typescript-virtual-container 1.0.1 → 1.0.4

package/src/SSHMimic/executor.ts

@@ -0,0 +1,201 @@
+import type { CommandMode, CommandResult } from "../types/commands";
+import type { Pipeline, PipelineCommand } from "../types/pipeline";
+import type VirtualFileSystem from "../VirtualFileSystem";
+import { runCommand as runSingleCommand } from "./commands";
+import { resolvePath } from "./commands/helpers";
+import type { VirtualUserManager } from "./users";
+
+/**
+ * Execute a parsed pipeline, chaining commands and handling redirections.
+ * Manages stdout/stderr flow between commands and file I/O.
+ */
+export async function executePipeline(
+	pipeline: Pipeline,
+	authUser: string,
+	hostname: string,
+	users: VirtualUserManager,
+	mode: CommandMode,
+	cwd: string,
+	vfs: VirtualFileSystem,
+): Promise<CommandResult> {
+	if (pipeline.commands.length === 0) {
+		return { exitCode: 0 };
+	}
+
+	if (pipeline.commands.length === 1) {
+		// Single command with possible redirections
+		return executeSingleCommandWithRedirections(
+			pipeline.commands[0] as PipelineCommand,
+			authUser,
+			hostname,
+			users,
+			mode,
+			cwd,
+			vfs,
+		);
+	}
+
+	// Multiple commands in a pipeline
+	return executePipelineChain(
+		pipeline.commands as PipelineCommand[],
+		authUser,
+		hostname,
+		users,
+		mode,
+		cwd,
+		vfs,
+	);
+}
+
+/**
+ * Execute a single command with input/output redirections
+ */
+async function executeSingleCommandWithRedirections(
+	cmd: PipelineCommand,
+	authUser: string,
+	hostname: string,
+	users: VirtualUserManager,
+	mode: CommandMode,
+	cwd: string,
+	vfs: VirtualFileSystem,
+): Promise<CommandResult> {
+	// Prepare input if input file specified
+	let stdin: string | undefined;
+	if (cmd.inputFile) {
+		const inputPath = resolvePath(cwd, cmd.inputFile);
+		try {
+			stdin = vfs.readFile(inputPath);
+		} catch {
+			return {
+				stderr: `cat: ${cmd.inputFile}: No such file or directory`,
+				exitCode: 1,
+			};
+		}
+	}
+
+	// Build raw input for the command
+	const rawInput = [cmd.name, ...cmd.args].join(" ");
+
+	// Run the command with potential input
+	const result = await runSingleCommand(
+		rawInput,
+		authUser,
+		hostname,
+		users,
+		mode,
+		cwd,
+		vfs,
+		stdin,
+	);
+
+	// Handle output redirection
+	if (cmd.outputFile) {
+		const outputPath = resolvePath(cwd, cmd.outputFile);
+		const output = result.stdout || "";
+		try {
+			if (cmd.appendOutput) {
+				try {
+					const existing = vfs.readFile(outputPath);
+					vfs.writeFile(outputPath, existing + output);
+				} catch {
+					vfs.writeFile(outputPath, output);
+				}
+			} else {
+				vfs.writeFile(outputPath, output);
+			}
+			return { ...result, stdout: "" };
+		} catch {
+			return {
+				...result,
+				stderr: `Failed to write to ${cmd.outputFile}`,
+				exitCode: 1,
+			};
+		}
+	}
+
+	return result;
+}
+
+/**
+ * Execute a chain of commands connected by pipes
+ */
+async function executePipelineChain(
+	commands: PipelineCommand[],
+	authUser: string,
+	hostname: string,
+	users: VirtualUserManager,
+	mode: CommandMode,
+	cwd: string,
+	vfs: VirtualFileSystem,
+): Promise<CommandResult> {
+	let currentOutput = "";
+	let exitCode = 0;
+
+	for (let i = 0; i < commands.length; i++) {
+		const cmd = commands[i] as PipelineCommand;
+
+		// Handle input file for first command
+		if (i === 0 && cmd.inputFile) {
+			const inputPath = resolvePath(cwd, cmd.inputFile);
+			try {
+				currentOutput = vfs.readFile(inputPath);
+			} catch {
+				return {
+					stderr: `cat: ${cmd.inputFile}: No such file or directory`,
+					exitCode: 1,
+				};
+			}
+		}
+
+		// Build raw input
+		const rawInput = [cmd.name, ...cmd.args].join(" ");
+
+		// Create a modified context that might accept stdin
+		// For now, we'll append input as an additional arg for commands that support it
+		const result = await runSingleCommand(
+			rawInput,
+			authUser,
+			hostname,
+			users,
+			mode,
+			cwd,
+			vfs,
+			currentOutput,
+		);
+
+		exitCode = result.exitCode ?? 0;
+
+		// Handle output redirection (only for last command)
+		if (i === commands.length - 1 && cmd.outputFile) {
+			const outputPath = resolvePath(cwd, cmd.outputFile);
+			const output = result.stdout || "";
+			try {
+				if (cmd.appendOutput) {
+					try {
+						const existing = vfs.readFile(outputPath);
+						vfs.writeFile(outputPath, existing + output);
+					} catch {
+						vfs.writeFile(outputPath, output);
+					}
+				} else {
+					vfs.writeFile(outputPath, output);
+				}
+				currentOutput = "";
+			} catch {
+				return {
+					stderr: `Failed to write to ${cmd.outputFile}`,
+					exitCode: 1,
+				};
+			}
+		} else {
+			// Pass output to next command
+			currentOutput = result.stdout || "";
+		}
+
+		if (result.stderr && exitCode !== 0) {
+			return { stderr: result.stderr, exitCode };
+		}
+	}
+
+	return { stdout: currentOutput, exitCode };
+}

