Proto commits in tg123/sshpiper

These 31 commits are when the Protocol Buffers files have changed:

Commit:c4ee673
Author:Copilot
Committer:GitHub

Add `CreateConn` plugin callback to let plugins create the upstream `net.Conn` (#737) * Initial plan * feat: add plugin create-conn callback plumbing Co-authored-by: tg123 <170430+tg123@users.noreply.github.com> * feat: let CreateConn plugin callback create the upstream net.Conn * test(e2e): add CreateConn plugin that owns upstream connection creation * test(e2e): drop rpcclient from CreateConn plugin, prove via bogus upstream * test(e2e): return testplugin://{guid} uri and verify guid in CreateConnCallback * refactor: move streamconn net.Conn adapter to libplugin/connovergrpc with unit tests * fix(lint): use compile-time interface assertion to satisfy staticcheck QF1011 * refactor: move ConnMessage proto into connovergrpc, import from plugin.proto * Apply remaining changes * Remove streamconn.go wrapper, call connovergrpc directly * Use io.Reader/io.Writer instead of custom Stream interface * Move CreateConn RPC into self-contained connovergrpc service * test: close both net.Pipe ends in connovergrpc tests * Refactor connection handling in plugin - Removed CreateConnRequest message from plugin.proto as it is no longer needed. - Updated SshPiperPluginConfig to use a new CreateConnCallback signature. - Simplified server implementation by removing createConn method and directly using the new callback. - Deleted associated unit tests for createConn functionality as it has been removed. * Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * refactor: enhance connection handling and error management in gRPC plugin * refactor: assign to outer addr in dialUpstream Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: drop redundant nil check, guard nil conn, copy Write buf, set server-side RemoteAddr Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: close underlying rw, serialize Read/Write, gRPC status on EOF - conn.Close: close underlying io.ReadWriter if it implements io.Closer - packetReadWriter: separate readMu/writeMu so concurrent Read+Write is safe but concurrent Send-Send / Recv-Recv into the gRPC stream is serialized (gRPC streams do not support concurrent Send or Recv) - ServeCreateConn: map EOF before DialRequest to InvalidArgument Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * perf: reuse Write copy buffers via sync.Pool A 4 KiB Write benchmark drops from 1090 ns/op + 4184 B/op + 3 allocs to 76 ns/op + 88 B/op + 2 allocs (14x faster, 47x less memory). Buffers are safely returned to the pool after stream.Send returns because the default proto codec marshals the Data bytes field into its own wire buffer synchronously inside SendMsg, so the caller-supplied slice is not referenced once Send returns. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * perf: cap pooled Write buffer at 64 KiB to avoid retaining huge slices A single pathological Write could otherwise grow the pooled backing array unboundedly and pin that capacity indefinitely (or be used as a memory-DoS vector by a peer sending one giant frame). Drop buffers larger than 64 KiB so the runtime can GC them; SSH max packet is 32 KiB so well-behaved traffic stays inside the pool. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: improve byte tunneling logic in ServeCreateConn to prevent deadlocks * fix: optimize buffer management in Write and improve goroutine handling in ServeCreateConn * test: enhance error handling in ServeCreateConn and CreateConn tests --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tg123 <170430+tg123@users.noreply.github.com> Co-authored-by: Boshi Lian <farmer1992@gmail.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Commit:2bce3ed
Author:Boshi Lian

Refactor connection handling in plugin - Removed CreateConnRequest message from plugin.proto as it is no longer needed. - Updated SshPiperPluginConfig to use a new CreateConnCallback signature. - Simplified server implementation by removing createConn method and directly using the new callback. - Deleted associated unit tests for createConn functionality as it has been removed.

