Initial
This commit is contained in:
89
README.md
89
README.md
@@ -29,7 +29,7 @@ The current UI is a Vue/Vite view layer over the Express API. All create/update/
|
||||
- PSADT Best Practice Verifier for saved scripts, rendered profiles, and pasted script content with severity scoring, line-aware findings, remediation text, and rule metadata.
|
||||
- Intune Publishing Wizard for PSADT Win32 deployment plans, including package source, `.intunewin` tracking, command style, UI compatibility, requirements, detection rules, return-code policy, assignment rings, status, Graph app ID, and visibility.
|
||||
- Microsoft Graph Intune tracking for PSADT deployments, with Graph environment configuration managed under Config / Intune plus mobile app linking, status sync, failure review, device/user status rows, and sync run history.
|
||||
- Host Library with searchable/sortable/paginated table, modal add/edit flow, VMware vCenter VM import wizard, and manual/dynamic Host Groups for RunPlan and script-test targeting.
|
||||
- Host Library with searchable/sortable/paginated table, modal add/edit flow, VMware vCenter VM import wizard, standalone ESXi connection records, and manual/dynamic Host Groups for RunPlan and script-test targeting.
|
||||
- Credential Vault as its own menu item with encrypted-at-rest secrets and modal add/edit flow.
|
||||
- RunPlan Library with searchable/sortable/paginated table, modal composer, and execute action.
|
||||
- Aggregate job log viewer with search/filter/pagination.
|
||||
@@ -506,12 +506,12 @@ Payload:
|
||||
| --- | --- | --- | --- |
|
||||
| `GET` | `/api/hosts` | User | List host library. |
|
||||
| `POST` | `/api/hosts` | User | Create host. |
|
||||
| `GET` | `/api/hosts/import/vcenter/status` | User | Return legacy effective vCenter status plus visible saved vCenter systems. |
|
||||
| `GET` | `/api/hosts/import/vcenter/connections` | User | List visible saved vCenter systems. |
|
||||
| `POST` | `/api/hosts/import/vcenter/connections` | User | Create an encrypted vCenter system record. |
|
||||
| `PUT` | `/api/hosts/import/vcenter/connections/:connectionId` | User | Update a visible vCenter system; omit password to keep the existing secret. |
|
||||
| `DELETE` | `/api/hosts/import/vcenter/connections/:connectionId` | User | Delete a visible vCenter system. |
|
||||
| `POST` | `/api/hosts/import/vcenter/connections/:connectionId/test` | User | Authenticate and list VM summaries to verify a vCenter system. |
|
||||
| `GET` | `/api/hosts/import/vcenter/status` | User | Return legacy effective vCenter status plus visible saved VMware connection records. |
|
||||
| `GET` | `/api/hosts/import/vcenter/connections` | User | List visible saved VMware connections. |
|
||||
| `POST` | `/api/hosts/import/vcenter/connections` | User | Create an encrypted VMware connection record. Use `targetType: "vcenter"` for inventory or `targetType: "host"` for standalone ESXi Web Services testing. |
|
||||
| `PUT` | `/api/hosts/import/vcenter/connections/:connectionId` | User | Update a visible VMware connection; omit password to keep the existing secret. |
|
||||
| `DELETE` | `/api/hosts/import/vcenter/connections/:connectionId` | User | Delete a visible VMware connection. |
|
||||
| `POST` | `/api/hosts/import/vcenter/connections/:connectionId/test` | User | Verify a VMware connection. vCenter records authenticate and list VM summaries; standalone host records call the vSphere Web Services SOAP endpoint. |
|
||||
| `POST` | `/api/hosts/import/vcenter/preview` | User | Authenticate to vCenter, search VM inventory, and return import candidates. |
|
||||
| `POST` | `/api/hosts/import/vcenter` | User | Import selected vCenter VM candidates as hosts, attaching the chosen credential/defaults. |
|
||||
| `GET` | `/api/hosts/groups` | User | List visible manual and dynamic Host Groups with member counts. |
|
||||
@@ -550,7 +550,11 @@ target hosts visible to the operator who creates or edits them. `sourceType`,
|
||||
`sourceConnectionId`, and `sourceRef` are hidden provenance fields. Manual
|
||||
hosts default to `sourceType: "manual"`. vCenter imports set
|
||||
`sourceType: "vmware"`, `sourceConnectionId` to the selected vCenter system,
|
||||
and `sourceRef` to the vCenter VM id.
