fix(telemetry): sandbox invocation test + make postPhase non-blocking

Author: shubham-stepsecurity

internal/telemetry/invocation_test.go

@@ -4,6 +4,7 @@ import (
 	"os"
 	"path/filepath"
 	"runtime"
+	"strings"
 	"testing"
 
 	"github.com/step-security/dev-machine-guard/internal/launchd"
@@ -51,12 +52,24 @@ func TestDetectInvocationMethod_HostMachine(t *testing.T) {
 // TestDetectInvocationMethod_RespondsToFilesystem covers the darwin/linux
 // path that stats a scheduler artifact. On Windows the check shells out to
 // schtasks, which we can't safely stub without an executor seam — skip there.
+//
+// Sandboxes HOME (Unix) and USERPROFILE (Windows-safe no-op on Unix) under
+// t.TempDir() so launchd.UserPlistPath / systemd.TimerUnitPath compute paths
+// that live entirely inside the temp tree. Without this the test would write
+// markers (and MkdirAll-created parent dirs) into the developer's real
+// ~/Library/LaunchAgents or ~/.config/systemd/user — leaving stray files
+// behind on CI and risking a tiny TOCTOU window against a real install.
 func TestDetectInvocationMethod_RespondsToFilesystem(t *testing.T) {
 	if runtime.GOOS == "windows" {
 		t.Skip("windows uses schtasks /query, not filesystem")
 	}
 
-	// Resolve the platform's expected artifact path.
+	tempHome := t.TempDir()
+	t.Setenv("HOME", tempHome)
+	t.Setenv("USERPROFILE", tempHome) // no-op on Unix but cheap and keeps the seam consistent
+
+	// Resolve the platform's expected artifact path AFTER the env override
+	// so os.UserHomeDir() returns tempHome.
 	var path string
 	switch runtime.GOOS {
 	case "darwin":
@@ -69,24 +82,25 @@ func TestDetectInvocationMethod_RespondsToFilesystem(t *testing.T) {
 	if path == "" {
 		t.Skip("could not resolve scheduler artifact path on this host")
 	}
+	if !strings.HasPrefix(path, tempHome) {
+		t.Fatalf("resolved path %q escaped tempHome %q — env sandbox is not effective", path, tempHome)
+	}
 
-	// We don't want to clobber a real installation. If the artifact already
-	// exists, just confirm the detector agrees and bail; otherwise create a
-	// fake marker, assert detection flips, then clean up.
-	if _, err := os.Stat(path); err == nil {
-		if got := DetectInvocationMethod(); got != InvocationInstall {
-			t.Fatalf("artifact %q exists but detector returned %q", path, got)
-		}
-		return
+	// Fresh temp home — detector starts at one_time, flips to install when
+	// the marker appears, flips back when it's removed.
+	if got := DetectInvocationMethod(); got != InvocationOneTime {
+		t.Fatalf("on clean temp home, detector returned %q, want %q",
+			got, InvocationOneTime)
 	}
 
 	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
-		t.Skipf("cannot prepare scheduler artifact dir for test: %v", err)
+		t.Fatalf("prepare scheduler artifact dir: %v", err)
 	}
 	if err := os.WriteFile(path, []byte("x"), 0o600); err != nil {
-		t.Skipf("cannot write fake scheduler artifact: %v", err)
+		t.Fatalf("write fake scheduler artifact: %v", err)
 	}
-	t.Cleanup(func() { _ = os.Remove(path) })
+	// No explicit cleanup: everything lives under t.TempDir() and is
+	// removed by the testing framework when the test ends.
 
 	if got := DetectInvocationMethod(); got != InvocationInstall {
 		t.Fatalf("after creating %q, detector returned %q, want %q",
@@ -98,8 +112,6 @@ func TestDetectInvocationMethod_RespondsToFilesystem(t *testing.T) {
 	if err := os.Remove(path); err != nil {
 		t.Fatalf("remove fake artifact: %v", err)
 	}
-	// Avoid double-remove in cleanup.
-	t.Cleanup(func() {})
 
 	if got := DetectInvocationMethod(); got != InvocationOneTime {
 		t.Fatalf("after removing %q, detector returned %q, want %q",

internal/telemetry/run_status.go

@@ -146,7 +146,12 @@ func postRunStatusWithRetry(ctx context.Context, log *progress.Logger,
 			select {
 			case <-time.After(runStatusRetryBackoff):
 			case <-ctx.Done():
-				log.Progress("run-status: parent context done, abandoning retries")
+				// Demoted to Debug: parent ctx done means clean shutdown
+				// (or operator-initiated cancel that already logged its
+				// own reason). No need to add a second progress-level
+				// noise line in the normal "scan finished successfully,
+				// last progress post got cut off by cancelRun()" flow.
+				log.Debug("run-status: parent context done, abandoning retries")
 				return
 			}
 		}
@@ -159,9 +164,22 @@ func postRunStatusWithRetry(ctx context.Context, log *progress.Logger,
 // postRunStatusOnce performs a single HTTP attempt. Returns true on a 2xx
 // or 4xx (terminal — retrying a bad request will not help). Returns false
 // on transport errors or 5xx so the caller can retry.
+//
+// Treats parent-ctx cancellation as terminal-and-quiet: the only time we
+// observe ctx.Err() != nil here is shutdown (cancelRun fired). Logging a
+// "POST error: context canceled" at progress level on every successful
+// scan — because the final phase-boundary post raced the deferred
+// cancelRun — would mislead operators into thinking the run failed.
 func postRunStatusOnce(ctx context.Context, log *progress.Logger,
 	endpoint string, body []byte, status string, attempt, maxAttempts int) bool {
 
