JGitSshClient.java

  1. /*
  2.  * Copyright (C) 2018, 2022 Thomas Wolf <thomas.wolf@paranor.ch> and others
  3.  *
  4.  * This program and the accompanying materials are made available under the
  5.  * terms of the Eclipse Distribution License v. 1.0 which is available at
  6.  * https://www.eclipse.org/org/documents/edl-v10.php.
  7.  *
  8.  * SPDX-License-Identifier: BSD-3-Clause
  9.  */
  10. package org.eclipse.jgit.internal.transport.sshd;

  12. import static java.text.MessageFormat.format;
  13. import static org.apache.sshd.core.CoreModuleProperties.PASSWORD_PROMPTS;
  14. import static org.apache.sshd.core.CoreModuleProperties.PREFERRED_AUTHS;
  15. import static org.eclipse.jgit.internal.transport.ssh.OpenSshConfigFile.positive;

  17. import java.io.IOException;
  18. import java.net.InetSocketAddress;
  19. import java.net.Proxy;
  20. import java.net.SocketAddress;
  21. import java.nio.file.Files;
  22. import java.nio.file.InvalidPathException;
  23. import java.nio.file.Path;
  24. import java.nio.file.Paths;
  25. import java.security.GeneralSecurityException;
  26. import java.security.KeyPair;
  27. import java.util.Arrays;
  28. import java.util.Collections;
  29. import java.util.HashMap;
  30. import java.util.Iterator;
  31. import java.util.List;
  32. import java.util.Map;
  33. import java.util.NoSuchElementException;
  34. import java.util.Objects;
  35. import java.util.function.Supplier;
  36. import java.util.stream.Collectors;

  38. import org.apache.sshd.agent.SshAgentFactory;
  39. import org.apache.sshd.client.SshClient;
  40. import org.apache.sshd.client.config.hosts.HostConfigEntry;
  41. import org.apache.sshd.client.future.ConnectFuture;
  42. import org.apache.sshd.client.future.DefaultConnectFuture;
  43. import org.apache.sshd.client.session.ClientSessionImpl;
  44. import org.apache.sshd.client.session.SessionFactory;
  45. import org.apache.sshd.common.AttributeRepository;
  46. import org.apache.sshd.common.config.keys.FilePasswordProvider;
  47. import org.apache.sshd.common.future.SshFutureListener;
  48. import org.apache.sshd.common.io.IoConnectFuture;
  49. import org.apache.sshd.common.io.IoSession;
  50. import org.apache.sshd.common.keyprovider.AbstractResourceKeyPairProvider;
  51. import org.apache.sshd.common.keyprovider.KeyIdentityProvider;
  52. import org.apache.sshd.common.session.SessionContext;
  53. import org.apache.sshd.common.session.helpers.AbstractSession;
  54. import org.apache.sshd.common.util.ValidateUtils;
  55. import org.apache.sshd.common.util.net.SshdSocketAddress;
  56. import org.eclipse.jgit.internal.transport.sshd.JGitClientSession.ChainingAttributes;
  57. import org.eclipse.jgit.internal.transport.sshd.JGitClientSession.SessionAttributes;
  58. import org.eclipse.jgit.internal.transport.sshd.proxy.HttpClientConnector;
  59. import org.eclipse.jgit.internal.transport.sshd.proxy.Socks5ClientConnector;
  60. import org.eclipse.jgit.transport.CredentialsProvider;
  61. import org.eclipse.jgit.transport.SshConstants;
  62. import org.eclipse.jgit.transport.sshd.KeyCache;
  63. import org.eclipse.jgit.transport.sshd.ProxyData;
  64. import org.eclipse.jgit.transport.sshd.ProxyDataFactory;
  65. import org.eclipse.jgit.util.StringUtils;

  67. /**
  68.  * Customized {@link SshClient} for JGit. It creates specialized
  69.  * {@link JGitClientSession}s that know about the {@link HostConfigEntry} they
  70.  * were created for, and it loads all KeyPair identities lazily.
  71.  */
  72. public class JGitSshClient extends SshClient {

  74.     /**
  75.      * We need access to this during the constructor of the ClientSession,
  76.      * before setConnectAddress() can have been called. So we have to remember
  77.      * it in an attribute on the SshClient, from where we can then retrieve it.
  78.      */
  79.     static final AttributeKey<HostConfigEntry> HOST_CONFIG_ENTRY = new AttributeKey<>();

