git-lfs/lfshttp/ssh.go

package lfshttp

import (
	"bytes"
	"encoding/json"
	"strings"
	"time"

	"github.com/git-lfs/git-lfs/v3/config"
	"github.com/git-lfs/git-lfs/v3/ssh"
	"github.com/git-lfs/git-lfs/v3/subprocess"
	"github.com/git-lfs/git-lfs/v3/tools"
	"github.com/rubyist/tracerx"
)

type SSHResolver interface {
	Resolve(Endpoint, string) (sshAuthResponse, error)
}

func withSSHCache(ssh SSHResolver) SSHResolver {
	return &sshCache{
		endpoints: make(map[string]*sshAuthResponse),
		ssh:       ssh,
	}
}

type sshCache struct {
	endpoints map[string]*sshAuthResponse
	ssh       SSHResolver
}

func (c *sshCache) Resolve(e Endpoint, method string) (sshAuthResponse, error) {
	if len(e.SSHMetadata.UserAndHost) == 0 {
		return sshAuthResponse{}, nil
	}

	key := strings.Join([]string{e.SSHMetadata.UserAndHost, e.SSHMetadata.Port, e.SSHMetadata.Path, method}, "//")
	if res, ok := c.endpoints[key]; ok {
		if _, expired := res.IsExpiredWithin(5 * time.Second); !expired {
			tracerx.Printf("ssh cache: %s git-lfs-authenticate %s %s",
				e.SSHMetadata.UserAndHost, e.SSHMetadata.Path, endpointOperation(e, method))
			return *res, nil
		} else {
			tracerx.Printf("ssh cache expired: %s git-lfs-authenticate %s %s",
				e.SSHMetadata.UserAndHost, e.SSHMetadata.Path, endpointOperation(e, method))
		}
	}

	res, err := c.ssh.Resolve(e, method)
	if err == nil {
		c.endpoints[key] = &res
	}
	return res, err
}

type sshAuthResponse struct {
	Message   string            `json:"-"`
	Href      string            `json:"href"`
	Header    map[string]string `json:"header"`
	ExpiresAt time.Time         `json:"expires_at"`
	ExpiresIn int               `json:"expires_in"`

	createdAt time.Time
}

func (r *sshAuthResponse) IsExpiredWithin(d time.Duration) (time.Time, bool) {
	return tools.IsExpiredAtOrIn(r.createdAt, d, r.ExpiresAt,
		time.Duration(r.ExpiresIn)*time.Second)
}

type sshAuthClient struct {
	os  config.Environment
	git config.Environment
}

func (c *sshAuthClient) Resolve(e Endpoint, method string) (sshAuthResponse, error) {
	res := sshAuthResponse{}
	if len(e.SSHMetadata.UserAndHost) == 0 {
		return res, nil
	}

	exe, args := ssh.GetLFSExeAndArgs(c.os, c.git, &e.SSHMetadata, "git-lfs-authenticate", endpointOperation(e, method), false)
	cmd := subprocess.ExecCommand(exe, args...)

	// Save stdout and stderr in separate buffers
	var outbuf, errbuf bytes.Buffer
	cmd.Stdout = &outbuf
	cmd.Stderr = &errbuf

	now := time.Now()

	// Execute command
	err := cmd.Start()
	if err == nil {
		err = cmd.Wait()
	}

	// Processing result
	if err != nil {
		res.Message = strings.TrimSpace(errbuf.String())
	} else {
		err = json.Unmarshal(outbuf.Bytes(), &res)
		if res.ExpiresIn == 0 && res.ExpiresAt.IsZero() {
			ttl := c.git.Int("lfs.defaulttokenttl", 0)
			if ttl < 0 {
				ttl = 0
			}
			res.ExpiresIn = ttl
		}
		res.createdAt = now
	}