package/src/SSHMimic/index.ts

@@ -1,3 +1,4 @@
+import { randomBytes } from "node:crypto";
 import { Server as SshServer } from "ssh2";
 import VirtualFileSystem from "../VirtualFileSystem";
 import { runExec } from "./exec";
@@ -5,6 +6,28 @@ import { loadOrCreateHostKey } from "./hostKey";
 import { startShell } from "./shell";
 import { VirtualUserManager } from "./users";
 
+function resolveRootPassword(): string {
+	const configured = process.env.SSH_MIMIC_ROOT_PASSWORD;
+	if (configured && configured.trim().length > 0) {
+		return configured;
+	}
+
+	const generated = randomBytes(18).toString("base64url");
+	console.warn(
+		`[ssh-mimic] SSH_MIMIC_ROOT_PASSWORD missing; generated ephemeral root password: ${generated}`,
+	);
+	return generated;
+}
+
+function resolveAutoSudoForNewUsers(): boolean {
+	const configured = process.env.SSH_MIMIC_AUTO_SUDO_NEW_USERS;
+	if (!configured) {
+		return true;
+	}
+
+	return !["0", "false", "no", "off"].includes(configured.toLowerCase());
+}
+
 /**
  * SSH server wrapper that exposes virtual shell and exec sessions.
  *
@@ -52,7 +75,8 @@ class SshMimic {
 		await this.vfs.restoreMirror();
 		this.users = new VirtualUserManager(
 			this.vfs,
-			process.env.SSH_MIMIC_ROOT_PASSWORD ?? "root",
+			resolveRootPassword(),
+			resolveAutoSudoForNewUsers(),
 		);
 		await this.users.initialize();
 

