Replace/remove password authentication with key based authentication

RLovelett · RLovelett · commit a482e7ec3067 · 2020-10-10T18:08:54.000-04:00
diff --git a/Package.swift b/Package.swift
@@ -27,7 +27,20 @@ let package = Package(
         ),
         .target(
             name: "SecureShell",
-            dependencies: ["Clibssh"]
+            dependencies: [
+                .target(name: "Clibssh"),
+                .product(name: "Path", package: "Path.swift"),
+            ]
+        ),
+        .testTarget(
+            name: "SecureShellTests",
+            dependencies: [
+                .target(name: "SecureShell"),
+                .product(name: "Path", package: "Path.swift"),
+            ],
+            resources: [
+                .process("Fixtures"),
+            ]
         ),
         .target(
             name: "VMwareFusion",
diff --git a/README.md b/README.md
@@ -160,15 +160,15 @@ and `cleanup_args` should be located in the respective help of each subcommand.
     prepare_args = [
       "prepare",
       "--ssh-username", "buildbot",
-      "--ssh-key", "/Users/buildbot/Library/Application Support/me.lovelett.gitlab-fusion/id_ed25519",
+      "--ssh-identity-file", "/Users/buildbot/Library/Application Support/me.lovelett.gitlab-fusion/id_ed25519",
       "/Users/buildbot/base-macOS-10.15.7-19H2-xcode-12.0.0.vmwarevm/base-macOS-10.15.7-19H2-xcode-12.0.0.vmx"
     ]
 
     run_exec = "/Users/buildbot/gitlab-fusion/.build/release/gitlab-fusion"
     run_args = [
       "run",
       "--ssh-username", "buildbot",
-      "--ssh-key", "/Users/buildbot/Library/Application Support/me.lovelett.gitlab-fusion/id_ed25519",
+      "--ssh-identity-file", "/Users/buildbot/Library/Application Support/me.lovelett.gitlab-fusion/id_ed25519",
       "/Users/buildbot/base-macOS-10.15.7-19H2-xcode-12.0.0.vmwarevm/base-macOS-10.15.7-19H2-xcode-12.0.0.vmx"
     ]
 
diff --git a/Sources/SecureShell/PrivateKey.swift b/Sources/SecureShell/PrivateKey.swift
@@ -0,0 +1,40 @@
+//
+//  PrivateKey.swift
+//  SecureShell
+//
+//  Created by Ryan Lovelett on 10/5/20.
+//
+
+import Clibssh
+import Path
+
+/// Private key used with the SecureShell public-key infrastructure (PKI).
+final class PrivateKey: CustomStringConvertible {
+    let key: ssh_key
+
+    /// Create an instance from a key at a path.
+    /// - Parameter path: Path to the private key.
+    /// - Throws: `SecureShellError` if the private key cannot be loaded.
+    init(contentsOfFile path: Path) throws {
+        var file: ssh_key?
+        let returnCode = path.string.withCString { body in
+            ssh_pki_import_privkey_file(body, nil, nil, nil, &file)
+        }
+        guard returnCode == SSH_OK, let privateKey = file else {
+            ssh_key_free(file)
+            throw SecureShellError("Could not import private key at \(path)")
+        }
+        self.key = privateKey
+    }
+
+    deinit {
+        ssh_key_free(key)
+    }
+
+    /// The type of the key (e.g., `ssh-rsa` or `ssh-ed25519`).
+    var description: String {
+        let type = ssh_key_type(key)
+        let name = ssh_key_type_to_char(type)
+        return name.map { String(cString: $0) } ?? "unknown"
+    }
+}
diff --git a/Sources/SecureShell/SecureShellError.swift b/Sources/SecureShell/SecureShellError.swift
@@ -45,4 +45,12 @@ struct SecureShellError: LocalizedError {
             libsshErrorText = "Was not able to infer the error from \(session)."
         }
     }
+
+    var errorDescription: String? {
+        if libsshErrorText.isEmpty {
+            return description
+        }
+
+        return "\(description) - \(libsshErrorText)"
+    }
 }
diff --git a/Sources/SecureShell/Session.swift b/Sources/SecureShell/Session.swift
@@ -6,6 +6,7 @@
 //
 
 import Clibssh
+import Path
 
 /// A `Session` encapsulates the entire lifetime of the connection with a remote
 /// machine. A `Session` is responsible for connecting and authenticating the
@@ -52,17 +53,17 @@ public final class Session {
         ssh_free(session)
     }
 
