From 4e3e62923b84a3101c215b7b32f0016a2f75554c Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Fri, 6 May 2022 17:58:09 +0100 Subject: [PATCH 1/2] git: Add git.HostKeyAlgos Enables the setting of HostKey algorithms to be used from a client perspective. This implementation supports go-git and libgit2 when in ManagedTransport. Signed-off-by: Paulo Gomes --- pkg/git/gogit/transport.go | 4 ++++ pkg/git/libgit2/managed/ssh.go | 3 +++ pkg/git/options.go | 7 ++++++- 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/pkg/git/gogit/transport.go b/pkg/git/gogit/transport.go index 6be46b0cc..977e8f7fd 100644 --- a/pkg/git/gogit/transport.go +++ b/pkg/git/gogit/transport.go @@ -103,5 +103,9 @@ func (a *CustomPublicKeys) ClientConfig() (*gossh.ClientConfig, error) { if len(git.KexAlgos) > 0 { config.Config.KeyExchanges = git.KexAlgos } + if len(git.HostKeyAlgos) > 0 { + config.HostKeyAlgorithms = git.HostKeyAlgos + } + return config, nil } diff --git a/pkg/git/libgit2/managed/ssh.go b/pkg/git/libgit2/managed/ssh.go index a36ac1660..d506ee420 100644 --- a/pkg/git/libgit2/managed/ssh.go +++ b/pkg/git/libgit2/managed/ssh.go @@ -421,6 +421,9 @@ func cacheKeyAndConfig(remoteAddress string, cred *git2go.Credential) (string, * if len(git.KexAlgos) > 0 { cfg.Config.KeyExchanges = git.KexAlgos } + if len(git.HostKeyAlgos) > 0 { + cfg.HostKeyAlgorithms = git.HostKeyAlgos + } return ck, cfg, nil } diff --git a/pkg/git/options.go b/pkg/git/options.go index 3d8a92611..71ecbe98f 100644 --- a/pkg/git/options.go +++ b/pkg/git/options.go @@ -70,9 +70,14 @@ type AuthOptions struct { CAFile []byte } -// List of custom key exchange algorithms to be used for ssh connections. +// KexAlgos hosts the key exchange algorithms to be used for ssh connections. +// If empty, golang's default is used instead. var KexAlgos []string +// HostKeyAlgos holds the HostKey algorithms that the ssh client will advertise +// to the server. If empty, golang's default is used instead. +var HostKeyAlgos []string + // Validate the AuthOptions against the defined Transport. func (o AuthOptions) Validate() error { switch o.Transport { From 2b59150fbe1398003c4fb4a68fb0bd67a7c7a12b Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Mon, 9 May 2022 13:31:54 +0100 Subject: [PATCH 2/2] tests: algorithms test coverage for go-git and libgit2 Assures support for: - Authentication Key Types - rsa - ecdsa P256 - ecdsa P384 - ecdsa P521 - ed25519 - Key Exchange Algoritms: - diffie-hellman-group14-sha1 - diffie-hellman-group14-sha256 - curve25519-sha256 - ecdh-sha2-nistp256 - ecdh-sha2-nistp384 - ecdh-sha2-nistp521 - curve25519-sha256@libssh.org - HostKey Algoritms: - ssh-rsa - rsa-sha2-256 - rsa-sha2-512 - ecdsa-sha2-nistp256 - ecdsa-sha2-nistp384 - ecdsa-sha2-nistp521 - ssh-ed25519 Signed-off-by: Paulo Gomes --- controllers/gitrepository_controller_test.go | 2 +- go.mod | 14 +- go.sum | 28 +- pkg/git/gogit/checkout_test.go | 367 +++++++++++++++- pkg/git/libgit2/checkout_test.go | 6 +- pkg/git/libgit2/managed/managed_test.go | 2 +- pkg/git/libgit2/managed_test.go | 401 ++++++++++++++++++ pkg/git/options.go | 8 +- pkg/git/strategy/strategy_test.go | 2 +- .../{libgit2 => }/testdata/git/repo/foo.txt | 0 10 files changed, 798 insertions(+), 32 deletions(-) create mode 100644 pkg/git/libgit2/managed_test.go rename pkg/git/{libgit2 => }/testdata/git/repo/foo.txt (100%) diff --git a/controllers/gitrepository_controller_test.go b/controllers/gitrepository_controller_test.go index 1ab7d4aa3..92461a039 100644 --- a/controllers/gitrepository_controller_test.go +++ b/controllers/gitrepository_controller_test.go @@ -478,7 +478,7 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) { u, err := url.Parse(obj.Spec.URL) g.Expect(err).NotTo(HaveOccurred()) g.Expect(u.Host).ToNot(BeEmpty()) - knownHosts, err := ssh.ScanHostKey(u.Host, timeout) + knownHosts, err := ssh.ScanHostKey(u.Host, timeout, git.HostKeyAlgos) g.Expect(err).NotTo(HaveOccurred()) secret.Data["known_hosts"] = knownHosts } diff --git a/go.mod b/go.mod index 0f4c1e30f..b67a8db15 100644 --- a/go.mod +++ b/go.mod @@ -19,13 +19,14 @@ require ( github.com/darkowlzz/controller-check v0.0.0-20220325122359-11f5827b7981 github.com/docker/go-units v0.4.0 github.com/elazarl/goproxy v0.0.0-20220417044921-416226498f94 + github.com/fluxcd/gitkit v0.5.0 github.com/fluxcd/pkg/apis/meta v0.13.0 - github.com/fluxcd/pkg/gittestserver v0.5.2 + github.com/fluxcd/pkg/gittestserver v0.5.3 github.com/fluxcd/pkg/gitutil v0.1.0 github.com/fluxcd/pkg/helmtestserver v0.7.2 github.com/fluxcd/pkg/lockedfile v0.1.0 github.com/fluxcd/pkg/runtime v0.14.2 - github.com/fluxcd/pkg/ssh v0.3.2 + github.com/fluxcd/pkg/ssh v0.3.3 github.com/fluxcd/pkg/testserver