mirror of
https://github.com/Termix-SSH/Termix.git
synced 2026-07-15 04:43:36 +00:00
9de904dd4c
* feat(sshid) - sshid.io equivalent for termix (#919) * feat(ssh-id): database schema, migrations and field encryption Adds ssh_identities, ssh_identity_keys and ssh_identity_ca tables (public keys stored plaintext for the unauthenticated resolver; CA private key registered for per-user field encryption), with UNIQUE(user_id), an index on ssh_identity_keys(identity_id), and idempotent CREATE TABLE migrations. * feat(ssh-id): backend API — resolver, key management, CA and certificates Mounts /sshid (nginx route added). Public text/plain authorized_keys resolver (+ exact /:algo filter, HTML viewer) and CA public-key endpoint; no-store + noindex headers on every resolver response including early 404s. Authenticated management: claim/rename/delete handle, add/import/generate/enable/delete keys, and a per-user CA (create/rotate/delete) with pure-Node OpenSSH certificate issuance. Audit logging on all mutations; UNIQUE races map to a precise 409. Unit tests for key parsing and certificate signing (ssh-keygen-validated). * feat(ssh-id): frontend panel, API client and i18n SSH ID panel wired into the app rail and AppShell: claim handle, resolver URL + curl one-liner, key list, generate, paste/import, CA enable/rotate/remove with server trust command, and per-key certificate issuance. API client re-exported through main-axios.ts; all strings i18n'd. * style(ssh-id): align panel and resolver page with Termix theme - Rebuild the SSH ID sidebar panel with the theme's square components (SectionCard / SettingRow / FakeSwitch) instead of rounded ad-hoc cards; use accent-brand and destructive tokens rather than raw red/green. - Fix panel scrolling: move overflow to a block scroll container so the cards keep their natural height instead of being clipped. - Restyle the public resolver HTML page (/sshid/u/:handle) to the Termix dark theme: square corners, #18181b/#303032 palette, #f59145 accent, uppercase section labels. - Tidy copy: 'Save To Credentials' label, drop the redundant generate intro, and correct the generate tooltip (the key is stored when saving to vault). * feat: rename to Termix ID, improve UI, backend inconsistencies, and general bug fixes --------- Co-authored-by: LukeGus <bugattiguy527@gmail.com> * ci(deps): bump actions/checkout from 6 to 7 in the github-actions group (#922) Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout). Updates `actions/checkout` from 6 to 7 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v6...v7) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump the dev-patch-updates group with 11 updates (#923) Bumps the dev-patch-updates group with 11 updates: | Package | From | To | | --- | --- | --- | | [@codemirror/search](https://github.com/codemirror/search) | `6.7.0` | `6.7.1` | | [@codemirror/view](https://github.com/codemirror/view) | `6.43.0` | `6.43.1` | | [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.3.0` | `4.3.1` | | [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.8` | `4.1.9` | | [@vitest/ui](https://github.com/vitest-dev/vitest/tree/HEAD/packages/ui) | `4.1.8` | `4.1.9` | | [eslint-plugin-react-refresh](https://github.com/ArnaudBarre/eslint-plugin-react-refresh) | `0.5.2` | `0.5.3` | | [lint-staged](https://github.com/lint-staged/lint-staged) | `17.0.7` | `17.0.8` | | [prettier](https://github.com/prettier/prettier) | `3.8.3` | `3.8.4` | | [sharp](https://github.com/lovell/sharp) | `0.35.1` | `0.35.2` | | [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.3.0` | `4.3.1` | | [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.8` | `4.1.9` | Updates `@codemirror/search` from 6.7.0 to 6.7.1 - [Changelog](https://github.com/codemirror/search/blob/main/CHANGELOG.md) - [Commits](https://github.com/codemirror/search/commits) Updates `@codemirror/view` from 6.43.0 to 6.43.1 - [Changelog](https://github.com/codemirror/view/blob/main/CHANGELOG.md) - [Commits](https://github.com/codemirror/view/commits) Updates `@tailwindcss/vite` from 4.3.0 to 4.3.1 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/@tailwindcss-vite) Updates `@vitest/coverage-v8` from 4.1.8 to 4.1.9 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/coverage-v8) Updates `@vitest/ui` from 4.1.8 to 4.1.9 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/ui) Updates `eslint-plugin-react-refresh` from 0.5.2 to 0.5.3 - [Release notes](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/releases) - [Changelog](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/blob/main/CHANGELOG.md) - [Commits](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/compare/v0.5.2...v0.5.3) Updates `lint-staged` from 17.0.7 to 17.0.8 - [Release notes](https://github.com/lint-staged/lint-staged/releases) - [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md) - [Commits](https://github.com/lint-staged/lint-staged/compare/v17.0.7...v17.0.8) Updates `prettier` from 3.8.3 to 3.8.4 - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](https://github.com/prettier/prettier/compare/3.8.3...3.8.4) Updates `sharp` from 0.35.1 to 0.35.2 - [Release notes](https://github.com/lovell/sharp/releases) - [Commits](https://github.com/lovell/sharp/compare/v0.35.1...v0.35.2) Updates `tailwindcss` from 4.3.0 to 4.3.1 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/tailwindcss) Updates `vitest` from 4.1.8 to 4.1.9 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest) --- updated-dependencies: - dependency-name: "@codemirror/search" dependency-version: 6.7.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: "@codemirror/view" dependency-version: 6.43.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: "@tailwindcss/vite" dependency-version: 4.3.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: "@vitest/coverage-v8" dependency-version: 4.1.9 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: "@vitest/ui" dependency-version: 4.1.9 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: eslint-plugin-react-refresh dependency-version: 0.5.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: lint-staged dependency-version: 17.0.8 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: prettier dependency-version: 3.8.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: sharp dependency-version: 0.35.2 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: tailwindcss dependency-version: 4.3.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: vitest dependency-version: 4.1.9 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump nanoid in the prod-patch-updates group (#925) Bumps the prod-patch-updates group with 1 update: [nanoid](https://github.com/ai/nanoid). Updates `nanoid` from 5.1.11 to 5.1.15 - [Release notes](https://github.com/ai/nanoid/releases) - [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md) - [Commits](https://github.com/ai/nanoid/compare/5.1.11...5.1.15) --- updated-dependencies: - dependency-name: nanoid dependency-version: 5.1.15 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump the major-updates group with 5 updates (#926) Bumps the major-updates group with 5 updates: | Package | From | To | | --- | --- | --- | | [js-yaml](https://github.com/nodeca/js-yaml) | `4.2.0` | `5.0.0` | | [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) | `9.39.4` | `10.0.1` | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.9.2` | `26.0.0` | | [concurrently](https://github.com/open-cli-tools/concurrently) | `9.2.1` | `10.0.3` | | [eslint](https://github.com/eslint/eslint) | `9.39.4` | `10.5.0` | Updates `js-yaml` from 4.2.0 to 5.0.0 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](https://github.com/nodeca/js-yaml/compare/4.2.0...5.0.0) Updates `@eslint/js` from 9.39.4 to 10.0.1 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/commits/v10.0.1/packages/js) Updates `@types/node` from 25.9.2 to 26.0.