S13: ssh-shell cobra cmd — DB lookup, dispatch, close pool, syscall.Exec git plumbing · shithub

Status	File	+	-
M	`cmd/shithubd/ssh.go`	107	11
M	`internal/git/protocol/ssh_command_test.go`	10	10
M	`internal/git/protocol/ssh_dispatch.go`	5	5
M	`internal/git/protocol/ssh_dispatch_test.go`	8	8

cmd/shithubd/ssh.gomodified

  import (
  	"context"
  	"fmt"
++	"log/slog"
  	"net/netip"
  	"os"
++	"os/exec"
++	"path/filepath"
++	"strconv"
  	"strings"
++	"syscall"
  	"time"
  	"github.com/spf13/cobra"
++	"github.com/tenseleyFlow/shithub/internal/git/protocol"
  	"github.com/tenseleyFlow/shithub/internal/infra/config"
  	"github.com/tenseleyFlow/shithub/internal/infra/db"
++	"github.com/tenseleyFlow/shithub/internal/infra/storage"
  	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"
+ )
  	},
+ }
--// sshShellCmd is the placeholder for the forced-command target. S13 swaps
++// sshShellCmd is the forced-command target sshd invokes after the
--// this for the real git-over-SSH dispatcher; for S07 we just log the
++// AuthorizedKeysCommand handshake binds the connection to a user.
--// inbound command and exit non-zero with a friendly message so an
++//
--// operator (or test) can confirm the wiring works end-to-end.
++// Flow on a successful clone/push:
++//
++//	sshd ──► shithubd ssh-shell <user_id>
++//	         ├─ ParseSSHCommand(SSH_ORIGINAL_COMMAND)
++//	         ├─ Resolve user + repo against the DB
++//	         ├─ Inline owner-only authz (S15 will refactor)
++//	         ├─ Build SHITHUB_* env (so post-receive hooks identify the actor)
++//	         ├─ Close the DB pool (syscall.Exec preserves all open FDs)
++//	         └─ syscall.Exec git-{upload,receive}-pack <bare-repo>
++//
++// On any error: write a friendly line to stderr (the user sees it in
++// their git client), log structured, exit non-zero. defer does NOT
++// fire on syscall.Exec — every cleanup happens BEFORE the exec call.
  var sshShellCmd = &cobra.Command{
  	Use:    "ssh-shell <user_id>",
  	Short:  "Forced-command target invoked by sshd via AuthorizedKeysCommand",
  	Args:   cobra.ExactArgs(1),
  	Hidden: true,
  	RunE: func(cmd *cobra.Command, args []string) error {
--		userID := args[0]
++		userID, err := strconv.ParseInt(args[0], 10, 64)
++		if err != nil {
++			_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "shithub: invalid user")
++			return fmt.Errorf("ssh-shell: bad user_id %q: %w", args[0], err)
++		}
  		original := os.Getenv("SSH_ORIGINAL_COMMAND")
--		// Log to stderr so it's captured by sshd's session log without
++		remoteIP := protocol.ParseRemoteIP(os.Getenv("SSH_CONNECTION"))
--		// polluting the (silent-on-empty) stdout contract.
++		logger := slog.New(slog.NewTextHandler(cmd.ErrOrStderr(), &slog.HandlerOptions{Level: slog.LevelInfo}))
--		_, _ = fmt.Fprintf(cmd.ErrOrStderr(),
++
--			"shithubd ssh-shell: user_id=%s original_command=%q (git-over-SSH lands in S13)\n",
++		cfg, err := config.Load(nil)
--			userID, original)
++		if err != nil || cfg.DB.URL == "" || cfg.Storage.ReposRoot == "" {
--		return fmt.Errorf("git over SSH not enabled yet")
++			_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "shithub: server misconfigured")
++			return fmt.Errorf("ssh-shell: cfg: %w", err)
++		}
++		root, err := filepath.Abs(cfg.Storage.ReposRoot)
++		if err != nil {
++			_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "shithub: server misconfigured")
++			return fmt.Errorf("ssh-shell: repos_root: %w", err)
++		}
++		rfs, err := storage.NewRepoFS(root)
++		if err != nil {
++			_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "shithub: server misconfigured")
++			return fmt.Errorf("ssh-shell: NewRepoFS: %w", err)
++		}
++
++		ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
++		defer cancel()
++		pool, err := db.Open(ctx, db.Config{
++			URL: cfg.DB.URL, MaxConns: 2, MinConns: 0,
++			ConnectTimeout: 1500 * time.Millisecond,
++		})
++		if err != nil {
++			_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "shithub: temporary failure (try again)")
++			return fmt.Errorf("ssh-shell: db open: %w", err)
++		}
++
++		res, parsed, dispatchErr := protocol.PrepareDispatch(ctx, protocol.SSHDispatchDeps{
++			Pool: pool, RepoFS: rfs,
++		}, protocol.SSHDispatchInput{
++			OriginalCommand: original,
++			UserID:          userID,
++			RemoteIP:        remoteIP,
++		})
++		if dispatchErr != nil {
++			pool.Close()
++			_, _ = fmt.Fprintln(cmd.ErrOrStderr(), protocol.FriendlyMessageFor(dispatchErr, ""))
++			logger.WarnContext(ctx, "ssh-shell: denied",
++				"user_id", userID,
++				"original", original,
++				"remote_ip", remoteIP,
++				"error", dispatchErr,
++			)
++			return dispatchErr
++		}
++		logger.InfoContext(ctx, "ssh-shell: dispatch",
++			"user_id", userID,
++			"op", string(parsed.Service),
++			"owner", parsed.Owner,
++			"repo", parsed.Repo,
++			"remote_ip", remoteIP,
++		)
++
++		// CRITICAL: close DB pool before syscall.Exec. defer doesn't
++		// fire on exec, and the pgx pool's connections would otherwise
++		// leak into the new process's FD table.
++		pool.Close()
++
++		bin, err := exec.LookPath(res.Argv0)
++		if err != nil {
++			_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "shithub: server misconfigured")
++			return fmt.Errorf("ssh-shell: lookup %s: %w", res.Argv0, err)
++		}
++		if err := sysExec(bin, res.Argv0Args, res.Env); err != nil {
++			_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "shithub: internal error")
++			return fmt.Errorf("ssh-shell: exec %s: %w", bin, err)
++		}
++		// Unreachable on success — syscall.Exec replaces this process.
++		return nil
  	},
+ }
++// sysExec is split out so tests can stub it. bin is exec.LookPath of a
++// fixed service name (git-{upload,receive}-pack); argv[1] is the
++// sanitized bare-repo path from storage.RepoFS.
++//
++//nolint:gosec // G204: inputs are constrained as documented above.
++var sysExec = syscall.Exec
++
  // authorizedKeysLine builds the single line sshd consumes. The forced
  // command runs `shithubd ssh-shell <user_id>`; the option set strips
  // every interactive affordance.

