Isolate Users (#431)

* WIP to isolate users * Resolved issue with SSH AsUser Updated Isolated User Script to use Server User for Team Access Updated Path creation script to simplify for running as the isolated user * Included the server user * PHPMyAdmin script updated Wordpress Script Updated Updated Execute Script to support executing as isolated users * Issue Resolution & Resolved Failing Unit Tests * Fix for isolated_username vs user * Run the deploy as the isolated user * queue updates for isolated user * Support isolated users in cronjobs * script tests for isolated users * Queue tests for isolated users * Cronjob tests for isolated user * Removed default queue command for laravel apps * add default user to factory * laravel pint fixes * ensure echos are consistent * removed unneeded parameter * update * fix queues for isolated users * revert addslashes --------- Co-authored-by: Saeed Vaziry <mr.saeedvaziry@gmail.com>
2025-07-04 15:32:35 +00:00 · 2025-01-18 00:17:48 +00:00
parent 5947ae80bb
commit c1ae58772c
50 changed files with 717 additions and 69 deletions
--- a/app/SSH/Composer/Composer.php
+++ b/app/SSH/Composer/Composer.php
@ -11,7 +11,7 @@ class Composer

    public function installDependencies(Site $site): void
    {
-        $site->server->ssh()->exec(
+        $site->server->ssh($site->user)->exec(
            $this->getScript('composer-install.sh', [
                'path' => $site->path,
                'php_version' => $site->php_version,
--- a/app/SSH/Git/Git.php
+++ b/app/SSH/Git/Git.php
@ -11,7 +11,7 @@ class Git

    public function clone(Site $site): void
    {
-        $site->server->ssh()->exec(
+        $site->server->ssh($site->user)->exec(
            $this->getScript('clone.sh', [
                'host' => str($site->getFullRepositoryUrl())->after('@')->before('-'),
                'repo' => $site->getFullRepositoryUrl(),
@ -26,7 +26,7 @@ public function clone(Site $site): void

    public function checkout(Site $site): void
    {
-        $site->server->ssh()->exec(
+        $site->server->ssh($site->user)->exec(
            $this->getScript('checkout.sh', [
                'path' => $site->path,
                'branch' => $site->branch,
--- a/app/SSH/Git/scripts/clone.sh
+++ b/app/SSH/Git/scripts/clone.sh
@ -2,6 +2,8 @@ echo "Host __host__-__key__
        Hostname __host__
        IdentityFile=~/.ssh/__key__" >> ~/.ssh/config

+chmod 600 ~/.ssh/config
+
 ssh-keyscan -H __host__ >> ~/.ssh/known_hosts

 rm -rf __path__
--- a/app/SSH/OS/OS.php
+++ b/app/SSH/OS/OS.php
@ -5,6 +5,7 @@
 use App\Exceptions\SSHUploadFailed;
 use App\Models\Server;
 use App\Models\ServerLog;
+use App\Models\Site;
 use App\SSH\HasScripts;
 use Illuminate\Filesystem\FilesystemAdapter;
 use Illuminate\Support\Facades\Storage;
@ -58,6 +59,30 @@ public function createUser(string $user, string $password, string $key): void
        );
    }

+    public function createIsolatedUser(string $user, string $password, int $site_id): void
+    {
+        $this->server->ssh()->exec(
+            $this->getScript('create-isolated-user.sh', [
+                'user' => $user,
+                'server_user' => $this->server->getSshUser(),
+                'password' => $password,
+            ]),
+            'create-isolated-user',
+            $site_id
+        );
+    }
+
+    public function deleteIsolatedUser(string $user): void
+    {
+        $this->server->ssh()->exec(
+            $this->getScript('delete-isolated-user.sh', [
+                'user' => $user,
+                'server_user' => $this->server->getSshUser(),
+            ]),
+            'delete-isolated-user'
+        );
+    }
+
    public function getPublicKey(string $user): string
    {
        return $this->server->ssh()->exec(
@ -88,19 +113,20 @@ public function deleteSSHKey(string $key): void
        );
    }

-    public function generateSSHKey(string $name): void
+    public function generateSSHKey(string $name, ?Site $site = null): void
    {
-        $this->server->ssh()->exec(
+        $site->server->ssh($site->user)->exec(
            $this->getScript('generate-ssh-key.sh', [
                'name' => $name,
            ]),
-            'generate-ssh-key'
+            'generate-ssh-key',
+            $site?->id
        );
    }

