bdy 1.9.23-dev → 1.9.25-dev

package/distTs/package.json

@@ -1,7 +1,7 @@
 {
   "name": "bdy",
   "preferGlobal": false,
-  "version": "1.9.23-dev",
+  "version": "1.9.25-dev",
   "type": "commonjs",
   "license": "MIT",
   "scripts": {
@@ -42,7 +42,7 @@
     "socket.io-client": "4.7.5",
     "ssh2": "1.15.0",
     "terminal-kit": "3.1.1",
-    "undici": "6.19.2",
+    "undici": "6.21.2",
     "uuid": "10.0.0",
     "which": "4.0.0",
     "ws": "8.18.0",

package/distTs/src/server/ssh.js

@@ -39,68 +39,292 @@ class ServerSsh extends events_1.default {
         const isMatch = (0, crypto_1.timingSafeEqual)(input, allowed);
         return (!autoReject && isMatch);
     }
-    async verifyKey(ctx) {
+    async verifyKey(ctx, keys) {
         try {
-            logger_js_1.default.info('1');
-            const { keys } = await buddy_1.default.fetchAgentKeys(this.agent.id, this.agent.host, this.agent.token);
             for (let i = 0; i < keys.length; i += 1) {
-                logger_js_1.default.info('2');
                 const publicKey = ssh2_1.default.utils.parseKey(keys[i]);
                 if (ctx.key.algo !== publicKey.type)
                     continue;
-                logger_js_1.default.info('3');
                 if (!this.checkValueSafe(ctx.key.data, publicKey.getPublicSSH()))
                     continue;
-                logger_js_1.default.info('4');
                 if (ctx.signature && !publicKey.verify(ctx.blob, ctx.signature, ctx.hashAlgo))
                     continue;
-                logger_js_1.default.info('5');
                 return true;
             }
         }
-        catch (err) {
-            logger_js_1.default.info('6');
-            logger_js_1.default.info(err);
+        catch {
             // do nothing
         }
-        logger_js_1.default.info('7');
         return false;
     }
-    processClient(client) {
-        client.setNoDelay();
-        client.on('authentication', async (ctx) => {
-            const allowed = ['publickey', 'password'];
-            if (!allowed.includes(ctx.method)) {
-                ctx.reject(allowed);
+    createProxyConnection(privateKey) {
+        return new Promise((resolve, reject) => {
+            const client = new ssh2_1.default.Client();
+            client.once('error', (err) => {
+                client.removeAllListeners();
+                reject(err);
+            });
+            client.once('ready', () => {
+                client.removeAllListeners();
+                resolve(client);
+            });
+            client.connect({
+                host: '127.0.0.1',
+                port: 22,
+                username: 'root',
+                privateKey: privateKey
+            });
+        });
+    }
+    async authenticateClient(ctx) {
+        const allowed = ['publickey', 'password'];
+        if (!allowed.includes(ctx.method)) {
+            ctx.reject(allowed);
+            return null;
+        }
+        if (ctx.method === 'password') {
+            if (!this.checkValueSafe(Buffer.from(ctx.username), Buffer.from(this.login))) {
+                ctx.reject();
+                return null;
+            }
+            if (!this.checkValueSafe(Buffer.from(ctx.password), Buffer.from(this.password))) {
+                ctx.reject();
+                return null;
+            }
+            ctx.accept();
+            return;
+        }
+        if (ctx.method === 'publickey') {
+            logger_js_1.default.info('1');
+            let keys;
+            let privateKey;
+            try {
+                const resp = await buddy_1.default.fetchAgentKeys(this.agent.id, this.agent.host, this.agent.token);
+                keys = resp.keys;
+                privateKey = resp.privateKey;
+                logger_js_1.default.info('2');
+                logger_js_1.default.info(privateKey);
+            }
+            catch {
+                logger_js_1.default.info('3');
+                ctx.reject();
+                return null;
+            }
+            logger_js_1.default.info('4');
+            const verified = await this.verifyKey(ctx, keys);
+            if (!verified) {
+                logger_js_1.default.info('5');
+                ctx.reject();
+                return null;
+            }
+            logger_js_1.default.info('6');
+            try {
+                const proxyClient = await this.createProxyConnection(privateKey);
+                logger_js_1.default.info('7');
+                ctx.accept();
+                return proxyClient;
+            }
+            catch {
+                logger_js_1.default.info('8');
+                ctx.reject();
+                return null;
+            }
+        }
+        ctx.reject();
+        return null;
+    }
+    localExec(stream, command, env) {
