domma-cms 0.10.0 → 0.13.0

package/server/services/pluginInstaller.js

@@ -0,0 +1,301 @@
+/**
+ * Plugin Installer Service
+ * Handles secure installation and uninstallation of CMS plugins from signed tarballs.
+ *
+ * Security model:
+ *   - Tarballs must be signed with a key registered in TRUSTED_KEYS
+ *   - Path traversal is blocked during extraction
+ *   - Manifest validation is performed post-extract via discoverPlugins()
+ *
+ * Audit log: content/instances_log.json
+ */
+
+import crypto from 'crypto';
+import fs from 'fs/promises';
+import path from 'path';
+import zlib from 'zlib';
+import {fileURLToPath} from 'url';
+import {discoverPlugins} from './plugins.js';
+
+// ---------------------------------------------------------------------------
+// Paths
+// ---------------------------------------------------------------------------
+
+const ROOT = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..', '..');
+const PLUGINS_DIR = path.join(ROOT, 'plugins');
+const CONFIG_PATH = path.join(ROOT, 'config', 'plugins.json');
+const AUDIT_LOG   = path.join(ROOT, 'content', 'instances_log.json');
+
+// ---------------------------------------------------------------------------
+// Trusted public keys — rotate by adding new keyId + bumping CMS version
+// Private key counterpart: domma-cms-manager/config/keys/plugin-signing-2026.pem
+// ---------------------------------------------------------------------------
+
+const TRUSTED_KEYS = {
+    'manager-2026': `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArmEogar77p4RwljMgEsi
+zSJRXIvRe8LDNzHvoez9gOu0SYUd2O8nsDOiLohsPxhH5+c8eXdBOkH+1y1O5QaN
+TmZTRGrRR0NrxhPVTT7trtJIiXH4IwgwWgzYVmCKOdKqX4wj2JwGbiPE57ubOBKE
+4T66OUIZmezSYYkhPmWAUCWmCX9KxL6czbMtNZYIn9U2O04imD/VtBieB4xCZy0P
+U9vE3Uz4bcjLjjo70+oWXtAuudlLUiMREJKcT6J72CZSW6rzuR1+NDJsh4q5C6jd
+e+B83PU+WiFxNwoHHJ91myEY4vDDWDDYV8G+sS/4QzBOgL9StwwvQzBuriWKjl8J
+eQIDAQAB
+-----END PUBLIC KEY-----`
+};
+
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Append a single record to the audit log, creating the file if absent.
+ *
+ * @param {object} record
+ * @returns {Promise<void>}
+ */
+async function writeAuditLog(record) {
+    await fs.mkdir(path.dirname(AUDIT_LOG), { recursive: true });
+    await fs.appendFile(AUDIT_LOG, JSON.stringify(record) + '\n', 'utf8');
+}
+
+/**
+ * Read config/plugins.json, returning {} on missing/malformed file.
+ *
+ * @returns {Promise<object>}
+ */
+async function readPluginsConfig() {
+    try {
+        const raw = await fs.readFile(CONFIG_PATH, 'utf8');
+        return JSON.parse(raw);
+    } catch {
+        return {};
+    }
+}
+
+/**
+ * Write config/plugins.json atomically.
+ *
+ * @param {object} data
+ * @returns {Promise<void>}
+ */
+async function writePluginsConfig(data) {
+    await fs.writeFile(CONFIG_PATH, JSON.stringify(data, null, 2), 'utf8');
+}
+
+/**
+ * Parse a raw (decompressed) TAR byte buffer and extract entries to destDir.
+ * Only handles POSIX ustar / GNU tar formats sufficient for plugin tarballs.
+ * Path traversal outside destDir causes an immediate throw.
+ *
+ * @param {Buffer} tarBuffer - Decompressed tar data
+ * @param {string} slug      - Plugin slug (used for guard prefix)
+ * @param {string} destDir   - Absolute destination directory
+ * @returns {Promise<void>}
+ */
+async function extractTar(tarBuffer, slug, destDir) {
+    const guardPrefix = path.resolve(destDir) + path.sep;
+    let offset = 0;
+
+    let zeroBlockCount = 0;
+    while (offset + 512 <= tarBuffer.length) {
