From f76fee63ed9cb3a30d3c0c092d860b1cb93a481b Mon Sep 17 00:00:00 2001
From: Gerard Smyth <gerard.smyth@gmail.com>
Date: Thu, 08 May 2014 13:09:30 -0400
Subject: [PATCH] Updated the SyndicationServlet to provide an additional option to return details of the tags in the repository instead of the commits. This uses a new 'ot' request parameter to indicate the object type of the content to return, which can be ither TAG or COMMIT. If this is not provided, then COMMIT is assumed to maintain backwards compatability. If tags are returned, then the paging parameters, 'l' and 'pg' are still supported, but searching options are currently ignored.
---
src/main/java/com/gitblit/transport/ssh/SshDaemon.java | 338 +++++++++++++++++++-------------------------------------
1 files changed, 116 insertions(+), 222 deletions(-)
diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
index b3471a2..a403699 100644
--- a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
+++ b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
@@ -16,83 +16,48 @@
package com.gitblit.transport.ssh;
import java.io.File;
+import java.io.FileOutputStream;
import java.io.IOException;
+import java.io.OutputStreamWriter;
import java.net.InetSocketAddress;
-import java.net.SocketAddress;
-import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
import java.text.MessageFormat;
-import java.util.Arrays;
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;
-import javax.inject.Inject;
-
-import org.apache.mina.core.future.IoFuture;
-import org.apache.mina.core.future.IoFutureListener;
-import org.apache.mina.core.session.IoSession;
-import org.apache.mina.transport.socket.SocketSessionConfig;
import org.apache.sshd.SshServer;
-import org.apache.sshd.common.Channel;
-import org.apache.sshd.common.Cipher;
-import org.apache.sshd.common.Compression;
-import org.apache.sshd.common.KeyExchange;
-import org.apache.sshd.common.KeyPairProvider;
-import org.apache.sshd.common.Mac;
-import org.apache.sshd.common.NamedFactory;
-import org.apache.sshd.common.Session;
-import org.apache.sshd.common.Signature;
-import org.apache.sshd.common.cipher.AES128CBC;
-import org.apache.sshd.common.cipher.AES192CBC;
-import org.apache.sshd.common.cipher.AES256CBC;
-import org.apache.sshd.common.cipher.BlowfishCBC;
-import org.apache.sshd.common.cipher.TripleDESCBC;
-import org.apache.sshd.common.compression.CompressionNone;
-import org.apache.sshd.common.mac.HMACMD5;
-import org.apache.sshd.common.mac.HMACMD596;
-import org.apache.sshd.common.mac.HMACSHA1;
-import org.apache.sshd.common.mac.HMACSHA196;
-import org.apache.sshd.common.random.BouncyCastleRandom;
-import org.apache.sshd.common.random.SingletonRandomFactory;
-import org.apache.sshd.common.signature.SignatureDSA;
-import org.apache.sshd.common.signature.SignatureRSA;
+import org.apache.sshd.common.io.IoServiceFactoryFactory;
+import org.apache.sshd.common.io.mina.MinaServiceFactoryFactory;
+import org.apache.sshd.common.io.nio2.Nio2ServiceFactoryFactory;
+import org.apache.sshd.common.keyprovider.FileKeyPairProvider;
import org.apache.sshd.common.util.SecurityUtils;
-import org.apache.sshd.server.CommandFactory;
-import org.apache.sshd.server.FileSystemFactory;
-import org.apache.sshd.server.FileSystemView;
-import org.apache.sshd.server.ForwardingFilter;
-import org.apache.sshd.server.PublickeyAuthenticator;
-import org.apache.sshd.server.SshFile;
-import org.apache.sshd.server.UserAuth;
-import org.apache.sshd.server.auth.UserAuthPublicKey;
-import org.apache.sshd.server.channel.ChannelDirectTcpip;
-import org.apache.sshd.server.channel.ChannelSession;
-import org.apache.sshd.server.kex.DHG1;
-import org.apache.sshd.server.kex.DHG14;
-import org.apache.sshd.server.keyprovider.PEMGeneratorHostKeyProvider;
-import org.apache.sshd.server.session.ServerSession;
-import org.apache.sshd.server.session.SessionFactory;
+import org.bouncycastle.openssl.PEMWriter;
import org.eclipse.jgit.internal.JGitText;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import com.gitblit.Constants;
import com.gitblit.IStoredSettings;
import com.gitblit.Keys;
import com.gitblit.manager.IGitblit;
+import com.gitblit.transport.ssh.commands.SshCommandFactory;
import com.gitblit.utils.IdGenerator;
+import com.gitblit.utils.JnaUtils;
import com.gitblit.utils.StringUtils;
+import com.google.common.io.Files;
/**
* Manager for the ssh transport. Roughly analogous to the
- * {@link com.gitblit.git.GitDaemon} class.
