123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442 |
- /*
- * Copyright (C) 2018, Thomas Wolf <thomas.wolf@paranor.ch>
- * and other copyright owners as documented in the project's IP log.
- *
- * This program and the accompanying materials are made available
- * under the terms of the Eclipse Distribution License v1.0 which
- * accompanies this distribution, is reproduced below, and is
- * available at http://www.eclipse.org/org/documents/edl-v10.php
- *
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or
- * without modification, are permitted provided that the following
- * conditions are met:
- *
- * - Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * - Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following
- * disclaimer in the documentation and/or other materials provided
- * with the distribution.
- *
- * - Neither the name of the Eclipse Foundation, Inc. nor the
- * names of its contributors may be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
- * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
- * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
- package org.eclipse.jgit.internal.transport.sshd;
-
- import static java.text.MessageFormat.format;
- import static org.eclipse.jgit.internal.transport.ssh.OpenSshConfigFile.positive;
-
- import java.io.IOException;
- import java.net.InetSocketAddress;
- import java.net.Proxy;
- import java.nio.file.Files;
- import java.nio.file.InvalidPathException;
- import java.nio.file.Path;
- import java.nio.file.Paths;
- import java.security.KeyPair;
- import java.util.Arrays;
- import java.util.Iterator;
- import java.util.List;
- import java.util.NoSuchElementException;
- import java.util.Objects;
- import java.util.stream.Collectors;
-
- import org.apache.sshd.client.SshClient;
- import org.apache.sshd.client.config.hosts.HostConfigEntry;
- import org.apache.sshd.client.future.ConnectFuture;
- import org.apache.sshd.client.future.DefaultConnectFuture;
- import org.apache.sshd.client.session.ClientSessionImpl;
- import org.apache.sshd.client.session.SessionFactory;
- import org.apache.sshd.common.config.keys.FilePasswordProvider;
- import org.apache.sshd.common.future.SshFutureListener;
- import org.apache.sshd.common.io.IoConnectFuture;
- import org.apache.sshd.common.io.IoSession;
- import org.apache.sshd.common.keyprovider.FileKeyPairProvider;
- import org.apache.sshd.common.keyprovider.KeyPairProvider;
- import org.apache.sshd.common.session.helpers.AbstractSession;
- import org.apache.sshd.common.util.ValidateUtils;
- import org.eclipse.jgit.internal.transport.sshd.proxy.HttpClientConnector;
- import org.eclipse.jgit.internal.transport.sshd.proxy.Socks5ClientConnector;
- import org.eclipse.jgit.transport.CredentialsProvider;
- import org.eclipse.jgit.transport.SshConstants;
- import org.eclipse.jgit.transport.sshd.KeyCache;
- import org.eclipse.jgit.transport.sshd.ProxyData;
- import org.eclipse.jgit.transport.sshd.ProxyDataFactory;
-
- /**
- * Customized {@link SshClient} for JGit. It creates specialized
- * {@link JGitClientSession}s that know about the {@link HostConfigEntry} they
- * were created for, and it loads all KeyPair identities lazily.
- */
- public class JGitSshClient extends SshClient {
-
- /**
- * We need access to this during the constructor of the ClientSession,
- * before setConnectAddress() can have been called. So we have to remember
- * it in an attribute on the SshClient, from where we can then retrieve it.
- */
- static final AttributeKey<HostConfigEntry> HOST_CONFIG_ENTRY = new AttributeKey<>();
-
- static final AttributeKey<InetSocketAddress> ORIGINAL_REMOTE_ADDRESS = new AttributeKey<>();
-
- /**
- * An attribute key for the comma-separated list of default preferred
- * authentication mechanisms.
- */
- public static final AttributeKey<String> PREFERRED_AUTHENTICATIONS = new AttributeKey<>();
-
- private KeyCache keyCache;
-
- private CredentialsProvider credentialsProvider;
-
- private ProxyDataFactory proxyDatabase;
-
- @Override
- protected SessionFactory createSessionFactory() {
- // Override the parent's default
- return new JGitSessionFactory(this);
- }
-
- @Override
- public ConnectFuture connect(HostConfigEntry hostConfig)
- throws IOException {
- if (connector == null) {
- throw new IllegalStateException("SshClient not started."); //$NON-NLS-1$
- }
- Objects.requireNonNull(hostConfig, "No host configuration"); //$NON-NLS-1$
- String host = ValidateUtils.checkNotNullAndNotEmpty(
- hostConfig.getHostName(), "No target host"); //$NON-NLS-1$
- int port = hostConfig.getPort();
- ValidateUtils.checkTrue(port > 0, "Invalid port: %d", port); //$NON-NLS-1$
- String userName = hostConfig.getUsername();
- InetSocketAddress address = new InetSocketAddress(host, port);
- ConnectFuture connectFuture = new DefaultConnectFuture(
- userName + '@' + address, null);
- SshFutureListener<IoConnectFuture> listener = createConnectCompletionListener(
- connectFuture, userName, address, hostConfig);
- // sshd needs some entries from the host config already in the
- // constructor of the session. Put those as properties on this client,
- // where it will find them. We can set the host config only once the
- // session object has been created.
