daytonaio · idagelic · Oct 17, 2024 · Oct 1, 2024 · Oct 1, 2024 · Oct 1, 2024
@@ -89,6 +89,23 @@ func GetDocsLinkFromGitProvider(providerId string) string {
 	}
 }
 
+func GetDocsLinkForCommitSigning(providerId string) string {
+	switch providerId {
+	case "github", "github-enterprise-server":
+		return "https://docs.github.com/en/authentication/managing-commit-signature-verification"
+	case "gitlab", "gitlab-self-managed":
+		return "https://docs.gitlab.com/ee/user/project/repository/signed_commits"
+	case "gitea":
+		return "https://docs.gitea.com/administration/signing"
+	case "azure-devops":
+		return "https://learn.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops"
+	case "aws-codecommit":
+		return "https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-ssh-unixes.html"
+	default:
+		return ""
+	}
+}
+
 func GetRequiredScopesFromGitProviderId(providerId string) string {
 	switch providerId {
 	case "github":

@@ -4,12 +4,16 @@
 package config
 
 import (
+	"bytes"
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"regexp"
 	"runtime"
 	"strings"
+
+	log "github.com/sirupsen/logrus"
 )
 
 var sshHomeDir string
@@ -104,7 +108,7 @@ func UnlinkSshFiles() error {
 
 // Add ssh entry
 
-func generateSshConfigEntry(profileId, workspaceId, projectName, knownHostsPath string) (string, error) {
+func generateSshConfigEntry(profileId, workspaceId, projectName, knownHostsPath string, gpgForward bool) (string, error) {
 	daytonaPath, err := os.Executable()
 	if err != nil {
 		return "", err
@@ -118,74 +122,157 @@ func generateSshConfigEntry(profileId, workspaceId, projectName, knownHostsPath
 		tab+"StrictHostKeyChecking no\n"+
 		tab+"UserKnownHostsFile %s\n"+
 		tab+"ProxyCommand \"%s\" ssh-proxy %s %s %s\n"+
-		tab+"ForwardAgent yes\n\n", projectHostname, knownHostsPath, daytonaPath, profileId, workspaceId, projectName)
+		tab+"ForwardAgent yes\n", projectHostname, knownHostsPath, daytonaPath, profileId, workspaceId, projectName)
 
-	return config, nil
-}
+	if gpgForward {
+		localSocket, err := getLocalGPGSocket()
+		if err != nil {
+			log.Warn(err)
+			return config, nil
+		}
 
-func EnsureSshConfigEntryAdded(profileId, workspaceName, projectName string) error {
-	err := ensureSshFilesLinked()
-	if err != nil {
-		return err
-	}
+		remoteSocket, err := getRemoteGPGSocket(projectHostname)
+		if err != nil {
+			log.Warn(err)
+			return config, nil
+		}
 
-	knownHostsFile := "/dev/null"
-	if runtime.GOOS == "windows" {
-		knownHostsFile = "NUL"
+		config += fmt.Sprintf(
+			tab+"StreamLocalBindUnlink yes\n"+
+				tab+"RemoteForward %s:%s\n\n", remoteSocket, localSocket)
+	} else {
+		config += "\n"
 	}
 
-	data, err := generateSshConfigEntry(profileId, workspaceName, projectName, knownHostsFile)
+	return config, nil
+}
+
+func EnsureSshConfigEntryAdded(profileId, workspaceName, projectName string, gpgKey string) error {
+	err := ensureSshFilesLinked()
 	if err != nil {
 		return err
 	}
 
 	sshDir := filepath.Join(sshHomeDir, ".ssh")
 	configPath := filepath.Join(sshDir, "daytona_config")
 
+	knownHostsFile := getKnownHostsFile()
+
 	// Read existing content from the file
 	existingContent, err := os.ReadFile(configPath)
 	if err != nil && !os.IsNotExist(err) {
 		return err
 	}
 
-	if strings.Contains(string(existingContent), data) {
-		return nil
+	// Generate SSH config entry without GPG forwarding
+	newContent, err := appendSshConfigEntry(configPath, profileId, workspaceName, projectName, knownHostsFile, false, string(existingContent))
+	if err != nil {
+		return err
 	}
 
