typescript-virtual-container 1.5.3 → 1.5.4

package/src/SSHMimic/exec.ts

@@ -1,49 +0,0 @@
-import { makeDefaultEnv, runCommand, userHome } from "../commands";
-import type { ExecStream } from "../types/streams";
-import type { VirtualShell } from "../VirtualShell";
-
-function toTtyLines(text: string): string {
-	return text
-		.replace(/\r\n/g, "\n")
-		.replace(/\r/g, "\n")
-		.replace(/\n/g, "\r\n");
-}
-
-export function runExec(
-	stream: ExecStream,
-	cmd: string,
-	authUser: string,
-	hostname: string,
-	shell: VirtualShell,
-): void {
-	Promise.resolve(
-		runCommand(
-			cmd,
-			authUser,
-			hostname,
-			"exec",
-			userHome(authUser),
-			shell,
-			undefined,
-			makeDefaultEnv(authUser, hostname),
-		),
-	)
-		.then((result) => {
-			if (result.stdout) {
-				stream.write(`${toTtyLines(result.stdout)}\r\n`);
-			}
-
-			if (result.stderr) {
-				stream.stderr.write(`${toTtyLines(result.stderr)}\r\n`);
-			}
-
-			stream.exit(result.exitCode ?? 0);
-			stream.end();
-		})
-		.catch((error) => {
-			console.error("Exec error:", error);
-			stream.stderr.write(`Error: ${String(error)}\r\n`);
-			stream.exit(1);
-			stream.end();
-		});
-}

