Compare commits
60
Commits
v1.0.0-rc23
..
main
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
be98fb8d91 | ||
|
|
0125966d2a | ||
|
|
8b33a5d20b | ||
|
|
bbf45db0f6 | ||
|
|
d8cc462077 | ||
|
|
4954059c6e | ||
|
|
b1cc6bf8ae | ||
|
|
bf50b38ce2 | ||
|
|
dccd648ac9 | ||
|
|
3ab314698b | ||
|
|
c4301f192c | ||
|
|
7ebc6533a7 | ||
|
|
e67e06ebb5 | ||
|
|
fbedd54eaa | ||
|
|
247a1669ce | ||
|
|
de179dd3e9 | ||
|
|
7184b42b7a | ||
|
|
17cc1f6131 | ||
|
|
4b82334e02 | ||
|
|
b9d8b32ff1 | ||
|
|
52a319fe9d | ||
|
|
6bca98d1ce | ||
|
|
ab256285d1 | ||
|
|
b076a84dc7 | ||
|
|
c0b9e17214 | ||
|
|
0bc2a05586 | ||
|
|
c29c43d4db | ||
|
|
6f055e9fc1 | ||
|
|
306a636e32 | ||
|
|
a529061e58 | ||
|
|
5a85e6508d | ||
|
|
efddd1544e | ||
|
|
0a05c68e94 | ||
|
|
695f356411 | ||
|
|
fca1f9a08e | ||
|
|
7f48af45cd | ||
|
|
ae619c6a78 | ||
|
|
bea4674700 | ||
|
|
c9332f707d | ||
|
|
d883e1cdb2 | ||
|
|
e061b11974 | ||
|
|
0f2cb82be6 | ||
|
|
f74495765f | ||
|
|
b2c407ab6e | ||
|
|
4b9d05a185 | ||
|
|
3d5bb126c5 | ||
|
|
37632a96b7 | ||
|
|
e69be4fdf0 | ||
|
|
fdbd58b628 | ||
|
|
c65aba9d7a | ||
|
|
818b481154 | ||
|
|
70650e221b | ||
|
|
01e8870578 | ||
|
|
99d54899bd | ||
|
|
80e922957e | ||
|
|
1dcb33550e | ||
|
|
2c5b9ab30d | ||
|
|
bfe75dfbd2 | ||
|
|
4ea05fc14f | ||
|
|
bae0d0ed56 |
@@ -15,8 +15,14 @@ jobs:
|
|||||||
- uses: dtolnay/rust-toolchain@stable
|
- uses: dtolnay/rust-toolchain@stable
|
||||||
- name: Format check
|
- name: Format check
|
||||||
run: cargo fmt -- --check
|
run: cargo fmt -- --check
|
||||||
|
- name: Shell syntax check
|
||||||
|
run: sh -n install.sh scripts/*.sh
|
||||||
|
- name: Clippy
|
||||||
|
run: cargo clippy --all-targets -- -D warnings
|
||||||
- name: Test
|
- name: Test
|
||||||
run: cargo test
|
run: cargo test --all-targets
|
||||||
|
- name: TUI harness
|
||||||
|
run: sh scripts/tui-harness.sh
|
||||||
- name: Build release
|
- name: Build release
|
||||||
run: cargo build --release
|
run: cargo build --release
|
||||||
- name: Docker SSH benchmark gate
|
- name: Docker SSH benchmark gate
|
||||||
@@ -86,6 +92,39 @@ jobs:
|
|||||||
target/dosh-release/dosh-*
|
target/dosh-release/dosh-*
|
||||||
!target/dosh-release/stage/**
|
!target/dosh-release/stage/**
|
||||||
|
|
||||||
|
publish-gitea-release:
|
||||||
|
if: github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/')
|
||||||
|
needs: package-release
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
env:
|
||||||
|
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
|
||||||
|
GITEA_URL: ${{ secrets.GITEA_URL || 'https://git.palav.dev' }}
|
||||||
|
GITEA_REPO: ${{ secrets.GITEA_REPO || 'Palav/dosh' }}
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- uses: actions/download-artifact@v4
|
||||||
|
with:
|
||||||
|
pattern: dosh-*
|
||||||
|
path: target/dosh-release
|
||||||
|
merge-multiple: true
|
||||||
|
- name: Verify release artifacts
|
||||||
|
run: sh scripts/verify-release-artifacts.sh
|
||||||
|
- name: Skip Gitea upload without token
|
||||||
|
if: env.GITEA_TOKEN == ''
|
||||||
|
run: echo "GITEA_TOKEN secret is not configured; release artifacts were verified but not uploaded."
|
||||||
|
- name: Upload Gitea release assets
|
||||||
|
if: env.GITEA_TOKEN != ''
|
||||||
|
run: |
|
||||||
|
set -eu
|
||||||
|
case "$GITHUB_REF" in
|
||||||
|
refs/tags/*) tag="${GITHUB_REF_NAME}" ;;
|
||||||
|
*)
|
||||||
|
version="$(sed -n 's/^version = "\(.*\)"/\1/p' Cargo.toml | sed -n '1p')"
|
||||||
|
tag="v$version"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
scripts/upload-gitea-release.sh "$tag"
|
||||||
|
|
||||||
remote-bench:
|
remote-bench:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
env:
|
env:
|
||||||
|
|||||||
Generated
+1
-1
@@ -436,7 +436,7 @@ dependencies = [
|
|||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "dosh"
|
name = "dosh"
|
||||||
version = "1.0.0-rc23"
|
version = "1.0.0-rc42"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"anyhow",
|
"anyhow",
|
||||||
"base64",
|
"base64",
|
||||||
|
|||||||
+1
-1
@@ -1,6 +1,6 @@
|
|||||||
[package]
|
[package]
|
||||||
name = "dosh"
|
name = "dosh"
|
||||||
version = "1.0.0-rc23"
|
version = "1.0.0-rc42"
|
||||||
edition = "2024"
|
edition = "2024"
|
||||||
license = "MIT"
|
license = "MIT"
|
||||||
|
|
||||||
|
|||||||
@@ -4,7 +4,7 @@ build:
|
|||||||
cargo build --release
|
cargo build --release
|
||||||
|
|
||||||
test:
|
test:
|
||||||
cargo test
|
cargo test --all-targets
|
||||||
|
|
||||||
fmt:
|
fmt:
|
||||||
cargo fmt
|
cargo fmt
|
||||||
@@ -16,18 +16,18 @@ release-check:
|
|||||||
cargo fmt --check
|
cargo fmt --check
|
||||||
sh -n install.sh scripts/*.sh
|
sh -n install.sh scripts/*.sh
|
||||||
cargo clippy --all-targets -- -D warnings
|
cargo clippy --all-targets -- -D warnings
|
||||||
cargo test
|
cargo test --all-targets
|
||||||
$(MAKE) tui-harness
|
$(MAKE) tui-harness
|
||||||
|
|
||||||
1.0-check: release-check reconnect-check hostile-network-check persistence-check package-check
|
1.0-check: release-check reconnect-check hostile-network-check persistence-check package-check
|
||||||
|
|
||||||
reconnect-check:
|
reconnect-check:
|
||||||
cargo test --test integration_smoke resume_updates_udp_endpoint_for_roaming -- --nocapture
|
cargo test --test integration_smoke resume_updates_udp_endpoint_for_roaming -- --nocapture
|
||||||
DOSH_SOAK_SECONDS=$${DOSH_SOAK_SECONDS:-300} cargo test --test integration_smoke sleep_roaming_soak_30m -- --ignored --nocapture
|
DOSH_SOAK_SECONDS=$${DOSH_SOAK_SECONDS:-1800} cargo test --test integration_smoke sleep_roaming_soak_30m -- --ignored --nocapture
|
||||||
|
|
||||||
hostile-network-check:
|
hostile-network-check:
|
||||||
cargo test --test hostile_network -- --nocapture
|
cargo test --test hostile_network -- --nocapture
|
||||||
DOSH_BADNET_SOAK_SECONDS=$${DOSH_BADNET_SOAK_SECONDS:-300} cargo test --test hostile_network bad_network_tui_work_soak_30m -- --ignored --nocapture
|
DOSH_BADNET_SOAK_SECONDS=$${DOSH_BADNET_SOAK_SECONDS:-1800} cargo test --test hostile_network bad_network_tui_work_soak_30m -- --ignored --nocapture
|
||||||
|
|
||||||
persistence-check:
|
persistence-check:
|
||||||
cargo test --test integration_smoke session_survives_server_restart_same_shell_and_screen -- --nocapture
|
cargo test --test integration_smoke session_survives_server_restart_same_shell_and_screen -- --nocapture
|
||||||
|
|||||||
@@ -68,6 +68,32 @@ dosh restart HOST
|
|||||||
Agent forwarding is opt-in with `-A` and must also be enabled on the server.
|
Agent forwarding is opt-in with `-A` and must also be enabled on the server.
|
||||||
File copy must be enabled by the server config.
|
File copy must be enabled by the server config.
|
||||||
|
|
||||||
|
## Tracing
|
||||||
|
|
||||||
|
For terminal/reconnect bugs, run a client with:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
dosh trace HOST
|
||||||
|
```
|
||||||
|
|
||||||
|
The client log path is printed before the session starts. To choose it:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
dosh trace --client-log /tmp/dosh-client.log HOST
|
||||||
|
```
|
||||||
|
|
||||||
|
Summarize collected traces with:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
dosh trace report HOST --client-log /tmp/dosh-client.log
|
||||||
|
```
|
||||||
|
|
||||||
|
When `HOST` is given, Dosh fetches `/tmp/dosh-server.log` over SSH before
|
||||||
|
building the report. Set `DOSH_TRACE=/tmp/dosh-server.log` on `dosh-server` for
|
||||||
|
matching server events. Reports default to the latest traced client/server
|
||||||
|
process run; add `--all-runs` to include older appended log entries. Trace byte
|
||||||
|
prefixes are enabled for `dosh trace`, so use it only for short reproductions.
|
||||||
|
|
||||||
## VS Code
|
## VS Code
|
||||||
|
|
||||||
Dosh can carry VS Code Remote-SSH through its transport:
|
Dosh can carry VS Code Remote-SSH through its transport:
|
||||||
@@ -108,6 +134,10 @@ dosh_host = "prod.example.com"
|
|||||||
port = 50000
|
port = 50000
|
||||||
```
|
```
|
||||||
|
|
||||||
|
`ProxyJump` and `ProxyCommand` can be used for SSH setup, but the Dosh UDP
|
||||||
|
endpoint still has to be reachable directly from the client. Set `dosh_host` to
|
||||||
|
the reachable UDP hostname or IP when it differs from the SSH alias target.
|
||||||
|
|
||||||
## Rust Library
|
## Rust Library
|
||||||
|
|
||||||
Dosh exposes a Rust transport for encrypted, reconnecting application streams.
|
Dosh exposes a Rust transport for encrypted, reconnecting application streams.
