Merge branch 'known-hosts'

Author: conormcd

src/clj_libssh2/error.clj

@@ -5,6 +5,7 @@
 
 (def timeouts (atom {:agent 10000
                      :auth 10000
+                     :known-hosts 10000
                      :session 10000}))
 
 (def error-messages

src/clj_libssh2/known_hosts.clj

@@ -0,0 +1,79 @@
+(ns clj-libssh2.known-hosts
+  (:require [clojure.java.io :refer [file]]
+            [clj-libssh2.error :refer [handle-errors with-timeout]]
+            [clj-libssh2.libssh2 :as libssh2]
+            [clj-libssh2.libssh2.knownhost :as libssh2-knownhost]
+            [clj-libssh2.libssh2.session :as libssh2-session])
+  (:import [com.sun.jna.ptr IntByReference PointerByReference]))
+
+(defn- checkp-result
+  "Re-interpret the result of libssh2_knownhost_checkp to either succeed or
+   cause handle-errors to throw, as appropriate."
+  [fail-on-mismatch fail-on-missing result]
+  (condp = (.longValue result)
+    libssh2/KNOWNHOST_CHECK_MATCH     0
+    libssh2/KNOWNHOST_CHECK_MISMATCH  (if fail-on-mismatch
+                                        libssh2/ERROR_HOSTKEY_SIGN
+                                        0)
+    libssh2/KNOWNHOST_CHECK_NOTFOUND  (if fail-on-missing
+                                        libssh2/ERROR_HOSTKEY_SIGN
+                                        0)
+    libssh2/KNOWNHOST_CHECK_FAILURE   libssh2/ERROR_HOSTKEY_SIGN
+    (throw (Exception. (format "Unknown return code from libssh2-knownhost/checkp: %d" result)))))
+
+(defn- host-fingerprint
+  "Get the remote host's fingerprint."
+  [session]
+  (when (:session session)
+    (let [len (IntByReference.)
+          typ (IntByReference.)
+          hostkey_ptr (libssh2-session/hostkey (:session session) len typ)]
+      (.getByteArray hostkey_ptr 0 (.getValue len)))))
+
+(defn- check-fingerprint
+  "Call libssh2_knownhost_checkp."
+  [session known-hosts host port fingerprint fail-on-missing fail-on-mismatch]
+  (handle-errors session
+    (with-timeout :known-hosts
+      (checkp-result fail-on-mismatch fail-on-missing
+        (libssh2-knownhost/checkp known-hosts
+                                  host
+                                  port
+                                  fingerprint
+                                  (count fingerprint)
+                                  (bit-or libssh2/KNOWNHOST_TYPE_PLAIN
+                                          libssh2/KNOWNHOST_KEYENC_RAW)
+                                  (PointerByReference.))))))
+
+(defn- load-known-hosts
+  "Load a known hosts file into the known hosts object."
+  [session known-hosts known-hosts-file]
+  (when (.exists (file known-hosts-file))
+    (handle-errors session
+      (with-timeout :known-hosts
+        (libssh2-knownhost/readfile known-hosts
+                                    known-hosts-file
+                                    libssh2/KNOWNHOST_FILE_OPENSSH)))))
+
+(defn check
+  "Given a session that has already completed a handshake with a remote host,
+   check the fingerprint of the remote host against the knonw hosts file."
+  [session]
+  (let [known-hosts (libssh2-knownhost/init (:session session))
+        session-options (:options session)
+        file (or (:known-hosts-file session-options)
+                 (str (System/getProperty "user.home") "/.ssh/known_hosts"))
+        fail-on-mismatch (-> session-options :fail-unless-known-hosts-matches)
+        fail-on-missing (-> session-options :fail-if-not-in-known-hosts)]
+    (when (nil? known-hosts)
+      (throw (Exception. "Failed to initialize known hosts store.")))
+    (try
+      (load-known-hosts session known-hosts file)
+      (check-fingerprint session
+                         known-hosts
+                         (:host session)
+                         (:port session)
+                         (host-fingerprint session)
+                         fail-on-missing
+                         fail-on-mismatch)
+      (finally (libssh2-knownhost/free known-hosts)))))

src/clj_libssh2/libssh2/session.clj

@@ -51,7 +51,7 @@
 ; const char *libssh2_session_hostkey(LIBSSH2_SESSION *session,
 ;                                     size_t *len,
 ;                                     int *type);
-(def hostkey (jna/to-fn String ssh2/libssh2_session_hostkey))
+(def hostkey (jna/to-fn Pointer ssh2/libssh2_session_hostkey))
 
