JGitSshClient.java

  1. /*
  2.  * Copyright (C) 2018, 2020 Thomas Wolf <thomas.wolf@paranor.ch> and others
  3.  *
  4.  * This program and the accompanying materials are made available under the
  5.  * terms of the Eclipse Distribution License v. 1.0 which is available at
  6.  * https://www.eclipse.org/org/documents/edl-v10.php.
  7.  *
  8.  * SPDX-License-Identifier: BSD-3-Clause
  9.  */
  10. package org.eclipse.jgit.internal.transport.sshd;

  12. import static java.text.MessageFormat.format;
  13. import static org.apache.sshd.core.CoreModuleProperties.PASSWORD_PROMPTS;
  14. import static org.apache.sshd.core.CoreModuleProperties.PREFERRED_AUTHS;
  15. import static org.eclipse.jgit.internal.transport.ssh.OpenSshConfigFile.positive;

  17. import java.io.IOException;
  18. import java.net.InetSocketAddress;
  19. import java.net.Proxy;
  20. import java.net.SocketAddress;
  21. import java.nio.file.Files;
  22. import java.nio.file.InvalidPathException;
  23. import java.nio.file.Path;
  24. import java.nio.file.Paths;
  25. import java.security.GeneralSecurityException;
  26. import java.security.KeyPair;
  27. import java.util.Arrays;
  28. import java.util.Collections;
  29. import java.util.HashMap;
  30. import java.util.Iterator;
  31. import java.util.List;
  32. import java.util.Map;
  33. import java.util.NoSuchElementException;
  34. import java.util.Objects;
  35. import java.util.stream.Collectors;

  37. import org.apache.sshd.client.SshClient;
  38. import org.apache.sshd.client.config.hosts.HostConfigEntry;
  39. import org.apache.sshd.client.future.ConnectFuture;
  40. import org.apache.sshd.client.future.DefaultConnectFuture;
  41. import org.apache.sshd.client.session.ClientSessionImpl;
  42. import org.apache.sshd.client.session.SessionFactory;
  43. import org.apache.sshd.common.AttributeRepository;
  44. import org.apache.sshd.common.config.keys.FilePasswordProvider;
  45. import org.apache.sshd.common.future.SshFutureListener;
  46. import org.apache.sshd.common.io.IoConnectFuture;
  47. import org.apache.sshd.common.io.IoSession;
  48. import org.apache.sshd.common.keyprovider.AbstractResourceKeyPairProvider;
  49. import org.apache.sshd.common.keyprovider.KeyIdentityProvider;
  50. import org.apache.sshd.common.session.SessionContext;
  51. import org.apache.sshd.common.session.helpers.AbstractSession;
  52. import org.apache.sshd.common.util.ValidateUtils;
  53. import org.apache.sshd.common.util.net.SshdSocketAddress;
  54. import org.eclipse.jgit.internal.transport.sshd.JGitClientSession.ChainingAttributes;
  55. import org.eclipse.jgit.internal.transport.sshd.JGitClientSession.SessionAttributes;
  56. import org.eclipse.jgit.internal.transport.sshd.proxy.HttpClientConnector;
  57. import org.eclipse.jgit.internal.transport.sshd.proxy.Socks5ClientConnector;
  58. import org.eclipse.jgit.transport.CredentialsProvider;
  59. import org.eclipse.jgit.transport.SshConstants;
  60. import org.eclipse.jgit.transport.sshd.KeyCache;
  61. import org.eclipse.jgit.transport.sshd.ProxyData;
  62. import org.eclipse.jgit.transport.sshd.ProxyDataFactory;
  63. import org.eclipse.jgit.util.StringUtils;

  65. /**
  66.  * Customized {@link SshClient} for JGit. It creates specialized
  67.  * {@link JGitClientSession}s that know about the {@link HostConfigEntry} they
  68.  * were created for, and it loads all KeyPair identities lazily.
  69.  */
  70. public class JGitSshClient extends SshClient {

