feat: fetch SSH key from Coder if required

Author: johnstcn

git.go

@@ -2,15 +2,18 @@ package envbuilder
 
 import (
 	"context"
+	"crypto/md5"
 	"errors"
 	"fmt"
 	"io"
 	"net"
 	"net/url"
 	"os"
 	"strings"
+	"time"
 
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/codersdk/agentsdk"
 	"github.com/go-git/go-billy/v5"
 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/plumbing"
@@ -22,7 +25,6 @@ import (
 	gitssh "github.com/go-git/go-git/v5/plumbing/transport/ssh"
 	"github.com/go-git/go-git/v5/storage/filesystem"
 	"github.com/skeema/knownhosts"
-	"golang.org/x/crypto/ssh"
 	gossh "golang.org/x/crypto/ssh"
 )
 
@@ -207,14 +209,29 @@ func SetupRepoAuth(options *Options) transport.AuthMethod {
 	// Assume SSH auth for all other formats.
 	options.Logger(codersdk.LogLevelInfo, "#1: 🔑 Using SSH authentication!")
 
-	var signer ssh.Signer
+	var signer gossh.Signer
 	if options.GitSSHPrivateKeyPath != "" {
 		s, err := ReadPrivateKey(options.GitSSHPrivateKeyPath)
 		if err != nil {
 			options.Logger(codersdk.LogLevelError, "#1: ❌ Failed to read private key from %s: %s", options.GitSSHPrivateKeyPath, err.Error())
 		} else {
-			options.Logger(codersdk.LogLevelInfo, "#1: 🔑 Using %s key!", s.PublicKey().Type())
 			signer = s
+			options.Logger(codersdk.LogLevelInfo, "#1: 🔑 Using %s key %s!", s.PublicKey().Type(), keyFingerprint(signer)[:8])
+		}
+	}
+
+	// If we have no signer but we have a Coder URL and agent token, try to fetch
+	// an SSH key from Coder!
+	if signer == nil && options.CoderAgentURL != nil && options.CoderAgentToken != "" {
+		options.Logger(codersdk.LogLevelInfo, "#1: 🔑 Fetching key from %s!", options.CoderAgentURL.String())
+		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		defer cancel()
+		s, err := FetchCoderSSHKey(ctx, options.CoderAgentURL, options.CoderAgentToken)
+		if err == nil {
+			signer = s
+			options.Logger(codersdk.LogLevelInfo, "#1: 🔑 Fetched %s key %s !", signer.PublicKey().Type(), keyFingerprint(signer)[:8])
+		} else {
+			options.Logger(codersdk.LogLevelInfo, "#1: ❌ Failed to fetch SSH key: %w", options.CoderAgentURL.String(), err)
 		}
 	}
 
@@ -251,3 +268,26 @@ func SetupRepoAuth(options *Options) transport.AuthMethod {
 	}
 	return auth
 }
+
+// FetchCoderSSHKey fetches the user's Git SSH key from Coder using the supplied
+// Coder URL and agent token.
+func FetchCoderSSHKey(ctx context.Context, coderURL url.URL, agentToken string) (gossh.Signer, error) {
+	client := agentsdk.New(&coderURL)
+	client.SetSessionToken(agentToken)
+	key, err := client.GitSSHKey(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("get coder ssh key: %w", err)
+	}
+	signer, err := gossh.ParsePrivateKey([]byte(key.PrivateKey))
+	if err != nil {
+		return nil, fmt.Errorf("parse coder ssh key: %w", err)
+	}
+	return signer, nil
+}
+
+// keyFingerprint returns the md5 checksum of the public key of signer.
+func keyFingerprint(s gossh.Signer) string {
+	h := md5.New()
+	h.Write(s.PublicKey().Marshal())
+	return fmt.Sprintf("%x", h.Sum(nil))
+}

git_test.go

@@ -3,8 +3,10 @@ package envbuilder_test
 import (
 	"context"
 	"crypto/ed25519"
+	"encoding/json"
 	"fmt"
 	"io"
+	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"os"
@@ -13,13 +15,16 @@ import (
 	"testing"
 
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/codersdk/agentsdk"
 	"github.com/coder/envbuilder"
 	"github.com/coder/envbuilder/testutil/gittest"
 	"github.com/go-git/go-billy/v5"
 	"github.com/go-git/go-billy/v5/memfs"
 	"github.com/go-git/go-billy/v5/osfs"
 	githttp "github.com/go-git/go-git/v5/plumbing/transport/http"
 	gitssh "github.com/go-git/go-git/v5/plumbing/transport/ssh"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	gossh "golang.org/x/crypto/ssh"
 )
@@ -382,6 +387,60 @@ func TestSetupRepoAuth(t *testing.T) {
 		auth := envbuilder.SetupRepoAuth(opts)
 		require.Nil(t, auth) // TODO: actually test SSH_AUTH_SOCK
 	})
+
+	t.Run("SSH/Coder", func(t *testing.T) {
+		token := uuid.NewString()
+		actualSigner, err := gossh.ParsePrivateKey([]byte(testKey))
+		require.NoError(t, err)
+		handler := func(w http.ResponseWriter, r *http.Request) {
+			hdr := r.Header.Get("Coder-Session-Token")
+			if !assert.Equal(t, hdr, token) {
+				w.WriteHeader(http.StatusForbidden)
+				return
+			}
+			switch r.URL.Path {
+			case "/api/v2/workspaceagents/me/gitsshkey":
+				_ = json.NewEncoder(w).Encode(&agentsdk.GitSSHKey{
+					PublicKey:  string(actualSigner.PublicKey().Marshal()),
+					PrivateKey: string(testKey),
+				})
+			default:
+				assert.Fail(t, "unknown path: %q", r.URL.Path)
+			}
+		}
+		srv := httptest.NewServer(http.HandlerFunc(handler))
+		u, err := url.Parse(srv.URL)
+		require.NoError(t, err)
+		opts := &envbuilder.Options{
+			CoderAgentURL:   u,
+			CoderAgentToken: token,
+			GitURL:          "ssh://[email protected]:repo/path",
+			Logger:          testLog(t),
+		}
+		auth := envbuilder.SetupRepoAuth(opts)
+		pk, ok := auth.(*gitssh.PublicKeys)
+		require.True(t, ok)
+		require.NotNil(t, pk.Signer)
+		require.Equal(t, actualSigner, pk.Signer)
+	})
+
+	t.Run("SSH/CoderForbidden", func(t *testing.T) {
+		token := uuid.NewString()
+		handler := func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusForbidden)
+		}
+		srv := httptest.NewServer(http.HandlerFunc(handler))
+		u, err := url.Parse(srv.URL)
+		require.NoError(t, err)
+		opts := &envbuilder.Options{
+			CoderAgentURL:   u,
+			CoderAgentToken: token,
+			GitURL:          "ssh://[email protected]:repo/path",
+			Logger:          testLog(t),
+		}
+		auth := envbuilder.SetupRepoAuth(opts)
+		require.Nil(t, auth)
+	})
 }
 
 func mustRead(t *testing.T, fs billy.Filesystem, path string) string {
@@ -405,6 +464,7 @@ func randKeygen(t *testing.T) gossh.Signer {
 
 func testLog(t *testing.T) envbuilder.LoggerFunc {
 	return func(_ codersdk.LogLevel, format string, args ...interface{}) {
+		t.Helper()
 		t.Logf(format, args...)
 	}
 }