diff --git a/.gitignore b/.gitignore index 1849589c4..b1e6cbbc7 100644 --- a/.gitignore +++ b/.gitignore @@ -263,4 +263,9 @@ yarn-error.log* # Docusaurus website website/build -website/.docusaurus \ No newline at end of file +website/.docusaurus + +# IDE files +.idea + +.temp \ No newline at end of file diff --git a/SSH.md b/SSH.md new file mode 100644 index 000000000..de4cc3c6b --- /dev/null +++ b/SSH.md @@ -0,0 +1,119 @@ +### SSH Git Proxy Data Flow + +1. **Client Connection:** + + - An SSH client (e.g., `git` command line) connects to the proxy server's listening port. + - The `ssh2.Server` instance receives the connection. + +2. **Authentication:** + + - The server requests authentication (`client.on('authentication', ...)`). + - **Public Key Auth:** + - Client sends its public key. + - Proxy formats the key (`keyString = \`${keyType} ${keyData.toString('base64')}\``). + - Proxy queries the `Database` (`db.findUserBySSHKey(keyString)`). + - If a user is found, auth succeeds (`ctx.accept()`). The _public_ key info is temporarily stored (`client.userPrivateKey`). + - **Password Auth:** + - If _no_ public key was offered, the client sends username/password. + - Proxy queries the `Database` (`db.findUser(ctx.username)`). + - If user exists, proxy compares the hash (`bcrypt.compare(ctx.password, user.password)`). + - If valid, auth succeeds (`ctx.accept()`). + - **Failure:** If any auth step fails, the connection is rejected (`ctx.reject()`). + +3. **Session Ready & Command Execution:** + + - Client signals readiness (`client.on('ready', ...)`). + - Client requests a session (`client.on('session', ...)`). + - Client executes a command (`session.on('exec', ...)`), typically `git-upload-pack` or `git-receive-pack`. + - Proxy extracts the repository path from the command. + +4. **Internal Processing (Chain):** + + - The proxy constructs a simulated request object (`req`). + - It calls `chain.executeChain(req)` to apply internal rules/checks. + - **Blocked/Error:** If the chain returns an error or blocks the action, an error message is sent directly back to the client (`stream.write(...)`, `stream.end()`), and the flow stops. + +5. **Connect to Remote Git Server:** + + - If the chain allows, the proxy initiates a _new_ SSH connection (`remoteGitSsh = new Client()`) to the actual remote Git server (e.g., GitHub), using the URL from `config.getProxyUrl()`. + - **Key Selection:** + - It initially intends to use the key from `client.userPrivateKey` (captured during client auth). + - **Crucially:** Since `client.userPrivateKey` only contains the _public_ key details, the proxy cannot use it to authenticate _outbound_. + - It **defaults** to using the **proxy's own private host key** (`config.getSSHConfig().hostKey.privateKeyPath`) for the connection to the remote server. + - **Connection Options:** Sets host, port, username (`git`), timeouts, keepalives, and the selected private key. + +6. **Remote Command Execution & Data Piping:** + + - Once connected to the remote server (`remoteGitSsh.on('ready', ...)`), the proxy executes the _original_ Git command (`remoteGitSsh.exec(command, ...)`). + - The core proxying begins: + - Data from **Client -> Proxy** (`stream.on('data', ...)`): Forwarded to **Proxy -> Remote** (`remoteStream.write(data)`). + - Data from **Remote -> Proxy** (`remoteStream.on('data', ...)`): Forwarded to **Proxy -> Client** (`stream.write(data)`). + +7. **Error Handling & Fallback (Remote Connection):** + + - If the initial connection attempt to the remote fails with an authentication error (`remoteGitSsh.on('error', ...)` message includes `All configured authentication methods failed`), _and_ it was attempting to use the (incorrectly identified) client key, it will explicitly **retry** the connection using the **proxy's private key**. + - This retry logic handles the case where the initial key selection might have been ambiguous, ensuring it falls back to the guaranteed working key (the proxy's own). + - If the retry also fails, or if the error was different, the error is sent to the client (`stream.write(err.toString())`, `stream.end()`). + +8. **Stream Management & Teardown:** + - Handles `close`, `end`, `error`, and `exit` events for both client (`stream`) and remote (`remoteStream`) streams. + - Manages keepalives and timeouts for both connections. + - When the client finishes sending data (`stream.on('end', ...)`), the proxy closes the connection to the remote server (`remoteGitSsh.end()`) after a brief delay. + +### Data Flow Diagram (Sequence) + +```mermaid +sequenceDiagram + participant C as Client (Git) + participant P as Proxy Server (SSHServer) + participant DB as Database + participant R as Remote Git Server (e.g., GitHub) + + C->>P: SSH Connect + P-->>C: Request Authentication + C->>P: Send Auth (PublicKey / Password) + + alt Public Key Auth + P->>DB: Verify Public Key (findUserBySSHKey) + DB-->>P: User Found / Not Found + else Password Auth + P->>DB: Verify User/Password (findUser + bcrypt) + DB-->>P: Valid / Invalid + end + + alt Authentication Successful + P-->>C: Authentication Accepted + C->>P: Execute Git Command (e.g., git-upload-pack repo) + + P->>P: Execute Internal Chain (Check rules) + alt Chain Blocked/Error + P-->>C: Error Message + Note right of P: End Flow + else Chain Passed + P->>R: SSH Connect (using Proxy's Private Key) + R-->>P: Connection Ready + P->>R: Execute Git Command + + loop Data Transfer (Proxying) + C->>P: Git Data Packet (Client Stream) + P->>R: Forward Git Data Packet (Remote Stream) + R->>P: Git Data Packet (Remote Stream) + P->>C: Forward Git Data Packet (Client Stream) + end + + C->>P: End Client Stream + P->>R: End Remote Connection (after delay) + P-->>C: End Client Stream + R-->>P: Remote Connection Closed + C->>P: Close Client Connection + end + else Authentication Failed + P-->>C: Authentication Rejected + Note right of P: End Flow + end + +``` + +``` + +``` diff --git a/config.schema.json b/config.schema.json index 771e83d0c..a0273f39e 100644 --- a/config.schema.json +++ b/config.schema.json @@ -78,6 +78,14 @@ "type": "object" } } + }, + "ssh": { + "enabled": true, + "port": 2222, + "hostKey": { + "privateKeyPath": "./.ssh/host_key", + "publicKeyPath": "./.ssh/host_key.pub" + } } }, "definitions": { diff --git a/package-lock.json b/package-lock.json index 2c53d8a2f..7086b4deb 100644 --- a/package-lock.json +++ b/package-lock.json @@ -50,6 +50,7 @@ "react-html-parser": "^2.0.2", "react-router-dom": "6.28.2", "simple-git": "^3.25.0", + "ssh2": "^1.16.0", "uuid": "^11.0.0", "yargs": "^17.7.2" }, @@ -4196,7 +4197,6 @@ "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", - "dev": true, "license": "BSD-3-Clause", "dependencies": { "tweetnacl": "^0.14.3" @@ -4396,6 +4396,15 @@ "node": "*" } }, + "node_modules/buildcheck": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/buildcheck/-/buildcheck-0.0.6.tgz", + "integrity": "sha512-8f9ZJCUXyT1M35Jx7MkBgmBMo3oHTTBIPLiY9xyL0pl3T5RwcPEY8cUHr5LBNfu/fk6c2T4DJZuVM/8ZZT2D2A==", + "optional": true, + "engines": { + "node": ">=10.0.0" + } + }, "node_modules/bytes": { "version": "3.1.2", "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", @@ -5101,6 +5110,20 @@ "typescript": ">=5" } }, + "node_modules/cpu-features": { + "version": "0.0.10", + "resolved": "https://registry.npmjs.org/cpu-features/-/cpu-features-0.0.10.tgz", + "integrity": "sha512-9IkYqtX3YHPCzoVg1Py+o9057a3i0fp7S530UWokCSaFVTc7CwXPRiOjRjBQQ18ZCNafx78YfnG+HALxtVmOGA==", + "hasInstallScript": true, + "optional": true, + "dependencies": { + "buildcheck": "~0.0.6", + "nan": "^2.19.0" + }, + "engines": { + "node": ">=10.0.0" + } + }, "node_modules/crc-32": { "version": "1.2.2", "resolved": "https://registry.npmjs.org/crc-32/-/crc-32-1.2.2.tgz", @@ -9649,6 +9672,13 @@ "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==" }, + "node_modules/nan": { + "version": "2.22.2", + "resolved": "https://registry.npmjs.org/nan/-/nan-2.22.2.tgz", + "integrity": "sha512-DANghxFkS1plDdRsX0X9pm0Z6SJNN6gBdtXfanwoZ8hooC5gosGFSBGRYHUVPz1asKA/kMRqDRdHrluZ61SpBQ==", + "license": "MIT", + "optional": true + }, "node_modules/natural-compare": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/natural-compare/-/natural-compare-1.4.0.tgz", @@ -11745,6 +11775,23 @@ "integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==", "dev": true }, + "node_modules/ssh2": { + "version": "1.16.0", + "resolved": "https://registry.npmjs.org/ssh2/-/ssh2-1.16.0.tgz", + "integrity": "sha512-r1X4KsBGedJqo7h8F5c4Ybpcr5RjyP+aWIG007uBPRjmdQWfEiVLzSK71Zji1B9sKxwaCvD8y8cwSkYrlLiRRg==", + "hasInstallScript": true, + "dependencies": { + "asn1": "^0.2.6", + "bcrypt-pbkdf": "^1.0.2" + }, + "engines": { + "node": ">=10.16.0" + }, + "optionalDependencies": { + "cpu-features": "~0.0.10", + "nan": "^2.20.0" + } + }, "node_modules/sshpk": { "version": "1.18.