#29 Load ssh keys from a config file instead of statically

danielemery · Aug 4, 2024 · 1615d19 · 1615d19
1 parent 80c3370
commit 1615d19
Show file tree

Hide file tree

Showing 12 changed files with 65 additions and 137 deletions.
diff --git a/.env.example b/.env.example
@@ -1,2 +1,3 @@
 DOPPLER_ENVIRONMENT=local
 KEYS_VERSION=local
+CONFIG_PATH=./examples/keys-config.yaml
diff --git a/Dockerfile b/Dockerfile
@@ -15,4 +15,4 @@ ADD . .
 # Compile the main app so that it doesn't need to be compiled each startup/entry.
 RUN deno cache main.ts
 
-CMD ["run", "--allow-net", "--allow-env", "--allow-read=./src", "main.ts"]
+CMD ["run", "--allow-net", "--allow-env", "--allow-read", "main.ts"]
diff --git a/README.md b/README.md
@@ -38,7 +38,7 @@ cp .env.example .env
 Then run the following command to start the server:
 
 ```sh
-deno run --env --allow-net --allow-env --allow-read=./src main.ts
+deno run --env --allow-net --allow-env --allow-read main.ts
 ```
 
 ### Run tests

diff --git a/deno.lock b/deno.lock
diff --git a/examples/keys-config.yaml b/examples/keys-config.yaml
@@ -0,0 +1,12 @@
+ssh-keys:
+  - name: covid-reborn-windows
+    key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3o6dpyLFuyDfqhc84es4R2xNE+AhsKKqKJNxs6eyLcqIf9dezH8BD9Ye6E0BoupeZwJx9CL3wwZFmdpHEYmdLb1e7PRxx0hf/6nLRBI5+34gKukj3dZtAhZuiGOQ3sKl6iOqCTi499cRBi2TxdH2xS9n0sZCIWFLuvVzyYy+AX9F1hSTCkVhTvQKc3PJCUZHluk83ydvCyQh0wzUYDVSLkNkt03Ptu2tkj8VqTMsc8WPwBsnBwgNqK3FrD45HuFJYSObEO7ZqrHMZXOyys/jgjoAnIJ+CB5ef43PopTe+IQwqilf8JOjl7PWLPXDpnemiBkPKPy6MBGUr0F9mVEaD"
+    user: demery
+    tags:
+      - oak
+  - name: pgp-yubikey
+    key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6Ezt4eX71ZxvP7shtcniLJI6N0CWFrc3GSHtq3e/HF3LLWqnY5MWmhREuZrBLPhQX75n6uBWmSsbarwWeHzxO6UJCDkv9s/jMPFv3aV1d49qdF2LvEeKAy8lvN6jTINCEyE3g26tcDPavtciDszILdt+/mDrCWDU/+qKxb3I5X4MS+kj342fqPISJ1J4cfNMskyJib2LliWZnMXfAWgsIVM62Jx5WfJnsyXdjKdahUZeeN+2mr9OFr0ElKY1S3pbCds8BSibsarr9MIfWR4e/0DLWWfmpcPmuOX9lB+3g/bFFmcuyUoVhTMxW4tAG+xSOI89GVWBHx27z5MbGxmRfT2xSXb9DG9EA+p0bx4EUeyc6UIYmKk5R+rfVlagNocLqJDTEWDIum/Xq4qyL5mHXvk4gtVV8AKemqjsSGAtZnBEiAenA5vkVohHLWvq0WtkS9MvghOcG2VGAeuyr4muEGqm0BwrYxqXZBjugmhCcF5rFLSGv+h1s09JO0N5Q8eBmQTBrpif2b2ULnwm5xgVimce4VAgAN3QD0JTDqm2o43m7iS4YsoIXgVh/N5rpTWw0y/60eusxlyUC30mat1oSkYWvzXExIIvINpEGAyVieMvnCtSiSID9qQTFEja18G0Z6XN5eY6/u+ES6krZwWPbDs23auuvE+0nZth8Os9hkw=="
+    user: demery
+    tags:
+      - oak
+      - abusix
diff --git a/main.ts b/main.ts
@@ -1,8 +1,8 @@
 import start from "./src/server.ts";
-import keys from "./src/public_keys.ts";
 import { filterIncludesKey, parseParameters } from "./src/filter.ts";
 import { parseEnvironmentVariables } from "./src/environment.ts";
 import { Sentry } from "./deps.ts";
+import loadConfig from "./src/load_config.ts";
 
 const environment = parseEnvironmentVariables(Deno.env.toObject());
 
