2023-11-17 20:39:00 +03:00
|
|
|
package ssh
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
2023-11-19 17:03:12 +03:00
|
|
|
"encoding/base64"
|
2023-11-18 23:02:41 +03:00
|
|
|
"errors"
|
2023-11-19 13:06:38 +03:00
|
|
|
"fmt"
|
2023-11-18 21:23:29 +03:00
|
|
|
"net"
|
2023-11-18 16:14:39 +03:00
|
|
|
"path"
|
2023-11-19 13:06:38 +03:00
|
|
|
"regexp"
|
2023-11-18 21:23:29 +03:00
|
|
|
"strconv"
|
2023-11-19 17:03:12 +03:00
|
|
|
"strings"
|
2023-11-17 20:39:00 +03:00
|
|
|
"sync"
|
|
|
|
|
|
|
|
|
|
"github.com/Neur0toxine/sshpoke/internal/config"
|
2023-11-18 16:14:39 +03:00
|
|
|
"github.com/Neur0toxine/sshpoke/internal/server/driver/base"
|
2023-11-18 21:23:29 +03:00
|
|
|
"github.com/Neur0toxine/sshpoke/internal/server/driver/ssh/sshtun"
|
2023-11-18 16:14:39 +03:00
|
|
|
"github.com/Neur0toxine/sshpoke/internal/server/driver/ssh/types"
|
2023-11-17 20:39:00 +03:00
|
|
|
"github.com/Neur0toxine/sshpoke/internal/server/driver/util"
|
2023-11-18 12:36:17 +03:00
|
|
|
"github.com/Neur0toxine/sshpoke/pkg/dto"
|
2023-11-18 21:51:44 +03:00
|
|
|
"github.com/Neur0toxine/sshpoke/pkg/proto/ssh"
|
2023-11-17 20:39:00 +03:00
|
|
|
)
|
|
|
|
|
|
2023-11-18 23:02:41 +03:00
|
|
|
var ErrAlreadyInUse = errors.New("domain is already in use")
|
|
|
|
|
|
2023-11-17 20:39:00 +03:00
|
|
|
type SSH struct {
|
2023-11-18 16:14:39 +03:00
|
|
|
base.Base
|
2023-11-19 13:06:38 +03:00
|
|
|
params Params
|
|
|
|
|
auth []ssh.AuthMethod
|
2023-11-19 17:03:12 +03:00
|
|
|
hostKeys []ssh.PublicKey
|
2023-11-19 13:06:38 +03:00
|
|
|
conns map[string]conn
|
|
|
|
|
rw sync.RWMutex
|
|
|
|
|
wg sync.WaitGroup
|
|
|
|
|
domainRegExp *regexp.Regexp
|
2023-11-17 20:39:00 +03:00
|
|
|
}
|
|
|
|
|
|
2023-11-18 21:23:29 +03:00
|
|
|
type conn struct {
|
|
|
|
|
ctx context.Context
|
|
|
|
|
cancel func()
|
|
|
|
|
tun *sshtun.Tunnel
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-18 16:14:39 +03:00
|
|
|
func New(ctx context.Context, name string, params config.DriverParams) (base.Driver, error) {
|
|
|
|
|
drv := &SSH{
|
2023-11-18 21:23:29 +03:00
|
|
|
Base: base.New(ctx, name),
|
|
|
|
|
conns: make(map[string]conn),
|
2023-11-18 16:14:39 +03:00
|
|
|
}
|
2023-11-17 20:39:00 +03:00
|
|
|
if err := util.UnmarshalParams(params, &drv.params); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2023-11-19 17:03:12 +03:00
|
|
|
if err := drv.buildHostKeys(); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2023-11-19 13:06:38 +03:00
|
|
|
matcher, err := makeDomainCatchRegExp(drv.params.DomainExtractRegex)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("invalid domain_extract_regex: %w", err)