  72.     /**
  73.      * We need access to this during the constructor of the ClientSession,
  74.      * before setConnectAddress() can have been called. So we have to remember
  75.      * it in an attribute on the SshClient, from where we can then retrieve it.
  76.      */
  77.     static final AttributeKey<HostConfigEntry> HOST_CONFIG_ENTRY = new AttributeKey<>();

  79.     static final AttributeKey<InetSocketAddress> ORIGINAL_REMOTE_ADDRESS = new AttributeKey<>();

  81.     /**
  82.      * An attribute key for the comma-separated list of default preferred
  83.      * authentication mechanisms.
  84.      */
  85.     public static final AttributeKey<String> PREFERRED_AUTHENTICATIONS = new AttributeKey<>();

  87.     /**
  88.      * An attribute key for storing an alternate local address to connect to if
  89.      * a local forward from a ProxyJump ssh config is present. If set,
  90.      * {@link #connect(HostConfigEntry, AttributeRepository, SocketAddress)}
  91.      * will not connect to the address obtained from the {@link HostConfigEntry}
  92.      * but to the address stored in this key (which is assumed to forward the
  93.      * {@code HostConfigEntry} address).
  94.      */
  95.     public static final AttributeKey<SshdSocketAddress> LOCAL_FORWARD_ADDRESS = new AttributeKey<>();

  97.     private KeyCache keyCache;

  99.     private CredentialsProvider credentialsProvider;

  101.     private ProxyDataFactory proxyDatabase;

  103.     @Override
  104.     protected SessionFactory createSessionFactory() {
  105.         // Override the parent's default
  106.         return new JGitSessionFactory(this);
  107.     }

  109.     @Override
  110.     public ConnectFuture connect(HostConfigEntry hostConfig,
  111.             AttributeRepository context, SocketAddress localAddress)
  112.             throws IOException {
  113.         if (connector == null) {
  114.             throw new IllegalStateException("SshClient not started."); //$NON-NLS-1$
  115.         }
  116.         Objects.requireNonNull(hostConfig, "No host configuration"); //$NON-NLS-1$
  117.         String originalHost = ValidateUtils.checkNotNullAndNotEmpty(
  118.                 hostConfig.getHostName(), "No target host"); //$NON-NLS-1$
  119.         int originalPort = hostConfig.getPort();
  120.         ValidateUtils.checkTrue(originalPort > 0, "Invalid port: %d", //$NON-NLS-1$
  121.                 originalPort);
  122.         InetSocketAddress originalAddress = new InetSocketAddress(originalHost,
  123.                 originalPort);
  124.         InetSocketAddress targetAddress = originalAddress;
  125.         String userName = hostConfig.getUsername();
  126.         String id = userName + '@' + originalAddress;
  127.         AttributeRepository attributes = chain(context, this);
  128.         SshdSocketAddress localForward = attributes
  129.                 .resolveAttribute(LOCAL_FORWARD_ADDRESS);
  130.         if (localForward != null) {
  131.             targetAddress = new InetSocketAddress(localForward.getHostName(),
  132.                     localForward.getPort());
  133.             id += '/' + targetAddress.toString();
  134.         }
  135.         ConnectFuture connectFuture = new DefaultConnectFuture(id, null);
  136.         SshFutureListener<IoConnectFuture> listener = createConnectCompletionListener(
  137.                 connectFuture, userName, originalAddress, hostConfig);
  138.         attributes = sessionAttributes(attributes, hostConfig, originalAddress);
  139.         // Proxy support
  140.         if (localForward == null) {
  141.             ProxyData proxy = getProxyData(targetAddress);
  142.             if (proxy != null) {
  143.                 targetAddress = configureProxy(proxy, targetAddress);
  144.                 proxy.clearPassword();
  145.             }
  146.         }
  147.         connector.connect(targetAddress, attributes, localAddress)
  148.                 .addListener(listener);
  149.         return connectFuture;
  150.     }

  152.     private AttributeRepository chain(AttributeRepository self,
  153.             AttributeRepository parent) {
  154.         if (self == null) {
  155.             return Objects.requireNonNull(parent);
  156.         }
  157.         if (parent == null || parent == self) {
  158.             return self;
  159.         }
  160.         return new ChainingAttributes(self, parent);
  161.     }

