From b942d94e2d59335f11f635164525a4f578ea6991 Mon Sep 17 00:00:00 2001 From: Jeff Forcier Date: Mon, 28 Aug 2017 15:40:33 -0700 Subject: Stub tests and partly-working implementation of 'load certs found alongside key_filenames' behavior re #1042 This actually breaks existing tests due to test server not supporting certs...bah --- paramiko/client.py | 30 +++++++++++++++++++++--------- tests/test_client.py | 15 +++++++++++++++ tests/util.py | 1 - 3 files changed, 36 insertions(+), 10 deletions(-) diff --git a/paramiko/client.py b/paramiko/client.py index 22e636a7..3b3895b6 100644 --- a/paramiko/client.py +++ b/paramiko/client.py @@ -515,22 +515,34 @@ class SSHClient (ClosingContextManager): def _key_from_filepath(self, filename, klass, password): """ - Attempt to derive a `.PKey` from given string path ``filename``. + Attempt to derive a `.PKey` from given string path ``filename``: + + - If ``filename`` appears to be a cert, the matching private key is + loaded. + - Otherwise, the filename is assumed to be a private key, and the + matching public cert will be loaded if it exists. """ cert_suffix = '-cert.pub' - key_path = filename - is_cert = False + # Assume privkey, not cert, by default if filename.endswith(cert_suffix): key_path = filename[:-len(cert_suffix)] - is_cert = True + cert_path = filename + else: + key_path = filename + cert_path = filename + cert_suffix + # Blindly try the key path; if no private key, nothing will work. key = klass.from_private_key_file(key_path, password) - if is_cert: - key.load_certificate(pubkey_filename=filename) - type_ = 'certificate' if is_cert else 'key' - msg = "Trying discovered {0} {1} in {2}".format( - type_, hexlify(key.get_fingerprint()), filename, + # TODO: change this to 'Loading' instead of 'Trying' sometime; probably + # when #387 is released, since this is a critical log message users are + # likely testing/filtering for (bah.) + msg = "Trying discovered key {0} in {1}".format( + hexlify(key.get_fingerprint()), key_path, ) self._log(DEBUG, msg) + # Attempt to load cert if it exists. + if os.path.isfile(cert_path): + key.load_certificate(pubkey_filename=cert_path) + self._log(DEBUG, "Adding public certificate {0}".format(cert_path)) return key def _auth(self, username, password, pkey, key_filenames, allow_agent, diff --git a/tests/test_client.py b/tests/test_client.py index e912d5b2..cfffa030 100644 --- a/tests/test_client.py +++ b/tests/test_client.py @@ -248,6 +248,21 @@ class SSHClientTest (unittest.TestCase): allowed_keys=['ecdsa-sha2-nistp256'], ) + def test_certs_allowed_as_key_filename_values(self): + # TODO: connect() with key_filename containing a cert file, loads up + # both the cert and its implied key. This is new functionality on top + # of the OpenSSH-compatible stuff. + assert False + + def test_certs_implicitly_loaded_alongside_key_filename_keys(self): + # TODO: same but with just the key paths, i.e. vanilla OpenSSH behavior + assert False + + def test_default_key_locations_trigger_cert_loads_if_found(self): + # TODO: what it says on the tin: ~/.ssh/id_rsa tries to load + # ~/.ssh/id_rsa-cert.pub + assert False + def test_4_auto_add_policy(self): """ verify that SSHClient's AutoAddPolicy works. diff --git a/tests/util.py b/tests/util.py index b546a7e1..c1b43da8 100644 --- a/tests/util.py +++ b/tests/util.py @@ -4,4 +4,3 @@ root_path = os.path.dirname(os.path.realpath(__file__)) def test_path(filename): return os.path.join(root_path, filename) - -- cgit v1.2.3