This commit is contained in:
2026-06-25 16:51:56 -05:00
parent 94f4d8959d
commit 402bf6782a
25 changed files with 1323 additions and 103 deletions

View File

@@ -29,7 +29,7 @@ The current UI is a Vue/Vite view layer over the Express API. All create/update/
- PSADT Best Practice Verifier for saved scripts, rendered profiles, and pasted script content with severity scoring, line-aware findings, remediation text, and rule metadata.
- Intune Publishing Wizard for PSADT Win32 deployment plans, including package source, `.intunewin` tracking, command style, UI compatibility, requirements, detection rules, return-code policy, assignment rings, status, Graph app ID, and visibility.
- Microsoft Graph Intune tracking for PSADT deployments, with Graph environment configuration managed under Config / Intune plus mobile app linking, status sync, failure review, device/user status rows, and sync run history.
- Host Library with searchable/sortable/paginated table, modal add/edit flow, VMware vCenter VM import wizard, and manual/dynamic Host Groups for RunPlan and script-test targeting.
- Host Library with searchable/sortable/paginated table, modal add/edit flow, VMware vCenter VM import wizard, standalone ESXi connection records, and manual/dynamic Host Groups for RunPlan and script-test targeting.
- Credential Vault as its own menu item with encrypted-at-rest secrets and modal add/edit flow.
- RunPlan Library with searchable/sortable/paginated table, modal composer, and execute action.
- Aggregate job log viewer with search/filter/pagination.
@@ -506,12 +506,12 @@ Payload:
| --- | --- | --- | --- |
| `GET` | `/api/hosts` | User | List host library. |
| `POST` | `/api/hosts` | User | Create host. |
| `GET` | `/api/hosts/import/vcenter/status` | User | Return legacy effective vCenter status plus visible saved vCenter systems. |
| `GET` | `/api/hosts/import/vcenter/connections` | User | List visible saved vCenter systems. |
| `POST` | `/api/hosts/import/vcenter/connections` | User | Create an encrypted vCenter system record. |
| `PUT` | `/api/hosts/import/vcenter/connections/:connectionId` | User | Update a visible vCenter system; omit password to keep the existing secret. |
| `DELETE` | `/api/hosts/import/vcenter/connections/:connectionId` | User | Delete a visible vCenter system. |
| `POST` | `/api/hosts/import/vcenter/connections/:connectionId/test` | User | Authenticate and list VM summaries to verify a vCenter system. |
| `GET` | `/api/hosts/import/vcenter/status` | User | Return legacy effective vCenter status plus visible saved VMware connection records. |
| `GET` | `/api/hosts/import/vcenter/connections` | User | List visible saved VMware connections. |
| `POST` | `/api/hosts/import/vcenter/connections` | User | Create an encrypted VMware connection record. Use `targetType: "vcenter"` for inventory or `targetType: "host"` for standalone ESXi Web Services testing. |
| `PUT` | `/api/hosts/import/vcenter/connections/:connectionId` | User | Update a visible VMware connection; omit password to keep the existing secret. |
| `DELETE` | `/api/hosts/import/vcenter/connections/:connectionId` | User | Delete a visible VMware connection. |
| `POST` | `/api/hosts/import/vcenter/connections/:connectionId/test` | User | Verify a VMware connection. vCenter records authenticate and list VM summaries; standalone host records call the vSphere Web Services SOAP endpoint. |
| `POST` | `/api/hosts/import/vcenter/preview` | User | Authenticate to vCenter, search VM inventory, and return import candidates. |
| `POST` | `/api/hosts/import/vcenter` | User | Import selected vCenter VM candidates as hosts, attaching the chosen credential/defaults. |
| `GET` | `/api/hosts/groups` | User | List visible manual and dynamic Host Groups with member counts. |
@@ -550,7 +550,11 @@ target hosts visible to the operator who creates or edits them. `sourceType`,
`sourceConnectionId`, and `sourceRef` are hidden provenance fields. Manual
hosts default to `sourceType: "manual"`. vCenter imports set
`sourceType: "vmware"`, `sourceConnectionId` to the selected vCenter system,
and `sourceRef` to the vCenter VM id.
and `sourceRef` to the vCenter VM id. `osFamily` is normalized to `windows`,
`linux`, or `other`; older values such as `network` or `api` are treated as
`other`. Manual host entry should set this explicitly when POSHManager cannot
infer it from inventory. vCenter imports infer Windows/Linux from VMware Tools
guest identity when available; unknown guests are imported as `other`.
