[client,management] Rewrite the SSH feature (#4015)

2026-04-21 01:36:46 +00:00 · 2025-11-17 17:10:41 +01:00
parent 0d79301141
commit d71a82769c
170 changed files with 18744 additions and 2853 deletions
--- a/client/ssh/config/manager.go
+++ b/client/ssh/config/manager.go
@@ -0,0 +1,282 @@
+package config
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"strings"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	nbssh "github.com/netbirdio/netbird/client/ssh"
+)
+
+const (
+	EnvDisableSSHConfig = "NB_DISABLE_SSH_CONFIG"
+
+	EnvForceSSHConfig = "NB_FORCE_SSH_CONFIG"
+
+	MaxPeersForSSHConfig = 200
+
+	fileWriteTimeout = 2 * time.Second
+)
+
+func isSSHConfigDisabled() bool {
+	value := os.Getenv(EnvDisableSSHConfig)
+	if value == "" {
+		return false
+	}
+
+	disabled, err := strconv.ParseBool(value)
+	if err != nil {
+		return true
+	}
+	return disabled
+}
+
+func isSSHConfigForced() bool {
+	value := os.Getenv(EnvForceSSHConfig)
+	if value == "" {
+		return false
+	}
+
+	forced, err := strconv.ParseBool(value)
+	if err != nil {
+		return true
+	}
+	return forced
+}
+
+// shouldGenerateSSHConfig checks if SSH config should be generated based on peer count
+func shouldGenerateSSHConfig(peerCount int) bool {
+	if isSSHConfigDisabled() {
+		return false
+	}
+
+	if isSSHConfigForced() {
+		return true
+	}
+
+	return peerCount <= MaxPeersForSSHConfig
+}
+
+// writeFileWithTimeout writes data to a file with a timeout
+func writeFileWithTimeout(filename string, data []byte, perm os.FileMode) error {
+	ctx, cancel := context.WithTimeout(context.Background(), fileWriteTimeout)
+	defer cancel()
+
+	done := make(chan error, 1)
+	go func() {
+		done <- os.WriteFile(filename, data, perm)
+	}()
+
+	select {
+	case err := <-done:
+		return err
+	case <-ctx.Done():
+		return fmt.Errorf("file write timeout after %v: %s", fileWriteTimeout, filename)
+	}
+}
+
+// Manager handles SSH client configuration for NetBird peers
+type Manager struct {
+	sshConfigDir  string
+	sshConfigFile string
+}
+
+// PeerSSHInfo represents a peer's SSH configuration information
+type PeerSSHInfo struct {
+	Hostname string
+	IP       string
+	FQDN     string
+}
+
+// New creates a new SSH config manager
+func New() *Manager {
+	sshConfigDir := getSystemSSHConfigDir()
+	return &Manager{
+		sshConfigDir:  sshConfigDir,
+		sshConfigFile: nbssh.NetBirdSSHConfigFile,
+	}
+}
+
+// getSystemSSHConfigDir returns platform-specific SSH configuration directory
+func getSystemSSHConfigDir() string {
+	if runtime.GOOS == "windows" {
+		return getWindowsSSHConfigDir()
+	}
+	return nbssh.UnixSSHConfigDir
+}
+
+func getWindowsSSHConfigDir() string {
+	programData := os.Getenv("PROGRAMDATA")
+	if programData == "" {
+		programData = `C:\ProgramData`
+	}
+	return filepath.Join(programData, nbssh.WindowsSSHConfigDir)
+}
+
+// SetupSSHClientConfig creates SSH client configuration for NetBird peers
+func (m *Manager) SetupSSHClientConfig(peers []PeerSSHInfo) error {
+	if !shouldGenerateSSHConfig(len(peers)) {
+		m.logSkipReason(len(peers))
+		return nil
+	}
+
+	sshConfig, err := m.buildSSHConfig(peers)
+	if err != nil {
+		return fmt.Errorf("build SSH config: %w", err)
+	}
+	return m.writeSSHConfig(sshConfig)
+}
+
+func (m *Manager) logSkipReason(peerCount int) {
+	if isSSHConfigDisabled() {
+		log.Debugf("SSH config management disabled via %s", EnvDisableSSHConfig)
+	} else {
+		log.Infof("SSH config generation skipped: too many peers (%d > %d). Use %s=true to force.",
+			peerCount, MaxPeersForSSHConfig, EnvForceSSHConfig)
+	}
+}
+
+func (m *Manager) buildSSHConfig(peers []PeerSSHInfo) (string, error) {
+	sshConfig := m.buildConfigHeader()
+
+	var allHostPatterns []string
+	for _, peer := range peers {
+		hostPatterns := m.buildHostPatterns(peer)
+		allHostPatterns = append(allHostPatterns, hostPatterns...)
