githubFork/gitblit.git - Solinfo Gitblit

			@@ -1,331 +1,244 @@
			/*
			* Copyright 2014 gitblit.com.
			*
			* Licensed under the Apache License, Version 2.0 (the "License");
			* you may not use this file except in compliance with the License.
			* You may obtain a copy of the License at
			*
			* http://www.apache.org/licenses/LICENSE-2.0
			*
			* Unless required by applicable law or agreed to in writing, software
			* distributed under the License is distributed on an "AS IS" BASIS,
			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
			* See the License for the specific language governing permissions and
			* limitations under the License.
			*/
			package com.gitblit.transport.ssh;

			import java.io.File;
			import java.io.IOException;
			import java.net.InetSocketAddress;
			import java.net.SocketAddress;
			import java.security.InvalidKeyException;
			import java.text.MessageFormat;
			import java.util.Arrays;
			import java.util.Iterator;
			import java.util.LinkedList;
			import java.util.List;
			import java.util.concurrent.atomic.AtomicBoolean;

			import javax.inject.Inject;

			import org.apache.mina.core.future.IoFuture;
			import org.apache.mina.core.future.IoFutureListener;
			import org.apache.mina.core.session.IoSession;
			import org.apache.mina.transport.socket.SocketSessionConfig;
			import org.apache.sshd.SshServer;
			import org.apache.sshd.common.Channel;
			import org.apache.sshd.common.Cipher;
			import org.apache.sshd.common.Compression;
			import org.apache.sshd.common.KeyExchange;
			import org.apache.sshd.common.KeyPairProvider;
			import org.apache.sshd.common.Mac;
			import org.apache.sshd.common.NamedFactory;
			import org.apache.sshd.common.Session;
			import org.apache.sshd.common.Signature;
			import org.apache.sshd.common.cipher.AES128CBC;
			import org.apache.sshd.common.cipher.AES192CBC;
			import org.apache.sshd.common.cipher.AES256CBC;
			import org.apache.sshd.common.cipher.BlowfishCBC;
			import org.apache.sshd.common.cipher.TripleDESCBC;
			import org.apache.sshd.common.compression.CompressionNone;
			import org.apache.sshd.common.mac.HMACMD5;
			import org.apache.sshd.common.mac.HMACMD596;
			import org.apache.sshd.common.mac.HMACSHA1;
			import org.apache.sshd.common.mac.HMACSHA196;
			import org.apache.sshd.common.random.BouncyCastleRandom;
			import org.apache.sshd.common.random.SingletonRandomFactory;
			import org.apache.sshd.common.signature.SignatureDSA;
			import org.apache.sshd.common.signature.SignatureRSA;
			import org.apache.sshd.common.util.SecurityUtils;
			import org.apache.sshd.server.CommandFactory;
			import org.apache.sshd.server.FileSystemFactory;
			import org.apache.sshd.server.FileSystemView;
			import org.apache.sshd.server.ForwardingFilter;
			import org.apache.sshd.server.PublickeyAuthenticator;
			import org.apache.sshd.server.SshFile;
			import org.apache.sshd.server.UserAuth;
			import org.apache.sshd.server.auth.UserAuthPublicKey;
			import org.apache.sshd.server.channel.ChannelDirectTcpip;
			import org.apache.sshd.server.channel.ChannelSession;
			import org.apache.sshd.server.kex.DHG1;
			import org.apache.sshd.server.kex.DHG14;
			import org.apache.sshd.server.keyprovider.PEMGeneratorHostKeyProvider;
			import org.apache.sshd.server.session.ServerSession;
			import org.apache.sshd.server.session.SessionFactory;
			import org.eclipse.jgit.internal.JGitText;
			import org.slf4j.Logger;
			import org.slf4j.LoggerFactory;

			import com.gitblit.IStoredSettings;
			import com.gitblit.Keys;
			import com.gitblit.manager.IGitblit;
			import com.gitblit.utils.IdGenerator;
			import com.gitblit.utils.StringUtils;

			/**
			* Manager for the ssh transport. Roughly analogous to the
			* {@link com.gitblit.git.GitDaemon} class.
			*
			* @author Eric Myhre
			*
			*/
			public class SshDaemon extends SshServer {

			private final Logger log = LoggerFactory.getLogger(SshDaemon.class);

