Allowing BLESS lambda to accept ed25519 keys, completing https://gith… (

#74) * Allowing BLESS lambda to accept ed25519 keys, completing #71 . Thanks @jnewbigin .
Netflix · Jul 14, 2018 · ba55021 · ba55021
1 parent f1e2a30
commit ba55021
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/bless/request/bless_request.py b/bless/request/bless_request.py
@@ -29,6 +29,7 @@
 # There doesn't seem to be any practical size limits of an SSH Certificate Principal (> 4096B allowed).
 PRINCIPAL_PATTERN = re.compile(r'[\d\w!"$%&\'()*+\-./:;<=>?@\[\\\]\^`{|}~]+\Z')
 VALID_SSH_RSA_PUBLIC_KEY_HEADER = "ssh-rsa AAAAB3NzaC1yc2"
+VALID_SSH_ED25519_PUBLIC_KEY_HEADER = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5"
 
 USERNAME_VALIDATION_OPTIONS = Enum('UserNameValidationOptions',
                                    'useradd '  # Allowable usernames per 'man 8 useradd'
@@ -79,7 +80,7 @@ def _validate_principal(principal):
 
 
 def validate_ssh_public_key(public_key):
-    if public_key.startswith(VALID_SSH_RSA_PUBLIC_KEY_HEADER):
+    if public_key.startswith(VALID_SSH_RSA_PUBLIC_KEY_HEADER) or public_key.startswith(VALID_SSH_ED25519_PUBLIC_KEY_HEADER):
         pass
     # todo other key types
     else:

diff --git a/tests/aws_lambda/test_bless_lambda.py b/tests/aws_lambda/test_bless_lambda.py
@@ -4,7 +4,7 @@
 
 from bless.aws_lambda.bless_lambda import lambda_handler
 from tests.ssh.vectors import EXAMPLE_RSA_PUBLIC_KEY, RSA_CA_PRIVATE_KEY_PASSWORD, \
-    EXAMPLE_ED25519_PUBLIC_KEY
+    EXAMPLE_ED25519_PUBLIC_KEY, EXAMPLE_ECDSA_PUBLIC_KEY
 
 
 class Context(object):
@@ -21,6 +21,15 @@ class Context(object):
     "bastion_user_ip": "127.0.0.1"
 }
 
+VALID_TEST_REQUEST_ED2551 = {
+    "remote_usernames": "user",
+    "public_key_to_sign": EXAMPLE_ED25519_PUBLIC_KEY,
+    "command": "ssh user@server",
+    "bastion_ips": "127.0.0.1",
+    "bastion_user": "user",
+    "bastion_user_ip": "127.0.0.1"
+}
+
 VALID_TEST_REQUEST_USERNAME_VALIDATION_EMAIL_REMOTE_USERNAMES_USERADD = {
     "remote_usernames": "user,anotheruser",
     "public_key_to_sign": EXAMPLE_RSA_PUBLIC_KEY,
@@ -60,7 +69,7 @@ class Context(object):
 
 INVALID_TEST_REQUEST_KEY_TYPE = {
     "remote_usernames": "user",
-    "public_key_to_sign": EXAMPLE_ED25519_PUBLIC_KEY,
+    "public_key_to_sign": EXAMPLE_ECDSA_PUBLIC_KEY,
     "command": "ssh user@server",
     "bastion_ips": "127.0.0.1",
     "bastion_user": "user",
@@ -153,6 +162,14 @@ def test_basic_local_request():
     assert output['certificate'].startswith('[email protected] ')
 
 
+def test_basic_local_request_ed2551():
+    output = lambda_handler(VALID_TEST_REQUEST_ED2551, context=Context,
+                            ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD,
+                            entropy_check=False,
+                            config_file=os.path.join(os.path.dirname(__file__), 'bless-test.cfg'))
+    assert output['certificate'].startswith('[email protected] ')
+
+
 def test_basic_local_unused_kmsauth_request():
     output = lambda_handler(VALID_TEST_REQUEST_KMSAUTH, context=Context,
                             ca_private_key_password=RSA_CA_PRIVATE_KEY_PASSWORD,