|
||||||
|
|||||||
+192
-9
@@ -11,6 +11,7 @@ param(
|
|||||||
[string]$BinaryBase = $env:DOSH_BINARY_BASE,
|
[string]$BinaryBase = $env:DOSH_BINARY_BASE,
|
||||||
[string]$BinaryName = $env:DOSH_BINARY_NAME,
|
[string]$BinaryName = $env:DOSH_BINARY_NAME,
|
||||||
[string]$BinaryVersion = $(if ($env:DOSH_BINARY_VERSION) { $env:DOSH_BINARY_VERSION } else { "latest" }),
|
[string]$BinaryVersion = $(if ($env:DOSH_BINARY_VERSION) { $env:DOSH_BINARY_VERSION } else { "latest" }),
|
||||||
|
[string]$UpdateCache = $(if ($env:DOSH_UPDATE_CACHE) { $env:DOSH_UPDATE_CACHE } else { Join-Path $HOME ".cache\dosh\source" }),
|
||||||
[switch]$BinaryRequired = $($env:DOSH_BINARY_REQUIRED -and $env:DOSH_BINARY_REQUIRED -ne "0"),
|
[switch]$BinaryRequired = $($env:DOSH_BINARY_REQUIRED -and $env:DOSH_BINARY_REQUIRED -ne "0"),
|
||||||
[switch]$ForceConfig
|
[switch]$ForceConfig
|
||||||
)
|
)
|
||||||
@@ -100,14 +101,127 @@ function Release-LatestTagDownloadUrl {
|
|||||||
return $null
|
return $null
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function Version-Core($Value) {
|
||||||
|
$base = $Value.TrimStart("v").Split("+")[0]
|
||||||
|
$base.Split("-")[0]
|
||||||
|
}
|
||||||
|
|
||||||
|
function Version-Prerelease($Value) {
|
||||||
|
$base = $Value.TrimStart("v").Split("+")[0]
|
||||||
|
$dash = $base.IndexOf("-")
|
||||||
|
if ($dash -lt 0) {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
$base.Substring($dash + 1).ToLowerInvariant()
|
||||||
|
}
|
||||||
|
|
||||||
|
function Version-Parts($Value) {
|
||||||
|
[regex]::Matches((Version-Core $Value), "\d+") | ForEach-Object { [int64]$_.Value }
|
||||||
|
}
|
||||||
|
|
||||||
|
function Compare-Prerelease($Left, $Right) {
|
||||||
|
if (-not $Left -and -not $Right) {
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
if (-not $Left) {
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
if (-not $Right) {
|
||||||
|
return -1
|
||||||
|
}
|
||||||
|
if ($Left -eq $Right) {
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
if ($Left -match "(?i)^rc(\d+)$" -and $Right -match "(?i)^rc(\d+)$") {
|
||||||
|
$leftRc = [int64]([regex]::Match($Left, "(?i)^rc(\d+)$").Groups[1].Value)
|
||||||
|
$rightRc = [int64]([regex]::Match($Right, "(?i)^rc(\d+)$").Groups[1].Value)
|
||||||
|
return $leftRc.CompareTo($rightRc)
|
||||||
|
}
|
||||||
|
return [string]::CompareOrdinal($Left, $Right)
|
||||||
|
}
|
||||||
|
|
||||||
|
function Compare-DoshVersion($Left, $Right) {
|
||||||
|
$leftParts = @(Version-Parts $Left)
|
||||||
|
$rightParts = @(Version-Parts $Right)
|
||||||
|
$width = [Math]::Max($leftParts.Count, $rightParts.Count)
|
||||||
|
for ($i = 0; $i -lt $width; $i++) {
|
||||||
|
$l = if ($i -lt $leftParts.Count) { $leftParts[$i] } else { 0 }
|
||||||
|
$r = if ($i -lt $rightParts.Count) { $rightParts[$i] } else { 0 }
|
||||||
|
if ($l -lt $r) { return -1 }
|
||||||
|
if ($l -gt $r) { return 1 }
|
||||||
|
}
|
||||||
|
return Compare-Prerelease (Version-Prerelease $Left) (Version-Prerelease $Right)
|
||||||
|
}
|
||||||
|
|
||||||
|
function Current-SourceVersion {
|
||||||
|
if (Test-Path "Cargo.toml") {
|
||||||
|
$raw = Get-Content "Cargo.toml" -Raw
|
||||||
|
} else {
|
||||||
|
$web = Repo-WebBase $Repo
|
||||||
|
if (-not $web) {
|
||||||
|
return $null
|
||||||
|
}
|
||||||
|
try {
|
||||||
|
$raw = (Invoke-WebRequest -UseBasicParsing -Uri "$web/raw/branch/main/Cargo.toml").Content
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
return $null
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if ($raw -match '(?m)^version = "([^"]+)"') {
|
||||||
|
return $Matches[1]
|
||||||
|
}
|
||||||
|
return $null
|
||||||
|
}
|
||||||
|
|
||||||
|
function Latest-ReleaseTag {
|
||||||
|
$web = Repo-WebBase $Repo
|
||||||
|
if (-not $web) {
|
||||||
|
return $null
|
||||||
|
}
|
||||||
|
try {
|
||||||
|
$response = Invoke-WebRequest -UseBasicParsing -Uri "$web/releases/latest" -MaximumRedirection 5
|
||||||
|
$effective = $null
|
||||||
|
if ($response.BaseResponse.ResponseUri) {
|
||||||
|
$effective = $response.BaseResponse.ResponseUri.AbsoluteUri
|
||||||
|
} elseif ($response.BaseResponse.RequestMessage -and $response.BaseResponse.RequestMessage.RequestUri) {
|
||||||
|
$effective = $response.BaseResponse.RequestMessage.RequestUri.AbsoluteUri
|
||||||
|
}
|
||||||
|
$prefix = "$web/releases/tag/"
|
||||||
|
if ($effective -and $effective.StartsWith($prefix)) {
|
||||||
|
return $effective.Substring($prefix.Length)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
return $null
|
||||||
|
}
|
||||||
|
return $null
|
||||||
|
}
|
||||||
|
|
||||||
|
function Latest-ReleaseIsStale {
|
||||||
|
if ($BinaryUrl -or $BinaryBase -or $BinaryVersion -ne "latest") {
|
||||||
|
return $false
|
||||||
|
}
|
||||||
|
$latest = Latest-ReleaseTag
|
||||||
|
$current = Current-SourceVersion
|
||||||
|
if (-not $latest -or -not $current) {
|
||||||
|
return $false
|
||||||
|
}
|
||||||
|
$latestVersion = $latest.TrimStart("v")
|
||||||
|
if ((Compare-DoshVersion $latestVersion $current) -lt 0) {
|
||||||
|
Write-Warning "latest release $latestVersion is older than source $current; skipping stale prebuilt"
|
||||||
|
return $true
|
||||||
|
}
|
||||||
|
return $false
|
||||||
|
}
|
||||||
|
|
||||||
function Verify-ArchiveChecksum($Url, $Archive) {
|
function Verify-ArchiveChecksum($Url, $Archive) {
|
||||||
$checksumPath = "$Archive.sha256"
|
$checksumPath = "$Archive.sha256"
|
||||||
try {
|
try {
|
||||||
Invoke-WebRequest -UseBasicParsing -Uri "$Url.sha256" -OutFile $checksumPath
|
Invoke-WebRequest -UseBasicParsing -Uri "$Url.sha256" -OutFile $checksumPath
|
||||||
}
|
}
|
||||||
catch {
|
catch {
|
||||||
Write-Warning "prebuilt checksum unavailable; continuing without sidecar verification"
|
throw "prebuilt checksum unavailable; refusing unverified binary for $Url"
|
||||||
return
|
|
||||||
}
|
}
|
||||||
$expected = ((Get-Content $checksumPath -Raw).Trim() -split "\s+")[0].ToLowerInvariant()
|
$expected = ((Get-Content $checksumPath -Raw).Trim() -split "\s+")[0].ToLowerInvariant()
|
||||||
$actual = (Get-FileHash -Algorithm SHA256 $Archive).Hash.ToLowerInvariant()
|
$actual = (Get-FileHash -Algorithm SHA256 $Archive).Hash.ToLowerInvariant()
|
||||||
@@ -155,11 +269,44 @@ function Install-Binary($Source, $Destination) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function Normalize-PathForCompare($Path) {
|
||||||
|
[System.IO.Path]::GetFullPath($Path).TrimEnd(
|
||||||
|
[System.IO.Path]::DirectorySeparatorChar,
|
||||||
|
[System.IO.Path]::AltDirectorySeparatorChar
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
function Assert-NoRelativePathSegments($Path) {
|
||||||
|
foreach ($segment in ($Path -split '[\\/]')) {
|
||||||
|
if ($segment -eq "." -or $segment -eq "..") {
|
||||||
|
throw "refusing unsafe update cache path: $Path"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
function Assert-SafeUpdateCache($Path) {
|
||||||
|
if (-not $Path) {
|
||||||
|
throw "refusing unsafe update cache path: $Path"
|
||||||
|
}
|
||||||
|
Assert-NoRelativePathSegments $Path
|
||||||
|
$full = Normalize-PathForCompare $Path
|
||||||
|
$root = Normalize-PathForCompare ([System.IO.Path]::GetPathRoot($full))
|
||||||
|
$homePath = Normalize-PathForCompare $HOME
|
||||||
|
$homeCache = Normalize-PathForCompare (Join-Path $HOME ".cache")
|
||||||
|
if ($full -eq $root -or $full -eq $homePath -or $full -eq $homeCache) {
|
||||||
|
throw "refusing unsafe update cache path: $Path"
|
||||||
|
}
|
||||||
|
$full
|
||||||
|
}
|
||||||
|
|
||||||
$bindir = Join-Path $Prefix "bin"
|
$bindir = Join-Path $Prefix "bin"
|
||||||
$configDir = Join-Path $HOME ".config\dosh"
|
$configDir = Join-Path $HOME ".config\dosh"
|
||||||
New-Item -ItemType Directory -Force -Path $bindir, $configDir | Out-Null
|
New-Item -ItemType Directory -Force -Path $bindir, $configDir | Out-Null
|
||||||
|
|
||||||
function Install-Prebuilt {
|
function Install-Prebuilt {
|
||||||
|
if (Latest-ReleaseIsStale) {
|
||||||
|
return $false
|
||||||
|
}
|
||||||
$url = Release-LatestTagDownloadUrl
|
$url = Release-LatestTagDownloadUrl
|
||||||
if (-not $url) {
|
if (-not $url) {
|
||||||
$url = Release-DownloadUrl
|
$url = Release-DownloadUrl
|
||||||
@@ -200,7 +347,6 @@ function Install-Prebuilt {
|
|||||||
|
|
||||||
function Install-FromSource {
|
function Install-FromSource {
|
||||||
Require-Command cargo
|
Require-Command cargo
|
||||||
$tmp = $null
|
|
||||||
if (Test-Path "Cargo.toml") {
|
if (Test-Path "Cargo.toml") {
|
||||||
$src = (Get-Location).Path
|
$src = (Get-Location).Path
|
||||||
} else {
|
} else {
|
||||||
@@ -208,9 +354,20 @@ function Install-FromSource {
|
|||||||
throw "DOSH_REPO is required when running the installer from irm/iex"
|
throw "DOSH_REPO is required when running the installer from irm/iex"
|
||||||
}
|
}
|
||||||
Require-Command git
|
Require-Command git
|
||||||
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) ("dosh-" + [guid]::NewGuid())
|
$sourceCache = Assert-SafeUpdateCache $UpdateCache
|
||||||
git clone --depth 1 $Repo $tmp | Out-Null
|
$parent = Split-Path -Parent $sourceCache
|
||||||
$src = $tmp
|
New-Item -ItemType Directory -Force -Path $parent | Out-Null
|
||||||
|
if (Test-Path (Join-Path $sourceCache ".git")) {
|
||||||
|
git -C $sourceCache remote set-url origin $Repo
|
||||||
|
git -C $sourceCache fetch --depth 1 origin main
|
||||||
|
git -C $sourceCache checkout -q -B main FETCH_HEAD
|
||||||
|
} else {
|
||||||
|
if (Test-Path $sourceCache) {
|
||||||
|
Remove-Item -Recurse -Force $sourceCache
|
||||||
|
}
|
||||||
|
git clone --depth 1 --branch main $Repo $sourceCache | Out-Null
|
||||||
|
}
|
||||||
|
$src = $sourceCache
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
@@ -222,9 +379,6 @@ function Install-FromSource {
|
|||||||
}
|
}
|
||||||
finally {
|
finally {
|
||||||
Pop-Location
|
Pop-Location
|
||||||
if ($tmp) {
|
|
||||||
Remove-Item -Recurse -Force $tmp
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -261,10 +415,38 @@ predict = true
|
|||||||
predict_mode = "experimental"
|
predict_mode = "experimental"
|
||||||
cache_attach_tickets = true
|
cache_attach_tickets = true
|
||||||
credential_cache = "~/.local/share/dosh/credentials"
|
credential_cache = "~/.local/share/dosh/credentials"
|
||||||
|
auth_preference = "native,ssh"
|
||||||
|
trust_on_first_use = false
|
||||||
|
native_auth_timeout_ms = 700
|
||||||
|
known_hosts = "~/.config/dosh/known_hosts"
|
||||||
|
identity_files = ["~/.ssh/id_ed25519"]
|
||||||
|
use_ssh_agent = true
|
||||||
|
forward_agent = false
|
||||||
escape_key = "^]"
|
escape_key = "^]"
|
||||||
"@ | Set-Content -NoNewline -Encoding utf8 $clientConfig
|
"@ | Set-Content -NoNewline -Encoding utf8 $clientConfig
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$hostsConfig = Join-Path $configDir "hosts.toml"
|
||||||
|
if ($ForceConfig -or -not (Test-Path $hostsConfig)) {
|
||||||
|
$defaultServer = if ($Server) { $Server } else { "user@example.com" }
|
||||||
|
$hostUdp = if ($DoshHost) { $DoshHost } else { $defaultServer }
|
||||||
|
@"
|
||||||
|
# Example:
|
||||||
|
# [server]
|
||||||
|
# ssh = "server"
|
||||||
|
# dosh_host = "server.example.com"
|
||||||
|
# port = 50000
|
||||||
|
# default_command = "tm"
|
||||||
|
# predict = true
|
||||||
|
|
||||||
|
[default]
|
||||||
|
ssh = "$defaultServer"
|
||||||
|
dosh_host = "$hostUdp"
|
||||||
|
port = $Port
|
||||||
|
predict = true
|
||||||
|
"@ | Set-Content -NoNewline -Encoding utf8 $hostsConfig
|
||||||
|
}
|
||||||
|
|
||||||
$userPath = [Environment]::GetEnvironmentVariable("Path", "User")
|
$userPath = [Environment]::GetEnvironmentVariable("Path", "User")
|
||||||
if (-not (($userPath -split ';') -contains $bindir)) {
|
if (-not (($userPath -split ';') -contains $bindir)) {
|
||||||
[Environment]::SetEnvironmentVariable("Path", "$userPath;$bindir", "User")
|
[Environment]::SetEnvironmentVariable("Path", "$userPath;$bindir", "User")
|
||||||
@@ -281,5 +463,6 @@ Write-Host " $bindir\dosh.exe update --check"
|
|||||||
Write-Host ""
|
Write-Host ""
|
||||||
Write-Host "Client config:"
|
Write-Host "Client config:"
|
||||||
Write-Host " $configDir\client.toml"
|
Write-Host " $configDir\client.toml"
|
||||||
|
Write-Host " $configDir\hosts.toml"
|
||||||
Write-Host ""
|
Write-Host ""
|
||||||
Write-Host "Open a new terminal for PATH changes to apply."
|
Write-Host "Open a new terminal for PATH changes to apply."