  81.     static final AttributeKey<InetSocketAddress> ORIGINAL_REMOTE_ADDRESS = new AttributeKey<>();

  83.     /**
  84.      * An attribute key for the comma-separated list of default preferred
  85.      * authentication mechanisms.
  86.      */
  87.     public static final AttributeKey<String> PREFERRED_AUTHENTICATIONS = new AttributeKey<>();

  89.     /**
  90.      * An attribute key for the home directory.
  91.      */
  92.     public static final AttributeKey<Path> HOME_DIRECTORY = new AttributeKey<>();

  94.     /**
  95.      * An attribute key for storing an alternate local address to connect to if
  96.      * a local forward from a ProxyJump ssh config is present. If set,
  97.      * {@link #connect(HostConfigEntry, AttributeRepository, SocketAddress)}
  98.      * will not connect to the address obtained from the {@link HostConfigEntry}
  99.      * but to the address stored in this key (which is assumed to forward the
  100.      * {@code HostConfigEntry} address).
  101.      */
  102.     public static final AttributeKey<SshdSocketAddress> LOCAL_FORWARD_ADDRESS = new AttributeKey<>();

  104.     private KeyCache keyCache;

  106.     private CredentialsProvider credentialsProvider;

  108.     private ProxyDataFactory proxyDatabase;

  110.     private Supplier<SshAgentFactory> agentFactorySupplier = () -> null;

  112.     @Override
  113.     protected SessionFactory createSessionFactory() {
  114.         // Override the parent's default
  115.         return new JGitSessionFactory(this);
  116.     }

  118.     @Override
  119.     public ConnectFuture connect(HostConfigEntry hostConfig,
  120.             AttributeRepository context, SocketAddress localAddress)
  121.             throws IOException {
  122.         if (connector == null) {
  123.             throw new IllegalStateException("SshClient not started."); //$NON-NLS-1$
  124.         }
  125.         Objects.requireNonNull(hostConfig, "No host configuration"); //$NON-NLS-1$
  126.         String originalHost = ValidateUtils.checkNotNullAndNotEmpty(
  127.                 hostConfig.getHostName(), "No target host"); //$NON-NLS-1$
  128.         int originalPort = hostConfig.getPort();
  129.         ValidateUtils.checkTrue(originalPort > 0, "Invalid port: %d", //$NON-NLS-1$
  130.                 originalPort);
  131.         InetSocketAddress originalAddress = new InetSocketAddress(originalHost,
  132.                 originalPort);
  133.         InetSocketAddress targetAddress = originalAddress;
  134.         String userName = hostConfig.getUsername();
  135.         String id = userName + '@' + originalAddress;
  136.         AttributeRepository attributes = chain(context, this);
  137.         SshdSocketAddress localForward = attributes
  138.                 .resolveAttribute(LOCAL_FORWARD_ADDRESS);
  139.         if (localForward != null) {
  140.             targetAddress = new InetSocketAddress(localForward.getHostName(),
  141.                     localForward.getPort());
  142.             id += '/' + targetAddress.toString();
  143.         }
  144.         ConnectFuture connectFuture = new DefaultConnectFuture(id, null);
  145.         SshFutureListener<IoConnectFuture> listener = createConnectCompletionListener(
  146.                 connectFuture, userName, originalAddress, hostConfig);
  147.         attributes = sessionAttributes(attributes, hostConfig, originalAddress);
  148.         // Proxy support
  149.         if (localForward == null) {
  150.             ProxyData proxy = getProxyData(targetAddress);
  151.             if (proxy != null) {
  152.                 targetAddress = configureProxy(proxy, targetAddress);
  153.                 proxy.clearPassword();
  154.             }
  155.         }
  156.         connector.connect(targetAddress, attributes, localAddress)
  157.                 .addListener(listener);
  158.         return connectFuture;
  159.     }

  161.     private AttributeRepository chain(AttributeRepository self,
  162.             AttributeRepository parent) {
  163.         if (self == null) {
  164.             return Objects.requireNonNull(parent);
  165.         }
  166.         if (parent == null || parent == self) {
  167.             return self;
  168.         }
  169.         return new ChainingAttributes(self, parent);
  170.     }