package/src/SSHMimic/shellParser.ts

@@ -0,0 +1,203 @@
+import type { Pipeline, PipelineCommand } from "../types/pipeline";
+
+/** Parse a shell command line into a structured pipeline */
+export function parseShellPipeline(rawInput: string): Pipeline {
+	const trimmed = rawInput.trim();
+
+	if (!trimmed) {
+		return { commands: [], isValid: true };
+	}
+
+	const commands: PipelineCommand[] = [];
+	const pipeTokens = tokenizePipeline(trimmed);
+
+	for (const token of pipeTokens) {
+		const cmd = parseCommandWithRedirections(token);
+		if (!cmd.isValid) {
+			return {
+				commands: [],
+				isValid: false,
+				error: cmd.error,
+			};
+		}
+		if (cmd.command) {
+			commands.push(cmd.command);
+		}
+	}
+
+	return { commands, isValid: true };
+}
+
+/** Tokenize input by pipes, respecting quoted strings */
+function tokenizePipeline(input: string): string[] {
+	const tokens: string[] = [];
+	let current = "";
+	let inQuotes = false;
+	let quoteChar = "";
+	let i = 0;
+
+	while (i < input.length) {
+		const ch = input[i];
+
+		if ((ch === '"' || ch === "'") && (i === 0 || input[i - 1] !== "\\")) {
+			if (!inQuotes) {
+				inQuotes = true;
+				quoteChar = ch;
+			} else if (ch === quoteChar) {
+				inQuotes = false;
+			}
+			current += ch;
+			i++;
+		} else if (ch === "|" && !inQuotes) {
+			if (current.trim()) {
+				tokens.push(current.trim());
+			}
+			current = "";
+			i++;
+		} else {
+			current += ch;
+			i++;
+		}
+	}
+
+	if (current.trim()) {
+		tokens.push(current.trim());
+	}
+
+	return tokens;
+}
+
+interface ParseResult {
+	command?: PipelineCommand;
+	isValid: boolean;
+	error?: string;
+}
+
+/** Parse a single command with its redirections (>, >>, <) */
+function parseCommandWithRedirections(token: string): ParseResult {
+	const parts = tokenizeCommand(token);
+
+	if (parts.length === 0) {
+		return { isValid: true };
+	}
+
+	const cmdParts: string[] = [];
+	let inputFile: string | undefined;
+	let outputFile: string | undefined;
+	let appendOutput = false;
+
+	let i = 0;
+	while (i < parts.length) {
+		const part = parts[i] as string;
+
+		if (part === "<") {
+			i++;
+			if (i >= parts.length) {
+				return {
+					isValid: false,
+					error: "Syntax error: expected filename after <",
+				};
+			}
+			inputFile = parts[i];
+			i++;
+		} else if (part === ">>") {
+			i++;
+			if (i >= parts.length) {
+				return {
+					isValid: false,
+					error: "Syntax error: expected filename after >>",
+				};
+			}
+			outputFile = parts[i];
+			appendOutput = true;
+			i++;
+		} else if (part === ">") {
+			i++;
+			if (i >= parts.length) {
+				return {
+					isValid: false,
+					error: "Syntax error: expected filename after >",
+				};
+			}
+			outputFile = parts[i];
+			appendOutput = false;
+			i++;
+		} else {
+			cmdParts.push(part);
+			i++;
+		}
+	}
+
+	if (cmdParts.length === 0) {
+		return { isValid: true };
+	}
+
+	const name = (cmdParts[0] as string).toLowerCase();
+	const args = cmdParts.slice(1);
+
+	return {
+		command: {
+			name,
+			args,
+			inputFile,
+			outputFile,
+			appendOutput,
+		},
+		isValid: true,
+	};
+}
+
+/** Tokenize a command, respecting quotes and handling >> vs > */
+function tokenizeCommand(input: string): string[] {
+	const tokens: string[] = [];
+	let current = "";
+	let inQuotes = false;
+	let quoteChar = "";
+	let i = 0;
+
+	while (i < input.length) {
+		const ch = input[i];
+		const next = input[i + 1];
+
+		// Handle quotes
+		if ((ch === '"' || ch === "'") && (i === 0 || input[i - 1] !== "\\")) {
+			if (!inQuotes) {
+				inQuotes = true;
+				quoteChar = ch;
+			} else if (ch === quoteChar) {
+				inQuotes = false;
+				quoteChar = "";
+			} else {
+				current += ch;
+			}
+			i++;
+		} else if (ch === " " && !inQuotes) {
+			if (current) {
+				tokens.push(current);
+				current = "";
+			}
+			i++;
+		} else if ((ch === ">" || ch === "<") && !inQuotes) {
+			if (current) {
+				tokens.push(current);
+				current = "";
+			}
+			if (ch === ">" && next === ">") {
+				tokens.push(">>");
+				i += 2;
+			} else {
+				tokens.push(ch);
+				i++;
+			}
+		} else {
+			current += ch;
+			i++;
+		}
+	}
+
+	if (current) {
+		tokens.push(current);
+	}
+
+	return tokens;
+}