|
||||||
|
|||||||
+144
-8
@@ -119,6 +119,37 @@ need() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
normalize_update_cache_path() {
|
||||||
|
case "$1" in
|
||||||
|
/*) printf '%s\n' "$1" ;;
|
||||||
|
*) printf '%s\n' "$(pwd)/$1" ;;
|
||||||
|
esac | sed 's#//*#/#g; s#/$##'
|
||||||
|
}
|
||||||
|
|
||||||
|
safe_update_cache_path() {
|
||||||
|
raw="$1"
|
||||||
|
if [ -z "$raw" ]; then
|
||||||
|
echo "refusing unsafe update cache path: $raw" >&2
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
case "$raw" in
|
||||||
|
"."|".."|./*|../*|*/.|*/..|*/./*|*/../*)
|
||||||
|
echo "refusing unsafe update cache path: $raw" >&2
|
||||||
|
exit 2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
normalized="$(normalize_update_cache_path "$raw")"
|
||||||
|
home_norm="$(normalize_update_cache_path "$HOME")"
|
||||||
|
home_cache_norm="$(normalize_update_cache_path "$HOME/.cache")"
|
||||||
|
case "$normalized" in
|
||||||
|
""|"/"|"$home_norm"|"$home_cache_norm")
|
||||||
|
echo "refusing unsafe update cache path: $raw" >&2
|
||||||
|
exit 2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
printf '%s\n' "$normalized"
|
||||||
|
}
|
||||||
|
|
||||||
ensure_cargo() {
|
ensure_cargo() {
|
||||||
if command -v cargo >/dev/null 2>&1; then
|
if command -v cargo >/dev/null 2>&1; then
|
||||||
return
|
return
|
||||||
@@ -222,6 +253,113 @@ release_latest_tag_download_url() {
|
|||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
|
version_core() {
|
||||||
|
value="${1#v}"
|
||||||
|
value="${value%%+*}"
|
||||||
|
printf '%s\n' "${value%%-*}"
|
||||||
|
}
|
||||||
|
|
||||||
|
version_prerelease() {
|
||||||
|
value="${1#v}"
|
||||||
|
value="${value%%+*}"
|
||||||
|
case "$value" in
|
||||||
|
*-*) printf '%s\n' "${value#*-}" ;;
|
||||||
|
*) printf '\n' ;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
version_core_part() {
|
||||||
|
version="$1"
|
||||||
|
index="$2"
|
||||||
|
version_core "$version" \
|
||||||
|
| sed 's/[^0-9][^0-9]*/ /g' \
|
||||||
|
| awk -v index="$index" '{ value=$index; if (value == "") value=0; print value }'
|
||||||
|
}
|
||||||
|
|
||||||
|
prerelease_less_than() {
|
||||||
|
left="$1"
|
||||||
|
right="$2"
|
||||||
|
if [ -z "$left" ] && [ -z "$right" ]; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
if [ -z "$left" ]; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
if [ -z "$right" ]; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
if [ "$left" = "$right" ]; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
left_rc="$(printf '%s\n' "$left" | sed -n 's/^[Rr][Cc]\([0-9][0-9]*\)$/\1/p')"
|
||||||
|
right_rc="$(printf '%s\n' "$right" | sed -n 's/^[Rr][Cc]\([0-9][0-9]*\)$/\1/p')"
|
||||||
|
if [ -n "$left_rc" ] && [ -n "$right_rc" ]; then
|
||||||
|
[ "$left_rc" -lt "$right_rc" ]
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
first="$(printf '%s\n%s\n' "$left" "$right" | LC_ALL=C sort | sed -n '1p')"
|
||||||
|
[ "$first" = "$left" ]
|
||||||
|
}
|
||||||
|
|
||||||
|
version_less_than() {
|
||||||
|
left="$1"
|
||||||
|
right="$2"
|
||||||
|
for index in 1 2 3 4 5 6 7 8; do
|
||||||
|
lpart="$(version_core_part "$left" "$index")"
|
||||||
|
rpart="$(version_core_part "$right" "$index")"
|
||||||
|
if [ "$lpart" -lt "$rpart" ]; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
if [ "$lpart" -gt "$rpart" ]; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
prerelease_less_than "$(version_prerelease "$left")" "$(version_prerelease "$right")"
|
||||||
|
}
|
||||||
|
|
||||||
|
current_source_version() {
|
||||||
|
if [ -f Cargo.toml ]; then
|
||||||
|
sed -n 's/^version = "\(.*\)"/\1/p' Cargo.toml | sed -n '1p'
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
[ -n "$repo" ] || return 1
|
||||||
|
web_base="$(repo_web_base "$repo")" || return 1
|
||||||
|
curl -fsSL "$web_base/raw/branch/main/Cargo.toml" 2>/dev/null \
|
||||||
|
| sed -n 's/^version = "\(.*\)"/\1/p' \
|
||||||
|
| sed -n '1p'
|
||||||
|
}
|
||||||
|
|
||||||
|
latest_release_tag() {
|
||||||
|
[ -n "$repo" ] || return 1
|
||||||
|
web_base="$(repo_web_base "$repo")" || return 1
|
||||||
|
latest_url="$(curl -fsSL -o /dev/null -w '%{url_effective}' "$web_base/releases/latest" 2>/dev/null || true)"
|
||||||
|
case "$latest_url" in
|
||||||
|
"$web_base"/releases/tag/*)
|
||||||
|
tag="${latest_url##"$web_base"/releases/tag/}"
|
||||||
|
[ -n "$tag" ] || return 1
|
||||||
|
printf '%s\n' "$tag"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
return 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
latest_release_is_stale() {
|
||||||
|
if [ -n "$binary_url" ] || [ -n "$binary_base" ] || [ "$binary_version" != "latest" ]; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
latest="$(latest_release_tag || true)"
|
||||||
|
current="$(current_source_version || true)"
|
||||||
|
[ -n "$latest" ] && [ -n "$current" ] || return 1
|
||||||
|
latest="${latest#v}"
|
||||||
|
if version_less_than "$latest" "$current"; then
|
||||||
|
echo "latest release $latest is older than source $current; skipping stale prebuilt" >&2
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
find_extracted_binary() {
|
find_extracted_binary() {
|
||||||
find "$1" -type f -name "$2" 2>/dev/null | sed -n '1p'
|
find "$1" -type f -name "$2" 2>/dev/null | sed -n '1p'
|
||||||
}
|
}
|
||||||
@@ -263,8 +401,8 @@ verify_archive_checksum() {
|
|||||||
archive="$2"
|
archive="$2"
|
||||||
checksum_file="$3"
|
checksum_file="$3"
|
||||||
if ! curl -fsL "$url.sha256" -o "$checksum_file"; then
|
if ! curl -fsL "$url.sha256" -o "$checksum_file"; then
|
||||||
echo "prebuilt checksum unavailable; continuing without sidecar verification" >&2
|
echo "prebuilt checksum unavailable; refusing unverified binary for $url" >&2
|
||||||
return 0
|
return 1
|
||||||
fi
|
fi
|
||||||
expected="$(awk '{print $1}' "$checksum_file" | sed -n '1p')"
|
expected="$(awk '{print $1}' "$checksum_file" | sed -n '1p')"
|
||||||
actual="$(sha256_file "$archive")" || {
|
actual="$(sha256_file "$archive")" || {
|
||||||
@@ -312,6 +450,9 @@ verify_archive_version() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
try_install_prebuilt() {
|
try_install_prebuilt() {
|
||||||
|
if latest_release_is_stale; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
download_url="$(release_latest_tag_download_url || release_download_url)" || return 1
|
download_url="$(release_latest_tag_download_url || release_download_url)" || return 1
|
||||||
tmpdir="$(mktemp -d)"
|
tmpdir="$(mktemp -d)"
|
||||||
archive="$tmpdir/$(release_artifact_name)"
|
archive="$tmpdir/$(release_artifact_name)"
|
||||||
@@ -356,12 +497,7 @@ install_from_source() {
|
|||||||
echo "DOSH_REPO or --repo is required when running the installer from curl" >&2
|
echo "DOSH_REPO or --repo is required when running the installer from curl" >&2
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
case "$update_cache" in
|
update_cache="$(safe_update_cache_path "$update_cache")"
|
||||||
""|"/"|"$HOME"|"$HOME/"|"$HOME/.cache")
|
|
||||||
echo "refusing unsafe update cache path: $update_cache" >&2
|
|
||||||
exit 2
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
need git
|
need git
|
||||||
mkdir -p "$(dirname "$update_cache")"
|
mkdir -p "$(dirname "$update_cache")"
|
||||||
if [ -d "$update_cache/.git" ]; then
|
if [ -d "$update_cache/.git" ]; then
|
||||||
|
|||||||
@@ -11,6 +11,8 @@ Environment:
|
|||||||
GITEA_REPO owner/repo, default Palav/dosh
|
GITEA_REPO owner/repo, default Palav/dosh
|
||||||
GITEA_TOKEN Token with release write permission
|
GITEA_TOKEN Token with release write permission
|
||||||
GITEA_TITLE Release title, default TAG
|
GITEA_TITLE Release title, default TAG
|
||||||
|
DOSH_RELEASE_ALLOW_PARTIAL=1
|
||||||
|
Allow uploading an incomplete platform set. Default: refuse.
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -31,6 +33,11 @@ repo="${GITEA_REPO:-Palav/dosh}"
|
|||||||
token="${GITEA_TOKEN:-}"
|
token="${GITEA_TOKEN:-}"
|
||||||
title="${GITEA_TITLE:-$tag}"
|
title="${GITEA_TITLE:-$tag}"
|
||||||
expected_version="${tag#v}"
|
expected_version="${tag#v}"
|
||||||
|
allow_partial="${DOSH_RELEASE_ALLOW_PARTIAL:-0}"
|
||||||
|
release_prerelease=false
|
||||||
|
case "$expected_version" in
|
||||||
|
*-*) release_prerelease=true ;;
|
||||||
|
esac
|
||||||
|
|
||||||
artifact_version() {
|
artifact_version() {
|
||||||
artifact="$1"
|
artifact="$1"
|
||||||
@@ -80,6 +87,42 @@ if [ "$#" -eq 0 ]; then
|
|||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
require_complete_release_artifacts() {
|
||||||
|
[ "$allow_partial" = "1" ] && return 0
|
||||||
|
missing=0
|
||||||
|
for required in \
|
||||||
|
dosh-linux-x86_64.tar.gz \
|
||||||
|
dosh-macos-aarch64.tar.gz \
|
||||||
|
dosh-macos-x86_64.tar.gz \
|
||||||
|
dosh-windows-x86_64.zip; do
|
||||||
|
found=0
|
||||||
|
checksum_found=0
|
||||||
|
for artifact in "$@"; do
|
||||||
|
name="$(basename "$artifact")"
|
||||||
|
if [ "$name" = "$required" ]; then
|
||||||
|
found=1
|
||||||
|
fi
|
||||||
|
if [ "$name" = "$required.sha256" ]; then
|
||||||
|
checksum_found=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$found" -ne 1 ]; then
|
||||||
|
echo "missing required release artifact: $required" >&2
|
||||||
|
missing=1
|
||||||
|
fi
|
||||||
|
if [ "$checksum_found" -ne 1 ]; then
|
||||||
|
echo "missing required release checksum: $required.sha256" >&2
|
||||||
|
missing=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$missing" -ne 0 ]; then
|
||||||
|
echo "refusing partial release upload; set DOSH_RELEASE_ALLOW_PARTIAL=1 to override" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
require_complete_release_artifacts "$@"
|
||||||
|
|
||||||
api="$base/api/v1/repos/$repo"
|
api="$base/api/v1/repos/$repo"
|
||||||
auth_header="Authorization: token $token"
|
auth_header="Authorization: token $token"
|
||||||
|
|
||||||
@@ -92,7 +135,7 @@ elif [ -n "$release_json" ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$release_id" ]; then
|
if [ -z "$release_id" ]; then
|
||||||
payload="$(printf '{"tag_name":"%s","target_commitish":"main","name":"%s","body":"Dosh release %s","draft":false,"prerelease":false}\n' "$tag" "$title" "$tag")"
|
payload="$(printf '{"tag_name":"%s","target_commitish":"main","name":"%s","body":"Dosh release %s","draft":false,"prerelease":%s}\n' "$tag" "$title" "$tag" "$release_prerelease")"
|
||||||
release_json="$(curl -fsS -H "$auth_header" -H 'Content-Type: application/json' -X POST "$api/releases" -d "$payload")"
|
release_json="$(curl -fsS -H "$auth_header" -H 'Content-Type: application/json' -X POST "$api/releases" -d "$payload")"
|
||||||
if command -v jq >/dev/null 2>&1; then
|
if command -v jq >/dev/null 2>&1; then
|
||||||
release_id="$(printf '%s\n' "$release_json" | jq -r '.id // empty')"
|
release_id="$(printf '%s\n' "$release_json" | jq -r '.id // empty')"
|
||||||
@@ -106,6 +149,14 @@ if [ -z "$release_id" ]; then
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
metadata_payload="$(printf '{"name":"%s","body":"Dosh release %s","draft":false,"prerelease":%s}\n' "$title" "$tag" "$release_prerelease")"
|
||||||
|
curl -fsS \
|
||||||
|
-H "$auth_header" \
|
||||||
|
-H 'Content-Type: application/json' \
|
||||||
|
-X PATCH \
|
||||||
|
"$api/releases/$release_id" \
|
||||||
|
-d "$metadata_payload" >/dev/null
|
||||||
|
|
||||||
delete_existing_asset() {
|
delete_existing_asset() {
|
||||||
name="$1"
|
name="$1"
|
||||||
if ! command -v jq >/dev/null 2>&1; then
|
if ! command -v jq >/dev/null 2>&1; then
|
||||||
|
|||||||
@@ -22,10 +22,74 @@ artifact_version() {
|
|||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
|
archive_contains() {
|
||||||
|
artifact="$1"
|
||||||
|
member="$2"
|
||||||
|
case "$artifact" in
|
||||||
|
*.tar.gz)
|
||||||
|
tar -tzf "$artifact" "$member" >/dev/null 2>&1
|
||||||
|
;;
|
||||||
|
*.zip)
|
||||||
|
unzip -Z1 "$artifact" 2>/dev/null | grep -Fx "$member" >/dev/null 2>&1
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
return 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
expected_members() {
|
||||||
|
artifact_name="$(basename -- "$1")"
|
||||||
|
case "$artifact_name" in
|
||||||
|
dosh-windows-*.zip)
|
||||||
|
cat <<EOF
|
||||||
|
dosh/VERSION
|
||||||
|
dosh/bin/dosh.exe
|
||||||
|
dosh/bin/dosh-client.exe
|
||||||
|
dosh/bin/dosh-bench.exe
|
||||||
|
EOF
|
||||||
|
;;
|
||||||
|
dosh-*.tar.gz)
|
||||||
|
cat <<EOF
|
||||||
|
dosh/VERSION
|
||||||
|
dosh/bin/dosh
|
||||||
|
dosh/bin/dosh-client
|
||||||
|
dosh/bin/dosh-server
|
||||||
|
dosh/bin/dosh-auth
|
||||||
|
dosh/bin/dosh-bench
|
||||||
|
EOF
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
cat <<EOF
|
||||||
|
dosh/VERSION
|
||||||
|
EOF
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
checksum_value() {
|
||||||
|
artifact="$1"
|
||||||
|
if command -v sha256sum >/dev/null 2>&1; then
|
||||||
|
sha256sum "$artifact" | awk '{print $1}'
|
||||||
|
elif command -v shasum >/dev/null 2>&1; then
|
||||||
|
shasum -a 256 "$artifact" | awk '{print $1}'
|
||||||
|
else
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
verify_checksum() {
|
||||||
|
artifact="$1"
|
||||||
|
checksum="$artifact.sha256"
|
||||||
|
expected="$(awk '{print $1; exit}' "$checksum")"
|
||||||
|