package/src/SSHMimic/executor.ts

@@ -1,251 +0,0 @@
-import { runCommandDirect } from "../commands";
-import { resolvePath } from "../commands/helpers";
-import type { CommandMode, CommandResult, ShellEnv } from "../types/commands";
-import type {
-	Pipeline,
-	PipelineCommand,
-	Statement,
-} from "../types/pipeline";
-import type { VirtualShell } from "../VirtualShell";
-
-// ── Script executor (handles &&/||/;) ────────────────────────────────────────
-
-
-export async function executeStatements(
-	statements: Statement[],
-	authUser: string,
-	hostname: string,
-	mode: CommandMode,
-	cwd: string,
-	shell: VirtualShell,
-	env: ShellEnv,
-): Promise<CommandResult> {
-	let last: CommandResult = { exitCode: 0 };
-	const accumulatedStdout: string[] = [];
-	let currentCwd = cwd; // track cwd changes from cd, su, etc.
-	let i = 0;
-
-	while (i < statements.length) {
-		const stmt = statements[i]!;
-		last = await executePipeline(
-			stmt.pipeline,
-			authUser,
-			hostname,
-			mode,
-			currentCwd,
-			shell,
-			env,
-		);
-		env.lastExitCode = last.exitCode ?? 0;
-
-		// Propagate cwd changes (cd, su -l, etc.)
-		if (last.nextCwd && (last.exitCode ?? 0) === 0) {
-			currentCwd = last.nextCwd;
-		}
-
-		// Collect stdout from each statement (for echo a; echo b → "a\nb\n")
-		if (last.stdout) accumulatedStdout.push(last.stdout);
-
-		if (last.closeSession || last.switchUser) {
-			return {
-				...last,
-				stdout: accumulatedStdout.join("") || last.stdout,
-			};
-		}
-
-		const op = stmt.op;
-		if (!op || op === ";") {
-			// always run next
-		} else if (op === "&&") {
-			if ((last.exitCode ?? 0) !== 0) {
-				// skip until next ; or end
-				while (i < statements.length && statements[i]?.op === "&&") i++;
-			}
-		} else if (op === "||") {
-			if ((last.exitCode ?? 0) === 0) {
-				// skip until next ; or end
-				while (i < statements.length && statements[i]?.op === "||") i++;
-			}
-		}
-		i++;
-	}
-	// Merge accumulated stdout (for "echo a; echo b" → "a\nb\n")
-	const merged = accumulatedStdout.join("");
-	// Preserve the deepest cwd change across the whole pipeline
-	return { ...last, stdout: merged || last.stdout, nextCwd: currentCwd !== cwd ? currentCwd : undefined };
-}
-
-// ── Pipeline executor ─────────────────────────────────────────────────────────
-
-export async function executePipeline(
-	pipeline: Pipeline,
-	authUser: string,
-	hostname: string,
-	mode: CommandMode,
-	cwd: string,
-	shell: VirtualShell,
-	env?: ShellEnv,
-): Promise<CommandResult> {
-	if (!pipeline.isValid)
-		return { stderr: pipeline.error || "Syntax error", exitCode: 1 };
-	if (pipeline.commands.length === 0) return { exitCode: 0 };
-
-	const shellEnv: ShellEnv = env ?? { vars: {}, lastExitCode: 0 };
-
-	if (pipeline.commands.length === 1) {
-		return executeSingleCommandWithRedirections(
-			pipeline.commands[0] as PipelineCommand,
-			authUser,
-			hostname,
-			mode,
-			cwd,
-			shell,
-			shellEnv,
-		);
-	}
-
-	return executePipelineChain(
-		pipeline.commands as PipelineCommand[],
-		authUser,
-		hostname,
-		mode,
-		cwd,
-		shell,
-		shellEnv,
-	);
-}
-
-async function executeSingleCommandWithRedirections(
-	cmd: PipelineCommand,
-	authUser: string,
-	hostname: string,
-	mode: CommandMode,
-	cwd: string,
-	shell: VirtualShell,
-	env: ShellEnv,
-): Promise<CommandResult> {
-	let stdin: string | undefined;
-	if (cmd.inputFile) {
-		const inputPath = resolvePath(cwd, cmd.inputFile);
-		try {
-			stdin = shell.vfs.readFile(inputPath);
-		} catch {
-			return {
-				stderr: `${cmd.inputFile}: No such file or directory`,
-				exitCode: 1,
-			};
-		}
-	}
-
-	const result = await runCommandDirect(
-		cmd.name,
-		cmd.args,
-		authUser,
-		hostname,
-		mode,
-		cwd,
-		shell,
-		stdin,
-		env,
-	);
-
-	if (cmd.outputFile) {
-		const outputPath = resolvePath(cwd, cmd.outputFile);
-		const output = result.stdout || "";
-		try {
-			if (cmd.appendOutput) {
-				const existing = (() => {
-					try {
-						return shell.vfs.readFile(outputPath);
-					} catch {
-						return "";
-					}
-				})();
-				shell.writeFileAsUser(authUser, outputPath, existing + output);
-			} else {
-				shell.writeFileAsUser(authUser, outputPath, output);
-			}
-			return { ...result, stdout: "" };
-		} catch {
-			return {
-				...result,
-				stderr: `Failed to write to ${cmd.outputFile}`,
-				exitCode: 1,
-			};
-		}
-	}
-
-	return result;
-}
-
-async function executePipelineChain(
-	commands: PipelineCommand[],
-	authUser: string,
-	hostname: string,
-	mode: CommandMode,
-	cwd: string,
-	shell: VirtualShell,
-	env: ShellEnv,
-): Promise<CommandResult> {
-	let currentOutput = "";
-	let exitCode = 0;
-
-	for (let i = 0; i < commands.length; i++) {
-		const cmd = commands[i] as PipelineCommand;
-
-		if (i === 0 && cmd.inputFile) {
-			const inputPath = resolvePath(cwd, cmd.inputFile);
-			try {
-				currentOutput = shell.vfs.readFile(inputPath);
-			} catch {
-				return {
-					stderr: `${cmd.inputFile}: No such file or directory`,
-					exitCode: 1,
-				};
-			}
-		}
-
-		const result = await runCommandDirect(
-			cmd.name,
-			cmd.args,
-			authUser,
-			hostname,
-			mode,
-			cwd,
-			shell,
-			currentOutput,
-			env,
-		);
-		exitCode = result.exitCode ?? 0;
-
-		if (i === commands.length - 1 && cmd.outputFile) {
-			const outputPath = resolvePath(cwd, cmd.outputFile);
-			const output = result.stdout || "";
-			try {
-				if (cmd.appendOutput) {
-					const existing = (() => {
-						try {
-							return shell.vfs.readFile(outputPath);
-						} catch {
-							return "";
-						}
-					})();
-					shell.writeFileAsUser(authUser, outputPath, existing + output);
-				} else {
-					shell.writeFileAsUser(authUser, outputPath, output);
-				}
-				currentOutput = "";
-			} catch {
-				return { stderr: `Failed to write to ${cmd.outputFile}`, exitCode: 1 };
-			}
-		} else {
-			currentOutput = result.stdout || "";
-		}
-
-		if (result.stderr && exitCode !== 0)
-			return { stderr: result.stderr, exitCode };
-		if (result.closeSession || result.switchUser) return result;
-	}
-
-	return { stdout: currentOutput, exitCode };
-}

