@malloy-publisher/server 0.0.217 → 0.0.219
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/app/api-doc.yaml +114 -0
- package/dist/app/assets/{EnvironmentPage-BX71Wsun.js → EnvironmentPage-gehnjfC6.js} +1 -1
- package/dist/app/assets/{HomePage-Bnp4Puv4.js → HomePage-8LQBytE4.js} +1 -1
- package/dist/app/assets/{MainPage-chkqUlI0.js → MainPage-DDaZLJw-.js} +1 -1
- package/dist/app/assets/{MaterializationsPage-DG4e_wRd.js → MaterializationsPage-D7P1Kp6O.js} +1 -1
- package/dist/app/assets/{ModelPage-DbLU-ABs.js → ModelPage-Do_vhxOc.js} +1 -1
- package/dist/app/assets/{PackagePage-EvWf3VZ4.js → PackagePage-Cz9fVwSG.js} +1 -1
- package/dist/app/assets/{RouteError-POj8kImc.js → RouteError-UONCloyN.js} +1 -1
- package/dist/app/assets/{WorkbookPage-Bkq3C1MS.js → WorkbookPage-Bhzqvbq_.js} +1 -1
- package/dist/app/assets/{core-DiLT6QvL.es-Jn6sdy15.js → core-BiGj7BML.es-kMHAa8tP.js} +1 -1
- package/dist/app/assets/{index-gjr27uMq.js → index-VzRbxcF7.js} +3 -3
- package/dist/app/assets/{index-C_AT6ZZw.js → index-ddq4-5hu.js} +1 -1
- package/dist/app/assets/{index-bAdd7U9-.js → index-qOQF9CXq.js} +1 -1
- package/dist/app/assets/{index.umd-BxzPw_1E.js → index.umd-B2kmxDh7.js} +1 -1
- package/dist/app/index.html +1 -1
- package/dist/cpufeatures-1yrn0vtw.node +0 -0
- package/dist/server.mjs +19069 -70
- package/package.json +1 -1
- package/src/dto/connection.dto.ts +43 -0
- package/src/service/connection.spec.ts +70 -0
- package/src/service/connection.ts +149 -2
- package/src/service/connection_config.spec.ts +254 -0
- package/src/service/connection_config.ts +127 -0
- package/src/service/model.ts +25 -3
- package/src/service/package.ts +21 -2
- package/src/service/package_worker_path.spec.ts +103 -0
- package/src/service/proxy.spec.ts +414 -0
- package/src/service/proxy.ts +248 -0
|
@@ -0,0 +1,414 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Unit tests for the SSH proxy layer.
|
|
3
|
+
*
|
|
4
|
+
* These tests are hermetic: they stand up an in-process ssh2 server that
|
|
5
|
+
* forwards to a plain TCP echo server, call openProxy(), connect a client
|
|
6
|
+
* to the returned local endpoint, and assert that bytes round-trip through
|
|
7
|
+
* the tunnel.
|
|
8
|
+
*
|
|
9
|
+
* No external network access is required.
|
|
10
|
+
*/
|
|
11
|
+
|
|
12
|
+
import net from "net";
|
|
13
|
+
import { generateKeyPairSync } from "crypto";
|
|
14
|
+
import { afterEach, beforeEach, describe, expect, it } from "bun:test";
|
|
15
|
+
import {
|
|
16
|
+
Server as SshServer,
|
|
17
|
+
utils as sshUtils,
|
|
18
|
+
type Connection as SshServerConnection,
|
|
19
|
+
} from "ssh2";
|
|
20
|
+
import { openProxy } from "./proxy";
|
|
21
|
+
|
|
22
|
+
// ── Key material generated once for the test suite ────────────────────────────
|
|
23
|
+
|
|
24
|
+
// ssh2's server requires PEM private keys it can parse. These are ephemeral,
|
|
25
|
+
// test-only keys; RSA-2048 (not 1024) so static analysis doesn't flag them.
|
|
26
|
+
const hostKeys = generateKeyPairSync("rsa", { modulusLength: 2048 });
|
|
27
|
+
const hostPrivatePem = hostKeys.privateKey
|
|
28
|
+
.export({ type: "pkcs1", format: "pem" })
|
|
29
|
+
.toString();
|
|
30
|
+
|
|
31
|
+
const clientKeys = generateKeyPairSync("rsa", { modulusLength: 2048 });
|
|
32
|
+
const clientPrivatePem = clientKeys.privateKey
|
|
33
|
+
.export({ type: "pkcs1", format: "pem" })
|
|
34
|
+
.toString();
|
|
35
|
+
// Helpers ─────────────────────────────────────────────────────────────────────
|
|
36
|
+
|
|
37
|
+
function startEchoServer(): Promise<{
|
|
38
|
+
port: number;
|
|
39
|
+
close: () => Promise<void>;
|
|
40
|
+
}> {
|
|
41
|
+
return new Promise((resolve, reject) => {
|
|
42
|
+
// Track accepted sockets so close() can force them down. server.close()
|
|
43
|
+
// alone only stops accepting and then waits for open connections to end;
|
|
44
|
+
// a lingering forwarded socket would otherwise hang teardown (and the
|
|
45
|
+
// afterEach hook) until the test timeout, especially under --serial CI.
