feat: add SSH configuration and key management features

- Introduce .nvmrc file to specify Node.js version
- Add settings.local.json for SSH permissions configuration
- Enhance SSH interface in config.ts to include detailed host key settings
- Update SSH server to improve error handling and command processing
- Extend tests to cover new SSH key capture functionality and database user updates
- Include package-lock.json for test package dependencies

Author: dcoric

.claude/settings.local.json

@@ -0,0 +1,7 @@
+{
+  "permissions": {
+    "allow": ["Bash(npm test)", "Bash(npm test:*)"],
+    "deny": [],
+    "ask": []
+  }
+}

.nvmrc

@@ -0,0 +1 @@
+v20

src/config/generated/config.ts

@@ -279,6 +279,40 @@ export interface Database {
   [property: string]: any;
 }
 
+/**
+ * SSH proxy server configuration
+ */
+export interface SSH {
+  /**
+   * Enable SSH proxy server
+   */
+  enabled: boolean;
+  /**
+   * SSH host key configuration
+   */
+  hostKey?: HostKey;
+  /**
+   * Port for SSH proxy server to listen on
+   */
+  port?: number;
+  [property: string]: any;
+}
+
+/**
+ * SSH host key configuration
+ */
+export interface HostKey {
+  /**
+   * Path to private SSH host key
+   */
+  privateKeyPath: string;
+  /**
+   * Path to public SSH host key
+   */
+  publicKeyPath: string;
+  [property: string]: any;
+}
+
 /**
  * Toggle the generation of temporary password for git-proxy admin user
  */
@@ -302,25 +336,6 @@ export interface TLS {
   [property: string]: any;
 }
 
-/**
- * SSH proxy server configuration
- */
-export interface SSH {
-  enabled?: boolean;
-  port?: number;
-  hostKey?: SSHHostKey;
-  [property: string]: any;
-}
-
-/**
- * SSH host key configuration
- */
-export interface SSHHostKey {
-  privateKeyPath: string;
-  publicKeyPath: string;
-  [property: string]: any;
-}
-
 /**
  * UI routes that require authentication (logged in or admin)
  */
@@ -541,6 +556,7 @@ const typeMap: any = {
       { json: 'rateLimit', js: 'rateLimit', typ: u(undefined, r('RateLimit')) },
       { json: 'sessionMaxAgeHours', js: 'sessionMaxAgeHours', typ: u(undefined, 3.14) },
       { json: 'sink', js: 'sink', typ: u(undefined, a(r('Database'))) },
+      { json: 'ssh', js: 'ssh', typ: u(undefined, r('SSH')) },
       { json: 'sslCertPemPath', js: 'sslCertPemPath', typ: u(undefined, '') },
       { json: 'sslKeyPemPath', js: 'sslKeyPemPath', typ: u(undefined, '') },
       { json: 'tempPassword', js: 'tempPassword', typ: u(undefined, r('TempPassword')) },
@@ -625,6 +641,21 @@ const typeMap: any = {
     ],
     'any',
   ),
+  SSH: o(
+    [
+      { json: 'enabled', js: 'enabled', typ: true },
+      { json: 'hostKey', js: 'hostKey', typ: u(undefined, r('HostKey')) },
+      { json: 'port', js: 'port', typ: u(undefined, 3.14) },
+    ],
+    'any',
+  ),
+  HostKey: o(
+    [
+      { json: 'privateKeyPath', js: 'privateKeyPath', typ: '' },
+      { json: 'publicKeyPath', js: 'publicKeyPath', typ: '' },
+    ],
+    'any',
+  ),
   TempPassword: o(
     [
       { json: 'emailConfig', js: 'emailConfig', typ: u(undefined, m('any')) },

src/proxy/ssh/server.ts

@@ -250,7 +250,7 @@ export class SSHServer {
     });
   }
 
-  private async handleCommand(
+  public async handleCommand(
     command: string,
     stream: ssh2.ServerChannel,
     client: ClientWithUser,
@@ -361,7 +361,7 @@ export class SSHServer {
           `[SSH] Chain execution failed for user ${client.authenticatedUser?.username}:`,
           chainError,
         );
-        stream.stderr.write(`Access denied: ${chainError}\n`);
+        stream.stderr.write(`Access denied: ${chainError.message || chainError}\n`);
         stream.exit(1);
         stream.end();
         return;

