add "sshproxyctl forget persist" (#30)

Author: cyrilst

README.asciidoc

@@ -157,6 +157,8 @@ Version 2 brings a lot of changes to sshproxy:
      `sshproxyctl forget host -all|-host HOST [-port PORT]`
   - `sshproxyctl error_banner` (without any parameter) has been removed and
     replaced by `sshproxyctl forget error_banner`
+  - `sshproxyctl forget persist [-user USER] [-service SERVICE] [-host HOST] [-port PORT]`
+    has been added
 
 Copying
 -------

cmd/sshproxyctl/sshproxyctl.go

@@ -525,6 +525,24 @@ func disableHost(host, port, configFile string) error {
 	return cli.SetHost(key, utils.Disabled, time.Now())
 }
 
+func forgetPersist(user, service, host, port, configFile string) error {
+	cli := mustInitEtcdClient(configFile)
+	defer cli.Close()
+
+	history, err := cli.GetHistory(user, service, host, port)
+	if err != nil {
+		return err
+	}
+
+	for _, kv := range history {
+		err := cli.DelHistory(kv.User)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func setErrorBanner(errorBanner string, expire time.Time, configFile string) error {
 	cli := mustInitEtcdClient(configFile)
 	defer cli.Close()
@@ -598,7 +616,7 @@ The commands are:
   version       show version number and exit
   show          show states present in etcd
   enable        enable a host in etcd
-  forget        forget a host/error_banner in etcd
+  forget        forget a host/error_banner/persist in etcd
   disable       disable a host in etcd
   error_banner  set the error banner in etcd
 
@@ -676,17 +694,22 @@ Enable a previously disabled host in etcd.
 	return fs
 }
 
-func newForgetParser(allFlag *bool, hostString *string, portString *string) *flag.FlagSet {
+func newForgetParser(allFlag *bool, hostString, portString, userString, serviceString *string) *flag.FlagSet {
 	fs := flag.NewFlagSet("forget", flag.ExitOnError)
 	fs.BoolVar(allFlag, "all", false, "forget all hosts present in config")
 	fs.StringVar(hostString, "host", "", "hostname to forget (can be a nodeset)")
 	fs.StringVar(portString, "port", "", "port to forget (can be a nodeset)")
+	fs.StringVar(userString, "user", "", "forget all persistent connections of this user")
+	fs.StringVar(serviceString, "service", "", "forget all persistent connections of this service")
 	fs.Usage = func() {
 		fmt.Fprintf(flag.CommandLine.Output(), `Usage: %s forget COMMAND [OPTIONS]
 
 The commands are:
-  host -all|-host HOST [-port PORT]    forget a host in etcd
-  error_banner                         forget the error_banner in etcd
+  host -all|-host HOST [-port PORT]                                  forget a host in etcd
+  error_banner                                                       forget the error_banner in etcd
+  persist [-user USER] [-service SERVICE] [-host HOST] [-port PORT]  forget a persistent connection in etcd
+                                                                       (needs at least one option)
+                                                                       (only connections matching all the options are forgotten)
 
 The options are:
 `, os.Args[0])
@@ -866,13 +889,14 @@ func main() {
 	var sourceString string
 	var hostString string
 	var portString string
+	var serviceString string
 
 	parsers := map[string]*flag.FlagSet{
 		"help":         newHelpParser(),
 		"version":      newVersionParser(),
 		"show":         newShowParser(&csvFlag, &jsonFlag, &allFlag, &userString, &groupsString, &sourceString),
 		"enable":       newEnableParser(&allFlag, &hostString, &portString),
-		"forget":       newForgetParser(&allFlag, &hostString, &portString),
+		"forget":       newForgetParser(&allFlag, &hostString, &portString, &userString, &serviceString),
 		"disable":      newDisableParser(&allFlag, &hostString, &portString),
 		"error_banner": newErrorBannerParser(&expire),
 	}
@@ -977,6 +1001,12 @@ func main() {
 			}
 		case "error_banner":
 			delErrorBanner(*configFile)
+		case "persist":
+			if userString == "" && serviceString == "" && hostString == "" && portString == "" {
+				fmt.Fprintf(os.Stderr, "ERROR: missing '-user', '-service', '-host' or '-port'\n\n")
+				p.Usage()
+			}
+			forgetPersist(userString, serviceString, hostString, portString, *configFile)
 		}
 	case "disable":
 		p := parsers[cmd]

doc/sshproxyctl.txt

@@ -70,6 +70,10 @@ COMMANDS
 *forget error_banner*::
 	Remove the error banner in etcd.
 
