123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328 |
- /*
- * Copyright (C) 2018, Thomas Wolf <thomas.wolf@paranor.ch>
- * and other copyright owners as documented in the project's IP log.
- *
- * This program and the accompanying materials are made available
- * under the terms of the Eclipse Distribution License v1.0 which
- * accompanies this distribution, is reproduced below, and is
- * available at http://www.eclipse.org/org/documents/edl-v10.php
- *
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or
- * without modification, are permitted provided that the following
- * conditions are met:
- *
- * - Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * - Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * - Neither the name of the Eclipse Foundation, Inc. nor the
- * names of its contributors may be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
- * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
- * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
- package org.eclipse.jgit.internal.transport.sshd;
-
- import static java.text.MessageFormat.format;
-
- import java.io.IOException;
- import java.net.SocketAddress;
- import java.security.PublicKey;
- import java.util.ArrayList;
- import java.util.Iterator;
- import java.util.LinkedHashSet;
- import java.util.List;
- import java.util.Set;
-
- import org.apache.sshd.client.ClientFactoryManager;
- import org.apache.sshd.client.config.hosts.HostConfigEntry;
- import org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier.HostEntryPair;
- import org.apache.sshd.client.keyverifier.ServerKeyVerifier;
- import org.apache.sshd.client.session.ClientSessionImpl;
- import org.apache.sshd.common.FactoryManager;
- import org.apache.sshd.common.SshException;
- import org.apache.sshd.common.config.keys.KeyUtils;
- import org.apache.sshd.common.io.IoSession;
- import org.apache.sshd.common.io.IoWriteFuture;
- import org.apache.sshd.common.util.Readable;
- import org.eclipse.jgit.errors.InvalidPatternException;
- import org.eclipse.jgit.fnmatch.FileNameMatcher;
- import org.eclipse.jgit.internal.transport.sshd.proxy.StatefulProxyConnector;
- import org.eclipse.jgit.transport.CredentialsProvider;
- import org.eclipse.jgit.transport.SshConstants;
-
- /**
- * A {@link org.apache.sshd.client.session.ClientSession ClientSession} that can
- * be associated with the {@link HostConfigEntry} the session was created for.
- * The {@link JGitSshClient} creates such sessions and sets this association.
- * <p>
- * Also provides for associating a JGit {@link CredentialsProvider} with a
- * session.
- * </p>
- */
- public class JGitClientSession extends ClientSessionImpl {
-
- private HostConfigEntry hostConfig;
-
- private CredentialsProvider credentialsProvider;
-
- private StatefulProxyConnector proxyHandler;
-
- /**
- * @param manager
- * @param session
- * @throws Exception
- */
- public JGitClientSession(ClientFactoryManager manager, IoSession session)
- throws Exception {
- super(manager, session);
- }
-
- /**
- * Retrieves the {@link HostConfigEntry} this session was created for.
- *
- * @return the {@link HostConfigEntry}, or {@code null} if none set
- */
- public HostConfigEntry getHostConfigEntry() {
- return hostConfig;
- }
-
- /**
- * Sets the {@link HostConfigEntry} this session was created for.
- *
- * @param hostConfig
- * the {@link HostConfigEntry}
- */
- public void setHostConfigEntry(HostConfigEntry hostConfig) {
- this.hostConfig = hostConfig;
- }
-
- /**
- * Sets the {@link CredentialsProvider} for this session.
- *
- * @param provider
- * to set
- */
- public void setCredentialsProvider(CredentialsProvider provider) {
- credentialsProvider = provider;
- }
-
- /**
- * Retrieves the {@link CredentialsProvider} set for this session.
- *
- * @return the provider, or {@code null} if none is set.
- */
- public CredentialsProvider getCredentialsProvider() {
- return credentialsProvider;
- }
-
- /**
- * Sets a {@link StatefulProxyConnector} to handle proxy connection
- * protocols.
- *
- * @param handler
- * to set
- */
- public void setProxyHandler(StatefulProxyConnector handler) {
- proxyHandler = handler;
- }
-
- @Override
- protected IoWriteFuture sendIdentification(String ident)
- throws IOException {
- // Nothing; we do this below together with the KEX init in
- // sendStartSsh(). Called only from the ClientSessionImpl constructor,
- // where the return value is ignored.
- return null;
- }
-
- @Override
- protected byte[] sendKexInit() throws IOException {
- StatefulProxyConnector proxy = proxyHandler;
- if (proxy != null) {
- try {
- // We must not block here; the framework starts reading messages
- // from the peer only once sendKexInit() has returned!
- proxy.runWhenDone(() -> {
- sendStartSsh();
- return null;
- });
- // sendKexInit() is called only from the ClientSessionImpl
- // constructor, where the return value is ignored.
- return null;
- } catch (IOException e) {
- throw e;
- } catch (Exception other) {
- throw new IOException(other.getLocalizedMessage(), other);
- }
- } else {
- return sendStartSsh();
- }
- }
-
- /**
- * Sends the initial messages starting the ssh setup: the client
- * identification and the KEX init message.
