Initial
This commit is contained in:
317
server/services/powershellRunner.js
Normal file
317
server/services/powershellRunner.js
Normal file
@@ -0,0 +1,317 @@
|
||||
import fs from 'node:fs/promises';
|
||||
import os from 'node:os';
|
||||
import path from 'node:path';
|
||||
import { spawn } from 'node:child_process';
|
||||
import { db, id, now } from '../db.js';
|
||||
import { decryptSecret } from './cryptoStore.js';
|
||||
import { config } from '../config.js';
|
||||
import { logger } from './logger.js';
|
||||
import { listExecutableAssets } from '../models/assetModel.js';
|
||||
import { listExecutableCustomVariables } from '../models/variableModel.js';
|
||||
import { getBooleanSetting } from '../models/settingsModel.js';
|
||||
|
||||
// The execution kill-switch can be set at boot via ALLOW_SCRIPT_EXECUTION and
|
||||
// flipped at runtime via the Config screen (allow_script_execution). The DB
|
||||
// value, when present, takes precedence so the UI toggle is actually effective.
|
||||
function scriptExecutionAllowed() {
|
||||
return getBooleanSetting('allow_script_execution', config.allowScriptExecution);
|
||||
}
|
||||
|
||||
export function executeRunPlan(runplanId, userId) {
|
||||
// Create the durable job record before async execution so the UI can attach to logs immediately.
|
||||
const runplan = db.prepare('SELECT * FROM runplans WHERE id = ?').get(runplanId);
|
||||
if (!runplan) throw new Error('RunPlan not found');
|
||||
const script = db.prepare('SELECT * FROM scripts WHERE id = ?').get(runplan.script_id);
|
||||
if (!script) throw new Error('Script not found');
|
||||
const hosts = db.prepare(`
|
||||
SELECT h.*, c.name AS credential_name, c.kind AS credential_kind, c.username AS credential_username,
|
||||
c.secret_cipher, c.secret_iv, c.secret_tag
|
||||
FROM runplan_hosts rh
|
||||
JOIN hosts h ON h.id = rh.host_id
|
||||
LEFT JOIN credentials c ON c.id = h.credential_id
|
||||
WHERE rh.runplan_id = ?
|
||||
ORDER BY h.name
|
||||
`).all(runplanId);
|
||||
if (hosts.length === 0) throw new Error('RunPlan has no hosts');
|
||||
|
||||
const jobId = id('job');
|
||||
db.prepare(`
|
||||
INSERT INTO jobs (id, runplan_id, script_id, status, triggered_by, started_at, created_at)
|
||||
VALUES (?, ?, ?, 'running', ?, ?, ?)
|
||||
`).run(jobId, runplan.id, script.id, userId, now(), now());
|
||||
|
||||
for (const host of hosts) {
|
||||
db.prepare(`
|
||||
INSERT INTO job_hosts (id, job_id, host_id, status, started_at)
|
||||
VALUES (?, ?, ?, 'queued', NULL)
|
||||
`).run(id('jhost'), jobId, host.id);
|
||||
}
|
||||
|
||||
const executionContext = {
|
||||
jobId,
|
||||
runplanId: runplan.id,
|
||||
scriptId: script.id,
|
||||
scriptName: script.name,
|
||||
triggeredBy: userId,
|
||||
customVariables: listExecutableCustomVariables(userId),
|
||||
assets: listExecutableAssets(userId)
|
||||
};
|
||||
|
||||
void runJob(jobId, script, hosts, Boolean(runplan.parallel), executionContext).catch((error) => {
|
||||
logger.error('job runner crashed', { jobId, error });
|
||||
db.prepare('UPDATE jobs SET status = ?, ended_at = ? WHERE id = ?').run('failed', now(), jobId);
|
||||
});
|
||||
|
||||
return db.prepare('SELECT * FROM jobs WHERE id = ?').get(jobId);
|
||||
}
|
||||
|
||||
export function executeScriptTest(scriptId, payload, userId) {
|
||||
const script = db.prepare(`
|
||||
SELECT * FROM scripts
|
||||
WHERE id = ? AND (
|
||||
visibility = 'shared'
|
||||
OR owner_user_id = ?
|
||||
OR group_id IN (SELECT group_id FROM user_groups WHERE user_id = ?)
|
||||
)
|
||||
`).get(scriptId, userId, userId);
|
||||
if (!script) throw new Error('Script not found');
|
||||
|
||||
const host = db.prepare(`
|
||||
SELECT h.*, c.name AS credential_name, c.kind AS credential_kind, c.username AS credential_username,
|
||||
c.secret_cipher, c.secret_iv, c.secret_tag
|
||||
FROM hosts h
|
||||
JOIN credentials c ON c.id = ?