package/src/SSHMimic/hostKey.ts

@@ -1,21 +0,0 @@
-import { generateKeyPairSync } from "node:crypto";
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
-import { dirname, resolve } from "node:path";
-
-export function loadOrCreateHostKey(baseDir: string = process.cwd()): string {
-	const hostKeyPath = resolve(baseDir, ".ssh-mimic", "host_rsa");
-
-	if (existsSync(hostKeyPath)) {
-		return readFileSync(hostKeyPath, "utf8");
-	}
-
-	const privateKey = generateKeyPairSync("rsa", {
-		modulusLength: 2048,
-		privateKeyEncoding: { type: "pkcs1", format: "pem" },
-		publicKeyEncoding: { type: "pkcs1", format: "pem" },
-	}).privateKey;
-
-	mkdirSync(dirname(hostKeyPath), { recursive: true });
-	writeFileSync(hostKeyPath, privateKey, { mode: 0o600 });
-	return privateKey;
-}

package/src/SSHMimic/index.ts

@@ -1,337 +0,0 @@
-import { EventEmitter } from "node:events";
-import { Server as SshServer } from "ssh2";
-import { VirtualShell } from "../VirtualShell";
-import { userHome } from "../commands";
-import { createPerfLogger, type PerfLogger } from "../utils/perfLogger";
-import { runExec } from "./exec";
-import { loadOrCreateHostKey } from "./hostKey";
-
-/**
- * SSH server facade that wires the virtual shell runtime into ssh2 sessions.
- *
- * This class is exported as `VirtualSshServer` for public API compatibility.
- * Create an instance, call {@link SshMimic.start}, and stop it with
- * {@link SshMimic.stop} when your process exits.
- *
- * Features:
- * - Password authentication
- * - Public-key authentication
- * - Per-IP rate limiting / lockout for brute-force protection
- * - Interactive shell sessions
- * - Non-interactive exec sessions
- */
-const perf: PerfLogger = createPerfLogger("SshMimic");
-
-// ── Dev-mode logger ───────────────────────────────────────────────────────────
-const DEV = !!process.env.DEV_MODE;
-const devLog = DEV ? console.log.bind(console) : () => {};
-
-
-/** @internal */
-interface RateLimitEntry {
-	attempts: number;
-	lockedUntil: number;
-}
-
-class SshMimic extends EventEmitter {
-	port: number;
-	server: SshServer | null;
-	private shell: VirtualShell;
-
-	/** Max failed auth attempts before an IP is temporarily locked. */
-	private readonly maxAuthAttempts: number;
-	/** How long (ms) a locked IP must wait before retrying. */
-	private readonly lockoutDurationMs: number;
-	private readonly authAttempts = new Map<string, RateLimitEntry>();
-
-	/**
-	 * Creates a new SSH mimic server instance.
-	 *
-	 * @param options - Configuration object for the SSH server.
-	 * @param options.port - TCP port to bind on localhost.
-	 * @param options.hostname - Virtual hostname used for the SSH ident and default shell label.
-	 * @param options.shell - Optional preconfigured virtual shell instance to reuse.
-	 * @param options.maxAuthAttempts - Max failed attempts per IP before lockout (default: 5).
-	 * @param options.lockoutDurationMs - Lockout window in ms after exceeding attempts (default: 60 000).
-	 */
-	constructor({
-		port,
-		hostname = "typescript-vm",
-		shell = new VirtualShell(hostname),
-		maxAuthAttempts = 5,
-		lockoutDurationMs = 60_000,
-	}: {
-		port: number;
-		hostname?: string;
-		shell?: VirtualShell;
-		maxAuthAttempts?: number;
-		lockoutDurationMs?: number;
-	}) {
-		super();
-		perf.mark("constructor");
-		this.port = port;
-		this.server = null;
-		this.shell = shell;
-		this.maxAuthAttempts = maxAuthAttempts;
-		this.lockoutDurationMs = lockoutDurationMs;
-	}
-
-	// ── Rate limiting ────────────────────────────────────────────────────────
-
-	private isLockedOut(ip: string): boolean {
-		const entry = this.authAttempts.get(ip);
-		if (!entry) return false;
-		if (Date.now() < entry.lockedUntil) return true;
-		if (entry.lockedUntil > 0) {
-			this.authAttempts.delete(ip);
-		}
-		return false;
-	}
-
-	private recordFailure(ip: string): void {
-		const entry = this.authAttempts.get(ip) ?? { attempts: 0, lockedUntil: 0 };
-		entry.attempts += 1;
-		if (entry.attempts >= this.maxAuthAttempts) {
-			entry.lockedUntil = Date.now() + this.lockoutDurationMs;
-			this.emit("auth:lockout", { ip, until: new Date(entry.lockedUntil) });
-		}
-		this.authAttempts.set(ip, entry);
-	}
-
-	private recordSuccess(ip: string): void {
-		this.authAttempts.delete(ip);
-	}
-
-	// ── Home directory bootstrap ─────────────────────────────────────────────
-
-	private ensureHomeDir(authUser: string): void {
-		const homePath = userHome(authUser);
-		if (!this.shell.vfs.exists(homePath)) {
-			this.shell.vfs.mkdir(homePath, 0o755);
-			this.shell.vfs.writeFile(
-				`${homePath}/README.txt`,
-				`Welcome to ${this.shell.hostname}\n`,
-			);
-			void this.shell.vfs.stopAutoFlush();
-		}
-	}
-
-	// ── Server lifecycle ─────────────────────────────────────────────────────
-
-	/**
-	 * Starts server and initializes virtual filesystem, users, and handlers.
-	 *
-	 * @returns Promise resolved with bound listening port.
-	 */
-	public async start(): Promise<number> {
-		perf.mark("start");
-		const shell = this.shell;
-		const privateKey = loadOrCreateHostKey();
-
-		await shell.ensureInitialized();
-
-		this.server = new SshServer(
-			{
-				hostKeys: [privateKey],
-				ident: `SSH-2.0-${shell.hostname}`,
-			},
-			(client) => {
-				let authUser = "root";
-				let remoteAddress = "unknown";