	return res, err
}
lfsapi: extract new lfshttp package Extract more basic http-related functionality out of lfsapi and into a new package, lfshttp. Everything is currently functional aside from authorization. 2018-09-06 21:42:41 +00:00			`package lfshttp`
lfsapi: implement ssh auth 2017-01-04 23:23:46 +00:00
			`import (`
			`"bytes"`
			`"encoding/json"`
			`"strings"`
lfsapi: respect ssh response ExpiresAt in the ssh cache 2017-03-24 18:37:00 +00:00			`"time"`
lfsapi: implement ssh auth 2017-01-04 23:23:46 +00:00
Set package version to v3 Since we're about to do a v3.0.0 release, let's bump the version to v3. Make this change automatically with the following command to avoid any missed items: git grep -l github.com/git-lfs/git-lfs/v2 \| \ xargs sed -i -e 's!github.com/git-lfs/git-lfs/v2!github.com/git-lfs/git-lfs/v3!g' 2021-09-01 19:41:10 +00:00			`"github.com/git-lfs/git-lfs/v3/config"`
			`"github.com/git-lfs/git-lfs/v3/ssh"`
			`"github.com/git-lfs/git-lfs/v3/subprocess"`
			`"github.com/git-lfs/git-lfs/v3/tools"`
lfsapi: implement ssh auth 2017-01-04 23:23:46 +00:00			`"github.com/rubyist/tracerx"`
			`)`

lfsapi: export SSHResolver and property 2017-03-23 19:48:52 +00:00			`type SSHResolver interface {`
lfsapi: extract sshResolver interface 2017-03-23 19:44:51 +00:00			`Resolve(Endpoint, string) (sshAuthResponse, error)`
			`}`

spike a quick cache without expiration 2017-03-23 19:58:15 +00:00			`func withSSHCache(ssh SSHResolver) SSHResolver {`
			`return &sshCache{`
			`endpoints: make(map[string]*sshAuthResponse),`
			`ssh: ssh,`
			`}`
			`}`

			`type sshCache struct {`
			`endpoints map[string]*sshAuthResponse`
			`ssh SSHResolver`
			`}`

			`func (c *sshCache) Resolve(e Endpoint, method string) (sshAuthResponse, error) {`
lfshttp: use a separate struct for SSH metadata Right now, all of the SSH metadata for an endpoint is in the Endpoint struct, but in the future we'd like to move the SSH code to its own package. At that point, we'll want to avoid a dependency on the Endpoint struct, so let's move the SSH metadata out into its own struct, which we'll include in Endpoint. While we're at it, let's adjust most of the SSH code to use this new struct instead so we can easily move it in the future. 2021-02-03 21:46:28 +00:00			`if len(e.SSHMetadata.UserAndHost) == 0 {`
Skip ssh caching for non ssh remotes 2017-03-24 17:27:44 +00:00			`return sshAuthResponse{}, nil`
			`}`

lfshttp: use a separate struct for SSH metadata Right now, all of the SSH metadata for an endpoint is in the Endpoint struct, but in the future we'd like to move the SSH code to its own package. At that point, we'll want to avoid a dependency on the Endpoint struct, so let's move the SSH metadata out into its own struct, which we'll include in Endpoint. While we're at it, let's adjust most of the SSH code to use this new struct instead so we can easily move it in the future. 2021-02-03 21:46:28 +00:00			`key := strings.Join([]string{e.SSHMetadata.UserAndHost, e.SSHMetadata.Port, e.SSHMetadata.Path, method}, "//")`
lfsapi,docs,test: add expires_in support to ssh auth protocol 2017-04-05 19:59:52 +00:00			`if res, ok := c.endpoints[key]; ok {`
			`if _, expired := res.IsExpiredWithin(5 * time.Second); !expired {`
			`tracerx.Printf("ssh cache: %s git-lfs-authenticate %s %s",`
lfshttp: use a separate struct for SSH metadata Right now, all of the SSH metadata for an endpoint is in the Endpoint struct, but in the future we'd like to move the SSH code to its own package. At that point, we'll want to avoid a dependency on the Endpoint struct, so let's move the SSH metadata out into its own struct, which we'll include in Endpoint. While we're at it, let's adjust most of the SSH code to use this new struct instead so we can easily move it in the future. 2021-02-03 21:46:28 +00:00			`e.SSHMetadata.UserAndHost, e.SSHMetadata.Path, endpointOperation(e, method))`
lfsapi,docs,test: add expires_in support to ssh auth protocol 2017-04-05 19:59:52 +00:00			`return *res, nil`
			`} else {`
			`tracerx.Printf("ssh cache expired: %s git-lfs-authenticate %s %s",`
lfshttp: use a separate struct for SSH metadata Right now, all of the SSH metadata for an endpoint is in the Endpoint struct, but in the future we'd like to move the SSH code to its own package. At that point, we'll want to avoid a dependency on the Endpoint struct, so let's move the SSH metadata out into its own struct, which we'll include in Endpoint. While we're at it, let's adjust most of the SSH code to use this new struct instead so we can easily move it in the future. 2021-02-03 21:46:28 +00:00			`e.SSHMetadata.UserAndHost, e.SSHMetadata.Path, endpointOperation(e, method))`
lfsapi,docs,test: add expires_in support to ssh auth protocol 2017-04-05 19:59:52 +00:00			`}`
spike a quick cache without expiration 2017-03-23 19:58:15 +00:00			`}`