  172.     private AttributeRepository sessionAttributes(AttributeRepository parent,
  173.             HostConfigEntry hostConfig, InetSocketAddress originalAddress) {
  174.         // sshd needs some entries from the host config already in the
  175.         // constructor of the session. Put those into a dedicated
  176.         // AttributeRepository for the new session where it will find them.
  177.         // We can set the host config only once the session object has been
  178.         // created.
  179.         Map<AttributeKey<?>, Object> data = new HashMap<>();
  180.         data.put(HOST_CONFIG_ENTRY, hostConfig);
  181.         data.put(ORIGINAL_REMOTE_ADDRESS, originalAddress);
  182.         data.put(TARGET_SERVER, new SshdSocketAddress(originalAddress));
  183.         String preferredAuths = hostConfig.getProperty(
  184.                 SshConstants.PREFERRED_AUTHENTICATIONS,
  185.                 resolveAttribute(PREFERRED_AUTHENTICATIONS));
  186.         if (!StringUtils.isEmptyOrNull(preferredAuths)) {
  187.             data.put(SessionAttributes.PROPERTIES,
  188.                     Collections.singletonMap(
  189.                             PREFERRED_AUTHS.getName(),
  190.                             preferredAuths));
  191.         }
  192.         return new SessionAttributes(
  193.                 AttributeRepository.ofAttributesMap(data),
  194.                 parent, this);
  195.     }

  197.     private ProxyData getProxyData(InetSocketAddress remoteAddress) {
  198.         ProxyDataFactory factory = getProxyDatabase();
  199.         return factory == null ? null : factory.get(remoteAddress);
  200.     }

  202.     private InetSocketAddress configureProxy(ProxyData proxyData,
  203.             InetSocketAddress remoteAddress) {
  204.         Proxy proxy = proxyData.getProxy();
  205.         if (proxy.type() == Proxy.Type.DIRECT
  206.                 || !(proxy.address() instanceof InetSocketAddress)) {
  207.             return remoteAddress;
  208.         }
  209.         InetSocketAddress address = (InetSocketAddress) proxy.address();
  210.         if (address.isUnresolved()) {
  211.             address = new InetSocketAddress(address.getHostName(),
  212.                     address.getPort());
  213.         }
  214.         switch (proxy.type()) {
  215.         case HTTP:
  216.             setClientProxyConnector(
  217.                     new HttpClientConnector(address, remoteAddress,
  218.                             proxyData.getUser(), proxyData.getPassword()));
  219.             return address;
  220.         case SOCKS:
  221.             setClientProxyConnector(
  222.                     new Socks5ClientConnector(address, remoteAddress,
  223.                             proxyData.getUser(), proxyData.getPassword()));
  224.             return address;
  225.         default:
  226.             log.warn(format(SshdText.get().unknownProxyProtocol,
  227.                     proxy.type().name()));
  228.             return remoteAddress;
  229.         }
  230.     }

  232.     private SshFutureListener<IoConnectFuture> createConnectCompletionListener(
  233.             ConnectFuture connectFuture, String username,
  234.             InetSocketAddress address, HostConfigEntry hostConfig) {
  235.         return new SshFutureListener<>() {

  237.             @Override
  238.             public void operationComplete(IoConnectFuture future) {
  239.                 if (future.isCanceled()) {
  240.                     connectFuture.cancel();
  241.                     return;
  242.                 }
  243.                 Throwable t = future.getException();
  244.                 if (t != null) {
  245.                     connectFuture.setException(t);
  246.                     return;
  247.                 }
  248.                 IoSession ioSession = future.getSession();
  249.                 try {
  250.                     JGitClientSession session = createSession(ioSession,
  251.                             username, address, hostConfig);
  252.                     connectFuture.setSession(session);
  253.                 } catch (RuntimeException e) {
  254.                     connectFuture.setException(e);
  255.                     ioSession.close(true);
  256.                 }
  257.             }

  259.             @Override
  260.             public String toString() {
  261.                 return "JGitSshClient$ConnectCompletionListener[" + username //$NON-NLS-1$
  262.                         + '@' + address + ']';
  263.             }
  264.         };
  265.     }

