sshportal/main.go

package main

import (
	"bytes"
	"fmt"
	"log"
	"math/rand"
	"net"
	"os"
	"path"
	"strings"
	"time"

	"github.com/gliderlabs/ssh"
	"github.com/jinzhu/gorm"
	_ "github.com/jinzhu/gorm/dialects/mysql"
	_ "github.com/jinzhu/gorm/dialects/sqlite"
	"github.com/urfave/cli"
	gossh "golang.org/x/crypto/ssh"
)

var (
	// Version should be updated by hand at each release
	Version = "1.7.0+dev"
	// GitTag will be overwritten automatically by the build system
	GitTag string
	// GitSha will be overwritten automatically by the build system
	GitSha string
	// GitBranch will be overwritten automatically by the build system
	GitBranch string
)

func main() {
	rand.Seed(time.Now().UnixNano())

	app := cli.NewApp()
	app.Name = path.Base(os.Args[0])
	app.Author = "Manfred Touron"
	app.Version = Version + " (" + GitSha + ")"
	app.Email = "https://github.com/moul/sshportal"
	app.Commands = []cli.Command{
		{
			Name:   "server",
			Usage:  "Start sshportal server",
			Action: server,
			Flags: []cli.Flag{
				cli.StringFlag{
					Name:   "bind-address, b",
					EnvVar: "SSHPORTAL_BIND",
					Value:  ":2222",
					Usage:  "SSH server bind address",
				},
				cli.StringFlag{
					Name:  "db-driver",
					Value: "sqlite3",
					Usage: "GORM driver (sqlite3)",
				},
				cli.StringFlag{
					Name:  "db-conn",
					Value: "./sshportal.db",
					Usage: "GORM connection string",
				},
				cli.BoolFlag{
					Name:  "debug, D",
					Usage: "Display debug information",
				},
				cli.StringFlag{
					Name:  "aes-key",
					Usage: "Encrypt sensitive data in database (length: 16, 24 or 32)",
				},
				cli.StringFlag{
					Name: "logs-location",
					Value: "/var/log/sshportal",
					Usage: "Store user session files",
				},
			},
		}, {
			Name:   "healthcheck",
			Action: healthcheck,
			Flags: []cli.Flag{
				cli.StringFlag{
					Name:  "addr, a",
					Value: "localhost:2222",
					Usage: "sshportal server address",
				},
				cli.BoolFlag{
					Name:  "wait, w",
					Usage: "Loop indefinitely until sshportal is ready",
				},
				cli.BoolFlag{
					Name:  "quiet, q",
					Usage: "Do not print errors, if any",
				},
			},
		},
	}
	if err := app.Run(os.Args); err != nil {
		log.Fatalf("error: %v", err)
	}
}

func server(c *cli.Context) error {
	switch len(c.String("aes-key")) {
	case 0, 16, 24, 32:
	default:
		return fmt.Errorf("invalid aes key size, should be 16 or 24, 32")
	}
	// db
	db, err := gorm.Open(c.String("db-driver"), c.String("db-conn"))
	if err != nil {
		return err
	}
	defer func() {
		if err2 := db.Close(); err2 != nil {
			panic(err2)
		}
	}()
	if err = db.DB().Ping(); err != nil {
		return err
	}
	if c.Bool("debug") {
		db.LogMode(true)
	}
	if err = dbInit(db); err != nil {
		return err
	}

	opts := []ssh.Option{}
	// custom PublicKeyAuth handler
	opts = append(opts, ssh.PublicKeyAuth(publicKeyAuthHandler(db, c)))
	opts = append(opts, ssh.PasswordAuth(passwordAuthHandler(db, c)))

	// retrieve sshportal SSH private key from database
	opts = append(opts, func(srv *ssh.Server) error {
		var key SSHKey
		if err = SSHKeysByIdentifiers(db, []string{"host"}).First(&key).Error; err != nil {
			return err
		}
		SSHKeyDecrypt(c.String("aes-key"), &key)

		var signer gossh.Signer
		signer, err = gossh.ParsePrivateKey([]byte(key.PrivKey))
		if err != nil {
			return err
		}
		srv.AddHostKey(signer)
		return nil
	})

	// create TCP listening socket
	ln, err := net.Listen("tcp", c.String("bind-address"))
	if err != nil {
		return err
	}

	// configure server
	srv := &ssh.Server{
		Addr:           c.String("bind-address"),
		Handler:        shellHandler, // ssh.Server.Handler is the handler for the DefaultSessionHandler
		Version:        fmt.Sprintf("sshportal-%s", Version),
		ChannelHandler: channelHandler,
	}
	for _, opt := range opts {
		if err := srv.SetOption(opt); err != nil {
			return err
		}
	}

	log.Printf("info: SSH Server accepting connections on %s", c.String("bind-address"))
	return srv.Serve(ln)
}