-				let sessionId: string | null = null;
-
-				this.emit("client:connect");
-
-				client.on("authentication", (ctx) => {
-					const candidateUser = ctx.username || "root";
-					remoteAddress = (ctx as { ip?: string }).ip ?? remoteAddress;
-
-					// Rate-limit check
-					if (this.isLockedOut(remoteAddress)) {
-						this.emit("auth:failure", {
-							username: candidateUser,
-							remoteAddress,
-							reason: "lockout",
-						});
-						ctx.reject();
-						return;
-					}
-
-					// ── Password auth ──────────────────────────────────────
-					if (ctx.method === "password") {
-						if (!shell.users.hasPassword(candidateUser)) {
-							authUser = candidateUser;
-							sessionId = shell.users.registerSession(
-								authUser,
-								remoteAddress,
-							).id;
-							this.recordSuccess(remoteAddress);
-							this.emit("auth:success", { username: authUser, remoteAddress });
-							this.ensureHomeDir(authUser);
-							ctx.accept();
-							return;
-						}
-
-						if (
-							!ctx.password ||
-							ctx.password === "" ||
-							!shell.users.verifyPassword(candidateUser, ctx.password)
-						) {
-							this.recordFailure(remoteAddress);
-							this.emit("auth:failure", {
-								username: candidateUser,
-								remoteAddress,
-							});
-							ctx.reject();
-							return;
-						}
-
-						authUser = candidateUser;
-						sessionId = shell.users.registerSession(authUser, remoteAddress).id;
-						this.recordSuccess(remoteAddress);
-						this.emit("auth:success", { username: authUser, remoteAddress });
-						this.ensureHomeDir(authUser);
-						ctx.accept();
-						return;
-					}
-
-					// ── Public-key auth ────────────────────────────────────
-					if (ctx.method === "publickey") {
-						const authorizedKeys = shell.users.getAuthorizedKeys(candidateUser);
-						if (authorizedKeys.length === 0) {
-							// No keys configured — reject cleanly
-							ctx.reject();
-							return;
-						}
-
-						const incomingKey = ctx.key;
-						const keyMatches = authorizedKeys.some(
-							(k) =>
-								k.algo === incomingKey.algo && k.data.equals(incomingKey.data),
-						);
-
-						if (!keyMatches) {
-							this.recordFailure(remoteAddress);
-							this.emit("auth:failure", {
-								username: candidateUser,
-								remoteAddress,
-								method: "publickey",
-							});
-							ctx.reject();
-							return;
-						}
-
-						// Key matched — if this is a signature check step, accept
-						if (ctx.signature) {
-							authUser = candidateUser;
-							sessionId = shell.users.registerSession(
-								authUser,
-								remoteAddress,
-							).id;
-							this.recordSuccess(remoteAddress);
-							this.emit("auth:success", {
-								username: authUser,
-								remoteAddress,
-								method: "publickey",
-							});
-							this.ensureHomeDir(authUser);
-							ctx.accept();
-						} else {
-							// Key exists but no signature yet — ssh2 will call again with signature
-							ctx.accept();
-						}
-						return;
-					}
-
-					ctx.reject(["password", "publickey"]);
-				});
-
-				client.on("close", () => {
-					shell.users.unregisterSession(sessionId);
-					this.emit("client:disconnect", { user: authUser });
-					sessionId = null;
-				});
-
-				client.on("ready", () => {
-					client.on("session", (accept) => {
-						const session = accept();
-						const terminalSize = { cols: 80, rows: 24 };
-
-						session.on("pty", (acceptPty, _rejectPty, info) => {
-							terminalSize.cols = info?.cols ?? terminalSize.cols;
-							terminalSize.rows = info?.rows ?? terminalSize.rows;
-							acceptPty();
-						});
-
-						session.on(
-							"window-change",
-							(_acceptChange, _rejectChange, info) => {
-								terminalSize.cols = info?.cols ?? terminalSize.cols;
-								terminalSize.rows = info?.rows ?? terminalSize.rows;
-							},
-						);
-
-						session.on("shell", (acceptShell) => {
-							const stream = acceptShell();
-							shell?.startInteractiveSession(
-								stream,
-								authUser,
-								sessionId,
-								remoteAddress,
-								terminalSize,
-							);
-						});
-
-						session.on("exec", (acceptExec, _rejectExec, info) => {
-							const stream = acceptExec();
-							if (stream) {
-								runExec(
-									stream,
-									info.command.trim(),
-									authUser,
-									shell.hostname,
-									shell,
-								);
-							}
-						});
-					});
-				});
-			},
-		);
-
-		return new Promise<number>((resolve, reject) => {
-			this.server?.once("error", (err: unknown) => reject(err));
-			this.server?.listen(this.port, "0.0.0.0", () => {
-				devLog(`SSH Mimic listening on port ${this.port}`);
-				this.emit("start", { port: this.port });
-				resolve(this.port);
-			});
-		});
-	}
-
-	/**
-	 * Stops server if running.
-	 */
-	public stop(): void {
-		perf.mark("stop");
-		// Flush pending WAL journal before closing
-		void this.shell.vfs.stopAutoFlush();
-		if (this.server) {
-			this.server.close(() => {
-				devLog("SSH Mimic stopped");
-				this.emit("stop");
-			});
-		}
-	}
-
-	/**
-	 * Manually clears the rate-limit record for an IP address.
-	 * Useful in tests or admin tooling.
-	 */
-	public clearLockout(ip: string): void {
-		this.authAttempts.delete(ip);
-	}
-}
-
-export { SftpMimic } from "./sftp";
-export { SshMimic };

