GitLab CI: make ssh config check less strict

fmoessbauer · jan-kiszka · commit 66b7d795d64b · 2024-10-23T16:41:13.000+02:00
For backwards compatibility we only inject the ssh rewrites if no ssh config is present. The documentation was a bit imprecise w.r.t. what exactly ssh config means, but the implementation checked for any file in ~/.ssh. This is too strict, as the authorized_keys or known_hosts files are sometimes used to inject the ssh fingerprint of the own GitLab instance. The presence of these files does not interfere with our rewrite rules. We change that by only checking for kas related ssh config vars as well as the presence of `~/.ssh/config`. Reported-by: Florian Bezdeka <florian.bezdeka@siemens.com> Fixes: af6b9ae ("auto-inject git credentials on gitlab ci") Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com> Reviewed-by: Frieder Schrempf <frieder.schrempf@kontron.de> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
diff --git a/docs/userguide/credentials.rst b/docs/userguide/credentials.rst
@@ -62,7 +62,8 @@ for repos stored on the same server. Technically this is achieved by adding
 `insteadof` entries to the ``.gitconfig`` file.
 
 For backwards compatibility, the git rewrite rules are only added if
-``.gitconfig`` does not exists and no SSH configuration is provided.
+``.gitconfig`` does not exist and no SSH configuration is provided (either
+via the kas ``SSH_`` variables or using ``.ssh/config``).
 
 If the ``CI_REGISTRY``, ``CI_REGISTRY_USER`` and ``CI_JOB_TOKEN`` variables
 are set, kas automatically creates a login file for the container
diff --git a/kas/libcmds.py b/kas/libcmds.py
@@ -193,18 +193,16 @@ def __str__(self):
     @staticmethod
     def _ssh_config_present():
         """
-            Checks if any file in the .ssh dir exists or
-            any manual ssh config option is set.
+            Checks if the .ssh/config file exists or any manual ssh config
+            option is set.
         """
         ssh_vars = ['SSH_PRIVATE_KEY', 'SSH_PRIVATE_KEY_FILE', 'SSH_AUTH_SOCK']
         if any(e in os.environ for e in ssh_vars):
             return True
 
         ssh_path = os.path.expanduser('~/.ssh')
-        if os.path.isdir(ssh_path):
-            with os.scandir(ssh_path) as it:
-                if any(it):
-                    return True
+        if os.path.exists(os.path.join(ssh_path, 'config')):
+            return True
         return False
 
     def _setup_netrc(self):