-    public function readSSHKey(string $name): string
+    public function readSSHKey(string $name, ?Site $site = null): string
    {
-        return $this->server->ssh()->exec(
+        return $site->server->ssh($site->user)->exec(
            $this->getScript('read-ssh-key.sh', [
                'name' => $name,
            ]),
--- a/app/SSH/OS/scripts/create-isolated-user.sh
+++ b/app/SSH/OS/scripts/create-isolated-user.sh
@ -0,0 +1,17 @@
+export DEBIAN_FRONTEND=noninteractive
+if ! sudo useradd -p $(openssl passwd -1 __password__) __user__; then
+    echo 'VITO_SSH_ERROR' && exit 1
+fi
+
+sudo mkdir /home/__user__
+sudo mkdir /home/__user__/.logs
+sudo mkdir /home/__user__/tmp
+sudo mkdir /home/__user__/bin
+sudo mkdir /home/__user__/.ssh
+echo 'export PATH="/home/__user__/bin:$PATH"' | sudo tee -a /home/__user__/.bashrc
+sudo usermod -a -G __user__ __server_user__
+sudo chown -R __user__:__user__ /home/__user__
+sudo chmod -R 755 /home/__user__
+sudo chmod -R 700 /home/__user__/.ssh
+sudo chsh -s /bin/bash __user__
+echo "Created user __user__."
--- a/app/SSH/OS/scripts/delete-isolated-user.sh
+++ b/app/SSH/OS/scripts/delete-isolated-user.sh
@ -0,0 +1,3 @@
+sudo gpasswd -d __server_user__ __user__
+sudo userdel -r "__user__"
+echo "User __user__ has been deleted."
--- a/app/SSH/PHPMyAdmin/PHPMyAdmin.php
+++ b/app/SSH/PHPMyAdmin/PHPMyAdmin.php
@ -11,7 +11,7 @@ class PHPMyAdmin

    public function install(Site $site): void
    {
-        $site->server->ssh()->exec(
+        $site->server->ssh($site->user)->exec(
            $this->getScript('install.sh', [
                'version' => $site->type_data['version'],
                'path' => $site->path,
--- a/app/SSH/PHPMyAdmin/scripts/install.sh
+++ b/app/SSH/PHPMyAdmin/scripts/install.sh
@ -1,6 +1,10 @@
-sudo rm -rf phpmyadmin
+if ! rm -rf phpmyadmin; then
+    echo 'VITO_SSH_ERROR' && exit 1
+fi

-sudo rm -rf __path__
+if ! rm -rf __path__; then
+    echo 'VITO_SSH_ERROR' && exit 1
+fi

 if ! wget https://files.phpmyadmin.net/phpMyAdmin/__version__/phpMyAdmin-__version__-all-languages.zip; then
    echo 'VITO_SSH_ERROR' && exit 1
--- a/app/SSH/Services/PHP/PHP.php
+++ b/app/SSH/Services/PHP/PHP.php
@ -110,4 +110,32 @@ public function getPHPIni(string $type): string
            sprintf('/etc/php/%s/%s/php.ini', $this->service->version, $type)
        );
    }
+
+    public function createFpmPool(string $user, string $version, $site_id): void
+    {
+        $this->service->server->ssh()->exec(
+            $this->getScript('create-fpm-pool.sh', [
+                'user' => $user,
+                'version' => $version,
+                'config' => $this->getScript('fpm-pool.conf', [
+                    'user' => $user,
+                    'version' => $version,
+                ]),
+            ]),
+            "create-{$version}fpm-pool-{$user}",
+            $site_id
+        );
+    }
+
+    public function removeFpmPool(string $user, string $version, $site_id): void
+    {
+        $this->service->server->ssh()->exec(
+            $this->getScript('remove-fpm-pool.sh', [
+                'user' => $user,
+                'version' => $version,
+            ]),
+            "remove-{$version}fpm-pool-{$user}",
+            $site_id
+        );
+    }
 }
--- a/app/SSH/Services/PHP/scripts/create-fpm-pool.sh
+++ b/app/SSH/Services/PHP/scripts/create-fpm-pool.sh
@ -0,0 +1,2 @@
+echo '__config__' | sudo tee /etc/php/__version__/fpm/pool.d/__user__.conf
+sudo service php__version__-fpm restart
--- a/app/SSH/Services/PHP/scripts/fpm-pool.conf
+++ b/app/SSH/Services/PHP/scripts/fpm-pool.conf
@ -0,0 +1,22 @@
+[__user__]
+user = __user__
+group = __user__
+
+listen = /run/php/php__version__-fpm-__user__.sock
+listen.owner = vito
+listen.group = vito
+listen.mode = 0660
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 500
+
+php_admin_value[open_basedir] = /home/__user__/:/tmp/
+php_admin_value[upload_tmp_dir] = /home/__user__/tmp
+php_admin_value[session.save_path] = /home/__user__/tmp
+php_admin_value[display_errors] = off
+php_admin_value[log_errors] = on
+php_admin_value[error_log] = /home/__user__/.logs/php_errors.log
--- a/app/SSH/Services/PHP/scripts/remove-fpm-pool.sh
+++ b/app/SSH/Services/PHP/scripts/remove-fpm-pool.sh
@ -0,0 +1,2 @@
+sudo rm -f /etc/php/__version__/fpm/pool.d/__user__.conf
+sudo service php__version__-fpm restart
--- a/app/SSH/Services/ProcessManager/Supervisor.php
+++ b/app/SSH/Services/ProcessManager/Supervisor.php
@ -53,9 +53,11 @@ public function create(
            ),
            true
        );
-        $this->service->server->ssh($user)->exec(
+        $this->service->server->ssh()->exec(
            $this->getScript('supervisor/create-worker.sh', [
                'id' => $id,
+                'log_file' => $logFile,
+                'user' => $user,
            ]),
            'create-worker',
            $siteId
--- a/app/SSH/Services/ProcessManager/scripts/supervisor/create-worker.sh
+++ b/app/SSH/Services/ProcessManager/scripts/supervisor/create-worker.sh
@ -1,8 +1,14 @@
-mkdir -p ~/.logs
+if ! sudo mkdir -p "$(dirname __log_file__)"; then
+    echo 'VITO_SSH_ERROR' && exit 1
+fi

