add "sshproxyctl forget persist"

Author: cyrilst

README.asciidoc

@@ -157,6 +157,8 @@ Version 2 brings a lot of changes to sshproxy:
      `sshproxyctl forget host -all|-host HOST [-port PORT]`
   - `sshproxyctl error_banner` (without any parameter) has been removed and
     replaced by `sshproxyctl forget error_banner`
+  - `sshproxyctl forget persist [-user USER] [-service SERVICE] [-host HOST] [-port PORT]`
+    has been added
 
 Copying
 -------

cmd/sshproxyctl/sshproxyctl.go

@@ -525,6 +525,24 @@ func disableHost(host, port, configFile string) error {
 	return cli.SetHost(key, utils.Disabled, time.Now())
 }
 
+func forgetPersist(user, service, host, port, configFile string) error {
+	cli := mustInitEtcdClient(configFile)
+	defer cli.Close()
+
+	history, err := cli.GetHistory(user, service, host, port)
+	if err != nil {
+		return err
+	}
+
+	for _, kv := range history {
+		err := cli.DelHistory(kv.User)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func setErrorBanner(errorBanner string, expire time.Time, configFile string) error {
 	cli := mustInitEtcdClient(configFile)
 	defer cli.Close()
@@ -598,7 +616,7 @@ The commands are:
   version       show version number and exit
   show          show states present in etcd
   enable        enable a host in etcd
-  forget        forget a host/error_banner in etcd
+  forget        forget a host/error_banner/persist in etcd
   disable       disable a host in etcd
   error_banner  set the error banner in etcd
 
@@ -676,17 +694,22 @@ Enable a previously disabled host in etcd.
 	return fs
 }
 
-func newForgetParser(allFlag *bool, hostString *string, portString *string) *flag.FlagSet {
+func newForgetParser(allFlag *bool, hostString, portString, userString, serviceString *string) *flag.FlagSet {
 	fs := flag.NewFlagSet("forget", flag.ExitOnError)
 	fs.BoolVar(allFlag, "all", false, "forget all hosts present in config")
 	fs.StringVar(hostString, "host", "", "hostname to forget (can be a nodeset)")
 	fs.StringVar(portString, "port", "", "port to forget (can be a nodeset)")
+	fs.StringVar(userString, "user", "", "forget all persistent connections of this user")
+	fs.StringVar(serviceString, "service", "", "forget all persistent connections of this service")
 	fs.Usage = func() {
 		fmt.Fprintf(flag.CommandLine.Output(), `Usage: %s forget COMMAND [OPTIONS]
 
-The commands are:
-  host -all|-host HOST [-port PORT]    forget a host in etcd
-  error_banner                         forget the error_banner in etcd
+The cammands are:
+  host -all|-host HOST [-port PORT]                                  forget a host in etcd
+  error_banner                                                       forget the error_banner in etcd
+  persist [-user USER] [-service SERVICE] [-host HOST] [-port PORT]  forget a persistent connection in etcd
+                                                                       (needs at least one option)
+                                                                       (only connections matching all the options are forgotten)
 
 The options are:
 `, os.Args[0])
@@ -866,13 +889,14 @@ func main() {
 	var sourceString string
 	var hostString string
 	var portString string
+	var serviceString string
 
 	parsers := map[string]*flag.FlagSet{
 		"help":         newHelpParser(),
 		"version":      newVersionParser(),
 		"show":         newShowParser(&csvFlag, &jsonFlag, &allFlag, &userString, &groupsString, &sourceString),
 		"enable":       newEnableParser(&allFlag, &hostString, &portString),
-		"forget":       newForgetParser(&allFlag, &hostString, &portString),
+		"forget":       newForgetParser(&allFlag, &hostString, &portString, &userString, &serviceString),
 		"disable":      newDisableParser(&allFlag, &hostString, &portString),
 		"error_banner": newErrorBannerParser(&expire),
 	}
@@ -977,6 +1001,12 @@ func main() {
 			}
 		case "error_banner":
 			delErrorBanner(*configFile)
+		case "persist":
+			if userString == "" && serviceString == "" && hostString == "" && portString == "" {
+				fmt.Fprintf(os.Stderr, "ERROR: missing '-user', '-service', '-host' or '-port'\n\n")
+				p.Usage()
+			}
+			forgetPersist(userString, serviceString, hostString, portString, *configFile)
 		}
 	case "disable":
 		p := parsers[cmd]

doc/sshproxyctl.txt

@@ -70,6 +70,10 @@ COMMANDS
 *forget error_banner*::
 	Remove the error banner in etcd.
 