+	}
+
+	if len(allHostPatterns) > 0 {
+		peerConfig, err := m.buildPeerConfig(allHostPatterns)
+		if err != nil {
+			return "", err
+		}
+		sshConfig += peerConfig
+	}
+
+	return sshConfig, nil
+}
+
+func (m *Manager) buildConfigHeader() string {
+	return "# NetBird SSH client configuration\n" +
+		"# Generated automatically - do not edit manually\n" +
+		"#\n" +
+		"# To disable SSH config management, use:\n" +
+		"#   netbird service reconfigure --service-env NB_DISABLE_SSH_CONFIG=true\n" +
+		"#\n\n"
+}
+
+func (m *Manager) buildPeerConfig(allHostPatterns []string) (string, error) {
+	uniquePatterns := make(map[string]bool)
+	var deduplicatedPatterns []string
+	for _, pattern := range allHostPatterns {
+		if !uniquePatterns[pattern] {
+			uniquePatterns[pattern] = true
+			deduplicatedPatterns = append(deduplicatedPatterns, pattern)
+		}
+	}
+
+	execPath, err := m.getNetBirdExecutablePath()
+	if err != nil {
+		return "", fmt.Errorf("get NetBird executable path: %w", err)
+	}
+
+	hostLine := strings.Join(deduplicatedPatterns, " ")
+	config := fmt.Sprintf("Host %s\n", hostLine)
+
+	if runtime.GOOS == "windows" {
+		config += fmt.Sprintf("    Match exec \"%s ssh detect %%h %%p\"\n", execPath)
+	} else {
+		config += fmt.Sprintf("    Match exec \"%s ssh detect %%h %%p 2>/dev/null\"\n", execPath)
+	}
+	config += "        PreferredAuthentications password,publickey,keyboard-interactive\n"
+	config += "        PasswordAuthentication yes\n"
+	config += "        PubkeyAuthentication yes\n"
+	config += "        BatchMode no\n"
+	config += fmt.Sprintf("        ProxyCommand %s ssh proxy %%h %%p\n", execPath)
+	config += "        StrictHostKeyChecking no\n"
+
+	if runtime.GOOS == "windows" {
+		config += "        UserKnownHostsFile NUL\n"
+	} else {
+		config += "        UserKnownHostsFile /dev/null\n"
+	}
+
+	config += "        CheckHostIP no\n"
+	config += "        LogLevel ERROR\n\n"
+
+	return config, nil
+}
+
+func (m *Manager) buildHostPatterns(peer PeerSSHInfo) []string {
+	var hostPatterns []string
+	if peer.IP != "" {
+		hostPatterns = append(hostPatterns, peer.IP)
+	}
+	if peer.FQDN != "" {
+		hostPatterns = append(hostPatterns, peer.FQDN)
+	}
+	if peer.Hostname != "" && peer.Hostname != peer.FQDN {
+		hostPatterns = append(hostPatterns, peer.Hostname)
+	}
+	return hostPatterns
+}
+
+func (m *Manager) writeSSHConfig(sshConfig string) error {
+	sshConfigPath := filepath.Join(m.sshConfigDir, m.sshConfigFile)
+
+	if err := os.MkdirAll(m.sshConfigDir, 0755); err != nil {
+		return fmt.Errorf("create SSH config directory %s: %w", m.sshConfigDir, err)
+	}
+
+	if err := writeFileWithTimeout(sshConfigPath, []byte(sshConfig), 0644); err != nil {
+		return fmt.Errorf("write SSH config file %s: %w", sshConfigPath, err)
+	}
+
+	log.Infof("Created NetBird SSH client config: %s", sshConfigPath)
+	return nil
+}
+
+// RemoveSSHClientConfig removes NetBird SSH configuration
+func (m *Manager) RemoveSSHClientConfig() error {
+	sshConfigPath := filepath.Join(m.sshConfigDir, m.sshConfigFile)
+	err := os.Remove(sshConfigPath)
+	if err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("remove SSH config %s: %w", sshConfigPath, err)
