mirror of
https://github.com/coder/coder.git
synced 2025-07-06 15:41:45 +00:00
7ad87505c8
* chore: rename `AgentConn` to `WorkspaceAgentConn` The codersdk was becoming bloated with consts for the workspace agent that made no sense to a reader. `Tailnet*` is an example of these consts. * chore: remove `Get` prefix from *Client functions * chore: remove `BypassRatelimits` option in `codersdk.Client` It feels wrong to have this as a direct option because it's so infrequently needed by API callers. It's better to directly modify headers in the two places that we actually use it. * Merge `appearance.go` and `buildinfo.go` into `deployment.go` * Merge `experiments.go` and `features.go` into `deployment.go` * Fix `make gen` referencing old type names * Merge `error.go` into `client.go` `codersdk.Response` lived in `error.go`, which is wrong. * chore: refactor workspace agent functions into agentsdk It was odd conflating the codersdk that clients should use with functions that only the agent should use. This separates them into two SDKs that are closely coupled, but separate. * Merge `insights.go` into `deployment.go` * Merge `organizationmember.go` into `organizations.go` * Merge `quota.go` into `workspaces.go` * Rename `sse.go` to `serversentevents.go` * Rename `codersdk.WorkspaceAppHostResponse` to `codersdk.AppHostResponse` * Format `.vscode/settings.json` * Fix outdated naming in `api.ts` * Fix app host response * Fix unsupported type * Fix imported type
190 lines
5.9 KiB
Go
190 lines
5.9 KiB
Go
package cli
|
|
|
|
import (
|
|
"bufio"
|
|
"bytes"
|
|
"context"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
"os/exec"
|
|
"os/signal"
|
|
"path/filepath"
|
|
"strings"
|
|
|
|
"github.com/spf13/cobra"
|
|
"golang.org/x/xerrors"
|
|
|
|
"github.com/coder/coder/cli/cliui"
|
|
)
|
|
|
|
func gitssh() *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "gitssh",
|
|
Hidden: true,
|
|
Short: `Wraps the "ssh" command and uses the coder gitssh key for authentication`,
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
ctx := cmd.Context()
|
|
env := os.Environ()
|
|
|
|
// Catch interrupt signals to ensure the temporary private
|
|
// key file is cleaned up on most cases.
|
|
ctx, stop := signal.NotifyContext(ctx, InterruptSignals...)
|
|
defer stop()
|
|
|
|
// Early check so errors are reported immediately.
|
|
identityFiles, err := parseIdentityFilesForHost(ctx, args, env)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
client, err := createAgentClient(cmd)
|
|
if err != nil {
|
|
return xerrors.Errorf("create agent client: %w", err)
|
|
}
|
|
key, err := client.GitSSHKey(ctx)
|
|
if err != nil {
|
|
return xerrors.Errorf("get agent git ssh token: %w", err)
|
|
}
|
|
|
|
privateKeyFile, err := os.CreateTemp("", "coder-gitsshkey-*")
|
|
if err != nil {
|
|
return xerrors.Errorf("create temp gitsshkey file: %w", err)
|
|
}
|
|
defer func() {
|
|
_ = privateKeyFile.Close()
|
|
_ = os.Remove(privateKeyFile.Name())
|
|
}()
|
|
_, err = privateKeyFile.WriteString(key.PrivateKey)
|
|
if err != nil {
|
|
return xerrors.Errorf("write to temp gitsshkey file: %w", err)
|
|
}
|
|
err = privateKeyFile.Close()
|
|
if err != nil {
|
|
return xerrors.Errorf("close temp gitsshkey file: %w", err)
|
|
}
|
|
|
|
// Append our key, giving precedence to user keys. Note that
|
|
// OpenSSH server are typically configured with MaxAuthTries
|
|
// set to the default value of 6. This means that only the 6
|
|
// first keys can be tried. However, we will assume that if
|
|
// a user has configured 6+ keys for a host, they know what
|
|
// they're doing. This behavior is critical if a server has
|
|
// been configured with MaxAuthTries set to 1.
|
|
identityFiles = append(identityFiles, privateKeyFile.Name())
|
|
|
|
var identityArgs []string
|
|
for _, id := range identityFiles {
|
|
identityArgs = append(identityArgs, "-i", id)
|
|
}
|
|
|
|
args = append(identityArgs, args...)
|
|
c := exec.CommandContext(ctx, "ssh", args...)
|
|
c.Env = append(c.Env, env...)
