tenseleyflow/shithub / bbe5c6a

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package protocol

+

+import (

+	"context"

+	"crypto/rand"

+	"encoding/hex"

+	"errors"

+	"fmt"

+	"os"

+	"strconv"

+	"strings"

+

+	"github.com/jackc/pgx/v5"

+	"github.com/jackc/pgx/v5/pgtype"

+	"github.com/jackc/pgx/v5/pgxpool"

+

+	"github.com/tenseleyFlow/shithub/internal/infra/storage"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+)

+

+// SSHDispatchDeps wires the dispatcher. The DB pool is sized small at

+// the call site (max 2 conns) — every SSH connection runs through here

+// and the latency floor matters.

+type SSHDispatchDeps struct {

+	Pool   *pgxpool.Pool

+	RepoFS *storage.RepoFS

+}

+

+// SSHDispatchInput is everything that comes from the OS environment at

+// dispatch time. The cobra command in cmd/shithubd/ssh.go reads

+// SSH_ORIGINAL_COMMAND / SSH_CONNECTION / argv and passes them in.

+type SSHDispatchInput struct {

+	OriginalCommand string

+	UserID          int64

+	RemoteIP        string // parsed from SSH_CONNECTION first field

+}

+

+// SSHDispatchResult is what the caller needs to syscall.Exec the right

+// git plumbing binary. Argv0 is the canonical binary path resolved from

+// PATH; Argv0Args is just `[Argv0, GitDir]` (git-upload-pack and

+// git-receive-pack each take exactly one positional argument). Env is

+// the full environment for the new process — already includes PATH and

+// the SHITHUB_* vars.

+type SSHDispatchResult struct {

+	Argv0     string

+	Argv0Args []string

+	Env       []string

+}

+

+// Friendly stderr messages — these are what the user sees in their

+// terminal when `git clone` fails. Keep them actionable.

+const (

+	MsgRepoNotFound = "shithub: repository not found"

+	MsgPermDenied   = "shithub: permission denied"

+	MsgArchived     = "shithub: this repository is archived; pushes are disabled"

+	MsgSuspended    = "shithub: your account is suspended"

+)

+

+// Sentinel errors callers can errors.Is to map to friendly messages.

+var (

+	ErrSSHRepoNotFound  = errors.New("ssh dispatch: repo not found")

+	ErrSSHPermDenied    = errors.New("ssh dispatch: permission denied")

+	ErrSSHArchived      = errors.New("ssh dispatch: archived")

+	ErrSSHSuspended     = errors.New("ssh dispatch: suspended")

+	ErrSSHInternal      = errors.New("ssh dispatch: internal error")

+)

+

+// PrepareDispatch is the brains of the SSH-shell command. It parses

+// SSH_ORIGINAL_COMMAND, resolves user + repo, runs the inline owner-

+// only authorization, and builds the env + argv the caller needs to

+// exec git. It does NOT call exec itself — the caller does, after

+// closing the DB pool (syscall.Exec preserves all open FDs and we

+// don't want a leaked Postgres connection).

+func PrepareDispatch(ctx context.Context, deps SSHDispatchDeps, in SSHDispatchInput) (*SSHDispatchResult, ParsedSSHCommand, error) {

+	parsed, err := ParseSSHCommand(in.OriginalCommand)

+	if err != nil {

+		return nil, ParsedSSHCommand{}, err

+	}

+

+	uq := usersdb.New()

+	rq := reposdb.New()

+

+	user, err := uq.GetUserByID(ctx, deps.Pool, in.UserID)

+	if err != nil {

+		return nil, parsed, fmt.Errorf("%w: %v", ErrSSHInternal, err)

+	}

+	if user.SuspendedAt.Valid {

+		return nil, parsed, ErrSSHSuspended

+	}

+	if user.DeletedAt.Valid {

+		return nil, parsed, ErrSSHSuspended

+	}

+

+	owner, err := uq.GetUserByUsername(ctx, deps.Pool, parsed.Owner)

+	if err != nil {

+		// Unknown owner — surface as not-found regardless of whether

+		// the row never existed or was soft-deleted.

+		return nil, parsed, ErrSSHRepoNotFound

+	}

+	repo, err := rq.GetRepoByOwnerUserAndName(ctx, deps.Pool, reposdb.GetRepoByOwnerUserAndNameParams{

+		OwnerUserID: pgtype.Int8{Int64: owner.ID, Valid: true},

+		Name:        parsed.Repo,

+	})

+	if err != nil {

+		if errors.Is(err, pgx.ErrNoRows) {

+			return nil, parsed, ErrSSHRepoNotFound

+		}

+		return nil, parsed, fmt.Errorf("%w: %v", ErrSSHInternal, err)

+	}

+

+	// Inline authz — same shape as the HTTP handler. Public repos can

+	// be pulled by anyone; everything else requires owner identity.