Host Groups let operators aggregate manual, imported, and VMware-sourced hosts
without duplicating RunPlans. Manual groups store an explicit list of visible
@@ -595,12 +599,17 @@ Dynamic group rule fields are `name`, `fqdn`, `address`, `tags`, `transport`,
"all"` or `matchMode: "any"`. Operators can use `contains`, `equals`,
`startsWith`, and `endsWith` operators. Rule matching is evaluated only against
hosts the group owner/creator can see through personal/shared/group visibility.
The Host Groups Target Collections table includes search, sort, pagination, and
a read-only summary action. The summary view displays the rule/mode and assigned
machines, then exports CSV or Excel-readable `.xls` files with hostname,
IP address, and vCenter/VMware source system columns.
Create/update a saved vCenter system:
Create/update a saved vCenter inventory system:
```json
{
"name": "Production vCenter",
"targetType": "vcenter",
"baseUrl": "https://vcenter.contoso.local",
"username": "administrator@vsphere.local",
"password": "stored-encrypted-on-save",
@@ -613,10 +622,33 @@ Create/update a saved vCenter system:
}
```
Saved vCenter passwords are encrypted with the same credential-store key used
by the Credential Vault. Existing `vcenter_*` settings and `VCENTER_*`
environment variables remain supported as the `Configured default` import
connection for single-vCenter deployments or Docker-provided configuration.
Create/update a saved standalone ESXi host connection:
```json
{
"name": "Standalone ESXi 01",
"targetType": "host",
"baseUrl": "https://esxi01.contoso.local",
"username": "root",
"password": "stored-encrypted-on-save",
"apiMode": "web-services",
"requestTimeoutMs": 20000,
"allowUntrustedTls": true,
"enabled": true,
"visibility": "shared",
"groupId": null
}
```
Saved VMware passwords are encrypted with the same credential-store key used
by the Credential Vault. `targetType: "vcenter"` records use the vSphere
Automation API or legacy REST API for inventory and VM power-state checks.
`targetType: "host"` records are standalone host connections that use the
vSphere Web Services SOAP endpoint at `/sdk`; they validate direct ESXi
connectivity but cannot perform vCenter VM inventory imports. Existing
`vcenter_*` settings and `VCENTER_*` environment variables remain supported as
the `Configured default` import connection for single-vCenter deployments or
Docker-provided configuration.
VMware vCenter import can use a saved vCenter system selected by `connectionId` or the legacy configured default from Config / Integrations (`vcenter_*` settings or `VCENTER_*` environment variables). `apiMode` / `vcenter_api_mode` can be `auto`, `api`, or `rest`. `api` uses the current vSphere Automation API flow (`POST /api/session`, `GET /api/vcenter/vm`). `rest` uses the legacy/community vCenter REST flow (`POST /rest/com/vmware/cis/session`, `GET /rest/vcenter/vm`). `auto` tries the current `/api` profile first and falls back to `/rest` when the endpoint is not supported.
@@ -676,6 +708,9 @@ are logged and marked `skipped` for that host, so powered-off machines are not
treated like script failures. If the vCenter connection is missing or the
management API is temporarily unavailable, the runner logs the reason and
continues execution rather than blocking the whole job on a control-plane issue.
Standalone ESXi host connection records do not provide vCenter VM inventory
state, so VMware-sourced imported guests continue to use their saved vCenter
source connection for pre-run power checks.
