rough changes for ssh to work with latest envoy-custom from main

2025-08-06 10:21:05 +02:00 · 2025-06-17 15:44:12 +00:00 · 2025-06-17 15:44:12 +00:00 · b5e70f7a6a
commit b5e70f7a6a
parent 4e6aa84ca4
6 changed files with 40 additions and 46 deletions
--- a/authorize/ssh_grpc.go
+++ b/authorize/ssh_grpc.go
@ -469,7 +469,7 @@ func (a *Authorize) ManageStream(

 func (a *Authorize) getSSHRouteForHostname(hostname string) *config.Policy {
 	opts := a.currentConfig.Load().Options
-	from := "ssh://" + strings.TrimSuffix(strings.Join([]string{hostname, opts.SSHHostname}, "."), ".")
+	from := "ssh://" + hostname
 	for r := range opts.GetAllPolicies() {
 		if r.From == from {
 			return r
@ -1221,18 +1221,18 @@ func (a *Authorize) NewPortalCommand(
 			var routes []string
 			for r := range cfg.Options.GetAllPolicies() {
 				if strings.HasPrefix(r.From, "ssh://") {
-					routes = append(routes, fmt.Sprintf("%s@%s", state.Username, strings.TrimSuffix(strings.TrimPrefix(r.From, "ssh://"), "."+cfg.Options.SSHHostname)))
+					routes = append(routes, fmt.Sprintf("%s@%s", state.Username, strings.TrimPrefix(r.From, "ssh://")))
 				}
 			}
 			items := []list.Item{}
 			for _, route := range routes {
 				items = append(items, item(route))
 			}
-			a.activeStreams.Range(func(id uint64, _ *StreamState) {
-				if id != state.StreamID {
-					items = append(items, item(fmt.Sprintf("[demo] mirror session: %v", id)))
-				}
-			})
+			// a.activeStreams.Range(func(id uint64, _ *StreamState) {
+			// 	if id != state.StreamID {
+			// 		items = append(items, item(fmt.Sprintf("[demo] mirror session: %v", id)))
+			// 	}
+			// })

 			l := list.New(items, itemDelegate{}, int(ptyInfo.WidthColumns-2), int(ptyInfo.HeightRows-2))
 			l.Title = "Connect to which server?"
--- a/config/envoyconfig/listeners_ssh.go
+++ b/config/envoyconfig/listeners_ssh.go
@ -5,24 +5,20 @@ import (
 	"fmt"
 	"net/url"
 	"os"
-	"strings"
 	"time"

 	xds_core_v3 "github.com/cncf/xds/go/xds/core/v3"
 	xds_matcher_v3 "github.com/cncf/xds/go/xds/type/matcher/v3"
 	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	envoy_config_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
-	extensions_compressor_zstd_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/compression/zstd/compressor/v3"
 	envoy_generic_proxy_action_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/action/v3"
 	envoy_generic_proxy_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/matcher/v3"
 	envoy_generic_router_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/router/v3"
 	envoy_generic_proxy_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/v3"
 	matcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
 	extensions_ssh "github.com/pomerium/envoy-custom/api/extensions/filters/network/ssh"
-	extensions_ssh_session_recording "github.com/pomerium/envoy-custom/api/extensions/filters/network/ssh/filters/session_recording"
 	"github.com/pomerium/pomerium/config"
 	"google.golang.org/protobuf/types/known/durationpb"
-	"google.golang.org/protobuf/types/known/wrapperspb"
 )

 func (b *Builder) buildSSHListener(ctx context.Context, cfg *config.Config) (*envoy_config_listener_v3.Listener, error) {
@ -65,29 +61,29 @@ func (b *Builder) buildSSHListener(ctx context.Context, cfg *config.Config) (*en
 									}),
 								},
 								Filters: []*envoy_config_core_v3.TypedExtensionConfig{
-									{
-										Name: "envoy.filters.generic.ssh.session_recording",
-										TypedConfig: marshalAny(&extensions_ssh_session_recording.Config{
-											StorageDir:  "/tmp/recordings",
-											GrpcService: authorizeService,
-											CompressorLibrary: &envoy_config_core_v3.TypedExtensionConfig{
-												Name: "envoy.compression.zstd.compressor",
-												TypedConfig: marshalAny(&extensions_compressor_zstd_v3.Zstd{
-													CompressionLevel: wrapperspb.UInt32(19),
-													EnableChecksum:   false,
-													Strategy:         extensions_compressor_zstd_v3.Zstd_BTULTRA2,
-													ChunkSize:        wrapperspb.UInt32(8192),
-												}),
-											},
-											// FileManagerConfig: &async_filesv3.AsyncFileManagerConfig{
-											// 	ManagerType: &async_filesv3.AsyncFileManagerConfig_ThreadPool_{
-											// 		ThreadPool: &async_filesv3.AsyncFileManagerConfig_ThreadPool{
-											// 			ThreadCount: 2,
+									// {
+									// 	Name: "envoy.filters.generic.ssh.session_recording",
+									// 	TypedConfig: marshalAny(&extensions_ssh_session_recording.Config{
+									// 		StorageDir:  "/tmp/recordings",
+									// 		GrpcService: authorizeService,
+									// 		CompressorLibrary: &envoy_config_core_v3.TypedExtensionConfig{
+									// 			Name: "envoy.compression.zstd.compressor",
+									// 			TypedConfig: marshalAny(&extensions_compressor_zstd_v3.Zstd{
+									// 				CompressionLevel: wrapperspb.UInt32(19),
+									// 				EnableChecksum:   false,
+									// 				Strategy:         extensions_compressor_zstd_v3.Zstd_BTULTRA2,
+									// 				ChunkSize:        wrapperspb.UInt32(8192),
+									// 			}),
 									// 		},
+									// 		// FileManagerConfig: &async_filesv3.AsyncFileManagerConfig{
+									// 		// 	ManagerType: &async_filesv3.AsyncFileManagerConfig_ThreadPool_{
+									// 		// 		ThreadPool: &async_filesv3.AsyncFileManagerConfig_ThreadPool{
+									// 		// 			ThreadCount: 2,
+									// 		// 		},
+									// 		// 	},
+									// 		// },
+									// 	}),
 									// },
-											// },
-										}),
-									},
 									// {
 									// 	Name:        "envoy.filters.generic.ssh.session_multiplexing",
 									// 	TypedConfig: marshalAny(&extensions_ssh_session_multiplexing.Config{}),
@ -123,10 +119,6 @@ func (b *Builder) buildRouteConfig(_ context.Context, cfg *config.Config) (*envo
 			continue
 		}
 		fromHost := from.Hostname()
-		if cfg.Options.SSHHostname != "" {
-			suffix := "." + cfg.Options.SSHHostname
-			fromHost = strings.TrimSuffix(fromHost, suffix)
-		}
 		if len(route.To) > 1 {
 			return nil, fmt.Errorf("only one 'to' entry allowed for ssh routes")
 		}
--- a/config/options.go
+++ b/config/options.go
@ -246,7 +246,6 @@ type Options struct {
 	GRPCClientTimeout time.Duration `mapstructure:"grpc_client_timeout" yaml:"grpc_client_timeout,omitempty"`

