2016-11-14 17:26:34 +00:00
|
|
|
{- git-annex command
|
|
|
|
-
|
2022-09-26 18:48:58 +00:00
|
|
|
- Copyright 2016-2022 Joey Hess <id@joeyh.name>
|
2016-11-14 17:26:34 +00:00
|
|
|
-
|
2019-03-13 19:48:14 +00:00
|
|
|
- Licensed under the GNU AGPL version 3 or higher.
|
2016-11-14 17:26:34 +00:00
|
|
|
-}
|
|
|
|
|
2023-04-10 21:03:41 +00:00
|
|
|
{-# LANGUAGE OverloadedStrings, CPP #-}
|
2016-12-20 21:40:36 +00:00
|
|
|
|
2016-11-14 17:26:34 +00:00
|
|
|
module Command.EnableTor where
|
|
|
|
|
|
|
|
import Command
|
2016-12-24 16:49:28 +00:00
|
|
|
import qualified Annex
|
2016-11-29 21:30:27 +00:00
|
|
|
import P2P.Address
|
2016-12-30 16:31:17 +00:00
|
|
|
import P2P.Annex
|
2016-11-14 17:26:34 +00:00
|
|
|
import Utility.Tor
|
2016-11-29 21:30:27 +00:00
|
|
|
import Annex.UUID
|
2017-11-14 18:14:10 +00:00
|
|
|
#ifndef mingw32_HOST_OS
|
2020-03-30 20:03:44 +00:00
|
|
|
import Annex.Path
|
2017-11-14 18:14:10 +00:00
|
|
|
#endif
|
2016-12-24 16:49:28 +00:00
|
|
|
import P2P.IO
|
|
|
|
import qualified P2P.Protocol as P2P
|
|
|
|
import Utility.ThreadScheduler
|
2018-03-06 19:14:53 +00:00
|
|
|
import RemoteDaemon.Transport.Tor
|
2022-09-26 18:48:58 +00:00
|
|
|
import Git.Types
|
|
|
|
import Config
|
2016-12-20 21:40:36 +00:00
|
|
|
|
2016-12-24 16:49:28 +00:00
|
|
|
import Control.Concurrent.Async
|
|
|
|
import qualified Network.Socket as S
|
2016-12-20 21:40:36 +00:00
|
|
|
#ifndef mingw32_HOST_OS
|
|
|
|
import Utility.Su
|
|
|
|
import System.Posix.User
|
|
|
|
#endif
|
2016-11-14 17:26:34 +00:00
|
|
|
|
|
|
|
cmd :: Command
|
|
|
|
cmd = noCommit $ dontCheck repoExists $
|
2016-11-29 21:30:27 +00:00
|
|
|
command "enable-tor" SectionSetup "enable tor hidden service"
|
|
|
|
"uid" (withParams seek)
|
2016-11-14 17:26:34 +00:00
|
|
|
|
|
|
|
seek :: CmdParams -> CommandSeek
|
2018-10-01 18:12:06 +00:00
|
|
|
seek = withWords (commandAction . start)
|
2016-11-14 17:26:34 +00:00
|
|
|
|
2016-12-24 16:49:28 +00:00
|
|
|
-- This runs as root, so avoid making any commits or initializing
|
|
|
|
-- git-annex, or doing other things that create root-owned files.
|
2016-11-29 21:30:27 +00:00
|
|
|
start :: [String] -> CommandStart
|
2019-09-12 18:11:19 +00:00
|
|
|
#ifndef mingw32_HOST_OS
|
2016-12-20 21:40:36 +00:00
|
|
|
start os = do
|
2019-09-12 18:11:19 +00:00
|
|
|
#else
|
|
|
|
start _os = do
|
|
|
|
#endif
|
2016-12-20 21:40:36 +00:00
|
|
|
#ifndef mingw32_HOST_OS
|
2020-09-14 20:49:33 +00:00
|
|
|
let ai = ActionItemOther Nothing
|
|
|
|
let si = SeekInput []
|
2016-12-20 21:40:36 +00:00
|
|
|
curruserid <- liftIO getEffectiveUserID
|
|
|
|
if curruserid == 0
|
2019-10-21 17:46:11 +00:00
|
|
|
then case readish =<< headMaybe os of
|
|
|
|
Nothing -> giveup "Need user-id parameter."