- copyProperty(
- hostConfig.getProperty(SshConstants.PREFERRED_AUTHENTICATIONS,
- getAttribute(PREFERRED_AUTHENTICATIONS)),
- PREFERRED_AUTHS);
- setAttribute(HOST_CONFIG_ENTRY, hostConfig);
- setAttribute(ORIGINAL_REMOTE_ADDRESS, address);
- // Proxy support
- ProxyData proxy = getProxyData(address);
- if (proxy != null) {
- address = configureProxy(proxy, address);
- proxy.clearPassword();
- }
- connector.connect(address).addListener(listener);
- return connectFuture;
- }
-
- private void copyProperty(String value, String key) {
- if (value != null && !value.isEmpty()) {
- getProperties().put(key, value);
- }
- }
-
- private ProxyData getProxyData(InetSocketAddress remoteAddress) {
- ProxyDataFactory factory = getProxyDatabase();
- return factory == null ? null : factory.get(remoteAddress);
- }
-
- private InetSocketAddress configureProxy(ProxyData proxyData,
- InetSocketAddress remoteAddress) {
- Proxy proxy = proxyData.getProxy();
- if (proxy.type() == Proxy.Type.DIRECT
- || !(proxy.address() instanceof InetSocketAddress)) {
- return remoteAddress;
- }
- InetSocketAddress address = (InetSocketAddress) proxy.address();
- switch (proxy.type()) {
- case HTTP:
- setClientProxyConnector(
- new HttpClientConnector(address, remoteAddress,
- proxyData.getUser(), proxyData.getPassword()));
- return address;
- case SOCKS:
- setClientProxyConnector(
- new Socks5ClientConnector(address, remoteAddress,
- proxyData.getUser(), proxyData.getPassword()));
- return address;
- default:
- log.warn(format(SshdText.get().unknownProxyProtocol,
- proxy.type().name()));
- return remoteAddress;
- }
- }
-
- private SshFutureListener<IoConnectFuture> createConnectCompletionListener(
- ConnectFuture connectFuture, String username,
- InetSocketAddress address, HostConfigEntry hostConfig) {
- return new SshFutureListener<IoConnectFuture>() {
-
- @Override
- public void operationComplete(IoConnectFuture future) {
- if (future.isCanceled()) {
- connectFuture.cancel();
- return;
- }
- Throwable t = future.getException();
- if (t != null) {
- connectFuture.setException(t);
- return;
- }
- IoSession ioSession = future.getSession();
- try {
- JGitClientSession session = createSession(ioSession,
- username, address, hostConfig);
- connectFuture.setSession(session);
- } catch (RuntimeException e) {
- connectFuture.setException(e);
- ioSession.close(true);
- }
- }
-
- @Override
- public String toString() {
- return "JGitSshClient$ConnectCompletionListener[" + username //$NON-NLS-1$
- + '@' + address + ']';
- }
- };
- }
-
- private JGitClientSession createSession(IoSession ioSession,
- String username, InetSocketAddress address,
- HostConfigEntry hostConfig) {
- AbstractSession rawSession = AbstractSession.getSession(ioSession);
- if (!(rawSession instanceof JGitClientSession)) {
- throw new IllegalStateException("Wrong session type: " //$NON-NLS-1$
- + rawSession.getClass().getCanonicalName());
- }
- JGitClientSession session = (JGitClientSession) rawSession;
- session.setUsername(username);
- session.setConnectAddress(address);
- session.setHostConfigEntry(hostConfig);
- if (session.getCredentialsProvider() == null) {
- session.setCredentialsProvider(getCredentialsProvider());
- }
- int numberOfPasswordPrompts = getNumberOfPasswordPrompts(hostConfig);
- session.getProperties().put(PASSWORD_PROMPTS,
- Integer.valueOf(numberOfPasswordPrompts));
- FilePasswordProvider provider = getFilePasswordProvider();
- if (provider instanceof RepeatingFilePasswordProvider) {
- ((RepeatingFilePasswordProvider) provider)
- .setAttempts(numberOfPasswordPrompts);
- }
- FileKeyPairProvider ourConfiguredKeysProvider = null;
- List<Path> identities = hostConfig.getIdentities().stream()
- .map(s -> {
- try {
- return Paths.get(s);
- } catch (InvalidPathException e) {
- log.warn(format(SshdText.get().configInvalidPath,
- SshConstants.IDENTITY_FILE, s), e);
- return null;
- }
- }).filter(p -> p != null && Files.exists(p))
- .collect(Collectors.toList());
- ourConfiguredKeysProvider = new CachingKeyPairProvider(identities,
- keyCache);
- ourConfiguredKeysProvider.setPasswordFinder(getFilePasswordProvider());
- if (hostConfig.isIdentitiesOnly()) {
- session.setKeyPairProvider(ourConfiguredKeysProvider);
- } else {
- KeyPairProvider defaultKeysProvider = getKeyPairProvider();
- if (defaultKeysProvider instanceof FileKeyPairProvider) {
- ((FileKeyPairProvider) defaultKeysProvider)
- .setPasswordFinder(getFilePasswordProvider());
- }
- KeyPairProvider combinedProvider = new CombinedKeyPairProvider(
- ourConfiguredKeysProvider, defaultKeysProvider);
- session.setKeyPairProvider(combinedProvider);
- }
- return session;
- }
-
- private int getNumberOfPasswordPrompts(HostConfigEntry hostConfig) {
- String prompts = hostConfig
- .getProperty(SshConstants.NUMBER_OF_PASSWORD_PROMPTS);
- if (prompts != null) {
- prompts = prompts.trim();
- int value = positive(prompts);
- if (value > 0) {
- return value;
- }
- log.warn(format(SshdText.get().configInvalidPositive,
- SshConstants.NUMBER_OF_PASSWORD_PROMPTS, prompts));
- }
- // Default for NumberOfPasswordPrompts according to
- // https://man.openbsd.org/ssh_config
- return 3;
- }
-
- /**
- * Set a cache for loaded keys. Newly discovered keys will be added when
- * IdentityFile host entries from the ssh config file are used during
- * session authentication.