+	// (S15 lifts this into policy.Can.)

+	if parsed.Service == UploadPack {

+		if repo.Visibility == reposdb.RepoVisibilityPrivate && user.ID != owner.ID {

+			return nil, parsed, ErrSSHRepoNotFound

+		}

+	} else {

+		if user.ID != owner.ID {

+			return nil, parsed, ErrSSHPermDenied

+		}

+		if repo.IsArchived {

+			return nil, parsed, ErrSSHArchived

+		}

+		if repo.DeletedAt.Valid {

+			return nil, parsed, ErrSSHRepoNotFound

+		}

+	}

+

+	gitDir, err := deps.RepoFS.RepoPath(parsed.Owner, parsed.Repo)

+	if err != nil {

+		return nil, parsed, fmt.Errorf("%w: %v", ErrSSHInternal, err)

+	}

+

+	requestID, err := newRequestID()

+	if err != nil {

+		return nil, parsed, fmt.Errorf("%w: %v", ErrSSHInternal, err)

+	}

+	env := buildSSHEnv(user, owner, repo, in.RemoteIP, requestID)

+

+	return &SSHDispatchResult{

+		Argv0:     string(parsed.Service),

+		Argv0Args: []string{string(parsed.Service), gitDir},

+		Env:       env,

+	}, parsed, nil

+}

+

+// FriendlyMessageFor returns the user-facing stderr line for a typed

+// dispatch error. Unknown errors collapse to a generic "internal error

+// (request_id=...)" message — never leak the underlying cause.

+func FriendlyMessageFor(err error, requestID string) string {

+	switch {

+	case errors.Is(err, ErrSSHRepoNotFound):

+		return MsgRepoNotFound

+	case errors.Is(err, ErrSSHPermDenied):

+		return MsgPermDenied

+	case errors.Is(err, ErrSSHArchived):

+		return MsgArchived

+	case errors.Is(err, ErrSSHSuspended):

+		return MsgSuspended

+	case errors.Is(err, ErrUnknownSSHCommand):

+		return "shithub does not allow shell access"

+	case errors.Is(err, ErrInvalidSSHPath):

+		return MsgRepoNotFound

+	}

+	if requestID == "" {

+		return "shithub: internal error"

+	}

+	return "shithub: internal error (request_id=" + requestID + ")"

+}

+

+// buildSSHEnv assembles the SHITHUB_* env vars that S14's hooks read.

+// The shape matches the HTTP path so receive-pack hooks see identical

+// vars regardless of transport.

+func buildSSHEnv(user usersdb.User, owner usersdb.User, repo reposdb.Repo, remoteIP, requestID string) []string {

+	return []string{

+		"SHITHUB_USER_ID=" + strconv.FormatInt(user.ID, 10),

+		"SHITHUB_USERNAME=" + user.Username,

+		"SHITHUB_REPO_ID=" + strconv.FormatInt(repo.ID, 10),

+		"SHITHUB_REPO_FULL_NAME=" + owner.Username + "/" + repo.Name,

+		"SHITHUB_PROTOCOL=ssh",

+		"SHITHUB_REMOTE_IP=" + remoteIP,

+		"SHITHUB_REQUEST_ID=" + requestID,

+		// PATH must be inherited so the exec'd git binary can find its

+		// sub-helpers (git-pack-objects, git-index-pack, etc.).

+		"PATH=" + os.Getenv("PATH"),

+	}

+}

+

+// newRequestID returns a 16-byte hex token suitable for log

+// correlation. Production callers don't need cryptographic strength

+// here, but using crypto/rand keeps the codebase consistent.

+func newRequestID() (string, error) {

+	var buf [16]byte

+	if _, err := rand.Read(buf[:]); err != nil {

+		return "", err

+	}

+	return hex.EncodeToString(buf[:]), nil

+}

+

+// ParseRemoteIP extracts the connecting client's IP from the

+// SSH_CONNECTION env var ("<client> <cport> <server> <sport>"). Returns

+// "" when malformed; callers may pass the empty string through to the

+// hook env.

+func ParseRemoteIP(sshConnection string) string {

+	if sshConnection == "" {

+		return ""

+	}

+	fields := strings.Fields(sshConnection)

+	if len(fields) == 0 {

+		return ""

+	}

+	return fields[0]

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package protocol_test

+

+import (

+	"context"

+	"errors"

+	"strings"

+	"testing"

+

+	"github.com/jackc/pgx/v5/pgtype"

+	"github.com/jackc/pgx/v5/pgxpool"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	"github.com/tenseleyFlow/shithub/internal/auth/throttle"

+	"github.com/tenseleyFlow/shithub/internal/git/protocol"

+	"github.com/tenseleyFlow/shithub/internal/infra/storage"

+	"github.com/tenseleyFlow/shithub/internal/repos"

+	"github.com/tenseleyFlow/shithub/internal/testing/dbtest"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+)

+

+const fixtureHash = "$argon2id$v=19$m=16384,t=1,p=1$" +

+	"AAAAAAAAAAAAAAAA$" +

+	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

+

+// dispatchEnv constructs deps + 2 users (alice owns repos, eve is a

+// non-owner) + a public repo + a private repo against a fresh test DB.

