sharing ssh

patelspratik · patelspratik · commit f41d40a19aa9 · 2026-03-02T11:09:16.000-08:00
diff --git a/pkg/cmd/cmd.go b/pkg/cmd/cmd.go
@@ -20,6 +20,7 @@ import (
 	"github.com/brevdev/brev-cli/pkg/cmd/fu"
 	"github.com/brevdev/brev-cli/pkg/cmd/gpucreate"
 	"github.com/brevdev/brev-cli/pkg/cmd/gpusearch"
+	"github.com/brevdev/brev-cli/pkg/cmd/grantssh"
 	"github.com/brevdev/brev-cli/pkg/cmd/healthcheck"
 	"github.com/brevdev/brev-cli/pkg/cmd/hello"
 	"github.com/brevdev/brev-cli/pkg/cmd/importideconfig"
@@ -310,6 +311,7 @@ func createCmdTree(cmd *cobra.Command, t *terminal.Terminal, loginCmdStore *stor
 	cmd.AddCommand(register.NewCmdRegister(t, loginCmdStore))
 	cmd.AddCommand(deregister.NewCmdDeregister(t, loginCmdStore))
 	cmd.AddCommand(enablessh.NewCmdEnableSSH(t, loginCmdStore))
+	cmd.AddCommand(grantssh.NewCmdGrantSSH(t, loginCmdStore))
 	cmd.AddCommand(runtasks.NewCmdRunTasks(t, noLoginCmdStore))
 	cmd.AddCommand(proxy.NewCmdProxy(t, noLoginCmdStore))
 	cmd.AddCommand(healthcheck.NewCmdHealthcheck(t, noLoginCmdStore))
diff --git a/pkg/cmd/enablessh/enablessh.go b/pkg/cmd/enablessh/enablessh.go
@@ -121,7 +121,7 @@ func EnableSSH(
 	t.Vprint("")
 
 	if brevUser.PublicKey != "" {
-		if err := installAuthorizedKey(u, brevUser.PublicKey); err != nil {
+		if err := InstallAuthorizedKey(u, brevUser.PublicKey); err != nil {
 			t.Vprintf("  %s\n", t.Yellow(fmt.Sprintf("Warning: failed to install SSH public key: %v", err)))
 		} else {
 			t.Vprint("  Brev public key added to authorized_keys.")
@@ -142,9 +142,9 @@ func EnableSSH(
 	return nil
 }
 
