wative 1.1.16 → 1.1.17

package/src/daemon-watcher.js

@@ -0,0 +1,181 @@
+const { spawn } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+
+// Get configuration from command line arguments
+const serviceName = process.argv[2];
+const logFile = process.argv[3];
+const pidFile = process.argv[4];
+const watcherPidFile = process.argv[5];
+const wativeRoot = process.argv[6];
+
+// Get encrypted passwords from environment variable and immediately delete it
+const encryptedPasswords = process.env.WATIVE_ENCRYPTED_PASSWORDS;
+delete process.env.WATIVE_ENCRYPTED_PASSWORDS;
+
+if (!encryptedPasswords) {
+    console.error('Error: WATIVE_ENCRYPTED_PASSWORDS environment variable not found');
+    process.exit(1);
+}
+
+let childProcess = null;
+let restartCount = 0;
+const maxRestarts = 10;
+const restartDelay = 5000; // 5 seconds
+
+// Hash verification for wative.umd.js
+let initialFileHash = null;
+const wativeUmdPath = path.join(wativeRoot, 'lib', 'wative.umd.js');
+
+/**
+ * Calculate SHA256 hash of a file
+ * @param {string} filePath - Path to the file
+ * @returns {string|null} - Hash string or null if file doesn't exist
+ */
+const calculateFileHash = (filePath) => {
+    try {
+        if (!fs.existsSync(filePath)) {
+            return null;
+        }
+        const fileBuffer = fs.readFileSync(filePath);
+        const hashSum = crypto.createHash('sha256');
+        hashSum.update(fileBuffer);
+        return hashSum.digest('hex');
+    } catch (error) {
+        logToFile(`Error calculating file hash: ${error.message}`);
+        return null;
+    }
+};
+
+/**
+ * Verify if the current file hash matches the initial hash
+ * @returns {boolean} - True if hashes match or initial hash is not set
+ */
+const verifyFileHash = () => {
+    if (!initialFileHash) {
+        return true; // No initial hash to compare against
+    }
+    
+    const currentHash = calculateFileHash(wativeUmdPath);
+    if (!currentHash) {
+        logToFile(`Warning: Could not calculate current hash for ${wativeUmdPath}`);
+        return false;
+    }
+    
+    const hashesMatch = currentHash === initialFileHash;
+    if (!hashesMatch) {
+        logToFile(`File hash mismatch detected!`);
+        logToFile(`Initial hash: ${initialFileHash}`);
+        logToFile(`Current hash: ${currentHash}`);
+    }
+    
+    return hashesMatch;
+};
+
+/**
+ * Log message to daemon log file with timestamp
+ * @param {string} message - Message to log
+ */
+const logToFile = (message) => {
+    const timestamp = new Date().toISOString();
+    const logMessage = `[${timestamp}] [WATCHER] ${message}\n`;
+    fs.appendFileSync(logFile, logMessage);
+};
+
+/**
+ * Start the SSH service process
+ */
+const startService = () => {
+    if (restartCount >= maxRestarts) {
+        logToFile(`Maximum restart attempts (${maxRestarts}) reached. Stopping watcher.`);
+        process.exit(1);
+    }
+    
+    // Initialize or verify file hash
+    if (initialFileHash === null) {
+        // First startup - calculate and store the initial hash
+        initialFileHash = calculateFileHash(wativeUmdPath);
+        if (initialFileHash) {
+            logToFile(`Initial file hash calculated: ${initialFileHash}`);
+        } else {
+            logToFile(`Warning: Could not calculate initial hash for ${wativeUmdPath}`);
+        }
+    } else {
+        // Restart - verify hash before proceeding
+        if (!verifyFileHash()) {
+            logToFile(`File integrity check failed. Exiting daemon to prevent potential security issues.`);
+            process.exit(1);
+        }
+        logToFile(`File integrity check passed.`);
+    }
+    
+    logToFile(`Starting SSH service '${serviceName}' (attempt ${restartCount + 1})`);
+    
+    // Spawn the SSH service process
+    childProcess = spawn('npx', ['ts-node', path.join(wativeRoot, 'src', 'wative.ts'), 'ssh', 'start', '-c', serviceName], {
+        stdio: ['ignore', fs.openSync(logFile, 'a'), fs.openSync(logFile, 'a')],
+        env: {
+            ...process.env,
+            WATIVE_DAEMON_PASSWORDS: encryptedPasswords,
+            WATIVE_WORKER_MODE: 'true'
+        },
+        cwd: wativeRoot
+    });
+    
+    // Write service PID to file
+    fs.writeFileSync(pidFile, childProcess.pid.toString());
+    
+    // Handle service process exit
+    childProcess.on('exit', (code, signal) => {
+        logToFile(`SSH service exited with code ${code}, signal ${signal}`);
+        
+        // Check if service crashed (non-zero exit code and not terminated by user)
