Properly handle missing ssh-keygen and ssh-add

dmach · Sep 7, 2022 · 2496b3e · 2496b3e
1 parent bbb2746
commit 2496b3e
Showing 1 changed file with 14 additions and 6 deletions.
diff --git a/osc/connection.py b/osc/connection.py
@@ -2,6 +2,7 @@
 import fcntl
 import os
 import re
+import shutil
 import subprocess
 import ssl
 import sys
@@ -510,6 +511,9 @@ def __init__(self, user, sshkey, basic_auth_password=None):
         self.user = user
         self.sshkey = sshkey
 
+        self.ssh_keygen_path = shutil.which("ssh-keygen")
+        self.ssh_add_path = shutil.which("ssh-add")
+
         apiurl = conf.config["apiurl"]
         if conf.config["api_host_options"][apiurl].get("credentials_mgr_class", None) == "osc.credentials.TransientCredentialsManager":
             self.basic_auth_password = False
@@ -520,12 +524,10 @@ def __init__(self, user, sshkey, basic_auth_password=None):
         self.temp_pubkey = None
 
     def list_ssh_agent_keys(self):
-        cmd = ['ssh-add', '-L']
-        try:
-            proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-        except OSError:
-            # ssh-add is not available
+        if not self.ssh_add_path:
             return []
+        cmd = [self.ssh_add_path, '-L']
+        proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
         stdout, _ = proc.communicate()
         if proc.returncode == 0 and stdout.strip():
             return stdout.strip().splitlines()
@@ -569,7 +571,7 @@ def ssh_sign(self, data, namespace, keyfile=None):
                 keyfile = '~/.ssh/' + keyfile
             keyfile = os.path.expanduser(keyfile)
 
-        cmd = ['ssh-keygen', '-Y', 'sign', '-f', keyfile, '-n', namespace, '-q']
+        cmd = [self.ssh_keygen_path, '-Y', 'sign', '-f', keyfile, '-n', namespace, '-q']
         proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
         stdout, _ = proc.communicate(data)
 
@@ -622,6 +624,12 @@ def set_request_headers_after_401(self, url, request_headers, response):
             # prefer basic auth, but only if password is set
             return False
 
+        if not self.ssh_keygen_path:
+            if conf.config["debug"]:
+                msg = "Skipping signature auth because ssh-keygen is not available"
+                print(msg, file=sys.stderr)
+            return False
+
         if not self.sshkey_known():
             # ssh key not set, try to guess it
             self.sshkey = self.guess_keyfile()