⭐ use in-place engine auto-updates on windows (#6825)

* ⭐ use in-place engine auto-updates on windows

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>

* 🟢 leftover cleanup + return deferred errors

---------

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>

Author: arlimus

apps/mql/mql.go

@@ -17,6 +17,9 @@ import (
 func main() {
 	defer health.ReportPanic("mql", mql.Version, mql.Build)
 
+	// Clean up leftover .old binary from a previous in-place update (Windows).
+	selfupdate.CleanupOldBinary()
+
 	// Normalize --auto-update flag to handle both "--auto-update false" and "--auto-update=false" formats
 	// This must happen before any argument parsing (self-update check or cobra)
 	normalizeAutoUpdateFlag()

cli/selfupdate/inplace.go

@@ -0,0 +1,151 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package selfupdate
+
+import (
+	"context"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"time"
+
+	"github.com/cockroachdb/errors"
+	"github.com/rs/zerolog/log"
+)
+
+// verifyBinary runs "<binary> version" with auto-update disabled and a 5-second
+// timeout. It returns an error if the binary fails to execute or exits non-zero.
+// This is called BEFORE any rename so the original binary is never touched if
+// the staged binary is broken.
+func verifyBinary(binaryPath string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	cmd := exec.CommandContext(ctx, binaryPath, "version")
+	cmd.Env = append(os.Environ(), EnvAutoUpdate+"=false")
+
+	if err := cmd.Run(); err != nil {
+		return errors.Wrap(err, "staged binary failed verification")
+	}
+	return nil
+}
+
+// swapBinaryInPlace replaces the currently running binary with the staged binary.
+// It renames the running executable to <name>.old, then copies the staged binary
+// to the original path. If the copy fails, the rename is rolled back.
+// Returns the original executable path for re-exec.
+func swapBinaryInPlace(stagedBinaryPath string) (string, error) {
+	originalPath, err := os.Executable()
+	if err != nil {
+		return "", errors.Wrap(err, "failed to get current executable path")
+	}
+	originalPath, err = filepath.EvalSymlinks(originalPath)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to resolve executable symlinks")
+	}
+
+	return swapBinaryInPlaceFrom(stagedBinaryPath, originalPath)
+}
+
+// swapBinaryInPlaceFrom is the testable core of swapBinaryInPlace. It takes
+// the resolved original path explicitly instead of calling os.Executable().
+func swapBinaryInPlaceFrom(stagedBinaryPath, originalPath string) (string, error) {
+	// If already running from the same path, no swap needed.
+	stagedAbs, err := filepath.Abs(stagedBinaryPath)
+	if err == nil {
+		if resolved, err2 := filepath.EvalSymlinks(stagedAbs); err2 == nil {
+			stagedAbs = resolved
+		}
+		if stagedAbs == originalPath {
+			return originalPath, nil
+		}
+	}
+
+	oldPath := originalPath + ".old"
+
+	// On Windows os.Rename fails if the destination already exists. Remove a
+	// leftover .old file from a previous swap that wasn't cleaned up (e.g.,
+	// crash, or file was still locked at cleanup time).
+	if err := os.Remove(oldPath); err != nil && !os.IsNotExist(err) {
+		return "", errors.Wrap(err, "failed to remove leftover .old binary")
+	}
+
+	// Rename the running binary out of the way (safe on Windows for a running exe).
+	if err := os.Rename(originalPath, oldPath); err != nil {
+		return "", errors.Wrap(err, "failed to rename running binary to .old")
+	}
+
+	// Copy the staged binary to the original path (cross-volume safe).
+	if err := copyFile(stagedBinaryPath, originalPath); err != nil {
+		// Roll back: move .old back to original.
+		if rbErr := os.Rename(oldPath, originalPath); rbErr != nil {
+			log.Error().Err(rbErr).Msg("in-place swap: rollback failed, manual recovery may be needed")
+		}
+		return "", errors.Wrap(err, "failed to copy staged binary to original path")
+	}
+
+	log.Debug().
+		Str("original", originalPath).
+		Str("staged", stagedBinaryPath).
+		Msg("in-place swap: binary replaced successfully")
+
+	return originalPath, nil
+}
+
+// CleanupOldBinary removes a leftover <exe>.old file from a previous in-place
+// update. This is best-effort: on Windows the file may still be locked by the
+// previous process, so failures are logged and ignored.
+func CleanupOldBinary() {
+	if !inPlaceUpdateEnabled {
+		return
+	}
+
+	exePath, err := os.Executable()
+	if err != nil {
+		return
+	}
+	exePath, err = filepath.EvalSymlinks(exePath)
+	if err != nil {
+		return
+	}
+
+	oldPath := exePath + ".old"
+	if _, err := os.Stat(oldPath); err != nil {
+		return // nothing to clean up
+	}
+
+	if err := os.Remove(oldPath); err != nil {
+		log.Debug().Err(err).Str("path", oldPath).Msg("in-place swap: could not remove old binary")
+	} else {
+		log.Debug().Str("path", oldPath).Msg("in-place swap: cleaned up old binary")
+	}
+}
+
+// copyFile copies src to dst, creating dst with the same permissions as src.
+func copyFile(src, dst string) (err error) {
+	srcInfo, err := os.Stat(src)
+	if err != nil {
+		return err
+	}
+
+	in, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer in.Close()
+
+	out, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, srcInfo.Mode())
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if cerr := out.Close(); cerr != nil && err == nil {
+			err = cerr
+		}
+	}()
+
+	_, err = io.Copy(out, in)
+	return err
+}

