feat: adds ssh implementation

Author: dcoric

SSH.md

@@ -0,0 +1,52 @@
+## SSH Configuration
+
+1. Generate SSH host key:
+
+```bash
+mkdir -p .ssh
+ssh-keygen -t rsa -f ./.ssh/host_key
+```
+
+2. Add authorized keys:
+
+```bash
+# Add each user's public key to .ssh/authorized_keys
+echo "ssh-rsa AAAA..." >> ./.ssh/authorized_keys
+```
+
+3. Configure Git to use SSH:
+
+```bash
+git remote set-url origin ssh://localhost:2222/username/repo.git
+```
+
+````
+
+7. **Add Tests**:
+Create `test/testSSH.test.js`:
+
+```javascript
+const chai = require('chai');
+const net = require('net');
+const ssh2 = require('ssh2');
+
+describe('SSH Server', () => {
+  it('should accept valid SSH connections', async () => {
+    // Test implementation
+  });
+
+  it('should handle git commands over SSH', async () => {
+    // Test implementation
+  });
+});
+````
+
+8. **Security Considerations**:
+
+- Use strong host keys (RSA 4096 or Ed25519)
+- Implement rate limiting for SSH connections
+- Add logging for SSH authentication attempts
+- Consider implementing SSH key rotation
+- Add IP whitelisting if needed
+
+Would you like me to help implement any specific part of this SSH support?

config.schema.json

@@ -6,6 +6,11 @@
   "type": "object",
   "properties": {
     "proxyUrl": { "type": "string" },
+    "gitProtocol": {
+      "type": "string",
+      "enum": ["https", "ssh"],
+      "description": "The protocol to use for Git operations. Can be either 'https' or 'ssh'."
+    },
     "cookieSecret": { "type": "string" },
     "sessionMaxAgeHours": { "type": "number" },
     "api": {
@@ -78,6 +83,14 @@
           "type": "object"
         }
       }
+    },
+    "ssh": {
+      "enabled": true,
+      "port": 2222,
+      "hostKey": {
+        "privateKeyPath": "./.ssh/host_key",
+        "publicKeyPath": "./.ssh/host_key.pub"
+      }
     }
   },
   "definitions": {

git-proxy-cookie

@@ -0,0 +1 @@
+["connect.sid=s%3Ap8ObJ0cfSkTlRbuDxpEXYydtWsuJ4RHU.cU4n8tX1FDPUp5uqswp6Jwimt2rFynediybG2NSn%2BQ8; Path=/; Expires=Tue, 18 Mar 2025 00:19:15 GMT; HttpOnly"]

package-lock.json

@@ -72,7 +72,8 @@
     "react-router-dom": "6.28.2",
     "simple-git": "^3.25.0",
     "uuid": "^11.0.0",
-    "yargs": "^17.7.2"
+    "yargs": "^17.7.2",
+    "ssh2": "^1.16.0"
   },
   "devDependencies": {
     "@babel/core": "^7.23.2",

package.json

@@ -19,30 +19,35 @@ axios.defaults.timeout = 30000;
  * @param {string} password The password to use for the login
  */
 async function login(username, password) {
+  console.log('Login', { username, password, baseUrl });
   try {
-    let response = await axios.post(
-      `${baseUrl}/api/auth/login`,
-      {
-        username,
-        password,
-      },
-      {
-        headers: { 'Content-Type': 'application/json' },
-        withCredentials: true,
-      },
-    );
-    const cookies = response.headers['set-cookie'];
+    axios
+      .post(
+        `${baseUrl}/api/auth/login`,
+        {
+          username,
+          password,
+        },
+        {
+          headers: { 'Content-Type': 'application/json' },
+          withCredentials: true,
+        },
+      )
+      .then(async (response) => {
+        const cookies = response.headers['set-cookie'];
 
-    response = await axios.get(`${baseUrl}/api/auth/profile`, {
-      headers: { Cookie: cookies },
-      withCredentials: true,
-    });
+        response = await axios.get(`${baseUrl}/api/auth/profile`, {
+          headers: { Cookie: cookies },
+          withCredentials: true,
+        });
 
-    fs.writeFileSync(GIT_PROXY_COOKIE_FILE, JSON.stringify(cookies), 'utf8');
+        fs.writeFileSync(GIT_PROXY_COOKIE_FILE, JSON.stringify(cookies), 'utf8');
 
