Changeset - 08af13a090e0
Parent rev.
Child rev.
[Not reviewed]
default
0 1 0
Mads Kiilerich - 6 years ago 2020-01-25 19:53:56
mads@kiilerich.com
Grafted from: 68f0e1307d6d
py3: update ssh for base64.b64decode raising binascii.Error instead of TypeError

A command like:
python -c 'import base64; base64.b64decode("QQ")'
would fail in Python2 with:
TypeError: Incorrect padding
but in python3:
binascii.Error: Incorrect padding
1 file changed with 1 insertions and 1 deletions:
kallithea/lib/ssh.py
1
1
0 comments (0 inline, 0 general)
kallithea/lib/ssh.py
Show inline comments
 
@@ -42,95 +42,95 @@ def parse_pub_key(ssh_key):
 

			




	
	
	
		
 
    >>> getfixture('doctest_mock_ugettext')

			




	
	
	
		
 
    >>> parse_pub_key('')

			




	
	
	
		
 
    Traceback (most recent call last):

			




	
	
	
		
 
    ...

			




	
	
	
		
 
    SshKeyParseError: SSH key is missing

			




	
	
	
		
 
    >>> parse_pub_key('''AAAAB3NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ''')

			




	
	
	
		
 
    Traceback (most recent call last):

			




	
	
	
		
 
    ...

			




	
	
	
		
 
    SshKeyParseError: Incorrect SSH key - it must have both a key type and a base64 part, like 'ssh-rsa ASRNeaZu4FA...xlJp='

			




	
	
	
		
 
    >>> parse_pub_key('''abc AAAAB3NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ''')

			




	
	
	
		
 
    Traceback (most recent call last):

			




	
	
	
		
 
    ...

			




	
	
	
		
 
    SshKeyParseError: Incorrect SSH key - it must start with 'ssh-(rsa|dss|ed25519)'

			




	
	
	
		
 
    >>> parse_pub_key('''ssh-rsa  AAAAB3NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ''')

			




	
	
	
		
 
    Traceback (most recent call last):

			




	
	
	
		
 
    ...

			




	
	
	
		
 
    SshKeyParseError: Incorrect SSH key - failed to decode base64 part 'AAAAB3NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ'

			




	
	
	
		
 
    >>> parse_pub_key('''ssh-rsa  AAAAB2NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ==''')

			




	
	
	
		
 
    Traceback (most recent call last):

			




	
	
	
		
 
    ...

			




	
	
	
		
 
    SshKeyParseError: Incorrect SSH key - base64 part is not 'ssh-rsa' as claimed but 'csh-rsa'

			




	
	
	
		
 
    >>> parse_pub_key('''ssh-rsa  AAAAB3NzaC1yc2EAAAA'LVGhpcyBpcyBmYWtlIQ''')

			




	
	
	
		
 
    Traceback (most recent call last):

			




	
	
	
		
 
    ...

			




	
	
	
		
 
    SshKeyParseError: Incorrect SSH key - unexpected characters in base64 part "AAAAB3NzaC1yc2EAAAA'LVGhpcyBpcyBmYWtlIQ"

			




	
	
	
		
 
    >>> parse_pub_key(''' ssh-rsa  AAAAB3NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ== and a comment

			




	
	
	
		
 
    ... ''')

			




	
	
	
		
 
    ('ssh-rsa', '\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x0bThis is fake!', 'and a comment\n')

			




	
	
	
		
 
    >>> parse_pub_key('''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1NA2kBQIKe74afUXmIWD9ByDYQJqUwW44Y4gJOBRuo''')

			




	
	
	
		
 
    ('ssh-ed25519', '\x00\x00\x00\x0bssh-ed25519\x00\x00\x00 \xfdM\x03i\x01@\x82\x9e\xef\x86\x9fQy\x88X?A\xc86\x10&\xa50[\x8e\x18\xe2\x02N\x05\x1b\xa8', '')

			




	
	
	
		
 
    """

			




	
	
	
		
 
    if not ssh_key:

			




	
	
	
		
 
        raise SshKeyParseError(_("SSH key is missing"))

			




	
	
	
		
 

			




	
	
	
		
 
    parts = ssh_key.split(None, 2)

			




	
	
	
		
 
    if len(parts) < 2:

			




	
	
	
		
 
        raise SshKeyParseError(_("Incorrect SSH key - it must have both a key type and a base64 part, like 'ssh-rsa ASRNeaZu4FA...xlJp='"))

