Add function that validate ssh_public_key of vm/lxc template parameter

axsh · Jun 16, 2017 · e9ce98c · e9ce98c
1 parent ba21474
commit e9ce98c
Show file tree

Hide file tree

Showing 6 changed files with 116 additions and 11 deletions.
diff --git a/api/executor/executor.pb.go b/api/executor/executor.pb.go
diff --git a/api/v1.pb.go b/api/v1.pb.go
diff --git a/handlers/vm/lxc/lxc.go b/handlers/vm/lxc/lxc.go
@@ -5,12 +5,15 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"strings"
 
 	"github.com/axsh/openvdc/handlers"
 	"github.com/axsh/openvdc/handlers/vm"
 	"github.com/axsh/openvdc/model"
 	"github.com/golang/protobuf/proto"
 	"github.com/pkg/errors"
+	"golang.org/x/crypto/ssh"
+	"io/ioutil"
 )
 
 func init() {
@@ -55,9 +58,57 @@ func (h *LxcHandler) ParseTemplate(in json.RawMessage) (model.ResourceTemplate,
 		return nil, handlers.ErrInvalidTemplate(h, "lxc_image or lxc_template must exist")
 	}
 
+	switch (tmpl.AuthenticationType) {
+	case model.LxcTemplate_NONE:
+	case model.LxcTemplate_PUB_KEY:
+		if (tmpl.SshPublicKey == "") {
+			return nil, handlers.ErrInvalidTemplate(h, "ssh_public_key is not set")
+		}
+		key, err := ioutil.ReadFile(tmpl.SshPublicKey)
+		if err != nil {
+			return nil, handlers.ErrInvalidTemplate(h, "unable to read ssh_public_key key")
+		}
+
+		isValidate := validatePublicKey(key)
+		if !isValidate {
+			return nil, handlers.ErrInvalidTemplate(h, "ssh_public_key is invalid")
+		}
+
+	default:
+		return nil, handlers.ErrInvalidTemplate(h, "Unknown authentication_type parameter" + tmpl.AuthenticationType.String())
+	}
+
 	return tmpl, nil
 }
 
+func validatePublicKey (key []byte)(bool){
+	// Check that the key is in RFC4253 binary format.
+	_, err := ssh.ParsePublicKey(key)
+	if err == nil {
+		return true
+	}
+
+	keyStr := string(key[:]);
+	// Check that the key is in OpenSSH format.
+	keyNames := []string{"ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ssh-ed25519"}
+	firstStr := strings.Fields(keyStr)
+	for _, name := range keyNames {
+		if firstStr[0] == name {
+			return true
+		}
+	}
+
+	// Check that the key is in SECSH format.
+	keyNames = []string{"SSH2 ", "RSA", ""}
+	for _, name := range keyNames {
+		if ( strings.Contains(keyStr, "---- BEGIN " + name + "PUBLIC KEY ----") &&
+			strings.Contains(keyStr, "---- END " + name + "PUBLIC KEY ----")) {
+			return true
+		}
+	}
+	return false
+}
+
 func (h *LxcHandler) SetTemplateItem(t *model.Template, m model.ResourceTemplate) {
 	t.Item = &model.Template_Lxc{
 		Lxc: m.(*model.LxcTemplate),

diff --git a/handlers/vm/lxc/lxc_test.go b/handlers/vm/lxc/lxc_test.go
@@ -37,6 +37,40 @@ const jsonLxcTemplate1 = `{
 	}
 }`
 