- *
- * @return the client's KEX seed
- * @throws IOException
- * if something goes wrong
- */
- private byte[] sendStartSsh() throws IOException {
- super.sendIdentification(clientVersion);
- return super.sendKexInit();
- }
-
- /**
- * {@inheritDoc}
- *
- * As long as we're still setting up the proxy connection, diverts messages
- * to the {@link StatefulProxyConnector}.
- */
- @Override
- public void messageReceived(Readable buffer) throws Exception {
- StatefulProxyConnector proxy = proxyHandler;
- if (proxy != null) {
- proxy.messageReceived(getIoSession(), buffer);
- } else {
- super.messageReceived(buffer);
- }
- }
-
- @Override
- protected void checkKeys() throws SshException {
- ServerKeyVerifier serverKeyVerifier = getServerKeyVerifier();
- // The super implementation always uses
- // getIoSession().getRemoteAddress(). In case of a proxy connection,
- // that would be the address of the proxy!
- SocketAddress remoteAddress = getConnectAddress();
- PublicKey serverKey = getKex().getServerKey();
- if (!serverKeyVerifier.verifyServerKey(this, remoteAddress,
- serverKey)) {
- throw new SshException(
- org.apache.sshd.common.SshConstants.SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE,
- SshdText.get().kexServerKeyInvalid);
- }
- }
-
- @Override
- protected String resolveAvailableSignaturesProposal(
- FactoryManager manager) {
- Set<String> defaultSignatures = new LinkedHashSet<>();
- defaultSignatures.addAll(getSignatureFactoriesNames());
- HostConfigEntry config = resolveAttribute(
- JGitSshClient.HOST_CONFIG_ENTRY);
- String hostKeyAlgorithms = config
- .getProperty(SshConstants.HOST_KEY_ALGORITHMS);
- if (hostKeyAlgorithms != null && !hostKeyAlgorithms.isEmpty()) {
- char first = hostKeyAlgorithms.charAt(0);
- if (first == '+') {
- // Additions make not much sense -- it's either in
- // defaultSignatures already, or we have no implementation for
- // it. No point in proposing it.
- return String.join(",", defaultSignatures); //$NON-NLS-1$
- } else if (first == '-') {
- // This takes wildcard patterns!
- removeFromList(defaultSignatures,
- SshConstants.HOST_KEY_ALGORITHMS,
- hostKeyAlgorithms.substring(1));
- if (defaultSignatures.isEmpty()) {
- // Too bad: user config error. Warn here, and then fail
- // later.
- log.warn(format(
- SshdText.get().configNoRemainingHostKeyAlgorithms,
- hostKeyAlgorithms));
- }
- return String.join(",", defaultSignatures); //$NON-NLS-1$
- } else {
- // Default is overridden -- only accept the ones for which we do
- // have an implementation.
- List<String> newNames = filteredList(defaultSignatures,
- hostKeyAlgorithms);
- if (newNames.isEmpty()) {
- log.warn(format(
- SshdText.get().configNoKnownHostKeyAlgorithms,
- hostKeyAlgorithms));
- // Use the default instead.
- } else {
- return String.join(",", newNames); //$NON-NLS-1$
- }
- }
- }
- // No HostKeyAlgorithms; using default -- change order to put existing
- // keys first.
- ServerKeyVerifier verifier = getServerKeyVerifier();
- if (verifier instanceof ServerKeyLookup) {
- SocketAddress remoteAddress = resolvePeerAddress(
- resolveAttribute(JGitSshClient.ORIGINAL_REMOTE_ADDRESS));
- List<HostEntryPair> allKnownKeys = ((ServerKeyLookup) verifier)
- .lookup(this, remoteAddress);
- Set<String> reordered = new LinkedHashSet<>();
- for (HostEntryPair h : allKnownKeys) {
- PublicKey key = h.getServerKey();
- if (key != null) {
- String keyType = KeyUtils.getKeyType(key);
- if (keyType != null) {
- reordered.add(keyType);
- }
- }
- }
- reordered.addAll(defaultSignatures);
- return String.join(",", reordered); //$NON-NLS-1$
- }
- return String.join(",", defaultSignatures); //$NON-NLS-1$
- }
-
- private void removeFromList(Set<String> current, String key,
- String patterns) {
- for (String toRemove : patterns.split("\\s*,\\s*")) { //$NON-NLS-1$
- if (toRemove.indexOf('*') < 0 && toRemove.indexOf('?') < 0) {
- current.remove(toRemove);
- continue;
- }
- try {
- FileNameMatcher matcher = new FileNameMatcher(toRemove, null);
- for (Iterator<String> i = current.iterator(); i.hasNext();) {
- matcher.reset();
- matcher.append(i.next());
- if (matcher.isMatch()) {
- i.remove();
- }
- }
- } catch (InvalidPatternException e) {
- log.warn(format(SshdText.get().configInvalidPattern, key,
- toRemove));
- }
- }
- }
-
- private List<String> filteredList(Set<String> known, String values) {
- List<String> newNames = new ArrayList<>();
- for (String newValue : values.split("\\s*,\\s*")) { //$NON-NLS-1$
- if (known.contains(newValue)) {
- newNames.add(newValue);
- }
- }
- return newNames;
- }
-
- }
|