+*forget persist [-user USER] [-service SERVICE] [-host HOST] [-port PORT]*::
+	Forget a persistent connection in etcd. Needs at least one option.
+	Only connections matching all the options are forgotten.
+
 *error_banner [-expire EXPIRATION] MESSAGE*::
 	Set the error banner in etcd. 'MESSAGE' can be multiline. The error
 	banner is displayed to the client when no backend can be reached (more

misc/sshproxyctl-completion.bash

@@ -9,6 +9,7 @@ _sshproxyctl() {
         opts="-h -c ${commands}"
 
         case "${prev}" in
+            # Main commands
             disable)
                 COMPREPLY=( $(compgen -W '-all -host -port' -- "${cur}") )
                 ;;
@@ -19,59 +20,68 @@ _sshproxyctl() {
                 COMPREPLY=( $(compgen -W '-expire' -- "${cur}") )
                 ;;
             forget)
-                COMPREPLY=( $(compgen -W '-all -host -port host error_banner' -- "${cur}") )
+                COMPREPLY=( $(compgen -W '-all -host -port -service -user error_banner host persist' -- "${cur}") )
                 ;;
             help)
                 COMPREPLY=( $(compgen -W "${commands}" -- "${cur}") )
                 ;;
             show)
-                COMPREPLY=( $(compgen -W '-all -csv -json -user -groups -source connections hosts users groups error_banner config' -- "${cur}") )
+                COMPREPLY=( $(compgen -W '-all -csv -groups -json -source -user config connections error_banner groups hosts users' -- "${cur}") )
+                ;;
+            # Sub-commands
+            config)
+                COMPREPLY=( $(compgen -W '-groups -source -user' -- "${cur}") )
                 ;;
             connections)
                 COMPREPLY=( $(compgen -W '-all -csv -json' -- "${cur}") )
                 ;;
+            groups)
+                COMPREPLY=( $(compgen -W '-all -csv -json' -- "${cur}") )
+                ;;
             host)
                 COMPREPLY=( $(compgen -W '-all -host -port' -- "${cur}") )
                 ;;
             hosts)
                 COMPREPLY=( $(compgen -W '-csv -json' -- "${cur}") )
                 ;;
-            users)
-                COMPREPLY=( $(compgen -W '-all -csv -json' -- "${cur}") )
+            persist)
+                COMPREPLY=( $(compgen -W '-host -port -service -user' -- "${cur}") )
                 ;;
-            groups)
+            users)
                 COMPREPLY=( $(compgen -W '-all -csv -json' -- "${cur}") )
                 ;;
-            config)
-                COMPREPLY=( $(compgen -W '-user -groups -source' -- "${cur}") )
-                ;;
+            # Options
             -all)
-                COMPREPLY=( $(compgen -W '-csv -json -port connections users groups' -- "${cur}") )
+                COMPREPLY=( $(compgen -W '-csv -json -port connections groups host users' -- "${cur}") )
                 ;;
             -csv)
-                COMPREPLY=( $(compgen -W '-all connections hosts users groups' -- "${cur}") )
+                COMPREPLY=( $(compgen -W '-all connections groups hosts users' -- "${cur}") )
                 ;;
             -groups)
-                COMPREPLY=( $(compgen -W '-user -source config' -- "${cur}") )
+                COMPREPLY=( $(compgen -W '-source -user config' -- "${cur}") )
                 ;;
             -host)
-                COMPREPLY=( $(compgen -W '-port' -- "${cur}") )
+                COMPREPLY=( $(compgen -W '-port -service -user host persist' -- "${cur}") )
                 ;;
             -json)
-                COMPREPLY=( $(compgen -W '-all connections hosts users groups' -- "${cur}") )
+                COMPREPLY=( $(compgen -W '-all connections groups hosts users' -- "${cur}") )
                 ;;
             -port)
-                COMPREPLY=( $(compgen -W '-all -host' -- "${cur}") )
+                COMPREPLY=( $(compgen -W '-all -host -service -user host persist' -- "${cur}") )
+                ;;
+            -service)
+                COMPREPLY=( $(compgen -W '-host -port -user persist' -- "${cur}") )
                 ;;
             -source)
-                COMPREPLY=( $(compgen -W '-user -groups config' -- "${cur}") )
+                COMPREPLY=( $(compgen -W '-groups -user config' -- "${cur}") )
                 ;;
             -user)
-                COMPREPLY=( $(compgen -W '-groups -source config' -- "${cur}") )
+                COMPREPLY=( $(compgen -W '-groups -host -port -service -source config persist' -- "${cur}") )
                 ;;
             -c)
                 _filedir
                 ;;
+            # Default
             *)
                 COMPREPLY=( $(compgen -W "${opts}" -- "${cur}") )
                 ;;

pkg/utils/etcd.go

@@ -20,11 +20,14 @@ import (
 	"fmt"
 	"os"
 	"regexp"
+	"slices"
 	"sort"
 	"strconv"
 	"strings"
 	"time"
 
