feat: working GPG agent forwarding test

deansheather · deansheather · commit d85dc66932a7 · 2023-01-04T17:35:08.000Z
diff --git a/agent/agent.go b/agent/agent.go
@@ -483,7 +483,7 @@ func (a *agent) init(ctx context.Context) {
 
 	sshLogger := a.logger.Named("ssh-server")
 	forwardHandler := &ssh.ForwardedTCPHandler{}
-	unixForwardHandler := &forwardedUnixHandler{}
+	unixForwardHandler := &forwardedUnixHandler{log: a.logger}
 
 	a.sshServer = &ssh.Server{
 		ChannelHandlers: map[string]ssh.ChannelHandler{
@@ -531,8 +531,8 @@ func (a *agent) init(ctx context.Context) {
 		RequestHandlers: map[string]ssh.RequestHandler{
 			"tcpip-forward":                          forwardHandler.HandleSSHRequest,
 			"cancel-tcpip-forward":                   forwardHandler.HandleSSHRequest,
-			"streamlocal-forward@openssh.com":        unixForwardHandler.HandleSSHRequest, // TODO: this
-			"cancel-streamlocal-forward@openssh.com": unixForwardHandler.HandleSSHRequest, // TODO: this
+			"streamlocal-forward@openssh.com":        unixForwardHandler.HandleSSHRequest,
+			"cancel-streamlocal-forward@openssh.com": unixForwardHandler.HandleSSHRequest,
 		},
 		ServerConfigCallback: func(ctx ssh.Context) *gossh.ServerConfig {
 			return &gossh.ServerConfig{
diff --git a/agent/agent_test.go b/agent/agent_test.go
@@ -495,16 +495,16 @@ func TestAgent_UnixRemoteForwarding(t *testing.T) {
 		}
 	}()
 
-	cmd := setupSSHCommand(t, []string{"-R", fmt.Sprintf("%s:%s", remoteSocketPath, localSocketPath)}, []string{"echo", "test"})
+	cmd := setupSSHCommand(t, []string{"-R", fmt.Sprintf("%s:%s", remoteSocketPath, localSocketPath)}, []string{"sleep", "10"})
 	err = cmd.Start()
 	require.NoError(t, err)
 
 	require.Eventually(t, func() bool {
-		_, err := os.Stat(localSocketPath)
+		_, err := os.Stat(remoteSocketPath)
 		return err == nil
 	}, testutil.WaitLong, testutil.IntervalFast)
 
-	conn, err := net.Dial("unix", localSocketPath)
+	conn, err := net.Dial("unix", remoteSocketPath)
 	require.NoError(t, err)
 	_, err = conn.Write([]byte("test"))
 	require.NoError(t, err)
diff --git a/agent/ssh.go b/agent/ssh.go
@@ -9,6 +9,7 @@ import (
 
 	"github.com/gliderlabs/ssh"
 	gossh "golang.org/x/crypto/ssh"
+	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
 )
@@ -23,6 +24,7 @@ type streamLocalForwardPayload struct {
 // channel request when a Unix connection is accepted by the listener.
 type forwardedStreamLocalPayload struct {
 	SocketPath string
+	Reserved   uint32
 }
 
 // forwardedUnixHandler is a clone of ssh.ForwardedTCPHandler that does
@@ -101,18 +103,20 @@ func (h *forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ *ssh.Server,
 			for {
 				c, err := ln.Accept()
 				if err != nil {
-					h.log.Warn(ctx, "accept on local Unix socket for SSH unix forward request",
-						slog.F("socket_path", addr),
-						slog.Error(err),
-					)
+					if !xerrors.Is(err, net.ErrClosed) {
+						h.log.Warn(ctx, "accept on local Unix socket for SSH unix forward request",
+							slog.F("socket_path", addr),
+							slog.Error(err),
+						)
+					}
 					break
 				}
 				payload := gossh.Marshal(&forwardedStreamLocalPayload{
 					SocketPath: addr,
 				})
 
 				go func() {
-					ch, reqs, err := conn.OpenChannel("forwardedTCPChannelType", payload)
+					ch, reqs, err := conn.OpenChannel("forwarded-streamlocal@openssh.com", payload)
 					if err != nil {
 						h.log.Warn(ctx, "open SSH channel to forward Unix connection to client",
 							slog.F("socket_path", addr),
diff --git a/cli/ssh.go b/cli/ssh.go
@@ -152,6 +152,10 @@ func ssh() *cobra.Command {
 			}
 