// perform a healthcheck test without requiring an ssh client or an ssh key (used for Docker's HEALTHCHECK)
func healthcheck(c *cli.Context) error {
	config := gossh.ClientConfig{
		User:            "healthcheck",
		HostKeyCallback: func(hostname string, remote net.Addr, key gossh.PublicKey) error { return nil },
		Auth:            []gossh.AuthMethod{gossh.Password("healthcheck")},
	}

	if c.Bool("wait") {
		for {
			if err := healthcheckOnce(c.String("addr"), config, c.Bool("quiet")); err != nil {
				if !c.Bool("quiet") {
					log.Printf("error: %v", err)
				}
				time.Sleep(time.Second)
				continue
			}
			return nil
		}
	}

	if err := healthcheckOnce(c.String("addr"), config, c.Bool("quiet")); err != nil {
		if c.Bool("quiet") {
			return cli.NewExitError("", 1)
		}
		return err
	}
	return nil
}

func healthcheckOnce(addr string, config gossh.ClientConfig, quiet bool) error {
	client, err := gossh.Dial("tcp", addr, &config)
	if err != nil {
		return err
	}

	session, err := client.NewSession()
	if err != nil {
		return err
	}
	defer func() {
		if err := session.Close(); err != nil {
			if !quiet {
				log.Printf("failed to close session: %v", err)
			}
		}
	}()

	var b bytes.Buffer
	session.Stdout = &b
	if err := session.Run(""); err != nil {
		return err
	}
	stdout := strings.TrimSpace(b.String())
	if stdout != "OK" {
		return fmt.Errorf("invalid stdout: %q expected 'OK'", stdout)
	}
	return nil
}
POC 2017-09-30 19:12:43 +08:00			`package main`

			`import (`
Add Docker healthcheck helper 2018-01-01 17:41:21 +08:00			`"bytes"`
POC 2017-09-30 19:12:43 +08:00			`"fmt"`
			`"log"`
Set random seed properly 2017-11-14 08:29:25 +08:00			`"math/rand"`
Add Docker healthcheck helper 2018-01-01 17:41:21 +08:00			`"net"`
POC 2017-09-30 19:12:43 +08:00			`"os"`
			`"path"`
Handle user invites 2017-11-08 02:40:14 +08:00			`"strings"`
Set random seed properly 2017-11-14 08:29:25 +08:00			`"time"`
POC 2017-09-30 19:12:43 +08:00
			`"github.com/gliderlabs/ssh"`
Add database 2017-10-30 23:48:14 +08:00			`"github.com/jinzhu/gorm"`
Add --debug options + mysql driver 2017-10-31 00:12:04 +08:00			`_ "github.com/jinzhu/gorm/dialects/mysql"`
Add database 2017-10-30 23:48:14 +08:00			`_ "github.com/jinzhu/gorm/dialects/sqlite"`
POC 2017-09-30 19:12:43 +08:00			`"github.com/urfave/cli"`
Use fixed ssh host key 2017-11-04 05:54:16 +08:00			`gossh "golang.org/x/crypto/ssh"`
POC 2017-09-30 19:12:43 +08:00			`)`

Use dynamic version 2017-11-14 07:38:23 +08:00			`var (`
Lint code + fix tests 2017-12-04 01:18:17 +08:00			`// Version should be updated by hand at each release`
Post-release version bump 2018-01-02 12:57:13 +08:00			`Version = "1.7.0+dev"`
Lint code + fix tests 2017-12-04 01:18:17 +08:00			`// GitTag will be overwritten automatically by the build system`
			`GitTag string`
			`// GitSha will be overwritten automatically by the build system`
			`GitSha string`
			`// GitBranch will be overwritten automatically by the build system`
			`GitBranch string`
Use dynamic version 2017-11-14 07:38:23 +08:00			`)`
Add 'version' command 2017-11-02 05:09:08 +08:00
POC 2017-09-30 19:12:43 +08:00			`func main() {`
Set random seed properly 2017-11-14 08:29:25 +08:00			`rand.Seed(time.Now().UnixNano())`