-    const user = `"${response.data.username}" <${response.data.email}>`;
-    const isAdmin = response.data.admin ? ' (admin)' : '';
-    console.log(`Login ${user}${isAdmin}: OK`);
+        const user = `"${response.data.username}" <${response.data.email}>`;
+        const isAdmin = response.data.admin ? ' (admin)' : '';
+        console.log(`Login ${user}${isAdmin}: OK`);
+      })
+      .catch((loginError) => console.error);
   } catch (error) {
     if (error.response) {
       console.error(`Error: Login '${username}': '${error.response.status}'`);
@@ -306,6 +311,60 @@ async function logout() {
   console.log('Logout: OK');
 }
 
+/**
+ * Add SSH key for a user
+ * @param {string} username The username to add the key for
+ * @param {string} keyPath Path to the public key file
+ */
+async function addSSHKey(username, keyPath) {
+  console.log('Add SSH key', { username, keyPath });
+  if (!fs.existsSync(GIT_PROXY_COOKIE_FILE)) {
+    console.error('Error: SSH key: Authentication required');
+    process.exitCode = 1;
+    return;
+  }
+
+  try {
+    const cookies = JSON.parse(fs.readFileSync(GIT_PROXY_COOKIE_FILE, 'utf8'));
+    const publicKey = fs.readFileSync(keyPath, 'utf8').trim();
+
+    console.log('Adding SSH key', { username, publicKey });
+    await axios.post(
+      `${baseUrl}/api/v1/user/${username}/ssh-keys`,
+      { publicKey },
+      {
+        headers: {
+          Cookie: cookies,
+          'Content-Type': 'application/json',
+        },
+        withCredentials: true,
+      },
+    );
+
+    console.log(`SSH key added successfully for user ${username}`);
+  } catch (error) {
+    let errorMessage = `Error: SSH key: '${error.message}'`;
+    process.exitCode = 2;
+
+    if (error.response) {
+      switch (error.response.status) {
+        case 401:
+          errorMessage = 'Error: SSH key: Authentication required';
+          process.exitCode = 3;
+          break;
+        case 404:
+          errorMessage = `Error: SSH key: User '${username}' not found`;
+          process.exitCode = 4;
+          break;
+      }
+    } else if (error.code === 'ENOENT') {
+      errorMessage = `Error: SSH key: Could not find key file at ${keyPath}`;
+      process.exitCode = 5;
+    }
+    console.error(errorMessage);
+  }
+}
+
 // Parsing command line arguments
 yargs(hideBin(process.argv))
   .command({
@@ -436,6 +495,37 @@ yargs(hideBin(process.argv))
       rejectGitPush(argv.id);
     },
   })
+  .command({
+    command: 'ssh-key',
+    describe: 'Manage SSH keys',
+    builder: {
+      action: {
+        describe: 'Action to perform (add/remove)',
+        demandOption: true,
+        type: 'string',
+        choices: ['add', 'remove'],
+      },
+      username: {
+        describe: 'Username to manage keys for',
+        demandOption: true,
+        type: 'string',
+      },
+      keyPath: {
+        describe: 'Path to the public key file',
+        demandOption: true,
+        type: 'string',
+      },
+    },
+    handler(argv) {
+      if (argv.action === 'add') {
+        addSSHKey(argv.username, argv.keyPath);
+      } else if (argv.action === 'remove') {
+        // TODO: Implement remove SSH key
+        console.error('Error: SSH key: Remove action not implemented yet');
+        process.exitCode = 1;
+      }
+    },
+  })
   .demandCommand(1, 'You need at least one command before moving on')
   .strict()
   .help().argv;

packages/git-proxy-cli/index.js

@@ -1,12 +1,18 @@
 {
   "proxyUrl": "https://github.com",
+  "gitProtocol": "https",
   "cookieSecret": "cookie secret",
   "sessionMaxAgeHours": 12,
   "tempPassword": {
     "sendEmail": false,
     "emailConfig": {}
   },
   "authorisedList": [
+    {
+      "project": "unlayer",
+      "name": "react-email-editor",
+      "url": "https://github.com/unlayer/react-email-editor.git"
+    },
     {
       "project": "finos",
       "name": "git-proxy",
@@ -96,6 +102,14 @@
   "privateOrganizations": [],
   "urlShortener": "",
   "contactEmail": "",
-  "csrfProtection": true,
-  "plugins": []
+  "csrfProtection": false,
+  "plugins": [],
+  "ssh": {
+    "enabled": true,
+    "port": 2222,
+    "hostKey": {
+      "privateKeyPath": "/Users/dcoric/.ssh/bb_rsa",
+      "publicKeyPath": "/Users/dcoric/.ssh/bb_rsa.pub"
+    }
+  }
 }