Fix various issues with SSH receivers

epriestley · epriestley · commit 6dd01698732f · 2012-12-19T11:11:32.000-08:00
Summary: - Original command is in SSH_ORIGINAL_COMMAND, not normal argv. - Use PhutilShellLexer to parse it. - Fix a protocol encoding issue with ConduitSSHWorkflow. I think I'm going to make this protocol accept multiple commands anyway because SSH pipes are crazy expensive to build (even locally, they're ~300ms). Test Plan: With other changes, successfully executed "arc list --conduit-uri=ssh://localhost:2222". Reviewers: btrahan, vrana Reviewed By: btrahan CC: aran Maniphest Tasks: T550 Differential Revision: https://secure.phabricator.com/D4232
diff --git a/scripts/ssh/ssh-auth.php b/scripts/ssh/ssh-auth.php
@@ -6,29 +6,36 @@
 
 $cert = file_get_contents('php://stdin');
 
-$user = null;
-if ($cert) {
-  $user_dao = new PhabricatorUser();
-  $ssh_dao = new PhabricatorUserSSHKey();
-  $conn = $user_dao->establishConnection('r');
-
-  list($type, $body) = array_merge(
-    explode(' ', $cert),
-    array('', ''));
-
-  $row = queryfx_one(
-    $conn,
-    'SELECT userName FROM %T u JOIN %T ssh ON u.phid = ssh.userPHID
-      WHERE ssh.keyBody = %s AND ssh.keyType = %s',
-    $user_dao->getTableName(),
-    $ssh_dao->getTableName(),
-    $body,
-    $type);
-  if ($row) {
-    $user = idx($row, 'userName');
-  }
+if (!$cert) {
+  exit(1);
+}
+
+$parts = preg_split('/\s+/', $cert);
+if (count($parts) < 2) {
+  exit(1);
 }
 
+list($type, $body) = $parts;
+
+$user_dao = new PhabricatorUser();
+$ssh_dao = new PhabricatorUserSSHKey();
+$conn_r = $user_dao->establishConnection('r');
+
+$row = queryfx_one(
+  $conn_r,
+  'SELECT userName FROM %T u JOIN %T ssh ON u.phid = ssh.userPHID
+    WHERE ssh.keyType = %s AND ssh.keyBody = %s',
+  $user_dao->getTableName(),
+  $ssh_dao->getTableName(),
+  $type,
+  $body);
+
+if (!$row) {
+  exit(1);
+}
+
+$user = idx($row, 'userName');
+
 if (!$user) {
   exit(1);
 }
diff --git a/scripts/ssh/ssh-exec.php b/scripts/ssh/ssh-exec.php
@@ -4,6 +4,10 @@
 $root = dirname(dirname(dirname(__FILE__)));
 require_once $root.'/scripts/__init_script__.php';
 
+$original_command = getenv('SSH_ORIGINAL_COMMAND');
+$original_argv = id(new PhutilShellLexer())->splitArguments($original_command);
+$argv = array_merge($argv, $original_argv);
+
 $args = new PhutilArgumentParser($argv);
 $args->setTagline('receive SSH requests');
 $args->setSynopsis(<<<EOSYNOPSIS
@@ -50,7 +54,7 @@
   // concise/relevant exceptions when the client is a remote SSH.
   $remain = $args->getUnconsumedArgumentVector();
   if (empty($remain)) {
-    throw new Exception("No command.");
+    throw new Exception("No interactive logins.");
   } else {
     $command = head($remain);
     $workflow_names = mpull($workflows, 'getName', 'getName');
diff --git a/src/applications/conduit/ssh/ConduitSSHWorkflow.php b/src/applications/conduit/ssh/ConduitSSHWorkflow.php
@@ -31,9 +31,10 @@ public function execute(PhutilArgumentParser $args) {
       throw new Exception("Invalid JSON input.");
     }
 
-    $params = $raw_params;
+    $params = idx($raw_params, 'params', array());
+    $params = json_decode($params, true);
+    $metadata = idx($params, '__conduit__', array());
     unset($params['__conduit__']);
-    $metadata = idx($raw_params, '__conduit__', array());
 
     $call = null;
     $error_code = null;