- *
- * @param cache
- * to use
- */
- public void setKeyCache(KeyCache cache) {
- keyCache = cache;
- }
-
- /**
- * Sets a {@link ProxyDataFactory} for connecting through proxies.
- *
- * @param factory
- * to use, or {@code null} if proxying is not desired or
- * supported
- */
- public void setProxyDatabase(ProxyDataFactory factory) {
- proxyDatabase = factory;
- }
-
- /**
- * Retrieves the {@link ProxyDataFactory}.
- *
- * @return the factory, or {@code null} if none is set
- */
- protected ProxyDataFactory getProxyDatabase() {
- return proxyDatabase;
- }
-
- /**
- * Sets the {@link CredentialsProvider} for this client.
- *
- * @param provider
- * to set
- */
- public void setCredentialsProvider(CredentialsProvider provider) {
- credentialsProvider = provider;
- }
-
- /**
- * Retrieves the {@link CredentialsProvider} set for this client.
- *
- * @return the provider, or {@code null} if none is set.
- */
- public CredentialsProvider getCredentialsProvider() {
- return credentialsProvider;
- }
-
- /**
- * A {@link SessionFactory} to create our own specialized
- * {@link JGitClientSession}s.
- */
- private static class JGitSessionFactory extends SessionFactory {
-
- public JGitSessionFactory(JGitSshClient client) {
- super(client);
- }
-
- @Override
- protected ClientSessionImpl doCreateSession(IoSession ioSession)
- throws Exception {
- return new JGitClientSession(getClient(), ioSession);
- }
- }
-
- /**
- * A {@link KeyPairProvider} that iterates over the {@link Iterable}s
- * returned by other {@link KeyPairProvider}s.
- */
- private static class CombinedKeyPairProvider implements KeyPairProvider {
-
- private final List<KeyPairProvider> providers;
-
- public CombinedKeyPairProvider(KeyPairProvider... providers) {
- this(Arrays.stream(providers).filter(Objects::nonNull)
- .collect(Collectors.toList()));
- }
-
- public CombinedKeyPairProvider(List<KeyPairProvider> providers) {
- this.providers = providers;
- }
-
- @Override
- public Iterable<String> getKeyTypes() {
- throw new UnsupportedOperationException(
- "Should not have been called in a ssh client"); //$NON-NLS-1$
- }
-
- @Override
- public KeyPair loadKey(String type) {
- throw new UnsupportedOperationException(
- "Should not have been called in a ssh client"); //$NON-NLS-1$
- }
-
- @Override
- public Iterable<KeyPair> loadKeys() {
- return () -> new Iterator<KeyPair>() {
-
- private Iterator<KeyPairProvider> factories = providers.iterator();
- private Iterator<KeyPair> current;
-
- private Boolean hasElement;
-
- @Override
- public boolean hasNext() {
- if (hasElement != null) {
- return hasElement.booleanValue();
- }
- while (current == null || !current.hasNext()) {
- if (factories.hasNext()) {
- current = factories.next().loadKeys().iterator();
- } else {
- current = null;
- hasElement = Boolean.FALSE;
- return false;
- }
- }
- hasElement = Boolean.TRUE;
- return true;
- }
-
- @Override
- public KeyPair next() {
- if (hasElement == null && !hasNext()
- || !hasElement.booleanValue()) {
- throw new NoSuchElementException();
- }
- hasElement = null;
- KeyPair result;
- try {
- result = current.next();
- } catch (NoSuchElementException e) {
- result = null;
- }
- return result;
- }
-
- };
- }
-
- }
- }
|