actual="$(checksum_value "$artifact" || true)"
|
||||||
|
[ -n "$actual" ] && [ "$actual" = "$expected" ]
|
||||||
|
}
|
||||||
|
|
||||||
if [ "$#" -gt 0 ]; then
|
if [ "$#" -gt 0 ]; then
|
||||||
artifacts="$*"
|
artifacts="$*"
|
||||||
else
|
else
|
||||||
artifacts="$out_dir/dosh-linux-x86_64.tar.gz $out_dir/dosh-macos-aarch64.tar.gz $out_dir/dosh-windows-x86_64.zip"
|
artifacts="$out_dir/dosh-linux-x86_64.tar.gz $out_dir/dosh-macos-aarch64.tar.gz $out_dir/dosh-macos-x86_64.tar.gz $out_dir/dosh-windows-x86_64.zip"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
failed=0
|
failed=0
|
||||||
@@ -38,12 +102,21 @@ for artifact in $artifacts; do
|
|||||||
if [ ! -f "$artifact.sha256" ]; then
|
if [ ! -f "$artifact.sha256" ]; then
|
||||||
echo "missing release checksum: $artifact.sha256" >&2
|
echo "missing release checksum: $artifact.sha256" >&2
|
||||||
failed=1
|
failed=1
|
||||||
|
elif ! verify_checksum "$artifact"; then
|
||||||
|
echo "release checksum mismatch: $artifact" >&2
|
||||||
|
failed=1
|
||||||
fi
|
fi
|
||||||
actual="$(artifact_version "$artifact" || true)"
|
actual="$(artifact_version "$artifact" || true)"
|
||||||
if [ "$actual" != "$version" ]; then
|
if [ "$actual" != "$version" ]; then
|
||||||
echo "artifact version mismatch: $artifact has ${actual:-unknown}, expected $version" >&2
|
echo "artifact version mismatch: $artifact has ${actual:-unknown}, expected $version" >&2
|
||||||
failed=1
|
failed=1
|
||||||
fi
|
fi
|
||||||
|
for member in $(expected_members "$artifact"); do
|
||||||
|
if ! archive_contains "$artifact" "$member"; then
|
||||||
|
echo "artifact missing expected member: $artifact:$member" >&2
|
||||||
|
failed=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
exit "$failed"
|
exit "$failed"
|
||||||
|
|||||||
+3714
-229
File diff suppressed because it is too large
Load Diff
+1377
-173
File diff suppressed because it is too large
Load Diff
@@ -5,6 +5,7 @@ use std::fs;
|
|||||||
use std::path::PathBuf;
|
use std::path::PathBuf;
|
||||||
|
|
||||||
#[derive(Debug, Clone, Serialize, Deserialize)]
|
#[derive(Debug, Clone, Serialize, Deserialize)]
|
||||||
|
#[serde(default)]
|
||||||
pub struct ServerConfig {
|
pub struct ServerConfig {
|
||||||
pub port: u16,
|
pub port: u16,
|
||||||
pub bind: String,
|
pub bind: String,
|
||||||
@@ -95,6 +96,7 @@ impl Default for ServerConfig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Debug, Clone, Serialize, Deserialize)]
|
#[derive(Debug, Clone, Serialize, Deserialize)]
|
||||||
|
#[serde(default)]
|
||||||
pub struct ClientConfig {
|
pub struct ClientConfig {
|
||||||
pub update_repo: Option<String>,
|
pub update_repo: Option<String>,
|
||||||
pub update_port: Option<u16>,
|
pub update_port: Option<u16>,
|
||||||
@@ -330,3 +332,63 @@ pub fn expand_tilde(path: &str) -> PathBuf {
|
|||||||
}
|
}
|
||||||
PathBuf::from(path)
|
PathBuf::from(path)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[cfg(test)]
|
||||||
|
mod tests {
|
||||||
|
use super::{ClientConfig, ServerConfig};
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn old_client_configs_fill_new_fields_from_defaults() {
|
||||||
|
let raw = r#"
|
||||||
|
server = "palav"
|
||||||
|
dosh_port = 50000
|
||||||
|
"#;
|
||||||
|
|
||||||
|
let config: ClientConfig = toml::from_str(raw).expect("parse old client config");
|
||||||
|
|
||||||
|
assert_eq!(config.server, "palav");
|
||||||
|
assert!(config.predict);
|
||||||
|
assert_eq!(config.predict_mode, "experimental");
|
||||||
|
assert_eq!(config.auth_preference, "native,ssh");
|
||||||
|
assert_eq!(config.native_auth_timeout_ms, 700);
|
||||||
|
assert_eq!(config.known_hosts, "~/.config/dosh/known_hosts");
|
||||||
|
assert_eq!(config.identity_files, vec!["~/.ssh/id_ed25519"]);
|
||||||
|
assert!(config.use_ssh_agent);
|
||||||
|
assert!(!config.forward_agent);
|
||||||
|
assert!(config.disconnect_status);
|
||||||
|
assert_eq!(config.escape_key, "^]");
|
||||||
|
assert!(config.send_env.iter().any(|value| value == "TERM"));
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn old_server_configs_fill_new_fields_from_defaults() {
|
||||||
|
let raw = r#"
|
||||||
|
port = 50000
|
||||||
|
"#;
|
||||||
|
|
||||||
|
let config: ServerConfig = toml::from_str(raw).expect("parse old server config");
|
||||||
|
|
||||||
|
assert_eq!(config.port, 50000);
|
||||||
|
assert_eq!(config.bind, "0.0.0.0");
|
||||||
|
assert_eq!(config.client_timeout_secs, 2_592_000);
|
||||||
|
assert_eq!(config.output_frame_interval_ms, 16);
|
||||||
|
assert!(config.native_auth);
|
||||||
|
assert_eq!(config.host_key, "~/.config/dosh/host_key");
|
||||||
|
assert!(
|
||||||
|
config
|
||||||
|
.authorized_keys
|
||||||
|
.iter()
|
||||||
|
.any(|path| path == "~/.ssh/authorized_keys")
|
||||||
|
);
|
||||||
|
assert_eq!(config.native_auth_rate_limit_per_minute, 30);
|
||||||
|
assert_eq!(config.rekey_after_packets, 100_000);
|
||||||
|
assert_eq!(config.rekey_after_secs, 3600);
|
||||||
|
assert!(config.allow_tcp_forwarding);
|
||||||
|
assert!(!config.allow_remote_forwarding);
|
||||||
|
assert!(!config.allow_agent_forwarding);
|
||||||
|
assert!(config.allow_file_transfer);
|
||||||
|
assert!(config.allow_exec_command);
|
||||||
|
assert!(config.persist_sessions);
|
||||||
|
assert!(config.accept_env.iter().any(|value| value == "TERM"));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|||||||
@@ -32,6 +32,7 @@ impl FrameDecoder {
|
|||||||
}
|
}
|
||||||
let len = u32::from_be_bytes(self.buf[..4].try_into().unwrap()) as usize;
|
let len = u32::from_be_bytes(self.buf[..4].try_into().unwrap()) as usize;
|
||||||
if len > FRAME_MAX_LEN {
|
if len > FRAME_MAX_LEN {
|
||||||
|
self.buf.clear();
|
||||||
bail!("exec protocol frame too large: {len} bytes");
|
bail!("exec protocol frame too large: {len} bytes");
|
||||||
}
|
}
|
||||||
if self.buf.len() < 4 + len {
|
if self.buf.len() < 4 + len {
|
||||||
@@ -69,3 +70,23 @@ fn encode_frame(payload: &[u8]) -> Result<Vec<u8>> {
|
|||||||
out.extend_from_slice(payload);
|
out.extend_from_slice(payload);
|
||||||
Ok(out)
|
Ok(out)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[cfg(test)]
|
||||||
|
mod tests {
|
||||||
|
use super::*;
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn oversized_frame_clears_decoder_state() {
|
||||||
|
let mut decoder = FrameDecoder::default();
|
||||||
|
let too_large = ((FRAME_MAX_LEN + 1) as u32).to_be_bytes();
|
||||||
|
assert!(decoder.push(&too_large).is_err());
|
||||||
|
|
||||||
|
let valid = encode_response(&ExecResponse::Exit { code: Some(0) }).unwrap();
|
||||||
|
let frames = decoder.push(&valid).unwrap();
|
||||||
|
assert_eq!(frames.len(), 1);
|
||||||
|
assert_eq!(
|
||||||
|
decode_response(&frames[0]).unwrap(),
|
||||||
|
ExecResponse::Exit { code: Some(0) }
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|||||||
+101
-7
@@ -18,6 +18,14 @@ pub enum FileRequest {
|
|||||||
path: String,
|
path: String,
|
||||||
mode: Option<u32>,
|
mode: Option<u32>,
|
||||||
},
|
},
|
||||||
|
Readlink {
|
||||||
|
path: String,
|
||||||
|
},
|
||||||
|
Symlink {
|
||||||
|
path: String,
|
||||||
|
target: String,
|
||||||
|
overwrite: bool,
|
||||||
|
},
|
||||||
Remove {
|
Remove {
|
||||||
path: String,
|
path: String,
|
||||||
recursive: bool,
|
recursive: bool,
|
||||||
@@ -46,13 +54,35 @@ pub enum FileRequest {
|
|||||||
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
|
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
|
||||||
pub enum FileResponse {
|
pub enum FileResponse {
|
||||||
Ok,
|
Ok,
|
||||||
Resume { offset: u64 },
|
Resume {
|
||||||
Stat { meta: FileMeta },
|
offset: u64,
|
||||||
List { entries: Vec<FileEntry> },
|
prefix_sha256: Option<[u8; 32]>,
|
||||||
Start { meta: FileMeta, offset: u64 },
|
},
|
||||||
Chunk { offset: u64, bytes: Vec<u8> },
|
Stat {
|
||||||
Done { sha256: [u8; 32], bytes: u64 },
|
meta: FileMeta,
|
||||||
Error { message: String },
|
},
|
||||||
|
List {
|
||||||
|
entries: Vec<FileEntry>,
|
||||||
|
},
|
||||||
|
LinkTarget {
|
||||||
|
target: String,
|
||||||
|
},
|
||||||
|
Start {
|
||||||
|
meta: FileMeta,
|
||||||
|
offset: u64,
|
||||||
|
prefix_sha256: Option<[u8; 32]>,
|
||||||
|
},
|
||||||
|
Chunk {
|
||||||
|
offset: u64,
|
||||||
|
bytes: Vec<u8>,
|
||||||
|
},
|
||||||
|
Done {
|
||||||
|
sha256: [u8; 32],
|
||||||
|
bytes: u64,
|
||||||
|
},
|
||||||
|
Error {
|
||||||
|
message: String,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
|
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
|
||||||
@@ -93,6 +123,7 @@ impl FrameDecoder {
|
|||||||
}
|
}
|
||||||
let len = u32::from_be_bytes(self.buf[..4].try_into().unwrap()) as usize;
|
let len = u32::from_be_bytes(self.buf[..4].try_into().unwrap()) as usize;
|
||||||
if len > FRAME_MAX_LEN {
|
if len > FRAME_MAX_LEN {
|
||||||
|
self.buf.clear();
|
||||||
bail!("file protocol frame too large: {len} bytes");
|
bail!("file protocol frame too large: {len} bytes");
|
||||||
}
|
}
|
||||||
if self.buf.len() < 4 + len {
|
if self.buf.len() < 4 + len {
|
||||||
@@ -135,6 +166,12 @@ pub fn parse_copy_endpoint(raw: &str) -> CopyEndpoint {
|
|||||||
if looks_like_windows_path(raw) {
|
if looks_like_windows_path(raw) {
|
||||||
return CopyEndpoint::Local(PathBuf::from(raw));
|
return CopyEndpoint::Local(PathBuf::from(raw));
|
||||||
}
|
}
|
||||||
|
if let Some((host, path)) = parse_bracketed_remote_endpoint(raw) {
|
||||||
|
return CopyEndpoint::Remote { host, path };
|
||||||
|
}
|
||||||
|
if raw.starts_with('[') {
|
||||||
|
return CopyEndpoint::Local(PathBuf::from(raw));
|
||||||
|
}
|
||||||
let Some(index) = raw.find(':') else {
|
let Some(index) = raw.find(':') else {
|
||||||
return CopyEndpoint::Local(PathBuf::from(raw));
|
return CopyEndpoint::Local(PathBuf::from(raw));
|
||||||
};
|
};
|
||||||
@@ -153,6 +190,25 @@ pub fn parse_copy_endpoint(raw: &str) -> CopyEndpoint {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn parse_bracketed_remote_endpoint(raw: &str) -> Option<(String, String)> {
|
||||||
|
let rest = raw.strip_prefix('[')?;
|
||||||
|
let close = rest.find(']')?;
|
||||||
|
let host = &rest[..close];
|
||||||
|
let suffix = &rest[close + 1..];
|
||||||
|
if host.is_empty() || host.contains('/') || host.contains('\\') || !suffix.starts_with(':') {
|
||||||
|
return None;
|
||||||
|
}
|
||||||
|
let path = &suffix[1..];
|
||||||
|
Some((
|
||||||
|
host.to_string(),
|
||||||
|
if path.is_empty() {
|
||||||
|
".".to_string()
|
||||||
|
} else {
|
||||||
|
path.to_string()
|
||||||
|
},
|
||||||
|
))
|
||||||
|
}
|
||||||
|
|
||||||
#[derive(Debug, Clone, PartialEq, Eq)]
|
#[derive(Debug, Clone, PartialEq, Eq)]
|
||||||
pub enum CopyEndpoint {
|
pub enum CopyEndpoint {
|
||||||
Local(PathBuf),
|
Local(PathBuf),
|
||||||
@@ -233,6 +289,18 @@ mod tests {
|
|||||||
assert_eq!(frames.len(), 1);
|
assert_eq!(frames.len(), 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn oversized_frame_clears_decoder_state() {
|
||||||
|
let mut decoder = FrameDecoder::default();
|
||||||
|
let too_large = ((FRAME_MAX_LEN + 1) as u32).to_be_bytes();
|
||||||
|
assert!(decoder.push(&too_large).is_err());
|
||||||
|
|
||||||
|
let valid = encode_response(&FileResponse::Ok).unwrap();
|
||||||
|
let frames = decoder.push(&valid).unwrap();
|
||||||
|
assert_eq!(frames.len(), 1);
|
||||||
|
assert_eq!(decode_response(&frames[0]).unwrap(), FileResponse::Ok);
|
||||||
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn copy_endpoint_parses_scp_style_but_not_windows_drive() {
|
fn copy_endpoint_parses_scp_style_but_not_windows_drive() {
|
||||||
assert_eq!(
|
assert_eq!(
|
||||||
@@ -247,4 +315,30 @@ mod tests {
|
|||||||
CopyEndpoint::Local(PathBuf::from("C:\\Users\\palav\\x"))
|
CopyEndpoint::Local(PathBuf::from("C:\\Users\\palav\\x"))
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn copy_endpoint_parses_bracketed_ipv6_remote_paths() {
|
||||||
|
assert_eq!(
|
||||||
|
parse_copy_endpoint("[2001:db8::1]:/var/log/syslog"),
|
||||||
|
CopyEndpoint::Remote {
|
||||||
|
host: "2001:db8::1".to_string(),
|
||||||
|
path: "/var/log/syslog".to_string()
|
||||||
|
}
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
parse_copy_endpoint("[::1]:"),
|
||||||
|
CopyEndpoint::Remote {
|
||||||
|
host: "::1".to_string(),
|
||||||
|
path: ".".to_string()
|
||||||
|
}
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
parse_copy_endpoint("[bad/host]:path"),
|
||||||
|
CopyEndpoint::Local(PathBuf::from("[bad/host]:path"))
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
parse_copy_endpoint("[::1]"),
|
||||||
|
CopyEndpoint::Local(PathBuf::from("[::1]"))
|
||||||
|
);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
+4
-1
@@ -5,7 +5,9 @@
|
|||||||
//! handle native authentication, host key checks, roaming, keepalives, reliable
|
//! handle native authentication, host key checks, roaming, keepalives, reliable
|
||||||
//! streams, and service routing. Use [`transport::DoshTransport`] only when an
|
//! streams, and service routing. Use [`transport::DoshTransport`] only when an
|
||||||
//! application already owns session establishment and wants direct access to the
|
//! application already owns session establishment and wants direct access to the
|
||||||
//! encrypted stream transport.