+type dispatchEnv struct {

+	pool   *pgxpool.Pool

+	deps   protocol.SSHDispatchDeps

+	alice  int64

+	eve    int64

+	root   string

+}

+

+func setupDispatch(t *testing.T) *dispatchEnv {

+	t.Helper()

+	pool := dbtest.NewTestDB(t)

+	root := t.TempDir()

+	rfs, err := storage.NewRepoFS(root)

+	if err != nil {

+		t.Fatalf("NewRepoFS: %v", err)

+	}

+	uq := usersdb.New()

+

+	makeUser := func(name string) usersdb.User {

+		u, err := uq.CreateUser(context.Background(), pool, usersdb.CreateUserParams{

+			Username: name, DisplayName: name, PasswordHash: fixtureHash,

+		})

+		if err != nil {

+			t.Fatalf("CreateUser %s: %v", name, err)

+		}

+		em, err := uq.CreateUserEmail(context.Background(), pool, usersdb.CreateUserEmailParams{

+			UserID: u.ID, Email: name + "@example.com", IsPrimary: true, Verified: true,

+		})

+		if err != nil {

+			t.Fatalf("CreateUserEmail %s: %v", name, err)

+		}

+		if err := uq.LinkUserPrimaryEmail(context.Background(), pool, usersdb.LinkUserPrimaryEmailParams{

+			ID: u.ID, PrimaryEmailID: pgtype.Int8{Int64: em.ID, Valid: true},

+		}); err != nil {

+			t.Fatalf("LinkUserPrimaryEmail %s: %v", name, err)

+		}

+		return u

+	}

+	alice := makeUser("alice")

+	eve := makeUser("eve")

+

+	rdeps := repos.Deps{

+		Pool: pool, RepoFS: rfs, Audit: audit.NewRecorder(), Limiter: throttle.NewLimiter(),

+	}

+	if _, err := repos.Create(context.Background(), rdeps, repos.Params{

+		OwnerUserID: alice.ID, OwnerUsername: alice.Username,

+		Name: "public", Visibility: "public", InitReadme: true,

+	}); err != nil {

+		t.Fatalf("create public: %v", err)

+	}

+	if _, err := repos.Create(context.Background(), rdeps, repos.Params{

+		OwnerUserID: alice.ID, OwnerUsername: alice.Username,

+		Name: "private", Visibility: "private", InitReadme: true,

+	}); err != nil {

+		t.Fatalf("create private: %v", err)

+	}

+

+	return &dispatchEnv{

+		pool: pool, deps: protocol.SSHDispatchDeps{Pool: pool, RepoFS: rfs},

+		alice: alice.ID, eve: eve.ID, root: root,

+	}

+}

+

+func TestDispatch_PublicCloneByOwner(t *testing.T) {

+	t.Parallel()

+	env := setupDispatch(t)

+	res, parsed, err := protocol.PrepareDispatch(context.Background(), env.deps, protocol.SSHDispatchInput{

+		OriginalCommand: "git-upload-pack 'alice/public'",

+		UserID:          env.alice,

+		RemoteIP:        "127.0.0.1",

+	})

+	if err != nil {

+		t.Fatalf("PrepareDispatch: %v", err)

+	}

+	if parsed.Service != protocol.UploadPack {

+		t.Errorf("Service = %q", parsed.Service)

+	}

+	if !strings.HasSuffix(res.Argv0Args[1], "/public.git") {

+		t.Errorf("Argv0Args[1] = %q", res.Argv0Args[1])

+	}

+	wantEnvSubstrings := []string{

+		"SHITHUB_USER_ID=", "SHITHUB_USERNAME=alice",

+		"SHITHUB_REPO_FULL_NAME=alice/public", "SHITHUB_PROTOCOL=ssh",

+		"SHITHUB_REMOTE_IP=127.0.0.1",

+	}

+	envBlob := strings.Join(res.Env, "\n")

+	for _, w := range wantEnvSubstrings {

+		if !strings.Contains(envBlob, w) {

+			t.Errorf("env missing %q in:\n%s", w, envBlob)

+		}

+	}

+}

+

+func TestDispatch_PublicCloneByOther(t *testing.T) {

+	t.Parallel()

+	env := setupDispatch(t)

+	_, _, err := protocol.PrepareDispatch(context.Background(), env.deps, protocol.SSHDispatchInput{