|
|
46
|
+
const sockets = new Set<net.Socket>();
|
|
47
|
+
const server = net.createServer((socket) => {
|
|
48
|
+
sockets.add(socket);
|
|
49
|
+
socket.on("close", () => sockets.delete(socket));
|
|
50
|
+
socket.pipe(socket);
|
|
51
|
+
});
|
|
52
|
+
server.on("error", reject);
|
|
53
|
+
server.listen(0, "127.0.0.1", () => {
|
|
54
|
+
const addr = server.address() as net.AddressInfo;
|
|
55
|
+
resolve({
|
|
56
|
+
port: addr.port,
|
|
57
|
+
close: () =>
|
|
58
|
+
new Promise((res, rej) => {
|
|
59
|
+
for (const s of sockets) s.destroy();
|
|
60
|
+
server.close((err) => (err ? rej(err) : res()));
|
|
61
|
+
}),
|
|
62
|
+
});
|
|
63
|
+
});
|
|
64
|
+
});
|
|
65
|
+
}
|
|
66
|
+
|
|
67
|
+
/**
|
|
68
|
+
* Start a minimal in-process SSH server that accepts the test client key
|
|
69
|
+
* and fulfils tcpip-forward (forwardOut) requests.
|
|
70
|
+
*/
|
|
71
|
+
function startSshServer(opts: {
|
|
72
|
+
rejectAuth?: boolean;
|
|
73
|
+
rejectForward?: boolean;
|
|
74
|
+
}): Promise<{
|
|
75
|
+
port: number;
|
|
76
|
+
hostKeyBase64: string;
|
|
77
|
+
close: () => Promise<void>;
|
|
78
|
+
}> {
|
|
79
|
+
return new Promise((resolve, reject) => {
|
|
80
|
+
// Track live client connections and forwarded destination sockets so
|
|
81
|
+
// close() can force them down; otherwise a lingering forwarded socket
|
|
82
|
+
// keeps sshd.close() (and the afterEach hook) hanging until the test
|
|
83
|
+
// timeout, which is what made the tunnel tests flake under --serial CI.
|
|
84
|
+
const clients = new Set<SshServerConnection>();
|
|
85
|
+
const destSockets = new Set<net.Socket>();
|
|
86
|
+
const sshd = new SshServer(
|
|
87
|
+
{ hostKeys: [hostPrivatePem] },
|
|
88
|
+
(client: SshServerConnection) => {
|
|
89
|
+
clients.add(client);
|
|
90
|
+
client.on("close", () => clients.delete(client));
|
|
91
|
+
client.on("authentication", (ctx) => {
|
|
92
|
+
if (opts.rejectAuth) {
|
|
93
|
+
ctx.reject();
|
|
94
|
+
return;
|
|
95
|
+
}
|
|
96
|
+
// Accept publickey auth for our test client key.
|
|
97
|
+
if (ctx.method === "publickey" && !opts.rejectAuth) {
|
|
98
|
+
ctx.accept();
|
|
99
|
+
} else {
|
|
100
|
+
ctx.reject();
|
|
101
|
+
}
|
|
102
|
+
});
|
|
103
|
+
|
|
104
|
+
client.on("ready", () => {
|
|
105
|
+
client.on("tcpip", (accept, _reject, info) => {
|
|
106
|
+
if (opts.rejectForward) {
|
|
107
|
+
_reject();
|
|
108
|
+
return;
|
|
109
|
+
}
|
|
110
|
+
const channel = accept();
|
|
111
|
+
// Connect to the real destination and pipe.
|
|
112
|
+
const dest = net.createConnection(
|
|
113
|
+
{ host: info.destIP, port: info.destPort },
|
|
114
|
+
() => {
|
|
115
|
+
channel.pipe(dest).pipe(channel);
|
|
116
|
+
channel.on("error", () => dest.destroy());
|
|
117
|
+
dest.on("error", () => channel.destroy());
|
|
118
|
+
},
|
|
119
|
+
);
|
|
120
|
+
destSockets.add(dest);
|
|
121
|
+
dest.on("close", () => destSockets.delete(dest));
|
|
122
|
+
dest.on("error", () => channel.destroy());
|
|
123
|
+
});
|
|
124
|
+
});
|
|
125
|
+
|
|
126
|
+
client.on("error", () => {
|
|
127
|
+
/* swallow per-client errors in tests */
|
|
128
|
+
});
|
|
129
|
+
},
|
|
130
|
+
);
|
|
131
|
+
|
|
132
|
+
sshd.on("error", reject);
|
|
133
|
+
sshd.listen(0, "127.0.0.1", () => {
|
|
134
|
+
const addr = sshd.address() as net.AddressInfo;
|
|
135
|
+
|
|
136
|
+
// Capture the server's host key fingerprint (base64 of the raw DER) by
|
|
137
|
+
// parsing the pem via the ssh2 util so the format matches what
|
|
138
|
+
// hostVerifier receives.
