From fbc7a7dd5fa61486610cf11c09e0007f2900a3e1 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Wed, 03 Dec 2014 15:05:49 -0500
Subject: [PATCH] Add support for specifying the `Proxy-Authorization` header for the PluginManager
---
src/main/java/com/gitblit/transport/ssh/SshDaemon.java | 196 +++++++++++++++++++-----------------------------
1 files changed, 79 insertions(+), 117 deletions(-)
diff --git a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
index 40a310e..9667154 100644
--- a/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
+++ b/src/main/java/com/gitblit/transport/ssh/SshDaemon.java
@@ -16,38 +16,40 @@
package com.gitblit.transport.ssh;
import java.io.File;
+import java.io.FileOutputStream;
import java.io.IOException;
+import java.io.OutputStreamWriter;
import java.net.InetSocketAddress;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
import java.text.MessageFormat;
import java.util.concurrent.atomic.AtomicBoolean;
-
-import javax.inject.Singleton;
import org.apache.sshd.SshServer;
import org.apache.sshd.common.io.IoServiceFactoryFactory;
import org.apache.sshd.common.io.mina.MinaServiceFactoryFactory;
import org.apache.sshd.common.io.nio2.Nio2ServiceFactoryFactory;
-import org.apache.sshd.server.keyprovider.PEMGeneratorHostKeyProvider;
+import org.apache.sshd.common.keyprovider.FileKeyPairProvider;
+import org.apache.sshd.common.util.SecurityUtils;
+import org.apache.sshd.server.auth.CachingPublicKeyAuthenticator;
+import org.bouncycastle.openssl.PEMWriter;
import org.eclipse.jgit.internal.JGitText;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import com.gitblit.Constants;
import com.gitblit.IStoredSettings;
import com.gitblit.Keys;
-import com.gitblit.manager.IAuthenticationManager;
import com.gitblit.manager.IGitblit;
-import com.gitblit.utils.IdGenerator;
+import com.gitblit.transport.ssh.commands.SshCommandFactory;
+import com.gitblit.utils.JnaUtils;
import com.gitblit.utils.StringUtils;
-
-import dagger.Module;
-import dagger.ObjectGraph;
-import dagger.Provides;
+import com.gitblit.utils.WorkQueue;
+import com.google.common.io.Files;
/**
* Manager for the ssh transport. Roughly analogous to the
* {@link com.gitblit.transport.git.GitDaemon} class.
- *
- * @author Eric Myhre
*
*/
public class SshDaemon {
@@ -66,30 +68,41 @@
*/
public static final int DEFAULT_PORT = 22;
- private static final String HOST_KEY_STORE = "sshKeyStore.pem";
-
private final AtomicBoolean run;
private final IGitblit gitblit;
private final SshServer sshd;
- private final ObjectGraph injector;
/**
* Construct the Gitblit SSH daemon.
*
* @param gitblit
+ * @param workQueue
*/
- public SshDaemon(IGitblit gitblit, IdGenerator idGenerator) {
+ public SshDaemon(IGitblit gitblit, WorkQueue workQueue) {
this.gitblit = gitblit;
- this.injector = ObjectGraph.create(new SshModule());
IStoredSettings settings = gitblit.getSettings();
- int port = settings.getInteger(Keys.git.sshPort, 0);
- String bindInterface = settings.getString(Keys.git.sshBindInterface,
- "localhost");
- IKeyManager keyManager = getKeyManager();
+ // Ensure that Bouncy Castle is our JCE provider
+ SecurityUtils.setRegisterBouncyCastle(true);
+ if (SecurityUtils.isBouncyCastleRegistered()) {
+ log.debug("BouncyCastle is registered as a JCE provider");
+ }
+ // Generate host RSA and DSA keypairs and create the host keypair provider
+ File rsaKeyStore = new File(gitblit.getBaseFolder(), "ssh-rsa-hostkey.pem");
