Skip to content

Commit

Permalink
Allow firewall off with commands along with source
Browse files Browse the repository at this point in the history
  • Loading branch information
@willnode
willnode committed Feb 13, 2024
1 parent c6bda02 commit cb9f895
Show file tree
Hide file tree
Showing 3 changed files with 104 additions and 98 deletions.
4 changes: 2 additions & 2 deletions package-lock.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "domcloud-bridge",
"version": "0.40.2",
"version": "0.41.0",
"description": "Deployment runner for DOM Cloud",
"main": "app.js",
"engines": {
Expand Down
196 changes: 101 additions & 95 deletions src/executor/runner.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -797,7 +797,7 @@ export async function runConfigSubdomain(config, domaindata, subdomain, sshExec,
await sshExec(`shopt -s dotglob`, false);
await sshExec(`export DOMAIN='${subdomain}'`, false);
// enable managing systemd for linger user
await sshExec(`export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/\`id -u\`/bus`, false);
await sshExec(`export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/\`id -u\`/bus`, false);
await sshExec(`mkdir -p ${subdomaindata['Home directory']}/public_html && cd "$_"`);
}

Expand Down Expand Up @@ -830,114 +830,120 @@ export async function runConfigSubdomain(config, domaindata, subdomain, sshExec,
await writeLog(await nginxExec.set(subdomain, config.nginx));
}

if (config.source) {
if (typeof config.source === 'string') {
config.source = {
url: config.source,
};
}
const source = config.source;
if (source.url !== 'clear' && !source.url.match(/^(?:(?:https?|ftp|ssh):\/\/)?([^\/]+)/)) {
throw new Error("Invalid source URL");
}
if (config.directory && !source.directory) {
source.directory = config.directory;
delete config.directory;
}
var url;
if (source.url !== 'clear') {
url = new URL(source.url);
if (!source.type || !['clone', 'extract'].includes(source.type)) {
if (url.protocol == 'ssh' || url.pathname.endsWith('.git') || (url.hostname.match(/^(www\.)?(github|gitlab)\.com$/) && !url.pathname.endsWith('.zip') && !url.pathname.endsWith('.tar.gz'))) {
source.type = 'clone';
} else {
source.type = 'extract';
}
try {
if (config.source) {
if (typeof config.source === 'string') {
config.source = {
url: config.source,
};
}
}
let executedCMD = [`rm -rf *`];
let executedCMDNote = '';
if (source.url === 'clear') {
// we just delete them all
executedCMDNote = 'Clearing files';
} else if (source.type === 'clone') {
if (!source.branch && source.directory) {
source.branch = source.directory;
} else if (!source.branch && url.hash) {
source.branch = decodeURI(url.hash.substring(1));
url.hash = '';
const source = config.source;
if (source.url !== 'clear' && !source.url.match(/^(?:(?:https?|ftp|ssh):\/\/)?([^\/]+)/)) {
throw new Error("Invalid source URL");
}
if (source.credentials?.github?.ssh) {
const configFileContent = `Host github.com\n\tStrictHostKeyChecking no\n\tIdentityFile ~/.ssh/id_github_com\n`;
await writeLog("$> writing SSH private key for cloning github.com repository");
await sshExec(`mkdir -p ~/.ssh; touch $HOME/.ssh/{id_github_com,config}; chmod 0600 $HOME/.ssh/*`, false);
await sshExec(`echo "${Buffer.from(source.credentials.github.ssh).toString('base64')}" | base64 --decode > $HOME/.ssh/id_github_com`, false);
// delete old config https://stackoverflow.com/a/36111659/3908409
await sshExec(`sed 's/^Host/\\n&/' $HOME/.ssh/config | sed '/^Host '"github.com"'$/,/^$/d;/^$/d' > $HOME/.ssh/config`, false);
await sshExec(`echo "${Buffer.from(configFileContent).toString('base64')}" | base64 --decode >> ~/.ssh/config`, false);
if (config.directory && !source.directory) {
source.directory = config.directory;
delete config.directory;
}
executedCMD.push(`git clone ${escapeShell(url.toString())}` +
`${source.branch ? ` -b ${escapeShell(source.branch)}` : ''}` +
`${source.shallow ? ` --depth 1` : ''}` +
`${source.submodules ? ` --recurse-submodules` : ''}` + ' .');
executedCMDNote = 'Cloning files';
} else if (source.type === 'extract') {
if (!source.directory && url.hash) {
source.directory = decodeURI(url.hash.substring(1));
url.hash = '';
var url;
if (source.url !== 'clear') {
url = new URL(source.url);
if (!source.type || !['clone', 'extract'].includes(source.type)) {
if (url.protocol == 'ssh' || url.pathname.endsWith('.git') || (url.hostname.match(/^(www\.)?(github|gitlab)\.com$/) && !url.pathname.endsWith('.zip') && !url.pathname.endsWith('.tar.gz'))) {
source.type = 'clone';
} else {
source.type = 'extract';
}
}
}
if (url.pathname.endsWith('.tar.gz')) {
executedCMD.push(`wget -O _.tar.gz ` + escapeShell(url.toString()));
executedCMD.push(`tar -xzf _.tar.gz ; rm _.tar.gz ; chmod -R 0750 *`);
} else {
executedCMD.push(`wget -O _.zip ` + escapeShell(url.toString()));
executedCMD.push(`unzip -q -o _.zip ; rm _.zip ; chmod -R 0750 *`);
let executedCMD = [`rm -rf *`];
let executedCMDNote = '';
if (source.url === 'clear') {
// we just delete them all
executedCMDNote = 'Clearing files';
} else if (source.type === 'clone') {
if (!source.branch && source.directory) {
source.branch = source.directory;
} else if (!source.branch && url.hash) {
source.branch = decodeURI(url.hash.substring(1));
url.hash = '';
}
if (source.credentials?.github?.ssh) {
const configFileContent = `Host github.com\n\tStrictHostKeyChecking no\n\tIdentityFile ~/.ssh/id_github_com\n`;
await writeLog("$> writing SSH private key for cloning github.com repository");
await sshExec(`mkdir -p ~/.ssh; touch $HOME/.ssh/{id_github_com,config}; chmod 0600 $HOME/.ssh/*`, false);
await sshExec(`echo "${Buffer.from(source.credentials.github.ssh).toString('base64')}" | base64 --decode > $HOME/.ssh/id_github_com`, false);
// delete old config https://stackoverflow.com/a/36111659/3908409
await sshExec(`sed 's/^Host/\\n&/' $HOME/.ssh/config | sed '/^Host '"github.com"'$/,/^$/d;/^$/d' > $HOME/.ssh/config`, false);
await sshExec(`echo "${Buffer.from(configFileContent).toString('base64')}" | base64 --decode >> ~/.ssh/config`, false);
}
executedCMD.push(`git clone ${escapeShell(url.toString())}` +
`${source.branch ? ` -b ${escapeShell(source.branch)}` : ''}` +
`${source.shallow ? ` --depth 1` : ''}` +
`${source.submodules ? ` --recurse-submodules` : ''}` + ' .');
executedCMDNote = 'Cloning files';
} else if (source.type === 'extract') {
if (!source.directory && url.hash) {
source.directory = decodeURI(url.hash.substring(1));
url.hash = '';
}
if (url.pathname.endsWith('.tar.gz')) {
executedCMD.push(`wget -O _.tar.gz ` + escapeShell(url.toString()));
executedCMD.push(`tar -xzf _.tar.gz ; rm _.tar.gz ; chmod -R 0750 *`);
} else {
executedCMD.push(`wget -O _.zip ` + escapeShell(url.toString()));
executedCMD.push(`unzip -q -o _.zip ; rm _.zip ; chmod -R 0750 *`);
}
if (source.directory) {
executedCMD.push(`mv ${escapeShell(source.directory)}/* .`);
executedCMD.push(`rm -rf ${escapeShell(source.directory)}`);
}
executedCMDNote = 'Downloading files';
}
if (source.directory) {
executedCMD.push(`mv ${escapeShell(source.directory)}/* .`);
executedCMD.push(`rm -rf ${escapeShell(source.directory)}`);

