mirror of https://github.com/fluxcd/flux2.git
Migrate to fluxcd/pkg
parent
006c949941
commit
4621afcb31
@ -1,26 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2020 The Flux CD contributors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package git
|
|
||||||
|
|
||||||
import "context"
|
|
||||||
|
|
||||||
// Provider is the interface that a git provider should implement
|
|
||||||
type Provider interface {
|
|
||||||
CreateRepository(ctx context.Context, r *Repository) (bool, error)
|
|
||||||
AddTeam(ctx context.Context, r *Repository, name, permission string) (bool, error)
|
|
||||||
AddDeployKey(ctx context.Context, r *Repository, key, keyName string) (bool, error)
|
|
||||||
}
|
|
@ -1,177 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2020 The Flux CD contributors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package git
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"fmt"
|
|
||||||
"github.com/google/go-github/v32/github"
|
|
||||||
"strings"
|
|
||||||
)
|
|
||||||
|
|
||||||
// GithubProvider represents a GitHub API wrapper
|
|
||||||
type GithubProvider struct {
|
|
||||||
IsPrivate bool
|
|
||||||
IsPersonal bool
|
|
||||||
}
|
|
||||||
|
|
||||||
const (
|
|
||||||
GitHubTokenName = "GITHUB_TOKEN"
|
|
||||||
GitHubDefaultHostname = "github.com"
|
|
||||||
)
|
|
||||||
|
|
||||||
func (p *GithubProvider) newClient(r *Repository) (*github.Client, error) {
|
|
||||||
auth := github.BasicAuthTransport{
|
|
||||||
Username: "git",
|
|
||||||
Password: r.Token,
|
|
||||||
}
|
|
||||||
|
|
||||||
gh := github.NewClient(auth.Client())
|
|
||||||
if r.Host != GitHubDefaultHostname {
|
|
||||||
baseURL := fmt.Sprintf("https://%s/api/v3/", r.Host)
|
|
||||||
uploadURL := fmt.Sprintf("https://%s/api/uploads/", r.Host)
|
|
||||||
if g, err := github.NewEnterpriseClient(baseURL, uploadURL, auth.Client()); err == nil {
|
|
||||||
gh = g
|
|
||||||
} else {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return gh, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// CreateRepository returns false if the repository exists
|
|
||||||
func (p *GithubProvider) CreateRepository(ctx context.Context, r *Repository) (bool, error) {
|
|
||||||
gh, err := p.newClient(r)
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("client error: %w", err)
|
|
||||||
}
|
|
||||||
org := ""
|
|
||||||
if !p.IsPersonal {
|
|
||||||
org = r.Owner
|
|
||||||
}
|
|
||||||
|
|
||||||
if _, _, err := gh.Repositories.Get(ctx, org, r.Name); err == nil {
|
|
||||||
return false, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
autoInit := true
|
|
||||||
_, _, err = gh.Repositories.Create(ctx, org, &github.Repository{
|
|
||||||
AutoInit: &autoInit,
|
|
||||||
Name: &r.Name,
|
|
||||||
Private: &p.IsPrivate,
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
if !strings.Contains(err.Error(), "name already exists on this account") {
|
|
||||||
return false, fmt.Errorf("failed to create repository, error: %w", err)
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
return true, nil
|
|
||||||
}
|
|
||||||
return false, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// AddTeam returns false if the team is already assigned to the repository
|
|
||||||
func (p *GithubProvider) AddTeam(ctx context.Context, r *Repository, name, permission string) (bool, error) {
|
|
||||||
gh, err := p.newClient(r)
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("client error: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// check team exists
|
|
||||||
_, _, err = gh.Teams.GetTeamBySlug(ctx, r.Owner, name)
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("failed to retrieve team '%s', error: %w", name, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// check if team is assigned to the repo
|
|
||||||
_, resp, err := gh.Teams.IsTeamRepoBySlug(ctx, r.Owner, name, r.Owner, r.Name)
|
|
||||||
if resp == nil && err != nil {
|
|
||||||
return false, fmt.Errorf("failed to determine if team '%s' is assigned to the repository, error: %w", name, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// add team to the repo
|
|
||||||
if resp.StatusCode == 404 {
|
|
||||||
_, err = gh.Teams.AddTeamRepoBySlug(ctx, r.Owner, name, r.Owner, r.Name, &github.TeamAddTeamRepoOptions{
|
|
||||||
Permission: permission,
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("failed to add team '%s' to the repository, error: %w", name, err)
|
|
||||||
}
|
|
||||||
return true, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
return false, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// AddDeployKey returns false if the key exists and the content is the same
|
|
||||||
func (p *GithubProvider) AddDeployKey(ctx context.Context, r *Repository, key, keyName string) (bool, error) {
|
|
||||||
gh, err := p.newClient(r)
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("client error: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// list deploy keys
|
|
||||||
keys, resp, err := gh.Repositories.ListKeys(ctx, r.Owner, r.Name, nil)
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("failed to list deploy keys, error: %w", err)
|
|
||||||
}
|
|
||||||
if resp.StatusCode >= 300 {
|
|
||||||
return false, fmt.Errorf("failed to list deploy keys (status code: %s)", resp.Status)
|
|
||||||
}
|
|
||||||
|
|
||||||
// check if the key exists
|
|
||||||
shouldCreateKey := true
|
|
||||||
var existingKey *github.Key
|
|
||||||
for _, k := range keys {
|
|
||||||
if k.Title != nil && k.Key != nil && *k.Title == keyName {
|
|
||||||
if *k.Key != key {
|
|
||||||
existingKey = k
|
|
||||||
} else {
|
|
||||||
shouldCreateKey = false
|
|
||||||
}
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// delete existing key if the value differs
|
|
||||||
if existingKey != nil {
|
|
||||||
resp, err := gh.Repositories.DeleteKey(ctx, r.Owner, r.Name, *existingKey.ID)
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("failed to delete deploy key '%s', error: %w", keyName, err)
|
|
||||||
}
|
|
||||||
if resp.StatusCode >= 300 {
|
|
||||||
return false, fmt.Errorf("failed to delete deploy key '%s' (status code: %s)", keyName, resp.Status)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// create key
|
|
||||||
if shouldCreateKey {
|
|
||||||
isReadOnly := true
|
|
||||||
_, _, err = gh.Repositories.CreateKey(ctx, r.Owner, r.Name, &github.Key{
|
|
||||||
Title: &keyName,
|
|
||||||
Key: &key,
|
|
||||||
ReadOnly: &isReadOnly,
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("failed to create deploy key '%s', error: %w", keyName, err)