|
//! encrypted stream transport. The SDK receive loops drive retransmission and
|
||||||
|
//! keepalives while waiting, so simple applications can call `recv().await`
|
||||||
|
//! without building their own maintenance loop.
|
||||||
|
|
||||||
pub mod auth;
|
pub mod auth;
|
||||||
pub mod build_info;
|
pub mod build_info;
|
||||||
@@ -22,5 +24,6 @@ pub mod protocol;
|
|||||||
pub mod pty;
|
pub mod pty;
|
||||||
pub mod server;
|
pub mod server;
|
||||||
pub mod ssh_agent;
|
pub mod ssh_agent;
|
||||||
|
pub mod trace;
|
||||||
pub mod transport;
|
pub mod transport;
|
||||||
pub mod udp;
|
pub mod udp;
|
||||||
|
|||||||
+11
-7
@@ -5,10 +5,11 @@ use anyhow::{Context, Result, bail};
|
|||||||
use serde::{Deserialize, Serialize};
|
use serde::{Deserialize, Serialize};
|
||||||
use std::time::{SystemTime, UNIX_EPOCH};
|
use std::time::{SystemTime, UNIX_EPOCH};
|
||||||
|
|
||||||
/// Generate a name for an implicit, ephemeral terminal session — the kind
|
/// Generate a name for an implicit terminal session: the kind created by
|
||||||
/// created by `dosh host` with no `--session`. Single source of truth shared by
|
/// `dosh host` with no `--session`. Single source of truth shared by the client
|
||||||
/// the client (which generates it) and the server (which recognizes it via
|
/// (which generates it) and the server (which recognizes it via
|
||||||
/// [`is_implicit_session_name`] to decide a session is NOT worth persisting).
|
/// [`is_implicit_session_name`] to apply shorter cleanup grace than named
|
||||||
|
/// sessions).
|
||||||
pub fn generate_implicit_session_name() -> String {
|
pub fn generate_implicit_session_name() -> String {
|
||||||
let millis = SystemTime::now()
|
let millis = SystemTime::now()
|
||||||
.duration_since(UNIX_EPOCH)
|
.duration_since(UNIX_EPOCH)
|
||||||
@@ -18,9 +19,9 @@ pub fn generate_implicit_session_name() -> String {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/// Whether `name` is a client-generated implicit session name
|
/// Whether `name` is a client-generated implicit session name
|
||||||
/// (`term-<digits>-<digits>`). Such sessions are ephemeral: the user can never
|
/// (`term-<digits>-<digits>`). Such sessions are update-survivable while the
|
||||||
/// reattach by name, so the server must not persist them across restarts.
|
/// original client can reconnect with its ticket, but they are reaped sooner
|
||||||
/// Explicitly-named (`--session work`) and prewarmed sessions are not implicit.
|
/// than explicitly-named sessions once no clients remain.
|
||||||
pub fn is_implicit_session_name(name: &str) -> bool {
|
pub fn is_implicit_session_name(name: &str) -> bool {
|
||||||
let Some(rest) = name.strip_prefix("term-") else {
|
let Some(rest) = name.strip_prefix("term-") else {
|
||||||
return false;
|
return false;
|
||||||
@@ -272,6 +273,9 @@ pub fn decode(input: &[u8]) -> Result<Packet> {
|
|||||||
if input.len() < end {
|
if input.len() < end {
|
||||||
bail!("truncated packet body");
|
bail!("truncated packet body");
|
||||||
}
|
}
|
||||||
|
if input.len() > end {
|
||||||
|
bail!("trailing packet bytes");
|
||||||
|
}
|
||||||
Ok(Packet {
|
Ok(Packet {
|
||||||
header,
|
header,
|
||||||
body: input[HEADER_LEN..end].to_vec(),
|
body: input[HEADER_LEN..end].to_vec(),
|
||||||
|
|||||||
+124
-26
@@ -10,8 +10,8 @@ use crate::protocol::{
|
|||||||
NativeServerHelloBody, NativeUserAuthBody, PacketKind, SERVER_TO_CLIENT,
|
NativeServerHelloBody, NativeUserAuthBody, PacketKind, SERVER_TO_CLIENT,
|
||||||
};
|
};
|
||||||
use crate::transport::{
|
use crate::transport::{
|
||||||
DoshTransport, SessionEvent, SessionRole, SessionTransportConfig, TransportConfig,
|
ADAPTIVE_RETRANSMIT_MIN, DoshTransport, SessionEvent, SessionRole, SessionTransportConfig,
|
||||||
service_name_from_target,
|
TransportConfig, service_name_from_target,
|
||||||
};
|
};
|
||||||
use crate::udp::{is_transient_udp_error, is_transient_udp_send_error};
|
use crate::udp::{is_transient_udp_error, is_transient_udp_send_error};
|
||||||
use anyhow::{Context, Result, anyhow, bail};
|
use anyhow::{Context, Result, anyhow, bail};
|
||||||
@@ -169,35 +169,54 @@ impl DoshServer {
|
|||||||
let mut buf = vec![0u8; 65535];
|
let mut buf = vec![0u8; 65535];
|
||||||
loop {
|
loop {
|
||||||
self.expire_pending();
|
self.expire_pending();
|
||||||
let (n, peer) = match self.socket.recv_from(&mut buf).await {
|
let (n, peer) = match tokio::time::timeout(
|
||||||
Ok(value) => value,
|
ADAPTIVE_RETRANSMIT_MIN,
|
||||||
Err(err) if is_transient_udp_error(&err) => continue,
|
self.socket.recv_from(&mut buf),
|
||||||
Err(err) => return Err(err.into()),
|
)
|
||||||
|
.await
|
||||||
|
{
|
||||||
|
Ok(Ok(value)) => value,
|
||||||
|
Ok(Err(err)) if is_transient_udp_error(&err) => continue,
|
||||||
|
Ok(Err(err)) => return Err(err.into()),
|
||||||
|
Err(_) => {
|
||||||
|
self.maintenance().await?;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
};
|
};
|
||||||
let packet = match protocol::decode(&buf[..n]) {
|
if let Some(event) = self.handle_datagram(peer, &buf[..n]).await? {
|
||||||
Ok(packet) => packet,
|
return Ok(event);
|
||||||
Err(_) => continue,
|
|
||||||
};
|
|
||||||
if packet.header.kind == PacketKind::NativeClientHello {
|
|
||||||
self.handle_client_hello(peer, packet.body).await?;
|
|
||||||
return Ok(DoshServerEvent::Ignored);
|
|
||||||
}
|
}
|
||||||
if packet.header.kind == PacketKind::NativeUserAuth {
|
|
||||||
return self.handle_user_auth(peer, &packet).await;
|
|
||||||
}
|
|
||||||
if let Some(transport) = self.transports.get_mut(&packet.header.conn_id) {
|
|
||||||
let event = transport.handle_datagram(&buf[..n], peer).await?;
|
|
||||||
return Ok(DoshServerEvent::Session {
|
|
||||||
conn_id: packet.header.conn_id,
|
|
||||||
event,
|
|
||||||
});
|
|
||||||
}
|
|
||||||
self.send_reject(peer, packet.header.conn_id, "unknown Dosh connection")
|
|
||||||
.await?;
|
|
||||||
return Ok(DoshServerEvent::Ignored);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
async fn handle_datagram(
|
||||||
|
&mut self,
|
||||||
|
peer: SocketAddr,
|
||||||
|
datagram: &[u8],
|
||||||
|
) -> Result<Option<DoshServerEvent>> {
|
||||||
|
let packet = match protocol::decode(datagram) {
|
||||||
|
Ok(packet) => packet,
|
||||||
|
Err(_) => return Ok(None),
|
||||||
|
};
|
||||||
|
if packet.header.kind == PacketKind::NativeClientHello {
|
||||||
|
self.handle_client_hello(peer, packet.body).await?;
|
||||||
|
return Ok(Some(DoshServerEvent::Ignored));
|
||||||
|
}
|
||||||
|
if packet.header.kind == PacketKind::NativeUserAuth {
|
||||||
|
return self.handle_user_auth(peer, &packet).await.map(Some);
|
||||||
|
}
|
||||||
|
if let Some(transport) = self.transports.get_mut(&packet.header.conn_id) {
|
||||||
|
let event = transport.handle_datagram(datagram, peer).await?;
|
||||||
|
return Ok(Some(DoshServerEvent::Session {
|
||||||
|
conn_id: packet.header.conn_id,
|
||||||
|
event,
|
||||||
|
}));
|
||||||
|
}
|
||||||
|
self.send_reject(peer, packet.header.conn_id, "unknown Dosh connection")
|
||||||
|
.await?;
|
||||||
|
Ok(Some(DoshServerEvent::Ignored))
|
||||||
|
}
|
||||||
|
|
||||||
pub async fn accept_stream(&mut self, conn_id: [u8; 16], stream_id: u64) -> Result<()> {
|
pub async fn accept_stream(&mut self, conn_id: [u8; 16], stream_id: u64) -> Result<()> {
|
||||||
self.transport_mut(&conn_id)
|
self.transport_mut(&conn_id)
|
||||||
.ok_or_else(|| anyhow!("unknown Dosh connection"))?
|
.ok_or_else(|| anyhow!("unknown Dosh connection"))?