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz", @@ -12297,7 +12344,6 @@ "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==", - "dev": true, "license": "Unlicense" }, "node_modules/type-check": { diff --git a/package.json b/package.json index d2f1086a9..5c4fcaffb 100644 --- a/package.json +++ b/package.json @@ -72,7 +72,8 @@ "react-router-dom": "6.28.2", "simple-git": "^3.25.0", "uuid": "^11.0.0", - "yargs": "^17.7.2" + "yargs": "^17.7.2", + "ssh2": "^1.16.0" }, "devDependencies": { "@babel/core": "^7.23.2", diff --git a/packages/git-proxy-cli/index.js b/packages/git-proxy-cli/index.js index e3c69ce8d..0febfbb9c 100755 --- a/packages/git-proxy-cli/index.js +++ b/packages/git-proxy-cli/index.js @@ -306,6 +306,60 @@ async function logout() { console.log('Logout: OK'); } +/** + * Add SSH key for a user + * @param {string} username The username to add the key for + * @param {string} keyPath Path to the public key file + */ +async function addSSHKey(username, keyPath) { + console.log('Add SSH key', { username, keyPath }); + if (!fs.existsSync(GIT_PROXY_COOKIE_FILE)) { + console.error('Error: SSH key: Authentication required'); + process.exitCode = 1; + return; + } + + try { + const cookies = JSON.parse(fs.readFileSync(GIT_PROXY_COOKIE_FILE, 'utf8')); + const publicKey = fs.readFileSync(keyPath, 'utf8').trim(); + + console.log('Adding SSH key', { username, publicKey }); + await axios.post( + `${baseUrl}/api/v1/user/${username}/ssh-keys`, + { publicKey }, + { + headers: { + Cookie: cookies, + 'Content-Type': 'application/json', + }, + withCredentials: true, + }, + ); + + console.log(`SSH key added successfully for user ${username}`); + } catch (error) { + let errorMessage = `Error: SSH key: '${error.message}'`; + process.exitCode = 2; + + if (error.response) { + switch (error.response.status) { + case 401: + errorMessage = 'Error: SSH key: Authentication required'; + process.exitCode = 3; + break; + case 404: + errorMessage = `Error: SSH key: User '${username}' not found`; + process.exitCode = 4; + break; + } + } else if (error.code === 'ENOENT') { + errorMessage = `Error: SSH key: Could not find key file at ${keyPath}`; + process.exitCode = 5; + } + console.error(errorMessage); + } +} + // Parsing command line arguments yargs(hideBin(process.argv)) .command({ @@ -436,6 +490,37 @@ yargs(hideBin(process.argv)) rejectGitPush(argv.id); }, }) + .command({ + command: 'ssh-key', + describe: 'Manage SSH keys', + builder: { + action: { + describe: 'Action to perform (add/remove)', + demandOption: true, + type: 'string', + choices: ['add', 'remove'], + }, + username: { + describe: 'Username to manage keys for', + demandOption: true, + type: 'string', + }, + keyPath: { + describe: 'Path to the public key file', + demandOption: true, + type: 'string', + }, + }, + handler(argv) { + if (argv.action === 'add') { + addSSHKey(argv.username, argv.keyPath); + } else if (argv.action === 'remove') { + // TODO: Implement remove SSH key + console.error('Error: SSH key: Remove action not implemented yet'); + process.exitCode = 1; + } + }, + }) .demandCommand(1, 'You need at least one command before moving on') .strict() .help().argv; diff --git a/proxy.config.json b/proxy.config.json index 14d016e4d..d1761222d 100644 --- a/proxy.config.json +++ b/proxy.config.json @@ -97,5 +97,13 @@ "urlShortener": "", "contactEmail": "", "csrfProtection": true, - "plugins": [] + "plugins": [], + "ssh": { + "enabled": true, + "port": 2222, + "hostKey": { + "privateKeyPath": ".ssh/id_rsa", + "publicKeyPath": ".ssh/id_rsa.pub" + } + } } diff --git a/src/cli/ssh-key.js b/src/cli/ssh-key.js new file mode 100755 index 000000000..fa2c5f5b8 --- /dev/null +++ b/src/cli/ssh-key.js @@ -0,0 +1,122 @@ +#!/usr/bin/env node + +const fs = require('fs'); +const path = require('path'); +const axios = require('axios'); + +const API_BASE_URL = process.env.GIT_PROXY_API_URL || 'http://localhost:3000'; +const GIT_PROXY_COOKIE_FILE = path.join( + process.env.HOME || process.env.USERPROFILE, + '.git-proxy-cookies.json', +); + +async function addSSHKey(username, keyPath) { + try { + // Check for authentication + if (!fs.existsSync(GIT_PROXY_COOKIE_FILE)) { + console.error('Error: Authentication required. Please run "yarn cli login" first.'); + process.exit(1); + } + + // Read the cookies + const cookies = JSON.parse(fs.readFileSync(GIT_PROXY_COOKIE_FILE, 'utf8')); + + // Read the public key file + const publicKey = fs.readFileSync(keyPath, 'utf8').trim(); + console.log('Read public key:', publicKey); + + // Validate the key format + if (!publicKey.startsWith('ssh-')) { + console.error('Invalid SSH key format. The key should start with "ssh-"'); + process.exit(1); + } + + console.log('Making API request to:', `${API_BASE_URL}/api/v1/user/${username}/ssh-keys`); + // Make the API request + await axios.post( + `${API_BASE_URL}/api/v1/user/${username}/ssh-keys`, + { publicKey }, + { + withCredentials: true, + headers: { + 'Content-Type': 'application/json', + Cookie: cookies, + }, + }, + ); + + console.log('SSH key added successfully!'); + } catch (error) { + console.error('Full error:', error); + if (error.response) { + console.error('Response error:', error.response.data); + console.error('Response status:', error.response.status); + } else if (error.code === 'ENOENT') { + console.error(`Error: Could not find SSH key file at ${keyPath}`); + } else { + console.error('Error:', error.message); + } + process.exit(1); + } +} + +async function removeSSHKey(username, keyPath) { + try { + // Check for authentication + if (!fs.existsSync(GIT_PROXY_COOKIE_FILE)) { + console.error('Error: Authentication required. Please run "yarn cli login" first.'); + process.exit(1); + } + + // Read the cookies + const cookies = JSON.parse(fs.readFileSync(GIT_PROXY_COOKIE_FILE, 'utf8')); + + // Read the public key file + const publicKey = fs.readFileSync(keyPath, 'utf8').trim(); + + // Make the API request + await axios.delete(`${API_BASE_URL}/api/v1/user/${username}/ssh-keys`, { + data: { publicKey }, + withCredentials: true, + headers: { + 'Content-Type': 'application/json', + Cookie: cookies, + }, + }); + + console.log('SSH key removed successfully!'); + } catch (error) { + if (error.response) { + console.error('Error:', error.response.data.error); + } else if (error.code === 'ENOENT') { + console.error(`Error: Could not find SSH key file at ${keyPath}`); + } else { + console.error('Error:', error.message); + } + process.exit(1); + } +} + +// Parse command line arguments +const args = process.argv.slice(2); +const command = args[0]; +const username = args[1]; +const keyPath = args[2]; + +if (!command || !username || !keyPath) { + console.log(` +Usage: + Add SSH key: node ssh-key.js add + Remove SSH key: node ssh-key.js remove + `); + process.exit(1); +} + +if (command === 'add') { + addSSHKey(username, keyPath); +} else if (command === 'remove') { + removeSSHKey(username, keyPath); +} else { + console.error('Invalid command. Use "add" or "remove"'); + process.exit(1); +} diff --git a/src/config/index.js b/src/config/index.js index 78184d413..6d4e8bc03 100644 --- a/src/config/index.js +++ b/src/config/index.js @@ -25,6 +25,7 @@ let _urlShortener = defaultSettings.urlShortener; let _contactEmail = defaultSettings.contactEmail; let _csrfProtection = defaultSettings.csrfProtection; let _domains = defaultSettings.domains; +let _sshConfig = defaultSettings.ssh; // Get configured proxy URL const getProxyUrl = () => { @@ -35,6 +36,10 @@ const getProxyUrl = () => { return _proxyUrl; }; +const getSSHProxyUrl = () => { + return getProxyUrl().replace('https://', 'git@'); +}; + // Gets a list of authorised repositories const getAuthorisedList = () => { if (_userSettings !== null && _userSettings.authorisedList) { @@ -197,8 +202,16 @@ const getDomains = () => { return _domains; }; +const getSSHConfig = () => { + if (_userSettings !