Base implementation of a Gocrypt SFTP proxy server

Right now still a proof-of-concept to show that adding a caching
and decryption layer on top of SFTP greatly improves syncingperformance
over mounting a FUSE decryption layer on top of a FUSE SFTP layer.

Actual modifications to the underlying FS not supported yet.

Author: flawedmatrix

.gitignore

@@ -0,0 +1 @@
+.vscode

backend/pool.go

@@ -0,0 +1,80 @@
+package backend
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/pkg/sftp"
+	"golang.org/x/crypto/ssh"
+)
+
+type conn struct {
+	sshConn  *ssh.Client
+	sftpConn *sftp.Client
+}
+
+func newConn(remoteAddr string, clientConfig *ssh.ClientConfig) (*conn, error) {
+	sshClient, err := ssh.Dial("tcp", remoteAddr, clientConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to remote server %s", err)
+	}
+	sftpClient, err := sftp.NewClient(sshClient)
+	if err != nil {
+		sshClient.Close()
+		return nil, fmt.Errorf("could not open sftp session to remote %s", err)
+	}
+	c := &conn{
+		sshConn:  sshClient,
+		sftpConn: sftpClient,
+	}
+
+	return c, nil
+}
+
+func (c *conn) Close() {
+	if c.sshConn != nil {
+		_ = c.sshConn.Close()
+	}
+	if c.sftpConn != nil {
+		_ = c.sftpConn.Close()
+	}
+}
+
+type pool struct {
+	conns chan *conn
+
+	remoteAddr   string
+	clientConfig *ssh.ClientConfig
+}
+
+func newPool(capacity uint32, remoteAddr string, clientConfig *ssh.ClientConfig) *pool {
+	return &pool{
+		conns: make(chan *conn, capacity),
+
+		remoteAddr:   remoteAddr,
+		clientConfig: clientConfig,
+	}
+}
+
+func (p *pool) Get() (*conn, error) {
+	select {
+	case c := <-p.conns:
+		if c == nil {
+			return nil, errors.New("pool is closed")
+		}
+		return c, nil
+	default:
+		return newConn(p.remoteAddr, p.clientConfig)
+	}
+}
+
+func (p *pool) Put(c *conn) {
+	if c == nil {
+		return
+	}
+	select {
+	case p.conns <- c:
+	default:
+		c.Close()
+	}
+}

backend/provider.go

@@ -0,0 +1,98 @@
+package backend
+
+import (
+	"bytes"
+	"log"
+	"os"
+
+	"golang.org/x/crypto/ssh"
+)
+
+// Provider provides the ability to make requests to a backend through a pool
+// of connections. This package does not provide goroutines on top of
+// connections; if you make multiple calls to ReadFile in a single goroutine,
+// it's basically the same thing as calling ReadFile on a connection in serial.
+// What this package does provide is a guarantee that if you call ReadFile from
+// multiple goroutines, no two concurrent calls will share the same connection.
+type Provider struct {
+	p *pool
+}
+
+// NewProvider creates a new instance of a Provider
+func NewProvider(remoteAddr string, clientConfig *ssh.ClientConfig, logger *log.Logger) *Provider {
+	return &Provider{
+		p: newPool(32, remoteAddr, clientConfig),
+	}
+}
+
+// ReadFile acquires a connection from the connection pool and calls ReadFile
+// on the acquired SFTP connection.
+func (p *Provider) ReadFile(path string) ([]byte, error) {
+	c, err := p.p.Get()
+	if err != nil {
+		return nil, err
+	}
+	file, err := c.sftpConn.Open(path)
+	if err != nil {
+		// Test the underlying ssh connection to see if it's still okay.
+		_, _, sshErr := c.sshConn.SendRequest("ping", true, nil)
+		if sshErr != nil {
+			c.Close()
+		} else {
+			p.p.Put(c)
+		}
+		return nil, err
+	}
+	defer p.p.Put(c)
+	defer func() { _ = file.Close() }()
+	buf := new(bytes.Buffer)
+	_, err = file.WriteTo(buf)
+	if err != nil {
+		return nil, err
+	}
+	return buf.Bytes(), nil
+}
+
+// ReadDir acquires a connection from the connection pool and calls ReadDir
+// on the acquired SFTP connection.
+func (p *Provider) ReadDir(path string) ([]os.FileInfo, error) {
+	c, err := p.p.Get()
+	if err != nil {
+		return nil, err
+	}
+	listing, err := c.sftpConn.ReadDir(path)
+	if err != nil {
+		// Test the underlying ssh connection to see if it's still okay.
+		_, _, sshErr := c.sshConn.SendRequest("ping", true, nil)
+		if sshErr != nil {
+			c.Close()
+		} else {
+			p.p.Put(c)
+		}
+		return nil, err
+	}
+	p.p.Put(c)
+	return listing, nil
+}
+
+// Stat acquires a connection from the connection pool and calls Stat
+// on the acquired SFTP connection.
+func (p *Provider) Stat(path string) (os.FileInfo, error) {
+	c, err := p.p.Get()
+	if err != nil {
+		return nil, err
+	}
+	stat, err := c.sftpConn.Stat(path)
+	if err != nil {
+		// Test the underlying ssh connection to see if it's still okay.
+		_, _, sshErr := c.sshConn.SendRequest("ping", true, nil)
+		if sshErr != nil {
+			c.Close()
+		} else {
+			p.p.Put(c)
+		}
+		return nil, err
+	}
+	p.p.Put(c)
+	return stat, nil
+}

