Fix coder ssh to handle SIGHUP from OpenSSH

spikecurtis · spikecurtis · commit 5732ab85ab8d · 2023-11-13T11:40:32.000+04:00
diff --git a/agent/agentssh/forward.go b/agent/agentssh/forward.go
@@ -37,6 +37,7 @@ type forwardedUnixHandler struct {
 }
 
 func (h *forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ *ssh.Server, req *gossh.Request) (bool, []byte) {
+	h.log.Debug(ctx, "handling unix remote forward")
 	h.Lock()
 	if h.forwards == nil {
 		h.forwards = make(map[string]net.Listener)
@@ -47,6 +48,7 @@ func (h *forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ *ssh.Server,
 		h.log.Warn(ctx, "SSH unix forward request from client with no gossh connection")
 		return false, nil
 	}
+	log := h.log.With(slog.F("remote_addr", conn.RemoteAddr()))
 
 	switch req.Type {
 	case "streamlocal-forward@openssh.com":
@@ -58,6 +60,7 @@ func (h *forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ *ssh.Server,
 		}
 
 		addr := reqPayload.SocketPath
+		log.Debug(ctx, "request begin unix remote-forward", slog.F("path", addr))
 		h.Lock()
 		_, ok := h.forwards[addr]
 		h.Unlock()
@@ -116,8 +119,10 @@ func (h *forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ *ssh.Server,
 						)
 					}
 					// closed below
+					log.Debug(ctx, "remote-forward listener closed", slog.F("path", addr))
 					break
 				}
+				log.Debug(ctx, "accepted remote-forward unix connection", slog.F("path", addr))
 				payload := gossh.Marshal(&forwardedStreamLocalPayload{
 					SocketPath: addr,
 				})
@@ -143,6 +148,7 @@ func (h *forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ *ssh.Server,
 				delete(h.forwards, addr)
 			}
 			h.Unlock()
+			log.Debug(ctx, "unix remote-forward listener removed from cache", slog.F("path", addr))
 			_ = ln.Close()
 		}()
 
@@ -155,6 +161,7 @@ func (h *forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ *ssh.Server,
 			h.log.Warn(ctx, "parse cancel-streamlocal-forward@openssh.com request payload from client", slog.Error(err))
 			return false, nil
 		}
+		log.Debug(ctx, "request to cancel unix remote-forward", slog.F("path", reqPayload.SocketPath))
 		h.Lock()
 		ln, ok := h.forwards[reqPayload.SocketPath]
 		h.Unlock()
diff --git a/cli/agent.go b/cli/agent.go
@@ -8,7 +8,6 @@ import (
 	"net/http/pprof"
 	"net/url"
 	"os"
-	"os/signal"
 	"path/filepath"
 	"runtime"
 	"strconv"
@@ -144,7 +143,7 @@ func (r *RootCmd) workspaceAgent() *clibase.Cmd {
 			// Note that we don't want to handle these signals in the
 			// process that runs as PID 1, that's why we do this after
 			// the reaper forked.
-			ctx, stopNotify := signal.NotifyContext(ctx, InterruptSignals...)
+			ctx, stopNotify := inv.SignalNotifyContext(ctx, InterruptSignals...)
 			defer stopNotify()
 
 			// DumpHandler does signal handling, so we call it after the
diff --git a/cli/clibase/cmd.go b/cli/clibase/cmd.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/signal"
 	"strings"
 	"unicode"
 
@@ -183,6 +184,9 @@ type Invocation struct {
 	Stdout  io.Writer
 	Stderr  io.Writer
 	Stdin   io.Reader
+
+	// testing
+	signalNotifyContext func(parent context.Context, signals ...os.Signal) (ctx context.Context, stop context.CancelFunc)
 }
 
 // WithOS returns the invocation as a main package, filling in the invocation's unset
@@ -197,6 +201,25 @@ func (inv *Invocation) WithOS() *Invocation {
 	})
 }
 