Commit:95dbeb8
Author:copilot-swe-agent[bot]
Committer:GitHub

Move CreateConn RPC into self-contained connovergrpc service

Commit:c036141
Author:copilot-swe-agent[bot]
Committer:GitHub

refactor: move ConnMessage proto into connovergrpc, import from plugin.proto

Commit:1b5382d
Author:copilot-swe-agent[bot]
Committer:GitHub

Merge remote-tracking branch 'origin/master' into copilot/add-api-create-conn-plugin # Conflicts: # cmd/sshpiperd/internal/plugin/grpc.go # libplugin/plugin.pb.go # libplugin/plugin_grpc.pb.go

Commit:2615576
Author:copilot-swe-agent[bot]
Committer:GitHub

feat: let CreateConn plugin callback create the upstream net.Conn

Commit:de356a9
Author:Boshi Lian
Committer:GitHub

feat: env injection on upstream session (#791) * feat: add environment variable injection support for upstream connections - Updated PluginConnMeta to include an Env field for environment variables. - Modified the GrpcPlugin to handle environment variables during connection setup. - Enhanced the Lua plugin to allow specifying environment variables in the upstream configuration. - Added tests to verify the correct handling of environment variables in Lua scripts. - Updated protobuf definitions to include the new Env field in the Upstream message. - Adjusted Docker Compose configuration to accept environment variables. * chore: bump sshpiper.crypto to v0.53.0-sshpiper-20260612 Includes the WriteUpstreamPacket / WriteDownstreamPacket methods on PiperConn that the env-injection hook depends on. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * refactor: replace mu+plain maps with sync.Map in envInjector * refactor: remove unused upstream hook and simplify envInjector logic * style: gofumpt Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * feat: add --inject-env flag for daemon-wide env injection into all upstream sessions * feat: add support for environment variable injection in upstream sessions * fix: correct environment variable handling in upstream session metadata * refactor: enhance envInjector to inject environment variables per channel request * test: add unit test to reject malformed channel-request framing --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Commit:0d5140b
Author:copilot-swe-agent[bot]
Committer:GitHub

Drop unrelated changes, keep only kind version bump

Commit:3bc91f0
Author:Boshi Lian

feat: add environment variable injection support for upstream connections - Updated PluginConnMeta to include an Env field for environment variables. - Modified the GrpcPlugin to handle environment variables during connection setup. - Enhanced the Lua plugin to allow specifying environment variables in the upstream configuration. - Added tests to verify the correct handling of environment variables in Lua scripts. - Updated protobuf definitions to include the new Env field in the Upstream message. - Adjusted Docker Compose configuration to accept environment variables.

