trezor-agent/trezor_agent/__main__.py

"""SSH-agent implementation using hardware authentication devices."""
import argparse
import functools
import logging
import os
import re
import subprocess
import sys

from . import client, device, formats, protocol, server, util

log = logging.getLogger(__name__)


def ssh_args(label):
    """Create SSH command for connecting specified server."""
    identity = device.interface.string_to_identity(label)

    args = []
    if 'port' in identity:
        args += ['-p', identity['port']]
    if 'user' in identity:
        args += ['-l', identity['user']]

    return args + [identity['host']]


def create_parser():
    """Create argparse.ArgumentParser for this tool."""
    p = argparse.ArgumentParser()
    p.add_argument('-v', '--verbose', default=0, action='count')

    curve_names = [name for name in formats.SUPPORTED_CURVES]
    curve_names = ', '.join(sorted(curve_names))
    p.add_argument('-e', '--ecdsa-curve-name', metavar='CURVE',
                   default=formats.CURVE_NIST256,
                   help='specify ECDSA curve name: ' + curve_names)
    p.add_argument('--timeout',
                   default=server.UNIX_SOCKET_TIMEOUT, type=float,
                   help='Timeout for accepting SSH client connections')
    p.add_argument('--debug', default=False, action='store_true',
                   help='Log SSH protocol messages for debugging.')
    return p


def create_agent_parser():
    """Specific parser for SSH connection."""
    p = create_parser()

    g = p.add_mutually_exclusive_group()
    g.add_argument('-s', '--shell', default=False, action='store_true',
                   help='run ${SHELL} as subprocess under SSH agent')
    g.add_argument('-c', '--connect', default=False, action='store_true',
                   help='connect to specified host via SSH')
    g.add_argument('--mosh', default=False, action='store_true',
                   help='connect to specified host via using Mosh')

    p.add_argument('identity', type=str, default=None,
                   help='proto://[user@]host[:port][/path]')
    p.add_argument('command', type=str, nargs='*', metavar='ARGUMENT',
                   help='command to run under the SSH agent')
    return p


def create_git_parser():
    """Specific parser for git commands."""
    p = create_parser()

    p.add_argument('-r', '--remote', default='origin',
                   help='use this git remote URL to generate SSH identity')
    p.add_argument('-t', '--test', action='store_true',
                   help='test connection using `ssh -T user@host` command')
    p.add_argument('command', type=str, nargs='*', metavar='ARGUMENT',
                   help='Git command to run under the SSH agent')
    return p


def git_host(remote_name, attributes):
    """Extract git SSH host for specified remote name."""
    try:
        output = subprocess.check_output('git config --local --list'.split())
    except subprocess.CalledProcessError:
        return

    for attribute in attributes:
        name = r'remote.{0}.{1}'.format(remote_name, attribute)
        matches = re.findall(re.escape(name) + '=(.*)', output)
        log.debug('%r: %r', name, matches)
        if not matches:
            continue

        url = matches[0].strip()
        match = re.match('(?P<user>.*?)@(?P<host>.*?):(?P<path>.*)', url)
        if match:
            return '{user}@{host}'.format(**match.groupdict())


def run_server(conn, public_keys, command, debug, timeout):
    """Common code for run_agent and run_git below."""
    try:
        signer = conn.sign_ssh_challenge
        handler = protocol.Handler(keys=public_keys, signer=signer,
                                   debug=debug)
        with server.serve(handler=handler, timeout=timeout) as env:
            return server.run_process(command=command, environ=env)
    except KeyboardInterrupt:
        log.info('server stopped')


def handle_connection_error(func):
    """Fail with non-zero exit code."""
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        try:
            return func(*args, **kwargs)
        except IOError as e:
            log.error('Connection error: %s', e)
            return 1
    return wrapper


def parse_config(fname):
    """Parse config file into a list of Identity objects."""
    contents = open(fname).read()
    for identity_str, curve_name in re.findall(r'\<(.*?)\|(.*?)\>', contents):
        yield device.interface.Identity(identity_str=identity_str,
                                        curve_name=curve_name)


