mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 212 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12507 Commits
17 Branches
Tree: 0ac845042e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0ac845042e'
${ noResults }
gitea/vendor/github.com/gliderlabs/ssh/server.go

server.go 13KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449 
  1. package ssh

  2. 

  3. import (

  4. 	"context"

  5. 	"errors"

  6. 	"fmt"

  7. 	"net"

  8. 	"sync"

  9. 	"time"

  10. 

  11. 	gossh "golang.org/x/crypto/ssh"

  12. )

  13. 

  14. // ErrServerClosed is returned by the Server's Serve, ListenAndServe,

  15. // and ListenAndServeTLS methods after a call to Shutdown or Close.

  16. var ErrServerClosed = errors.New("ssh: Server closed")

  17. 

  18. type SubsystemHandler func(s Session)

  19. 

  20. var DefaultSubsystemHandlers = map[string]SubsystemHandler{}

  21. 

  22. type RequestHandler func(ctx Context, srv *Server, req *gossh.Request) (ok bool, payload []byte)

  23. 

  24. var DefaultRequestHandlers = map[string]RequestHandler{}

  25. 

  26. type ChannelHandler func(srv *Server, conn *gossh.ServerConn, newChan gossh.NewChannel, ctx Context)

  27. 

  28. var DefaultChannelHandlers = map[string]ChannelHandler{

  29. 	"session": DefaultSessionHandler,

  30. }

  31. 

  32. // Server defines parameters for running an SSH server. The zero value for

  33. // Server is a valid configuration. When both PasswordHandler and

  34. // PublicKeyHandler are nil, no client authentication is performed.

  35. type Server struct {

  36. 	Addr        string   // TCP address to listen on, ":22" if empty

  37. 	Handler     Handler  // handler to invoke, ssh.DefaultHandler if nil

  38. 	HostSigners []Signer // private keys for the host key, must have at least one

  39. 	Version     string   // server version to be sent before the initial handshake

  40. 

  41. 	KeyboardInteractiveHandler    KeyboardInteractiveHandler    // keyboard-interactive authentication handler

  42. 	PasswordHandler               PasswordHandler               // password authentication handler

  43. 	PublicKeyHandler              PublicKeyHandler              // public key authentication handler

  44. 	PtyCallback                   PtyCallback                   // callback for allowing PTY sessions, allows all if nil

  45. 	ConnCallback                  ConnCallback                  // optional callback for wrapping net.Conn before handling

  46. 	LocalPortForwardingCallback   LocalPortForwardingCallback   // callback for allowing local port forwarding, denies all if nil

  47. 	ReversePortForwardingCallback ReversePortForwardingCallback // callback for allowing reverse port forwarding, denies all if nil

  48. 	ServerConfigCallback          ServerConfigCallback          // callback for configuring detailed SSH options

  49. 	SessionRequestCallback        SessionRequestCallback        // callback for allowing or denying SSH sessions

  50. 

  51. 	ConnectionFailedCallback ConnectionFailedCallback // callback to report connection failures

  52. 

  53. 	IdleTimeout time.Duration // connection timeout when no activity, none if empty

  54. 	MaxTimeout  time.Duration // absolute connection timeout, none if empty

  55. 

  56. 	// ChannelHandlers allow overriding the built-in session handlers or provide

  57. 	// extensions to the protocol, such as tcpip forwarding. By default only the

  58. 	// "session" handler is enabled.

  59. 	ChannelHandlers map[string]ChannelHandler

  60. 

  61. 	// RequestHandlers allow overriding the server-level request handlers or

  62. 	// provide extensions to the protocol, such as tcpip forwarding. By default

  63. 	// no handlers are enabled.

  64. 	RequestHandlers map[string]RequestHandler

  65. 

  66. 	// SubsystemHandlers are handlers which are similar to the usual SSH command

  67. 	// handlers, but handle named subsystems.