			`res, err := c.ssh.Resolve(e, method)`
			`if err == nil {`
			`c.endpoints[key] = &res`
			`}`
			`return res, err`
			`}`

lfsapi: extract sshResolver interface 2017-03-23 19:44:51 +00:00			`type sshAuthResponse struct {`
			Message string `json:"-"`
			Href string `json:"href"`
			Header map[string]string `json:"header"`
lfsapi/ssh.go: use zero-value sentinels Instead of storing the ExpiresAt and ExpiresIn fields as a time.Time, and int, respectively, use a time.Time and int instead. Later, in the zero-value comparison, change from != nil to != 0 and time.Time.IsZero(), respectively. This has the effect of ridding the API of setting expires_in to zero, and will fall-back to the default expiration offset, after which it will retry, or fail the underlying request. We don't have precise determinations on how many API requests this will affect, but it's certainly not common usage of the specification, so the behavior change is OK. 2018-07-02 18:21:39 +00:00			ExpiresAt time.Time `json:"expires_at"`
			ExpiresIn int `json:"expires_in"`
tq,lfsapi/ssh: include `createdAt` field in struct 2017-04-05 22:43:00 +00:00
			`createdAt time.Time`
lfsapi,docs,test: add expires_in support to ssh auth protocol 2017-04-05 19:59:52 +00:00			`}`

			`func (r *sshAuthResponse) IsExpiredWithin(d time.Duration) (time.Time, bool) {`
lfsapi/ssh.go: use zero-value sentinels Instead of storing the ExpiresAt and ExpiresIn fields as a time.Time, and int, respectively, use a time.Time and int instead. Later, in the zero-value comparison, change from != nil to != 0 and time.Time.IsZero(), respectively. This has the effect of ridding the API of setting expires_in to zero, and will fall-back to the default expiration offset, after which it will retry, or fail the underlying request. We don't have precise determinations on how many API requests this will affect, but it's certainly not common usage of the specification, so the behavior change is OK. 2018-07-02 18:21:39 +00:00			`return tools.IsExpiredAtOrIn(r.createdAt, d, r.ExpiresAt,`
			`time.Duration(r.ExpiresIn)*time.Second)`
lfsapi: extract sshResolver interface 2017-03-23 19:44:51 +00:00			`}`

			`type sshAuthClient struct {`
Remove unused import 2018-02-14 22:26:47 +00:00			`os config.Environment`
Set ExpiresIn field to lfs.defaulttokenttl if it is not present and the configuration option has been set 2018-02-14 21:58:59 +00:00			`git config.Environment`
lfsapi: extract sshResolver interface 2017-03-23 19:44:51 +00:00			`}`

			`func (c *sshAuthClient) Resolve(e Endpoint, method string) (sshAuthResponse, error) {`
lfsapi: implement ssh auth 2017-01-04 23:23:46 +00:00			`res := sshAuthResponse{}`
lfshttp: use a separate struct for SSH metadata Right now, all of the SSH metadata for an endpoint is in the Endpoint struct, but in the future we'd like to move the SSH code to its own package. At that point, we'll want to avoid a dependency on the Endpoint struct, so let's move the SSH metadata out into its own struct, which we'll include in Endpoint. While we're at it, let's adjust most of the SSH code to use this new struct instead so we can easily move it in the future. 2021-02-03 21:46:28 +00:00			`if len(e.SSHMetadata.UserAndHost) == 0 {`
lfsapi: implement ssh auth 2017-01-04 23:23:46 +00:00			`return res, nil`
			`}`