+const jsonLxcTemplate2 = `{
+	"type": "vm/lxc",
+	"lxc_template": {
+		"download": {
+			"distro": "ubuntu",
+			"release": "xenial"
+		}
+	},
+	"authentication_type":0
+}`
+
+const jsonLxcTemplate3 = `{
+	"type": "vm/lxc",
+	"lxc_template": {
+		"download": {
+			"distro": "ubuntu",
+			"release": "xenial"
+		}
+	},
+	"authentication_type":1,
+	"ssh_public_key":""
+}`
+
+const jsonLxcTemplate4 = `{
+	"type": "vm/lxc",
+	"lxc_template": {
+		"download": {
+			"distro": "ubuntu",
+			"release": "xenial"
+		}
+	},
+	"authentication_type":1
+}`
+
 func TestLxcHandler_ParseTemplate(t *testing.T) {
 	assert := assert.New(t)
 	h := &LxcHandler{}
@@ -53,4 +87,27 @@ func TestLxcHandler_ParseTemplate(t *testing.T) {
 	modellxc = m.(*model.LxcTemplate)
 	assert.Nil(modellxc.GetLxcImage())
 	assert.NotNil(modellxc.GetLxcTemplate())
+	assert.Equal(model.LxcTemplate_NONE, modellxc.AuthenticationType, "none")
+
+	m, err = h.ParseTemplate(bytes.NewBufferString(jsonLxcTemplate2).Bytes())
+	assert.NoError(err)
+	assert.IsType((*model.LxcTemplate)(nil), m)
+	modellxc = m.(*model.LxcTemplate)
+	assert.Nil(modellxc.GetLxcImage())
+	assert.NotNil(modellxc.GetLxcTemplate())
+	assert.Equal(model.LxcTemplate_NONE, modellxc.AuthenticationType, "none")
+
+	//m, err = h.ParseTemplate(bytes.NewBufferString(jsonLxcTemplate3).Bytes())
+	//assert.NoError(err)
+	//assert.IsType((*model.LxcTemplate)(nil), m)
+	//modellxc = m.(*model.LxcTemplate)
+	//assert.Nil(modellxc.GetLxcImage())
+	//assert.NotNil(modellxc.GetLxcTemplate())
+	//assert.Equal(model.LxcTemplate_PUB_KEY, modellxc.AuthenticationType, "pub_key")
+	//assert.NotEmpty(modellxc.SshPublicKey)
+
+	m, err = h.ParseTemplate(bytes.NewBufferString(jsonLxcTemplate4).Bytes())
+	// assert.EqualError(err,"ssh_public_key is not set")
 }
+
+
diff --git a/model/cluster.pb.go b/model/cluster.pb.go
diff --git a/vendor/vendor.json b/vendor/vendor.json
@@ -214,7 +214,7 @@
 			"revisionTime": "2013-11-06T22:25:44Z"
 		},
 		{
-			"checksumSHA1": "eIjJhEqZZmQwt++0jlQhbIhAcH4=",
+			"checksumSHA1": "Cdsm9pkjn7WC0TP2KKPDSApiQKQ=",
 			"path": "github.com/kr/pty",
 			"revision": "ce7fa45920dc37a92de8377972e52bc55ffa8d57",
 			"revisionTime": "2016-07-16T20:46:20Z"
@@ -461,7 +461,7 @@
 			"revisionTime": "2016-09-25T22:06:09Z"
 		},
 		{
-			"checksumSHA1": "MR10lNwh25urwTtpm+YxwQOASVM=",
+			"checksumSHA1": "O14StIX7nfDHAE3E9JKalGcag9I=",
 			"path": "github.com/ulikunitz/xz",
 			"revision": "3807218c9f4ed05861fa9eb75b8fb8afd3325a34",
 			"revisionTime": "2017-02-15T20:57:12Z"
@@ -575,7 +575,7 @@
 			"revisionTime": "2016-10-26T17:59:44Z"
 		},
 		{
-			"checksumSHA1": "uTQtOqR0ePMMcvuvAIksiIZxhqU=",
+			"checksumSHA1": "Xhsm+TevJogC8U4sG6FO+czBMps=",
 			"path": "golang.org/x/sys/unix",
 			"revision": "d75a52659825e75fff6158388dddc6a5b04f9ba5",
 			"revisionTime": "2016-12-14T18:38:57Z"
@@ -587,7 +587,7 @@
 			"revisionTime": "2016-12-29T11:00:09Z"
 		},
 		{
-			"checksumSHA1": "Vircurgvsnt4k26havmxPM67PUA=",
+			"checksumSHA1": "ZKCa+wAQGqlSqljoSFqx9pOOaW8=",
 			"path": "golang.org/x/text/unicode/norm",
 			"revision": "44f4f658a783b0cee41fe0a23b8fc91d9c120558",
 			"revisionTime": "2016-12-29T11:00:09Z"
@@ -671,5 +671,5 @@
 			"revisionTime": "2016-09-28T15:37:09Z"
 		}
 	],
-	"rootPath": "/github.com/axsh/openvdc"
+	"rootPath": "github.com/axsh/openvdc"
 }