  267.     private JGitClientSession createSession(IoSession ioSession,
  268.             String username, InetSocketAddress address,
  269.             HostConfigEntry hostConfig) {
  270.         AbstractSession rawSession = AbstractSession.getSession(ioSession);
  271.         if (!(rawSession instanceof JGitClientSession)) {
  272.             throw new IllegalStateException("Wrong session type: " //$NON-NLS-1$
  273.                     + rawSession.getClass().getCanonicalName());
  274.         }
  275.         JGitClientSession session = (JGitClientSession) rawSession;
  276.         session.setUsername(username);
  277.         session.setConnectAddress(address);
  278.         session.setHostConfigEntry(hostConfig);
  279.         if (session.getCredentialsProvider() == null) {
  280.             session.setCredentialsProvider(getCredentialsProvider());
  281.         }
  282.         int numberOfPasswordPrompts = getNumberOfPasswordPrompts(hostConfig);
  283.         PASSWORD_PROMPTS.set(session, Integer.valueOf(numberOfPasswordPrompts));
  284.         List<Path> identities = hostConfig.getIdentities().stream()
  285.                 .map(s -> {
  286.                     try {
  287.                         return Paths.get(s);
  288.                     } catch (InvalidPathException e) {
  289.                         log.warn(format(SshdText.get().configInvalidPath,
  290.                                 SshConstants.IDENTITY_FILE, s), e);
  291.                         return null;
  292.                     }
  293.                 }).filter(p -> p != null && Files.exists(p))
  294.                 .collect(Collectors.toList());
  295.         CachingKeyPairProvider ourConfiguredKeysProvider = new CachingKeyPairProvider(
  296.                 identities, keyCache);
  297.         FilePasswordProvider passwordProvider = getFilePasswordProvider();
  298.         ourConfiguredKeysProvider.setPasswordFinder(passwordProvider);
  299.         if (hostConfig.isIdentitiesOnly()) {
  300.             session.setKeyIdentityProvider(ourConfiguredKeysProvider);
  301.         } else {
  302.             KeyIdentityProvider defaultKeysProvider = getKeyIdentityProvider();
  303.             if (defaultKeysProvider instanceof AbstractResourceKeyPairProvider<?>) {
  304.                 ((AbstractResourceKeyPairProvider<?>) defaultKeysProvider)
  305.                         .setPasswordFinder(passwordProvider);
  306.             }
  307.             KeyIdentityProvider combinedProvider = new CombinedKeyIdentityProvider(
  308.                     ourConfiguredKeysProvider, defaultKeysProvider);
  309.             session.setKeyIdentityProvider(combinedProvider);
  310.         }
  311.         return session;
  312.     }

  314.     private int getNumberOfPasswordPrompts(HostConfigEntry hostConfig) {
  315.         String prompts = hostConfig
  316.                 .getProperty(SshConstants.NUMBER_OF_PASSWORD_PROMPTS);
  317.         if (prompts != null) {
  318.             prompts = prompts.trim();
  319.             int value = positive(prompts);
  320.             if (value > 0) {
  321.                 return value;
  322.             }
  323.             log.warn(format(SshdText.get().configInvalidPositive,
  324.                     SshConstants.NUMBER_OF_PASSWORD_PROMPTS, prompts));
  325.         }
  326.         return PASSWORD_PROMPTS.getRequiredDefault().intValue();
  327.     }

  329.     /**
  330.      * Set a cache for loaded keys. Newly discovered keys will be added when
  331.      * IdentityFile host entries from the ssh config file are used during
  332.      * session authentication.
  333.      *
  334.      * @param cache
  335.      *            to use
  336.      */
  337.     public void setKeyCache(KeyCache cache) {
  338.         keyCache = cache;
  339.     }

  341.     /**
  342.      * Sets a {@link ProxyDataFactory} for connecting through proxies.
  343.      *
  344.      * @param factory
  345.      *            to use, or {@code null} if proxying is not desired or
  346.      *            supported
  347.      */
  348.     public void setProxyDatabase(ProxyDataFactory factory) {
  349.         proxyDatabase = factory;
  350.     }

  352.     /**
  353.      * Retrieves the {@link ProxyDataFactory}.
  354.      *
  355.      * @return the factory, or {@code null} if none is set
  356.      */
  357.     protected ProxyDataFactory getProxyDatabase() {
  358.         return proxyDatabase;
  359.     }

