JGitClientSession.java

/*
 * Copyright (C) 2018, 2021 Thomas Wolf <thomas.wolf@paranor.ch> and others
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Distribution License v. 1.0 which is available at
 * https://www.eclipse.org/org/documents/edl-v10.php.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
package org.eclipse.jgit.internal.transport.sshd;

import static java.text.MessageFormat.format;
import static org.apache.sshd.core.CoreModuleProperties.MAX_IDENTIFICATION_SIZE;

import java.io.IOException;
import java.io.StreamCorruptedException;
import java.net.SocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

import org.apache.sshd.client.ClientBuilder;
import org.apache.sshd.client.ClientFactoryManager;
import org.apache.sshd.client.config.hosts.HostConfigEntry;
import org.apache.sshd.client.keyverifier.ServerKeyVerifier;
import org.apache.sshd.client.session.ClientSessionImpl;
import org.apache.sshd.common.AttributeRepository;
import org.apache.sshd.common.FactoryManager;
import org.apache.sshd.common.NamedResource;
import org.apache.sshd.common.PropertyResolver;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.io.IoSession;
import org.apache.sshd.common.io.IoWriteFuture;
import org.apache.sshd.common.kex.BuiltinDHFactories;
import org.apache.sshd.common.kex.DHFactory;
import org.apache.sshd.common.kex.KeyExchangeFactory;
import org.apache.sshd.common.kex.extension.KexExtensionHandler;
import org.apache.sshd.common.kex.extension.KexExtensionHandler.AvailabilityPhase;
import org.apache.sshd.common.kex.extension.KexExtensions;
import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.common.signature.BuiltinSignatures;
import org.apache.sshd.common.util.Readable;
import org.apache.sshd.common.util.buffer.Buffer;
import org.eclipse.jgit.errors.InvalidPatternException;
import org.eclipse.jgit.fnmatch.FileNameMatcher;
import org.eclipse.jgit.internal.transport.sshd.proxy.StatefulProxyConnector;
import org.eclipse.jgit.transport.CredentialsProvider;
import org.eclipse.jgit.transport.SshConstants;
import org.eclipse.jgit.util.StringUtils;

/**
 * A {@link org.apache.sshd.client.session.ClientSession ClientSession} that can
 * be associated with the {@link HostConfigEntry} the session was created for.
 * The {@link JGitSshClient} creates such sessions and sets this association.
 * <p>
 * Also provides for associating a JGit {@link CredentialsProvider} with a
 * session.
 * </p>
 */
public class JGitClientSession extends ClientSessionImpl {

    /**
     * Default setting for the maximum number of bytes to read in the initial
     * protocol version exchange. 64kb is what OpenSSH &lt; 8.0 read; OpenSSH
     * 8.0 changed it to 8Mb, but that seems excessive for the purpose stated in
     * RFC 4253. The Apache MINA sshd default in
     * {@link org.apache.sshd.core.CoreModuleProperties#MAX_IDENTIFICATION_SIZE}
     * is 16kb.
     */
    private static final int DEFAULT_MAX_IDENTIFICATION_SIZE = 64 * 1024;

    private static final AttributeKey<Boolean> INITIAL_KEX_DONE = new AttributeKey<>();

    private HostConfigEntry hostConfig;

    private CredentialsProvider credentialsProvider;

    private volatile StatefulProxyConnector proxyHandler;

    /**
     * @param manager
     * @param session
     * @throws Exception
     */
    public JGitClientSession(ClientFactoryManager manager, IoSession session)
            throws Exception {
        super(manager, session);
    }

    /**
     * Retrieves the {@link HostConfigEntry} this session was created for.
     *
     * @return the {@link HostConfigEntry}, or {@code null} if none set
     */
    public HostConfigEntry getHostConfigEntry() {
        return hostConfig;
    }

    /**
     * Sets the {@link HostConfigEntry} this session was created for.
     *
     * @param hostConfig
     *            the {@link HostConfigEntry}
     */
    public void setHostConfigEntry(HostConfigEntry hostConfig) {
        this.hostConfig = hostConfig;
    }

