From a186116c4d2f0de0c84b3b7865218bd08d31f712 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 4 Jun 2026 21:40:20 +1000 Subject: [PATCH] feat(actions): SSH forced-command service-restart channel + host wrapper Co-Authored-By: Claude Opus 4.8 --- deploy/void-act | 15 +++++++++++++++ lib/actions/channels/ssh.js | 26 ++++++++++++++++++++++++++ tests/actions/ssh.test.js | 24 ++++++++++++++++++++++++ 3 files changed, 65 insertions(+) create mode 100755 deploy/void-act create mode 100644 lib/actions/channels/ssh.js create mode 100644 tests/actions/ssh.test.js diff --git a/deploy/void-act b/deploy/void-act new file mode 100755 index 0000000..b788e30 --- /dev/null +++ b/deploy/void-act @@ -0,0 +1,15 @@ +#!/usr/bin/env bash +# Forced command for the Void's restricted key. Maps a whitelisted action id to a +# concrete systemctl restart. The id arrives via SSH_ORIGINAL_COMMAND; nothing else +# is honoured. Edit the case list per host. Keep in sync with config/actions.json. +# +# Install on each target host: +# install -m 755 void-act /usr/local/bin/void-act +# # in voidact's ~/.ssh/authorized_keys, prefix the Void's pubkey with: +# command="/usr/local/bin/void-act",no-port-forwarding,no-pty,no-X11-forwarding +set -euo pipefail +id="${SSH_ORIGINAL_COMMAND:-}" +case "$id" in + restart-caddy-ct100) exec systemctl restart caddy ;; + *) echo "void-act: refused '$id'" >&2; exit 13 ;; +esac diff --git a/lib/actions/channels/ssh.js b/lib/actions/channels/ssh.js new file mode 100644 index 0000000..1540ae9 --- /dev/null +++ b/lib/actions/channels/ssh.js @@ -0,0 +1,26 @@ +import { spawn as nodeSpawn } from 'node:child_process'; + +const ID_RE = /^[a-z0-9-]+$/; + +// Runs `ssh voidact@ `. The host's authorized_keys pins a forced +// wrapper (deploy/void-act) that maps the id → systemctl restart from +// its OWN whitelist. We pass ONLY the id as a single argv element — no shell. +export function restartService({ ip, actionId }, { + keyPath = process.env.ACTIONS_SSH_KEY, + user = 'voidact', + spawnImpl = nodeSpawn +} = {}) { + if (!ID_RE.test(actionId || '')) return Promise.reject(new Error(`invalid action id: ${actionId}`)); + const args = ['-i', keyPath, '-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=accept-new', + `${user}@${ip}`, actionId]; + return new Promise((resolve, reject) => { + const child = spawnImpl('ssh', args); + let out = '', err = ''; + child.stdout.on('data', (d) => { out += d; }); + child.stderr.on('data', (d) => { err += d; }); + child.on('close', (code) => code === 0 + ? resolve({ ok: true, output: out.trim() }) + : reject(new Error(`ssh ${actionId} → exit ${code}: ${err.trim()}`))); + child.on('error', reject); + }); +} diff --git a/tests/actions/ssh.test.js b/tests/actions/ssh.test.js new file mode 100644 index 0000000..c3d74c3 --- /dev/null +++ b/tests/actions/ssh.test.js @@ -0,0 +1,24 @@ +import { describe, it, expect } from 'vitest'; +import { restartService } from '../../lib/actions/channels/ssh.js'; + +describe('ssh channel', () => { + it('spawns ssh with argv (no shell string) sending only the action id', async () => { + const calls = []; + const spawnMock = (cmd, args) => { + calls.push({ cmd, args }); + return { stdout: { on(ev, cb) { if (ev === 'data') cb('ok\n'); } }, stderr: { on() {} }, + on(ev, cb) { if (ev === 'close') cb(0); } }; + }; + const out = await restartService({ ip: '192.168.1.230', actionId: 'restart-caddy-ct100' }, + { keyPath: '/k', user: 'voidact', spawnImpl: spawnMock }); + expect(out.ok).toBe(true); + const { cmd, args } = calls[0]; + expect(cmd).toBe('ssh'); + expect(args).toEqual(['-i', '/k', '-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=accept-new', + 'voidact@192.168.1.230', 'restart-caddy-ct100']); + }); + it('rejects an action id with shell metacharacters', async () => { + await expect(restartService({ ip: '1.2.3.4', actionId: 'x; rm -rf /' }, { spawnImpl: () => {} })) + .rejects.toThrow(/invalid action id/i); + }); +});