+	}
+	if err == nil {
+		log.Infof("Removed NetBird SSH config: %s", sshConfigPath)
+	}
+	return nil
+}
+
+func (m *Manager) getNetBirdExecutablePath() (string, error) {
+	execPath, err := os.Executable()
+	if err != nil {
+		return "", fmt.Errorf("retrieve executable path: %w", err)
+	}
+
+	realPath, err := filepath.EvalSymlinks(execPath)
+	if err != nil {
+		log.Debugf("symlink resolution failed: %v", err)
+		return execPath, nil
+	}
+
+	return realPath, nil
+}
+
+// GetSSHConfigDir returns the SSH config directory path
+func (m *Manager) GetSSHConfigDir() string {
+	return m.sshConfigDir
+}
+
+// GetSSHConfigFile returns the SSH config file name
+func (m *Manager) GetSSHConfigFile() string {
+	return m.sshConfigFile
+}
--- a/client/ssh/config/manager_test.go
+++ b/client/ssh/config/manager_test.go
@@ -0,0 +1,159 @@
+package config
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestManager_SetupSSHClientConfig(t *testing.T) {
+	// Create temporary directory for test
+	tempDir, err := os.MkdirTemp("", "netbird-ssh-config-test")
+	require.NoError(t, err)
+	defer func() { assert.NoError(t, os.RemoveAll(tempDir)) }()
+
+	// Override manager paths to use temp directory
+	manager := &Manager{
+		sshConfigDir:  filepath.Join(tempDir, "ssh_config.d"),
+		sshConfigFile: "99-netbird.conf",
+	}
+
+	// Test SSH config generation with peers
+	peers := []PeerSSHInfo{
+		{
+			Hostname: "peer1",
+			IP:       "100.125.1.1",
+			FQDN:     "peer1.nb.internal",
+		},
+		{
+			Hostname: "peer2",
+			IP:       "100.125.1.2",
+			FQDN:     "peer2.nb.internal",
+		},
+	}
+
+	err = manager.SetupSSHClientConfig(peers)
+	require.NoError(t, err)
+
+	// Read generated config
+	configPath := filepath.Join(manager.sshConfigDir, manager.sshConfigFile)
+	content, err := os.ReadFile(configPath)
+	require.NoError(t, err)
+
+	configStr := string(content)
+
+	// Verify the basic SSH config structure exists
+	assert.Contains(t, configStr, "# NetBird SSH client configuration")
+	assert.Contains(t, configStr, "Generated automatically - do not edit manually")
+
+	// Check that peer hostnames are included
+	assert.Contains(t, configStr, "100.125.1.1")
+	assert.Contains(t, configStr, "100.125.1.2")
+	assert.Contains(t, configStr, "peer1.nb.internal")
+	assert.Contains(t, configStr, "peer2.nb.internal")
+
+	// Check platform-specific UserKnownHostsFile
+	if runtime.GOOS == "windows" {
+		assert.Contains(t, configStr, "UserKnownHostsFile NUL")
+	} else {
+		assert.Contains(t, configStr, "UserKnownHostsFile /dev/null")
+	}
+}
+
+func TestGetSystemSSHConfigDir(t *testing.T) {
+	configDir := getSystemSSHConfigDir()
+
+	// Path should not be empty
+	assert.NotEmpty(t, configDir)
+
+	// Should be an absolute path
+	assert.True(t, filepath.IsAbs(configDir))
+
+	// On Unix systems, should start with /etc
+	// On Windows, should contain ProgramData
+	if runtime.GOOS == "windows" {
+		assert.Contains(t, strings.ToLower(configDir), "programdata")
+	} else {
+		assert.Contains(t, configDir, "/etc/ssh")
+	}
+}
+
+func TestManager_PeerLimit(t *testing.T) {
+	// Create temporary directory for test