+        const header = tarBuffer.slice(offset, offset + 512);
+
+        // All-zero block signals end of archive (two consecutive zero blocks required)
+        if (header.every(b => b === 0)) {
+            if (++zeroBlockCount >= 2) break;
+            offset += 512;
+            continue;
+        }
+        zeroBlockCount = 0;
+        offset += 512;
+
+        // Filename: bytes 0–99, null-terminated
+        const nameEnd = header.indexOf(0, 0);
+        const name = header.slice(0, nameEnd === -1 ? 100 : Math.min(nameEnd, 100)).toString('utf8');
+        if (!name) break;
+
+        // File size: bytes 124–135, octal ASCII
+        const sizeStr = header.slice(124, 136).toString('utf8').replace(/\0/g, '').trim();
+        const size = parseInt(sizeStr, 8) || 0;
+
+        // Type flag: byte 156
+        const typeFlag = String.fromCharCode(header[156]);
+
+        // Strip leading component (e.g. "my-plugin/foo.js" → "foo.js") so that
+        // tarballs created with a top-level directory still land correctly.
+        const parts = name.split('/');
+        const relativePath = parts.length > 1 ? parts.slice(1).join('/') : name;
+
+        if (relativePath) {
+            const target = path.resolve(destDir, relativePath);
+
+            // Path traversal guard
+            if (!target.startsWith(guardPrefix) && target !== path.resolve(destDir)) {
+                throw new Error(`Path traversal detected in tar entry: ${name}`);
+            }
+
+            if (typeFlag === '5' || name.endsWith('/')) {
+                // Directory entry
+                await fs.mkdir(target, { recursive: true });
+            } else if (typeFlag === '0' || typeFlag === '' || typeFlag === '\0') {
+                // Regular file
+                await fs.mkdir(path.dirname(target), { recursive: true });
+                const content = tarBuffer.slice(offset, offset + size);
+                await fs.writeFile(target, content);
+            }
+            // Ignore symlinks, hard links, etc. for security
+        }
+
+        // Advance past file data (rounded up to 512-byte block boundary)
+        offset += Math.ceil(size / 512) * 512;
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Install a plugin from a signed .tar.gz buffer.
+ *
+ * Steps:
+ *   1. Verify signature against TRUSTED_KEYS[publicKeyId]
+ *   2. Reject if plugins/<slug>/ already exists
+ *   3. Extract tarball to plugins/<slug>/ with path traversal guard
+ *   4. Validate manifest via discoverPlugins()
+ *   5. Add { enabled: false, settings: {} } to config/plugins.json
+ *   6. Run onEnable lifecycle hook (warn-only on failure)
+ *   7. Append install record to audit log
+ *
+ * @param {string} slug
+ * @param {{ tarball: Buffer, signature: string, publicKeyId: string }} options
+ * @returns {Promise<void>}
+ * @throws {Error} If signature is invalid, slug is already installed, or manifest validation fails
+ */
+export async function installPlugin(slug, { tarball, signature, publicKeyId }) {
+    if (!/^[a-z0-9][a-z0-9-_]{0,63}$/.test(slug)) {
+        throw new Error(`Invalid plugin slug: ${slug}`);
+    }
+
+    // Step 1 — Verify signature
+    const pubKeyPem = TRUSTED_KEYS[publicKeyId];
+    if (!pubKeyPem) {
+        throw new Error(`Unknown public key: ${publicKeyId}`);
+    }
+
+    if (pubKeyPem.includes('PLACEHOLDER')) {
+        throw new Error(`pluginInstaller: TRUSTED_KEYS['${publicKeyId}'] is a placeholder — not usable for verification`);
+    }
+
+    const signatureBuffer = Buffer.from(signature, 'base64');