|
||||||
@@ -620,6 +639,85 @@ mod tests {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[tokio::test]
|
||||||
|
async fn sdk_server_recv_drives_transport_maintenance_while_idle() {
|
||||||
|
let dir = tempfile::tempdir().unwrap();
|
||||||
|
let host_key = dir.path().join("host_key");
|
||||||
|
let authorized_keys = dir.path().join("authorized_keys");
|
||||||
|
let signing = SigningKey::from_bytes(&[94u8; 32]);
|
||||||
|
let keypair = ssh_key::private::Ed25519Keypair::from(&signing);
|
||||||
|
let private =
|
||||||
|
ssh_key::PrivateKey::new(ssh_key::private::KeypairData::from(keypair), "").unwrap();
|
||||||
|
std::fs::write(
|
||||||
|
&authorized_keys,
|
||||||
|
format!("{}\n", private.public_key().to_openssh().unwrap()),
|
||||||
|
)
|
||||||
|
.unwrap();
|
||||||
|
|
||||||
|
let server_config = ServerConfig {
|
||||||
|
host_key: host_key.to_string_lossy().to_string(),
|
||||||
|
authorized_keys: vec![authorized_keys.to_string_lossy().to_string()],
|
||||||
|
..ServerConfig::default()
|
||||||
|
};
|
||||||
|
let server_config = DoshServerConfig::new(server_config)
|
||||||
|
.bind_addr("127.0.0.1:0".parse().unwrap())
|
||||||
|
.service("echo")
|
||||||
|
.unwrap()
|
||||||
|
.require_current_user(false)
|
||||||
|
.transport(TransportConfig {
|
||||||
|
retransmit_after: Duration::from_millis(20),
|
||||||
|
keepalive_after: Duration::from_secs(60),
|
||||||
|
..TransportConfig::default()
|
||||||
|
});
|
||||||
|
let mut server = DoshServer::bind(server_config).await.unwrap();
|
||||||
|
let client_socket = UdpSocket::bind("127.0.0.1:0").await.unwrap();
|
||||||
|
let client_addr = client_socket.local_addr().unwrap();
|
||||||
|
let conn_id = [95u8; 16];
|
||||||
|
let session_key = [96u8; 32];
|
||||||
|
let transport = DoshTransport::new(
|
||||||
|
Arc::clone(&server.socket),
|
||||||
|
SessionTransportConfig {
|
||||||
|
role: SessionRole::Server,
|
||||||
|
conn_id,
|
||||||
|
session_key,
|
||||||
|
peer_addr: client_addr,
|
||||||
|
initial_send_seq: 1,
|
||||||
|
initial_ack: 0,
|
||||||
|
stream: server.config.transport.clone(),
|
||||||
|
},
|
||||||
|
);
|
||||||
|
server.transports.insert(conn_id, transport);
|
||||||
|
server
|
||||||
|
.transport_mut(&conn_id)
|
||||||
|
.unwrap()
|
||||||
|
.open_service("echo")
|
||||||
|
.await
|
||||||
|
.unwrap();
|
||||||
|
|
||||||
|
let mut buf = [0u8; 65535];
|
||||||
|
tokio::time::timeout(
|
||||||
|
Duration::from_millis(200),
|
||||||
|
client_socket.recv_from(&mut buf),
|
||||||
|
)
|
||||||
|
.await
|
||||||
|
.unwrap()
|
||||||
|
.unwrap();
|
||||||
|
|
||||||
|
let recv_task = tokio::spawn(async move { server.recv().await });
|
||||||
|
let (n, _) =
|
||||||
|
tokio::time::timeout(Duration::from_secs(1), client_socket.recv_from(&mut buf))
|
||||||
|
.await
|
||||||
|
.unwrap()
|
||||||
|
.unwrap();
|
||||||
|
recv_task.abort();
|
||||||
|
|
||||||
|
let packet = protocol::decode(&buf[..n]).unwrap();
|
||||||
|
assert_eq!(packet.header.kind, PacketKind::StreamOpen);
|
||||||
|
let plain = protocol::decrypt_body(&packet, &session_key, SERVER_TO_CLIENT).unwrap();
|
||||||
|
let open: protocol::StreamOpen = protocol::from_body(&plain).unwrap();
|
||||||
|
assert_eq!(open.target_host, "@dosh-echo");
|
||||||
|
}
|
||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
async fn bad_native_auth_does_not_consume_pending_challenge() {
|
async fn bad_native_auth_does_not_consume_pending_challenge() {
|
||||||
let dir = tempfile::tempdir().unwrap();
|
let dir = tempfile::tempdir().unwrap();
|
||||||
|
|||||||
+223
@@ -0,0 +1,223 @@
|
|||||||
|
use std::fs::{File, OpenOptions};
|
||||||
|
use std::io::Write;
|
||||||
|
use std::path::{Path, PathBuf};
|
||||||
|
use std::sync::{Mutex, OnceLock};
|
||||||
|
use std::time::{SystemTime, UNIX_EPOCH};
|
||||||
|
|
||||||
|
static TRACE_FILE: OnceLock<Option<Mutex<File>>> = OnceLock::new();
|
||||||
|
static HEALTH_FILE: OnceLock<Option<Mutex<File>>> = OnceLock::new();
|
||||||
|
static TRACE_BYTES: OnceLock<bool> = OnceLock::new();
|
||||||
|
const HEALTH_LOG_MAX_BYTES: u64 = 1024 * 1024;
|
||||||
|
|
||||||
|
pub fn enabled() -> bool {
|
||||||
|
TRACE_FILE.get_or_init(open_trace_file).is_some()
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn bytes_enabled() -> bool {
|
||||||
|
*TRACE_BYTES.get_or_init(|| truthy_env("DOSH_TRACE_BYTES"))
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn event(name: &str, fields: &[(&str, String)]) {
|
||||||
|
let Some(file) = TRACE_FILE.get_or_init(open_trace_file) else {
|
||||||
|
return;
|
||||||
|
};
|
||||||
|
write_event(file, name, fields);
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn health_event(name: &str, fields: &[(&str, String)]) {
|
||||||
|
let Some(file) = HEALTH_FILE.get_or_init(open_health_file) else {
|
||||||
|
return;
|
||||||
|
};
|
||||||
|
write_event(file, name, fields);
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn default_health_log_path() -> PathBuf {
|
||||||
|
trace_root().join("health.log")
|
||||||
|
}
|
||||||
|
|
||||||
|
fn write_event(file: &Mutex<File>, name: &str, fields: &[(&str, String)]) {
|
||||||
|
let now = SystemTime::now()
|
||||||
|
.duration_since(UNIX_EPOCH)
|
||||||
|
.map(|duration| duration.as_millis())
|
||||||
|
.unwrap_or(0);
|
||||||
|
let mut line = format!(
|
||||||
|
"ts_ms={} pid={} event={}",
|
||||||
|
now,
|
||||||
|
std::process::id(),
|
||||||
|
shell_escape(name)
|
||||||
|
);
|
||||||
|
for (key, value) in fields {
|
||||||
|
line.push(' ');
|
||||||
|
line.push_str(key);
|
||||||
|
line.push('=');
|
||||||
|
line.push_str(&shell_escape(value));
|
||||||
|
}
|
||||||
|
line.push('\n');
|
||||||
|
if let Ok(mut file) = file.lock() {
|
||||||
|
let _ = file.write_all(line.as_bytes());
|
||||||
|
let _ = file.flush();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn bytes_summary(bytes: &[u8]) -> String {
|
||||||
|
let mut parts = vec![
|
||||||
|
format!("len={}", bytes.len()),
|
||||||
|
format!(
|
||||||
|
"esc={}",
|
||||||
|
contains_byte(bytes, 0x1b) || contains_byte(bytes, 0x9b)
|
||||||
|
),
|
||||||
|
format!("focus={}", has_focus_report(bytes)),
|
||||||
|
format!("mouseish={}", looks_mouseish(bytes)),
|
||||||
|
format!("printable={}", printable_count(bytes)),
|
||||||
|
];
|
||||||
|
if bytes_enabled() {
|
||||||
|
parts.push(format!("hex={}", hex_prefix(bytes, 160)));
|
||||||
|
}
|
||||||
|
parts.join(",")
|
||||||
|
}
|
||||||
|
|
||||||
|
fn open_trace_file() -> Option<Mutex<File>> {
|
||||||
|
let raw = std::env::var_os("DOSH_TRACE")?;
|
||||||
|
let normalized = raw.to_string_lossy().to_ascii_lowercase();
|
||||||
|
if normalized.is_empty() || matches!(normalized.as_str(), "0" | "false" | "off") {
|
||||||
|
return None;
|
||||||
|
}
|
||||||
|
let path = if matches!(normalized.as_str(), "1" | "true" | "on") {
|
||||||
|
default_trace_path()
|
||||||
|
} else {
|
||||||
|
PathBuf::from(raw)
|
||||||
|
};
|
||||||
|
if let Some(parent) = path.parent() {
|
||||||
|
let _ = std::fs::create_dir_all(parent);
|
||||||
|
}
|
||||||
|
OpenOptions::new()
|
||||||
|
.create(true)
|
||||||
|
.append(true)
|
||||||
|
.open(&path)
|
||||||
|
.ok()
|
||||||
|
.map(Mutex::new)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn open_health_file() -> Option<Mutex<File>> {
|
||||||
|
let path = health_log_path_from_env()?;
|
||||||
|
rotate_health_log_if_needed(&path);
|
||||||
|
if let Some(parent) = path.parent() {
|
||||||
|
let _ = std::fs::create_dir_all(parent);
|
||||||
|
}
|
||||||
|
OpenOptions::new()
|
||||||
|
.create(true)
|
||||||
|
.append(true)
|
||||||
|
.open(&path)
|
||||||
|
.ok()
|
||||||
|
.map(Mutex::new)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn health_log_path_from_env() -> Option<PathBuf> {
|
||||||
|
match std::env::var_os("DOSH_HEALTH_LOG") {
|
||||||
|
Some(raw) => {
|
||||||
|
let normalized = raw.to_string_lossy().to_ascii_lowercase();
|
||||||
|
if normalized.is_empty() || matches!(normalized.as_str(), "0" | "false" | "off") {
|
||||||
|
None
|
||||||
|
} else if matches!(normalized.as_str(), "1" | "true" | "on") {
|
||||||
|
Some(default_health_log_path())
|
||||||
|
} else {
|
||||||
|
Some(PathBuf::from(raw))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
None => Some(default_health_log_path()),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn rotate_health_log_if_needed(path: &Path) {
|
||||||
|
let Ok(metadata) = std::fs::metadata(path) else {
|
||||||
|
return;
|
||||||
|
};
|
||||||
|
if metadata.len() <= HEALTH_LOG_MAX_BYTES {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
let rotated = path.with_extension("log.1");
|
||||||
|
let _ = std::fs::remove_file(&rotated);
|
||||||
|
let _ = std::fs::rename(path, rotated);
|
||||||
|
}
|
||||||
|
|
||||||
|
fn default_trace_path() -> PathBuf {
|
||||||
|
let exe = std::env::current_exe()
|
||||||
|
.ok()
|
||||||
|
.and_then(|path| {
|
||||||
|
path.file_stem()
|
||||||
|
.map(|stem| stem.to_string_lossy().to_string())
|
||||||
|
})
|
||||||
|
.unwrap_or_else(|| "dosh".to_string());
|
||||||
|
trace_root().join(format!("{}-{}.log", exe, std::process::id()))
|
||||||
|
}
|
||||||
|
|
||||||
|
fn trace_root() -> PathBuf {
|
||||||
|
dirs::cache_dir()
|
||||||
|
.unwrap_or_else(std::env::temp_dir)
|
||||||
|
.join("dosh")
|
||||||
|
.join("trace")
|
||||||
|
}
|
||||||
|
|
||||||
|
fn truthy_env(name: &str) -> bool {
|
||||||
|
std::env::var_os(name).is_some_and(|value| {
|
||||||
|
let normalized = value.to_string_lossy().to_ascii_lowercase();
|
||||||
|
!normalized.is_empty() && !matches!(normalized.as_str(), "0" | "false" | "off")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
fn shell_escape(value: &str) -> String {
|
||||||
|
if value.bytes().all(|byte| {
|
||||||
|
byte.is_ascii_alphanumeric()
|
||||||
|
|| matches!(byte, b'.' | b'-' | b'_' | b':' | b'/' | b',' | b'=')
|
||||||
|
}) {
|
||||||
|
return value.to_string();
|
||||||
|
}
|
||||||
|
let mut out = String::from("'");
|
||||||
|
for ch in value.chars() {
|
||||||
|
if ch == '\'' {
|
||||||
|
out.push_str("'\\''");
|
||||||
|
} else {
|
||||||
|
out.push(ch);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
out.push('\'');
|
||||||
|
out
|
||||||
|
}
|
||||||
|
|
||||||
|
fn contains_byte(bytes: &[u8], needle: u8) -> bool {
|
||||||
|
bytes.contains(&needle)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn has_focus_report(bytes: &[u8]) -> bool {
|
||||||
|
bytes
|
||||||
|
.windows(3)
|
||||||
|
.any(|window| matches!(window, b"\x1b[I" | b"\x1b[O"))
|
||||||
|
|| bytes
|
||||||
|
.windows(2)
|
||||||
|
.any(|window| matches!(window, b"\x9bI" | b"\x9bO"))
|
||||||
|
}
|
||||||
|
|
||||||
|
fn looks_mouseish(bytes: &[u8]) -> bool {
|
||||||
|
bytes.windows(3).any(|window| window == b"\x1b[<")
|
||||||
|
|| bytes.windows(2).any(|window| window == b"\x9b<")
|
||||||
|
|| bytes.iter().filter(|byte| **byte == b';').take(3).count() >= 2
|
||||||
|
}
|
||||||
|
|
||||||
|
fn printable_count(bytes: &[u8]) -> usize {
|
||||||
|
bytes
|
||||||
|
.iter()
|
||||||
|
.filter(|byte| byte.is_ascii_graphic() || **byte == b' ')
|
||||||
|
.count()
|
||||||
|
}
|
||||||
|
|
||||||
|
fn hex_prefix(bytes: &[u8], max: usize) -> String {
|
||||||
|
let mut out = String::with_capacity(bytes.len().min(max) * 2);
|
||||||
|
for byte in bytes.iter().take(max) {
|
||||||
|
use std::fmt::Write as _;
|
||||||
|
let _ = write!(&mut out, "{byte:02x}");
|
||||||
|
}
|
||||||
|
if bytes.len() > max {
|
||||||
|
out.push_str("...");
|
||||||
|
}
|
||||||
|
out
|
||||||
|
}
|
||||||
+982
-124
File diff suppressed because it is too large
Load Diff
@@ -29,7 +29,7 @@ use std::io::{Read, Write};
|
|||||||
use std::net::{SocketAddr, TcpListener, UdpSocket};
|
use std::net::{SocketAddr, TcpListener, UdpSocket};
|
||||||
use std::process::{Child, Command, Stdio};
|
use std::process::{Child, Command, Stdio};
|
||||||
use std::sync::Arc;
|
use std::sync::Arc;
|
||||||
use std::sync::atomic::{AtomicBool, AtomicU64, Ordering};
|
use std::sync::atomic::{AtomicBool, AtomicU32, AtomicU64, Ordering};
|
||||||
use std::sync::mpsc::{Receiver, Sender, channel};