cli/selfupdate/inplace_disabled.go

@@ -0,0 +1,8 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !windows
+
+package selfupdate
+
+const inPlaceUpdateEnabled = false

cli/selfupdate/inplace_enabled.go

@@ -0,0 +1,8 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build windows
+
+package selfupdate
+
+const inPlaceUpdateEnabled = true

cli/selfupdate/inplace_test.go

@@ -0,0 +1,133 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package selfupdate
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSwapBinaryInPlace(t *testing.T) {
+	t.Run("swaps binary and creates .old file", func(t *testing.T) {
+		dir := t.TempDir()
+		originalPath := filepath.Join(dir, "mybinary")
+		stagedPath := filepath.Join(dir, "staged", "mybinary")
+
+		// Create the "original" binary.
+		require.NoError(t, os.WriteFile(originalPath, []byte("original-content"), 0o755))
+
+		// Create the "staged" binary in a subdirectory.
+		require.NoError(t, os.MkdirAll(filepath.Dir(stagedPath), 0o755))
+		require.NoError(t, os.WriteFile(stagedPath, []byte("new-content"), 0o755))
+
+		// Patch os.Executable for the test by calling swapBinaryInPlaceFrom directly.
+		resultPath, err := swapBinaryInPlaceFrom(stagedPath, originalPath)
+		require.NoError(t, err)
+		assert.Equal(t, originalPath, resultPath)
+
+		// The original path should now contain the staged content.
+		content, err := os.ReadFile(originalPath)
+		require.NoError(t, err)
+		assert.Equal(t, "new-content", string(content))
+
+		// The .old file should contain the original content.
+		oldContent, err := os.ReadFile(originalPath + ".old")
+		require.NoError(t, err)
+		assert.Equal(t, "original-content", string(oldContent))
+	})
+
+	t.Run("rolls back on copy failure", func(t *testing.T) {
+		dir := t.TempDir()
+		originalPath := filepath.Join(dir, "mybinary")
+
+		// Create the "original" binary.
+		require.NoError(t, os.WriteFile(originalPath, []byte("original-content"), 0o755))
+
+		// Staged path does not exist — copy will fail.
+		stagedPath := filepath.Join(dir, "nonexistent", "mybinary")
+
+		_, err := swapBinaryInPlaceFrom(stagedPath, originalPath)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to copy staged binary")
+
+		// After rollback, the original should be restored.
+		content, err := os.ReadFile(originalPath)
+		require.NoError(t, err)
+		assert.Equal(t, "original-content", string(content))
+
+		// .old should not remain after rollback.
+		_, err = os.Stat(originalPath + ".old")
+		assert.True(t, os.IsNotExist(err))
+	})
+
+	t.Run("succeeds with leftover .old file", func(t *testing.T) {
+		dir := t.TempDir()
+		originalPath := filepath.Join(dir, "mybinary")
+		stagedPath := filepath.Join(dir, "staged", "mybinary")
+
+		// Create the "original" binary and a leftover .old from a previous swap.
+		require.NoError(t, os.WriteFile(originalPath, []byte("original-content"), 0o755))
+		require.NoError(t, os.WriteFile(originalPath+".old", []byte("stale-old"), 0o755))
+
+		// Create the "staged" binary.
+		require.NoError(t, os.MkdirAll(filepath.Dir(stagedPath), 0o755))
+		require.NoError(t, os.WriteFile(stagedPath, []byte("new-content"), 0o755))
+
+		resultPath, err := swapBinaryInPlaceFrom(stagedPath, originalPath)
+		require.NoError(t, err)
+		assert.Equal(t, originalPath, resultPath)
+
+		// Original path has the new content.
+		content, err := os.ReadFile(originalPath)
+		require.NoError(t, err)
+		assert.Equal(t, "new-content", string(content))
+
+		// .old now contains the previous original, not the stale leftover.
+		oldContent, err := os.ReadFile(originalPath + ".old")
+		require.NoError(t, err)
+		assert.Equal(t, "original-content", string(oldContent))
+	})
+
+	t.Run("no-op when staged equals original", func(t *testing.T) {
+		dir := t.TempDir()
+		binaryPath := filepath.Join(dir, "mybinary")
+		require.NoError(t, os.WriteFile(binaryPath, []byte("content"), 0o755))
+
+		resultPath, err := swapBinaryInPlaceFrom(binaryPath, binaryPath)
+		require.NoError(t, err)
+		assert.Equal(t, binaryPath, resultPath)
+
+		// No .old file should be created.
+		_, err = os.Stat(binaryPath + ".old")
+		assert.True(t, os.IsNotExist(err))
+	})
+}
+
+func TestCopyFile(t *testing.T) {
+	dir := t.TempDir()
+	src := filepath.Join(dir, "src")
+	dst := filepath.Join(dir, "dst")
+
+	require.NoError(t, os.WriteFile(src, []byte("hello"), 0o755))
+
+	require.NoError(t, copyFile(src, dst))
+
+	content, err := os.ReadFile(dst)
+	require.NoError(t, err)
+	assert.Equal(t, "hello", string(content))
+
+	info, err := os.Stat(dst)
+	require.NoError(t, err)
+	assert.Equal(t, os.FileMode(0o755), info.Mode().Perm())
+}
+
+func TestCleanupOldBinary(t *testing.T) {
+	// CleanupOldBinary is a no-op on non-Windows because inPlaceUpdateEnabled is false.
+	// We just verify it doesn't panic.
+	CleanupOldBinary()
+}

