From 8883196efbd5ffb7c021ca0ffed720a06cb9c876 Mon Sep 17 00:00:00 2001 From: Darko Poljak Date: Sun, 17 Sep 2017 08:13:05 +0200 Subject: [PATCH] Bugfix for: __ssh_authorized_keys overwrites existing keys #577 (#579) * Fix a bug where invalid key removes all file entries. * __ssh_authorized_key: add key validation. --- cdist/conf/type/__ssh_authorized_key/explorer/entry | 11 ++++++++--- cdist/conf/type/__ssh_authorized_key/gencode-remote | 13 +++++++++++-- docs/changelog | 1 + 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/cdist/conf/type/__ssh_authorized_key/explorer/entry b/cdist/conf/type/__ssh_authorized_key/explorer/entry index 40ee0cb9..1535d348 100755 --- a/cdist/conf/type/__ssh_authorized_key/explorer/entry +++ b/cdist/conf/type/__ssh_authorized_key/explorer/entry @@ -20,7 +20,12 @@ # extract the keytype and base64 encoded key ignoring any options and comment type_and_key="$(cat "$__object/parameter/key" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')" -file="$(cat $__object/parameter/file)" +# If type_and_key is empty, which is the case with an invalid key, do not grep $file because it results +# in greping everything in file and all entries from file are removed. +if [ -n "${type_and_key}" ] +then + file="$(cat $__object/parameter/file)" -# get any entries that match the type and key -grep ".*$type_and_key\([ \n]\|$\)" "$file" || true + # get any entries that match the type and key + grep ".*$type_and_key\([ \n]\|$\)" "$file" || true +fi diff --git a/cdist/conf/type/__ssh_authorized_key/gencode-remote b/cdist/conf/type/__ssh_authorized_key/gencode-remote index ae53c2fe..0ce41ea6 100755 --- a/cdist/conf/type/__ssh_authorized_key/gencode-remote +++ b/cdist/conf/type/__ssh_authorized_key/gencode-remote @@ -20,6 +20,15 @@ set -u +the_key="$(cat "$__object/parameter/key")" +# validate key +validated_key="$(echo "${the_key}" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')" +if [ -z "${validated_key}" ] +then + echo "Key is invalid: \"${the_key}\"" >&2 + exit 1 +fi + remove_line() { file="$1" line="$2" @@ -55,11 +64,11 @@ mkdir "$__object/files" fi if [ -f "$__object/parameter/comment" ]; then # extract the keytype and base64 encoded key ignoring any options and comment - printf '%s ' "$(cat "$__object/parameter/key" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')" + printf '%s ' "$(echo "${the_key}" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')" # override the comment with the one explicitly given printf '%s' "$(cat "$__object/parameter/comment")" else - printf '%s' "$(cat "$__object/parameter/key")" + printf '%s' "${the_key}" fi printf '\n' ) > "$__object/files/should" diff --git a/docs/changelog b/docs/changelog index 1df6af21..6d193c67 100644 --- a/docs/changelog +++ b/docs/changelog @@ -18,6 +18,7 @@ next: * Type __install_stage: Fix __debug -> __cdist_log_level (Darko Poljak) * Documentation: Document __cdist_log_level (Darko Poljak) * Core: Log ERROR to stderr and rest to stdout (Darko Poljak, Steven Armstrong) + * Type __ssh_authorized_key: Bugfix the case where invalid key clears a file and add key validation (Darko Poljak) 4.6.1: 2017-08-30 * Type __user: Explore with /etc files (passwd, group, shadow) (Philippe Gregoire)