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `concurrently` from 9.2.1 to 10.0.3 - [Release notes](https://github.com/open-cli-tools/concurrently/releases) - [Commits](https://github.com/open-cli-tools/concurrently/compare/v9.2.1...v10.0.3) Updates `eslint` from 9.39.4 to 10.5.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/compare/v9.39.4...v10.5.0) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: major-updates - dependency-name: "@eslint/js" dependency-version: 10.0.1 dependency-type: direct:development update-type: version-update:semver-major dependency-group: major-updates - dependency-name: "@types/node" dependency-version: 26.0.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: major-updates - dependency-name: concurrently dependency-version: 10.0.3 dependency-type: direct:development update-type: version-update:semver-major dependency-group: major-updates - dependency-name: eslint dependency-version: 10.5.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: major-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat(ssh): add HashiCorp Vault SSH signer authentication * fix: small fixes to vault feature to align with Termix codebase * chore: add view docs links for vault/termix id * fix: file upload fails with 400 and missing schema migrations on upgrade (#929) Two bugs introduced in v2.4.1: 1. uploadFileStream uses fileManagerApi.post() which triggers axios's transformRequest to JSON-serialize the FormData because the instance default Content-Type is application/json. Change to postForm() which sets Content-Type: multipart/form-data so the browser XHR sends the correct multipart body with boundary. 2. Two schema items added to schema.ts were not included in migrateSchema() in db/index.ts, causing 500 errors on existing installations upgrading from v2.4.0: - user_preferences.status_color_scheme (no such column) - dashboard_service_links table (no such table) Fixes #928 Co-authored-by: sash <sash@fominykh.io> * fix: support PuTTY PPK ssh keys (#930) * fix: chunk large file manager uploads (#932) * fix: route dashboard hosts by protocol (#934) * fix: resolve tunnel endpoints reliably (#935) * Fix Electron OIDC browser auth failures (#936) * Allow RDP connections without stored credentials (#937) * Sync role credential shares for OIDC users (#938) * Fix terminal link dialog layering (#940) * Confirm large files before opening editor (#942) * Confirm closing active host connections (#943) * Preserve file path case in file manager UI (#941) * fix: preserve unicode guacamole tokens (#933) * Persist VNC authentication settings (#944) * Fix Guacamole websocket base path (#946) * Promote file manager terminals to tabs (#939) * Guard Guacamole disconnect during startup (#945) * chore: increment ver * feat: bitwarden ssh agent integration * feat: serial connections support * fix: various small bug fixes * feat: open all sessions in a folder and terminal custom theme color support * feat: cross host file manager clipboard and several small bug fixes * feat: tailscale/wireguard support and added a new status state for when backend is checking status * feat: grafana like server stats history, new alert system, ntfy/webhook support * feat: new grid and widget based homepage function * feat: new donate button in dashboard * fix: alert ui incorrectly using termix css and fixed issue with alert system not loading * chore: fix ci checks (#966) * Fix dashboard service link creation (#950) * Fix jump host SOCKS5 proxy selection (#951) * Fix jump host SOCKS5 proxy selection * fix: type jump host socks proxy config * Fix tmux detection path handling (#949) * Support GUACD_URL environment config (#952) * Retry autostart tunnel host fetches (#953) * Retry autostart tunnel host fetches * chore: format tunnel route * Fix PUID html ownership in Docker entrypoint (#954) * feat: allow custom tunnel endpoints (#977) * fix: skip metrics start for non-ssh hosts (#976) * Fix Proxmox import auth fallback (#956) * Fix Proxmox import auth fallback * chore: format proxmox import auth * Fix SSH heading syntax highlighting (#955) * Fix SSH heading syntax highlighting * chore: format terminal highlighter * Initialize auth before fullscreen terminal routes (#957) * Add WebAuthn passkey authentication (#959) * chore: add Biome tooling (#965) * chore: add biome tooling * chore: support tailwind syntax in biome * Fix VNC required argument handshake (#968) * Prioritize host results in command palette search (#969) * Prevent sidebar host hover layout shift (#970) * Add terminal font zoom with mouse wheel (#971) * Add host temperature metrics card (#972) * Make file downloads reliable in desktop app (#973) * Add app rail hover expansion setting (#974) * fix: use correct translation key for nav.close (#964) * fix(tunnel): skip endpoint credential validation for direct tunnels (#963) * fix: SSH port connection bug (#975) * fix: chunked upload for files >=1.5GB to bypass browser ArrayBuffer limit (#948) * feat: support SSH agent auth across SSH features (#960) * feat: add Podman container runtime support (#958) * chore: update readme and release notes * fix: stabilize Windows app icon (#978) * Add safe host sharing export (#979) * Add external editor support for file manager (#985) * Rework SSH credential password handling (#984) * Support password fallback for SSH key credentials * Complete SSH credential password fallback * Fix runtime base path for auth callbacks (#982) * Fix TUI terminal output highlighting (#983) Co-authored-by: LukeGus <bugattiguy527@gmail.com> * Add app fullscreen mode (#993) * Fix host metrics startup polling (#986) * chore: update release notes * fix: line chart text overlap * chore: update RELEASE_NOTES.md * chore: add donation goal to readme * chore: update readme * fix: hide full-screen button in electron app * fix: failed unit tests * chore: lint, format, and bump version to 2.5.0 * chore: remove timeout from crowdin translate * chore: sync Crowdin translations for 2.5.0 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: DivByZero <mr.oplus@yahoo.fr> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: devdanetra <46488477+devdanetra@users.noreply.github.com> Co-authored-by: Aleksandr Fominykh <neoformalex@users.noreply.github.com> Co-authored-by: sash <sash@fominykh.io> Co-authored-by: ZacharyZcR <zacharyzcr1984@gmail.com>
576 lines
19 KiB
TypeScript
576 lines
19 KiB
TypeScript
import express from "express";
|
|
import { Client as SSHClient } from "ssh2";
|
|
import { getDb } from "../db/index.js";
|
|
import { hosts, sshCredentials } from "../db/schema.js";
|
|
import { eq, and } from "drizzle-orm";
|
|
import { logger } from "../../utils/logger.js";
|
|
import { SimpleDBOps } from "../../utils/simple-db-ops.js";
|
|
import { AuthManager } from "../../utils/auth-manager.js";
|
|
import type { AuthenticatedRequest } from "../../../types/index.js";
|
|
import type { SSHHost } from "../../../types/index.js";
|
|
import { SSHHostKeyVerifier } from "../../ssh/host-key-verifier.js";
|
|
|
|
const router = express.Router();
|
|
const proxmoxLogger = logger;
|
|
|
|
const authManager = AuthManager.getInstance();
|
|
const authenticateJWT = authManager.createAuthMiddleware();
|
|
const requireDataAccess = authManager.createDataAccessMiddleware();
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Helpers
|
|
// ---------------------------------------------------------------------------
|
|
|
|
// Proxmox node names are restricted to [a-zA-Z0-9-] by PVE itself,
|
|
// but we validate defensively before using in a shell command.
|
|
const SAFE_NODE_RE = /^[a-zA-Z0-9._-]{1,64}$/;
|
|
|
|
function isSafeNodeName(name: string): boolean {
|
|
return SAFE_NODE_RE.test(name);
|
|
}
|
|
|
|
function execCommand(
|
|
client: SSHClient,
|
|
command: string,
|
|
timeoutMs = 8000,
|
|
): Promise<string> {
|
|
return new Promise((resolve, reject) => {
|
|
let settled = false;
|
|
const timer = setTimeout(() => {
|
|
if (!settled) {
|
|
settled = true;
|
|
reject(new Error(`Command timed out after ${timeoutMs}ms`));
|
|
}
|
|
}, timeoutMs);
|
|
|
|
client.exec(command, (err, stream) => {
|
|
