2018-09-04 23:33:07 +00:00
|
|
|
package sshprovider
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"io"
|
2018-09-06 22:25:45 +00:00
|
|
|
"io/ioutil"
|
2018-09-04 23:33:07 +00:00
|
|
|
"net"
|
|
|
|
"os"
|
2020-09-23 02:47:52 +00:00
|
|
|
"runtime"
|
|
|
|
"strings"
|
2018-09-04 23:33:07 +00:00
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/moby/buildkit/session"
|
|
|
|
"github.com/moby/buildkit/session/sshforward"
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
"golang.org/x/crypto/ssh"
|
|
|
|
"golang.org/x/crypto/ssh/agent"
|
|
|
|
"golang.org/x/sync/errgroup"
|
|
|
|
"google.golang.org/grpc"
|
|
|
|
"google.golang.org/grpc/metadata"
|
|
|
|
)
|
|
|
|
|
2018-09-18 17:49:25 +00:00
|
|
|
// AgentConfig is the config for a single exposed SSH agent
|
2018-09-04 23:33:07 +00:00
|
|
|
type AgentConfig struct {
|
2018-09-06 22:25:45 +00:00
|
|
|
ID string
|
|
|
|
Paths []string
|
2018-09-04 23:33:07 +00:00
|
|
|
}
|
|
|
|
|
2018-09-18 17:49:25 +00:00
|
|
|
// NewSSHAgentProvider creates a session provider that allows access to ssh agent
|
2018-09-04 23:33:07 +00:00
|
|
|
func NewSSHAgentProvider(confs []AgentConfig) (session.Attachable, error) {
|
2018-09-06 22:25:45 +00:00
|
|
|
m := map[string]source{}
|
2018-09-04 23:33:07 +00:00
|
|
|
for _, conf := range confs {
|
2018-09-06 22:25:45 +00:00
|
|
|
if len(conf.Paths) == 0 || len(conf.Paths) == 1 && conf.Paths[0] == "" {
|
|
|
|
conf.Paths = []string{os.Getenv("SSH_AUTH_SOCK")}
|
2018-09-04 23:33:07 +00:00
|
|
|
}
|
|
|
|
|
2018-09-06 22:25:45 +00:00
|
|
|
if conf.Paths[0] == "" {
|
2021-05-20 19:50:35 +00:00
|
|
|
p, err := getFallbackAgentPath()
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrap(err, "invalid empty ssh agent socket")
|
|
|
|
}
|
|
|
|
conf.Paths[0] = p
|
2018-09-04 23:33:07 +00:00
|
|
|
}
|
|
|
|
|
2018-09-06 22:25:45 +00:00
|
|
|
src, err := toAgentSource(conf.Paths)
|
|
|
|
if err != nil {
|
2018-09-04 23:33:07 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if conf.ID == "" {
|
|
|
|
conf.ID = sshforward.DefaultID
|
|
|
|
}
|
|
|
|
if _, ok := m[conf.ID]; ok {
|
|
|
|
return nil, errors.Errorf("invalid duplicate ID %s", conf.ID)
|
|
|
|
}
|
2018-09-06 22:25:45 +00:00
|
|
|
m[conf.ID] = src
|
2018-09-04 23:33:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return &socketProvider{m: m}, nil
|
|
|
|
}
|
|
|
|
|
2018-09-06 22:25:45 +00:00
|
|
|
type source struct {
|
|
|
|
agent agent.Agent
|
2021-05-20 19:50:35 +00:00
|
|
|
socket *socketDialer
|
|
|
|
}
|
|
|
|
|
|
|
|
type socketDialer struct {
|
|
|
|
path string
|
|
|
|
dialer func(string) (net.Conn, error)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s socketDialer) Dial() (net.Conn, error) {
|
|
|
|
return s.dialer(s.path)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s socketDialer) String() string {
|
|
|
|
return s.path
|
2018-09-06 22:25:45 +00:00
|
|
|
}
|
|
|
|
|
2018-09-04 23:33:07 +00:00
|
|
|
type socketProvider struct {
|
2018-09-06 22:25:45 +00:00
|
|
|
m map[string]source
|
2018-09-04 23:33:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (sp *socketProvider) Register(server *grpc.Server) {
|
|
|
|
sshforward.RegisterSSHServer(server, sp)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (sp *socketProvider) CheckAgent(ctx context.Context, req *sshforward.CheckAgentRequest) (*sshforward.CheckAgentResponse, error) {