-	// Combine the new data with existing content
-	newData := data + string(existingContent)
+	if gpgKey != "" {
+		// Generate SSH config entry with GPG forwarding and override previous config
+		_, err := appendSshConfigEntry(configPath, profileId, workspaceName, projectName, knownHostsFile, true, newContent)
+		if err != nil {
+			return err
+		}
+		projectHostname := GetProjectHostname(profileId, workspaceName, projectName)
+		err = ExportGPGKey(gpgKey, projectHostname)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func getKnownHostsFile() string {
+	if runtime.GOOS == "windows" {
+		return "NUL"
+	}
+	return "/dev/null"
+}
+
+func appendSshConfigEntry(configPath, profileId, workspaceId, projectName, knownHostsFile string, gpgForward bool, existingContent string) (string, error) {
+	data, err := generateSshConfigEntry(profileId, workspaceId, projectName, knownHostsFile, gpgForward)
+	if err != nil {
+		return "", err
+	}
+
+	if strings.Contains(existingContent, data) {
+		// Entry already exists in the file
+		return existingContent, nil
+	}
+
+	// We want to remove the config entry gpg counterpart
+	configCounterpart, err := generateSshConfigEntry(profileId, workspaceId, projectName, knownHostsFile, !gpgForward)
+	if err != nil {
+		return "", err
+	}
+	updatedContent := strings.ReplaceAll(existingContent, configCounterpart, "")
+	updatedContent = data + updatedContent
 
 	// Open the file for writing
 	file, err := os.Create(configPath)
 	if err != nil {
-		return err
+		return "", err
 	}
 	defer file.Close()
 
-	_, err = file.WriteString(newData)
+	_, err = file.WriteString(updatedContent)
+	return updatedContent, err
+}
+
+func getLocalGPGSocket() (string, error) {
+	// Check if gpg is installed
+	if _, err := exec.LookPath("gpg"); err != nil {
+		return "", fmt.Errorf("gpg is not installed: %v", err)
+	}
+
+	// Attempt to get the local GPG socket
+	cmd := exec.Command("gpgconf", "--list-dir", "agent-extra-socket")
+	output, err := cmd.Output()
 	if err != nil {
-		return err
+		return "", fmt.Errorf("failed to get local GPG socket: %v", err)
 	}
+	return strings.TrimSpace(string(output)), nil
+}
 
-	return nil
+func getRemoteGPGSocket(projectHostname string) (string, error) {
+	cmd := exec.Command("ssh", projectHostname, "gpgconf --list-dir agent-socket")
+	output, err := cmd.Output()
+	if err != nil {
+		return "", fmt.Errorf("failed to get remote GPG socket: %v", err)
+	}
+	return strings.TrimSpace(string(output)), nil
 }
 
-func RemoveWorkspaceSshEntries(profileId, workspaceId string) error {
-	sshDir := filepath.Join(sshHomeDir, ".ssh")
-	configPath := filepath.Join(sshDir, "daytona_config")
+func ExportGPGKey(keyID, projectHostname string) error {
+	exportCmd := exec.Command("gpg", "--export", keyID)
+	var output bytes.Buffer
+	exportCmd.Stdout = &output
 
-	// Read existing content from the file
-	existingContent, err := os.ReadFile(configPath)
-	if err != nil && !os.IsNotExist(err) {
-		return nil
+	if err := exportCmd.Run(); err != nil {
+		return err
 	}
 
-	regex := regexp.MustCompile(fmt.Sprintf(`Host %s-%s-\w+\n(?:\t.*\n?)*`, profileId, workspaceId))
-	newContent := regex.ReplaceAllString(string(existingContent), "")
+	importCmd := exec.Command("ssh", projectHostname, "gpg --import")
+	importCmd.Stdin = &output
+
+	return importCmd.Run()
+}
+
+func readSshConfig(configPath string) (string, error) {
+	content, err := os.ReadFile(configPath)
+	if err != nil && !os.IsNotExist(err) {
+		return "", err
+	}
+	return string(content), nil
+}
 
+func writeSshConfig(configPath, newContent string) error {
 	newContent = strings.Trim(newContent, "\n")
 
-	// Open the file for writing
 	file, err := os.Create(configPath)
 	if err != nil {
 		return err
@@ -196,6 +283,31 @@ func RemoveWorkspaceSshEntries(profileId, workspaceId string) error {
 	if err != nil {
 		return err
 	}
+	return nil
+}
+
+// RemoveWorkspaceSshEntries removes all SSH entries for a given profileId and workspaceId
+func RemoveWorkspaceSshEntries(profileId, workspaceId string) error {
+	sshDir := filepath.Join(os.Getenv("HOME"), ".ssh")
+	configPath := filepath.Join(sshDir, "daytona_config")
+
+	// Read existing content from the SSH config file
+	existingContent, err := readSshConfig(configPath)
+	if err != nil {
+		return err
+	}
+
+	// Define the regex pattern to match Host entries for the given profileId and workspaceId
+	regex := regexp.MustCompile(fmt.Sprintf(`Host %s-%s-\w+\s*\n(?:\t.*\n?)*`, profileId, workspaceId))
+
+	// Replace matched entries with an empty string
+	newContent := regex.ReplaceAllString(existingContent, "")
+
+	// Write the updated content back to the config file
+	err = writeSshConfig(configPath, newContent)
+	if err != nil {
+		return err
+	}
 
 	return nil
 }

@@ -31,8 +31,8 @@ func (m *MockGitService) RepositoryExists() (bool, error) {
 	return args.Bool(0), args.Error(1)
 }
 