-// installAuthorizedKey appends the given public key to the user's
+// InstallAuthorizedKey appends the given public key to the user's
 // ~/.ssh/authorized_keys if it isn't already present.
-func installAuthorizedKey(u *user.User, pubKey string) error {
+func InstallAuthorizedKey(u *user.User, pubKey string) error {
 	pubKey = strings.TrimSpace(pubKey)
 	if pubKey == "" {
 		return nil
diff --git a/pkg/cmd/grantssh/grantssh.go b/pkg/cmd/grantssh/grantssh.go
@@ -0,0 +1,247 @@
+// Package grantssh provides the brev grant-ssh command for granting SSH access
+// to a registered device for another org member.
+package grantssh
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/user"
+	"path/filepath"
+	"runtime"
+	"strings"
+
+	nodev1connect "buf.build/gen/go/brevdev/devplane/connectrpc/go/devplaneapi/v1/devplaneapiv1connect"
+	nodev1 "buf.build/gen/go/brevdev/devplane/protocolbuffers/go/devplaneapi/v1"
+	"connectrpc.com/connect"
+
+	"github.com/brevdev/brev-cli/pkg/cmd/enablessh"
+	"github.com/brevdev/brev-cli/pkg/cmd/register"
+	"github.com/brevdev/brev-cli/pkg/config"
+	"github.com/brevdev/brev-cli/pkg/entity"
+	breverrors "github.com/brevdev/brev-cli/pkg/errors"
+	"github.com/brevdev/brev-cli/pkg/terminal"
+
+	"github.com/spf13/cobra"
+)
+
+// GrantSSHStore defines the store methods needed by the grant-ssh command.
+type GrantSSHStore interface {
+	GetCurrentUser() (*entity.User, error)
+	GetActiveOrganizationOrDefault() (*entity.Organization, error)
+	GetBrevHomePath() (string, error)
+	GetAccessToken() (string, error)
+	GetOrgRoleAttachments(orgID string) ([]entity.OrgRoleAttachment, error)
+	GetUserByID(userID string) (*entity.User, error)
+}
+
+// grantSSHDeps bundles the side-effecting dependencies of runGrantSSH so they
+// can be replaced in tests.
+type grantSSHDeps struct {
+	goos              string
+	promptSelect      func(label string, items []string) string
+	newNodeClient     func(provider register.TokenProvider, baseURL string) nodev1connect.ExternalNodeServiceClient
+	registrationStore register.RegistrationStore
+}
+
+type resolvedMember struct {
+	user       *entity.User
+	attachment entity.OrgRoleAttachment
+}
+
+func prodGrantSSHDeps(brevHome string) grantSSHDeps {
+	return grantSSHDeps{
+		goos: runtime.GOOS,
+		promptSelect: func(label string, items []string) string {
+			return terminal.PromptSelectInput(terminal.PromptSelectContent{
+				Label: label,
+				Items: items,
+			})
+		},
+		newNodeClient:     register.NewNodeServiceClient,
+		registrationStore: register.NewFileRegistrationStore(brevHome),
+	}
+}
+
+func NewCmdGrantSSH(t *terminal.Terminal, store GrantSSHStore) *cobra.Command {
+	cmd := &cobra.Command{
+		Annotations:           map[string]string{"configuration": ""},
+		Use:                   "grant-ssh",
+		DisableFlagsInUseLine: true,
+		Short:                 "Grant SSH access to this device for another org member",
+		Long:                  "Grant SSH access to this registered device for another member of your organization.",
+		Example:               "  brev grant-ssh",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			brevHome, err := store.GetBrevHomePath()
+			if err != nil {
+				return breverrors.WrapAndTrace(err)
+			}
+			return runGrantSSH(cmd.Context(), t, store, prodGrantSSHDeps(brevHome))
+		},
+	}
+
+	return cmd
+}
+
+func runGrantSSH(ctx context.Context, t *terminal.Terminal, s GrantSSHStore, deps grantSSHDeps) error { //nolint:funlen // grant-ssh flow
+	if deps.goos != "linux" {
+		return fmt.Errorf("brev grant-ssh is only supported on Linux")
+	}
+
+	reg, err := getRegistration(deps)
+	if err != nil {
+		return breverrors.WrapAndTrace(err)
+	}
+
+	currentUser, err := s.GetCurrentUser()
+	if err != nil {
+		return breverrors.WrapAndTrace(err)
+	}
+
+	if err := checkSSHEnabled(currentUser.PublicKey); err != nil {
+		return err
+	}
+
+	u, err := user.Current()
+	if err != nil {
+		return fmt.Errorf("failed to determine current Linux user: %w", err)
+	}
+	linuxUser := u.Username
+
+	org, err := s.GetActiveOrganizationOrDefault()
+	if err != nil {
+		return breverrors.WrapAndTrace(err)
+	}
+	if org == nil {
+		return fmt.Errorf("no organization found; please create or join an organization first")
+	}
+
+	orgMembers, err := getOrgMembers(currentUser, t, s, org.ID)
+	// Resolve user details for each member.
+	if err != nil {
+		return breverrors.WrapAndTrace(err)
+	}
+
+	// Build selection list.
+	items := make([]string, len(orgMembers))
+	for i, r := range orgMembers {
+		items[i] = fmt.Sprintf("%s (%s)", r.user.Name, r.user.Email)
+	}
+
+	selected := deps.promptSelect("Select a user to grant SSH access:", items)
+
+	// Find the selected user.
+	var selectedIdx int
+	for i, item := range items {
+		if item == selected {
+			selectedIdx = i
+			break
+		}
+	}
+	selectedUser := orgMembers[selectedIdx].user
+
+	t.Vprint("")
+	t.Vprint(t.Green("Granting SSH access"))
+	t.Vprint("")
+	t.Vprintf("  Node:       %s (%s)\n", reg.DisplayName, reg.ExternalNodeID)
+	t.Vprintf("  Brev user:  %s (%s)\n", selectedUser.Name, selectedUser.ID)
+	t.Vprintf("  Linux user: %s\n", linuxUser)
+	t.Vprint("")
+
+	if selectedUser.PublicKey != "" {
+		if err := enablessh.InstallAuthorizedKey(u, selectedUser.PublicKey); err != nil {
+			t.Vprintf("  %s\n", t.Yellow(fmt.Sprintf("Warning: failed to install SSH public key: %v", err)))
+		} else {
+			t.Vprint("  Brev public key added to authorized_keys.")
+		}
+	}
+
+	client := deps.newNodeClient(s, config.GlobalConfig.GetBrevPublicAPIURL())
+	if _, err := client.GrantNodeSSHAccess(ctx, connect.NewRequest(&nodev1.GrantNodeSSHAccessRequest{
+		ExternalNodeId: reg.ExternalNodeID,
+		UserId:         selectedUser.ID,
+		LinuxUser:      linuxUser,
+		OrganizationId: reg.OrgID,
+	})); err != nil {
+		return fmt.Errorf("failed to grant SSH access: %w", err)
+	}
+
+	t.Vprint(t.Green(fmt.Sprintf("SSH access granted for %s. They can now SSH to this device via: brev shell %s", selectedUser.Name, reg.DisplayName)))
+	return nil
+}
+
+func getOrgMembers(currentUser *entity.User, t *terminal.Terminal, s GrantSSHStore, orgId string) ([]resolvedMember, error) {
+	attachments, err := s.GetOrgRoleAttachments(orgId)
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch org members: %w", err)
+	}
+
+	// Filter out current user.
+	var otherMembers []entity.OrgRoleAttachment
+	for _, a := range attachments {
+		if a.Subject != currentUser.ID {
+			otherMembers = append(otherMembers, a)
+		}
+	}
+
+	if len(otherMembers) == 0 {
+		return nil, fmt.Errorf("no other members found in current organization")
+	}
+	var resolved []resolvedMember
+	for _, m := range otherMembers {
+		memberUser, err := s.GetUserByID(m.Subject)
+		if err != nil {
+			t.Vprintf("  Warning: could not resolve user %s: %v\n", m.Subject, err)
+			continue
+		}
+		resolved = append(resolved, resolvedMember{user: memberUser, attachment: m})
+	}
+
+	if len(resolved) == 0 {
+		return nil, fmt.Errorf("could not resolve any org member details")
+	}
+
+	return resolved, nil
+}
+
+func getRegistration(deps grantSSHDeps) (*register.DeviceRegistration, error) {
+	registered, err := deps.registrationStore.Exists()
+	if err != nil {
+		return nil, breverrors.WrapAndTrace(err)
+	}
+	if !registered {
+		return nil, fmt.Errorf("no registration found; this machine does not appear to be registered\nRun 'brev register' to register your device first")
+	}
+
+	reg, err := deps.registrationStore.Load()
+	if err != nil {
+		return nil, fmt.Errorf("failed to read registration file: %w", err)
+	}
+	return reg, nil
+}
+
+// checkSSHEnabled verifies that SSH has been enabled on this device by checking
+// if the current user's public key is present in authorized_keys.
+func checkSSHEnabled(currentUserPubKey string) error {
+	currentUserPubKey = strings.TrimSpace(currentUserPubKey)
+	if currentUserPubKey == "" {
+		return fmt.Errorf("SSH has not been enabled on this device. Run 'brev enable-ssh' first.")
+	}
+
+	u, err := user.Current()
+	if err != nil {
+		return fmt.Errorf("failed to determine current Linux user: %w", err)
+	}
+
+	authKeysPath := filepath.Join(u.HomeDir, ".ssh", "authorized_keys")
+	existing, err := os.ReadFile(authKeysPath) // #nosec G304
+	if err != nil {
+		return fmt.Errorf("SSH has not been enabled on this device. Run 'brev enable-ssh' first.")
+	}
+
+	if !strings.Contains(string(existing), currentUserPubKey) {
+		return fmt.Errorf("SSH has not been enabled on this device. Run 'brev enable-ssh' first.")
+	}
+
+	return nil
+}
diff --git a/pkg/entity/entity.go b/pkg/entity/entity.go
@@ -570,6 +570,17 @@ func (u User) GetOnboardingData() (*OnboardingData, error) {
 	return x, nil
 }
 