POC 2017-09-30 19:12:43 +08:00			`app := cli.NewApp()`
			`app.Name = path.Base(os.Args[0])`
			`app.Author = "Manfred Touron"`
Lint code + fix tests 2017-12-04 01:18:17 +08:00			`app.Version = Version + " (" + GitSha + ")"`
POC 2017-09-30 19:12:43 +08:00			`app.Email = "https://github.com/moul/sshportal"`
Use `sshportal server` instead of `sshportal` to start a new server 2017-12-31 23:31:25 +08:00			`app.Commands = []cli.Command{`
			`{`
			`Name: "server",`
			`Usage: "Start sshportal server",`
			`Action: server,`
			`Flags: []cli.Flag{`
			`cli.StringFlag{`
			`Name: "bind-address, b",`
			`EnvVar: "SSHPORTAL_BIND",`
			`Value: ":2222",`
			`Usage: "SSH server bind address",`
			`},`
			`cli.StringFlag{`
			`Name: "db-driver",`
			`Value: "sqlite3",`
			`Usage: "GORM driver (sqlite3)",`
			`},`
			`cli.StringFlag{`
			`Name: "db-conn",`
			`Value: "./sshportal.db",`
			`Usage: "GORM connection string",`
			`},`
			`cli.BoolFlag{`
			`Name: "debug, D",`
			`Usage: "Display debug information",`
			`},`
			`cli.StringFlag{`
			`Name: "aes-key",`
			`Usage: "Encrypt sensitive data in database (length: 16, 24 or 32)",`
			`},`
add audit feature. 2018-01-02 23:31:34 +08:00			`cli.StringFlag{`
			`Name: "logs-location",`
			`Value: "/var/log/sshportal",`
			`Usage: "Store user session files",`
			`},`
Use `sshportal server` instead of `sshportal` to start a new server 2017-12-31 23:31:25 +08:00			`},`
Add Docker healthcheck helper 2018-01-01 17:41:21 +08:00			`}, {`
			`Name: "healthcheck",`
			`Action: healthcheck,`
			`Flags: []cli.Flag{`
			`cli.StringFlag{`
			`Name: "addr, a",`
			`Value: "localhost:2222",`
Add healthcheck --wait and --quiet options 2018-01-01 17:54:58 +08:00			`Usage: "sshportal server address",`
			`},`
			`cli.BoolFlag{`
			`Name: "wait, w",`
			`Usage: "Loop indefinitely until sshportal is ready",`
			`},`
			`cli.BoolFlag{`
			`Name: "quiet, q",`
			`Usage: "Do not print errors, if any",`
Add Docker healthcheck helper 2018-01-01 17:41:21 +08:00			`},`
			`},`
Add option to encrypt sensitive data 2017-11-24 21:29:41 +08:00			`},`
POC 2017-09-30 19:12:43 +08:00			`}`
Return a better message when running without the demo mode 2017-11-02 17:32:35 +08:00			`if err := app.Run(os.Args); err != nil {`
			`log.Fatalf("error: %v", err)`
			`}`
POC 2017-09-30 19:12:43 +08:00			`}`

			`func server(c *cli.Context) error {`
Add option to encrypt sensitive data 2017-11-24 21:29:41 +08:00			`switch len(c.String("aes-key")) {`
			`case 0, 16, 24, 32:`
			`default:`
			`return fmt.Errorf("invalid aes key size, should be 16 or 24, 32")`
			`}`
Use a database migration system 2017-11-19 08:18:17 +08:00			`// db`
Add MySQL support 2017-11-29 17:28:33 +08:00			`db, err := gorm.Open(c.String("db-driver"), c.String("db-conn"))`
Add database 2017-10-30 23:48:14 +08:00			`if err != nil {`
			`return err`
			`}`
Lint code + fix tests 2017-12-04 01:18:17 +08:00			`defer func() {`
			`if err2 := db.Close(); err2 != nil {`
			`panic(err2)`
			`}`
			`}()`
Use a database migration system 2017-11-19 08:18:17 +08:00			`if err = db.DB().Ping(); err != nil {`
			`return err`
			`}`
Add --debug options + mysql driver 2017-10-31 00:12:04 +08:00			`if c.Bool("debug") {`
			`db.LogMode(true)`
			`}`
Refactor sshportal: create a custom bastion session handler 2017-12-28 05:43:21 +08:00			`if err = dbInit(db); err != nil {`
Add database 2017-10-30 23:48:14 +08:00			`return err`
			`}`

POC 2017-09-30 19:12:43 +08:00			`opts := []ssh.Option{}`
Refactor bastion handler to forward every requests properly 2017-12-31 17:38:33 +08:00			`// custom PublicKeyAuth handler`
			`opts = append(opts, ssh.PublicKeyAuth(publicKeyAuthHandler(db, c)))`
			`opts = append(opts, ssh.PasswordAuth(passwordAuthHandler(db, c)))`
Add SSH key check + auto register of the admin account 2017-11-03 08:46:55 +08:00
add audit feature. 2018-01-02 23:31:34 +08:00			`// retrieve sshportal SSH private key from database`
Use fixed ssh host key 2017-11-04 05:54:16 +08:00			`opts = append(opts, func(srv *ssh.Server) error {`
Refactor database helpers 2017-11-23 16:58:32 +08:00			`var key SSHKey`
Refactor sshportal: create a custom bastion session handler 2017-12-28 05:43:21 +08:00			`if err = SSHKeysByIdentifiers(db, []string{"host"}).First(&key).Error; err != nil {`
Use fixed ssh host key 2017-11-04 05:54:16 +08:00			`return err`
			`}`
Add MySQL support 2017-11-29 17:28:33 +08:00			`SSHKeyDecrypt(c.String("aes-key"), &key)`