|
|
||||||
}
|
|
||||||
return true, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
return false, nil
|
|
||||||
}
|
|
@ -1,163 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2020 The Flux CD contributors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package git
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"fmt"
|
|
||||||
"github.com/xanzy/go-gitlab"
|
|
||||||
)
|
|
||||||
|
|
||||||
// GitLabProvider represents a GitLab API wrapper
|
|
||||||
type GitLabProvider struct {
|
|
||||||
IsPrivate bool
|
|
||||||
IsPersonal bool
|
|
||||||
}
|
|
||||||
|
|
||||||
const (
|
|
||||||
GitLabTokenName = "GITLAB_TOKEN"
|
|
||||||
GitLabDefaultHostname = "gitlab.com"
|
|
||||||
)
|
|
||||||
|
|
||||||
func (p *GitLabProvider) newClient(r *Repository) (*gitlab.Client, error) {
|
|
||||||
gl, err := gitlab.NewClient(r.Token)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
if r.Host != GitLabDefaultHostname {
|
|
||||||
gl, err = gitlab.NewClient(r.Token, gitlab.WithBaseURL(fmt.Sprintf("https://%s/api/v4", r.Host)))
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return gl, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// CreateRepository returns false if the repository already exists
|
|
||||||
func (p *GitLabProvider) CreateRepository(ctx context.Context, r *Repository) (bool, error) {
|
|
||||||
gl, err := p.newClient(r)
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("client error: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
var id *int
|
|
||||||
if !p.IsPersonal {
|
|
||||||
groups, _, err := gl.Groups.ListGroups(&gitlab.ListGroupsOptions{Search: gitlab.String(r.Owner)}, gitlab.WithContext(ctx))
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("failed to list groups, error: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(groups) > 0 {
|
|
||||||
id = &groups[0].ID
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
visibility := gitlab.PublicVisibility
|
|
||||||
if p.IsPrivate {
|
|
||||||
visibility = gitlab.PrivateVisibility
|
|
||||||
}
|
|
||||||
|
|
||||||
projects, _, err := gl.Projects.ListProjects(&gitlab.ListProjectsOptions{Search: gitlab.String(r.Name)}, gitlab.WithContext(ctx))
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("failed to list projects, error: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(projects) == 0 {
|
|
||||||
p := &gitlab.CreateProjectOptions{
|
|
||||||
Name: gitlab.String(r.Name),
|
|
||||||
NamespaceID: id,
|
|
||||||
Visibility: &visibility,
|
|
||||||
InitializeWithReadme: gitlab.Bool(true),
|
|
||||||
}
|
|
||||||
|
|
||||||
_, _, err := gl.Projects.CreateProject(p)
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("failed to create project, error: %w", err)
|
|
||||||
}
|
|
||||||
return true, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
return false, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// AddTeam returns false if the team is already assigned to the repository
|
|
||||||
func (p *GitLabProvider) AddTeam(ctx context.Context, r *Repository, name, permission string) (bool, error) {
|
|
||||||
return false, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// AddDeployKey returns false if the key exists and the content is the same
|
|
||||||
func (p *GitLabProvider) AddDeployKey(ctx context.Context, r *Repository, key, keyName string) (bool, error) {
|
|
||||||
gl, err := p.newClient(r)
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("client error: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// list deploy keys
|
|
||||||
var projId int
|
|
||||||
projects, _, err := gl.Projects.ListProjects(&gitlab.ListProjectsOptions{Search: gitlab.String(r.Name)}, gitlab.WithContext(ctx))
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("failed to list projects, error: %w", err)
|
|
||||||
}
|
|
||||||
if len(projects) > 0 {
|
|
||||||
projId = projects[0].ID
|
|
||||||
} else {
|
|
||||||
return false, fmt.Errorf("no project found")
|
|
||||||
}
|
|
||||||
|
|
||||||
// check if the key exists
|
|
||||||
keys, _, err := gl.DeployKeys.ListProjectDeployKeys(projId, &gitlab.ListProjectDeployKeysOptions{})
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("failed to list deploy keys, error: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
shouldCreateKey := true
|
|
||||||
var existingKey *gitlab.DeployKey
|
|
||||||
for _, k := range keys {
|
|
||||||
if k.Title == keyName {
|
|
||||||
if k.Key != key {
|
|
||||||
existingKey = k
|
|
||||||
} else {
|
|
||||||
shouldCreateKey = false
|
|
||||||
}
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// delete existing key if the value differs
|
|
||||||
if existingKey != nil {
|
|
||||||
_, err := gl.DeployKeys.DeleteDeployKey(projId, existingKey.ID, gitlab.WithContext(ctx))
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("failed to delete deploy key '%s', error: %w", keyName, err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// create key
|
|
||||||
if shouldCreateKey {
|
|
||||||
_, _, err := gl.DeployKeys.AddDeployKey(projId, &gitlab.AddDeployKeyOptions{
|
|
||||||
Title: gitlab.String(keyName),
|
|
||||||
Key: gitlab.String(key),
|
|
||||||
CanPush: gitlab.Bool(false),
|
|
||||||
}, gitlab.WithContext(ctx))
|
|
||||||
if err != nil {
|
|
||||||
return false, fmt.Errorf("failed to create deploy key '%s', error: %w", keyName, err)
|
|
||||||
}
|
|
||||||
return true, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
return false, nil
|
|
||||||
}
|
|
@ -1,167 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2020 The Flux CD contributors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package git
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"fmt"
|
|
||||||
"time"
|
|
||||||
|
|
||||||
"github.com/go-git/go-git/v5"
|
|
||||||
"github.com/go-git/go-git/v5/plumbing"
|
|
||||||
"github.com/go-git/go-git/v5/plumbing/object"
|
|
||||||
"github.com/go-git/go-git/v5/plumbing/transport"
|
|
||||||
"github.com/go-git/go-git/v5/plumbing/transport/http"
|
|
||||||
)
|
|
||||||
|
|
||||||
// Repository represents a git repository wrapper
|
|
||||||
type Repository struct {
|
|
||||||
Name string
|
|
||||||
Owner string
|
|
||||||
Host string
|
|
||||||
Token string
|
|
||||||
AuthorName string
|
|
||||||
AuthorEmail string
|
|
||||||
|
|
||||||
repo *git.Repository
|
|
||||||
}
|
|
||||||
|
|
||||||
// NewRepository returns a git repository wrapper
|
|
||||||
func NewRepository(name, owner, host, token, authorName, authorEmail string) (*Repository, error) {
|
|
||||||
if name == "" {
|
|
||||||
