Support permissions

Author: wzshiming

cmd/sshproxy/main.go

@@ -49,7 +49,7 @@ func main() {
 		}
 		svc.ServerConfig.AddHostKey(key)
 	}
-	if username != "" {
+	if username != "" && password != "" {
 		svc.ServerConfig.PasswordCallback = func(conn ssh.ConnMetadata, pwd []byte) (*ssh.Permissions, error) {
 			if conn.User() == username && password == string(pwd) {
 				return nil, nil
@@ -64,8 +64,8 @@ func main() {
 			return
 		}
 		svc.ServerConfig.PublicKeyCallback = func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
-			k := string(key.Marshal())
-			if _, ok := keys[k]; ok {
+			ok, _ := keys.Allow(key)
+			if ok {
 				return nil, nil
 			}
 			return nil, fmt.Errorf("denied")

go.mod

@@ -3,7 +3,7 @@ module github.com/wzshiming/sshproxy
 go 1.17
 
 require (
-	github.com/wzshiming/sshd v0.1.8
+	github.com/wzshiming/sshd v0.2.0
 	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
 )
 

go.sum

@@ -1,6 +1,6 @@
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
-github.com/wzshiming/sshd v0.1.8 h1:Rct0s8+i3ehzEA0CV/B9Qms4FF8KgwuDoWV2zmAfiho=
-github.com/wzshiming/sshd v0.1.8/go.mod h1:7+xrQ+XMfrKmInssZuqw1HDHGper+yWKnCAi4uljLns=
+github.com/wzshiming/sshd v0.2.0 h1:ULFRM4HOm58TzOzt46LZUQibZl6sjOAZjpRCKKfd8iw=
+github.com/wzshiming/sshd v0.2.0/go.mod h1:7+xrQ+XMfrKmInssZuqw1HDHGper+yWKnCAi4uljLns=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 h1:0es+/5331RGQPcXlMfP+WrnIIS6dNnNRe0WB02W0F4M=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=

permissions/permissions.go

@@ -0,0 +1,112 @@
+package permissions
+
+import (
+	"encoding/json"
+	"github.com/wzshiming/sshd"
+	"os"
+	"sync"
+	"time"
+)
+
+type Permissions map[string]Permission
+
+func (p Permissions) Allow(req string, args string) bool {
+	permission, ok := p[req]
+	if !ok {
+		return false
+	}
+	return permission.Allow(req, args)
+}
+
+type Permission struct {
+	Default bool     `json:"default,omitempty"`
+	Allows  []string `json:"allows,omitempty"`
+	Blocks  []string `json:"blocks,omitempty"`
+}
+
+func (p Permission) Allow(req string, args string) bool {
+	if p.Allows != nil {
+		for _, item := range p.Allows {
+			if item == args {
+				return true
+			}
+		}
+		return false
+	}
+	if p.Blocks != nil {
+		for _, item := range p.Blocks {
+			if item == args {
+				return false
+			}
+		}
+		return true
+	}
+	return p.Default
+}
+
+type PermissionsFromFile struct {
+	permissions *Permissions
+	path        string
+	period      time.Duration
+	latestTime  time.Time
+	mut         sync.RWMutex
+}
+
+func NewPermissionsFromFile(file string, period time.Duration) sshd.Permissions {
+	if period < time.Second {
+		period = time.Second
+	}
+	return &PermissionsFromFile{
+		path:   file,
+		period: period,
+	}
+}
+
+func (s *PermissionsFromFile) Allow(req string, args string) bool {
+	perm, ok := s.check()
+	if !ok {
+		return false
+	}
+	ok = perm.Allow(req, args)
+	return ok
+}
+
+func (s *PermissionsFromFile) get() (*Permissions, time.Time) {
+	s.mut.RLock()
+	defer s.mut.RUnlock()
+	return s.permissions, s.latestTime
+}
+
+func (s *PermissionsFromFile) check() (*Permissions, bool) {
+	perm, latest := s.get()
+	if perm == nil || time.Since(latest) > s.period {
+		if !s.update() {
+			return nil, false
+		}
+		perm, latest = s.get()
+		if perm == nil || time.Since(latest) > s.period {
+			return nil, false
+		}
+	}
+	return perm, true
+}
+
+func (s *PermissionsFromFile) update() bool {
+	var perm *Permissions
+	f, err := os.ReadFile(s.path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false
+		}
+	} else {
+		err = json.Unmarshal(f, &perm)
+		if err != nil {
+			perm = nil
+		}
+	}
+	s.mut.Lock()
+	defer s.mut.Unlock()
+	s.permissions = perm
+	s.latestTime = time.Now()
+	return true
+}

simple_server.go

@@ -6,9 +6,12 @@ import (
 	"fmt"
 	"net"
 	"net/url"
+	"path"
 	"strconv"
+	"time"
 
 	"github.com/wzshiming/sshd"
+	"github.com/wzshiming/sshproxy/permissions"
 	"golang.org/x/crypto/ssh"
 )
 
@@ -24,14 +27,15 @@ type SimpleServer struct {
 
 // NewSimpleServer creates a new NewSimpleServer
 func NewSimpleServer(addr string) (*SimpleServer, error) {
-	user, pwd, host, config, err := serverConfig(addr)
+	user, pwd, host, config, userPermissions, err := serverConfig(addr)
 	if err != nil {
 		return nil, err
 	}
 
 	s := &SimpleServer{
 		Server: Server{
-			ServerConfig: *config,
+			ServerConfig:    *config,
+			UserPermissions: userPermissions,
 		},
 		Network:  "tcp",
 		Address:  host,
@@ -41,10 +45,10 @@ func NewSimpleServer(addr string) (*SimpleServer, error) {
 	return s, nil
 }
 