== null && _userSettings.ssh) { + _sshConfig = _userSettings.ssh; + } + return _sshConfig; +}; + exports.getAPIs = getAPIs; exports.getProxyUrl = getProxyUrl; +exports.getSSHProxyUrl = getSSHProxyUrl; exports.getAuthorisedList = getAuthorisedList; exports.getDatabase = getDatabase; exports.logConfiguration = logConfiguration; @@ -216,3 +229,4 @@ exports.getPlugins = getPlugins; exports.getSSLKeyPath = getSSLKeyPath; exports.getSSLCertPath = getSSLCertPath; exports.getDomains = getDomains; +exports.getSSHConfig = getSSHConfig; diff --git a/src/db/file/index.js b/src/db/file/index.js index 03dd8ecf0..7e84812f6 100644 --- a/src/db/file/index.js +++ b/src/db/file/index.js @@ -17,6 +17,9 @@ module.exports.getUsers = users.getUsers; module.exports.createUser = users.createUser; module.exports.deleteUser = users.deleteUser; module.exports.updateUser = users.updateUser; +module.exports.addPublicKey = users.addPublicKey; +module.exports.removePublicKey = users.removePublicKey; +module.exports.findUserBySSHKey = users.findUserBySSHKey; module.exports.getRepos = repo.getRepos; module.exports.getRepo = repo.getRepo; diff --git a/src/db/file/users.js b/src/db/file/users.js index 2661006af..922354e9b 100644 --- a/src/db/file/users.js +++ b/src/db/file/users.js @@ -39,6 +39,9 @@ exports.findUserByOIDC = function (oidcId) { }; exports.createUser = function (data) { + if (!data.publicKeys) { + data.publicKeys = []; + } return new Promise((resolve, reject) => { db.insert(data, (err) => { if (err) { @@ -63,6 +66,9 @@ exports.deleteUser = function (username) { }; exports.updateUser = function (user) { + if (!user.publicKeys) { + user.publicKeys = []; + } return new Promise((resolve, reject) => { const options = { multi: false, upsert: false }; db.update({ username: user.username }, user, options, (err) => { @@ -87,3 +93,63 @@ exports.getUsers = function (query) { }); }); }; + +exports.addPublicKey = function (username, publicKey) { + return new Promise((resolve, reject) => { + exports + .findUser(username) + .then((user) => { + if (!user) { + reject(new Error('User not found')); + return; + } + if (!user.publicKeys) { + user.publicKeys = []; + } + if (!user.publicKeys.includes(publicKey)) { + user.publicKeys.push(publicKey); + exports.updateUser(user).then(resolve).catch(reject); + } else { + resolve(); + } + }) + .catch(reject); + }); +}; + +exports.removePublicKey = function (username, publicKey) { + return new Promise((resolve, reject) => { + exports + .findUser(username) + .then((user) => { + if (!user) { + reject(new Error('User not found')); + return; + } + if (!user.publicKeys) { + user.publicKeys = []; + resolve(); + return; + } + user.publicKeys = user.publicKeys.filter((key) => key !== publicKey); + exports.updateUser(user).then(resolve).catch(reject); + }) + .catch(reject); + }); +}; + +exports.findUserBySSHKey = function (sshKey) { + return new Promise((resolve, reject) => { + db.findOne({ publicKeys: sshKey }, (err, doc) => { + if (err) { + reject(err); + } else { + if (!doc) { + resolve(null); + } else { + resolve(doc); + } + } + }); + }); +}; diff --git a/src/db/index.js b/src/db/index.js index ed2c13524..ef97fa32b 100644 --- a/src/db/index.js +++ b/src/db/index.js @@ -83,3 +83,6 @@ module.exports.canUserApproveRejectPushRepo = sink.canUserApproveRejectPushRepo; module.exports.canUserApproveRejectPush = sink.canUserApproveRejectPush; module.exports.canUserCancelPush = sink.canUserCancelPush; module.exports.getSessionStore = sink.getSessionStore; +module.exports.addPublicKey = sink.addPublicKey; +module.exports.removePublicKey = sink.removePublicKey; +module.exports.findUserBySSHKey = sink.findUserBySSHKey; diff --git a/src/db/mongo/index.js b/src/db/mongo/index.js index d8687f30c..4fabd914f 100644 --- a/src/db/mongo/index.js +++ b/src/db/mongo/index.js @@ -17,6 +17,9 @@ module.exports.getUsers = users.getUsers; module.exports.createUser = users.createUser; module.exports.deleteUser = users.deleteUser; module.exports.updateUser = users.updateUser; +module.exports.addPublicKey = users.addPublicKey; +module.exports.removePublicKey = users.removePublicKey; +module.exports.findUserBySSHKey = users.findUserBySSHKey; module.exports.getRepos = repo.getRepos; module.exports.getRepo = repo.getRepo; diff --git a/src/db/mongo/users.js b/src/db/mongo/users.js index c93977694..cdf64be53 100644 --- a/src/db/mongo/users.js +++ b/src/db/mongo/users.js @@ -19,13 +19,40 @@ exports.deleteUser = async function (username) { exports.createUser = async function (data) { data.username = data.username.toLowerCase(); + if (!data.publicKeys) { + data.publicKeys = []; + } const collection = await connect(usersCollection); return collection.insertOne(data); }; exports.updateUser = async (user) => { user.username = user.username.toLowerCase(); + if (!user.publicKeys) { + user.publicKeys = []; + } const options = { upsert: true }; const collection = await connect(usersCollection); await collection.updateOne({ username: user.username }, { $set: user }, options); }; + +exports.addPublicKey = async (username, publicKey) => { + const collection = await connect(usersCollection); + return collection.updateOne( + { username: username.toLowerCase() }, + { $addToSet: { publicKeys: publicKey } }, + ); +}; + +exports.removePublicKey = async (username, publicKey) => { + const collection = await connect(usersCollection); + return collection.updateOne( + { username: username.toLowerCase() }, + { $pull: { publicKeys: publicKey } }, + ); +}; + +exports.findUserBySSHKey = async function (sshKey) { + const collection = await connect(usersCollection); + return collection.findOne({ publicKeys: { $eq: sshKey } }); +}; diff --git a/src/proxy/actions/Action.js b/src/proxy/actions/Action.js index ba34f2938..37e2b56a8 100644 --- a/src/proxy/actions/Action.js +++ b/src/proxy/actions/Action.js @@ -23,6 +23,7 @@ class Action { author; user; attestation; + protocol = 'https'; /** * diff --git a/src/proxy/index.js b/src/proxy/index.js index d4e8e3f93..084e1a860 100644 --- a/src/proxy/index.js +++ b/src/proxy/index.js @@ -11,6 +11,7 @@ const { PluginLoader } = require('../plugin'); const chain = require('./chain'); const { GIT_PROXY_SERVER_PORT: proxyHttpPort } = require('../config/env').Vars; const { GIT_PROXY_HTTPS_SERVER_PORT: proxyHttpsPort } = require('../config/env').Vars; +const SSHServer = require('./ssh/server'); const options = { inflate: true, @@ -37,6 +38,12 @@ const proxyPreparations = async () => { await db.addUserCanAuthorise(x.name, 'admin'); } }); + + // Initialize SSH server if enabled + if (config.getSSHConfig().enabled) { + const sshServer = new SSHServer(); + sshServer.start(); + } }; // just keep this async incase it needs async stuff in the future diff --git a/src/proxy/processors/pre-processor/parseAction.js b/src/proxy/processors/pre-processor/parseAction.js index b10f0372b..d6bf1ae0c 100644 --- a/src/proxy/processors/pre-processor/parseAction.js +++ b/src/proxy/processors/pre-processor/parseAction.js @@ -6,18 +6,21 @@ const exec = async (req) => { const repoName = getRepoNameFromUrl(req.originalUrl); const paths = req.originalUrl.split('/'); - let type = 'default'; + // Determine protocol based on request source + const protocol = req.isSSH ? 'ssh' : 'https'; + let type = `${protocol}-default`; if (paths[paths.length - 1].endsWith('git-upload-pack') && req.method == 'GET') { - type = 'pull'; + type = `${protocol}-pull`; } if ( paths[paths.length - 1] == 'git-receive-pack' && req.method == 'POST' && req.headers['content-type'] == 'application/x-git-receive-pack-request' ) { - type = 'push'; + type = `${protocol}-push`; } + return new actions.Action(id, type, req.method, timestamp, repoName); }; diff --git a/src/proxy/processors/push-action/pullRemote.js b/src/proxy/processors/push-action/pullRemote.js index cafb4fc7f..c548f817e 100644 --- a/src/proxy/processors/push-action/pullRemote.js +++ b/src/proxy/processors/push-action/pullRemote.js @@ -3,6 +3,7 @@ const fs = require('fs'); const dir = './.remote'; const git = require('isomorphic-git'); const gitHttpClient = require('isomorphic-git/http/node'); +const { execSync } = require('child_process'); const exec = async (req, action) => { const step = new Step('pullRemote'); @@ -20,30 +21,40 @@ const exec = async (req, action) => { fs.mkdirSync(action.proxyGitPath, '0755', true); } - const cmd = `git clone ${action.url}`; - step.log(`Exectuting ${cmd}`); + let cloneUrl = action.url; - const authHeader = req.headers?.authorization; - const [username, password] = Buffer.from(authHeader.split(' ')[1], 'base64') - .toString() - .split(':'); + if (action.protocol === 'ssh') { + // Convert HTTPS URL to SSH URL + cloneUrl = action.url.replace('https://', 'git@'); + const cmd = `git clone ${cloneUrl}`; + step.log(`Executing ${cmd}`); - await git - .clone({ + // Use native git command with SSH + execSync(cmd, { + cwd: action.proxyGitPath, + stdio: 'pipe', + }); + } else { + // Use HTTPS with isomorphic-git + const authHeader = req.headers?.authorization; + const [username, password] = Buffer.from(authHeader.split(' ')[1], 'base64') + .toString() + .split(':'); + await git.clone({ fs, http: gitHttpClient, - url: action.url, + url: cloneUrl, onAuth: () => ({ username, password, }), dir: `${action.proxyGitPath}/${action.repoName}`, }); + } + console.log('Clone Success: ', cloneUrl); - console.log('Clone Success: ', action.url); - - step.log(`Completed ${cmd}`); - step.setContent(`Completed ${cmd}`); + step.log(`Completed clone for ${cloneUrl}`); + step.setContent(`Completed clone for ${cloneUrl}`); } catch (e) { step.setError(e.toString('utf-8')); throw e; diff --git a/src/proxy/routes/index.js b/src/proxy/routes/index.js index 1ef84bcb5..c2cca7fea 100644 --- a/src/proxy/routes/index.js +++ b/src/proxy/routes/index.js @@ -45,6 +45,14 @@ const validGitRequest = (url, headers) => { return false; }; +// Add function to convert SSH URL to HTTPS +const convertSshToHttps = (url) => { + if (url.startsWith('git@github.com:')) { + return url.replace('git@github.com:', 'https://github.com/'); + } + return url; +}; + router.use( '/', proxy(config.getProxyUrl(), { @@ -102,7 +110,7 @@ router.use( } }, proxyReqPathResolver: (req) => { - const url = config.getProxyUrl() + req.originalUrl; + const url = convertSshToHttps(config.getProxyUrl()) + req.originalUrl; console.log('Sending request to ' + url); return url; }, diff --git a/src/proxy/ssh/server.js b/src/proxy/ssh/server.js new file mode 100644 index 000000000..48ced1a0b --- /dev/null +++ b/src/proxy/ssh/server.js @@ -0,0 +1,684 @@ +const ssh2 = require('ssh2'); +const config = require('../../config'); +const chain = require('../chain'); +const db = require('../../db'); + +class SSHServer { + constructor() { + this.server = new ssh2.Server( + { + hostKeys: [require('fs').readFileSync(config.getSSHConfig().hostKey.privateKeyPath)], + authMethods: ['publickey', 'password'], + // Increase connection timeout and keepalive settings + keepaliveInterval: 5000, // More frequent keepalive + keepaliveCountMax: 10, // Allow more keepalive attempts + readyTimeout: 30000, // Longer ready timeout + debug: (msg) => { + console.debug('[SSH Debug]', msg); + }, + }, + this.handleClient.bind(this), + ); + } + + async handleClient(client) { + console.log('[SSH] Client connected'); + + // Set up client error handling + client.on('error', (err) => { + console.error('[SSH] Client error:', err); + // Don't end the connection on error, let it try to recover + }); + + // Handle client end + client.on('end', () => { + console.log('[SSH] Client disconnected'); + }); + + // Handle client close + client.on('close', () => { + console.log('[SSH] Client connection closed'); + }); + + // Handle keepalive requests + client.on('global request', (accept, reject, info) => { + console.log('[SSH] Global request:', info); + if (info.type === 'keepalive@openssh.com') { + console.log('[SSH] Accepting keepalive request'); + // Always accept keepalive requests to prevent connection drops + accept(); + } else { + console.log('[SSH] Rejecting unknown global request:', info.type); + reject(); + } + }); + + // Set up keepalive timer + let keepaliveTimer = null; + const startKeepalive = () => { + if (keepaliveTimer) { + clearInterval(keepaliveTimer); + } + keepaliveTimer = setInterval(() => { + if (client.connected) { + console.log('[SSH] Sending keepalive'); + try { + client.ping(); + } catch (error) { + console.error('[SSH] Error sending keepalive:', error); + // Don't clear the timer on error, let it try again + } + } else { + console.log('[SSH] Client disconnected, clearing keepalive'); + clearInterval(keepaliveTimer); + keepaliveTimer = null; + } + }, 5000); // More frequent keepalive + }; + + // Start keepalive when client is ready + client.on('ready', () => { + console.log('[SSH] Client ready, starting keepalive'); + startKeepalive(); + }); + + // Clean up keepalive on client end + client.on('end', () => { + console.log('[SSH] Client disconnected'); + if (keepaliveTimer) { + clearInterval(keepaliveTimer); + keepaliveTimer = null; + } + }); + + client.on('authentication', async (ctx) => { + console.log(`[SSH] Authentication attempt: ${ctx.method}`); + + if (ctx.method === 'publickey') { + try { + console.log(`[SSH] CTX KEY: ${JSON.stringify(ctx.key)}`); + // Get the key type and key data + const keyType = ctx.key.algo; + const keyData = ctx.key.data; + + // Format the key in the same way as stored in user's publicKeys (without comment) + const keyString = `${keyType} ${keyData.toString('base64')}`; + + console.log(`[SSH] Attempting public key authentication with key: ${keyString}`); + + // Find user by SSH key + const user = await db.findUserBySSHKey(keyString); + if (!user) { + console.log('[SSH] No user found with this SSH key'); + ctx.reject(); + return; + } + + console.log(`[SSH] Public key authentication successful for user ${user.username}`); + client.username = user.username; + // Store the user's private key for later use with GitHub + client.userPrivateKey = { + algo: ctx.key.algo, + data: ctx.key.data, + comment: ctx.key.comment || '', + }; + console.log( + `[SSH] Stored key info - Algorithm: ${ctx.key.algo}, Data length: ${ctx.key.data.length}, Data type: ${typeof ctx.key.data}`, + ); + if (Buffer.isBuffer(ctx.key.data)) { + console.log('[SSH] Key data is a Buffer'); + } + ctx.accept(); + } catch (error) { + console.error('[SSH] Error during public key authentication:', error); + // Let the client try the next key + ctx.reject(); + } + } else if (ctx.method === 'password') { + // Only try password authentication if no public key was provided + if (!ctx.key) { + try { + const user = await db.findUser(ctx.username); + if (user && user.password) { + const bcrypt = require('bcryptjs'); + const isValid = await bcrypt.compare(ctx.password, user.password); + if (isValid) { + console.log(`[SSH] Password authentication successful for user ${ctx.username}`); + ctx.accept(); + } else { + console.log(`[SSH] Password authentication failed for user ${ctx.username}`); + ctx.reject(); + } + } else { + console.log(`[SSH] User ${ctx.username} not found or no password set`); + ctx.reject(); + } + } catch (error) { + console.error('[SSH] Error during password authentication:', error); + ctx.reject(); + } + } else { + console.log('[SSH] Password authentication attempted but public key was provided'); + ctx.reject(); + } + } else { + console.log(`Unsupported authentication method: ${ctx.method}`); + ctx.reject(); + } + }); + + client.on('ready', () => { + console.log(`[SSH] Client ready: ${client.username}`); + client.on('session', this.handleSession.bind(this)); + }); + } + + async handleSession(accept, reject) { + const session = accept(); + session.on('exec', async (accept, reject, info) => { + const stream = accept(); + const command = info.command; + + // Parse Git command + console.log('[SSH] Command', command); + if (command.startsWith('git-')) { + // Extract the repository path from the command + // Remove quotes and 'git-' prefix, then trim any leading/trailing slashes + const repoPath = command + .replace('git-upload-pack', '') + .replace('git-receive-pack', '') + .replace(/^['"]|['"]$/g, '') + .replace(/^\/+|\/+$/g, ''); + + const req = { + method: command.startsWith('git-upload-pack') ? 'GET' : 'POST', + originalUrl: repoPath, + isSSH: true, + headers: { + 'user-agent': 'git/2.0.0', + 'content-type': command.startsWith('git-receive-pack') + ? 