1use std::path::{Path, PathBuf};
  2use std::time::Duration;
  3
  4#[cfg(unix)]
  5use anyhow::Context as _;
  6use futures::channel::{mpsc, oneshot};
  7#[cfg(unix)]
  8use futures::{AsyncBufReadExt as _, io::BufReader};
  9#[cfg(unix)]
 10use futures::{AsyncWriteExt as _, FutureExt as _, select_biased};
 11use futures::{SinkExt, StreamExt};
 12use gpui::{AsyncApp, BackgroundExecutor, Task};
 13#[cfg(unix)]
 14use smol::fs;
 15#[cfg(unix)]
 16use smol::{fs::unix::PermissionsExt as _, net::unix::UnixListener};
 17#[cfg(unix)]
 18use util::ResultExt as _;
 19
 20#[derive(PartialEq, Eq)]
 21pub enum AskPassResult {
 22    CancelledByUser,
 23    Timedout,
 24}
 25
 26pub struct AskPassDelegate {
 27    tx: mpsc::UnboundedSender<(String, oneshot::Sender<String>)>,
 28    _task: Task<()>,
 29}
 30
 31impl AskPassDelegate {
 32    pub fn new(
 33        cx: &mut AsyncApp,
 34        password_prompt: impl Fn(String, oneshot::Sender<String>, &mut AsyncApp) + Send + Sync + 'static,
 35    ) -> Self {
 36        let (tx, mut rx) = mpsc::unbounded::<(String, oneshot::Sender<String>)>();
 37        let task = cx.spawn(async move |cx: &mut AsyncApp| {
 38            while let Some((prompt, channel)) = rx.next().await {
 39                password_prompt(prompt, channel, cx);
 40            }
 41        });
 42        Self { tx, _task: task }
 43    }
 44
 45    pub async fn ask_password(&mut self, prompt: String) -> anyhow::Result<String> {
 46        let (tx, rx) = oneshot::channel();
 47        self.tx.send((prompt, tx)).await?;
 48        Ok(rx.await?)
 49    }
 50}
 51
 52#[cfg(unix)]
 53pub struct AskPassSession {
 54    script_path: PathBuf,
 55    _askpass_task: Task<()>,
 56    askpass_opened_rx: Option<oneshot::Receiver<()>>,
 57    askpass_kill_master_rx: Option<oneshot::Receiver<()>>,
 58}
 59
 60#[cfg(unix)]
 61impl AskPassSession {
 62    /// This will create a new AskPassSession.
 63    /// You must retain this session until the master process exits.
 64    #[must_use]
 65    pub async fn new(
 66        executor: &BackgroundExecutor,
 67        mut delegate: AskPassDelegate,
 68    ) -> anyhow::Result<Self> {
 69        let temp_dir = tempfile::Builder::new().prefix("zed-askpass").tempdir()?;
 70        let askpass_socket = temp_dir.path().join("askpass.sock");
 71        let askpass_script_path = temp_dir.path().join("askpass.sh");
 72        let (askpass_opened_tx, askpass_opened_rx) = oneshot::channel::<()>();
 73        let listener =
 74            UnixListener::bind(&askpass_socket).context("failed to create askpass socket")?;
 75        let zed_path = get_shell_safe_zed_path()?;
 76
 77        let (askpass_kill_master_tx, askpass_kill_master_rx) = oneshot::channel::<()>();
 78        let mut kill_tx = Some(askpass_kill_master_tx);
 79
 80        let askpass_task = executor.spawn(async move {
 81            let mut askpass_opened_tx = Some(askpass_opened_tx);
 82
 83            while let Ok((mut stream, _)) = listener.accept().await {
 84                if let Some(askpass_opened_tx) = askpass_opened_tx.take() {
 85                    askpass_opened_tx.send(()).ok();
 86                }
 87                let mut buffer = Vec::new();
 88                let mut reader = BufReader::new(&mut stream);
 89                if reader.read_until(b'\0', &mut buffer).await.is_err() {
 90                    buffer.clear();
 91                }
 92                let prompt = String::from_utf8_lossy(&buffer);
 93                if let Some(password) = delegate
 94                    .ask_password(prompt.to_string())
 95                    .await
 96                    .context("failed to get askpass password")
 97                    .log_err()
 98                {
 99                    stream.write_all(password.as_bytes()).await.log_err();
100                } else {
101                    if let Some(kill_tx) = kill_tx.take() {
102                        kill_tx.send(()).log_err();
103                    }
104                    // note: we expect the caller to drop this task when it's done.
105                    // We need to keep the stream open until the caller is done to avoid
106                    // spurious errors from ssh.
107                    std::future::pending::<()>().await;
108                    drop(stream);
109                }
110            }
111            drop(temp_dir)
112        });
113
114        // Create an askpass script that communicates back to this process.