|
|
c.Stderr = cmd.ErrOrStderr()
|
|
c.Stdout = cmd.OutOrStdout()
|
|
c.Stdin = cmd.InOrStdin()
|
|
err = c.Run()
|
|
if err != nil {
|
|
exitErr := &exec.ExitError{}
|
|
if xerrors.As(err, &exitErr) && exitErr.ExitCode() == 255 {
|
|
_, _ = fmt.Fprintln(cmd.ErrOrStderr(),
|
|
"\n"+cliui.Styles.Wrap.Render("Coder authenticates with "+cliui.Styles.Field.Render("git")+
|
|
" using the public key below. All clones with SSH are authenticated automatically 🪄.")+"\n")
|
|
_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cliui.Styles.Code.Render(strings.TrimSpace(key.PublicKey))+"\n")
|
|
_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "Add to GitHub and GitLab:")
|
|
_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cliui.Styles.Prompt.String()+"https://github.com/settings/ssh/new")
|
|
_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cliui.Styles.Prompt.String()+"https://gitlab.com/-/profile/keys")
|
|
_, _ = fmt.Fprintln(cmd.ErrOrStderr())
|
|
return err
|
|
}
|
|
return xerrors.Errorf("run ssh command: %w", err)
|
|
}
|
|
|
|
return nil
|
|
},
|
|
}
|
|
|
|
return cmd
|
|
}
|
|
|
|
// fallbackIdentityFiles is the list of identity files SSH tries when
|
|
// none have been defined for a host.
|
|
var fallbackIdentityFiles = strings.Join([]string{
|
|
"identityfile ~/.ssh/id_rsa",
|
|
"identityfile ~/.ssh/id_dsa",
|
|
"identityfile ~/.ssh/id_ecdsa",
|
|
"identityfile ~/.ssh/id_ecdsa_sk",
|
|
"identityfile ~/.ssh/id_ed25519",
|
|
"identityfile ~/.ssh/id_ed25519_sk",
|
|
"identityfile ~/.ssh/id_xmss",
|
|
}, "\n")
|
|
|
|
// parseIdentityFilesForHost uses ssh -G to discern what SSH keys have
|
|
// been enabled for the host (via the users SSH config) and returns a
|
|
// list of existing identity files.
|
|
//
|
|
// We do this because when no keys are defined for a host, SSH uses
|
|
// fallback keys (see above). However, by passing `-i` to attach our
|
|
// private key, we're effectively disabling the fallback keys.
|
|
//
|
|
// Example invocation:
|
|
//
|
|
// ssh -G -o SendEnv=GIT_PROTOCOL git@github.com git-upload-pack 'coder/coder'
|
|
//
|
|
// The extra arguments work without issue and lets us run the command
|
|
// as-is without stripping out the excess (git-upload-pack 'coder/coder').
|
|
func parseIdentityFilesForHost(ctx context.Context, args, env []string) (identityFiles []string, error error) {
|
|
home, err := os.UserHomeDir()
|
|
if err != nil {
|
|
return nil, xerrors.Errorf("get user home dir failed: %w", err)
|
|
}
|
|
|
|
var outBuf bytes.Buffer
|
|
var r io.Reader = &outBuf
|
|
|
|
args = append([]string{"-G"}, args...)
|
|
cmd := exec.CommandContext(ctx, "ssh", args...)
|
|
cmd.Env = append(cmd.Env, env...)
|
|
cmd.Stdout = &outBuf
|
|
cmd.Stderr = io.Discard
|
|
err = cmd.Run()
|
|
if err != nil {
|
|
// If ssh -G failed, the SSH version is likely too old, fallback
|
|
// to using the default identity files.
|
|
r = strings.NewReader(fallbackIdentityFiles)
|
|
}
|
|
|
|
s := bufio.NewScanner(r)
|
|
for s.Scan() {
|
|
line := s.Text()
|
|
if strings.HasPrefix(line, "identityfile ") {
|
|
id := strings.TrimPrefix(line, "identityfile ")
|
|
if strings.HasPrefix(id, "~/") {
|
|
id = home + id[1:]
|
|
}
|
|
// OpenSSH on Windows is weird, it supports using (and does
|
|
// use) mixed \ and / in paths.
|
|
//
|
|
// Example: C:\Users\ZeroCool/.ssh/known_hosts
|
|
//
|
|
// To check the file existence in Go, though, we want to use
|
|
// proper Windows paths.
|
|
// OpenSSH is amazing, this will work on Windows too:
|
|
// C:\Users\ZeroCool/.ssh/id_rsa
|
|
id = filepath.FromSlash(id)
|
|
|
|
// Only include the identity file if it exists.
|
|
if _, err := os.Stat(id); err == nil {
|
|
identityFiles = append(identityFiles, id)
|
|
}
|
|
}
|
|
}
|
|
if err := s.Err(); err != nil {
|
|
// This should never happen, the check is for completeness.
|
|
return nil, xerrors.Errorf("scan ssh output: %w", err)
|
|
}
|
|
|
|
return identityFiles, nil
|
|
}
|