@opencode-cloud/core 1.0.8 → 3.0.15

package/src/docker/users.rs

@@ -0,0 +1,357 @@
+//! Container user management operations
+//!
+//! This module provides functions to manage Linux system users inside
+//! the running Docker container. opencode authenticates against PAM,
+//! so opencode-cloud must manage system users in the container.
+//!
+//! Security note: Passwords are never passed as command arguments.
+//! Instead, we use `chpasswd` which reads from stdin.
+
+use super::exec::{exec_command, exec_command_exit_code, exec_command_with_stdin};
+use super::{DockerClient, DockerError};
+
+/// Information about a container user
+#[derive(Debug, Clone, PartialEq)]
+pub struct UserInfo {
+    /// Username
+    pub username: String,
+    /// User ID (uid)
+    pub uid: u32,
+    /// Home directory path
+    pub home: String,
+    /// Login shell
+    pub shell: String,
+    /// Whether the account is locked
+    pub locked: bool,
+}
+
+/// Create a new user in the container
+///
+/// Creates a user with a home directory and /bin/bash shell.
+/// Returns an error if the user already exists.
+///
+/// # Arguments
+/// * `client` - Docker client
+/// * `container` - Container name or ID
+/// * `username` - Username to create
+///
+/// # Example
+/// ```ignore
+/// create_user(&client, "opencode-cloud", "admin").await?;
+/// ```
+pub async fn create_user(
+    client: &DockerClient,
+    container: &str,
+    username: &str,
+) -> Result<(), DockerError> {
+    let cmd = vec!["useradd", "-m", "-s", "/bin/bash", username];
+
+    let exit_code = exec_command_exit_code(client, container, cmd).await?;
+
+    if exit_code != 0 {
+        // Check if user already exists
+        if user_exists(client, container, username).await? {
+            return Err(DockerError::Container(format!(
+                "User '{username}' already exists"
+            )));
+        }
+        return Err(DockerError::Container(format!(
+            "Failed to create user '{username}': useradd returned exit code {exit_code}"
+        )));
+    }
+
+    Ok(())
+}
+
+/// Set or change a user's password
+///
+/// Uses chpasswd with stdin for secure password setting.
+/// The password never appears in command arguments or process list.
+///
+/// # Arguments
+/// * `client` - Docker client
+/// * `container` - Container name or ID
+/// * `username` - Username to set password for
+/// * `password` - New password (will be written to stdin)
+///
+/// # Security
+/// The password is written directly to chpasswd's stdin, never appearing
+/// in command arguments, environment variables, or process listings.
+///
+/// # Example
+/// ```ignore
+/// set_user_password(&client, "opencode-cloud", "admin", "secret123").await?;
+/// ```
+pub async fn set_user_password(
+    client: &DockerClient,
+    container: &str,
+    username: &str,
+    password: &str,
+) -> Result<(), DockerError> {
+    let cmd = vec!["chpasswd"];
+    let stdin_data = format!("{username}:{password}\n");
+
+    exec_command_with_stdin(client, container, cmd, &stdin_data).await?;
+
+    Ok(())
+}
+
+/// Check if a user exists in the container
+///
+/// # Arguments
+/// * `client` - Docker client
+/// * `container` - Container name or ID
+/// * `username` - Username to check
+///
+/// # Returns
+/// `true` if the user exists, `false` otherwise
+pub async fn user_exists(
+    client: &DockerClient,
+    container: &str,
+    username: &str,
+) -> Result<bool, DockerError> {
+    let cmd = vec!["id", "-u", username];
+    let exit_code = exec_command_exit_code(client, container, cmd).await?;
+
+    Ok(exit_code == 0)
+}
+
+/// Lock a user account (disable password authentication)
+///
+/// Uses `passwd -l` to lock the account. The user will not be able
+/// to log in using password authentication.
+///
+/// # Arguments
+/// * `client` - Docker client
+/// * `container` - Container name or ID
+/// * `username` - Username to lock
+pub async fn lock_user(
+    client: &DockerClient,
+    container: &str,
+    username: &str,
+) -> Result<(), DockerError> {
+    let cmd = vec!["passwd", "-l", username];
+    let exit_code = exec_command_exit_code(client, container, cmd).await?;
+
+    if exit_code != 0 {
+        return Err(DockerError::Container(format!(
+            "Failed to lock user '{username}': passwd returned exit code {exit_code}"
+        )));
+    }
+
+    Ok(())
+}
+
+/// Unlock a user account (re-enable password authentication)
+///
+/// Uses `passwd -u` to unlock the account.
+///
+/// # Arguments
+/// * `client` - Docker client
+/// * `container` - Container name or ID
+/// * `username` - Username to unlock
+pub async fn unlock_user(
+    client: &DockerClient,
+    container: &str,
+    username: &str,
+) -> Result<(), DockerError> {
+    let cmd = vec!["passwd", "-u", username];
+    let exit_code = exec_command_exit_code(client, container, cmd).await?;
+
+    if exit_code != 0 {
+        return Err(DockerError::Container(format!(
+            "Failed to unlock user '{username}': passwd returned exit code {exit_code}"
+        )));
+    }
+
+    Ok(())
+}
+
+/// Delete a user from the container
+///
+/// Uses `userdel -r` to remove the user and their home directory.
+///
+/// # Arguments
+/// * `client` - Docker client
+/// * `container` - Container name or ID