  361.     /**
  362.      * Sets the {@link CredentialsProvider} for this client.
  363.      *
  364.      * @param provider
  365.      *            to set
  366.      */
  367.     public void setCredentialsProvider(CredentialsProvider provider) {
  368.         credentialsProvider = provider;
  369.     }

  371.     /**
  372.      * Retrieves the {@link CredentialsProvider} set for this client.
  373.      *
  374.      * @return the provider, or {@code null} if none is set.
  375.      */
  376.     public CredentialsProvider getCredentialsProvider() {
  377.         return credentialsProvider;
  378.     }

  380.     @Override
  381.     public SshAgentFactory getAgentFactory() {
  382.         return agentFactorySupplier.get();
  383.     }

  385.     @Override
  386.     protected void checkConfig() {
  387.         // The super class requires channel factories for agent forwarding if a
  388.         // factory for an SSH agent is set. We haven't implemented this yet, and
  389.         // we don't do SSH agent forwarding for now. Unfortunately, there is no
  390.         // way to bypass this check in the super class except making
  391.         // getAgentFactory() return null until after the check.
  392.         super.checkConfig();
  393.         agentFactorySupplier = super::getAgentFactory;
  394.     }

  396.     /**
  397.      * A {@link SessionFactory} to create our own specialized
  398.      * {@link JGitClientSession}s.
  399.      */
  400.     private static class JGitSessionFactory extends SessionFactory {

  402.         public JGitSessionFactory(JGitSshClient client) {
  403.             super(client);
  404.         }

  406.         @Override
  407.         protected ClientSessionImpl doCreateSession(IoSession ioSession)
  408.                 throws Exception {
  409.             return new JGitClientSession(getClient(), ioSession);
  410.         }
  411.     }

  413.     /**
  414.      * A {@link KeyIdentityProvider} that iterates over the {@link Iterable}s
  415.      * returned by other {@link KeyIdentityProvider}s.
  416.      */
  417.     private static class CombinedKeyIdentityProvider
  418.             implements KeyIdentityProvider {

  420.         private final List<KeyIdentityProvider> providers;

  422.         public CombinedKeyIdentityProvider(KeyIdentityProvider... providers) {
  423.             this(Arrays.stream(providers).filter(Objects::nonNull)
  424.                     .collect(Collectors.toList()));
  425.         }

  427.         public CombinedKeyIdentityProvider(
  428.                 List<KeyIdentityProvider> providers) {
  429.             this.providers = providers;
  430.         }

  432.         @Override
  433.         public Iterable<KeyPair> loadKeys(SessionContext context) {
  434.             return () -> new Iterator<>() {

  436.                 private Iterator<KeyIdentityProvider> factories = providers
  437.                         .iterator();
  438.                 private Iterator<KeyPair> current;

  440.                 private Boolean hasElement;

  442.                 @Override
  443.                 public boolean hasNext() {
  444.                     if (hasElement != null) {
  445.                         return hasElement.booleanValue();
  446.                     }
  447.                     while (current == null || !current.hasNext()) {
  448.                         if (factories.hasNext()) {
  449.                             try {
  450.                                 current = factories.next().loadKeys(context)
  451.                                         .iterator();
  452.                             } catch (IOException | GeneralSecurityException e) {
  453.                                 throw new RuntimeException(e);
  454.                             }
  455.                         } else {
  456.                             current = null;
  457.                             hasElement = Boolean.FALSE;
  458.                             return false;
  459.                         }
  460.                     }
  461.                     hasElement = Boolean.TRUE;
  462.                     return true;
  463.                 }

  465.                 @Override
  466.                 public KeyPair next() {
  467.                     if ((hasElement == null && !hasNext())
  468.                             || !hasElement.booleanValue()) {
  469.                         throw new NoSuchElementException();
  470.                     }
  471.                     hasElement = null;
  472.                     KeyPair result;
  473.                     try {
  474.                         result = current.next();
  475.                     } catch (NoSuchElementException e) {
  476.                         result = null;
  477.                     }
  478.                     return result;
  479.                 }

  481.             };
  482.         }
  483.     }
  484. }
Created with JaCoCo 0.8.7.202105040129