|
|
139
|
+
const parsed = sshUtils.parseKey(hostPrivatePem);
|
|
140
|
+
const hostKeyBase64 = (parsed as { getPublicSSH(): Buffer })
|
|
141
|
+
.getPublicSSH()
|
|
142
|
+
.toString("base64");
|
|
143
|
+
|
|
144
|
+
resolve({
|
|
145
|
+
port: addr.port,
|
|
146
|
+
hostKeyBase64,
|
|
147
|
+
close: () =>
|
|
148
|
+
new Promise((res) => {
|
|
149
|
+
for (const s of destSockets) s.destroy();
|
|
150
|
+
for (const c of clients) c.end();
|
|
151
|
+
sshd.close(() => res());
|
|
152
|
+
}),
|
|
153
|
+
});
|
|
154
|
+
});
|
|
155
|
+
});
|
|
156
|
+
}
|
|
157
|
+
|
|
158
|
+
function connectAndSend(port: number, message: string): Promise<string> {
|
|
159
|
+
return new Promise((resolve, reject) => {
|
|
160
|
+
const socket = net.createConnection({ host: "127.0.0.1", port }, () => {
|
|
161
|
+
socket.write(message);
|
|
162
|
+
});
|
|
163
|
+
const chunks: Buffer[] = [];
|
|
164
|
+
socket.on("data", (chunk) => {
|
|
165
|
+
chunks.push(chunk);
|
|
166
|
+
if (Buffer.concat(chunks).toString().includes(message)) {
|
|
167
|
+
socket.destroy();
|
|
168
|
+
resolve(Buffer.concat(chunks).toString());
|
|
169
|
+
}
|
|
170
|
+
});
|
|
171
|
+
socket.on("error", reject);
|
|
172
|
+
});
|
|
173
|
+
}
|
|
174
|
+
|
|
175
|
+
// Best-effort, time-bounded teardown. Destroying every ssh2/socket handle is
|
|
176
|
+
// reliable locally but a lingering graceful close can still stall on some CI
|
|
177
|
+
// platforms (Bun + ssh2 on Linux/Windows), which would hang the afterEach hook
|
|
178
|
+
// until the 100s test timeout. The assertions have already run by teardown, so
|
|
179
|
+
// cap each close and move on rather than block.
|
|
180
|
+
function closeQuietly(close: () => Promise<void>, ms = 3000): Promise<void> {
|
|
181
|
+
return Promise.race([
|
|
182
|
+
close().catch(() => {}),
|
|
183
|
+
new Promise<void>((resolve) => {
|
|
184
|
+
const timer = setTimeout(resolve, ms);
|
|
185
|
+
(timer as unknown as { unref?: () => void }).unref?.();
|
|
186
|
+
}),
|
|
187
|
+
]);
|
|
188
|
+
}
|
|
189
|
+
|
|
190
|
+
// ── Tests ─────────────────────────────────────────────────────────────────────
|
|
191
|
+
|
|
192
|
+
describe("openProxy — SSH tunnel", () => {
|
|
193
|
+
let echoServer: { port: number; close: () => Promise<void> };
|
|
194
|
+
let sshServer: {
|
|
195
|
+
port: number;
|
|
196
|
+
hostKeyBase64: string;
|
|
197
|
+
close: () => Promise<void>;
|
|
198
|
+
};
|
|
199
|
+
|
|
200
|
+
beforeEach(async () => {
|
|
201
|
+
echoServer = await startEchoServer();
|
|
202
|
+
sshServer = await startSshServer({});
|
|
203
|
+
});
|
|
204
|
+
|
|
205
|
+
afterEach(async () => {
|
|
206
|
+
await closeQuietly(() => echoServer.close());
|
|
207
|
+
await closeQuietly(() => sshServer.close());
|
|
208
|
+
});
|
|
209
|
+
|
|
210
|
+
it("round-trips bytes through the tunnel", async () => {
|
|
211
|
+
const ep = await openProxy(
|
|
212
|
+
{
|
|
213
|
+
type: "ssh",
|
|
214
|
+
ssh: {
|
|
215
|
+
host: "127.0.0.1",
|
|
216
|
+
port: sshServer.port,
|
|
217
|
+
username: "testuser",
|
|
218
|
+
privateKey: clientPrivatePem,
|
|
219
|
+
hostKey: sshServer.hostKeyBase64,
|
|
220
|
+
},
|
|
221
|
+
},
|
|
222
|
+
{ host: "127.0.0.1", port: echoServer.port },
|
|
223
|
+
);
|
|
224
|
+
|
|
225
|
+
try {
|
|
226
|
+
const reply = await connectAndSend(ep.port, "hello-proxy");
|
|
227
|
+
expect(reply).toContain("hello-proxy");
|
|
228
|
+
} finally {
|
|
229
|
+
await closeQuietly(() => ep.close());
|
|
230
|
+
}
|
|
231
|
+
});
|
|
232
|
+
|
|
233
|
+
it("accepts a hostKey given as a full known_hosts line", async () => {
|
|
234
|
+
// Users typically paste `ssh-keyscan` output, e.g.
