JGitClientSession.java
/*
* Copyright (C) 2018, Thomas Wolf <thomas.wolf@paranor.ch>
* and other copyright owners as documented in the project's IP log.
*
* This program and the accompanying materials are made available
* under the terms of the Eclipse Distribution License v1.0 which
* accompanies this distribution, is reproduced below, and is
* available at http://www.eclipse.org/org/documents/edl-v10.php
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or
* without modification, are permitted provided that the following
* conditions are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* - Neither the name of the Eclipse Foundation, Inc. nor the
* names of its contributors may be used to endorse or promote
* products derived from this software without specific prior
* written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
* CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
package org.eclipse.jgit.internal.transport.sshd;
import static java.text.MessageFormat.format;
import java.io.IOException;
import java.net.SocketAddress;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import org.apache.sshd.client.ClientFactoryManager;
import org.apache.sshd.client.config.hosts.HostConfigEntry;
import org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair;
import org.apache.sshd.client.keyverifier.ServerKeyVerifier;
import org.apache.sshd.client.session.ClientSessionImpl;
import org.apache.sshd.common.FactoryManager;
import org.apache.sshd.common.SshException;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.io.IoSession;
import org.apache.sshd.common.io.IoWriteFuture;
import org.apache.sshd.common.util.Readable;
import org.eclipse.jgit.errors.InvalidPatternException;
import org.eclipse.jgit.fnmatch.FileNameMatcher;
import org.eclipse.jgit.internal.transport.sshd.proxy.StatefulProxyConnector;
import org.eclipse.jgit.transport.CredentialsProvider;
import org.eclipse.jgit.transport.SshConstants;
/**
* A {@link org.apache.sshd.client.session.ClientSession ClientSession} that can
* be associated with the {@link HostConfigEntry} the session was created for.
* The {@link JGitSshClient} creates such sessions and sets this association.
* <p>
* Also provides for associating a JGit {@link CredentialsProvider} with a
* session.
* </p>
*/
public class JGitClientSession extends ClientSessionImpl {
private HostConfigEntry hostConfig;
private CredentialsProvider credentialsProvider;
private StatefulProxyConnector proxyHandler;
/**
* @param manager
* @param session
* @throws Exception
*/
public JGitClientSession(ClientFactoryManager manager, IoSession session)
throws Exception {
super(manager, session);
}
/**
* Retrieves the {@link HostConfigEntry} this session was created for.
*
* @return the {@link HostConfigEntry}, or {@code null} if none set
*/
public HostConfigEntry getHostConfigEntry() {
return hostConfig;
}
/**
* Sets the {@link HostConfigEntry} this session was created for.
*
* @param hostConfig
* the {@link HostConfigEntry}
*/
public void setHostConfigEntry(HostConfigEntry hostConfig) {
this.hostConfig = hostConfig;
}
/**
* Sets the {@link CredentialsProvider} for this session.
*
* @param provider
* to set
*/
public void setCredentialsProvider(CredentialsProvider provider) {
credentialsProvider = provider;
}
/**
* Retrieves the {@link CredentialsProvider} set for this session.
*
* @return the provider, or {@code null} if none is set.
*/
public CredentialsProvider getCredentialsProvider() {
return credentialsProvider;
}
/**
* Sets a {@link StatefulProxyConnector} to handle proxy connection
* protocols.
*
* @param handler
* to set
*/
public void setProxyHandler(StatefulProxyConnector handler) {
proxyHandler = handler;
}
@Override
protected IoWriteFuture sendIdentification(String ident)
throws IOException {
StatefulProxyConnector proxy = proxyHandler;
if (proxy != null) {
try {
// We must not block here; the framework starts reading messages
// from the peer only once the initial sendKexInit() following
// this call to sendIdentification() has returned!
proxy.runWhenDone(() -> {
JGitClientSession.super.sendIdentification(ident);
return null;
});
// Called only from the ClientSessionImpl constructor, where the
// return value is ignored.
return null;
} catch (IOException e) {
throw e;
} catch (Exception other) {
throw new IOException(other.getLocalizedMessage(), other);
}
} else {
return super.sendIdentification(ident);
}
}
@Override
protected byte[] sendKexInit()
throws IOException, GeneralSecurityException {
StatefulProxyConnector proxy = proxyHandler;
if (proxy != null) {
try {
// We must not block here; the framework starts reading messages
// from the peer only once the initial sendKexInit() has
// returned!
proxy.runWhenDone(() -> {
JGitClientSession.super.sendKexInit();
return null;
});
// This is called only from the ClientSessionImpl
// constructor, where the return value is ignored.
return null;
} catch (IOException | GeneralSecurityException e) {
throw e;
} catch (Exception other) {
throw new IOException(other.getLocalizedMessage(), other);
}
} else {
return super.sendKexInit();
}
}
/**
* {@inheritDoc}
*
* As long as we're still setting up the proxy connection, diverts messages
* to the {@link StatefulProxyConnector}.