if (err) {
|
|
clearTimeout(timer);
|
|
return reject(err);
|
|
}
|
|
let stdout = "";
|
|
let stderr = "";
|
|
stream.on("close", (code: number) => {
|
|
if (settled) return;
|
|
settled = true;
|
|
clearTimeout(timer);
|
|
if (code !== 0)
|
|
reject(new Error(stderr || `Command exited with code ${code}`));
|
|
else resolve(stdout);
|
|
});
|
|
stream.on("data", (data: Buffer) => {
|
|
stdout += data.toString();
|
|
});
|
|
stream.stderr.on("data", (data: Buffer) => {
|
|
stderr += data.toString();
|
|
});
|
|
});
|
|
});
|
|
}
|
|
|
|
// Parse all IPs from LXC net config, then return the one matching the preferred prefix.
|
|
function parseLxcIp(
|
|
config: Record<string, unknown>,
|
|
preferredPrefixes: string[] = [],
|
|
): string | null {
|
|
const ips: string[] = [];
|
|
for (const [key, value] of Object.entries(config)) {
|
|
if (/^net\d+$/.test(key) && typeof value === "string") {
|
|
const m = value.match(/ip=(\d{1,3}(?:\.\d{1,3}){3})/);
|
|
if (m) ips.push(m[1]);
|
|
}
|
|
}
|
|
if (!ips.length) return null;
|
|
for (const prefix of preferredPrefixes) {
|
|
const match = ips.find((ip) => ip.startsWith(prefix));
|
|
if (match) return match;
|
|
}
|
|
return ips[0];
|
|
}
|
|
|
|
function matchesAny(name: string, patterns: string[]): boolean {
|
|
const lower = name.toLowerCase();
|
|
return patterns.some((p) => lower.includes(p.toLowerCase()));
|
|
}
|
|
|
|
function parseProxmoxConfig(raw: unknown): {
|
|
windowsPatterns: string[];
|
|
dockerPatterns: string[];
|
|
preferredPrefixes: string[];
|
|
} {
|
|
const split = (s: string) =>
|
|
s
|
|
.split(",")
|
|
.map((x) => x.trim())
|
|
.filter(Boolean);
|
|
if (!raw || typeof raw !== "object") {
|
|
return {
|
|
windowsPatterns: ["win", "windows"],
|
|
dockerPatterns: ["docker"],
|
|
preferredPrefixes: [],
|
|
};
|
|
}
|
|
const cfg = raw as Record<string, unknown>;
|
|
return {
|
|
windowsPatterns: split(
|
|
typeof cfg.windowsPatterns === "string"
|
|
? cfg.windowsPatterns
|
|
: "win,windows",
|
|
),
|
|
dockerPatterns: split(
|
|
typeof cfg.dockerPatterns === "string" ? cfg.dockerPatterns : "docker",
|
|
),
|
|
preferredPrefixes: split(
|
|
typeof cfg.preferredPrefixes === "string" ? cfg.preferredPrefixes : "",
|
|
),
|
|
};
|
|
}
|
|
|
|
/**
|
|
* @openapi
|
|
* /proxmox/discover:
|
|
* post:
|
|
* summary: Discover Proxmox guests on a node
|
|
* description: >
|
|
* Connects to an existing SSH host (a Proxmox node) using its stored
|
|
* credentials, runs pvesh to enumerate all guests (VMs and LXC
|
|
* containers) in the cluster, and returns them ready to be imported as
|
|
* Termix hosts. No separate Proxmox API token is required.
|
|
* tags: [Proxmox]
|
|
* security:
|
|
* - bearerAuth: []
|
|
* requestBody:
|
|
* required: true
|
|
* content:
|
|
* application/json:
|
|
* schema:
|
|
* type: object
|
|
* required: [hostId]
|
|
* properties:
|
|
* hostId:
|
|
* type: number
|
|
* description: ID of the SSH host that is a Proxmox node.
|
|
* responses:
|
|
* 200:
|
|
* description: Discovered guests.
|
|
* content:
|
|
* application/json:
|
|
* schema:
|
|
* type: object
|
|
* properties:
|
|
* guests:
|
|
* type: array
|
|
* items:
|
|
* type: object
|
|
* properties:
|
|
* name:
|
|
* type: string
|
|
* vmid:
|
|
* type: number
|
|
* type:
|
|
* type: string
|
|
* enum: [qemu, lxc]
|
|
* node:
|
|
* type: string
|
|
* status:
|
|
* type: string
|
|
* ip:
|
|
* type: string
|
|
* nullable: true
|
|
* connectionType:
|
|
* type: string
|
|
* enum: [ssh, rdp]
|
|
* enableDocker:
|
|
* type: boolean
|
|
* credentialId:
|
|
* type: number
|
|
* nullable: true
|
|
* defaultCredentialId:
|
|
* type: number
|
|
* nullable: true
|
|
* 400:
|
|
* description: Missing or invalid hostId.
|
|
* 401:
|
|
* description: Authentication required or session expired.
|
|
* 403:
|
|
* description: Access denied to the host.
|
|
* 404:
|
|
* description: Host not found.
|
|
* 422:
|
|
* description: Host is not a Proxmox node or is unreachable.
|
|
* 500:
|
|
* description: Discovery failed.
