refactor: store temp keys in /run/zerobyte subfolders

This commit is contained in:
Nicolas Meienberger 2026-05-17 13:57:16 +02:00
parent 481983a75b
commit 3b1b3ff5fe
No known key found for this signature in database
5 changed files with 111 additions and 45 deletions

View file

@ -16,6 +16,27 @@ const getMountPathHash = (mountPath: string) => createHash("sha256").update(moun
const getPrivateKeyPath = (mountPath: string) => path.join(SSH_KEYS_DIR, `${getMountPathHash(mountPath)}.key`);
const getKnownHostsPath = (mountPath: string) => path.join(SSH_KEYS_DIR, `${getMountPathHash(mountPath)}.known_hosts`);
const ensurePrivateSshKeysDir = async () => {
const { uid } = os.userInfo();
try {
await fs.mkdir(SSH_KEYS_DIR, { mode: 0o700 });
} catch (error) {
if (!isNodeErrnoException(error) || error.code !== "EEXIST") throw error;
const stats = await fs.lstat(SSH_KEYS_DIR);
if (!stats.isDirectory() || stats.isSymbolicLink() || stats.uid !== uid) {
throw new Error(`Refusing to use unsafe SSH keys directory: ${SSH_KEYS_DIR}`);
}
}
await fs.chmod(SSH_KEYS_DIR, 0o700);
};
const isNodeErrnoException = (error: unknown): error is NodeJS.ErrnoException => {
return error instanceof Error && "code" in error;
};
const runSshfs = async (args: string[], password?: string) =>
new Promise<void>((resolve, reject) => {
const child = spawn("sshfs", args, { stdio: ["pipe", "pipe", "pipe"] });
@ -110,7 +131,7 @@ const mount = async (config: BackendConfig, mountPath: string) => {
const run = async () => {
await fs.mkdir(mountPath, { recursive: true });
await fs.mkdir(SSH_KEYS_DIR, { recursive: true });
await ensurePrivateSshKeysDir();
const { uid, gid } = os.userInfo();
const options = [
"reconnect",

View file

@ -1,8 +1,9 @@
import * as path from "node:path";
import * as os from "node:os";
export const OPERATION_TIMEOUT = 5000;
export const VOLUME_MOUNT_BASE = process.env.ZEROBYTE_VOLUMES_DIR || "/var/lib/zerobyte/volumes";
export const SSH_KEYS_DIR = "/tmp/zerobyte-ssh";
export const SSH_KEYS_DIR = path.join(os.tmpdir(), "zerobyte-ssh");
export const RCLONE_CONFIG_DIR = process.env.RCLONE_CONFIG_DIR || "/root/.config/rclone";
export const RCLONE_CONFIG_FILE = path.join(RCLONE_CONFIG_DIR, "rclone.conf");
const serverIdleTimeout = Number(process.env.SERVER_IDLE_TIMEOUT ?? 60);