|
||||
AND (
|
||||
c.visibility = 'shared'
|
||||
OR c.owner_user_id = ?
|
||||
OR c.group_id IN (SELECT group_id FROM user_groups WHERE user_id = ?)
|
||||
)
|
||||
WHERE h.id = ? AND (
|
||||
h.visibility = 'shared'
|
||||
OR h.owner_user_id = ?
|
||||
OR h.group_id IN (SELECT group_id FROM user_groups WHERE user_id = ?)
|
||||
)
|
||||
`).get(payload.credentialId, userId, userId, payload.hostId, userId, userId);
|
||||
if (!host) throw new Error('Visible host and credential are required');
|
||||
|
||||
const jobId = id('job');
|
||||
db.prepare(`
|
||||
INSERT INTO jobs (id, runplan_id, script_id, status, triggered_by, started_at, created_at)
|
||||
VALUES (?, NULL, ?, 'running', ?, ?, ?)
|
||||
`).run(jobId, script.id, userId, now(), now());
|
||||
db.prepare(`
|
||||
INSERT INTO job_hosts (id, job_id, host_id, status, started_at)
|
||||
VALUES (?, ?, ?, 'queued', NULL)
|
||||
`).run(id('jhost'), jobId, host.id);
|
||||
|
||||
const executionContext = {
|
||||
jobId,
|
||||
runplanId: 'script-test',
|
||||
scriptId: script.id,
|
||||
scriptName: script.name,
|
||||
triggeredBy: userId,
|
||||
testRun: true,
|
||||
customVariables: listExecutableCustomVariables(userId),
|
||||
assets: listExecutableAssets(userId)
|
||||
};
|
||||
|
||||
appendLog(jobId, host.id, 'system', `Test run requested for ${script.name} using credential ${host.credential_name}`);
|
||||
void runJob(jobId, script, [host], false, executionContext).catch((error) => {
|
||||
logger.error('script test runner crashed', { jobId, error });
|
||||
appendLog(jobId, host.id, 'stderr', `Script test runner crashed: ${error.message}`);
|
||||
db.prepare('UPDATE jobs SET status = ?, ended_at = ? WHERE id = ?').run('failed', now(), jobId);
|
||||
});
|
||||
|
||||
return db.prepare('SELECT * FROM jobs WHERE id = ?').get(jobId);
|
||||
}
|
||||
|
||||
async function runJob(jobId, script, hosts, parallel, executionContext) {
|
||||
// RunPlans can fan out in parallel or execute serially while preserving identical log semantics.
|
||||
const runner = async (host) => runHost(jobId, script, host, executionContext);
|
||||
if (parallel) {
|
||||
await Promise.all(hosts.map(runner));
|
||||
} else {
|
||||
for (const host of hosts) await runner(host);
|
||||
}
|
||||
|
||||
const failed = db.prepare('SELECT COUNT(*) AS count FROM job_hosts WHERE job_id = ? AND status = ?').get(jobId, 'failed').count;
|
||||
db.prepare('UPDATE jobs SET status = ?, ended_at = ? WHERE id = ?').run(failed ? 'failed' : 'completed', now(), jobId);
|
||||
}
|
||||
|
||||
async function runHost(jobId, script, host, executionContext) {
|
||||
// Each host owns its own temp wrapper and job_host lifecycle for per-target evidence.
|
||||
db.prepare('UPDATE job_hosts SET status = ?, started_at = ? WHERE job_id = ? AND host_id = ?').run('running', now(), jobId, host.id);
|
||||
appendLog(jobId, host.id, 'system', `Starting ${script.name} on ${host.name} (${host.transport})`);
|
||||
|
||||
if (!scriptExecutionAllowed()) {
|
||||
appendLog(jobId, host.id, 'stderr', 'Script execution is disabled by ALLOW_SCRIPT_EXECUTION=false.');
|
||||
finishHost(jobId, host.id, 'failed', 126);
|
||||
return;
|
||||
}
|
||||
|
||||
const secret = decryptSecret(host);
|
||||
const wrapper = buildWrapper(script.content, host, executionContext);
|
||||
const file = path.join(os.tmpdir(), `poshmanager-${jobId}-${host.id}.ps1`);
|
||||
|
||||
try {
|
||||
await fs.writeFile(file, wrapper, { mode: 0o600 });
|
||||
await spawnPowerShell(jobId, host, file, secret, executionContext);
|
||||
} catch (error) {
|
||||
appendLog(jobId, host.id, 'stderr', error.message);
|
||||
finishHost(jobId, host.id, 'failed', 1);
|
||||
} finally {
|
||||
await fs.rm(file, { force: true }).catch(() => {});
|
||||
}
|
||||
}
|
||||
|
||||
function buildWrapper(content, host, executionContext = {}) {
|
||||
// Build PowerShell wrappers without shell interpolation; host values are quoted as PS literals.