  163.     private AttributeRepository sessionAttributes(AttributeRepository parent,
  164.             HostConfigEntry hostConfig, InetSocketAddress originalAddress) {
  165.         // sshd needs some entries from the host config already in the
  166.         // constructor of the session. Put those into a dedicated
  167.         // AttributeRepository for the new session where it will find them.
  168.         // We can set the host config only once the session object has been
  169.         // created.
  170.         Map<AttributeKey<?>, Object> data = new HashMap<>();
  171.         data.put(HOST_CONFIG_ENTRY, hostConfig);
  172.         data.put(ORIGINAL_REMOTE_ADDRESS, originalAddress);
  173.         data.put(TARGET_SERVER, new SshdSocketAddress(originalAddress));
  174.         String preferredAuths = hostConfig.getProperty(
  175.                 SshConstants.PREFERRED_AUTHENTICATIONS,
  176.                 resolveAttribute(PREFERRED_AUTHENTICATIONS));
  177.         if (!StringUtils.isEmptyOrNull(preferredAuths)) {
  178.             data.put(SessionAttributes.PROPERTIES,
  179.                     Collections.singletonMap(
  180.                             PREFERRED_AUTHS.getName(),
  181.                             preferredAuths));
  182.         }
  183.         return new SessionAttributes(
  184.                 AttributeRepository.ofAttributesMap(data),
  185.                 parent, this);
  186.     }

  188.     private ProxyData getProxyData(InetSocketAddress remoteAddress) {
  189.         ProxyDataFactory factory = getProxyDatabase();
  190.         return factory == null ? null : factory.get(remoteAddress);
  191.     }

  193.     private InetSocketAddress configureProxy(ProxyData proxyData,
  194.             InetSocketAddress remoteAddress) {
  195.         Proxy proxy = proxyData.getProxy();
  196.         if (proxy.type() == Proxy.Type.DIRECT
  197.                 || !(proxy.address() instanceof InetSocketAddress)) {
  198.             return remoteAddress;
  199.         }
  200.         InetSocketAddress address = (InetSocketAddress) proxy.address();
  201.         if (address.isUnresolved()) {
  202.             address = new InetSocketAddress(address.getHostName(),
  203.                     address.getPort());
  204.         }
  205.         switch (proxy.type()) {
  206.         case HTTP:
  207.             setClientProxyConnector(
  208.                     new HttpClientConnector(address, remoteAddress,
  209.                             proxyData.getUser(), proxyData.getPassword()));
  210.             return address;
  211.         case SOCKS:
  212.             setClientProxyConnector(
  213.                     new Socks5ClientConnector(address, remoteAddress,
  214.                             proxyData.getUser(), proxyData.getPassword()));
  215.             return address;
  216.         default:
  217.             log.warn(format(SshdText.get().unknownProxyProtocol,
  218.                     proxy.type().name()));
  219.             return remoteAddress;
  220.         }
  221.     }

  223.     private SshFutureListener<IoConnectFuture> createConnectCompletionListener(
  224.             ConnectFuture connectFuture, String username,
  225.             InetSocketAddress address, HostConfigEntry hostConfig) {
  226.         return new SshFutureListener<IoConnectFuture>() {

  228.             @Override
  229.             public void operationComplete(IoConnectFuture future) {
  230.                 if (future.isCanceled()) {
  231.                     connectFuture.cancel();
  232.                     return;
  233.                 }
  234.                 Throwable t = future.getException();
  235.                 if (t != null) {
  236.                     connectFuture.setException(t);
  237.                     return;
  238.                 }
  239.                 IoSession ioSession = future.getSession();
  240.                 try {
  241.                     JGitClientSession session = createSession(ioSession,
  242.                             username, address, hostConfig);
  243.                     connectFuture.setSession(session);
  244.                 } catch (RuntimeException e) {
  245.                     connectFuture.setException(e);
  246.                     ioSession.close(true);
  247.                 }
  248.             }