    /**
     * Sets the {@link CredentialsProvider} for this session.
     *
     * @param provider
     *            to set
     */
    public void setCredentialsProvider(CredentialsProvider provider) {
        credentialsProvider = provider;
    }

    /**
     * Retrieves the {@link CredentialsProvider} set for this session.
     *
     * @return the provider, or {@code null} if none is set.
     */
    public CredentialsProvider getCredentialsProvider() {
        return credentialsProvider;
    }

    /**
     * Sets a {@link StatefulProxyConnector} to handle proxy connection
     * protocols.
     *
     * @param handler
     *            to set
     */
    public void setProxyHandler(StatefulProxyConnector handler) {
        proxyHandler = handler;
    }

    @Override
    protected IoWriteFuture sendIdentification(String ident,
            List<String> extraLines) throws Exception {
        StatefulProxyConnector proxy = proxyHandler;
        if (proxy != null) {
            // We must not block here; the framework starts reading messages
            // from the peer only once the initial sendKexInit() following
            // this call to sendIdentification() has returned!
            proxy.runWhenDone(() -> {
                JGitClientSession.super.sendIdentification(ident, extraLines);
                return null;
            });
            // Called only from the ClientSessionImpl constructor, where the
            // return value is ignored.
            return null;
        }
        return super.sendIdentification(ident, extraLines);
    }

    @Override
    protected byte[] sendKexInit() throws Exception {
        StatefulProxyConnector proxy = proxyHandler;
        if (proxy != null) {
            // We must not block here; the framework starts reading messages
            // from the peer only once the initial sendKexInit() has
            // returned!
            proxy.runWhenDone(() -> {
                JGitClientSession.super.sendKexInit();
                return null;
            });
            // This is called only from the ClientSessionImpl
            // constructor, where the return value is ignored.
            return null;
        }
        return super.sendKexInit();
    }

    /**
     * {@inheritDoc}
     *
     * As long as we're still setting up the proxy connection, diverts messages
     * to the {@link StatefulProxyConnector}.
     */
    @Override
    public void messageReceived(Readable buffer) throws Exception {
        StatefulProxyConnector proxy = proxyHandler;
        if (proxy != null) {
            proxy.messageReceived(getIoSession(), buffer);
        } else {
            super.messageReceived(buffer);
        }
    }

    Set<String> getAllAvailableSignatureAlgorithms() {
        Set<String> allAvailable = new HashSet<>();
        BuiltinSignatures.VALUES.forEach(s -> allAvailable.add(s.getName()));
        BuiltinSignatures.getRegisteredExtensions()
                .forEach(s -> allAvailable.add(s.getName()));
        return allAvailable;
    }

    private void setNewFactories(Collection<String> defaultFactories,
            Collection<String> finalFactories) {
        // If new factory names were added make sure we actually have factories
        // for them all.
        //
        // But add new ones at the end: we don't want to change the order for
        // pubkey auth, and any new ones added here were not included in the
        // default set for some reason, such as being deprecated or weak.
        //
        // The order for KEX is determined by the order in the proposal string,
        // but the order in pubkey auth is determined by the order in the
        // factory list (possibly overridden via ssh config
        // PubkeyAcceptedAlgorithms; see JGitPublicKeyAuthentication).
        Set<String> resultSet = new LinkedHashSet<>(defaultFactories);
        resultSet.addAll(finalFactories);
        setSignatureFactoriesNames(resultSet);
    }