Commit:af1ba1b
Author:Boshi Lian
Committer:GitHub

plugin: drop dependency on the sshpiper crypto fork (#786) * ci: verify libplugin/ and plugin/ build against upstream crypto/ssh Adds scripts/verify-plugin-upstream-crypto.sh plus a GitHub Actions workflow that strips the crypto-fork `replace` directive from a copy of go.mod and rebuilds + retests every package under libplugin/ and plugin/ against vanilla upstream golang.org/x/crypto. This locks in the property that plugin authors never need the sshpiper crypto fork to write or compile plugins: only the sshpiperd daemon binary depends on forked APIs. While wiring this up, fixes libplugin/skel.VerifyHostKeyFromKnownHosts to use the upstream knownhosts.New(filename) API by spooling the io.Reader to a temp file. The previous implementation depended on knownhosts.NewFromReader, which exists only in the fork. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * plugin: move known_hosts verification from plugin to daemon The libplugin skel previously called knownhosts.NewFromReader (a fork-only API) inside SkelPlugin.VerifyHostKeyCallback to verify upstream host keys plugin-side, which required the sshpiper crypto fork even though plugins should be able to build against upstream golang.org/x/crypto. Add two optional fields to libplugin.Upstream: bytes known_hosts_data string known_hosts_file When either is set, the daemon performs the verification itself using upstream knownhosts.New and the VerifyHostKey RPC is bypassed. Skel now populates KnownHostsData directly from SkelPipeTo.KnownHosts when constructing the Upstream, instead of registering a per-plugin VerifyHostKeyCallback that called the fork-only helper. This also removes the now-unneeded per-connection RPC round-trip and the cache of SkelPipeTo entries. VerifyHostKeyCallback on SshPiperPluginConfig is preserved as the fallback path for plugins (e.g. lua) that want fully custom host key logic via the existing VerifyHostKey RPC. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * plugin: use forked knownhosts.NewFromReader in daemon The PR's goal is to keep plugin/* on upstream golang.org/x/crypto; sshpiperd itself still uses the fork, so when receiving raw known_hosts bytes from a plugin it can call the fork-only knownhosts.NewFromReader directly instead of spooling to a tempfile. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * plugin: update host key verification logic and deprecate legacy fields * plugin: address review feedback and add host key e2e cases - script: use 'go mod edit -dropreplace' instead of sed-based replace removal so single-line and replace-block forms both work - plugin.proto: clarify that known_hosts_data is the preferred mechanism and the VerifyHostKey RPC stays supported for backwards compatibility - skel_test: rename TestVerifyHostKeyCallbackSucceedsWithMatchingKey and TestVerifyHostKeyFailsOnKnownHostsError to reflect that they now exercise PasswordCallback propagation of known_hosts data/errors - e2e/yaml: add host_key_mismatch subtest that wires a wrong known_hosts_data entry and asserts the daemon refuses the connection Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * plugin: simplify known hosts data retrieval in createUpstream * Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * plugin: add unit tests for buildHostKeyCallback Covers all branches: - empty known_hosts_data falls back to InsecureIgnoreHostKey - known_hosts_data with matching/mismatched/malformed bytes - VerifyHostKey RPC verified / rejected / error paths - RPC callback takes precedence over known_hosts_data Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * plugin: remove dead p.cache and add nolint for legacy ignore_host_key - skel: drop SkelPlugin.cache, NewSkelPlugin no longer needs go-cache or time; the field was a write-only leftover from the removed VerifyHostKeyCallback path - grpc + lua: silence staticcheck SA1019 on intentional reads/writes of the deprecated IgnoreHostKey field that stay for back-compat Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * plugin: drop ignore_host_key handling, use empty known_hosts_data instead - daemon: remove the backward-compat shim that honored upstream.GetIgnoreHostKey - lua: stop writing the deprecated IgnoreHostKey field; the script-level ignore_hostkey key is now a no-op (default empty known_hosts_data already disables verification) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * lua: drop ignore_hostkey field from upstream table (breaking change) The field is no longer read; leave known_hosts_data unset to skip host key verification. Strip the now-noise field from test/e2e scripts. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * plugins: drop ignore_hostkey across all in-tree plugins (breaking change) Remove the IgnoreHostKey method from the SkelPipeTo interface and from every in-tree implementer. With this change the sole source of truth for upstream host key verification is known_hosts_data: leave it empty to skip, populate it to enforce. - libplugin/skel: drop IgnoreHostKey from SkelPipeTo - plugin/yaml, plugin/kubernetes: drop ignore_hostkey config field (also schema/crd/sample/README updates) - plugin/docker, plugin/workingdir: drop IgnoreHostKey wrapper; gate KnownHosts on the existing settings instead - plugin/fixed, plugin/username-router: stop setting the deprecated Upstream.IgnoreHostKey proto field - plugin/lua: drop ignore_hostkey from examples + README Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * e2e: drop ignore_hostkey from workload + yaml fixtures Strict CRD decoding rejects the now-removed field; remove it from the test manifests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * k8s: keep ignore_hostkey in CRD as deprecated for back-compat Strict server-side decoding rejects unknown fields; mark the schema property deprecated:true so old Pipe manifests still apply (with a kubectl warning) while the controller silently ignores the value (field removed from Go types). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * k8s: drop unsupported 'deprecated' field from CRD schema apiextensions.k8s.io/v1 JSONSchemaProps does not allow the 'deprecated' keyword; the description alone is enough to flag the field while still accepting it under strict server-side decoding. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * lua: support known_hosts_data in upstream table + e2e coverage - plugin/lua: parseUpstreamTable now reads the optional known_hosts_data string and propagates it to Upstream.KnownHostsData - plugin/lua: unit tests for valid + invalid (non-string) known_hosts_data - e2e: new lua subtests verify_hostkey_accepts, known_hosts_data_succeeds, and known_hosts_data_mismatch exercise both the VerifyHostKey RPC and the known_hosts_data daemon-side verification paths end-to-end Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs+comments: clarify upstream host-key default and lua precedence - plugin/yaml/README.md: state explicitly that omitting known_hosts / known_hosts_data disables upstream host key verification - plugin/lua/README.md: document new known_hosts_data field plus the RPC > known_hosts_data > skip precedence - plugin/lua/lua.go: clarify the same precedence in the parser comment - cmd/sshpiperd/internal/plugin/grpc_test.go: note that nil embedded interface panics on any non-VerifyHostKey method call Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * build: scope forked crypto to cmd/sshpiperd via nested go.mod Split the repository into two Go modules so the forked golang.org/x/crypto (carrying sshpiper's PiperConfig/PiperConn API) only links into the sshpiperd daemon binary: - Root module github.com/tg123/sshpiper now uses upstream golang.org/x/crypto with no replace directive. libplugin, libadmin, all plugin/* binaries, sshpiperd-admin and sshpiperd-webadmin build against upstream and cannot reach fork-only symbols. - New nested module github.com/tg123/sshpiper/cmd/sshpiperd contains the daemon and carries 'replace golang.org/x/crypto => ../../crypto' plus 'replace github.com/tg123/sshpiper => ../..'. The daemon transitively recompiles libplugin/libadmin against the fork in its own build graph (per-build MVS), keeping the two artifacts internally consistent. The structural split makes the verify-plugin-upstream-crypto CI script redundant — accidental fork-API use from plugins now fails at compile time — so the workflow and helper script are deleted. Build pipeline updates: - Dockerfile builds admin/webadmin/plugins from root, daemon from cmd/sshpiperd via a subshell cd. - .goreleaser.yaml adds 'dir: ./cmd/sshpiperd' to the sshpiperd and snaplauncher builds and tidies both modules in the before-hooks. - test.yml runs go test and golangci-lint for each module separately. - go.work is added to .gitignore (alongside the existing entry for go.work.sum). A committed workspace would re-apply the daemon's replace to root builds and defeat the isolation; developers who want workspace mode locally can opt in. - copilot-instructions.md updated to document the two-module layout and per-module commands. Validated locally: gofumpt clean, golangci-lint clean for both modules, go test -race passes for both modules and crypto/ssh, goreleaser --snapshot succeeds, docker build produces a working image with all four binaries, full e2e suite passes. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * plugin: warn when host key verification is skipped Emit a logrus warning whenever buildHostKeyCallback falls into the InsecureIgnoreHostKey() branch (no VerifyHostKey callback advertised and empty known_hosts_data). This makes operators aware that the upstream is being trusted without verification, which was previously silent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Commit:b2738a7
Author:Copilot
Committer:GitHub