			/**
			* 22: IANA assigned port number for ssh. Note that this is a distinct concept
			* from gitblit's default conf for ssh port -- this "default" is what the git
			* protocol itself defaults to if it sees and ssh url without a port.
			*/
			public static final int DEFAULT_PORT = 22;

			private static final String HOST_KEY_STORE = "sshKeyStore.pem";

			private InetSocketAddress myAddress;

			private AtomicBoolean run;

			@SuppressWarnings("unused")
			private IGitblit gitblit;

			/**
			* Construct the Gitblit SSH daemon.
			*
			* @param gitblit
			*/
			@Inject
			SshDaemon(IGitblit gitblit, IdGenerator idGenerator, SshCommandFactory factory) {
			this.gitblit = gitblit;
			IStoredSettings settings = gitblit.getSettings();
			int port = settings.getInteger(Keys.git.sshPort, 0);
			String bindInterface = settings.getString(Keys.git.sshBindInterface, "localhost");

			if (StringUtils.isEmpty(bindInterface)) {
			myAddress = new InetSocketAddress(port);
			} else {
			myAddress = new InetSocketAddress(bindInterface, port);
			}

			setPort(myAddress.getPort());
			setHost(myAddress.getHostName());
			setup();
			setKeyPairProvider(new PEMGeneratorHostKeyProvider(
			new File(gitblit.getBaseFolder(), HOST_KEY_STORE).getPath()));
			setPublickeyAuthenticator(new SshKeyAuthenticator(gitblit));

			run = new AtomicBoolean(false);
			setCommandFactory(factory);
			setSessionFactory(newSessionFactory(idGenerator));
			}

			SessionFactory newSessionFactory(final IdGenerator idGenerator) {
			return new SessionFactory() {
			@Override
			protected ServerSession createSession(final IoSession io) throws Exception {
			log.info("connection accepted on " + io);
			if (io.getConfig() instanceof SocketSessionConfig) {
			final SocketSessionConfig c = (SocketSessionConfig) io.getConfig();
			c.setKeepAlive(true);
			}
			ServerSession s = (ServerSession) super.createSession(io);
			SocketAddress peer = io.getRemoteAddress();
			SshSession session = new SshSession(idGenerator.next(), peer);
			s.setAttribute(SshSession.KEY, session);
			io.getCloseFuture().addListener(new IoFutureListener<IoFuture>() {
			@Override
			public void operationComplete(IoFuture future) {
			log.info("connection closed on " + io);
			}
			});
			return s;
			}
			};
			}

			public int getPort() {
			return myAddress.getPort();
			}

			public String formatUrl(String gituser, String servername, String repository) {
			if (getPort() == DEFAULT_PORT) {
			// standard port
			return MessageFormat.format("{0}@{1}/{2}", gituser, servername, repository);
			} else {
			// non-standard port
			return MessageFormat.format("ssh://{0}@{1}:{2,number,0}/{3}", gituser, servername, getPort(), repository);
			}
			}

			/**
			* Start this daemon on a background thread.
			*
			* @throws IOException
			* the server socket could not be opened.
			* @throws IllegalStateException
			* the daemon is already running.
			*/
			public synchronized void start() throws IOException {
			if (run.get()) {
			throw new IllegalStateException(JGitText.get().daemonAlreadyRunning);
			}

			super.start();
			run.set(true);

			log.info(MessageFormat.format("SSH Daemon is listening on {0}:{1,number,0}",
			myAddress.getAddress().getHostAddress(), myAddress.getPort()));
			}

			/** @return true if this daemon is receiving connections. */
			public boolean isRunning() {
			return run.get();
			}

			/** Stop this daemon. */
			public synchronized void stop() {
			if (run.get()) {
			log.info("SSH Daemon stopping...");
			run.set(false);

			try {
			super.stop();
			} catch (InterruptedException e) {
			log.error("SSH Daemon stop interrupted", e);
			}
			}
			}

