URL: https://github.com/freeipa/freeipa/pull/5587 Author: antoniotorresm Title: #5587: Allow multiple permitopen/permitlisten entries in SSH keys Action: opened
PR body: """ An SSH key can carry multiple permitopen and permitlisten options. Prior to this change, only one of each could be configured. Fixes: https://pagure.io/freeipa/issue/8423 Signed-off-by: Antonio Torres <antor...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5587/head:pr5587 git checkout pr5587
From 9a39677aed53f855140e0f6ce1253703777243f7 Mon Sep 17 00:00:00 2001 From: Antonio Torres <antor...@redhat.com> Date: Thu, 25 Feb 2021 18:08:53 +0100 Subject: [PATCH 1/2] Allow multiple permitopen/permitlisten in SSH keys SSH keys allow to have multiple entries for the permitopen and permitlisten options. Prior to this change, only one of each could be configured. Fixes: https://pagure.io/freeipa/issue/8423 Signed-off-by: Antonio Torres <antor...@redhat.com> --- ipapython/ssh.py | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/ipapython/ssh.py b/ipapython/ssh.py index 7d52a205b03..6a594b04c84 100644 --- a/ipapython/ssh.py +++ b/ipapython/ssh.py @@ -125,6 +125,9 @@ def _parse_openssh_without_options(self, key): def _parse_openssh_with_options(self, key): key = key.lstrip('\t ') + # Options that allow multiple entries + multiple_allowed = ('permitopen', 'permitlisten') + options = {} while True: match = OPENSSH_OPTIONS_REGEX.match(key) @@ -136,7 +139,13 @@ def _parse_openssh_with_options(self, key): if value: value = value.replace('\\"', '"') - options[name] = value + if name in multiple_allowed: + if name in options: + options[name].append(value) + else: + options[name] = [value] + else: + options[name] = value key = key[len(match.group(0)):] key0, key = key[:1], key[1:] @@ -179,6 +188,10 @@ def openssh(self): value = self._options[name] if value is None: options.append(name) + elif type(value) is list: + for v in value: + v = v.replace('"', '\\"') + options.append(u'%s="%s"' % (name, v)) else: value = value.replace('"', '\\"') options.append(u'%s="%s"' % (name, value)) From 232d8b375b56ca3b91f11827e39ea07398d9775c Mon Sep 17 00:00:00 2001 From: Antonio Torres <antor...@redhat.com> Date: Thu, 25 Feb 2021 18:13:54 +0100 Subject: [PATCH 2/2] ipatests: add test for multiple permitopen entries in SSH keys Add test to ensure that IPA allows to introduce multiple permitopen and permitlisten entries. 
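Review bot: In the `if name in multiple_allowed:` branch of `_parse_openssh_with_options`, a `permitopen` or `permitlisten` written without a value is stored as `[None]`, and the list loop added to `openssh()` in the last hunk then calls `v.replace` on it. The unchanged `if value:` guard just above and the `if value is None:` branch in `openssh()` show that valueless options reach this code, so serializing such a key would presumably raise AttributeError instead of emitting the bare name or rejecting the key. Mirroring the scalar path inside the loop keeps the round trip intact: `options.append(name if v is None else u'%s="%s"' % (name, v.replace('"', '\\"')))`. Both function bodies continue outside their hunks, so whether the caller would rather reject such a key with ValueError needs to be checked there.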
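Review bot: `elif type(value) is list:` in `openssh()` is an exact-type comparison; `elif isinstance(value, list):` is the usual form and also accepts list subclasses. After this change a value in `self._options` can be `None`, a string or a list of strings, which the visible lines state nowhere, so any other reader of `_options` outside these hunks that assumes a string would need the same branch. A comment next to `multiple_allowed` such as `# values for these names are stored as a list, one item per occurrence, in input order` would record that. These options bound the port forwards a key may request, so each reader should handle the full list rather than a single entry.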
Signed-off-by: Antonio Torres <antor...@redhat.com> --- ipatests/test_ipapython/test_ssh.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ipatests/test_ipapython/test_ssh.py b/ipatests/test_ipapython/test_ssh.py index 4aef498a300..fd71f465d33 100644 --- a/ipatests/test_ipapython/test_ssh.py +++ b/ipatests/test_ipapython/test_ssh.py @@ -69,6 +69,8 @@ u'%s this is a comment' % openssh), (u'opt3,opt2="\tx ",opt1,opt2="\\"x " %s comment ' % openssh, u'opt1,opt2="\\"x ",opt3 %s comment' % openssh), + (u'permitopen=\"1.1.1.1:111\",permitopen=\"2.2.2.2:222\" %s' % openssh, + u'permitopen=\"1.1.1.1:111\",permitopen=\"2.2.2.2:222\" %s' % openssh), (u'ssh-rsa\n%s' % b64, ValueError), (u'ssh-rsa\t%s' % b64, ValueError), (u'vanitas %s' % b64, ValueError),
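Review bot: The added case exercises only `permitopen`, although the parser change also lists `permitlisten`, and there is no case for a multi-valued option mixed with other options or written without a value. A second tuple such as `(u'permitlisten="8080",permitlisten="9090" %s' % openssh, u'permitlisten="8080",permitlisten="9090" %s' % openssh),` (constructed values) would cover the other name. The `\"` escapes inside the single-quoted literals are redundant, since `"` needs no escaping there, while the neighbouring case uses `\\"` where a literal backslash is meant. The parametrised list continues outside the hunk.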