G-Research · fabiovincenzi · Mar 31, 2025 · Apr 25, 2025 · Apr 28, 2025 · May 21, 2025
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/config/index.ts b/src/config/index.ts
@@ -67,6 +67,13 @@ export const getSSHConfig = () => {
   }
   return _sshConfig;
 };
+export const getPublicSSHConfig = () => {
+  if (_userSettings !== null && _userSettings.ssh) {
+    _sshConfig = _userSettings.ssh;
+  }
+  const { enabled = false, port = 22 } = _sshConfig;
+  return { enabled, port };
+};
 
 // Gets a list of authorised repositories
 export const getAuthorisedList = () => {
@@ -104,7 +111,7 @@ export const getDatabase = () => {
 
 /**
  * Get the list of enabled authentication methods
- * 
+ *
  * At least one authentication method must be enabled.
  * @return {Array} List of enabled authentication methods
  */
@@ -116,15 +123,15 @@ export const getAuthMethods = () => {
   const enabledAuthMethods = _authentication.filter((auth) => auth.enabled);
 
   if (enabledAuthMethods.length === 0) {
-    throw new Error("No authentication method enabled");
+    throw new Error('No authentication method enabled');
   }
 
   return enabledAuthMethods;
 };
 
 /**
  * Get the list of enabled authentication methods for API endpoints
- * 
+ *
  * If no API authentication methods are enabled, all endpoints are public.
  * @return {Array} List of enabled authentication methods
  */
@@ -133,7 +140,7 @@ export const getAPIAuthMethods = () => {
     _apiAuthentication = _userSettings.apiAuthentication;
   }
 
-  const enabledAuthMethods = _apiAuthentication.filter(auth => auth.enabled);
+  const enabledAuthMethods = _apiAuthentication.filter((auth) => auth.enabled);
 
   return enabledAuthMethods;
 };

diff --git a/src/db/file/index.ts b/src/db/file/index.ts
@@ -36,5 +36,6 @@ export const {
   updateUser,
   addPublicKey,
   removePublicKey,
+  getPublicKeys,
   findUserBySSHKey,
 } = users;
diff --git a/src/db/file/users.ts b/src/db/file/users.ts
@@ -25,11 +25,7 @@ export const findUser = (username: string) => {
       if (err) {
         reject(err);
       } else {
-        if (!doc) {
-          resolve(null);
-        } else {
-          resolve(doc);
-        }
+        resolve(doc || null);
       }
     });
   });
@@ -43,11 +39,7 @@ export const findUserByOIDC = function (oidcId: string) {
       if (err) {
         reject(err);
       } else {
-        if (!doc) {
-          resolve(null);
-        } else {
-          resolve(doc);
-        }
+        resolve(doc || null);
       }
     });
   });
@@ -140,15 +132,21 @@ export const getUsers = (query: any = {}) => {
     db.find(query, (err: Error, docs: User[]) => {
       // ignore for code coverage as neDB rarely returns errors even for an invalid query
       /* istanbul ignore if */
-      if (err) {
-        reject(err);
-      } else {
-        resolve(docs);
-      }
+      if (err) reject(err);
+      else resolve(docs);
     });
   });
 };
 
+export const getPublicKeys = (username: string): Promise<string[]> => {
+  return findUser(username).then((user) => {
+    if (!user) {
+      throw new Error('User not found');
+    }
+    return user.publicKeys || [];
+  });
+};
+
 export const addPublicKey = function (username: string, publicKey: string) {
   return new Promise<User>((resolve, reject) => {
     findUser(username)

diff --git a/src/db/index.ts b/src/db/index.ts
@@ -84,5 +84,6 @@ export const {
   getSessionStore,
   addPublicKey,
   removePublicKey,
+  getPublicKeys,
   findUserBySSHKey,
 } = sink;
diff --git a/src/db/mongo/users.ts b/src/db/mongo/users.ts
@@ -68,3 +68,11 @@ export const findUserBySSHKey = async function (sshKey: string) {
   const collection = await connect(collectionName);
   return collection.findOne({ publicKeys: { $eq: sshKey } });
 };
+
+export const getPublicKeys = async function (username: string): Promise<string[]> {
+  const user = await findUser(username);
+  if (!user) {
+    throw new Error('User not found');
+  }
+  return user.publicKeys || [];
+};
diff --git a/src/service/routes/users.js b/src/service/routes/users.js
@@ -1,3 +1,5 @@
+import crypto from 'node:crypto';
+
 const express = require('express');
 const router = new express.Router();
 const db = require('../../db');
@@ -100,4 +102,78 @@ router.delete('/:username/ssh-keys', async (req, res) => {
   }
 });
 
+router.delete('/:username/ssh-keys/fingerprint', async (req, res) => {
+  if (!req.user) {
+    return res.status(401).json({ error: 'Authentication required' });
+  }
+
+  const targetUsername = req.params.username.toLowerCase();
+
+  if (req.user.username !== targetUsername && !req.user.admin) {
+    return res.status(403).json({ error: 'Not authorized to remove keys for this user' });
+  }
+
+  const { fingerprint } = req.body;
+  if (!fingerprint) {
+    return res.status(400).json({ error: 'Fingerprint is required' });
+  }
+
+  try {
+    const keys = await db.getPublicKeys(targetUsername);
+    console.log(`Found ${keys} keys for user ${targetUsername}`);
+    const keyToDelete = keys.find((k) => {
+      const keyFingerprint = sshFingerprintSHA256(k);
+      return keyFingerprint === fingerprint;
+    });
+
+    if (!keyToDelete) {
+      return res.status(404).json({ error: 'SSH key not found for supplied fingerprint' });
+    }
+
+    await db.removePublicKey(targetUsername, keyToDelete);
+    res.status(200).json({ message: 'SSH key removed successfully' });
+  } catch (err) {
+    console.error('Error removing SSH key:', err);
+    res.status(500).json({ error: 'Failed to remove SSH key' });
+  }
+});
+
+// Utility: compute the fingerprint "SHA256:<digest>"
+function sshFingerprintSHA256(pubKey) {
+  if (!pubKey) return '';
+
+  // OpenSSH keys are: "<algorithm> <base64-blob> [comment]"
+  const b64 = pubKey.trim().split(/\s+/)[1];
+  if (!b64) return '';
+
+  const raw = Buffer.from(b64, 'base64'); // raw key bytes
+  const hash = crypto.createHash('sha256').update(raw).digest('base64');
+
+  return 'SHA256:' + hash.replace(/=+$/, '');
+}
+
+// Return only fingerprints & metadata,
+router.get('/:username/ssh-keys', async (req, res) => {
+  if (!req.user) {
+    return res.status(401).json({ error: 'Authentication required' });
+  }
+
+  const targetUsername = req.params.username.toLowerCase();
+
+  // A user can view their own keys; admins can view anyone's
+  if (req.user.username !== targetUsername && !req.user.admin) {
+    return res.status(403).json({ error: 'Not authorized to view keys for this user' });
+  }
+
+  try {
+    const keys = await db.getPublicKeys(targetUsername);
+    const result = keys.map((k) => sshFingerprintSHA256(k));
+
+    res.status(200).json({ publicKeys: result });
+  } catch (err) {
+    console.error('Error fetching SSH keys:', err);
+    res.status(500).json({ error: 'Failed to fetch SSH keys' });
+  }
+});
+
 module.exports = router;