devpod/cmd/agent/container/credentials_server.go at a909739f25da9816f3bad1a9ae875581cdf41b0e · loft-sh/devpod · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
package container

import (
	"context"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net"
	"os"
	"strconv"

	"github.com/loft-sh/devpod/cmd/flags"
	"github.com/loft-sh/devpod/pkg/agent/tunnel"
	"github.com/loft-sh/devpod/pkg/agent/tunnelserver"
	"github.com/loft-sh/devpod/pkg/credentials"
	"github.com/loft-sh/devpod/pkg/dockercredentials"
	"github.com/loft-sh/devpod/pkg/gitcredentials"
	"github.com/loft-sh/devpod/pkg/gitsshsigning"
	"github.com/loft-sh/devpod/pkg/netstat"
	portpkg "github.com/loft-sh/devpod/pkg/port"
	"github.com/loft-sh/log"
	"github.com/sirupsen/logrus"
	"github.com/spf13/cobra"
)

const (
	ExitCodeIO     int    = 64
	DefaultLogFile string = "/var/devpod/credentials-server.log"
)

// CredentialsServerCmd holds the cmd flags
type CredentialsServerCmd struct {
	*flags.GlobalFlags

	User   string
	Client string
	Port   int

	ConfigureGitHelper    bool
	ConfigureDockerHelper bool

	ForwardPorts      bool
	GitUserSigningKey string
}

// NewCredentialsServerCmd creates a new command
func NewCredentialsServerCmd(flags *flags.GlobalFlags) *cobra.Command {
	cmd := &CredentialsServerCmd{
		GlobalFlags: flags,
	}
	credentialsServerCmd := &cobra.Command{
		Use:   "credentials-server",
		Short: "Starts a credentials server",
		Args:  cobra.NoArgs,
		RunE: func(c *cobra.Command, args []string) error {
			port, err := credentials.GetPort()
			if err != nil {
				return err
			}

			return cmd.Run(c.Context(), port)
		},
	}
	credentialsServerCmd.Flags().BoolVar(&cmd.ConfigureGitHelper, "configure-git-helper", false, "If true will configure git helper")
	credentialsServerCmd.Flags().BoolVar(&cmd.ConfigureDockerHelper, "configure-docker-helper", false, "If true will configure docker helper")
	credentialsServerCmd.Flags().BoolVar(&cmd.ForwardPorts, "forward-ports", false, "If true will automatically try to forward open ports within the container")
	credentialsServerCmd.Flags().StringVar(&cmd.GitUserSigningKey, "git-user-signing-key", "", "")
	credentialsServerCmd.Flags().StringVar(&cmd.User, "user", "", "The user to use")
	_ = credentialsServerCmd.MarkFlagRequired("user")
	credentialsServerCmd.Flags().StringVar(&cmd.Client, "client", "", "client host")
	credentialsServerCmd.Flags().IntVar(&cmd.Port, "port", 0, "port of credentials server running locally on client machine to connect to")

	return credentialsServerCmd
}

// Run runs the command logic
func (cmd *CredentialsServerCmd) Run(ctx context.Context, port int) error {
	var tunnelClient tunnel.TunnelClient
	var err error
	fileLogger := log.NewFileLogger(DefaultLogFile, logrus.DebugLevel)

	// create a grpc client
	// if we have client address, lets use the http client
	if cmd.Client != "" {
		tunnelClient, err = tunnelserver.NewHTTPTunnelClient(
			cmd.Client, fmt.Sprintf("%d", cmd.Port), fileLogger)
		if err != nil {
			return fmt.Errorf("error creating tunnel client: %w", err)
		}
	} else {
		// otherwise we fallback to stdio client
		tunnelClient, err = tunnelserver.NewTunnelClient(os.Stdin, os.Stdout, true, ExitCodeIO)
		if err != nil {
			return fmt.Errorf("error creating tunnel client: %w", err)
		}
	}

	// this message serves as a ping to the client
	_, err = tunnelClient.Ping(ctx, &tunnel.Empty{})
	if err != nil {
		return fmt.Errorf("ping client: %w", err)
	}