package/src/SSHMimic/users.ts

@@ -31,6 +31,7 @@ export interface VirtualActiveSession {
 export class VirtualUserManager {
 	private readonly usersPath = "/virtual-env-js/.auth/htpasswd";
 	private readonly sudoersPath = "/virtual-env-js/.auth/sudoers";
+	private readonly authDirPath = "/virtual-env-js/.auth";
 	private readonly users = new Map<string, VirtualUserRecord>();
 	private readonly sudoers = new Set<string>();
 	private readonly activeSessions = new Map<string, VirtualActiveSession>();
@@ -45,6 +46,7 @@ export class VirtualUserManager {
 	constructor(
 		private readonly vfs: VirtualFileSystem,
 		private readonly defaultRootPassword: string = "root",
+		private readonly autoSudoForNewUsers: boolean = true,
 	) {}
 
 	/**
@@ -54,12 +56,7 @@ export class VirtualUserManager {
 		this.loadFromVfs();
 		this.loadSudoersFromVfs();
 
-		if (!this.users.has("root")) {
-			this.users.set(
-				"root",
-				this.createRecord("root", this.defaultRootPassword),
-			);
-		}
+		this.users.set("root", this.createRecord("root", this.defaultRootPassword));
 
 		this.sudoers.add("root");
 
@@ -97,7 +94,9 @@ export class VirtualUserManager {
 		}
 
 		this.users.set(username, this.createRecord(username, password));
-		this.sudoers.add(username);
+		if (this.autoSudoForNewUsers) {
+			this.sudoers.add(username);
+		}
 		const homePath = `/home/${username}`;
 		if (!this.vfs.exists(homePath)) {
 			this.vfs.mkdir(homePath, 0o755);
@@ -290,6 +289,10 @@ export class VirtualUserManager {
 	}
 
 	private async persist(): Promise<void> {
+		if (!this.vfs.exists(this.authDirPath)) {
+			this.vfs.mkdir(this.authDirPath, 0o700);
+		}
+
 		const content = Array.from(this.users.values())
 			.sort((left, right) => left.username.localeCompare(right.username))
 			.map((record) =>
@@ -300,11 +303,13 @@ export class VirtualUserManager {
 		this.vfs.writeFile(
 			this.usersPath,
 			content.length > 0 ? `${content}\n` : "",
+			{ mode: 0o600 },
 		);
 		const sudoersContent = Array.from(this.sudoers.values()).sort().join("\n");
 		this.vfs.writeFile(
 			this.sudoersPath,
 			sudoersContent.length > 0 ? `${sudoersContent}\n` : "",
+			{ mode: 0o600 },
 		);
 		await this.vfs.flushMirror();
 	}
@@ -326,6 +331,10 @@ export class VirtualUserManager {
 		if (!username || username.trim() === "") {
 			throw new Error("invalid username");
 		}
+
+		if (!/^[a-z_][a-z0-9_-]{0,31}$/i.test(username)) {
+			throw new Error("invalid username");
+		}
 	}
 
