fix: added shell ssh copy consent

BhautikChudasama · BhautikChudasama · commit 830d816e9384 · 2026-06-05T07:19:36.000+02:00
diff --git a/cmd/sandbox/shell.go b/cmd/sandbox/shell.go
@@ -12,11 +12,9 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
-	"os/signal"
 	"path/filepath"
 	"strings"
 	"sync"
-	"syscall"
 	"time"
 
 	"github.com/pterm/pterm"
@@ -66,6 +64,11 @@ Examples:
 				Value:   "root",
 				Usage:   "Username inside the sandbox (SSH path only — the keyless PTY always runs as the sandbox's default user)",
 			},
+			&cli.BoolFlag{
+				Name:    "yes",
+				Aliases: []string{"y"},
+				Usage:   "Install your SSH key into the sandbox without asking (SSH path; required in non-interactive mode when your key isn't already there)",
+			},
 		},
 		Action: runShell,
 	}
@@ -129,12 +132,14 @@ func runShellSSH(c *cli.Context, client *api.SandboxClient, id, ref string) erro
 	}
 
 	// 1. Drop the pubkey into the sandbox's authorized_keys via the
-	//    file API. sshd refuses keys unless ~/.ssh is 0700 and the
-	//    file is 0600 — we chmod in the next step.
-	authPath := authorizedKeysPath(user)
-	if err = client.UploadFile(c.Context, id, authPath, bytesReader(pubBytes), int64(len(pubBytes))); err != nil {
-		return fmt.Errorf("could not install your SSH key: %w", err)
+	//    file API, with consent — idempotent if our key is already there,
+	//    and asks before modifying the sandbox otherwise. sshd refuses
+	//    keys unless ~/.ssh is 0700 and the file is 0600 — we chmod in
+	//    the next step.
+	if err = ensureAuthorizedKey(c, client, id, user, ref, pubBytes, keyConsentGiven(c)); err != nil {
+		return err
 	}
+	authPath := authorizedKeysPath(user)
 
 	// 2. Make the modes right + start sshd. The script tolerates the
 	//    "Address already in use" exit when sshd is already running,
@@ -283,14 +288,11 @@ func runShellPTY(c *cli.Context, id, ref string) error {
 	var frameMu sync.Mutex
 	sendResize(conn, &frameMu, stdinFd)
 
-	winch := make(chan os.Signal, 1)
-	signal.Notify(winch, syscall.SIGWINCH)
-	defer signal.Stop(winch)
-	go func() {
-		for range winch {
-			sendResize(conn, &frameMu, stdinFd)
-		}
-	}()
+	// Re-send the terminal size on every resize. The mechanism is
+	// platform-specific (SIGWINCH on Unix, no-op on Windows), so it
+	// lives behind a build tag in shell_resize_*.go.
+	stopResize := watchWindowSize(func() { sendResize(conn, &frameMu, stdinFd) })
+	defer stopResize()
 
 	done := make(chan struct{}, 2)
 	// remote → local screen
diff --git a/cmd/sandbox/shell_resize_unix.go b/cmd/sandbox/shell_resize_unix.go
@@ -0,0 +1,32 @@
+//go:build !windows
+
+package sandbox
+
+import (
+	"os"
+	"os/signal"
+	"syscall"
+)
+
+// watchWindowSize invokes onResize whenever the controlling terminal is
+// resized (SIGWINCH). It returns a stop function that unregisters the
+// handler and ends the goroutine; call it via defer.
+func watchWindowSize(onResize func()) func() {
+	winch := make(chan os.Signal, 1)
+	signal.Notify(winch, syscall.SIGWINCH)
+	done := make(chan struct{})
+	go func() {
+		for {
+			select {
+			case <-winch:
+				onResize()
+			case <-done:
+				return
+			}
+		}
+	}()
+	return func() {
+		signal.Stop(winch)
+		close(done)
+	}
+}
diff --git a/cmd/sandbox/shell_resize_windows.go b/cmd/sandbox/shell_resize_windows.go
@@ -0,0 +1,12 @@
+//go:build windows
+
+package sandbox
+
+// watchWindowSize is a no-op on Windows: there is no SIGWINCH. The initial
+// terminal size is still sent once before the session starts; tracking
+// live console resizes would require polling GetConsoleScreenBufferInfo,
+// which isn't worth it for the keyless PTY path. Returns a no-op stop.
+func watchWindowSize(onResize func()) func() {
+	_ = onResize
+	return func() {}
+}
diff --git a/cmd/sandbox/sync.go b/cmd/sandbox/sync.go
@@ -77,6 +77,11 @@ sandbox (/etc, /usr, /bin …). Pass --force to bypass the local check
 				Name:  "force",
 				Usage: "Bypass the local sensitive-path check (still requires non-/ paths)",
 			},
+			&cli.BoolFlag{
+				Name:    "yes",
+				Aliases: []string{"y"},
+				Usage:   "Install your SSH key into the sandbox without asking (required in non-interactive mode when your key isn't already there)",
+			},
 		},
 		Action: runSync,
 	}
@@ -190,12 +195,12 @@ func runSync(c *cli.Context) error {
 		user = "root"
 	}
 
-	// 4. Install authorized_keys + start sshd. Mirror of the SSH-shell
-	//    path so sync gets the same modes/sshd setup.
-	authPath := authorizedKeysPath(user)
-	if err = client.UploadFile(c.Context, id, authPath, bytesReader(pubBytes), int64(len(pubBytes))); err != nil {
-		return fmt.Errorf("could not install your SSH key: %w", err)
+	// 4. Install authorized_keys (with consent) + start sshd. Mirror of
+	//    the SSH-shell path so sync gets the same modes/sshd setup.
+	if err = ensureAuthorizedKey(c, client, id, user, ref, pubBytes, keyConsentGiven(c)); err != nil {
+		return err
 	}
+	authPath := authorizedKeysPath(user)
 	prepScript := fmt.Sprintf(`
 set -e
 if ! [ -x /usr/sbin/sshd ]; then
@@ -364,6 +369,120 @@ func shellQuote(s string) string {
 	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
 }
 
