JGitServerKeyVerifier.java

/*
 * Copyright (C) 2019 Thomas Wolf <thomas.wolf@paranor.ch> and others
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Distribution License v. 1.0 which is available at
 * https://www.eclipse.org/org/documents/edl-v10.php.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
package org.eclipse.jgit.internal.transport.sshd;

import static org.eclipse.jgit.internal.transport.ssh.OpenSshConfigFile.flag;

import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.PublicKey;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

import org.apache.sshd.client.config.hosts.HostConfigEntry;
import org.apache.sshd.client.config.hosts.KnownHostHashValue;
import org.apache.sshd.client.keyverifier.ServerKeyVerifier;
import org.apache.sshd.client.session.ClientSession;
import org.apache.sshd.common.util.net.SshdSocketAddress;
import org.eclipse.jgit.annotations.NonNull;
import org.eclipse.jgit.transport.CredentialsProvider;
import org.eclipse.jgit.transport.SshConstants;
import org.eclipse.jgit.transport.sshd.ServerKeyDatabase;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * A bridge between the {@link ServerKeyVerifier} from Apache MINA sshd and our
 * {@link ServerKeyDatabase}.
 */
public class JGitServerKeyVerifier
        implements ServerKeyVerifier, ServerKeyLookup {

    private static final Logger LOG = LoggerFactory
            .getLogger(JGitServerKeyVerifier.class);

    private final @NonNull ServerKeyDatabase database;

    /**
     * Creates a new {@link JGitServerKeyVerifier} using the given
     * {@link ServerKeyDatabase}.
     *
     * @param database
     *            to use
     */
    public JGitServerKeyVerifier(@NonNull ServerKeyDatabase database) {
        this.database = database;
    }

    @Override
    public List<PublicKey> lookup(ClientSession session,
            SocketAddress remoteAddress) {
        if (!(session instanceof JGitClientSession)) {
            LOG.warn("Internal error: wrong session kind: " //$NON-NLS-1$
                    + session.getClass().getName());
            return Collections.emptyList();
        }
        if (!(remoteAddress instanceof InetSocketAddress)) {
            return Collections.emptyList();
        }
        SessionConfig config = new SessionConfig((JGitClientSession) session);
        SshdSocketAddress connectAddress = SshdSocketAddress
                .toSshdSocketAddress(session.getConnectAddress());
        String connect = KnownHostHashValue.createHostPattern(
                connectAddress.getHostName(), connectAddress.getPort());
        return database.lookup(connect, (InetSocketAddress) remoteAddress,
                config);
    }

    @Override
    public boolean verifyServerKey(ClientSession session,
            SocketAddress remoteAddress, PublicKey serverKey) {
        if (!(session instanceof JGitClientSession)) {
            LOG.warn("Internal error: wrong session kind: " //$NON-NLS-1$
                    + session.getClass().getName());
            return false;
        }
        if (!(remoteAddress instanceof InetSocketAddress)) {
            return false;
        }
        SessionConfig config = new SessionConfig((JGitClientSession) session);
        SshdSocketAddress connectAddress = SshdSocketAddress
                .toSshdSocketAddress(session.getConnectAddress());
        String connect = KnownHostHashValue.createHostPattern(
                connectAddress.getHostName(), connectAddress.getPort());
        CredentialsProvider provider = ((JGitClientSession) session)
                .getCredentialsProvider();
        return database.accept(connect, (InetSocketAddress) remoteAddress,
                serverKey, config, provider);
    }

    private static class SessionConfig
            implements ServerKeyDatabase.Configuration {

        private final JGitClientSession session;

        public SessionConfig(JGitClientSession session) {
            this.session = session;
        }

        private List<String> get(String key) {
            HostConfigEntry entry = session.getHostConfigEntry();
            if (entry instanceof JGitHostConfigEntry) {
                // Always true!
                return ((JGitHostConfigEntry) entry).getMultiValuedOptions()
                        .get(key);
            }
            return Collections.emptyList();
        }

        @Override
        public List<String> getUserKnownHostsFiles() {
            return get(SshConstants.USER_KNOWN_HOSTS_FILE);
        }

        @Override
        public List<String> getGlobalKnownHostsFiles() {
            return get(SshConstants.GLOBAL_KNOWN_HOSTS_FILE);
        }

        @Override
        public StrictHostKeyChecking getStrictHostKeyChecking() {
            HostConfigEntry entry = session.getHostConfigEntry();
            String value = entry
                    .getProperty(SshConstants.STRICT_HOST_KEY_CHECKING, "ask"); //$NON-NLS-1$
            switch (value.toLowerCase(Locale.ROOT)) {
            case SshConstants.YES:
            case SshConstants.ON:
                return StrictHostKeyChecking.REQUIRE_MATCH;
            case SshConstants.NO:
            case SshConstants.OFF:
                return StrictHostKeyChecking.ACCEPT_ANY;
            case "accept-new": //$NON-NLS-1$
                return StrictHostKeyChecking.ACCEPT_NEW;
            default:
                return StrictHostKeyChecking.ASK;
            }
        }

        @Override
        public boolean getHashKnownHosts() {
            HostConfigEntry entry = session.getHostConfigEntry();
            return flag(entry.getProperty(SshConstants.HASH_KNOWN_HOSTS));
        }

        @Override
        public String getUsername() {
            return session.getUsername();
        }
    }
}