From 8a886882b7cf92f2f31fcd54ff7b0b4fb551e08b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20L=C3=BChne?= Date: Wed, 27 May 2020 01:51:41 +0200 Subject: [PATCH] Use dedicated pseudoterminal --- github-fast-env/bin/github-fast-env | 6 ++- github-fast-env/bin/github-fast-envd | 20 ++++++---- github-fast-env/github-fast-env.rb | 39 ++++++++++++++++--- .../systemd/github-fast-envd.service | 2 + 4 files changed, 53 insertions(+), 14 deletions(-) diff --git a/github-fast-env/bin/github-fast-env b/github-fast-env/bin/github-fast-env index fa8821c..7c6f638 100644 --- a/github-fast-env/bin/github-fast-env +++ b/github-fast-env/bin/github-fast-env @@ -1,2 +1,6 @@ #/usr/bin/env bash -sudo /usr/lib/github-fast-env/github-fast-env.rb "$@" +if [[ "$USER" == "git" ]] ; then + /usr/lib/github-fast-env/github-fast-env.rb "$@" +else + sudo -u git /usr/lib/github-fast-env/github-fast-env.rb "$@" +fi diff --git a/github-fast-env/bin/github-fast-envd b/github-fast-env/bin/github-fast-envd index 2c6020a..8f6509b 100644 --- a/github-fast-env/bin/github-fast-envd +++ b/github-fast-env/bin/github-fast-envd @@ -133,13 +133,13 @@ def clean_up_named_pipes(control_socket, connection_id) end def set_up_pseudoterminal(control_socket, pseudoterminal_path) - pseudoterminal_io = File.open(pseudoterminal_path, File::RDWR | File::NOCTTY) + $pseudoterminal_io = File.open(pseudoterminal_path, File::RDWR | File::NOCTTY) $original_stderr.puts " connecting to pseudoterminal #{pseudoterminal_path}" - $stdin.reopen(pseudoterminal_io) - $stdout.reopen(pseudoterminal_io) - $stderr.reopen(pseudoterminal_io) + $stdin.reopen($pseudoterminal_io) + $stdout.reopen($pseudoterminal_io) + $stderr.reopen($pseudoterminal_io) $original_stderr.puts " connected to pseudoterminal #{pseudoterminal_path}" @@ -148,7 +148,7 @@ end $original_stderr.puts "preloading common modules" -load "/usr/lib/github-fast-env/preload.rb" +#load "/usr/lib/github-fast-env/preload.rb" $original_stderr.puts "ready to serve requests" 
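Review bot: The added `[[ "$USER" == "git" ]]` test in bin/github-fast-env is bash-only syntax, but the script's first line, `#/usr/bin/env bash`, has no `!` and is therefore a plain comment, so the script runs under whatever shell the caller falls back to; it should read `#!/usr/bin/env bash`. The test also trusts the `USER` environment variable, which the caller can set or clear at will. `if [[ "$(id -un)" == "git" ]] ; then` checks the actual effective user instead. A wrong value grants nothing by itself, but it decides whether the client runs as the caller or as git, and the service's runtime directory is restricted to 0700.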
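Review bot: In bin/github-fast-envd the `load` of preload.rb is disabled by commenting it out, while the `preloading common modules` message directly above it is still printed, so the log reports work that no longer happens. If preloading is meant to stay off, remove both the dead line and the message; if this was a debugging aid, restore the `load` before merging. The commit message gives no reason for the change, so a one-line comment such as `# preload disabled: <reason>` would help the next reader.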
@@ -207,18 +207,18 @@ while true set_up_pseudoterminal(control_socket, pseudoterminal_path) end - Process.gid = Process.egid = "git" - Process.uid = Process.euid = "git" - $original_stderr.puts " executing script #{script_path} (#{process_id})" begin begin load script_path, true + $original_stderr.puts " finished executing script" rescue SystemExit => error $original_stderr.puts " exit code: #{error.status}" exit_code = error.status rescue StandardError => error + $original_stderr.puts " error executing script" + $stdin = $original_stdin $stdout = $original_stdout $stderr = $original_stderr @@ -247,9 +247,11 @@ while true end begin + # TODO: submit correct exit code upon Ctrl + C control_socket.puts "done #{exit_code}" rescue end + control_socket.close if mode == "named-pipes" @@ -257,6 +259,8 @@ while true end $original_stderr.puts " finished handling request (#{process_id})" + + $pseudoterminal_io.close end } diff --git a/github-fast-env/github-fast-env.rb b/github-fast-env/github-fast-env.rb index a697619..cd5f9a6 100644 --- a/github-fast-env/github-fast-env.rb +++ b/github-fast-env/github-fast-env.rb 
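Review bot: With the `Process.gid`/`Process.uid` assignments gone, nothing in the request loop ensures that `load script_path, true` runs as an unprivileged account; the only remaining control is `User=git` in the systemd unit. A daemon started by hand as root, or from a unit that lacks that line, would execute every requested script as root. A startup guard such as `abort "github-fast-envd must not run as root" if Process.euid.zero?` makes that misconfiguration fail loudly. The startup code is outside this hunk, so where the guard belongs needs confirming.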
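Review bot: The new `$pseudoterminal_io.close` at the end of request handling runs for every mode, but the global is assigned only in `set_up_pseudoterminal`, which the context at the top of the first hunk calls conditionally. For a named-pipes request it is presumably still nil, so the call would raise NoMethodError after the request has otherwise finished. Writing it as `$pseudoterminal_io.close if $pseudoterminal_io` covers that case. The enclosing block starts outside the hunk, so confirm whether the global can also carry over from an earlier request.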
@@ -162,10 +162,20 @@ encoded_script_path = Base64.encode64(script_path).delete("\n") read_ios = [$control_socket] if $options[:interactive] - pseudoterminal_path = File.readlink("/proc/self/fd/0") - encoded_pseudoterminal_path = Base64.encode64(pseudoterminal_path).delete("\n") + #pseudoterminal_path = File.readlink("/proc/self/fd/0") + #encoded_pseudoterminal_path = Base64.encode64(pseudoterminal_path).delete("\n") + require "pty" - $control_socket.puts "new v1 pseudoterminal #{encoded_pseudoterminal_path} #{working_directory} #{encoded_script_path}" + $pseudoterminal_master, pseudoterminal_client = PTY.open + $pseudoterminal_master.raw! + + log "info", "opened pseudoterminal at #{pseudoterminal_client.path}" + + encoded_pseudoterminal_client_path = Base64.encode64(pseudoterminal_client.path).delete("\n") + + read_ios += [$stdin, $pseudoterminal_master] + + $control_socket.puts "new v1 pseudoterminal #{encoded_pseudoterminal_client_path} #{working_directory} #{encoded_script_path}" else $control_socket.puts "new v1 named-pipes #{working_directory} #{encoded_script_path}" end @@ -216,7 +226,9 @@ end exit_code = "unknown" -while read_ios.include?($control_socket) or read_ios.include?(pipes["stdout"]) or read_ios.include?(pipes["stderr"]) +pseudoterminal_master_closed = false + +while read_ios.include?($control_socket) or read_ios.include?($pseudoterminal_master) or read_ios.include?(pipes["stdout"]) or read_ios.include?(pipes["stderr"]) log "trace", read_ios.inspect ready_read_ios, _, _ = IO.select(read_ios, [], []) 
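Review bot: `working_directory` is interpolated into the rewritten `new v1 pseudoterminal …` line as-is, while the two fields around it are Base64-encoded so that they cannot contain separators. Its definition is outside the hunk; if it is not encoded earlier, a directory name containing a space or a newline shifts the fields the daemon parses, including the script path. Encode it the same way, `Base64.encode64(working_directory).delete("\n")`, and decode it on the daemon side. The named-pipes branch in the context below has the same shape. The two commented-out `pseudoterminal_path` lines can simply be deleted, since version control keeps the old code.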
@@ -227,13 +239,23 @@ while read_ios.include?($control_socket) or read_ios.include?(pipes["stdout"]) o begin if ready_read_io.equal? $stdin log "trace", "writing to stdin" - pipes["stdin"].write ready_read_io.readpartial(4096) + chunk = ready_read_io.readpartial(4096) + if $options[:interactive] + if not pseudoterminal_master_closed + $pseudoterminal_master.write chunk + end + else + pipes["stdin"].write chunk + end elsif ready_read_io.equal? pipes["stdout"] log "trace", "reading from stdout" $stdout.write ready_read_io.readpartial(4096) elsif ready_read_io.equal? pipes["stderr"] log "trace", "reading from stderr" $stderr.write ready_read_io.readpartial(4096) + elsif ready_read_io.equal? $pseudoterminal_master + log "trace", "reading from pseudoterminal client" + $stdout.write ready_read_io.readpartial(4096) elsif ready_read_io.equal? $control_socket log "trace", "reading from control socket" command, arguments = read_command @@ -249,6 +271,11 @@ while read_ios.include?($control_socket) or read_ios.include?(pipes["stdout"]) o log "warn", "received input from unknown stream" end rescue EOFError + if ready_read_io == $control_socket + $pseudoterminal_master.close_write + pseudoterminal_master_closed = true + end + log "trace", "closing stream #{ready_read_io}" ready_read_io.close end @@ -262,3 +289,5 @@ exit_code_is_numeric = Integer(exit_code) != nil rescue false if exit_code_is_numeric exit Integer(exit_code) end + +exit 1 diff --git a/github-fast-env/systemd/github-fast-envd.service b/github-fast-env/systemd/github-fast-envd.service index 76461b6..16a192d 100644 --- a/github-fast-env/systemd/github-fast-envd.service +++ b/github-fast-env/systemd/github-fast-envd.service @@ -4,6 +4,8 @@ After=github-enterprise.target Wants=github-enterprise.target [Service] +User=git +Group=git RuntimeDirectory=github-fast-env RuntimeDirectoryMode=0700 Type=simple
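Review bot: In the `rescue EOFError` branch, `$pseudoterminal_master.close_write` runs whenever the control socket reaches EOF, but `$pseudoterminal_master` is assigned only under `$options[:interactive]`. In a named-pipes run it is nil, so this raises NoMethodError while the loop is shutting down. Guard it with `if $options[:interactive] && ready_read_io == $control_socket`. Separately, on Linux a read from a PTY master whose client side has been closed usually fails with Errno::EIO rather than EOFError, so the new `$pseudoterminal_master` read branch may not be covered by this rescue; if testing confirms that, use `rescue EOFError, Errno::EIO`. The loop itself begins outside this hunk.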