coder
diff --git a/‎agent/agentssh/agentssh_test.go
Lines changed: 95 additions & 1 deletion b/‎agent/agentssh/agentssh_test.go
Lines changed: 95 additions & 1 deletion
diff --git a/‎agent/agentssh/forward.go
Lines changed: 16 additions & 0 deletions b/‎agent/agentssh/forward.go
Lines changed: 16 additions & 0 deletions
diff --git a/‎cli/agent.go
Lines changed: 1 addition & 2 deletions b/‎cli/agent.go
Lines changed: 1 addition & 2 deletions
diff --git a/‎cli/clibase/cmd.go
Lines changed: 23 additions & 0 deletions b/‎cli/clibase/cmd.go
Lines changed: 23 additions & 0 deletions
diff --git a/‎cli/clitest/signal.go
Lines changed: 59 additions & 0 deletions b/‎cli/clitest/signal.go
Lines changed: 59 additions & 0 deletions
diff --git a/‎cli/externalauth.go
Lines changed: 1 addition & 2 deletions b/‎cli/externalauth.go
Lines changed: 1 addition & 2 deletions
diff --git a/‎cli/gitaskpass.go
Lines changed: 1 addition & 2 deletions b/‎cli/gitaskpass.go
Lines changed: 1 addition & 2 deletions
diff --git a/‎cli/gitssh.go
Lines changed: 1 addition & 2 deletions b/‎cli/gitssh.go
Lines changed: 1 addition & 2 deletions
diff --git a/‎cli/server.go
Lines changed: 2 additions & 3 deletions b/‎cli/server.go
Lines changed: 2 additions & 3 deletions
@@ -5,7 +5,10 @@ package agentssh_test
 import (
 	"bytes"
 	"context"
+	"io"
 	"net"
+	"os"
+	"path"
 	"runtime"
 	"strings"
 	"sync"
@@ -19,11 +22,13 @@ import (
 	"go.uber.org/goleak"
 	"golang.org/x/crypto/ssh"
 
+	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/slogtest"
 
 	"github.com/coder/coder/v2/agent/agentssh"
 	"github.com/coder/coder/v2/codersdk/agentsdk"
 	"github.com/coder/coder/v2/pty/ptytest"
+	"github.com/coder/coder/v2/testutil"
 )
 
 func TestMain(m *testing.M) {
@@ -159,7 +164,85 @@ func TestNewServer_CloseActiveConnections(t *testing.T) {
 	wg.Wait()
 }
 
+func Test_UnixRemoteForward(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
+	defer cancel()
+	logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true}).Leveled(slog.LevelDebug)
+	s, err := agentssh.NewServer(ctx, logger.Named("ssh"), prometheus.NewRegistry(), afero.NewOsFs(), 0, "")
+	require.NoError(t, err)
+	defer s.Close()
+
+	// The assumption is that these are set before serving SSH connections.
+	s.AgentToken = func() string { return "" }
+	s.Manifest = atomic.NewPointer(&agentsdk.Manifest{})
+
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+
+	serverErr := make(chan error)
+	go func() {
+		err := s.Serve(ln)
+		serverErr <- err
+	}()
+
+	dir := t.TempDir()
+	remoteSock := path.Join(dir, "test.sock")
+
+	// connect, disconnect several times
+	for i := 0; i < 4; i++ {
+		client, clientConn := sshClientAndConn(t, ln.Addr().String())
+
+		l, err := client.ListenUnix(remoteSock)
+		require.NoError(t, err)
+		msgs := make(chan string)
+
+		// accept a single connection
+		go func() {
+			conn, err := l.Accept()
+			assert.NoError(t, err)
+			msg, err := io.ReadAll(conn)
+			assert.NoError(t, err)
+			msgs <- string(msg)
+		}()
+
+		// write a single message
+		go func() {
+			conn, err := net.Dial("unix", remoteSock)
+			assert.NoError(t, err)
+			_, err = conn.Write([]byte("test"))
+			assert.NoError(t, err)
+			err = conn.Close()
+			assert.NoError(t, err)
+		}()
+
+		msg := recvCtx(ctx, t, msgs)
+		require.Equal(t, "test", msg)
+
+		err = l.Close()
+		require.NoError(t, err)
+
+		//err = client.Close()
+		//require.NoError(t, err)
+		err = clientConn.Close()
+		require.NoError(t, err)
+	}
+	_, err = os.Stat(remoteSock)
+	require.ErrorIs(t, err, os.ErrNotExist)
+
+	err = s.Close()
+	require.NoError(t, err)
+	// don't care whether we get an error
+	_ = recvCtx(ctx, t, serverErr)
+}
+
 func sshClient(t *testing.T, addr string) *ssh.Client {
+	client, _ := sshClientAndConn(t, addr)
+	return client
+}
+
+func sshClientAndConn(t *testing.T, addr string) (*ssh.Client, net.Conn) {
 	conn, err := net.Dial("tcp", addr)
 	require.NoError(t, err)
 	t.Cleanup(func() {
@@ -177,5 +260,16 @@ func sshClient(t *testing.T, addr string) *ssh.Client {
 	t.Cleanup(func() {
 		_ = c.Close()
 	})
-	return c
+	return c, conn
+}
+
+func recvCtx[A any](ctx context.Context, t testing.TB, c <-chan A) (a A) {
+	t.Helper()
+	select {
+	case <-ctx.Done():
+		t.Fatal("timeout")
+		return
+	case a = <-c:
+		return a
+	}
 }
@@ -28,6 +28,15 @@ type forwardedStreamLocalPayload struct {
 	Reserved   uint32
 }
 