|
use std::sync::mpsc::{Receiver, Sender, channel};
|
||||||
use std::thread;
|
use std::thread;
|
||||||
use std::time::{Duration, Instant};
|
use std::time::{Duration, Instant};
|
||||||
@@ -49,9 +49,20 @@ use ed25519_dalek::{SigningKey, VerifyingKey};
|
|||||||
use rand::rngs::StdRng;
|
use rand::rngs::StdRng;
|
||||||
use rand::{Rng, SeedableRng};
|
use rand::{Rng, SeedableRng};
|
||||||
|
|
||||||
|
const TEST_UDP_PORT_START: u16 = 31_000;
|
||||||
|
const TEST_UDP_PORT_END: u16 = 60_999;
|
||||||
|
static NEXT_UDP_PORT: AtomicU32 = AtomicU32::new(TEST_UDP_PORT_START as u32);
|
||||||
|
|
||||||
fn free_udp_port() -> u16 {
|
fn free_udp_port() -> u16 {
|
||||||
let socket = UdpSocket::bind("127.0.0.1:0").unwrap();
|
let span = u32::from(TEST_UDP_PORT_END - TEST_UDP_PORT_START) + 1;
|
||||||
socket.local_addr().unwrap().port()
|
for _ in TEST_UDP_PORT_START..=TEST_UDP_PORT_END {
|
||||||
|
let offset = NEXT_UDP_PORT.fetch_add(1, Ordering::SeqCst) % span;
|
||||||
|
let port = TEST_UDP_PORT_START + offset as u16;
|
||||||
|
if UdpSocket::bind(("127.0.0.1", port)).is_ok() {
|
||||||
|
return port;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
panic!("no free UDP test port in {TEST_UDP_PORT_START}-{TEST_UDP_PORT_END}");
|
||||||
}
|
}
|
||||||
|
|
||||||
fn write_server_config(dir: &tempfile::TempDir, port: u16) -> std::path::PathBuf {
|
fn write_server_config(dir: &tempfile::TempDir, port: u16) -> std::path::PathBuf {
|
||||||
|
|||||||
+135
-7
@@ -3,6 +3,7 @@
|
|||||||
use std::fs;
|
use std::fs;
|
||||||
use std::io::{Read, Write};
|
use std::io::{Read, Write};
|
||||||
use std::net::{TcpListener, TcpStream, UdpSocket};
|
use std::net::{TcpListener, TcpStream, UdpSocket};
|
||||||
|
use std::os::unix::fs::PermissionsExt;
|
||||||
use std::os::unix::net::{UnixListener, UnixStream};
|
use std::os::unix::net::{UnixListener, UnixStream};
|
||||||
use std::path::{Path, PathBuf};
|
use std::path::{Path, PathBuf};
|
||||||
use std::process::{Child, Command, Stdio};
|
use std::process::{Child, Command, Stdio};
|
||||||
@@ -151,21 +152,41 @@ fn write_server_config_with_retransmit_window(
|
|||||||
}
|
}
|
||||||
|
|
||||||
fn start_server(dir: &tempfile::TempDir, config: &std::path::Path) -> Child {
|
fn start_server(dir: &tempfile::TempDir, config: &std::path::Path) -> Child {
|
||||||
|
start_server_with_trace(dir, config, None)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn start_server_with_trace(
|
||||||
|
dir: &tempfile::TempDir,
|
||||||
|
config: &std::path::Path,
|
||||||
|
trace: Option<&Path>,
|
||||||
|
) -> Child {
|
||||||
let server = env!("CARGO_BIN_EXE_dosh-server");
|
let server = env!("CARGO_BIN_EXE_dosh-server");
|
||||||
let child = Command::new(server)
|
let mut command = Command::new(server);
|
||||||
|
command
|
||||||
.arg("serve")
|
.arg("serve")
|
||||||
.arg("--config")
|
.arg("--config")
|
||||||
.arg(config)
|
.arg(config)
|
||||||
.env("HOME", dir.path())
|
.env("HOME", dir.path())
|
||||||
.stdout(Stdio::null())
|
.stdout(Stdio::null())
|
||||||
.stderr(Stdio::null())
|
.stderr(Stdio::null());
|
||||||
.spawn()
|
if let Some(trace) = trace {
|
||||||
.unwrap();
|
command.env("DOSH_TRACE", trace);
|
||||||
|
}
|
||||||
|
let child = command.spawn().unwrap();
|
||||||
thread::sleep(Duration::from_millis(500));
|
thread::sleep(Duration::from_millis(500));
|
||||||
child
|
child
|
||||||
}
|
}
|
||||||
|
|
||||||
fn attach_once(dir: &tempfile::TempDir, port: u16, cache: bool) -> std::process::Output {
|
fn attach_once(dir: &tempfile::TempDir, port: u16, cache: bool) -> std::process::Output {
|
||||||
|
attach_once_with_trace(dir, port, cache, None)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn attach_once_with_trace(
|
||||||
|
dir: &tempfile::TempDir,
|
||||||
|
port: u16,
|
||||||
|
cache: bool,
|
||||||
|
trace: Option<&Path>,
|
||||||
|
) -> std::process::Output {
|
||||||
let client = env!("CARGO_BIN_EXE_dosh-client");
|
let client = env!("CARGO_BIN_EXE_dosh-client");
|
||||||
let mut cmd = Command::new(client);
|
let mut cmd = Command::new(client);
|
||||||
cmd.arg("--local-auth")
|
cmd.arg("--local-auth")
|
||||||
@@ -180,6 +201,9 @@ fn attach_once(dir: &tempfile::TempDir, port: u16, cache: bool) -> std::process:
|
|||||||
if !cache {
|
if !cache {
|
||||||
cmd.arg("--no-cache");
|
cmd.arg("--no-cache");
|
||||||
}
|
}
|
||||||
|
if let Some(trace) = trace {
|
||||||
|
cmd.env("DOSH_TRACE", trace);
|
||||||
|
}
|
||||||
cmd.output().unwrap()
|
cmd.output().unwrap()
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1002,6 +1026,8 @@ fn native_file_copy_recursive_round_trip() {
|
|||||||
fs::create_dir_all(src.join("nested")).unwrap();
|
fs::create_dir_all(src.join("nested")).unwrap();
|
||||||
fs::write(src.join("root.txt"), b"root file\n").unwrap();
|
fs::write(src.join("root.txt"), b"root file\n").unwrap();
|
||||||
fs::write(src.join("nested/child.txt"), b"child file\n").unwrap();
|
fs::write(src.join("nested/child.txt"), b"child file\n").unwrap();
|
||||||
|
std::os::unix::fs::symlink("root.txt", src.join("root-link")).unwrap();
|
||||||
|
std::os::unix::fs::symlink("nested/child.txt", src.join("child-link")).unwrap();
|
||||||
|
|
||||||
let client_bin = env!("CARGO_BIN_EXE_dosh-client");
|
let client_bin = env!("CARGO_BIN_EXE_dosh-client");
|
||||||
let upload = Command::new(client_bin)
|
let upload = Command::new(client_bin)
|
||||||
@@ -1107,6 +1133,14 @@ fn native_file_copy_recursive_round_trip() {
|
|||||||
fs::read_to_string(downloaded.join("nested/child.txt")).unwrap(),
|
fs::read_to_string(downloaded.join("nested/child.txt")).unwrap(),
|
||||||
"child file\n"
|
"child file\n"
|
||||||
);
|
);
|
||||||
|
assert_eq!(
|
||||||
|
fs::read_link(downloaded.join("root-link")).unwrap(),
|
||||||
|
PathBuf::from("root.txt")
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
fs::read_link(downloaded.join("child-link")).unwrap(),
|
||||||
|
PathBuf::from("nested/child.txt")
|
||||||
|
);
|
||||||
|
|
||||||
let remove = Command::new(client_bin)
|
let remove = Command::new(client_bin)
|
||||||
.arg("--dosh-host")
|
.arg("--dosh-host")
|
||||||
@@ -1241,6 +1275,80 @@ fn native_file_copy_resume_truncates_oversized_destinations() {
|
|||||||
let _ = server.wait();
|
let _ = server.wait();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn native_file_copy_resume_prefix_mismatch_preserves_destinations() {
|
||||||
|
let dir = tempfile::tempdir().unwrap();
|
||||||
|
let port = free_udp_port();
|
||||||
|
let config = write_server_config(&dir, port);
|
||||||
|
write_native_client_auth(&dir, &config);
|
||||||
|
let mut server = start_server(&dir, &config);
|
||||||
|
let client_bin = env!("CARGO_BIN_EXE_dosh-client");
|
||||||
|
|
||||||
|
let local_upload = dir.path().join("upload-prefix.txt");
|
||||||
|
let remote_upload = dir.path().join("remote-upload.txt");
|
||||||
|
fs::write(&local_upload, b"local-prefix\n").unwrap();
|
||||||
|
fs::write(&remote_upload, b"remote-prefix-with-tail\n").unwrap();
|
||||||
|
fs::set_permissions(&local_upload, fs::Permissions::from_mode(0o755)).unwrap();
|
||||||
|
fs::set_permissions(&remote_upload, fs::Permissions::from_mode(0o600)).unwrap();
|
||||||
|
|
||||||
|
let bad_upload_resume = Command::new(client_bin)
|
||||||
|
.arg("--dosh-host")
|
||||||
|
.arg("127.0.0.1")
|
||||||
|
.arg("--dosh-port")
|
||||||
|
.arg(port.to_string())
|
||||||
|
.arg("cp")
|
||||||
|
.arg("--resume")
|
||||||
|
.arg(&local_upload)
|
||||||
|
.arg("local:remote-upload.txt")
|
||||||
|
.env("HOME", dir.path())
|
||||||
|
.output()
|
||||||
|
.unwrap();
|
||||||
|
assert!(
|
||||||
|
!bad_upload_resume.status.success(),
|
||||||
|
"bad upload resume unexpectedly succeeded: stdout={} stderr={}",
|
||||||
|
String::from_utf8_lossy(&bad_upload_resume.stdout),
|
||||||
|
String::from_utf8_lossy(&bad_upload_resume.stderr)
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
fs::read_to_string(&remote_upload).unwrap(),
|
||||||
|
"remote-prefix-with-tail\n"
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
fs::metadata(&remote_upload).unwrap().permissions().mode() & 0o777,
|
||||||
|
0o600
|
||||||
|
);
|
||||||
|
|
||||||
|
fs::write(dir.path().join("remote-download.txt"), b"remote-download\n").unwrap();
|
||||||
|
let local_download = dir.path().join("download-prefix.txt");
|
||||||
|
fs::write(&local_download, b"local-download-with-tail\n").unwrap();
|
||||||
|
|
||||||
|
let bad_download_resume = Command::new(client_bin)
|
||||||
|
.arg("--dosh-host")
|
||||||
|
.arg("127.0.0.1")
|
||||||
|
.arg("--dosh-port")
|
||||||
|
.arg(port.to_string())
|
||||||
|
.arg("cp")
|
||||||
|
.arg("--resume")
|
||||||
|
.arg("local:remote-download.txt")
|
||||||
|
.arg(&local_download)
|
||||||
|
.env("HOME", dir.path())
|
||||||
|
.output()
|
||||||
|
.unwrap();
|
||||||
|
assert!(
|
||||||
|
!bad_download_resume.status.success(),
|
||||||
|
"bad download resume unexpectedly succeeded: stdout={} stderr={}",
|
||||||
|
String::from_utf8_lossy(&bad_download_resume.stdout),
|
||||||
|
String::from_utf8_lossy(&bad_download_resume.stderr)
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
fs::read_to_string(&local_download).unwrap(),
|
||||||
|
"local-download-with-tail\n"
|
||||||
|
);
|
||||||
|
|
||||||
|
let _ = server.kill();
|
||||||
|
let _ = server.wait();
|
||||||
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn native_exec_command_smoke() {
|
fn native_exec_command_smoke() {
|
||||||
let dir = tempfile::tempdir().unwrap();
|
let dir = tempfile::tempdir().unwrap();
|
||||||
@@ -1479,7 +1587,9 @@ fn ticket_attach_after_server_restart_smoke() {
|
|||||||
let dir = tempfile::tempdir().unwrap();
|
let dir = tempfile::tempdir().unwrap();
|
||||||
let port = free_udp_port();
|
let port = free_udp_port();
|
||||||
let config = write_server_config(&dir, port);
|
let config = write_server_config(&dir, port);
|
||||||
let mut server = start_server(&dir, &config);
|
let server_trace = dir.path().join("server-trace.log");
|
||||||
|
let client_trace = dir.path().join("client-trace.log");
|
||||||
|
let mut server = start_server_with_trace(&dir, &config, Some(&server_trace));
|
||||||
let first = attach_once(&dir, port, true);
|
let first = attach_once(&dir, port, true);
|
||||||
let _ = server.kill();
|
let _ = server.kill();
|
||||||
let _ = server.wait();
|
let _ = server.wait();
|
||||||
@@ -1489,8 +1599,8 @@ fn ticket_attach_after_server_restart_smoke() {
|
|||||||
String::from_utf8_lossy(&first.stderr)
|
String::from_utf8_lossy(&first.stderr)
|
||||||
);
|
);
|
||||||
|
|
||||||
let mut server = start_server(&dir, &config);
|
let mut server = start_server_with_trace(&dir, &config, Some(&server_trace));
|
||||||
let second = attach_once(&dir, port, true);
|
let second = attach_once_with_trace(&dir, port, true, Some(&client_trace));
|
||||||
let _ = server.kill();
|
let _ = server.kill();
|
||||||
let _ = server.wait();
|
let _ = server.wait();
|
||||||
let stderr = String::from_utf8_lossy(&second.stderr);
|
let stderr = String::from_utf8_lossy(&second.stderr);
|
||||||
@@ -1499,6 +1609,24 @@ fn ticket_attach_after_server_restart_smoke() {
|
|||||||
stderr.contains("udp_ticket_attach_ready"),
|
stderr.contains("udp_ticket_attach_ready"),
|
||||||
"stderr={stderr}"
|
"stderr={stderr}"
|
||||||
);
|
);
|
||||||
|
let server_trace = fs::read_to_string(&server_trace).unwrap();
|
||||||
|
let client_trace = fs::read_to_string(&client_trace).unwrap();
|
||||||
|
assert!(
|
||||||
|
server_trace.contains("event=server.ticket_attach_start"),
|
||||||
|
"server trace={server_trace}"
|
||||||
|
);
|
||||||
|
assert!(
|
||||||
|
server_trace.contains("event=server.ticket_attach_ok"),
|
||||||
|
"server trace={server_trace}"
|
||||||
|
);
|
||||||
|
assert!(
|
||||||
|
client_trace.contains("event=client.ticket_attach_start"),
|
||||||
|
"client trace={client_trace}"
|
||||||
|
);
|
||||||
|
assert!(
|
||||||
|
client_trace.contains("event=client.ticket_attach_ok"),
|
||||||
|
"client trace={client_trace}"
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
|
|||||||