 ; LIBSSH2_SESSION * libssh2_session_init_ex(LIBSSH2_ALLOC_FUNC((*my_alloc)),
 ;                                           LIBSSH2_FREE_FUNC((*my_free)),

src/clj_libssh2/session.clj

@@ -3,11 +3,19 @@
             [clj-libssh2.libssh2.session :as libssh2-session]
             [clj-libssh2.authentication :refer [authenticate]]
             [clj-libssh2.error :refer [handle-errors with-timeout]]
+            [clj-libssh2.known-hosts :as known-hosts]
             [clj-libssh2.socket :as socket]))
 
 (def sessions (atom {}))
 
-(defrecord Session [id session socket])
+; The default options for a session. These are not only the defaults, but an
+; exhaustive list of the legal options.
+(def default-opts
+  {:fail-if-not-in-known-hosts false
+   :fail-unless-known-hosts-matches true
+   :known-hosts-file nil})
+
+(defrecord Session [id session socket host port options])
 
 (defn- create-session
   "Make a native libssh2 session object."
@@ -17,6 +25,11 @@
       (throw (Exception. "Failed to create a libssh2 session.")))
     session))
 
+(defn- create-session-options
+  [opts]
+  {:pre [(every? (set (keys default-opts)) (keys opts))]}
+  (merge default-opts opts))
+
 (defn- destroy-session
   "Free a libssh2 session object from a Session."
   ([^Session session]
@@ -38,9 +51,14 @@
       (libssh2-session/handshake session socket))))
 
 (defn- session-id
-  "Generate the session ID that will be used to pool"
-  [host port credentials]
-  (format "%s@%s:%d" (:username credentials) host port))
+  "Generate the session ID that will be used to pool sessions."
+  [host port credentials opts]
+  (format "%s@%s:%d-%d-%d"
+          (:username credentials)
+          host
+          port
+          (.hashCode credentials)
+          (.hashCode opts)))
 
 (defn close
   "Disconnect an SSH session and discard the session."
@@ -54,22 +72,29 @@
 
 (defn open
   "Connect to an SSH server and start a session."
-  [host port credentials]
-  (when (empty? @sessions)
-    (handle-errors nil (libssh2/init 0)))
-  (let [id (session-id host port credentials)]
-    (if (contains? @sessions id)
-      (get @sessions id)
-      (let [session (Session. (session-id host port credentials)
-                              (create-session)
-                              (socket/connect host port))]
-        (when (> 0 (:socket session))
-          (destroy-session session "Shutting down due to bad socket." true))
-        (try
-          (handshake session)
-          (authenticate session credentials)
-          (swap! sessions assoc (:id session) session)
-          (get @sessions (:id session))
-          (catch Exception e
-            (close session)
-            (throw e)))))))
+  ([host port credentials]
+   (open host port credentials {}))
+  ([host port credentials opts]
+   (when (empty? @sessions)
+     (handle-errors nil (libssh2/init 0)))
+   (let [session-options (create-session-options opts)
+         id (session-id host port credentials session-options)]
+     (if (contains? @sessions id)
+       (get @sessions id)
+       (let [session (Session. id
+                               (create-session)
+                               (socket/connect host port)
+                               host
+                               port
+                               (create-session-options opts))]
+         (when (> 0 (:socket session))
+           (destroy-session session "Shutting down due to bad socket." true))
+         (try
+           (handshake session)
+           (known-hosts/check session)
+           (authenticate session credentials)
+           (swap! sessions assoc (:id session) session)
+           (get @sessions (:id session))
+           (catch Exception e
+             (close session)
+             (throw e))))))))