|
|
235
|
+
// `bastion.example.com ssh-rsa AAAA…` — the verifier must extract the blob.
|
|
236
|
+
const knownHostsLine = `bastion.example.com ssh-rsa ${sshServer.hostKeyBase64}`;
|
|
237
|
+
const ep = await openProxy(
|
|
238
|
+
{
|
|
239
|
+
type: "ssh",
|
|
240
|
+
ssh: {
|
|
241
|
+
host: "127.0.0.1",
|
|
242
|
+
port: sshServer.port,
|
|
243
|
+
username: "testuser",
|
|
244
|
+
privateKey: clientPrivatePem,
|
|
245
|
+
hostKey: knownHostsLine,
|
|
246
|
+
},
|
|
247
|
+
},
|
|
248
|
+
{ host: "127.0.0.1", port: echoServer.port },
|
|
249
|
+
);
|
|
250
|
+
|
|
251
|
+
try {
|
|
252
|
+
const reply = await connectAndSend(ep.port, "known-hosts-line");
|
|
253
|
+
expect(reply).toContain("known-hosts-line");
|
|
254
|
+
} finally {
|
|
255
|
+
await closeQuietly(() => ep.close());
|
|
256
|
+
}
|
|
257
|
+
});
|
|
258
|
+
|
|
259
|
+
it("accepts a hashed (|1|) known_hosts line — the hash only obscures the hostname", async () => {
|
|
260
|
+
// `ssh-keyscan -H` output hashes the hostname (`|1|salt|hash`) but leaves
|
|
261
|
+
// the key blob in the clear; the verifier extracts the blob token and never
|
|
262
|
+
// matches hostnames, so hashed lines work the same as unhashed ones.
|
|
263
|
+
const hashedLine = `|1|dNQdBg9dg8u7Vw8vq3B0uZ3example=|kZ2exampleHashValue0000000= ssh-rsa ${sshServer.hostKeyBase64}`;
|
|
264
|
+
const ep = await openProxy(
|
|
265
|
+
{
|
|
266
|
+
type: "ssh",
|
|
267
|
+
ssh: {
|
|
268
|
+
host: "127.0.0.1",
|
|
269
|
+
port: sshServer.port,
|
|
270
|
+
username: "testuser",
|
|
271
|
+
privateKey: clientPrivatePem,
|
|
272
|
+
hostKey: hashedLine,
|
|
273
|
+
},
|
|
274
|
+
},
|
|
275
|
+
{ host: "127.0.0.1", port: echoServer.port },
|
|
276
|
+
);
|
|
277
|
+
|
|
278
|
+
try {
|
|
279
|
+
const reply = await connectAndSend(ep.port, "hashed-line");
|
|
280
|
+
expect(reply).toContain("hashed-line");
|
|
281
|
+
} finally {
|
|
282
|
+
await closeQuietly(() => ep.close());
|
|
283
|
+
}
|
|
284
|
+
});
|
|
285
|
+
|
|
286
|
+
it("rejects when hostKey does not match", async () => {
|
|
287
|
+
const wrongKey = Buffer.alloc(32, 0xff).toString("base64");
|
|
288
|
+
|
|
289
|
+
await expect(
|
|
290
|
+
openProxy(
|
|
291
|
+
{
|
|
292
|
+
type: "ssh",
|
|
293
|
+
ssh: {
|
|
294
|
+
host: "127.0.0.1",
|
|
295
|
+
port: sshServer.port,
|
|
296
|
+
username: "testuser",
|
|
297
|
+
privateKey: clientPrivatePem,
|
|
298
|
+
hostKey: wrongKey,
|
|
299
|
+
},
|
|
300
|
+
},
|
|
301
|
+
{ host: "127.0.0.1", port: echoServer.port },
|
|
302
|
+
),
|
|
303
|
+
).rejects.toThrow(/host-key verification failed/i);
|
|
304
|
+
});
|
|
305
|
+
|
|
306
|
+
it("connects when hostKey is absent — unpinned self-service default", async () => {
|
|
307
|
+
// No hostKey → connect without host-key verification (the SSH transport is
|
|
308
|
+
// still encrypted). Matches mainstream BI tools' SSH-tunnel default.