'application/x-git-receive-pack-request' + : undefined, + }, + }; + + try { + console.log('[SSH] Executing chain', req); + const action = await chain.executeChain(req); + + console.log('[SSH] Action', action); + + if (action.error || action.blocked) { + // If there's an error or the action is blocked, send the error message + console.log( + '[SSH] Action error or blocked', + action.errorMessage || action.blockedMessage, + ); + stream.write(action.errorMessage || action.blockedMessage); + stream.end(); + return; + } + + // Create SSH connection to GitHub using the Client approach + const { Client } = require('ssh2'); + const remoteGitSsh = new Client(); + + console.log('[SSH] Creating SSH connection to remote'); + + // Get remote host from config + const remoteUrl = new URL(config.getProxyUrl()); + + // Set up connection options + const connectionOptions = { + host: remoteUrl.hostname, + port: 22, + username: 'git', + readyTimeout: 30000, + tryKeyboard: false, + debug: (msg) => { + console.debug('[GitHub SSH Debug]', msg); + }, + // Increase keepalive settings for remote connection + keepaliveInterval: 5000, + keepaliveCountMax: 10, + // Increase buffer sizes for large transfers + windowSize: 1024 * 1024, // 1MB window size + packetSize: 32768, // 32KB packet size + }; + + // Get the client's SSH key that was used for authentication + const clientKey = session._channel._client.userPrivateKey; + console.log('[SSH] Client key:', clientKey ? 'Available' : 'Not available'); + + // Add the private key based on what's available + if (clientKey) { + console.log('[SSH] Using client key to connect to remote' + JSON.stringify(clientKey)); + // Check if the key is in the correct format + if (typeof clientKey === 'object' && clientKey.algo && clientKey.data) { + // We need to use the private key, not the public key data + // Since we only have the public key from authentication, we'll use the proxy key + console.log('[SSH] Only have public key data, using proxy key instead'); + connectionOptions.privateKey = require('fs').readFileSync( + config.getSSHConfig().hostKey.privateKeyPath, + ); + } else if (Buffer.isBuffer(clientKey)) { + // The key is a buffer, use it directly + connectionOptions.privateKey = clientKey; + console.log('[SSH] Using client key buffer directly'); + } else { + // Try to convert the key to a buffer if it's a string + try { + connectionOptions.privateKey = Buffer.from(clientKey); + console.log('[SSH] Converted client key to buffer'); + } catch (error) { + console.error('[SSH] Failed to convert client key to buffer:', error); + // Fall back to the proxy key + connectionOptions.privateKey = require('fs').readFileSync( + config.getSSHConfig().hostKey.privateKeyPath, + ); + console.log('[SSH] Falling back to proxy key'); + } + } + } else { + console.log('[SSH] No client key available, using proxy key'); + connectionOptions.privateKey = require('fs').readFileSync( + config.getSSHConfig().hostKey.privateKeyPath, + ); + } + + // Log the key type for debugging + if (connectionOptions.privateKey) { + if ( + typeof connectionOptions.privateKey === 'object' && + connectionOptions.privateKey.algo + ) { + console.log(`[SSH] Key algo: ${connectionOptions.privateKey.algo}`); + } else if (Buffer.isBuffer(connectionOptions.privateKey)) { + console.log( + `[SSH] Key is a buffer of length: ${connectionOptions.privateKey.length}`, + ); + } else { + console.log(`[SSH] Key is of type: ${typeof connectionOptions.privateKey}`); + } + } + + // Set up event handlers + remoteGitSsh.on('ready', () => { + console.log('[SSH] Connected to remote'); + + // Execute the Git command on remote + remoteGitSsh.exec( + command, + { + env: { + GIT_PROTOCOL: 'version=2', + GIT_TERMINAL_PROMPT: '0', + }, + }, + (err, remoteStream) => { + if (err) { + console.error('[SSH] Failed to execute command on remote:', err); + stream.write(err.toString()); + stream.end(); + return; + } + + // Handle stream errors + remoteStream.on('error', (err) => { + console.error('[SSH] Remote stream error:', err); + // Don't immediately end the stream on error, try to recover + if ( + err.message.includes('early EOF') || + err.message.includes('unexpected disconnect') + ) { + console.log( + '[SSH] Detected early EOF or unexpected disconnect, attempting to recover', + ); + // Try to keep the connection alive + if (remoteGitSsh.connected) { + console.log('[SSH] Connection still active, continuing'); + // Don't end the stream, let it try to recover + return; + } + } + // If we can't recover, then end the stream + stream.write(err.toString()); + stream.end(); + }); + + // Pipe data between client and remote + stream.on('data', (data) => { + console.debug('[SSH] Client -> Remote:', data.toString().slice(0, 100)); + try { + remoteStream.write(data); + } catch (error) { + console.error('[SSH] Error writing to remote stream:', error); + // Don't end the stream on error, let it try to recover + } + }); + + remoteStream.on('data', (data) => { + console.debug('[SSH] Remote -> Client:', data.toString().slice(0, 100)); + try { + stream.write(data); + } catch (error) { + console.error('[SSH] Error writing to client stream:', error); + // Don't end the stream on error, let it try to recover + } + }); + + remoteStream.on('end', () => { + console.log('[SSH] Remote stream ended'); + stream.exit(0); + stream.end(); + }); + + // Handle stream close + remoteStream.on('close', () => { + console.log('[SSH] Remote stream closed'); + // Don't end the client stream immediately, let Git protocol complete + // Check if we're in the middle of a large transfer + if (stream.readable && !stream.destroyed) { + console.log('[SSH] Stream still readable, not ending client stream'); + // Let the client end the stream when it's done + } else { + console.log('[SSH] Stream not readable or destroyed, ending client stream'); + stream.end(); + } + }); + + remoteStream.on('exit', (code) => { + console.log(`[SSH] Remote command exited with code ${code}`); + if (code !== 0) { + console.error(`[SSH] Remote command failed with code ${code}`); + } + // Don't end the connection here, let the client end it + }); + + // Handle client stream end + stream.on('end', () => { + console.log('[SSH] Client stream ended'); + // End the SSH connection after a short delay to allow cleanup + setTimeout(() => { + console.log('[SSH] Ending SSH connection after client stream end'); + remoteGitSsh.end(); + }, 1000); // Increased delay to ensure all data is processed + }); + + // Handle client stream error + stream.on('error', (err) => { + console.error('[SSH] Client stream error:', err); + // Don't immediately end the connection on error, try to recover + if ( + err.message.includes('early EOF') || + err.message.includes('unexpected disconnect') + ) { + console.log( + '[SSH] Detected early EOF or unexpected disconnect on client side, attempting to recover', + ); + // Try to keep the connection alive + if (remoteGitSsh.connected) { + console.log('[SSH] Connection still active, continuing'); + // Don't end the connection, let it try to recover + return; + } + } + // If we can't recover, then end the connection + remoteGitSsh.end(); + }); + + // Handle connection end + remoteGitSsh.on('end', () => { + console.log('[SSH] Remote connection ended'); + }); + + // Handle connection close + remoteGitSsh.on('close', () => { + console.log('[SSH] Remote connection closed'); + }); + + // Add a timeout to ensure the connection is closed if it hangs + const connectionTimeout = setTimeout(() => { + console.log('[SSH] Connection timeout, ending connection'); + remoteGitSsh.end(); + }, 300000); // 5 minutes timeout for large repositories + + // Clear the timeout when the connection is closed + remoteGitSsh.on('close', () => { + clearTimeout(connectionTimeout); + }); + }, + ); + }); + + remoteGitSsh.on('error', (err) => { + console.error('[SSH] Remote SSH error:', err); + + // If authentication failed and we're using the client key, try with the proxy key + if ( + err.message.includes('All configured authentication methods failed') && + clientKey && + connectionOptions.privateKey !