use automatic key retrieval for github

This commit is contained in:
az 2021-11-23 13:47:20 +01:00
parent 89699bca21
commit fa06e92a14
2 changed files with 37 additions and 23 deletions


@ -2,20 +2,28 @@ package org.domaindrivenarchitecture.provs.ubuntu.git.base
import org.domaindrivenarchitecture.provs.core.Prov import org.domaindrivenarchitecture.provs.core.Prov
import org.domaindrivenarchitecture.provs.core.ProvResult import org.domaindrivenarchitecture.provs.core.ProvResult
import org.domaindrivenarchitecture.provs.ubuntu.filesystem.base.addTextToFile import org.domaindrivenarchitecture.provs.ubuntu.filesystem.base.*
import org.domaindrivenarchitecture.provs.ubuntu.filesystem.base.createDir
import org.domaindrivenarchitecture.provs.ubuntu.filesystem.base.dirExists
import org.domaindrivenarchitecture.provs.ubuntu.keys.base.isHostKnown import org.domaindrivenarchitecture.provs.ubuntu.keys.base.isHostKnown
import org.domaindrivenarchitecture.provs.ubuntu.utils.printToShell import org.domaindrivenarchitecture.provs.ubuntu.utils.printToShell
import java.io.File import java.io.File
val knownHostsFile = "~/.ssh/known_hosts"
/** /**
* @param host name or ip * Adds ssh keys for specified host (which also can be an ip-address) to ssh-file "known_hosts"
* @param rsaFingerprints * Either add the specified rsaFingerprints or - if null - add automatically retrieved keys.
* Note: adding keys automatically is vulnerable to a man-in-the-middle attack and not considered secure.
*/ */
private fun Prov.trustHost(host: String, rsaFingerprints: Set<String>) = def { private fun Prov.trustHost(host: String, rsaFingerprints: Set<String>?) = def {
if (!isHostKnown(host)) { if (!isHostKnown(host)) {
if (!fileExists(knownHostsFile)) {
createDir(".ssh")
createFile(knownHostsFile, null)
}
if (rsaFingerprints == null) {
// auto add keys
cmd("ssh-keyscan -H $host >> $knownHostsFile")
} else {
// logic based on https://serverfault.com/questions/447028/non-interactive-git-clone-ssh-fingerprint-prompt // logic based on https://serverfault.com/questions/447028/non-interactive-git-clone-ssh-fingerprint-prompt
val key = cmd("ssh-keyscan $host").out val key = cmd("ssh-keyscan $host").out
if (key == null) { if (key == null) {
@ -25,15 +33,16 @@ private fun Prov.trustHost(host: String, rsaFingerprints: Set<String>) = def {
val fpr = cmd(c + " | ssh-keygen -lf -").out val fpr = cmd(c + " | ssh-keygen -lf -").out
if (rsaFingerprints.contains(fpr) if (rsaFingerprints.contains(fpr)
) { ) {
createDir(".ssh", "~/") cmd(printToShell(key) + " >> $knownHostsFile")
cmd(printToShell(key) + " >> ~/.ssh/known_hosts")
} else { } else {
ProvResult(false, "Fingerprint $fpr not valid for $host") ProvResult(false, "Fingerprint $fpr not valid for $host")
} }
} }
} else {
ProvResult(true)
} }
} else {
ProvResult(true, out = "Host already known")
}
} }
@ -58,12 +67,16 @@ fun Prov.gitClone(repo: String, path: String, pullIfExisting: Boolean = true): P
fun Prov.trustGithub() = def { fun Prov.trustGithub() = def {
// current see https://docs.github.com/en/github/authenticating-to-github/githubs-ssh-key-fingerprints // current see https://docs.github.com/en/github/authenticating-to-github/githubs-ssh-key-fingerprints
// todo needs (preferably automatic) conversion to encoding used by keyscan
val fingerprints = setOf( val fingerprints = setOf(
"2048 SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 github.com (RSA)\n", "2048 SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 github.com (RSA)\n",
"2048 SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ github.com (RSA)\n" // supported beginning September 14, 2021:
"2048 SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM github.com (ECDSA)\n",
"2048 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU github.com (Ed25519)\n"
) )
trustHost("github.com", fingerprints) trustHost("github.com", null)
} }
@ -74,7 +87,7 @@ fun Prov.trustGitlab() = def {
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
""".trimIndent() """.trimIndent()
addTextToFile("\n" + gitlabFingerprints+ "\n", File("~/.ssh/known_hosts")) addTextToFile("\n" + gitlabFingerprints + "\n", File(knownHostsFile))
} }
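Review bot: `trustHost("github.com", null)` at the end of trustGithub replaces pinned-fingerprint verification with an unverified `ssh-keyscan -H` append, which the new KDoc on trustHost itself describes as vulnerable to a man-in-the-middle attack, while the `fingerprints` set built two lines above is no longer read anywhere. If the motivation is the encoding mismatch named in the `todo`, note that the two new ECDSA and Ed25519 entries carry a `2048` bit-length prefix although `ssh-keygen -lf` would presumably report 256 for those key types, so they could never match; correcting those entries and keeping `trustHost("github.com", fingerprints)` would preserve the pinning. Otherwise the dead set should be removed so readers do not assume github.com is still pinned. Separately, in the first hunk `cmd("ssh-keyscan -H $host >> $knownHostsFile")` interpolates `host` unquoted into a shell command, so the contract deserves a comment such as `// host is interpolated into a shell command: callers must pass a trusted, validated host name`.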


@ -1,5 +1,6 @@
package org.domaindrivenarchitecture.provs.ubuntu.git.base package org.domaindrivenarchitecture.provs.ubuntu.git.base
import org.domaindrivenarchitecture.provs.core.processors.ContainerStartMode
import org.domaindrivenarchitecture.provs.test.defaultTestContainer import org.domaindrivenarchitecture.provs.test.defaultTestContainer
import org.domaindrivenarchitecture.provs.ubuntu.install.base.aptInstall import org.domaindrivenarchitecture.provs.ubuntu.install.base.aptInstall
import org.domaindrivenarchitecture.provs.ubuntu.keys.base.isHostKnown import org.domaindrivenarchitecture.provs.ubuntu.keys.base.isHostKnown
@ -12,7 +13,7 @@ internal class GitKtTest {
@Test @Test
fun trustGitServers(){ fun trustGitServers(){
// given // given
val a = defaultTestContainer() val a = defaultTestContainer(ContainerStartMode.CREATE_NEW_KILL_EXISTING)
a.aptInstall("openssh-client") a.aptInstall("openssh-client")
// when // when