Admin gRPC API on sshpiperd (with TLS/mTLS) + sshpiperd-webadmin aggregator (#770) * add admin gRPC API on sshpiperd and sshpiperd-webadmin aggregator Agent-Logs-Url: https://github.com/tg123/sshpiper/sessions/8b8ac43a-7c19-46cb-b3f4-f75abf1d6cac Co-authored-by: tg123 <170430+tg123@users.noreply.github.com> * fix: improve session path parsing to handle percent-encoded instance IDs * feat: integrate xterm.js for terminal emulation and add copy functionality * feat: add web admin console demo with docker-compose setup * add TLS auth to admin gRPC; require --admin-grpc-insecure to opt out Agent-Logs-Url: https://github.com/tg123/sshpiper/sessions/241f27b5-c862-40c3-80be-fae2d1f796b3 Co-authored-by: tg123 <170430+tg123@users.noreply.github.com> * address remaining reviewer comments: replay flag, gRPC status codes, sorted List, parseSessionPath, regex, doc/comment fixes, aggregator dup IDs, streamhook fast-path, cert/key validation Agent-Logs-Url: https://github.com/tg123/sshpiper/sessions/40507891-946f-4e82-b2f0-5d50e54efd30 Co-authored-by: tg123 <170430+tg123@users.noreply.github.com> * add e2e admin gRPC test + ship sshpiperd-webadmin in full image and release archives Agent-Logs-Url: https://github.com/tg123/sshpiper/sessions/9e520a2f-e27e-4610-b332-980f5c6bea87 Co-authored-by: tg123 <170430+tg123@users.noreply.github.com> * e2e admin test: use upstream-accepted user; identify session by diff against pre-existing IDs Agent-Logs-Url: https://github.com/tg123/sshpiper/sessions/3a885a7d-2982-407f-bc4e-67257c4a6acf Co-authored-by: tg123 <170430+tg123@users.noreply.github.com> * e2e: cover admin StreamSession (live frames + NotFound after kill) Agent-Logs-Url: https://github.com/tg123/sshpiper/sessions/52ef0008-67fa-41cf-859f-8335d64f207b Co-authored-by: tg123 <170430+tg123@users.noreply.github.com> * e2e: drop unnecessary nil check around range (lint S1031) Agent-Logs-Url: https://github.com/tg123/sshpiper/sessions/954248a3-471a-40f3-a05e-3f00f199cd11 Co-authored-by: tg123 <170430+tg123@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tg123 <170430+tg123@users.noreply.github.com> Co-authored-by: Boshi Lian <farmer1992@gmail.com>