return nil, fmt.Errorf("name required")
|
|
||||||
}
|
|
||||||
if owner == "" {
|
|
||||||
return nil, fmt.Errorf("owner required")
|
|
||||||
}
|
|
||||||
if host == "" {
|
|
||||||
return nil, fmt.Errorf("host required")
|
|
||||||
}
|
|
||||||
if token == "" {
|
|
||||||
return nil, fmt.Errorf("token required")
|
|
||||||
}
|
|
||||||
if authorName == "" {
|
|
||||||
return nil, fmt.Errorf("author name required")
|
|
||||||
}
|
|
||||||
if authorEmail == "" {
|
|
||||||
return nil, fmt.Errorf("author email required")
|
|
||||||
}
|
|
||||||
|
|
||||||
return &Repository{
|
|
||||||
Name: name,
|
|
||||||
Owner: owner,
|
|
||||||
Host: host,
|
|
||||||
Token: token,
|
|
||||||
AuthorName: authorName,
|
|
||||||
AuthorEmail: authorEmail,
|
|
||||||
}, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// GetURL returns the repository HTTPS address
|
|
||||||
func (r *Repository) GetURL() string {
|
|
||||||
return fmt.Sprintf("https://%s/%s/%s", r.Host, r.Owner, r.Name)
|
|
||||||
}
|
|
||||||
|
|
||||||
// GetSSH returns the repository SSH address
|
|
||||||
func (r *Repository) GetSSH() string {
|
|
||||||
return fmt.Sprintf("ssh://git@%s/%s/%s", r.Host, r.Owner, r.Name)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (r *Repository) auth() transport.AuthMethod {
|
|
||||||
return &http.BasicAuth{
|
|
||||||
Username: "git",
|
|
||||||
Password: r.Token,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Checkout repository branch at specified path
|
|
||||||
func (r *Repository) Checkout(ctx context.Context, branch, path string) error {
|
|
||||||
repo, err := git.PlainCloneContext(ctx, path, false, &git.CloneOptions{
|
|
||||||
URL: r.GetURL(),
|
|
||||||
Auth: r.auth(),
|
|
||||||
RemoteName: git.DefaultRemoteName,
|
|
||||||
ReferenceName: plumbing.NewBranchReferenceName(branch),
|
|
||||||
SingleBranch: true,
|
|
||||||
NoCheckout: false,
|
|
||||||
Progress: nil,
|
|
||||||
Tags: git.NoTags,
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("git clone error: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
_, err = repo.Head()
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("git resolve HEAD error: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
r.repo = repo
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Commit changes for the specified path, returns false if no changes are detected
|
|
||||||
func (r *Repository) Commit(ctx context.Context, path, message string) (bool, error) {
|
|
||||||
if r.repo == nil {
|
|
||||||
return false, fmt.Errorf("repository hasn't been cloned")
|
|
||||||
}
|
|
||||||
|
|
||||||
w, err := r.repo.Worktree()
|
|
||||||
if err != nil {
|
|
||||||
return false, err
|
|
||||||
}
|
|
||||||
|
|
||||||
_, err = w.Add(path)
|
|
||||||
if err != nil {
|
|
||||||
return false, err
|
|
||||||
}
|
|
||||||
|
|
||||||
status, err := w.Status()
|
|
||||||
if err != nil {
|
|
||||||
return false, err
|
|
||||||
}
|
|
||||||
|
|
||||||
if !status.IsClean() {
|
|
||||||
if _, err := w.Commit(message, &git.CommitOptions{
|
|
||||||
Author: &object.Signature{
|
|
||||||
Name: r.AuthorName,
|
|
||||||
Email: r.AuthorEmail,
|
|
||||||
When: time.Now(),
|
|
||||||
},
|
|
||||||
}); err != nil {
|
|
||||||
return false, err
|
|
||||||
}
|
|
||||||
return true, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
return false, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Push commits to origin
|
|
||||||
func (r *Repository) Push(ctx context.Context) error {
|
|
||||||
if r.repo == nil {
|
|
||||||
return fmt.Errorf("repository hasn't been cloned")
|
|
||||||
}
|
|
||||||
|
|
||||||
err := r.repo.PushContext(ctx, &git.PushOptions{
|
|
||||||
Auth: r.auth(),
|
|
||||||
Progress: nil,
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("git push error: %w", err)
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
@ -1,71 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2020 The Flux CD contributors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package ssh
|
|
||||||
|
|
||||||
import (
|
|
||||||
"encoding/base64"
|
|
||||||
"fmt"
|
|
||||||
"net"
|
|
||||||
"time"
|
|
||||||
|
|
||||||
"golang.org/x/crypto/ssh"
|
|
||||||
"golang.org/x/crypto/ssh/knownhosts"
|
|
||||||
)
|
|
||||||
|
|
||||||
// ScanHostKey collects the given host's preferred public key for the
|
|
||||||
// Any errors (e.g. authentication failures) are ignored, except if
|
|
||||||
// no key could be collected from the host.
|
|
||||||
func ScanHostKey(host string, timeout time.Duration) ([]byte, error) {
|
|
||||||
col := &HostKeyCollector{}
|
|
||||||
config := &ssh.ClientConfig{
|
|
||||||
HostKeyCallback: col.StoreKey(),
|
|
||||||
Timeout: timeout,
|
|
||||||
}
|
|
||||||
client, err := ssh.Dial("tcp", host, config)
|
|
||||||
if err == nil {
|
|
||||||
defer client.Close()
|
|
||||||
}
|
|
||||||
if len(col.knownKeys) > 0 {
|
|
||||||
return col.knownKeys, nil
|
|
||||||
}
|
|
||||||
return col.knownKeys, err
|
|
||||||
}
|
|
||||||
|
|
||||||
// HostKeyCollector offers a StoreKey method which provides an
|
|
||||||
// HostKeyCallBack to collect public keys from an SSH server.
|
|
||||||
type HostKeyCollector struct {
|
|
||||||
knownKeys []byte
|
|
||||||
}
|
|
||||||
|
|
||||||
// StoreKey stores the public key in bytes as returned by the host.
|
|
||||||
// To collect multiple public key types from the host, multiple
|
|
||||||
// SSH dials need with the ClientConfig HostKeyAlgorithms set to
|
|
||||||
// the algorithm you want to collect.
|
|
||||||
func (c *HostKeyCollector) StoreKey() ssh.HostKeyCallback {
|
|
||||||
return func(hostname string, remote net.Addr, key ssh.PublicKey) error {
|
|
||||||
c.knownKeys = append(
|
|
||||||
c.knownKeys,
|
|
||||||
fmt.Sprintf("%s %s %s\n", knownhosts.Normalize(hostname), key.Type(), base64.StdEncoding.EncodeToString(key.Marshal()))...,
|
|
||||||
)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// GetKnownKeys returns the collected public keys in bytes.
|
|
||||||
func (c *HostKeyCollector) GetKnownKeys() []byte {
|
|
||||||
return c.knownKeys
|
|
||||||
}
|
|
@ -1,146 +0,0 @@
|
|||||||
/*
|
|
||||||
Copyright 2020 The Flux CD contributors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package ssh
|
|
||||||
|
|
||||||
import (
|
|
||||||
"crypto/ecdsa"
|
|
||||||
"crypto/ed25519"
|
|
||||||
"crypto/elliptic"
|
|
||||||
"crypto/rand"
|
|
||||||
"crypto/rsa"
|
|
||||||
"crypto/x509"
|
|
||||||
"encoding/pem"
|
|
||||||
|
|
||||||
"golang.org/x/crypto/ssh"
|
|
||||||
)
|
|
||||||
|
|
||||||
// KeyPair holds the public and private key PEM block bytes.