 			if forwardGPG {
+				if workspaceAgent.OperatingSystem == "windows" {
+					return xerrors.New("GPG forwarding is not supported for Windows workspaces")
+				}
+
 				err = uploadGPGKeys(ctx, sshClient)
 				if err != nil {
 					return xerrors.Errorf("upload GPG public keys and ownertrust to workspace: %w", err)
@@ -449,6 +453,18 @@ func runRemoteSSH(sshClient *gossh.Client, stdin io.Reader, cmd string) ([]byte,
 }
 
 func uploadGPGKeys(ctx context.Context, sshClient *gossh.Client) error {
+	// Check if the agent is running in the workspace already.
+	// Note: we don't support windows in the workspace for GPG forwarding so
+	//       using shell commands is fine.
+	agentSocketBytes, err := runRemoteSSH(sshClient, nil, "set -eux; agent_socket=$(gpgconf --list-dir agent-socket); echo $agent_socket; test ! -S $agent_socket")
+	agentSocket := strings.TrimSpace(string(agentSocketBytes))
+	if err != nil {
+		return xerrors.Errorf("check if agent socket is running (check if %q exists): %w", agentSocket, err)
+	}
+	if agentSocket == "" {
+		return xerrors.Errorf("agent socket path is empty, check the output of `gpgconf --list-dir agent-socket`")
+	}
+
 	// Read the user's public keys and ownertrust from GPG.
 	pubKeyExport, err := runLocal(ctx, nil, "gpg", "--armor", "--export")
 	if err != nil {
@@ -469,6 +485,13 @@ func uploadGPGKeys(ctx context.Context, sshClient *gossh.Client) error {
 		return xerrors.Errorf("import ownertrust into workspace: %w", err)
 	}
 
+	// Kill the agent in the workspace if it was started by one of the above
+	// commands.
+	_, err = runRemoteSSH(sshClient, nil, fmt.Sprintf("gpgconf --kill gpg-agent && rm -f %q", agentSocket))
+	if err != nil {
+		return xerrors.Errorf("kill existing agent in workspace: %w", err)
+	}
+
 	return nil
 }
 
@@ -497,11 +520,11 @@ type cookieAddr struct {
 	cookie []byte
 }
 
-// sshForward starts forwarding connections from a remote listener to a local
-// address via SSH in a goroutine.
+// sshForwardRemote starts forwarding connections from a remote listener to a
+// local address via SSH in a goroutine.
 //
 // Accepts a `cookieAddr` as the local address.
-func sshForward(ctx context.Context, stderr io.Writer, sshClient *gossh.Client, localAddr, remoteAddr net.Addr) (io.Closer, error) {
+func sshForwardRemote(ctx context.Context, stderr io.Writer, sshClient *gossh.Client, localAddr, remoteAddr net.Addr) (io.Closer, error) {
 	listener, err := sshClient.Listen(remoteAddr.Network(), remoteAddr.String())
 	if err != nil {
 		return nil, xerrors.Errorf("listen on remote SSH address %s: %w", remoteAddr.String(), err)
diff --git a/cli/ssh_other.go b/cli/ssh_other.go
@@ -44,5 +44,5 @@ func forwardGPGAgent(ctx context.Context, stderr io.Writer, sshClient *gossh.Cli
 		Net:  "unix",
 	}
 
-	return sshForward(ctx, stderr, sshClient, localAddr, remoteAddr)
+	return sshForwardRemote(ctx, stderr, sshClient, localAddr, remoteAddr)
 }
diff --git a/cli/ssh_test.go b/cli/ssh_test.go
@@ -416,7 +416,6 @@ Expire-Date: 0
 		require.NoError(t, err, "import ownertrust failed: %s", out)
 
 		// Start the GPG agent.
-		// gpg-connect-agent reloadagent /bye
 		agentCmd := exec.CommandContext(ctx, gpgAgentPath, "--no-detach", "--extra-socket", extraSocketPath)
 		agentCmd.Env = append(agentCmd.Env, "GNUPGHOME="+gnupgHomeClient)
 		agentPTY, agentProc, err := pty.Start(agentCmd, pty.WithPTYOption(pty.WithGPGTTY()))
@@ -426,24 +425,19 @@ Expire-Date: 0
 			_ = agentPTY.Close()
 		}()
 
