jenkins-bot has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/373720 )
Change subject: Handle invalid ssh keys in LDAP
......................................................................
Handle invalid ssh keys in LDAP
Deal gracefully with invalid ssh keys that have been allowed into the
LDAP directory. Prior to this fix any invalid key encountered would
cause a fatal error when displaying the ssh-key management screen.
Bug: T174112
Change-Id: I4722104bca30b097060a737dad58c1aa3fb03387
---
M striker/profile/forms.py
M striker/profile/utils.py
M striker/profile/views.py
3 files changed, 50 insertions(+), 9 deletions(-)
Approvals:
BryanDavis: Looks good to me, approved
jenkins-bot: Verified
diff --git a/striker/profile/forms.py b/striker/profile/forms.py
index 6a878a7..9356623 100644
--- a/striker/profile/forms.py
+++ b/striker/profile/forms.py
@@ -28,7 +28,7 @@
class SshKeyDeleteForm(forms.Form):
key_hash = forms.CharField(
- label=_('SHA512 hash of ssh key'),
+ label=_('SHA256 hash of ssh key'),
widget=forms.HiddenInput(),
required=True,
)
diff --git a/striker/profile/utils.py b/striker/profile/utils.py
index 4548f8a..eb670d3 100644
--- a/striker/profile/utils.py
+++ b/striker/profile/utils.py
@@ -18,7 +18,10 @@
# You should have received a copy of the GNU General Public License
# along with Striker. If not, see <http://www.gnu.org/licenses/>.
+import base64
+import hashlib
import logging
+
import sshpubkeys
@@ -54,8 +57,19 @@
return key
+def invalid_key_hash(key):
+ """Generate a hash for an invalid ssh public key."""
+ return 'INVALID:{}'.format(base64.b85encode(
+ hashlib.sha256(key.encode('utf-8')).digest()).decode('utf-8'))
+
+
def ssh_keys_by_hash(user):
- return {
- parse_ssh_key(key).hash_sha256(): key
- for key in user.ldapuser.ssh_keys
- }
+ ret = {}
+ for key in user.ldapuser.ssh_keys:
+ pkey = parse_ssh_key(key)
+ if pkey:
+ ret[pkey.hash_sha256()] = key
+ else:
+ # T174112: handle invalid keys
+ ret[invalid_key_hash(key)] = key
+ return ret
diff --git a/striker/profile/views.py b/striker/profile/views.py
index 93bb5ed..6e67e52 100644
--- a/striker/profile/views.py
+++ b/striker/profile/views.py
@@ -28,6 +28,7 @@
from django.db.utils import DatabaseError
from django.views.decorators.debug import sensitive_post_parameters
from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import ungettext
import ldap
@@ -83,12 +84,38 @@
def ssh_keys(req):
ldapuser = req.user.ldapuser
ctx = {
- 'ssh_keys': [utils.parse_ssh_key(key) for key in ldapuser.ssh_keys],
+ 'ssh_keys': [],
'new_key': forms.SshKeyForm(),
}
- for key in ctx['ssh_keys']:
- key.form = forms.SshKeyDeleteForm(
- initial={'key_hash': key.hash_sha256()})
+ invalids = 0
+ for key in ldapuser.ssh_keys:
+ pkey = utils.parse_ssh_key(key)
+ if pkey:
+ pkey.form = forms.SshKeyDeleteForm(
+ initial={'key_hash': pkey.hash_sha256()})
+ else:
+ # T174112: handle invalid keys
+ invalids += 1
+ khash = utils.invalid_key_hash(key)
+ pkey = {
+ 'comment': _('Invalid key'),
+ 'bits': _('0'),
+ 'type_name': _('UNKNOWN'),
+ 'hash_md5': khash,
+ 'hash_sha256': '',
+ 'keydata': key,
+ 'form': forms.SshKeyDeleteForm(initial={'key_hash': khash}),
+ }
+ ctx['ssh_keys'].append(pkey)
+ if invalids:
+ messages.error(
+ req,
+ ungettext(
+ "Invalid ssh key detected.",
+ "{count} invalid ssh keys detected.",
+ invalids
+ ).format(count=invalids)
+ )
return shortcuts.render(req, 'profile/settings/ssh-keys.html', ctx)
--
To view, visit https://gerrit.wikimedia.org/r/373720
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I4722104bca30b097060a737dad58c1aa3fb03387
Gerrit-PatchSet: 1
Gerrit-Project: labs/striker
Gerrit-Branch: master
Gerrit-Owner: BryanDavis <bda...@wikimedia.org>
Gerrit-Reviewer: BryanDavis <bda...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