|
|
|
|
|
}
|
|
|
|
|
drv.domainRegExp = matcher
|
2023-11-18 16:14:39 +03:00
|
|
|
drv.populateFromSSHConfig()
|
2023-11-18 21:23:29 +03:00
|
|
|
drv.auth = drv.authenticators()
|
2023-11-17 20:39:00 +03:00
|
|
|
return drv, nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-19 13:06:38 +03:00
|
|
|
func (d *SSH) forward(val sshtun.Forward, domainMatcher func(string)) conn {
|
2023-11-18 23:02:41 +03:00
|
|
|
tun := sshtun.New(d.params.Address,
|
|
|
|
|
d.params.Auth.User,
|
|
|
|
|
d.auth,
|
2023-11-19 17:03:12 +03:00
|
|
|
sshtun.TunnelConfig{
|
|
|
|
|
Forward: val,
|
|
|
|
|
HostKeys: d.hostKeys,
|
2023-11-19 13:06:38 +03:00
|
|
|
NoPTY: d.params.NoPTY,
|
2023-11-19 14:12:39 +03:00
|
|
|
Shell: d.params.Shell,
|
2023-11-19 13:06:38 +03:00
|
|
|
FakeRemoteHost: d.params.FakeRemoteHost,
|
|
|
|
|
KeepAliveInterval: uint(d.params.KeepAlive.Interval),
|
|
|
|
|
KeepAliveMax: uint(d.params.KeepAlive.MaxAttempts),
|
|
|
|
|
},
|
2023-11-18 23:02:41 +03:00
|
|
|
d.Log())
|
2023-11-18 21:23:29 +03:00
|
|
|
ctx, cancel := context.WithCancel(d.Context())
|
2023-11-18 23:02:41 +03:00
|
|
|
tunDbgLog := d.Log().With("ssh-output", val.Remote.String())
|
2023-11-19 00:54:51 +03:00
|
|
|
go tun.Connect(ctx,
|
2023-11-19 13:06:38 +03:00
|
|
|
sshtun.BannerDebugLogCallback(tunDbgLog),
|
|
|
|
|
sshtun.OutputReaderCallback(func(msg string) {
|
|
|
|
|
d.Log().Debug(msg)
|
|
|
|
|
if domainMatcher != nil {
|
|
|
|
|
domainMatcher(msg)
|
|
|
|
|
}
|
|
|
|
|
}))
|
2023-11-18 21:23:29 +03:00
|
|
|
return conn{ctx: ctx, cancel: cancel, tun: tun}
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-19 17:03:12 +03:00
|
|
|
func (d *SSH) buildHostKeys() error {
|
|
|
|
|
if d.params.HostKeys == "" {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
hostKeys := []ssh.PublicKey{}
|
|
|
|
|
for _, keyLine := range strings.Split(d.params.HostKeys, "\n") {
|
|
|
|
|
key, err := d.pubKeyFromSSHKeyScan(keyLine)
|
|
|
|
|
if err != nil {
|
|
|
|
|
d.Log().Debugf("invalid public key: %s", keyLine)
|
|
|
|
|
return fmt.Errorf("invalid public key for the host: %w", err)
|
|
|
|
|
}
|
|
|
|
|
if key != nil {
|
|
|
|
|
hostKeys = append(hostKeys, key)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
d.hostKeys = hostKeys
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// pubKeyFromSSHKeyScan extracts host public key from ssh-keyscan output format.
|
|
|
|
|
func (d *SSH) pubKeyFromSSHKeyScan(line string) (key ssh.PublicKey, err error) {
|
|
|
|
|
line = strings.TrimSpace(line)
|
|
|
|
|
if strings.HasPrefix(line, "#") || line == "" { // comment or empty line - should be ignored.
