feat: add plugin ssh key generator
This commit is contained in:
+1
-1
@@ -2,7 +2,7 @@ name=mail-login
|
||||
id=mail-login
|
||||
type=user
|
||||
author=HITME.PL
|
||||
version=1.0.2
|
||||
version=1.0.3
|
||||
active=no
|
||||
installed=no
|
||||
user_run_as=root
|
||||
|
||||
Executable
+85
@@ -0,0 +1,85 @@
|
||||
#!/bin/sh
|
||||
set -eu
|
||||
|
||||
KEY_DIR="${MAIL_LOGIN_KEY_DIR:-/usr/local/hitme_plugins/mail-login/secrets}"
|
||||
KEY_NAME="${MAIL_LOGIN_KEY_NAME:-mx1_ed25519}"
|
||||
KEY_PATH="$KEY_DIR/$KEY_NAME"
|
||||
MX_MODE="${MX_LOGIN_MODE:-1}"
|
||||
SOURCE_IP="${SOURCE_IP:-SOURCE_SERVER_PUBLIC_IP}"
|
||||
HELPER_COMMAND="${MAIL_LOGIN_HELPER_COMMAND:-/usr/local/hitme_plugins/mail-login-helper/bin/create-login-url}"
|
||||
|
||||
derive_servername() {
|
||||
if [ -n "${SERVERNAME:-}" ]; then
|
||||
printf '%s' "$SERVERNAME"
|
||||
return
|
||||
fi
|
||||
host="$(hostname -f 2>/dev/null || hostname 2>/dev/null || printf 'source')"
|
||||
printf '%s' "$host" | awk -F. '{print $1}'
|
||||
}
|
||||
|
||||
clean_label() {
|
||||
printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9-]/-/g; s/^-*//; s/-*$//'
|
||||
}
|
||||
|
||||
SERVER_LABEL="$(clean_label "$(derive_servername)")"
|
||||
if [ -z "$SERVER_LABEL" ]; then
|
||||
echo "Cannot determine SERVERNAME" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
case "$MX_MODE" in
|
||||
1|2) ;;
|
||||
*)
|
||||
echo "MX_LOGIN_MODE must be 1 or 2" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
case "$SOURCE_IP" in
|
||||
*[!A-Za-z0-9:./_-]*|'')
|
||||
echo "SOURCE_IP contains unsupported characters" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
mkdir -p "$KEY_DIR"
|
||||
chmod 700 "$KEY_DIR"
|
||||
|
||||
if [ ! -f "$KEY_PATH" ]; then
|
||||
umask 077
|
||||
ssh-keygen -q -t ed25519 -a 100 -N "" -f "$KEY_PATH" -C "KLUCZ PLUGINU mail-autologin DLA SERWERA $SERVER_LABEL"
|
||||
fi
|
||||
|
||||
if [ ! -f "$KEY_PATH.pub" ]; then
|
||||
ssh-keygen -y -f "$KEY_PATH" > "$KEY_PATH.pub"
|
||||
fi
|
||||
|
||||
chmod 600 "$KEY_PATH"
|
||||
chmod 644 "$KEY_PATH.pub"
|
||||
|
||||
PUB_KEY="$(cat "$KEY_PATH.pub")"
|
||||
BASE_OPTIONS="from=\"$SOURCE_IP\",restrict,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty"
|
||||
|
||||
if [ "$MX_MODE" = "2" ]; then
|
||||
AUTH_OPTIONS="$BASE_OPTIONS,command=\"$HELPER_COMMAND\""
|
||||
else
|
||||
AUTH_OPTIONS="$BASE_OPTIONS"
|
||||
fi
|
||||
|
||||
COMMENT="KLUCZ PLUGINU mail-autologin DLA SERWERA $SERVER_LABEL"
|
||||
|
||||
cat <<EOF
|
||||
Private key:
|
||||
$KEY_PATH
|
||||
|
||||
Public key:
|
||||
$KEY_PATH.pub
|
||||
|
||||
Set this in plugin-settings.conf:
|
||||
MAIL_LOGIN_SSH_IDENTITY=$KEY_PATH
|
||||
MAIL_LOGIN_SSH_KNOWN_HOSTS=/root/.ssh/known_hosts
|
||||
|
||||
Add this line to /root/.ssh/authorized_keys on mx1:
|
||||
$AUTH_OPTIONS $PUB_KEY $COMMENT
|
||||
EOF
|
||||
|
||||
@@ -0,0 +1,45 @@
|
||||
<?php
|
||||
declare(strict_types=1);
