Add SSH Key Management

2023-01-15 13:41:56 +01:00 · 2023-01-15 13:41:56 +01:00 · bcd1805001
commit bcd1805001
parent ef76844922
62 changed files with 1004 additions and 188 deletions
--- a/internal/dis/component/auth/panel/panel.go
+++ b/internal/dis/component/auth/panel/panel.go
@ -10,6 +10,7 @@ import (
 	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/auth/policy"
 	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/control/static/custom"
 	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/instances"
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/ssh2/sshkeys"
 	"github.com/FAU-CDI/wisski-distillery/internal/models"
 	"github.com/FAU-CDI/wisski-distillery/pkg/httpx"
 	"github.com/julienschmidt/httprouter"
@ -23,6 +24,7 @@ type UserPanel struct {
 		Policy    *policy.Policy
 		Instances *instances.Instances
 		Next      *next.Next
+		Keys      *sshkeys.SSHKeys
 	}
 }

@ -73,6 +75,22 @@ func (panel *UserPanel) HandleRoute(ctx context.Context, route string) (http.Han
 		router.Handler(http.MethodPost, route+"totp/disable", totpdisable)
 	}

+	{
+		ssh := panel.sshRoute(ctx)
+		router.Handler(http.MethodGet, route+"ssh", ssh)
+	}
+
+	{
+		add := panel.sshAddRoute(ctx)
+		router.Handler(http.MethodGet, route+"ssh/add", add)
+		router.Handler(http.MethodPost, route+"ssh/add", add)
+	}
+
+	{
+		delete := panel.sshDeleteRoute(ctx)
+		router.Handler(http.MethodPost, route+"ssh/delete", delete)
+	}
+
 	// ensure that the user is logged in!
 	return panel.Dependencies.Auth.Protect(router, nil), nil
 }
--- a/internal/dis/component/auth/panel/ssh.go
+++ b/internal/dis/component/auth/panel/ssh.go
@ -0,0 +1,193 @@
+package panel
+
+import (
+	"context"
+	"errors"
+	"net/http"
+
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component"
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/auth"
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/control/static"
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/control/static/custom"
+	"github.com/FAU-CDI/wisski-distillery/internal/models"
+	"github.com/FAU-CDI/wisski-distillery/pkg/httpx"
+	"github.com/FAU-CDI/wisski-distillery/pkg/httpx/field"
+	"github.com/gliderlabs/ssh"
+	"github.com/rs/zerolog"
+
+	gossh "golang.org/x/crypto/ssh"
+
+	_ "embed"
+)
+
+//go:embed "templates/ssh.html"
+var sshTemplateStr string
+var sshTemplate = static.AssetsUser.MustParseShared("ssh.html", sshTemplateStr)
+
+type SSHTemplateContext struct {
+	custom.BaseContext
+
+	Keys []models.Keys
+
+	Domain string // domain name of the distillery
+	Port   uint16 // public port of the distillery ssh servers
+
+	Slug     string // slug of the wisski
+	Hostname string // hostname of an example wisski
+}
+
+func (panel *UserPanel) sshRoute(ctx context.Context) http.Handler {
+	sshTemplate := panel.Dependencies.Custom.Template(sshTemplate)
+	gaps := custom.BaseContextGaps{
+		Crumbs: []component.MenuItem{
+			{Title: "User", Path: "/user/"},
+			{Title: "SSH Keys", Path: "/user/ssh/"},
+		},
+		Actions: []component.MenuItem{
+			{Title: "Add New Key", Path: "/user/ssh/add/"},
+		},
+	}
+
+	return httpx.HTMLHandler[SSHTemplateContext]{
+		Handler: func(r *http.Request) (sc SSHTemplateContext, err error) {
+			panel.Dependencies.Custom.Update(&sc, r, gaps)
+
+			user, err := panel.Dependencies.Auth.UserOf(r)
+			if err != nil {
+				return sc, err
+			}
+
+			sc.Domain = panel.Config.DefaultDomain
+			sc.Port = panel.Config.PublicSSHPort
+
+			// pick the first domain that the user has access to as an example
+			grants, err := panel.Dependencies.Policy.User(r.Context(), user.User.User)
+			if err != nil && len(grants) > 0 {
+				sc.Slug = grants[0].Slug
+			} else {
+				sc.Slug = "example"
+			}
+			sc.Hostname = panel.Config.HostFromSlug(sc.Slug)
+
+			sc.Keys, err = panel.Dependencies.Keys.Keys(r.Context(), user.User.User)
+			if err != nil {
+				return sc, err
+			}
+
+			return sc, nil
+		},
+		Template: sshTemplate,
+	}
+}
+
+//go:embed "templates/ssh_add.html"
+var sshAddTemplateStr string
+var sshAddTemplate = static.AssetsUser.MustParseShared("ssh_add.html", sshAddTemplateStr)
