GitLab CI: make ssh config check less strict

For backwards compatibility we only inject the ssh rewrites if no ssh config is present. The documentation was a bit imprecise w.r.t. what exactly ssh config means, but the implementation checked for any file in ~/.ssh. This is too strict, as the authorized_keys or known_hosts files are sometimes used to inject the ssh fingerprint of the own GitLab instance. The presence of these files does not interfere with our rewrite rules. We change that by only checking for kas related ssh config vars as well as the presence of `~/.ssh/config`. Reported-by: Florian Bezdeka <[email protected]> Fixes: af6b9ae ("auto-inject git credentials on gitlab ci") Signed-off-by: Felix Moessbauer <[email protected]> Reviewed-by: Frieder Schrempf <[email protected]> Signed-off-by: Jan Kiszka <[email protected]>
siemens · Oct 23, 2024 · 66b7d79 · 66b7d79
1 parent 603a888
commit 66b7d79
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 7 deletions.
diff --git a/docs/userguide/credentials.rst b/docs/userguide/credentials.rst
@@ -62,7 +62,8 @@ for repos stored on the same server. Technically this is achieved by adding
 `insteadof` entries to the ``.gitconfig`` file.
 
 For backwards compatibility, the git rewrite rules are only added if
-``.gitconfig`` does not exists and no SSH configuration is provided.
+``.gitconfig`` does not exist and no SSH configuration is provided (either
+via the kas ``SSH_`` variables or using ``.ssh/config``).
 
 If the ``CI_REGISTRY``, ``CI_REGISTRY_USER`` and ``CI_JOB_TOKEN`` variables
 are set, kas automatically creates a login file for the container

diff --git a/kas/libcmds.py b/kas/libcmds.py
@@ -193,18 +193,16 @@ def __str__(self):
     @staticmethod
     def _ssh_config_present():
         """
-            Checks if any file in the .ssh dir exists or
-            any manual ssh config option is set.
+            Checks if the .ssh/config file exists or any manual ssh config
+            option is set.
         """
         ssh_vars = ['SSH_PRIVATE_KEY', 'SSH_PRIVATE_KEY_FILE', 'SSH_AUTH_SOCK']
         if any(e in os.environ for e in ssh_vars):
             return True
 
         ssh_path = os.path.expanduser('~/.ssh')
-        if os.path.isdir(ssh_path):
-            with os.scandir(ssh_path) as it:
-                if any(it):
-                    return True
+        if os.path.exists(os.path.join(ssh_path, 'config')):
+            return True
         return False
 
     def _setup_netrc(self):