  68. 	SubsystemHandlers map[string]SubsystemHandler

  69. 

  70. 	listenerWg sync.WaitGroup

  71. 	mu         sync.RWMutex

  72. 	listeners  map[net.Listener]struct{}

  73. 	conns      map[*gossh.ServerConn]struct{}

  74. 	connWg     sync.WaitGroup

  75. 	doneChan   chan struct{}

  76. }

  77. 

  78. func (srv *Server) ensureHostSigner() error {

  79. 	srv.mu.Lock()

  80. 	defer srv.mu.Unlock()

  81. 

  82. 	if len(srv.HostSigners) == 0 {

  83. 		signer, err := generateSigner()

  84. 		if err != nil {

  85. 			return err

  86. 		}

  87. 		srv.HostSigners = append(srv.HostSigners, signer)

  88. 	}

  89. 	return nil

  90. }

  91. 

  92. func (srv *Server) ensureHandlers() {

  93. 	srv.mu.Lock()

  94. 	defer srv.mu.Unlock()

  95. 

  96. 	if srv.RequestHandlers == nil {

  97. 		srv.RequestHandlers = map[string]RequestHandler{}

  98. 		for k, v := range DefaultRequestHandlers {

  99. 			srv.RequestHandlers[k] = v

  100. 		}

  101. 	}

  102. 	if srv.ChannelHandlers == nil {

  103. 		srv.ChannelHandlers = map[string]ChannelHandler{}

  104. 		for k, v := range DefaultChannelHandlers {

  105. 			srv.ChannelHandlers[k] = v

  106. 		}

  107. 	}

  108. 	if srv.SubsystemHandlers == nil {

  109. 		srv.SubsystemHandlers = map[string]SubsystemHandler{}

  110. 		for k, v := range DefaultSubsystemHandlers {

  111. 			srv.SubsystemHandlers[k] = v

  112. 		}

  113. 	}

  114. }

  115. 

  116. func (srv *Server) config(ctx Context) *gossh.ServerConfig {

  117. 	srv.mu.RLock()

  118. 	defer srv.mu.RUnlock()

  119. 

  120. 	var config *gossh.ServerConfig

  121. 	if srv.ServerConfigCallback == nil {

  122. 		config = &gossh.ServerConfig{}

  123. 	} else {

  124. 		config = srv.ServerConfigCallback(ctx)

  125. 	}

  126. 	for _, signer := range srv.HostSigners {

  127. 		config.AddHostKey(signer)

  128. 	}

  129. 	if srv.PasswordHandler == nil && srv.PublicKeyHandler == nil && srv.KeyboardInteractiveHandler == nil {

  130. 		config.NoClientAuth = true

  131. 	}

  132. 	if srv.Version != "" {

  133. 		config.ServerVersion = "SSH-2.0-" + srv.Version

  134. 	}

  135. 	if srv.PasswordHandler != nil {

  136. 		config.PasswordCallback = func(conn gossh.ConnMetadata, password []byte) (*gossh.Permissions, error) {

  137. 			applyConnMetadata(ctx, conn)

  138. 			if ok := srv.PasswordHandler(ctx, string(password)); !ok {

  139. 				return ctx.Permissions().Permissions, fmt.Errorf("permission denied")

  140. 			}

  141. 			return ctx.Permissions().Permissions, nil

  142. 		}

  143. 	}

  144. 	if srv.PublicKeyHandler != nil {

  145. 		config.PublicKeyCallback = func(conn gossh.ConnMetadata, key gossh.PublicKey) (*gossh.Permissions, error) {

  146. 			applyConnMetadata(ctx, conn)

  147. 			if ok := srv.PublicKeyHandler(ctx, key); !ok {

  148. 				return ctx.Permissions().Permissions, fmt.Errorf("permission denied")

  149. 			}

  150. 			ctx.SetValue(ContextKeyPublicKey, key)