|
|
|
|
id := sshforward.DefaultID
|
|
|
|
if req.ID != "" {
|
|
|
|
id = req.ID
|
|
|
|
}
|
|
|
|
if _, ok := sp.m[id]; !ok {
|
|
|
|
return &sshforward.CheckAgentResponse{}, errors.Errorf("unset ssh forward key %s", id)
|
|
|
|
}
|
|
|
|
return &sshforward.CheckAgentResponse{}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (sp *socketProvider) ForwardAgent(stream sshforward.SSH_ForwardAgentServer) error {
|
|
|
|
id := sshforward.DefaultID
|
|
|
|
|
|
|
|
opts, _ := metadata.FromIncomingContext(stream.Context()) // if no metadata continue with empty object
|
|
|
|
|
|
|
|
if v, ok := opts[sshforward.KeySSHID]; ok && len(v) > 0 && v[0] != "" {
|
|
|
|
id = v[0]
|
|
|
|
}
|
|
|
|
|
2018-09-06 22:25:45 +00:00
|
|
|
src, ok := sp.m[id]
|
2018-09-04 23:33:07 +00:00
|
|
|
if !ok {
|
|
|
|
return errors.Errorf("unset ssh forward key %s", id)
|
|
|
|
}
|
|
|
|
|
2018-09-06 22:25:45 +00:00
|
|
|
var a agent.Agent
|
|
|
|
|
2021-05-20 19:50:35 +00:00
|
|
|
if src.socket != nil {
|
|
|
|
conn, err := src.socket.Dial()
|
2018-09-06 22:25:45 +00:00
|
|
|
if err != nil {
|
|
|
|
return errors.Wrapf(err, "failed to connect to %s", src.socket)
|
|
|
|
}
|
|
|
|
|
|
|
|
a = &readOnlyAgent{agent.NewClient(conn)}
|
|
|
|
defer conn.Close()
|
|
|
|
} else {
|
|
|
|
a = src.agent
|
2018-09-04 23:33:07 +00:00
|
|
|
}
|
|
|
|
|
2018-09-06 22:25:45 +00:00
|
|
|
s1, s2 := sockPair()
|
2018-09-04 23:33:07 +00:00
|
|
|
|
|
|
|
eg, ctx := errgroup.WithContext(context.TODO())
|
|
|
|
|
|
|
|
eg.Go(func() error {
|
|
|
|
return agent.ServeAgent(a, s1)
|
|
|
|
})
|
|
|
|
|
|
|
|
eg.Go(func() error {
|
|
|
|
defer s1.Close()
|
2019-08-26 22:34:55 +00:00
|
|
|
return sshforward.Copy(ctx, s2, stream, nil)
|
2018-09-04 23:33:07 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
return eg.Wait()
|
|
|
|
}
|
|
|
|
|
2018-09-06 22:25:45 +00:00
|
|
|
func toAgentSource(paths []string) (source, error) {
|
|
|
|
var keys bool
|
2021-05-20 19:50:35 +00:00
|
|
|
var socket *socketDialer
|
2018-09-06 22:25:45 +00:00
|
|
|
a := agent.NewKeyring()
|
|
|
|
for _, p := range paths {
|
2021-05-20 19:50:35 +00:00
|
|
|
if socket != nil {
|
2018-09-06 22:25:45 +00:00
|
|
|
return source{}, errors.New("only single socket allowed")
|
|
|
|
}
|
2021-05-20 19:50:35 +00:00
|
|
|
|
|
|
|
if parsed := parsePlatformSocketPath(p); parsed != nil {
|
|
|
|
socket = parsed
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2018-09-06 22:25:45 +00:00
|
|
|
fi, err := os.Stat(p)
|
|
|
|
if err != nil {
|
|
|
|
return source{}, errors.WithStack(err)
|
|
|
|
}
|
|
|
|
if fi.Mode()&os.ModeSocket > 0 {
|
2021-05-20 19:50:35 +00:00
|
|
|
socket = &socketDialer{path: p, dialer: unixSocketDialer}
|
2018-09-06 22:25:45 +00:00
|
|
|
continue
|
|
|
|
}
|
2020-09-23 02:47:52 +00:00
|
|
|
|
2018-09-06 22:25:45 +00:00
|
|
|
f, err := os.Open(p)
|
|
|
|
if err != nil {
|
|
|
|
return source{}, errors.Wrapf(err, "failed to open %s", p)
|
|
|
|
}
|
|
|
|
dt, err := ioutil.ReadAll(&io.LimitedReader{R: f, N: 100 * 1024})
|
|
|
|
if err != nil {
|
|
|
|
return source{}, errors.Wrapf(err, "failed to read %s", p)
|
|
|
|
}
|
|
|
|
|
|
|
|
k, err := ssh.ParseRawPrivateKey(dt)
|
|
|
|
if err != nil {
|
2020-09-23 02:47:52 +00:00
|
|
|
// On Windows, os.ModeSocket isn't appropriately set on the file mode.