Commit:95fe302
Author:copilot-swe-agent[bot]

feat: add plugin create-conn callback plumbing Co-authored-by: tg123 <170430+tg123@users.noreply.github.com>

Commit:7fdd889
Author:Boshi Lian
Committer:GitHub

introduce uri for flexable upstream conn (#615) * Deprecate host and port fields in Upstream message; introduce uri field for connection details * Update libplugin/plugin.proto Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * refactor(grpc): streamline upstream connection handling and add GetOrGenerateUri method * refactor(libplugin): update GetOrGenerateUri to return error and add IPv6 test * refactor(libplugin): simplify GetOrGenerateUri to remove error return and update tests * Update cmd/sshpiperd/internal/plugin/grpc.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

The documentation is generated from this commit.

Commit:9ab4f68
Author:Boshi Lian
Committer:GitHub

Update libplugin/plugin.proto Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

The documentation is generated from this commit.

Commit:c9ead59
Author:Boshi Lian

Deprecate host and port fields in Upstream message; introduce uri field for connection details

Commit:23e18f4
Author:Boshi Lian
Committer:GitHub

merge totp to workingdir (#476) * merge totp to workingdir * Refactor .goreleaser.yaml to remove plugin_totp build configuration

Commit:0e6168a
Author:Boshi Lian
Committer:GitHub

Refactor plugin.proto and pluginbase.go to add support for metadata in connection context (#475) * Refactor plugin.proto and pluginbase.go to add support for metadata in connection context * go fmt * move test plugin out * Refactor Dockerfile to build test plugin in e2e/testplugin directory * mv testplugin -> testgrpcplugin * add test for connection metadata * enable logging to stdout * Refactor Dockerfile to build test plugin in e2e/testplugin directory

Commit:9fee039
Author:Boshi Lian
Committer:GitHub

Add PipeCreateErrorCallback to handle pipe creation errors (#290) * Add PipeCreateErrorCallback to handle pipe creation errors * Add test for FailtobanPipeCreateFail * Fix missing newline at end of file in pluginbase.go

Commit:13fcc8c
Author:Matthew Atkinson
Committer:GitHub

Add support for using CA certs for upstream ssh connection (#210)

Commit:1cd6cd8
Author:Boshi Lian
Committer:GitHub

add callback for pipe start and pipe err (#145) * add onstart onerr cb * cover by e2e * add missing plugin * happy lint

Commit:319824e
Author:Boshi Lian
Committer:Boshi Lian

align log level across plugins happy lint happy lint

Commit:3047473
Author:Boshi Lian

impl hostkey verify for working dir

Commit:17f558a
Author:Boshi Lian
Committer:Boshi Lian

remove old dir

Commit:dbef31d
Author:Boshi Lian
Committer:Boshi Lian

libplugin

Commit:da6c47e
Author:Boshi Lian
Committer:Boshi Lian

add hostkey api

Commit:e6d5eb5
Author:Boshi Lian

Squashed commit of the following: commit 0af98df2e4d41989c451573a17e81c1f69998cfd Author: Boshi Lian <farmer1992@gmail.com> Date: Sun Oct 3 18:55:59 2021 +0000 add a working remote grpc server commit a0acce4894fc9191ddb4c14f5cc669bca63bd920 Author: Boshi Lian <farmer1992@gmail.com> Date: Tue Sep 28 11:33:40 2021 +0000 init grpc

Commit:8fbbc0d
Author:Boshi Lian

dep 0.5 prune

This commit does not contain any .proto files.

Commit:94023fd
Author:Boshi Lian

dep prune

Commit:d4c96ea
Author:Boshi Lian

add mssql support

Commit:1c1a142
Author:Boshi Lian

introduce az lib

Commit:ea9357f
Author:Boshi Lian
Committer:Boshi Lian

Add more database support (#19) * mysql * sqlite * pg