			/**
			* Performs most of default configuration (setup random sources, setup ciphers,
			* etc; also, support for forwarding and filesystem is explicitly disallowed).
			*
			* {@link #setKeyPairProvider(KeyPairProvider)} and
			* {@link #setPublickeyAuthenticator(PublickeyAuthenticator)} are left for you.
			* And applying {@link #setCommandFactory(CommandFactory)} is probably wise if you
			* want something to actually happen when users do successfully authenticate.
			*/
			@SuppressWarnings("unchecked")
			public void setup() {
			if (!SecurityUtils.isBouncyCastleRegistered())
			throw new RuntimeException("BC crypto not available");

			setKeyExchangeFactories(Arrays.<NamedFactory<KeyExchange>>asList(
			new DHG14.Factory(),
			new DHG1.Factory())
			);

			setRandomFactory(new SingletonRandomFactory(new BouncyCastleRandom.Factory()));

			setupCiphers();

			setCompressionFactories(Arrays.<NamedFactory<Compression>>asList(
			new CompressionNone.Factory())
			);

			setMacFactories(Arrays.<NamedFactory<Mac>>asList(
			new HMACMD5.Factory(),
			new HMACSHA1.Factory(),
			new HMACMD596.Factory(),
			new HMACSHA196.Factory())
			);

			setChannelFactories(Arrays.<NamedFactory<Channel>>asList(
			new ChannelSession.Factory(),
			new ChannelDirectTcpip.Factory())
			);

			setSignatureFactories(Arrays.<NamedFactory<Signature>>asList(
			new SignatureDSA.Factory(),
			new SignatureRSA.Factory())
			);

			setFileSystemFactory(new FileSystemFactory() {
			@Override
			public FileSystemView createFileSystemView(Session session) throws IOException {
			return new FileSystemView() {
			@Override
			public SshFile getFile(SshFile baseDir, String file) {
			return null;
			}

			@Override
			public SshFile getFile(String file) {
			return null;
			}
			};
			}
			});

			setForwardingFilter(new ForwardingFilter() {
			@Override
			public boolean canForwardAgent(ServerSession session) {
			return false;
			}

			@Override
			public boolean canForwardX11(ServerSession session) {
			return false;
			}

			@Override
			public boolean canConnect(InetSocketAddress address, ServerSession session) {
			return false;
			}

			@Override
			public boolean canListen(InetSocketAddress address, ServerSession session) {
			return false;
			}
			});

			setUserAuthFactories(Arrays.<NamedFactory<UserAuth>>asList(
			new UserAuthPublicKey.Factory())
			);
			}

			protected void setupCiphers() {
			List<NamedFactory<Cipher>> avail = new LinkedList<NamedFactory<Cipher>>();
			avail.add(new AES128CBC.Factory());
			avail.add(new TripleDESCBC.Factory());
			avail.add(new BlowfishCBC.Factory());
			avail.add(new AES192CBC.Factory());
			avail.add(new AES256CBC.Factory());

			for (Iterator<NamedFactory<Cipher>> i = avail.iterator(); i.hasNext();) {
			final NamedFactory<Cipher> f = i.next();
			try {
			final Cipher c = f.create();
			final byte[] key = new byte[c.getBlockSize()];
			final byte[] iv = new byte[c.getIVSize()];
			c.init(Cipher.Mode.Encrypt, key, iv);
			} catch (InvalidKeyException e) {
			i.remove();
			} catch (Exception e) {
			i.remove();
			}
			}
			setCipherFactories(avail);
			}
			}
			/*
			* Copyright 2014 gitblit.com.
			*
			* Licensed under the Apache License, Version 2.0 (the "License");
			* you may not use this file except in compliance with the License.
			* You may obtain a copy of the License at
			*
			* http://www.apache.org/licenses/LICENSE-2.0
			*
			* Unless required by applicable law or agreed to in writing, software
			* distributed under the License is distributed on an "AS IS" BASIS,
			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
			* See the License for the specific language governing permissions and
			* limitations under the License.
			*/
			package com.gitblit.transport.ssh;

			import java.io.File;
			import java.io.FileOutputStream;
			import java.io.IOException;
			import java.io.OutputStreamWriter;
			import java.net.InetSocketAddress;
			import java.security.KeyPair;
			import java.security.KeyPairGenerator;
			import java.text.MessageFormat;
			import java.util.concurrent.atomic.AtomicBoolean;

