadata (parameters, version, vertical, etc.)
|
||||
requirements.txt # Optional Python dependencies (installed in vertical worker)
|
||||
```
|
||||
|
||||
**Note**: With Temporal architecture, workflows run in pre-built vertical workers (e.g., `worker-rust`, `worker-android`), not individual Docker containers. The workflow code is mounted as a volume and discovered at runtime.
|
||||
|
||||
### Example metadata.yaml
|
||||
|
||||
```yaml
|
||||
@@ -82,6 +82,7 @@ version: "1.0.0"
|
||||
description: "Comprehensive security analysis workflow"
|
||||
author: "FuzzForge Team"
|
||||
category: "comprehensive"
|
||||
vertical: "rust" # Routes to worker-rust
|
||||
tags:
|
||||
- "security"
|
||||
- "analysis"
|
||||
@@ -169,6 +170,57 @@ curl -X POST "http://localhost:8000/workflows/security_assessment/submit" \
|
||||
|
||||
Resource precedence: User limits > Workflow requirements > System defaults
|
||||
|
||||
## File Upload and Target Access
|
||||
|
||||
### Upload Endpoint
|
||||
|
||||
The backend provides an upload endpoint for submitting workflows with local files:
|
||||
|
||||
```
|
||||
POST /workflows/{workflow_name}/upload-and-submit
|
||||
Content-Type: multipart/form-data
|
||||
|
||||
Parameters:
|
||||
file: File upload (supports .tar.gz for directories)
|
||||
parameters: JSON string of workflow parameters (optional)
|
||||
volume_mode: "ro" or "rw" (default: "ro")
|
||||
timeout: Execution timeout in seconds (optional)
|
||||
```
|
||||
|
||||
Example using curl:
|
||||
|
||||
```bash
|
||||
# Upload a directory (create tarball first)
|
||||
tar -czf project.tar.gz /path/to/project
|
||||
curl -X POST "http://localhost:8000/workflows/security_assessment/upload-and-submit" \
|
||||
-F "file=@project.tar.gz" \
|
||||
-F "parameters={\"check_secrets\":true}" \
|
||||
-F "volume_mode=ro"
|
||||
|
||||
# Upload a single file
|
||||
curl -X POST "http://localhost:8000/workflows/security_assessment/upload-and-submit" \
|
||||
-F "file=@binary.elf" \
|
||||
-F "volume_mode=ro"
|
||||
```
|
||||
|
||||
### Storage Flow
|
||||
|
||||
1. **CLI/API uploads file** via HTTP multipart
|
||||
2. **Backend receives file** and streams to temporary location (max 10GB)
|
||||
3. **Backend uploads to MinIO** with generated `target_id`
|
||||
4. **Workflow is submitted** to Temporal with `target_id`
|
||||
5. **Worker downloads target** from MinIO to local cache
|
||||
6. **Workflow processes target** from cache
|
||||
7. **MinIO lifecycle policy** deletes files after 7 days
|
||||
|
||||
### Advantages
|
||||
|
||||
- **No host filesystem access required** - workers can run anywhere
|
||||
- **Automatic cleanup** - lifecycle policies prevent disk exhaustion
|
||||
- **Caching** - repeated workflows reuse cached targets
|
||||
- **Multi-host ready** - targets accessible from any worker
|
||||
- **Secure** - isolated storage, no arbitrary host path access
|
||||
|
||||
## Module Development
|
||||
|
||||
Modules implement the `BaseModule` interface:
|
||||
@@ -198,7 +250,21 @@ class MyModule(BaseModule):
|
||||
|
||||
## Submitting a Workflow
|
||||
|
||||
### With File Upload (Recommended)
|
||||
|
||||
```bash
|
||||
# Automatic tarball and upload
|
||||
tar -czf project.tar.gz /home/user/project
|
||||
curl -X POST "http://localhost:8000/workflows/security_assessment/upload-and-submit" \
|
||||
-F "file=@project.tar.gz" \
|
||||
-F "parameters={\"scanner_config\":{\"patterns\":[\"*.py\"]},\"analyzer_config\":{\"check_secrets\":true}}" \
|
||||
-F "volume_mode=ro"
|
||||
```
|
||||
|
||||
### Legacy Path-Based Submission
|
||||
|
||||
```bash
|
||||
# Only works if backend and target are on same machine
|
||||
curl -X POST "http://localhost:8000/workflows/security_assessment/submit" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d '{
|
||||
@@ -235,23 +301,31 @@ Returns SARIF-formatted findings:
|
||||
|
||||
## Security Considerations
|
||||
|
||||
1. **Volume Mounting**: Only allowed directories can be mounted
|
||||
2. **Read-Only Default**: Volumes mounted as read-only unless explicitly set
|
||||
3. **Container Isolation**: Each workflow runs in an isolated container
|
||||
4. **Resource Limits**: Can set CPU/memory limits via Prefect
|
||||
5. **Network Isolation**: Containers use bridge networking
|
||||
1. **File Upload Security**: Files uploaded to MinIO with isolated storage
|
||||
2. **Read-Only Default**: Target files accessed as read-only unless explicitly set
|
||||
3. **Worker Isolation**: Each workflow runs in isolated vertical workers
|
||||
4. **Resource Limits**: Can set CPU/memory limits per worker
|
||||
5. **Automatic Cleanup**: MinIO lifecycle policies delete old files after 7 days
|
||||
|
||||
## Development
|
||||
|
||||
### Adding a New Workflow
|
||||
|
||||
1. Create directory: `toolbox/workflows/my_workflow/`
|
||||
2. Add `workflow.py` with a Prefect flow
|
||||
3. Add mandatory `metadata.yaml`
|
||||
4. Restart backend: `docker-compose restart fuzzforge-backend`
|
||||
2. Add `workflow.py` with a Temporal workflow (using `@workflow.defn`)
|
||||
3. Add mandatory `metadata.yaml` with `vertical` field
|
||||
4. Restart the appropriate worker: `docker-compose -f docker-compose.temporal.yaml restart worker-rust`
|
||||
5. Worker will automatically discover and register the new workflow
|
||||
|
||||
### Adding a New Module
|
||||
|
||||
1. Create module in `toolbox/modules/{category}/`
|
||||
2. Implement `BaseModule` interface
|
||||
3. Use in workflows via import
|
||||
3. Use in workflows via import
|
||||
|
||||
### Adding a New Vertical Worker
|
||||
|
||||
1. Create worker directory: `workers/{vertical}/`
|
||||
2. Create `Dockerfile` with required tools
|
||||
3. Add worker to `docker-compose.temporal.yaml`
|
||||
4. Worker will automatically discover workflows with matching `vertical` in metadata
|
||||
Reference in New Issue
Block a user