View file

@ -24,14 +24,7 @@ const withCustomPassword = <T extends object>(config: T) => ({
const PLAIN_PRIVATE_KEY =
"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----";
const tempFiles = new Set<string>();
const trackTempFile = (filePath: string | undefined) => {
if (filePath) {
tempFiles.add(filePath);
}
};
const tempDirs = new Set<string>();
const buildEnvForTest = async (
config: Parameters<typeof buildEnv>[0],
@ -39,36 +32,31 @@ const buildEnvForTest = async (
deps: ResticDeps = makeDeps(),
) => {
const env = await buildEnv(config, organizationId, deps);
// Automatically track all temp file paths created by buildEnv
trackTempFile(env.RESTIC_PASSWORD_FILE);
trackTempFile(env.GOOGLE_APPLICATION_CREDENTIALS);
trackTempFile(env._SFTP_KEY_PATH);
trackTempFile(env._SFTP_KNOWN_HOSTS_PATH);
trackTempFile(env.RESTIC_CACERT);
if (env._RUNTIME_SECRETS_DIR) tempDirs.add(env._RUNTIME_SECRETS_DIR);
return env;
};
afterEach(async () => {
await Promise.all(
[...tempFiles].map(async (filePath) => {
await fs.rm(filePath, { force: true });
}),
);
tempFiles.clear();
await Promise.all([...tempDirs].map((dir) => fs.rm(dir, { recursive: true, force: true })));
tempDirs.clear();
});
describe("buildEnv", () => {
describe("base environment", () => {
test("always sets RESTIC_CACHE_DIR", async () => {
const env = await buildEnvForTest(withCustomPassword({ backend: "local" as const, path: "/tmp/repo" }), "org-1");
const env = await buildEnvForTest(
withCustomPassword({ backend: "local" as const, path: "/tmp/repo" }),
"org-1",
);
expect(env.RESTIC_CACHE_DIR).toBe(RESTIC_CACHE_DIR);
});
test("always sets PATH", async () => {
const env = await buildEnvForTest(withCustomPassword({ backend: "local" as const, path: "/tmp/repo" }), "org-1");
const env = await buildEnvForTest(
withCustomPassword({ backend: "local" as const, path: "/tmp/repo" }),
"org-1",
);
expect(env.PATH).toBeTruthy();
});
@ -77,7 +65,12 @@ describe("buildEnv", () => {
describe("password resolution", () => {
test("writes a password file when using customPassword on an existing repository", async () => {
const env = await buildEnvForTest(
{ backend: "local" as const, path: "/tmp/repo", isExistingRepository: true, customPassword: "my-secret" },
{
backend: "local" as const,
path: "/tmp/repo",
isExistingRepository: true,
customPassword: "my-secret",
},
"org-1",
);
@ -127,9 +120,9 @@ describe("buildEnv", () => {
},
});
await expect(buildEnv({ backend: "local" as const, path: "/tmp/repo" }, "org-no-pass", deps)).rejects.toThrow(
"Restic password not configured for organization org-no-pass",
);
await expect(
buildEnv({ backend: "local" as const, path: "/tmp/repo" }, "org-no-pass", deps),
).rejects.toThrow("Restic password not configured for organization org-no-pass");
});
});
@ -150,7 +143,10 @@ describe("buildEnv", () => {
});