== + require('fs').readFileSync(config.getSSHConfig().hostKey.privateKeyPath) + ) { + console.log('[SSH] Authentication failed with client key, trying with proxy key'); + + // Create a new connection with the proxy key + const proxyGitSsh = new Client(); + + // Set up connection options with proxy key + const proxyConnectionOptions = { + ...connectionOptions, + privateKey: require('fs').readFileSync( + config.getSSHConfig().hostKey.privateKeyPath, + ), + // Ensure these settings are explicitly set for the proxy connection + windowSize: 1024 * 1024, // 1MB window size + packetSize: 32768, // 32KB packet size + keepaliveInterval: 5000, + keepaliveCountMax: 10, + }; + + // Set up event handlers for the proxy connection + proxyGitSsh.on('ready', () => { + console.log('[SSH] Connected to remote with proxy key'); + + // Execute the Git command on remote + proxyGitSsh.exec( + command, + { env: { GIT_PROTOCOL: 'version=2' } }, + (err, remoteStream) => { + if (err) { + console.error( + '[SSH] Failed to execute command on remote with proxy key:', + err, + ); + stream.write(err.toString()); + stream.end(); + return; + } + + // Handle stream errors + remoteStream.on('error', (err) => { + console.error('[SSH] Remote stream error with proxy key:', err); + // Don't immediately end the stream on error, try to recover + if ( + err.message.includes('early EOF') || + err.message.includes('unexpected disconnect') + ) { + console.log( + '[SSH] Detected early EOF or unexpected disconnect with proxy key, attempting to recover', + ); + // Try to keep the connection alive + if (proxyGitSsh.connected) { + console.log('[SSH] Connection still active with proxy key, continuing'); + // Don't end the stream, let it try to recover + return; + } + } + // If we can't recover, then end the stream + stream.write(err.toString()); + stream.end(); + }); + + // Pipe data between client and remote + stream.on('data', (data) => { + console.debug('[SSH] Client -> Remote:', data.toString().slice(0, 100)); + try { + remoteStream.write(data); + } catch (error) { + console.error( + '[SSH] Error writing to remote stream with proxy key:', + error, + ); + // Don't end the stream on error, let it try to recover + } + }); + + remoteStream.on('data', (data) => { + console.debug('[SSH] Remote -> Client:', data.toString().slice(0, 20)); + try { + stream.write(data); + } catch (error) { + console.error( + '[SSH] Error writing to client stream with proxy key:', + error, + ); + // Don't end the stream on error, let it try to recover + } + }); + + // Handle stream close + remoteStream.on('close', () => { + console.log('[SSH] Remote stream closed with proxy key'); + // Don't end the client stream immediately, let Git protocol complete + // Check if we're in the middle of a large transfer + if (stream.readable && !stream.destroyed) { + console.log( + '[SSH] Stream still readable with proxy key, not ending client stream', + ); + // Let the client end the stream when it's done + } else { + console.log( + '[SSH] Stream not readable or destroyed with proxy key, ending client stream', + ); + stream.end(); + } + }); + + remoteStream.on('exit', (code) => { + console.log(`[SSH] Remote command exited with code ${code} using proxy key`); + // Don't end the connection here, let the client end it + }); + + // Handle client stream end + stream.on('end', () => { + console.log('[SSH] Client stream ended with proxy key'); + // End the SSH connection after a short delay to allow cleanup + setTimeout(() => { + console.log( + '[SSH] Ending SSH connection after client stream end with proxy key', + ); + proxyGitSsh.end(); + }, 1000); // Increased delay to ensure all data is processed + }); + + // Handle client stream error + stream.on('error', (err) => { + console.error('[SSH] Client stream error with proxy key:', err); + // Don't immediately end the connection on error, try to recover + if ( + err.message.includes('early EOF') || + err.message.includes('unexpected disconnect') + ) { + console.log( + '[SSH] Detected early EOF or unexpected disconnect on client side with proxy key, attempting to recover', + ); + // Try to keep the connection alive + if (proxyGitSsh.connected) { + console.log('[SSH] Connection still active with proxy key, continuing'); + // Don't end the connection, let it try to recover + return; + } + } + // If we can't recover, then end the connection + proxyGitSsh.end(); + }); + + // Handle remote stream error + remoteStream.on('error', (err) => { + console.error('[SSH] Remote stream error with proxy key:', err); + // Don't end the client stream immediately, let Git protocol complete + }); + + // Handle connection end + proxyGitSsh.on('end', () => { + console.log('[SSH] Remote connection ended with proxy key'); + }); + + // Handle connection close + proxyGitSsh.on('close', () => { + console.log('[SSH] Remote connection closed with proxy key'); + }); + + // Add a timeout to ensure the connection is closed if it hangs + const proxyConnectionTimeout = setTimeout(() => { + console.log('[SSH] Connection timeout with proxy key, ending connection'); + proxyGitSsh.end(); + }, 300000); // 5 minutes timeout for large repositories + + // Clear the timeout when the connection is closed + proxyGitSsh.on('close', () => { + clearTimeout(proxyConnectionTimeout); + }); + }, + ); + }); + + proxyGitSsh.on('error', (err) => { + console.error('[SSH] Remote SSH error with proxy key:', err); + stream.write(err.toString()); + stream.end(); + }); + + // Connect to remote with proxy key + proxyGitSsh.connect(proxyConnectionOptions); + } else { + // If we're already using the proxy key or it's a different error, just end the stream + stream.write(err.toString()); + stream.end(); + } + }); + + // Connect to remote + console.log('[SSH] Attempting connection with options:', { + host: connectionOptions.host, + port: connectionOptions.port, + username: connectionOptions.username, + algorithms: connectionOptions.algorithms, + privateKeyType: typeof connectionOptions.privateKey, + privateKeyIsBuffer: Buffer.isBuffer(connectionOptions.privateKey), + }); + remoteGitSsh.connect(connectionOptions); + } catch (error) { + console.error('[SSH] Error during SSH connection:', error); + stream.write(error.toString()); + stream.end(); + } + } else { + console.log('[SSH] Unsupported command', command); + stream.write('Unsupported command'); + stream.end(); + } + }); + } + + start() { + const port = config.getSSHConfig().port; + this.server.listen(port, '0.0.0.0', () => { + console.log(`[SSH] Server listening on port ${port}`); + }); + } +} + +module.exports = SSHServer; diff --git a/src/service/routes/users.js b/src/service/routes/users.js index 118243d70..6d8c62407 100644 --- a/src/service/routes/users.js +++ b/src/service/routes/users.js @@ -2,24 +2,15 @@ const express = require('express'); const router = new express.Router(); const db = require('../../db'); +// Get all users router.get('/', async (req, res) => { - const query = {}; - - console.log(`fetching users = query path =${JSON.stringify(req.query)}`); - for (const k in req.query) { - if (!k) continue; - - if (k === 'limit') continue; - if (k === 'skip') continue; - let v = req.query[k]; - if (v === 'false') v = false; - if (v === 'true') v = true; - query[k] = v; - } - - res.send(await db.getUsers(query)); + const data = await db.getUsers(req.query); + const users = JSON.parse(JSON.stringify(data)); + users.forEach((user) => delete user.password); + res.send(users); }); +// Get specific user router.get('/:id', async (req, res) => { const username = req.params.id.toLowerCase(); console.log(`Retrieving details for user: ${username}`); @@ -29,4 +20,68 @@ router.get('/:id', async (req, res) => { res.send(user); }); +// Add SSH public key +router.post('/:username/ssh-keys', async (req, res) => { + if (!req.user) { + res.status(401).json({ error: 'Authentication required' }); + return; + } + + const targetUsername = req.params.username.toLowerCase(); + + // Only allow users to add keys to their own account, or admins to add to any account + if (req.user.username !== targetUsername && !req.user.admin) { + res.status(403).json({ error: 'Not authorized to add keys for this user' }); + return; + } + + const { publicKey } = req.body; + if (!publicKey) { + res.status(400).json({ error: 'Public key is required' }); + return; + } + + // Strip the comment from the key (everything after the last space) + const keyWithoutComment = publicKey.split(' ').slice(0, 2).join(' '); + + console.log('Adding SSH key', { targetUsername, keyWithoutComment }); + try { + await db.addPublicKey(targetUsername, keyWithoutComment); + res.status(201).json({ message: 'SSH key added successfully' }); + } catch (error) { + console.error('Error adding SSH key:', error); + res.status(500).json({ error: 'Failed to add SSH key' }); + } +}); + +// Remove SSH public key +router.delete('/:username/ssh-keys', async (req, res) => { + if (!req.user) { + res.status(401).json({ error: 'Authentication required' }); + return; + } + + const targetUsername = req.params.username.toLowerCase(); + + // Only allow users to remove keys from their own account, or admins to remove from any account + if (req.user.username !