    @Override
    protected String resolveAvailableSignaturesProposal(
            FactoryManager manager) {
        List<String> defaultSignatures = getSignatureFactoriesNames();
        HostConfigEntry config = resolveAttribute(
                JGitSshClient.HOST_CONFIG_ENTRY);
        String algorithms = config
                .getProperty(SshConstants.HOST_KEY_ALGORITHMS);
        if (!StringUtils.isEmptyOrNull(algorithms)) {
            List<String> result = modifyAlgorithmList(defaultSignatures,
                    getAllAvailableSignatureAlgorithms(), algorithms,
                    SshConstants.HOST_KEY_ALGORITHMS);
            if (!result.isEmpty()) {
                if (log.isDebugEnabled()) {
                    log.debug(SshConstants.HOST_KEY_ALGORITHMS + ' ' + result);
                }
                setNewFactories(defaultSignatures, result);
                return String.join(",", result); //$NON-NLS-1$
            }
            log.warn(format(SshdText.get().configNoKnownAlgorithms,
                    SshConstants.HOST_KEY_ALGORITHMS, algorithms));
        }
        // No HostKeyAlgorithms; using default -- change order to put existing
        // keys first.
        ServerKeyVerifier verifier = getServerKeyVerifier();
        if (verifier instanceof ServerKeyLookup) {
            SocketAddress remoteAddress = resolvePeerAddress(
                    resolveAttribute(JGitSshClient.ORIGINAL_REMOTE_ADDRESS));
            List<PublicKey> allKnownKeys = ((ServerKeyLookup) verifier)
                    .lookup(this, remoteAddress);
            Set<String> reordered = new LinkedHashSet<>();
            for (PublicKey key : allKnownKeys) {
                if (key != null) {
                    String keyType = KeyUtils.getKeyType(key);
                    if (keyType != null) {
                        if (KeyPairProvider.SSH_RSA.equals(keyType)) {
                            // Add all available signatures for ssh-rsa.
                            reordered.add(KeyUtils.RSA_SHA512_KEY_TYPE_ALIAS);
                            reordered.add(KeyUtils.RSA_SHA256_KEY_TYPE_ALIAS);
                        }
                        reordered.add(keyType);
                    }
                }
            }
            reordered.addAll(defaultSignatures);
            if (log.isDebugEnabled()) {
                log.debug(SshConstants.HOST_KEY_ALGORITHMS + ' ' + reordered);
            }
            // Make sure we actually have factories for them all.
            if (reordered.size() > defaultSignatures.size()) {
                setNewFactories(defaultSignatures, reordered);
            }
            return String.join(",", reordered); //$NON-NLS-1$
        }
        if (log.isDebugEnabled()) {
            log.debug(
                    SshConstants.HOST_KEY_ALGORITHMS + ' ' + defaultSignatures);
        }
        return String.join(",", defaultSignatures); //$NON-NLS-1$
    }

    private List<String> determineKexProposal() {
        List<KeyExchangeFactory> kexFactories = getKeyExchangeFactories();
        List<String> defaultKexMethods = NamedResource
                .getNameList(kexFactories);
        HostConfigEntry config = resolveAttribute(
                JGitSshClient.HOST_CONFIG_ENTRY);
        String algorithms = config.getProperty(SshConstants.KEX_ALGORITHMS);
        if (!StringUtils.isEmptyOrNull(algorithms)) {
            Set<String> allAvailable = new HashSet<>();
            BuiltinDHFactories.VALUES
                    .forEach(s -> allAvailable.add(s.getName()));
            BuiltinDHFactories.getRegisteredExtensions()
                    .forEach(s -> allAvailable.add(s.getName()));
            List<String> result = modifyAlgorithmList(defaultKexMethods,
                    allAvailable, algorithms, SshConstants.KEX_ALGORITHMS);
            if (!result.isEmpty()) {
                // If new ones were added, update the installed factories
                Set<String> configuredKexMethods = new HashSet<>(
                        defaultKexMethods);
                List<KeyExchangeFactory> newKexFactories = new ArrayList<>();
                result.forEach(name -> {
                    if (!configuredKexMethods.contains(name)) {
                        DHFactory factory = BuiltinDHFactories
                                .resolveFactory(name);
                        if (factory == null) {
                            // Should not occur here
                            if (log.isDebugEnabled()) {
                                log.debug(
                                        "determineKexProposal({}) unknown KEX algorithm {} ignored", //$NON-NLS-1$
                                        this, name);
                            }
                        } else {
                            newKexFactories
                                    .add(ClientBuilder.DH2KEX.apply(factory));
                        }
                    }
                });
                if (!newKexFactories.isEmpty()) {
                    newKexFactories.addAll(kexFactories);
                    setKeyExchangeFactories(newKexFactories);
                }
                return result;
            }
            log.warn(format(SshdText.get().configNoKnownAlgorithms,
                    SshConstants.KEX_ALGORITHMS, algorithms));
        }
        return defaultKexMethods;
    }