  151. 			return ctx.Permissions().Permissions, nil

  152. 		}

  153. 	}

  154. 	if srv.KeyboardInteractiveHandler != nil {

  155. 		config.KeyboardInteractiveCallback = func(conn gossh.ConnMetadata, challenger gossh.KeyboardInteractiveChallenge) (*gossh.Permissions, error) {

  156. 			applyConnMetadata(ctx, conn)

  157. 			if ok := srv.KeyboardInteractiveHandler(ctx, challenger); !ok {

  158. 				return ctx.Permissions().Permissions, fmt.Errorf("permission denied")

  159. 			}

  160. 			return ctx.Permissions().Permissions, nil

  161. 		}

  162. 	}

  163. 	return config

  164. }

  165. 

  166. // Handle sets the Handler for the server.

  167. func (srv *Server) Handle(fn Handler) {

  168. 	srv.mu.Lock()

  169. 	defer srv.mu.Unlock()

  170. 

  171. 	srv.Handler = fn

  172. }

  173. 

  174. // Close immediately closes all active listeners and all active

  175. // connections.

  176. //

  177. // Close returns any error returned from closing the Server's

  178. // underlying Listener(s).

  179. func (srv *Server) Close() error {

  180. 	srv.mu.Lock()

  181. 	defer srv.mu.Unlock()

  182. 

  183. 	srv.closeDoneChanLocked()

  184. 	err := srv.closeListenersLocked()

  185. 	for c := range srv.conns {

  186. 		c.Close()

  187. 		delete(srv.conns, c)

  188. 	}

  189. 	return err

  190. }

  191. 

  192. // Shutdown gracefully shuts down the server without interrupting any

  193. // active connections. Shutdown works by first closing all open

  194. // listeners, and then waiting indefinitely for connections to close.

  195. // If the provided context expires before the shutdown is complete,

  196. // then the context's error is returned.

  197. func (srv *Server) Shutdown(ctx context.Context) error {

  198. 	srv.mu.Lock()

  199. 	lnerr := srv.closeListenersLocked()

  200. 	srv.closeDoneChanLocked()

  201. 	srv.mu.Unlock()

  202. 

  203. 	finished := make(chan struct{}, 1)

  204. 	go func() {

  205. 		srv.listenerWg.Wait()

  206. 		srv.connWg.Wait()

  207. 		finished <- struct{}{}

  208. 	}()

  209. 

  210. 	select {

  211. 	case <-ctx.Done():

  212. 		return ctx.Err()

  213. 	case <-finished:

  214. 		return lnerr

  215. 	}

  216. }

  217. 

  218. // Serve accepts incoming connections on the Listener l, creating a new

  219. // connection goroutine for each. The connection goroutines read requests and then

  220. // calls srv.Handler to handle sessions.

  221. //

  222. // Serve always returns a non-nil error.

  223. func (srv *Server) Serve(l net.Listener) error {

  224. 	srv.ensureHandlers()

  225. 	defer l.Close()

  226. 	if err := srv.ensureHostSigner(); err != nil {

  227. 		return err

  228. 	}

  229. 	if srv.Handler == nil {

  230. 		srv.Handler = DefaultHandler

  231. 	}

  232. 	var tempDelay time.Duration

  233. 

  234. 	srv.trackListener(l, true)

  235. 	defer srv.trackListener(l, false)

  236. 	for {

  237. 		conn, e := l.Accept()

  238. 		if e != nil {

  239. 			select {

  240. 			case <-srv.getDoneChan():

  241. 				return ErrServerClosed

  242. 			default:

  243. 			}

  244. 			if ne, ok := e.(net.Error); ok && ne.Temporary() {

  245. 				if tempDelay == 0 {

  246. 					tempDelay = 5 * time.Millisecond

  247. 				} else {

  248. 					tempDelay *= 2

  249. 				}

  250. 				if max := 1 * time.Second; tempDelay > max {

  251. 					tempDelay = max

  252. 				}

  253. 				time.Sleep(tempDelay)

  254. 				continue

  255. 			}

  256. 			return e

  257. 		}

  258. 		go srv.HandleConn(conn)

  259. 	}

  260. }

  261. 

