sshpoke/internal/server/driver/ssh/driver.go

package ssh

import (
	"context"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"os/user"
	"path"
	"regexp"
	"strconv"
	"strings"
	"sync"

	"github.com/Neur0toxine/sshpoke/internal/config"
	"github.com/Neur0toxine/sshpoke/internal/server/driver/base"
	"github.com/Neur0toxine/sshpoke/internal/server/driver/ssh/sshtun"
	"github.com/Neur0toxine/sshpoke/internal/server/driver/ssh/types"
	"github.com/Neur0toxine/sshpoke/internal/server/driver/util"
	"github.com/Neur0toxine/sshpoke/pkg/dto"
	"github.com/Neur0toxine/sshpoke/pkg/proto/ssh"
	"github.com/Neur0toxine/sshpoke/pkg/proto/ssh/knownhosts"
	"github.com/Neur0toxine/sshpoke/pkg/smarttypes"
	"go.uber.org/zap"
)

const KnownHostsFile = "known_hosts"

var ErrAlreadyInUse = errors.New("domain is already in use")

type SSH struct {
	base.Base
	params          Params
	auth            []ssh.AuthMethod
	hostKeys        []ssh.PublicKey
	hostKeyCallback ssh.HostKeyCallback
	conns           map[string]conn
	clientVersion   string
	rw              sync.RWMutex
	wg              sync.WaitGroup
	domainRegExp    *regexp.Regexp
}

type conn struct {
	ctx    context.Context
	cancel func()
	tun    *sshtun.Tunnel
}

func New(ctx context.Context, name string, params config.DriverParams) (base.Driver, error) {
	drv := &SSH{
		Base:  base.New(ctx, name),
		conns: make(map[string]conn),
	}
	if err := util.UnmarshalParams(params, &drv.params); err != nil {
		return nil, err
	}
	if err := drv.buildHostKeys(); err != nil {
		return nil, err
	}
	matcher, err := makeDomainCatchRegExp(drv.params.DomainExtractRegex)
	if err != nil {
		return nil, fmt.Errorf("invalid domain_extract_regex: %w", err)
	}
	drv.domainRegExp = matcher
	drv.populateFromSSHConfig()
	drv.auth = drv.authenticators()
	drv.clientVersion = drv.buildClientVersion()
	drv.hostKeyCallback = drv.buildHostKeyCallback()
	return drv, nil
}

func (d *SSH) getUser() string {
	if d.params.Auth.User != "" {
		return d.params.Auth.User
	}
	userData, err := user.Current()
	if err != nil {
		d.Log().Warn("cannot get current user name - using 'root'")
		return "root"
	}
	return userData.Username
}

func (d *SSH) forward(val sshtun.Forward, domainMatcher func(string)) conn {
	tun := sshtun.New(d.params.Address,
		d.getUser(),
		d.auth,
		sshtun.TunnelConfig{
			Forward:           val,
			HostKeyCallback:   d.hostKeyCallback,
			Shell:             d.params.Shell,
			ClientVersion:     d.clientVersion,
			FakeRemoteHost:    d.params.FakeRemoteHost,
			KeepAliveInterval: uint(d.params.KeepAlive.Interval),
			KeepAliveMax:      uint(d.params.KeepAlive.MaxAttempts),
		},
		d.Log())
	ctx, cancel := context.WithCancel(d.Context())
	tunDbgLog := d.Log().With("ssh-output", val.Remote.String())
	var outputReaderCb sshtun.SessionCallback
	if d.params.ReadSessionsOutput == nil || (*d.params.ReadSessionsOutput) {
		outputReaderCb = sshtun.OutputReaderCallback(func(msg string) {
			msg = strings.TrimSpace(msg)
			if msg == "" {
				return
			}
			tunDbgLog.Debug("session: ", msg)
			if domainMatcher != nil {
				domainMatcher(msg)
			}
		})
	}
	go tun.Connect(ctx,
		d.buildHandshakeLineCallback(domainMatcher, tunDbgLog),
		sshtun.BannerDebugLogCallback(tunDbgLog),
		outputReaderCb)
	return conn{ctx: ctx, cancel: cancel, tun: tun}
}