@handle_connection_error
def run_agent(client_factory=client.Client):
    """Run ssh-agent using given hardware client factory."""
    args = create_agent_parser().parse_args()
    util.setup_logging(verbosity=args.verbose)

    conn = client_factory(device=device.detect())
    if args.identity.startswith('/'):
        identities = list(parse_config(fname=args.identity))
    else:
        identities = [device.interface.Identity(
            identity_str=args.identity, curve_name=args.ecdsa_curve_name)]
    for index, identity in enumerate(identities):
        identity.identity_dict['proto'] = 'ssh'
        log.info('identity #%d: %s', index, identity)

    public_keys = [conn.get_public_key(i) for i in identities]

    if args.connect:
        command = ['ssh'] + ssh_args(args.identity) + args.command
    elif args.mosh:
        command = ['mosh'] + ssh_args(args.identity) + args.command
    else:
        command = args.command

    use_shell = bool(args.shell)
    if use_shell:
        command = os.environ['SHELL']

    if not command:
        for pk in public_keys:
            sys.stdout.write(pk)
        return

    public_keys = [formats.import_public_key(pk) for pk in public_keys]
    for pk, identity in zip(public_keys, identities):
        pk['identity'] = identity
    return run_server(conn=conn, public_keys=public_keys, command=command,
                      debug=args.debug, timeout=args.timeout)
main: add docstrings 2016-02-19 09:35:16 +00:00			`"""SSH-agent implementation using hardware authentication devices."""`
split main script code into __main__.py 2015-06-15 13:37:16 +00:00			`import argparse`
agent: handle connection errors 2016-06-11 17:26:10 +00:00			`import functools`
Fix a few pylint issues 2016-01-04 17:17:08 +00:00			`import logging`
sort imports using isort tool 2016-01-09 14:06:47 +00:00			`import os`
gpg: fixup imports 2016-04-23 19:08:18 +00:00			`import re`
main: add git identity via "origin" remote 2016-02-19 18:48:16 +00:00			`import subprocess`
sort imports using isort tool 2016-01-09 14:06:47 +00:00			`import sys`
split main script code into __main__.py 2015-06-15 13:37:16 +00:00
ssh: use new device package (instead of factory) 2016-10-28 07:53:53 +00:00			`from . import client, device, formats, protocol, server, util`
split main script code into __main__.py 2015-06-15 13:37:16 +00:00
fix PEP8 2015-06-16 07:20:11 +00:00			`log = logging.getLogger(__name__)`

sshagent: add spaces between functions 2015-06-16 07:03:48 +00:00
Fix SSH connection arguments handling 2015-11-27 07:59:06 +00:00			`def ssh_args(label):`
main: add docstrings 2016-02-19 09:35:16 +00:00			`"""Create SSH command for connecting specified server."""`
ssh: use new device package (instead of factory) 2016-10-28 07:53:53 +00:00			`identity = device.interface.string_to_identity(label)`
Fix SSH connection arguments handling 2015-11-27 07:59:06 +00:00
			`args = []`
			`if 'port' in identity:`
			`args += ['-p', identity['port']]`
			`if 'user' in identity:`
			`args += ['-l', identity['user']]`

main: add '--mosh' for better SSH client 2016-11-11 20:26:22 +00:00			`return args + [identity['host']]`
Fix SSH connection arguments handling 2015-11-27 07:59:06 +00:00

main: split argument parser 2016-03-05 08:46:36 +00:00			`def create_parser():`
main: add docstrings 2016-02-19 09:35:16 +00:00			`"""Create argparse.ArgumentParser for this tool."""`
split main script code into __main__.py 2015-06-15 13:37:16 +00:00			`p = argparse.ArgumentParser()`
agent: add --shell and --connect flags --shell: opens $SHELL as subprocess --connect: connect via SSH to specified identity's host 2015-07-04 08:22:44 +00:00			`p.add_argument('-v', '--verbose', default=0, action='count')`
agent: fix argument parser 2015-07-04 07:47:32 +00:00
formats: curve name should be a string 2016-05-05 19:28:06 +00:00			`curve_names = [name for name in formats.SUPPORTED_CURVES]`
Fix a few pylint issues 2016-01-04 17:17:08 +00:00			`curve_names = ', '.join(sorted(curve_names))`
trezor: add support for Ed25519 SSH keys 2015-10-23 09:45:32 +00:00			`p.add_argument('-e', '--ecdsa-curve-name', metavar='CURVE',`
			`default=formats.CURVE_NIST256,`
Fix a few pylint issues 2016-01-04 17:17:08 +00:00			`help='specify ECDSA curve name: ' + curve_names)`
main: add command-line argument for setting UNIX socket timeout 2016-01-16 20:14:36 +00:00			`p.add_argument('--timeout',`
			`default=server.UNIX_SOCKET_TIMEOUT, type=float,`
			`help='Timeout for accepting SSH client connections')`
server: pass handler and add debug option 2016-01-26 19:14:52 +00:00			`p.add_argument('--debug', default=False, action='store_true',`
			`help='Log SSH protocol messages for debugging.')`
main: integration identity verification 2015-07-22 10:48:15 +00:00			`return p`
fix PEP8 2015-07-21 11:38:26 +00:00
main: split git from ssh 2016-03-05 08:51:22 +00:00
main: split argument parser 2016-03-05 08:46:36 +00:00			`def create_agent_parser():`
main: split git from ssh 2016-03-05 08:51:22 +00:00			`"""Specific parser for SSH connection."""`
main: split argument parser 2016-03-05 08:46:36 +00:00			`p = create_parser()`