|
|
||||||
type KeyPair struct {
|
|
||||||
PublicKey []byte
|
|
||||||
PrivateKey []byte
|
|
||||||
}
|
|
||||||
|
|
||||||
type KeyPairGenerator interface {
|
|
||||||
Generate() (*KeyPair, error)
|
|
||||||
}
|
|
||||||
|
|
||||||
type RSAGenerator struct {
|
|
||||||
bits int
|
|
||||||
}
|
|
||||||
|
|
||||||
func NewRSAGenerator(bits int) KeyPairGenerator {
|
|
||||||
return &RSAGenerator{bits}
|
|
||||||
}
|
|
||||||
|
|
||||||
func (g *RSAGenerator) Generate() (*KeyPair, error) {
|
|
||||||
pk, err := rsa.GenerateKey(rand.Reader, g.bits)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
err = pk.Validate()
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
pub, err := generatePublicKey(&pk.PublicKey)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
priv, err := encodePrivateKeyToPEM(pk)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return &KeyPair{
|
|
||||||
PublicKey: pub,
|
|
||||||
PrivateKey: priv,
|
|
||||||
}, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
type ECDSAGenerator struct {
|
|
||||||
c elliptic.Curve
|
|
||||||
}
|
|
||||||
|
|
||||||
func NewECDSAGenerator(c elliptic.Curve) KeyPairGenerator {
|
|
||||||
return &ECDSAGenerator{c}
|
|
||||||
}
|
|
||||||
|
|
||||||
func (g *ECDSAGenerator) Generate() (*KeyPair, error) {
|
|
||||||
pk, err := ecdsa.GenerateKey(g.c, rand.Reader)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
pub, err := generatePublicKey(&pk.PublicKey)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
priv, err := encodePrivateKeyToPEM(pk)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return &KeyPair{
|
|
||||||
PublicKey: pub,
|
|
||||||
PrivateKey: priv,
|
|
||||||
}, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
type Ed25519Generator struct{}
|
|
||||||
|
|
||||||
func NewEd25519Generator() KeyPairGenerator {
|
|
||||||
return &Ed25519Generator{}
|
|
||||||
}
|
|
||||||
|
|
||||||
func (g *Ed25519Generator) Generate() (*KeyPair, error) {
|
|
||||||
pk, pv, err := ed25519.GenerateKey(rand.Reader)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
pub, err := generatePublicKey(pk)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
priv, err := encodePrivateKeyToPEM(pv)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return &KeyPair{
|
|
||||||
PublicKey: pub,
|
|
||||||
PrivateKey: priv,
|
|
||||||
}, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func generatePublicKey(pk interface{}) ([]byte, error) {
|
|
||||||
b, err := ssh.NewPublicKey(pk)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
k := ssh.MarshalAuthorizedKey(b)
|
|
||||||
return k, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// encodePrivateKeyToPEM encodes the given private key to a PEM block.
|
|
||||||
// The encoded format is PKCS#8 for universal support of the most
|
|
||||||
// common key types (rsa, ecdsa, ed25519).
|
|
||||||
func encodePrivateKeyToPEM(pk interface{}) ([]byte, error) {
|
|
||||||
b, err := x509.MarshalPKCS8PrivateKey(pk)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
block := pem.Block{
|
|
||||||
Type: "PRIVATE KEY",
|
|
||||||
Bytes: b,
|
|
||||||
}
|
|
||||||
return pem.EncodeToMemory(&block), nil
|
|
||||||
}
|
|
@ -1,27 +0,0 @@
|
|||||||
Copyright (c) 2009 The Go Authors. All rights reserved.
|
|
||||||
|
|
||||||
Redistribution and use in source and binary forms, with or without
|
|
||||||
modification, are permitted provided that the following conditions are
|
|
||||||
met:
|
|
||||||
|
|
||||||
* Redistributions of source code must retain the above copyright
|
|
||||||
notice, this list of conditions and the following disclaimer.
|
|
||||||
* Redistributions in binary form must reproduce the above
|
|
||||||
copyright notice, this list of conditions and the following disclaimer
|
|
||||||
in the documentation and/or other materials provided with the
|
|
||||||
distribution.
|
|
||||||
* Neither the name of Google Inc. nor the names of its
|
|
||||||
contributors may be used to endorse or promote products derived from
|
|
||||||
this software without specific prior written permission.
|
|
||||||
|
|
||||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
||||||
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
||||||
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
||||||
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
||||||
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
||||||
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
||||||
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
||||||
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
||||||
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
||||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
||||||
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
@ -1,446 +0,0 @@
|
|||||||
// Copyright 2017 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
// Copyright 2020 The FluxCD contributors. All rights reserved.
|
|
||||||
// This package provides an in-memory known hosts database
|
|
||||||
// derived from the golang.org/x/crypto/ssh/knownhosts
|
|
||||||
// package.
|
|
||||||
// It has been slightly modified and adapted to work with
|
|
||||||
// in-memory host keys not related to any known_hosts files
|
|
||||||
// on disk, and the database can be initialized with just a
|
|
||||||
// known_hosts byte blob.
|
|
||||||
// https://pkg.go.dev/golang.org/x/crypto/ssh/knownhosts
|
|
||||||
|
|
||||||
package knownhosts
|
|
||||||
|
|
||||||
import (
|
|
||||||
"bufio"
|
|
||||||
"bytes"
|
|
||||||
"crypto/hmac"
|
|
||||||
"crypto/sha1"
|
|
||||||
"encoding/base64"
|
|
||||||
"errors"
|
|
||||||
"fmt"
|
|
||||||
"io"
|
|
||||||
"net"
|
|
||||||
"strings"
|
|
||||||
|
|
||||||
"golang.org/x/crypto/ssh"
|
|
||||||
"golang.org/x/crypto/ssh/knownhosts"
|
|
||||||
)
|
|
||||||
|
|
||||||
// See the sshd manpage
|
|
||||||
// (http://man.openbsd.org/sshd#SSH_KNOWN_HOSTS_FILE_FORMAT) for
|
|
||||||
// background.
|
|
||||||
|
|
||||||
type addr struct{ host, port string }
|
|
||||||
|
|
||||||
func (a *addr) String() string {
|
|
||||||
h := a.host
|
|
||||||
if strings.Contains(h, ":") {
|
|
||||||
h = "[" + h + "]"
|
|
||||||
}
|
|
||||||
return h + ":" + a.port
|
|
||||||
}
|
|
||||||
|
|
||||||
type matcher interface {
|
|
||||||
match(addr) bool
|
|
||||||
}
|
|
||||||
|
|
||||||
type hostPattern struct {
|
|
||||||
negate bool
|
|
||||||
addr addr
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *hostPattern) String() string {
|
|
||||||
n := ""
|
|
||||||
if p.negate {
|
|
||||||
n = "!"