v0.2.0 github.com/fluxcd/pkg/untar v0.1.0 github.com/fluxcd/pkg/version v0.1.0 @@ -104,7 +105,7 @@ require ( github.com/docker/go-metrics v0.0.1 // indirect github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect github.com/dustin/go-humanize v1.0.0 // indirect - github.com/emirpasic/gods v1.12.0 // indirect + github.com/emirpasic/gods v1.18.1 // indirect github.com/evanphx/json-patch v5.6.0+incompatible // indirect github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect github.com/fatih/color v1.13.0 // indirect @@ -142,7 +143,7 @@ require ( github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect - github.com/kevinburke/ssh_config v1.1.0 // indirect + github.com/kevinburke/ssh_config v1.2.0 // indirect github.com/klauspost/compress v1.13.6 // indirect github.com/klauspost/cpuid v1.3.1 // indirect github.com/kylelemons/godebug v1.1.0 // indirect @@ -183,7 +184,6 @@ require ( github.com/sergi/go-diff v1.2.0 // indirect github.com/shopspring/decimal v1.2.0 // indirect github.com/sirupsen/logrus v1.8.1 // indirect - github.com/sosedoff/gitkit v0.3.0 // indirect github.com/spf13/cast v1.4.1 // indirect github.com/spf13/cobra v1.3.0 // indirect github.com/stretchr/testify v1.7.1 // indirect @@ -200,9 +200,9 @@ require ( go.uber.org/atomic v1.7.0 // indirect go.uber.org/multierr v1.6.0 // indirect go.uber.org/zap v1.21.0 // indirect - golang.org/x/net v0.0.0-20220412020605-290c469a71a5 // indirect + golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4 // indirect golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect - golang.org/x/sys v0.0.0-20220412211240-33da011f77ad // indirect + golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6 // indirect golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect golang.org/x/text v0.3.7 // indirect golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect diff --git a/go.sum b/go.sum index 889189573..7087904f4 100644 --- a/go.sum +++ b/go.sum @@ -320,8 +320,9 @@ github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2 h1:dWB6v3RcOy0 github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg= github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o= +github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= +github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= @@ -347,13 +348,15 @@ github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ= github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/fluxcd/gitkit v0.5.0 h1:kNSJnWZw3W8f83U5K2nsTEHfosnZ9FU2MipfnK0XfEQ= +github.com/fluxcd/gitkit v0.5.0/go.mod h1:svOHuKi0fO9HoawdK4HfHAJJseZDHHjk7I3ihnCIqNo= github.com/fluxcd/pkg/apis/acl v0.0.3 h1:Lw0ZHdpnO4G7Zy9KjrzwwBmDZQuy4qEjaU/RvA6k1lc= github.com/fluxcd/pkg/apis/acl v0.0.3/go.mod h1:XPts6lRJ9C9fIF9xVWofmQwftvhY25n1ps7W9xw0XLU= github.com/fluxcd/pkg/apis/meta v0.11.0-rc.3/go.mod h1:ki5wJE4nuFOZt78q0RSYkrKwINgIBPynuswZhnTOSoI= github.com/fluxcd/pkg/apis/meta v0.13.0 h1:0QuNKEExSjk+Rv0I6a85p2H3xOlWhdxZRsh10waEL/c= github.com/fluxcd/pkg/apis/meta v0.13.0/go.mod h1:Z26X5uTU5LxAyWETGueRQY7TvdPaGfKU7Wye9bdUlho= -github.com/fluxcd/pkg/gittestserver v0.5.2 h1:Tt2g1C2b3DB4OM7ZX9hsj6scPdpnkl0xjH85ZkNvIzA= -github.com/fluxcd/pkg/gittestserver v0.5.2/go.mod h1:QNv2arrHGReWIev8rp3Stg1JMq+xqT/lomSFZ2KfMBI= +github.com/fluxcd/pkg/gittestserver v0.5.3 h1:2Q2+WqEDPw4lsAzby7xu8hchqpw0WmEAfjWcvCO7CnM= +github.com/fluxcd/pkg/gittestserver v0.5.3/go.mod h1:s1eTVI7IdS5fSjyrJmvAI5rWR3FXclfFJ1q9vXBvhc4= github.com/fluxcd/pkg/gitutil v0.1.0 h1:VO3kJY/CKOCO4ysDNqfdpTg04icAKBOSb3lbR5uE/IE= github.com/fluxcd/pkg/gitutil v0.1.0/go.mod h1:Ybz50Ck5gkcnvF0TagaMwtlRy3X3wXuiri1HVsK5id4= github.com/fluxcd/pkg/helmtestserver v0.7.2 h1:5BBXlZk/EJKRDWmFRj2IQPy6o+9wH7cUfYUQmrNQU0U= @@ -363,8 +366,8 @@ github.com/fluxcd/pkg/lockedfile v0.1.0/go.mod h1:EJLan8t9MiOcgTs8+puDjbE6I/KAfH github.com/fluxcd/pkg/runtime v0.13.0-rc.6/go.mod h1:4oKUO19TeudXrnCRnxCfMSS7EQTYpYlgfXwlQuDJ/Eg= github.com/fluxcd/pkg/runtime v0.14.2 h1:ktyUjcX4pHoC8DRoBmhEP6eMHbmR6+/MYoARe4YulZY= github.com/fluxcd/pkg/runtime v0.14.2/go.mod h1:NZr3PRK7xX2M1bl0LdtugvQyWkOmu2NcW3NrZH6U0is= -github.com/fluxcd/pkg/ssh v0.3.2 h1:HZlDF6Qu4yplsU4Tisv6hxsRIbIOwwr7rKus8/Q/Dn0= -github.com/fluxcd/pkg/ssh v0.3.2/go.mod h1:OVnuv9y2WCx7AoOIid0sxqe9lLKKfDS4PMl+4ta5DIo= +github.com/fluxcd/pkg/ssh v0.3.3 h1:/tc7W7LO1VoVUI5jB+p9ZHCA+iQaXTkaSCDZJsxcZ9k= +github.com/fluxcd/pkg/ssh v0.3.3/go.mod h1:+bKhuv0/pJy3HZwkK54Shz68sNv1uf5aI6wtPaEHaYk= github.com/fluxcd/pkg/testserver v0.2.0 h1:Mj0TapmKaywI6Fi5wvt1LAZpakUHmtzWQpJNKQ0Krt4= github.com/fluxcd/pkg/testserver v0.2.0/go.mod h1:bgjjydkXsZTeFzjz9Cr4heGANr41uTB1Aj1Q5qzuYVk= github.com/fluxcd/pkg/untar v0.1.0 h1:k97V/xV5hFrAkIkVPuv5AVhyxh1ZzzAKba/lbDfGo6o= @@ -680,8 +683,8 @@ github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0/go.mod h1:1NbS8ALr github.com/karrick/godirwalk v1.15.8 h1:7+rWAZPn9zuRxaIqqT8Ohs2Q2Ac0msBqwRdxNCr2VVs= github.com/karrick/godirwalk v1.15.8/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= -github.com/kevinburke/ssh_config v1.1.0 h1:pH/t1WS9NzT8go394IqZeJTMHVm6Cr6ZJ6AQ+mdNo/o= -github.com/kevinburke/ssh_config v1.1.