-    /// Attempt to authenticate the session using password.
+    /// Path to a file from which the identity (private key) for public key
+    /// authentication is read.
     ///
-    /// - Parameter password: The password to attempt authentication with.
+    /// - Parameter path: Path to identity private key.
     /// - Throws: `SecureShellError` if authentication fails.
-    public func authenticate(withPassword password: String) throws {
-        let returnCode = password.withCString {
-            ssh_auth_e(rawValue: ssh_userauth_password(session, nil, $0))
-        }
+    public func authenticate(withIdentity path: Path) throws {
+        let key = try PrivateKey(contentsOfFile: path)
+        let returnCode = ssh_auth_e(rawValue: ssh_userauth_publickey(session, nil, key.key))
 
         guard returnCode == SSH_AUTH_SUCCESS else {
-            throw SecureShellError(session, description: "Could not authenticate.")
+            throw SecureShellError(session, description: "Could not authenticate with identity \(path).")
         }
     }
 
diff --git a/Sources/gitlab-fusion/Stages/Prepare.swift b/Sources/gitlab-fusion/Stages/Prepare.swift
@@ -59,11 +59,8 @@ struct Prepare: ParsableCommand {
 
     // MARK: - Secure Shell (SSH) specific arguments
 
-    @Option(help: "User used to authenticate as over SSH to the VMware Fusion guest.")
-    var sshUsername = "buildbot"
-
-    @Option(help: "Password used to authenticate as over SSH to the VMware Fusion guest.")
-    var sshPassword = "Time2Build"
+    @OptionGroup()
+    var sshOptions: SecureShellOptions
 
     // MARK: - Validating the command-line input
 
@@ -133,8 +130,8 @@ struct Prepare: ParsableCommand {
         // Wait for ssh to become available
         for _ in 1...60 {
             // TODO: Retry if connection times out
-            let session = try Session(host: ip, username: sshUsername)
-            try session.authenticate(withPassword: sshPassword)
+            let session = try Session(host: ip, username: sshOptions.sshUsername)
+            try session.authenticate(withIdentity: sshOptions.sshIdentityFile)
             let channel = try session.openChannel()
             let exitCode = channel.execute("echo -n 2>&1")
 
diff --git a/Sources/gitlab-fusion/Stages/Run.swift b/Sources/gitlab-fusion/Stages/Run.swift
@@ -40,11 +40,8 @@ struct Run: ParsableCommand {
 
     // MARK: - Secure Shell (SSH) specific arguments
 
-    @Option(help: "User used to authenticate as over SSH to the VMware Fusion guest.")
-    var sshUsername = "buildbot"
-
-    @Option(help: "Password used to authenticate as over SSH to the VMware Fusion guest.")
-    var sshPassword = "Time2Build"
+    @OptionGroup()
+    var sshOptions: SecureShellOptions
 
     // MARK: - Virtual Machine runtime specific arguments
 
@@ -85,8 +82,8 @@ struct Run: ParsableCommand {
         let script = try String(contentsOf: scriptFile)
         os_log("Running script:\n%{public}@", log: log, type: .info, script)
 
-        let session = try Session(host: ip, username: sshUsername)
-        try session.authenticate(withPassword: sshPassword)
+        let session = try Session(host: ip, username: sshOptions.sshUsername)
+        try session.authenticate(withIdentity: sshOptions.sshIdentityFile)
         let channel = try session.openChannel()
         let exitCode = channel.execute(script, stdout: FileHandle.standardOutput, stderr: FileHandle.standardError)
 