  250.             @Override
  251.             public String toString() {
  252.                 return "JGitSshClient$ConnectCompletionListener[" + username //$NON-NLS-1$
  253.                         + '@' + address + ']';
  254.             }
  255.         };
  256.     }

  258.     private JGitClientSession createSession(IoSession ioSession,
  259.             String username, InetSocketAddress address,
  260.             HostConfigEntry hostConfig) {
  261.         AbstractSession rawSession = AbstractSession.getSession(ioSession);
  262.         if (!(rawSession instanceof JGitClientSession)) {
  263.             throw new IllegalStateException("Wrong session type: " //$NON-NLS-1$
  264.                     + rawSession.getClass().getCanonicalName());
  265.         }
  266.         JGitClientSession session = (JGitClientSession) rawSession;
  267.         session.setUsername(username);
  268.         session.setConnectAddress(address);
  269.         session.setHostConfigEntry(hostConfig);
  270.         if (session.getCredentialsProvider() == null) {
  271.             session.setCredentialsProvider(getCredentialsProvider());
  272.         }
  273.         int numberOfPasswordPrompts = getNumberOfPasswordPrompts(hostConfig);
  274.         PASSWORD_PROMPTS.set(session, Integer.valueOf(numberOfPasswordPrompts));
  275.         List<Path> identities = hostConfig.getIdentities().stream()
  276.                 .map(s -> {
  277.                     try {
  278.                         return Paths.get(s);
  279.                     } catch (InvalidPathException e) {
  280.                         log.warn(format(SshdText.get().configInvalidPath,
  281.                                 SshConstants.IDENTITY_FILE, s), e);
  282.                         return null;
  283.                     }
  284.                 }).filter(p -> p != null && Files.exists(p))
  285.                 .collect(Collectors.toList());
  286.         CachingKeyPairProvider ourConfiguredKeysProvider = new CachingKeyPairProvider(
  287.                 identities, keyCache);
  288.         FilePasswordProvider passwordProvider = getFilePasswordProvider();
  289.         ourConfiguredKeysProvider.setPasswordFinder(passwordProvider);
  290.         if (hostConfig.isIdentitiesOnly()) {
  291.             session.setKeyIdentityProvider(ourConfiguredKeysProvider);
  292.         } else {
  293.             KeyIdentityProvider defaultKeysProvider = getKeyIdentityProvider();
  294.             if (defaultKeysProvider instanceof AbstractResourceKeyPairProvider<?>) {
  295.                 ((AbstractResourceKeyPairProvider<?>) defaultKeysProvider)
  296.                         .setPasswordFinder(passwordProvider);
  297.             }
  298.             KeyIdentityProvider combinedProvider = new CombinedKeyIdentityProvider(
  299.                     ourConfiguredKeysProvider, defaultKeysProvider);
  300.             session.setKeyIdentityProvider(combinedProvider);
  301.         }
  302.         return session;
  303.     }

  305.     private int getNumberOfPasswordPrompts(HostConfigEntry hostConfig) {
  306.         String prompts = hostConfig
  307.                 .getProperty(SshConstants.NUMBER_OF_PASSWORD_PROMPTS);
  308.         if (prompts != null) {
  309.             prompts = prompts.trim();
  310.             int value = positive(prompts);
  311.             if (value > 0) {
  312.                 return value;
  313.             }
  314.             log.warn(format(SshdText.get().configInvalidPositive,
  315.                     SshConstants.NUMBER_OF_PASSWORD_PROMPTS, prompts));
  316.         }
  317.         return PASSWORD_PROMPTS.getRequiredDefault().intValue();
  318.     }

  320.     /**
  321.      * Set a cache for loaded keys. Newly discovered keys will be added when
  322.      * IdentityFile host entries from the ssh config file are used during
  323.      * session authentication.
  324.      *
  325.      * @param cache
  326.      *            to use
  327.      */
  328.     public void setKeyCache(KeyCache cache) {
  329.         keyCache = cache;
  330.     }