|
||||
|
||||
test('keygen script creates plugin key and direct ssh authorized keys line', function (): void {
|
||||
$keyDir = TEST_TMP . '/keys-direct';
|
||||
$script = PLUGIN_ROOT . '/scripts/keygen.sh';
|
||||
$cmd = sprintf(
|
||||
'MAIL_LOGIN_KEY_DIR=%s SERVERNAME=%s SOURCE_IP=%s %s',
|
||||
escapeshellarg($keyDir),
|
||||
escapeshellarg('h4'),
|
||||
escapeshellarg('203.0.113.10'),
|
||||
escapeshellarg($script)
|
||||
);
|
||||
|
||||
exec($cmd, $out, $code);
|
||||
|
||||
assert_same(0, $code, implode("\n", $out));
|
||||
assert_true(is_file($keyDir . '/mx1_ed25519'));
|
||||
assert_true(is_file($keyDir . '/mx1_ed25519.pub'));
|
||||
$output = implode("\n", $out);
|
||||
assert_contains('from="203.0.113.10"', $output);
|
||||
assert_contains('restrict,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty', $output);
|
||||
assert_not_contains('command=', $output);
|
||||
assert_contains('KLUCZ PLUGINU mail-autologin DLA SERWERA h4', $output);
|
||||
});
|
||||
|
||||
test('keygen script prints helper forced command line when mx login mode is helper', function (): void {
|
||||
$keyDir = TEST_TMP . '/keys-helper';
|
||||
$script = PLUGIN_ROOT . '/scripts/keygen.sh';
|
||||
$cmd = sprintf(
|
||||
'MAIL_LOGIN_KEY_DIR=%s MX_LOGIN_MODE=2 SERVERNAME=%s SOURCE_IP=%s %s',
|
||||
escapeshellarg($keyDir),
|
||||
escapeshellarg('h4'),
|
||||
escapeshellarg('203.0.113.10'),
|
||||
escapeshellarg($script)
|
||||
);
|
||||
|
||||
exec($cmd, $out, $code);
|
||||
|
||||
assert_same(0, $code, implode("\n", $out));
|
||||
$output = implode("\n", $out);
|
||||
assert_contains('command="/usr/local/hitme_plugins/mail-login-helper/bin/create-login-url"', $output);
|
||||
assert_contains('KLUCZ PLUGINU mail-autologin DLA SERWERA h4', $output);
|
||||
});
|
||||
|
||||
@@ -8,7 +8,7 @@ test('plugin metadata and packaging docs match project rules', function (): void
|
||||
assert_contains('name=mail-login', $conf);
|
||||
assert_contains('id=mail-login', $conf);
|
||||
assert_contains('type=user', $conf);
|
||||
assert_contains('version=1.0.2', $conf);
|
||||
assert_contains('version=1.0.3', $conf);
|
||||
assert_contains('user_run_as=root', $conf);
|
||||
assert_contains('/Users/marek/GPT/ChatGPT/da_plugins/mail-login/src', $packing);
|
||||
assert_contains('/Users/marek/GPT/ChatGPT/da_plugins/mail-login/archives/X.Y.Z/mail-login.tar.gz', $packing);
|
||||
@@ -19,6 +19,7 @@ test('package source excludes local-only files and dangerous placeholders', func
|
||||
assert_contains("--exclude='./.git'", $package);
|
||||
assert_contains("--exclude='./tests'", $package);
|
||||
assert_contains('mail-login.tar.gz', $package);
|
||||
assert_true(is_file(PLUGIN_ROOT . '/scripts/keygen.sh'));
|
||||
|
||||
$bad = [];
|
||||
$it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(PLUGIN_ROOT, FilesystemIterator::SKIP_DOTS));
|
||||
|
||||
Reference in New Issue
Block a user