+/// * `username` - Username to delete
+pub async fn delete_user(
+    client: &DockerClient,
+    container: &str,
+    username: &str,
+) -> Result<(), DockerError> {
+    let cmd = vec!["userdel", "-r", username];
+    let exit_code = exec_command_exit_code(client, container, cmd).await?;
+
+    if exit_code != 0 {
+        // Check if user doesn't exist
+        if !user_exists(client, container, username).await? {
+            return Err(DockerError::Container(format!(
+                "User '{username}' does not exist"
+            )));
+        }
+        return Err(DockerError::Container(format!(
+            "Failed to delete user '{username}': userdel returned exit code {exit_code}"
+        )));
+    }
+
+    Ok(())
+}
+
+/// List users in the container with home directories
+///
+/// Returns users that have home directories under /home/.
+/// Excludes system users.
+///
+/// # Arguments
+/// * `client` - Docker client
+/// * `container` - Container name or ID
+pub async fn list_users(
+    client: &DockerClient,
+    container: &str,
+) -> Result<Vec<UserInfo>, DockerError> {
+    // Get all users with home directories in /home
+    let cmd = vec!["sh", "-c", "getent passwd | grep '/home/'"];
+    let output = exec_command(client, container, cmd).await?;
+
+    let mut users = Vec::new();
+
+    for line in output.lines() {
+        if let Some(info) = parse_passwd_line(line) {
+            // Check if user is locked
+            let locked = is_user_locked(client, container, &info.username).await?;
+
+            users.push(UserInfo {
+                username: info.username,
+                uid: info.uid,
+                home: info.home,
+                shell: info.shell,
+                locked,
+            });
+        }
+    }
+
+    Ok(users)
+}
+
+/// Check if a user account is locked
+///
+/// Uses `passwd -S` to get account status.
+/// Returns true if the status starts with "L" (locked).
+async fn is_user_locked(
+    client: &DockerClient,
+    container: &str,
+    username: &str,
+) -> Result<bool, DockerError> {
+    let cmd = vec!["passwd", "-S", username];
+    let output = exec_command(client, container, cmd).await?;
+
+    // passwd -S output format: "username L/P/NP ... "
+    // L = locked, P = password set, NP = no password
+    let parts: Vec<&str> = output.split_whitespace().collect();
+    if parts.len() >= 2 {
+        return Ok(parts[1] == "L");
+    }
+
+    Ok(false)
+}
+
+/// Parsed user info from /etc/passwd line (intermediate struct)
+struct ParsedUser {
+    username: String,
+    uid: u32,
+    home: String,
+    shell: String,
+}
+
+/// Parse a line from /etc/passwd
+///
+/// Format: username:x:uid:gid:gecos:home:shell
+fn parse_passwd_line(line: &str) -> Option<ParsedUser> {
+    let fields: Vec<&str> = line.split(':').collect();
+    if fields.len() < 7 {
+        return None;
+    }
+
+    let uid = fields[2].parse::<u32>().ok()?;
+
+    Some(ParsedUser {
+        username: fields[0].to_string(),
+        uid,
+        home: fields[5].to_string(),
+        shell: fields[6].to_string(),
+    })
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_parse_passwd_line_valid() {
+        let line = "admin:x:1001:1001:Admin User:/home/admin:/bin/bash";
+        let parsed = parse_passwd_line(line).unwrap();
+        assert_eq!(parsed.username, "admin");
+        assert_eq!(parsed.uid, 1001);
+        assert_eq!(parsed.home, "/home/admin");
+        assert_eq!(parsed.shell, "/bin/bash");
+    }
+
+    #[test]
+    fn test_parse_passwd_line_minimal() {
+        let line = "user:x:1000:1000::/home/user:/bin/sh";
+        let parsed = parse_passwd_line(line).unwrap();
+        assert_eq!(parsed.username, "user");
+        assert_eq!(parsed.uid, 1000);
+        assert_eq!(parsed.home, "/home/user");
+        assert_eq!(parsed.shell, "/bin/sh");
+    }
+
+    #[test]
+    fn test_parse_passwd_line_invalid() {
+        assert!(parse_passwd_line("invalid").is_none());
+        assert!(parse_passwd_line("too:few:fields").is_none());
+        assert!(parse_passwd_line("user:x:not_a_number:1000::/home/user:/bin/bash").is_none());
+    }
+
+    #[test]
+    fn test_user_info_struct() {
+        let info = UserInfo {
+            username: "admin".to_string(),
+            uid: 1001,
+            home: "/home/admin".to_string(),
+            shell: "/bin/bash".to_string(),
+            locked: false,
+        };
+        assert_eq!(info.username, "admin");
+        assert!(!info.locked);
+    }
+
+    #[test]
+    fn test_user_info_equality() {
+        let info1 = UserInfo {
+            username: "admin".to_string(),
+            uid: 1001,
+            home: "/home/admin".to_string(),
+            shell: "/bin/bash".to_string(),
+            locked: false,
+        };
+        let info2 = info1.clone();
+        assert_eq!(info1, info2);
+    }
+
+    #[test]
+    fn test_user_info_debug() {
+        let info = UserInfo {
+            username: "test".to_string(),
+            uid: 1000,
+            home: "/home/test".to_string(),
+            shell: "/bin/bash".to_string(),
+            locked: true,
+        };
+        let debug = format!("{info:?}");
+        assert!(debug.contains("test"));
+        assert!(debug.contains("1000"));
+        assert!(debug.contains("locked: true"));
+    }
+}

