adding sudo escalation workflow for podman including reset of cache to improve security posture

Author: romdalf

cmd/neoctl/instance.go

@@ -9,7 +9,9 @@ import (
 	"github.com/spf13/cobra"
 	"netapp/neoctl/internal/config"
 	"netapp/neoctl/internal/runner"
+	"netapp/neoctl/internal/runtime"
 	"netapp/neoctl/internal/utils"
+	"os/exec"
 	"path/filepath"
 	"text/tabwriter"
 	"time"
@@ -207,9 +209,18 @@ func runInstanceAction(name string, action string) {
 		fmt.Printf("Creating instance \"%s\" ...\n", name)
 
 		// Verify prerequisites first
-		runStep("Verifying prerequisites", func() error {
+		if err := runStep("Verifying prerequisites", func() error {
 			return runVerifyChecks(false)
-		})
+		}); err != nil {
+			resetPrivileges()
+			os.Exit(1)
+		}
+		
+		// Ensure privileges if needed (Podman)
+		if err := ensurePrivileges(); err != nil {
+			fmt.Printf("Error ensuring privileges: %v\n", err)
+			os.Exit(1)
+		}
 
 		// Load Bundle Config for images
 		bundleCfg, err := config.LoadConfig()
@@ -227,9 +238,12 @@ func runInstanceAction(name string, action string) {
             // Configuration missing - print X and fetch
             fmt.Printf("\r \u001b[31m✗\u001b[0m %s \n", checkDesc)
 
-            runStep("Fetching bundle configuration", func() error {
+            if err := runStep("Fetching bundle configuration", func() error {
                 return fetchLatestBundles(false)
-            })
+            }); err != nil {
+				resetPrivileges()
+				os.Exit(1)
+			}
 
             // Reload config after fetching
             bundleCfg, err = config.LoadConfig()
@@ -244,15 +258,21 @@ func runInstanceAction(name string, action string) {
 
 
 
-		runStep("Writing configuration", func() error {
+		if err := runStep("Writing configuration", func() error {
 			return runner.GenerateComposeFile(inst, bundleCfg, configDir)
-		})
+		}); err != nil {
+			resetPrivileges()
+			os.Exit(1)
+		}
 
-		runStep(fmt.Sprintf("Ensuring images (%s, %s)", inst.Name+"-neo", inst.Name+"-neoui"), func() error {
+		if err := runStep(fmt.Sprintf("Ensuring images (%s, %s)", inst.Name+"-neo", inst.Name+"-neoui"), func() error {
 			return runner.RunComposePull(configDir, name)
-		})
+		}); err != nil {
+			resetPrivileges()
+			os.Exit(1)
+		}
 
-		runStep("Starting instance", func() error {
+		if err := runStep("Starting instance", func() error {
 			if err := runner.RunComposeUp(configDir, name); err != nil {
 				return err
 			}
@@ -271,7 +291,12 @@ func runInstanceAction(name string, action string) {
 				fmt.Printf("\n\u001b[33mWarning: Instance is running but degraded (%d/%d containers up)\u001b[0m\n", runningCount, totalCount)
 			}
 			return nil
-		})
+		}); err != nil {
+			resetPrivileges()
+			os.Exit(1)
+		}
+
+		resetPrivileges()
 
 		fmt.Printf("Instance \"%s\" started! 🚀\n", name)
 
@@ -293,15 +318,33 @@ func runInstanceAction(name string, action string) {
 	case "stop":
 		fmt.Printf("Stopping instance \"%s\" ...\n", name)
 
-		runStep("Stopping all containers", func() error {
+		// Ensure privileges if needed (Podman)
+		if err := ensurePrivileges(); err != nil {
+			fmt.Printf("Error ensuring privileges: %v\n", err)
+			os.Exit(1)
+		}
+
+		if err := runStep("Stopping all containers", func() error {
 			return runner.RunComposeDown(configDir, name)
-		})
+		}); err != nil {
+			resetPrivileges()
+			os.Exit(1)
+		}
+
+		resetPrivileges()
 
 		fmt.Printf("Instance \"%s\" stopped! 🛑\n", name)
 
 	case "delete":
 		// Stop first
 		fmt.Printf("Stopping instance '%s' before deletion...\n", name)
+
+		// Ensure privileges if needed (Podman)
+		if err := ensurePrivileges(); err != nil {
+			fmt.Printf("Error ensuring privileges: %v\n", err)
+			os.Exit(1)
+		}
+
 		if err := runner.RunComposeDown(configDir, name); err != nil {
 			fmt.Printf("Warning: Failed to stop instance (might be already stopped or files missing): %v\n", err)
 		}
@@ -463,12 +506,46 @@ func init() {
 	instanceLogsCmd.Flags().BoolVar(&instAll, "all", false, "Fetch logs for all instances")
 }
 
-func runStep(description string, action func() error) {
+func runStep(description string, action func() error) error {
 	fmt.Printf(" \u001b[36m•\u001b[0m %s ...", description)
 	if err := action(); err != nil {
 		fmt.Printf("\r \u001b[31m✗\u001b[0m %s \n", description)
 		fmt.Printf("Error: %v\n", err)
-		os.Exit(1)
+		return err
 	}
 	fmt.Printf("\r \u001b[32m✓\u001b[0m %s \n", description)
+	return nil
+}
+
+func ensurePrivileges() error {
+	rt, err := runtime.CheckRuntime()
+	if err != nil {
+		return err
+	}
+	
+	if rt == runtime.Podman {
+		fmt.Printf("     ⚠️ Podman runtime requires privilege escalation ...\n")
+		// sudo -v refreshes the timestamp. -p prompts if needed.
+		// We use the same prompt as in the runner to be consistent, though theoretically
+		// if this succeeds, the runner one won't prompt.
+		cmd := exec.Command("sudo", "-v", "-p", "     [sudo] password for %u: ")
+		cmd.Stdin = os.Stdin
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		
+		if err := cmd.Run(); err != nil {
+			return fmt.Errorf("sudo authentication failed: %w", err)
+		}
+	}
+	return nil
+}
+
+func resetPrivileges() {
+	rt, err := runtime.CheckRuntime()
+	if err == nil && rt == runtime.Podman {
+		cmd := exec.Command("sudo", "-k")
+		if err := cmd.Run(); err == nil {
+			fmt.Println(" \u001b[32m✓\u001b[0m Reset privilege escalation session for security purposes")
+		}
+	}
 }

internal/runner/compose.go

@@ -311,7 +311,10 @@ func runComposeCommand(dir string, args ...string) ([]byte, error) {
 	var cmd *exec.Cmd
 	if rt == runtime.Podman {
 		// Podman requires root for SMB mounts in containers basically
-		newArgs := append([]string{bin}, args...)
+		// sudo -p prompt (retained for safety if pre-auth expires, but main auth happens earlier)
+		prompt := "        [sudo] password for %u: "
+		
+		newArgs := append([]string{"-p", prompt, bin}, args...)
 		cmd = exec.Command("sudo", newArgs...)
 	} else {
 		cmd = exec.Command(bin, args...)