+ File dsaKeyStore = new File(gitblit.getBaseFolder(), "ssh-dsa-hostkey.pem");
+ generateKeyPair(rsaKeyStore, "RSA", 2048);
+ generateKeyPair(dsaKeyStore, "DSA", 0);
+ FileKeyPairProvider hostKeyPairProvider = new FileKeyPairProvider();
+ hostKeyPairProvider.setFiles(new String [] { rsaKeyStore.getPath(), dsaKeyStore.getPath(), dsaKeyStore.getPath() });
+
+ // Client public key authenticator
+ SshKeyAuthenticator keyAuthenticator =
+ new SshKeyAuthenticator(gitblit.getPublicKeyManager(), gitblit);
+
+ // Configure the preferred SSHD backend
String sshBackendStr = settings.getString(Keys.git.sshBackend,
SshSessionBackend.NIO2.name());
SshSessionBackend backend = SshSessionBackend.valueOf(sshBackendStr);
@@ -98,6 +111,9 @@
? MinaServiceFactoryFactory.class.getName()
: Nio2ServiceFactoryFactory.class.getName());
+ // Create the socket address for binding the SSH server
+ int port = settings.getInteger(Keys.git.sshPort, 0);
+ String bindInterface = settings.getString(Keys.git.sshBindInterface, "");
InetSocketAddress addr;
if (StringUtils.isEmpty(bindInterface)) {
addr = new InetSocketAddress(port);
@@ -105,49 +121,32 @@
addr = new InetSocketAddress(bindInterface, port);
}
- CachingPublicKeyAuthenticator keyAuthenticator =
- getPublicKeyAuthenticator(keyManager, gitblit);
-
+ // Create the SSH server
sshd = SshServer.setUpDefaultServer();
sshd.setPort(addr.getPort());
sshd.setHost(addr.getHostName());
- sshd.setKeyPairProvider(new PEMGeneratorHostKeyProvider(new File(
- gitblit.getBaseFolder(), HOST_KEY_STORE).getPath()));
- sshd.setPublickeyAuthenticator(keyAuthenticator);
+ sshd.setKeyPairProvider(hostKeyPairProvider);
+ sshd.setPublickeyAuthenticator(new CachingPublicKeyAuthenticator(keyAuthenticator));
sshd.setPasswordAuthenticator(new UsernamePasswordAuthenticator(gitblit));
sshd.setSessionFactory(new SshServerSessionFactory());
sshd.setFileSystemFactory(new DisabledFilesystemFactory());
sshd.setTcpipForwardingFilter(new NonForwardingFilter());
- sshd.setCommandFactory(new SshCommandFactory(gitblit, keyAuthenticator, idGenerator));
+ sshd.setCommandFactory(new SshCommandFactory(gitblit, workQueue));
+ sshd.setShellFactory(new WelcomeShell(settings));
+
+ // Set the server id. This can be queried with:
+ // ssh-keyscan -t rsa,dsa -p 29418 localhost
+ String version = String.format("%s (%s-%s)", Constants.getGitBlitVersion().replace(' ', '_'),
+ sshd.getVersion(), sshBackendStr);
+ sshd.getProperties().put(SshServer.SERVER_IDENTIFICATION, version);
run = new AtomicBoolean(false);
- }
-
- private CachingPublicKeyAuthenticator getPublicKeyAuthenticator(
- IKeyManager keyManager, IGitblit gitblit) {
- IStoredSettings settings = gitblit.getSettings();
- String clazz = settings.getString(Keys.git.sshPublicKeyAuthenticator,
- CachingPublicKeyAuthenticator.class.getName());
- if (StringUtils.isEmpty(clazz)) {
- clazz = CachingPublicKeyAuthenticator.class.getName();
- }
- try {
- Class<CachingPublicKeyAuthenticator> authClass =
- (Class<CachingPublicKeyAuthenticator>) Class.forName(clazz);
- return authClass.getConstructor(
- new Class[] { IKeyManager.class,
- IAuthenticationManager.class }).newInstance(
- keyManager, gitblit);
- } catch (Exception e) {
- log.error("failed to create ssh auth manager " + clazz, e);
- }
- return null;
}
public String formatUrl(String gituser, String servername, String repository) {
if (sshd.getPort() == DEFAULT_PORT) {
// standard port
- return MessageFormat.format("{0}@{1}/{2}", gituser, servername,