test/clj_libssh2/test_known_hosts.clj

@@ -0,0 +1,50 @@
+(ns clj-libssh2.test-known-hosts
+  (:require [clojure.test :refer :all]
+            [clj-libssh2.session :as session]
+            [clj-libssh2.test-utils :as test]))
+
+(test/fixtures)
+
+(defn- session-with-options
+  [options]
+  (session/open test/ssh-host
+                test/ssh-port
+                {:username (test/ssh-user)}
+                options))
+
+(deftest by-default-we-don't-fail-if-the-host-is-unknown
+  (is (= 0 (count @session/sessions)))
+  (let [file (test/known-hosts-file :missing)
+        session (session-with-options {:known-hosts-file file})]
+    (is (= 1 (count @session/sessions)))
+    (session/close session))
+  (is (= 0 (count @session/sessions))))
+
+(deftest by-default-we-fail-if-the-host-is-different
+  (is (= 0 (count @session/sessions)))
+  (is (thrown? Exception
+               (let [file (test/known-hosts-file :bad)
+                     session (session-with-options {:known-hosts-file file})]
+                 (session/close session))))
+  (is (= 0 (count @session/sessions))))
+
+(deftest known-hosts-checking-works-when-the-host-is-known
+  (is (= 0 (count @session/sessions)))
+  (let [file (test/known-hosts-file :good)
+        session (session-with-options {:fail-if-not-in-known-hosts true
+                                       :fail-unless-known-hosts-matches true
+                                       :known-hosts-file file})]
+    (is (= 1 (count @session/sessions)))
+    (session/close session))
+  (is (= 0 (count @session/sessions))))
+
+(deftest known-host-checking-can-be-ignored
+  (doseq [known-hosts-file [:good :bad :missing]]
+    (is (= 0 (count @session/sessions)))
+    (let [file (test/known-hosts-file known-hosts-file)
+          session (session-with-options {:fail-if-not-in-known-hosts false
+                                         :fail-unless-known-hosts-matches false
+                                         :known-hosts-file file})]
+      (is (= 1 (count @session/sessions)))
+      (session/close session))
+    (is (= 0 (count @session/sessions)))))

test/clj_libssh2/test_session.clj

@@ -49,4 +49,12 @@
   (testing "throws but doesn't crash on authentication failure"
       (is (= 0 (count @session/sessions)))
       (is (thrown? Exception (open :password "totally-wrong-password")))
-      (is (= 0 (count @session/sessions)))))
+      (is (= 0 (count @session/sessions))))
+  (testing "open rejects bad options"
+    (is (= 0 (count @session/sessions)))
+    (is (thrown? AssertionError (session/open test/ssh-host
+                                              test/ssh-port
+                                              {:username (test/ssh-user)}
+                                              {:bad-option :bad-option-value})))
+    (is (= 0 (count @session/sessions)))
+    ))

test/clj_libssh2/test_utils.clj

@@ -12,6 +12,10 @@
   [script]
   (str/join "/" [(System/getProperty "user.dir") "test/script" script]))
 
+(defn known-hosts-file
+  [variant]
+  (str/join "/" [(System/getProperty "user.dir") "test/tmp" (str "known_hosts_" (name variant))]))
+
 (defn run-test-script
   [script & args]
   (let [result (apply sh/sh "sh" (test-script script) (map str args))]

test/script/setup.sh

@@ -37,6 +37,23 @@ ensure_root_dir() {
   fi
 }
 
+generate_known_hosts_files() {
+  local host
+  local port
+  local good_fingerprint
+  local bad_fingerprint
+
+  host=${1:-127.0.0.1}
+  port=${2:-2222}
+
+  good_fingerprint=$(cut -d' ' -f 1,2 "${TMP_DIR}/ssh_host_rsa_key.pub")
+  bad_fingerprint=$(echo "${good_fingerprint}" | tr '[:upper:]' '[:lower:]')
+
+  echo "[$host]:${port} ${good_fingerprint}" > "${TMP_DIR}/known_hosts_good"
+  echo "[$host]:${port} ${bad_fingerprint}" > "${TMP_DIR}/known_hosts_bad"
+  echo "" > "${TMP_DIR}/known_hosts_missing"
+}
+
 generate_sshd_host_keys() {
   require_executable ssh-keygen
   ssh-keygen -N '' -t rsa1 -f "${TMP_DIR}/ssh_host_key" > /dev/null
@@ -80,6 +97,7 @@ launch_sshd() {
 
   require_executable sshd
   generate_sshd_host_keys
+  generate_known_hosts_files "${host}" "${port}"
   generate_user_keys
   sshd=$(which sshd)
   ${sshd} -f /dev/null \