if (firewallOn) {
await iptablesExec.setDelUser(domaindata['Username']);
}
await writeLog("$> " + executedCMDNote);
for (const exec of executedCMD) {
await sshExec(exec);
}
executedCMDNote = 'Downloading files';
}
if (firewallOn) {
await iptablesExec.setDelUser(domaindata['Username']);
}
await writeLog("$> " + executedCMDNote);
for (const exec of executedCMD) {
await sshExec(exec);
if (config.commands) {
if (config.envs) {
let entries = Object.entries(config.envs);
if (entries.length > 0)
await sshExec("export " + entries.map(([k, v]) => `${k}='${v}'`).join(' '), false);
}
for (const cmd of config.commands) {
if (typeof cmd === 'string') {
await sshExec(cmd);
} else if (typeof cmd === 'object') {
if (cmd.command) {
await sshExec(cmd.command, cmd.write === false ? false : true);
} else if (cmd.feature) {
await featureRunner(cmd.feature);
} else if (cmd.filename && cmd.content) {
await writeLog("$> writing " + cmd.filename);
await sshExec(`echo "${Buffer.from(cmd.content).toString('base64')}" | base64 --decode > "${cmd.filename}"`, false);
}
}
}
}
if (firewallOn) {
} catch (error) {
throw error
} finally {
if (config.source && firewallOn) {
await iptablesExec.setAddUser(domaindata['Username']);
}
}

if (config.commands) {
if (config.envs) {
let entries = Object.entries(config.envs);
if (entries.length > 0)
await sshExec("export " + entries.map(([k, v]) => `${k}='${v}'`).join(' '), false);
}
for (const cmd of config.commands) {
if (typeof cmd === 'string') {
await sshExec(cmd);
} else if (typeof cmd === 'object') {
if (cmd.command) {
await sshExec(cmd.command, cmd.write === false ? false : true);
} else if (cmd.feature) {
await featureRunner(cmd.feature);
} else if (cmd.filename && cmd.content) {
await writeLog("$> writing " + cmd.filename);
await sshExec(`echo "${Buffer.from(cmd.content).toString('base64')}" | base64 --decode > "${cmd.filename}"`, false);
if (Array.isArray(config.features)) {
for (const feature of config.features) {
if (typeof feature === 'string' && feature.match(/^ssl/)) {
await featureRunner(feature);
}
}
}
}

if (Array.isArray(config.features)) {
for (const feature of config.features) {
if (typeof feature === 'string' && feature.match(/^ssl/)) {
await featureRunner(feature);
}
}
}
}

0 comments on commit cb9f895

Please sign in to comment.