|
|
309
|
+
const ep = await openProxy(
|
|
310
|
+
{
|
|
311
|
+
type: "ssh",
|
|
312
|
+
ssh: {
|
|
313
|
+
host: "127.0.0.1",
|
|
314
|
+
port: sshServer.port,
|
|
315
|
+
username: "testuser",
|
|
316
|
+
privateKey: clientPrivatePem,
|
|
317
|
+
},
|
|
318
|
+
},
|
|
319
|
+
{ host: "127.0.0.1", port: echoServer.port },
|
|
320
|
+
);
|
|
321
|
+
try {
|
|
322
|
+
const reply = await connectAndSend(ep.port, "unpinned");
|
|
323
|
+
expect(reply).toContain("unpinned");
|
|
324
|
+
} finally {
|
|
325
|
+
await closeQuietly(() => ep.close());
|
|
326
|
+
}
|
|
327
|
+
});
|
|
328
|
+
|
|
329
|
+
it("accepts a multi-line hostKey listing several keys — matches any (LB bastion)", async () => {
|
|
330
|
+
// A load-balanced bastion presents a different host key per backend, so the
|
|
331
|
+
// pin lists every backend's key and any match is accepted.
|
|
332
|
+
const decoy = Buffer.alloc(32, 0xff).toString("base64");
|
|
333
|
+
const multiKey = [
|
|
334
|
+
`bastion.example.com ssh-ed25519 ${decoy}`,
|
|
335
|
+
`bastion.example.com ssh-rsa ${sshServer.hostKeyBase64}`,
|
|
336
|
+
].join("\n");
|
|
337
|
+
const ep = await openProxy(
|
|
338
|
+
{
|
|
339
|
+
type: "ssh",
|
|
340
|
+
ssh: {
|
|
341
|
+
host: "127.0.0.1",
|
|
342
|
+
port: sshServer.port,
|
|
343
|
+
username: "testuser",
|
|
344
|
+
privateKey: clientPrivatePem,
|
|
345
|
+
hostKey: multiKey,
|
|
346
|
+
},
|
|
347
|
+
},
|
|
348
|
+
{ host: "127.0.0.1", port: echoServer.port },
|
|
349
|
+
);
|
|
350
|
+
try {
|
|
351
|
+
const reply = await connectAndSend(ep.port, "multi-key");
|
|
352
|
+
expect(reply).toContain("multi-key");
|
|
353
|
+
} finally {
|
|
354
|
+
await closeQuietly(() => ep.close());
|
|
355
|
+
}
|
|
356
|
+
});
|
|
357
|
+
|
|
358
|
+
it("fails closed when hostKey is set but parses to zero keys (comment/blank only)", async () => {
|
|
359
|
+
// A set-but-degenerate pin must NOT fall through to the unpinned branch —
|
|
360
|
+
// the security boundary is gated on hostKey being configured, not on it
|
|
361
|
+
// parsing to >=1 key. (Config load rejects this earlier; this guards the
|
|
362
|
+
// boundary itself.)
|
|
363
|
+
const commentOnly = "# ssh-keyscan bastion.example.com timed out\n \n";
|
|
364
|
+
await expect(
|
|
365
|
+
openProxy(
|
|
366
|
+
{
|
|
367
|
+
type: "ssh",
|
|
368
|
+
ssh: {
|
|
369
|
+
host: "127.0.0.1",
|
|
370
|
+
port: sshServer.port,
|
|
371
|
+
username: "testuser",
|
|
372
|
+
privateKey: clientPrivatePem,
|
|
373
|
+
hostKey: commentOnly,
|
|
374
|
+
},
|
|
375
|
+
},
|
|
376
|
+
{ host: "127.0.0.1", port: echoServer.port },
|
|
377
|
+
),
|
|
378
|
+
).rejects.toThrow(/host-key verification failed/i);
|
|
379
|
+
});
|
|
380
|
+
|
|
381
|
+
it("rejects a multi-line hostKey when none of the listed keys match", async () => {
|
|
382
|
+
const decoy1 = Buffer.alloc(32, 0xff).toString("base64");
|
|
383
|
+
const decoy2 = Buffer.alloc(32, 0xaa).toString("base64");
|
|
384
|
+
const multiKey = [
|
|
385
|
+
`bastion.example.com ssh-ed25519 ${decoy1}`,
|
|
386
|
+
`bastion.example.com ssh-rsa ${decoy2}`,
|
|
387
|
+
].join("\n");
|
|
388
|
+
await expect(
|
|
389
|
+
openProxy(
|
|
390
|
+
{
|
|
391
|
+
type: "ssh",
|
|
392
|
+
ssh: {
|
|
393
|
+
host: "127.0.0.1",
|
|
394
|
+
port: sshServer.port,
|
|
395
|
+
username: "testuser",
|
|
396
|
+
privateKey: clientPrivatePem,
|
|
397
|
+
hostKey: multiKey,
|
|
398
|
+
},
|
|
399
|
+
},
|
|
400
|
+
{ host: "127.0.0.1", port: echoServer.port },
|
|
401
|
+
),
|
|
402
|
+
).rejects.toThrow(/host-key verification failed/i);
|
|
403
|
+
});
|
|
404
|
+
|
|
405
|
+
it("rejects for unsupported proxy type", async () => {
|
|
406
|
+
await expect(
|
|
407
|
+
openProxy(
|
|
408
|
+
// @ts-expect-error — intentionally passing an unsupported type
|
|
409
|
+
{ type: "unsupported" },
|
|
410
|
+
{ host: "127.0.0.1", port: echoServer.port },
|
|
411
|
+
),
|
|
412
|
+
).rejects.toThrow(/not supported/i);
|
|
413
|
+
});
|
|
414
|
+
});
|
|
@@ -0,0 +1,248 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Generic TCP proxy layer for publisher database connections.