+
+type addKeyResult struct {
+	User    *auth.AuthUser
+	Comment string
+	Key     ssh.PublicKey
+}
+
+var (
+	errInvalidUser = errors.New("invalid user")
+	errKeyParse    = errors.New("unable to parse ssh key")
+	errAddKey      = errors.New("unable to add key")
+)
+
+func (panel *UserPanel) sshDeleteRoute(ctx context.Context) http.Handler {
+	logger := zerolog.Ctx(ctx)
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if err := r.ParseForm(); err != nil {
+			logger.Err(err).Str("action", "delete ssh key").Msg("failed to parse form")
+			httpx.HTMLInterceptor.Fallback.ServeHTTP(w, r)
+			return
+		}
+		user, err := panel.Dependencies.Auth.UserOf(r)
+		if err != nil {
+			logger.Err(err).Str("action", "delete ssh key").Msg("failed to get current user")
+			httpx.HTMLInterceptor.Fallback.ServeHTTP(w, r)
+			return
+		}
+
+		key, _ := parseKey(r.PostFormValue("signature"))
+		if key == nil {
+			logger.Err(err).Str("action", "delete ssh key").Msg("failed to parse signature")
+			httpx.HTMLInterceptor.Fallback.ServeHTTP(w, r)
+			return
+		}
+
+		if err := panel.Dependencies.Keys.Remove(r.Context(), user.User.User, key); err != nil {
+			logger.Err(err).Str("action", "delete ssh key").Msg("failed to delete key")
+			httpx.HTMLInterceptor.Fallback.ServeHTTP(w, r)
+			return
+		}
+
+		http.Redirect(w, r, "/user/ssh/", http.StatusSeeOther)
+	})
+}
+
+func (panel *UserPanel) sshAddRoute(ctx context.Context) http.Handler {
+	sshAddTemplate := panel.Dependencies.Custom.Template(sshAddTemplate)
+	gaps := custom.BaseContextGaps{
+		Crumbs: []component.MenuItem{
+			{Title: "User", Path: "/user/"},
+			{Title: "SSH Keys", Path: "/user/ssh/"},
+			{Title: "Add New Key", Path: "/user/ssh/add/"},
+		},
+	}
+
+	return &httpx.Form[addKeyResult]{
+		Fields: []field.Field{
+			{Name: "comment", Type: field.Text, Label: "Comment"},
+			{Name: "key", Type: field.Textarea, Label: "Key in authorized_keys format"}, // has hacked css!
+		},
+		FieldTemplate: field.PureCSSFieldTemplate,
+
+		RenderTemplate: sshAddTemplate,
+		RenderTemplateContext: func(ctx httpx.FormContext, r *http.Request) any {
+			return panel.Dependencies.Custom.NewForm(ctx, r, gaps)
+		},
+
+		Validate: func(r *http.Request, values map[string]string) (ak addKeyResult, err error) {
+			ak.User, err = panel.Dependencies.Auth.UserOf(r)
+			if err != nil || ak.User == nil {
+				return ak, errInvalidUser
+			}
+
+			// parse key and comment
+			var key, comment string
+			ak.Comment, key = values["comment"], values["key"]
+			ak.Key, comment = parseKey(key)
+			if ak.Key == nil {
+				return ak, errKeyParse
+			}
+
+			// set the comment if the user didn't provide one!
+			if ak.Comment == "" && comment != "" {
+				ak.Comment = comment
+			}
+			return ak, nil
+		},
+
+		RenderSuccess: func(ak addKeyResult, values map[string]string, w http.ResponseWriter, r *http.Request) error {
+			// add the key to the user
+			if err := panel.Dependencies.Keys.Add(r.Context(), ak.User.User.User, ak.Comment, ak.Key); err != nil {
+				return errAddKey
+			}
+			// everything went fine, redirect the user back to the user page!
+			http.Redirect(w, r, "/user/ssh/", http.StatusSeeOther)
+			return nil
+		},
+	}
+}
+
+func parseKey(authorized_keys string) (out gossh.PublicKey, comment string) {
+	var err error
+	out, comment, _, _, err = gossh.ParseAuthorizedKey([]byte(authorized_keys))
+	if err != nil || out == nil {
+		return nil, ""
+	}
+	return out, comment
+}
--- a/internal/dis/component/auth/panel/templates/ssh.html
+++ b/internal/dis/component/auth/panel/templates/ssh.html
@ -0,0 +1,104 @@
+{{ template "_base.html" . }}
+{{ define "title" }}SSH Keys{{ end }}
+
+{{ define "content" }}
+
+<div class="pure-u-1">
+    <p>
+        This page allows you to add, view and remove ssh keys to and from your distillery account.
+    </p>
+</div>
+
+<div class="pure-u-1">
+    <p>
+        This table shows ssh keys currently associated with your account.
+        To add a new key, use the <em>Add New Key</em> button above.
