feat: redirect user trying to get a shell through ssh-token

If a user attempts to SSH to an environment through the ssh-token service, it will now respond with an error message showing the correct endpoint for the given environment.
uselagoon · Dec 7, 2022 · 985a080 · 985a080
1 parent cb56792
commit 985a080
Show file tree

Hide file tree

Showing 4 changed files with 305 additions and 132 deletions.
diff --git a/cmd/ssh-token/serve.go b/cmd/ssh-token/serve.go
@@ -17,17 +17,19 @@ import (
 
 // ServeCmd represents the serve command.
 type ServeCmd struct {
-	APIDBAddress         string `kong:"required,env='API_DB_ADDRESS',help='Lagoon API DB Address (host[:port])'"`
-	APIDBDatabase        string `kong:"default='infrastructure',env='API_DB_DATABASE',help='Lagoon API DB Database Name'"`
-	APIDBPassword        string `kong:"required,env='API_DB_PASSWORD',help='Lagoon API DB Password'"`
-	APIDBUsername        string `kong:"default='api',env='API_DB_USERNAME',help='Lagoon API DB Username'"`
-	KeycloakBaseURL      string `kong:"required,env='KEYCLOAK_BASE_URL',help='Keycloak Base URL'"`
-	KeycloakClientID     string `kong:"default='auth-server',env='KEYCLOAK_AUTH_SERVER_CLIENT_ID',help='Keycloak OAuth2 Client ID'"`
-	KeycloakClientSecret string `kong:"required,env='KEYCLOAK_AUTH_SERVER_CLIENT_SECRET',help='Keycloak OAuth2 Client Secret'"`
-	SSHServerPort        uint   `kong:"default='2222',env='SSH_SERVER_PORT',help='Port the SSH server will listen on for SSH client connections'"`
-	HostKeyECDSA         string `kong:"env='HOST_KEY_ECDSA',help='PEM encoded ECDSA host key'"`
-	HostKeyED25519       string `kong:"env='HOST_KEY_ED25519',help='PEM encoded Ed25519 host key'"`
-	HostKeyRSA           string `kong:"env='HOST_KEY_RSA',help='PEM encoded RSA host key'"`
+	APIDBAddress                   string `kong:"required,env='API_DB_ADDRESS',help='Lagoon API DB Address (host[:port])'"`
+	APIDBDatabase                  string `kong:"default='infrastructure',env='API_DB_DATABASE',help='Lagoon API DB Database Name'"`
+	APIDBPassword                  string `kong:"required,env='API_DB_PASSWORD',help='Lagoon API DB Password'"`
+	APIDBUsername                  string `kong:"default='api',env='API_DB_USERNAME',help='Lagoon API DB Username'"`
+	KeycloakBaseURL                string `kong:"required,env='KEYCLOAK_BASE_URL',help='Keycloak Base URL'"`
+	KeycloakTokenClientID          string `kong:"default='auth-server',env='KEYCLOAK_AUTH_SERVER_CLIENT_ID',help='Keycloak auth-server OAuth2 Client ID'"`
+	KeycloakTokenClientSecret      string `kong:"required,env='KEYCLOAK_AUTH_SERVER_CLIENT_SECRET',help='Keycloak auth-server OAuth2 Client Secret'"`
+	KeycloakPermissionClientID     string `kong:"default='service-api',env='KEYCLOAK_SERVICE_API_CLIENT_ID',help='Keycloak service-api OAuth2 Client ID'"`
+	KeycloakPermissionClientSecret string `kong:"env='KEYCLOAK_SERVICE_API_CLIENT_SECRET',help='Keycloak service-api OAuth2 Client Secret'"`
+	SSHServerPort                  uint   `kong:"default='2222',env='SSH_SERVER_PORT',help='Port the SSH server will listen on for SSH client connections'"`
+	HostKeyECDSA                   string `kong:"env='HOST_KEY_ECDSA',help='PEM encoded ECDSA host key'"`
+	HostKeyED25519                 string `kong:"env='HOST_KEY_ED25519',help='PEM encoded Ed25519 host key'"`
+	HostKeyRSA                     string `kong:"env='HOST_KEY_RSA',help='PEM encoded RSA host key'"`
 }
 
 // Run the serve command to ssh-portal API requests.
@@ -48,13 +50,19 @@ func (cmd *ServeCmd) Run(log *zap.Logger) error {
 	dbConf.User = cmd.APIDBUsername
 	ldb, err := lagoondb.NewClient(ctx, dbConf.FormatDSN())
 	if err != nil {
-		return fmt.Errorf("couldn't init lagoon DBClient: %v", err)
+		return fmt.Errorf("couldn't init lagoonDB client: %v", err)
 	}
-	// init keycloak client
-	k, err := keycloak.NewClient(ctx, log, cmd.KeycloakBaseURL,
-		cmd.KeycloakClientID, cmd.KeycloakClientSecret)
+	// init token / auth-server keycloak client
+	keycloakToken, err := keycloak.NewClient(ctx, log, cmd.KeycloakBaseURL,
+		cmd.KeycloakTokenClientID, cmd.KeycloakTokenClientSecret)
 	if err != nil {
-		return fmt.Errorf("couldn't init keycloak Client: %v", err)
+		return fmt.Errorf("couldn't init keycloak token client: %v", err)
+	}
+	// init permission / service-api keycloak client
+	keycloakPermission, err := keycloak.NewClient(ctx, log, cmd.KeycloakBaseURL,
+		cmd.KeycloakPermissionClientID, cmd.KeycloakPermissionClientSecret)
+	if err != nil {
+		return fmt.Errorf("couldn't init keycloak permission client: %v", err)
 	}
 	// start listening on TCP port
 	l, err := net.Listen("tcp", fmt.Sprintf(":%d", cmd.SSHServerPort))
@@ -63,11 +71,13 @@ func (cmd *ServeCmd) Run(log *zap.Logger) error {
 	}
 	// check for persistent host key arguments
 	var hostkeys [][]byte
-	for _, hk := range []string{cmd.HostKeyECDSA, cmd.HostKeyED25519, cmd.HostKeyRSA} {
+	for _, hk := range []string{cmd.HostKeyECDSA, cmd.HostKeyED25519,
+		cmd.HostKeyRSA} {
 		if len(hk) > 0 {
 			hostkeys = append(hostkeys, []byte(hk))
 		}
 	}
 	// start serving SSH token requests
-	return sshtoken.Serve(ctx, log, l, ldb, k, hostkeys)
+	return sshtoken.Serve(ctx, log, l, ldb, keycloakToken, keycloakPermission,
+		hostkeys)
 }
diff --git a/internal/sshtoken/authhandler.go b/internal/sshtoken/authhandler.go
@@ -1,7 +1,6 @@
 package sshtoken
 