diff --git a/Sources/gitlab-fusion/Stages/SecureShellOptions.swift b/Sources/gitlab-fusion/Stages/SecureShellOptions.swift
@@ -0,0 +1,20 @@
+//
+//  SecureShellOptions.swift
+//  gitlab-fusion
+//
+//  Created by Ryan Lovelett on 10/10/20.
+//
+
+import ArgumentParser
+import Environment
+import Path
+import VMwareFusion
+
+/// Common arguments used by the individual stage subcommands.
+struct SecureShellOptions: ParsableArguments {
+    @Option(help: "User used to authenticate as over SSH to the VMware Fusion guest.")
+    var sshUsername = "buildbot"
+
+    @Option(help: "Path to a file from which the identity (private key) for public key authentication is read.")
+    var sshIdentityFile = Path.applicationSupport / subsystem / "id_ed25519"
+}
diff --git a/Tests/SecureShellTests/Fixtures/ed25519WithoutPassword b/Tests/SecureShellTests/Fixtures/ed25519WithoutPassword
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACDuYamDhcrjukTnYHhKH9vR+4w786CBI+BTHiVi5Rx/uwAAAJianUMxmp1D
+MQAAAAtzc2gtZWQyNTUxOQAAACDuYamDhcrjukTnYHhKH9vR+4w786CBI+BTHiVi5Rx/uw
+AAAEDnc9ytgpASKJ+EjUy8fuw4GP6CpI9I/QFEQZnUmatjx+5hqYOFyuO6ROdgeEof29H7
+jDvzoIEj4FMeJWLlHH+7AAAAEFNlY3VyZVNoZWxsVGVzdHMBAgMEBQ==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/Tests/SecureShellTests/Fixtures/ed25519WithoutPassword.pub b/Tests/SecureShellTests/Fixtures/ed25519WithoutPassword.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO5hqYOFyuO6ROdgeEof29H7jDvzoIEj4FMeJWLlHH+7 SecureShellTests
diff --git a/Tests/SecureShellTests/Fixtures/emptyFile b/Tests/SecureShellTests/Fixtures/emptyFile
diff --git a/Tests/SecureShellTests/Fixtures/rsaWithoutPassword b/Tests/SecureShellTests/Fixtures/rsaWithoutPassword
@@ -0,0 +1,49 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAgEAoJUJgfMcj0CY6vpSuhRJbs9/HcXerxCoeFOkcuqn3lnA4JvMNKaU
+DDgqu4ZS5iyMbKcMw+ql8ky27ICqhLtI9d3G7KBDwBISbhpYXoFYEgvDgJBtsZVx6Vgfki
+vWyApDpGc7cuexxyebkoR4q8fqaleB/a+WlBOqNuSk6F1tXpMpv4BSvA7tNkHfdlfZoZx3
+/KxKO+MIAYRckWrLLel7CAALoeiTGo5KNjreSX3FKmsnUThjhhuTU24HUFkKEr1HQb6Ap9
+7zPsqjy0/qUFU7vFjr3nkApLCKh9Bc7rjv7WF9wC/eCgGmpQJwgYNmaUz4sNDwJREmDs6p
+0uo8gRHDQhFbhMBGz9uDlSpsVnt5F9QDpIEAcAQ3Kzdu/BKgjFhZQR3YaBn6S4ssoM61c9
+QHsus/9ibjB7OT3uV4XnIFi+h5+UKhMHhCmx5QC8KH2GdFi4uWelHlpvYS4XmATNR3YlbA
+nLZ3hER6UQGsJ531dncY66GEx5s4sJVifKYsYKP6ETS890sVBKcC72e+ChB08ytw/V/Gr9
+eJTpBCS2h+1yFCwUuxhqlxJePK6ZoLj/Gi4kb+THCkdKVUs4bmZATXYaaGyfAsBiaRVaz5
+1qpMesz3Rw1DYCzMxFqNmE8PSXTC77CK7qmWf6/uxmYn1OssbX+klCfWX8YQOgyzrvX+KN
+8AAAdIplScl6ZUnJcAAAAHc3NoLXJzYQAAAgEAoJUJgfMcj0CY6vpSuhRJbs9/HcXerxCo
+eFOkcuqn3lnA4JvMNKaUDDgqu4ZS5iyMbKcMw+ql8ky27ICqhLtI9d3G7KBDwBISbhpYXo