*/
@Override
public void messageReceived(Readable buffer) throws Exception {
StatefulProxyConnector proxy = proxyHandler;
if (proxy != null) {
proxy.messageReceived(getIoSession(), buffer);
} else {
super.messageReceived(buffer);
}
}
@Override
protected void checkKeys() throws SshException {
ServerKeyVerifier serverKeyVerifier = getServerKeyVerifier();
// The super implementation always uses
// getIoSession().getRemoteAddress(). In case of a proxy connection,
// that would be the address of the proxy!
SocketAddress remoteAddress = getConnectAddress();
PublicKey serverKey = getKex().getServerKey();
if (!serverKeyVerifier.verifyServerKey(this, remoteAddress,
serverKey)) {
throw new SshException(
org.apache.sshd.common.SshConstants.SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE,
SshdText.get().kexServerKeyInvalid);
}
}
@Override
protected String resolveAvailableSignaturesProposal(
FactoryManager manager) {
Set<String> defaultSignatures = new LinkedHashSet<>();
defaultSignatures.addAll(getSignatureFactoriesNames());
HostConfigEntry config = resolveAttribute(
JGitSshClient.HOST_CONFIG_ENTRY);
String hostKeyAlgorithms = config
.getProperty(SshConstants.HOST_KEY_ALGORITHMS);
if (hostKeyAlgorithms != null && !hostKeyAlgorithms.isEmpty()) {
char first = hostKeyAlgorithms.charAt(0);
if (first == '+') {
// Additions make not much sense -- it's either in
// defaultSignatures already, or we have no implementation for
// it. No point in proposing it.
return String.join(",", defaultSignatures); //$NON-NLS-1$
} else if (first == '-') {
// This takes wildcard patterns!
removeFromList(defaultSignatures,
SshConstants.HOST_KEY_ALGORITHMS,
hostKeyAlgorithms.substring(1));
if (defaultSignatures.isEmpty()) {
// Too bad: user config error. Warn here, and then fail
// later.
log.warn(format(
SshdText.get().configNoRemainingHostKeyAlgorithms,
hostKeyAlgorithms));
}
return String.join(",", defaultSignatures); //$NON-NLS-1$
} else {
// Default is overridden -- only accept the ones for which we do
// have an implementation.
List<String> newNames = filteredList(defaultSignatures,
hostKeyAlgorithms);
if (newNames.isEmpty()) {
log.warn(format(
SshdText.get().configNoKnownHostKeyAlgorithms,
hostKeyAlgorithms));
// Use the default instead.
} else {
return String.join(",", newNames); //$NON-NLS-1$
}
}
}
// No HostKeyAlgorithms; using default -- change order to put existing
// keys first.
ServerKeyVerifier verifier = getServerKeyVerifier();
if (verifier instanceof ServerKeyLookup) {
SocketAddress remoteAddress = resolvePeerAddress(
resolveAttribute(JGitSshClient.ORIGINAL_REMOTE_ADDRESS));
List<HostEntryPair> allKnownKeys = ((ServerKeyLookup) verifier)
.lookup(this, remoteAddress);
Set<String> reordered = new LinkedHashSet<>();
for (HostEntryPair h : allKnownKeys) {
PublicKey key = h.getServerKey();
if (key != null) {
String keyType = KeyUtils.getKeyType(key);
if (keyType != null) {
reordered.add(keyType);
}
}
}
reordered.addAll(defaultSignatures);
return String.join(",", reordered); //$NON-NLS-1$
}
return String.join(",", defaultSignatures); //$NON-NLS-1$
}
private void removeFromList(Set<String> current, String key,
String patterns) {
for (String toRemove : patterns.split("\\s*,\\s*")) { //$NON-NLS-1$
if (toRemove.indexOf('*') < 0 && toRemove.indexOf('?') < 0) {
current.remove(toRemove);
continue;
}
try {
FileNameMatcher matcher = new FileNameMatcher(toRemove, null);
for (Iterator<String> i = current.iterator(); i.hasNext();) {
matcher.reset();
matcher.append(i.next());
if (matcher.isMatch()) {
i.remove();
}
}
} catch (InvalidPatternException e) {
log.warn(format(SshdText.get().configInvalidPattern, key,
toRemove));
}
}
}
private List<String> filteredList(Set<String> known, String values) {
List<String> newNames = new ArrayList<>();
for (String newValue : values.split("\\s*,\\s*")) { //$NON-NLS-1$
if (known.contains(newValue)) {
newNames.add(newValue);
}
}
return newNames;
}
}