    @Override
    protected String resolveSessionKexProposal(String hostKeyTypes)
            throws IOException {
        String kexMethods = String.join(",", determineKexProposal()); //$NON-NLS-1$
        Boolean isRekey = getAttribute(INITIAL_KEX_DONE);
        if (isRekey == null || !isRekey.booleanValue()) {
            // First time
            KexExtensionHandler extHandler = getKexExtensionHandler();
            if (extHandler != null && extHandler.isKexExtensionsAvailable(this,
                    AvailabilityPhase.PROPOSAL)) {
                if (kexMethods.isEmpty()) {
                    kexMethods = KexExtensions.CLIENT_KEX_EXTENSION;
                } else {
                    kexMethods += ',' + KexExtensions.CLIENT_KEX_EXTENSION;
                }
            }
            setAttribute(INITIAL_KEX_DONE, Boolean.TRUE);
        }
        if (log.isDebugEnabled()) {
            log.debug(SshConstants.KEX_ALGORITHMS + ' ' + kexMethods);
        }
        return kexMethods;
    }

    /**
     * Modifies a given algorithm list according to a list from the ssh config,
     * including add ('+'), remove ('-') and reordering ('^') operators.
     *
     * @param defaultList
     *            to modify
     * @param allAvailable
     *            all available values
     * @param fromConfig
     *            telling how to modify the {@code defaultList}, must not be
     *            {@code null} or empty
     * @param overrideKey
     *            ssh config key; used for logging
     * @return the modified list or {@code null} if {@code overrideKey} is not
     *         set
     */
    public List<String> modifyAlgorithmList(List<String> defaultList,
            Set<String> allAvailable, String fromConfig, String overrideKey) {
        Set<String> defaults = new LinkedHashSet<>();
        defaults.addAll(defaultList);
        switch (fromConfig.charAt(0)) {
        case '+':
            List<String> newSignatures = filteredList(allAvailable, overrideKey,
                    fromConfig.substring(1));
            defaults.addAll(newSignatures);
            return new ArrayList<>(defaults);
        case '-':
            // This takes wildcard patterns!
            removeFromList(defaults, overrideKey, fromConfig.substring(1));
            return new ArrayList<>(defaults);
        case '^':
            // Specified entries go to the front of the default list
            List<String> allSignatures = filteredList(allAvailable, overrideKey,
                    fromConfig.substring(1));
            Set<String> atFront = new HashSet<>(allSignatures);
            for (String sig : defaults) {
                if (!atFront.contains(sig)) {
                    allSignatures.add(sig);
                }
            }
            return allSignatures;
        default:
            // Default is overridden -- only accept the ones for which we do
            // have an implementation.
            return filteredList(allAvailable, overrideKey, fromConfig);
        }
    }

    private void removeFromList(Set<String> current, String key,
            String patterns) {
        for (String toRemove : patterns.split("\\s*,\\s*")) { //$NON-NLS-1$
            if (toRemove.indexOf('*') < 0 && toRemove.indexOf('?') < 0) {
                current.remove(toRemove);
                continue;
            }
            try {
                FileNameMatcher matcher = new FileNameMatcher(toRemove, null);
                for (Iterator<String> i = current.iterator(); i.hasNext();) {
                    matcher.reset();
                    matcher.append(i.next());
                    if (matcher.isMatch()) {
                        i.remove();
                    }
                }
            } catch (InvalidPatternException e) {
                log.warn(format(SshdText.get().configInvalidPattern, key,
                        toRemove));
            }
        }
    }