-func (m *MockGitService) SetGitConfig(userData *gitprovider.GitUser) error {
-	args := m.Called(userData)
+func (m *MockGitService) SetGitConfig(userData *gitprovider.GitUser, providerConfig *gitprovider.GitProviderConfig) error {
+	args := m.Called(userData, providerConfig)
 	return args.Error(0)
 }
 

@@ -11,8 +11,8 @@ import (
 	"github.com/daytonaio/daytona/cmd/daytona/config"
 )
 
-func GetHomeDir(activeProfile config.Profile, workspaceId string, projectName string) (string, error) {
-	err := config.EnsureSshConfigEntryAdded(activeProfile.Id, workspaceId, projectName)
+func GetHomeDir(activeProfile config.Profile, workspaceId string, projectName string, gpgKey string) (string, error) {
+	err := config.EnsureSshConfigEntryAdded(activeProfile.Id, workspaceId, projectName, gpgKey)
 	if err != nil {
 		return "", err
 	}
@@ -27,8 +27,8 @@ func GetHomeDir(activeProfile config.Profile, workspaceId string, projectName st
 	return strings.TrimRight(string(homeDir), "\n"), nil
 }
 
-func GetProjectDir(activeProfile config.Profile, workspaceId string, projectName string) (string, error) {
-	err := config.EnsureSshConfigEntryAdded(activeProfile.Id, workspaceId, projectName)
+func GetProjectDir(activeProfile config.Profile, workspaceId string, projectName string, gpgKey string) (string, error) {
+	err := config.EnsureSshConfigEntryAdded(activeProfile.Id, workspaceId, projectName, gpgKey)
 	if err != nil {
 		return "", err
 	}
@@ -44,7 +44,7 @@ func GetProjectDir(activeProfile config.Profile, workspaceId string, projectName
 		return strings.TrimRight(string(daytonaProjectDir), "\n"), nil
 	}
 
-	homeDir, err := GetHomeDir(activeProfile, workspaceId, projectName)
+	homeDir, err := GetHomeDir(activeProfile, workspaceId, projectName, gpgKey)
 	if err != nil {
 		return "", err
 	}

@@ -112,7 +112,14 @@ func (a *Agent) startProjectMode() error {
 		}
 	}
 
-	err = a.Git.SetGitConfig(gitUser)
+	var providerConfig *gitprovider.GitProviderConfig
+	if gitProvider != nil {
+		providerConfig = &gitprovider.GitProviderConfig{
+			SigningMethod: (*gitprovider.SigningMethod)(gitProvider.SigningMethod),
+			SigningKey:    gitProvider.SigningKey,
+		}
+	}
+	err = a.Git.SetGitConfig(gitUser, providerConfig)
 	if err != nil {
 		log.Error(fmt.Sprintf("failed to set git config: %s", err))
 	}

@@ -75,7 +75,7 @@ func TestAgent(t *testing.T) {
 
 	mockGitService := mock_git.NewMockGitService()
 	mockGitService.On("RepositoryExists").Return(true, nil)
-	mockGitService.On("SetGitConfig", mock.Anything).Return(nil)
+	mockGitService.On("SetGitConfig", mock.Anything, mock.Anything).Return(nil)
 	mockGitService.On("GetGitStatus").Return(gitStatus1, nil)
 
 	mockSshServer := mocks.NewMockSshServer()

@@ -3,15 +3,21 @@
 
 package dto
 
+import (
+	"github.com/daytonaio/daytona/pkg/gitprovider"
+)
+
 type RepositoryUrl struct {
 	URL string `json:"url" validate:"required"`
 } // @name RepositoryUrl
 
 type SetGitProviderConfig struct {
-	Id         string  `json:"id" validate:"optional"`
-	ProviderId string  `json:"providerId" validate:"required"`
-	Username   *string `json:"username,omitempty" validate:"optional"`
-	Token      string  `json:"token" validate:"required"`
-	BaseApiUrl *string `json:"baseApiUrl,omitempty" validate:"optional"`
-	Alias      *string `json:"alias,omitempty" validate:"optional"`
+	Id            string                     `json:"id" validate:"optional"`
+	ProviderId    string                     `json:"providerId" validate:"required"`
+	Username      *string                    `json:"username,omitempty" validate:"optional"`
+	Token         string                     `json:"token" validate:"required"`
+	BaseApiUrl    *string                    `json:"baseApiUrl,omitempty" validate:"optional"`
+	Alias         *string                    `json:"alias,omitempty" validate:"optional"`
+	SigningKey    *string                    `json:"signingKey,omitempty" validate:"optional"`
+	SigningMethod *gitprovider.SigningMethod `json:"signingMethod,omitempty" validate:"optional"`
 } // @name SetGitProviderConfig