Rework authorizedPublicKeys to make it a resource instead of a file

README.md

@@ -748,6 +748,12 @@ public class ApplicationTest {}
 
 ## Release notes
 
+### 1.5.4
+
+* `authorizedPublicKeysFile` becomes `authorizedPublicKeys` and is now a spring resource ; you can now use :
+  * `ssh.shell.authorized-public-keys=<spring-resource-path>` (`file:<path>`, `classpath:<path>`, etc)
+  * `ssh.shell.authorized-public-keys-file=<file-path>`
+
 ### 1.5.3
 
 * Rewrite script command to be usable in background with result file (options added to default command)

lombok.config

@@ -1 +1,2 @@
-lombok.log.fieldName=LOGGER
+lombok.log.fieldName=LOGGER
+lombok.equalsandhashcode.callsuper=CALL

samples/basic/src/main/java/com/github/fonimus/ssh/shell/basic/BasicApplication.java

@@ -26,6 +26,11 @@
 @SpringBootApplication
 public class BasicApplication {
 
+    /**
+     * Start basic application
+     *
+     * @param args main args
+     */
     public static void main(String[] args) {
         new SpringApplicationBuilder(BasicApplication.class).bannerMode(Banner.Mode.OFF).run(args);
     }

samples/basic/src/main/java/com/github/fonimus/ssh/shell/basic/DemoCommand.java

@@ -44,6 +44,11 @@ public class DemoCommand {
 
     private final SshShellHelper helper;
 
+    /**
+     * Default constructor
+     *
+     * @param helper ssh shell helper
+     */
     public DemoCommand(SshShellHelper helper) {
         this.helper = helper;
     }

samples/basic/src/main/resources/application.yml

@@ -4,7 +4,7 @@ ssh:
       color: cyan
       text: 'basic::>'
     password: password
-    authorized-public-keys-file: samples/public-keys-sample
+    authorized-public-keys-file: samples/complete/src/main/resources/.ssh/authorized.keys
     commands:
       jmx:
         create: false

samples/complete/pom.xml

@@ -79,6 +79,14 @@
                 </includes>
                 <filtering>true</filtering>
             </resource>
+            <resource>
+                <directory>${basedir}/src/main/resources</directory>
+                <excludes>
+                    <exclude>*.yml</exclude>
+                    <exclude>*.txt</exclude>
+                </excludes>
+                <filtering>false</filtering>
+            </resource>
         </resources>
         <plugins>
             <plugin>

samples/complete/src/main/java/com/github/fonimus/ssh/shell/complete/CompleteApplication.java

@@ -27,6 +27,11 @@
 @EnableScheduling
 public class CompleteApplication {
 
+    /**
+     * Start complete application
+     *
+     * @param args main args
+     */
     public static void main(String[] args) {
         SpringApplication.run(CompleteApplication.class, args);
     }

samples/complete/src/main/resources/.ssh/authorized.keys

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDlkW3hZVrrOPjcswznq5WDbF8IV3iEZo4EP2A9Ofl2dqqfKhgObDQuMUQN1OebBpUCo9W13CUle1ca7AdXJY4ZU62+YJCDKy9+hSz+KWfl7kJx+StL57sv3ProC3n7gAH+uedY6pSlHr6zTjsiEyGZbaKaSShFBX0ta3j+vZ11T+bxyK3j7BFJ2YcUa4ys+gphm3by/LV6xEhr3tohnFhfO5COKrEYqYC97EjsgDhcaFtpzjOnFoYC+HDCAFCwKWJj+Puu9qNj+NlT0gX4DuVFbWEEwH2ZB+qhk5/b75pAGLikRTK9lPLrTX0MX283lAWrD84d6xKWZaqrcxoP1HBnTCaqs5XGrXN81UP2EK+3KYNcNoIwN9x5UABOc1vDfK91IyYNgheVl8NT+T7TYNNj27piXFlvSgDx5dmuqBopYri+IqS17KJXaVgRjbdAwkWHNCqqSW9RoGDxUWlYgOh7KhNlN2m4AcW9YMEd1z2WWaYQpevYG3p3GGEZ8Av5Hbk= [email protected]

samples/complete/src/main/resources/application.yml

@@ -10,7 +10,7 @@ ssh:
   shell:
     authentication: security
     auth-provider-bean-name: customAuthManager
-    authorized-public-keys-file: samples/public-keys-sample
+    authorized-public-keys: classpath:.ssh/authorized.keys
     extended-file-provider: false
     commands:
       actuator:

starter/src/main/java/com/github/fonimus/ssh/shell/SshShellConfiguration.java

@@ -78,18 +78,20 @@ public void stopServer() throws IOException {
      * @return ssh server
      */
     @Bean
-    public SshServer sshServer() {
+    public SshServer sshServer() throws IOException {
         SshServer server = SshServer.setUpDefaultServer();
         server.setKeyPairProvider(new SimpleGeneratorHostKeyProvider(properties.getHostKeyFile().toPath()));
         server.setHost(properties.getHost());
         server.setPasswordAuthenticator(passwordAuthenticator);
         server.setPublickeyAuthenticator(RejectAllPublickeyAuthenticator.INSTANCE);
-        if (properties.getAuthorizedPublicKeysFile() != null) {
-            if (properties.getAuthorizedPublicKeysFile().exists() && properties.getAuthorizedPublicKeysFile().canRead()) {
-                server.setPublickeyAuthenticator(new SshShellPublicKeyAuthenticationProvider(properties.getAuthorizedPublicKeysFile()));
+        if (properties.getAuthorizedPublicKeys() != null) {
+            if (properties.getAuthorizedPublicKeys().exists()) {
+                server.setPublickeyAuthenticator(new SshShellPublicKeyAuthenticationProvider(properties.getAuthorizedPublicKeys().getFile()));
+                LOGGER.info("Using authorized public keys from : {}",
+                        properties.getAuthorizedPublicKeys().getDescription());
             } else {
-                LOGGER.warn("Could not read authorized public keys file [{}], public key authentication is disabled.",
-                        properties.getAuthorizedPublicKeysFile().getAbsolutePath());
+                LOGGER.warn("Could not read authorized public keys from : {}, public key authentication is disabled.",
+                        properties.getAuthorizedPublicKeys().getDescription());
             }
         }
         server.setPort(properties.getPort());