+        if (code !== 0 && signal !== 'SIGTERM' && signal !== 'SIGINT') {
+            restartCount++;
+            logToFile(`Service crashed. Restarting in ${restartDelay/1000} seconds...`);
+            setTimeout(startService, restartDelay);
+        } else {
+            logToFile('Service stopped normally.');
+            // Clean up PID files
+            try {
+                fs.unlinkSync(pidFile);
+                fs.unlinkSync(watcherPidFile);
+            } catch (e) {
+                // Ignore cleanup errors
+            }
+            process.exit(0);
+        }
+    });
+    
+    // Handle service process errors
+    childProcess.on('error', (error) => {
+        logToFile(`Failed to start service: ${error.message}`);
+        restartCount++;
+        setTimeout(startService, restartDelay);
+    });
+};
+
+/**
+ * Handle graceful shutdown signals
+ * @param {string} signal - Signal received
+ */
+const gracefulShutdown = (signal) => {
+    logToFile(`Watcher received ${signal}, stopping service...`);
+    if (childProcess) {
+        childProcess.kill('SIGTERM');
+        // Force kill after 5 seconds if process doesn't terminate gracefully
+        setTimeout(() => {
+            if (childProcess && !childProcess.killed) {
+                childProcess.kill('SIGKILL');
+            }
+        }, 5000);
+    }
+};
+
+// Register signal handlers for graceful shutdown
+process.on('SIGTERM', () => gracefulShutdown('SIGTERM'));
+process.on('SIGINT', () => gracefulShutdown('SIGINT'));
+
+// Start the service
+startService();

package/src/ssh/client.rs

@@ -0,0 +1,221 @@
+use crate::setting::Settings;
+use std::error;
+use std::io;
+use std::net::{TcpStream, ToSocketAddrs};
+use std::path::Path;
+use std::sync::Arc;
+
+use async_executor::{Executor, LocalExecutor, Task};
+use async_io::Async;
+use easy_parallel::Parallel;
+use futures::executor::block_on;
+use futures::future::FutureExt;
+use futures::select;
+use futures::{AsyncReadExt, AsyncWriteExt};
+
+#[cfg(not(unix))]
+use std::net::TcpListener;
+#[cfg(unix)]
+use std::os::unix::net::{UnixListener, UnixStream};
+#[cfg(unix)]
+use tempfile::tempdir;
+
+use async_ssh2_lite::AsyncSession;
+
+async fn run(ex: Arc<Executor<'_>>, command: String) -> Result<String, Box<dyn error::Error>> {
+    let ssh_config = &Settings::get().ssh2;
+
+    let use_bastion = ssh_config.use_bastion;
+
+    let addr = ssh_config.addr.to_owned();
+    let username = ssh_config.username.to_owned();
+
+    let bastion_addr;
+    let bastion_username;
+
+    if use_bastion {
+        bastion_addr = ssh_config.bastion_addr.to_owned();
+        bastion_username = ssh_config.bastion_username.to_owned();
+    } else {
+        bastion_addr = ssh_config.addr.to_owned();
+        bastion_username = ssh_config.username.to_owned();
+    }
+
+    let passphrase = ssh_config.passphrase.to_owned();
+    let addr = addr.to_socket_addrs().unwrap().next().unwrap();
+    let bastion_addr = bastion_addr.to_socket_addrs().unwrap().next().unwrap();
+
+    let public_key_path_str = String::from(ssh_config.public_key_path.to_owned());
+    let private_key_path_str = String::from(ssh_config.private_key_path.to_owned());
+
+    let task_with_main = ex.clone().spawn(async move {
+        let public_key_path = Path::new(&public_key_path_str);
+        let private_key_path = Path::new(&private_key_path_str);
+        let bastion_stream = Async::<TcpStream>::connect(bastion_addr).await?;
+
+        let mut bastion_session = AsyncSession::new(bastion_stream, None)?;
+
+        bastion_session.handshake().await?;
+
+        bastion_session
+            .userauth_pubkey_file(
+                &bastion_username,
+                Some(public_key_path),
+                private_key_path,
+                Some(&passphrase),
+            )
+            .await?;
+
+        if !bastion_session.authenticated() {
+            return Err(bastion_session
+                .last_error()
+                .map( io::Error::from)
+                .unwrap_or_else(||io::Error::new(
+                    io::ErrorKind::Other,
+                    "bastion unknown userauth error",
+                )));
+        }
+
+        if !use_bastion {
+            let mut channel = bastion_session.channel_session().await?;
+
+            channel.exec(&command).await?;
+            let mut res = String::new();
+            channel.read_to_string(&mut res).await?;
+            channel.close().await?;
+
+            bastion_session.disconnect(None, "foo", None).await?;
+
+            return Ok(res);
+        }
+
+        let mut bastion_channel = bastion_session