			




	
	
	
		
 

			




	
	
	
		
 
    keytype, keyvalue, comment = (parts + [''])[:3]

			




	
	
	
		
 
    if keytype not in ('ssh-rsa', 'ssh-dss', 'ssh-ed25519'):

			




	
	
	
		
 
        raise SshKeyParseError(_("Incorrect SSH key - it must start with 'ssh-(rsa|dss|ed25519)'"))

			




	
	
	
		
 

			




	
	
	
		
 
    if re.search(r'[^a-zA-Z0-9+/=]', keyvalue):

			




	
	
	
		
 
        raise SshKeyParseError(_("Incorrect SSH key - unexpected characters in base64 part %r") % keyvalue)

			




	
	
	
		
 

			




	
	
	
		
 
    try:

			




	
	
	
		
 
        key_bytes = base64.b64decode(keyvalue)

			




	
	
	
		
 
    except TypeError:

			




	
	
	
		
 
    except base64.binascii.Error:

			




	
	
	
		
 
        raise SshKeyParseError(_("Incorrect SSH key - failed to decode base64 part %r") % keyvalue)

			




	
	
	
		
 

			




	
	
	
		
 
    if not key_bytes.startswith(b'\x00\x00\x00%c%s\x00' % (len(keytype), ascii_bytes(keytype))):

			




	
	
	
		
 
        raise SshKeyParseError(_("Incorrect SSH key - base64 part is not %r as claimed but %r") % (keytype, ascii_str(key_bytes[4:].split(b'\0', 1)[0])))

			




	
	
	
		
 

			




	
	
	
		
 
    return keytype, key_bytes, comment

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
SSH_OPTIONS = 'no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding'

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def _safe_check(s, rec = re.compile('^[a-zA-Z0-9+/]+={0,2}$')):

			




	
	
	
		
 
    """Return true if s really has the right content for base64 encoding and only contains safe characters

			




	
	
	
		
 
    >>> _safe_check('asdf')

			




	
	
	
		
 
    True

			




	
	
	
		
 
    >>> _safe_check('as df')

			




	
	
	
		
 
    False

			




	
	
	
		
 
    >>> _safe_check('AAAAB3NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ==')

			




	
	
	
		
 
    True

			




	
	
	
		
 
    """

			




	
	
	
		
 
    return rec.match(s) is not None

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def authorized_keys_line(kallithea_cli_path, config_file, key):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Return a line as it would appear in .authorized_keys

			




	
	
	
		
 

			




	
	
	
		
 
    >>> from kallithea.model.db import UserSshKeys, User

			




	
	
	
		
 
    >>> user = User(user_id=7, username='uu')

			




	
	
	
		
 
    >>> key = UserSshKeys(user_ssh_key_id=17, user=user, description='test key')

			




	
	
	
		
 
    >>> key.public_key='''ssh-rsa  AAAAB3NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ== and a comment'''

			




	
	
	
		
 
    >>> authorized_keys_line('/srv/kallithea/venv/bin/kallithea-cli', '/srv/kallithea/my.ini', key)

			




	
	
	
		
 
    'no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/srv/kallithea/venv/bin/kallithea-cli ssh-serve -c /srv/kallithea/my.ini 7 17" ssh-rsa AAAAB3NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ==\\n'

			




	
	
	
		
 
    """

			




	
	
	
		
 
    try:

			




	
	
	
		
 
        keytype, key_bytes, comment = parse_pub_key(key.public_key)

			




	
	
	
		
 
    except SshKeyParseError:

			




	
	
	
		
 
        return '# Invalid Kallithea SSH key: %s %s\n' % (key.user.user_id, key.user_ssh_key_id)

			




	
	
	
		
 
    base64_key = ascii_str(base64.b64encode(key_bytes))

			




	
	
	
		
 
    assert '\n' not in base64_key

			




	
	
	
		
 
    if not _safe_check(base64_key):

			




	
	
	
		
 
        return '# Invalid Kallithea SSH key - bad base64 encoding: %s %s\n' % (key.user.user_id, key.user_ssh_key_id)

			




	
	
	
		
 
    return '%s,command="%s ssh-serve -c %s %s %s" %s %s\n' % (

			




	
	
	
		
 
        SSH_OPTIONS, kallithea_cli_path, config_file,

			




	
	
	
		
 
        key.user.user_id, key.user_ssh_key_id,

			




	
	
	
		
 
        keytype, base64_key)

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.