    private List<String> filteredList(Set<String> known, String key,
            String values) {
        List<String> newNames = new ArrayList<>();
        for (String newValue : values.split("\\s*,\\s*")) { //$NON-NLS-1$
            if (known.contains(newValue)) {
                newNames.add(newValue);
            } else {
                log.warn(format(SshdText.get().configUnknownAlgorithm, this,
                        newValue, key, values));
            }
        }
        return newNames;
    }

    /**
     * Reads the RFC 4253, section 4.2 protocol version identification. The
     * Apache MINA sshd default implementation checks for NUL bytes also in any
     * preceding lines, whereas RFC 4253 requires such a check only for the
     * actual identification string starting with "SSH-". Likewise, the 255
     * character limit exists only for the identification string, not for the
     * preceding lines. CR-LF handling is also relaxed.
     *
     * @param buffer
     *            to read from
     * @param server
     *            whether we're an SSH server (should always be {@code false})
     * @return the lines read, with the server identification line last, or
     *         {@code null} if no identification line was found and more bytes
     *         are needed
     * @throws StreamCorruptedException
     *             if the identification is malformed
     * @see <a href="https://tools.ietf.org/html/rfc4253#section-4.2">RFC 4253,
     *      section 4.2</a>
     */
    @Override
    protected List<String> doReadIdentification(Buffer buffer, boolean server)
            throws StreamCorruptedException {
        if (server) {
            // Should never happen. No translation; internal bug.
            throw new IllegalStateException(
                    "doReadIdentification of client called with server=true"); //$NON-NLS-1$
        }
        Integer maxIdentLength = MAX_IDENTIFICATION_SIZE.get(this).orElse(null);
        int maxIdentSize;
        if (maxIdentLength == null || maxIdentLength
                .intValue() < DEFAULT_MAX_IDENTIFICATION_SIZE) {
            maxIdentSize = DEFAULT_MAX_IDENTIFICATION_SIZE;
            MAX_IDENTIFICATION_SIZE.set(this, Integer.valueOf(maxIdentSize));
        } else {
            maxIdentSize = maxIdentLength.intValue();
        }
        int current = buffer.rpos();
        int end = current + buffer.available();
        if (current >= end) {
            return null;
        }
        byte[] raw = buffer.array();
        List<String> ident = new ArrayList<>();
        int start = current;
        boolean hasNul = false;
        for (int i = current; i < end; i++) {
            switch (raw[i]) {
            case 0:
                hasNul = true;
                break;
            case '\n':
                int eol = 1;
                if (i > start && raw[i - 1] == '\r') {
                    eol++;
                }
                String line = new String(raw, start, i + 1 - eol - start,
                        StandardCharsets.UTF_8);
                start = i + 1;
                if (log.isDebugEnabled()) {
                    log.debug(format("doReadIdentification({0}) line: ", this) + //$NON-NLS-1$
                            escapeControls(line));
                }
                ident.add(line);
                if (line.startsWith("SSH-")) { //$NON-NLS-1$
                    if (hasNul) {
                        throw new StreamCorruptedException(
                                format(SshdText.get().serverIdWithNul,
                                        escapeControls(line)));
                    }
                    if (line.length() + eol > 255) {
                        throw new StreamCorruptedException(
                                format(SshdText.get().serverIdTooLong,
                                        escapeControls(line)));
                    }
                    buffer.rpos(start);
                    return ident;
                }
                // If this were a server, we could throw an exception here: a
                // client is not supposed to send any extra lines before its
                // identification string.
                hasNul = false;
                break;
            default:
                break;
            }
            if (i - current + 1 >= maxIdentSize) {
                String msg = format(SshdText.get().serverIdNotReceived,
                        Integer.toString(maxIdentSize));
                if (log.isDebugEnabled()) {
                    log.debug(msg);
                    log.debug(buffer.toHex());
                }
                throw new StreamCorruptedException(msg);
            }
        }
        // Need more data
        return null;
    }