+    const valid = crypto.verify('sha256', tarball, pubKeyPem, signatureBuffer);
+    if (!valid) {
+        throw new Error('Plugin signature invalid — refusing to install');
+    }
+
+    // Step 2 — Reject if already installed
+    const destDir = path.join(PLUGINS_DIR, slug);
+    let alreadyExists = false;
+    try {
+        await fs.access(destDir);
+        alreadyExists = true;
+    } catch {
+        // Not present — proceed
+    }
+    if (alreadyExists) {
+        throw new Error(`Plugin already installed: ${slug}`);
+    }
+
+    // Step 3 — Decompress + extract
+    await fs.mkdir(destDir, { recursive: true });
+    try {
+        const tarBuffer = zlib.gunzipSync(tarball);
+        await extractTar(tarBuffer, slug, destDir);
+    } catch (err) {
+        // Clean up partial extraction before re-throwing
+        await fs.rm(destDir, { recursive: true, force: true });
+        throw err;
+    }
+
+    // Step 4 — Validate manifest
+    const manifests = await discoverPlugins();
+    const manifest = manifests.find(m => m.name === slug);
+    if (!manifest) {
+        await fs.rm(destDir, { recursive: true, force: true });
+        throw new Error(`Plugin manifest validation failed after extraction: ${slug}`);
+    }
+
+    // Step 5 — Update config/plugins.json
+    const cfg = await readPluginsConfig();
+    if (!cfg[slug]) {
+        cfg[slug] = { enabled: false, settings: {} };
+        await writePluginsConfig(cfg);
+    }
+
+    // Step 6 — Run onEnable lifecycle hook (warn on failure, do not throw)
+    try {
+        const pluginJsPath = path.join(destDir, 'plugin.js');
+        const mod = await import(pluginJsPath);
+        if (typeof mod.onEnable === 'function') {
+            await mod.onEnable(null);
+        }
+    } catch (err) {
+        console.warn(`[pluginInstaller] onEnable hook for "${slug}" failed: ${err.message}`);
+    }
+
+    // Step 7 — Audit log
+    await writeAuditLog({
+        action: 'install',
+        slug,
+        version: manifest.version,
+        timestamp: new Date().toISOString()
+    });
+}
+
+/**
+ * Uninstall a plugin by slug.
+ *
+ * Steps:
+ *   1. Run onDisable lifecycle hook (warn-only on failure)
+ *   2. Remove plugins/<slug>/ directory
+ *   3. Remove entry from config/plugins.json
+ *   4. Append uninstall record to audit log
+ *
+ * @param {string} slug
+ * @returns {Promise<void>}
+ */
+export async function uninstallPlugin(slug) {
+    if (!/^[a-z0-9][a-z0-9-_]{0,63}$/.test(slug)) {
+        throw new Error(`Invalid plugin slug: ${slug}`);
+    }
+
+    const destDir = path.join(PLUGINS_DIR, slug);
+
+    // Step 1 — Run onDisable lifecycle hook (warn on failure, do not throw)
+    try {
+        const pluginJsPath = path.join(destDir, 'plugin.js');
+        const mod = await import(pluginJsPath);
+        if (typeof mod.onDisable === 'function') {
+            await mod.onDisable(null);
+        }
+    } catch (err) {
+        console.warn(`[pluginInstaller] onDisable hook for "${slug}" failed: ${err.message}`);
+    }
+
+    // Step 2 — Remove plugin directory
+    await fs.rm(destDir, { recursive: true, force: true });
+
+    // Step 3 — Remove from config/plugins.json
+    const cfg = await readPluginsConfig();
+    if (slug in cfg) {
+        delete cfg[slug];
+        await writePluginsConfig(cfg);
+    }
+
+    // Step 4 — Audit log
+    await writeAuditLog({
+        action: 'uninstall',
+        slug,
+        timestamp: new Date().toISOString()
+    });
+}