-mkdir -p ~/.logs/workers
+if ! sudo touch __log_file__; then
+    echo 'VITO_SSH_ERROR' && exit 1
+fi

-touch ~/.logs/workers/__id__.log
+if ! sudo chown __user__:__user__ __log_file__; then
+    echo 'VITO_SSH_ERROR' && exit 1
+fi

 if ! sudo supervisorctl reread; then
    echo 'VITO_SSH_ERROR' && exit 1
--- a/app/SSH/Services/Webserver/Nginx.php
+++ b/app/SSH/Services/Webserver/Nginx.php
@ -52,8 +52,23 @@ public function uninstall(): void
        $this->service->server->os()->cleanup();
    }

+    /**
+     * @throws SSHError
+     */
    public function createVHost(Site $site): void
    {
+        // We need to get the isolated user first, if the site is isolated
+        // otherwise, use the default ssh user
+        $ssh = $this->service->server->ssh($site->user);
+
+        $ssh->exec(
+            $this->getScript('nginx/create-path.sh', [
+                'path' => $site->path,
+            ]),
+            'create-path',
+            $site->id
+        );
+
        $this->service->server->ssh()->exec(
            $this->getScript('nginx/create-vhost.sh', [
                'domain' => $site->domain,
@ -189,10 +204,16 @@ protected function generateVhost(Site $site, bool $noSSL = false): string
            $vhost = Str::replace('__port__', (string) $site->port, $vhost);
        }

+        $php_socket = 'unix:/var/run/php/php-fpm.sock';
+        if ($site->isIsolated()) {
+            $php_socket = "unix:/run/php/php{$site->php_version}-fpm-{$site->user}.sock";
+        }
+
        $vhost = Str::replace('__domain__', $site->domain, $vhost);
        $vhost = Str::replace('__aliases__', $site->getAliasesString(), $vhost);
        $vhost = Str::replace('__path__', $site->path, $vhost);
        $vhost = Str::replace('__web_directory__', $site->web_directory, $vhost);
+        $vhost = Str::replace('__php_socket__', $php_socket, $vhost);