  262. func (srv *Server) HandleConn(newConn net.Conn) {

  263. 	ctx, cancel := newContext(srv)

  264. 	if srv.ConnCallback != nil {

  265. 		cbConn := srv.ConnCallback(ctx, newConn)

  266. 		if cbConn == nil {

  267. 			newConn.Close()

  268. 			return

  269. 		}

  270. 		newConn = cbConn

  271. 	}

  272. 	conn := &serverConn{

  273. 		Conn:          newConn,

  274. 		idleTimeout:   srv.IdleTimeout,

  275. 		closeCanceler: cancel,

  276. 	}

  277. 	if srv.MaxTimeout > 0 {

  278. 		conn.maxDeadline = time.Now().Add(srv.MaxTimeout)

  279. 	}

  280. 	defer conn.Close()

  281. 	sshConn, chans, reqs, err := gossh.NewServerConn(conn, srv.config(ctx))

  282. 	if err != nil {

  283. 		if srv.ConnectionFailedCallback != nil {

  284. 			srv.ConnectionFailedCallback(conn, err)

  285. 		}

  286. 		return

  287. 	}

  288. 

  289. 	srv.trackConn(sshConn, true)

  290. 	defer srv.trackConn(sshConn, false)

  291. 

  292. 	ctx.SetValue(ContextKeyConn, sshConn)

  293. 	applyConnMetadata(ctx, sshConn)

  294. 	//go gossh.DiscardRequests(reqs)

  295. 	go srv.handleRequests(ctx, reqs)

  296. 	for ch := range chans {

  297. 		handler := srv.ChannelHandlers[ch.ChannelType()]

  298. 		if handler == nil {

  299. 			handler = srv.ChannelHandlers["default"]

  300. 		}

  301. 		if handler == nil {

  302. 			ch.Reject(gossh.UnknownChannelType, "unsupported channel type")

  303. 			continue

  304. 		}

  305. 		go handler(srv, sshConn, ch, ctx)

  306. 	}

  307. }

  308. 

  309. func (srv *Server) handleRequests(ctx Context, in <-chan *gossh.Request) {

  310. 	for req := range in {

  311. 		handler := srv.RequestHandlers[req.Type]

  312. 		if handler == nil {

  313. 			handler = srv.RequestHandlers["default"]

  314. 		}

  315. 		if handler == nil {

  316. 			req.Reply(false, nil)

  317. 			continue

  318. 		}

  319. 		/*reqCtx, cancel := context.WithCancel(ctx)

  320. 		defer cancel() */

  321. 		ret, payload := handler(ctx, srv, req)

  322. 		req.Reply(ret, payload)

  323. 	}

  324. }

  325. 

  326. // ListenAndServe listens on the TCP network address srv.Addr and then calls

  327. // Serve to handle incoming connections. If srv.Addr is blank, ":22" is used.

  328. // ListenAndServe always returns a non-nil error.

  329. func (srv *Server) ListenAndServe() error {

  330. 	addr := srv.Addr

  331. 	if addr == "" {

  332. 		addr = ":22"

  333. 	}

  334. 	ln, err := net.Listen("tcp", addr)

  335. 	if err != nil {

  336. 		return err

  337. 	}

  338. 	return srv.Serve(ln)

  339. }

  340. 

  341. // AddHostKey adds a private key as a host key. If an existing host key exists

  342. // with the same algorithm, it is overwritten. Each server config must have at

  343. // least one host key.

  344. func (srv *Server) AddHostKey(key Signer) {

  345. 	srv.mu.Lock()

  346. 	defer srv.mu.Unlock()

  347. 