			`g = p.add_mutually_exclusive_group()`
			`g.add_argument('-s', '--shell', default=False, action='store_true',`
			`help='run ${SHELL} as subprocess under SSH agent')`
			`g.add_argument('-c', '--connect', default=False, action='store_true',`
			`help='connect to specified host via SSH')`
main: add '--mosh' for better SSH client 2016-11-11 20:26:22 +00:00			`g.add_argument('--mosh', default=False, action='store_true',`
			`help='connect to specified host via using Mosh')`
main: split git from ssh 2016-03-05 08:51:22 +00:00
			`p.add_argument('identity', type=str, default=None,`
			`help='proto://[user@]host[:port][/path]')`
			`p.add_argument('command', type=str, nargs='*', metavar='ARGUMENT',`
			`help='command to run under the SSH agent')`
			`return p`


			`def create_git_parser():`
			`"""Specific parser for git commands."""`
			`p = create_parser()`

			`p.add_argument('-r', '--remote', default='origin',`
			`help='use this git remote URL to generate SSH identity')`
main: add --test flag for verifying SSH configuration https://help.github.com/articles/testing-your-ssh-connection/ 2016-03-12 13:32:03 +00:00			`p.add_argument('-t', '--test', action='store_true',`
			help='test connection using `ssh -T user@host` command')
main: split git from ssh 2016-03-05 08:51:22 +00:00			`p.add_argument('command', type=str, nargs='*', metavar='ARGUMENT',`
			`help='Git command to run under the SSH agent')`
main: split argument parser 2016-03-05 08:46:36 +00:00			`return p`

split main script code into __main__.py 2015-06-15 13:37:16 +00:00
main: handle 'pushurl' and 'url' remote settings 2016-03-06 19:21:25 +00:00			`def git_host(remote_name, attributes):`
fix PEP8 & docstrings 2016-02-19 18:51:19 +00:00			`"""Extract git SSH host for specified remote name."""`
main: handle 'pushurl' and 'url' remote settings 2016-03-06 19:21:25 +00:00			`try:`
			`output = subprocess.check_output('git config --local --list'.split())`
			`except subprocess.CalledProcessError:`
			`return`

			`for attribute in attributes:`
			`name = r'remote.{0}.{1}'.format(remote_name, attribute)`
			`matches = re.findall(re.escape(name) + '=(.*)', output)`
			`log.debug('%r: %r', name, matches)`
			`if not matches:`
			`continue`

			`url = matches[0].strip()`
main: show better error when no SSH remote is found 2016-04-22 08:30:08 +00:00			`match = re.match('(?P<user>.?)@(?P<host>.?):(?P<path>.*)', url)`
			`if match:`
			`return '{user}@{host}'.format(**match.groupdict())`
main: add git identity via "origin" remote 2016-02-19 18:48:16 +00:00
fix PEP8 & docstrings 2016-02-19 18:51:19 +00:00
ssh: decouple identity from device 2016-11-03 20:00:43 +00:00			`def run_server(conn, public_keys, command, debug, timeout):`
main: add `trezor-git` entry point 2016-03-05 09:15:23 +00:00			`"""Common code for run_agent and run_git below."""`
			`try:`
client: not visual challength for SSH 2016-05-21 04:43:10 +00:00			`signer = conn.sign_ssh_challenge`
ssh: decouple identity from device 2016-11-03 20:00:43 +00:00			`handler = protocol.Handler(keys=public_keys, signer=signer,`
main: add `trezor-git` entry point 2016-03-05 09:15:23 +00:00			`debug=debug)`
			`with server.serve(handler=handler, timeout=timeout) as env:`
			`return server.run_process(command=command, environ=env)`
			`except KeyboardInterrupt:`
			`log.info('server stopped')`