    private static String escapeControls(String s) {
        StringBuilder b = new StringBuilder();
        int l = s.length();
        for (int i = 0; i < l; i++) {
            char ch = s.charAt(i);
            if (Character.isISOControl(ch)) {
                b.append(ch <= 0xF ? "\\u000" : "\\u00") //$NON-NLS-1$ //$NON-NLS-2$
                        .append(Integer.toHexString(ch));
            } else {
                b.append(ch);
            }
        }
        return b.toString();
    }

    @Override
    public <T> T getAttribute(AttributeKey<T> key) {
        T value = super.getAttribute(key);
        if (value == null) {
            IoSession ioSession = getIoSession();
            if (ioSession != null) {
                Object obj = ioSession.getAttribute(AttributeRepository.class);
                if (obj instanceof AttributeRepository) {
                    AttributeRepository sessionAttributes = (AttributeRepository) obj;
                    value = sessionAttributes.resolveAttribute(key);
                }
            }
        }
        return value;
    }

    @Override
    public PropertyResolver getParentPropertyResolver() {
        IoSession ioSession = getIoSession();
        if (ioSession != null) {
            Object obj = ioSession.getAttribute(AttributeRepository.class);
            if (obj instanceof PropertyResolver) {
                return (PropertyResolver) obj;
            }
        }
        return super.getParentPropertyResolver();
    }

    /**
     * An {@link AttributeRepository} that chains together two other attribute
     * sources in a hierarchy.
     */
    public static class ChainingAttributes implements AttributeRepository {

        private final AttributeRepository delegate;

        private final AttributeRepository parent;

        /**
         * Create a new {@link ChainingAttributes} attribute source.
         *
         * @param self
         *            to search for attributes first
         * @param parent
         *            to search for attributes if not found in {@code self}
         */
        public ChainingAttributes(AttributeRepository self,
                AttributeRepository parent) {
            this.delegate = self;
            this.parent = parent;
        }

        @Override
        public int getAttributesCount() {
            return delegate.getAttributesCount();
        }

        @Override
        public <T> T getAttribute(AttributeKey<T> key) {
            return delegate.getAttribute(Objects.requireNonNull(key));
        }

        @Override
        public Collection<AttributeKey<?>> attributeKeys() {
            return delegate.attributeKeys();
        }

        @Override
        public <T> T resolveAttribute(AttributeKey<T> key) {
            T value = getAttribute(Objects.requireNonNull(key));
            if (value == null) {
                return parent.getAttribute(key);
            }
            return value;
        }
    }

    /**
     * A {@link ChainingAttributes} repository that doubles as a
     * {@link PropertyResolver}. The property map can be set via the attribute
     * key {@link SessionAttributes#PROPERTIES}.
     */
    public static class SessionAttributes extends ChainingAttributes
            implements PropertyResolver {

        /** Key for storing a map of properties in the attributes. */
        public static final AttributeKey<Map<String, Object>> PROPERTIES = new AttributeKey<>();

        private final PropertyResolver parentProperties;

        /**
         * Creates a new {@link SessionAttributes} attribute and property
         * source.
         *
         * @param self
         *            to search for attributes first
         * @param parent
         *            to search for attributes if not found in {@code self}
         * @param parentProperties
         *            to search for properties if not found in {@code self}
         */
        public SessionAttributes(AttributeRepository self,
                AttributeRepository parent, PropertyResolver parentProperties) {
            super(self, parent);
            this.parentProperties = parentProperties;
        }

        @Override
        public PropertyResolver getParentPropertyResolver() {
            return parentProperties;
        }

        @Override
        public Map<String, Object> getProperties() {
            Map<String, Object> props = getAttribute(PROPERTIES);
            return props == null ? Collections.emptyMap() : props;
        }
    }
}