feat(systemd-service-manager): 添加非root用户自动提权功能

- `install` / `start` / `stop` / `restart` / `enable` / `disable`
  等system scope写操作在非root下会自动通过`sudo`重新执行脚本本身，
  因此不要求手动在命令前添加`sudo`

- 新增ssm_current_euid、ssm_is_root、ssm_resolve_executable_path等
  辅助函数处理权限判断和路径解析

- 实现ssm_should_auto_elevate和ssm_reexec_with_sudo函数来处理
  自动提权逻辑

- 更新文档说明自动提权特性

- 添加相关测试用例验证自动提权功能

Author: mudssky

scripts/bash/systemd-service-manager/README.md

@@ -26,6 +26,7 @@
 ## Notes
 
 - `start` / `stop` / `restart` / `status` / `logs` 这类命令依赖目标 unit 已经先执行过 `install`。
+- `install` / `start` / `stop` / `restart` / `enable` / `disable` 这类 system scope 写操作在非 root 下会自动通过 `sudo` 重新执行脚本本身，因此不要求你手工把 `sudo` 写在命令前。
 
 ## Build
 

scripts/bash/systemd-service-manager/common.sh

@@ -48,3 +48,50 @@ ssm_init_environment() {
   local script_path="$1"
   SSM_MANAGER_HOME="$(ssm_detect_manager_home "${script_path}")"
 }
+
+# 返回当前有效 uid；测试可通过环境变量覆写，避免依赖宿主用户身份。
+ssm_current_euid() {
+  if [[ -n "${SSM_TEST_EUID:-}" ]]; then
+    printf '%s\n' "${SSM_TEST_EUID}"
+    return 0
+  fi
+
+  id -u
+}
+
+# 判断当前是否已经具备 root 权限。
+ssm_is_root() {
+  [[ "$(ssm_current_euid)" == "0" ]]
+}
+
+# 把脚本入口解析成绝对路径，兼容 PATH 调用和显式路径调用。
+ssm_resolve_executable_path() {
+  local source_path="$1"
+  local argv0="$2"
+  local candidate="${source_path}"
+
+  if [[ "${candidate}" != */* ]]; then
+    candidate="${argv0}"
+  fi
+
+  if [[ "${candidate}" != */* ]]; then
+    candidate="$(command -v "${candidate}" 2>/dev/null || true)"
+  fi
+
+  [[ -n "${candidate}" ]] || ssm_die "Unable to resolve executable path for elevation"
+
+  if command -v realpath >/dev/null 2>&1; then
+    realpath "${candidate}" 2>/dev/null && return 0
+  fi
+
+  if command -v readlink >/dev/null 2>&1; then
+    readlink -f "${candidate}" 2>/dev/null && return 0
+  fi
+
+  if [[ "${candidate}" == /* ]]; then
+    printf '%s\n' "${candidate}"
+    return 0
+  fi
+
+  printf '%s/%s\n' "${PWD}" "${candidate}"
+}

scripts/bash/systemd-service-manager/lib/cli.sh

@@ -36,6 +36,7 @@ Target syntax:
 
 Notes:
   start 前需要目标 unit 已经 install
+  system scope 的写操作在非 root 下会自动通过 sudo 重新执行
 
 Examples:
   systemd-service-manager init

scripts/bash/systemd-service-manager/lib/systemd.sh

@@ -141,3 +141,37 @@ ssm_load_target_context() {
       ;;
   esac
 }
+
+# 判断当前命令是否需要在非 root 下自动提权。
+ssm_should_auto_elevate() {
+  local command="$1"
+
+  case "${command}" in
+    install | start | stop | restart | enable | disable)
+      ;;
+    *)
+      return 1
+      ;;
+  esac
+
+  [[ "${SSM_CLI_DRY_RUN:-0}" == "1" ]] && return 1
+  [[ "${SSM_ELEVATED_BY_SCRIPT:-0}" == "1" ]] && return 1
+  ssm_is_root && return 1
+
+  local target_kind="${SSM_CLI_POSITIONAL_ARGS[0]:-}"
+  local target_name="${SSM_CLI_POSITIONAL_ARGS[1]:-}"
+  ssm_load_target_context "${target_kind}" "${target_name}"
+  [[ "${SSM_ACTIVE_SCOPE}" == "system" ]]
+}
+
+# 以脚本绝对路径重新执行自身，并交给 sudo 完成提权。
+ssm_reexec_with_sudo() {
+  local source_path="$1"
+  local argv0="$2"
+  shift 2
+  local script_path
+  script_path="$(ssm_resolve_executable_path "${source_path}" "${argv0}")"
+
+  command -v sudo >/dev/null 2>&1 || ssm_die "sudo is required for system-scope write operations"
+  exec env SSM_ELEVATED_BY_SCRIPT=1 sudo -- bash "${script_path}" "$@"
+}