+ return MessageFormat.format("ssh://{0}@{1}/{2}", gituser, servername,
repository);
} else {
// non-standard port
@@ -192,6 +191,7 @@
run.set(false);
try {
+ ((SshCommandFactory) sshd.getCommandFactory()).stop();
sshd.stop();
} catch (InterruptedException e) {
log.error("SSH Daemon stop interrupted", e);
@@ -199,74 +199,36 @@
}
}
- @SuppressWarnings("unchecked")
- protected IKeyManager getKeyManager() {
- IKeyManager keyManager = null;
- IStoredSettings settings = gitblit.getSettings();
- String clazz = settings.getString(Keys.git.sshKeysManager, FileKeyManager.class.getName());
- if (StringUtils.isEmpty(clazz)) {
- clazz = FileKeyManager.class.getName();
- }
- try {
- Class<? extends IKeyManager> managerClass = (Class<? extends IKeyManager>) Class.forName(clazz);
- keyManager = injector.get(managerClass).start();
- if (keyManager.isReady()) {
- log.info("{} is ready.", keyManager);
- } else {
- log.warn("{} is disabled.", keyManager);
- }
- } catch (Exception e) {
- log.error("failed to create ssh key manager " + clazz, e);
- keyManager = injector.get(NullKeyManager.class).start();
- }
- return keyManager;
- }
+ private void generateKeyPair(File file, String algorithm, int keySize) {
+ if (file.exists()) {
+ return;
+ }
+ try {
+ KeyPairGenerator generator = SecurityUtils.getKeyPairGenerator(algorithm);
+ if (keySize != 0) {
+ generator.initialize(keySize);
+ log.info("Generating {}-{} SSH host keypair...", algorithm, keySize);
+ } else {
+ log.info("Generating {} SSH host keypair...", algorithm);
+ }
+ KeyPair kp = generator.generateKeyPair();
- @SuppressWarnings("unchecked")
- protected IKeyManager getKeyAuthenticator() {
- IKeyManager keyManager = null;
- IStoredSettings settings = gitblit.getSettings();
- String clazz = settings.getString(Keys.git.sshKeysManager, FileKeyManager.class.getName());
- if (StringUtils.isEmpty(clazz)) {
- clazz = FileKeyManager.class.getName();
- }
- try {
- Class<? extends IKeyManager> managerClass = (Class<? extends IKeyManager>) Class.forName(clazz);
- keyManager = injector.get(managerClass).start();
- if (keyManager.isReady()) {
- log.info("{} is ready.", keyManager);
- } else {
- log.warn("{} is disabled.", keyManager);
- }
- } catch (Exception e) {
- log.error("failed to create ssh key manager " + clazz, e);
- keyManager = injector.get(NullKeyManager.class).start();
- }
- return keyManager;
- }
+ // create an empty file and set the permissions
+ Files.touch(file);
+ try {
+ JnaUtils.setFilemode(file, JnaUtils.S_IRUSR | JnaUtils.S_IWUSR);
+ } catch (UnsatisfiedLinkError | UnsupportedOperationException e) {
+ // Unexpected/Unsupported OS or Architecture
+ }
- /**
- * A nested Dagger graph is used for constructor dependency injection of
- * complex classes.
- *
- * @author James Moger
- *
- */
- @Module(
- library = true,
- injects = {
- NullKeyManager.class,
- FileKeyManager.class
- }
- )
- class SshModule {
-
- @Provides @Singleton NullKeyManager provideNullKeyManager() {
- return new NullKeyManager();
- }
-
- @Provides @Singleton FileKeyManager provideFileKeyManager() {
- return new FileKeyManager(SshDaemon.this.gitblit);
- }
- }
+ FileOutputStream os = new FileOutputStream(file);
+ PEMWriter w = new PEMWriter(new OutputStreamWriter(os));
+ w.writeObject(kp);
+ w.flush();
+ w.close();
+ } catch (Exception e) {
+ log.warn(MessageFormat.format("Unable to generate {0} keypair", algorithm), e);
+ return;
+ }
+ }
}
--
Gitblit v1.9.1