|
|
3
|
+
*
|
|
4
|
+
* Currently supports SSH bastion tunnels (type "ssh"). Future connection
|
|
5
|
+
* types (mysql, trino, …) only need a new `openProxy` branch — the caller
|
|
6
|
+
* interface is unchanged.
|
|
7
|
+
*
|
|
8
|
+
* A connection proxy is a normal connection capability (authorized by whoever
|
|
9
|
+
* configures the connection); it is intentionally NOT behind an env-flag gate,
|
|
10
|
+
* and is kept separate from the `publisher` HTTP multi-hop type's
|
|
11
|
+
* PUBLISHER_ALLOW_PROXY_CONNECTIONS gate. When host-key pinning is configured it
|
|
12
|
+
* is fail-closed (below).
|
|
13
|
+
*
|
|
14
|
+
* # Host-key policy
|
|
15
|
+
*
|
|
16
|
+
* `ssh.hostKey` is optional. When set, it pins the bastion's host key(s) and the
|
|
17
|
+
* tunnel is fail-closed on mismatch; it may list multiple known_hosts lines (a
|
|
18
|
+
* load-balanced/HA bastion presents a different key per backend), and any listed
|
|
19
|
+
* key is accepted. When absent, the tunnel connects without host-key
|
|
20
|
+
* verification — the self-service default, matching mainstream BI tools' SSH
|
|
21
|
+
* tunnels. The SSH transport is still encrypted; unpinned, a MITM on the
|
|
22
|
+
* publisher→bastion hop is possible, mitigated by the customer allowlisting our
|
|
23
|
+
* egress on the bastion.
|
|
24
|
+
*/
|
|
25
|
+
|
|
26
|
+
import net from "net";
|
|
27
|
+
import { Client as SshClient } from "ssh2";
|
|
28
|
+
import type { ConnectConfig, SyncHostVerifier } from "ssh2";
|
|
29
|
+
import { components } from "../api";
|
|
30
|
+
import { logger } from "../logger";
|
|
31
|
+
|
|
32
|
+
type ConnectionProxy = components["schemas"]["ConnectionProxy"];
|
|
33
|
+
|
|
34
|
+
export interface ProxyEndpoint {
|
|
35
|
+
host: string;
|
|
36
|
+
port: number;
|
|
37
|
+
close(): Promise<void>;
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
const SSH_CONNECT_TIMEOUT_MS = 15_000;
|
|
41
|
+
const SSH_KEEPALIVE_INTERVAL_MS = 15_000;
|
|
42
|
+
|
|
43
|
+
/**
|
|
44
|
+
* Parse a stored hostKey into the set of base64 wire-format key blobs to accept.
|
|
45
|
+
* The value may hold one or more OpenSSH known_hosts entries (one per line) — a
|
|
46
|
+
* load-balanced bastion presents a different host key per backend, so pinning
|
|
47
|
+
* such a bastion means listing every backend's key. Blank lines and `#` comments
|
|
48
|
+
* are skipped. Each entry may be a full known_hosts line (`[markers] host keytype
|
|
49
|
+
* AAAA…`), a `keytype AAAA…` pair, or a bare base64 blob; SSH key blobs
|
|
50
|
+
* base64-encode to a string starting with "AAAA" (the length prefix of the
|
|
51
|
+
* key-type name), so we pick that token, else the last whitespace-delimited
|
|
52
|
+
* token. Compared against what ssh2 hands us (`key.toString("base64")`).
|
|
53
|
+
*/
|
|
54
|
+
export function parseHostKeys(raw: string): Set<string> {
|
|
55
|
+
const keys = new Set<string>();
|
|
56
|
+
for (const line of raw.split(/\r?\n/)) {
|
|
57
|
+
const trimmed = line.trim();
|
|
58
|
+
if (!trimmed || trimmed.startsWith("#")) continue;
|
|
59
|
+
const tokens = trimmed.split(/\s+/);
|
|
60
|
+
const blob = tokens.find((t) => /^AAAA[A-Za-z0-9+/]+={0,2}$/.test(t));
|
|
61
|
+
const key = blob ?? tokens[tokens.length - 1];
|
|
62
|
+
if (key) keys.add(key);
|
|
63
|
+
}
|
|
64
|
+
return keys;
|
|
65
|
+
}
|
|
66
|
+
|
|
67
|
+
/**
|
|
68
|
+
* Open a proxy tunnel described by `proxy` that ultimately delivers traffic to
|
|
69
|
+
* `target`. Returns a local `127.0.0.1:port` endpoint the DB driver should
|
|
70
|
+
* connect to in place of the real host/port.