package/server/services/plugins.js

@@ -14,13 +14,23 @@ import fs from 'fs/promises';
 import path from 'path';
 import matter from 'gray-matter';
 import {getConfig, saveConfig} from '../config.js';
-import {authenticate, requireAdmin, requireRole} from '../middleware/auth.js';
+import {authenticate, requireAdmin, requireRole, requireVisibility} from '../middleware/auth.js';
 import {hooks, registerSanitizeRules, registerShortcode, registerTransform} from './hooks.js';
+import {registerPluginResource, unregisterPluginResourcesByPlugin} from './permissionRegistry.js';
+import {createCollection, getCollection} from './collections.js';
 
 const PLUGINS_DIR = path.resolve('plugins');
 
 const REQUIRED_MANIFEST_FIELDS = ['name', 'displayName', 'version', 'description', 'author', 'date', 'icon'];
 
+/**
+ * In-memory registry of loaded plugins, populated by registerPlugins().
+ * Keyed by plugin name; each entry mirrors the manifest plus runtime metadata.
+ *
+ * @type {Object.<string, { enabled: boolean, publicEntry: string|null }>}
+ */
+const _loadedPlugins = {};
+
 /**
  * Core plugins — always loaded regardless of plugins.json enabled state.
  * These are considered first-class CMS features, not optional add-ons.
@@ -43,7 +53,7 @@ export async function discoverPlugins() {
     }
 
     const plugins = [];
-    for (const entry of entries.filter(e => e.isDirectory())) {
+    for (const entry of entries.filter(e => e.isDirectory() && !e.name.startsWith('_'))) {
         const dir = entry.name;
         const pluginDir = path.join(PLUGINS_DIR, dir);
         const manifestPath = path.join(pluginDir, 'plugin.json');
@@ -163,11 +173,26 @@ export async function registerPlugins(fastify) {
           const prefix = `/api/plugins/${manifest.name}`;
           await fastify.register(plugin, {
             prefix,
-            auth: {authenticate, requireRole, requireAdmin},
+            auth: {authenticate, requireRole, requireAdmin, requireVisibility},
               hooks: {registerShortcode, registerSanitizeRules, registerTransform, on: hooks.on.bind(hooks)},
-              settings
+              settings,
+              config: {}
           });
             loaded.push(manifest.name);
+
+            // Ensure plugin collections exist (idempotent — skips if already present)
+            await setupPlugin(manifest.name, {collections: {getCollection, createCollection}})
+                .catch(err => fastify.log.warn(`[plugins] Collection setup for "${manifest.name}" failed: ${err.message}`));
+
+            // Detect optional plugin.public.js for root-level route registration
+            _loadedPlugins[manifest.name] = { enabled: true, publicEntry: null };
+            const publicEntryPath = path.join(PLUGINS_DIR, manifest.name, 'plugin.public.js');
+            try {
+                await fs.access(publicEntryPath);
+                _loadedPlugins[manifest.name].publicEntry = publicEntryPath;
+            } catch {
+                // no public entry — that's fine
+            }
         } catch (err) {
             fastify.log.error(`Plugin "${manifest.name}" server failed to load: ${err.message}`);
         }
@@ -180,6 +205,16 @@ export async function registerPlugins(fastify) {
     }
 }
 
+/**
+ * Return the in-memory registry of plugins loaded by registerPlugins().
+ * Each entry includes `enabled` and `publicEntry` (path or null).
+ *
+ * @returns {Object.<string, { enabled: boolean, publicEntry: string|null }>}
+ */
+export function getLoadedPlugins() {
+    return _loadedPlugins;
+}
+
 /**
  * Return merged settings for a plugin: config.js defaults + user overrides from config/plugins.json.
  *
@@ -263,7 +298,7 @@ async function walkMdFiles(dir) {
  * @returns {Promise<{ collections: string[], forms: string[], pages: string[] }>}
  */
 export async function setupPlugin(pluginName, services) {
-    const result = {collections: [], forms: [], pages: []};
+    const result = {collections: [], forms: [], pages: [], roles: []};
     const pluginDir = path.join(PLUGINS_DIR, pluginName);
 
     // Collections
@@ -341,6 +376,37 @@ export async function setupPlugin(pluginName, services) {
         }
     }
 
+    // Roles — read plugins/<name>/roles/*.json, register resources + persist roles
+    if (services.roles) {
+        const rolesDir = path.join(pluginDir, 'roles');
+        let roleFiles;
+        try {
+            roleFiles = await fs.readdir(rolesDir);
+        } catch {
+            roleFiles = [];
+        }
+        for (const file of roleFiles.filter(f => f.endsWith('.json'))) {
+            try {
+                const raw = await fs.readFile(path.join(rolesDir, file), 'utf8');
+                const def = JSON.parse(raw);
+
+                // Register any declared resources into the permission overlay
+                if (Array.isArray(def.resources)) {
+                    for (const resource of def.resources) {
+                        registerPluginResource(resource, pluginName);
+                    }
+                }
+
+                // Persist the role (idempotent)
+                const {resources: _resources, ...roleData} = def;
+                await services.roles.createRole({...roleData, plugin: pluginName});
+                result.roles.push(def.name);
+            } catch {
+                // Skip missing or invalid role files
+            }
+        }
+    }
+
     return result;
 }
 
@@ -354,7 +420,7 @@ export async function setupPlugin(pluginName, services) {
  * @returns {Promise<{ pages: string[], forms: string[] }>}
  */
 export async function teardownPlugin(pluginName, services, fastify) {
-    const result = {pages: [], forms: []};
+    const result = {pages: [], forms: [], roles: []};
 
