Fix setting permissions of SSH key tempfiles

a2258baf · Nick Thomas · 09607d45 · a2258baf · a2258baf
Commit a2258baf authored Aug 02, 2017 by Nick Thomas
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 13 deletions

lib/gitlab_projects.rb lib/gitlab_projects.rb +8 -5

spec/gitlab_projects_spec.rb spec/gitlab_projects_spec.rb +11 -8

No files found.
--- a/lib/gitlab_projects.rb
+++ b/lib/gitlab_projects.rb
@@ -433,26 +433,29 @@ class GitlabProjects
    options = {}
    if ENV.key?('GITLAB_SHELL_SSH_KEY')
-      key_file = Tempfile.new('gitlab-shell-key-file', mode: 0o400)
+      key_file = Tempfile.new('gitlab-shell-key-file')
+      key_file.chmod(0o400)
      key_file.write(ENV['GITLAB_SHELL_SSH_KEY'])
      key_file.close
      options['IdentityFile'] = key_file.path
-      options['IdentitiesOnly'] = true
+      options['IdentitiesOnly'] = 'yes'
    end
    if ENV.key?('GITLAB_SHELL_KNOWN_HOSTS')
-      known_hosts_file = Tempfile.new('gitlab-shell-known-hosts', mode: 0o400)
+      known_hosts_file = Tempfile.new('gitlab-shell-known-hosts')
+      known_hosts_file.chmod(0o400)
      known_hosts_file.write(ENV['GITLAB_SHELL_KNOWN_HOSTS'])
      known_hosts_file.close
-      options['StrictHostKeyChecking'] = true
+      options['StrictHostKeyChecking'] = 'yes'
      options['UserKnownHostsFile'] = known_hosts_file.path
    end
    return yield({}) if options.empty?
-    script = Tempfile.new('gitlab-shell-ssh-wrapper', mode: 0o755)
+    script = Tempfile.new('gitlab-shell-ssh-wrapper')
+    script.chmod(0o755)
    script.write(custom_ssh_script(options))
    script.close

--- a/spec/gitlab_projects_spec.rb
+++ b/spec/gitlab_projects_spec.rb
@@ -336,12 +336,15 @@ describe GitlabProjects do
      ENV.replace(original)
    end
-    def stub_tempfile(name, *args)
+    def stub_tempfile(name, filename, opts = {})
+      chmod = opts.delete(:chmod)
      file = StringIO.new
      allow(file).to receive(:close!)
      allow(file).to receive(:path).and_return(name)
-      expect(Tempfile).to receive(:new).with(*args).and_return(file)
+      expect(Tempfile).to receive(:new).with(filename).and_return(file)
+      expect(file).to receive(:chmod).with(chmod) if chmod
      file
    end
@@ -397,14 +400,14 @@ describe GitlabProjects do
      end
      it 'sets GIT_SSH to a custom script' do
-        script = stub_tempfile('scriptFile', 'gitlab-shell-ssh-wrapper', mode: 0755)
+        script = stub_tempfile('scriptFile', 'gitlab-shell-ssh-wrapper', chmod: 0o755)
-        key = stub_tempfile('/tmp files/keyFile', 'gitlab-shell-key-file', mode: 0400)
+        key = stub_tempfile('/tmp files/keyFile', 'gitlab-shell-key-file', chmod: 0o400)
        stub_spawn({ 'GIT_SSH' => 'scriptFile' }, *cmd)
        expect(gl_projects.exec).to be true
-        expect(script.string).to eq("#!/bin/sh\nexec ssh '-oIdentityFile=\"/tmp files/keyFile\"' '-oIdentitiesOnly=\"true\"' \"$@\"")
+        expect(script.string).to eq("#!/bin/sh\nexec ssh '-oIdentityFile=\"/tmp files/keyFile\"' '-oIdentitiesOnly=\"yes\"' \"$@\"")
        expect(key.string).to eq('SSH KEY')
      end
    end
@@ -418,14 +421,14 @@ describe GitlabProjects do
      end
      it 'sets GIT_SSH to a custom script' do
-        script = stub_tempfile('scriptFile', 'gitlab-shell-ssh-wrapper', mode: 0755)
+        script = stub_tempfile('scriptFile', 'gitlab-shell-ssh-wrapper', chmod: 0o755)
-        key = stub_tempfile('/tmp files/knownHosts', 'gitlab-shell-known-hosts', mode: 0400)
+        key = stub_tempfile('/tmp files/knownHosts', 'gitlab-shell-known-hosts', chmod: 0o400)
        stub_spawn({ 'GIT_SSH' => 'scriptFile' }, *cmd)
        expect(gl_projects.exec).to be true
-        expect(script.string).to eq("#!/bin/sh\nexec ssh '-oStrictHostKeyChecking=\"true\"' '-oUserKnownHostsFile=\"/tmp files/knownHosts\"' \"$@\"")
+        expect(script.string).to eq("#!/bin/sh\nexec ssh '-oStrictHostKeyChecking=\"yes\"' '-oUserKnownHostsFile=\"/tmp files/knownHosts\"' \"$@\"")
        expect(key.string).to eq('KNOWN HOSTS')
      end
    end