+	"github.com/cea-hpc/sshproxy/pkg/nodesets"
+
 	"github.com/op/go-logging"
 	"go.etcd.io/etcd/client/v3"
 	"go.uber.org/zap"
@@ -399,6 +402,18 @@ func (c *Client) DelHost(hostport string) error {
 	return nil
 }
 
+// DelHistory deletes a history key (passed as "user@service") in etcd.
+func (c *Client) DelHistory(history string) error {
+	key := toHistoryKey(history)
+	ctx, cancel := context.WithTimeout(context.Background(), c.requestTimeout)
+	_, err := c.cli.Delete(ctx, key, clientv3.WithPrefix())
+	cancel()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 // SetHost sets a host (passed as "host:port") state and last checked time (ts)
 // in etcd.
 func (c *Client) SetHost(hostport string, state State, ts time.Time) error {
@@ -666,7 +681,7 @@ func (c *Client) GetAllHosts() ([]*FlatHost, error) {
 		}
 	}
 
-	history, err := c.GetAllHistory()
+	history, err := c.GetHistory("", "", "", "")
 	if err != nil {
 		return nil, fmt.Errorf("ERROR: getting history from etcd: %v", err)
 	}
@@ -748,7 +763,7 @@ func (c *Client) GetAllUsers(allFlag bool) ([]*FlatUser, error) {
 	}
 
 	if allFlag {
-		history, err := c.GetAllHistory()
+		history, err := c.GetHistory("", "", "", "")
 		if err != nil {
 			return nil, fmt.Errorf("ERROR: getting history from etcd: %v", err)
 		}
@@ -863,36 +878,56 @@ type FlatHistory struct {
 	TTL  int64
 }
 
-// GetAllHistory returns a list of all history keys present in etcd.
-func (c *Client) GetAllHistory() ([]*FlatHistory, error) {
+// GetHistory returns a list of matching history keys present in etcd.
+func (c *Client) GetHistory(user, service, host, port string) ([]*FlatHistory, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), c.requestTimeout)
-	resp, err := c.cli.Get(ctx, etcdHistoryPath, clientv3.WithPrefix(), clientv3.WithSort(clientv3.SortByKey, clientv3.SortAscend))
+	resp, err := c.cli.Get(ctx, etcdHistoryPath+"/"+user, clientv3.WithPrefix(), clientv3.WithSort(clientv3.SortByKey, clientv3.SortAscend))
 	defer cancel()
 	if err != nil {
 		return nil, err
 	}
 
-	history := make([]*FlatHistory, len(resp.Kvs))
-	for i, ev := range resp.Kvs {
+	_, nodesetDlclose, nodesetExpand := nodesets.InitExpander()
+	defer nodesetDlclose()
+	hosts, err := nodesetExpand(host)
+	if err != nil {
+		return nil, err
+	}
+	ports, err := nodesetExpand(port)
+	if err != nil {
+		return nil, err
+	}
+	var history []*FlatHistory
+	for _, ev := range resp.Kvs {
 		subkey := string(ev.Key)[len(etcdHistoryPath)+1:]
 		fields := strings.Split(subkey, "/")
 		if len(fields) != 2 {
 			return nil, fmt.Errorf("bad key format %s", subkey)
 		}
-
-		v := &FlatHistory{}
-		v.User = fields[0]
-		v.Dest = string(ev.Value)
-		leaseID, err := strconv.Atoi(fields[1])
+		evHost, evPort, err := SplitHostPort(string(ev.Value))
 		if err != nil {
 			return nil, err
 		}
-		ttl, err := c.cli.TimeToLive(ctx, clientv3.LeaseID(leaseID))
-		if err != nil {
-			return nil, err
+
+		if (user == "" && service == "" && host == "" && port == "") ||
+			((user == "" || strings.Contains("/"+fields[0], "/"+user+"@")) &&
+				(service == "" || strings.Contains(fields[0]+"/", "@"+service+"/")) &&
+				(host == "" || slices.Contains(hosts, evHost)) &&
+				(port == "" || slices.Contains(ports, evPort))) {
+			v := &FlatHistory{}
+			v.User = fields[0]
+			v.Dest = string(ev.Value)
+			leaseID, err := strconv.Atoi(fields[1])
+			if err != nil {
+				return nil, err
+			}
+			ttl, err := c.cli.TimeToLive(ctx, clientv3.LeaseID(leaseID))
+			if err != nil {
+				return nil, err
+			}
+			v.TTL = ttl.TTL
+			history = append(history, v)
 		}
-		v.TTL = ttl.TTL
-		history[i] = v
 	}
 
 	return history, nil