     // Pages
     if (services.content) {
@@ -390,6 +456,22 @@ export async function teardownPlugin(pluginName, services, fastify) {
         }
     }
 
+    // Roles — remove plugin-contributed roles and unregister their resources
+    if (services.roles) {
+        try {
+            await services.roles.removeRolesByPlugin(pluginName);
+            unregisterPluginResourcesByPlugin(pluginName);
+            result.roles.push(pluginName);
+        } catch (err) {
+            fastify.log.warn(`[plugins] Could not remove roles for "${pluginName}": ${err.message}`);
+        }
+    }
+
+    if (_loadedPlugins[pluginName]) {
+        _loadedPlugins[pluginName].enabled = false;
+        _loadedPlugins[pluginName].publicEntry = null;
+    }
+
     return result;
 }
 
@@ -451,11 +533,13 @@ export async function runLifecycleHook(name, hook, fastify) {
             if (setup.collections.length) fastify.log.info(`[plugins] Created collections for "${name}": ${setup.collections.join(', ')}`);
             if (setup.forms.length) fastify.log.info(`[plugins] Created forms for "${name}": ${setup.forms.join(', ')}`);
             if (setup.pages.length) fastify.log.info(`[plugins] Created pages for "${name}": ${setup.pages.join(', ')}`);
+            if (setup.roles.length) fastify.log.info(`[plugins] Registered roles for "${name}": ${setup.roles.join(', ')}`);
         }
         if (hook === 'onDisable') {
             const torn = await teardownPlugin(name, services, fastify);
             if (torn.pages.length) fastify.log.info(`[plugins] Removed pages for "${name}": ${torn.pages.join(', ')}`);
             if (torn.forms.length) fastify.log.info(`[plugins] Removed forms for "${name}": ${torn.forms.join(', ')}`);
+            if (torn.roles.length) fastify.log.info(`[plugins] Removed roles for "${name}"`);
         }
 
         if (typeof mod[hook] === 'function') {
@@ -467,10 +551,12 @@ export async function runLifecycleHook(name, hook, fastify) {
 }
 
 /**
- * Return merged sidebar items, routes, and views from all enabled plugins.
+ * Return merged sidebar items, routes, views, and CSS links from all enabled plugins.
+ * View entry paths are automatically stamped with a mtime-based version so manual
+ * `?v=N` bumps in plugin.json are never needed again.
  * Used by the frontend to dynamically extend the admin panel.
  *
- * @returns {Promise<{ sidebar: object[], routes: object[], views: object }>}
+ * @returns {Promise<{ sidebar: object[], routes: object[], views: object, css: object[] }>}
  */
 export async function getAdminPluginConfig() {
     const manifests = await discoverPlugins();
@@ -479,6 +565,7 @@ export async function getAdminPluginConfig() {
     const sidebar = [];
     const routes = [];
     const views = {};
+    const css = [];
 
     for (const manifest of manifests) {
         const state = states[manifest.name] || {};
@@ -486,8 +573,28 @@ export async function getAdminPluginConfig() {
 
         if (manifest.admin.sidebar) sidebar.push(...manifest.admin.sidebar);
         if (manifest.admin.routes) routes.push(...manifest.admin.routes);
-        if (manifest.admin.views) Object.assign(views, manifest.admin.views);
+
+        // Auto-stamp view entries with mtime-based version (replaces manual ?v=N)
+        for (const [viewName, viewDef] of Object.entries(manifest.admin.views || {})) {
+            const entryBase = viewDef.entry.split('?')[0];
+            let stamped = viewDef.entry;
+            try {
+                const filePath = path.join(PLUGINS_DIR, entryBase);
+                const s = await fs.stat(filePath);
+                stamped = `${entryBase}?v=${Math.floor(s.mtimeMs)}`;
+            } catch { /* keep original entry as-is */ }
+            views[viewName] = { ...viewDef, entry: stamped };
+        }
+
+        // Collect admin CSS links declared in plugin.json admin.css[]
+        for (let i = 0; i < (manifest.admin.css || []).length; i++) {
+            const cssPath = manifest.admin.css[i];
+            css.push({
+                id: `plugin-${manifest.name}-css${i > 0 ? `-${i}` : ''}`,
+                href: `/plugins/${manifest.name}/${cssPath}`
+            });
+        }
     }
 
-    return { sidebar, routes, views };
+    return { sidebar, routes, views, css };
 }