|
||||
const runtimeVariables = runtimeVariableValues(host, executionContext);
|
||||
const customVariables = executionContext.customVariables || [];
|
||||
const assetVariables = (executionContext.assets || []).map((asset) => ({
|
||||
name: `asset:${asset.id}`,
|
||||
value: asset.localPath,
|
||||
valueType: 'string'
|
||||
}));
|
||||
const rendered = renderTokens(content, [...runtimeVariables, ...customVariables, ...assetVariables]);
|
||||
const scriptWithPrelude = `${buildVariablePrelude(runtimeVariables, customVariables)}\n${rendered}`;
|
||||
const escaped = scriptWithPrelude.replace(/'@/g, "'`@");
|
||||
if (host.transport === 'local') {
|
||||
return [
|
||||
'$ErrorActionPreference = "Continue"',
|
||||
`$scriptText = @'`,
|
||||
escaped,
|
||||
"'@",
|
||||
'$scriptBlock = [ScriptBlock]::Create($scriptText)',
|
||||
'& $scriptBlock'
|
||||
].join('\n');
|
||||
}
|
||||
|
||||
if (host.transport === 'ssh') {
|
||||
return [
|
||||
'$ErrorActionPreference = "Continue"',
|
||||
`$scriptText = @'`,
|
||||
escaped,
|
||||
"'@",
|
||||
'$scriptBlock = [ScriptBlock]::Create($scriptText)',
|
||||
`Invoke-Command -HostName ${psString(host.address)} -UserName $env:POSHM_USERNAME -ScriptBlock $scriptBlock`
|
||||
].join('\n');
|
||||
}
|
||||
|
||||
return [
|
||||
'$ErrorActionPreference = "Continue"',
|
||||
'$securePassword = ConvertTo-SecureString $env:POSHM_SECRET -AsPlainText -Force',
|
||||
'$credential = [System.Management.Automation.PSCredential]::new($env:POSHM_USERNAME, $securePassword)',
|
||||
`$scriptText = @'`,
|
||||
escaped,
|
||||
"'@",
|
||||
'$scriptBlock = [ScriptBlock]::Create($scriptText)',
|
||||
`Invoke-Command -ComputerName ${psString(host.address)} -Credential $credential -ScriptBlock $scriptBlock`
|
||||
].join('\n');
|
||||
}
|
||||
|
||||
function spawnPowerShell(jobId, host, file, secret, executionContext = {}) {
|
||||
// Secrets are passed through process environment variables and are never written to job logs.
|
||||
const runtimeEnv = Object.fromEntries(runtimeVariableValues(host, executionContext).map((variable) => [variable.name, String(variable.value ?? '')]));
|
||||
const assetManifest = JSON.stringify(executionContext.assets || []);
|
||||
return new Promise((resolve) => {
|
||||
const child = spawn(config.powershellBin, ['-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', file], {
|
||||
env: {
|
||||
...process.env,
|
||||
...runtimeEnv,
|
||||
POSHM_HOST_ID: host.id,
|
||||
POSHM_HOST_NAME: host.name,
|
||||
POSHM_HOST_ADDRESS: host.address,
|
||||
POSHM_HOST_TRANSPORT: host.transport,
|
||||
POSHM_ASSET_MANIFEST: assetManifest,
|
||||
POSHM_USERNAME: host.credential_username || '',
|
||||
POSHM_SECRET: secret || ''
|
||||
},
|
||||
shell: false
|
||||
});
|
||||
|
||||
child.stdout.on('data', (chunk) => appendChunk(jobId, host.id, 'stdout', chunk));
|
||||
child.stderr.on('data', (chunk) => appendChunk(jobId, host.id, 'stderr', chunk));
|
||||
child.on('error', (error) => {
|
||||
appendLog(jobId, host.id, 'stderr', `Unable to start PowerShell: ${error.message}`);
|
||||
finishHost(jobId, host.id, 'failed', 127);
|
||||
resolve();
|
||||
});
|
||||
child.on('close', (code, signal) => {
|
||||
if (signal) appendLog(jobId, host.id, 'stderr', `PowerShell terminated by signal ${signal}`);
|
||||
const exitCode = code ?? 1;
|
||||
finishHost(jobId, host.id, exitCode === 0 ? 'completed' : 'failed', exitCode);
|
||||
resolve();
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
function appendChunk(jobId, hostId, stream, chunk) {
|
||||
String(chunk)
|
||||
.split(/\r?\n/)
|
||||
.filter(Boolean)
|
||||
.forEach((line) => appendLog(jobId, hostId, stream, line));
|
||||
}
|
||||
|
||||
function appendLog(jobId, hostId, stream, line) {
|
||||
db.prepare(`
|
||||
INSERT INTO job_logs (id, job_id, host_id, stream, line, created_at)
|
||||
VALUES (?, ?, ?, ?, ?, ?)
