Merge pull request #256 from github/fix-osx-regressions

Fix macOS/BSD regressions

Author: rubiojr

share/github-backup-utils/ghe-detect-leaked-ssh-keys

@@ -13,30 +13,22 @@ set -e
 
 usage() {
   grep '^#/' < "$0" | cut -c 4-
+  exit 2
 }
 
 TEMPDIR=$(mktemp -d)
 
-# Parse args.
-ARGS=$(getopt --name "$0" --long help,snapshot: --options hs -- "$@") || {
-  usage
-  exit 2
-}
-eval set -- $ARGS
-
 while [ $# -gt 0 ]; do
   case "$1" in
     -h|--help)
       usage
-      exit 2
       ;;
     -s|--snapshot)
-      shift 2
-      snapshot=$1
-      ;;
-    --)
+      snapshot=$2
       shift
-      break
+      ;;
+    *)
+      usage
       ;;
   esac
   shift
@@ -47,6 +39,11 @@ if [ -n "$ppid_script" ]; then
   ppid_name=$(basename $ppid_script)
 fi
 
+sshkeygen_multiple_hash_formats=false
+if (ssh-keygen --a-dedicated-help-flag-would-be-great 2>&1 | grep 'ssh-keygen -l ' | grep -q -- '-E'); then
+  sshkeygen_multiple_hash_formats=true
+fi
+
 # Bring in the backup configuration
 . $( dirname "${BASH_SOURCE[0]}" )/ghe-backup-config
 
@@ -56,14 +53,18 @@ keys="ssh_host_dsa_key.pub ssh_host_ecdsa_key.pub ssh_host_ed25519_key.pub ssh_h
 
 # Get all the host ssh keys tar from all snapshots directories
 if [ -n "$snapshot" ]; then
+  if [ ! -d "$snapshot" ]; then
+    echo "Invalid snapshot directory: $snapshot" >&2
+    exit 1
+  fi
   ssh_tars=$(find "$snapshot" -maxdepth 1 -type f -iname 'ssh-host-keys.tar')
 else
   ssh_tars=$(find "$GHE_DATA_DIR" -maxdepth 2 -type f -iname 'ssh-host-keys.tar')
 fi
 
 # Store the current backup snapshot folder
 if [ -L "$GHE_DATA_DIR/current" ]; then
-  current_dir=$(readlink -f "$GHE_DATA_DIR/current")
+  current_dir=$(cd "$GHE_DATA_DIR/current"; pwd -P)
 fi
 
 leaked_keys_found=false
@@ -72,7 +73,11 @@ for tar_file in $ssh_tars; do
   for key in $keys; do
     if $(tar -tvf "$tar_file" $key &>/dev/null); then
       tar -C $TEMPDIR -xvf "$tar_file" $key &>/dev/null
-      fingerprint=$(ssh-keygen -lf $TEMPDIR/$key | cut -d ' ' -f 2)
+      if $sshkeygen_multiple_hash_formats; then
+        fingerprint=$(ssh-keygen -l -E md5 -f $TEMPDIR/$key | cut -d ' ' -f 2 | cut -f2- -d':')
+      else
+        fingerprint=$(ssh-keygen -lf $TEMPDIR/$key | cut -d ' ' -f 2)
+      fi
       if echo "$fingerprint_blacklist" | grep -q "$fingerprint"; then
         leaked_keys_found=true
         if [ "$current_dir" == $(dirname "$tar_file") ]; then

test/test-ghe-detect-leaked-ssh-keys.sh

@@ -25,7 +25,7 @@ begin_test "ghe-detect-leaked-ssh-keys check -h dispays help message"
 (
   set -e
 
-  ghe-detect-leaked-ssh-keys -h | grep "--help"
+  ghe-detect-leaked-ssh-keys -h | grep "\-\-help"
 )
 end_test