  348. 	// these are later added via AddHostKey on ServerConfig, which performs the

  349. 	// check for one of every algorithm.

  350. 

  351. 	// This check is based on the AddHostKey method from the x/crypto/ssh

  352. 	// library. This allows us to only keep one active key for each type on a

  353. 	// server at once. So, if you're dynamically updating keys at runtime, this

  354. 	// list will not keep growing.

  355. 	for i, k := range srv.HostSigners {

  356. 		if k.PublicKey().Type() == key.PublicKey().Type() {

  357. 			srv.HostSigners[i] = key

  358. 			return

  359. 		}

  360. 	}

  361. 

  362. 	srv.HostSigners = append(srv.HostSigners, key)

  363. }

  364. 

  365. // SetOption runs a functional option against the server.

  366. func (srv *Server) SetOption(option Option) error {

  367. 	// NOTE: there is a potential race here for any option that doesn't call an

  368. 	// internal method. We can't actually lock here because if something calls

  369. 	// (as an example) AddHostKey, it will deadlock.

  370. 

  371. 	//srv.mu.Lock()

  372. 	//defer srv.mu.Unlock()

  373. 

  374. 	return option(srv)

  375. }

  376. 

  377. func (srv *Server) getDoneChan() <-chan struct{} {

  378. 	srv.mu.Lock()

  379. 	defer srv.mu.Unlock()

  380. 

  381. 	return srv.getDoneChanLocked()

  382. }

  383. 

  384. func (srv *Server) getDoneChanLocked() chan struct{} {

  385. 	if srv.doneChan == nil {

  386. 		srv.doneChan = make(chan struct{})

  387. 	}

  388. 	return srv.doneChan

  389. }

  390. 

  391. func (srv *Server) closeDoneChanLocked() {

  392. 	ch := srv.getDoneChanLocked()

  393. 	select {

  394. 	case <-ch:

  395. 		// Already closed. Don't close again.

  396. 	default:

  397. 		// Safe to close here. We're the only closer, guarded

  398. 		// by srv.mu.

  399. 		close(ch)

  400. 	}

  401. }

  402. 

  403. func (srv *Server) closeListenersLocked() error {

  404. 	var err error

  405. 	for ln := range srv.listeners {

  406. 		if cerr := ln.Close(); cerr != nil && err == nil {

  407. 			err = cerr

  408. 		}

  409. 		delete(srv.listeners, ln)

  410. 	}

  411. 	return err

  412. }

  413. 

  414. func (srv *Server) trackListener(ln net.Listener, add bool) {

  415. 	srv.mu.Lock()

  416. 	defer srv.mu.Unlock()

  417. 

  418. 	if srv.listeners == nil {

  419. 		srv.listeners = make(map[net.Listener]struct{})

  420. 	}

  421. 	if add {

  422. 		// If the *Server is being reused after a previous

  423. 		// Close or Shutdown, reset its doneChan:

  424. 		if len(srv.listeners) == 0 && len(srv.conns) == 0 {

  425. 			srv.doneChan = nil

  426. 		}

  427. 		srv.listeners[ln] = struct{}{}

  428. 		srv.listenerWg.Add(1)

  429. 	} else {

  430. 		delete(srv.listeners, ln)

  431. 		srv.listenerWg.Done()

  432. 	}

  433. }

  434. 

  435. func (srv *Server) trackConn(c *gossh.ServerConn, add bool) {

  436. 	srv.mu.Lock()

  437. 	defer srv.mu.Unlock()

  438. 

  439. 	if srv.conns == nil {

  440. 		srv.conns = make(map[*gossh.ServerConn]struct{})

  441. 	}

  442. 	if add {

  443. 		srv.conns[c] = struct{}{}

  444. 		srv.connWg.Add(1)

  445. 	} else {

  446. 		delete(srv.conns, c)

  447. 		srv.connWg.Done()

  448. 	}

  449. }