 	SSHAddr      string   `mapstructure:"ssh_address" yaml:"ssh_address,omitempty"`
-	SSHHostname  string   `mapstructure:"ssh_hostname" yaml:"ssh_hostname,omitempty"`
 	SSHHostKeys  []string `mapstructure:"ssh_host_keys" yaml:"ssh_host_keys,omitempty"`
 	SSHUserCAKey string   `mapstructure:"ssh_user_ca_key" yaml:"ssh_user_ca_key,omitempty"`

--- a/integration2/ssh_int_test.go
+++ b/integration2/ssh_int_test.go
@ -4,6 +4,7 @@ import (
 	"bytes"
 	"crypto/ed25519"
 	"errors"
+	"fmt"
 	"io"
 	"net"
 	"strings"
@ -20,6 +21,7 @@ import (
 	"github.com/pomerium/pomerium/internal/testenv/scenarios"
 	"github.com/pomerium/pomerium/internal/testenv/snippets"
 	"github.com/pomerium/pomerium/internal/testenv/upstreams"
+	"github.com/pomerium/pomerium/internal/testenv/values"
 )

 func TestSSH(t *testing.T) {
@ -65,7 +67,9 @@ func TestSSH(t *testing.T) {
 	)
 	up.SetServerConnCallback(echoShell{t}.handleConnection)
 	r := up.Route().
-		From(env.SubdomainURLWithScheme("example", "ssh")).
+		From(values.Bind(env.Ports().ProxySSH, func(port int) string {
+			return fmt.Sprintf("ssh://example:%d", port)
+		})).
 		Policy(func(p *config.Policy) { p.AllowAnyAuthenticatedUser = true })
 	env.AddUpstream(up)
 	env.Start()
@ -121,7 +125,9 @@ func TestSSH_JumpHostMode(t *testing.T) {
 	)
 	up.SetServerConnCallback(echoShell{t}.handleConnection)
 	r := up.Route().
-		From(env.SubdomainURLWithScheme("example", "ssh")).
+		From(values.Bind(env.Ports().ProxySSH, func(port int) string {
+			return fmt.Sprintf("ssh://example:%d", port)
+		})).
 		Policy(func(p *config.Policy) { p.AllowAnyAuthenticatedUser = true })
 	env.AddUpstream(up)
 	env.Start()
--- a/internal/testenv/environment.go
+++ b/internal/testenv/environment.go
@ -635,7 +635,6 @@ func (e *environment) Start() {
 	cfg.Options.GRPCAddr = fmt.Sprintf("%s:%d", e.host, e.ports.ProxyGRPC.Value())
 	cfg.Options.SSHAddr = fmt.Sprintf("%s:%d", e.host, e.ports.ProxySSH.Value())
 	cfg.Options.EnvoyAdminAddress = fmt.Sprintf("%s:%d", e.host, e.ports.EnvoyAdmin.Value())
-	cfg.Options.SSHHostname = localDomainName
 	cfg.Options.MetricsAddr = fmt.Sprintf("%s:%d", e.host, e.ports.ProxyMetrics.Value())
 	cfg.Options.CAFile = filepath.Join(e.tempDir, "certs", "ca.pem")
 	cfg.Options.CertFile = filepath.Join(e.tempDir, "certs", "trusted.pem")
--- a/internal/testenv/upstreams/ssh.go
+++ b/internal/testenv/upstreams/ssh.go
@ -5,7 +5,6 @@ import (
 	"fmt"
 	"log"
 	"net"
-	"strings"

 	"github.com/pomerium/pomerium/internal/testenv"
 	"github.com/pomerium/pomerium/internal/testenv/values"
@ -202,8 +201,7 @@ func (h *sshUpstream) handleConnection(ctx context.Context, conn net.Conn) {

 // Dial implements SSHUpstream.
 func (h *sshUpstream) Dial(r testenv.Route, config *ssh.ClientConfig) (*ssh.Client, error) {
-	return ssh.Dial("tcp", strings.TrimPrefix(r.URL().Value(), "ssh://"), config)
-	//return ssh.Dial("tcp", h.Env().Config().Options.SSHAddr, config)
+	return ssh.Dial("tcp", h.Env().Config().Options.SSHAddr, config)
 }

 // DirectDial implements SSHUpstream.