+		OriginalCommand: "git-upload-pack 'alice/public'",

+		UserID:          env.eve, // not owner

+	})

+	if err != nil {

+		t.Fatalf("non-owner pull of public: %v", err)

+	}

+}

+

+func TestDispatch_PrivateCloneByOtherIsNotFound(t *testing.T) {

+	t.Parallel()

+	env := setupDispatch(t)

+	_, _, err := protocol.PrepareDispatch(context.Background(), env.deps, protocol.SSHDispatchInput{

+		OriginalCommand: "git-upload-pack 'alice/private'",

+		UserID:          env.eve,

+	})

+	if !errors.Is(err, protocol.ErrSSHRepoNotFound) {

+		t.Fatalf("err = %v, want ErrSSHRepoNotFound", err)

+	}

+}

+

+func TestDispatch_PushByNonOwnerIsPermDenied(t *testing.T) {

+	t.Parallel()

+	env := setupDispatch(t)

+	_, _, err := protocol.PrepareDispatch(context.Background(), env.deps, protocol.SSHDispatchInput{

+		OriginalCommand: "git-receive-pack 'alice/public'",

+		UserID:          env.eve,

+	})

+	if !errors.Is(err, protocol.ErrSSHPermDenied) {

+		t.Fatalf("err = %v, want ErrSSHPermDenied", err)

+	}

+}

+

+func TestDispatch_PushToArchivedIsArchived(t *testing.T) {

+	t.Parallel()

+	env := setupDispatch(t)

+	if _, err := env.pool.Exec(context.Background(),

+		"UPDATE repos SET is_archived = true WHERE name = 'public'"); err != nil {

+		t.Fatalf("archive: %v", err)

+	}

+	_, _, err := protocol.PrepareDispatch(context.Background(), env.deps, protocol.SSHDispatchInput{

+		OriginalCommand: "git-receive-pack 'alice/public'",

+		UserID:          env.alice,

+	})

+	if !errors.Is(err, protocol.ErrSSHArchived) {

+		t.Fatalf("err = %v, want ErrSSHArchived", err)

+	}

+}

+

+func TestDispatch_SuspendedUserSuspended(t *testing.T) {

+	t.Parallel()

+	env := setupDispatch(t)

+	if _, err := env.pool.Exec(context.Background(),

+		"UPDATE users SET suspended_at = now(), suspended_reason = 'test' WHERE id = $1",

+		env.alice,

+	); err != nil {

+		t.Fatalf("suspend: %v", err)

+	}

+	_, _, err := protocol.PrepareDispatch(context.Background(), env.deps, protocol.SSHDispatchInput{

+		OriginalCommand: "git-upload-pack 'alice/public'",

+		UserID:          env.alice,

+	})

+	if !errors.Is(err, protocol.ErrSSHSuspended) {

+		t.Fatalf("err = %v, want ErrSSHSuspended", err)

+	}

+}

+

+func TestDispatch_UnknownCommandIsRejected(t *testing.T) {

+	t.Parallel()

+	env := setupDispatch(t)

+	_, _, err := protocol.PrepareDispatch(context.Background(), env.deps, protocol.SSHDispatchInput{

+		OriginalCommand: "ls -la /etc",

+		UserID:          env.alice,

+	})

+	if !errors.Is(err, protocol.ErrUnknownSSHCommand) {

+		t.Fatalf("err = %v, want ErrUnknownSSHCommand", err)

+	}

+}

+

+func TestFriendlyMessageFor(t *testing.T) {

+	t.Parallel()

+	cases := []struct {

+		err  error

+		want string

+	}{

+		{protocol.ErrSSHRepoNotFound, "shithub: repository not found"},

+		{protocol.ErrSSHPermDenied, "shithub: permission denied"},

+		{protocol.ErrSSHArchived, "shithub: this repository is archived; pushes are disabled"},

+		{protocol.ErrSSHSuspended, "shithub: your account is suspended"},

+		{protocol.ErrUnknownSSHCommand, "shithub does not allow shell access"},

+		{protocol.ErrInvalidSSHPath, "shithub: repository not found"},

+	}

+	for _, c := range cases {

+		if got := protocol.FriendlyMessageFor(c.err, "abc123"); got != c.want {

+			t.Errorf("FriendlyMessageFor(%v) = %q, want %q", c.err, got, c.want)

+		}

+	}

+}

+

+func TestParseRemoteIP(t *testing.T) {

+	t.Parallel()

+	cases := map[string]string{

+		"":                                 "",

+		"203.0.113.7 12345 192.0.2.1 22":   "203.0.113.7",

+		"  203.0.113.8  ":                  "203.0.113.8",

+	}

+	for in, want := range cases {

+		if got := protocol.ParseRemoteIP(in); got != want {

+			t.Errorf("ParseRemoteIP(%q) = %q, want %q", in, got, want)

+		}

+	}

+}