+// WithTestSignalNotifyContext allows overriding the default implementation of SignalNotifyContext.
+// This should only be used in testing.
+func (inv *Invocation) WithTestSignalNotifyContext(
+	f func(parent context.Context, signals ...os.Signal) (ctx context.Context, stop context.CancelFunc),
+) *Invocation {
+	return inv.with(func(i *Invocation) {
+		i.signalNotifyContext = f
+	})
+}
+
+// SignalNotifyContext is equivalent to signal.NotifyContext, but supports being overridden in
+// tests.
+func (inv *Invocation) SignalNotifyContext(parent context.Context, signals ...os.Signal) (ctx context.Context, stop context.CancelFunc) {
+	if inv.signalNotifyContext == nil {
+		return signal.NotifyContext(parent, signals...)
+	}
+	return inv.signalNotifyContext(parent, signals...)
+}
+
 func (inv *Invocation) Context() context.Context {
 	if inv.ctx == nil {
 		return context.Background()
diff --git a/cli/clitest/signal.go b/cli/clitest/signal.go
@@ -0,0 +1,59 @@
+package clitest
+
+import (
+	"context"
+	"os"
+	"sync"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type FakeSignalNotifier struct {
+	sync.Mutex
+	t       *testing.T
+	ctx     context.Context
+	cancel  context.CancelFunc
+	signals []os.Signal
+	stopped bool
+}
+
+func NewFakeSignalNotifier(t *testing.T) *FakeSignalNotifier {
+	fsn := &FakeSignalNotifier{t: t}
+	return fsn
+}
+
+func (f *FakeSignalNotifier) Stop() {
+	f.Lock()
+	defer f.Unlock()
+	f.stopped = true
+	if f.cancel == nil {
+		f.t.Error("stopped before started")
+		return
+	}
+	f.cancel()
+}
+
+func (f *FakeSignalNotifier) NotifyContext(parent context.Context, signals ...os.Signal) (ctx context.Context, stop context.CancelFunc) {
+	f.Lock()
+	defer f.Unlock()
+	f.signals = signals
+	f.ctx, f.cancel = context.WithCancel(parent)
+	return f.ctx, f.Stop
+}
+
+func (f *FakeSignalNotifier) Notify() {
+	f.Lock()
+	defer f.Unlock()
+	if f.cancel == nil {
+		f.t.Error("notified before started")
+		return
+	}
+	f.cancel()
+}
+
+func (f *FakeSignalNotifier) AssertStopped() {
+	f.Lock()
+	defer f.Unlock()
+	assert.True(f.t, f.stopped)
+}
diff --git a/cli/externalauth.go b/cli/externalauth.go
@@ -2,7 +2,6 @@ package cli
 
 import (
 	"encoding/json"
-	"os/signal"
 
 	"golang.org/x/xerrors"
 
@@ -63,7 +62,7 @@ fi
 		Handler: func(inv *clibase.Invocation) error {
 			ctx := inv.Context()
 
-			ctx, stop := signal.NotifyContext(ctx, InterruptSignals...)
+			ctx, stop := inv.SignalNotifyContext(ctx, InterruptSignals...)
 			defer stop()
 
 			client, err := r.createAgentClient()
diff --git a/cli/gitaskpass.go b/cli/gitaskpass.go
@@ -4,7 +4,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"os/signal"
 	"time"
 
 	"golang.org/x/xerrors"
@@ -26,7 +25,7 @@ func (r *RootCmd) gitAskpass() *clibase.Cmd {
 		Handler: func(inv *clibase.Invocation) error {
 			ctx := inv.Context()
 
-			ctx, stop := signal.NotifyContext(ctx, InterruptSignals...)
+			ctx, stop := inv.SignalNotifyContext(ctx, InterruptSignals...)
 			defer stop()
 
 			user, host, err := gitauth.ParseAskpass(inv.Args[0])
diff --git a/cli/gitssh.go b/cli/gitssh.go
@@ -8,7 +8,6 @@ import (
 	"io"
 	"os"
 	"os/exec"
-	"os/signal"
 	"path/filepath"
 	"strings"
 
@@ -30,7 +29,7 @@ func (r *RootCmd) gitssh() *clibase.Cmd {
 
 			// Catch interrupt signals to ensure the temporary private
 			// key file is cleaned up on most cases.
-			ctx, stop := signal.NotifyContext(ctx, InterruptSignals...)
+			ctx, stop := inv.SignalNotifyContext(ctx, InterruptSignals...)
 			defer stop()
 
 			// Early check so errors are reported immediately.
diff --git a/cli/server.go b/cli/server.go
@@ -22,7 +22,6 @@ import (
 	"net/http/pprof"
 	"net/url"
 	"os"
-	"os/signal"
 	"os/user"
 	"path/filepath"
 	"regexp"
@@ -333,7 +332,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 			//
 			// To get out of a graceful shutdown, the user can send
 			// SIGQUIT with ctrl+\ or SIGKILL with `kill -9`.
-			notifyCtx, notifyStop := signal.NotifyContext(ctx, InterruptSignals...)
+			notifyCtx, notifyStop := inv.SignalNotifyContext(ctx, InterruptSignals...)
 			defer notifyStop()
 
 			cacheDir := vals.CacheDir.String()
@@ -1098,7 +1097,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				logger = logger.Leveled(slog.LevelDebug)
 			}
 