func (d *SSH) buildHandshakeLineCallback(domainMatcher func(string), tunDbgLog *zap.SugaredLogger) func(string) {
	if d.params.ReadRawPackets {
		return func(msg string) {
			msg = strings.TrimSpace(msg)
			if msg == "" {
				return
			}
			tunDbgLog.Debugf("ssh: %s", msg)
			if domainMatcher != nil {
				domainMatcher(msg)
			}
		}
	}
	return nil
}

func (d *SSH) buildHostKeyCallback() ssh.HostKeyCallback {
	keysCallback := func() ssh.HostKeyCallback {
		if d.hostKeys == nil || len(d.hostKeys) == 0 {
			return ssh.InsecureIgnoreHostKey()
		}
		if len(d.hostKeys) == 1 {
			return ssh.FixedHostKey(d.hostKeys[0])
		}
		return sshtun.FixedHostKeys(d.hostKeys)
	}()
	if d.params.Auth.Type == types.AuthTypeKey && d.params.Auth.Directory != "" && len(d.hostKeys) == 0 {
		knownHostsPath := smarttypes.Path(path.Join(string(d.params.Auth.Directory), KnownHostsFile))
		resolvedPath, err := knownHostsPath.File()
		if err != nil {
			return ssh.InsecureIgnoreHostKey()
		}
		hostKeyCallback, err := knownhosts.New(resolvedPath)
		if err != nil {
			return ssh.InsecureIgnoreHostKey()
		}
		return hostKeyCallback
	}
	return keysCallback
}

func (d *SSH) buildClientVersion() string {
	ver := strings.TrimSpace(d.params.ClientVersion)
	if ver == "" {
		return ""
	}
	if !strings.HasPrefix(ver, "SSH-2.0-") {
		d.Log().Warn(
			"client_version must have 'SSH-2.0-' prefix (see RFC-4253), this will be fixed automatically")
		ver = "SSH-2.0-" + ver
	}
	if !isValidClientVersion(ver) {
		d.Log().Warnf("invalid client_version value, using default...")
		return ""
	}
	return ver
}

func (d *SSH) buildHostKeys() error {
	if d.params.HostKeys == "" {
		return nil
	}
	hostKeys := []ssh.PublicKey{}
	for _, keyLine := range strings.Split(d.params.HostKeys, "\n") {
		key, err := d.pubKeyFromSSHKeyScan(keyLine)
		if err != nil {
			d.Log().Debugf("invalid public key: %s", keyLine)
			return fmt.Errorf("invalid public key for the host: %w", err)
		}
		if key != nil {
			hostKeys = append(hostKeys, key)
		}
	}
	d.hostKeys = hostKeys
	return nil
}

// pubKeyFromSSHKeyScan extracts host public key from ssh-keyscan output format.
func (d *SSH) pubKeyFromSSHKeyScan(line string) (key ssh.PublicKey, err error) {
	line = strings.TrimSpace(line)
	if strings.HasPrefix(line, "#") || line == "" { // comment or empty line - should be ignored.
		return nil, nil
	}
	cols := strings.Fields(line)
	for i := len(cols) - 1; i >= 0; i-- {
		col := strings.TrimSpace(cols[i])
		keyData, err := base64.StdEncoding.DecodeString(col)
		if err != nil {
			continue
		}
		key, err = ssh.ParsePublicKey(keyData)
		if err == nil {
			return key, nil
		}
	}
	return nil, errors.New("no public key in the provided data")
}

func (d *SSH) makeDomainMatcherFunc(containerID string) func(string) {
	if d.domainRegExp == nil {
		return nil
	}
	return func(msg string) {
		domain := d.domainRegExp.FindString(msg)
		if domain == "" {
			return
		}
		d.PushEventStatus(dto.EventStatus{
			Type:   dto.EventStart,
			ID:     containerID,
			Domain: domain,
		})
	}
}

func (d *SSH) populateFromSSHConfig() {
	if d.params.Auth.Directory == "" {
		return
	}
	cfg, err := parseSSHConfig(smarttypes.Path(path.Join(string(d.params.Auth.Directory), "config")))
	if err != nil {
		return
	}