starter/src/main/java/com/github/fonimus/ssh/shell/SshShellProperties.java

@@ -20,6 +20,8 @@
 import lombok.Data;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.boot.context.properties.NestedConfigurationProperty;
+import org.springframework.core.io.FileSystemResource;
+import org.springframework.core.io.Resource;
 import org.springframework.validation.annotation.Validated;
 
 import java.io.File;
@@ -78,7 +80,7 @@ public class SshShellProperties {
 
     private File hostKeyFile = new File(System.getProperty("java.io.tmpdir"), "hostKey.ser");
 
-    private File authorizedPublicKeysFile;
+    private Resource authorizedPublicKeys;
 
     private File historyFile = new File(System.getProperty("java.io.tmpdir"), "sshShellHistory.log");
 
@@ -99,6 +101,10 @@ public enum AuthenticationType {
 
     private Commands commands = new Commands();
 
+    public void setAuthorizedPublicKeysFile(File file) {
+        this.authorizedPublicKeys = new FileSystemResource(file);
+    }
+
     /**
      * Prompt configuration
      */

starter/src/test/java/com/github/fonimus/ssh/shell/auth/SshShellPublicKeyAuthenticationProviderTest.java

@@ -0,0 +1,73 @@
+package com.github.fonimus.ssh.shell.auth;
+
+import org.apache.sshd.common.io.IoSession;
+import org.apache.sshd.server.session.ServerSession;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.FileSystemResource;
+
+import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.security.KeyFactory;
+import java.security.PublicKey;
+import java.security.spec.X509EncodedKeySpec;
+
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+class SshShellPublicKeyAuthenticationProviderTest {
+
+    private static PublicKey pub;
+    private static PublicKey wrongPub;
+
+    private SshShellPublicKeyAuthenticationProvider pubKeyAuthProv;
+
+    @BeforeAll
+    public static void init() throws Exception {
+        KeyFactory kf = KeyFactory.getInstance("RSA");
+        pub = kf.generatePublic(new X509EncodedKeySpec(Files.readAllBytes(Paths.get("src/test/resources/.ssh/pub.der"))));
+        wrongPub = kf.generatePublic(new X509EncodedKeySpec(Files.readAllBytes(Paths.get("src/test/resources/.ssh/wrong_pub.der"))));
+    }
+
+    @Test
+    public void testFile() throws Exception {
+        File file = new File("src/test/resources/.ssh/authorized.keys");
+        assertTrue(file.exists());
+        internalTest(file);
+    }
+
+    @Test
+    public void testSpringFileResource() throws Exception {
+        FileSystemResource resource = new FileSystemResource("src/test/resources/.ssh/authorized.keys");
+        assertTrue(resource.exists());
+        internalTest(resource.getFile());
+    }
+
+    @Test
+    public void testSpringClasspathResource() throws Exception {
+        ClassPathResource resource = new ClassPathResource(".ssh/authorized.keys");
+        assertTrue(resource.exists());
+        internalTest(resource.getFile());
+    }
+
+    @Test
+    public void testNotExisting() throws Exception {
+        pubKeyAuthProv = new SshShellPublicKeyAuthenticationProvider(new File("not-existing"));
+        assertFalse(pubKeyAuthProv.exists());
+        assertEquals(-1, pubKeyAuthProv.size());
+    }
+
+    private void internalTest(File file) throws Exception {
+        pubKeyAuthProv = new SshShellPublicKeyAuthenticationProvider(file);
+        assertTrue(pubKeyAuthProv.exists());
+        ServerSession session = mock(ServerSession.class);
+        IoSession io = mock(IoSession.class);
+        when(session.getIoSession()).thenReturn(io);
+        assertTrue(pubKeyAuthProv.authenticate("user", pub, session));
+        assertFalse(pubKeyAuthProv.authenticate("user", wrongPub, session));
+    }
+
+}

starter/src/test/resources/.ssh/authorized.keys

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDlkW3hZVrrOPjcswznq5WDbF8IV3iEZo4EP2A9Ofl2dqqfKhgObDQuMUQN1OebBpUCo9W13CUle1ca7AdXJY4ZU62+YJCDKy9+hSz+KWfl7kJx+StL57sv3ProC3n7gAH+uedY6pSlHr6zTjsiEyGZbaKaSShFBX0ta3j+vZ11T+bxyK3j7BFJ2YcUa4ys+gphm3by/LV6xEhr3tohnFhfO5COKrEYqYC97EjsgDhcaFtpzjOnFoYC+HDCAFCwKWJj+Puu9qNj+NlT0gX4DuVFbWEEwH2ZB+qhk5/b75pAGLikRTK9lPLrTX0MX283lAWrD84d6xKWZaqrcxoP1HBnTCaqs5XGrXN81UP2EK+3KYNcNoIwN9x5UABOc1vDfK91IyYNgheVl8NT+T7TYNNj27piXFlvSgDx5dmuqBopYri+IqS17KJXaVgRjbdAwkWHNCqqSW9RoGDxUWlYgOh7KhNlN2m4AcW9YMEd1z2WWaYQpevYG3p3GGEZ8Av5Hbk= [email protected]