Bugfix for: __ssh_authorized_keys overwrites existing keys #577 (#579)

* Fix a bug where invalid key removes all file entries. * __ssh_authorized_key: add key validation.
2017-09-17 08:13:05 +02:00 · 2017-09-17 08:13:05 +02:00 · 8883196efb
commit 8883196efb
parent ac04edc233
3 changed files with 20 additions and 5 deletions
--- a/cdist/conf/type/__ssh_authorized_key/explorer/entry
+++ b/cdist/conf/type/__ssh_authorized_key/explorer/entry
@ -20,7 +20,12 @@

 # extract the keytype and base64 encoded key ignoring any options and comment
 type_and_key="$(cat "$__object/parameter/key" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')"
+# If type_and_key is empty, which is the case with an invalid key, do not grep $file because it results
+# in greping everything in file and all entries from file are removed.
+if [ -n "${type_and_key}" ]
+then
    file="$(cat $__object/parameter/file)"

    # get any entries that match the type and key
    grep ".*$type_and_key\([ \n]\|$\)" "$file" || true
+fi
--- a/cdist/conf/type/__ssh_authorized_key/gencode-remote
+++ b/cdist/conf/type/__ssh_authorized_key/gencode-remote
@ -20,6 +20,15 @@

 set -u

+the_key="$(cat "$__object/parameter/key")"
+# validate key
+validated_key="$(echo "${the_key}" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')"
+if [ -z "${validated_key}" ]
+then
+    echo "Key is invalid: \"${the_key}\"" >&2
+    exit 1
+fi
+
 remove_line() {
   file="$1"
   line="$2"
@ -55,11 +64,11 @@ mkdir "$__object/files"
   fi
   if [ -f "$__object/parameter/comment" ]; then
      # extract the keytype and base64 encoded key ignoring any options and comment
-      printf '%s ' "$(cat "$__object/parameter/key" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')"
+      printf '%s ' "$(echo "${the_key}" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')"
      # override the comment with the one explicitly given
      printf '%s' "$(cat "$__object/parameter/comment")"
   else
-      printf '%s' "$(cat "$__object/parameter/key")"
+      printf '%s' "${the_key}"
   fi
   printf '\n'
 ) > "$__object/files/should"
--- a/docs/changelog
+++ b/docs/changelog
@ -18,6 +18,7 @@ next:
 	* Type __install_stage: Fix __debug -> __cdist_log_level (Darko Poljak)
 	* Documentation: Document __cdist_log_level (Darko Poljak)
 	* Core: Log ERROR to stderr and rest to stdout (Darko Poljak, Steven Armstrong)
+	* Type __ssh_authorized_key: Bugfix the case where invalid key clears a file and add key validation (Darko Poljak)

 4.6.1: 2017-08-30
 	* Type __user: Explore with /etc files (passwd, group, shadow) (Philippe Gregoire)