[PM-15934] Add agent-forwarding detection and git signing detection parsers (#12371)

* Add agent-forwarding detection and git signing detection parsers * Cleanup * Pin russh version * Run cargo fmt * Fix build * Update apps/desktop/desktop_native/core/src/ssh_agent/mod.rs Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com> * Pass through entire namespace * Move to bytes crate * Fix clippy errors * Fix clippy warning * Run cargo fmt * Fix build * Add renovate for bytes * Fix clippy warn --------- Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
2025-12-17 16:53:34 +00:00 · 2025-02-26 12:12:27 +01:00
parent ce5a5e3649
commit cb028eadb5
14 changed files with 203 additions and 39 deletions
--- a/apps/desktop/src/locales/en/messages.json
+++ b/apps/desktop/src/locales/en/messages.json
@@ -3509,9 +3509,27 @@
  "sshkeyApprovalTitle": {
    "message": "Confirm SSH key usage"
  },
+  "agentForwardingWarningTitle": {
+    "message": "Warning: Agent Forwarding"
+  },
+  "agentForwardingWarningText": {
+    "message": "This request comes from a remote device that you are logged into"
+  },
  "sshkeyApprovalMessageInfix": {
    "message": "is requesting access to"
  },
+  "sshkeyApprovalMessageSuffix": {
+    "message": "in order to"
+  },
+  "sshActionLogin": {
+    "message": "authenticate to a server"
+  },
+  "sshActionSign": {
+    "message": "sign a message"
+  },
+  "sshActionGitSign": {
+    "message": "sign a git commit"
+  },
  "unknownApplication": {
    "message": "An application"
  },
--- a/apps/desktop/src/platform/components/approve-ssh-request.html
+++ b/apps/desktop/src/platform/components/approve-ssh-request.html
@@ -2,8 +2,17 @@
  <bit-dialog>
    <div class="tw-font-semibold" bitDialogTitle>{{ "sshkeyApprovalTitle" | i18n }}</div>
    <div bitDialogContent>
+      <app-callout
+        type="warning"
+        title="{{ 'agentForwardingWarningTitle' | i18n }}"
+        *ngIf="params.isAgentForwarding"
+      >
+        {{ 'agentForwardingWarningText' | i18n }}
+      </app-callout>
+
      <b>{{params.applicationName}}</b> {{ "sshkeyApprovalMessageInfix" | i18n }}
-      <b>{{params.cipherName}}</b>.
+      <b>{{params.cipherName}}</b>
+      {{ "sshkeyApprovalMessageSuffix" | i18n }} {{ params.action | i18n }}
    </div>
    <div bitDialogFooter>
      <button type="submit" bitButton bitFormButton buttonType="primary">
--- a/apps/desktop/src/platform/components/approve-ssh-request.ts
+++ b/apps/desktop/src/platform/components/approve-ssh-request.ts
@@ -17,6 +17,8 @@ import { CipherFormGeneratorComponent } from "@bitwarden/vault";
 export interface ApproveSshRequestParams {
  cipherName: string;
  applicationName: string;
+  isAgentForwarding: boolean;
+  action: string;
 }

@Component({
@@ -44,11 +46,26 @@ export class ApproveSshRequestComponent {
    private formBuilder: FormBuilder,
  ) {}

-  static open(dialogService: DialogService, cipherName: string, applicationName: string) {
+  static open(
+    dialogService: DialogService,
+    cipherName: string,
+    applicationName: string,
+    isAgentForwarding: boolean,
+    namespace: string,
+  ) {
+    let actioni18nKey = "sshActionLogin";
+    if (namespace === "git") {
+      actioni18nKey = "sshActionGitSign";
+    } else if (namespace != null && namespace != "") {
+      actioni18nKey = "sshActionSign";
+    }
+
    return dialogService.open<boolean, ApproveSshRequestParams>(ApproveSshRequestComponent, {
      data: {
        cipherName,
        applicationName,
+        isAgentForwarding,
+        action: actioni18nKey,
      },
    });
  }
--- a/apps/desktop/src/platform/main/main-ssh-agent.service.ts
+++ b/apps/desktop/src/platform/main/main-ssh-agent.service.ts
@@ -47,7 +47,7 @@ export class MainSshAgentService {
  init() {
    // handle sign request passing to UI
    sshagent
-      .serve(async (err: Error, cipherId: string, isListRequest: boolean, processName: string) => {
+      .serve(async (err: Error, sshUiRequest: sshagent.SshUiRequest) => {
        // clear all old (> SIGN_TIMEOUT) requests
        this.requestResponses = this.requestResponses.filter(
          (response) => response.timestamp > new Date(Date.now() - this.SIGN_TIMEOUT),
@@ -56,10 +56,12 @@ export class MainSshAgentService {
        this.request_id += 1;
        const id_for_this_request = this.request_id;
        this.messagingService.send("sshagent.signrequest", {
-          cipherId,
-          isListRequest,
+          cipherId: sshUiRequest.cipherId,
+          isListRequest: sshUiRequest.isList,
          requestId: id_for_this_request,
-          processName,
+          processName: sshUiRequest.processName,
+          isAgentForwarding: sshUiRequest.isForwarding,
+          namespace: sshUiRequest.namespace,
        });

        const result = await firstValueFrom(
--- a/apps/desktop/src/platform/services/ssh-agent.service.ts
+++ b/apps/desktop/src/platform/services/ssh-agent.service.ts
@@ -148,6 +148,8 @@ export class SshAgentService implements OnDestroy {
          const isListRequest = message.isListRequest as boolean;
          const requestId = message.requestId as number;
          let application = message.processName as string;
+          const namespace = message.namespace as string;
+          const isAgentForwarding = message.isAgentForwarding as boolean;
          if (application == "") {
            application = this.i18nService.t("unknownApplication");
          }
@@ -181,6 +183,8 @@ export class SshAgentService implements OnDestroy {
            this.dialogService,
            cipher.name,
            application,
+            isAgentForwarding,
+            namespace,
          );

          const result = await firstValueFrom(dialogRef.closed);