+// unixSock represents a local unix socket that forwards connections over an SSH ServerConn
+type unixSock struct {
+	sync.Mutex
+	path     string
+	listener net.Listener
+	conn     *gossh.ServerConn
+	closed   bool
+}
+
 // forwardedUnixHandler is a clone of ssh.ForwardedTCPHandler that does
 // streamlocal forwarding (aka. unix forwarding) instead of TCP forwarding.
 type forwardedUnixHandler struct {
@@ -37,6 +46,7 @@ type forwardedUnixHandler struct {
 }
 
 func (h *forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ *ssh.Server, req *gossh.Request) (bool, []byte) {
+	h.log.Debug(ctx, "handling unix remote forward")
 	h.Lock()
 	if h.forwards == nil {
 		h.forwards = make(map[string]net.Listener)
@@ -47,6 +57,7 @@ func (h *forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ *ssh.Server,
 		h.log.Warn(ctx, "SSH unix forward request from client with no gossh connection")
 		return false, nil
 	}
+	log := h.log.With(slog.F("remote_addr", conn.RemoteAddr()))
 
 	switch req.Type {
 	case "streamlocal-forward@openssh.com":
@@ -58,6 +69,7 @@ func (h *forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ *ssh.Server,
 		}
 
 		addr := reqPayload.SocketPath
+		log.Debug(ctx, "request begin unix remote-forward", slog.F("path", addr))
 		h.Lock()
 		_, ok := h.forwards[addr]
 		h.Unlock()
@@ -116,8 +128,10 @@ func (h *forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ *ssh.Server,
 						)
 					}
 					// closed below
+					log.Debug(ctx, "remote-forward listener closed", slog.F("path", addr))
 					break
 				}
+				log.Debug(ctx, "accepted remote-forward unix connection", slog.F("path", addr))
 				payload := gossh.Marshal(&forwardedStreamLocalPayload{
 					SocketPath: addr,
 				})
@@ -143,6 +157,7 @@ func (h *forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ *ssh.Server,
 				delete(h.forwards, addr)
 			}
 			h.Unlock()
+			log.Debug(ctx, "unix remote-forward listener removed from cache", slog.F("path", addr))
 			_ = ln.Close()
 		}()
 
@@ -155,6 +170,7 @@ func (h *forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ *ssh.Server,
 			h.log.Warn(ctx, "parse cancel-streamlocal-forward@openssh.com request payload from client", slog.Error(err))
 			return false, nil
 		}
+		log.Debug(ctx, "request to cancel unix remote-forward", slog.F("path", reqPayload.SocketPath))
 		h.Lock()
 		ln, ok := h.forwards[reqPayload.SocketPath]
 		h.Unlock()
 
@@ -8,7 +8,6 @@ import (
 	"net/http/pprof"
 	"net/url"
 	"os"
-	"os/signal"
 	"path/filepath"
 	"runtime"
 	"strconv"
@@ -144,7 +143,7 @@ func (r *RootCmd) workspaceAgent() *clibase.Cmd {
 			// Note that we don't want to handle these signals in the
 			// process that runs as PID 1, that's why we do this after
 			// the reaper forked.
-			ctx, stopNotify := signal.NotifyContext(ctx, InterruptSignals...)
+			ctx, stopNotify := inv.SignalNotifyContext(ctx, InterruptSignals...)
 			defer stopNotify()
 
 			// DumpHandler does signal handling, so we call it after the
 
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/signal"
 	"strings"
 	"unicode"
 
@@ -183,6 +184,9 @@ type Invocation struct {
 	Stdout  io.Writer
 	Stderr  io.Writer
 	Stdin   io.Reader
+
+	// testing
+	signalNotifyContext func(parent context.Context, signals ...os.Signal) (ctx context.Context, stop context.CancelFunc)
 }
 
 // WithOS returns the invocation as a main package, filling in the invocation's unset
@@ -197,6 +201,25 @@ func (inv *Invocation) WithOS() *Invocation {
 	})
 }
 
