Merge branch 'atsign-foundation:trunk' into trunk

.github/dependabot.yml

@@ -1,7 +1,16 @@
 version: 2
+enable-beta-ecosystems: true
 updates:
   # Maintain dependencies for GitHub Actions
   - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "pub"
     directory: "/"
     schedule:
       interval: "daily"

.github/workflows/dockerhub_sshnpd.yml

@@ -0,0 +1,45 @@
+name: dockerhub_sshnpd
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - 'v*.*.*'
+
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34 # v2.7.0
+      -
+        name: Login to Docker Hub
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+ # Extract version for docker tag
+      -
+        name: Get version
+        run: echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV
+      -
+        name: Build and push
+        uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          push: true
+          provenance: false
+          tags: |
+            atsigncompany/sshnpd:latest
+            atsigncompany/sshnpd:release-${{ env.VERSION }}

.github/workflows/multibuild.yaml

@@ -0,0 +1,69 @@
+name: Multibuild
+
+on: 
+  workflow_dispatch:
+
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
+jobs:
+  x64_build:
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macOS-latest]
+        include:
+          - os: ubuntu-latest
+            output-name: sshnp-linux-x64
+          - os: macOS-latest
+            output-name: sshnp-macos-x64
+
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: dart-lang/setup-dart@d6a63dab3335f427404425de0fbfed4686d93c4f # v1.5.0
+      - run: mkdir sshnp
+      - run: mkdir tarball
+      - run: dart pub get
+      - run: dart compile exe bin/activate_cli.dart -v -o sshnp/at_activate
+      - run: dart compile exe bin/sshnp.dart -v -o sshnp/sshnp
+      - run: dart compile exe bin/sshnpd.dart -v -o sshnp/sshnpd
+      - run: dart compile exe bin/sshrv.dart -v -o sshnp/sshrv
+      - run: dart compile exe bin/sshrvd.dart -v -o sshnp/sshrvd
+      - run: cp -r templates sshnp/templates
+      - run: cp scripts/* sshnp
+      - run: tar -cvzf tarball/${{ matrix.output-name }}.tgz sshnp
+      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: x64_binaries
+          path: tarball
+
+  other_build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+      - uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34 # v2.7.0
+      - run: |
+          docker buildx build -t atsigncompany/sshnptarball -f Dockerfile.package \
+          --platform linux/arm/v7,linux/arm64,linux/riscv64 -o type=tar,dest=bins.tar .
+      - run: mkdir tarballs
+      - run: tar -xvf bins.tar -C tarballs
+      - run: mkdir upload
+      - run: cp tarballs/*/*.tgz upload/
+      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: other_binaries
+          path: upload
+
+  notify_on_completion:
+    needs: [x64_build, other_build]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Google Chat Notification
+        uses: Co-qn/google-chat-notification@3691ccf4763537d6e544bc6cdcccc1965799d056 # v1
+        with:
+          name: SSH no ports binaries were built by GitHub Action ${{ github.run_number }}
+          url: ${{ secrets.GOOGLE_CHAT_WEBHOOK }}
+          status: ${{ job.status }}

.github/workflows/scorecards.yml

@@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecards supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '22 4 * * 6'
+  push:
+    branches: [ "trunk" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        with:
+          sarif_file: results.sarif

.gitignore

@@ -1,7 +1,7 @@
 # Files and directories created by pub.
 .dart_tool/
 .packages
-# @platform stuff
+# atPlatform stuff
 *.hive
 *.hash
 *.atKeys
@@ -10,3 +10,6 @@ pubspec.lock
 
 # Conventional directory for build output.
 build/
+
+# Macos
+.DS_Store

.startup.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+ssh-keygen -A
+/usr/sbin/sshd -D -o "ListenAddress 127.0.0.1" -o "PasswordAuthentication no"  &
+while true
+do
+sudo -u atsign /usr/local/at/sshnpd "$@"
+sleep 3
+done

CONTRIBUTING.md

@@ -13,13 +13,15 @@ For small changes, especially documentation, you can simply use the "Edit" butto
 to update the Markdown file, and start the
 [pull request](https://help.github.com/articles/about-pull-requests/) process.
 Use the preview tab in GitHub to make sure that it is properly
-formatted before committing.
+formatted before committing. Please use conventional commits and follow the semantic PR format as documented 
+[here](https://github.com/atsign-foundation/.github/blob/trunk/atGitHub.md#semantic-prs).
 A pull request will cause integration tests to run automatically, so please review
 the results of the pipeline and correct any mistakes that are reported.
 