|
|
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
cols := strings.Fields(line)
|
|
|
|
|
for i := len(cols) - 1; i >= 0; i-- {
|
|
|
|
|
col := strings.TrimSpace(cols[i])
|
|
|
|
|
keyData, err := base64.StdEncoding.DecodeString(col)
|
|
|
|
|
if err != nil {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
key, err = ssh.ParsePublicKey(keyData)
|
|
|
|
|
if err == nil {
|
|
|
|
|
return key, nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil, errors.New("no public key in the provided data")
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-19 13:06:38 +03:00
|
|
|
func (d *SSH) makeDomainMatcherFunc(containerID string) func(string) {
|
|
|
|
|
if d.domainRegExp == nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
return func(msg string) {
|
|
|
|
|
domain := d.domainRegExp.FindString(msg)
|
|
|
|
|
if domain == "" {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
d.PushEventStatus(dto.EventStatus{
|
|
|
|
|
Type: dto.EventStart,
|
|
|
|
|
ID: containerID,
|
|
|
|
|
Domain: domain,
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-18 16:14:39 +03:00
|
|
|
func (d *SSH) populateFromSSHConfig() {
|
|
|
|
|
if d.params.Auth.Directory == "" {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
cfg, err := parseSSHConfig(types.SmartPath(path.Join(string(d.params.Auth.Directory), "config")))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
2023-11-19 17:03:12 +03:00
|
|
|
|
|
|
|
|
host := d.extractHostFromAddr(d.params.Address)
|
|
|
|
|
hostCfg := &hostConfig{cfg: cfg, host: host}
|
|
|
|
|
port, err := hostCfg.Get("Port")
|
|
|
|
|
if err != nil {
|
|
|
|
|
port = "22"
|
|
|
|
|
}
|
|
|
|
|
if hostName, err := hostCfg.Get("HostName"); err == nil && hostName != "" {
|
|
|
|
|
d.params.Address = net.JoinHostPort(hostName, port)
|
|
|
|
|
}
|
|
|
|
|
if user, err := hostCfg.Get("User"); err == nil && user != "" {
|
2023-11-18 16:14:39 +03:00
|
|
|
d.params.Auth.User = user
|
|
|
|
|
}
|
2023-11-19 17:03:12 +03:00
|
|
|
if usePass, err := hostCfg.Get("PasswordAuthentication"); err == nil && usePass == "yes" {
|
2023-11-18 16:14:39 +03:00
|
|
|
d.params.Auth.Type = types.AuthTypePassword
|
|
|
|
|
}
|
2023-11-19 17:03:12 +03:00
|
|
|
if keyfile, err := hostCfg.Get("IdentityFile"); err == nil && keyfile != "" {
|
2023-11-18 16:14:39 +03:00
|
|
|
resolvedKeyFile, err := types.SmartPath(keyfile).Resolve(false)
|
|
|
|
|
if err == nil {
|
|
|
|
|
d.params.Auth.Type = types.AuthTypeKey
|
|
|
|
|
d.params.Auth.Keyfile = resolvedKeyFile
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-11-17 20:39:00 +03:00
|
|
|
}
|
|
|
|
|
|
2023-11-19 17:03:12 +03:00
|
|
|
func (d *SSH) extractHostFromAddr(addr string) string {
|
|
|
|
|
host, _, err := net.SplitHostPort(addr)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return addr
|
|
|
|
|
}
|
|
|
|
|
return host
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-18 16:14:39 +03:00
|
|
|
func (d *SSH) Handle(event dto.Event) error {
|
2023-11-18 21:23:29 +03:00
|
|
|
defer d.rw.Unlock()
|
|
|
|
|
d.rw.Lock()
|
|
|
|
|
switch event.Type {
|
|
|
|
|
case dto.EventStart:
|
2023-11-18 23:02:41 +03:00
|
|
|
if d.params.Mode == types.DomainModeSingle && len(d.conns) > 0 {
|
|
|
|
|
return ErrAlreadyInUse
|
|
|
|
|
}
|
2023-11-18 21:23:29 +03:00
|
|
|
conn := d.forward(sshtun.Forward{
|
2023-11-19 13:06:38 +03:00
|
|
|
Local: d.localEndpoint(event.Container.IP, event.Container.Port),
|