|
|
||||||
}
|
|
||||||
|
|
||||||
return n + p.addr.String()
|
|
||||||
}
|
|
||||||
|
|
||||||
type hostPatterns []hostPattern
|
|
||||||
|
|
||||||
func (ps hostPatterns) match(a addr) bool {
|
|
||||||
matched := false
|
|
||||||
for _, p := range ps {
|
|
||||||
if !p.match(a) {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if p.negate {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
matched = true
|
|
||||||
}
|
|
||||||
return matched
|
|
||||||
}
|
|
||||||
|
|
||||||
// See
|
|
||||||
// https://android.googlesource.com/platform/external/openssh/+/ab28f5495c85297e7a597c1ba62e996416da7c7e/addrmatch.c
|
|
||||||
// The matching of * has no regard for separators, unlike filesystem globs
|
|
||||||
func wildcardMatch(pat []byte, str []byte) bool {
|
|
||||||
for {
|
|
||||||
if len(pat) == 0 {
|
|
||||||
return len(str) == 0
|
|
||||||
}
|
|
||||||
if len(str) == 0 {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
if pat[0] == '*' {
|
|
||||||
if len(pat) == 1 {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
for j := range str {
|
|
||||||
if wildcardMatch(pat[1:], str[j:]) {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
if pat[0] == '?' || pat[0] == str[0] {
|
|
||||||
pat = pat[1:]
|
|
||||||
str = str[1:]
|
|
||||||
} else {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func (p *hostPattern) match(a addr) bool {
|
|
||||||
return wildcardMatch([]byte(p.addr.host), []byte(a.host)) && p.addr.port == a.port
|
|
||||||
}
|
|
||||||
|
|
||||||
type inMemoryHostKeyDB struct {
|
|
||||||
hostKeys []hostKey
|
|
||||||
revoked map[string]*ssh.PublicKey
|
|
||||||
}
|
|
||||||
|
|
||||||
func newInMemoryHostKeyDB() *inMemoryHostKeyDB {
|
|
||||||
db := &inMemoryHostKeyDB{
|
|
||||||
revoked: make(map[string]*ssh.PublicKey),
|
|
||||||
}
|
|
||||||
|
|
||||||
return db
|
|
||||||
}
|
|
||||||
|
|
||||||
func keyEq(a, b ssh.PublicKey) bool {
|
|
||||||
return bytes.Equal(a.Marshal(), b.Marshal())
|
|
||||||
}
|
|
||||||
|
|
||||||
type hostKey struct {
|
|
||||||
matcher matcher
|
|
||||||
cert bool
|
|
||||||
key ssh.PublicKey
|
|
||||||
}
|
|
||||||
|
|
||||||
func (l *hostKey) match(a addr) bool {
|
|
||||||
return l.matcher.match(a)
|
|
||||||
}
|
|
||||||
|
|
||||||
// IsAuthorityForHost can be used as a callback in ssh.CertChecker
|
|
||||||
func (db *inMemoryHostKeyDB) IsHostAuthority(remote ssh.PublicKey, address string) bool {
|
|
||||||
h, p, err := net.SplitHostPort(address)
|
|
||||||
if err != nil {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
a := addr{host: h, port: p}
|
|
||||||
|
|
||||||
for _, l := range db.hostKeys {
|
|
||||||
if l.cert && keyEq(l.key, remote) && l.match(a) {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
// IsRevoked can be used as a callback in ssh.CertChecker
|
|
||||||
func (db *inMemoryHostKeyDB) IsRevoked(key *ssh.Certificate) bool {
|
|
||||||
_, ok := db.revoked[string(key.Marshal())]
|
|
||||||
return ok
|
|
||||||
}
|
|
||||||
|
|
||||||
const markerCert = "@cert-authority"
|
|
||||||
const markerRevoked = "@revoked"
|
|
||||||
|
|
||||||
func nextWord(line []byte) (string, []byte) {
|
|
||||||
i := bytes.IndexAny(line, "\t ")
|
|
||||||
if i == -1 {
|
|
||||||
return string(line), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
return string(line[:i]), bytes.TrimSpace(line[i:])
|
|
||||||
}
|
|
||||||
|
|
||||||
func parseLine(line []byte) (marker, host string, key ssh.PublicKey, err error) {
|
|
||||||
if w, next := nextWord(line); w == markerCert || w == markerRevoked {
|
|
||||||
marker = w
|
|
||||||
line = next
|
|
||||||
}
|
|
||||||
|
|
||||||
host, line = nextWord(line)
|
|
||||||
if len(line) == 0 {
|
|
||||||
return "", "", nil, errors.New("knownhosts: missing host pattern")
|
|
||||||
}
|
|
||||||
|
|
||||||
// ignore the keytype as it's in the key blob anyway.
|
|
||||||
_, line = nextWord(line)
|
|
||||||
if len(line) == 0 {
|
|
||||||
return "", "", nil, errors.New("knownhosts: missing key type pattern")
|
|
||||||
}
|
|
||||||
|
|
||||||
keyBlob, _ := nextWord(line)
|
|
||||||
|
|
||||||
keyBytes, err := base64.StdEncoding.DecodeString(keyBlob)
|
|
||||||
if err != nil {
|
|
||||||
return "", "", nil, err
|
|
||||||
}
|
|
||||||
key, err = ssh.ParsePublicKey(keyBytes)
|
|
||||||
if err != nil {
|
|
||||||
return "", "", nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
return marker, host, key, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (db *inMemoryHostKeyDB) parseLine(line []byte) error {
|
|
||||||
marker, pattern, key, err := parseLine(line)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
if marker == markerRevoked {
|
|
||||||
db.revoked[string(key.Marshal())] = &key
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
entry := hostKey{
|
|
||||||
key: key,
|
|
||||||
cert: marker == markerCert,
|
|
||||||
}
|
|
||||||
|
|
||||||
if pattern[0] == '|' {
|
|
||||||
entry.matcher, err = newHashedHost(pattern)
|
|
||||||
} else {
|
|
||||||
entry.matcher, err = newHostnameMatcher(pattern)
|
|
||||||
}
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
db.hostKeys = append(db.hostKeys, entry)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func newHostnameMatcher(pattern string) (matcher, error) {
|
|
||||||
var hps hostPatterns
|
|
||||||
for _, p := range strings.Split(pattern, ",") {
|
|
||||||
if len(p) == 0 {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
var a addr
|
|
||||||
var negate bool
|
|
||||||
if p[0] == '!' {
|
|
||||||
negate = true
|
|
||||||
p = p[1:]
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(p) == 0 {
|
|
||||||
return nil, errors.New("knownhosts: negation without following hostname")
|
|
||||||
}
|
|
||||||
|
|
||||||
var err error
|
|
||||||
if p[0] == '[' {
|
|
||||||
a.host, a.port, err = net.SplitHostPort(p)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
a.host, a.port, err = net.SplitHostPort(p)
|
|
||||||
if err != nil {
|
|
||||||
a.host = p
|
|
||||||
a.port = "22"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
hps = append(hps, hostPattern{
|
|
||||||
negate: negate,
|
|
||||||
addr: a,
|
|
||||||
})
|
|
||||||
}
|
|
||||||
return hps, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// check checks a key against the host database. This should not be
|
|
||||||
// used for verifying certificates.
|
|
||||||
func (db *inMemoryHostKeyDB) check(address string, remote net.Addr, remoteKey ssh.PublicKey) error {
|
|
||||||
if revoked := db.revoked[string(remoteKey.Marshal())]; revoked != nil {
|
|
||||||
return &knownhosts.RevokedError{Revoked: knownhosts.KnownKey{Key: *revoked}}
|
|
||||||
}
|
|
||||||
|
|
||||||
host, port, err := net.SplitHostPort(remote.String())
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("knownhosts: SplitHostPort(%s): %v", remote, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
hostToCheck := addr{host, port}
|
|
||||||
if address != "" {
|
|
||||||
// Give preference to the hostname if available.
|
|
||||||
host, port, err := net.SplitHostPort(address)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("knownhosts: SplitHostPort(%s): %v", address, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
hostToCheck = addr{host, port}
|
|
||||||
}
|
|
||||||
|
|
||||||
return db.checkAddr(hostToCheck, remoteKey)
|
|
||||||
}
|
|
||||||
|
|
||||||
// checkAddr checks if we can find the given public key for the
|
|
||||||
// given address. If we only find an entry for the IP address,
|
|
||||||
// or only the hostname, then this still succeeds.
|
|
||||||
func (db *inMemoryHostKeyDB) checkAddr(a addr, remoteKey ssh.PublicKey) error {
|
|
||||||
// TODO(hanwen): are these the right semantics? What if there
|
|
||||||
// is just a key for the IP address, but not for the
|
|
||||||
// hostname?