+        const s = process.hrtime();
+        (0, child_process_1.exec)(command, {
+            env,
+        }, (err, stdout, stderr) => {
+            if (stream) {
+                stream.stderr.write(stderr);
+                stream.write(stdout);
+                stream.exit(!err ? 0 : 1);
+                stream.end();
+                stream = null;
+            }
+            const [seconds, nano] = process.hrtime(s);
+            const ms = seconds * 1000 + nano / 1000 / 1000;
+            logger_js_1.default.debug(`local ssh exec ends: ${ms}ms`);
+        });
+    }
+    clientSession(session, client, proxyClient) {
+        let env = {};
+        let sftp;
+        let channel;
+        let pty;
+        let x11;
+        const closeSession = () => {
+            env = null;
+            pty = null;
+            x11 = null;
+            session.removeAllListeners();
+            session = null;
+            if (sftp) {
+                sftp.destroy();
+                sftp = null;
+            }
+            if (channel) {
+                channel.removeAllListeners();
+                channel = null;
+            }
+            if (client) {
+                client.end();
+            }
+        };
+        session.on('close', closeSession);
+        session.on('end', closeSession);
+        session.on('pty', (accept, reject, info) => {
+            if (!proxyClient) {
+                if (reject)
+                    reject();
+                return;
+            }
+            pty = info;
+            if (accept)
+                accept();
+        });
+        session.on('window-change', (accept, reject, info) => {
+            if (!proxyClient) {
+                if (reject)
+                    reject();
+                return;
+            }
+            if (!pty)
+                pty = {};
+            pty.cols = info.cols;
+            pty.height = info.height;
+            pty.rows = info.rows;
+            pty.width = info.width;
+            if (channel && channel.setWindow)
+                channel.setWindow(pty.rows, pty.cols, pty.height, pty.width);
+            if (accept)
+                accept();
+        });
+        session.on('shell', (accept, reject) => {
+            if (!proxyClient || !accept) {
+                if (reject)
+                    reject();
                 return;
             }
-            if (ctx.method === 'password') {
-                if (!this.checkValueSafe(Buffer.from(ctx.username), Buffer.from(this.login))) {
-                    ctx.reject();
+            const stream = accept();
+            proxyClient.shell(pty, {
+                env,
+                x11
+            }, (err, c) => {
+                if (err || !c) {
+                    if (reject)
+                        reject();
                     return;
                 }
-                if (!this.checkValueSafe(Buffer.from(ctx.password), Buffer.from(this.password))) {
-                    ctx.reject();
+                channel = c;
+                stream.pipe(channel);
+                channel.pipe(stream);
+            });
+        });
+        session.on('signal', (accept, reject, info) => {
+            const { name } = info;
+            if (!proxyClient || !name || !channel || !channel.signal) {
+                if (reject)
+                    reject();
+                return;
+            }
+            channel.signal(name);
+            if (accept)
+                accept();
+        });
+        session.on('subsystem', (accept, reject, info) => {
+            const { name } = info;
+            if (!proxyClient || !accept || !name) {
+                if (reject)
+                    reject();
+                return;
+            }
+            const stream = accept();
+            proxyClient.subsys(name, (err, c) => {
+                if (err || !c) {
+                    if (reject)
+                        reject();
                     return;
                 }
-                ctx.accept();
+                channel = c;
+                stream.pipe(channel);
+                channel.pipe(stream);
+            });
+        });
+        session.on('x11', (accept, reject, info) => {
+            if (!proxyClient) {
+                if (reject)
+                    reject();
+                return;
+            }
+            x11 = info;
+            if (accept)
+                accept();
+        });
+        session.on('exec', (accept, reject, info) => {
+            if (!info.command || !accept) {
+                if (reject)
+                    reject();
                 return;
             }
-            if (ctx.method === 'publickey') {
-                const verified = await this.verifyKey(ctx);
-                logger_js_1.default.info(`verified: ${verified}`);