### Script Library
@@ -688,6 +723,7 @@ continues execution rather than blocking the whole job on a control-plane issue.
| `GET` | `/api/scripts` | User | List visible scripts. |
| `POST` | `/api/scripts` | User | Create script and initial version. |
| `GET` | `/api/scripts/:id` | User | Read script. |
| `POST` | `/api/scripts/:id/compatibility` | User | Analyze a script against selected host or Host Group targets before execution. |
| `PUT` | `/api/scripts/:id` | User | Update script and create a version record. |
| `DELETE` | `/api/scripts/:id` | User | Delete script. |
| `GET` | `/api/scripts/:id/versions` | User | List script versions. |
@@ -1112,6 +1148,7 @@ with per-host log rows.
| `GET` | `/api/runplans` | User | List visible RunPlans. |
| `POST` | `/api/runplans` | User | Create RunPlan. |
| `GET` | `/api/runplans/:id` | User | Read RunPlan. |
| `GET` | `/api/runplans/:id/compatibility` | User | Analyze the RunPlan script against its current direct and Host Group targets. |
| `PUT` | `/api/runplans/:id` | User | Update RunPlan. |
| `DELETE` | `/api/runplans/:id` | User | Delete RunPlan. |
| `POST` | `/api/runplans/:id/execute` | User | Queue/execute a RunPlan. |
@@ -1148,6 +1185,26 @@ curl -X POST http://localhost:3000/api/runplans/rp_123/execute \
-d '{}'
```
Linux compatibility preflight:
```bash
curl -X POST http://localhost:3000/api/scripts/scr_123/compatibility \
-H "Authorization: Bearer $TOKEN" \
-H 'Content-Type: application/json' \
-d '{"hostIds":["hst_linux_01"],"hostGroupIds":["hg_mixed_targets"]}'
curl http://localhost:3000/api/runplans/rp_123/compatibility \
-H "Authorization: Bearer $TOKEN"
```
The compatibility response includes the selected target OS mix and findings
when Linux hosts are involved. The analyzer flags common cross-platform issues
such as Windows registry providers, `C:\` or UNC paths, Windows-only
executables such as `msiexec.exe`/`reg.exe`, WMI/`Win32_*` patterns,
Windows-specific environment variables, and alias-heavy script style. RunPlan
execution and Script Test / Run also write the same warning summary into
per-host job logs for Linux targets.
### Settings And Logs
| Method | Route | Auth | Description |
@@ -1176,6 +1233,7 @@ The runner writes a temporary PowerShell wrapper and launches `pwsh` with enviro
- `ssh` hosts use `Invoke-Command -HostName`.
- Host credential resolution happens inside backend execution flows.
- POSHManager runtime variables are injected as PowerShell variables and `POSHM_*` environment variables.
- `POSHM_HOST_OS_FAMILY` is injected with `windows`, `linux`, or `other` so scripts can branch on the target OS type.
- Custom variables are decrypted server-side, token-rendered for `{{VariableName}}`, and injected into the script block as PowerShell variables before execution.
- Asset references are token-rendered for `{{asset:<assetId>}}` and exposed as `POSHM_ASSET_MANIFEST` JSON. Local paths point to the API container asset store; remote scripts must copy or otherwise stage those files before using them on target systems.
- PSADT variables are not emulated by POSHManager; they are available when the script runs inside a valid PSAppDeployToolkit session.
@@ -1183,6 +1241,11 @@ The runner writes a temporary PowerShell wrapper and launches `pwsh` with enviro
Remote PowerShell prerequisites, firewall rules, remoting policy, SSH remoting, and target credentials must be configured outside POSHManager.
PowerShell on Linux requires a supported distro package/runtime and scripts must
avoid assuming Windows-only subsystems. Prefer full cmdlet names over aliases,
branch OS-specific logic with `$IsWindows`/`$IsLinux`, and test modules/cmdlets
on the target platform before broad execution.
## Security Notes
- SQLite access uses prepared statements through `node:sqlite`.