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= +github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= +github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= @@ -972,8 +975,6 @@ github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= -github.com/sosedoff/gitkit v0.3.0 h1:TfINVRNUM+GcFa+LGhZ3RcWN86Im1M6i8qs0IsgMy90= -github.com/sosedoff/gitkit v0.3.0/go.mod h1:V3EpGZ0nvCBhXerPsbDeqtyReNb48cwP9KtkUYTKT5I= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= @@ -1146,11 +1147,9 @@ golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWP golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= -golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8= golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f h1:OeJjE6G4dgCY4PIXvIRQbE8+RX+uXZyGhUy/ksMGJoc= golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= @@ -1256,8 +1255,9 @@ golang.org/x/net v0.0.0-20220107192237-5cfca573fb4d/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220412020605-290c469a71a5 h1:bRb386wvrE+oBNdF1d/Xh9mQrfQ4ecYhW5qJ5GvTGT4= golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4 h1:HVyaeDAYux4pnY+D/SiwmLOR36ewZ4iGQIIrtnuCjFA= +golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -1400,11 +1400,11 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220224120231-95c6836cb0e7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220412211240-33da011f77ad h1:ntjMns5wyP/fN65tdBD4g8J5w8n015+iIIs9rtjXkY0= golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6 h1:nonptSpoQ4vQjyraW20DXPAglgQfVnM9ZC6MmNLMR60= +golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= diff --git a/pkg/git/gogit/checkout_test.go b/pkg/git/gogit/checkout_test.go index 019036b0b..f74aaf74e 100644 --- a/pkg/git/gogit/checkout_test.go +++ b/pkg/git/gogit/checkout_test.go @@ -19,11 +19,18 @@ package gogit import ( "context" "errors" + "fmt" + "net/url" "os" "path/filepath" + "strings" "testing" "time" + "github.com/fluxcd/gitkit" + "github.com/fluxcd/pkg/gittestserver" + "github.com/fluxcd/pkg/ssh" + "github.com/fluxcd/source-controller/pkg/git" "github.com/go-git/go-billy/v5/memfs" "github.com/go-git/go-billy/v5/osfs" extgogit "github.com/go-git/go-git/v5" @@ -32,8 +39,13 @@ import ( "github.com/go-git/go-git/v5/plumbing/object" "github.com/go-git/go-git/v5/storage/filesystem" . "github.com/onsi/gomega" + + cryptossh "golang.org/x/crypto/ssh" + corev1 "k8s.io/api/core/v1" ) +const testRepositoryPath = "../testdata/git/repo" + func TestCheckoutBranch_Checkout(t *testing.T) { repo, path, err := initRepo(t) if err != nil { @@ -169,7 +181,7 @@ func TestCheckoutTag_Checkout(t *testing.T) { return } - g.Expect(err).To(BeNil()) + g.Expect(err).ToNot(HaveOccurred()) g.Expect(cc.String()).To(Equal(tt.expectTag + "/" + h.String())) g.Expect(filepath.Join(tmpDir, "tag")).To(BeARegularFile()) g.Expect(os.ReadFile(filepath.Join(tmpDir, "tag"))).To(BeEquivalentTo(tt.tag)) @@ -359,6 +371,359 @@ func TestCheckoutTagSemVer_Checkout(t *testing.T) { } } +// Test_KeyTypes assures support for the different types of keys +// for SSH Authentication supported by Flux. +func Test_KeyTypes(t *testing.T) { + tests := []struct { + name string + keyType ssh.KeyPairType + authorized bool + wantErr string + }{ + {name: "RSA 4096", keyType: ssh.RSA_4096, authorized: true}, + {name: "ECDSA P256", keyType: ssh.ECDSA_P256, authorized: true}, + {name: "ECDSA P384", keyType: ssh.ECDSA_P384, authorized: true}, + {name: "ECDSA P521", keyType: ssh.ECDSA_P521, authorized: true}, + {name: "ED25519", keyType: ssh.ED25519, authorized: true}, + {name: "unauthorized key", keyType: ssh.RSA_4096, wantErr: "unable to authenticate, attempted methods [none publickey], no supported methods remain"}, + } + + serverRootDir := t.TempDir() + server := gittestserver.NewGitServer(serverRootDir) + + // Auth needs to be called, for authentication to be enabled. + server.Auth("", "") + + var authorizedPublicKey string + server.PublicKeyLookupFunc(func(content string) (*gitkit.PublicKey, error) { + authedKey := strings.TrimSuffix(string(authorizedPublicKey), "\n") + if authedKey == content { + return &gitkit.PublicKey{Content: content}, nil + } + return nil, fmt.Errorf("pubkey provided '%s' does not match %s", content, authedKey) + }) + + g := NewWithT(t) + timeout := 5 * time.Second + + server.KeyDir(filepath.Join(server.Root(), "keys")) + g.Expect(server.ListenSSH()).To(Succeed()) + + go func() { + server.StartSSH() + }() + defer server.StopSSH() + + repoPath := "test.git" + err := server.InitRepo(testRepositoryPath, git.DefaultBranch, repoPath) + g.Expect(err).NotTo(HaveOccurred()) + + sshURL := server.SSHAddress() + repoURL := sshURL + "/" + repoPath + + // Fetch host key. + u, err := url.Parse(sshURL) + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(u.Host).ToNot(BeEmpty()) + + knownHosts, err := ssh.ScanHostKey(u.Host, timeout, git.HostKeyAlgos) + g.Expect(err).ToNot(HaveOccurred()) + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + + // Generate ssh keys based on key type. + kp, err := ssh.GenerateKeyPair(tt.keyType) + g.Expect(err).ToNot(HaveOccurred()) + + // Update authorized key to ensure only the new key is valid on the server. + if tt.authorized { + authorizedPublicKey = string(kp.PublicKey) + } + + secret := corev1.Secret{ + Data: map[string][]byte{ + "identity": kp.PrivateKey, + "known_hosts": knownHosts, + }, + } + + authOpts, err := git.AuthOptionsFromSecret(repoURL, &secret) + g.Expect(err).ToNot(HaveOccurred()) + + // Prepare for checkout. + branchCheckoutStrat := &CheckoutBranch{Branch: git.DefaultBranch} + tmpDir := t.TempDir() + + ctx, cancel := context.WithTimeout(context.TODO(), timeout) + defer cancel() + + // Checkout the repo. + commit, err := branchCheckoutStrat.Checkout(ctx, tmpDir, repoURL, authOpts) + + if tt.wantErr == "" { + g.Expect(err).ToNot(HaveOccurred()) + g.Expect(commit).ToNot(BeNil()) + + // Confirm checkout actually happened. + d, err := os.ReadDir(tmpDir) + g.Expect(err).ToNot(HaveOccurred()) + g.Expect(d).To(HaveLen(2)) // .git and foo.txt + } else { + g.Expect(err).To(HaveOccurred()) + g.Expect(err.Error()).Should(ContainSubstring(tt.wantErr)) + } + }) + } +} + +// Test_KeyExchangeAlgos assures support for the different +// types of SSH key exchange algorithms supported by Flux. +func Test_KeyExchangeAlgos(t *testing.T) { + tests := []struct { + name string + ClientKex []string + ServerKex []string + wantErr string + }{ + { + name: "support for kex: diffie-hellman-group14-sha1", + ClientKex: []string{"diffie-hellman-group14-sha1"}, + ServerKex: []string{"diffie-hellman-group14-sha1"}, + }, + { + name: "support for kex: diffie-hellman-group14-sha256", + ClientKex: []string{"diffie-hellman-group14-sha256"}, + ServerKex: []string{"diffie-hellman-group14-sha256"}, + }, + { + name: "support for kex: curve25519-sha256", + ClientKex: []string{"curve25519-sha256"}, + ServerKex: []string{"curve25519-sha256"}, + }, + { + name: "support for kex: ecdh-sha2-nistp256", + ClientKex: []string{"ecdh-sha2-nistp256"}, + ServerKex: []string{"ecdh-sha2-nistp256"}, + }, + { + name: "support for kex: ecdh-sha2-nistp384", + ClientKex: []string{"ecdh-sha2-nistp384"}, + ServerKex: []string{"ecdh-sha2-nistp384"}, + }, + { + name: "support for kex: ecdh-sha2-nistp521", + ClientKex: []string{"ecdh-sha2-nistp521"}, + ServerKex: []string{"ecdh-sha2-nistp521"}, + }, + { + name: "support for kex: curve25519-sha256@libssh.org", + ClientKex: []string{"curve25519-sha256@libssh.org"}, + ServerKex: []string{"curve25519-sha256@libssh.org"}, + }, + { + name: "non-matching kex", + ClientKex: []string{"ecdh-sha2-nistp521"}, + ServerKex: []string{"curve25519-sha256@libssh.org"}, + wantErr: "ssh: no common algorithm for key exchange; client offered: [ecdh-sha2-nistp521 ext-info-c], server offered: [curve25519-sha256@libssh.org]", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + timeout := 5 * time.Second + + serverRootDir := t.TempDir() + server := gittestserver.NewGitServer(serverRootDir).WithSSHConfig(&cryptossh.ServerConfig{ + Config: cryptossh.Config{ + KeyExchanges: tt.ServerKex, + }, + }) + + // Set what Client Key Exchange Algos to send + git.KexAlgos = tt.ClientKex + + server.KeyDir(filepath.Join(server.Root(), "keys")) + g.Expect(server.ListenSSH()).To(Succeed()) + + go func() { + server.StartSSH() + }() + defer server.StopSSH() + + repoPath := "test.git" + err := server.InitRepo(testRepositoryPath, git.DefaultBranch, repoPath) + g.Expect(err).NotTo(HaveOccurred()) + + sshURL := server.SSHAddress() + repoURL := sshURL + "/" + repoPath + + // Fetch host key. + u, err := url.Parse(sshURL) + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(u.Host).ToNot(BeEmpty()) + + knownHosts, err := ssh.ScanHostKey(u.Host, timeout, git.HostKeyAlgos) + g.Expect(err).ToNot(HaveOccurred()) + + // No authentication is required for this test, but it is + // used here to make the Checkout logic happy. + kp, err := ssh.GenerateKeyPair(ssh.ED25519) + g.Expect(err).ToNot(HaveOccurred()) + + secret := corev1.Secret{ + Data: map[string][]byte{ + "identity": kp.PrivateKey, + "known_hosts": knownHosts, + }, + } + + authOpts, err := git.AuthOptionsFromSecret(repoURL, &secret) + g.Expect(err).ToNot(HaveOccurred()) + + // Prepare for checkout. + branchCheckoutStrat := &CheckoutBranch{Branch: git.DefaultBranch} + tmpDir := t.TempDir() + + ctx, cancel := context.WithTimeout(context.TODO(), timeout) + defer cancel() + + // Checkout the repo. + _, err = branchCheckoutStrat.Checkout(ctx, tmpDir, repoURL, authOpts) + if tt.wantErr != "" { + g.Expect(err).Error().Should(HaveOccurred()) + g.Expect(err.Error()).Should(ContainSubstring(tt.wantErr)) + } else { + g.Expect(err).Error().ShouldNot(HaveOccurred()) + } + }) + } +} + +// TestHostKeyAlgos assures support for the different +// types of SSH Host Key algorithms supported by Flux. +func TestHostKeyAlgos(t *testing.T) { + tests := []struct { + name string + keyType ssh.KeyPairType + ClientHostKeyAlgos []string + }{ + { + name: "support for hostkey: ssh-rsa", + keyType: ssh.RSA_4096, + ClientHostKeyAlgos: []string{"ssh-rsa"}, + }, + { + name: "support for hostkey: rsa-sha2-256", + keyType: ssh.RSA_4096, + ClientHostKeyAlgos: []string{"rsa-sha2-256"}, + }, + { + name: "support for hostkey: rsa-sha2-512", + keyType: ssh.RSA_4096, + ClientHostKeyAlgos: []string{"rsa-sha2-512"}, + }, + { + name: "support for hostkey: ecdsa-sha2-nistp256", + keyType: ssh.ECDSA_P256, + ClientHostKeyAlgos: []string{"ecdsa-sha2-nistp256"}, + }, + { + name: "support for hostkey: ecdsa-sha2-nistp384", + keyType: ssh.ECDSA_P384, + ClientHostKeyAlgos: []string{"ecdsa-sha2-nistp384"}, + }, + { + name: "support for hostkey: ecdsa-sha2-nistp521", + keyType: ssh.ECDSA_P521, + ClientHostKeyAlgos: []string{"ecdsa-sha2-nistp521"}, + }, + { + name: "support for hostkey: ssh-ed25519", + keyType: ssh.ED25519, + ClientHostKeyAlgos: []string{"ssh-ed25519"}, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + timeout := 5 * time.Second + + sshConfig := &cryptossh.ServerConfig{} + + // Generate new keypair for the server to use for HostKeys. + hkp, err := ssh.GenerateKeyPair(tt.keyType) + g.Expect(err).NotTo(HaveOccurred()) + p, err := cryptossh.ParseRawPrivateKey(hkp.PrivateKey) + g.Expect(err).NotTo(HaveOccurred()) + + // Add key to server. + signer, err := cryptossh.NewSignerFromKey(p) + g.Expect(err).NotTo(HaveOccurred()) + sshConfig.AddHostKey(signer) + + serverRootDir := t.TempDir() + server := gittestserver.NewGitServer(serverRootDir).WithSSHConfig(sshConfig) + + // Set what HostKey Algos will be accepted from a client perspective. + git.HostKeyAlgos = tt.ClientHostKeyAlgos + + keyDir := filepath.Join(server.Root(), "keys") + server.KeyDir(keyDir) + g.Expect(server.ListenSSH()).To(Succeed()) + + go func() { + server.StartSSH() + }() + defer server.StopSSH() + + repoPath := "test.git" + err = server.InitRepo(testRepositoryPath, git.DefaultBranch, repoPath) + g.Expect(err).NotTo(HaveOccurred()) + + sshURL := server.SSHAddress() + repoURL := sshURL + "/" + repoPath + + // Fetch host key. + u, err := url.Parse(sshURL) + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(u.Host).ToNot(BeEmpty()) + + knownHosts, err := ssh.ScanHostKey(u.Host, timeout, git.HostKeyAlgos) + g.Expect(err).ToNot(HaveOccurred()) + + // No authentication is required for this test, but it is + // used here to make the Checkout logic happy. + kp, err := ssh.GenerateKeyPair(ssh.ED25519) + g.Expect(err).ToNot(HaveOccurred()) + + secret := corev1.Secret{ + Data: map[string][]byte{ + "identity": kp.PrivateKey, + "known_hosts": knownHosts, + }, + } + + authOpts, err := git.AuthOptionsFromSecret(repoURL, &secret) + g.Expect(err).ToNot(HaveOccurred()) + + // Prepare for checkout. + branchCheckoutStrat := &CheckoutBranch{Branch: git.DefaultBranch} + tmpDir := t.TempDir() + + ctx, cancel := context.WithTimeout(context.TODO(), timeout) + defer cancel() + + // Checkout the repo. + _, err = branchCheckoutStrat.Checkout(ctx, tmpDir, repoURL, authOpts) + g.Expect(err).Error().ShouldNot(HaveOccurred()) + }) + } +} + func initRepo(t *testing.T) (*extgogit.Repository, string, error) { tmpDir := t.TempDir() sto := filesystem.NewStorage(osfs.New(tmpDir), cache.NewObjectLRUDefault()) diff --git a/pkg/git/libgit2/checkout_test.go b/pkg/git/libgit2/checkout_test.go index dadb58820..6b5ef5b39 100644 --- a/pkg/git/libgit2/checkout_test.go +++ b/pkg/git/libgit2/checkout_test.go @@ -467,7 +467,7 @@ func TestCheckout_ED25519(t *testing.T) { repoPath := "test.git" - err = server.InitRepo("testdata/git/repo", git.DefaultBranch, repoPath) + err = server.InitRepo(testRepositoryPath, git.DefaultBranch, repoPath) g.Expect(err).NotTo(HaveOccurred()) sshURL := server.SSHAddress() @@ -477,7 +477,7 @@ func TestCheckout_ED25519(t *testing.T) { u, err := url.Parse(sshURL) g.Expect(err).NotTo(HaveOccurred()) g.Expect(u.Host).ToNot(BeEmpty()) - knownHosts, err := ssh.ScanHostKey(u.Host, timeout) + knownHosts, err := ssh.ScanHostKey(u.Host, timeout, git.HostKeyAlgos) g.Expect(err).ToNot(HaveOccurred()) kp, err := ssh.NewEd25519Generator().Generate() @@ -504,7 +504,7 @@ func TestCheckout_ED25519(t *testing.T) { // This should always fail because the generated key above isn't present in // the git server. _, err = branchCheckoutStrat.Checkout(ctx, tmpDir, repoURL, authOpts) - g.Expect(err).To(BeNil()) + g.Expect(err).ToNot(HaveOccurred()) } func TestSafeClone(t *testing.T) { diff --git a/pkg/git/libgit2/managed/managed_test.go b/pkg/git/libgit2/managed/managed_test.go index 63afb6721..7d87b9141 100644 --- a/pkg/git/libgit2/managed/managed_test.go +++ b/pkg/git/libgit2/managed/managed_test.go @@ -255,7 +255,7 @@ func TestManagedTransport_E2E(t *testing.T) { InitManagedTransport(logr.Discard()) repoPath := "test.git" - err = server.InitRepo("../testdata/git/repo", git.DefaultBranch, repoPath) + err = server.InitRepo("../../testdata/git/repo", git.DefaultBranch, repoPath) g.Expect(err).ToNot(HaveOccurred()) tmpDir := t.TempDir() diff --git a/pkg/git/libgit2/managed_test.go b/pkg/git/libgit2/managed_test.go new file mode 100644 index 000000000..1e923ee8f --- /dev/null +++ b/pkg/git/libgit2/managed_test.go @@ -0,0 +1,401 @@ +/* +Copyright 2022 The Flux authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package libgit2 + +import ( + "context" + "fmt" + "net/url" + "os" + "path/filepath" + "strings" + "testing" + "time" + + "github.com/fluxcd/gitkit" + "github.com/fluxcd/pkg/gittestserver" + "github.com/fluxcd/pkg/ssh" + "github.com/fluxcd/source-controller/pkg/git" + "github.com/fluxcd/source-controller/pkg/git/libgit2/managed" + + "github.com/go-logr/logr" + . "github.com/onsi/gomega" + + cryptossh "golang.org/x/crypto/ssh" + corev1 "k8s.io/api/core/v1" +) + +const testRepositoryPath = "../testdata/git/repo" + +// Test_ManagedSSH_KeyTypes assures support for the different +// types of keys for SSH Authentication supported by Flux. +func Test_ManagedSSH_KeyTypes(t *testing.T) { + tests := []struct { + name string + keyType ssh.KeyPairType + authorized bool + wantErr string + }{ + {name: "RSA 4096", keyType: ssh.RSA_4096, authorized: true}, + {name: "ECDSA P256", keyType: ssh.ECDSA_P256, authorized: true}, + {name: "ECDSA P384", keyType: ssh.ECDSA_P384, authorized: true}, + {name: "ECDSA P521", keyType: ssh.ECDSA_P521, authorized: true}, + {name: "ED25519", keyType: ssh.ED25519, authorized: true}, + {name: "unauthorized key", keyType: ssh.RSA_4096, wantErr: "Failed to retrieve list of SSH authentication methods"}, + } + + serverRootDir := t.TempDir() + server := gittestserver.NewGitServer(serverRootDir) + + // Auth needs to be called, for authentication to be enabled. + server.Auth("", "") + + var authorizedPublicKey string + server.PublicKeyLookupFunc(func(content string) (*gitkit.PublicKey, error) { + authedKey := strings.TrimSuffix(string(authorizedPublicKey), "\n") + if authedKey == content { + return &gitkit.PublicKey{Content: content}, nil + } + return nil, fmt.Errorf("pubkey provided '%s' does not match %s", content, authedKey) + }) + + g := NewWithT(t) + timeout := 5 * time.Second + + server.KeyDir(filepath.Join(server.Root(), "keys")) + g.Expect(server.ListenSSH()).To(Succeed()) + + go func() { + server.StartSSH() + }() + defer server.StopSSH() + + repoPath := "test.git" + err := server.InitRepo(testRepositoryPath, git.DefaultBranch, repoPath) + g.Expect(err).NotTo(HaveOccurred()) + + sshURL := server.SSHAddress() + repoURL := sshURL + "/" + repoPath + + // Fetch host key. + u, err := url.Parse(sshURL) + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(u.Host).ToNot(BeEmpty()) + + knownHosts, err := ssh.ScanHostKey(u.Host, timeout, git.HostKeyAlgos) + g.Expect(err).ToNot(HaveOccurred()) + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + + // Generate ssh keys based on key type. + kp, err := ssh.GenerateKeyPair(tt.keyType) + g.Expect(err).ToNot(HaveOccurred()) + + // Update authorized key to ensure only the new key is valid on the server. + if tt.authorized { + authorizedPublicKey = string(kp.PublicKey) + } + + secret := corev1.Secret{ + Data: map[string][]byte{ + "identity": kp.PrivateKey, + "known_hosts": knownHosts, + }, + } + + authOpts, err := git.AuthOptionsFromSecret(repoURL, &secret) + g.Expect(err).ToNot(HaveOccurred()) + + // Prepare for checkout. + branchCheckoutStrat := &CheckoutBranch{Branch: git.DefaultBranch} + tmpDir := t.TempDir() + + ctx, cancel := context.WithTimeout(context.TODO(), timeout) + defer cancel() + + // Checkout the repo. + commit, err := branchCheckoutStrat.Checkout(ctx, tmpDir, repoURL, authOpts) + + if tt.wantErr == "" { + g.Expect(err).ToNot(HaveOccurred()) + g.Expect(commit).ToNot(BeNil()) + + // Confirm checkout actually happened. + d, err := os.ReadDir(tmpDir) + g.Expect(err).ToNot(HaveOccurred()) + g.Expect(d).To(HaveLen(2)) // .git and foo.txt + } else { + g.Expect(err).To(HaveOccurred()) + g.Expect(err.Error()).Should(ContainSubstring(tt.wantErr)) + } + }) + } +} + +// Test_ManagedSSH_KeyExchangeAlgos assures support for the different +// types of SSH key exchange algorithms supported by Flux. +func Test_ManagedSSH_KeyExchangeAlgos(t *testing.T) { + tests := []struct { + name string + ClientKex []string + ServerKex []string + wantErr string + }{ + { + name: "support for kex: diffie-hellman-group14-sha1", + ClientKex: []string{"diffie-hellman-group14-sha1"}, + ServerKex: []string{"diffie-hellman-group14-sha1"}, + }, + { + name: "support for kex: diffie-hellman-group14-sha256", + ClientKex: []string{"diffie-hellman-group14-sha256"}, + ServerKex: []string{"diffie-hellman-group14-sha256"}, + }, + { + name: "support for kex: curve25519-sha256", + ClientKex: []string{"curve25519-sha256"}, + ServerKex: []string{"curve25519-sha256"}, + }, + { + name: "support for kex: ecdh-sha2-nistp256", + ClientKex: []string{"ecdh-sha2-nistp256"}, + ServerKex: []string{"ecdh-sha2-nistp256"}, + }, + { + name: "support for kex: ecdh-sha2-nistp384", + ClientKex: []string{"ecdh-sha2-nistp384"}, + ServerKex: []string{"ecdh-sha2-nistp384"}, + }, + { + name: "support for kex: ecdh-sha2-nistp521", + ClientKex: []string{"ecdh-sha2-nistp521"}, + ServerKex: []string{"ecdh-sha2-nistp521"}, + }, + { + name: "support for kex: curve25519-sha256@libssh.org", + ClientKex: []string{"curve25519-sha256@libssh.org"}, + ServerKex: []string{"curve25519-sha256@libssh.org"}, + }, + { + name: "non-matching kex", + ClientKex: []string{"ecdh-sha2-nistp521"}, + ServerKex: []string{"curve25519-sha256@libssh.org"}, + wantErr: "ssh: no common algorithm for key exchange; client offered: [ecdh-sha2-nistp521 ext-info-c], server offered: [curve25519-sha256@libssh.org]", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + timeout := 5 * time.Second + + serverRootDir := t.TempDir() + server := gittestserver.NewGitServer(serverRootDir).WithSSHConfig(&cryptossh.ServerConfig{ + Config: cryptossh.Config{ + KeyExchanges: tt.ServerKex, + }, + }) + + // Set what Client Key Exchange Algos to send + git.KexAlgos = tt.ClientKex + + server.KeyDir(filepath.Join(server.Root(), "keys")) + g.Expect(server.ListenSSH()).To(Succeed()) + + go func() { + server.StartSSH() + }() + defer server.StopSSH() + + os.Setenv("EXPERIMENTAL_GIT_TRANSPORT", "true") + managed.InitManagedTransport(logr.Discard()) + repoPath := "test.git" + + err := server.InitRepo(testRepositoryPath, git.DefaultBranch, repoPath) + g.Expect(err).NotTo(HaveOccurred()) + + sshURL := server.SSHAddress() + repoURL := sshURL + "/" + repoPath + + // Fetch host key. + u, err := url.Parse(sshURL) + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(u.Host).ToNot(BeEmpty()) + + knownHosts, err := ssh.ScanHostKey(u.Host, timeout, git.HostKeyAlgos) + g.Expect(err).ToNot(HaveOccurred()) + + // No authentication is required for this test, but it is + // used here to make the Checkout logic happy. + kp, err := ssh.GenerateKeyPair(ssh.ED25519) + g.Expect(err).ToNot(HaveOccurred()) + + secret := corev1.Secret{ + Data: map[string][]byte{ + "identity": kp.PrivateKey, + "known_hosts": knownHosts, + }, + } + + authOpts, err := git.AuthOptionsFromSecret(repoURL, &secret) + g.Expect(err).ToNot(HaveOccurred()) + + // Prepare for checkout. + branchCheckoutStrat := &CheckoutBranch{Branch: git.DefaultBranch} + tmpDir := t.TempDir() + + ctx, cancel := context.WithTimeout(context.TODO(), timeout) + defer cancel() + + // Checkout the repo. + _, err = branchCheckoutStrat.Checkout(ctx, tmpDir, repoURL, authOpts) + if tt.wantErr != "" { + g.Expect(err).Error().Should(HaveOccurred()) + g.Expect(err.Error()).Should(ContainSubstring(tt.wantErr)) + } else { + g.Expect(err).Error().ShouldNot(HaveOccurred()) + } + }) + } +} + +// Test_ManagedSSH_HostKeyAlgos assures support for the different +// types of SSH Host Key algorithms supported by Flux. +func Test_ManagedSSH_HostKeyAlgos(t *testing.T) { + tests := []struct { + name string + keyType ssh.KeyPairType + ClientHostKeyAlgos []string + }{ + { + name: "support for hostkey: ssh-rsa", + keyType: ssh.RSA_4096, + ClientHostKeyAlgos: []string{"ssh-rsa"}, + }, + { + name: "support for hostkey: rsa-sha2-256", + keyType: ssh.RSA_4096, + ClientHostKeyAlgos: []string{"rsa-sha2-256"}, + }, + { + name: "support for hostkey: rsa-sha2-512", + keyType: ssh.RSA_4096, + ClientHostKeyAlgos: []string{"rsa-sha2-512"}, + }, + { + name: "support for hostkey: ecdsa-sha2-nistp256", + keyType: ssh.ECDSA_P256, + ClientHostKeyAlgos: []string{"ecdsa-sha2-nistp256"}, + }, + { + name: "support for hostkey: ecdsa-sha2-nistp384", + keyType: ssh.ECDSA_P384, + ClientHostKeyAlgos: []string{"ecdsa-sha2-nistp384"}, + }, + { + name: "support for hostkey: ecdsa-sha2-nistp521", + keyType: ssh.ECDSA_P521, + ClientHostKeyAlgos: []string{"ecdsa-sha2-nistp521"}, + }, + { + name: "support for hostkey: ssh-ed25519", + keyType: ssh.ED25519, + ClientHostKeyAlgos: []string{"ssh-ed25519"}, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + g := NewWithT(t) + timeout := 5 * time.Second + + sshConfig := &cryptossh.ServerConfig{} + + // Generate new keypair for the server to use for HostKeys. + hkp, err := ssh.GenerateKeyPair(tt.keyType) + g.Expect(err).NotTo(HaveOccurred()) + p, err := cryptossh.ParseRawPrivateKey(hkp.PrivateKey) + g.Expect(err).NotTo(HaveOccurred()) + + // Add key to server. + signer, err := cryptossh.NewSignerFromKey(p) + g.Expect(err).NotTo(HaveOccurred()) + sshConfig.AddHostKey(signer) + + serverRootDir := t.TempDir() + server := gittestserver.NewGitServer(serverRootDir).WithSSHConfig(sshConfig) + + // Set what HostKey Algos will be accepted from a client perspective. + git.HostKeyAlgos = tt.ClientHostKeyAlgos + + keyDir := filepath.Join(server.Root(), "keys") + server.KeyDir(keyDir) + g.Expect(server.ListenSSH()).To(Succeed()) + + go func() { + server.StartSSH() + }() + defer server.StopSSH() + + os.Setenv("EXPERIMENTAL_GIT_TRANSPORT", "true") + managed.InitManagedTransport(logr.Discard()) + repoPath := "test.git" + + err = server.InitRepo(testRepositoryPath, git.DefaultBranch, repoPath) + g.Expect(err).NotTo(HaveOccurred()) + + sshURL := server.SSHAddress() + repoURL := sshURL + "/" + repoPath + + // Fetch host key. + u, err := url.Parse(sshURL) + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(u.Host).ToNot(BeEmpty()) + + knownHosts, err := ssh.ScanHostKey(u.Host, timeout, tt.ClientHostKeyAlgos) + g.Expect(err).ToNot(HaveOccurred()) + + // No authentication is required for this test, but it is + // used here to make the Checkout logic happy. + kp, err := ssh.GenerateKeyPair(ssh.ED25519) + g.Expect(err).ToNot(HaveOccurred()) + + secret := corev1.Secret{ + Data: map[string][]byte{ + "identity": kp.PrivateKey, + "known_hosts": knownHosts, + }, + } + + authOpts, err := git.AuthOptionsFromSecret(repoURL, &secret) + g.Expect(err).ToNot(HaveOccurred()) + + // Prepare for checkout. + branchCheckoutStrat := &CheckoutBranch{Branch: git.DefaultBranch} + tmpDir := t.TempDir() + + ctx, cancel := context.WithTimeout(context.TODO(), timeout) + defer cancel() + + // Checkout the repo. + _, err = branchCheckoutStrat.Checkout(ctx, tmpDir, repoURL, authOpts) + g.Expect(err).Error().ShouldNot(HaveOccurred()) + }) + } +} diff --git a/pkg/git/options.go b/pkg/git/options.go index 71ecbe98f..bd0b4d7b0 100644 --- a/pkg/git/options.go +++ b/pkg/git/options.go @@ -70,12 +70,12 @@ type AuthOptions struct { CAFile []byte } -// KexAlgos hosts the key exchange algorithms to be used for ssh connections. -// If empty, golang's default is used instead. +// KexAlgos hosts the key exchange algorithms to be used for SSH connections. +// If empty, Go's default is used instead. var KexAlgos []string -// HostKeyAlgos holds the HostKey algorithms that the ssh client will advertise -// to the server. If empty, golang's default is used instead. +// HostKeyAlgos holds the HostKey algorithms that the SSH client will advertise +// to the server. If empty, Go's default is used instead. var HostKeyAlgos []string // Validate the AuthOptions against the defined Transport. diff --git a/pkg/git/strategy/strategy_test.go b/pkg/git/strategy/strategy_test.go index 055c44f63..866aea938 100644 --- a/pkg/git/strategy/strategy_test.go +++ b/pkg/git/strategy/strategy_test.go @@ -97,7 +97,7 @@ func TestCheckoutStrategyForImplementation_Auth(t *testing.T) { return getSSHRepoURL(srv.SSHAddress(), repoPath) }, authOptsFunc: func(g *WithT, u *url.URL, user, pswd string, ca []byte) *git.AuthOptions { - knownhosts, err := ssh.ScanHostKey(u.Host, 5*time.Second) + knownhosts, err := ssh.ScanHostKey(u.Host, 5*time.Second, git.HostKeyAlgos) g.Expect(err).ToNot(HaveOccurred()) keygen := ssh.NewRSAGenerator(2048) diff --git a/pkg/git/libgit2/testdata/git/repo/foo.txt b/pkg/git/testdata/git/repo/foo.txt similarity index 100% rename from pkg/git/libgit2/testdata/git/repo/foo.txt rename to pkg/git/testdata/git/repo/foo.txt