|
||||
and `sourceRef` to the vCenter VM id. `osFamily` is normalized to `windows`,
|
||||
`linux`, or `other`; older values such as `network` or `api` are treated as
|
||||
`other`. Manual host entry should set this explicitly when POSHManager cannot
|
||||
infer it from inventory. vCenter imports infer Windows/Linux from VMware Tools
|
||||
guest identity when available; unknown guests are imported as `other`.
|
||||
|
||||
Host Groups let operators aggregate manual, imported, and VMware-sourced hosts
|
||||
without duplicating RunPlans. Manual groups store an explicit list of visible
|
||||
@@ -595,12 +599,17 @@ Dynamic group rule fields are `name`, `fqdn`, `address`, `tags`, `transport`,
|
||||
"all"` or `matchMode: "any"`. Operators can use `contains`, `equals`,
|
||||
`startsWith`, and `endsWith` operators. Rule matching is evaluated only against
|
||||
hosts the group owner/creator can see through personal/shared/group visibility.
|
||||
The Host Groups Target Collections table includes search, sort, pagination, and
|
||||
a read-only summary action. The summary view displays the rule/mode and assigned
|
||||
machines, then exports CSV or Excel-readable `.xls` files with hostname,
|
||||
IP address, and vCenter/VMware source system columns.
|
||||
|
||||
Create/update a saved vCenter system:
|
||||
Create/update a saved vCenter inventory system:
|
||||
|
||||
```json
|
||||
{
|
||||
"name": "Production vCenter",
|
||||
"targetType": "vcenter",
|
||||
"baseUrl": "https://vcenter.contoso.local",
|
||||
"username": "administrator@vsphere.local",
|
||||
"password": "stored-encrypted-on-save",
|
||||
@@ -613,10 +622,33 @@ Create/update a saved vCenter system:
|
||||
}
|
||||
```
|
||||
|
||||
Saved vCenter passwords are encrypted with the same credential-store key used
|
||||
by the Credential Vault. Existing `vcenter_*` settings and `VCENTER_*`
|
||||
environment variables remain supported as the `Configured default` import
|
||||
connection for single-vCenter deployments or Docker-provided configuration.
|
||||
Create/update a saved standalone ESXi host connection:
|
||||
|
||||
```json
|
||||
{
|
||||
"name": "Standalone ESXi 01",
|
||||
"targetType": "host",
|
||||
"baseUrl": "https://esxi01.contoso.local",
|
||||
"username": "root",
|
||||
"password": "stored-encrypted-on-save",
|
||||
"apiMode": "web-services",
|
||||
"requestTimeoutMs": 20000,
|
||||
"allowUntrustedTls": true,
|
||||
"enabled": true,
|
||||
"visibility": "shared",
|
||||
"groupId": null
|
||||
}
|
||||
```
|
||||
|
||||
Saved VMware passwords are encrypted with the same credential-store key used
|
||||
by the Credential Vault. `targetType: "vcenter"` records use the vSphere
|
||||
Automation API or legacy REST API for inventory and VM power-state checks.
|
||||
`targetType: "host"` records are standalone host connections that use the
|
||||
vSphere Web Services SOAP endpoint at `/sdk`; they validate direct ESXi
|
||||
connectivity but cannot perform vCenter VM inventory imports. Existing
|
||||
`vcenter_*` settings and `VCENTER_*` environment variables remain supported as
|
||||
the `Configured default` import connection for single-vCenter deployments or
|
||||
Docker-provided configuration.
|
||||
|
||||
VMware vCenter import can use a saved vCenter system selected by `connectionId` or the legacy configured default from Config / Integrations (`vcenter_*` settings or `VCENTER_*` environment variables). `apiMode` / `vcenter_api_mode` can be `auto`, `api`, or `rest`. `api` uses the current vSphere Automation API flow (`POST /api/session`, `GET /api/vcenter/vm`). `rest` uses the legacy/community vCenter REST flow (`POST /rest/com/vmware/cis/session`, `GET /rest/vcenter/vm`). `auto` tries the current `/api` profile first and falls back to `/rest` when the endpoint is not supported.
|
||||
|
||||
@@ -676,6 +708,9 @@ are logged and marked `skipped` for that host, so powered-off machines are not
|
||||
treated like script failures. If the vCenter connection is missing or the
|
||||
management API is temporarily unavailable, the runner logs the reason and
|
||||
continues execution rather than blocking the whole job on a control-plane issue.
|
||||
Standalone ESXi host connection records do not provide vCenter VM inventory
|
||||
state, so VMware-sourced imported guests continue to use their saved vCenter
|
||||
source connection for pre-run power checks.
|
||||
|
||||
### Script Library
|
||||
|
||||
@@ -688,6 +723,7 @@ continues execution rather than blocking the whole job on a control-plane issue.