config/config.go

@@ -0,0 +1,98 @@
+package config
+
+import (
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"io/ioutil"
+	"syscall"
+
+	"gopkg.in/go-playground/validator.v9"
+
+	"golang.org/x/crypto/ssh"
+	"golang.org/x/crypto/ssh/terminal"
+)
+
+type RemoteConfig struct {
+	Addr           string `validate:"required"`
+	FileRoot       string `validate:"required"`
+	User           string `validate:"required"`
+	PrivateKeyPath string `validate:"required,file"`
+}
+
+type Config struct {
+	ProxyUser      string `validate:"required"`
+	ProxyPassword  string `validate:"required"`
+	KnownHostsPath string `validate:"required,file"`
+
+	Remote RemoteConfig
+}
+
+type PasswordReader interface {
+	ReadPassword(prompt string) ([]byte, error)
+}
+
+var pwReader PasswordReader = stdinPasswordReader{}
+
+type stdinPasswordReader struct{}
+
+func (s stdinPasswordReader) ReadPassword(prompt string) ([]byte, error) {
+	fmt.Print(prompt)
+	pass, err := terminal.ReadPassword(int(syscall.Stdin))
+	fmt.Println("")
+	return pass, err
+}
+
+func LoadConfig(path string) (*Config, error) {
+	configBytes, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	cfg := Config{}
+	err = json.Unmarshal(configBytes, &cfg)
+	if err != nil {
+		return nil, err
+	}
+	return &cfg, nil
+}
+
+func (c *Config) Validate() error {
+	validate := validator.New()
+	return validate.Struct(c)
+}
+
+func (c *Config) LoadSSHKey() (ssh.Signer, error) {
+	privateBytes, err := ioutil.ReadFile(c.Remote.PrivateKeyPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load private key: %s", err)
+	}
+	if isPrivateKeyEncrypted(privateBytes) {
+		for i := 0; i < 3; i++ {
+			prompt := fmt.Sprintf("Enter passphrase for key '%s': ", c.Remote.PrivateKeyPath)
+			passphrase, err := pwReader.ReadPassword(prompt)
+			if err != nil {
+				return nil, err
+			}
+			signer, err := ssh.ParsePrivateKeyWithPassphrase(privateBytes, []byte(passphrase))
+			if err == nil {
+				return signer, nil
+			} else if err != x509.IncorrectPasswordError {
+				return nil, err
+			}
+		}
+		return nil, x509.IncorrectPasswordError
+	}
+
+	return ssh.ParsePrivateKey(privateBytes)
+}
+
+func isPrivateKeyEncrypted(key []byte) bool {
+	block, _ := pem.Decode(key)
+	return x509.IsEncryptedPEMBlock(block)
+}
+
+func (c *Config) GetDecrpytionPassphrase() ([]byte, error) {
+	prompt := fmt.Sprintf("Enter passphrase for gocryptfs root at '%s': ", c.Remote.FileRoot)
+	return pwReader.ReadPassword(prompt)
+}

config/config_suite_test.go

@@ -0,0 +1,13 @@
+package config_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func TestConfig(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Config Suite")
+}