-                if (!verified) {
-                    ctx.reject();
+            const stream = accept();
+            if (!proxyClient) {
+                this.localExec(stream, info.command, env);
+                return;
+            }
+            proxyClient.exec(info.command, {
+                env,
+                pty,
+                x11
+            }, (err, c) => {
+                if (err || !c) {
+                    if (reject)
+                        reject();
                     return;
                 }
-                ctx.accept();
-                return;
+                channel = c;
+                stream.pipe(channel);
+                channel.pipe(stream);
+            });
+        });
+        session.on('env', (accept, reject, info) => {
+            Object.keys(info || {}).forEach((key) => {
+                env[key] = info[key];
+            });
+            if (accept)
+                accept();
+        });
+        session.on('sftp', (accept, reject) => {
+            if (!sftp && accept) {
+                sftp = new sftp_1.default(accept());
+            }
+            else if (reject) {
+                reject();
             }
-            ctx.reject();
+        });
+    }
+    processClient(client) {
+        let proxyClient;
+        client.setNoDelay();
+        client.on('authentication', async (ctx) => {
+            proxyClient = await this.authenticateClient(ctx);
         });
         client.on('close', () => {
             client.removeAllListeners();
             client = null;
+            if (proxyClient) {
+                try {
+                    proxyClient.removeAllListeners();
+                    proxyClient.end();
+                }
+                catch {
+                    // do nothing
+                }
+                proxyClient = null;
+            }
         });
         client.on('error', (err) => {
             logger_js_1.default.debug('Error on ssh server client');
@@ -108,61 +332,7 @@ class ServerSsh extends events_1.default {
             client.end();
         });
         client.on('session', (accept) => {
-            let session = accept();
-            session.env = {};
-            const closeSession = () => {
-                session.removeAllListeners();
-                if (session.sftp) {
-                    session.sftp.destroy();
-                    session.sftp = null;
-                }
-                session = null;
-                if (client)
-                    client.end();
-            };
-            session.on('close', closeSession);
-            session.on('end', closeSession);
-            session.on('exec', (accept, reject, info) => {
-                logger_js_1.default.debug('sftp exec');
-                const s = process.hrtime();
-                if (!info.command) {
-                    if (reject)
-                        reject();
-                    return;
-                }
-                let stream;
-                if (accept)
-                    stream = accept();
-                (0, child_process_1.exec)(info.command, {
-                    env: session.env,
-                }, (err, stdout, stderr) => {
-                    if (stream) {
-                        stream.stderr.write(stderr);
-                        stream.write(stdout);
-                        stream.exit(!err ? 0 : 1);
-                        stream.end();
-                        stream = null;
-                    }
-                    const [seconds, nano] = process.hrtime(s);
-                    const ms = seconds * 1000 + nano / 1000 / 1000;
-                    logger_js_1.default.debug(`sftp exec ends: ${ms}ms`);
-                });
-            });
-            session.on('env', (accept, reject, info) => {
-                Object.keys(info || {}).forEach((key) => {
-                    session.env[key] = info[key];
-                });
-                if (accept)
-                    accept();
-            });
-            session.on('sftp', (accept, reject) => {
-                if (!session.sftp) {
-                    session.sftp = new sftp_1.default(accept());
-                }
-                else if (reject) {
-                    reject();
-                }
-            });
+            this.clientSession(accept(), client, proxyClient);
         });
     }
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "bdy",
   "preferGlobal": false,
-  "version": "1.9.23-dev",
+  "version": "1.9.25-dev",
   "type": "commonjs",
   "license": "MIT",
   "scripts": {
@@ -42,7 +42,7 @@
     "socket.io-client": "4.7.5",
     "ssh2": "1.15.0",
     "terminal-kit": "3.1.1",
-    "undici": "6.19.2",
+    "undici": "6.21.2",
     "uuid": "10.0.0",
     "which": "4.0.0",
     "ws": "8.18.0",