+        To remove an ssh key from your account, simply click the <em>Delete</em> button.
+    </p>
+    <div class="padding">
+        <div class="overflow">
+
+            <table class="pure-table pure-table-bordered">
+                <thead>
+                    <tr>
+                        <th>
+                            Comment
+                        </th>
+                        <th>
+                            Signature
+                        </th>
+                        <th>
+                            Actions
+                        </th>
+                    </tr>
+                </thead>
+                <tbody>
+                    {{ $csrf := .CSRF }}
+                    {{ range .Keys }}
+                        {{ $sig := .SignatureString }}
+                        <tr>
+                            <td>
+                                {{ .Comment }}
+                            </td>
+                            <td>
+                                <code>
+                                    {{ $sig }}
+                                </code>
+                            </td>
+                            <td>
+                                <div class="pure-button-group" role="group">
+                                    <form action="/user/ssh/delete" method="POST" class="pure-form-group">
+                                        <input type="hidden" name="signature" value="{{ $sig }}">
+                                        <input type="submit" class="pure-button pure-button-danger" value="Delete">
+                                        {{ $csrf }}
+                                    </form>
+                                </div>
+                            </td>
+                        </tr>
+                    {{ end }}
+                </tbody>
+            </table>
+        </div>
+    </div>
+</div>
+
+
+<div class="pure-u-1">
+    <p>
+        You can use these ssh keys to connect to the distillery via ssh.
+        You can only connect to instances for which you appear as an <em>Administrator</em> on your user page.
+    </p>
+    <p>
+        In the following we will provide instructions on how to connect to your WissKI instance via the distillery server. 
+        In the following we will assume <code>{{ .Slug }}</code> is the name of the WissKI you want to you want to connect to.
+    </p>
+    <p>
+        From a Linux (or Mac, or Windows 11) command line you may use:
+    </p>
+    <code class="copy">
+        ssh -J {{ .Domain }}:{{ .Port }} www-data@{{ .Hostname }}
+    </code>
+    <p>
+        You may also place the following into your <code>$HOME/.ssh/config</code> file:
+    </p>
+    <code class="copy">
+<pre>Host *.{{ .Domain }}
+    ProxyJump {{ .Domain }}.proxy
+    User www-data
+Host {{ .Domain }}.proxy
+    User www-data
+    Hostname {{ .Domain }}
+    Port {{ .Port }}
+</pre>
+    </code>
+
+    <p>
+        and then connect simply via:
+    </p>
+
+    <code>
+        ssh {{ .Hostname }}
+    </code>
+</div>
+</div>
+{{ end }}
--- a/internal/dis/component/auth/panel/templates/ssh_add.html
+++ b/internal/dis/component/auth/panel/templates/ssh_add.html
@ -0,0 +1,11 @@
+{{ template "_form.html" . }}
+{{ define "form/title" }}Add SSH Key{{ end }}
+{{ define "form/button" }}Add{{ end }}
+
+{{ define "form/inside" }}
+<div>
+   <p>
+      Use this form to add a new <em>SSH Key</em> to your account.
+   </p>
+</div>
+{{ end }}
--- a/internal/dis/component/auth/panel/user.go
+++ b/internal/dis/component/auth/panel/user.go
@ -41,13 +41,14 @@ func (panel *UserPanel) routeUser(ctx context.Context) http.Handler {
 			{Title: "User", Path: "/user/"},
 		},
 		Actions: []component.MenuItem{
-			{Title: "Change Password", Path: "/user/password"},
+			{Title: "Change Password", Path: "/user/password/"},
+			{Title: "*to be replaced*", Path: ""},
+			{Title: "SSH Keys", Path: "/user/ssh/"},
 		},
 	}

 	return &httpx.HTMLHandler[routeUserContext]{
 		Handler: func(r *http.Request) (ruc routeUserContext, err error) {
-
 			// find the user
 			ruc.AuthUser, err = panel.Dependencies.Auth.UserOf(r)
 			if err != nil || ruc.AuthUser == nil {
@ -57,15 +58,15 @@ func (panel *UserPanel) routeUser(ctx context.Context) http.Handler {
 			// build the gaps
 			gaps := gaps.Clone()
 			if ruc.AuthUser.IsTOTPEnabled() {
-				gaps.Actions = append(gaps.Actions, component.MenuItem{
+				gaps.Actions[1] = component.MenuItem{
 					Title: "Disable Passcode (TOTP)",
 					Path:  "/user/totp/disable/",
-				})
+				}
 			} else {
-				gaps.Actions = append(gaps.Actions, component.MenuItem{
+				gaps.Actions[1] = component.MenuItem{
 					Title: "Enable Passcode (TOTP)",
 					Path:  "/user/totp/enable/",
-				})
+				}
 			}
 			panel.Dependencies.Custom.Update(&ruc, r, gaps)