+            .channel_direct_tcpip(addr.ip().to_string().as_ref(), addr.port(), None)
+            .await?;
+
+        let (forward_stream_s, mut forward_stream_r) = {
+            cfg_if::cfg_if! {
+                if #[cfg(unix)] {
+                    let dir = tempdir()?;
+                    let path = dir.path().join("ssh_channel_direct_tcpip");
+                    let listener = Async::<UnixListener>::bind(&path)?;
+                    let stream_s = Async::<UnixStream>::connect(&path).await?;
+                } else {
+                    let listen_addr = TcpListener::bind("localhost:0")
+                        .unwrap()
+                        .local_addr()
+                        .unwrap();
+                    let listener = Async::<TcpListener>::bind(listen_addr)?;
+                    let stream_s = Async::<TcpStream>::connect(listen_addr).await?;
+                }
+            }
+
+            let (stream_r,_) = listener.accept().await.unwrap();
+
+            (stream_s, stream_r)
+        };
+
+        let task_with_forward: Task<io::Result<()>> = ex.clone().spawn(async move {
+            let mut buf_bastion_channel = vec![0; 2048];
+            let mut buf_forward_stream_r = vec![0; 2048];
+
+            loop {
+                select! {
+                    ret_forward_stream_r = forward_stream_r.read(&mut buf_forward_stream_r).fuse() => match ret_forward_stream_r {
+                        Ok(n) if n == 0 => {
+                            break
+                        },
+                        Ok(n) => {
+                            bastion_channel.write(&buf_forward_stream_r[..n]).await.map(|_| ()).map_err(|err| {
+                                err
+                            })?
+                        },
+                        Err(err) =>  {
+                            return Err(err);
+                        }
+                    },
+                    ret_bastion_channel = bastion_channel.read(&mut buf_bastion_channel).fuse() => match ret_bastion_channel {
+                        Ok(n) if n == 0 => {
+                            break
+                        },
+                        Ok(n) => {
+                            forward_stream_r.write(&buf_bastion_channel[..n]).await.map(|_| ()).map_err(|err| {
+                                err
+                            })?
+                        },
+                        Err(err) => {
+                            return Err(err);
+                        }
+                    },
+                }
+            }
+
+            Ok(())
+        });
+        task_with_forward.detach();
+
+        let mut session = AsyncSession::new(forward_stream_s, None)?;
+        session.handshake().await?;
+
+        session.userauth_pubkey_file(
+            &username,
+            Some(public_key_path),
+            private_key_path,
+            Some(&passphrase),
+        )
+        .await?;
+
+        if !session.authenticated() {
+            return Err(session
+                .last_error()
+                .map(io::Error::from)
+                .unwrap_or_else(||io::Error::new(
+                    io::ErrorKind::Other,
+                    "unknown userauth error",
+                )));
+        }
+
+        let mut channel = session.channel_session().await?;
+
+        channel.exec(&command).await?;
+        let mut res = String::new();
+        channel.read_to_string(&mut res).await?;
+        channel.close().await?;
+
+        session.disconnect(None, "foo", None).await?;
+
+        Ok(res)
+    });
+
+    let result = task_with_main.await.map(|message| message).map_err(|err| {
+        eprintln!("task_with_main run failed, err:{err:?}");
+
+        err
+    })?;
+
+    let signed_data = json::parse(&result).unwrap();
+    if signed_data["status"] == false {
+        panic!("{}", signed_data["msg"].to_string())
+    }
+
+    Ok(json::stringify(signed_data["data"].clone()))
+}
+
+pub fn ssh2_call(command: String) -> Result<String, Box<dyn error::Error>> {
+    let ex = Executor::new();
+    let ex = Arc::new(ex);
+    let local_ex = LocalExecutor::new();
+    let (trigger, shutdown) = async_channel::unbounded::<()>();
+
+    let ret_vec = Parallel::new()
+        .each(0..4, |_| block_on(ex.run(async { shutdown.recv().await })))
+        .finish(|| {
+            block_on(local_ex.run(async {
+                let result = run(ex.clone(), command).await.unwrap();
+                drop(trigger);
+                result
+            }))
+        });
+
+    Ok(ret_vec.1)
+}