			import org.apache.sshd.common.io.IoServiceFactoryFactory;
			import org.apache.sshd.common.io.mina.MinaServiceFactoryFactory;
			import org.apache.sshd.common.io.nio2.Nio2ServiceFactoryFactory;
			import org.apache.sshd.common.util.SecurityUtils;
			import org.apache.sshd.server.SshServer;
			import org.apache.sshd.server.auth.CachingPublicKeyAuthenticator;
			import org.bouncycastle.openssl.PEMWriter;
			import org.eclipse.jgit.internal.JGitText;
			import org.slf4j.Logger;
			import org.slf4j.LoggerFactory;

			import com.gitblit.Constants;
			import com.gitblit.IStoredSettings;
			import com.gitblit.Keys;
			import com.gitblit.manager.IGitblit;
			import com.gitblit.transport.ssh.commands.SshCommandFactory;
			import com.gitblit.utils.JnaUtils;
			import com.gitblit.utils.StringUtils;
			import com.gitblit.utils.WorkQueue;
			import com.google.common.io.Files;

			/**
			* Manager for the ssh transport. Roughly analogous to the
			* {@link com.gitblit.transport.git.GitDaemon} class.
			*
			*/
			public class SshDaemon {

			private final Logger log = LoggerFactory.getLogger(SshDaemon.class);

			public static enum SshSessionBackend {
			MINA, NIO2
			}

			/**
			* 22: IANA assigned port number for ssh. Note that this is a distinct
			* concept from gitblit's default conf for ssh port -- this "default" is
			* what the git protocol itself defaults to if it sees and ssh url without a
			* port.
			*/
			public static final int DEFAULT_PORT = 22;

			private final AtomicBoolean run;

			private final IGitblit gitblit;
			private final SshServer sshd;

			/**
			* Construct the Gitblit SSH daemon.
			*
			* @param gitblit
			* @param workQueue
			*/
			public SshDaemon(IGitblit gitblit, WorkQueue workQueue) {
			this.gitblit = gitblit;

			IStoredSettings settings = gitblit.getSettings();

			// Ensure that Bouncy Castle is our JCE provider
			SecurityUtils.setRegisterBouncyCastle(true);
			if (SecurityUtils.isBouncyCastleRegistered()) {
			log.debug("BouncyCastle is registered as a JCE provider");
			}

			// Generate host RSA and DSA keypairs and create the host keypair provider
			File rsaKeyStore = new File(gitblit.getBaseFolder(), "ssh-rsa-hostkey.pem");
			File dsaKeyStore = new File(gitblit.getBaseFolder(), "ssh-dsa-hostkey.pem");
			generateKeyPair(rsaKeyStore, "RSA", 2048);
			generateKeyPair(dsaKeyStore, "DSA", 0);
			FileKeyPairProvider hostKeyPairProvider = new FileKeyPairProvider();
			hostKeyPairProvider.setFiles(new String [] { rsaKeyStore.getPath(), dsaKeyStore.getPath(), dsaKeyStore.getPath() });

			// Client public key authenticator
			SshKeyAuthenticator keyAuthenticator =
			new SshKeyAuthenticator(gitblit.getPublicKeyManager(), gitblit);

			// Configure the preferred SSHD backend
			String sshBackendStr = settings.getString(Keys.git.sshBackend,
			SshSessionBackend.NIO2.name());
			SshSessionBackend backend = SshSessionBackend.valueOf(sshBackendStr);
			System.setProperty(IoServiceFactoryFactory.class.getName(),
			backend == SshSessionBackend.MINA
			? MinaServiceFactoryFactory.class.getName()
			: Nio2ServiceFactoryFactory.class.getName());

			// Create the socket address for binding the SSH server
			int port = settings.getInteger(Keys.git.sshPort, 0);
			String bindInterface = settings.getString(Keys.git.sshBindInterface, "");
			InetSocketAddress addr;
			if (StringUtils.isEmpty(bindInterface)) {
			addr = new InetSocketAddress(port);
			} else {
			addr = new InetSocketAddress(bindInterface, port);
			}

