import fs from 'node:fs/promises'; import os from 'node:os'; import { spawn } from 'node:child_process'; import { db, id, now } from '../db.js'; import { decryptSecret } from './cryptoStore.js'; import { config } from '../config.js'; import { logger } from './logger.js'; import { listExecutableAssets } from '../models/assetModel.js'; import { listExecutableCustomVariables } from '../models/variableModel.js'; import { getBooleanSetting, getStringSetting } from '../models/settingsModel.js'; import { getVCenterConnectionSystem } from '../models/vcenterConnectionModel.js'; import { getVCenterVmPowerState } from './vcenterService.js'; import { path } from '../utils/pathUtils.js'; // The execution kill-switch can be set at boot via ALLOW_SCRIPT_EXECUTION and // flipped at runtime via the Config screen (allow_script_execution). The DB // value, when present, takes precedence so the UI toggle is actually effective. function scriptExecutionAllowed() { return getBooleanSetting('allow_script_execution', config.allowScriptExecution); } export function resolvePowerShellExecutable() { return getStringSetting('powershell_bin', config.powershellBin).trim(); } export function powerShellSpawnFailureLines(error, executable) { const code = error?.code ? ` (${error.code})` : ''; const lines = [ `Unable to start configured PowerShell executable "${executable}"${code}.`, `Node spawn error: ${error?.message || 'unknown process start failure'}` ]; if (error?.code === 'ENOENT') { lines.push('The executable was not found on the API server PATH.'); lines.push('Windows: set Config > PowerShell Binary to "powershell.exe" or the full path "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe".'); lines.push('PowerShell 7: set it to "pwsh.exe" or the full pwsh install path.'); } lines.push(`API process platform: ${process.platform}; PATH: ${process.env.PATH || '(empty)'}`); return lines; } export function executeRunPlan(runplanId, userId) { // Create the durable job record before async execution so the UI can attach to logs immediately. const runplan = db.prepare('SELECT * FROM runplans WHERE id = ?').get(runplanId); if (!runplan) throw new Error('RunPlan not found'); const script = db.prepare('SELECT * FROM scripts WHERE id = ?').get(runplan.script_id); if (!script) throw new Error('Script not found'); const hosts = db.prepare(` SELECT h.*, c.name AS credential_name, c.kind AS credential_kind, c.username AS credential_username, c.secret_cipher, c.secret_iv, c.secret_tag FROM hosts h LEFT JOIN credentials c ON c.id = h.credential_id WHERE h.id IN ( SELECT host_id FROM runplan_hosts WHERE runplan_id = ? UNION SELECT hgm.host_id FROM runplan_host_groups rhg JOIN host_group_members hgm ON hgm.host_group_id = rhg.host_group_id WHERE rhg.runplan_id = ? ) ORDER BY h.name `).all(runplanId, runplanId); if (hosts.length === 0) throw new Error('RunPlan has no hosts'); const jobId = id('job'); db.prepare(` INSERT INTO jobs (id, runplan_id, script_id, status, triggered_by, started_at, created_at) VALUES (?, ?, ?, 'running', ?, ?, ?) `).run(jobId, runplan.id, script.id, userId, now(), now()); for (const host of hosts) { db.prepare(` INSERT INTO job_hosts (id, job_id, host_id, status, started_at) VALUES (?, ?, ?, 'queued', NULL) `).run(id('jhost'), jobId, host.id); } const executionContext = { jobId, runplanId: runplan.id, scriptId: script.id, scriptName: script.name, triggeredBy: userId, customVariables: listExecutableCustomVariables(userId), assets: listExecutableAssets(userId) }; void runJob(jobId, script, hosts, Boolean(runplan.parallel), executionContext).catch((error) => { logger.error('job runner crashed', { jobId, error }); db.prepare('UPDATE jobs SET status = ?, ended_at = ? WHERE id = ?').run('failed', now(), jobId); }); return db.prepare('SELECT * FROM jobs WHERE id = ?').get(jobId); } export function executeScriptTest(scriptId, payload, userId) { const script = db.prepare(` SELECT * FROM scripts WHERE id = ? AND ( visibility = 'shared' OR owner_user_id = ? OR group_id IN (SELECT group_id FROM user_groups WHERE user_id = ?) ) `).get(scriptId, userId, userId); if (!script) throw new Error('Script not found'); const hosts = payload.hostGroupId ? db.prepare(` SELECT h.