feat: Phase 2 security audit fixes + script execution platform

Security (P0/P1/P2):
- WebSSH: dedicated short-lived token, server_id binding, 4003 close code
- Remove /api/agent/exec from control plane (RCE surface eliminated)
- Global JWT middleware (JwtAuthMiddleware) with install-mode bypass
- decrypt_value: failure returns None, never leaks ciphertext
- Telegram: sanitize_external_message strips sensitive fields
- Agent auth: startup enforces non-empty API key, compare_digest
- Credentials: password_set bool flag, no plaintext in API responses
- audit_log: writes admin_username + ip_address on all CUD ops
- Install lock: all /api/install/* except GET /status return 403 post-install
- WebSocket dedup: publish once, subscribers deliver locally

Script execution platform:
- script_jobs.py / script_job_callback.py: async batching and callback
- script_execution_store.py / script_callback_rate.py: Redis-backed state
- script_execution_flush.py: background flusher to MySQL
- scripts.html / script-executions.html: full execution UI
- agent_url.py: centralised URL builder

Frontend:
- All 13 pages migrated from CDN to /app/vendor/ (no external deps)
- vendor/: alpinejs, tailwindcss-browser, xterm, xterm-addon-*, qrious
- Dashboard WebSocket real-time alerts; 8h JWT session timeout

Tests:
- test_security_unit.py: 15 unit tests (JWT, sanitize, vendor, install 403)
- test_api.py: env-configurable admin credentials

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Your Name
2026-05-23 15:26:56 +08:00
parent 341d16fd6d
commit 752a24497c
67 changed files with 4496 additions and 602 deletions
+9 -1
View File
@@ -153,14 +153,22 @@ class AsyncSSHPool:
async def _create_connection(self, server: Server) -> asyncssh.SSHClientConnection:
"""Create a new asyncssh connection to a server"""
from server.config import settings
connect_kwargs = {
"host": server.domain,
"port": server.port or 22,
"username": server.username or "root",
"known_hosts": None, # Skip host key verification (like paramiko AutoAddPolicy)
"connect_timeout": self.CONNECT_TIMEOUT,
}
# Host key verification: respect SSH_STRICT_HOST_CHECKING setting
# Default is "true" — reject unknown hosts for security
if settings.SSH_STRICT_HOST_CHECKING.lower() in ("false", "0", "no"):
connect_kwargs["known_hosts"] = None # Skip verification (insecure)
# If strict mode, asyncssh will use default known_hosts behavior
# (rejects unknown hosts — caller should configure ~/.ssh/known_hosts)
if server.auth_method == "password" and server.password:
password = decrypt_value(server.password)
connect_kwargs["password"] = password