[feature] support SSH proxy jump connections (apache#3138)

Co-authored-by: aias00 <[email protected]>
Co-authored-by: Logic <[email protected]>

Author: 3 people

hertzbeat-collector/hertzbeat-collector-basic/src/main/java/org/apache/hertzbeat/collector/collect/ssh/SshCollectImpl.java

@@ -79,11 +79,12 @@ public void collect(CollectRep.MetricsData.Builder builder, Metrics metrics) {
         long startTime = System.currentTimeMillis();
         SshProtocol sshProtocol = metrics.getSsh();
         boolean reuseConnection = Boolean.parseBoolean(sshProtocol.getReuseConnection());
+        boolean useProxy = Boolean.parseBoolean(sshProtocol.getUseProxy());
         int timeout = CollectUtil.getTimeout(sshProtocol.getTimeout(), DEFAULT_TIMEOUT);
         ClientChannel channel = null;
         ClientSession clientSession = null;
         try {
-            clientSession = getConnectSession(sshProtocol, timeout, reuseConnection);
+            clientSession = getConnectSession(sshProtocol, timeout, reuseConnection, useProxy);
             if (CommonSshBlacklist.isCommandBlacklisted(sshProtocol.getScript())) {
                 builder.setCode(CollectRep.Code.FAIL);
                 builder.setMsg("The command is blacklisted: " + sshProtocol.getScript());
@@ -156,7 +157,7 @@ public void collect(CollectRep.MetricsData.Builder builder, Metrics metrics) {
                     log.error(e.getMessage(), e);
                 }
             }
-            if (clientSession != null && !reuseConnection) {
+            if (clientSession != null && !reuseConnection && !useProxy) {
                 try {
                     clientSession.close();
                 } catch (Exception e) {
@@ -280,11 +281,8 @@ private void removeConnectSessionCache(SshProtocol sshProtocol) {
         connectionCommonCache.removeCache(identifier);
     }
 
-    private ClientSession getConnectSession(SshProtocol sshProtocol, int timeout, boolean reuseConnection)
+    private ClientSession getConnectSession(SshProtocol sshProtocol, int timeout, boolean reuseConnection, boolean useProxy)
             throws IOException, GeneralSecurityException {
-        return SshHelper.getConnectSession(
-            sshProtocol.getHost(), sshProtocol.getPort(), sshProtocol.getUsername(), sshProtocol.getPassword(),
-            sshProtocol.getPrivateKey(), sshProtocol.getPrivateKeyPassphrase(), timeout, reuseConnection
-        );
+        return SshHelper.getConnectSession(sshProtocol, timeout, reuseConnection, useProxy);
     }
 }

hertzbeat-collector/hertzbeat-collector-common/src/main/java/org/apache/hertzbeat/collector/collect/common/ssh/SshHelper.java

@@ -17,13 +17,18 @@
 
 package org.apache.hertzbeat.collector.collect.common.ssh;
 
+import java.io.InputStream;
+import java.security.KeyPair;
+import java.util.List;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.hertzbeat.collector.collect.common.cache.AbstractConnection;
 import org.apache.hertzbeat.collector.collect.common.cache.CacheIdentifier;
 import org.apache.hertzbeat.collector.collect.common.cache.GlobalConnectionCache;
 import org.apache.hertzbeat.collector.collect.common.cache.SshConnect;
 import org.apache.hertzbeat.collector.util.PrivateKeyUtils;
+import org.apache.hertzbeat.common.entity.job.protocol.SshProtocol;
 import org.apache.sshd.client.SshClient;
+import org.apache.sshd.client.config.hosts.HostConfigEntry;
 import org.apache.sshd.client.session.ClientSession;
 import org.apache.sshd.common.config.keys.FilePasswordProvider;
 import org.apache.sshd.common.util.security.SecurityUtils;
@@ -101,4 +106,101 @@ public static ClientSession getConnectSession(String host, String port, String u
         return clientSession;
     }
 
