Location: kallithea/scripts/validate-minimum-dependency-versions - annotation
ssh: verify SSH keys haven't been truncated
Ed Wong reported problems with an SSH key that was accidentally copy-pasted with
extra newlines. This truncation wasn't detected, so the truncated key was added
to authorized_keys, where it obviously didn't work for sshd.
The base64 decoding would sometimes catch truncated keys - but not always. We
seem to have to look inside the key, parse it according to the RFCs, and verify
that it contains the right amount of data for the key type.
It is an additional burden to have to parse SSH key internals just to validate
them. We could consider using some external method for validation. But the
explicit validation introduced here might be more spot-on for our needs.
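#!/bin/bash
# Test that installation of all dependencies works fine if versions are set to
# the minimum ones.
#
# The script creates a fresh virtualenv under build/, pins every ">="
# requirement found in setup.py and dev_requirements.txt to its lower bound,
# installs the result, and then runs the test suite inside that virtualenv.
#
# The virtualenv deliberately holds the oldest dependency versions the project
# claims to support, so it is a compatibility-test environment only; those
# versions may lack later upstream fixes and should not be used for deployment.

set -e

if [ -n "$VIRTUAL_ENV" ]; then
  echo "This script will create its own virtualenv - please don't run it inside an existing one." >&2
  exit 1
fi

# Resolve the repository root in its own assignment. With 'cd "$(hg root)"' a
# failing 'hg root' is not caught by 'set -e', and the 'rm -rf' below would
# then run relative to whatever directory the caller happened to be in.
repo_root=$(hg root)
if [ -z "$repo_root" ]; then
  echo "Error: could not determine the repository root with 'hg root'." >&2
  exit 1
fi
cd "$repo_root"

venv=build/minimum-dependency-versions-venv
log=build/minimum-dependency-versions.log
min_requirements=build/minimum-dependency-versions-requirements.txt
echo "virtualenv: $venv"
echo "log: $log"
echo "minimum requirements file: $min_requirements"

# clean up previous runs
rm -rf "$venv" "$log"
mkdir -p "$venv"

# Make a light weight parsing of setup.py and dev_requirements.txt,
# finding all >= requirements and dumping into a custom requirements.txt
# while fixating the requirement at the lower bound.
sed -n 's/.*"\(.*\)>=\(.*\)".*/\1==\2/p' setup.py > "$min_requirements"
# No 'p' flag here: without -n, sed already prints every line, so 'p' would
# emit each rewritten requirement twice.
sed 's/>=/==/' dev_requirements.txt >> "$min_requirements"

python3 -m venv "$venv"
source "$venv/bin/activate"
pip install --upgrade pip setuptools

# stderr from pip is copied into $log and still shown on the terminal.
# NOTE(review): tee runs asynchronously inside the process substitution, so
# the size check below could in principle run before the log is fully
# written - confirm whether that matters for this check.
pip install -e . -r "$min_requirements" python-ldap python-pam 2> >(tee "$log" >&2)

# Treat any message on stderr as a problem, for the caller to interpret.
if [ -s "$log" ]; then
  echo
  echo "Error: pip detected following problems:"
  cat "$log"
  echo
  exit 1
fi

freeze_txt=build/minimum-dependency-versions.txt
pip freeze > "$freeze_txt"
echo "Installation of minimum packages was successful, providing a set of packages as in $freeze_txt . Now running test suite..."

pytest

echo "Test suite execution was successful."
echo "You can now do additional validation using virtual env '$venv'."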