- *
- * @author Eric Myhre
- *
+ * {@link com.gitblit.transport.git.GitDaemon} class.
+ *
*/
-public class SshDaemon extends SshServer {
+public class SshDaemon {
private final Logger log = LoggerFactory.getLogger(SshDaemon.class);
+
+ public static enum SshSessionBackend {
+ MINA, NIO2
+ }
/**
* 22: IANA assigned port number for ssh. Note that this is a distinct
@@ -102,93 +67,92 @@
*/
public static final int DEFAULT_PORT = 22;
- private static final String HOST_KEY_STORE = "sshKeyStore.pem";
+ private final AtomicBoolean run;
- private InetSocketAddress myAddress;
-
- private AtomicBoolean run;
-
- @SuppressWarnings("unused")
- private IGitblit gitblit;
+ private final IGitblit gitblit;
+ private final SshServer sshd;
/**
* Construct the Gitblit SSH daemon.
- *
+ *
* @param gitblit
*/
- @Inject
- SshDaemon(IGitblit gitblit, IdGenerator idGenerator,
- SshCommandFactory factory) {
+ public SshDaemon(IGitblit gitblit, IdGenerator idGenerator) {
this.gitblit = gitblit;
- IStoredSettings settings = gitblit.getSettings();
- int port = settings.getInteger(Keys.git.sshPort, 0);
- String bindInterface = settings.getString(Keys.git.sshBindInterface,
- "localhost");
+ IStoredSettings settings = gitblit.getSettings();
+
+ // Ensure that Bouncy Castle is our JCE provider
+ SecurityUtils.setRegisterBouncyCastle(true);
+
+ // Generate host RSA and DSA keypairs and create the host keypair provider
+ File rsaKeyStore = new File(gitblit.getBaseFolder(), "ssh-rsa-hostkey.pem");
+ File dsaKeyStore = new File(gitblit.getBaseFolder(), "ssh-dsa-hostkey.pem");
+ generateKeyPair(rsaKeyStore, "RSA", 2048);
+ generateKeyPair(dsaKeyStore, "DSA", 0);
+ FileKeyPairProvider hostKeyPairProvider = new FileKeyPairProvider();
+ hostKeyPairProvider.setFiles(new String [] { rsaKeyStore.getPath(), dsaKeyStore.getPath(), dsaKeyStore.getPath() });
+
+ // Client public key authenticator
+ CachingPublicKeyAuthenticator keyAuthenticator =
+ new CachingPublicKeyAuthenticator(gitblit.getPublicKeyManager(), gitblit);
+
+ // Configure the preferred SSHD backend
+ String sshBackendStr = settings.getString(Keys.git.sshBackend,
+ SshSessionBackend.NIO2.name());
+ SshSessionBackend backend = SshSessionBackend.valueOf(sshBackendStr);
+ System.setProperty(IoServiceFactoryFactory.class.getName(),
+ backend == SshSessionBackend.MINA
+ ? MinaServiceFactoryFactory.class.getName()
+ : Nio2ServiceFactoryFactory.class.getName());
+
+ // Create the socket address for binding the SSH server
+ int port = settings.getInteger(Keys.git.sshPort, 0);
+ String bindInterface = settings.getString(Keys.git.sshBindInterface, "");
+ InetSocketAddress addr;
if (StringUtils.isEmpty(bindInterface)) {
- myAddress = new InetSocketAddress(port);
+ addr = new InetSocketAddress(port);
} else {
- myAddress = new InetSocketAddress(bindInterface, port);
+ addr = new InetSocketAddress(bindInterface, port);
}
- setPort(myAddress.getPort());
- setHost(myAddress.getHostName());
- setup();
- setKeyPairProvider(new PEMGeneratorHostKeyProvider(new File(
- gitblit.getBaseFolder(), HOST_KEY_STORE).getPath()));
- setPublickeyAuthenticator(new SshKeyAuthenticator(gitblit));
+ // Create the SSH server
+ sshd = SshServer.setUpDefaultServer();
+ sshd.setPort(addr.getPort());
+ sshd.setHost(addr.getHostName());
+ sshd.setKeyPairProvider(hostKeyPairProvider);
+ sshd.setPublickeyAuthenticator(keyAuthenticator);
+ sshd.setPasswordAuthenticator(new UsernamePasswordAuthenticator(gitblit));