 If you plan to contribute often or have a larger change to make, it is best to
 setup an environment for contribution, which is what the rest of these guidelines
-describe.
+describe. The atsign-foundation GitHub organization's conventions and configurations are documented
+[here](https://github.com/atsign-foundation/.github/blob/trunk/atGitHub.md).
 
 ## Development Environment Setup
 

Dockerfile

@@ -0,0 +1,36 @@
+FROM dart:3.0.5@sha256:65e5f5d6d72ad2f7b32f402c01b5fe8a426455b1ede1e9f840f95a2a8c14afbd AS buildimage
+ENV BINARYDIR=/usr/local/at
+SHELL ["/bin/bash", "-c"]
+WORKDIR /app
+COPY . .
+RUN \
+  set -eux ; \
+  mkdir -p $BINARYDIR ; \
+  dart pub get ; \
+  dart pub update ; \
+  dart compile exe bin/sshnpd.dart -o $BINARYDIR/sshnpd
+
+# Second stage of build FROM debian-slim
+FROM debian:stable-20230612-slim@sha256:b09f68bffcf9c14f3105f262e92321d05abaf48460d1f43f884325bcd4395b95
+ENV HOMEDIR=/atsign
+ENV BINARYDIR=/usr/local/at
+ENV USER_ID=1024
+ENV GROUP_ID=1024
+COPY --from=buildimage  /app/.startup.sh /atsign/
+RUN  \
+   set -eux ; \
+   apt-get update && apt-get install -y openssh-server sudo iputils-ping iproute2 ncat telnet net-tools nmap iperf3 tmux traceroute vim;\
+   addgroup --gid $GROUP_ID atsign ; \
+   useradd --system --uid $USER_ID --gid $GROUP_ID --shell /bin/bash  --home $HOMEDIR atsign ; \
+   mkdir -p $HOMEDIR/.atsign/keys ; \
+   mkdir -p $HOMEDIR/.ssh ; \
+   touch $HOMEDIR/.ssh/authorized_keys ; \
+   chown -R atsign:atsign $HOMEDIR ; \
+   chmod 600 $HOMEDIR/.ssh/authorized_keys ; \
+   usermod -aG sudo atsign ; \
+   mkdir /run/sshd ; \
+   chmod 755 /atsign/.startup.sh
+COPY --from=buildimage --chown=atsign:atsign /usr/local/at/sshnpd /usr/local/at/
+WORKDIR /atsign
+# USER atsign 
+ENTRYPOINT ["/atsign/.startup.sh"]

Dockerfile.package

@@ -0,0 +1,25 @@
+FROM atsigncompany/buildimage:3.0.5_3.1.0-163.1.beta@sha256:5d126560a8c60d9c94da3cca185208172f2368b8ba8b0423aa6ee1a890c4e33b AS build
+# Using atsigncompany/buildimage until official dart image has RISC-V support
+WORKDIR /sshnoports
+COPY . .
+RUN set -eux; \
+    case "$(dpkg --print-architecture)" in \
+        amd64) ARCH="x64";; \
+        armhf) ARCH="arm";; \
+        arm64) ARCH="arm64";; \
+        riscv64) ARCH="riscv64";; \
+    esac; \
+    mkdir sshnp; \
+    mkdir tarball; \
+    dart pub get; \
+    dart compile exe bin/activate_cli.dart -v -o sshnp/at_activate; \
+    dart compile exe bin/sshnp.dart -v -o sshnp/sshnp; \
+    dart compile exe bin/sshnpd.dart -v -o sshnp/sshnpd; \
+    dart compile exe bin/sshrv.dart -v -o sshnp/sshrv; \
+    dart compile exe bin/sshrvd.dart -v -o sshnp/sshrvd; \
+    cp -r templates sshnp/templates; \
+    cp scripts/* sshnp/; \
+    tar -cvzf tarball/sshnp-linux-${ARCH}.tgz sshnp
+
+FROM scratch
+COPY --from=build /sshnoports/tarball/* /