|
|
71
|
+
*/
|
|
72
|
+
export async function openProxy(
|
|
73
|
+
proxy: ConnectionProxy,
|
|
74
|
+
target: { host: string; port: number },
|
|
75
|
+
): Promise<ProxyEndpoint> {
|
|
76
|
+
if (proxy.type === "ssh") {
|
|
77
|
+
if (!proxy.ssh) {
|
|
78
|
+
throw new Error(
|
|
79
|
+
"ConnectionProxy type is 'ssh' but the 'ssh' config object is missing.",
|
|
80
|
+
);
|
|
81
|
+
}
|
|
82
|
+
return openSshProxy(proxy.ssh, target);
|
|
83
|
+
}
|
|
84
|
+
throw new Error(
|
|
85
|
+
`Proxy type '${proxy.type}' is not supported yet. Only 'ssh' is implemented.`,
|
|
86
|
+
);
|
|
87
|
+
}
|
|
88
|
+
|
|
89
|
+
function openSshProxy(
|
|
90
|
+
ssh: components["schemas"]["SshProxyConfig"],
|
|
91
|
+
target: { host: string; port: number },
|
|
92
|
+
): Promise<ProxyEndpoint> {
|
|
93
|
+
return new Promise((resolve, reject) => {
|
|
94
|
+
const client = new SshClient();
|
|
95
|
+
let localPort = 0;
|
|
96
|
+
let server: net.Server | undefined;
|
|
97
|
+
let settled = false;
|
|
98
|
+
// Track accepted local sockets so close() can force them down. Relying on
|
|
99
|
+
// server.close() alone waits for in-flight sockets to drain, which can
|
|
100
|
+
// hang teardown indefinitely if a forwarded socket lingers.
|
|
101
|
+
const sockets = new Set<net.Socket>();
|
|
102
|
+
|
|
103
|
+
function fail(err: Error): void {
|
|
104
|
+
if (settled) return;
|
|
105
|
+
settled = true;
|
|
106
|
+
server?.close();
|
|
107
|
+
client.end();
|
|
108
|
+
reject(err);
|
|
109
|
+
}
|
|
110
|
+
|
|
111
|
+
const connectConfig: ConnectConfig = {
|
|
112
|
+
host: ssh.host,
|
|
113
|
+
port: ssh.port ?? 22,
|
|
114
|
+
username: ssh.username,
|
|
115
|
+
privateKey: ssh.privateKey,
|
|
116
|
+
...(ssh.privateKeyPass ? { passphrase: ssh.privateKeyPass } : {}),
|
|
117
|
+
readyTimeout: SSH_CONNECT_TIMEOUT_MS,
|
|
118
|
+
// Send SSH-level keepalives so an idle tunnel isn't silently reaped by
|
|
119
|
+
// Cloud NAT / bastion ClientAlive / stateful-firewall idle timeouts —
|
|
120
|
+
// which would otherwise only surface as a confusing pg error on the
|
|
121
|
+
// next query. 3 missed (~45s) before ssh2 considers the link dead.
|
|
122
|
+
keepaliveInterval: SSH_KEEPALIVE_INTERVAL_MS,
|
|
123
|
+
keepaliveCountMax: 3,
|
|
124
|
+
hostVerifier: ((key: Buffer): boolean => {
|
|
125
|
+
// `key` is the raw Buffer of the host's public key.
|
|
126
|
+
const presented = key.toString("base64");
|
|
127
|
+
// "Pinned" is gated on hostKey being a non-empty value, not on it
|
|
128
|
+
// parsing to ≥1 key: a set-but-degenerate hostKey (only whitespace,
|
|
129
|
+
// blanks, or comments) must fail closed, never fall through to the
|
|
130
|
+
// unpinned branch. Config load (validateConnectionShape) already
|
|
131
|
+
// rejects that case; this is the security-boundary backstop for any
|
|
132
|
+
// path that reaches here directly. ("" is the unpinned signal.)
|
|
133
|
+
if (ssh.hostKey) {
|
|
134
|
+
// Fail-closed, accepting any listed key — an LB/HA bastion presents
|
|
135
|
+
// a different host key per backend.
|
|
136
|
+
const pinned = parseHostKeys(ssh.hostKey);
|
|
137
|
+
if (pinned.has(presented)) {
|
|
138
|
+
return true;
|
|
139
|
+
}
|
|
140
|
+
fail(
|
|
141
|
+
new Error(
|
|
142
|
+
`SSH host-key verification failed for ${ssh.host}: the presented key ` +
|
|
143
|
+
`(${presented.slice(0, 24)}…) is not among the ${pinned.size} pinned ` +
|
|
144
|
+
`host key(s).`,
|
|
145
|
+
),
|
|
146
|
+
);
|
|
147
|
+
return false;
|
|
148
|
+
}
|
|
149
|
+
// Unpinned (no hostKey): connect without host-key verification — the
|
|
150
|
+
// self-service default (see file header).