|
||||
`).run(id('log'), jobId, hostId, stream, line, now());
|
||||
}
|
||||
|
||||
function finishHost(jobId, hostId, status, exitCode) {
|
||||
db.prepare(`
|
||||
UPDATE job_hosts SET status = ?, exit_code = ?, ended_at = ?
|
||||
WHERE job_id = ? AND host_id = ?
|
||||
`).run(status, exitCode, now(), jobId, hostId);
|
||||
appendLog(jobId, hostId, 'system', `Finished with status ${status} and exit code ${exitCode}`);
|
||||
}
|
||||
|
||||
function runtimeVariableValues(host, executionContext) {
|
||||
const assetManifest = JSON.stringify(executionContext.assets || []);
|
||||
return [
|
||||
{ name: 'POSHM_JOB_ID', value: executionContext.jobId || '', valueType: 'string' },
|
||||
{ name: 'POSHM_RUNPLAN_ID', value: executionContext.runplanId || '', valueType: 'string' },
|
||||
{ name: 'POSHM_SCRIPT_ID', value: executionContext.scriptId || '', valueType: 'string' },
|
||||
{ name: 'POSHM_SCRIPT_NAME', value: executionContext.scriptName || '', valueType: 'string' },
|
||||
{ name: 'POSHM_HOST_ID', value: host.id, valueType: 'string' },
|
||||
{ name: 'POSHM_HOST_NAME', value: host.name, valueType: 'string' },
|
||||
{ name: 'POSHM_HOST_ADDRESS', value: host.address, valueType: 'string' },
|
||||
{ name: 'POSHM_HOST_TRANSPORT', value: host.transport, valueType: 'string' },
|
||||
{ name: 'POSHM_ASSET_MANIFEST', value: assetManifest, valueType: 'string' },
|
||||
{ name: 'POSHM_TRIGGERED_BY', value: executionContext.triggeredBy || '', valueType: 'string' }
|
||||
];
|
||||
}
|
||||
|
||||
function buildVariablePrelude(runtimeVariables, customVariables) {
|
||||
const envLines = runtimeVariables.map((variable) => `$env:${variable.name} = ${psLiteral(variable.value, variable.valueType)}`);
|
||||
const setLines = [...runtimeVariables, ...customVariables]
|
||||
.filter((variable) => /^[A-Za-z_][A-Za-z0-9_]*$/.test(variable.name))
|
||||
.map((variable) => `Set-Variable -Name ${psString(variable.name)} -Value ${psLiteral(variable.value, variable.valueType)} -Scope Script`);
|
||||
return [
|
||||
'# POSHManager runtime variables',
|
||||
...envLines,
|
||||
...setLines
|
||||
].join('\n');
|
||||
}
|
||||
|
||||
function renderTokens(content, variables) {
|
||||
let rendered = String(content || '');
|
||||
for (const variable of variables) {
|
||||
const token = `{{${variable.name}}}`;
|
||||
rendered = rendered.split(token).join(String(variable.value ?? ''));
|
||||
}
|
||||
return rendered;
|
||||
}
|
||||
|
||||
function psLiteral(value, type = 'string') {
|
||||
if (type === 'boolean') return String(value).toLowerCase() === 'true' || value === true ? '$true' : '$false';
|
||||
if (type === 'number' && value !== '' && Number.isFinite(Number(value))) return String(Number(value));
|
||||
if (type === 'json') return `(ConvertFrom-Json -InputObject ${psString(value)})`;
|
||||
return psString(value);
|
||||
}
|
||||
|
||||
function psString(value) {
|
||||
return `'${String(value || '').replace(/'/g, "''")}'`;
|
||||
}
|
||||
Reference in New Issue
Block a user