+*forget persist [-user USER] [-service SERVICE] [-host HOST] [-port PORT]*::
+	Forget a persistent connection in etcd. Needs at least one option.
+	Only connections matching all the options are forgotten.
+
 *error_banner [-expire EXPIRATION] MESSAGE*::
 	Set the error banner in etcd. 'MESSAGE' can be multiline. The error
 	banner is displayed to the client when no backend can be reached (more

pkg/utils/etcd.go

@@ -20,11 +20,14 @@ import (
 	"fmt"
 	"os"
 	"regexp"
+	"slices"
 	"sort"
 	"strconv"
 	"strings"
 	"time"
 
+	"github.com/cea-hpc/sshproxy/pkg/nodesets"
+
 	"github.com/op/go-logging"
 	"go.etcd.io/etcd/client/v3"
 	"go.uber.org/zap"
@@ -399,6 +402,18 @@ func (c *Client) DelHost(hostport string) error {
 	return nil
 }
 
+// DelHistory deletes a history key (passed as "user@service") in etcd.
+func (c *Client) DelHistory(history string) error {
+	key := toHistoryKey(history)
+	ctx, cancel := context.WithTimeout(context.Background(), c.requestTimeout)
+	_, err := c.cli.Delete(ctx, key, clientv3.WithPrefix())
+	cancel()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 // SetHost sets a host (passed as "host:port") state and last checked time (ts)
 // in etcd.
 func (c *Client) SetHost(hostport string, state State, ts time.Time) error {
@@ -666,7 +681,7 @@ func (c *Client) GetAllHosts() ([]*FlatHost, error) {
 		}
 	}
 
-	history, err := c.GetAllHistory()
+	history, err := c.GetHistory("", "", "", "")
 	if err != nil {
 		return nil, fmt.Errorf("ERROR: getting history from etcd: %v", err)
 	}
@@ -748,7 +763,7 @@ func (c *Client) GetAllUsers(allFlag bool) ([]*FlatUser, error) {
 	}
 
 	if allFlag {
-		history, err := c.GetAllHistory()
+		history, err := c.GetHistory("", "", "", "")
 		if err != nil {
 			return nil, fmt.Errorf("ERROR: getting history from etcd: %v", err)
 		}
@@ -863,36 +878,56 @@ type FlatHistory struct {
 	TTL  int64
 }
 
-// GetAllHistory returns a list of all history keys present in etcd.
-func (c *Client) GetAllHistory() ([]*FlatHistory, error) {
+// GetHistory returns a list of matching history keys present in etcd.
+func (c *Client) GetHistory(user, service, host, port string) ([]*FlatHistory, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), c.requestTimeout)
-	resp, err := c.cli.Get(ctx, etcdHistoryPath, clientv3.WithPrefix(), clientv3.WithSort(clientv3.SortByKey, clientv3.SortAscend))
+	resp, err := c.cli.Get(ctx, etcdHistoryPath+"/"+user, clientv3.WithPrefix(), clientv3.WithSort(clientv3.SortByKey, clientv3.SortAscend))
 	defer cancel()
 	if err != nil {
 		return nil, err
 	}
 