== targetUsername && !req.user.admin) { + res.status(403).json({ error: 'Not authorized to remove keys for this user' }); + return; + } + + const { publicKey } = req.body; + if (!publicKey) { + res.status(400).json({ error: 'Public key is required' }); + return; + } + + try { + await db.removePublicKey(targetUsername, publicKey); + res.status(200).json({ message: 'SSH key removed successfully' }); + } catch (error) { + console.error('Error removing SSH key:', error); + res.status(500).json({ error: 'Failed to remove SSH key' }); + } +}); + module.exports = router; diff --git a/test/.ssh/host_key b/test/.ssh/host_key new file mode 100644 index 000000000..dd7e0375e --- /dev/null +++ b/test/.ssh/host_key @@ -0,0 +1,38 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn +NhAAAAAwEAAQAAAYEAoVbJCVb7xjUSDn2Wffbk0F6jak5SwfZOqWlHBekusE83jb863y4r +m2Z/mi2JlZ8FNdTwCsOA2pRXeUCZYU+0lN4eepc1HY+HAOEznTn/HIrTWJSCU0DF7vF+Uy +o8kJB5r6Dl/vIMhurJr/AHwMJoiFVD6945bJDluzfDN5uFR2ce9XyAm14tGHlseCzN/hii +vTfVicKED+5Lp16IsBBhUvL0KTwYoaWF2Ec7a5WriHFtMZ9YEBoFSMxhN5sqRQdigXjJgu +w3aSRAKZb63lsxCwFy/6OrUEtpVoNMzqB1cZf4EGslBWWNJtv4HuRwkVLznw/R4n9S5qOK +6Wyq4FSGGkZkXkvdiJ/QRK2dMPPxQhzZTYnfNKf933kOsIRPQrSHO3ne0wBEJeKFo2lpxH +ctJxGmFNeELAoroLKTcbQEONKlcS+5MPnRfiBpSTwBqlxHXw/xs9MWHsR5kOmavWzvjy5o +6h8WdpiMCPXPFukkI5X463rWeX3v65PiADvMBBURAAAFkH95TOd/eUznAAAAB3NzaC1yc2 +EAAAGBAKFWyQlW+8Y1Eg59ln325NBeo2pOUsH2TqlpRwXpLrBPN42/Ot8uK5tmf5otiZWf +BTXU8ArDgNqUV3lAmWFPtJTeHnqXNR2PhwDhM505/xyK01iUglNAxe7xflMqPJCQea+g5f +7yDIbqya/wB8DCaIhVQ+veOWyQ5bs3wzebhUdnHvV8gJteLRh5bHgszf4Yor031YnChA/u +S6deiLAQYVLy9Ck8GKGlhdhHO2uVq4hxbTGfWBAaBUjMYTebKkUHYoF4yYLsN2kkQCmW+t +5bMQsBcv+jq1BLaVaDTM6gdXGX+BBrJQVljSbb+B7kcJFS858P0eJ/UuajiulsquBUhhpG +ZF5L3Yif0EStnTDz8UIc2U2J3zSn/d95DrCET0K0hzt53tMARCXihaNpacR3LScRphTXhC +wKK6Cyk3G0BDjSpXEvuTD50X4gaUk8AapcR18P8bPTFh7EeZDpmr1s748uaOofFnaYjAj1 +zxbpJCOV+Ot61nl97+uT4gA7zAQVEQAAAAMBAAEAAAGAXUFlmIFvrESWuEt9RjgEUDCzsk +mtajGtjByvEcqT0xMm4EbNh50PVZasYPi7UwGEqHX5fa89dppR6WMehPHmRjoRUfi+meSR +Oz/wbovMWrofqU7F+csx3Yg25Wk/cqwfuhV9e5x7Ay0JASnzwUZd15e5V8euV4N1Vn7H1w +eMxRXk/i5FxAhudnwQ53G2a43f2xE/243UecTac9afmW0OZDzMRl1XO3AKalXaEbiEWqx9 +WjZpV31C2q5P7y1ABIBcU9k+LY4vz8IzvCUT2PsHaOwrQizBOeS9WfrXwUPUr4n4ZBrLul +B8m43nxw7VsKBfmaTxv7fwyeZyZAQNjIP5DRLL2Yl9Di3IVXku7TkD2PeXPrvHcdWvz3fg +xlxqtKuF2h+6vnMJFtD8twY+i8GBGaUz/Ujz1Xy3zwdiNqIrb/zBFlBMfu2wrPGNA+QonE +MKDpqW6xZDu81cNbDVEVzZfw2Wyt7z4nBR2l3ri2dLJqmpm1O4k6hX45+/TBg3QgDFAAAA +wC6BJasSusUkD57BVHVlNK2y7vbq2/i86aoSQaUFj1np8ihfAYTgeXUmzkrcVKh+J+iNkO +aTRuGQgiYatkM2bKX0UG2Hp88k3NEtCUAJ0zbvq1QVBoxKM6YNtP37ZUjGqkuelTJZclp3 +fd7G8GWgVGiBbvffjDjEyMXaiymf/wo1q+oDEyH6F9b3rMHXFwIa8FJl2cmX04DOWyBmtk +coc1bDd+fa0n2QiE88iK8JSW/4OjlO/pRTu7/6sXmgYlc36wAAAMEAzKt4eduDO3wsuHQh +oKCLO7iyvUk5iZYK7FMrj/G1QMiprWW01ecXDIn6EwhLZuWUeddYsA9KnzL+aFzWPepx6o +KjiDvy0KrG+Tuv5AxLBHIoXJRslVRV8gPxqDEfsbq1BewtbGgyeKItJqqSyd79Z/ocbjB2 +gpvgD7ib42T55swQTZTqqfUvEKKCrjDNzn/iKrq0G7Gc5lCvUQR/Aq4RbddqMlMTATahGh +HElg+xeKg5KusqU4/0y6UHDXkLi38XAAAAwQDJzVK4Mk1ZUea6h4JW7Hw/kIUR/HVJNmlI +l7fmfJfZgWTE0KjKMmFXiZ89D5NHDcBI62HX+GYRVxiikKXbwmAIB1O7kYnFPpf+uYMFcj +VSTYDsZZ9nTVHBVG4X2oH1lmaMv4ONoTc7ZFeKhMA3ybJWTpj+wBPUNI2DPHGh5A+EKXy3 +FryAlU5HjQMRPzH9o8nCWtbm3Dtx9J4o9vplzgUlFUtx+1B/RKBk/QvW1uBKIpMU8/Y/RB +MB++fPUXw75hcAAAAbZGNvcmljQERDLU1hY0Jvb2stUHJvLmxvY2Fs +-----END OPENSSH PRIVATE KEY----- diff --git a/test/.ssh/host_key.pub b/test/.ssh/host_key.pub new file mode 100644 index 000000000..7b831e41d --- /dev/null +++ b/test/.ssh/host_key.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQChVskJVvvGNRIOfZZ99uTQXqNqTlLB9k6paUcF6S6wTzeNvzrfLiubZn+aLYmVnwU11PAKw4DalFd5QJlhT7SU3h56lzUdj4cA4TOdOf8citNYlIJTQMXu8X5TKjyQkHmvoOX+8gyG6smv8AfAwmiIVUPr3jlskOW7N8M3m4VHZx71fICbXi0YeWx4LM3+GKK9N9WJwoQP7kunXoiwEGFS8vQpPBihpYXYRztrlauIcW0xn1gQGgVIzGE3mypFB2KBeMmC7DdpJEAplvreWzELAXL/o6tQS2lWg0zOoHVxl/gQayUFZY0m2/ge5HCRUvOfD9Hif1Lmo4rpbKrgVIYaRmReS92In9BErZ0w8/FCHNlNid80p/3feQ6whE9CtIc7ed7TAEQl4oWjaWnEdy0nEaYU14QsCiugspNxtAQ40qVxL7kw+dF+IGlJPAGqXEdfD/Gz0xYexHmQ6Zq9bO+PLmjqHxZ2mIwI9c8W6SQjlfjretZ5fe/rk+IAO8wEFRE= dcoric@DC-MacBook-Pro.local diff --git a/test/.ssh/host_key_invalid b/test/.ssh/host_key_invalid new file mode 100644 index 000000000..0e1cfa180 --- /dev/null +++ b/test/.ssh/host_key_invalid @@ -0,0 +1,38 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn +NhAAAAAwEAAQAAAYEAqzoh7pWui09F+rnIw9QK6mZ8Q9Ga7oW6xOyNcAzvQkH6/8gqLk+y +qJfeJkZIHQ4Pw8YVbrkT9qmMxdoqvzCf6//WGgvoQAVCwZYW/ChA3S09M5lzNw6XrH4K68 +3cxJmGXqLxOo1dFLCAgmWA3luV7v+SxUwUGh2NSucEWCTPy5LXt8miSyYnJz8dLpa1UUGN +9S8DZTp2st/KhdNcI5pD0fSeOakm5XTEWd//abOr6tjkBAAuLSEbb1JS9z1l5rzocYfCUR +QHrQVZOu3ma8wpPmqRmN8rg+dBMAYf5Bzuo8+yAFbNLBsaqCtX4WzpNNrkDYvgWhTcrBZ9 +sPiakh92Py/83ekqsNblaJAwoq/pDZ1NFRavEmzIaSRl4dZawjyIAKBe8NRhMbcr4IW/Bf +gNI+KDtRRMOfKgLtzu0RPzhgen3eHudwhf9FZOXBUfqxzXrI/OMXtBSPJnfmgWJhGF/kht +aC0a5Ym3c66x340oZo6CowqA6qOR4sc9rBlfdhYRAAAFmJlDsE6ZQ7BOAAAAB3NzaC1yc2 +EAAAGBAKs6Ie6VrotPRfq5yMPUCupmfEPRmu6FusTsjXAM70JB+v/IKi5PsqiX3iZGSB0O +D8PGFW65E/apjMXaKr8wn+v/1hoL6EAFQsGWFvwoQN0tPTOZczcOl6x+CuvN3MSZhl6i8T +qNXRSwgIJlgN5ble7/ksVMFBodjUrnBFgkz8uS17fJoksmJyc/HS6WtVFBjfUvA2U6drLf +yoXTXCOaQ9H0njmpJuV0xFnf/2mzq+rY5AQALi0hG29SUvc9Zea86HGHwlEUB60FWTrt5m +vMKT5qkZjfK4PnQTAGH+Qc7qPPsgBWzSwbGqgrV+Fs6TTa5A2L4FoU3KwWfbD4mpIfdj8v +/N3pKrDW5WiQMKKv6Q2dTRUWrxJsyGkkZeHWWsI8iACgXvDUYTG3K+CFvwX4DSPig7UUTD +nyoC7c7tET84YHp93h7ncIX/RWTlwVH6sc16yPzjF7QUjyZ35oFiYRhf5IbWgtGuWJt3Ou +sd+NKGaOgqMKgOqjkeLHPawZX3YWEQAAAAMBAAEAAAGAdZYQY1XrbcPc3Nfk5YaikGIdCD +3TVeYEYuPIJaDcVfYVtr3xKaiVmm3goww0za8waFOJuGXlLck14VF3daCg0mL41x5COmTi +eSrnUfcaxEki9GJ22uJsiopsWY8gAusjea4QVxNpTqH/Po0SOKFQj7Z3RoJ+c4jD1SJcu2 +NcSALpnU8c4tqqnKsdETdyAQExyaSlgkjp5uEEpW6GofR4iqCgYBynl3/er5HCRwaaE0cr +Hww4qclIm+Q/EYbaieBD6L7+HBc56ZQ9qu1rH3F4q4I5yXkJvJ9/PonB+s1wj8qpAhIuC8 +u7t+aOd9nT0nA+c9mArQtlegU0tMX2FgRKAan5p2OmUfGnnOvPg6w1fwzf9lmouGX7ouBv +gWh0OrKPr3kjgB0bYKS6E4UhWTbX9AkmtCGNrrwz7STHvvi4gzqWBQJimJSUXI6lVWT0dM +Con0Kjy2f5C5+wjcyDho2Mcf8PVGExvRuDP/RAifgFjMJv+sLcKRtcDCHI6J9jFyAhAAAA +wQCyDWC4XvlKkru2A1bBMsA9zbImdrVNoYe1nqiP878wsIRKDnAkMwAgw27YmJWlJIBQZ6 +JoJcVHUADI0dzrUCMqiRdJDm2SlZwGE2PBCiGg12MUdqJXCVe+ShQRJ83soeoJt8XnCjO3 +rokyH2xmJX1WEZQEBFmwfUBdDJ5dX+7lZD5N26qXbE9UY5fWnB6indNOxrcDoEjUv1iDql +XgEu1PQ/k+BjUjEygShUatWrWcM1Tl1kl29/jWFd583xPF0uUAAADBANZzlWcIJZJALIUK +yCufXnv8nWzEN3FpX2xWK2jbO4pQgQSkn5Zhf3MxqQIiF5RJBKaMe5r+QROZr2PrCc/il8 +iYBqfhq0gcS+l53SrSpmoZ0PCZ1SGQji6lV58jReZyoR9WDpN7rwf08zG4ZJHdiuF3C43T +LSZOXysIrdl/xfKAG80VdpxkU5lX9bWYKxcXSq2vjEllw3gqCrs2xB0899kyujGU0TcOCu +MZ4xImUYvgR/q5rxRkYFmC0DlW3xwWpQAAAMEAzGaxqF0ZLCb7C+Wb+elr0aspfpnqvuFs +yDiDQBeN3pVnlcfcTTbIM77AgMyinnb/Ms24x56+mo3a0KNucrRGK2WI4J7K0DI2TbTFqo +NTBlZK6/7Owfab2sx94qN8l5VgIMbJlTwNrNjD28y+1fA0iw/0WiCnlC7BlPDQg6EaueJM +wk/Di9StKe7xhjkwFs7nG4C8gh6uUJompgSR8LTd3047htzf50Qq0lDvKqNrrIzHWi3DoM +3Mu+pVP6fqq9H9AAAAG2Rjb3JpY0BEQy1NYWNCb29rLVByby5sb2NhbAECAwQFBgc= +-----END OPENSSH PRIVATE KEY----- diff --git a/test/.ssh/host_key_invalid.pub b/test/.ssh/host_key_invalid.pub new file mode 100644 index 000000000..8d77b00d9 --- /dev/null +++ b/test/.ssh/host_key_invalid.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCrOiHula6LT0X6ucjD1ArqZnxD0ZruhbrE7I1wDO9CQfr/yCouT7Kol94mRkgdDg/DxhVuuRP2qYzF2iq/MJ/r/9YaC+hABULBlhb8KEDdLT0zmXM3DpesfgrrzdzEmYZeovE6jV0UsICCZYDeW5Xu/5LFTBQaHY1K5wRYJM/Lkte3yaJLJicnPx0ulrVRQY31LwNlOnay38qF01wjmkPR9J45qSbldMRZ3/9ps6vq2OQEAC4tIRtvUlL3PWXmvOhxh8JRFAetBVk67eZrzCk+apGY3yuD50EwBh/kHO6jz7IAVs0sGxqoK1fhbOk02uQNi+BaFNysFn2w+JqSH3Y/L/zd6Sqw1uVokDCir+kNnU0VFq8SbMhpJGXh1lrCPIgAoF7w1GExtyvghb8F+A0j4oO1FEw58qAu3O7RE/OGB6fd4e53CF/0Vk5cFR+rHNesj84xe0FI8md+aBYmEYX+SG1oLRrlibdzrrHfjShmjoKjCoDqo5Hixz2sGV92FhE= dcoric@DC-MacBook-Pro.local diff --git a/test/ssh/server.test.js b/test/ssh/server.test.js new file mode 100644 index 000000000..b547cc306 --- /dev/null +++ b/test/ssh/server.test.js @@ -0,0 +1,341 @@ +const chai = require('chai'); +const sinon = require('sinon'); +const expect = chai.expect; +const fs = require('fs'); +const ssh2 = require('ssh2'); +const config = require('../../src/config'); +const db = require('../../src/db'); +const chain = require('../../src/proxy/chain'); +const SSHServer = require('../../src/proxy/ssh/server'); +const { execSync } = require('child_process'); + +describe('SSHServer', () => { + let server; + let mockConfig; + let mockDb; + let mockChain; + let mockSsh2Server; + let mockFs; + const testKeysDir = 'test/keys'; + let testKeyContent; + + before(() => { + // Create directory