Store SSH keys in git
The public SSH keys of a user are now stored in an authorized_keys file in the All-Users repository in the refs/users/CD/ABCD branch of the user. Storing SSH keys in an authorized_keys file is the standard way for SSH to store public keys. Each key is stored on a separate line. The order of the keys in the file determines the sequence numbers of the keys. Invalid keys are marked with the prefix '# INVALID'. To keep the sequence numbers intact when a key is deleted, a '# DELETED' line is inserted at the position where the key was deleted. Other comment lines are ignored on read, and are not written back when the file is modified. Supporting a 2-step live migration for a multi-master Gerrit installation is not needed since the googlesource.com instances do not use SSH and there are no other multi-master installations. On creation of an SSH key, RFC 4716 style keys need to be converted to OpenSSH style keys. Also before adding a key it should be checked that the key is parseable. Both of this requires classes from SSH libs that are only available in the SSH layer. This is why the SSH key creation must be done there. So far this was done in SshKeyCacheImpl, but since SshKeyCacheImpl needs VersionedAuthorizedKeys to load keys and to mark keys as invalid, VersionedAuthorizedKeys cannot not depend on SshKeyCacheImpl as this would be a cyclic dependency. Instead split out the SSH key creation from SshKeyCacheImpl into SshKeyCreatorImpl. This way SshKeyCacheImpl depends on VersionedAuthorizedKeys and VersionedAuthorizedKeys depends on SshKeyCreatorImpl, and there is no dependency circle. Change-Id: I8fcc3c0f27e034fc2c8e8ae3612068099075467d Signed-off-by: Edwin Kempin <ekempin@google.com>
This commit is contained in:
Edwin Kempin
@@ -20,13 +20,14 @@ import com.google.inject.AbstractModule;
|
||||
import com.google.inject.Module;
|
||||
|
||||
|
||||
public class NoSshKeyCache implements SshKeyCache {
|
||||
public class NoSshKeyCache implements SshKeyCache, SshKeyCreator {
|
||||
|
||||
public static Module module() {
|
||||
return new AbstractModule() {
|
||||
@Override
|
||||
protected void configure() {
|
||||
bind(SshKeyCache.class).to(NoSshKeyCache.class);
|
||||
bind(SshKeyCreator.class).to(NoSshKeyCache.class);
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
@@ -14,13 +14,7 @@
|
||||
|
||||
package com.google.gerrit.server.ssh;
|
||||
|
||||
import com.google.gerrit.common.errors.InvalidSshKeyException;
|
||||
import com.google.gerrit.reviewdb.client.AccountSshKey;
|
||||
|
||||
/** Permits controlling the contents of the SSH key cache area. */
|
||||
public interface SshKeyCache {
|
||||
void evict(String username);
|
||||
|
||||
AccountSshKey create(AccountSshKey.Id id, String encoded)
|
||||
throws InvalidSshKeyException;
|
||||
}
|
||||
|
||||
@@ -0,0 +1,23 @@
|
||||
// Copyright (C) 2016 The Android Open Source Project
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package com.google.gerrit.server.ssh;
|
||||
|
||||
import com.google.gerrit.common.errors.InvalidSshKeyException;
|
||||
import com.google.gerrit.reviewdb.client.AccountSshKey;
|
||||
|
||||
public interface SshKeyCreator {
|
||||
AccountSshKey create(AccountSshKey.Id id, String encoded)
|
||||
throws InvalidSshKeyException;
|
||||
}
|
||||
Reference in New Issue
Block a user