  332.     /**
  333.      * Sets a {@link ProxyDataFactory} for connecting through proxies.
  334.      *
  335.      * @param factory
  336.      *            to use, or {@code null} if proxying is not desired or
  337.      *            supported
  338.      */
  339.     public void setProxyDatabase(ProxyDataFactory factory) {
  340.         proxyDatabase = factory;
  341.     }

  343.     /**
  344.      * Retrieves the {@link ProxyDataFactory}.
  345.      *
  346.      * @return the factory, or {@code null} if none is set
  347.      */
  348.     protected ProxyDataFactory getProxyDatabase() {
  349.         return proxyDatabase;
  350.     }

  352.     /**
  353.      * Sets the {@link CredentialsProvider} for this client.
  354.      *
  355.      * @param provider
  356.      *            to set
  357.      */
  358.     public void setCredentialsProvider(CredentialsProvider provider) {
  359.         credentialsProvider = provider;
  360.     }

  362.     /**
  363.      * Retrieves the {@link CredentialsProvider} set for this client.
  364.      *
  365.      * @return the provider, or {@code null} if none is set.
  366.      */
  367.     public CredentialsProvider getCredentialsProvider() {
  368.         return credentialsProvider;
  369.     }

  371.     /**
  372.      * A {@link SessionFactory} to create our own specialized
  373.      * {@link JGitClientSession}s.
  374.      */
  375.     private static class JGitSessionFactory extends SessionFactory {

  377.         public JGitSessionFactory(JGitSshClient client) {
  378.             super(client);
  379.         }

  381.         @Override
  382.         protected ClientSessionImpl doCreateSession(IoSession ioSession)
  383.                 throws Exception {
  384.             return new JGitClientSession(getClient(), ioSession);
  385.         }
  386.     }

  388.     /**
  389.      * A {@link KeyIdentityProvider} that iterates over the {@link Iterable}s
  390.      * returned by other {@link KeyIdentityProvider}s.
  391.      */
  392.     private static class CombinedKeyIdentityProvider
  393.             implements KeyIdentityProvider {

  395.         private final List<KeyIdentityProvider> providers;

  397.         public CombinedKeyIdentityProvider(KeyIdentityProvider... providers) {
  398.             this(Arrays.stream(providers).filter(Objects::nonNull)
  399.                     .collect(Collectors.toList()));
  400.         }

  402.         public CombinedKeyIdentityProvider(
  403.                 List<KeyIdentityProvider> providers) {
  404.             this.providers = providers;
  405.         }

  407.         @Override
  408.         public Iterable<KeyPair> loadKeys(SessionContext context) {
  409.             return () -> new Iterator<KeyPair>() {

  411.                 private Iterator<KeyIdentityProvider> factories = providers
  412.                         .iterator();
  413.                 private Iterator<KeyPair> current;

  415.                 private Boolean hasElement;

  417.                 @Override
  418.                 public boolean hasNext() {
  419.                     if (hasElement != null) {
  420.                         return hasElement.booleanValue();
  421.                     }
  422.                     while (current == null || !current.hasNext()) {
  423.                         if (factories.hasNext()) {
  424.                             try {
  425.                                 current = factories.next().loadKeys(context)
  426.                                         .iterator();
  427.                             } catch (IOException | GeneralSecurityException e) {
  428.                                 throw new RuntimeException(e);
  429.                             }
  430.                         } else {
  431.                             current = null;
  432.                             hasElement = Boolean.FALSE;
  433.                             return false;
  434.                         }
  435.                     }
  436.                     hasElement = Boolean.TRUE;
  437.                     return true;
  438.                 }

  440.                 @Override
  441.                 public KeyPair next() {
  442.                     if (hasElement == null && !hasNext()
  443.                             || !hasElement.booleanValue()) {
  444.                         throw new NoSuchElementException();
  445.                     }
  446.                     hasElement = null;
  447.                     KeyPair result;
  448.                     try {
  449.                         result = current.next();
  450.                     } catch (NoSuchElementException e) {
  451.                         result = null;
  452.                     }
  453.                     return result;
  454.                 }

  456.             };
  457.         }
  458.     }
  459. }
Created with JaCoCo 0.8.6.202009150832