|
|
151
|
+
logger.warn(
|
|
152
|
+
`Connecting to SSH bastion ${ssh.host} without host-key verification (no hostKey pinned).`,
|
|
153
|
+
);
|
|
154
|
+
return true;
|
|
155
|
+
}) as SyncHostVerifier,
|
|
156
|
+
};
|
|
157
|
+
|
|
158
|
+
client.on("error", (err) => fail(err));
|
|
159
|
+
|
|
160
|
+
client.on("ready", () => {
|
|
161
|
+
server = net.createServer((socket) => {
|
|
162
|
+
sockets.add(socket);
|
|
163
|
+
socket.on("close", () => sockets.delete(socket));
|
|
164
|
+
// Buffer incoming data immediately so we don't lose bytes that
|
|
165
|
+
// arrive before the forwardOut channel is open (relevant in Bun
|
|
166
|
+
// where resume() doesn't re-emit already-buffered data).
|
|
167
|
+
const earlyData: Buffer[] = [];
|
|
168
|
+
socket.on("data", (chunk: Buffer) => earlyData.push(chunk));
|
|
169
|
+
|
|
170
|
+
client.forwardOut(
|
|
171
|
+
"127.0.0.1",
|
|
172
|
+
localPort,
|
|
173
|
+
target.host,
|
|
174
|
+
target.port,
|
|
175
|
+
(err, channel) => {
|
|
176
|
+
if (err) {
|
|
177
|
+
socket.destroy(err);
|
|
178
|
+
return;
|
|
179
|
+
}
|
|
180
|
+
// The local socket may have closed while forwardOut was still
|
|
181
|
+
// opening the channel; if so, tear the channel down instead of
|
|
182
|
+
// attaching it to a dead socket (which would leak the remote
|
|
183
|
+
// connection). The rest of this callback is synchronous, so no
|
|
184
|
+
// close can slip in between this check and the listeners below.
|
|
185
|
+
if (socket.destroyed) {
|
|
186
|
+
channel.destroy();
|
|
187
|
+
return;
|
|
188
|
+
}
|
|
189
|
+
// Flush buffered data, then switch to live forwarding.
|
|
190
|
+
for (const chunk of earlyData) {
|
|
191
|
+
channel.write(chunk);
|
|
192
|
+
}
|
|
193
|
+
earlyData.length = 0;
|
|
194
|
+
socket.removeAllListeners("data");
|
|
195
|
+
// pipe() honors backpressure (pauses the source when the
|
|
196
|
+
// destination's buffer is full) — unlike a raw on('data') =>
|
|
197
|
+
// write() which would buffer unbounded on a slow peer.
|
|
198
|
+
socket.pipe(channel);
|
|
199
|
+
channel.pipe(socket);
|
|
200
|
+
socket.on("error", () => channel.destroy());
|
|
201
|
+
channel.on("error", () => socket.destroy());
|
|
202
|
+
// Propagate teardown both ways so neither side is left
|
|
203
|
+
// half-open when the other closes (e.g. pool eviction or the
|
|
204
|
+
// DB dropping the connection).
|
|
205
|
+
socket.on("close", () => channel.destroy());
|
|
206
|
+
channel.on("close", () => socket.destroy());
|
|
207
|
+
},
|
|
208
|
+
);
|
|
209
|
+
});
|
|
210
|
+
|
|
211
|
+
server.listen(0, "127.0.0.1", () => {
|
|
212
|
+
const addr = server!.address();
|
|
213
|
+
if (!addr || typeof addr === "string") {
|
|
214
|
+
fail(
|
|
215
|
+
new Error(
|
|
216
|
+
"Failed to obtain local listen port for SSH proxy.",
|
|
217
|
+
),
|
|
218
|
+
);
|
|
219
|
+
return;
|
|
220
|
+
}
|
|
221
|
+
localPort = addr.port;
|
|
222
|
+
|
|
223
|
+
if (settled) return;
|
|
224
|
+
settled = true;
|
|
225
|
+
|
|
226
|
+
resolve({
|
|
227
|
+
host: "127.0.0.1",
|
|
228
|
+
port: localPort,
|
|
229
|
+
close(): Promise<void> {
|
|
230
|
+
return new Promise((res) => {
|
|
231
|
+
// Force-destroy live forwarded sockets first so server.close()
|
|
232
|
+
// doesn't wait on them (which would hang teardown).
|
|
233
|
+
for (const s of sockets) s.destroy();
|
|
234
|
+
server!.close(() => {
|
|
235
|
+
client.end();
|
|
236
|
+
res();
|
|
237
|
+
});
|
|
238
|
+
});
|
|
239
|
+
},
|
|
240
|
+
});
|
|
241
|
+
});
|
|
242
|
+
|
|
243
|
+
server.on("error", (err) => fail(err));
|
|
244
|
+
});
|
|
245
|
+
|
|
246
|
+
client.connect(connectConfig);
|
|
247
|
+
});
|
|
248
|
+
}
|