Refactor sshportal: create a custom bastion session handler 2017-12-28 05:43:21 +08:00			`var signer gossh.Signer`
			`signer, err = gossh.ParsePrivateKey([]byte(key.PrivKey))`
Use fixed ssh host key 2017-11-04 05:54:16 +08:00			`if err != nil {`
			`return err`
			`}`
			`srv.AddHostKey(signer)`
			`return nil`
			`})`

Refactor bastion handler to forward every requests properly 2017-12-31 17:38:33 +08:00			`// create TCP listening socket`
Refactor sshportal: create a custom bastion session handler 2017-12-28 05:43:21 +08:00			`ln, err := net.Listen("tcp", c.String("bind-address"))`
			`if err != nil {`
			`return err`
			`}`
Refactor bastion handler to forward every requests properly 2017-12-31 17:38:33 +08:00
			`// configure server`
			`srv := &ssh.Server{`
			`Addr: c.String("bind-address"),`
			`Handler: shellHandler, // ssh.Server.Handler is the handler for the DefaultSessionHandler`
			`Version: fmt.Sprintf("sshportal-%s", Version),`
			`ChannelHandler: channelHandler,`
			`}`
Refactor sshportal: create a custom bastion session handler 2017-12-28 05:43:21 +08:00			`for _, opt := range opts {`
			`if err := srv.SetOption(opt); err != nil {`
			`return err`
			`}`
			`}`

Refactor bastion handler to forward every requests properly 2017-12-31 17:38:33 +08:00			`log.Printf("info: SSH Server accepting connections on %s", c.String("bind-address"))`
Refactor sshportal: create a custom bastion session handler 2017-12-28 05:43:21 +08:00			`return srv.Serve(ln)`
POC 2017-09-30 19:12:43 +08:00			`}`
Add Docker healthcheck helper 2018-01-01 17:41:21 +08:00
			`// perform a healthcheck test without requiring an ssh client or an ssh key (used for Docker's HEALTHCHECK)`
			`func healthcheck(c *cli.Context) error {`
			`config := gossh.ClientConfig{`
			`User: "healthcheck",`
			`HostKeyCallback: func(hostname string, remote net.Addr, key gossh.PublicKey) error { return nil },`
			`Auth: []gossh.AuthMethod{gossh.Password("healthcheck")},`
			`}`
Add healthcheck --wait and --quiet options 2018-01-01 17:54:58 +08:00
			`if c.Bool("wait") {`
			`for {`
			`if err := healthcheckOnce(c.String("addr"), config, c.Bool("quiet")); err != nil {`
			`if !c.Bool("quiet") {`
			`log.Printf("error: %v", err)`
			`}`
			`time.Sleep(time.Second)`
			`continue`
			`}`
			`return nil`
			`}`
			`}`

			`if err := healthcheckOnce(c.String("addr"), config, c.Bool("quiet")); err != nil {`
			`if c.Bool("quiet") {`
			`return cli.NewExitError("", 1)`
			`}`
			`return err`
			`}`
			`return nil`
			`}`

			`func healthcheckOnce(addr string, config gossh.ClientConfig, quiet bool) error {`
			`client, err := gossh.Dial("tcp", addr, &config)`
Add Docker healthcheck helper 2018-01-01 17:41:21 +08:00			`if err != nil {`
			`return err`
			`}`

			`session, err := client.NewSession()`
			`if err != nil {`
			`return err`
			`}`
			`defer func() {`
			`if err := session.Close(); err != nil {`
Add healthcheck --wait and --quiet options 2018-01-01 17:54:58 +08:00			`if !quiet {`
			`log.Printf("failed to close session: %v", err)`
			`}`
Add Docker healthcheck helper 2018-01-01 17:41:21 +08:00			`}`
			`}()`

			`var b bytes.Buffer`
			`session.Stdout = &b`
			`if err := session.Run(""); err != nil {`
			`return err`
			`}`
			`stdout := strings.TrimSpace(b.String())`
			`if stdout != "OK" {`
			`return fmt.Errorf("invalid stdout: %q expected 'OK'", stdout)`
			`}`
			`return nil`
			`}`