cli/selfupdate/selfupdate.go

@@ -176,6 +176,19 @@ func CheckAndUpdate(cfg Config) (bool, error) {
 		Str("path", binaryPath).
 		Msg("self-update: successfully installed new version, re-executing")
 
+	// On Windows, swap the binary in-place so the firewall rule for the
+	// original path keeps working (no second firewall prompt).
+	if inPlaceUpdateEnabled {
+		if err := verifyBinary(binaryPath); err != nil {
+			return false, errors.Wrap(err, "new binary verification failed")
+		}
+		originalPath, err := swapBinaryInPlace(binaryPath)
+		if err != nil {
+			return false, errors.Wrap(err, "in-place swap failed")
+		}
+		binaryPath = originalPath
+	}
+
 	// Re-execute with the new binary
 	if err := ExecUpdatedBinary(binaryPath, os.Args); err != nil {
 		return false, errors.Wrap(err, "failed to re-execute with updated binary")
@@ -237,6 +250,16 @@ func execLocalIfNewer(binPath, binName, currentVersion string) (bool, error) {
 		Str("path", localBinary).
 		Msg("self-update: switching to local binary")
 
+	// On Windows, swap the binary in-place so the firewall rule stays valid.
+	// No extra verification needed: getLocalBinaryVersion already ran the binary.
+	if inPlaceUpdateEnabled {
+		originalPath, err := swapBinaryInPlace(localBinary)
+		if err != nil {
+			return false, errors.Wrap(err, "in-place swap failed")
+		}
+		localBinary = originalPath
+	}
+
 	// Exec to the newer local binary
 	if err := ExecUpdatedBinary(localBinary, os.Args); err != nil {
 		return false, errors.Wrap(err, "failed to exec local binary")