|
|
*/
|
|
router.post(
|
|
"/discover",
|
|
authenticateJWT,
|
|
requireDataAccess,
|
|
async (req, res) => {
|
|
const { hostId } = req.body as { hostId?: unknown };
|
|
const userId = (req as unknown as AuthenticatedRequest).userId;
|
|
|
|
const parsedHostId = Number(hostId);
|
|
if (!hostId || !Number.isInteger(parsedHostId) || parsedHostId <= 0) {
|
|
return res.status(400).json({ error: "Missing or invalid hostId" });
|
|
}
|
|
|
|
try {
|
|
if (!SimpleDBOps.isUserDataUnlocked(userId)) {
|
|
return res.status(401).json({
|
|
error: "Session expired — please log in again",
|
|
code: "SESSION_EXPIRED",
|
|
});
|
|
}
|
|
|
|
// -----------------------------------------------------------------------
|
|
// Load host from DB
|
|
// -----------------------------------------------------------------------
|
|
const hostResults = await SimpleDBOps.select(
|
|
getDb().select().from(hosts).where(eq(hosts.id, parsedHostId)),
|
|
"ssh_data",
|
|
userId,
|
|
);
|
|
|
|
if (!hostResults.length) {
|
|
return res.status(404).json({ error: "Host not found" });
|
|
}
|
|
|
|
const host = hostResults[0] as unknown as SSHHost;
|
|
|
|
// Read discovery settings from the host's proxmoxConfig
|
|
const proxmoxCfgRaw = host.proxmoxConfig
|
|
? typeof host.proxmoxConfig === "string"
|
|
? JSON.parse(host.proxmoxConfig)
|
|
: host.proxmoxConfig
|
|
: null;
|
|
const { windowsPatterns, dockerPatterns, preferredPrefixes } =
|
|
parseProxmoxConfig(proxmoxCfgRaw);
|
|
const proxmoxDefaultCredentialId =
|
|
proxmoxCfgRaw && typeof proxmoxCfgRaw === "object"
|
|
? (((proxmoxCfgRaw as Record<string, unknown>).defaultCredentialId as
|
|
| number
|
|
| null) ?? null)
|
|
: null;
|
|
|
|
// -----------------------------------------------------------------------
|
|
// Permission check
|
|
// -----------------------------------------------------------------------
|
|
if (host.userId !== userId) {
|
|
const { PermissionManager } =
|
|
await import("../../utils/permission-manager.js");
|
|
const pm = PermissionManager.getInstance();
|
|
const access = await pm.canAccessHost(userId, parsedHostId, "execute");
|
|
if (!access.hasAccess) {
|
|
return res.status(403).json({ error: "Access denied" });
|
|
}
|
|
}
|
|
|
|
// -----------------------------------------------------------------------
|
|
// Credential resolution (mirrors docker.ts pattern)
|
|
// -----------------------------------------------------------------------
|
|
let resolvedCredentials: {
|
|
password?: string;
|
|
sshKey?: string;
|
|
keyPassword?: string;
|
|
authType?: string;
|
|
} = {
|
|
password: host.password,
|
|
sshKey: host.key,
|
|
keyPassword: host.keyPassword,
|
|
authType: host.authType,
|
|
};
|
|
|
|
const hostCredentialId = host.credentialId ?? null;
|
|
|
|
if (host.credentialId) {
|
|
if (userId !== host.userId) {
|
|
try {
|
|
const { SharedCredentialManager } =
|
|
await import("../../utils/shared-credential-manager.js");
|
|
const sharedCred =
|
|
await SharedCredentialManager.getInstance().getSharedCredentialForUser(
|
|
host.id,
|
|
userId,
|
|
);
|
|
if (sharedCred) {
|
|
resolvedCredentials = {
|
|
password: sharedCred.password,
|
|
sshKey: sharedCred.key,
|
|
keyPassword: sharedCred.keyPassword,
|
|
authType: sharedCred.authType,
|
|
};
|
|
}
|
|
} catch (err) {
|
|
proxmoxLogger.error("Failed to resolve shared credential", err, {
|
|
operation: "proxmox_discover",
|
|
hostId: parsedHostId,
|
|
userId,
|
|
});
|
|
}
|
|
} else {
|
|
const creds = await SimpleDBOps.select(
|
|
getDb()
|
|
.select()
|
|
.from(sshCredentials)
|
|
.where(
|
|
and(
|
|
eq(sshCredentials.id, host.credentialId as number),
|
|
eq(sshCredentials.userId, userId),
|
|
),
|
|
),
|
|
"ssh_credentials",
|
|
userId,
|
|
);
|
|
if (creds.length > 0) {
|
|
const c = creds[0];
|
|
resolvedCredentials = {
|
|