	host := d.extractHostFromAddr(d.params.Address)
	hostCfg := &hostConfig{cfg: cfg, host: host}
	port, err := hostCfg.Get("Port")
	if err != nil {
		port = "22"
	}
	if hostName, err := hostCfg.Get("HostName"); err == nil && hostName != "" {
		d.params.Address = net.JoinHostPort(hostName, port)
	}
	if user, err := hostCfg.Get("User"); err == nil && user != "" {
		d.params.Auth.User = user
	}
	if keyfile, err := hostCfg.Get("IdentityFile"); err == nil && keyfile != "" {
		resolvedKeyFile, err := smarttypes.Path(keyfile).File()
		if err == nil {
			d.params.Auth.Type = types.AuthTypeKey
			d.params.Auth.Keyfile = resolvedKeyFile
		}
	}
}

func (d *SSH) extractHostFromAddr(addr string) string {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return addr
	}
	return host
}

func (d *SSH) Handle(event dto.Event) error {
	defer d.rw.Unlock()
	d.rw.Lock()
	switch event.Type {
	case dto.EventStart:
		if d.params.Mode == types.DomainModeSingle && len(d.conns) > 0 {
			return ErrAlreadyInUse
		}
		conn := d.forward(sshtun.Forward{
			Local:  d.localEndpoint(event.Container.IP, event.Container.Port),
			Remote: d.remoteEndpoint(event.Container.RemoteHost),
		}, d.makeDomainMatcherFunc(event.Container.ID))
		d.conns[event.Container.ID] = conn
		d.wg.Add(1)
	case dto.EventStop:
		conn, found := d.conns[event.Container.ID]
		if !found {
			return nil
		}
		conn.cancel()
		delete(d.conns, event.Container.ID)
		d.propagateStop(event.Container.ID)
		d.wg.Done()
	case dto.EventShutdown:
		for id, conn := range d.conns {
			conn.cancel()
			delete(d.conns, id)
			d.propagateStop(id)
			d.wg.Done()
		}
	}
	return nil
}

func (d *SSH) propagateStop(containerID string) {
	d.PushEventStatus(dto.EventStatus{Type: dto.EventStop, ID: containerID})
}

func (d *SSH) localEndpoint(ip net.IP, port uint16) sshtun.Endpoint {
	return sshtun.AddrToEndpoint(net.JoinHostPort(ip.String(), strconv.Itoa(int(port))))
}

func (d *SSH) remoteEndpoint(remoteHost string) sshtun.Endpoint {
	port := int(d.params.ForwardPort)
	if port == 0 {
		port = 80
	}
	if remoteHost == "" && !d.params.FakeRemoteHost {
		// Listen on all interfaces if no host was provided.
		remoteHost = "127.0.0.1"
	}
	return sshtun.Endpoint{
		Host: remoteHost,
		Port: port,
	}
}

func (d *SSH) Driver() config.DriverType {
	return config.DriverSSH
}

func (d *SSH) WaitForShutdown() {
	go d.Handle(dto.Event{Type: dto.EventShutdown})
	d.wg.Wait()
}

func (d *SSH) authenticators() []ssh.AuthMethod {
	auth := d.authenticator()
	if auth == nil {
		return nil
	}
	return []ssh.AuthMethod{auth}
}

func (d *SSH) authenticator() ssh.AuthMethod {
	switch d.params.Auth.Type {
	case types.AuthTypePasswordless:
		return sshtun.AuthPassword("")
	case types.AuthTypePassword:
		return sshtun.AuthPassword(d.params.Auth.Password)
	case types.AuthTypeKey:
		if d.params.Auth.Keyfile != "" {
			keyAuth, err := sshtun.AuthKeyFile(
				smarttypes.Path(path.Join(d.params.Auth.Directory.String(), d.params.Auth.Keyfile)))
			if err != nil {
				return nil
			}
			return keyAuth
		}
		dirAuth, err := sshtun.AuthKeyDir(d.params.Auth.Directory)
		if err != nil {
			return nil
		}
		return dirAuth
	}
	return nil
}