115        let askpass_script = format!(
116            "{shebang}\n{print_args} | {zed_exe} --askpass={askpass_socket} 2> /dev/null \n",
117            zed_exe = zed_path,
118            askpass_socket = askpass_socket.display(),
119            print_args = "printf '%s\\0' \"$@\"",
120            shebang = "#!/bin/sh",
121        );
122        fs::write(&askpass_script_path, askpass_script).await?;
123        fs::set_permissions(&askpass_script_path, std::fs::Permissions::from_mode(0o755)).await?;
124
125        Ok(Self {
126            script_path: askpass_script_path,
127            _askpass_task: askpass_task,
128            askpass_kill_master_rx: Some(askpass_kill_master_rx),
129            askpass_opened_rx: Some(askpass_opened_rx),
130        })
131    }
132
133    pub fn script_path(&self) -> &Path {
134        &self.script_path
135    }
136
137    // This will run the askpass task forever, resolving as many authentication requests as needed.
138    // The caller is responsible for examining the result of their own commands and cancelling this
139    // future when this is no longer needed. Note that this can only be called once, but due to the
140    // drop order this takes an &mut, so you can `drop()` it after you're done with the master process.
141    pub async fn run(&mut self) -> AskPassResult {
142        let connection_timeout = Duration::from_secs(10);
143        let askpass_opened_rx = self.askpass_opened_rx.take().expect("Only call run once");
144        let askpass_kill_master_rx = self
145            .askpass_kill_master_rx
146            .take()
147            .expect("Only call run once");
148
149        select_biased! {
150            _ = askpass_opened_rx.fuse() => {
151                // Note: this await can only resolve after we are dropped.
152                askpass_kill_master_rx.await.ok();
153                return AskPassResult::CancelledByUser
154            }
155
156            _ = futures::FutureExt::fuse(smol::Timer::after(connection_timeout)) => {
157                return AskPassResult::Timedout
158            }
159        }
160    }
161}
162
163#[cfg(unix)]
164fn get_shell_safe_zed_path() -> anyhow::Result<String> {
165    let zed_path = std::env::current_exe()
166        .context("Failed to figure out current executable path for use in askpass")?
167        .to_string_lossy()
168        .to_string();
169
170    // NOTE: this was previously enabled, however, it caused errors when it shouldn't have
171    //       (see https://github.com/zed-industries/zed/issues/29819)
172    //       The zed path failing to execute within the askpass script results in very vague ssh
173    //       authentication failed errors, so this was done to try and surface a better error
174    //
175    // use std::os::unix::fs::MetadataExt;
176    // let metadata = std::fs::metadata(&zed_path)
177    //     .context("Failed to check metadata of Zed executable path for use in askpass")?;
178    // let is_executable = metadata.is_file() && metadata.mode() & 0o111 != 0;
179    // anyhow::ensure!(
180    //     is_executable,
181    //     "Failed to verify Zed executable path for use in askpass"
182    // );
183
184    // As of writing, this can only be fail if the path contains a null byte, which shouldn't be possible
185    // but shlex has annotated the error as #[non_exhaustive] so we can't make it a compile error if other
186    // errors are introduced in the future :(
187    let zed_path_escaped = shlex::try_quote(&zed_path)
188        .context("Failed to shell-escape Zed executable path for use in askpass")?;
189
190    return Ok(zed_path_escaped.to_string());
191}
192
193/// The main function for when Zed is running in netcat mode for use in askpass.
194/// Called from both the remote server binary and the zed binary in their respective main functions.
195#[cfg(unix)]
196pub fn main(socket: &str) {
197    use std::io::{self, Read, Write};
198    use std::os::unix::net::UnixStream;
199    use std::process::exit;
200
201    let mut stream = match UnixStream::connect(socket) {
202        Ok(stream) => stream,
203        Err(err) => {
204            eprintln!("Error connecting to socket {}: {}", socket, err);
205            exit(1);
206        }
207    };
208
209    let mut buffer = Vec::new();
210    if let Err(err) = io::stdin().read_to_end(&mut buffer) {
211        eprintln!("Error reading from stdin: {}", err);
212        exit(1);
213    }
214
215    if buffer.last() != Some(&b'\0') {
216        buffer.push(b'\0');
217    }
218
219    if let Err(err) = stream.write_all(&buffer) {
220        eprintln!("Error writing to socket: {}", err);
221        exit(1);
222    }
223
224    let mut response = Vec::new();
225    if let Err(err) = stream.read_to_end(&mut response) {
226        eprintln!("Error reading from socket: {}", err);
227        exit(1);
228    }
229
230    if let Err(err) = io::stdout().write_all(&response) {
231        eprintln!("Error writing to stdout: {}", err);
232        exit(1);
233    }
234}
235#[cfg(not(unix))]
236pub fn main(_socket: &str) {}
237
238#[cfg(not(unix))]
239pub struct AskPassSession {
240    path: PathBuf,
241}
242
243#[cfg(not(unix))]
244impl AskPassSession {
245    pub async fn new(_: &BackgroundExecutor, _: AskPassDelegate) -> anyhow::Result<Self> {
246        Ok(Self {
247            path: PathBuf::new(),
248        })
249    }
250
251    pub fn script_path(&self) -> &Path {
252        &self.path
253    }
254
255    pub async fn run(&mut self) -> AskPassResult {
256        futures::FutureExt::fuse(smol::Timer::after(Duration::from_secs(20))).await;
257        AskPassResult::Timedout
258    }
259}