*, c.name AS credential_name, c.kind AS credential_kind, c.username AS credential_username, c.secret_cipher, c.secret_iv, c.secret_tag FROM host_group_members hgm JOIN host_groups hg ON hg.id = hgm.host_group_id AND ( hg.visibility = 'shared' OR hg.owner_user_id = ? OR hg.group_id IN (SELECT group_id FROM user_groups WHERE user_id = ?) ) JOIN hosts h ON h.id = hgm.host_id AND ( h.visibility = 'shared' OR h.owner_user_id = ? OR h.group_id IN (SELECT group_id FROM user_groups WHERE user_id = ?) ) JOIN credentials c ON c.id = ? AND ( c.visibility = 'shared' OR c.owner_user_id = ? OR c.group_id IN (SELECT group_id FROM user_groups WHERE user_id = ?) ) WHERE hgm.host_group_id = ? ORDER BY h.name `).all(userId, userId, userId, userId, payload.credentialId, userId, userId, payload.hostGroupId) : [db.prepare(` SELECT h.*, c.name AS credential_name, c.kind AS credential_kind, c.username AS credential_username, c.secret_cipher, c.secret_iv, c.secret_tag FROM hosts h JOIN credentials c ON c.id = ? AND ( c.visibility = 'shared' OR c.owner_user_id = ? OR c.group_id IN (SELECT group_id FROM user_groups WHERE user_id = ?) ) WHERE h.id = ? AND ( h.visibility = 'shared' OR h.owner_user_id = ? OR h.group_id IN (SELECT group_id FROM user_groups WHERE user_id = ?) ) `).get(payload.credentialId, userId, userId, payload.hostId, userId, userId)].filter(Boolean); if (!hosts.length) throw new Error('Visible host or host group members and credential are required'); const jobId = id('job'); db.prepare(` INSERT INTO jobs (id, runplan_id, script_id, status, triggered_by, started_at, created_at) VALUES (?, NULL, ?, 'running', ?, ?, ?) `).run(jobId, script.id, userId, now(), now()); db.prepare(` INSERT INTO job_hosts (id, job_id, host_id, status, started_at) VALUES (?, ?, ?, 'queued', NULL) `); for (const host of hosts) insertJobHost.run(id('jhost'), jobId, host.id); const executionContext = { jobId, runplanId: 'script-test', scriptId: script.id, scriptName: script.name, triggeredBy: userId, testRun: true, customVariables: listExecutableCustomVariables(userId), assets: listExecutableAssets(userId) }; for (const host of hosts) appendLog(jobId, host.id, 'system', `Test run requested for ${script.name} using credential ${host.credential_name}`); void runJob(jobId, script, hosts, false, executionContext).catch((error) => { logger.error('script test runner crashed', { jobId, error }); for (const host of hosts) appendLog(jobId, host.id, 'stderr', `Script test runner crashed: ${error.message}`); db.prepare('UPDATE jobs SET status = ?, ended_at = ? WHERE id = ?').run('failed', now(), jobId); }); return db.prepare('SELECT * FROM jobs WHERE id = ?').get(jobId); } async function runJob(jobId, script, hosts, parallel, executionContext) { // RunPlans can fan out in parallel or execute serially while preserving identical log semantics. const runner = async (host) => runHost(jobId, script, host, executionContext); if (parallel) { await Promise.all(hosts.map(runner)); } else { for (const host of hosts) await runner(host); } const failed = db.prepare('SELECT COUNT(*) AS count FROM job_hosts WHERE job_id = ? AND status = ?').get(jobId, 'failed').count; db.prepare('UPDATE jobs SET status = ?, ended_at = ? WHERE id = ?').run(failed ? 'failed' : 'completed', now(), jobId); } async function runHost(jobId, script, host, executionContext) { // Each host owns its own temp wrapper and job_host lifecycle for per-target evidence. db.prepare('UPDATE job_hosts SET status = ?, started_at = ? WHERE job_id = ? AND host_id = ?').run('running', now(), jobId, host.id); appendLog(jobId, host.id, 'system', `Starting ${script.name} on ${host.name} (${host.transport})`); if (!scriptExecutionAllowed()) { appendLog(jobId, host.id, 'stderr', 'Script execution is disabled by ALLOW_SCRIPT_EXECUTION=false.'); finishHost(jobId, host.id, 'failed', 126); return; } if (!