|
|
||||||
|
|
||||||
// Algorithm => key.
|
|
||||||
knownKeys := map[string]ssh.PublicKey{}
|
|
||||||
for _, l := range db.hostKeys {
|
|
||||||
if l.match(a) {
|
|
||||||
typ := l.key.Type()
|
|
||||||
if _, ok := knownKeys[typ]; !ok {
|
|
||||||
knownKeys[typ] = l.key
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
keyErr := &knownhosts.KeyError{}
|
|
||||||
for _, v := range knownKeys {
|
|
||||||
keyErr.Want = append(keyErr.Want, knownhosts.KnownKey{Key: v})
|
|
||||||
}
|
|
||||||
|
|
||||||
// Unknown remote host.
|
|
||||||
if len(knownKeys) == 0 {
|
|
||||||
return keyErr
|
|
||||||
}
|
|
||||||
|
|
||||||
// If the remote host starts using a different, unknown key type, we
|
|
||||||
// also interpret that as a mismatch.
|
|
||||||
if known, ok := knownKeys[remoteKey.Type()]; !ok || !keyEq(known, remoteKey) {
|
|
||||||
return keyErr
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// The Read function parses file contents.
|
|
||||||
func (db *inMemoryHostKeyDB) Read(r io.Reader) error {
|
|
||||||
scanner := bufio.NewScanner(r)
|
|
||||||
|
|
||||||
lineNum := 0
|
|
||||||
for scanner.Scan() {
|
|
||||||
lineNum++
|
|
||||||
line := scanner.Bytes()
|
|
||||||
line = bytes.TrimSpace(line)
|
|
||||||
if len(line) == 0 || line[0] == '#' {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := db.parseLine(line); err != nil {
|
|
||||||
return fmt.Errorf("knownhosts: %v", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return scanner.Err()
|
|
||||||
}
|
|
||||||
|
|
||||||
// New creates a host key callback from the given OpenSSH host key
|
|
||||||
// file bytes. The returned callback is for use in
|
|
||||||
// ssh.ClientConfig.HostKeyCallback. By preference, the key check
|
|
||||||
// operates on the hostname if available, i.e. if a server changes its
|
|
||||||
// IP address, the host key check will still succeed, even though a
|
|
||||||
// record of the new IP address is not available.
|
|
||||||
func New(b []byte) (ssh.HostKeyCallback, error) {
|
|
||||||
db := newInMemoryHostKeyDB()
|
|
||||||
r := bytes.NewReader(b)
|
|
||||||
if err := db.Read(r); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
var certChecker ssh.CertChecker
|
|
||||||
certChecker.IsHostAuthority = db.IsHostAuthority
|
|
||||||
certChecker.IsRevoked = db.IsRevoked
|
|
||||||
certChecker.HostKeyFallback = db.check
|
|
||||||
|
|
||||||
return certChecker.CheckHostKey, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func decodeHash(encoded string) (hashType string, salt, hash []byte, err error) {
|
|
||||||
if len(encoded) == 0 || encoded[0] != '|' {
|
|
||||||
err = errors.New("knownhosts: hashed host must start with '|'")
|
|
||||||
return
|
|
||||||
}
|
|
||||||
components := strings.Split(encoded, "|")
|
|
||||||
if len(components) != 4 {
|
|
||||||
err = fmt.Errorf("knownhosts: got %d components, want 3", len(components))
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
hashType = components[1]
|
|
||||||
if salt, err = base64.StdEncoding.DecodeString(components[2]); err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if hash, err = base64.StdEncoding.DecodeString(components[3]); err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func encodeHash(typ string, salt []byte, hash []byte) string {
|
|
||||||
return strings.Join([]string{"",
|
|
||||||
typ,
|
|
||||||
base64.StdEncoding.EncodeToString(salt),
|
|
||||||
base64.StdEncoding.EncodeToString(hash),
|
|
||||||
}, "|")
|
|
||||||
}
|
|
||||||
|
|
||||||
// See https://android.googlesource.com/platform/external/openssh/+/ab28f5495c85297e7a597c1ba62e996416da7c7e/hostfile.c#120
|
|
||||||
func hashHost(hostname string, salt []byte) []byte {
|
|
||||||
mac := hmac.New(sha1.New, salt)
|
|
||||||
mac.Write([]byte(hostname))
|
|
||||||
return mac.Sum(nil)
|
|
||||||
}
|
|
||||||
|
|
||||||
type hashedHost struct {
|
|
||||||
salt []byte
|
|
||||||
hash []byte
|
|
||||||
}
|
|
||||||
|
|
||||||
const sha1HashType = "1"
|
|
||||||
|
|
||||||
func newHashedHost(encoded string) (*hashedHost, error) {
|
|
||||||
typ, salt, hash, err := decodeHash(encoded)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
// The type field seems for future algorithm agility, but it's
|
|
||||||
// actually hardcoded in openssh currently, see
|
|
||||||
// https://android.googlesource.com/platform/external/openssh/+/ab28f5495c85297e7a597c1ba62e996416da7c7e/hostfile.c#120
|
|
||||||
if typ != sha1HashType {
|
|
||||||
return nil, fmt.Errorf("knownhosts: got hash type %s, must be '1'", typ)
|
|
||||||
}
|
|
||||||
|
|
||||||
return &hashedHost{salt: salt, hash: hash}, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (h *hashedHost) match(a addr) bool {
|
|
||||||
return bytes.Equal(hashHost(knownhosts.Normalize(a.String()), h.salt), h.hash)
|
|
||||||
}
|
|
@ -1,327 +0,0 @@
|
|||||||
// Copyright 2017 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
// Copyright 2020 The FluxCD contributors. All rights reserved.
|
|
||||||
// This package provides an in-memory known hosts database
|
|
||||||
// derived from the golang.org/x/crypto/ssh/knownhosts
|
|
||||||
// package.
|
|
||||||
// It has been slightly modified and adapted to work with
|
|
||||||
// in-memory host keys not related to any known_hosts files
|
|
||||||
// on disk, and the database can be initialized with just a
|
|
||||||
// known_hosts byte blob.
