Use go method to calculate ssh key fingerprint

[sapk]

Use ssh package to calculate the fingerprint in place of writing to a temporary file and relying on ssh-keygen to output the fingerprint.

This remove some i/o interaction and spinning up a sub-process. This is also needed for building a configurable rootless container because ssh-keygen try to find the running user (which is useless to calculate the fingerprint)

https://godoc.org/golang.org/x/crypto/ssh#ParseAuthorizedKey
https://godoc.org/golang.org/x/crypto/ssh#FingerprintSHA256

[lunny]

It seems you can remove ssh-keygen totally if you change SSHKeyGenParsePublicKey on the same file.

[sapk]

@lunny It seems we implemented the two methods and only use the go method for built-in ssh server.

gitea/models/ssh_key.go

Lines 287 to 293 in 744972e

	if setting.SSH.StartBuiltinServer {
	fnName = "SSHNativeParsePublicKey"
	keyType, length, err = SSHNativeParsePublicKey(content)
	} else {
	fnName = "SSHKeyGenParsePublicKey"
	keyType, length, err = SSHKeyGenParsePublicKey(content)
	}

Should I do the same trick and implements both ? or should I clean SSHKeyGenParsePublicKey and replace it with SSHNativeParsePublicKey ?

[codecov-io]

Codecov Report

Merging #7128 into master will increase coverage by <.01%.
The diff coverage is 60%.

@@            Coverage Diff             @@
##           master    #7128      +/-   ##
==========================================
+ Coverage   41.53%   41.53%   +<.01%     
==========================================
  Files         449      449              
  Lines       61314    61338      +24     
==========================================
+ Hits        25465    25479      +14     
- Misses      32497    32503       +6     
- Partials     3352     3356       +4

Impacted Files	Coverage Δ
models/ssh_key.go	46.28% <60%> (+0.47%)	⬆️
models/repo_list.go	72.08% <0%> (-1.02%)	⬇️
models/unit.go	67.56% <0%> (+5.4%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update cf2221e...358fa0a. Read the comment docs.

[zeripath]

Hmm I think unless we're certain that go's support is the same as the native we could get into trouble assuming that go SSH and native fingerprints are the same. I don't know enough about go ssh to know if this is the case. The fact that we have this native switch for parsing makes me concerned that these may be different.

PS Why we can't get the fingerprint at the time of parsing?

[sapk]

@zeripath
I think that go lib support of ssh type key should be the same as ssh-keygen now (the switch for parse date from 3 years ago) but maybe a conservative case would be to do the same and only use the go implementation for internal ssh.
We can but since we have done it before by calling ssh-keygen we have done it in separate task.
If we want to do it in one action we should use the go implementation and don't use ssh-keygen.
Looking at this part of the code (ssh key handling)), it would likely need to be refactor for other reason (duplicate code and method call).

[sapk]

I separate the native go method to only to be use with built-in ssh.
I added some test to validate both method (and refactor old test for SSHParsePublicKey to use sub-test logic). This way if a key is reported to fail with the native method we can easely reproduce by adding it to the key list to test.