coryHawkvelt/gatehouse-api
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: set 0600 permissions on SSH certificates and challenge files in gatehouse-cli

Browse Source
This commit is contained in:
Cory Hawklvelt
2026-04-26 00:13:37 +09:30
parent caf3fd2cd6
commit 9738765258
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
client/gatehouse-cli.py
+3
View File
@@ -369,6 +369,7 @@ def request_certificate(org_id=None):
json_result = response.json().get('data', response.json()) json_result = response.json().get('data', response.json())
with open(CERT_FILE_PATH, 'w') as f: with open(CERT_FILE_PATH, 'w') as f:
f.write(json_result['certificate']) f.write(json_result['certificate'])
os.chmod(CERT_FILE_PATH, 0o600)
logger.info(f"Certificate signed successfully, located at {CERT_FILE_PATH}") logger.info(f"Certificate signed successfully, located at {CERT_FILE_PATH}")
logger.info(f"Valid for principals: {', '.join(json_result.get('principals', principals))}") logger.info(f"Valid for principals: {', '.join(json_result.get('principals', principals))}")
@@ -432,11 +433,13 @@ def generate_and_sign_challenge(ssh_key_file, key_id):
with open(CHALLENGE_FILE_PATH, 'w') as f: with open(CHALLENGE_FILE_PATH, 'w') as f:
f.write(challenge_text) f.write(challenge_text)
os.chmod(CHALLENGE_FILE_PATH, 0o600)
subprocess.run( subprocess.run(
["ssh-keygen", "-Y", "sign", "-f", ssh_key_file, "-n", "file", CHALLENGE_FILE_PATH], ["ssh-keygen", "-Y", "sign", "-f", ssh_key_file, "-n", "file", CHALLENGE_FILE_PATH],
check=True, check=True,
) )
os.chmod(CHALLENGE_SIG_FILE_PATH, 0o600)
with open(CHALLENGE_SIG_FILE_PATH, 'rb') as f: with open(CHALLENGE_SIG_FILE_PATH, 'rb') as f:
signature = base64.b64encode(f.read()).decode('utf-8') signature = base64.b64encode(f.read()).decode('utf-8')