param( [string]$ApiBaseUrl = "http://192.168.200.61:18121/api/v1", [string]$ClusterID = "cfc0743d-d960-49fb-9de8-96e063d5e4aa", [string]$ActorUserID = "f67d943f-5397-4b3a-a229-695fe67ad700", [string]$EntryNodeName = "test-1", [string]$ExitNodeName = "test-2", [string]$DockerSSH = "test-docker", [string]$ExpectedBackendImage = "rap-backend:fabric-service-channel-0.2.281-c18z109", [string]$ExpectedNodeAgentImage = "rap-node-agent:0.2.270-c18z95", [string]$ResultPath = "artifacts\c18z91-node-agent-data-plane-contract-enforcement-smoke-result.json" ) Set-StrictMode -Version Latest $ErrorActionPreference = "Stop" $scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path $repoRoot = (Resolve-Path (Join-Path $scriptDir "..\..")).ProviderPath $runId = "c18z91-" + (Get-Date -Format "yyyyMMdd-HHmmss") function Invoke-Api { param([string]$Method, [string]$Path, [object]$Body = $null) $params = @{ Method = $Method; Uri = "$ApiBaseUrl$Path"; TimeoutSec = 30 } if ($null -ne $Body) { $params.ContentType = "application/json" $params.Body = ($Body | ConvertTo-Json -Depth 80) } return Invoke-RestMethod @params } function Get-PropertyValue { param([object]$Item, [string]$Name, [object]$Default = $null) if ($null -eq $Item) { return $Default } $property = $Item.PSObject.Properties[$Name] if ($null -eq $property) { return $Default } return $property.Value } function Get-NodeByName { param([string]$Name) $nodes = (Invoke-Api -Method GET -Path "/clusters/$ClusterID/nodes?actor_user_id=$ActorUserID").nodes $node = @($nodes | Where-Object { $_.name -eq $Name }) | Select-Object -First 1 if ($null -eq $node) { throw "Node '$Name' was not found" } return $node } function ConvertTo-Base64UrlJson { param([object]$Value) if ($Value -is [string]) { $json = $Value } else { $json = $Value | ConvertTo-Json -Depth 80 -Compress } $bytes = [System.Text.Encoding]::UTF8.GetBytes($json) return [Convert]::ToBase64String($bytes).TrimEnd("=").Replace("+", "-").Replace("/", "_") } function New-RouteIntent { param([string]$SourceNodeID, [string]$DestinationNodeID) $expiresAt = (Get-Date).ToUniversalTime().AddMinutes(5).ToString("o") return Invoke-Api -Method POST -Path "/clusters/$ClusterID/mesh/route-intents" -Body @{ actor_user_id = $ActorUserID source_selector = @{ node_id = $SourceNodeID } destination_selector = @{ node_id = $DestinationNodeID } service_class = "vpn_packets" priority = 2100000000 policy = @{ synthetic_enabled = $true route_version = "$runId-direct" policy_version = "$runId-direct" peer_directory_version = "$runId-direct" hops = @($SourceNodeID, $DestinationNodeID) allowed_channels = @("vpn_packet", "fabric_control") max_ttl = 8 max_hops = 8 expires_at = $expiresAt metadata = @{ smoke = "c18z90_service_channel_data_plane_contract" run_id = $runId } } } } function Disable-ExistingRoutePair { param([string]$SourceNodeID, [string]$DestinationNodeID) $items = (Invoke-Api -Method GET -Path "/clusters/$ClusterID/mesh/route-intents?actor_user_id=$ActorUserID").route_intents foreach ($item in @($items)) { if ([string](Get-PropertyValue -Item $item -Name "status" -Default "") -ne "active") { continue } if ([string](Get-PropertyValue -Item $item -Name "service_class" -Default "") -ne "vpn_packets") { continue } $sourceSelector = Get-PropertyValue -Item $item -Name "source_selector" -Default $null $destinationSelector = Get-PropertyValue -Item $item -Name "destination_selector" -Default $null if ([string](Get-PropertyValue -Item $sourceSelector -Name "node_id" -Default "") -ne $SourceNodeID) { continue } if ([string](Get-PropertyValue -Item $destinationSelector -Name "node_id" -Default "") -ne $DestinationNodeID) { continue } [void](Invoke-Api -Method POST -Path "/clusters/$ClusterID/mesh/route-intents/$($item.id)/disable" -Body @{ actor_user_id = $ActorUserID reason = "c18z90 isolate data-plane contract smoke route pair" }) } } $entryNode = Get-NodeByName -Name $EntryNodeName $exitNode = Get-NodeByName -Name $ExitNodeName Disable-ExistingRoutePair -SourceNodeID $entryNode.id -DestinationNodeID $exitNode.id $route = (New-RouteIntent -SourceNodeID $entryNode.id -DestinationNodeID $exitNode.id).route_intent $routeID = [string]$route.id $leaseResponse = Invoke-Api -Method POST -Path "/clusters/$ClusterID/fabric/service-channels/leases" -Body @{ actor_user_id = $ActorUserID organization_id = "org-home" user_id = "user-m" resource_id = "$runId-vpn" service_class = "vpn_packets" entry_node_ids = @([string]$entryNode.id) exit_node_ids = @([string]$exitNode.id) preferred_entry_node_id = [string]$entryNode.id preferred_exit_node_id = [string]$exitNode.id allowed_channels = @("vpn_packet", "fabric_control") ttl_seconds = 120 metadata = @{ smoke = "c18z90_service_channel_data_plane_contract" run_id = $runId } } $lease = $leaseResponse.fabric_service_channel_lease $leaseDataPlane = Get-PropertyValue -Item $lease -Name "data_plane" -Default $null $authorityPayload = Get-PropertyValue -Item $lease -Name "authority_payload" -Default $null $decodedAuthority = $null if ($authorityPayload -is [string] -and $authorityPayload.Length -gt 0) { $decodedAuthority = $authorityPayload | ConvertFrom-Json } elseif ($null -ne $authorityPayload) { $decodedAuthority = $authorityPayload } $authorityDataPlane = Get-PropertyValue -Item $decodedAuthority -Name "data_plane" -Default $null $introspection = Invoke-Api -Method POST -Path "/clusters/$ClusterID/fabric/service-channels/$($lease.channel_id)/introspect" -Body @{ token = [string]$lease.token.token resource_id = [string]$lease.resource_id service_class = "vpn_packets" channel_class = "vpn_packet" entry_node_id = [string]$entryNode.id } $introspectionResult = Get-PropertyValue -Item $introspection -Name "fabric_service_channel_introspection" -Default $introspection $introspectionDataPlane = Get-PropertyValue -Item $introspectionResult -Name "data_plane" -Default $null $maintenance = Invoke-Api -Method GET -Path "/clusters/$ClusterID/fabric/service-channels/leases?actor_user_id=$ActorUserID&service_class=vpn_packets&limit=20" $listedLease = @($maintenance.fabric_service_channel_lease_maintenance.leases | Where-Object { [string](Get-PropertyValue -Item $_ -Name "channel_id" -Default "") -eq [string]$lease.channel_id }) | Select-Object -First 1 $listedDataPlane = Get-PropertyValue -Item $listedLease -Name "data_plane" -Default $null $packetUrl = "http://192.168.200.61:19131/api/v1/clusters/$ClusterID/fabric/service-channels/$($lease.channel_id)/vpn-connections/$($lease.resource_id)/packets" $authoritySignature = Get-PropertyValue -Item $lease -Name "authority_signature" -Default $null $packetResponse = Invoke-WebRequest -Method POST -Uri $packetUrl -Headers @{ "X-RAP-Service-Channel-Token" = [string]$lease.token.token "X-RAP-Service-Channel-Authority-Payload" = ConvertTo-Base64UrlJson -Value $decodedAuthority "X-RAP-Service-Channel-Authority-Signature" = ConvertTo-Base64UrlJson -Value $authoritySignature "X-RAP-Service-Class" = "vpn_packets" "X-RAP-Channel-Class" = "vpn_packet" "X-RAP-Traffic-Class" = "interactive" } -Body ([byte[]](0x45,0,0,40,0,0,0,0,64,6,0,0,10,77,0,2,192,168,200,95,0xD2,0x04,0x0D,0x3D,0,0,0,0,0,0,0,0,0x50,0,0,0,0,0,0,0)) -ContentType "application/octet-stream" -TimeoutSec 30 $acceptedBy = [string]$packetResponse.Headers["X-RAP-Service-Channel-Accepted-By"] $accessReport = $null for ($i = 0; $i -lt 8; $i++) { Start-Sleep -Seconds 5 $heartbeats = (Invoke-Api -Method GET -Path "/clusters/$ClusterID/nodes/$($entryNode.id)/heartbeats?actor_user_id=$ActorUserID&limit=5").heartbeats foreach ($heartbeat in @($heartbeats)) { $metadata = Get-PropertyValue -Item $heartbeat -Name "metadata" -Default $null $candidate = Get-PropertyValue -Item $metadata -Name "fabric_service_channel_access_report" -Default $null if ($null -ne $candidate -and [int](Get-PropertyValue -Item $candidate -Name "data_plane_contract" -Default 0) -ge 1) { $accessReport = $candidate break } } if ($null -ne $accessReport) { break } } $backendLine = (& ssh $DockerSSH "docker ps --format '{{.Names}} {{.Image}} {{.Status}}' | grep '^rap_test_backend '") | Out-String $nodeLines = (& ssh $DockerSSH "docker ps --format '{{.Names}} {{.Image}} {{.Status}}' | grep '^rap_test_node_test_'") | Out-String $checks = [ordered]@{ backend_expected_image_deployed = $backendLine.Contains($ExpectedBackendImage) node_agent_expected_image_deployed = $nodeLines.Contains($ExpectedNodeAgentImage) lease_ready = ([string]$lease.status -eq "ready") lease_uses_requested_route = ([string]$lease.primary_route.route_id -eq $routeID) data_plane_contract_present_on_lease = ($null -ne $leaseDataPlane -and [string]$leaseDataPlane.schema_version -eq "rap.fabric_service_channel_data_plane.v1") data_plane_contract_is_fabric_primary = ($null -ne $leaseDataPlane -and [string]$leaseDataPlane.mode -eq "fabric_primary" -and [string]$leaseDataPlane.working_data_transport -eq "fabric_service_channel" -and [string]$leaseDataPlane.steady_state_transport -eq "fabric_route") backend_relay_is_degraded_fallback_only = ($null -ne $leaseDataPlane -and [string]$leaseDataPlane.backend_relay_policy -eq "degraded_fallback_only") data_plane_is_service_neutral_protocol_agnostic = ($null -ne $leaseDataPlane -and [bool]$leaseDataPlane.service_neutral -and [bool]$leaseDataPlane.protocol_agnostic) logical_flow_isolation_declared = ($null -ne $leaseDataPlane -and [string]$leaseDataPlane.logical_flow_mode -eq "multi_flow_isolated" -and @($leaseDataPlane.required_flow_isolation_classes | Where-Object { [string]$_ -eq "vpn_packet" }).Count -gt 0) data_plane_signed_in_authority_payload = ($null -ne $authorityDataPlane -and [string]$authorityDataPlane.working_data_transport -eq "fabric_service_channel" -and [string]$authorityDataPlane.backend_relay_policy -eq "degraded_fallback_only") introspection_returns_data_plane_contract = ($null -ne $introspectionDataPlane -and [string]$introspectionDataPlane.steady_state_transport -eq "fabric_route" -and [string]$introspectionDataPlane.backend_relay_policy -eq "degraded_fallback_only") maintenance_lists_data_plane_contract = ($null -ne $listedDataPlane -and [string]$listedDataPlane.working_data_transport -eq "fabric_service_channel") packet_ingress_accepted_by_signed_contract = ([int]$packetResponse.StatusCode -eq 202 -and $acceptedBy -eq "signed") node_agent_reports_data_plane_contract = ($null -ne $accessReport -and [int](Get-PropertyValue -Item $accessReport -Name "data_plane_contract" -Default 0) -ge 1) node_agent_reports_fabric_route_data_plane = ($null -ne $accessReport -and [string](Get-PropertyValue -Item $accessReport -Name "last_working_data_transport" -Default "") -eq "fabric_service_channel" -and [string](Get-PropertyValue -Item $accessReport -Name "last_steady_state_transport" -Default "") -eq "fabric_route") node_agent_reports_degraded_degraded_route_policy = ($null -ne $accessReport -and [string](Get-PropertyValue -Item $accessReport -Name "last_degraded_route_policy" -Default "") -eq "degraded_fallback_only") node_agent_reports_multi_flow_contract = ($null -ne $accessReport -and [string](Get-PropertyValue -Item $accessReport -Name "last_logical_flow_mode" -Default "") -eq "multi_flow_isolated") } $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key }) $result = [ordered]@{ schema_version = "c18z91.node_agent_data_plane_contract_enforcement_smoke.v1" run_id = $runId cluster_id = $ClusterID channel_id = [string]$lease.channel_id route_id = $routeID passed = ($failed.Count -eq 0) checks = $checks failed_checks = $failed summary = [ordered]@{ backend_container = $backendLine.Trim() node_containers = $nodeLines.Trim() lease = $lease introspection = $introspectionResult listed_lease = $listedLease packet_status_code = [int]$packetResponse.StatusCode packet_accepted_by = $acceptedBy access_report = $accessReport } } $target = Join-Path $repoRoot $ResultPath $result | ConvertTo-Json -Depth 80 | Set-Content -Path $target -Encoding UTF8 try { if ($routeID) { Invoke-Api -Method POST -Path "/clusters/$ClusterID/mesh/route-intents/$routeID/expire" -Body @{ actor_user_id = $ActorUserID } | Out-Null } Invoke-Api -Method POST -Path "/clusters/$ClusterID/fabric/service-channels/leases/cleanup" -Body @{ actor_user_id = $ActorUserID limit = 100 } | Out-Null } catch { Write-Warning "cleanup failed after c18z90 smoke: $($_.Exception.Message)" } if (-not $result.passed) { throw "C18Z91 node-agent data-plane contract enforcement smoke failed: $($failed -join ', ')" } Write-Host "C18Z91 node-agent data-plane contract enforcement smoke passed. Result: $target" $result