(await vCenterPowerPreflight(jobId, host))) return; const file = path.join(os.tmpdir(), `poshmanager-${jobId}-${host.id}.ps1`); try { const secret = decryptSecret(host); const wrapper = buildWrapper(script.content, host, executionContext); await fs.writeFile(file, wrapper, { mode: 0o600 }); await spawnPowerShell(jobId, host, file, secret, executionContext); } catch (error) { appendLog(jobId, host.id, 'stderr', error.message); finishHost(jobId, host.id, 'failed', 1); } finally { await fs.rm(file, { force: true }).catch(() => {}); } } async function vCenterPowerPreflight(jobId, host) { if ((host.source_type || 'manual') !== 'vmware') return true; if (!host.source_connection_id || !host.source_ref) { appendLog(jobId, host.id, 'system', 'Host is marked as VMware-sourced, but no vCenter connection or VM reference is stored. Continuing without a power-state gate.'); return true; } const connection = getVCenterConnectionSystem(host.source_connection_id, true); if (!connection) { appendLog(jobId, host.id, 'system', `Host is VMware-sourced, but vCenter connection ${host.source_connection_id} no longer exists. Continuing without a power-state gate.`); return true; } try { const result = await getVCenterVmPowerState(connection, host.source_ref); if (!result.checked) { appendLog(jobId, host.id, 'system', `vCenter power-state check skipped: ${result.reason || 'not enough source metadata'}`); return true; } appendLog(jobId, host.id, 'system', `vCenter power state for VM ${host.source_ref}: ${result.state || 'unknown'} (${result.apiProfile || 'vCenter API'})`); if (result.state && result.state !== 'POWERED_ON') { appendLog(jobId, host.id, 'system', `Skipping ${host.name}; VMware VM is not powered on.`); finishHost(jobId, host.id, 'skipped', 0); return false; } } catch (err) { appendLog(jobId, host.id, 'system', `Unable to verify vCenter power state before execution: ${err.message}. Continuing without a power-state gate.`); } return true; } function buildWrapper(content, host, executionContext = {}) { // Build PowerShell wrappers without shell interpolation; host values are quoted as PS literals. const runtimeVariables = runtimeVariableValues(host, executionContext); const customVariables = executionContext.customVariables || []; const assetVariables = (executionContext.assets || []).map((asset) => ({ name: `asset:${asset.id}`, value: asset.localPath, valueType: 'string' })); const rendered = renderTokens(content, [...runtimeVariables, ...customVariables, ...assetVariables]); const scriptWithPrelude = `${buildVariablePrelude(runtimeVariables, customVariables)}\n${rendered}`; const escaped = scriptWithPrelude.replace(/'@/g, "'`@"); if (host.transport === 'local') { return [ '$ErrorActionPreference = "Continue"', `$scriptText = @'`, escaped, "'@", '$scriptBlock = [ScriptBlock]::Create($scriptText)', '& $scriptBlock' ].join('\n'); } if (host.transport === 'ssh') { return [ '$ErrorActionPreference = "Continue"', `$scriptText = @'`, escaped, "'@", '$scriptBlock = [ScriptBlock]::Create($scriptText)', `Invoke-Command -HostName ${psString(host.address)} -UserName $env:POSHM_USERNAME -ScriptBlock $scriptBlock` ].join('\n'); } return [ '$ErrorActionPreference = "Continue"', '$securePassword = ConvertTo-SecureString $env:POSHM_SECRET -AsPlainText -Force', '$credential = [System.Management.Automation.PSCredential]::new($env:POSHM_USERNAME, $securePassword)', `$scriptText = @'`, escaped, "'@", '$scriptBlock = [ScriptBlock]::Create($scriptText)', `Invoke-Command -ComputerName ${psString(host.address)} -Credential $credential -ScriptBlock $scriptBlock` ].join('\n'); } function spawnPowerShell(jobId, host, file, secret, executionContext = {}) { // Secrets are passed through process environment variables and are never written to job logs. const runtimeEnv = Object.fromEntries(runtimeVariableValues(host, executionContext).map((variable) => [variable.name, String(variable.value ?? '')])); const assetManifest = JSON.stringify(executionContext.assets || []); const executable = resolvePowerShellExecutable(); const args = ['-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', file]; return