vervis/src/Vervis/Ssh.hs

{- This file is part of Vervis.
 -
 - Written in 2016 by fr33domlover <fr33domlover@riseup.net>.
 -
 - ♡ Copying is an act of love. Please copy, reuse and share.
 -
 - The author(s) have dedicated all copyright and related and neighboring
 - rights to this software to the public domain worldwide. This software is
 - distributed without any warranty.
 -
 - You should have received a copy of the CC0 Public Domain Dedication along
 - with this software. If not, see
 - <http://creativecommons.org/publicdomain/zero/1.0/>.
 -}

module Vervis.Ssh
    ( runSsh
    )
where

import Prelude

import Control.Monad (when)
import Control.Monad.IO.Class (liftIO)
import Control.Monad.Logger
import Control.Monad.Trans.Class (lift)
import Control.Monad.Trans.Reader (ReaderT (runReaderT), ask)
import Data.ByteString (ByteString)
import Data.ByteString.Lazy (fromStrict)
import Data.Foldable (find)
import Data.Text (Text, pack, unpack)
import Database.Persist
import Database.Persist.Sql (SqlBackend, ConnectionPool, runSqlPool)
import Network.SSH
import Network.SSH.Channel
import Network.SSH.Crypto
import Network.SSH.Session
import Yesod.Default.Main (LogFunc)

import Vervis.Model
import Vervis.Settings

-- TODO:
-- [ ] See which git commands gitolite SSH supports and see if I can implement
--     them with Hit (i think it was git upload-pack)

type ChannelBase = LoggingT (ReaderT ConnectionPool IO)
type SessionBase = LoggingT (ReaderT ConnectionPool IO)
--type UserAuthId = PersonId
type Backend = SqlBackend

type Channel = ChannelT {-UserAuthId-} ChannelBase
type Session = SessionT SessionBase {-UserAuthId-} ChannelBase
type SshChanDB = ReaderT Backend Channel
type SshSessDB = ReaderT Backend Session

src :: Text
src = "SSH"

runChanDB :: SshChanDB a -> Channel a
runChanDB action = do
    pool <- lift . lift $ ask
    runSqlPool action pool

runSessDB :: SshSessDB a -> Session a
runSessDB action = do
    pool <- lift . lift $ ask
    runSqlPool action pool

chanFail :: Bool -> Text -> Channel ()
chanFail wantReply msg = do
    channelError $ unpack msg
    when wantReply channelFail

authorize :: Authorize -> Session Bool -- (AuthResult UserAuthId)
authorize (Password  _    _)   = return False -- AuthFail
authorize (PublicKey name key) = do
    mpk <- runSessDB $ do
        mp <- getBy $ UniquePersonLogin $ pack name
        case mp of
            Nothing              -> return Nothing
            Just (Entity pid _p) -> do
                ks <- selectList [SshKeyPerson ==. pid] []
                return $ Just (pid, ks)
    case mpk of
        Nothing -> do
            $logInfoS src "Auth failed: Invalid user"
            return False -- AuthFail
        Just (pid, keys) -> do
            let eValue (Entity _ v) = v
                matches =
                    (== key) . blobToKey . fromStrict . sshKeyContent . eValue
            case find matches keys of
                Nothing -> do
                    $logInfoS src "Auth failed: No matching key found"
                    return False -- AuthFail
                Just match -> do
                    $logInfoS src "Auth succeeded"
                    return True -- $ AuthSuccess pid

data Action = UploadPack () deriving Show

detectAction :: ChannelRequest -> Maybe Action
detectAction _ = Nothing

runAction :: Bool -> Action -> Channel (Maybe Text)
runAction _wantReply action =
    case action of
        UploadPack repo -> return $ Just "Doesn't work yet"

handle :: Bool -> ChannelRequest -> Channel ()
handle wantReply request = do
    $logDebugS src $ pack $ show request
    case detectAction request of
        Nothing  -> err "Unsupported request"
        Just act -> do
            $logDebugS src $ pack $ show act
            res <- runAction wantReply act
            case res of
                Nothing  -> do
                    when wantReply channelSuccess
                    channelDone
                Just msg -> err msg
    where
    err = chanFail wantReply

ready :: LogFunc -> IO ()
ready = runLoggingT $ $logInfoS src "SSH server component starting"

mkConfig
    :: AppSettings
    -> ConnectionPool
    -> LogFunc
    -> IO (Config SessionBase ChannelBase {-UserAuthId-})
mkConfig settings pool logFunc = do
    keyPair <- keyPairFromFile $ appSshKeyFile settings
    return $ Config
        { cSession     = SessionConfig
            { scAuthMethods  = ["publickey"]
            , scAuthorize    = authorize
            , scKeyPair      = keyPair
            , scRunBaseMonad =
                flip runReaderT pool . flip runLoggingT logFunc
            }
        , cChannel     = ChannelConfig
            { ccRequestHandler = handle
            , ccRunBaseMonad   =
                flip runReaderT pool . flip runLoggingT logFunc
            }
        , cPort        = fromIntegral $ appSshPort settings
        , cReadyAction = ready logFunc
        }

runSsh :: AppSettings -> ConnectionPool -> LogFunc -> IO ()
runSsh settings pool logFunc = do
    config <- mkConfig settings pool logFunc
    startConfig config