+FYEgvDgJBtsZVx6VgfkivWyApDpGc7cuexxyebkoR4q8fqaleB/a+WlBOqNuSk6F1tXpMp
+v4BSvA7tNkHfdlfZoZx3/KxKO+MIAYRckWrLLel7CAALoeiTGo5KNjreSX3FKmsnUThjhh
+uTU24HUFkKEr1HQb6Ap97zPsqjy0/qUFU7vFjr3nkApLCKh9Bc7rjv7WF9wC/eCgGmpQJw
+gYNmaUz4sNDwJREmDs6p0uo8gRHDQhFbhMBGz9uDlSpsVnt5F9QDpIEAcAQ3Kzdu/BKgjF
+hZQR3YaBn6S4ssoM61c9QHsus/9ibjB7OT3uV4XnIFi+h5+UKhMHhCmx5QC8KH2GdFi4uW
+elHlpvYS4XmATNR3YlbAnLZ3hER6UQGsJ531dncY66GEx5s4sJVifKYsYKP6ETS890sVBK
+cC72e+ChB08ytw/V/Gr9eJTpBCS2h+1yFCwUuxhqlxJePK6ZoLj/Gi4kb+THCkdKVUs4bm
+ZATXYaaGyfAsBiaRVaz51qpMesz3Rw1DYCzMxFqNmE8PSXTC77CK7qmWf6/uxmYn1OssbX
++klCfWX8YQOgyzrvX+KN8AAAADAQABAAACAHU+m+R/hnipZ30ZK9GlAkCfy2YHlKEpfnfs
+SgOFhO95hLP5zM0cWrfZQooMdvaLzDOAfHeHGYahsGVZRCcJPyoUtSsLkKvqBf7RyXem5J
+C4ehOiYBTq0nLW3qYwz+7aX6znmqY4uLp6FsKRajGyE1t1bPm2fDC9cugFZMorfLEyraae
+oMmh9FxLGEcluUagIZMgkErNZokFBTk/Sf3JnQSoU9XxI4aeIV0a+jWaWJyyA9DvZOsDsz
+uU+E4X1Jz+Ccrctr7ar6tG9PR68s+Yi7bnDcAvhOK560tiPJgn+zXMmq35xRp1PiD4eQB2
+2g1EH8eppczKiokBJ0lRsL9kIrUwNcL1UE+MhaGWSBA+10o+FmN5g/uf5lK4JGm22FJGbf
+poULN9wPcL3BEN0voXXTywdzKvCBPeszYw+kOjqweMQEnvx4A6+uYzBL7T3+wcrkxf7AQb
+L5tAy6gDjnmomvFEVOZlWQjbOtFq9VKxT9WDkW8MWwIWyh/LgSSQtlPPp1EPW6DYNKkEvC
+mm1ewLzO0jFUrw1xuWFYF0U1ZGHEPvUJ9ueVsSKGm72mLnXB9D9/JIi7hQsCCdgziRzmJl
+1rep+CRKLjDAuPKhT6k/gZp91vBZXDghXfN/TLLR9u8CFueNda58nDclv4woMZCPZ0tHpx
+e1bvwt04KlYz/pQ06hAAABADAuQJ+mCbMktSssoFzCjGCvwtiOIKiLAVZ5lrMs6ByJmRuO
+EgAKz9aRzQ8Rfua7gsNFqurwrUk9DjIRuFv8wBD4pHtrjhcF44yqSp/kqBH+s/s5/nDVJq
+W5LRt/YZrTpcwb5c5bAr2/4WtREXsBu1Kq+s74ohascKvlKAYZRkFS2LiR+1CtwQNPymYn
+zqoAvaU2TnhbKGTeNLOpc2QMGnUh4+L5ItX/Ga2DWxEmECNiOJbCXlN8T9eujl46q7aiV+
+ZTwHmOz/FjvwxsfIObK4CutA2kPxYovkAFpJ3uvP5xCO6hPWaBpS9+s4Hf/c/IJwnH+mBD
+HOXAO11fMUO8ECMAAAEBAMxfeHVYiLNM1ZpSEotpSULJgBwDbnE0YtNb4ivFUFagg1WT49
+s4Q0K5t47ca8aUUyFr6lVDla3joa/3j2XqJ8xQQpZUlbY2PQXbl+fO4z1tOmFg7SI+7YjP
+dzv5xO+phT6hfE8kGaRkXODcuM3xGZrxrhhDUfKjKy8DStZrzyfkyXy56HRgpjWdyeIzqR
+lQWW5oIAc00Osko/tvxHxNShvU9AXreNQ2FhP+T5AXBwklQpSJl192BzFyvAPzXPCb6WAo
+Nc3or4m8+TECoxqq3yZ0VD79GBGaUsVkTd9qd2grnGHZ2lHO+0cWQN78MOR+izBiTS6vld
+xhtYwanLuh8DcAAAEBAMklrQYfT9oQjx0A4cUoJNL8kL6HmTd+P3sH7lh7CNL4tnj5U/a+
+aVQbJNw6yb53Un1gbOZQETQZhfq5nMHVgI4DT1TBBYgiIBFFIzRSNyBaD5Uvzi7OuA4XfJ
+sd4JeDmwkhPcYp9pTPQSuMmhSUmz6qAMg2/hYAj9LjJdw8BfdU43HLTzCkP32j8YOH/OkD
+fUlq7lOKXiQqwoS0KupW7RQK0mcZqsYiuDgf5eHxKTH7tmZrweT0mOLlqyvmHI2OCNRh3L
+i8bSnehOWrn6L2OXVj8ESrDBouGwMak9XUxe5im6CgYzj1lRzUGltuEB0FltC3q+eOjLms