2023-11-18 21:23:29 +03:00
|
|
|
Remote: d.remoteEndpoint(event.Container.RemoteHost),
|
2023-11-19 13:06:38 +03:00
|
|
|
}, d.makeDomainMatcherFunc(event.Container.ID))
|
2023-11-18 21:23:29 +03:00
|
|
|
d.conns[event.Container.ID] = conn
|
|
|
|
|
d.wg.Add(1)
|
|
|
|
|
case dto.EventStop:
|
|
|
|
|
conn, found := d.conns[event.Container.ID]
|
|
|
|
|
if !found {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
conn.cancel()
|
|
|
|
|
delete(d.conns, event.Container.ID)
|
2023-11-19 13:06:38 +03:00
|
|
|
d.propagateStop(event.Container.ID)
|
2023-11-18 21:23:29 +03:00
|
|
|
d.wg.Done()
|
|
|
|
|
case dto.EventShutdown:
|
|
|
|
|
for id, conn := range d.conns {
|
|
|
|
|
conn.cancel()
|
|
|
|
|
delete(d.conns, id)
|
2023-11-19 13:06:38 +03:00
|
|
|
d.propagateStop(id)
|
2023-11-18 21:23:29 +03:00
|
|
|
d.wg.Done()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-19 13:06:38 +03:00
|
|
|
func (d *SSH) propagateStop(containerID string) {
|
|
|
|
|
d.PushEventStatus(dto.EventStatus{Type: dto.EventStop, ID: containerID})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (d *SSH) localEndpoint(ip net.IP, port uint16) sshtun.Endpoint {
|
|
|
|
|
return sshtun.AddrToEndpoint(net.JoinHostPort(ip.String(), strconv.Itoa(int(port))))
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-18 21:23:29 +03:00
|
|
|
func (d *SSH) remoteEndpoint(remoteHost string) sshtun.Endpoint {
|
|
|
|
|
port := int(d.params.ForwardPort)
|
|
|
|
|
if port == 0 {
|
|
|
|
|
port = 80
|
|
|
|
|
}
|
|
|
|
|
return sshtun.Endpoint{
|
|
|
|
|
Host: remoteHost,
|
|
|
|
|
Port: port,
|
|
|
|
|
}
|
2023-11-18 12:36:17 +03:00
|
|
|
}
|
|
|
|
|
|
2023-11-17 20:39:00 +03:00
|
|
|
func (d *SSH) Driver() config.DriverType {
|
|
|
|
|
return config.DriverSSH
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (d *SSH) WaitForShutdown() {
|
2023-11-18 21:23:29 +03:00
|
|
|
go d.Handle(dto.Event{Type: dto.EventShutdown})
|
2023-11-17 20:39:00 +03:00
|
|
|
d.wg.Wait()
|
|
|
|
|
}
|
2023-11-18 16:14:39 +03:00
|
|
|
|
2023-11-18 17:51:04 +03:00
|
|
|
func (d *SSH) authenticators() []ssh.AuthMethod {
|
|
|
|
|
auth := d.authenticator()
|
|
|
|
|
if auth == nil {
|
2023-11-18 16:14:39 +03:00
|
|
|
return nil
|
|
|
|
|
}
|
2023-11-18 17:51:04 +03:00
|
|
|
return []ssh.AuthMethod{auth}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (d *SSH) authenticator() ssh.AuthMethod {
|
|
|
|
|
switch d.params.Auth.Type {
|
|
|
|
|
case types.AuthTypePasswordless:
|
2023-11-18 21:23:29 +03:00
|
|
|
return sshtun.AuthPassword("")
|
2023-11-18 17:51:04 +03:00
|
|
|
case types.AuthTypePassword:
|
2023-11-18 21:23:29 +03:00
|
|
|
return sshtun.AuthPassword(d.params.Auth.Password)
|
2023-11-18 17:51:04 +03:00
|
|
|
case types.AuthTypeKey:
|
|
|
|
|
if d.params.Auth.Keyfile != "" {
|
2023-11-18 21:23:29 +03:00
|
|
|
keyAuth, err := sshtun.AuthKeyFile(
|
2023-11-18 17:51:04 +03:00
|
|
|
types.SmartPath(path.Join(d.params.Auth.Directory.String(), d.params.Auth.Keyfile)))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
return keyAuth
|
2023-11-18 16:14:39 +03:00
|
|
|
}
|
2023-11-18 21:23:29 +03:00
|
|
|
dirAuth, err := sshtun.AuthKeyDir(d.params.Auth.Directory)
|
2023-11-18 16:14:39 +03:00
|
|
|
if err != nil {
|
2023-11-18 17:51:04 +03:00
|
|
|
return nil
|
2023-11-18 16:14:39 +03:00
|
|
|
}
|
2023-11-18 17:51:04 +03:00
|
|
|
return dirAuth
|
2023-11-18 16:14:39 +03:00
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