+	tempDir, err := os.MkdirTemp("", "netbird-ssh-config-test")
+	require.NoError(t, err)
+	defer func() { assert.NoError(t, os.RemoveAll(tempDir)) }()
+
+	// Override manager paths to use temp directory
+	manager := &Manager{
+		sshConfigDir:  filepath.Join(tempDir, "ssh_config.d"),
+		sshConfigFile: "99-netbird.conf",
+	}
+
+	// Generate many peers (more than limit)
+	var peers []PeerSSHInfo
+	for i := 0; i < MaxPeersForSSHConfig+10; i++ {
+		peers = append(peers, PeerSSHInfo{
+			Hostname: fmt.Sprintf("peer%d", i),
+			IP:       fmt.Sprintf("100.125.1.%d", i%254+1),
+			FQDN:     fmt.Sprintf("peer%d.nb.internal", i),
+		})
+	}
+
+	// Test that SSH config generation is skipped when too many peers
+	err = manager.SetupSSHClientConfig(peers)
+	require.NoError(t, err)
+
+	// Config should not be created due to peer limit
+	configPath := filepath.Join(manager.sshConfigDir, manager.sshConfigFile)
+	_, err = os.Stat(configPath)
+	assert.True(t, os.IsNotExist(err), "SSH config should not be created with too many peers")
+}
+
+func TestManager_ForcedSSHConfig(t *testing.T) {
+	// Set force environment variable
+	t.Setenv(EnvForceSSHConfig, "true")
+
+	// Create temporary directory for test
+	tempDir, err := os.MkdirTemp("", "netbird-ssh-config-test")
+	require.NoError(t, err)
+	defer func() { assert.NoError(t, os.RemoveAll(tempDir)) }()
+
+	// Override manager paths to use temp directory
+	manager := &Manager{
+		sshConfigDir:  filepath.Join(tempDir, "ssh_config.d"),
+		sshConfigFile: "99-netbird.conf",
+	}
+
+	// Generate many peers (more than limit)
+	var peers []PeerSSHInfo
+	for i := 0; i < MaxPeersForSSHConfig+10; i++ {
+		peers = append(peers, PeerSSHInfo{
+			Hostname: fmt.Sprintf("peer%d", i),
+			IP:       fmt.Sprintf("100.125.1.%d", i%254+1),
+			FQDN:     fmt.Sprintf("peer%d.nb.internal", i),
+		})
+	}
+
+	// Test that SSH config generation is forced despite many peers
+	err = manager.SetupSSHClientConfig(peers)
+	require.NoError(t, err)
+
+	// Config should be created despite peer limit due to force flag
+	configPath := filepath.Join(manager.sshConfigDir, manager.sshConfigFile)
+	_, err = os.Stat(configPath)
+	require.NoError(t, err, "SSH config should be created when forced")
+
+	// Verify config contains peer hostnames
+	content, err := os.ReadFile(configPath)
+	require.NoError(t, err)
+	configStr := string(content)
+	assert.Contains(t, configStr, "peer0.nb.internal")
+	assert.Contains(t, configStr, "peer1.nb.internal")
+}
--- a/client/ssh/config/shutdown_state.go
+++ b/client/ssh/config/shutdown_state.go
@@ -0,0 +1,22 @@
+package config
+
+// ShutdownState represents SSH configuration state that needs to be cleaned up.
+type ShutdownState struct {
+	SSHConfigDir  string
+	SSHConfigFile string
+}
+
+// Name returns the state name for the state manager.
+func (s *ShutdownState) Name() string {
+	return "ssh_config_state"
+}
+
+// Cleanup removes SSH client configuration files.
+func (s *ShutdownState) Cleanup() error {
+	manager := &Manager{
+		sshConfigDir:  s.SSHConfigDir,
+		sshConfigFile: s.SSHConfigFile,
+	}
+
+	return manager.RemoveSSHClientConfig()
+}