use automatic key retrieval for github
parent
89699bca21
commit
fa06e92a14
2 changed files with 37 additions and 23 deletions
@ -2,20 +2,28 @@ package org.domaindrivenarchitecture.provs.ubuntu.git.base
import org.domaindrivenarchitecture.provs.core.Prov
import org.domaindrivenarchitecture.provs.core.Prov
import org.domaindrivenarchitecture.provs.core.ProvResult
import org.domaindrivenarchitecture.provs.core.ProvResult
import org.domaindrivenarchitecture.provs.ubuntu.filesystem.base.addTextToFile
import org.domaindrivenarchitecture.provs.ubuntu.filesystem.base.*
import org.domaindrivenarchitecture.provs.ubuntu.filesystem.base.createDir
import org.domaindrivenarchitecture.provs.ubuntu.filesystem.base.dirExists
import org.domaindrivenarchitecture.provs.ubuntu.keys.base.isHostKnown
import org.domaindrivenarchitecture.provs.ubuntu.keys.base.isHostKnown
import org.domaindrivenarchitecture.provs.ubuntu.utils.printToShell
import org.domaindrivenarchitecture.provs.ubuntu.utils.printToShell
import java.io.File
import java.io.File
val knownHostsFile = "~/.ssh/known_hosts"
/**
/**
* @param host name or ip
* Adds ssh keys for specified host (which also can be an ip-address) to ssh-file "known_hosts"
* @param rsaFingerprints
* Either add the specified rsaFingerprints or - if null - add automatically retrieved keys.
* Note: adding keys automatically is vulnerable to a man-in-the-middle attack and not considered secure.
*/
*/
private fun Prov.trustHost(host: String, rsaFingerprints: Set<String>) = def {
private fun Prov.trustHost(host: String, rsaFingerprints: Set<String>?) = def {
if (!isHostKnown(host)) {
if (!isHostKnown(host)) {
if (!fileExists(knownHostsFile)) {
createDir(".ssh")
createFile(knownHostsFile, null)
}
if (rsaFingerprints == null) {
// auto add keys
cmd("ssh-keyscan -H $host >> $knownHostsFile")
} else {
// logic based on https://serverfault.com/questions/447028/non-interactive-git-clone-ssh-fingerprint-prompt
// logic based on https://serverfault.com/questions/447028/non-interactive-git-clone-ssh-fingerprint-prompt
val key = cmd("ssh-keyscan $host").out
val key = cmd("ssh-keyscan $host").out
if (key == null) {
if (key == null) {
@ -25,15 +33,16 @@ private fun Prov.trustHost(host: String, rsaFingerprints: Set<String>) = def {
val fpr = cmd(c + " | ssh-keygen -lf -").out
val fpr = cmd(c + " | ssh-keygen -lf -").out
if (rsaFingerprints.contains(fpr)
if (rsaFingerprints.contains(fpr)
) {
) {
createDir(".ssh", "~/")
cmd(printToShell(key) + " >> $knownHostsFile")
cmd(printToShell(key) + " >> ~/.ssh/known_hosts")
} else {
} else {
ProvResult(false, "Fingerprint $fpr not valid for $host")
ProvResult(false, "Fingerprint $fpr not valid for $host")
}
}
}
}
} else {
ProvResult(true)
}
}
} else {
ProvResult(true, out = "Host already known")
}
}
}
@ -58,12 +67,16 @@ fun Prov.gitClone(repo: String, path: String, pullIfExisting: Boolean = true): P
fun Prov.trustGithub() = def {
fun Prov.trustGithub() = def {
// current see https://docs.github.com/en/github/authenticating-to-github/githubs-ssh-key-fingerprints
// current see https://docs.github.com/en/github/authenticating-to-github/githubs-ssh-key-fingerprints
// todo needs (preferably automatic) conversion to encoding used by keyscan
val fingerprints = setOf(
val fingerprints = setOf(
"2048 SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 github.com (RSA)\n",
"2048 SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 github.com (RSA)\n",
"2048 SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ github.com (RSA)\n"
// supported beginning September 14, 2021:
"2048 SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM github.com (ECDSA)\n",
"2048 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU github.com (Ed25519)\n"
)
)
trustHost("github.com", fingerprints)
trustHost("github.com", null)
}
}
@ -74,7 +87,7 @@ fun Prov.trustGitlab() = def {
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
""".trimIndent()
""".trimIndent()
addTextToFile("\n" + gitlabFingerprints+ "\n", File("~/.ssh/known_hosts"))
addTextToFile("\n" + gitlabFingerprints + "\n", File(knownHostsFile))
}
}
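Review bot: `trustHost("github.com", null)` in trustGithub drops fingerprint verification for GitHub entirely, so the new `cmd("ssh-keyscan -H $host >> $knownHostsFile")` branch in trustHost trusts whatever key the first connection returns — the man-in-the-middle weakness the new KDoc itself names — even though pinned fingerprints are still on hand in the now-unused `fingerprints` set. The todo above that set talks about an encoding mismatch; I believe the real mismatch is the prefix, since `ssh-keygen -lf` prints the key size and an upper-case type (`256 SHA256:… github.com (ECDSA)` and `256 SHA256:… github.com (ED25519)`), so the hard-coded `2048 … (ECDSA)` / `2048 … (Ed25519)` entries can never equal `fpr`, while the RSA entry already matches that format. Correcting those two entries and restoring `trustHost("github.com", fingerprints)` keeps verification while still adding the ECDSA and Ed25519 keys; if the automatic path stays as a fallback it should be opt-in for callers, not the default for a host whose fingerprints are published. Separately, `$host` is interpolated unquoted into both `ssh-keyscan` commands; callers pass literals today, but quoting it closes the gap should a host ever come from configuration. trustHost spans the first two hunks and its `key == null` branch continues outside the first hunk.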
@ -1,5 +1,6 @@
package org.domaindrivenarchitecture.provs.ubuntu.git.base
package org.domaindrivenarchitecture.provs.ubuntu.git.base
import org.domaindrivenarchitecture.provs.core.processors.ContainerStartMode
import org.domaindrivenarchitecture.provs.test.defaultTestContainer
import org.domaindrivenarchitecture.provs.test.defaultTestContainer
import org.domaindrivenarchitecture.provs.ubuntu.install.base.aptInstall
import org.domaindrivenarchitecture.provs.ubuntu.install.base.aptInstall
import org.domaindrivenarchitecture.provs.ubuntu.keys.base.isHostKnown
import org.domaindrivenarchitecture.provs.ubuntu.keys.base.isHostKnown
@ -12,7 +13,7 @@ internal class GitKtTest {
@Test
@Test
fun trustGitServers(){
fun trustGitServers(){
// given
// given
val a = defaultTestContainer()
val a = defaultTestContainer(ContainerStartMode.CREATE_NEW_KILL_EXISTING)
a.aptInstall("openssh-client")
a.aptInstall("openssh-client")
// when
// when