			// Create the SSH server
			sshd = SshServer.setUpDefaultServer();
			sshd.setPort(addr.getPort());
			sshd.setHost(addr.getHostName());
			sshd.setKeyPairProvider(hostKeyPairProvider);
			sshd.setPublickeyAuthenticator(new CachingPublicKeyAuthenticator(keyAuthenticator));
			sshd.setPasswordAuthenticator(new UsernamePasswordAuthenticator(gitblit));
			if (settings.getBoolean(Keys.git.sshWithKrb5, false)) {
			sshd.setGSSAuthenticator(new SshKrbAuthenticator(settings, gitblit));
			}
			sshd.setSessionFactory(new SshServerSessionFactory());
			sshd.setFileSystemFactory(new DisabledFilesystemFactory());
			sshd.setTcpipForwardingFilter(new NonForwardingFilter());
			sshd.setCommandFactory(new SshCommandFactory(gitblit, workQueue));
			sshd.setShellFactory(new WelcomeShell(settings));

			// Set the server id. This can be queried with:
			// ssh-keyscan -t rsa,dsa -p 29418 localhost
			String version = String.format("%s (%s-%s)", Constants.getGitBlitVersion().replace(' ', '_'),
			sshd.getVersion(), sshBackendStr);
			sshd.getProperties().put(SshServer.SERVER_IDENTIFICATION, version);

			run = new AtomicBoolean(false);
			}

			public String formatUrl(String gituser, String servername, String repository) {
			IStoredSettings settings = gitblit.getSettings();

			int port = sshd.getPort();
			int displayPort = settings.getInteger(Keys.git.sshAdvertisedPort, port);
			String displayServername = settings.getString(Keys.git.sshAdvertisedHost, "");
			if(displayServername.isEmpty()) {
			displayServername = servername;
			}
			if (displayPort == DEFAULT_PORT) {
			// standard port
			return MessageFormat.format("ssh://{0}@{1}/{2}", gituser, displayServername,
			repository);
			} else {
			// non-standard port
			return MessageFormat.format("ssh://{0}@{1}:{2,number,0}/{3}",
			gituser, displayServername, displayPort, repository);
			}
			}

			/**
			* Start this daemon on a background thread.
			*
			* @throws IOException
			* the server socket could not be opened.
			* @throws IllegalStateException
			* the daemon is already running.
			*/
			public synchronized void start() throws IOException {
			if (run.get()) {
			throw new IllegalStateException(JGitText.get().daemonAlreadyRunning);
			}

			sshd.start();
			run.set(true);

			String sshBackendStr = gitblit.getSettings().getString(Keys.git.sshBackend,
			SshSessionBackend.NIO2.name());

			log.info(MessageFormat.format(
			"SSH Daemon ({0}) is listening on {1}:{2,number,0}",
			sshBackendStr, sshd.getHost(), sshd.getPort()));
			}

			/** @return true if this daemon is receiving connections. */
			public boolean isRunning() {
			return run.get();
			}

			/** Stop this daemon. */
			public synchronized void stop() {
			if (run.get()) {
			log.info("SSH Daemon stopping...");
			run.set(false);

			try {
			((SshCommandFactory) sshd.getCommandFactory()).stop();
			sshd.stop();
			} catch (IOException e) {
			log.error("SSH Daemon stop interrupted", e);
			}
			}
			}

			private void generateKeyPair(File file, String algorithm, int keySize) {
			if (file.exists()) {
			return;
			}
			try {
			KeyPairGenerator generator = SecurityUtils.getKeyPairGenerator(algorithm);
			if (keySize != 0) {
			generator.initialize(keySize);
			log.info("Generating {}-{} SSH host keypair...", algorithm, keySize);
			} else {
			log.info("Generating {} SSH host keypair...", algorithm);
			}
			KeyPair kp = generator.generateKeyPair();

			// create an empty file and set the permissions
			Files.touch(file);
			try {
			JnaUtils.setFilemode(file, JnaUtils.S_IRUSR \| JnaUtils.S_IWUSR);
			} catch (UnsatisfiedLinkError \| UnsupportedOperationException e) {
			// Unexpected/Unsupported OS or Architecture
			}

			FileOutputStream os = new FileOutputStream(file);
			PEMWriter w = new PEMWriter(new OutputStreamWriter(os));
			w.writeObject(kp);
			w.flush();
			w.close();
			} catch (Exception e) {
			log.warn(MessageFormat.format("Unable to generate {0} keypair", algorithm), e);
			return;
			}
			}
			}