-		// Initialize the GPG database in the "workspace".
+		// Get the agent socket path in the "workspace".
 		gnupgHomeWorkspace := t.TempDir()
-		c = exec.CommandContext(ctx, gpgPath, "--list-keys")
-		c.Env = append(c.Env, "GNUPGHOME="+gnupgHomeWorkspace)
-		out, err = c.CombinedOutput()
-		require.NoError(t, err, "list keys in workspace failed: %s", out)
 
-		// Get the agent extra socket path in the "workspace".
 		stdout = bytes.NewBuffer(nil)
 		stderr = bytes.NewBuffer(nil)
-		c = exec.CommandContext(ctx, gpgConfPath, "--list-dir", "agent-extra-socket")
+		c = exec.CommandContext(ctx, gpgConfPath, "--list-dir", "agent-socket")
 		c.Env = append(c.Env, "GNUPGHOME="+gnupgHomeWorkspace)
 		c.Stdout = stdout
 		c.Stderr = stderr
 		err = c.Run()
-		require.NoError(t, err, "get extra socket path in workspace failed: %s", stderr.String())
-		workspaceExtraSocketPath := strings.TrimSpace(stdout.String())
-		require.NotEqual(t, extraSocketPath, workspaceExtraSocketPath, "extra socket path should be different")
+		require.NoError(t, err, "get agent socket path in workspace failed: %s", stderr.String())
+		workspaceAgentSocketPath := strings.TrimSpace(stdout.String())
+		require.NotEqual(t, extraSocketPath, workspaceAgentSocketPath, "socket path should be different")
 
 		client, workspace, agentToken := setupWorkspaceForAgent(t, nil)
 
@@ -484,20 +478,22 @@ Expire-Date: 0
 		pty.ExpectMatch("env--command-done")
 
 		// Get the agent extra socket path in the "workspace" via shell.
-		pty.WriteLine("gpgconf --list-dir agent-extra-socket && echo gpgconf-''-extrasocket-command-done")
-		pty.ExpectMatch(workspaceExtraSocketPath)
-		pty.ExpectMatch("gpgconf--extrasocket-command-done")
+		pty.WriteLine("gpgconf --list-dir agent-socket && echo gpgconf-''-agentsocket-command-done")
+		pty.ExpectMatch(workspaceAgentSocketPath)
+		pty.ExpectMatch("gpgconf--agentsocket-command-done")
 
 		// List the keys in the "workspace".
 		pty.WriteLine("gpg --list-keys && echo gpg-''-listkeys-command-done")
 		listKeysOutput := pty.ExpectMatch("gpg--listkeys-command-done")
 		require.Contains(t, listKeysOutput, "[ultimate] Coder Test <test@coder.com>")
 		require.Contains(t, listKeysOutput, "[ultimate] Dean Sheather (work key) <dean@coder.com>")
 
-		// Try to sign something.
+		// Try to sign something. This demonstrates that the forwarding is
+		// working as expected, since the workspace doesn't have access to the
+		// private key directly and must use the forwarded agent.
 		pty.WriteLine("echo 'hello world' | gpg --clearsign && echo gpg-''-sign-command-done")
 		pty.ExpectMatch("BEGIN PGP SIGNED MESSAGE")
-		pty.ExpectMatch("Hash: SHA256")
+		pty.ExpectMatch("Hash:")
 		pty.ExpectMatch("hello world")
 		pty.ExpectMatch("gpg--sign-command-done")
 

Original file line number	Diff line number	Diff line change
`@@ -44,5 +44,5 @@ func forwardGPGAgent(ctx context.Context, stderr io.Writer, sshClient *gossh.Cli`
`44`	`44`	`Net: "unix",`
`45`	`45`	`}`
`46`	`46`
`47`		`- return sshForward(ctx, stderr, sshClient, localAddr, remoteAddr)`
	`47`	`+ return sshForwardRemote(ctx, stderr, sshClient, localAddr, remoteAddr)`
`48`	`48`	`}`