+// WithTestSignalNotifyContext allows overriding the default implementation of SignalNotifyContext.
+// This should only be used in testing.
+func (inv *Invocation) WithTestSignalNotifyContext(
+	f func(parent context.Context, signals ...os.Signal) (ctx context.Context, stop context.CancelFunc),
+) *Invocation {
+	return inv.with(func(i *Invocation) {
+		i.signalNotifyContext = f
+	})
+}
+
+// SignalNotifyContext is equivalent to signal.NotifyContext, but supports being overridden in
+// tests.
+func (inv *Invocation) SignalNotifyContext(parent context.Context, signals ...os.Signal) (ctx context.Context, stop context.CancelFunc) {
+	if inv.signalNotifyContext == nil {
+		return signal.NotifyContext(parent, signals...)
+	}
+	return inv.signalNotifyContext(parent, signals...)
+}
+
 func (inv *Invocation) Context() context.Context {
 	if inv.ctx == nil {
 		return context.Background()
 
@@ -0,0 +1,59 @@
+package clitest
+
+import (
+	"context"
+	"os"
+	"sync"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type FakeSignalNotifier struct {
+	sync.Mutex
+	t       *testing.T
+	ctx     context.Context
+	cancel  context.CancelFunc
+	signals []os.Signal
+	stopped bool
+}
+
+func NewFakeSignalNotifier(t *testing.T) *FakeSignalNotifier {
+	fsn := &FakeSignalNotifier{t: t}
+	return fsn
+}
+
+func (f *FakeSignalNotifier) Stop() {
+	f.Lock()
+	defer f.Unlock()
+	f.stopped = true
+	if f.cancel == nil {
+		f.t.Error("stopped before started")
+		return
+	}
+	f.cancel()
+}
+
+func (f *FakeSignalNotifier) NotifyContext(parent context.Context, signals ...os.Signal) (ctx context.Context, stop context.CancelFunc) {
+	f.Lock()
+	defer f.Unlock()
+	f.signals = signals
+	f.ctx, f.cancel = context.WithCancel(parent)
+	return f.ctx, f.Stop
+}
+
+func (f *FakeSignalNotifier) Notify() {
+	f.Lock()
+	defer f.Unlock()
+	if f.cancel == nil {
+		f.t.Error("notified before started")
+		return
+	}
+	f.cancel()
+}
+
+func (f *FakeSignalNotifier) AssertStopped() {
+	f.Lock()
+	defer f.Unlock()
+	assert.True(f.t, f.stopped)
+}
@@ -2,7 +2,6 @@ package cli
 
 import (
 	"encoding/json"
-	"os/signal"
 
 	"golang.org/x/xerrors"
 
@@ -63,7 +62,7 @@ fi
 		Handler: func(inv *clibase.Invocation) error {
 			ctx := inv.Context()
 
-			ctx, stop := signal.NotifyContext(ctx, InterruptSignals...)
+			ctx, stop := inv.SignalNotifyContext(ctx, InterruptSignals...)
 			defer stop()
 
 			client, err := r.createAgentClient()
 
@@ -4,7 +4,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"os/signal"
 	"time"
 
 	"golang.org/x/xerrors"
@@ -26,7 +25,7 @@ func (r *RootCmd) gitAskpass() *clibase.Cmd {
 		Handler: func(inv *clibase.Invocation) error {
 			ctx := inv.Context()
 
-			ctx, stop := signal.NotifyContext(ctx, InterruptSignals...)
+			ctx, stop := inv.SignalNotifyContext(ctx, InterruptSignals...)
 			defer stop()
 
 			user, host, err := gitauth.ParseAskpass(inv.Args[0])
 
@@ -8,7 +8,6 @@ import (
 	"io"
 	"os"
 	"os/exec"
-	"os/signal"
 	"path/filepath"
 	"strings"
 
@@ -30,7 +29,7 @@ func (r *RootCmd) gitssh() *clibase.Cmd {
 
 			// Catch interrupt signals to ensure the temporary private
 			// key file is cleaned up on most cases.
-			ctx, stop := signal.NotifyContext(ctx, InterruptSignals...)
+			ctx, stop := inv.SignalNotifyContext(ctx, InterruptSignals...)
 			defer stop()
 
 			// Early check so errors are reported immediately.
 
@@ -22,7 +22,6 @@ import (
 	"net/http/pprof"
 	"net/url"
 	"os"
-	"os/signal"
 	"os/user"
 	"path/filepath"
 	"regexp"
@@ -333,7 +332,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 			//
 			// To get out of a graceful shutdown, the user can send
 			// SIGQUIT with ctrl+\ or SIGKILL with `kill -9`.
-			notifyCtx, notifyStop := signal.NotifyContext(ctx, InterruptSignals...)
+			notifyCtx, notifyStop := inv.SignalNotifyContext(ctx, InterruptSignals...)
 			defer notifyStop()
 
 			cacheDir := vals.CacheDir.String()
@@ -1098,7 +1097,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				logger = logger.Leveled(slog.LevelDebug)
 			}
 
-			ctx, cancel := signal.NotifyContext(ctx, InterruptSignals...)
+			ctx, cancel := inv.SignalNotifyContext(ctx, InterruptSignals...)
 			defer cancel()
 
 			url, closePg, err := startBuiltinPostgres(ctx, cfg, logger)