-			ctx, cancel := signal.NotifyContext(ctx, InterruptSignals...)
+			ctx, cancel := inv.SignalNotifyContext(ctx, InterruptSignals...)
 			defer cancel()
 
 			url, closePg, err := startBuiltinPostgres(ctx, cfg, logger)
diff --git a/cli/server_createadminuser.go b/cli/server_createadminuser.go
@@ -4,7 +4,6 @@ package cli
 
 import (
 	"fmt"
-	"os/signal"
 	"sort"
 
 	"github.com/google/uuid"
@@ -48,7 +47,7 @@ func (r *RootCmd) newCreateAdminUserCommand() *clibase.Cmd {
 				logger = logger.Leveled(slog.LevelDebug)
 			}
 
-			ctx, cancel := signal.NotifyContext(ctx, InterruptSignals...)
+			ctx, cancel := inv.SignalNotifyContext(ctx, InterruptSignals...)
 			defer cancel()
 
 			if newUserDBURL == "" {
diff --git a/cli/ssh.go b/cli/ssh.go
@@ -62,7 +62,15 @@ func (r *RootCmd) ssh() *clibase.Cmd {
 			r.InitClient(client),
 		),
 		Handler: func(inv *clibase.Invocation) (retErr error) {
-			ctx, cancel := context.WithCancel(inv.Context())
+			// before dialing the SSH server over TCP, capture Interrupt signals
+			// so that if we are interrupted, we have a chance to tear down the
+			// TCP session cleanly before exiting.  If we don't, then the TCP
+			// session can persist for up to 72 hours, since we set a long
+			// timeout on the Agent side of the connection.  In particular,
+			// OpenSSH sends SIGHUP to terminate a proxy command.
+			ctx, stop := inv.SignalNotifyContext(inv.Context(), InterruptSignals...)
+			defer stop()
+			ctx, cancel := context.WithCancel(ctx)
 			defer cancel()
 
 			logger := slog.Make() // empty logger
@@ -227,8 +235,7 @@ func (r *RootCmd) ssh() *clibase.Cmd {
 				go func() {
 					defer wg.Done()
 					// Ensure stdout copy closes incase stdin is closed
-					// unexpectedly. Typically we wouldn't worry about
-					// this since OpenSSH should kill the proxy command.
+					// unexpectedly.
 					defer rawSSH.Close()
 
 					_, err := io.Copy(rawSSH, inv.Stdin)
diff --git a/cli/ssh_test.go b/cli/ssh_test.go
@@ -14,6 +14,7 @@ import (
 	"net/http/httptest"
 	"os"
 	"os/exec"
+	"path"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -245,6 +246,91 @@ func TestSSH(t *testing.T) {
 		<-cmdDone
 	})
 
+	// Test that we handle OS signals properly while remote forwarding, and don't just leave the TCP
+	// socket hanging.
+	t.Run("RemoteForward_Unix_Signal", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			t.Skip("No unix sockets on windows")
+		}
+		t.Parallel()
+		ctx := testutil.Context(t, testutil.WaitLong)
+		client, workspace, agentToken := setupWorkspaceForAgent(t, nil)
+		_, _ = tGoContext(t, func(ctx context.Context) {
+			// Run this async so the SSH command has to wait for
+			// the build and agent to connect!
+			_ = agenttest.New(t, client.URL, agentToken)
+			<-ctx.Done()
+		})
+
+		tmpdir := tempDirUnixSocket(t)
+		localSock := filepath.Join(tmpdir, "local.sock")
+		l, err := net.Listen("unix", localSock)
+		require.NoError(t, err)
+		defer l.Close()
+		remoteSock := path.Join(tmpdir, "remote.sock")
+		for i := 0; i < 3; i++ {
+			t.Logf("connect %d of 3", i+1)
+			inv, root := clitest.New(t,
+				"ssh",
+				workspace.Name,
+				"--remote-forward",
+				remoteSock+":"+localSock,
+			)
+			fsn := clitest.NewFakeSignalNotifier(t)
+			inv = inv.WithTestSignalNotifyContext(fsn.NotifyContext)
+			inv.Stdout = io.Discard
+			inv.Stderr = io.Discard
+
+			clitest.SetupConfig(t, client, root)
+			cmdDone := tGo(t, func() {
+				err := inv.WithContext(ctx).Run()
+				assert.Error(t, err)
+			})
+
+			// accept a single connection
+			msgs := make(chan string)
+			go func() {
+				conn, err := l.Accept()
+				assert.NoError(t, err)
+				msg, err := io.ReadAll(conn)
+				assert.NoError(t, err)
+				msgs <- string(msg)
+			}()
+
+			// write a single message
+			go func() {
+				var (
+					conn net.Conn
+					err  error
+				)
+				for {
+					select {
+					case <-ctx.Done():
+						t.Error("timeout")
+						return
+					default:
+						conn, err = net.Dial("unix", remoteSock)
+					}
+					if err == nil {
+						break
+					}
+				}
+				_, err = conn.Write([]byte("test"))
+				assert.NoError(t, err)
+				err = conn.Close()
+				assert.NoError(t, err)
+			}()
+
+			msg := testutil.RequireRecvCtx(ctx, t, msgs)
+			require.Equal(t, "test", msg)
+			fsn.Notify()
+			<-cmdDone
+			fsn.AssertStopped()
+		}
+		_, err = os.Stat(remoteSock)
+		require.ErrorIs(t, err, os.ErrNotExist, "didn't clean up remote socket")
+	})
+
 	t.Run("StdioExitOnStop", func(t *testing.T) {
 		t.Parallel()
 		if runtime.GOOS == "windows" {
diff --git a/enterprise/cli/provisionerdaemons.go b/enterprise/cli/provisionerdaemons.go
diff --git a/enterprise/cli/proxyserver.go b/enterprise/cli/proxyserver.go
diff --git a/tailnet/conn.go b/tailnet/conn.go
diff --git a/testutil/ctx.go b/testutil/ctx.go