|
|
|
|
Just userid -> go userid
|
2020-09-14 20:49:33 +00:00
|
|
|
else starting "enable-tor" ai si $ do
|
2020-03-30 20:03:44 +00:00
|
|
|
gitannex <- liftIO programPath
|
2019-10-21 17:46:11 +00:00
|
|
|
let ps = [Param (cmdname cmd), Param (show curruserid)]
|
2016-12-28 19:55:54 +00:00
|
|
|
sucommand <- liftIO $ mkSuCommand gitannex ps
|
2022-10-26 19:44:06 +00:00
|
|
|
cleanenv <- liftIO $ cleanStandaloneEnvironment
|
2023-04-10 21:03:41 +00:00
|
|
|
maybe noop (showLongNote . UnquotedString)
|
2016-12-28 19:55:54 +00:00
|
|
|
(describePasswordPrompt' sucommand)
|
2022-10-26 19:44:06 +00:00
|
|
|
ifM (liftIO $ runSuCommand sucommand cleanenv)
|
make CommandStart return a StartMessage
The goal is to be able to run CommandStart in the main thread when -J is
used, rather than unncessarily passing it off to a worker thread, which
incurs overhead that is signficant when the CommandStart is going to
quickly decide to stop.
To do that, the message it displays needs to be displayed in the worker
thread, after the CommandStart has run.
Also, the change will mean that CommandStart will no longer necessarily
run with the same Annex state as CommandPerform. While its docs already
said it should avoid modifying Annex state, I audited all the
CommandStart code as part of the conversion. (Note that CommandSeek
already sometimes runs with a different Annex state, and that has not been
a source of any problems, so I am not too worried that this change will
lead to breakage going forward.)
The only modification of Annex state I found was it calling
allowMessages in some Commands that default to noMessages. Dealt with
that by adding a startCustomOutput and a startingUsualMessages.
This lets a command start with noMessages and then select the output it
wants for each CommandStart.
One bit of breakage: onlyActionOn has been removed from commands that used it.
The plan is that, since a StartMessage contains an ActionItem,
when a Key can be extracted from that, the parallel job runner can
run onlyActionOn' automatically. Then commands won't need to worry about
this detail. Future work.
Otherwise, this was a fairly straightforward process of making each
CommandStart compile again. Hopefully other behavior changes were mostly
avoided.
In a few cases, a command had a CommandStart that called a CommandPerform
that then called showStart multiple times. I have collapsed those
down to a single start action. The main command to perhaps suffer from it
is Command.Direct, which used to show a start for each file, and no
longer does.
Another minor behavior change is that some commands used showStart
before, but had an associated file and a Key available, so were changed
to ShowStart with an ActionItemAssociatedFile. That will not change the
normal output or behavior, but --json output will now include the key.
This should not break it for anyone using a real json parser.
2019-06-06 19:42:30 +00:00
|
|
|
( next checkHiddenService
|
2016-12-20 21:40:36 +00:00
|
|
|
, giveup $ unwords $
|
|
|
|
[ "Failed to run as root:" , gitannex ] ++ toCommand ps
|
|
|
|
)
|
|
|
|
#else
|
2019-10-21 17:46:11 +00:00
|
|
|
go 0
|
2016-12-20 21:40:36 +00:00
|
|
|
#endif
|
|
|
|
where
|
2019-10-21 17:46:11 +00:00
|
|
|
go userid = do
|
2022-09-26 18:48:58 +00:00
|
|
|
-- Usually git will refuse to read local configs of a git
|
|
|
|
-- repo belonging to another user. But in this case, the
|
|
|
|
-- user wants this command, run as root, to operate on
|
|
|
|
-- their repo. Behave as if --git-dir had been used to
|
|
|
|
-- specify that the git directory is intended to be used.
|
|
|
|
Annex.adjustGitRepo $ \r -> return $ r
|
|
|
|
{ gitDirSpecifiedExplicitly = True }
|
|
|
|
reloadConfig
|
|
|
|
|
2019-10-21 17:46:11 +00:00
|
|
|
uuid <- getUUID
|
|
|
|
when (uuid == NoUUID) $
|
|
|
|
giveup "This can only be run in a git-annex repository."
|
|
|
|
(onionaddr, onionport) <- liftIO $
|
|
|
|
addHiddenService torAppName userid (fromUUID uuid)
|
|
|
|
storeP2PAddress $ TorAnnex onionaddr onionport
|
|
|
|
stop
|
2016-12-24 16:49:28 +00:00
|
|
|
|
|
|
|
checkHiddenService :: CommandCleanup
|
|
|
|
checkHiddenService = bracket setup cleanup go
|
|
|
|
where
|
|
|
|
setup = do
|
|
|
|
showLongNote "Tor hidden service is configured. Checking connection to it. This may take a few minutes."
