andrewschleifer/cdist
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Bugfix for: __ssh_authorized_keys overwrites existing keys #577 (#579)

Browse source 
* Fix a bug where invalid key removes all file entries.

* __ssh_authorized_key: add key validation.
This commit is contained in:
Darko Poljak 2017-09-17 08:13:05 +02:00 committed by GitHub
commit 8883196efb
3 changed files with 20 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

5
cdist/conf/type/__ssh_authorized_key/explorer/entry
View file

@ -20,7 +20,12 @@
# extract the keytype and base64 encoded key ignoring any options and comment # extract the keytype and base64 encoded key ignoring any options and comment
type_and_key="$(cat "$__object/parameter/key" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')" type_and_key="$(cat "$__object/parameter/key" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')"
# If type_and_key is empty, which is the case with an invalid key, do not grep $file because it results
# in greping everything in file and all entries from file are removed.
if [ -n "${type_and_key}" ]
then
file="$(cat $__object/parameter/file)" file="$(cat $__object/parameter/file)"
# get any entries that match the type and key # get any entries that match the type and key
grep ".*$type_and_key\([ \n]\|$\)" "$file" || true grep ".*$type_and_key\([ \n]\|$\)" "$file" || true
fi

13
cdist/conf/type/__ssh_authorized_key/gencode-remote
View file

@ -20,6 +20,15 @@
set -u set -u
the_key="$(cat "$__object/parameter/key")"
# validate key
validated_key="$(echo "${the_key}" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')"
if [ -z "${validated_key}" ]
then
echo "Key is invalid: \"${the_key}\"" >&2
exit 1
fi
remove_line() { remove_line() {
file="$1" file="$1"
line="$2" line="$2"
@ -55,11 +64,11 @@ mkdir "$__object/files"
fi fi
if [ -f "$__object/parameter/comment" ]; then if [ -f "$__object/parameter/comment" ]; then
# extract the keytype and base64 encoded key ignoring any options and comment # extract the keytype and base64 encoded key ignoring any options and comment
printf '%s ' "$(cat "$__object/parameter/key" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')" printf '%s ' "$(echo "${the_key}" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')"
# override the comment with the one explicitly given # override the comment with the one explicitly given
printf '%s' "$(cat "$__object/parameter/comment")" printf '%s' "$(cat "$__object/parameter/comment")"
else else
printf '%s' "$(cat "$__object/parameter/key")" printf '%s' "${the_key}"
fi fi
printf '\n' printf '\n'
) > "$__object/files/should" ) > "$__object/files/should"

1
docs/changelog
View file

@ -18,6 +18,7 @@ next:
* Type __install_stage: Fix __debug -> __cdist_log_level (Darko Poljak) * Type __install_stage: Fix __debug -> __cdist_log_level (Darko Poljak)
* Documentation: Document __cdist_log_level (Darko Poljak) * Documentation: Document __cdist_log_level (Darko Poljak)
* Core: Log ERROR to stderr and rest to stdout (Darko Poljak, Steven Armstrong) * Core: Log ERROR to stderr and rest to stdout (Darko Poljak, Steven Armstrong)
* Type __ssh_authorized_key: Bugfix the case where invalid key clears a file and add key validation (Darko Poljak)
4.6.1: 2017-08-30 4.6.1: 2017-08-30
* Type __user: Explore with /etc files (passwd, group, shadow) (Philippe Gregoire) * Type __user: Explore with /etc files (passwd, group, shadow) (Philippe Gregoire)