password: c.password as string | undefined,
|
|
sshKey: (c.key || c.privateKey) as string | undefined,
|
|
keyPassword: c.keyPassword as string | undefined,
|
|
authType: c.authType as string | undefined,
|
|
};
|
|
}
|
|
}
|
|
}
|
|
|
|
// -----------------------------------------------------------------------
|
|
// Build SSH config
|
|
// -----------------------------------------------------------------------
|
|
const sshConfig: Record<string, unknown> = {
|
|
host: host.ip?.replace(/^\[|\]$/g, "") || host.ip,
|
|
port: host.port || 22,
|
|
username: host.username,
|
|
tryKeyboard: false,
|
|
readyTimeout: 30000,
|
|
hostVerifier: await SSHHostKeyVerifier.createHostVerifier(
|
|
parsedHostId,
|
|
host.ip,
|
|
host.port || 22,
|
|
null,
|
|
userId,
|
|
false,
|
|
),
|
|
};
|
|
|
|
const authType = resolvedCredentials.authType;
|
|
if (authType === "key" && resolvedCredentials.sshKey) {
|
|
sshConfig.privateKey = resolvedCredentials.sshKey;
|
|
if (resolvedCredentials.keyPassword)
|
|
sshConfig.passphrase = resolvedCredentials.keyPassword;
|
|
} else if (authType === "agent") {
|
|
const { applyAgentAuth } =
|
|
await import("../../ssh/terminal-auth-helpers.js");
|
|
const result = await applyAgentAuth(
|
|
sshConfig,
|
|
host.terminalConfig as unknown as Record<string, unknown> | undefined,
|
|
);
|
|
if ("error" in result) {
|
|
return res.status(400).json({ error: result.error });
|
|
}
|
|
} else if (resolvedCredentials.password) {
|
|
sshConfig.password = resolvedCredentials.password;
|
|
}
|
|
|
|
// -----------------------------------------------------------------------
|
|
// Connect → discover → disconnect
|
|
// -----------------------------------------------------------------------
|
|
const client = new SSHClient();
|
|
|
|
try {
|
|
await new Promise<void>((resolve, reject) => {
|
|
client.on("ready", resolve);
|
|
client.on("error", reject);
|
|
client.connect(sshConfig as import("ssh2").ConnectConfig);
|
|
});
|
|
|
|
proxmoxLogger.info("Proxmox discovery SSH connection established", {
|
|
operation: "proxmox_discover",
|
|
hostId: parsedHostId,
|
|
userId,
|
|
});
|
|
|
|
// Verify pvesh is present — fail fast with a clear error
|
|
const pveshCheck = await execCommand(
|
|
client,
|
|
"command -v pvesh >/dev/null 2>&1 && echo ok || echo missing",
|
|
);
|
|
if (pveshCheck.trim() !== "ok") {
|
|
return res
|
|
.status(422)
|
|
.json({ error: "pvesh not found — is this a Proxmox node?" });
|
|
}
|
|
|
|
// Fetch all cluster resources in one call
|
|
const resourcesJson = await execCommand(
|
|
client,
|
|
"pvesh get /cluster/resources --output-format json 2>/dev/null",
|
|
);
|
|
|
|
let resources: Array<Record<string, unknown>>;
|
|
try {
|
|
resources = JSON.parse(resourcesJson);
|
|
} catch {
|
|
return res.status(502).json({
|
|
error: "Failed to parse pvesh output — unexpected response",
|
|
});
|
|
}
|
|
|
|
// Collect basic guest metadata first (no IP yet)
|
|
type GuestBase = {
|
|
name: string;
|
|
vmid: number;
|
|
type: "qemu" | "lxc";
|
|
node: string;
|
|
status: string;
|
|
};
|
|
|
|
const guestBases: GuestBase[] = [];
|
|
for (const r of resources) {
|
|
const type = r.type as string;
|
|
if (type !== "qemu" && type !== "lxc") continue;
|
|
if (r.template) continue;
|
|
const node = r.node as string;
|
|
if (!isSafeNodeName(node)) {
|
|
proxmoxLogger.warn("Skipping guest with unsafe node name", {
|
|
operation: "proxmox_discover",
|
|
node,
|
|
vmid: r.vmid,
|
|
});
|
|
continue;
|
|
}
|
|
guestBases.push({
|
|
name: (r.name as string) || String(r.vmid),
|
|
vmid: Number(r.vmid),
|
|
type: type as "qemu" | "lxc",
|
|
node,
|
|
status: (r.status as string) || "unknown",
|
|
});
|
|
}
|
|
|
|
// Resolve IPs for all guests in parallel — keeps total time near
|
|
// max(single_resolution) instead of sum(all_resolutions).