|
|
|
|
startlistener
|
|
|
|
|
|
|
|
cleanup = liftIO . cancel
|
|
|
|
|
|
|
|
go _ = check (150 :: Int) =<< filter istoraddr <$> loadP2PAddresses
|
|
|
|
|
|
|
|
istoraddr (TorAnnex _ _) = True
|
|
|
|
|
|
|
|
check 0 _ = giveup "Still unable to connect to hidden service. It might not yet be usable by others. Please check Tor's logs for details."
|
|
|
|
check _ [] = giveup "Somehow didn't get an onion address."
|
git-annex-shell: block relay requests
connRepo is only used when relaying git upload-pack and receive-pack.
That's only supposed to be used when git-annex-remotedaemon is serving
git-remote-tor-annex connections over tor. But, it was always set, and
so could be used in other places possibly.
Fixed by making connRepo optional in the P2P protocol interface.
In Command.EnableTor, it's not needed, because it only speaks the
protocol in order to check that it's able to connect back to itself via
the hidden service. So changed that to pass Nothing rather than the git
repo.
In Remote.Helper.Ssh, it's connecting to git-annex-shell p2pstdio,
so is making the requests, so will never need connRepo.
In git-annex-shell p2pstdio, it was accepting git upload-pack and
receive-pack requests over the P2P protocol, even though nothing sent
them. This is arguably a security hole, particularly if the user has
set environment variables like GIT_ANNEX_SHELL_LIMITED to prevent
git push/pull via git-annex-shell.
2024-06-10 17:53:28 +00:00
|
|
|
check n addrs@(addr:_) =
|
2016-12-24 16:49:28 +00:00
|
|
|
-- Connect but don't bother trying to auth,
|
|
|
|
-- we just want to know if the tor circuit works.
|
git-annex-shell: block relay requests
connRepo is only used when relaying git upload-pack and receive-pack.
That's only supposed to be used when git-annex-remotedaemon is serving
git-remote-tor-annex connections over tor. But, it was always set, and
so could be used in other places possibly.
Fixed by making connRepo optional in the P2P protocol interface.
In Command.EnableTor, it's not needed, because it only speaks the
protocol in order to check that it's able to connect back to itself via
the hidden service. So changed that to pass Nothing rather than the git
repo.
In Remote.Helper.Ssh, it's connecting to git-annex-shell p2pstdio,
so is making the requests, so will never need connRepo.
In git-annex-shell p2pstdio, it was accepting git upload-pack and
receive-pack requests over the P2P protocol, even though nothing sent
them. This is arguably a security hole, particularly if the user has
set environment variables like GIT_ANNEX_SHELL_LIMITED to prevent
git push/pull via git-annex-shell.
2024-06-10 17:53:28 +00:00
|
|
|
liftIO (tryNonAsync $ connectPeer Nothing addr) >>= \case
|
2016-12-24 16:49:28 +00:00
|
|
|
Left e -> do
|
2024-04-06 13:50:58 +00:00
|
|
|
warning $ UnquotedString $ "Unable to connect to hidden service. It may not yet have propagated to the Tor network. (" ++ show e ++ ") Will retry.."
|
2016-12-24 16:49:28 +00:00
|
|
|
liftIO $ threadDelaySeconds (Seconds 2)
|
|
|
|
check (n-1) addrs
|
|
|
|
Right conn -> do
|
|
|
|
liftIO $ closeConnection conn
|
|
|
|
showLongNote "Tor hidden service is working."
|
|
|
|
return True
|
|
|
|
|
|
|
|
-- Unless the remotedaemon is already listening on the hidden
|
|
|
|
-- service's socket, start a listener. This is only run during the
|
|
|
|
-- check, and it refuses all auth attempts.
|
|
|
|
startlistener = do
|
|
|
|
u <- getUUID
|
2016-12-30 16:31:17 +00:00
|
|
|
msock <- torSocketFile
|
|
|
|
case msock of
|
2016-12-24 16:49:28 +00:00
|
|
|
Just sockfile -> ifM (liftIO $ haslistener sockfile)
|
|
|
|
( liftIO $ async $ return ()
|
git-annex-shell: block relay requests
connRepo is only used when relaying git upload-pack and receive-pack.