@@ -15,6 +15,8 @@ if (environment.SENTRY_DSN) {
   });
 }
 
+const { "ssh-keys": keys } = await loadConfig(environment.CONFIG_PATH);
+
 start(
   environment.PORT,
   {

diff --git a/src/environment.test.ts b/src/environment.test.ts
@@ -8,6 +8,7 @@ import { ZodError } from "../deps.ts";
 const baseVariables = {
   DOPPLER_ENVIRONMENT: "unit_tests",
   KEYS_VERSION: "unit_tests",
+  CONFIG_PATH: "/test.yaml",
 };
 
 Deno.test(

diff --git a/src/environment.ts b/src/environment.ts
@@ -5,6 +5,7 @@ const environmentSchema = z.object({
   DOPPLER_ENVIRONMENT: z.string(),
   SENTRY_DSN: z.string().optional(),
   KEYS_VERSION: z.string(),
+  CONFIG_PATH: z.string().optional().default("/config.yaml"),
 });
 
 export function parseEnvironmentVariables(variableObject: unknown) {

diff --git a/src/filter.ts b/src/filter.ts
@@ -1,4 +1,4 @@
-import { PublicKey } from "./public_keys.ts";
+import { PublicSSHKey } from "./load_config.ts";
 
 /** Available filter options. */
 export interface Filter {
@@ -18,7 +18,7 @@ export interface Filter {
  * @param key The key to check against the filter.
  * @returns true if the filter includes the key, false if not.
  */
-export function filterIncludesKey(filter: Filter, key: PublicKey) {
+export function filterIncludesKey(filter: Filter, key: PublicSSHKey) {
   if (filter.user && key.user !== filter.user) {
     /** User filter provided and does not match key. */
     return false;

diff --git a/src/load_config.ts b/src/load_config.ts
@@ -0,0 +1,36 @@
+import { parse } from "jsr:@std/yaml";
+import { z } from "../deps.ts";
+
+export default async function loadConfig(path: string) {
+  const contents = await loadFileContents(path);
+  try {
+    const config = parse(contents);
+    return configSchema.parse(config);
+  } catch (err) {
+    console.error(`Failed to parse config file at path: ${path}`);
+    throw err;
+  }
+}
+
+async function loadFileContents(path: string) {
+  try {
+    const file = await Deno.readFileSync(path);
+    const text = new TextDecoder().decode(file);
+    return text;
+  } catch (err) {
+    console.error(`Failed to read file at path: ${path}`);
+    throw err;
+  }
+}
+
+const configSchema = z.object({
+  "ssh-keys": z.array(z.object({
+    name: z.string(),
+    key: z.string(),
+    user: z.string(),
+    tags: z.array(z.string()).optional().default([]),
+  })),
+});
+
+export type Config = z.infer<typeof configSchema>;
+export type PublicSSHKey = z.infer<typeof configSchema>["ssh-keys"][number];
diff --git a/src/public_keys.ts b/src/public_keys.ts
diff --git a/src/server.ts b/src/server.ts
@@ -1,6 +1,6 @@
 import { STATUS_CODE, STATUS_TEXT } from "@std/http";
 import { filterIncludesKey, parseParameters } from "./filter.ts";
-import keys from "./public_keys.ts";
+import { PublicSSHKey } from "./load_config.ts";
 import pgp_key from "./pgp_key.ts";
 
 /**
@@ -10,7 +10,7 @@ import pgp_key from "./pgp_key.ts";
 export interface ServerDependencies {
   filterIncludesKey: typeof filterIncludesKey;
   parseParameters: typeof parseParameters;
-  keys: typeof keys;
+  keys: PublicSSHKey[];
 }
 
 /**