 import (
-	"context"
 	"errors"
 
 	"github.com/gliderlabs/ssh"
@@ -18,11 +17,6 @@ const (
 	userUUID ctxKey = iota
 )
 
-// LagoonDBService provides methods for querying the Lagoon API DB.
-type LagoonDBService interface {
-	UserBySSHFingerprint(context.Context, string) (*lagoondb.User, error)
-}
-
 var (
 	authnAttemptsTotal = promauto.NewCounter(prometheus.CounterOpts{
 		Name: "sshtoken_authentication_attempts_total",
@@ -32,15 +26,11 @@ var (
 		Name: "sshtoken_authentication_success_total",
 		Help: "The total number of successful ssh-token authentications",
 	})
-	authnAttemptsNonLagoonUser = promauto.NewCounter(prometheus.CounterOpts{
-		Name: "sshtoken_authentication_attempts_non_lagoon_user",
-		Help: "The total number of failed authentication attempts with a user other than lagoon",
-	})
 )
 
 // pubKeyAuth returns a ssh.PublicKeyHandler which accepts any key which
 // matches a user, and the associated user UUID to the ssh context.
-func pubKeyAuth(log *zap.Logger, l LagoonDBService) ssh.PublicKeyHandler {
+func pubKeyAuth(log *zap.Logger, ldb LagoonDBService) ssh.PublicKeyHandler {
 	return func(ctx ssh.Context, key ssh.PublicKey) bool {
 		authnAttemptsTotal.Inc()
 		// parse SSH public key
@@ -51,36 +41,30 @@ func pubKeyAuth(log *zap.Logger, l LagoonDBService) ssh.PublicKeyHandler {
 				zap.Error(err))
 			return false
 		}
-		// validate user string
-		if ctx.User() != "lagoon" {
-			authnAttemptsNonLagoonUser.Inc()
-			log.Debug(`invalid user: only "lagoon" is supported`,
-				zap.String("sessionID", ctx.SessionID()),
-				zap.String("user", ctx.User()))
-			return false
-		}
 		// identify Lagoon user by ssh key fingerprint
 		fingerprint := gossh.FingerprintSHA256(pubKey)
-		user, err := l.UserBySSHFingerprint(ctx, fingerprint)
+		user, err := ldb.UserBySSHFingerprint(ctx, fingerprint)
 		if err != nil {
 			if errors.Is(err, lagoondb.ErrNoResult) {
 				log.Debug("unknown SSH Fingerprint",
 					zap.String("sessionID", ctx.SessionID()))
 			} else {
 				log.Warn("couldn't query for user by SSH key fingerprint",
 					zap.String("sessionID", ctx.SessionID()),
+					zap.String("fingerprint", fingerprint),
 					zap.Error(err))
 			}
 			return false
 		}
-		// The SSH key fingerprint was in the database so authentication was
+		// The SSH key fingerprint was in the database so "authentication" was
 		// successful. Inject the user UUID into the context so it can be used in
 		// the session handler.
 		authnSuccessTotal.Inc()
 		ctx.SetValue(userUUID, user.UUID)
 		log.Info("authentication successful",
 			zap.String("sessionID", ctx.SessionID()),
-			zap.String("fingerprint", fingerprint))
+			zap.String("fingerprint", fingerprint),
+			zap.String("userID", user.UUID.String()))
 		return true
 	}
 }
diff --git a/internal/sshtoken/serve.go b/internal/sshtoken/serve.go
@@ -17,11 +17,19 @@ import (
 // give an 8 second deadline to shut down cleanly.
 const shutdownTimeout = 8 * time.Second
 
+// LagoonDBService provides methods for querying the Lagoon API DB.
+type LagoonDBService interface {
+	EnvironmentByNamespaceName(context.Context, string) (*lagoondb.Environment, error)
+	UserBySSHFingerprint(context.Context, string) (*lagoondb.User, error)
+	SSHEndpointByEnvironmentID(context.Context, int) (string, string, error)
+}
+
 // Serve contains the main ssh session logic
 func Serve(ctx context.Context, log *zap.Logger, l net.Listener,
-	ldb *lagoondb.Client, k *keycloak.Client, hostKeys [][]byte) error {
+	ldb *lagoondb.Client, keycloakToken, keycloakPermission *keycloak.Client,
+	hostKeys [][]byte) error {
 	srv := ssh.Server{
-		Handler:          sessionHandler(log, k),
+		Handler:          sessionHandler(log, keycloakToken, keycloakPermission, ldb),
 		PublicKeyHandler: pubKeyAuth(log, ldb),
 	}
 	for _, hk := range hostKeys {