new Promise((resolve) => { appendLog(jobId, host.id, 'system', `Launching PowerShell executable "${executable}"`); const child = spawn(executable, args, { env: { ...process.env, ...runtimeEnv, POSHM_HOST_ID: host.id, POSHM_HOST_NAME: host.name, POSHM_HOST_ADDRESS: host.address, POSHM_HOST_TRANSPORT: host.transport, POSHM_ASSET_MANIFEST: assetManifest, POSHM_USERNAME: host.credential_username || '', POSHM_SECRET: secret || '' }, shell: false }); let settled = false; function settle(status, exitCode) { if (settled) return; settled = true; finishHost(jobId, host.id, status, exitCode); resolve(); } child.stdout.on('data', (chunk) => appendChunk(jobId, host.id, 'stdout', chunk)); child.stderr.on('data', (chunk) => appendChunk(jobId, host.id, 'stderr', chunk)); child.on('error', (error) => { for (const line of powerShellSpawnFailureLines(error, executable)) appendLog(jobId, host.id, 'stderr', line); settle('failed', 127); }); child.on('close', (code, signal) => { if (settled) return; if (signal) appendLog(jobId, host.id, 'stderr', `PowerShell terminated by signal ${signal}`); const exitCode = code ?? 1; settle(exitCode === 0 ? 'completed' : 'failed', exitCode); }); }); } function appendChunk(jobId, hostId, stream, chunk) { String(chunk) .split(/\r?\n/) .filter(Boolean) .forEach((line) => appendLog(jobId, hostId, stream, line)); } function appendLog(jobId, hostId, stream, line) { db.prepare(` INSERT INTO job_logs (id, job_id, host_id, stream, line, created_at) VALUES (?, ?, ?, ?, ?, ?) `).run(id('log'), jobId, hostId, stream, line, now()); } function finishHost(jobId, hostId, status, exitCode) { db.prepare(` UPDATE job_hosts SET status = ?, exit_code = ?, ended_at = ? WHERE job_id = ? AND host_id = ? `).run(status, exitCode, now(), jobId, hostId); appendLog(jobId, hostId, 'system', `Finished with status ${status} and exit code ${exitCode}`); } function runtimeVariableValues(host, executionContext) { const assetManifest = JSON.stringify(executionContext.assets || []); return [ { name: 'POSHM_JOB_ID', value: executionContext.jobId || '', valueType: 'string' }, { name: 'POSHM_RUNPLAN_ID', value: executionContext.runplanId || '', valueType: 'string' }, { name: 'POSHM_SCRIPT_ID', value: executionContext.scriptId || '', valueType: 'string' }, { name: 'POSHM_SCRIPT_NAME', value: executionContext.scriptName || '', valueType: 'string' }, { name: 'POSHM_HOST_ID', value: host.id, valueType: 'string' }, { name: 'POSHM_HOST_NAME', value: host.name, valueType: 'string' }, { name: 'POSHM_HOST_ADDRESS', value: host.address, valueType: 'string' }, { name: 'POSHM_HOST_TRANSPORT', value: host.transport, valueType: 'string' }, { name: 'POSHM_ASSET_MANIFEST', value: assetManifest, valueType: 'string' }, { name: 'POSHM_TRIGGERED_BY', value: executionContext.triggeredBy || '', valueType: 'string' } ]; } function buildVariablePrelude(runtimeVariables, customVariables) { const envLines = runtimeVariables.map((variable) => `$env:${variable.name} = ${psLiteral(variable.value, variable.valueType)}`); const setLines = [...runtimeVariables, ...customVariables] .filter((variable) => /^[A-Za-z_][A-Za-z0-9_]*$/.test(variable.name)) .map((variable) => `Set-Variable -Name ${psString(variable.name)} -Value ${psLiteral(variable.value, variable.valueType)} -Scope Script`); return [ '# POSHManager runtime variables', ...envLines, ...setLines ].join('\n'); } function renderTokens(content, variables) { let rendered = String(content || ''); for (const variable of variables) { const token = `{{${variable.name}}}`; rendered = rendered.split(token).join(String(variable.value ?? '')); } return rendered; } function psLiteral(value, type = 'string') { if (type === 'boolean') return String(value).toLowerCase() === 'true' || value === true ? '$true' : '$false'; if (type === 'number' && value !== '' && Number.isFinite(Number(value))) return String(Number(value)); if (type === 'json') return `(ConvertFrom-Json -InputObject ${psString(value)})`; return psString(value); } function psString(value) { return `'${String(value || '').replace(/'/g, "''")}'`; }