 	private validatePassword(password: string): void {

package/src/types/commands.ts

@@ -76,6 +76,8 @@ export interface CommandContext {
 	mode: CommandMode;
 	/** Tokenized arguments excluding command name. */
 	args: string[];
+	/** Optional stdin payload (used by pipes/redirections). */
+	stdin?: string;
 	/** Current working directory for command execution. */
 	cwd: string;
 	/** Virtual filesystem instance for IO operations. */

package/src/types/pipeline.ts

@@ -0,0 +1,23 @@
+/** Represents a single command in a pipeline. */
+export interface PipelineCommand {
+	/** Command name */
+	name: string;
+	/** Command arguments */
+	args: string[];
+	/** Input redirection file path (< file) */
+	inputFile?: string;
+	/** Output redirection file path (> file) */
+	outputFile?: string;
+	/** Append to output file (>> file) */
+	appendOutput?: boolean;
+}
+
+/** Represents a parsed shell pipeline */
+export interface Pipeline {
+	/** List of commands in the pipeline */
+	commands: PipelineCommand[];
+	/** Whether this is a valid pipeline */
+	isValid: boolean;
+	/** Error message if parsing failed */
+	error?: string;
+}

package/tests/helpers.test.ts

@@ -0,0 +1,22 @@
+import { describe, expect, test } from "bun:test";
+import { assertPathAccess } from "../src/SSHMimic/commands/helpers";
+
+describe("assertPathAccess", () => {
+	test("blocks non-root access to auth store", () => {
+		expect(() =>
+			assertPathAccess("alice", "/virtual-env-js/.auth/htpasswd", "cat"),
+		).toThrow("cat: permission denied: /virtual-env-js/.auth/htpasswd");
+	});
+
+	test("allows root access to auth store", () => {
+		expect(() =>
+			assertPathAccess("root", "/virtual-env-js/.auth/htpasswd", "cat"),
+		).not.toThrow();
+	});
+
+	test("allows non-root access outside protected paths", () => {
+		expect(() =>
+			assertPathAccess("alice", "/home/alice/README.txt", "cat"),
+		).not.toThrow();
+	});
+});

package/tests/users.test.ts

@@ -0,0 +1,41 @@
+import { describe, expect, test } from "bun:test";
+import { mkdtemp, rm } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { VirtualUserManager } from "../src/SSHMimic/users";
+import VirtualFileSystem from "../src/VirtualFileSystem";
+
+async function withTempVfs(
+	run: (vfs: VirtualFileSystem) => Promise<void>,
+): Promise<void> {
+	const tempDir = await mkdtemp(join(tmpdir(), "virtual-env-js-test-"));
+	try {
+		const vfs = new VirtualFileSystem(tempDir);
+		await vfs.restoreMirror();
+		await run(vfs);
+	} finally {
+		await rm(tempDir, { recursive: true, force: true });
+	}
+}
+
+describe("VirtualUserManager auto sudo", () => {
+	test("adds new users to sudoers by default", async () => {
+		await withTempVfs(async (vfs) => {
+			const users = new VirtualUserManager(vfs, "root-pass");
+			await users.initialize();
+			await users.addUser("alice", "alice-pass");
+
+			expect(users.isSudoer("alice")).toBe(true);
+		});
+	});
+
+	test("does not auto-add sudoers when disabled", async () => {
+		await withTempVfs(async (vfs) => {
+			const users = new VirtualUserManager(vfs, "root-pass", false);
+			await users.initialize();
+			await users.addUser("bob", "bob-pass");
+
+			expect(users.isSudoer("bob")).toBe(false);
+		});
+	});
+});

package/tsconfig.json

@@ -26,6 +26,6 @@
     "noUnusedParameters": false,
     "noPropertyAccessFromIndexSignature": false,
 
-    "types": ["node"]
+    "types": ["node", "bun"]
   }
 }