pan/GitMa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: implement SSH Key service layer with encryption and business logic

Browse Source 
Implemented SshKeyService class following TDD principles with comprehensive test coverage:

Service Methods:
- create_ssh_key(name, private_key, password) - Creates SSH key with AES-256-GCM encryption
- list_ssh_keys() - Lists all SSH keys (without decrypted keys)
- get_ssh_key(key_id) - Retrieves SSH key by ID
- delete_ssh_key(key_id) - Deletes key with usage validation
- get_decrypted_key(key_id) - Returns decrypted private key for Git operations

Features:
- Encrypts SSH private keys before storing using app.security.encrypt_data
- Generates SHA256 fingerprints for key identification
- Validates SSH key format (RSA, OpenSSH, DSA, EC, ED25519, PGP)
- Prevents deletion of keys in use by servers
- Base64-encoding for encrypted data storage in Text columns
- Uses app.config.settings.encrypt_key for encryption

Tests:
- 16 comprehensive test cases covering all service methods
- All tests passing (16/16)
- Tests for encryption/decryption, validation, usage checks, edge cases

Files:
- backend/app/services/ssh_key_service.py - SshKeyService implementation
- backend/tests/test_services/test_ssh_key_service.py - Test suite
- backend/tests/conftest.py - Fixed test encryption key length (32 bytes)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
panw
2026-03-30 16:06:56 +08:00
parent f425a49773
commit cefdb9f51d
3 changed files with 519 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

231
backend/app/services/ssh_key_service.py Normal file
View File

@@ -0,0 +1,231 @@
"""
SSH Key Service.
Business logic for SSH key management including:
- Creating SSH keys with encryption
- Listing and retrieving SSH keys
- Deleting SSH keys (with usage check)
- Decrypting private keys for Git operations
"""
import time
import hashlib
import base64
from typing import List, Optional
from sqlalchemy.orm import Session
from app.models.ssh_key import SshKey
from app.models.server import Server
from app.security import encrypt_data, decrypt_data
from app.config import get_settings
class SshKeyService:
"""
Service for managing SSH keys.
Handles encryption, decryption, and validation of SSH private keys.
"""
def __init__(self, db: Session):
"""
Initialize the service with a database session.
Args:
db: SQLAlchemy database session
"""
self.db = db
self.settings = get_settings()
def create_ssh_key(self, name: str, private_key: str, password: Optional[str] = None) -> SshKey:
"""
Create a new SSH key with encryption.
Args:
name: Unique name for the SSH key
private_key: SSH private key content (PEM/OpenSSH format)
password: Optional password for key protection (not stored, used for deployment)
Returns:
Created SshKey model instance
Raises:
ValueError: If name already exists or private_key is invalid
"""
# Check if name already exists
existing_key = self.db.query(SshKey).filter_by(name=name).first()
if existing_key:
raise ValueError(f"SSH key with name '{name}' already exists")
# Validate SSH private key format
if not self._is_valid_ssh_key(private_key):
raise ValueError("Invalid SSH private key format. Must be a valid PEM or OpenSSH private key.")
# Generate fingerprint
fingerprint = self._generate_fingerprint(private_key)
# Encrypt the private key
encrypted_key = encrypt_data(
private_key.encode('utf-8'),
self.settings.encrypt_key
)
# Store encrypted key as base64 for database storage
encrypted_key_b64 = base64.b64encode(encrypted_key).decode('utf-8')
# Create the SSH key record
ssh_key = SshKey(
name=name,
private_key=encrypted_key_b64,
fingerprint=fingerprint,
created_at=int(time.time())
)
self.db.add(ssh_key)
self.db.commit()
self.db.refresh(ssh_key)
return ssh_key
def list_ssh_keys(self) -> List[SshKey]:
"""
List all SSH keys.
Returns:
List of all SshKey model instances (without decrypted keys)
"""
return self.db.query(SshKey).all()
def get_ssh_key(self, key_id: int) -> Optional[SshKey]:
"""
Get an SSH key by ID.
Args:
key_id: ID of the SSH key
Returns:
SshKey model instance or None if not found
"""
return self.db.query(SshKey).filter_by(id=key_id).first()
def delete_ssh_key(self, key_id: int) -> bool:
"""
Delete an SSH key.
Args:
key_id: ID of the SSH key to delete
Returns:
True if deleted, False if not found
Raises:
ValueError: If key is in use by a server
"""
ssh_key = self.get_ssh_key(key_id)
if not ssh_key:
return False
# Check if key is in use by any server
servers_using_key = self.db.query(Server).filter_by(ssh_key_id=key_id).count()
if servers_using_key > 0:
raise ValueError(
f"Cannot delete SSH key '{ssh_key.name}'. "
f"It is in use by {servers_using_key} server(s)."
)
self.db.delete(ssh_key)
self.db.commit()
return True
def get_decrypted_key(self, key_id: int) -> str:
"""
Get the decrypted private key for Git operations.
Args:
key_id: ID of the SSH key
Returns:
Decrypted private key as a string
Raises:
ValueError: If key not found
"""
ssh_key = self.get_ssh_key(key_id)
if not ssh_key:
raise ValueError(f"SSH key with ID {key_id} not found")
# Decode from base64 first, then decrypt
encrypted_key = base64.b64decode(ssh_key.private_key.encode('utf-8'))
decrypted = decrypt_data(
encrypted_key,
self.settings.encrypt_key
)
return decrypted.decode('utf-8')
def _is_valid_ssh_key(self, private_key: str) -> bool:
"""
Validate if the provided string is a valid SSH private key.
Args:
private_key: Private key content to validate
Returns:
True if valid SSH private key format, False otherwise
"""
if not private_key or not private_key.strip():
return False
# Check for common SSH private key markers
valid_markers = [
"-----BEGIN RSA PRIVATE KEY-----",
"-----BEGIN OPENSSH PRIVATE KEY-----",
"-----BEGIN DSA PRIVATE KEY-----",
"-----BEGIN EC PRIVATE KEY-----",
"-----BEGIN ED25519 PRIVATE KEY-----",
"-----BEGIN PGP PRIVATE KEY BLOCK-----", # GPG keys
]
private_key_stripped = private_key.strip()
for marker in valid_markers:
if marker in private_key_stripped:
return True
return False
def _generate_fingerprint(self, private_key: str) -> str:
"""
Generate a fingerprint for an SSH private key.
For simplicity, we use SHA256 hash of the public key portion.
In production, you'd use cryptography or paramiko to extract
the actual public key and generate a proper SSH fingerprint.
Args:
private_key: Private key content
Returns:
Fingerprint string (SHA256 format)
"""
# Extract the key data (between BEGIN and END markers)
lines = private_key.strip().split('\n')
key_data = []
in_key_section = False
for line in lines:
if '-----BEGIN' in line:
in_key_section = True
continue
if '-----END' in line:
in_key_section = False
continue
if in_key_section and not line.startswith('---'):
key_data.append(line.strip())
key_content = ''.join(key_data)
# Generate SHA256 hash
sha256_hash = hashlib.sha256(key_content.encode('utf-8')).digest()
b64_hash = base64.b64encode(sha256_hash).decode('utf-8').rstrip('=')
return f"SHA256:{b64_hash}"