-	history := make([]*FlatHistory, len(resp.Kvs))
-	for i, ev := range resp.Kvs {
+	_, nodesetDlclose, nodesetExpand := nodesets.InitExpander()
+	defer nodesetDlclose()
+	hosts, err := nodesetExpand(host)
+	if err != nil {
+		return nil, err
+	}
+	ports, err := nodesetExpand(port)
+	if err != nil {
+		return nil, err
+	}
+	var history []*FlatHistory
+	for _, ev := range resp.Kvs {
 		subkey := string(ev.Key)[len(etcdHistoryPath)+1:]
 		fields := strings.Split(subkey, "/")
 		if len(fields) != 2 {
 			return nil, fmt.Errorf("bad key format %s", subkey)
 		}
-
-		v := &FlatHistory{}
-		v.User = fields[0]
-		v.Dest = string(ev.Value)
-		leaseID, err := strconv.Atoi(fields[1])
+		evHost, evPort, err := SplitHostPort(string(ev.Value))
 		if err != nil {
 			return nil, err
 		}
-		ttl, err := c.cli.TimeToLive(ctx, clientv3.LeaseID(leaseID))
-		if err != nil {
-			return nil, err
+
+		if (user == "" && service == "" && host == "" && port == "") ||
+			((user == "" || strings.Contains("/"+fields[0], "/"+user+"@")) &&
+				(service == "" || strings.Contains(fields[0]+"/", "@"+service+"/")) &&
+				(host == "" || slices.Contains(hosts, evHost)) &&
+				(port == "" || slices.Contains(ports, evPort))) {
+			v := &FlatHistory{}
+			v.User = fields[0]
+			v.Dest = string(ev.Value)
+			leaseID, err := strconv.Atoi(fields[1])
+			if err != nil {
+				return nil, err
+			}
+			ttl, err := c.cli.TimeToLive(ctx, clientv3.LeaseID(leaseID))
+			if err != nil {
+				return nil, err
+			}
+			v.TTL = ttl.TTL
+			history = append(history, v)
 		}
-		v.TTL = ttl.TTL
-		history[i] = v
 	}
 
 	return history, nil

test/fedora-image/sshproxy_test.go

@@ -170,6 +170,33 @@ func getEtcdConnections() ([]aggConnection, string) {
 	return connections, jsonStr
 }
 
+type aggUser struct {
+	User    string
+	Service string
+	Groups  string
+	N       int
+	BwIn    int
+	BwOut   int
+	Dest    string
+	TTL     int
+}
+
+func getEtcdAllUsers() ([]aggUser, string) {
+	ctx := context.Background()
+	_, stdout, _, err := runCommand(ctx, "ssh", []string{"gateway1", "--", fmt.Sprintf("%s show -json users -all", SSHPROXYCTL)}, nil, nil)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	jsonStr := strings.TrimSpace(string(stdout))
+	var users []aggUser
+	if err := json.Unmarshal(stdout, &users); err != nil {
+		log.Fatal(err)
+	}
+
+	return users, jsonStr
+}
+
 type host struct {
 	Hostname string
 	Port     string
@@ -211,6 +238,11 @@ func forgetHost(host string) error {
 	return err
 }
 
+func forgetPersist() error {
+	_, _, _, err := etcdCommand("forget persist -port 22")
+	return err
+}
+
 type user struct {
 	User    string
 	Group   string
@@ -603,6 +635,33 @@ func TestLongStickyConnections(t *testing.T) {
 	}
 }
 
+func TestForgetPersist(t *testing.T) {
+	updateLineSSHProxyConf("etcd_keyttl", "3600")
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+	args, _ := prepareCommand("gateway1", 2022, "hostname")
+	_, stdout, _, err := runCommand(ctx, "ssh", args, nil, nil)
+	if err != nil {
+		log.Fatal(err)
+	}
+	dest := strings.TrimSpace(string(stdout)) + ":22"
+
+	users, _ := getEtcdAllUsers()
+	if users[0].Dest != dest {
+		t.Errorf("'Persist to' is %s, want %s", users[0].Dest, dest)
+	}
+	err = forgetPersist()
+	if err != nil {
+		log.Fatal(err)
+	}
+	updateLineSSHProxyConf("etcd_keyttl", "0")
+	users, _ = getEtcdAllUsers()
+	if users[0].Dest != "" {
+		t.Errorf("'Persist to' is %s, want empty string", users[0].Dest)
+	}
+}
+
 func TestBalancedConnections(t *testing.T) {
 	// remove old connections stored in etcd
 	time.Sleep(4 * time.Second)