|
||||
| `GET` | `/api/scripts` | User | List visible scripts. |
|
||||
| `POST` | `/api/scripts` | User | Create script and initial version. |
|
||||
| `GET` | `/api/scripts/:id` | User | Read script. |
|
||||
| `POST` | `/api/scripts/:id/compatibility` | User | Analyze a script against selected host or Host Group targets before execution. |
|
||||
| `PUT` | `/api/scripts/:id` | User | Update script and create a version record. |
|
||||
| `DELETE` | `/api/scripts/:id` | User | Delete script. |
|
||||
| `GET` | `/api/scripts/:id/versions` | User | List script versions. |
|
||||
@@ -1112,6 +1148,7 @@ with per-host log rows.
|
||||
| `GET` | `/api/runplans` | User | List visible RunPlans. |
|
||||
| `POST` | `/api/runplans` | User | Create RunPlan. |
|
||||
| `GET` | `/api/runplans/:id` | User | Read RunPlan. |
|
||||
| `GET` | `/api/runplans/:id/compatibility` | User | Analyze the RunPlan script against its current direct and Host Group targets. |
|
||||
| `PUT` | `/api/runplans/:id` | User | Update RunPlan. |
|
||||
| `DELETE` | `/api/runplans/:id` | User | Delete RunPlan. |
|
||||
| `POST` | `/api/runplans/:id/execute` | User | Queue/execute a RunPlan. |
|
||||
@@ -1148,6 +1185,26 @@ curl -X POST http://localhost:3000/api/runplans/rp_123/execute \
|
||||
-d '{}'
|
||||
```
|
||||
|
||||
Linux compatibility preflight:
|
||||
|
||||
```bash
|
||||
curl -X POST http://localhost:3000/api/scripts/scr_123/compatibility \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-H 'Content-Type: application/json' \
|
||||
-d '{"hostIds":["hst_linux_01"],"hostGroupIds":["hg_mixed_targets"]}'
|
||||
|
||||
curl http://localhost:3000/api/runplans/rp_123/compatibility \
|
||||
-H "Authorization: Bearer $TOKEN"
|
||||
```
|
||||
|
||||
The compatibility response includes the selected target OS mix and findings
|
||||
when Linux hosts are involved. The analyzer flags common cross-platform issues
|
||||
such as Windows registry providers, `C:\` or UNC paths, Windows-only
|
||||
executables such as `msiexec.exe`/`reg.exe`, WMI/`Win32_*` patterns,
|
||||
Windows-specific environment variables, and alias-heavy script style. RunPlan
|
||||
execution and Script Test / Run also write the same warning summary into
|
||||
per-host job logs for Linux targets.
|
||||
|
||||
### Settings And Logs
|
||||
|
||||
| Method | Route | Auth | Description |
|
||||
@@ -1176,6 +1233,7 @@ The runner writes a temporary PowerShell wrapper and launches `pwsh` with enviro
|
||||
- `ssh` hosts use `Invoke-Command -HostName`.
|
||||
- Host credential resolution happens inside backend execution flows.
|
||||
- POSHManager runtime variables are injected as PowerShell variables and `POSHM_*` environment variables.
|
||||
- `POSHM_HOST_OS_FAMILY` is injected with `windows`, `linux`, or `other` so scripts can branch on the target OS type.
|
||||
- Custom variables are decrypted server-side, token-rendered for `{{VariableName}}`, and injected into the script block as PowerShell variables before execution.
|
||||
- Asset references are token-rendered for `{{asset:<assetId>}}` and exposed as `POSHM_ASSET_MANIFEST` JSON. Local paths point to the API container asset store; remote scripts must copy or otherwise stage those files before using them on target systems.
|
||||
- PSADT variables are not emulated by POSHManager; they are available when the script runs inside a valid PSAppDeployToolkit session.
|
||||
@@ -1183,6 +1241,11 @@ The runner writes a temporary PowerShell wrapper and launches `pwsh` with enviro
|
||||
|
||||
Remote PowerShell prerequisites, firewall rules, remoting policy, SSH remoting, and target credentials must be configured outside POSHManager.
|
||||
|
||||
PowerShell on Linux requires a supported distro package/runtime and scripts must
|
||||
avoid assuming Windows-only subsystems. Prefer full cmdlet names over aliases,
|
||||
branch OS-specific logic with `$IsWindows`/`$IsLinux`, and test modules/cmdlets
|
||||
on the target platform before broad execution.
|
||||
|
||||
## Security Notes
|
||||
|
||||
- SQLite access uses prepared statements through `node:sqlite`.
|
||||
|
||||
Reference in New Issue
Block a user