ssh: support concurrent transfers using the pure SSH protocol When using the pure SSH-based protocol, we can get much higher speeds by multiplexing multiple connections on the same SSH connection. If we're using OpenSSH, let's enable the ControlMaster option unless lfs.ssh.automultiplex is set to false, and multiplex these shell operations over one connection. We prefer XDG_RUNTIME_DIR because it's guaranteed to be private and we can share many connections over one socket, but if that's not set, let's default to creating a new temporary directory for the socket. On Windows, where the native SSH client doesn't support ControlMaster, we should fall back to using multiple connections since we use ControlMaster=auto. Note that the option exists because users may already be using SSH multiplexing and we would want to provide a way for them to disable this, in addition to the case where users have an old or broken OpenSSH which cannot support this option. We pass the connection object into each worker and adjust our transfer code to pass it into each function we invoke. We also make sure to properly terminate each connection at the end by reducing our connection count to 0, which closes the extra (i.e., all) connections. Co-authored-by: Chris Darroch <chrisd8088@github.com> 2021-04-06 14:08:06 +00:00			`exe, args := ssh.GetLFSExeAndArgs(c.os, c.git, &e.SSHMetadata, "git-lfs-authenticate", endpointOperation(e, method), false)`
Use subprocess for invoking all commands The fix for CVE-2020-27955 was incomplete because we did not consider places outside of the subprocess code that invoke binaries. As a result, there are still some places where an attacker can execute arbitrary code by placing a malicious binary in the repository. To make sure we've covered all the bases, let's just use the subprocess code for executing all programs, which means that they'll be secure. As of this commit, all users of exec.Command are in test code or the subprocess code itself. 2020-12-21 21:08:17 +00:00			`cmd := subprocess.ExecCommand(exe, args...)`
lfsapi: implement ssh auth 2017-01-04 23:23:46 +00:00
			`// Save stdout and stderr in separate buffers`
			`var outbuf, errbuf bytes.Buffer`
			`cmd.Stdout = &outbuf`
			`cmd.Stderr = &errbuf`

tq,lfsapi/ssh: include `createdAt` field in struct 2017-04-05 22:43:00 +00:00			`now := time.Now()`

lfsapi: implement ssh auth 2017-01-04 23:23:46 +00:00			`// Execute command`
			`err := cmd.Start()`
			`if err == nil {`
			`err = cmd.Wait()`
			`}`

			`// Processing result`
			`if err != nil {`
			`res.Message = strings.TrimSpace(errbuf.String())`
			`} else {`
			`err = json.Unmarshal(outbuf.Bytes(), &res)`
lfsapi/ssh.go: use zero-value sentinels Instead of storing the ExpiresAt and ExpiresIn fields as a time.Time, and int, respectively, use a time.Time and int instead. Later, in the zero-value comparison, change from != nil to != 0 and time.Time.IsZero(), respectively. This has the effect of ridding the API of setting expires_in to zero, and will fall-back to the default expiration offset, after which it will retry, or fail the underlying request. We don't have precise determinations on how many API requests this will affect, but it's certainly not common usage of the specification, so the behavior change is OK. 2018-07-02 18:21:39 +00:00			`if res.ExpiresIn == 0 && res.ExpiresAt.IsZero() {`
Set ExpiresIn field to lfs.defaulttokenttl if it is not present and the configuration option has been set 2018-02-14 21:58:59 +00:00			`ttl := c.git.Int("lfs.defaulttokenttl", 0)`
Change the expiry fields in sshAuthResponse to pointers so it can be determined if they are set by git-lfs-authenticate's response. 2018-02-15 21:25:55 +00:00			`if ttl < 0 {`
			`ttl = 0`
Set ExpiresIn field to lfs.defaulttokenttl if it is not present and the configuration option has been set 2018-02-14 21:58:59 +00:00			`}`
lfsapi/ssh.go: use zero-value sentinels Instead of storing the ExpiresAt and ExpiresIn fields as a time.Time, and int, respectively, use a time.Time and int instead. Later, in the zero-value comparison, change from != nil to != 0 and time.Time.IsZero(), respectively. This has the effect of ridding the API of setting expires_in to zero, and will fall-back to the default expiration offset, after which it will retry, or fail the underlying request. We don't have precise determinations on how many API requests this will affect, but it's certainly not common usage of the specification, so the behavior change is OK. 2018-07-02 18:21:39 +00:00			`res.ExpiresIn = ttl`
Set ExpiresIn field to lfs.defaulttokenttl if it is not present and the configuration option has been set 2018-02-14 21:58:59 +00:00			`}`
tq,lfsapi/ssh: include `createdAt` field in struct 2017-04-05 22:43:00 +00:00			`res.createdAt = now`
lfsapi: implement ssh auth 2017-01-04 23:23:46 +00:00			`}`

			`return res, err`
			`}`