for test keys + if (!fs.existsSync(testKeysDir)) { + fs.mkdirSync(testKeysDir, { recursive: true }); + } + // Generate test SSH key pair + execSync(`ssh-keygen -t rsa -b 4096 -f ${testKeysDir}/test_key -N "" -C "test@git-proxy"`); + // Read the key once and store it + testKeyContent = fs.readFileSync(`${testKeysDir}/test_key`); + }); + + after(() => { + // Clean up test keys + if (fs.existsSync(testKeysDir)) { + fs.rmSync(testKeysDir, { recursive: true, force: true }); + } + }); + + beforeEach(() => { + // Create stubs for all dependencies + mockConfig = { + getSSHConfig: sinon.stub().returns({ + hostKey: { + privateKeyPath: `${testKeysDir}/test_key`, + publicKeyPath: `${testKeysDir}/test_key.pub`, + }, + port: 22, + }), + getProxyUrl: sinon.stub().returns('https://github.com'), + }; + + mockDb = { + findUserBySSHKey: sinon.stub(), + findUser: sinon.stub(), + }; + + mockChain = { + executeChain: sinon.stub(), + }; + + mockFs = { + readFileSync: sinon.stub().callsFake((path) => { + if (path === `${testKeysDir}/test_key`) { + return testKeyContent; + } + return 'mock-key-data'; + }), + }; + + // Create a more complete mock for the SSH2 server + mockSsh2Server = { + Server: sinon.stub().returns({ + listen: sinon.stub(), + on: sinon.stub(), + }), + }; + + // Replace the real modules with our stubs + sinon.stub(config, 'getSSHConfig').callsFake(mockConfig.getSSHConfig); + sinon.stub(config, 'getProxyUrl').callsFake(mockConfig.getProxyUrl); + sinon.stub(db, 'findUserBySSHKey').callsFake(mockDb.findUserBySSHKey); + sinon.stub(db, 'findUser').callsFake(mockDb.findUser); + sinon.stub(chain, 'executeChain').callsFake(mockChain.executeChain); + sinon.stub(fs, 'readFileSync').callsFake(mockFs.readFileSync); + sinon.stub(ssh2, 'Server').callsFake(mockSsh2Server.Server); + + server = new SSHServer(); + }); + + afterEach(() => { + // Restore all stubs + sinon.restore(); + }); + + describe('constructor', () => { + it('should create a new SSH2 server with correct configuration', () => { + expect(ssh2.Server.calledOnce).to.be.true; + const serverConfig = ssh2.Server.firstCall.args[0]; + expect(serverConfig.hostKeys).to.be.an('array'); + expect(serverConfig.authMethods).to.deep.equal(['publickey', 'password']); + expect(serverConfig.keepaliveInterval).to.equal(5000); + expect(serverConfig.keepaliveCountMax).to.equal(10); + expect(serverConfig.readyTimeout).to.equal(30000); + }); + }); + + describe('start', () => { + it('should start listening on the configured port', () => { + server.start(); + expect(server.server.listen.calledWith(22, '0.0.0.0')).to.be.true; + }); + }); + + describe('handleClient', () => { + let mockClient; + + beforeEach(() => { + mockClient = { + on: sinon.stub(), + username: null, + userPrivateKey: null, + }; + }); + + it('should set up client event handlers', () => { + server.handleClient(mockClient); + expect(mockClient.on.calledWith('error')).to.be.true; + expect(mockClient.on.calledWith('end')).to.be.true; + expect(mockClient.on.calledWith('close')).to.be.true; + expect(mockClient.on.calledWith('global request')).to.be.true; + expect(mockClient.on.calledWith('ready')).to.be.true; + expect(mockClient.on.calledWith('authentication')).to.be.true; + }); + + describe('authentication', () => { + it('should handle public key authentication successfully', async () => { + const mockCtx = { + method: 'publickey', + key: { + algo: 'ssh-rsa', + data: Buffer.from('mock-key-data'), + comment: 'test-key', + }, + accept: sinon.stub(), + reject: sinon.stub(), + }; + + mockDb.findUserBySSHKey.resolves({ username: 'test-user' }); + + server.handleClient(mockClient); + const authHandler = mockClient.on.withArgs('authentication').firstCall.args[1]; + await authHandler(mockCtx); + + expect(mockDb.findUserBySSHKey.calledOnce).to.be.true; + expect(mockCtx.accept.calledOnce).to.be.true; + expect(mockClient.username).to.equal('test-user'); + expect(mockClient.userPrivateKey).to.deep.equal(mockCtx.key); + }); + + it('should handle password authentication successfully', async () => { + const mockCtx = { + method: 'password', + username: 'test-user', + password: 'test-password', + accept: sinon.stub(), + reject: sinon.stub(), + }; + + mockDb.findUser.resolves({ + username: 'test-user', + password: '$2a$10$mockHash', + }); + + const bcrypt = require('bcryptjs'); + sinon.stub(bcrypt, 'compare').resolves(true); + + server.handleClient(mockClient); + const authHandler = mockClient.on.withArgs('authentication').firstCall.args[1]; + await authHandler(mockCtx); + + expect(mockDb.findUser.calledWith('test-user')).to.be.true; + expect(bcrypt.compare.calledWith('test-password', '$2a$10$mockHash')).to.be.true; + expect(mockCtx.accept.calledOnce).to.be.true; + }); + }); + }); + + describe('handleSession', () => { + let mockSession; + let mockStream; + let mockAccept; + let mockReject; + + beforeEach(() => { + mockStream = { + write: sinon.stub(), + end: sinon.stub(), + exit: sinon.stub(), + on: sinon.stub(), + }; + + mockSession = { + on: sinon.stub(), + _channel: { + _client: { + userPrivateKey: null, + }, + }, + }; + + mockAccept = sinon.stub().returns(mockSession); + mockReject = sinon.stub(); + }); + + it('should handle git-upload-pack command', async () => { + const mockInfo = { + command: "git-upload-pack 'test/repo'", + }; + + mockChain.executeChain.resolves({ + error: false, + blocked: false, + }); + + const { Client } = require('ssh2'); + const mockSsh2Client = { + on: sinon.stub(), + connect: sinon.stub(), + exec: sinon.stub(), + }; + + // Mock the SSH client constructor + sinon.stub(Client.prototype, 'on').callsFake(mockSsh2Client.on); + sinon.stub(Client.prototype, 'connect').callsFake(mockSsh2Client.connect); + sinon.stub(Client.prototype, 'exec').callsFake(mockSsh2Client.exec); + + // Mock the ready event + mockSsh2Client.on.withArgs('ready').callsFake((event, callback) => { + callback(); + }); + + // Mock the exec response + mockSsh2Client.exec.callsFake((command, options, callback) => { + const mockStream = { + on: sinon.stub(), + write: sinon.stub(), + end: sinon.stub(), + }; + callback(null, mockStream); + }); + + server.handleSession(mockAccept, mockReject); + const execHandler = mockSession.on.withArgs('exec').firstCall.args[1]; + await execHandler(mockAccept, mockReject, mockInfo); + + expect( + mockChain.executeChain.calledWith({ + method: 'GET', + originalUrl: " 'test/repo", + isSSH: true, + headers: { + 'user-agent': 'git/2.0.0', + 'content-type': undefined, + }, + }), + ).to.be.true; + }); + + it('should handle git-receive-pack command', async () => { + const mockInfo = { + command: "git-receive-pack 'test/repo'", + }; + + mockChain.executeChain.resolves({ + error: false, + blocked: false, + }); + + const { Client } = require('ssh2'); + const mockSsh2Client = { + on: sinon.stub(), + connect: sinon.stub(), + exec: sinon.stub(), + }; + sinon.stub(Client.prototype, 'on').callsFake(mockSsh2Client.on); + sinon.stub(Client.prototype, 'connect').callsFake(mockSsh2Client.connect); + sinon.stub(Client.prototype, 'exec').callsFake(mockSsh2Client.exec); + + server.handleSession(mockAccept, mockReject); + const execHandler = mockSession.on.withArgs('exec').firstCall.args[1]; + await execHandler(mockAccept, mockReject, mockInfo); + + expect( + mockChain.executeChain.calledWith({ + method: 'POST', + originalUrl: " 'test/repo", + isSSH: true, + headers: { + 'user-agent': 'git/2.0.0', + 'content-type': 'application/x-git-receive-pack-request', + }, + }), + ).to.be.true; + }); + + it('should handle unsupported commands', async () => { + const mockInfo = { + command: 'unsupported-command', + }; + + // Mock the stream that accept() returns + mockStream = { + write: sinon.stub(), + end: sinon.stub(), + }; + + // Mock the session + const mockSession = { + on: sinon.stub(), + }; + + // Set up the exec handler + mockSession.on.withArgs('exec').callsFake((event, handler) => { + // First accept call returns the session + // const sessionAccept = () => mockSession; + // Second accept call returns the stream + const streamAccept = () => mockStream; + handler(streamAccept, mockReject, mockInfo); + }); + + // Update mockAccept to return our mock session + mockAccept = sinon.stub().returns(mockSession); + + server.handleSession(mockAccept, mockReject); + + expect(mockStream.write.calledWith('Unsupported command')).to.be.true; + expect(mockStream.end.calledOnce).to.be.true; + }); + }); +});