|
|
async function resolveIp(g: GuestBase): Promise<string | null> {
|
|
if (g.type === "lxc") {
|
|
try {
|
|
const cfgJson = await execCommand(
|
|
client,
|
|
`pvesh get /nodes/${g.node}/lxc/${g.vmid}/config --output-format json 2>/dev/null`,
|
|
8000,
|
|
);
|
|
return parseLxcIp(JSON.parse(cfgJson), preferredPrefixes);
|
|
} catch {
|
|
return null;
|
|
}
|
|
}
|
|
if (g.type === "qemu" && g.status === "running") {
|
|
try {
|
|
const ifJson = await execCommand(
|
|
client,
|
|
`pvesh get /nodes/${g.node}/qemu/${g.vmid}/agent/network-get-interfaces --output-format json 2>/dev/null`,
|
|
5000,
|
|
);
|
|
const data = JSON.parse(ifJson);
|
|
const ifaces: Array<Record<string, unknown>> = Array.isArray(
|
|
data?.result,
|
|
)
|
|
? data.result
|
|
: Array.isArray(data)
|
|
? data
|
|
: [];
|
|
const allIps: string[] = [];
|
|
for (const iface of ifaces) {
|
|
if (iface.name === "lo") continue;
|
|
const addrs =
|
|
(iface["ip-addresses"] as Array<Record<string, string>>) ??
|
|
[];
|
|
for (const a of addrs) {
|
|
if (
|
|
a["ip-address-type"] === "ipv4" &&
|
|
!a["ip-address"].startsWith("127.")
|
|
) {
|
|
allIps.push(a["ip-address"]);
|
|
}
|
|
}
|
|
}
|
|
if (allIps.length) {
|
|
for (const prefix of preferredPrefixes) {
|
|
const match = allIps.find((ip) => ip.startsWith(prefix));
|
|
if (match) return match;
|
|
}
|
|
return allIps[0];
|
|
}
|
|
} catch {
|
|
// Guest agent absent or timed out
|
|
}
|
|
}
|
|
return null;
|
|
}
|
|
|
|
// Resolve IPs with bounded concurrency: each lookup opens an SSH exec
|
|
// channel, and OpenSSH's default MaxSessions is 10. Capping the number
|
|
// of in-flight channels keeps discovery reliable on large clusters.
|
|
const CONCURRENCY = 6;
|
|
const ips: (string | null)[] = new Array(guestBases.length).fill(null);
|
|
let cursor = 0;
|
|
async function ipWorker() {
|
|
while (cursor < guestBases.length) {
|
|
const i = cursor++;
|
|
ips[i] = await resolveIp(guestBases[i]);
|
|
}
|
|
}
|
|
await Promise.all(
|
|
Array.from({ length: Math.min(CONCURRENCY, guestBases.length) }, () =>
|
|
ipWorker(),
|
|
),
|
|
);
|
|
const guests = guestBases.map((g, i) => ({
|
|
...g,
|
|
ip: ips[i],
|
|
connectionType: matchesAny(g.name, windowsPatterns) ? "rdp" : "ssh",
|
|
enableDocker: matchesAny(g.name, dockerPatterns),
|
|
}));
|
|
|
|
proxmoxLogger.info("Proxmox discovery completed", {
|
|
operation: "proxmox_discover",
|
|
hostId: parsedHostId,
|
|
userId,
|
|
guestCount: guests.length,
|
|
});
|
|
|
|
// Return guests with connection type + docker flag, plus credential info
|
|
// so the frontend can pre-populate auth for imported hosts.
|
|
return res.json({
|
|
guests,
|
|
credentialId: hostCredentialId,
|
|
defaultCredentialId: proxmoxDefaultCredentialId,
|
|
});
|
|
} finally {
|
|
try {
|
|
client.end();
|
|
} catch {
|
|
// ignore cleanup errors
|
|
}
|
|
}
|
|
} catch (err: unknown) {
|
|
const message = err instanceof Error ? err.message : "Unknown error";
|
|
proxmoxLogger.error("Proxmox discovery failed", err, {
|
|
operation: "proxmox_discover",
|
|
hostId: parsedHostId,
|
|
userId,
|
|
});
|
|
|
|
if (
|
|
message.includes("pvesh not found") ||
|
|
message.includes("Authentication failed") ||
|
|
message.includes("connect ECONNREFUSED") ||
|
|
message.includes("connect ETIMEDOUT")
|
|
) {
|
|
return res.status(422).json({ error: `Discovery failed: ${message}` });
|
|
}
|
|
return res.status(500).json({ error: `Discovery failed: ${message}` });
|
|
}
|
|
},
|
|
);
|
|
|
|
export default router;
|