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,7 @@ type forwardedUnixHandler struct {`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`func (h forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ ssh.Server, req *gossh.Request) (bool, []byte) {`
	`40`	`+ h.log.Debug(ctx, "handling unix remote forward")`
`40`	`41`	`h.Lock()`
`41`	`42`	`if h.forwards == nil {`
`42`	`43`	`h.forwards = make(map[string]net.Listener)`
`@@ -47,6 +48,7 @@ func (h forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ ssh.Server,`
`47`	`48`	`h.log.Warn(ctx, "SSH unix forward request from client with no gossh connection")`
`48`	`49`	`return false, nil`
`49`	`50`	`}`
	`51`	`+ log := h.log.With(slog.F("remote_addr", conn.RemoteAddr()))`
`50`	`52`
`51`	`53`	`switch req.Type {`
`52`	`54`	`case "streamlocal-forward@openssh.com":`
`@@ -58,6 +60,7 @@ func (h forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ ssh.Server,`
`58`	`60`	`}`
`59`	`61`
`60`	`62`	`addr := reqPayload.SocketPath`
	`63`	`+ log.Debug(ctx, "request begin unix remote-forward", slog.F("path", addr))`
`61`	`64`	`h.Lock()`
`62`	`65`	`_, ok := h.forwards[addr]`
`63`	`66`	`h.Unlock()`
`@@ -116,8 +119,10 @@ func (h forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ ssh.Server,`
`116`	`119`	`)`
`117`	`120`	`}`
`118`	`121`	`// closed below`
	`122`	`+ log.Debug(ctx, "remote-forward listener closed", slog.F("path", addr))`
`119`	`123`	`break`
`120`	`124`	`}`
	`125`	`+ log.Debug(ctx, "accepted remote-forward unix connection", slog.F("path", addr))`
`121`	`126`	`payload := gossh.Marshal(&forwardedStreamLocalPayload{`
`122`	`127`	`SocketPath: addr,`
`123`	`128`	`})`
`@@ -143,6 +148,7 @@ func (h forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ ssh.Server,`
`143`	`148`	`delete(h.forwards, addr)`
`144`	`149`	`}`
`145`	`150`	`h.Unlock()`
	`151`	`+ log.Debug(ctx, "unix remote-forward listener removed from cache", slog.F("path", addr))`
`146`	`152`	`_ = ln.Close()`
`147`	`153`	`}()`
`148`	`154`
`@@ -155,6 +161,7 @@ func (h forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ ssh.Server,`
`155`	`161`	`h.log.Warn(ctx, "parse cancel-streamlocal-forward@openssh.com request payload from client", slog.Error(err))`
`156`	`162`	`return false, nil`
`157`	`163`	`}`
	`164`	`+ log.Debug(ctx, "request to cancel unix remote-forward", slog.F("path", reqPayload.SocketPath))`
`158`	`165`	`h.Lock()`
`159`	`166`	`ln, ok := h.forwards[reqPayload.SocketPath]`
`160`	`167`	`h.Unlock()`