	// create debug logger
	log := tunnelserver.NewTunnelLogger(ctx, tunnelClient, cmd.Debug)

	// forward ports
	if cmd.ForwardPorts {
		go func() {
			log.Debugf("Start watching & forwarding open ports")
			err = forwardPorts(ctx, tunnelClient, log)
			if err != nil {
				log.Errorf("error forwarding ports: %v", err)
			}
		}()
	}

	addr := net.JoinHostPort("localhost", strconv.Itoa(port))
	if ok, err := portpkg.IsAvailable(addr); !ok || err != nil {
		log.Debugf("Port %d not available, exiting", port)
		return nil
	}

	// configure docker credential helper
	if cmd.ConfigureDockerHelper {
		err = dockercredentials.ConfigureCredentialsContainer(cmd.User, port, log)
		if err != nil {
			return err
		}
	}

	// configure git user
	err = configureGitUserLocally(ctx, cmd.User, tunnelClient)
	if err != nil {
		log.Debugf("Error configuring git user: %v", err)
		return err
	}

	// configure git credential helper
	if cmd.ConfigureGitHelper {
		binaryPath, err := os.Executable()
		if err != nil {
			return err
		}
		err = gitcredentials.ConfigureHelper(binaryPath, cmd.User, port)
		if err != nil {
			return fmt.Errorf("configure git helper: %w", err)
		}

		// cleanup when we are done
		defer func(userName string) {
			_ = gitcredentials.RemoveHelper(userName)
		}(cmd.User)
	}

	// configure git ssh signature helper
	if cmd.GitUserSigningKey != "" {
		decodedKey, err := base64.StdEncoding.DecodeString(cmd.GitUserSigningKey)
		if err != nil {
			return fmt.Errorf("decode git ssh signature key: %w", err)
		}
		err = gitsshsigning.ConfigureHelper(cmd.User, string(decodedKey), log)
		if err != nil {
			return fmt.Errorf("configure git ssh signature helper: %w", err)
		}

		// cleanup when we are done
		defer func(userName string) {
			_ = gitsshsigning.RemoveHelper(userName)
		}(cmd.User)
	}

	return credentials.RunCredentialsServer(ctx, port, tunnelClient, cmd.Client, log)
}

func configureGitUserLocally(ctx context.Context, userName string, client tunnel.TunnelClient) error {
	// get local credentials
	localGitUser, err := gitcredentials.GetUser(userName)
	if err != nil {
		return err
	} else if localGitUser.Name != "" && localGitUser.Email != "" {
		return nil
	}

	// set user & email if not found
	response, err := client.GitUser(ctx, &tunnel.Empty{})
	if err != nil {
		return fmt.Errorf("retrieve git user: %w", err)
	}

	// parse git user from response
	gitUser := &gitcredentials.GitUser{}
	err = json.Unmarshal([]byte(response.Message), gitUser)
	if err != nil {
		return fmt.Errorf("decode git user: %w", err)
	}

	// don't override what is already there
	if localGitUser.Name != "" {
		gitUser.Name = ""
	}
	if localGitUser.Email != "" {
		gitUser.Email = ""
	}

	// set git user
	err = gitcredentials.SetUser(userName, gitUser)
	if err != nil {
		return fmt.Errorf("set git user & email: %w", err)
	}

	return nil
}

func forwardPorts(ctx context.Context, client tunnel.TunnelClient, log log.Logger) error {
	return netstat.NewWatcher(&forwarder{ctx: ctx, client: client}, log).Run(ctx)
}

type forwarder struct {
	ctx context.Context

	client tunnel.TunnelClient
}

func (f *forwarder) Forward(port string) error {
	_, err := f.client.ForwardPort(f.ctx, &tunnel.ForwardPortRequest{Port: port})
	return err
}

func (f *forwarder) StopForward(port string) error {
	_, err := f.client.StopForwardPort(f.ctx, &tunnel.StopForwardPortRequest{Port: port})
	return err
}