1
0
mirror of https://github.com/openSUSE/osc.git synced 2025-02-14 14:27:16 +01:00

Use ssh key from ssh agent that contains comment 'obs=<apiurl-hostname>'

This commit is contained in:
Daniel Mach 2024-04-19 11:06:39 +02:00
parent 2cd69aa400
commit 57311a5664
2 changed files with 27 additions and 0 deletions

View File

@ -303,10 +303,19 @@ class HostOptions(OscOptions):
"""
A pointer to public SSH key that corresponds with a private SSH used for authentication:
- keep empty for auto detection
- path to the public SSH key
- public SSH key filename (must be placed in ~/.ssh)
NOTE: The private key may not be available on disk because it could be in a GPG keyring, on YubiKey or forwarded through SSH agent.
TIP: To give osc a hint which ssh key from the agent to use during auto detection,
append ``obs=<apiurl-hostname>`` to the **private** key's comment.
This will also work nicely during SSH agent forwarding, because the comments get forwarded too.
- To edit the key, run: ``ssh-keygen -c -f ~/.ssh/<private-key>``
- To query the key, run: ``ssh-keygen -y -f ~/.ssh/<private-key>``
- Example comment: ``<username@host> obs=api.example.com obs=api-test.example.com``
"""
),
) # type: ignore[assignment]

View File

@ -573,6 +573,7 @@ class SignatureAuthHandler(AuthHandlerBase):
if "/" not in self.sshkey:
self.sshkey = os.path.join("~", ".ssh", self.sshkey)
self.sshkey = os.path.expanduser(self.sshkey)
output.print_msg(f"Using ssh key file configured in oscrc: {self.sshkey}", print_to="debug")
self.ssh_keygen_path = shutil.which("ssh-keygen")
self.ssh_add_path = shutil.which("ssh-add")
@ -602,6 +603,21 @@ class SignatureAuthHandler(AuthHandlerBase):
# that's why we need to list ssh-agent's keys and store the first one into a temp file
keys_in_agent = self.list_ssh_agent_keys()
if keys_in_agent:
selected_key = None
apiurl_hostname = urllib.parse.urlparse(self.apiurl).hostname
for key in keys_in_agent:
comments = key.strip().split(" ")[2:]
pattern = f"obs={apiurl_hostname}"
if pattern in comments:
selected_key = key
output.print_msg(f"Using ssh key from ssh agent that has comment '{pattern}' which matches apiurl '{self.apiurl}': {selected_key}", print_to="debug")
break
if selected_key is None:
selected_key = keys_in_agent[0]
output.print_msg(f"Using the first ssh key from ssh agent (see `ssh-add -L`): {selected_key}", print_to="debug")
self.temp_pubkey = tempfile.NamedTemporaryFile(mode="w+")
self.temp_pubkey.write(keys_in_agent[0])
self.temp_pubkey.flush()
@ -609,9 +625,11 @@ class SignatureAuthHandler(AuthHandlerBase):
sshdir = os.path.expanduser('~/.ssh')
keyfiles = ('id_ed25519', 'id_ed25519_sk', 'id_rsa', 'id_ecdsa', 'id_ecdsa_sk', 'id_dsa')
output.print_msg(f"Searching ssh keys in '{sshdir}' in the following order: {', '.join(keyfiles)}", print_to="debug")
for keyfile in keyfiles:
keyfile_path = os.path.join(sshdir, keyfile)
if os.path.isfile(keyfile_path):
output.print_msg(f"Using ssh key from file: {keyfile_path}", print_to="debug")
return keyfile_path
return None