Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(toolkit): attach lifetime to generated ssh keys. #5578

Open
wants to merge 207 commits into
base: master
Choose a base branch
from
Open

fix(toolkit): attach lifetime to generated ssh keys. #5578

wants to merge 207 commits into from
+116 −27

Conversation

Hweinstock
Copy link
Contributor

@Hweinstock Hweinstock commented Sep 12, 2024
edited
Loading

Problem

For connecting VSCode to EC2 instance, we generate an ssh key pair on disk. This results in writing the private ssh key to VSCode global storage, allowing the key to be potentially reused by other users on the same machine.

Solution

Attach a lifetime to any key pair generated such that they wipe from disk after X seconds. Value is currently set is 30 seconds to allow connection to reliably establish. Also, change file permissions to read/write owner only and change behavior to overwrite existing keys.

This is in-line with how ec2 instance connect works: https://github.com/aws/aws-ec2-instance-connect-cli/blob/master/ec2instanceconnectcli/EC2InstanceConnectKey.py

License: I confirm that my contribution is made under the terms of the Apache 2.0 license.

Hweinstock and others added 30 commits July 7, 2023 14:03
@Hweinstock
rename existing command to openTerminal
b7399c5
@Hweinstock
add new command for ec2 instance remote-connect
588594d
@Hweinstock
register new command so that it does not throw error
1c57e45
@Hweinstock
refactor to make terminal distinction clearer
814ba96
@Hweinstock
add prompt for new selection
b5d2c88
@Hweinstock
enable connection to ec2, start generalizing CodeCatalyst work
08ba106
@Hweinstock
abstract general error msg to its own function
3caba57
@Hweinstock
refactor more code catalyst code
f2894ba
@Hweinstock
refactor code to better mirror the code catalyst implementaton
f0f5086
@Hweinstock
add a cancellable loading bar on open
5be1f8d
@Hweinstock
rename variable to be more explicit
3c096cd
@Hweinstock
refactor to have a with-progress method layer
13b2bc0
@Hweinstock
refactor ssh config into the ssh file
8fbbc8d
@Hweinstock
convert regExp property to abstract
57dbde6
@Hweinstock
reformat string in proxycommand
fb9f1e8
@Hweinstock
implement basic tests on sshconfig mock object
f94fe64
@Hweinstock
split up verify ssh host into pieces
fdec798
@Hweinstock
refactor the sshconfig to make more testable, add more tests
545b8a7
@Hweinstock
refactor tests to distinguish between command and proxyCommand
4f8c680
@Hweinstock
avoid hard-coding in test
222fcfd
@Hweinstock
avoid other hard-coding in tests
0e5f7a2
@Hweinstock
change simple function to be in lined
e87f24d
@Hweinstock @JadenSimon
change command wording to be less clunky.
3764b4a 
Co-authored-by: JadenSimon <[email protected]>
@Hweinstock
change command phrasing to mirror ssh extension
1c3be08
@Hweinstock
Merge branch 'hkobew/ec2/remoteConnect/newCommand' into hkobew/ec2/re…
93e23f0 
…moteConnect/connect
@Hweinstock
Merge branch 'hkobew/ec2/remoteConnect/connect' into hkobew/ec2/remot…
d742eef 
…eConnect/sshConfig
@Hweinstock
remove commented out code
056e807
@Hweinstock
update command file with icon
153bf62
@Hweinstock
update context value for parent node
bd71166
@Hweinstock
handle case where parent node is passed to command
e027e40
@Hweinstock Hweinstock changed the title (WIP) fix(toolkit): attach lifetime to generated ssh keys. fix(toolkit): attach lifetime to generated ssh keys. Sep 12, 2024
@Hweinstock Hweinstock mentioned this pull request Sep 17, 2024
Draft
Base automatically changed from hkobew/ec2/useActions to master September 19, 2024 17:20
@github-actions GitHub Actions
Copy link

This pull request implements a feature or fix, so it must include a changelog entry. See CONTRIBUTING.md#changelog for instructions.

@Hweinstock Hweinstock marked this pull request as ready for review September 19, 2024 18:40
@Hweinstock Hweinstock requested a review from a team as a code owner September 19, 2024 18:40
@justinmk3
Copy link
Contributor

Attach a lifetime to any key pair generated such that they wipe from disk after X seconds. Value is currently set is 30 seconds to allow connection to reliably establish. Also, change file permissions to read/write owner only and change behavior to overwrite existing keys.

Great idea. Would also be a good time to add a EC2-specific section here:

aws-toolkit-vscode/docs/arch_features.md

Line 14 in 791ae55

## Remote connect

That way, we have a high-level description of the steps that happen.

justinmk3
justinmk3 reviewed Sep 19, 2024
View reviewed changes
packages/core/src/awsService/ec2/sshKeyPair.ts
this.lifeTimeout = new Timeout(lifetime)

this.lifeTimeout.onCompletion(async () => {
await this.delete()
Copy link
Contributor

@justinmk3 justinmk3 Sep 19, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice approach. (encapsulating this in the existing class)

justinmk3
justinmk3 reviewed Sep 19, 2024
View reviewed changes
packages/core/src/awsService/ec2/sshKeyPair.ts
@@ -5,19 +5,32 @@
import * as fs from 'fs-extra'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it's not much trouble, it would be helpful to remove this and use our fs.ts module instead. We want to eliminate 'fs-extra'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@justinmk3 justinmk3 justinmk3 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Hweinstock @justinmk3