That's only supposed to be used when git-annex-remotedaemon is serving
git-remote-tor-annex connections over tor. But, it was always set, and
so could be used in other places possibly.
Fixed by making connRepo optional in the P2P protocol interface.
In Command.EnableTor, it's not needed, because it only speaks the
protocol in order to check that it's able to connect back to itself via
the hidden service. So changed that to pass Nothing rather than the git
repo.
In Remote.Helper.Ssh, it's connecting to git-annex-shell p2pstdio,
so is making the requests, so will never need connRepo.
In git-annex-shell p2pstdio, it was accepting git upload-pack and
receive-pack requests over the P2P protocol, even though nothing sent
them. This is arguably a security hole, particularly if the user has
set environment variables like GIT_ANNEX_SHELL_LIMITED to prevent
git push/pull via git-annex-shell.
2024-06-10 17:53:28 +00:00
|
|
|
, liftIO $ async $ runlistener sockfile u
|
2016-12-24 16:49:28 +00:00
|
|
|
)
|
|
|
|
Nothing -> giveup "Could not find socket file in Tor configuration!"
|
|
|
|
|
git-annex-shell: block relay requests
connRepo is only used when relaying git upload-pack and receive-pack.
That's only supposed to be used when git-annex-remotedaemon is serving
git-remote-tor-annex connections over tor. But, it was always set, and
so could be used in other places possibly.
Fixed by making connRepo optional in the P2P protocol interface.
In Command.EnableTor, it's not needed, because it only speaks the
protocol in order to check that it's able to connect back to itself via
the hidden service. So changed that to pass Nothing rather than the git
repo.
In Remote.Helper.Ssh, it's connecting to git-annex-shell p2pstdio,
so is making the requests, so will never need connRepo.
In git-annex-shell p2pstdio, it was accepting git upload-pack and
receive-pack requests over the P2P protocol, even though nothing sent
them. This is arguably a security hole, particularly if the user has
set environment variables like GIT_ANNEX_SHELL_LIMITED to prevent
git push/pull via git-annex-shell.
2024-06-10 17:53:28 +00:00
|
|
|
runlistener sockfile u = serveUnixSocket sockfile $ \h -> do
|
2016-12-24 16:49:28 +00:00
|
|
|
let conn = P2PConnection
|
git-annex-shell: block relay requests
connRepo is only used when relaying git upload-pack and receive-pack.
That's only supposed to be used when git-annex-remotedaemon is serving
git-remote-tor-annex connections over tor. But, it was always set, and
so could be used in other places possibly.
Fixed by making connRepo optional in the P2P protocol interface.
In Command.EnableTor, it's not needed, because it only speaks the
protocol in order to check that it's able to connect back to itself via
the hidden service. So changed that to pass Nothing rather than the git
repo.
In Remote.Helper.Ssh, it's connecting to git-annex-shell p2pstdio,
so is making the requests, so will never need connRepo.
In git-annex-shell p2pstdio, it was accepting git upload-pack and
receive-pack requests over the P2P protocol, even though nothing sent
them. This is arguably a security hole, particularly if the user has
set environment variables like GIT_ANNEX_SHELL_LIMITED to prevent
git push/pull via git-annex-shell.
2024-06-10 17:53:28 +00:00
|
|
|
{ connRepo = Nothing
|
2016-12-24 16:49:28 +00:00
|
|
|
, connCheckAuth = const False
|
2024-06-28 15:22:29 +00:00
|
|
|
, connIhdl = P2PHandle h
|
|
|
|
, connOhdl = P2PHandle h
|
2018-10-22 19:52:11 +00:00
|
|
|
, connIdent = ConnIdent Nothing
|
2016-12-24 16:49:28 +00:00
|
|
|
}
|
2018-03-12 19:19:40 +00:00
|
|
|
runst <- mkRunState Client
|
|
|
|
void $ runNetProto runst conn $ P2P.serveAuth u
|
2016-12-24 16:49:28 +00:00
|
|
|
hClose h
|
|
|
|
|
|
|
|
haslistener sockfile = catchBoolIO $ do
|
|
|
|
soc <- S.socket S.AF_UNIX S.Stream S.defaultProtocol
|
|
|
|
S.connect soc (S.SockAddrUnix sockfile)
|
|
|
|
S.close soc
|
|
|
|
return True
|