+	// Short-circuit when the scan ctx is already done — no point opening a
+	// connection just to have it cancelled mid-handshake.
+	if ctx.Err() != nil {
+		log.Debug("run-status[%s %d/%d]: skipped (parent context done)", status, attempt, maxAttempts)
+		return true
+	}
+
 	cctx, cancel := context.WithTimeout(ctx, runStatusHTTPTimeout)
 	defer cancel()
 
@@ -177,6 +195,14 @@ func postRunStatusOnce(ctx context.Context, log *progress.Logger,
 	client := &http.Client{Timeout: runStatusHTTPTimeout}
 	resp, err := client.Do(req)
 	if err != nil {
+		// Distinguish shutdown-induced cancellation from a real transport
+		// error. If the parent ctx is done, this was clean shutdown — log
+		// at debug and return terminal so the caller doesn't burn a retry
+		// on an already-cancelled context.
+		if ctx.Err() != nil {
+			log.Debug("run-status[%s %d/%d]: aborted at shutdown: %v", status, attempt, maxAttempts, err)
+			return true
+		}
 		log.Progress("run-status[%s %d/%d]: POST error: %v", status, attempt, maxAttempts, err)
 		return false
 	}

internal/telemetry/telemetry.go

@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"sync"
 	"sync/atomic"
 	"syscall"
 	"time"
@@ -153,11 +154,76 @@ func Run(exec executor.Executor, log *progress.Logger, cfg *cli.Config) (err err
 		}
 	}
 
+	// Phase-boundary progress posts run on a dedicated worker so the scan
+	// never blocks on HTTP at a call site. Buffer=1 + drop-oldest send
+	// gives us two properties together:
+	//   - Strict ordering: a single consumer means the backend can never
+	//     see an older snapshot land after a newer one (which would cause
+	//     the console UI to briefly regress on degraded networks).
+	//   - Bounded resources: at most one pending snapshot is queued; a
+	//     slow-network backlog can't grow across the 11+ inline call
+	//     sites. The latest snapshot always wins, which matches what an
+	//     operator watching progress actually cares about.
+	//
+	// Without this, blocking phase posts could add the per-call retry
+	// budget (~6s: 2 attempts × 3s HTTP timeout + 500ms backoff) to each
+	// call site, compounding to over a minute of added scan latency on a
+	// degraded link for purely best-effort progress data.
+	phaseCh := make(chan RunStatusInfo, 1)
+	phaseDone := make(chan struct{})
+	var phaseSendMu sync.Mutex // serialises drain+send so concurrent producers (main scan + heartbeat) don't race
+	go func() {
+		defer close(phaseDone)
+		// process posts one snapshot using a Background-derived ctx with
+		// a bounded per-post timeout. We deliberately do NOT chain off the
+		// scan ctx here: the final phase-boundary post (which is the only
+		// snapshot that includes "telemetry_upload" in phases_completed)
+		// arrives at the worker *after* the function body returns and the
+		// deferred cancelRun() fires. If we shared the scan ctx, that post
+		// would always be cancelled mid-flight and the backend would never
+		// learn the upload completed. The 10s budget covers postProgress's
+		// own internal retry window (2×3s + 500ms backoff) with slack.
+		process := func(snap RunStatusInfo) {
+			postCtx, postCancel := context.WithTimeout(context.Background(), 10*time.Second)
+			defer postCancel()
+			postProgress(postCtx, log, executionID, deviceID, invocationMethod, snap)
+		}
+		for {
+			select {
+			case snap := <-phaseCh:
+				process(snap)
+			case <-ctx.Done():
+				// Drain any queued snapshot before exiting. Without this,
+				// a naïve select on the next iteration would 50/50 between
+				// the ready ctx.Done() and the ready phaseCh — dropping
+				// the final post is exactly what the user reports as
+				// "telemetry_upload missing from phases_completed".
+				for {
+					select {
+					case snap := <-phaseCh:
+						process(snap)
+					default:
+						return
+					}
+				}
+			}
+		}
+	}()
+
 	// postPhase is the convergence point for phase-boundary and heartbeat
 	// progress updates. Captured here so the heartbeat goroutine and the
 	// inline phase wrappers share a single call site.
 	postPhase := func() {
-		postProgress(ctx, log, executionID, deviceID, invocationMethod, tracker.Snapshot())
+		snap := tracker.Snapshot()
+		phaseSendMu.Lock()
+		defer phaseSendMu.Unlock()
+		// Drop any queued (older) snapshot so the freshest one always lands.
+		select {
+		case <-phaseCh:
+		default:
+		}
+		// Always succeeds: buffer=1, just drained, single sender under the mutex.
+		phaseCh <- snap
 	}
 
 	// Catch SIGINT / SIGTERM so cancellation (Ctrl+C, launchd stop, kill)
@@ -278,13 +344,15 @@ func Run(exec executor.Executor, log *progress.Logger, cfg *cli.Config) (err err
 			}
 		}
 	}()
-	// Shut the heartbeat down cleanly on return. Order matters: cancel
-	// first so the goroutine sees ctx.Done() and exits, THEN wait for it
-	// to close heartbeatDone. Splitting these into two `defer` statements
-	// would deadlock — LIFO would block on the wait before cancel fires.
+	// Shut down both the heartbeat goroutine and the phase-post worker
+	// cleanly on return. Order matters: cancel first so both goroutines
+	// see ctx.Done() and exit, THEN wait for each to close its done
+	// channel. Splitting these into separate `defer` statements would
+	// deadlock — LIFO would block on the waits before cancel fires.
 	defer func() {
 		cancelRun()
 		<-heartbeatDone
+		<-phaseDone
 	}()
 
 	// Detect logged-in user for running commands as the real user when root.