test("sets AWS_S3_BUCKET_LOOKUP=dns for Huawei Cloud endpoints", async () => {
const env = await buildEnvForTest({ ...base, endpoint: "https://obs.ap-southeast-1.myhuaweicloud.com" }, "org-1");
const env = await buildEnvForTest(
{ ...base, endpoint: "https://obs.ap-southeast-1.myhuaweicloud.com" },
"org-1",
);
expect(env.AWS_S3_BUCKET_LOOKUP).toBe("dns");
});
@ -296,7 +292,8 @@ describe("buildEnv", () => {
buildEnv(
{
...baseSftpConfig,
privateKey: "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n-----END RSA PRIVATE KEY-----",
privateKey:
"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n-----END RSA PRIVATE KEY-----",
},
"org-1",
deps,
@ -319,7 +316,10 @@ describe("buildEnv", () => {
});
test("uses StrictHostKeyChecking=yes when knownHosts is absent", async () => {
const env = await buildEnvForTest({ ...baseSftpConfig, skipHostKeyCheck: false, knownHosts: undefined }, "org-1");
const env = await buildEnvForTest(
{ ...baseSftpConfig, skipHostKeyCheck: false, knownHosts: undefined },
"org-1",
);
expect(env._SFTP_SSH_ARGS).toContain("StrictHostKeyChecking=yes");
expect(env._SFTP_SSH_ARGS).not.toContain("UserKnownHostsFile=/dev/null");
@ -336,8 +336,8 @@ describe("buildEnv", () => {
);
expect(env._SFTP_SSH_ARGS).toContain("StrictHostKeyChecking=yes");
expect(env._SFTP_SSH_ARGS).toContain("UserKnownHostsFile=/tmp/zerobyte-known-hosts-");
expect(env._SFTP_KNOWN_HOSTS_PATH).toMatch(/^\/tmp\/zerobyte-known-hosts-/);
expect(env._SFTP_SSH_ARGS).toContain("/zerobyte-known-hosts-");
expect(env._SFTP_KNOWN_HOSTS_PATH).toMatch(/\/zerobyte-restic-[^/]+\/zerobyte-known-hosts-/);
});
test("adds -p flag for non-default ports", async () => {
@ -355,7 +355,7 @@ describe("buildEnv", () => {
test("sets the key path in both _SFTP_KEY_PATH and SSH args -i flag", async () => {
const env = await buildEnvForTest(baseSftpConfig, "org-1");
expect(env._SFTP_KEY_PATH).toMatch(/^\/tmp\/zerobyte-ssh-/);
expect(env._SFTP_KEY_PATH).toMatch(/\/zerobyte-restic-[^/]+\/zerobyte-ssh-/);
expect(env._SFTP_SSH_ARGS).toContain(`-i ${env._SFTP_KEY_PATH}`);
});
});
@ -382,7 +382,10 @@ describe("buildEnv", () => {
});
test("does not set RESTIC_CACERT when cacert is absent", async () => {
const env = await buildEnvForTest(withCustomPassword({ backend: "local" as const, path: "/tmp/repo" }), "org-1");
const env = await buildEnvForTest(
withCustomPassword({ backend: "local" as const, path: "/tmp/repo" }),
"org-1",
);
expect(env.RESTIC_CACERT).toBeUndefined();
});
@ -399,7 +402,10 @@ describe("buildEnv", () => {
});
test("does not set _INSECURE_TLS when insecureTls is absent", async () => {
const env = await buildEnvForTest(withCustomPassword({ backend: "local" as const, path: "/tmp/repo" }), "org-1");
const env = await buildEnvForTest(
withCustomPassword({ backend: "local" as const, path: "/tmp/repo" }),
"org-1",
);
expect(env._INSECURE_TLS).toBeUndefined();
});