scripts/bash/systemd-service-manager/main.sh

@@ -50,6 +50,7 @@ fi
 
 # 顶层分发仅保留 help 和错误分支，满足第一轮测试闭环。
 ssm_main() {
+  local -a original_args=("$@")
   ssm_init_environment "${BASH_SOURCE[0]}"
 
   local command="${1:-help}"
@@ -58,6 +59,10 @@ ssm_main() {
   ssm_parse_common_flags "$@"
   set -- "${SSM_CLI_POSITIONAL_ARGS[@]}"
 
+  if ssm_should_auto_elevate "${command}"; then
+    ssm_reexec_with_sudo "${BASH_SOURCE[0]}" "$0" "${original_args[@]}"
+  fi
+
   case "${command}" in
     help | --help | -h | '')
       ssm_show_help

scripts/bash/systemd-service-manager/tests/install.test.ts

@@ -44,7 +44,9 @@ describe('install command', () => {
       '--project',
       projectRoot,
       '--dry-run',
-    ])
+    ], {
+      SSM_TEST_EUID: '0',
+    })
 
     expect(result.exitCode).toBe(0)
     expect(result.stdout).toContain('myapp-api.service')
@@ -77,6 +79,7 @@ describe('install command', () => {
       workspace,
       ['install', 'timer', 'cleanup', '--project', projectRoot],
       {
+        SSM_TEST_EUID: '0',
         SSM_SYSTEMCTL_LOG: path.join(workspace.root, 'systemctl.log'),
       },
     )
@@ -118,7 +121,9 @@ describe('install command', () => {
       '--project',
       projectRoot,
       '--dry-run',
-    ])
+    ], {
+      SSM_TEST_EUID: '0',
+    })
 
     expect(result.exitCode).toBe(0)
     expect(result.stdout).toContain('myapp-api.service')
@@ -151,6 +156,7 @@ describe('install command', () => {
       workspace,
       ['install', 'api', '--project', projectRoot, '--start'],
       {
+        SSM_TEST_EUID: '0',
         SSM_SYSTEMCTL_LOG: systemctlLog,
       },
     )
@@ -159,4 +165,54 @@ describe('install command', () => {
     expect(fs.readFileSync(systemctlLog, 'utf8')).toContain('daemon-reload')
     expect(fs.readFileSync(systemctlLog, 'utf8')).toContain('start myapp-api.service')
   })
+
+  it('auto-elevates system-scope install when not root', async () => {
+    const workspace = createWorkspace()
+    workspaces.push(workspace)
+
+    installMockCommand(
+      workspace,
+      'sudo',
+      [
+        '#!/usr/bin/env bash',
+        'printf "%s\\n" "$*" >>"${SSM_SUDO_LOG}"',
+        'if [[ "$1" == "--" ]]; then shift; fi',
+        'SSM_TEST_EUID=0 exec "$@"',
+      ].join('\n'),
+    )
+    installMockCommand(
+      workspace,
+      'systemd-analyze',
+      '#!/usr/bin/env bash\nexit 0\n',
+    )
+    installMockCommand(
+      workspace,
+      'systemctl',
+      '#!/usr/bin/env bash\nprintf "%s\\n" "$*" >>"${SSM_SYSTEMCTL_LOG}"\nexit 0\n',
+    )
+
+    const projectRoot = path.join(
+      workspace.managerHome,
+      'tests',
+      'fixtures',
+      'project-basic',
+    )
+    const sudoLog = path.join(workspace.root, 'sudo.log')
+    const systemctlLog = path.join(workspace.root, 'systemctl.log')
+
+    const result = await runSource(
+      workspace,
+      ['install', 'api', '--project', projectRoot, '--start'],
+      {
+        SSM_TEST_EUID: '1000',
+        SSM_SUDO_LOG: sudoLog,
+        SSM_SYSTEMCTL_LOG: systemctlLog,
+      },
+    )
+
+    expect(result.exitCode).toBe(0)
+    expect(fs.readFileSync(sudoLog, 'utf8')).toContain(workspace.sourceEntry)
+    expect(fs.readFileSync(systemctlLog, 'utf8')).toContain('daemon-reload')
+    expect(fs.readFileSync(systemctlLog, 'utf8')).toContain('start myapp-api.service')
+  })
 })

