Rework SSH key handling and configuration

I'm running homu in OpenShift v3/Kubernetes where it's installed (as root) to
`/usr`, but we run as non-root. This follows general best practice that apps
shouldn't be able to mutate their code.

However, we were trying to write the ssh key to `/usr`.  Fix this by
generating a tempfile.  This is also more secure as it closes a prior
race condition where we'd write the file with potentially non-private
access permissions, then chmod it.

Also rework things so that we only write the key once at startup.  By
using `NamedTemporaryFile`, it'll be `unlink()ed` once the object goes
out of scope.  To keep it alive long enough, pass it as an argument to
the "main loop".

Secondly, I want to have the github.com host key in a ConfigMap,
distinct from the code.  And I want to tweak the
ssh configuration for https://stribika.github.io/2015/01/04/secure-secure-shell.html
among other things.

Hence, this also adds a `ssh_config_file` config option.

Author: cgwalters

cfg.sample.toml

@@ -20,6 +20,11 @@ app_client_secret = ""
 #ssh_key = """
 #"""
 
+# If you're using local git, you may want to set up a ssh-config
+# file specific to github.com, primarily to ensure the host key
+# is configured.
+# ssh_config_path = ""
+
 # By default, Homu extracts the name+email from the Github account.  However,
 # you may want to use a private email for the account, and associate the commits
 # with a public email address.

homu/git_helper.py

@@ -3,11 +3,12 @@
 import sys
 import os
 
-SSH_KEY_FILE = os.path.join(os.path.dirname(__file__), '../cache/key')
-
-
 def main():
-    args = ['ssh', '-i', SSH_KEY_FILE, '-S', 'none'] + sys.argv[1:]
+    cfgpath = os.environ.get('HOMU_SSH_CONFIG')
+    args = ['ssh', '-i', os.getenv('HOMU_GIT_KEY_PATH'), '-S', 'none']
+    if cfgpath is not None:
+        args.extend(['-F', cfgpath])
+    args.extend(sys.argv[1:])
     os.execvp('ssh', args)
 
 

homu/main.py

@@ -15,8 +15,8 @@
 from queue import Queue
 import os
 import subprocess
-from .git_helper import SSH_KEY_FILE
 import shlex
+import tempfile
 
 STATUS_TO_PRIORITY = {
     'success': 0,
@@ -453,12 +453,6 @@ def init_local_git_cmds(repo_cfg, git_cfg):
     fpath = 'cache/{}/{}'.format(repo_cfg['owner'], repo_cfg['name'])
     url = '[email protected]:{}/{}.git'.format(repo_cfg['owner'], repo_cfg['name'])
 
-    if not os.path.exists(SSH_KEY_FILE):
-        os.makedirs(os.path.dirname(SSH_KEY_FILE), exist_ok=True)
-        with open(SSH_KEY_FILE, 'w') as fp:
-            fp.write(git_cfg['ssh_key'])
-        os.chmod(SSH_KEY_FILE, 0o600)
-
     if not os.path.exists(fpath):
         utils.logged_call(['git', 'init', fpath])
         utils.logged_call(['git', '-C', fpath, 'remote', 'add', 'origin', url])
@@ -488,7 +482,6 @@ def create_merge(state, repo_cfg, branch, git_cfg, ensure_merge_equal=False):
     desc = 'Merge conflict'
 
     if git_cfg['local_git']:
-
         git_cmd = init_local_git_cmds(repo_cfg, git_cfg)
 
         utils.logged_call(git_cmd('fetch', 'origin', state.base_ref,
@@ -959,7 +952,8 @@ def fetch_mergeability(mergeable_que):
             mergeable_que.task_done()
 
 
-def check_timeout(states, queue_handler):
+def check_timeout(states, queue_handler, tmp_ssh_key):
+    # This function holds a reference to tmp_ssh_key to keep it alive
     while True:
         try:
             for repo_label, repo_states in states.items():
@@ -1239,13 +1233,23 @@ def queue_handler():
             return process_queue(states, repos, repo_cfgs, logger, buildbot_slots, db, git_cfg)
 
     os.environ['GIT_SSH'] = os.path.join(os.path.dirname(__file__), 'git_helper.py')
+    sshcfg = cfg_git.get('ssh_config_path')
+    if sshcfg is not None:
+        os.environ['HOMU_SSH_CONFIG'] = sshcfg
     os.environ['GIT_EDITOR'] = 'cat'
 
+    tmp_ssh_key = None
+    if git_cfg['local_git']:
+        tmp_ssh_key = tempfile.NamedTemporaryFile(prefix='homu-sshkey')
+        tmp_ssh_key.write(git_cfg['ssh_key'].encode('utf-8'))
+        tmp_ssh_key.flush()
+        os.environ['HOMU_GIT_KEY_PATH'] = tmp_ssh_key.name
+
     from . import server
     Thread(target=server.start, args=[cfg, states, queue_handler, repo_cfgs, repos, logger, buildbot_slots, my_username, db, repo_labels, mergeable_que, gh]).start()
 
     Thread(target=fetch_mergeability, args=[mergeable_que]).start()
-    Thread(target=check_timeout, args=[states, queue_handler]).start()
+    Thread(target=check_timeout, args=[states, queue_handler, tmp_ssh_key]).start()
 
     queue_handler()