Hynes/Void-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(actions): config-driven action whitelist registry

Browse Source 
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
root
2026-06-04 21:40:20 +10:00
parent 135244cb13
commit 2c3d78c99b
4 changed files with 60 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
config/actions.json Normal file
View File

@@ -0,0 +1 @@
{ "hosts": {}, "actions": [] }

29
lib/actions/registry.js Normal file
View File

@@ -0,0 +1,29 @@
import { readFileSync } from 'node:fs';
import path from 'node:path';
import { fileURLToPath } from 'node:url';
const DEFAULT = path.join(path.dirname(fileURLToPath(import.meta.url)), '../../config/actions.json');
const ID_RE = /^[a-z0-9-]+$/;
const KINDS = new Set(['service_restart', 'guest_power']);
const OPS = new Set(['start', 'stop', 'shutdown', 'reboot']);
const TIERS = new Set(['safe', 'risky']);
// Loads + validates the action whitelist. `raw` overrides file read (tests).
export function loadActions(file = DEFAULT, raw) {
const cfg = raw || JSON.parse(readFileSync(file, 'utf8'));
const hosts = cfg.hosts || {};
const byId = new Map();
for (const a of (cfg.actions || [])) {
if (!ID_RE.test(a.id || '')) throw new Error(`invalid action id: ${a.id}`);
if (!KINDS.has(a.kind)) throw new Error(`unknown kind: ${a.kind}`);
if (!TIERS.has(a.tier)) throw new Error(`invalid tier: ${a.tier}`);
if (a.kind === 'guest_power' && !OPS.has(a.op)) throw new Error(`invalid op: ${a.op}`);
if (byId.has(a.id)) throw new Error(`duplicate action id: ${a.id}`);
byId.set(a.id, a);
}
return {
list: () => [...byId.values()],
get: (id) => byId.get(id),
hostIp: (h) => hosts[h]
};
}

23
tests/actions/registry.test.js Normal file
View File

@@ -0,0 +1,23 @@
import { describe, it, expect } from 'vitest';
import { fileURLToPath } from 'url';
import { loadActions } from '../../lib/actions/registry.js';
const FIX = fileURLToPath(new URL('../fixtures/actions.test.json', import.meta.url));
describe('action registry', () => {
it('loads + indexes valid actions and resolves host ip', () => {
const reg = loadActions(FIX);
expect(reg.list().map(a => a.id).sort()).toEqual(['restart-caddy-ct100', 'stop-ct107']);
expect(reg.get('restart-caddy-ct100').tier).toBe('safe');
expect(reg.hostIp('ct100')).toBe('192.168.1.230');
expect(reg.get('nope')).toBeUndefined();
});
it('rejects an action with a bad id or unknown kind/tier', () => {
expect(() => loadActions(null, { hosts: {}, actions: [{ id: 'bad id', kind: 'service_restart', tier: 'safe' }] }))
.toThrow(/invalid action id/i);
expect(() => loadActions(null, { hosts: {}, actions: [{ id: 'x', kind: 'nuke', tier: 'safe' }] }))
.toThrow(/unknown kind/i);
expect(() => loadActions(null, { hosts: {}, actions: [{ id: 'x', kind: 'guest_power', op: 'stop', tier: 'evil' }] }))
.toThrow(/invalid tier/i);
});
});

7
tests/fixtures/actions.test.json vendored Normal file
View File

@@ -0,0 +1,7 @@
{
"hosts": { "ct100": "192.168.1.230", "z": "192.168.1.124" },
"actions": [
{ "id": "restart-caddy-ct100", "label": "Restart Caddy", "kind": "service_restart", "host": "ct100", "service": "caddy", "tier": "safe" },
{ "id": "stop-ct107", "label": "Stop CT107", "kind": "guest_power", "node": "z", "vmid": 107, "op": "stop", "tier": "risky" }
]
}