internal/git/protocol/ssh_command_test.gomodified

  func TestParseSSHCommand_Accepts(t *testing.T) {
  	t.Parallel()
  	cases := []struct {
--		in           string
++		in          string
--		wantService  protocol.Service
++		wantService protocol.Service
--		wantOwner    string
++		wantOwner   string
--		wantRepo     string
++		wantRepo    string
  	}{
  		{"git-upload-pack 'alice/foo'", protocol.UploadPack, "alice", "foo"},
  		{"git-upload-pack 'alice/foo.git'", protocol.UploadPack, "alice", "foo"},
  		"ls",
  		"bash",
  		"git-archive 'alice/foo'",
--		"git-upload-pack",                            // no path
++		"git-upload-pack",                   // no path
--		" git-upload-pack 'a/b'",                     // leading space
++		" git-upload-pack 'a/b'",            // leading space
--		"git-upload-pack 'a/b' ",                     // trailing space
++		"git-upload-pack 'a/b' ",            // trailing space
--		"git-upload-pack 'a/b' && rm -rf /",          // command injection
++		"git-upload-pack 'a/b' && rm -rf /", // command injection
  		`git-upload-pack 'a/b'; cat /etc/passwd`,
--		"GIT-UPLOAD-PACK 'a/b'",                       // case
++		"GIT-UPLOAD-PACK 'a/b'", // case
--		"git-upload-pack a/b'",                        // mismatched quotes
++		"git-upload-pack a/b'",  // mismatched quotes
  	} {
  		_, err := protocol.ParseSSHCommand(in)
  		if !errors.Is(err, protocol.ErrUnknownSSHCommand) {

internal/git/protocol/ssh_dispatch.gomodified

  // Sentinel errors callers can errors.Is to map to friendly messages.
  var (
--	ErrSSHRepoNotFound  = errors.New("ssh dispatch: repo not found")
++	ErrSSHRepoNotFound = errors.New("ssh dispatch: repo not found")
--	ErrSSHPermDenied    = errors.New("ssh dispatch: permission denied")
++	ErrSSHPermDenied   = errors.New("ssh dispatch: permission denied")
--	ErrSSHArchived      = errors.New("ssh dispatch: archived")
++	ErrSSHArchived     = errors.New("ssh dispatch: archived")
--	ErrSSHSuspended     = errors.New("ssh dispatch: suspended")
++	ErrSSHSuspended    = errors.New("ssh dispatch: suspended")
--	ErrSSHInternal      = errors.New("ssh dispatch: internal error")
++	ErrSSHInternal     = errors.New("ssh dispatch: internal error")
+ )
  // PrepareDispatch is the brains of the SSH-shell command. It parses

internal/git/protocol/ssh_dispatch_test.gomodified

  // dispatchEnv constructs deps + 2 users (alice owns repos, eve is a
  // non-owner) + a public repo + a private repo against a fresh test DB.
  type dispatchEnv struct {
--	pool   *pgxpool.Pool
++	pool  *pgxpool.Pool
--	deps   protocol.SSHDispatchDeps
++	deps  protocol.SSHDispatchDeps
--	alice  int64
++	alice int64
--	eve    int64
++	eve   int64
--	root   string
++	root  string
+ }
  func setupDispatch(t *testing.T) *dispatchEnv {
  func TestParseRemoteIP(t *testing.T) {
  	t.Parallel()
  	cases := map[string]string{
--		"":                                 "",
++		"":                               "",
--		"203.0.113.7 12345 192.0.2.1 22":   "203.0.113.7",
++		"203.0.113.7 12345 192.0.2.1 22": "203.0.113.7",
--		"  203.0.113.8  ":                  "203.0.113.8",
++		"  203.0.113.8  ":                "203.0.113.8",
+ 	}
  	for in, want := range cases {
  		if got := protocol.ParseRemoteIP(in); got != want {

tenseleyflow/shithub / `f810a0c`

S13: ssh-shell cobra cmd — DB lookup, dispatch, close pool, syscall.Exec git plumbing

4 changed files