@@ -58,6 +58,21 @@ fn encrypted_packet_round_trips() {
|
|||||||
assert_eq!(plain, b"hello");
|
assert_eq!(plain, b"hello");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn packet_decode_rejects_truncated_or_trailing_datagrams() {
|
||||||
|
let packet =
|
||||||
|
protocol::encode_plain(PacketKind::Ping, crypto::random_16(), 1, 0, b"hello").unwrap();
|
||||||
|
|
||||||
|
let truncated = &packet[..packet.len() - 1];
|
||||||
|
let err = protocol::decode(truncated).unwrap_err();
|
||||||
|
assert!(err.to_string().contains("truncated packet body"));
|
||||||
|
|
||||||
|
let mut trailing = packet.clone();
|
||||||
|
trailing.extend_from_slice(b"junk");
|
||||||
|
let err = protocol::decode(&trailing).unwrap_err();
|
||||||
|
assert!(err.to_string().contains("trailing packet bytes"));
|
||||||
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn plaintext_packet_never_decrypts_as_authenticated_body() {
|
fn plaintext_packet_never_decrypts_as_authenticated_body() {
|
||||||
let key = crypto::random_32();
|
let key = crypto::random_32();
|
||||||
|
|||||||
@@ -19,6 +19,199 @@ fn release_scripts_skip_stale_artifacts_when_auto_discovering() {
|
|||||||
assert!(publish.contains("actual=\"$(artifact_version \"$artifact\" || true)\""));
|
assert!(publish.contains("actual=\"$(artifact_version \"$artifact\" || true)\""));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn release_upload_refuses_partial_platform_sets_by_default() {
|
||||||
|
let upload = include_str!("../scripts/upload-gitea-release.sh");
|
||||||
|
assert!(upload.contains("require_complete_release_artifacts \"$@\""));
|
||||||
|
assert!(upload.contains("DOSH_RELEASE_ALLOW_PARTIAL=1"));
|
||||||
|
assert!(upload.contains("refusing partial release upload"));
|
||||||
|
for name in [
|
||||||
|
"dosh-linux-x86_64.tar.gz",
|
||||||
|
"dosh-macos-aarch64.tar.gz",
|
||||||
|
"dosh-macos-x86_64.tar.gz",
|
||||||
|
"dosh-windows-x86_64.zip",
|
||||||
|
] {
|
||||||
|
assert!(
|
||||||
|
upload.contains(name),
|
||||||
|
"release upload completeness check must require {name}"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn release_upload_marks_prerelease_tags_as_prereleases() {
|
||||||
|
let upload = include_str!("../scripts/upload-gitea-release.sh");
|
||||||
|
assert!(upload.contains("release_prerelease=false"));
|
||||||
|
assert!(upload.contains("*-*) release_prerelease=true"));
|
||||||
|
assert!(upload.contains("\"prerelease\":%s"));
|
||||||
|
assert!(upload.contains("metadata_payload="));
|
||||||
|
assert!(
|
||||||
|
upload.contains("-X PATCH"),
|
||||||
|
"existing Gitea releases must be corrected when prerelease metadata changes"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn release_gates_test_all_targets() {
|
||||||
|
let makefile = include_str!("../Makefile");
|
||||||
|
let ci = include_str!("../.github/workflows/ci.yml");
|
||||||
|
assert!(makefile.contains("test:\n\tcargo test --all-targets"));
|
||||||
|
assert!(makefile.contains("cargo test --all-targets\n\t$(MAKE) tui-harness"));
|
||||||
|
assert!(ci.contains("run: sh -n install.sh scripts/*.sh"));
|
||||||
|
assert!(ci.contains("run: cargo clippy --all-targets -- -D warnings"));
|
||||||
|
assert!(ci.contains("run: cargo test --all-targets"));
|
||||||
|
assert!(ci.contains("run: sh scripts/tui-harness.sh"));
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn one_dot_zero_gates_default_to_full_length_soaks() {
|
||||||
|
let makefile = include_str!("../Makefile");
|
||||||
|
let reconnect_check = makefile
|
||||||
|
.split("reconnect-check:")
|
||||||
|
.nth(1)
|
||||||
|
.and_then(|tail| tail.split("\nhostile-network-check:").next())
|
||||||
|
.expect("reconnect-check target");
|
||||||
|
assert!(reconnect_check.contains("DOSH_SOAK_SECONDS=$${DOSH_SOAK_SECONDS:-1800}"));
|
||||||
|
assert!(!reconnect_check.contains("DOSH_SOAK_SECONDS=$${DOSH_SOAK_SECONDS:-300}"));
|
||||||
|
|
||||||
|
let hostile_check = makefile
|
||||||
|
.split("hostile-network-check:")
|
||||||
|
.nth(1)
|
||||||
|
.and_then(|tail| tail.split("\npersistence-check:").next())
|
||||||
|
.expect("hostile-network-check target");
|
||||||
|
assert!(hostile_check.contains("DOSH_BADNET_SOAK_SECONDS=$${DOSH_BADNET_SOAK_SECONDS:-1800}"));
|
||||||
|
assert!(!hostile_check.contains("DOSH_BADNET_SOAK_SECONDS=$${DOSH_BADNET_SOAK_SECONDS:-300}"));
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn installers_skip_stale_latest_release_prebuilts() {
|
||||||
|
let install = include_str!("../install.sh");
|
||||||
|
assert!(install.contains("latest_release_is_stale"));
|
||||||
|
assert!(install.contains("current_source_version"));
|
||||||
|
assert!(install.contains("latest release $latest is older than source $current"));
|
||||||
|
assert!(install.contains("version_prerelease"));
|
||||||
|
assert!(install.contains("prerelease_less_than"));
|
||||||
|
assert!(
|
||||||
|
install.contains("if latest_release_is_stale; then"),
|
||||||
|
"unix installer must skip stale latest before downloading a prebuilt"
|
||||||
|
);
|
||||||
|
|
||||||
|
let ps1 = include_str!("../install.ps1");
|
||||||
|
assert!(ps1.contains("Latest-ReleaseIsStale"));
|
||||||
|
assert!(ps1.contains("Current-SourceVersion"));
|
||||||
|
assert!(ps1.contains("latest release $latestVersion is older than source $current"));
|
||||||
|
assert!(ps1.contains("Version-Prerelease"));
|
||||||
|
assert!(ps1.contains("Compare-Prerelease"));
|
||||||
|
assert!(
|
||||||
|
ps1.contains("if (Latest-ReleaseIsStale)"),
|
||||||
|
"windows installer must skip stale latest before downloading a prebuilt"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn installers_refuse_prebuilts_without_checksums() {
|
||||||
|
let install = include_str!("../install.sh");
|
||||||
|
assert!(install.contains("verify_archive_checksum"));
|
||||||
|
assert!(install.contains("refusing unverified binary for $url"));
|
||||||
|
assert!(
|
||||||
|
!install.contains("continuing without sidecar verification"),
|
||||||
|
"unix installer must not silently install an unverifiable prebuilt"
|
||||||
|
);
|
||||||
|
|
||||||
|
let ps1 = include_str!("../install.ps1");
|
||||||
|
assert!(ps1.contains("Verify-ArchiveChecksum"));
|
||||||
|
assert!(ps1.contains("refusing unverified binary for $Url"));
|
||||||
|
assert!(
|
||||||
|
!ps1.contains("continuing without sidecar verification"),
|
||||||
|
"windows installer must not silently install an unverifiable prebuilt"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn windows_installer_reuses_persistent_source_update_cache() {
|
||||||
|
let ps1 = include_str!("../install.ps1");
|
||||||
|
assert!(ps1.contains("DOSH_UPDATE_CACHE"));
|
||||||
|
assert!(ps1.contains("Assert-NoRelativePathSegments($Path)"));
|
||||||
|
assert!(ps1.contains("Assert-NoRelativePathSegments $Path"));
|
||||||
|
assert!(ps1.contains("$segment -eq \".\" -or $segment -eq \"..\""));
|
||||||
|
assert!(ps1.contains("$sourceCache = Assert-SafeUpdateCache $UpdateCache"));
|
||||||
|
assert!(ps1.contains("git -C $sourceCache fetch --depth 1 origin main"));
|
||||||
|
assert!(ps1.contains("git -C $sourceCache checkout -q -B main FETCH_HEAD"));
|
||||||
|
assert!(ps1.contains("git clone --depth 1 --branch main $Repo $sourceCache"));
|
||||||
|
assert!(
|
||||||
|
!ps1.contains("git clone --depth 1 $Repo $tmp"),
|
||||||
|
"Windows source updates should reuse a persistent cache instead of recloning into temp"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn unix_installer_rejects_unsafe_source_update_cache_paths() {
|
||||||
|
let install = include_str!("../install.sh");
|
||||||
|
assert!(install.contains("normalize_update_cache_path()"));
|
||||||
|
assert!(install.contains("safe_update_cache_path()"));
|
||||||
|
assert!(install.contains("update_cache=\"$(safe_update_cache_path \"$update_cache\")\""));
|
||||||
|
for pattern in [
|
||||||
|
"\"\"|\"/\"|\"$home_norm\"|\"$home_cache_norm\"",
|
||||||
|
"\".\"|\"..\"|./*|../*|*/.|*/..|*/./*|*/../*",
|
||||||
|
] {
|
||||||
|
assert!(
|
||||||
|
install.contains(pattern),
|
||||||
|
"Unix installer must reject unsafe update cache pattern {pattern}"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
assert!(
|
||||||
|
install.contains("rm -rf \"$update_cache\""),
|
||||||
|
"source cache replacement remains the destructive operation guarded by safe_update_cache_path"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn installers_generate_same_native_auth_client_defaults() {
|
||||||
|
let install = include_str!("../install.sh");
|
||||||
|
let ps1 = include_str!("../install.ps1");
|
||||||
|
for setting in [
|
||||||
|
"auth_preference = \"native,ssh\"",
|
||||||
|
"trust_on_first_use = false",
|
||||||
|
"native_auth_timeout_ms = 700",
|
||||||
|
"known_hosts = \"~/.config/dosh/known_hosts\"",
|
||||||
|
"identity_files = [\"~/.ssh/id_ed25519\"]",
|
||||||
|
"use_ssh_agent = true",
|
||||||
|
"forward_agent = false",
|
||||||
|
] {
|
||||||
|
assert!(
|
||||||
|
install.contains(setting),
|
||||||
|
"Unix installer missing client default {setting}"
|
||||||
|
);
|
||||||
|
assert!(
|
||||||
|
ps1.contains(setting),
|
||||||
|
"Windows installer missing client default {setting}"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn windows_installer_generates_hosts_config_like_unix() {
|
||||||
|
let install = include_str!("../install.sh");
|
||||||
|
let ps1 = include_str!("../install.ps1");
|
||||||
|
for setting in [
|
||||||
|
"hosts.toml",
|
||||||
|
"# default_command = \"tm\"",
|
||||||
|
"[default]",
|
||||||
|
"predict = true",
|
||||||
|
] {
|
||||||
|
assert!(
|
||||||
|
install.contains(setting),
|
||||||
|
"Unix installer missing host config setting {setting}"
|
||||||
|
);
|
||||||
|
assert!(
|
||||||
|
ps1.contains(setting),
|
||||||
|
"Windows installer missing host config setting {setting}"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
assert!(ps1.contains("$hostUdp = if ($DoshHost) { $DoshHost } else { $defaultServer }"));
|
||||||
|
assert!(ps1.contains("Set-Content -NoNewline -Encoding utf8 $hostsConfig"));
|
||||||
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn package_check_verifies_only_artifacts_it_builds() {
|
fn package_check_verifies_only_artifacts_it_builds() {
|
||||||
let makefile = include_str!("../Makefile");
|
let makefile = include_str!("../Makefile");
|
||||||
@@ -42,6 +235,38 @@ fn package_check_verifies_only_artifacts_it_builds() {
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn complete_release_verifier_requires_both_macos_architectures() {
|
||||||
|
let verify = include_str!("../scripts/verify-release-artifacts.sh");
|
||||||
|
assert!(verify.contains("dosh-linux-x86_64.tar.gz"));
|
||||||
|
assert!(verify.contains("dosh-macos-aarch64.tar.gz"));
|
||||||
|
assert!(verify.contains("dosh-macos-x86_64.tar.gz"));
|
||||||
|
assert!(verify.contains("dosh-windows-x86_64.zip"));
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn release_verifier_checks_checksums_and_expected_binaries() {
|
||||||
|
let verify = include_str!("../scripts/verify-release-artifacts.sh");
|
||||||
|
assert!(verify.contains("verify_checksum()"));
|
||||||
|
assert!(verify.contains("release checksum mismatch"));
|
||||||
|
for member in [
|
||||||
|
"dosh/bin/dosh",
|
||||||
|
"dosh/bin/dosh-client",
|
||||||
|
"dosh/bin/dosh-server",
|
||||||
|
"dosh/bin/dosh-auth",
|
||||||
|
"dosh/bin/dosh-bench",
|
||||||
|
"dosh/bin/dosh.exe",
|
||||||
|
"dosh/bin/dosh-client.exe",
|
||||||
|
"dosh/bin/dosh-bench.exe",
|
||||||
|
] {
|
||||||
|
assert!(
|
||||||
|
verify.contains(member),
|
||||||
|
"release verifier must require archive member {member}"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
assert!(verify.contains("artifact missing expected member"));
|
||||||
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn package_release_stamps_git_build_info() {
|
fn package_release_stamps_git_build_info() {
|
||||||
let package = include_str!("../scripts/package-release.sh");
|
let package = include_str!("../scripts/package-release.sh");
|
||||||
|
|||||||
Reference in New Issue
Block a user