package/src/docker/version.rs

@@ -0,0 +1,95 @@
+//! Docker image version detection
+//!
+//! Reads version information from Docker image labels.
+
+use super::{DockerClient, DockerError};
+
+/// Version label key in Docker image
+pub const VERSION_LABEL: &str = "org.opencode-cloud.version";
+
+/// Get version from image label
+///
+/// Returns None if image doesn't exist or has no version label.
+/// Version label is set during automated builds; local builds have "dev".
+pub async fn get_image_version(
+    client: &DockerClient,
+    image_name: &str,
+) -> Result<Option<String>, DockerError> {
+    let inspect = match client.inner().inspect_image(image_name).await {
+        Ok(info) => info,
+        Err(bollard::errors::Error::DockerResponseServerError {
+            status_code: 404, ..
+        }) => {
+            return Ok(None);
+        }
+        Err(e) => {
+            return Err(DockerError::Connection(format!(
+                "Failed to inspect image: {e}"
+            )));
+        }
+    };
+
+    // Extract version from labels
+    let version = inspect
+        .config
+        .and_then(|c| c.labels)
+        .and_then(|labels| labels.get(VERSION_LABEL).cloned());
+
+    Ok(version)
+}
+
+/// CLI version from Cargo.toml
+pub fn get_cli_version() -> &'static str {
+    env!("CARGO_PKG_VERSION")
+}
+
+/// Compare versions and determine if they match
+///
+/// Returns true if versions are compatible (same or dev build).
+/// Returns false if versions differ and user should be prompted.
+pub fn versions_compatible(cli_version: &str, image_version: Option<&str>) -> bool {
+    match image_version {
+        None => true,        // No version label = local build, assume compatible
+        Some("dev") => true, // Dev build, assume compatible
+        Some(img_ver) => cli_version == img_ver,
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_versions_compatible_none() {
+        assert!(versions_compatible("1.0.8", None));
+    }
+
+    #[test]
+    fn test_versions_compatible_dev() {
+        assert!(versions_compatible("1.0.8", Some("dev")));
+    }
+
+    #[test]
+    fn test_versions_compatible_same() {
+        assert!(versions_compatible("1.0.8", Some("1.0.8")));
+    }
+
+    #[test]
+    fn test_versions_compatible_different() {
+        assert!(!versions_compatible("1.0.8", Some("1.0.7")));
+    }
+
+    #[test]
+    fn test_get_cli_version_format() {
+        let version = get_cli_version();
+        // Should be semver format
+        assert!(version.contains('.'));
+        let parts: Vec<&str> = version.split('.').collect();
+        assert_eq!(parts.len(), 3);
+    }
+
+    #[test]
+    fn test_version_label_constant() {
+        assert_eq!(VERSION_LABEL, "org.opencode-cloud.version");
+    }
+}