-func serverConfig(addr string) (host, user, pwd string, config *ssh.ServerConfig, err error) {
+func serverConfig(addr string) (host, user, pwd string, config *ssh.ServerConfig, userPermissions func(user string) sshd.Permissions, err error) {
 	ur, err := url.Parse(addr)
 	if err != nil {
-		return "", "", "", nil, err
+		return "", "", "", nil, nil, err
 	}
 
 	isPwd := false
@@ -71,45 +75,104 @@ func serverConfig(addr string) (host, user, pwd string, config *ssh.ServerConfig
 
 	hostkeyDatas, err := getQuery(ur.Query()["hostkey_data"], ur.Query()["hostkey_file"])
 	if err != nil {
-		return "", "", "", nil, err
+		return "", "", "", nil, nil, err
 	}
 	if len(hostkeyDatas) == 0 {
 		key, err := sshd.RandomHostkey()
 		if err != nil {
-			return "", "", "", nil, err
+			return "", "", "", nil, nil, err
 		}
 		config.AddHostKey(key)
 	} else {
 		for _, data := range hostkeyDatas {
 			key, err := sshd.ParseHostkey(data)
 			if err != nil {
-				return "", "", "", nil, err
+				return "", "", "", nil, nil, err
 			}
 			config.AddHostKey(key)
 		}
 	}
 
+	pks := []func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error){}
 	authorizedDatas, err := getQuery(ur.Query()["authorized_data"], ur.Query()["authorized_file"])
 	if err != nil {
-		return "", "", "", nil, err
+		return "", "", "", nil, nil, err
 	}
-	allKeys := map[string]string{}
-	for _, data := range authorizedDatas {
-		keys, err := sshd.ParseAuthorized(bytes.NewBuffer(data))
+	if len(authorizedDatas) != 0 {
+		keys, err := sshd.ParseAuthorized(bytes.NewBuffer(bytes.Join(authorizedDatas, []byte{'\n'})))
 		if err != nil {
-			return "", "", "", nil, err
+			return "", "", "", nil, nil, err
 		}
-		for k, v := range keys {
-			allKeys[k] = v
+		if len(keys.Data) != 0 {
+			pks = append(pks, func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+				ok, _ := keys.Allow(key)
+				if ok {
+					return nil, nil
+				}
+				return nil, fmt.Errorf("denied")
+			})
 		}
 	}
-	if len(allKeys) != 0 {
-		config.PublicKeyCallback = func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
-			k := string(key.Marshal())
-			if _, ok := allKeys[k]; ok {
+
+	homeDirs := ur.Query()["home_dir"]
+	if len(homeDirs) != 0 && homeDirs[0] != "" {
+		homeDir := homeDirs[0]
+		sshDirName := ".ssh"
+		sshDirNames := ur.Query()["ssh_dir_name"]
+		if len(sshDirNames) != 0 {
+			sshDirName = sshDirNames[0]
+		}
+		authorizedFileName := "authorized_keys"
+		authorizedFileNames := ur.Query()["authorized_file_name"]
+		if len(authorizedFileNames) != 0 {
+			authorizedFileName = authorizedFileNames[0]
+		}
+		pks = append(pks, func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+			file := path.Join(homeDir, conn.User(), sshDirName, authorizedFileName)
+			keys, err := sshd.GetAuthorizedFile(file)
+			if err != nil {
+				return nil, fmt.Errorf("denied")
+			}
+			ok, _ := keys.Allow(key)
+			if ok {
 				return nil, nil
 			}
 			return nil, fmt.Errorf("denied")
+		})
+
+		// Other sshd implementations do not have such fine-grained permissions control,
+		// and this is a fine-grained set of permissions control files defined by the project itself
+		permissionsFileName := ""
+		permissionsFileNames := ur.Query()["permissions_file_name"]
+		if len(permissionsFileNames) != 0 {
+			permissionsFileName = permissionsFileNames[0]
+		}
+		if permissionsFileName != "" {
+			permissionsFileUpdatePeriod := time.Duration(0)
+			permissionsFileUpdatePeriods := ur.Query()["permissions_file_update_period"]
+			if len(permissionsFileUpdatePeriods) != 0 {
+				permissionsFileUpdatePeriod, _ = time.ParseDuration(permissionsFileUpdatePeriods[0])
+			}
+			userPermissions = func(user string) sshd.Permissions {
+				file := path.Join(homeDir, user, sshDirName, permissionsFileName)
+				return permissions.NewPermissionsFromFile(file, permissionsFileUpdatePeriod)
+			}
+		}
+	}
+
+	if len(pks) != 0 {
+		if len(pks) == 1 {
+			config.PublicKeyCallback = pks[0]
+		} else {
+			config.PublicKeyCallback = func(conn ssh.ConnMetadata, key ssh.PublicKey) (p *ssh.Permissions, err error) {
+				for _, pk := range pks {
+					p, err = pk(conn, key)
+					if err == nil {
+						break
+					}
+				}
+				return
+			}
 		}
 	}
 
@@ -125,7 +188,7 @@ func serverConfig(addr string) (host, user, pwd string, config *ssh.ServerConfig
 		port = "22"
 	}
 	host = net.JoinHostPort(host, port)
-	return user, pwd, host, config, nil
+	return user, pwd, host, config, userPermissions, nil
 }
 
 // Run the server