superlint/lib/functions/setupSSH.sh


#!/usr/bin/env bash
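function SetupSshAgent() {
  # Start an ssh-agent and load the private key passed in SSH_KEY (if any) so
  # that later SSH/Git operations can authenticate with it.
  # Globals:  SSH_KEY (read), SSH_AUTH_SOCK (exported)
  # Returns:  0 when no key is configured or the key was loaded; 1 when the
  #           agent could not be started or the key could not be added (the
  #           failure is logged via error() instead of being hidden).
  if [[ -z "${SSH_KEY:-}" ]]; then
    return 0
  fi

  info "--------------------------------------------"
  info "SSH key found, setting up agent..."

  # Put the agent socket in a private, unpredictable directory instead of a
  # fixed /tmp path: a fixed name can be pre-created (squatted) by another user
  # on a shared host, and ssh-agent -a refuses to start when it already exists.
  local SSH_AGENT_DIR
  if ! SSH_AGENT_DIR="$(mktemp -d)"; then
    error "Failed to create a temporary directory for the ssh-agent socket"
    return 1
  fi
  export SSH_AUTH_SOCK="${SSH_AGENT_DIR}/ssh_agent.sock"

  if ! ssh-agent -a "${SSH_AUTH_SOCK}" >/dev/null; then
    error "Failed to start ssh-agent on ${SSH_AUTH_SOCK}"
    return 1
  fi

  # The key is fed over stdin (not argv, where ps could expose it). Capture
  # ssh-add's diagnostics so a malformed or passphrase-protected key is
  # reported rather than silently dropped.
  local SSH_ADD_OUTPUT
  if ! SSH_ADD_OUTPUT="$(ssh-add - <<<"${SSH_KEY}" 2>&1)"; then
    error "Failed to add the SSH key to the agent: ${SSH_ADD_OUTPUT}"
    return 1
  fi
}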
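function GetGitHubSshRsaKeyFingerprint() {
  # Query the GitHub meta API for the SHA256 fingerprint of GitHub's RSA host
  # key and print it prefixed with "SHA256:" so it compares directly against
  # ssh-keygen -l output.
  # Globals:  GITHUB_META_URL (read), GITHUB_TOKEN (read, optional)
  # Outputs:  "SHA256:<fingerprint>" on stdout
  # Returns:  0; calls fatal() when the request fails or the response does not
  #           contain the fingerprint.
  if [[ -z "${GITHUB_META_URL:-}" ]]; then
    fatal "GITHUB_META_URL is not set; cannot fetch the GitHub RSA key fingerprint"
  fi

  local -a CURL_ARGS=(
    -f -s --show-error
    --url "${GITHUB_META_URL}"
    -H 'Accept: application/vnd.github.v3+json'
    -H 'X-GitHub-Api-Version: 2022-11-28'
  )
  # The meta endpoint does not require credentials; only send the token when
  # one is configured so an empty value does not produce a malformed
  # "Bearer " header. Note the token goes to whatever host GITHUB_META_URL
  # points at.
  if [[ -n "${GITHUB_TOKEN:-}" ]]; then
    CURL_ARGS+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
  fi

  local GET_SSH_RSA_KEY_FINGERPRINT_CMD
  if ! GET_SSH_RSA_KEY_FINGERPRINT_CMD=$(curl "${CURL_ARGS[@]}" 2>&1); then
    fatal "Failed to get GitHub RSA key fingerprint from ${GITHUB_META_URL}: ${GET_SSH_RSA_KEY_FINGERPRINT_CMD}"
  fi

  # jq -e exits non-zero when the selected value is null or missing, so a 200
  # response with an unexpected body cannot yield the bogus value
  # "SHA256:null", which would make every host-key comparison fail later.
  local SSH_RSA_KEY_FINGERPRINT
  if ! SSH_RSA_KEY_FINGERPRINT="$(jq -e -r '.ssh_key_fingerprints.SHA256_RSA' <<<"${GET_SSH_RSA_KEY_FINGERPRINT_CMD}")"; then
    fatal "Response from ${GITHUB_META_URL} does not contain .ssh_key_fingerprints.SHA256_RSA: ${GET_SSH_RSA_KEY_FINGERPRINT_CMD}"
  fi
  echo "SHA256:${SSH_RSA_KEY_FINGERPRINT}"
}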
# Exported so child bash processes inherit this function; the other functions
# defined here are not exported.
export -f GetGitHubSshRsaKeyFingerprint
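function SetupGithubComSshKeys() {
  # Add GITHUB_DOMAIN's RSA host key to ~/.ssh/known_hosts after checking the
  # key returned by ssh-keyscan against the fingerprint published by the
  # GitHub meta API (the check is skipped when
  # SSH_INSECURE_NO_VERIFY_GITHUB_KEY is "true").
  # Globals:  SSH_KEY, SSH_SETUP_GITHUB, SSH_INSECURE_NO_VERIFY_GITHUB_KEY,
  #           GITHUB_DOMAIN (read); GITHUB_RSA_FINGERPRINT (written; left
  #           global as before for anything that reads it afterwards)
  # Returns:  0; a key that cannot be verified is reported via error() and is
  #           not added, as before.
  if [[ -z "${SSH_KEY:-}" && "${SSH_SETUP_GITHUB:-}" != "true" ]]; then
    return 0
  fi

  info "Adding ${GITHUB_DOMAIN} SSH keys"
  # Fetched out of band from
  # https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
  GITHUB_RSA_FINGERPRINT="$(GetGitHubSshRsaKeyFingerprint)"
  debug "${GITHUB_DOMAIN} key RSA key fingerprint: ${GITHUB_RSA_FINGERPRINT}"

  # Scan into a private temp file rather than a fixed /tmp path: a predictable
  # name could be pre-created or swapped by another user between the scan and
  # the fingerprint check below, which would defeat the verification.
  local GITHUB_PUB_KEY_FILE
  if ! GITHUB_PUB_KEY_FILE="$(mktemp)"; then
    error "Could not create a temporary file for the ${GITHUB_DOMAIN} host key. SSH requests to ${GITHUB_DOMAIN} will likely fail."
    return 0
  fi
  ssh-keyscan -t rsa "${GITHUB_DOMAIN}" >"${GITHUB_PUB_KEY_FILE}" 2>/dev/null

  local ADD_KEY=false
  if [[ "${SSH_INSECURE_NO_VERIFY_GITHUB_KEY:-}" == "true" ]]; then
    warn "Skipping ${GITHUB_DOMAIN} key verification and adding without checking fingerprint"
    ADD_KEY=true
  # GitHub's RSA host key is 3072 bits; the whole ssh-keygen -l line is
  # compared so size, fingerprint and host name must all match.
  elif [[ "$(ssh-keygen -lf "${GITHUB_PUB_KEY_FILE}")" == "3072 ${GITHUB_RSA_FINGERPRINT} ${GITHUB_DOMAIN} (RSA)" ]]; then
    info "Successfully verified ${GITHUB_DOMAIN} key"
    ADD_KEY=true
  else
    error "Could not verify ${GITHUB_DOMAIN} key. SSH requests to ${GITHUB_DOMAIN} will likely fail."
  fi

  if [[ "${ADD_KEY}" == "true" ]]; then
    # -m only applies to a directory mkdir creates; an existing ~/.ssh keeps
    # its current mode.
    mkdir -p -m 700 ~/.ssh
    cat "${GITHUB_PUB_KEY_FILE}" >>~/.ssh/known_hosts
  fi
  rm -f -- "${GITHUB_PUB_KEY_FILE}"
}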