+CFrb9hg7KJkAAAAQU2VjdXJlU2hlbGxUZXN0cwECAw==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/Tests/SecureShellTests/Fixtures/rsaWithoutPassword.pub b/Tests/SecureShellTests/Fixtures/rsaWithoutPassword.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCglQmB8xyPQJjq+lK6FEluz38dxd6vEKh4U6Ry6qfeWcDgm8w0ppQMOCq7hlLmLIxspwzD6qXyTLbsgKqEu0j13cbsoEPAEhJuGlhegVgSC8OAkG2xlXHpWB+SK9bICkOkZzty57HHJ5uShHirx+pqV4H9r5aUE6o25KToXW1ekym/gFK8Du02Qd92V9mhnHf8rEo74wgBhFyRasst6XsIAAuh6JMajko2Ot5JfcUqaydROGOGG5NTbgdQWQoSvUdBvoCn3vM+yqPLT+pQVTu8WOveeQCksIqH0FzuuO/tYX3AL94KAaalAnCBg2ZpTPiw0PAlESYOzqnS6jyBEcNCEVuEwEbP24OVKmxWe3kX1AOkgQBwBDcrN278EqCMWFlBHdhoGfpLiyygzrVz1Aey6z/2JuMHs5Pe5XhecgWL6Hn5QqEweEKbHlALwofYZ0WLi5Z6UeWm9hLheYBM1HdiVsCctneERHpRAawnnfV2dxjroYTHmziwlWJ8pixgo/oRNLz3SxUEpwLvZ74KEHTzK3D9X8av14lOkEJLaH7XIULBS7GGqXEl48rpmguP8aLiRv5McKR0pVSzhuZkBNdhpobJ8CwGJpFVrPnWqkx6zPdHDUNgLMzEWo2YTw9JdMLvsIruqZZ/r+7GZifU6yxtf6SUJ9ZfxhA6DLOu9f4o3w== SecureShellTests
diff --git a/Tests/SecureShellTests/PrivateKeyTests.swift b/Tests/SecureShellTests/PrivateKeyTests.swift
@@ -0,0 +1,40 @@
+//
+//  PrivateKeyTests.swift
+//  SecureShellTests
+//
+//  Created by Ryan Lovelett on 10/10/20.
+//
+
+import class Foundation.Bundle
+import Path
+@testable import SecureShell
+import XCTest
+
+final class PrivateKeyTests: XCTestCase {
+    var idRsaWithoutPassword: Path {
+        Bundle.module.path(forResource: "rsaWithoutPassword", ofType: nil)!
+    }
+
+    var idED25519WithoutPassword: Path {
+        Bundle.module.path(forResource: "ed25519WithoutPassword", ofType: nil)!
+    }
+
+    var emptyFile: Path {
+        Bundle.module.path(forResource: "emptyFile", ofType: nil)!
+    }
+
+    func testReadingPrivateKeyWithoutPassword() throws {
+        let a = try PrivateKey(contentsOfFile: idRsaWithoutPassword)
+        XCTAssertEqual(a.description, "ssh-rsa")
+        let b = try PrivateKey(contentsOfFile: idED25519WithoutPassword)
+        XCTAssertEqual(b.description, "ssh-ed25519")
+    }
+
+    func testReadingEmptyFile() throws {
+        XCTAssertThrowsError(try PrivateKey(contentsOfFile: emptyFile)) { error in
+            XCTAssertTrue(error is SecureShellError, "Unexpected error type: \(type(of: error))")
+            XCTAssertTrue(error.localizedDescription.starts(with: "Could not import private key at"))
+        }
+    }
+}
+

Original file line number	Diff line number	Diff line change
`@@ -45,4 +45,12 @@ struct SecureShellError: LocalizedError {`
`45`	`45`	`libsshErrorText = "Was not able to infer the error from \(session)."`
`46`	`46`	`}`
`47`	`47`	`}`
	`48`	`+`
	`49`	`+ var errorDescription: String? {`
	`50`	`+ if libsshErrorText.isEmpty {`
	`51`	`+ return description`
	`52`	`+ }`
	`53`	`+`
	`54`	`+ return "\(description) - \(libsshErrorText)"`
	`55`	`+ }`
`48`	`56`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO5hqYOFyuO6ROdgeEof29H7jDvzoIEj4FMeJWLlHH+7 SecureShellTests`