+ sshd.setSessionFactory(new SshServerSessionFactory());
+ sshd.setFileSystemFactory(new DisabledFilesystemFactory());
+ sshd.setTcpipForwardingFilter(new NonForwardingFilter());
+ sshd.setCommandFactory(new SshCommandFactory(gitblit, idGenerator));
+ sshd.setShellFactory(new WelcomeShell(settings));
+
+ // Set the server id. This can be queried with:
+ // ssh-keyscan -t rsa,dsa -p 29418 localhost
+ String version = String.format("%s (%s-%s)", Constants.getGitBlitVersion().replace(' ', '_'),
+ sshd.getVersion(), sshBackendStr);
+ sshd.getProperties().put(SshServer.SERVER_IDENTIFICATION, version);
run = new AtomicBoolean(false);
- setCommandFactory(factory);
- setSessionFactory(newSessionFactory(idGenerator));
- }
-
- SessionFactory newSessionFactory(final IdGenerator idGenerator) {
- return new SessionFactory() {
- @Override
- protected ServerSession createSession(final IoSession io)
- throws Exception {
- log.info("connection accepted on " + io);
- if (io.getConfig() instanceof SocketSessionConfig) {
- final SocketSessionConfig c = (SocketSessionConfig) io
- .getConfig();
- c.setKeepAlive(true);
- }
- ServerSession s = (ServerSession) super.createSession(io);
- SocketAddress peer = io.getRemoteAddress();
- SshSession session = new SshSession(idGenerator.next(), peer);
- s.setAttribute(SshSession.KEY, session);
- io.getCloseFuture().addListener(
- new IoFutureListener<IoFuture>() {
- @Override
- public void operationComplete(IoFuture future) {
- log.info("connection closed on " + io);
- }
- });
- return s;
- }
- };
- }
-
- public int getPort() {
- return myAddress.getPort();
}
public String formatUrl(String gituser, String servername, String repository) {
- if (getPort() == DEFAULT_PORT) {
+ if (sshd.getPort() == DEFAULT_PORT) {
// standard port
return MessageFormat.format("{0}@{1}/{2}", gituser, servername,
repository);
} else {
// non-standard port
return MessageFormat.format("ssh://{0}@{1}:{2,number,0}/{3}",
- gituser, servername, getPort(), repository);
+ gituser, servername, sshd.getPort(), repository);
}
}
/**
* Start this daemon on a background thread.
- *
+ *
* @throws IOException
* the server socket could not be opened.
* @throws IllegalStateException
@@ -199,12 +163,15 @@
throw new IllegalStateException(JGitText.get().daemonAlreadyRunning);
}
- super.start();
+ sshd.start();
run.set(true);
+ String sshBackendStr = gitblit.getSettings().getString(Keys.git.sshBackend,
+ SshSessionBackend.NIO2.name());
+
log.info(MessageFormat.format(
- "SSH Daemon is listening on {0}:{1,number,0}", myAddress
- .getAddress().getHostAddress(), myAddress.getPort()));
+ "SSH Daemon ({0}) is listening on {1}:{2,number,0}",
+ sshBackendStr, sshd.getHost(), sshd.getPort()));
}
/** @return true if this daemon is receiving connections. */
@@ -219,117 +186,44 @@
run.set(false);
try {
- super.stop();
+ ((SshCommandFactory) sshd.getCommandFactory()).stop();
+ sshd.stop();
} catch (InterruptedException e) {
log.error("SSH Daemon stop interrupted", e);
}
}
}
- /**
- * Performs most of default configuration (setup random sources, setup
- * ciphers, etc; also, support for forwarding and filesystem is explicitly
- * disallowed).
- *
- * {@link #setKeyPairProvider(KeyPairProvider)} and
- * {@link #setPublickeyAuthenticator(PublickeyAuthenticator)} are left for
- * you. And applying {@link #setCommandFactory(CommandFactory)} is probably
- * wise if you want something to actually happen when users do successfully
- * authenticate.
