1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
20 "git.arvados.org/arvados.git/sdk/go/arvados"
21 "git.arvados.org/arvados.git/sdk/go/auth"
22 "git.arvados.org/arvados.git/sdk/go/ctxlog"
23 "git.arvados.org/arvados.git/sdk/go/httpserver"
26 // ContainerSSH returns a connection to the SSH server in the
27 // appropriate crunch-run process on the worker node where the
28 // specified container is running.
30 // If the returned error is nil, the caller is responsible for closing
32 func (conn *Conn) ContainerSSH(ctx context.Context, opts arvados.ContainerSSHOptions) (sshconn arvados.ContainerSSHConnection, err error) {
33 user, err := conn.railsProxy.UserGetCurrent(ctx, arvados.GetOptions{})
37 ctr, err := conn.railsProxy.ContainerGet(ctx, arvados.GetOptions{UUID: opts.UUID})
42 ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{conn.cluster.SystemRootToken}})
43 crs, err := conn.railsProxy.ContainerRequestList(ctxRoot, arvados.ListOptions{Limit: -1, Filters: []arvados.Filter{{"container_uuid", "=", opts.UUID}}})
47 for _, cr := range crs.Items {
48 if cr.ModifiedByUserUUID != user.UUID {
49 err = httpserver.ErrorWithStatus(errors.New("permission denied: container is associated with requests submitted by other users"), http.StatusForbidden)
53 if crs.ItemsAvailable != len(crs.Items) {
54 err = httpserver.ErrorWithStatus(errors.New("incomplete response while checking permission"), http.StatusInternalServerError)
59 case arvados.ContainerStateQueued, arvados.ContainerStateLocked:
60 err = httpserver.ErrorWithStatus(fmt.Errorf("gateway is not available, container is %s", strings.ToLower(string(ctr.State))), http.StatusServiceUnavailable)
62 case arvados.ContainerStateRunning:
63 if ctr.GatewayAddress == "" {
64 err = httpserver.ErrorWithStatus(errors.New("container is running but gateway is not available"), http.StatusServiceUnavailable)
68 err = httpserver.ErrorWithStatus(fmt.Errorf("gateway is not available, container is %s", strings.ToLower(string(ctr.State))), http.StatusGone)
71 // crunch-run uses a self-signed / unverifiable TLS
72 // certificate, so we use the following scheme to ensure we're
73 // not talking to a MITM.
75 // 1. Compute ctrKey = HMAC-SHA256(sysRootToken,ctrUUID) --
76 // this will be the same ctrKey that a-d-c supplied to
77 // crunch-run in the GatewayAuthSecret env var.
79 // 2. Compute requestAuth = HMAC-SHA256(ctrKey,serverCert) and
80 // send it to crunch-run as the X-Arvados-Authorization
81 // header, proving that we know ctrKey. (Note a MITM cannot
82 // replay the proof to a real crunch-run server, because the
83 // real crunch-run server would have a different cert.)
85 // 3. Compute respondAuth = HMAC-SHA256(ctrKey,requestAuth)
86 // and ensure the server returns it in the
87 // X-Arvados-Authorization-Response header, proving that the
88 // server knows ctrKey.
89 var requestAuth, respondAuth string
90 netconn, err := tls.Dial("tcp", ctr.GatewayAddress, &tls.Config{
91 InsecureSkipVerify: true,
92 VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
93 if len(rawCerts) == 0 {
94 return errors.New("no certificate received, cannot compute authorization header")
96 h := hmac.New(sha256.New, []byte(conn.cluster.SystemRootToken))
97 fmt.Fprint(h, opts.UUID)
98 authKey := fmt.Sprintf("%x", h.Sum(nil))
99 h = hmac.New(sha256.New, []byte(authKey))
101 requestAuth = fmt.Sprintf("%x", h.Sum(nil))
103 h.Write([]byte(requestAuth))
104 respondAuth = fmt.Sprintf("%x", h.Sum(nil))
109 err = httpserver.ErrorWithStatus(err, http.StatusBadGateway)
112 if respondAuth == "" {
113 err = httpserver.ErrorWithStatus(errors.New("BUG: no respondAuth"), http.StatusInternalServerError)
116 bufr := bufio.NewReader(netconn)
117 bufw := bufio.NewWriter(netconn)
121 Host: ctr.GatewayAddress,
124 bufw.WriteString("GET " + u.String() + " HTTP/1.1\r\n")
125 bufw.WriteString("Host: " + u.Host + "\r\n")
126 bufw.WriteString("Upgrade: ssh\r\n")
127 bufw.WriteString("X-Arvados-Target-Uuid: " + opts.UUID + "\r\n")
128 bufw.WriteString("X-Arvados-Authorization: " + requestAuth + "\r\n")
129 bufw.WriteString("X-Arvados-Detach-Keys: " + opts.DetachKeys + "\r\n")
130 bufw.WriteString("X-Arvados-Login-Username: " + opts.LoginUsername + "\r\n")
131 bufw.WriteString("\r\n")
133 resp, err := http.ReadResponse(bufr, &http.Request{Method: "GET"})
135 err = httpserver.ErrorWithStatus(fmt.Errorf("error reading http response from gateway: %w", err), http.StatusBadGateway)
139 if resp.Header.Get("X-Arvados-Authorization-Response") != respondAuth {
140 err = httpserver.ErrorWithStatus(errors.New("bad X-Arvados-Authorization-Response header"), http.StatusBadGateway)
144 if strings.ToLower(resp.Header.Get("Upgrade")) != "ssh" ||
145 strings.ToLower(resp.Header.Get("Connection")) != "upgrade" {
146 err = httpserver.ErrorWithStatus(errors.New("bad upgrade"), http.StatusBadGateway)
150 sshconn.Conn = netconn
151 sshconn.Bufrw = &bufio.ReadWriter{Reader: bufr, Writer: bufw}
152 sshconn.Logger = ctxlog.FromContext(ctx)