+    public static ClientSession getConnectSession(SshProtocol sshProtocol, int timeout, boolean reuseConnection, boolean useProxy)
+            throws IOException, GeneralSecurityException {
+        CacheIdentifier identifier = CacheIdentifier.builder()
+                                                    .ip(sshProtocol.getHost()).port(sshProtocol.getPort())
+                                                    .username(sshProtocol.getUsername()).password(sshProtocol.getPassword())
+                                                    .build();
+        ClientSession clientSession = null;
+        // When using ProxyJump, force connection reuse:
+        // Apache MINA SSHD will pass the proxy password error to the target host in proxy scenarios, causing the first connection to fail.
+        // Reusing connections can skip duplicate authentication and avoid this problem.
+        if (reuseConnection || useProxy) {
+            Optional<AbstractConnection<?>> cacheOption = CONNECTION_COMMON_CACHE.getCache(identifier, true);
+            if (cacheOption.isPresent()) {
+                SshConnect sshConnect = (SshConnect) cacheOption.get();
+                clientSession = sshConnect.getConnection();
+                try {
+                    if (clientSession == null || clientSession.isClosed() || clientSession.isClosing()) {
+                        clientSession = null;
+                        CONNECTION_COMMON_CACHE.removeCache(identifier);
+                    }
+                } catch (Exception e) {
+                    log.warn(e.getMessage());
+                    clientSession = null;
+                    CONNECTION_COMMON_CACHE.removeCache(identifier);
+                }
+            }
+            if (clientSession != null) {
+                return clientSession;
+            }
+        }
+        SshClient sshClient = CommonSshClient.getSshClient();
+        HostConfigEntry proxyConfig = new HostConfigEntry();
+        if (useProxy && StringUtils.hasText(sshProtocol.getProxyHost())) {
+            String proxySpec = String.format("%s@%s:%d", sshProtocol.getProxyUsername(), sshProtocol.getProxyHost(), Integer.parseInt(sshProtocol.getProxyPort()));
+            proxyConfig.setHostName(sshProtocol.getHost());
+            proxyConfig.setHost(sshProtocol.getHost());
+            proxyConfig.setPort(Integer.parseInt(sshProtocol.getPort()));
+            proxyConfig.setUsername(sshProtocol.getUsername());
+            proxyConfig.setProxyJump(proxySpec);
+
+            // Apache SSHD requires the password for the proxy to be preloaded into the sshClient instance before connecting
+            if (StringUtils.hasText(sshProtocol.getProxyPassword())) {
+                sshClient.addPasswordIdentity(sshProtocol.getProxyPassword());
+                log.debug("Loaded proxy server password authentication: {}@{}", sshProtocol.getProxyUsername(), sshProtocol.getProxyHost());
+            }
+            if (StringUtils.hasText(sshProtocol.getProxyPrivateKey())) {
+                proxyConfig.setIdentities(List.of(sshProtocol.getProxyPrivateKey()));
+                log.debug("Proxy private key loaded into HostConfigEntry");
+            }
+        }
+
+        if (useProxy && StringUtils.hasText(sshProtocol.getProxyHost())) {
+            try {
+                clientSession = sshClient.connect(proxyConfig)
+                                         .verify(timeout, TimeUnit.MILLISECONDS).getSession();
+            }
+            finally {
+                sshClient.removePasswordIdentity(sshProtocol.getProxyPassword());
+            }
+        } else {
+            clientSession = sshClient.connect(sshProtocol.getUsername(), sshProtocol.getHost(), Integer.parseInt(sshProtocol.getPort()))
+                                     .verify(timeout, TimeUnit.MILLISECONDS).getSession();
+        }
+
+        if (StringUtils.hasText(sshProtocol.getPassword())) {
+            clientSession.addPasswordIdentity(sshProtocol.getPassword());
+        } else if (StringUtils.hasText(sshProtocol.getPrivateKey())) {
+            var resourceKey = PrivateKeyUtils.writePrivateKey(sshProtocol.getHost(), sshProtocol.getPrivateKey());
+            try (InputStream keyStream = new FileInputStream(resourceKey)) {
+                FilePasswordProvider passwordProvider = (session, resource, index) -> {
+                    if (StringUtils.hasText(sshProtocol.getPrivateKeyPassphrase())) {
+                        return sshProtocol.getPrivateKeyPassphrase();
+                    }
+                    return null;
+                };
+                Iterable<KeyPair> keyPairs = SecurityUtils.loadKeyPairIdentities(null, () -> resourceKey, keyStream, passwordProvider);
+                if (keyPairs != null) {
+                    keyPairs.forEach(clientSession::addPublicKeyIdentity);
+                } else {
+                    log.error("Failed to load private key pairs from: {}", resourceKey);
+                }
+            } catch (IOException e) {
+                log.error("Error reading private key file: {}", e.getMessage());
+            }
+        }  // else auth with localhost private public key certificates
+
+        // auth
+        if (!clientSession.auth().verify(timeout, TimeUnit.MILLISECONDS).isSuccess()) {
+            clientSession.close();
+            throw new IllegalArgumentException("ssh auth failed.");
+        }
+        if (reuseConnection || useProxy) {
+            SshConnect sshConnect = new SshConnect(clientSession);
+            CONNECTION_COMMON_CACHE.addCache(identifier, sshConnect);
+        }
+        return clientSession;
+    }
 }

hertzbeat-common/src/main/java/org/apache/hertzbeat/common/entity/job/protocol/SshProtocol.java

@@ -80,4 +80,34 @@ public class SshProtocol implements CommonRequestProtocol, Protocol {
      * Response data parsing mode：oneRow, multiRow
      */
     private String parseType;
+
+    /**
+     * IP ADDRESS OR DOMAIN NAME OF THE PEER PROXY HOST
+     */
+    private String proxyHost;
+
+    /**
+     * Peer proxy host port
+     */
+    private String proxyPort;
+
+    /**
+     * Proxy UserName
+     */
+    private String proxyUsername;
+
+    /**
+     * Proxy Password (optional)
+     */
+    private String proxyPassword;
+
+    /**
+     * flag of use proxy
+     */
+    private String useProxy = "false";
+
+    /**
+     * Proxy private key (optional)
+     */
+    private String proxyPrivateKey;
 }