+// ── authorized_keys consent ───────────────────────────────────────────
+
+// ensureAuthorizedKey guarantees the local public key in pubBytes is
+// present in the sandbox user's authorized_keys before sync/shell rely on
+// SSH. It is idempotent and non-destructive:
+//
+//   - if a key matching ours is already installed, it returns immediately,
+//     touching nothing (no upload, no prompt);
+//   - if our key is NOT there, it asks for consent — the only path that
+//     modifies the sandbox — then APPENDS our key, preserving any keys
+//     already present.
+//
+// Consent rules mirror `sandbox rm`:
+//   - interactive TTY  → y/N confirm
+//   - non-interactive  → requires assumeYes, else a clear error
+//   - assumeYes (--yes/-y) skips the prompt everywhere
+func ensureAuthorizedKey(c *cli.Context, client *api.SandboxClient, id, user, ref string, pubBytes []byte, assumeYes bool) error {
+	authPath := authorizedKeysPath(user)
+
+	wantKey, _, _, _, perr := ssh.ParseAuthorizedKey(pubBytes)
+	if perr != nil {
+		return fmt.Errorf("your public key doesn't look like a valid SSH key: %w", perr)
+	}
+	want := canonicalAuthKey(wantKey)
+
+	existing := readSandboxAuthorizedKeys(c, client, id, authPath)
+	for _, line := range existing {
+		if pk, _, _, _, e := ssh.ParseAuthorizedKey([]byte(line)); e == nil && canonicalAuthKey(pk) == want {
+			// Already trusted — nothing to do. No overwrite, no prompt.
+			return nil
+		}
+	}
+
+	// Our key isn't there → installing it modifies the sandbox. Gate it.
+	if !assumeYes {
+		if !terminal.IsInteractive() {
+			return fmt.Errorf("your SSH key isn't installed in %s yet\n\n  Installing it changes the sandbox's authorized_keys. Re-run with --yes to allow it:\n    createos sandbox %s --yes %s", refLabel(ref, id), c.Command.Name, ref)
+		}
+		prompt := fmt.Sprintf("Install your SSH key (%s) into %s?", ssh.FingerprintSHA256(wantKey), refLabel(ref, id))
+		if n := len(existing); n > 0 {
+			prompt += fmt.Sprintf(" It already has %d other key(s); yours is added alongside them.", n)
+		}
+		ok, cerr := pterm.DefaultInteractiveConfirm.
+			WithDefaultText(prompt).
+			WithDefaultValue(true).
+			Show()
+		if cerr != nil {
+			return fmt.Errorf("could not read confirmation: %w", cerr)
+		}
+		if !ok {
+			return errors.New("cancelled — your SSH key was not installed, so there's no way to connect")
+		}
+	}
+
+	// Append our key, preserving existing entries (drop blank lines).
+	merged := make([]string, 0, len(existing)+1)
+	for _, l := range existing {
+		if t := strings.TrimSpace(l); t != "" {
+			merged = append(merged, t)
+		}
+	}
+	merged = append(merged, strings.TrimSpace(string(pubBytes)))
+	content := strings.Join(merged, "\n") + "\n"
+	if err := client.UploadFile(c.Context, id, authPath, bytesReader([]byte(content)), int64(len(content))); err != nil {
+		return fmt.Errorf("could not install your SSH key: %w", err)
+	}
+	return nil
+}
+
+// canonicalAuthKey reduces a public key to its "<type> <base64>" form,
+// dropping the trailing newline and any comment, so two keys compare equal
+// regardless of the comment they were uploaded with.
+func canonicalAuthKey(pk ssh.PublicKey) string {
+	return strings.TrimSpace(string(ssh.MarshalAuthorizedKey(pk)))
+}
+
+// readSandboxAuthorizedKeys returns the current authorized_keys lines for
+// the sandbox user, or nil when the file is missing/unreadable (a fresh
+// box). Errors are swallowed: a missing file is the common, expected case
+// and simply means "no keys yet".
+func readSandboxAuthorizedKeys(c *cli.Context, client *api.SandboxClient, id, authPath string) []string {
+	resp, err := client.ExecSandbox(c.Context, id, api.SandboxExecReq{
+		Cmd:  "sh",
+		Args: []string{"-c", fmt.Sprintf("cat %s 2>/dev/null || true", shellQuote(authPath))},
+	})
+	if err != nil || resp.Result.ExitCode != 0 {
+		return nil
+	}
+	var out []string
+	for _, l := range strings.Split(resp.Result.Stdout, "\n") {
+		if strings.TrimSpace(l) != "" {
+			out = append(out, l)
+		}
+	}
+	return out
+}
+
+// keyConsentGiven reports whether the user pre-authorized installing their
+// SSH key, via --yes/-y. It also scans positional args because urfave/cli
+// v2 stops parsing flags at the first positional, so `sync my-box --yes`
+// would otherwise drop the flag (same workaround as `sandbox rm`).
+func keyConsentGiven(c *cli.Context) bool {
+	if c.Bool("yes") {
+		return true
+	}
+	for _, a := range c.Args().Slice() {
+		switch strings.TrimSpace(a) {
+		case "-y", "--yes", "-yes":
+			return true
+		}
+	}
+	return false
+}
+
 // ── path validators ───────────────────────────────────────────────
 
 // sensitiveLocalDirs is the set of directory NAMES we refuse to sync