scripts/bash/systemd-service-manager/tests/lifecycle.test.ts

@@ -46,15 +46,18 @@ describe('lifecycle commands', () => {
     )
 
     await runSource(workspace, ['start', 'service', 'api', '--project', projectRoot], {
+      SSM_TEST_EUID: '0',
       SSM_SYSTEMCTL_LOG: systemctlLog,
     })
     await runSource(workspace, ['enable', 'service', 'api', '--project', projectRoot], {
+      SSM_TEST_EUID: '0',
       SSM_SYSTEMCTL_LOG: systemctlLog,
     })
     const status = await runSource(
       workspace,
       ['status', 'service', 'api', '--project', projectRoot],
       {
+        SSM_TEST_EUID: '0',
         SSM_SYSTEMCTL_LOG: systemctlLog,
       },
     )
@@ -100,6 +103,7 @@ describe('lifecycle commands', () => {
       workspace,
       ['logs', 'service', 'user-agent', '--project', projectRoot, '--follow'],
       {
+        SSM_TEST_EUID: '0',
         SSM_JOURNALCTL_LOG: journalLog,
       },
     )
@@ -129,10 +133,52 @@ describe('lifecycle commands', () => {
     )
 
     const result = await runSource(workspace, ['start', 'api', '--project', projectRoot], {
+      SSM_TEST_EUID: '0',
       SSM_SYSTEMCTL_LOG: systemctlLog,
     })
 
     expect(result.exitCode).toBe(0)
     expect(fs.readFileSync(systemctlLog, 'utf8')).toContain('start myapp-api.service')
   })
+
+  it('auto-elevates system-scope start when not root', async () => {
+    const workspace = createWorkspace()
+    workspaces.push(workspace)
+
+    const sudoLog = path.join(workspace.root, 'sudo.log')
+    const systemctlLog = path.join(workspace.root, 'systemctl.log')
+
+    installMockCommand(
+      workspace,
+      'sudo',
+      [
+        '#!/usr/bin/env bash',
+        'printf "%s\\n" "$*" >>"${SSM_SUDO_LOG}"',
+        'if [[ "$1" == "--" ]]; then shift; fi',
+        'SSM_TEST_EUID=0 exec "$@"',
+      ].join('\n'),
+    )
+    installMockCommand(
+      workspace,
+      'systemctl',
+      '#!/usr/bin/env bash\nprintf "%s\\n" "$*" >>"${SSM_SYSTEMCTL_LOG}"\nexit 0\n',
+    )
+
+    const projectRoot = path.join(
+      workspace.managerHome,
+      'tests',
+      'fixtures',
+      'project-basic',
+    )
+
+    const result = await runSource(workspace, ['start', 'api', '--project', projectRoot], {
+      SSM_TEST_EUID: '1000',
+      SSM_SUDO_LOG: sudoLog,
+      SSM_SYSTEMCTL_LOG: systemctlLog,
+    })
+
+    expect(result.exitCode).toBe(0)
+    expect(fs.readFileSync(sudoLog, 'utf8')).toContain(workspace.sourceEntry)
+    expect(fs.readFileSync(systemctlLog, 'utf8')).toContain('start myapp-api.service')
+  })
 })

scripts/bash/systemd-service-manager/tests/manager-cli.test.ts

@@ -42,6 +42,7 @@ describe('systemd service manager cli', () => {
     expect(sourceHelp.stdout).toContain('--dry-run         只预览将执行的操作')
     expect(sourceHelp.stdout).toContain('--start           安装完成后立即启动目标 unit')
     expect(sourceHelp.stdout).toContain('start 前需要目标 unit 已经 install')
+    expect(sourceHelp.stdout).toContain('system scope 的写操作在非 root 下会自动通过 sudo 重新执行')
     expect(builtHelp.stdout).toBe(sourceHelp.stdout)
   })