fix: allow ssh local forwarding in okdev-sshd

Author: acmore

cmd/okdev-sshd/main.go

@@ -33,12 +33,29 @@ func main() {
 		log.Fatalf("failed to load authorized keys: %v", err)
 	}
 
+	srv := newServer(fmt.Sprintf(":%d", *port), *shell, keys)
+
+	log.Printf("okdev-sshd listening on :%d", *port)
+	log.Fatal(srv.ListenAndServe())
+}
+
+func newServer(addr, shell string, keys []ssh.PublicKey) *ssh.Server {
+	channelHandlers := map[string]ssh.ChannelHandler{}
+	for name, handler := range ssh.DefaultChannelHandlers {
+		channelHandlers[name] = handler
+	}
+	channelHandlers["direct-tcpip"] = ssh.DirectTCPIPHandler
+
 	srv := &ssh.Server{
-		Addr:    fmt.Sprintf(":%d", *port),
-		Handler: sessionHandler(*shell),
+		Addr:    addr,
+		Handler: sessionHandler(shell),
 		SubsystemHandlers: map[string]ssh.SubsystemHandler{
 			"sftp": sftpHandler,
 		},
+		ChannelHandlers: channelHandlers,
+		LocalPortForwardingCallback: func(ctx ssh.Context, destinationHost string, destinationPort uint32) bool {
+			return true
+		},
 	}
 
 	if keys != nil {
@@ -52,8 +69,7 @@ func main() {
 		}
 	}
 
-	log.Printf("okdev-sshd listening on :%d", *port)
-	log.Fatal(srv.ListenAndServe())
+	return srv
 }
 
 func detectShell() string {

cmd/okdev-sshd/main_test.go

@@ -1,31 +1,39 @@
 package main
 
 import (
-	"strings"
 	"testing"
+
+	"github.com/gliderlabs/ssh"
 )
 
-func TestBuildInteractiveLoginScriptIncludesDevTmuxBootstrap(t *testing.T) {
-	script := buildInteractiveLoginScript(map[string]string{}, "/bin/bash", "/workspace", "1")
+func TestNewServerEnablesLocalPortForwarding(t *testing.T) {
+	srv := newServer(":2222", "/bin/sh", nil)
 
-	for _, want := range []string{
-		"cd '/workspace'",
-		"/workspace/.okdev/post-attach.sh",
-		"/var/okdev/dev.tmux.conf",
-		"exec tmux new-session -A -s okdev",
-	} {
-		if !strings.Contains(script, want) {
-			t.Fatalf("expected script to contain %q, got:\n%s", want, script)
-		}
+	if srv.ChannelHandlers == nil {
+		t.Fatal("expected channel handlers to be configured")
+	}
+	if _, ok := srv.ChannelHandlers["session"]; !ok {
+		t.Fatal("expected default session channel handler")
+	}
+	if _, ok := srv.ChannelHandlers["direct-tcpip"]; !ok {
+		t.Fatal("expected direct-tcpip channel handler for ssh forwarding")
+	}
+	if srv.LocalPortForwardingCallback == nil {
+		t.Fatal("expected local port forwarding callback")
+	}
+	if !srv.LocalPortForwardingCallback(nil, "127.0.0.1", 8080) {
+		t.Fatal("expected local port forwarding to be allowed")
 	}
 }
 
-func TestBuildInteractiveLoginScriptSkipsTmuxWhenDisabledForSession(t *testing.T) {
-	script := buildInteractiveLoginScript(map[string]string{"OKDEV_NO_TMUX": "1"}, "/bin/sh", "/workspace", "1")
-	if strings.Contains(script, "tmux") {
-		t.Fatalf("expected tmux bootstrap to be skipped, got:\n%s", script)
+func TestNewServerAddsPublicKeyHandlerWhenKeysProvided(t *testing.T) {
+	pub, _, _, _, err := ssh.ParseAuthorizedKey([]byte("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9mN6e2Q2x8tQz4pT2r8j04YfGLwRoTSesFiNUFDXL9 test\n"))
+	if err != nil {
+		t.Fatalf("parse authorized key: %v", err)
 	}
-	if !strings.Contains(script, "exec '/bin/sh' -l") {
-		t.Fatalf("expected shell fallback, got:\n%s", script)
+
+	srv := newServer(":2222", "/bin/sh", []ssh.PublicKey{pub})
+	if srv.PublicKeyHandler == nil {
+		t.Fatal("expected public key handler to be configured")
 	}
 }