Fix cloning from new host via ssh by prompting for confirmation (#1408)

* Cloning from new host via ssh causes spurious error rather than prompting for confirmation and succeeding

* Using strip instead replace

* Modifying the Add Hosts messages and running prettier

* Running lint+prettier and adding autorized decorator to the SSH API Handler

* changing from subprocess.call to subprocess.check_call for better flow control

Author: jesuino

jupyterlab_git/handlers.py

@@ -14,6 +14,7 @@
 from jupyter_server.services.contents.manager import ContentsManager
 from jupyter_server.utils import ensure_async, url2path, url_path_join
 from packaging.version import parse
+from jupyter_server.auth.decorator import authorized
 
 try:
     import hybridcontents
@@ -24,10 +25,26 @@
 from .git import DEFAULT_REMOTE_NAME, Git, RebaseAction
 from .log import get_logger
 
+from .ssh import SSH
+
 # Git configuration options exposed through the REST API
 ALLOWED_OPTIONS = ["user.name", "user.email"]
 # REST API namespace
 NAMESPACE = "/git"
+# SSH Auth Resource to be authorized
+SSH_AUTH_RESOURCE = "ssh"
+
+
+class SSHHandler(APIHandler):
+    """
+    Top-level parent class for SSH actions
+    """
+
+    auth_resource = SSH_AUTH_RESOURCE
+
+    @property
+    def ssh(self) -> SSH:
+        return SSH()
 
 
 class GitHandler(APIHandler):
@@ -1096,6 +1113,30 @@ async def get(self, path: str = ""):
         self.finish(json.dumps(result))
 
 
+class SshHostHandler(SSHHandler):
+    """
+    Handler for checking if a host is known by SSH
+    """
+
+    @authorized
+    @tornado.web.authenticated
+    async def get(self):
+        """
+        GET request handler, check if the host is known by SSH
+        """
+        hostname = self.get_query_argument("hostname")
+        is_known_host = self.ssh.is_known_host(hostname)
+        self.set_status(200)
+        self.finish(json.dumps(is_known_host))
+
+    @authorized
+    @tornado.web.authenticated
+    async def post(self):
+        data = self.get_json_body()
+        hostname = data["hostname"]
+        self.ssh.add_host(hostname)
+
+
 def setup_handlers(web_app):
     """
     Setups all of the git command handlers.
@@ -1146,6 +1187,7 @@ def setup_handlers(web_app):
     handlers = [
         ("/diffnotebook", GitDiffNotebookHandler),
         ("/settings", GitSettingsHandler),
+        ("/known_hosts", SshHostHandler),
     ]
 
     # add the baseurl to our paths

jupyterlab_git/ssh.py

@@ -0,0 +1,49 @@
+"""
+Module for executing SSH commands
+"""
+
+import re
+import subprocess
+import shutil
+from .log import get_logger
+from pathlib import Path
+
+GIT_SSH_HOST = re.compile(r"git@(.+):.+")
+
+
+class SSH:
+    """
+    A class to perform ssh actions
+    """
+
+    def is_known_host(self, hostname):
+        """
+        Check if the provided hostname is a known one
+        """
+        cmd = ["ssh-keygen", "-F", hostname.strip()]
+        try:
+            subprocess.check_call(
+                cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL
+            )
+        except Exception as e:
+            get_logger().debug("Error verifying host using ssh-keygen command")
+            return False
+        else:
+            return True
+
+    def add_host(self, hostname):
+        """
+        Add the host to the known_hosts file
+        """
+        get_logger().debug(f"adding host to the known hosts file {hostname}")
+        try:
+            result = subprocess.run(
+                ["ssh-keyscan", hostname], capture_output=True, text=True, check=True
+            )
+            known_hosts_file = f"{Path.home()}/.ssh/known_hosts"
+            with open(known_hosts_file, "a") as f:
+                f.write(result.stdout)
+            get_logger().debug(f"Added {hostname} to known hosts.")
+        except Exception as e:
+            get_logger().error(f"Failed to add host: {e}.")
+            raise e

src/cloneCommand.tsx

@@ -63,6 +63,30 @@ export const gitCloneCommandPlugin: JupyterFrontEndPlugin<void> = {
           const id = Notification.emit(trans.__('Cloning…'), 'in-progress', {
             autoClose: false
           });
+          const url = decodeURIComponent(result.value.url);
+          const hostnameMatch = url.match(/git@(.+):.+/);
+
+          if (hostnameMatch && hostnameMatch.length > 1) {
+            const hostname = hostnameMatch[1];
+            const isKnownHost = await gitModel.checkKnownHost(hostname);
+            if (!isKnownHost) {
+              const result = await showDialog({
+                title: trans.__('Unknown Host'),
+                body: trans.__(
+                  'The host %1 is not known. Would you like to add it to the known_hosts file?',
+                  hostname
+                ),
+                buttons: [
+                  Dialog.cancelButton({ label: trans.__('Cancel') }),
+                  Dialog.okButton({ label: trans.__('OK') })
+                ]
+              });
+              if (result.button.accept) {
+                await gitModel.addHostToKnownList(hostname);
+              }
+            }
+          }
+
           try {
             const details = await showGitOperationDialog<IGitCloneArgs>(
               gitModel as GitExtension,

src/model.ts

@@ -2012,6 +2012,50 @@ export class GitExtension implements IGitExtension {
     }
   }
 
+  /**
+   * Checks if the hostname is a known host
+   *
+   * @param hostname - the host name to be checked
+   * @returns A boolean indicating that the host is a known one
+   *
+   * @throws {ServerConnection.NetworkError} If the request cannot be made
+   */
+  async checkKnownHost(hostname: string): Promise<boolean> {
+    try {
+      return await this._taskHandler.execute<boolean>(
+        'git:checkHost',
+        async () => {
+          return await requestAPI<boolean>(
+            `known_hosts?hostname=${hostname}`,
+            'GET'
+          );
+        }
+      );
+    } catch (error) {
+      console.error('Failed to check host: ' + error);
+      // just ignore the host check
+      return true;
+    }
+  }
+
+  /**
+   * Adds a hostname to the list of known host files
+   * @param hostname - the hostname to be added
+   * @throws {ServerConnection.NetworkError} If the request cannot be made
+   */
+  async addHostToKnownList(hostname: string): Promise<void> {
+    try {
+      await this._taskHandler.execute<boolean>('git:addHost', async () => {
+        return await requestAPI<boolean>('known_hosts', 'POST', {
+          hostname: hostname
+        });
+      });
+    } catch (error) {
+      console.error('Failed to add hostname to the list of known hosts');
+      console.debug(error);
+    }
+  }
+
   /**
    * Make request for a list of all git branches in the repository
    * Retrieve a list of repository branches.

src/tokens.ts

@@ -628,6 +628,23 @@ export interface IGitExtension extends IDisposable {
    */
   revertCommit(message: string, hash: string): Promise<void>;
 
+  /**
+   * Checks if the hostname is a known host
+   *
+   * @param hostname - the host name to be checked
+   * @returns A boolean indicating that the host is a known one
+   *
+   * @throws {ServerConnection.NetworkError} If the request cannot be made
+   */
+  checkKnownHost(hostname: string): Promise<boolean>;
+
+  /**
+   * Adds a hostname to the list of known host files
+   * @param hostname - the hostname to be added
+   * @throws {ServerConnection.NetworkError} If the request cannot be made
+   */
+  addHostToKnownList(hostname: string): Promise<void>;
+
   /**
    * Get the prefix path of a directory 'path',
    * with respect to the root directory of repository