3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-06 10:21:05 +02:00
Code Issues Projects Releases Packages Wiki Activity

ssh: remove padding chars from base64 fingerprint (#5698)

Browse source 
Use RawStdEncoding to compute the base64 fingerprint as part of SSH
session IDs. This is mostly just so that we can use the go
`ssh.FingerprintSHA256` function in tests (which uses RawStdEncoding) to
assert on session ID strings
This commit is contained in:
Joe Kralicky 2025-07-07 12:11:53 -04:00 committed by GitHub
parent b2a86913b4
commit 4683685737
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 6 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

2
pkg/ssh/auth.go
View file

@ -351,7 +351,7 @@ func sessionIDFromFingerprint(sha256fingerprint []byte) (string, error) {
if len(sha256fingerprint) != sha256.Size { if len(sha256fingerprint) != sha256.Size {
return "", errInvalidFingerprint return "", errInvalidFingerprint
} }
return "sshkey-SHA256:" + base64.StdEncoding.EncodeToString(sha256fingerprint), nil return "sshkey-SHA256:" + base64.RawStdEncoding.EncodeToString(sha256fingerprint), nil
} }
var errPublicKeyAllowNil = errors.New("expected PublicKeyAllow message not to be nil") var errPublicKeyAllowNil = errors.New("expected PublicKeyAllow message not to be nil")

10
pkg/ssh/auth_test.go
View file

@ -59,7 +59,7 @@ func TestHandlePublicKeyMethodRequest(t *testing.T) {
Username: "username", Username: "username",
Hostname: "hostname", Hostname: "hostname",
PublicKey: fakePublicKey, PublicKey: fakePublicKey,
SessionID: "sshkey-SHA256:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY=", SessionID: "sshkey-SHA256:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY",
}) })
return &evaluator.Result{ return &evaluator.Result{
Allow: evaluator.NewRuleResult(true), Allow: evaluator.NewRuleResult(true),
@ -278,7 +278,7 @@ func TestHandleKeyboardInteractiveMethodRequest(t *testing.T) {
assert.Equal(t, "fake.user@example.com", putRecords[0].Id) assert.Equal(t, "fake.user@example.com", putRecords[0].Id)
assert.Equal(t, "type.googleapis.com/session.Session", putRecords[1].Type) assert.Equal(t, "type.googleapis.com/session.Session", putRecords[1].Type)
assert.Equal(t, "sshkey-SHA256:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY=", putRecords[1].Id) assert.Equal(t, "sshkey-SHA256:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY", putRecords[1].Id)
}) })
t.Run("denied", func(t *testing.T) { t.Run("denied", func(t *testing.T) {
pe := func(_ context.Context, _ *Request) (*evaluator.Result, error) { pe := func(_ context.Context, _ *Request) (*evaluator.Result, error) {
@ -365,7 +365,7 @@ func TestFormatSession(t *testing.T) {
get: func( get: func(
_ context.Context, in *databroker.GetRequest, _ ...grpc.CallOption, _ context.Context, in *databroker.GetRequest, _ ...grpc.CallOption,
) (*databroker.GetResponse, error) { ) (*databroker.GetResponse, error) {
const expectedID = "sshkey-SHA256:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY=" const expectedID = "sshkey-SHA256:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY"
assert.Equal(t, in.Type, "type.googleapis.com/session.Session") assert.Equal(t, in.Type, "type.googleapis.com/session.Session")
assert.Equal(t, in.Id, expectedID) assert.Equal(t, in.Id, expectedID)
claims := identity.FlattenedClaims{ claims := identity.FlattenedClaims{
@ -394,7 +394,7 @@ func TestFormatSession(t *testing.T) {
assert.NoError(t, err) assert.NoError(t, err)
assert.Equal(t, string(b), ` assert.Equal(t, string(b), `
User ID: USER-ID User ID: USER-ID
Session ID: sshkey-SHA256:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY= Session ID: sshkey-SHA256:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY
Expires at: 2025-06-26 19:15:58 +0000 UTC Expires at: 2025-06-26 19:15:58 +0000 UTC
Claims: Claims:
foo: [bar baz] foo: [bar baz]
@ -419,7 +419,7 @@ func TestDeleteSession(t *testing.T) {
_ context.Context, in *databroker.PutRequest, _ ...grpc.CallOption, _ context.Context, in *databroker.PutRequest, _ ...grpc.CallOption,
) (*databroker.PutResponse, error) { ) (*databroker.PutResponse, error) {
require.Len(t, in.Records, 1) require.Len(t, in.Records, 1)
assert.Equal(t, in.Records[0].Id, "sshkey-SHA256:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY=") assert.Equal(t, in.Records[0].Id, "sshkey-SHA256:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY")
assert.NotNil(t, in.Records[0].DeletedAt) assert.NotNil(t, in.Records[0].DeletedAt)
return nil, putError return nil, putError
}, },