test/chain.test.js

@@ -33,6 +33,7 @@ const initMockPushProcessors = (sinon) => {
     gitleaks: sinon.stub(),
     clearBareClone: sinon.stub(),
     scanDiff: sinon.stub(),
+    captureSSHKey: sinon.stub(),
     blockForAuth: sinon.stub(),
   };
   mockPushProcessors.parsePush.displayName = 'parsePush';
@@ -51,6 +52,7 @@ const initMockPushProcessors = (sinon) => {
   mockPushProcessors.gitleaks.displayName = 'gitleaks';
   mockPushProcessors.clearBareClone.displayName = 'clearBareClone';
   mockPushProcessors.scanDiff.displayName = 'scanDiff';
+  mockPushProcessors.captureSSHKey.displayName = 'captureSSHKey';
   mockPushProcessors.blockForAuth.displayName = 'blockForAuth';
   return mockPushProcessors;
 };
@@ -219,11 +221,13 @@ describe('proxy chain', function () {
     mockPushProcessors.gitleaks.resolves(continuingAction);
     mockPushProcessors.clearBareClone.resolves(continuingAction);
     mockPushProcessors.scanDiff.resolves(continuingAction);
+    mockPushProcessors.captureSSHKey.resolves(continuingAction);
     mockPushProcessors.blockForAuth.resolves(continuingAction);
 
     const result = await chain.executeChain(req);
 
     expect(mockPreProcessors.parseAction.called).to.be.true;
+    console.log(mockPushProcessors);
     expect(mockPushProcessors.parsePush.called).to.be.true;
     expect(mockPushProcessors.checkEmptyBranch.called).to.be.true;
     expect(mockPushProcessors.checkRepoInAuthorisedList.called).to.be.true;
@@ -239,6 +243,7 @@ describe('proxy chain', function () {
     expect(mockPushProcessors.gitleaks.called).to.be.true;
     expect(mockPushProcessors.clearBareClone.called).to.be.true;
     expect(mockPushProcessors.scanDiff.called).to.be.true;
+    expect(mockPushProcessors.captureSSHKey.called).to.be.true;
     expect(mockPushProcessors.blockForAuth.called).to.be.true;
     expect(mockPushProcessors.audit.called).to.be.true;
 
@@ -320,6 +325,7 @@ describe('proxy chain', function () {
     mockPushProcessors.gitleaks.resolves(action);
     mockPushProcessors.clearBareClone.resolves(action);
     mockPushProcessors.scanDiff.resolves(action);
+    mockPushProcessors.captureSSHKey.resolves(action);
     mockPushProcessors.blockForAuth.resolves(action);
     const dbStub = sinon.stub(db, 'authorise').resolves(true);
 
@@ -368,6 +374,7 @@ describe('proxy chain', function () {
     mockPushProcessors.gitleaks.resolves(action);
     mockPushProcessors.clearBareClone.resolves(action);
     mockPushProcessors.scanDiff.resolves(action);
+    mockPushProcessors.captureSSHKey.resolves(action);
     mockPushProcessors.blockForAuth.resolves(action);
 
     const dbStub = sinon.stub(db, 'reject').resolves(true);
@@ -417,6 +424,7 @@ describe('proxy chain', function () {
     mockPushProcessors.gitleaks.resolves(action);
     mockPushProcessors.clearBareClone.resolves(action);
     mockPushProcessors.scanDiff.resolves(action);
+    mockPushProcessors.captureSSHKey.resolves(action);
     mockPushProcessors.blockForAuth.resolves(action);
 
     const error = new Error('Database error');
@@ -465,6 +473,7 @@ describe('proxy chain', function () {
     mockPushProcessors.gitleaks.resolves(action);
     mockPushProcessors.clearBareClone.resolves(action);
     mockPushProcessors.scanDiff.resolves(action);
+    mockPushProcessors.captureSSHKey.resolves(action);
     mockPushProcessors.blockForAuth.resolves(action);
 
     const error = new Error('Database error');