|
|
||||||
// https://pkg.go.dev/golang.org/x/crypto/ssh/knownhosts
|
|
||||||
|
|
||||||
package knownhosts
|
|
||||||
|
|
||||||
import (
|
|
||||||
"bytes"
|
|
||||||
"fmt"
|
|
||||||
"net"
|
|
||||||
"reflect"
|
|
||||||
"testing"
|
|
||||||
|
|
||||||
"golang.org/x/crypto/ssh"
|
|
||||||
"golang.org/x/crypto/ssh/knownhosts"
|
|
||||||
)
|
|
||||||
|
|
||||||
const edKeyStr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBAarftlLeoyf+v+nVchEZII/vna2PCV8FaX4vsF5BX"
|
|
||||||
const alternateEdKeyStr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIXffBYeYL+WVzVru8npl5JHt2cjlr4ornFTWzoij9sx"
|
|
||||||
const ecKeyStr = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLCu01+wpXe3xB5olXCN4SqU2rQu0qjSRKJO4Bg+JRCPU+ENcgdA5srTU8xYDz/GEa4dzK5ldPw4J/gZgSXCMs="
|
|
||||||
|
|
||||||
var ecKey, alternateEdKey, edKey ssh.PublicKey
|
|
||||||
var testAddr = &net.TCPAddr{
|
|
||||||
IP: net.IP{198, 41, 30, 196},
|
|
||||||
Port: 22,
|
|
||||||
}
|
|
||||||
|
|
||||||
var testAddr6 = &net.TCPAddr{
|
|
||||||
IP: net.IP{198, 41, 30, 196,
|
|
||||||
1, 2, 3, 4,
|
|
||||||
1, 2, 3, 4,
|
|
||||||
1, 2, 3, 4,
|
|
||||||
},
|
|
||||||
Port: 22,
|
|
||||||
}
|
|
||||||
|
|
||||||
func init() {
|
|
||||||
var err error
|
|
||||||
ecKey, _, _, _, err = ssh.ParseAuthorizedKey([]byte(ecKeyStr))
|
|
||||||
if err != nil {
|
|
||||||
panic(err)
|
|
||||||
}
|
|
||||||
edKey, _, _, _, err = ssh.ParseAuthorizedKey([]byte(edKeyStr))
|
|
||||||
if err != nil {
|
|
||||||
panic(err)
|
|
||||||
}
|
|
||||||
alternateEdKey, _, _, _, err = ssh.ParseAuthorizedKey([]byte(alternateEdKeyStr))
|
|
||||||
if err != nil {
|
|
||||||
panic(err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func testDB(t *testing.T, s string) *inMemoryHostKeyDB {
|
|
||||||
db := newInMemoryHostKeyDB()
|
|
||||||
if err := db.Read(bytes.NewBufferString(s)); err != nil {
|
|
||||||
t.Fatalf("Read: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
return db
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestRevoked(t *testing.T) {
|
|
||||||
db := testDB(t, "\n\n@revoked * "+edKeyStr+"\n")
|
|
||||||
want := &knownhosts.RevokedError{
|
|
||||||
Revoked: knownhosts.KnownKey{
|
|
||||||
Key: edKey,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
if err := db.check("", &net.TCPAddr{
|
|
||||||
Port: 42,
|
|
||||||
}, edKey); err == nil {
|
|
||||||
t.Fatal("no error for revoked key")
|
|
||||||
} else if !reflect.DeepEqual(want, err) {
|
|
||||||
t.Fatalf("got %#v, want %#v", want, err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestHostAuthority(t *testing.T) {
|
|
||||||
for _, m := range []struct {
|
|
||||||
authorityFor string
|
|
||||||
address string
|
|
||||||
|
|
||||||
good bool
|
|
||||||
}{
|
|
||||||
{authorityFor: "localhost", address: "localhost:22", good: true},
|
|
||||||
{authorityFor: "localhost", address: "localhost", good: false},
|
|
||||||
{authorityFor: "localhost", address: "localhost:1234", good: false},
|
|
||||||
{authorityFor: "[localhost]:1234", address: "localhost:1234", good: true},
|
|
||||||
{authorityFor: "[localhost]:1234", address: "localhost:22", good: false},
|
|
||||||
{authorityFor: "[localhost]:1234", address: "localhost", good: false},
|
|
||||||
} {
|
|
||||||
db := testDB(t, `@cert-authority `+m.authorityFor+` `+edKeyStr)
|
|
||||||
if ok := db.IsHostAuthority(db.hostKeys[0].key, m.address); ok != m.good {
|
|
||||||
t.Errorf("IsHostAuthority: authority %s, address %s, wanted good = %v, got good = %v",
|
|
||||||
m.authorityFor, m.address, m.good, ok)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestBracket(t *testing.T) {
|
|
||||||
db := testDB(t, `[git.eclipse.org]:29418,[198.41.30.196]:29418 `+edKeyStr)
|
|
||||||
|
|
||||||
if err := db.check("git.eclipse.org:29418", &net.TCPAddr{
|
|
||||||
IP: net.IP{198, 41, 30, 196},
|
|
||||||
Port: 29418,
|
|
||||||
}, edKey); err != nil {
|
|
||||||
t.Errorf("got error %v, want none", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := db.check("git.eclipse.org:29419", &net.TCPAddr{
|
|
||||||
Port: 42,
|
|
||||||
}, edKey); err == nil {
|
|
||||||
t.Fatalf("no error for unknown address")
|
|
||||||
} else if ke, ok := err.(*knownhosts.KeyError); !ok {
|
|
||||||
t.Fatalf("got type %T, want *KeyError", err)
|
|
||||||
} else if len(ke.Want) > 0 {
|
|
||||||
t.Fatalf("got Want %v, want []", ke.Want)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestNewKeyType(t *testing.T) {
|
|
||||||
str := fmt.Sprintf("%s %s", testAddr, edKeyStr)
|
|
||||||
db := testDB(t, str)
|
|
||||||
if err := db.check("", testAddr, ecKey); err == nil {
|
|
||||||
t.Fatalf("no error for unknown address")
|
|
||||||
} else if ke, ok := err.(*knownhosts.KeyError); !ok {
|
|
||||||
t.Fatalf("got type %T, want *KeyError", err)
|
|
||||||
} else if len(ke.Want) == 0 {
|
|
||||||
t.Fatalf("got empty KeyError.Want")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestSameKeyType(t *testing.T) {
|
|
||||||
str := fmt.Sprintf("%s %s", testAddr, edKeyStr)
|
|
||||||
db := testDB(t, str)
|
|
||||||
if err := db.check("", testAddr, alternateEdKey); err == nil {
|
|
||||||
t.Fatalf("no error for unknown address")
|
|
||||||
} else if ke, ok := err.(*knownhosts.KeyError); !ok {
|
|
||||||
t.Fatalf("got type %T, want *KeyError", err)
|
|
||||||
} else if len(ke.Want) == 0 {
|
|
||||||
t.Fatalf("got empty KeyError.Want")
|
|
||||||
} else if got, want := ke.Want[0].Key.Marshal(), edKey.Marshal(); !bytes.Equal(got, want) {
|
|
||||||
t.Fatalf("got key %q, want %q", got, want)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestIPAddress(t *testing.T) {
|
|
||||||
str := fmt.Sprintf("%s %s", testAddr, edKeyStr)
|
|
||||||
db := testDB(t, str)
|
|
||||||
if err := db.check("", testAddr, edKey); err != nil {
|
|
||||||
t.Errorf("got error %q, want none", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestIPv6Address(t *testing.T) {
|
|
||||||
str := fmt.Sprintf("%s %s", testAddr6, edKeyStr)
|
|
||||||
db := testDB(t, str)
|
|
||||||
|
|
||||||
if err := db.check("", testAddr6, edKey); err != nil {