package/src/SSHMimic/loginBanner.ts

@@ -1,36 +0,0 @@
-import type { ShellProperties } from "../VirtualShell";
-import { formatLoginDate } from "./loginFormat";
-
-export interface LoginBannerState {
-	at: string;
-	from: string;
-}
-
-export function buildLoginBanner(
-	hostname: string,
-	properties: ShellProperties,
-	lastLogin: LoginBannerState | null,
-): string {
-	const lines = [
-		`Linux ${hostname} ${properties.kernel} ${properties.arch}`,
-		"",
-		"The programs included with the Fortune GNU/Linux system are free software;",
-		"the exact distribution terms for each program are described in the",
-		"individual files in /usr/share/doc/*/copyright.",
-		"",
-		"Fortune GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent",
-		"permitted by applicable law.",
-	];
-
-	if (lastLogin) {
-		const when = new Date(lastLogin.at);
-		const displayed = Number.isNaN(when.getTime())
-			? lastLogin.at
-			: formatLoginDate(when);
-		lines.push(`Last login: ${displayed} from ${lastLogin.from || "unknown"}`);
-	}
-
-	lines.push("");
-
-	return `${lines.map((line) => `${line}\r\n`).join("")}`;
-}

package/src/SSHMimic/loginFormat.ts

@@ -1,10 +0,0 @@
-export function formatLoginDate(date: Date): string {
-	const weekday = date.toLocaleString("en-US", { weekday: "short" });
-	const month = date.toLocaleString("en-US", { month: "short" });
-	const day = date.getDate().toString().padStart(2, "0");
-	const hh = date.getHours().toString().padStart(2, "0");
-	const mm = date.getMinutes().toString().padStart(2, "0");
-	const ss = date.getSeconds().toString().padStart(2, "0");
-	const year = date.getFullYear();
-	return `${weekday} ${month} ${day} ${hh}:${mm}:${ss} ${year}`;
-}