|
|
|
|
// https://github.com/golang/go/issues/33357
|
|
|
|
// If parsing the file fails, check to see if it kind of looks like socket-shaped.
|
|
|
|
if runtime.GOOS == "windows" && strings.Contains(string(dt), "socket") {
|
|
|
|
if keys {
|
|
|
|
return source{}, errors.Errorf("invalid combination of keys and sockets")
|
|
|
|
}
|
2021-05-20 19:50:35 +00:00
|
|
|
socket = &socketDialer{path: p, dialer: unixSocketDialer}
|
2020-09-23 02:47:52 +00:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2018-09-06 22:25:45 +00:00
|
|
|
return source{}, errors.Wrapf(err, "failed to parse %s", p) // TODO: prompt passphrase?
|
|
|
|
}
|
|
|
|
if err := a.Add(agent.AddedKey{PrivateKey: k}); err != nil {
|
|
|
|
return source{}, errors.Wrapf(err, "failed to add %s to agent", p)
|
|
|
|
}
|
2020-09-23 02:47:52 +00:00
|
|
|
|
|
|
|
keys = true
|
2018-09-04 23:33:07 +00:00
|
|
|
}
|
2018-09-06 22:25:45 +00:00
|
|
|
|
2021-05-20 19:50:35 +00:00
|
|
|
if socket != nil {
|
|
|
|
if keys {
|
|
|
|
return source{}, errors.Errorf("invalid combination of keys and sockets")
|
|
|
|
}
|
2018-09-06 22:25:45 +00:00
|
|
|
return source{socket: socket}, nil
|
2018-09-04 23:33:07 +00:00
|
|
|
}
|
2018-09-06 22:25:45 +00:00
|
|
|
|
|
|
|
return source{agent: a}, nil
|
2018-09-04 23:33:07 +00:00
|
|
|
}
|
|
|
|
|
2021-05-20 19:50:35 +00:00
|
|
|
func unixSocketDialer(path string) (net.Conn, error) {
|
|
|
|
return net.DialTimeout("unix", path, 2*time.Second)
|
|
|
|
}
|
|
|
|
|
2018-09-04 23:33:07 +00:00
|
|
|
func sockPair() (io.ReadWriteCloser, io.ReadWriteCloser) {
|
|
|
|
pr1, pw1 := io.Pipe()
|
|
|
|
pr2, pw2 := io.Pipe()
|
|
|
|
return &sock{pr1, pw2, pw1}, &sock{pr2, pw1, pw2}
|
|
|
|
}
|
|
|
|
|
|
|
|
type sock struct {
|
|
|
|
io.Reader
|
|
|
|
io.Writer
|
|
|
|
io.Closer
|
|
|
|
}
|
|
|
|
|
|
|
|
type readOnlyAgent struct {
|
2019-11-19 23:09:37 +00:00
|
|
|
agent.ExtendedAgent
|
2018-09-04 23:33:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (a *readOnlyAgent) Add(_ agent.AddedKey) error {
|
|
|
|
return errors.Errorf("adding new keys not allowed by buildkit")
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *readOnlyAgent) Remove(_ ssh.PublicKey) error {
|
|
|
|
return errors.Errorf("removing keys not allowed by buildkit")
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *readOnlyAgent) RemoveAll() error {
|
|
|
|
return errors.Errorf("removing keys not allowed by buildkit")
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *readOnlyAgent) Lock(_ []byte) error {
|
|
|
|
return errors.Errorf("locking agent not allowed by buildkit")
|
|
|
|
}
|
2019-11-21 20:52:36 +00:00
|
|
|
|
|
|
|
func (a *readOnlyAgent) Extension(_ string, _ []byte) ([]byte, error) {
|
|
|
|
return nil, errors.Errorf("extensions not allowed by buildkit")
|
|
|
|
}
|