+type OrgRoleAttachment struct {
+	Subject string                `json:"subject"`
+	Object  string                `json:"object"`
+	Role    OrgRoleAttachmentRole `json:"role"`
+}
+
+type OrgRoleAttachmentRole struct {
+	ID      string   `json:"id"`
+	Actions []string `json:"actions"`
+}
+
 type ModifyWorkspaceRequest struct {
 	WorkspaceClass    string    `json:"workspaceClassId"`
 	IsStoppable       *bool     `json:"isStoppable"`
diff --git a/pkg/store/organization.go b/pkg/store/organization.go
@@ -214,6 +214,22 @@ func GetDefaultOrNilOrg(orgs []entity.Organization) *entity.Organization {
 	}
 }
 
+func (s AuthHTTPStore) GetOrgRoleAttachments(orgID string) ([]entity.OrgRoleAttachment, error) {
+	var result []entity.OrgRoleAttachment
+	res, err := s.authHTTPClient.restyClient.R().
+		SetHeader("Content-Type", "application/json").
+		SetResult(&result).
+		Get(fmt.Sprintf("api/organizations/%s/role_attachments", orgID))
+	if err != nil {
+		return nil, breverrors.WrapAndTrace(err)
+	}
+	if res.IsError() {
+		return nil, NewHTTPResponseError(res)
+	}
+
+	return result, nil
+}
+
 type RedeemCouponCodeRequest struct {
 	Code string `json:"Code"`
 }
diff --git a/pkg/store/user.go b/pkg/store/user.go
@@ -129,6 +129,22 @@ var usersIDPathPattern = fmt.Sprintf("%s/%s", usersPath, "%s")
 
 // usersIDPath        = fmt.Sprintf(usersIDPathPattern, fmt.Sprintf("{%s}", userIDParamStr))
 
+func (s AuthHTTPStore) GetUserByID(userID string) (*entity.User, error) {
+	var result entity.User
+	res, err := s.authHTTPClient.restyClient.R().
+		SetHeader("Content-Type", "application/json").
+		SetResult(&result).
+		Get(fmt.Sprintf(usersIDPathPattern, userID))
+	if err != nil {
+		return nil, breverrors.WrapAndTrace(err)
+	}
+	if res.IsError() {
+		return nil, NewHTTPResponseError(res)
+	}
+
+	return &result, nil
+}
+
 func (s AuthHTTPStore) GetUsers(queryParams map[string]string) ([]entity.User, error) {
 	var result []entity.User
 	res, err := s.authHTTPClient.restyClient.R().
