Class: Gitlab::SSHPublicKey

Inherits:

Object

• Object
• Gitlab::SSHPublicKey

Includes:

Utils::StrongMemoize

Defined in:

lib/gitlab/ssh_public_key.rb

Direct Known Subclasses

SshHostKey::Fingerprint

Defined Under Namespace

Classes: Technology, WeakKeyWarning

Constant Summary

TECHNOLOGIES =

See man.openbsd.org/sshd#AUTHORIZED_KEYS_FILE_FORMAT for the list of supported algorithms.

Technology.new(:rsa, SSHData::PublicKey::RSA, [1024, 2048, 3072, 4096], %w[ssh-rsa]),
  Technology.new(:dsa, SSHData::PublicKey::DSA, [1024, 2048, 3072], %w[ssh-dss]),
  Technology.new(:ecdsa, SSHData::PublicKey::ECDSA, [256, 384, 521], %w[ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521]),
  Technology.new(:ed25519, SSHData::PublicKey::ED25519, [256], %w[ssh-ed25519]),
  Technology.new(:ecdsa_sk, SSHData::PublicKey::SKECDSA, [256], %w[sk-ecdsa-sha2-nistp256@openssh.com]),
  Technology.new(:ed25519_sk, SSHData::PublicKey::SKED25519, [256], %w[sk-ssh-ed25519@openssh.com])
].freeze

Instance Attribute Summary

• #key ⇒ Object readonly

  Returns the value of attribute key.

• #key_text ⇒ Object readonly

  Returns the value of attribute key_text.

Class Method Summary

• .sanitize(key_content) ⇒ Object
• .supported_algorithms ⇒ Object
• .supported_algorithms_for_name(name) ⇒ Object
• .supported_sizes(name) ⇒ Object
• .supported_types ⇒ Object
• .technologies ⇒ Object
• .technology(name) ⇒ Object
• .technology_for_key(key) ⇒ Object

Instance Method Summary

• #banned? ⇒ Boolean
• #bits ⇒ Object
• #fingerprint ⇒ Object
• #fingerprint_sha256 ⇒ Object
• #initialize(key_text) ⇒ SSHPublicKey constructor

  A new instance of SSHPublicKey.

• #type ⇒ Object
• #valid? ⇒ Boolean
• #weak_key_warning ⇒ Object

Constructor Details

#initialize(key_text) ⇒ SSHPublicKey

Returns a new instance of SSHPublicKey.

# File 'lib/gitlab/ssh_public_key.rb', line 71

def initialize(key_text)
  @key_text = key_text

  # We need to strip options to parse key with options or in known_hosts
  # format. See https://man.openbsd.org/sshd#AUTHORIZED_KEYS_FILE_FORMAT
  # and https://man.openbsd.org/sshd#SSH_KNOWN_HOSTS_FILE_FORMAT
  key_text_without_options = @key_text.to_s.match(/(\A|\s)(#{self.class.supported_algorithms.join('|')}).*/).to_s

  @key =
    begin
      SSHData::PublicKey.parse_openssh(key_text_without_options)
    rescue SSHData::DecodeError
    end
end

Instance Attribute Details

#key ⇒ Object (readonly)

Returns the value of attribute key.

# File 'lib/gitlab/ssh_public_key.rb', line 69

def key
  @key
end

#key_text ⇒ Object (readonly)

Returns the value of attribute key_text.

# File 'lib/gitlab/ssh_public_key.rb', line 69

def key_text
  @key_text
end

Class Method Details

.sanitize(key_content) ⇒ Object

# File 'lib/gitlab/ssh_public_key.rb', line 53

def self.sanitize(key_content)
  ssh_type, *parts = key_content.strip.split

  return key_content if parts.empty?

  parts.each_with_object("#{ssh_type} ").with_index do |(part, content), index|
    content << part

    if self.new(content).valid?
      break [content, parts[index + 1]].compact.join(' ') # Add the comment part if present
    elsif parts.size == index + 1 # return original content if we've reached the last element
      break key_content
    end
  end
end

.supported_algorithms ⇒ Object

# File 'lib/gitlab/ssh_public_key.rb', line 45

def self.supported_algorithms
  technologies.flat_map { |tech| tech.supported_algorithms }
end

.supported_algorithms_for_name(name) ⇒ Object

# File 'lib/gitlab/ssh_public_key.rb', line 49

def self.supported_algorithms_for_name(name)
  technology(name).supported_algorithms
end

.supported_sizes(name) ⇒ Object

# File 'lib/gitlab/ssh_public_key.rb', line 41

def self.supported_sizes(name)
  technology(name).supported_sizes
end

.supported_types ⇒ Object

# File 'lib/gitlab/ssh_public_key.rb', line 37

def self.supported_types
  technologies.map(&:name)
end

.technologies ⇒ Object

# File 'lib/gitlab/ssh_public_key.rb', line 21

def self.technologies
  if Gitlab::FIPS.enabled?
    Gitlab::FIPS::SSH_KEY_TECHNOLOGIES
  else
    TECHNOLOGIES
  end
end

.technology(name) ⇒ Object

# File 'lib/gitlab/ssh_public_key.rb', line 29

def self.technology(name)
  technologies.find { |tech| tech.name.to_s == name.to_s }
end

.technology_for_key(key) ⇒ Object

# File 'lib/gitlab/ssh_public_key.rb', line 33

def self.technology_for_key(key)
  technologies.find { |tech| key.instance_of?(tech.key_class) }
end

Instance Method Details

#banned? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/gitlab/ssh_public_key.rb', line 121

def banned?
  return false unless valid?

  banned_ssh_keys.fetch(type.to_s, []).include?(fingerprint_sha256)
end

#bits ⇒ Object

# File 'lib/gitlab/ssh_public_key.rb', line 102

def bits
  return unless valid?

  case type
  when :rsa
    key.n.num_bits
  when :dsa
    key.p.num_bits
  when :ecdsa
    key.openssl.group.order.num_bits
  when :ed25519
    256
  when :ecdsa_sk
    256
  when :ed25519_sk
    256
  end
end

#fingerprint ⇒ Object

# File 'lib/gitlab/ssh_public_key.rb', line 94

def fingerprint
  key.fingerprint(md5: true) if valid?
end

#fingerprint_sha256 ⇒ Object

# File 'lib/gitlab/ssh_public_key.rb', line 98

def fingerprint_sha256
  'SHA256:' + key.fingerprint(md5: false) if valid?
end

#type ⇒ Object

# File 'lib/gitlab/ssh_public_key.rb', line 90

def type
  technology.name if valid?
end

#valid? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/gitlab/ssh_public_key.rb', line 86

def valid?
  key.present?
end

#weak_key_warning ⇒ Object

# File 'lib/gitlab/ssh_public_key.rb', line 127

def weak_key_warning
  return unless valid?

  if type == :dsa
    WeakKeyWarning.new(:dsa_deprecated, _('DSA keys are considered deprecated.'))
  elsif type == :rsa && bits < 2048
    WeakKeyWarning.new(:small_key, _('Key length should be at least 2048 bits.'))
  end
end