        if ($ssl) {
            $vhost = Str::replace('__certificate__', $ssl->getCertificatePath(), $vhost);
--- a/app/SSH/Services/Webserver/scripts/nginx/create-path.sh
+++ b/app/SSH/Services/Webserver/scripts/nginx/create-path.sh
@ -0,0 +1,16 @@
+export DEBIAN_FRONTEND=noninteractive
+
+if ! rm -rf __path__; then
+    echo 'VITO_SSH_ERROR'
+    exit 1
+fi
+
+if ! mkdir __path__; then
+    echo 'VITO_SSH_ERROR'
+    exit 1
+fi
+
+if ! chmod -R 755 __path__; then
+    echo 'VITO_SSH_ERROR'
+    exit 1
+fi
--- a/app/SSH/Services/Webserver/scripts/nginx/create-vhost.sh
+++ b/app/SSH/Services/Webserver/scripts/nginx/create-vhost.sh
@ -1,15 +1,3 @@
-if ! rm -rf __path__; then
-    echo 'VITO_SSH_ERROR' && exit 1
-fi
-
-if ! mkdir __path__; then
-    echo 'VITO_SSH_ERROR' && exit 1
-fi
-
-if ! sudo chown -R 755 __path__; then
-    echo 'VITO_SSH_ERROR' && exit 1
-fi
-
 if ! echo '' | sudo tee /etc/nginx/conf.d/__domain___redirects; then
    echo 'VITO_SSH_ERROR' && exit 1
 fi
--- a/app/SSH/Services/Webserver/scripts/nginx/php-vhost-ssl.conf
+++ b/app/SSH/Services/Webserver/scripts/nginx/php-vhost-ssl.conf
@ -24,7 +24,7 @@ server {
    error_page 404 /index.php;

    location ~ \.php$ {
-        fastcgi_pass unix:/var/run/php/php__php_version__-fpm.sock;
+        fastcgi_pass __php_socket__;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_hide_header X-Powered-By;
--- a/app/SSH/Services/Webserver/scripts/nginx/php-vhost.conf
+++ b/app/SSH/Services/Webserver/scripts/nginx/php-vhost.conf
@ -20,7 +20,7 @@ server {
    error_page 404 /index.php;

    location ~ \.php$ {
-        fastcgi_pass unix:/var/run/php/php__php_version__-fpm.sock;
+        fastcgi_pass __php_socket__;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_hide_header X-Powered-By;
--- a/app/SSH/Wordpress/Wordpress.php
+++ b/app/SSH/Wordpress/Wordpress.php
@ -11,10 +11,12 @@ class Wordpress

    public function install(Site $site): void
    {
-        $site->server->ssh()->exec(
+        $site->server->ssh($site->user)->exec(
            $this->getScript('install.sh', [
                'path' => $site->path,
                'domain' => $site->domain,
+                'is_isolated' => $site->isIsolated(),
+                'isolated_username' => $site->user,
                'db_name' => $site->type_data['database'],
                'db_user' => $site->type_data['database_user'],
                'db_pass' => $site->type_data['database_password'],
@ -25,7 +27,8 @@ public function install(Site $site): void
                'email' => $site->type_data['email'],
                'title' => $site->type_data['title'],
            ]),
-            'install-wordpress'
+            'install-wordpress',
+            $site->id
        );
    }
 }
--- a/app/SSH/Wordpress/scripts/install.sh
+++ b/app/SSH/Wordpress/scripts/install.sh
@ -6,8 +6,14 @@ if ! chmod +x wp-cli.phar; then
    echo 'VITO_SSH_ERROR' && exit 1
 fi

-if ! sudo mv wp-cli.phar /usr/local/bin/wp; then
-    echo 'VITO_SSH_ERROR' && exit 1
+if [ "__is_isolated__" == "true" ]; then
+    if ! mv wp-cli.phar /home/__isolated_username__/bin/wp; then
+        echo 'VITO_SSH_ERROR' && exit 1
+    fi
+else
+    if ! mv wp-cli.phar /usr/local/bin/wp; then
+        echo 'VITO_SSH_ERROR' && exit 1
+    fi
 fi

 rm -rf __path__
@ -16,12 +22,20 @@ if ! wp --path=__path__ core download; then
    echo 'VITO_SSH_ERROR' && exit 1
 fi

-if ! wp --path=__path__ core config --dbname='__db_name__' --dbuser='__db_user__' --dbpass='__db_pass__' --dbhost='__db_host__' --dbprefix='__db_prefix__'; then
+if ! wp --path=__path__ core config \
+    --dbname="__db_name__" \
+    --dbuser="__db_user__" \
+    --dbpass="__db_pass__" \
+    --dbhost="__db_host__" \
+    --dbprefix="__db_prefix__"; then
    echo 'VITO_SSH_ERROR' && exit 1
 fi

-if ! wp --path=__path__ core install --url='http://__domain__' --title="__title__" --admin_user='__username__' --admin_password="__password__" --admin_email='__email__'; then
+if ! wp --path=__path__ core install \
+    --url="http://__domain__" \
+    --title="__title__" \
+    --admin_user="__username__" \
+    --admin_password="__password__" \
+    --admin_email="__email__"; then
    echo 'VITO_SSH_ERROR' && exit 1
 fi
-
-echo "Wordpress installed!"