- */
- @SuppressWarnings("unchecked")
- public void setup() {
- if (!SecurityUtils.isBouncyCastleRegistered())
- throw new RuntimeException("BC crypto not available");
+ private void generateKeyPair(File file, String algorithm, int keySize) {
+ if (file.exists()) {
+ return;
+ }
+ try {
+ KeyPairGenerator generator = SecurityUtils.getKeyPairGenerator(algorithm);
+ if (keySize != 0) {
+ generator.initialize(keySize);
+ log.info("Generating {}-{} SSH host keypair...", algorithm, keySize);
+ } else {
+ log.info("Generating {} SSH host keypair...", algorithm);
+ }
+ KeyPair kp = generator.generateKeyPair();
- setKeyExchangeFactories(Arrays.<NamedFactory<KeyExchange>> asList(
- new DHG14.Factory(), new DHG1.Factory()));
+ // create an empty file and set the permissions
+ Files.touch(file);
+ try {
+ JnaUtils.setFilemode(file, JnaUtils.S_IRUSR | JnaUtils.S_IWUSR);
+ } catch (UnsupportedOperationException e) {
+ // Windows
+ }
- setRandomFactory(new SingletonRandomFactory(
- new BouncyCastleRandom.Factory()));
-
- setupCiphers();
-
- setCompressionFactories(Arrays
- .<NamedFactory<Compression>> asList(new CompressionNone.Factory()));
-
- setMacFactories(Arrays.<NamedFactory<Mac>> asList(
- new HMACMD5.Factory(), new HMACSHA1.Factory(),
- new HMACMD596.Factory(), new HMACSHA196.Factory()));
-
- setChannelFactories(Arrays.<NamedFactory<Channel>> asList(
- new ChannelSession.Factory(), new ChannelDirectTcpip.Factory()));
-
- setSignatureFactories(Arrays.<NamedFactory<Signature>> asList(
- new SignatureDSA.Factory(), new SignatureRSA.Factory()));
-
- setFileSystemFactory(new FileSystemFactory() {
- @Override
- public FileSystemView createFileSystemView(Session session)
- throws IOException {
- return new FileSystemView() {
- @Override
- public SshFile getFile(SshFile baseDir, String file) {
- return null;
- }
-
- @Override
- public SshFile getFile(String file) {
- return null;
- }
- };
- }
- });
-
- setForwardingFilter(new ForwardingFilter() {
- @Override
- public boolean canForwardAgent(ServerSession session) {
- return false;
- }
-
- @Override
- public boolean canForwardX11(ServerSession session) {
- return false;
- }
-
- @Override
- public boolean canConnect(InetSocketAddress address,
- ServerSession session) {
- return false;
- }
-
- @Override
- public boolean canListen(InetSocketAddress address,
- ServerSession session) {
- return false;
- }
- });
-
- setUserAuthFactories(Arrays
- .<NamedFactory<UserAuth>> asList(new UserAuthPublicKey.Factory()));
- }
-
- protected void setupCiphers() {
- List<NamedFactory<Cipher>> avail = new LinkedList<NamedFactory<Cipher>>();
- avail.add(new AES128CBC.Factory());
- avail.add(new TripleDESCBC.Factory());
- avail.add(new BlowfishCBC.Factory());
- avail.add(new AES192CBC.Factory());
- avail.add(new AES256CBC.Factory());
-
- for (Iterator<NamedFactory<Cipher>> i = avail.iterator(); i.hasNext();) {
- final NamedFactory<Cipher> f = i.next();
- try {
- final Cipher c = f.create();
- final byte[] key = new byte[c.getBlockSize()];
- final byte[] iv = new byte[c.getIVSize()];
- c.init(Cipher.Mode.Encrypt, key, iv);
- } catch (InvalidKeyException e) {
- i.remove();
- } catch (Exception e) {
- i.remove();
- }
- }
- setCipherFactories(avail);
- }
+ FileOutputStream os = new FileOutputStream(file);
+ PEMWriter w = new PEMWriter(new OutputStreamWriter(os));
+ w.writeObject(kp);
+ w.flush();
+ w.close();
+ } catch (Exception e) {
+ log.warn(MessageFormat.format("Unable to generate {0} keypair", algorithm), e);
+ return;
+ }
+ }
}
--
Gitblit v1.9.1