package/src/host/error.rs

@@ -0,0 +1,61 @@
+//! Host-specific error types
+//!
+//! Errors that can occur during remote host operations.
+
+use thiserror::Error;
+
+/// Errors that can occur during host operations
+#[derive(Error, Debug)]
+pub enum HostError {
+    /// Failed to spawn SSH process
+    #[error("Failed to spawn SSH: {0}")]
+    SshSpawn(String),
+
+    /// SSH connection failed
+    #[error("SSH connection failed: {0}")]
+    ConnectionFailed(String),
+
+    /// SSH authentication failed (key not in agent, passphrase needed)
+    #[error("SSH authentication failed. Ensure your key is loaded: ssh-add {}", .key_hint.as_deref().unwrap_or("~/.ssh/id_rsa"))]
+    AuthFailed { key_hint: Option<String> },
+
+    /// Host not found in hosts.json
+    #[error("Host not found: {0}")]
+    NotFound(String),
+
+    /// Host already exists
+    #[error("Host already exists: {0}")]
+    AlreadyExists(String),
+
+    /// Failed to allocate local port for tunnel
+    #[error("Failed to allocate local port: {0}")]
+    PortAllocation(String),
+
+    /// Failed to load hosts file
+    #[error("Failed to load hosts file: {0}")]
+    LoadFailed(String),
+
+    /// Failed to save hosts file
+    #[error("Failed to save hosts file: {0}")]
+    SaveFailed(String),
+
+    /// Invalid host configuration
+    #[error("Invalid host configuration: {0}")]
+    InvalidConfig(String),
+
+    /// Tunnel connection timed out
+    #[error("SSH tunnel connection timed out after {0} attempts")]
+    TunnelTimeout(u32),
+
+    /// Remote Docker not available
+    #[error("Docker not available on remote host: {0}")]
+    RemoteDockerUnavailable(String),
+
+    /// Failed to read SSH config
+    #[error("Failed to read SSH config: {0}")]
+    SshConfigRead(String),
+
+    /// Failed to write SSH config
+    #[error("Failed to write SSH config: {0}")]
+    SshConfigWrite(String),
+}

package/src/host/mod.rs

@@ -0,0 +1,29 @@
+//! Host management module
+//!
+//! Provides functionality for managing remote Docker hosts:
+//! - Host configuration schema and storage
+//! - SSH tunnel management for remote Docker access
+//! - Connection testing and validation
+//! - SSH config file parsing and writing
+//! - Remote Docker provisioning
+
+mod error;
+mod provision;
+mod schema;
+mod ssh_config;
+mod storage;
+mod tunnel;
+
+// Public exports
+pub use error::HostError;
+pub use provision::{
+    DistroFamily, DistroInfo, detect_distro, get_docker_install_commands, install_docker,
+    verify_docker_installed,
+};
+pub use schema::{HostConfig, HostsFile};
+pub use ssh_config::{
+    SshConfigMatch, get_ssh_config_path, host_exists_in_ssh_config, query_ssh_config,
+    write_ssh_config_entry,
+};
+pub use storage::{load_hosts, save_hosts};
+pub use tunnel::{SshTunnel, test_connection};