View file

@ -1,10 +1,22 @@
import crypto from "node:crypto";
import fs from "node:fs/promises";
import os from "node:os";
import path from "node:path";
import type { ResticDeps, ResticEnv } from "../types";
import type { RepositoryConfig } from "../schemas";
import { logger } from "../../node";
import { FILE_MODES, writeFileWithMode } from "../../node/fs.js";
const createRuntimeSecretsDir = async () => {
const runtimeSecretsDir = await fs.mkdtemp(path.join(os.tmpdir(), "zerobyte-restic-"));
await fs.chmod(runtimeSecretsDir, 0o700);
return runtimeSecretsDir;
};
const runtimeSecretPath = (runtimeSecretsDir: string, filename: string) => {
return path.join(runtimeSecretsDir, filename);
};
export const buildEnv = async (
config: RepositoryConfig,
organizationId: string,
@ -14,17 +26,25 @@ export const buildEnv = async (
RESTIC_CACHE_DIR: deps.resticCacheDir,
PATH: process.env.PATH || "/usr/local/bin:/usr/bin:/bin",
};
const runtimeSecretsDir = await createRuntimeSecretsDir();
env._RUNTIME_SECRETS_DIR = runtimeSecretsDir;
if (config.isExistingRepository && config.customPassword) {
const decryptedPassword = await deps.resolveSecret(config.customPassword);
const passwordFilePath = path.join("/tmp", `zerobyte-pass-${crypto.randomBytes(8).toString("hex")}.txt`);
const passwordFilePath = runtimeSecretPath(
runtimeSecretsDir,
`zerobyte-pass-${crypto.randomBytes(8).toString("hex")}.txt`,
);
await writeFileWithMode(passwordFilePath, decryptedPassword, FILE_MODES.ownerReadWrite);
env.RESTIC_PASSWORD_FILE = passwordFilePath;
} else {
const encryptedPassword = await deps.getOrganizationResticPassword(organizationId);
const decryptedPassword = await deps.resolveSecret(encryptedPassword);
const passwordFilePath = path.join("/tmp", `zerobyte-pass-${crypto.randomBytes(8).toString("hex")}.txt`);
const passwordFilePath = runtimeSecretPath(
runtimeSecretsDir,
`zerobyte-pass-${crypto.randomBytes(8).toString("hex")}.txt`,
);
await writeFileWithMode(passwordFilePath, decryptedPassword, FILE_MODES.ownerReadWrite);
env.RESTIC_PASSWORD_FILE = passwordFilePath;
}
@ -46,7 +66,10 @@ export const buildEnv = async (
break;
case "gcs": {
const decryptedCredentials = await deps.resolveSecret(config.credentialsJson);
const credentialsPath = path.join("/tmp", `zerobyte-gcs-${crypto.randomBytes(8).toString("hex")}.json`);
const credentialsPath = runtimeSecretPath(
runtimeSecretsDir,
`zerobyte-gcs-${crypto.randomBytes(8).toString("hex")}.json`,
);
await writeFileWithMode(credentialsPath, decryptedCredentials, FILE_MODES.ownerReadWrite);
env.GOOGLE_PROJECT_ID = config.projectId;
env.GOOGLE_APPLICATION_CREDENTIALS = credentialsPath;
@ -74,7 +97,10 @@ export const buildEnv = async (
break;
case "sftp": {
const decryptedKey = await deps.resolveSecret(config.privateKey);
const keyPath = path.join("/tmp", `zerobyte-ssh-${crypto.randomBytes(8).toString("hex")}`);
const keyPath = runtimeSecretPath(
runtimeSecretsDir,
`zerobyte-ssh-${crypto.randomBytes(8).toString("hex")}`,
);
let normalizedKey = decryptedKey.replace(/\r\n/g, "\n");
if (!normalizedKey.endsWith("\n")) {
@ -83,7 +109,9 @@ export const buildEnv = async (
if (normalizedKey.includes("ENCRYPTED")) {
logger.error("SFTP: Private key appears to be passphrase-protected. Please use an unencrypted key.");
throw new Error("Passphrase-protected SSH keys are not supported. Please provide an unencrypted private key.");
throw new Error(
"Passphrase-protected SSH keys are not supported. Please provide an unencrypted private key.",
);
}
await writeFileWithMode(keyPath, normalizedKey, FILE_MODES.ownerReadWrite);
@ -120,7 +148,10 @@ export const buildEnv = async (
if (config.skipHostKeyCheck) {
sshArgs.push("-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null");
} else if (config.knownHosts) {
const knownHostsPath = path.join("/tmp", `zerobyte-known-hosts-${crypto.randomBytes(8).toString("hex")}`);
const knownHostsPath = runtimeSecretPath(
runtimeSecretsDir,
`zerobyte-known-hosts-${crypto.randomBytes(8).toString("hex")}`,
);
await writeFileWithMode(knownHostsPath, config.knownHosts, FILE_MODES.ownerReadWrite);
env._SFTP_KNOWN_HOSTS_PATH = knownHostsPath;
sshArgs.push("-o", "StrictHostKeyChecking=yes", "-o", `UserKnownHostsFile=${knownHostsPath}`);
@ -140,7 +171,10 @@ export const buildEnv = async (
if (config.cacert) {
const decryptedCert = await deps.resolveSecret(config.cacert);
const certPath = path.join("/tmp", `zerobyte-cacert-${crypto.randomBytes(8).toString("hex")}.pem`);
const certPath = runtimeSecretPath(
runtimeSecretsDir,
`zerobyte-cacert-${crypto.randomBytes(8).toString("hex")}.pem`,
);
await writeFileWithMode(certPath, decryptedCert, FILE_MODES.ownerReadWrite);
env.RESTIC_CACERT = certPath;
}

View file

@ -13,4 +13,8 @@ export const cleanupTemporaryKeys = async (env: ResticEnv, deps: ResticDeps) =>
if (env.RESTIC_PASSWORD_FILE && env.RESTIC_PASSWORD_FILE !== deps.resticPassFile) {
await fs.unlink(env.RESTIC_PASSWORD_FILE).catch(() => {});
}
if (env._RUNTIME_SECRETS_DIR) {
await fs.rm(env._RUNTIME_SECRETS_DIR, { recursive: true, force: true }).catch(() => {});
}
};