agent: handle connection errors 2016-06-11 17:26:10 +00:00			`def handle_connection_error(func):`
			`"""Fail with non-zero exit code."""`
			`@functools.wraps(func)`
			`def wrapper(args, *kwargs):`
			`try:`
			`return func(args, *kwargs)`
			`except IOError as e:`
			`log.error('Connection error: %s', e)`
			`return 1`
			`return wrapper`


ssh: simple support for multiple public keys loading 2016-11-03 20:23:14 +00:00			`def parse_config(fname):`
			`"""Parse config file into a list of Identity objects."""`
			`contents = open(fname).read()`
fix pylint and tests 2016-11-03 21:29:45 +00:00			`for identity_str, curve_name in re.findall(r'\<(.?)\\|(.?)\>', contents):`
ssh: simple support for multiple public keys loading 2016-11-03 20:23:14 +00:00			`yield device.interface.Identity(identity_str=identity_str,`
			`curve_name=curve_name)`


agent: handle connection errors 2016-06-11 17:26:10 +00:00			`@handle_connection_error`
main: add `trezor-git` entry point 2016-03-05 09:15:23 +00:00			`def run_agent(client_factory=client.Client):`
main: add docstrings 2016-02-19 09:35:16 +00:00			`"""Run ssh-agent using given hardware client factory."""`
main: rename parser creator 2015-08-17 15:09:45 +00:00			`args = create_agent_parser().parse_args()`
gpg: use same logging configuration as in SSH 2016-10-18 18:02:49 +00:00			`util.setup_logging(verbosity=args.verbose)`
main: integration identity verification 2015-07-22 10:48:15 +00:00
ssh: decouple identity from device 2016-11-03 20:00:43 +00:00			`conn = client_factory(device=device.detect())`
ssh: simple support for multiple public keys loading 2016-11-03 20:23:14 +00:00			`if args.identity.startswith('/'):`
			`identities = list(parse_config(fname=args.identity))`
			`else:`
			`identities = [device.interface.Identity(`
			`identity_str=args.identity, curve_name=args.ecdsa_curve_name)]`
			`for index, identity in enumerate(identities):`
ssh: decouple identity from device 2016-11-03 20:00:43 +00:00			`identity.identity_dict['proto'] = 'ssh'`
ssh: simple support for multiple public keys loading 2016-11-03 20:23:14 +00:00			`log.info('identity #%d: %s', index, identity)`
trezor-agent: automatic support for git identity The agent uses local 'git config', and chooses the url marked as "trezor = true". 2015-07-04 18:57:57 +00:00
ssh: decouple identity from device 2016-11-03 20:00:43 +00:00			`public_keys = [conn.get_public_key(i) for i in identities]`
server: serve should be a context manager 2015-06-17 13:52:11 +00:00
ssh: use new device package (instead of factory) 2016-10-28 07:53:53 +00:00			`if args.connect:`
main: add '--mosh' for better SSH client 2016-11-11 20:26:22 +00:00			`command = ['ssh'] + ssh_args(args.identity) + args.command`
			`elif args.mosh:`
			`command = ['mosh'] + ssh_args(args.identity) + args.command`
			`else:`
			`command = args.command`
agent: add --shell and --connect flags --shell: opens $SHELL as subprocess --connect: connect via SSH to specified identity's host 2015-07-04 08:22:44 +00:00
ssh: use new device package (instead of factory) 2016-10-28 07:53:53 +00:00			`use_shell = bool(args.shell)`
			`if use_shell:`
			`command = os.environ['SHELL']`
agent: add --shell and --connect flags --shell: opens $SHELL as subprocess --connect: connect via SSH to specified identity's host 2015-07-04 08:22:44 +00:00
ssh: use new device package (instead of factory) 2016-10-28 07:53:53 +00:00			`if not command:`
ssh: decouple identity from device 2016-11-03 20:00:43 +00:00			`for pk in public_keys:`
			`sys.stdout.write(pk)`
ssh: use new device package (instead of factory) 2016-10-28 07:53:53 +00:00			`return`
server: serve should be a context manager 2015-06-17 13:52:11 +00:00
ssh: decouple identity from device 2016-11-03 20:00:43 +00:00			`public_keys = [formats.import_public_key(pk) for pk in public_keys]`
			`for pk, identity in zip(public_keys, identities):`
			`pk['identity'] = identity`
			`return run_server(conn=conn, public_keys=public_keys, command=command,`
ssh: use new device package (instead of factory) 2016-10-28 07:53:53 +00:00			`debug=args.debug, timeout=args.timeout)`