|
|
||||||
t.Errorf("got error %q, want none", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestBasic(t *testing.T) {
|
|
||||||
str := fmt.Sprintf("#comment\n\nserver.org,%s %s\notherhost %s", testAddr, edKeyStr, ecKeyStr)
|
|
||||||
db := testDB(t, str)
|
|
||||||
if err := db.check("server.org:22", testAddr, edKey); err != nil {
|
|
||||||
t.Errorf("got error %v, want none", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
want := knownhosts.KnownKey{
|
|
||||||
Key: edKey,
|
|
||||||
}
|
|
||||||
if err := db.check("server.org:22", testAddr, ecKey); err == nil {
|
|
||||||
t.Errorf("succeeded, want KeyError")
|
|
||||||
} else if ke, ok := err.(*knownhosts.KeyError); !ok {
|
|
||||||
t.Errorf("got %T, want *KeyError", err)
|
|
||||||
} else if len(ke.Want) != 1 {
|
|
||||||
t.Errorf("got %v, want 1 entry", ke)
|
|
||||||
} else if !reflect.DeepEqual(ke.Want[0], want) {
|
|
||||||
t.Errorf("got %v, want %v", ke.Want[0], want)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestHostNamePrecedence(t *testing.T) {
|
|
||||||
var evilAddr = &net.TCPAddr{
|
|
||||||
IP: net.IP{66, 66, 66, 66},
|
|
||||||
Port: 22,
|
|
||||||
}
|
|
||||||
|
|
||||||
str := fmt.Sprintf("server.org,%s %s\nevil.org,%s %s", testAddr, edKeyStr, evilAddr, ecKeyStr)
|
|
||||||
db := testDB(t, str)
|
|
||||||
|
|
||||||
if err := db.check("server.org:22", evilAddr, ecKey); err == nil {
|
|
||||||
t.Errorf("check succeeded")
|
|
||||||
} else if _, ok := err.(*knownhosts.KeyError); !ok {
|
|
||||||
t.Errorf("got %T, want *KeyError", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestDBOrderingPrecedenceKeyType(t *testing.T) {
|
|
||||||
str := fmt.Sprintf("server.org,%s %s\nserver.org,%s %s", testAddr, edKeyStr, testAddr, alternateEdKeyStr)
|
|
||||||
db := testDB(t, str)
|
|
||||||
|
|
||||||
if err := db.check("server.org:22", testAddr, alternateEdKey); err == nil {
|
|
||||||
t.Errorf("check succeeded")
|
|
||||||
} else if _, ok := err.(*knownhosts.KeyError); !ok {
|
|
||||||
t.Errorf("got %T, want *KeyError", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestNegate(t *testing.T) {
|
|
||||||
str := fmt.Sprintf("%s,!server.org %s", testAddr, edKeyStr)
|
|
||||||
db := testDB(t, str)
|
|
||||||
if err := db.check("server.org:22", testAddr, ecKey); err == nil {
|
|
||||||
t.Errorf("succeeded")
|
|
||||||
} else if ke, ok := err.(*knownhosts.KeyError); !ok {
|
|
||||||
t.Errorf("got error type %T, want *KeyError", err)
|
|
||||||
} else if len(ke.Want) != 0 {
|
|
||||||
t.Errorf("got expected keys %d (first of type %s), want []", len(ke.Want), ke.Want[0].Key.Type())
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestWildcard(t *testing.T) {
|
|
||||||
str := fmt.Sprintf("server*.domain %s", edKeyStr)
|
|
||||||
db := testDB(t, str)
|
|
||||||
|
|
||||||
want := &knownhosts.KeyError{
|
|
||||||
Want: []knownhosts.KnownKey{{
|
|
||||||
Key: edKey,
|
|
||||||
}},
|
|
||||||
}
|
|
||||||
|
|
||||||
got := db.check("server.domain:22", &net.TCPAddr{}, ecKey)
|
|
||||||
if !reflect.DeepEqual(got, want) {
|
|
||||||
t.Errorf("got %s, want %s", got, want)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestWildcardMatch(t *testing.T) {
|
|
||||||
for _, c := range []struct {
|
|
||||||
pat, str string
|
|
||||||
want bool
|
|
||||||
}{
|
|
||||||
{"a?b", "abb", true},
|
|
||||||
{"ab", "abc", false},
|
|
||||||
{"abc", "ab", false},
|
|
||||||
{"a*b", "axxxb", true},
|
|
||||||
{"a*b", "axbxb", true},
|
|
||||||
{"a*b", "axbxbc", false},
|
|
||||||
{"a*?", "axbxc", true},
|
|
||||||
{"a*b*", "axxbxxxxxx", true},
|
|
||||||
{"a*b*c", "axxbxxxxxxc", true},
|
|
||||||
{"a*b*?", "axxbxxxxxxc", true},
|
|
||||||
{"a*b*z", "axxbxxbxxxz", true},
|
|
||||||
{"a*b*z", "axxbxxzxxxz", true},
|
|
||||||
{"a*b*z", "axxbxxzxxx", false},
|
|
||||||
} {
|
|
||||||
got := wildcardMatch([]byte(c.pat), []byte(c.str))
|
|
||||||
if got != c.want {
|
|
||||||
t.Errorf("wildcardMatch(%q, %q) = %v, want %v", c.pat, c.str, got, c.want)
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// TODO(hanwen): test coverage for certificates.
|
|
||||||
|
|
||||||
const testHostname = "hostname"
|
|
||||||
|
|
||||||
// generated with keygen -H -f
|
|
||||||
const encodedTestHostnameHash = "|1|IHXZvQMvTcZTUU29+2vXFgx8Frs=|UGccIWfRVDwilMBnA3WJoRAC75Y="
|
|
||||||
|
|
||||||
func TestHostHash(t *testing.T) {
|
|
||||||
testHostHash(t, testHostname, encodedTestHostnameHash)
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestHashList(t *testing.T) {
|
|
||||||
encoded := knownhosts.HashHostname(testHostname)
|
|
||||||
testHostHash(t, testHostname, encoded)
|
|
||||||
}
|
|
||||||
|
|
||||||
func testHostHash(t *testing.T, hostname, encoded string) {
|
|
||||||
typ, salt, hash, err := decodeHash(encoded)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("decodeHash: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
if got := encodeHash(typ, salt, hash); got != encoded {
|
|
||||||
t.Errorf("got encoding %s want %s", got, encoded)
|
|
||||||
}
|
|
||||||
|
|
||||||
if typ != sha1HashType {
|
|
||||||
t.Fatalf("got hash type %q, want %q", typ, sha1HashType)
|
|
||||||
}
|
|
||||||
|
|
||||||
got := hashHost(hostname, salt)
|
|
||||||
if !bytes.Equal(got, hash) {
|
|
||||||
t.Errorf("got hash %x want %x", got, hash)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestHashedHostkeyCheck(t *testing.T) {
|
|
||||||
str := fmt.Sprintf("%s %s", knownhosts.HashHostname(testHostname), edKeyStr)
|
|
||||||
db := testDB(t, str)
|
|
||||||
if err := db.check(testHostname+":22", testAddr, edKey); err != nil {
|
|
||||||
t.Errorf("check(%s): %v", testHostname, err)
|
|
||||||
}
|
|
||||||
want := &knownhosts.KeyError{
|
|
||||||
Want: []knownhosts.KnownKey{{
|
|
||||||
Key: edKey,
|
|
||||||
}},
|
|
||||||
}
|
|
||||||
if got := db.check(testHostname+":22", testAddr, alternateEdKey); !reflect.DeepEqual(got, want) {
|
|
||||||
t.Errorf("got error %v, want %v", got, want)
|
|
||||||
}
|
|
||||||
}
|
|
Loading…
Reference in New Issue